Changeset 2862
- Timestamp:
- 11/24/08 04:23:30 (7 weeks ago)
- Location:
- trunk/htdocs/system
- Files:
-
- 20 modified
-
admin/db_profiling.php (modified) (2 diffs)
-
classes/acl.php (modified) (9 diffs)
-
classes/adminhandler.php (modified) (1 diff)
-
classes/ajaxhandler.php (modified) (4 diffs)
-
classes/atomhandler.php (modified) (2 diffs)
-
classes/bitmask.php (modified) (3 diffs)
-
classes/comment.php (modified) (2 diffs)
-
classes/eventlog.php (modified) (2 diffs)
-
classes/feedbackhandler.php (modified) (4 diffs)
-
classes/logentry.php (modified) (2 diffs)
-
classes/post.php (modified) (1 diff)
-
classes/posts.php (modified) (1 diff)
-
classes/theme.php (modified) (3 diffs)
-
classes/user.php (modified) (4 diffs)
-
classes/userhandler.php (modified) (4 diffs)
-
plugins/undelete/undelete.plugin.php (modified) (9 diffs)
-
themes/charcoal/header.php (modified) (1 diff)
-
themes/k2/loginform.php (modified) (1 diff)
-
themes/k2/theme.php (modified) (1 diff)
-
themes/mzingi/loginform.php (modified) (1 diff)
Legend:
- Unmodified
- Added
- Removed
-
trunk/htdocs/system/admin/db_profiling.php
r2592 r2862 1 1 <?php 2 if (! isset($_GET['db_profile']) || ( User::identify() == FALSE) )2 if (! isset($_GET['db_profile']) || ( !User::identify()->loggedin ) ) 3 3 { 4 4 return; … … 50 50 <?php }?> 51 51 </div> 52 <?php 52 <?php 53 53 $total_time_querying+= $profile->total_time; 54 54 } -
trunk/htdocs/system/classes/acl.php
r2859 r2862 24 24 const ACCESS_NONEXISTANT_PERMISSION = true; 25 25 26 private static $access_names = array( 'read', 'write' );26 private static $access_names = array( 'read', 'write', 'delete' ); 27 27 28 28 /** … … 33 33 */ 34 34 public static function access_check( $permission, $access ) 35 { 35 { 36 36 $bitmask = new Bitmask( self::$access_names, $permission ); 37 37 38 38 if ( $access == 'full' ) { 39 39 return $bitmask->read && $bitmask->write; … … 223 223 * Determine whether a user can perform a specific action 224 224 * @param mixed $user A user object, user ID or a username 225 * @param mixed $ permission A permission ID or name225 * @param mixed $token A permission ID or name 226 226 * @param string $access Check for 'read', 'write', or 'delete' access 227 227 * @return bool Whether the user can perform the action 228 228 **/ 229 public static function user_can( $user, $permission, $access = 'write' ) 229 public static function user_can( $user, $token, $access = 'read' ) 230 { 231 232 $result = self::get_user_token_permissions( $user, $token ); 233 234 if ( isset( $result ) && self::access_check( $result, $access ) ) { 235 return true; 236 } 237 238 // either the permission hasn't been granted, or it's been 239 // explicitly denied. 240 return false; 241 } 242 243 /** 244 * Determine whether a user is denied permission to perform a specific action 245 * @param mixed $user A user object, user ID or a username 246 * @param mixed $token A permission ID or name 247 * @return bool Whether the user can perform the action 248 **/ 249 public static function user_cannot( $user, $token ) 250 { 251 252 $result = self::get_user_token_permissions( $user, $token ); 253 254 if ( isset( $result ) && $result == 0 ) { 255 return true; 256 } 257 258 // either the permission hasn't been granted, or it's been 259 // explicitly denied. 260 return false; 261 } 262 263 264 /** 265 * Return the permission to a specific token for a specific user 266 * 267 * @param mixed $user A User object instance or user id 268 * @param mixed $token A token string or if 269 * @return integer A permission bitmask integer 270 */ 271 public static function get_user_token_permissions( $user, $token ) 230 272 { 231 273 // Use only numeric ids internally 232 $ permission = self::token_id( $permission );274 $token = self::token_id( $token ); 233 275 234 276 /** … … 236 278 * When ACL is functional ACCESS_NONEXISTANT_PERMISSION should be false by default. 237 279 */ 238 if ( is_null( $ permission) ) {280 if ( is_null( $token) ) { 239 281 return self::ACCESS_NONEXISTANT_PERMISSION; 240 282 } … … 283 325 LIMIT 1; 284 326 SQL; 285 $result = DB::get_value( $sql, array( ':user_id' => $user_id, ':token_id' => $permission ) ); 286 287 if ( isset( $result ) && self::access_check( $result, $access ) ) { 288 return true; 289 } 290 291 // either the permission hasn't been granted, or it's been 292 // explicitly denied. 293 return false; 327 $result = DB::get_value( $sql, array( ':user_id' => $user_id, ':token_id' => $token ) ); 328 329 return $result; 294 330 } 295 331 … … 305 341 if ( is_numeric( $user ) ) { 306 342 $user_id = $user; 307 } else { 343 } 344 else { 308 345 if ( ! $user instanceof User ) { 309 346 $user = User::get( $user ); … … 311 348 $user_id = $user->id; 312 349 } 313 314 $result = DB::get_results( 'SELECT token_id, permission_id FROM {user_token_permissions} WHERE user_id = ?', array( $user_id ) ); 315 $bitmask = new Bitmask ( self::$access_names ); 350 351 $sql = <<<SQL 352 SELECT token_id, permission_id 353 FROM user_token_permissions 354 WHERE user_id = :user_id 355 UNION ALL 356 SELECT gp.token_id, gp.permission_id 357 FROM users_groups ug 358 INNER JOIN group_token_permissions gp 359 ON ug.group_id = gp.group_id 360 AND ug.user_id = :user_id 361 ORDER BY token_id ASC 362 SQL; 363 $result = DB::get_results( $sql, array( ':user_id' => $user_id ) ); 364 365 $bitmask = new Bitmask ( self::$access_names, $access ); 316 366 $tokens = array(); 317 367 … … 339 389 $permission_id = 0; // default is 'deny' (bitmask 0) 340 390 } 341 391 342 392 $bitmask = new Bitmask( self::$access_names, $permission_id ); 343 393 344 394 if ( $access == 'full' || $access == 'deny' ) { 345 395 if ( $access == 'full' ) { … … 384 434 $permission_id = 0; // default is 'deny' (bitmask 0) 385 435 } 386 436 387 437 $bitmask = new Bitmask( self::$access_names, $permission_id ); 388 438 389 439 if ( $access == 'full' || $access == 'deny' ) { 390 440 if ( $access == 'full' ) { -
trunk/htdocs/system/classes/adminhandler.php
r2861 r2862 21 21 { 22 22 $user = User::identify(); 23 if ( !$user ) {23 if ( !$user->loggedin ) { 24 24 Session::add_to_set( 'login', $_SERVER['REQUEST_URI'], 'original' ); 25 25 if( URL::get_matched_rule()->name == 'admin_ajax' ) { -
trunk/htdocs/system/classes/ajaxhandler.php
r2606 r2862 15 15 * The following example would set the context of 'foo' and trigger 16 16 * the plugin action 'ajax_foo'. 17 * 17 * 18 18 * <code>URL::get( 'ajax', 'context=foo' );</code> 19 * 19 * 20 20 */ 21 21 public function act_ajax() … … 23 23 /** 24 24 * Triggers the ajax plugin action for the context. 25 * 25 * 26 26 * @see AjaxHandler::act_ajax() 27 27 * @action ajax_{$context} … … 33 33 * Handles incoming ajax requests for which the user must be authenticated. 34 34 * Forwards the request to plugin actions for the "context" portion of the URL. 35 * 35 * 36 36 * @see act_ajax() 37 37 */ … … 39 39 { 40 40 $user = User::identify(); 41 if ($user !== FALSE) {41 if ($user->loggedin) { 42 42 /** 43 43 * Triggers the ajax plugin action for the context if user is authenticated. 44 * 44 * 45 45 * @see act_auth_ajax() 46 46 * @action ajax_auth_{$context} -
trunk/htdocs/system/classes/atomhandler.php
r2616 r2862 52 52 } 53 53 54 if ( ( $force != FALSE ) && ( !$this->user = User::identify() ) ) { 54 $this->user = User::identify(); 55 if ( ( $force != FALSE ) && ( !$this->user->loggedin ) ) { 55 56 header( 'HTTP/1.1 401 Unauthorized' ); 56 57 header( 'Status: 401 Unauthorized' ); … … 489 490 $self = URL::get( 'atom_entry' ); 490 491 $id = isset( $params['slug'] ) ? $params['slug'] : 'atom_entry'; 491 492 492 493 $user = User::get_by_id( $post->user_id ); 493 494 $title = ( $this->is_auth() ) ? htmlspecialchars( $post->title ) : htmlspecialchars( $post->title_atom ); 494 495 $content = ( $this->is_auth() ) ? htmlspecialchars( $post->content ) : htmlspecialchars( $post->content_atom ); 495 496 496 497 $xml = $this->create_atom_wrapper( $alternate, $self, $id ); 497 498 498 499 $entry = $xml->addChild('entry'); 499 500 $entry->addAttribute( 'xmlns', 'http://www.w3.org/2005/Atom' ); -
trunk/htdocs/system/classes/bitmask.php
r2860 r2862 14 14 * @param integer $value (optional) a combined bitmask value 15 15 */ 16 public function __construct( $flags = null, $value = null ) { 16 public function __construct( $flags = null, $value = null ) 17 { 17 18 if ( ! is_array( $flags ) ) { 18 19 throw new InvalidArgumentException(_t('Bitmask constructor expects either no arguments or an array as a first argument')); … … 32 33 * @param on on or off? 33 34 */ 34 public function __set( $bit, $on ) { 35 public function __set( $bit, $on ) 36 { 35 37 switch( $bit ) { 36 38 case 'value': … … 63 65 * @return boolean 64 66 */ 65 public function __get( $bit ) { 67 public function __get( $bit ) 68 { 66 69 if ( is_string( $bit ) ) { 67 70 $bit = array_search( $bit, $this->flags ); -
trunk/htdocs/system/classes/comment.php
r2719 r2862 273 273 private function get_post( $use_cache = TRUE ) 274 274 { 275 if ( ! isset( $this->post_object ) || ( ! $use_cache) ) 276 { 275 if ( ! isset( $this->post_object ) || ( ! $use_cache) ) { 277 276 $this->post_object = Posts::get( array('id' => $this->post_id, 'fetch_fn' => 'get_row') ); 278 277 } … … 388 387 return self::$comment_status_actions[$statuses[$name]]; 389 388 } 390 389 391 390 return ''; 392 391 } -
trunk/htdocs/system/classes/eventlog.php
r2736 r2862 86 86 'ip' => sprintf("%u", ip2long( $_SERVER['REMOTE_ADDR'] ) ), 87 87 ) ); 88 if ( $user = User::identify() ) { 88 $user = User::identify(); 89 if ( $user->loggedin ) { 89 90 $log->user_id = $user->id; 90 91 } … … 134 135 // Put incoming parameters into the local scope 135 136 $paramarray = Utils::get_params( $paramarray ); 136 137 137 138 // Get any full-query parameters 138 139 extract( $paramarray ); -
trunk/htdocs/system/classes/feedbackhandler.php
r2822 r2862 16 16 public function act_add_comment() 17 17 { 18 18 19 19 $defaults = array( 20 20 'name' => '', … … 23 23 'content' => '' 24 24 ); 25 25 26 26 // We need to get the post anyway to redirect back to the post page. 27 27 $post = Post::get( array( 'id'=>$this->handler_vars['id'] ) ); … … 31 31 die(); 32 32 } 33 33 34 34 // make sure all our default values are set so we don't throw undefined index errors 35 35 foreach ( $defaults as $k => $v ) { … … 116 116 // Should this really be here or in a default filter? 117 117 // In any case, we should let plugins modify the status after we set it here. 118 if( ( $user = User::identify() ) && ( $comment->email == $user->email ) ) { 118 $user = User::identify(); 119 if( ( $user->loggedin ) && ( $comment->email == $user->email ) ) { 119 120 $comment->status = Comment::STATUS_APPROVED; 120 121 } -
trunk/htdocs/system/classes/logentry.php
r2592 r2862 216 216 'fetch_fn' => 'get_row', 217 217 ); 218 if ( $user = User::identify() ) { 218 $user = User::identify(); 219 if ( $user->loggedin ) { 219 220 $defaults['where'][]= array( 220 221 'user_id' => $user->id, … … 273 274 $allow = true; 274 275 $allow = Plugins::filter( 'logentry_delete_allow', $allow, $this ); 275 if ( ! $allow ) { 276 if ( ! $allow ) { 276 277 return; 277 278 } -
trunk/htdocs/system/classes/post.php
r2851 r2862 319 319 'fetch_fn' => 'get_row', 320 320 ); 321 if ( $user = User::identify() ) { 321 $user = User::identify(); 322 if ( $user->loggedin ) { 322 323 $defaults['where'][]= array( 323 324 'user_id' => $user->id, -
trunk/htdocs/system/classes/posts.php
r2851 r2862 369 369 370 370 // Only show posts to which the current user has permission 371 /* 372 if( !isset( $paramset['ignore_permissions'] ) ) { 373 $token_id_list = User::identify(); 374 $joins['post_tokens__posts']= ' JOIN {post_tokens} ON {posts}.id= {post_tokens}.post_id AND {post_tokens}.token_id IN ()'; 375 } 376 */ 371 $paramset['ignore_permissions'] = true; 372 if(!isset($paramset['ignore_permissions'])) { 373 $permission_token_ids = isset($paramset['override_permissions']) ? $paramset['override_permissions'] : ACL::user_tokens(User::identify(), 'read'); 374 if(User::identify()->can('own_posts', 'read')) { 375 376 } 377 foreach(Post::list_active_post_types() as $name => $posttype) { 378 if(User::identify()->can(Utils::slugify($name) . '_post_type', 'read')) { 379 380 } 381 } 382 $joins['post_tokens__posts']= ' JOIN {post_tokens} ON {posts}.id= {post_tokens}.post_id AND ({post_tokens}.token_id IN ('.implode(',', $permission_token_ids).'))'; 383 } 377 384 378 385 // Concatenate the WHERE clauses -
trunk/htdocs/system/classes/theme.php
r2851 r2862 107 107 } 108 108 109 if( !$this->template_engine->assigned( 'loggedin' ) ) { 110 $this->assign('loggedin', User::identify()->loggedin ); 111 } 112 109 113 if( !$this->template_engine->assigned( 'page' ) ) { 110 114 $this->assign('page', isset( $this->page ) ? $this->page : 1 ); … … 165 169 unset( $where_filters['tag'] ); 166 170 } 167 if ( User::identify() ) {171 if ( User::identify()->loggedin ) { 168 172 $where_filters['status']= isset( $_GET['preview'] ) ? Post::status( 'any' ) : Post::status( 'published' ); 169 173 } … … 221 225 $$key = $value; 222 226 } 223 227 224 228 $this->assign( 'page', isset($page)? $page:1 ); 225 229 -
trunk/htdocs/system/classes/user.php
r2825 r2862 30 30 31 31 private $group_list = null; 32 32 33 33 protected $url_args; 34 34 … … 87 87 } 88 88 } 89 return false; 89 $anonymous = new User(); 90 Plugins::act('create_anonymous_user', $anonymous); 91 return $anonymous; 90 92 } 91 93 … … 412 414 { 413 415 return ACL::user_can( $this, $permission, $access ); 416 } 417 418 /** 419 * Determine if a user has been denied a specific permission 420 * 421 * @param string $permission The name of the permission to detect 422 * @return boolean True if this user has the requested permission, false if not 423 */ 424 public function cannot( $permission ) 425 { 426 return ACL::user_cannot( $this, $permission ); 414 427 } 415 428 … … 527 540 case 'displayname': 528 541 return ( empty($this->info->displayname) ) ? $this->username : $this->info->displayname; 542 case 'loggedin': 543 return $this->id != 0; 529 544 default: 530 545 return parent::__get( $name ); -
trunk/htdocs/system/classes/userhandler.php
r2752 r2862 18 18 $name = InputFilter::filter( Controller::get_var( 'habari_username' ) ); 19 19 $pass = InputFilter::filter( Controller::get_var( 'habari_password' ) ); 20 21 20 21 22 22 if ( ( NULL != $name ) || ( NULL != $pass ) ) { 23 23 $user = User::authenticate( $name, $pass ); … … 28 28 $user->info->authenticate_time = date( 'Y-m-d H:i:s' ); 29 29 $user->update(); 30 30 31 31 // Remove left over expired session error message. 32 32 if ( Session::has_errors( 'expired_session' ) ) { … … 43 43 Session::add_to_set( 'last_form_data', $last_form_data['get'], 'get' ); 44 44 } 45 45 46 46 /* Redirect to the correct admin page */ 47 47 $dest = explode( '/', substr( $login_session['original'], strpos( $login_session['original'], 'admin/' ) ) ); … … 93 93 { 94 94 // get the user from their cookie 95 if ( $user = User::identify() ) { 95 $user = User::identify(); 96 if ( $user->loggedin ) { 96 97 Plugins::act( 'user_logout', $user ); 97 98 // delete the cookie, and destroy the object -
trunk/htdocs/system/plugins/undelete/undelete.plugin.php
r2592 r2862 3 3 /** 4 4 * Undelete Class 5 * 5 * 6 6 * This class provides undelete functionality for posts and comments, and 7 7 * provides a trashcan interface for restoring items. … … 41 41 } 42 42 } 43 43 44 44 /** 45 45 * function actions_plugins_loaded … … 53 53 /** 54 54 * function filter_allow_post_delete 55 * This function is executed when the filter "before_post_delete" is 55 * This function is executed when the filter "before_post_delete" is 56 56 * called just before a post is to be deleted. 57 57 * This filter should return a boolean value to indicate whether … … 79 79 } 80 80 } 81 81 82 82 function filter_post_actions($actions, $post) { 83 83 if($post->status == Post::status('deleted')) { … … 85 85 $actions['remove']['title']= _t('Permanently delete this post'); 86 86 } 87 87 88 88 return $actions; 89 89 } … … 128 128 $ui->out(); 129 129 break; 130 &