Commit c2f8961f authored by Alan McNatty's avatar Alan McNatty

Merge branch 'master' of git://gitorious.org/mahara/mahara

Conflicts:
	htdocs/artefact/file/mobileupload.php
	htdocs/auth/user.php
parents ed794dfd 1c807f3f
......@@ -602,6 +602,39 @@ class ArtefactTypeComment extends ArtefactType {
}
return $url;
}
// Check whether the logged-in user can see a comment within the
// context of a given view. Does not check whether the user can
// view the view.
public function viewable_in($viewid) {
global $USER;
if ($this->get('deletedby')) {
return false;
}
if ($USER->is_logged_in()) {
if ($USER->can_view_artefact($this)) {
return true;
}
if ($this->get('author') == $USER->get('id')) {
return true;
}
}
if ($this->get('private')) {
return false;
}
if ($onview = $this->get('onview')) {
return $onview == $viewid;
}
if ($onartefact = $this->get('onartefact')) {
return artefact_in_view($onartefact, $viewid);
}
return false;
}
}
/* To make private comments public, both the author and the owner must agree. */
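Review bot: The author test in `viewable_in` uses loose comparison, `if ($this->get('author') == $USER->get('id'))`; both sides are ids, so `if ((int) $this->get('author') === (int) $USER->get('id')) {` makes the intent explicit and avoids PHP's string/int coercion rules. The leading comment should become a docblock stating the contract: `@param int $viewid`, `@return bool`, and the existing sentence that access to the view itself is not checked and remains the caller's job. It is also worth spelling out that when `$USER->can_view_artefact($this)` succeeds the method returns true without ever looking at `$viewid`, so a true result does not prove the comment belongs to that view.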
......
......@@ -26,7 +26,7 @@
{if $item->makepublicrequested} | <span>{str tag=youhaverequestedpublic section=artefact.comment}</span>{/if}
{strip}
{foreach $item->attachments item=a name=attachments}
{if $.foreach.attachments.first} | <span>{str tag=Attachments section=artefact.comment}:{else},{/if} <a href="{$WWWROOT}artefact/file/download.php?file={$a->attachid}">{$a->attachtitle}</a> ({$a->attachsize})</span>
{if $.foreach.attachments.first} | <span>{str tag=Attachments section=artefact.comment}:{else},{/if} <a href="{$WWWROOT}artefact/file/download.php?file={$a->attachid}&comment={$item->id}&view={$viewid}">{$a->attachtitle}</a> ({$a->attachsize})</span>
{/foreach}
{/strip}
{if $item->canedit} | <span><a href="{$WWWROOT}artefact/comment/edit.php?id={$item->id}&view={$viewid}" class="btn-edit">{str tag=edit}</a></span>{/if}
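Review bot: The added `&comment={$item->id}&view={$viewid}` parameters assume `$viewid` is assigned everywhere this template is rendered; if the comment list is also shown without a view context (not visible here), the link carries an empty `view=` and download.php's `if ($viewid && $fileid)` branch is skipped, so the comment-based check never runs. Either confirm `$viewid` is always set or wrap the extra parameters in `{if $viewid}…{/if}`. Minor: bare `&` inside an href matches the existing edit link below, but `&amp;` is the well-formed form inside an HTML attribute.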
......
......@@ -275,7 +275,7 @@ class PluginBlocktypeInternalmedia extends PluginBlocktype {
$type = 'type: "audio",'; // force the player to use the audio plugin
$buffering = 'false'; // without this autoPlay will also be set to true
$audio = ', audio: {
url: "' . $baseurl . 'flowplayer.audio/flowplayer.audio-3.2.1.swf",
url: "' . $baseurl . 'flowplayer.audio/flowplayer.audio-3.2.1.swf"
}';
}
......
......@@ -47,7 +47,20 @@ else {
}
if ($viewid && $fileid) {
if (!artefact_in_view($fileid, $viewid)) {
// The user may be trying to download a file that's not in the view, but which has
// been attached to public feedback on the view
if ($commentid = param_integer('comment', null)) {
if (!record_exists('artefact_attachment', 'artefact', $commentid, 'attachment', $fileid)) {
throw new AccessDeniedException('');
}
safe_require('artefact', 'comment');
$comment = new ArtefactTypeComment($commentid);
if (!$comment->viewable_in($viewid)) {
throw new AccessDeniedException('');
}
}
else if (!artefact_in_view($fileid, $viewid)) {
throw new AccessDeniedException('');
}
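Review bot: The new comment branch verifies that the file is attached to `$commentid` and that the comment is viewable in `$viewid`, but `ArtefactTypeComment::viewable_in` is documented as not checking whether the user can see the view, so this branch is only safe if access to `$viewid` was already validated before this block — that code is outside the hunk, please confirm it exists. `record_exists('artefact_attachment', 'artefact', $commentid, 'attachment', $fileid)` does not constrain the attaching artefact to be a comment, so any artefact id with an attachment reaches `new ArtefactTypeComment($commentid)`; whether the constructor rejects a type mismatch is not visible here, so either add the artefacttype constraint to the lookup or catch the constructor's exception and rethrow `AccessDeniedException`. The surviving comment still says the comment path applies when the file is not in the view, but the new code skips `artefact_in_view` whenever `comment` is present; update it to `// A comment id was supplied: the file must be attached to that comment and the comment must be viewable in this view.`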
......
......@@ -36,63 +36,81 @@ if ($protocol != 'HTTP/1.1') {
$protocol = 'HTTP/1.0';
}
if ( ! get_config('allowmobileuploads') ) {
header($protocol.' 500 Mobile uploads disabled');
exit;
if (!get_config('allowmobileuploads')) {
header($protocol.' 500 Mobile uploads disabled');
exit;
}
$token = '';
try {
$token = param_variable('token');
$token = trim($token);
$token = param_variable('token');
$token = trim($token);
}
catch (ParameterException $e) {
$token = '';
$token = '';
}
if ( $token == '' ) {
header($protocol.' 500 Auth token cannot be blank');
exit;
if ($token == '') {
header($protocol.' 500 Auth token cannot be blank');
exit;
}
$username = '';
try {
$username = param_variable('username');
}
catch (ParameterException $e) {
$username = '';
}
if ($username == '') {
header($protocol.' 500 Username cannot be blank');
exit;
}
$data = new StdClass;
$USER = new User();
try {
$USER->find_by_mobileuploadtoken($token);
$USER->find_by_mobileuploadtoken($token, $username);
}
catch (AuthUnknownUserException $e) {
header($protocol.' 500 Invalid user token');
exit;
header($protocol.' 500 Invalid user token');
exit;
}
$data->owner = $USER->get('id'); // id of owner
$folder = '';
try {
$folder = param_variable('foldername');
$folder = trim($folder);
if ( $folder ) {
// TODO: create if doesn't exist - note assumes it is a base folder (hence null parent)
$artefact = ArtefactTypeFolder::get_folder_by_name($folder, null, $data->owner); // id of folder you're putting the file into
if ( $artefact ) {
$data->parent = $artefact->id;
if ( $data->parent == 0 ) $data->parent = null;
} else {
$fd = (object) array( 'owner' => $data->owner,
'title' => $folder,
'parent' => null,
);
$f = new ArtefactTypeFolder(0, $fd);
$f->commit();
$data->parent = $f->get('id');
}
} else {
$data->parent = null;
}
$folder = param_variable('foldername');
$folder = trim($folder);
if ($folder) {
// TODO: create if doesn't exist - note assumes it is a base folder (hence null parent)
$artefact = ArtefactTypeFolder::get_folder_by_name($folder, null, $data->owner); // id of folder you're putting the file into
if ($artefact) {
$data->parent = $artefact->id;
if ($data->parent == 0) {
$data->parent = null;
}
}
else {
$fd = (object) array(
'owner' => $data->owner,
'title' => $folder,
'parent' => null,
);
$f = new ArtefactTypeFolder(0, $fd);
$f->commit();
$data->parent = $f->get('id');
}
}
else {
$data->parent = null;
}
}
catch (ParameterException $e) {
$data->parent = null;
$data->parent = null;
}
$originalname = $_FILES['userfile']['name'];
......@@ -104,14 +122,13 @@ try {
$newid = ArtefactTypeFile::save_uploaded_file('userfile', $data);
}
catch (QuotaExceededException $e) {
header($protocol.' 500 Quota exceeded');
exit;
header($protocol.' 500 Quota exceeded');
exit;
}
catch (UploadException $e) {
header($protocol.' 500 Failed to save file');
exit;
header($protocol.' 500 Failed to save file');
exit;
}
// Here we need to create a new hash - update our own store of it and return it too the handset
echo $USER->refresh_mobileuploadtoken();
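Review bot: The newly added `$username = param_variable('username');` is not trimmed, while the token immediately above it is, so a client sending padded input matches on the token but not on `u.username = ?`; add `$username = trim($username);` for consistency. Every failure in this file, including the authentication failures (blank token, unknown token/username pair), is reported as HTTP 500, which reads as a server fault to clients and monitoring; `401`/`403` for the auth cases and `403` for the disabled-feature case would be accurate, provided the mobile client is updated alongside. The file continues past the hunk, so I cannot see whether `$_FILES['userfile']` is checked before the last context line reads `$_FILES['userfile']['name']`; if not, a request without a file raises an undefined-index notice before `save_uploaded_file` runs.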
......@@ -263,14 +263,14 @@ class User {
*
* @throws AuthUnknownUserException If the user cannot be found.
*/
public function find_by_mobileuploadtoken($token) {
public function find_by_mobileuploadtoken($token, $username) {
if (!is_string($token)) {
throw new InvalidArgumentException('Input parameters must be strings to create a User object from token');
}
$sql = 'SELECT
u.*,
u.*,
' . db_format_tsfield('u.expiry', 'expiry') . ',
' . db_format_tsfield('u.lastlogin', 'lastlogin') . ',
' . db_format_tsfield('u.lastlastlogin', 'lastlastlogin') . ',
......@@ -280,10 +280,10 @@ class User {
FROM
{usr} u
LEFT JOIN {usr_account_preference} p ON u.id = p.usr
WHERE p.field=\'mobileuploadtoken\' and p.value = ?
WHERE p.field=\'mobileuploadtoken\' AND p.value = ? AND u.username = ?
';
$user = get_record_sql($sql, array($token));
$user = get_record_sql($sql, array($token, $username));
if (false == $user) {
throw new AuthUnknownUserException("User with mobile upload token \"$token\" is not known");
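Review bot: The new `$username` parameter is not covered by the type guard at the top of `find_by_mobileuploadtoken`, although the exception text says "Input parameters must be strings"; extend it to `if (!is_string($token) || !is_string($username)) {`. The docblock above should gain `@param string $username Username the token must belong to`. The exception on the last line embeds the raw token in its message, so a failed lookup can write a mistyped-but-otherwise-valid bearer token into logs; consider omitting it or reporting only the username. The method body continues past the hunk.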
......
......@@ -36,6 +36,7 @@ safe_require('interaction', 'forum');
require_once('group.php');
require_once(get_config('docroot') . 'interaction/lib.php');
require_once('pieforms/pieform.php');
require_once('antispam.php');
$postid = param_integer('id', 0);
......@@ -175,6 +176,12 @@ $editform = pieform(array(
),
));
function editpost_validate(Pieform $form, $values) {
if ($baddomain = get_first_blacklisted_domain($values['body'])) {
$form->set_error('body', get_string('blacklisteddomaininurl', 'mahara', $baddomain));
}
}
function editpost_submit(Pieform $form, $values) {
global $USER, $SESSION;
$postid = param_integer('id');
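Review bot: `editpost_validate` checks only `$values['body']`; if the edit form also has a subject field (not visible in the hunk), it receives the same untrusted text and needs the same check. `get_first_blacklisted_domain` resolves every URL in the body against each configured DNS blacklist via `checkdnsrr` inside the request, so a post containing many URLs triggers many synchronous DNS lookups; capping the number of URLs checked would bound request time. The error string is built from the user-supplied domain, which is fine only if pieform escapes error text on output — I cannot verify that here.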
......
......@@ -36,6 +36,7 @@ safe_require('interaction', 'forum');
require_once('group.php');
require_once(get_config('docroot') . 'interaction/lib.php');
require_once('pieforms/pieform.php');
require_once('antispam.php');
$userid = $USER->get('id');
$topicid = param_integer('id', 0);
......@@ -164,6 +165,18 @@ if(!$moderator){
$editform = pieform($editform);
function addtopic_validate(Pieform $form, $values) {
if ($baddomain = get_first_blacklisted_domain($values['body'])) {
$form->set_error('body', get_string('blacklisteddomaininurl', 'mahara', $baddomain));
}
}
function edittopic_validate(Pieform $form, $values) {
if ($baddomain = get_first_blacklisted_domain($values['body'])) {
$form->set_error('body', get_string('blacklisteddomaininurl', 'mahara', $baddomain));
}
}
function addtopic_submit(Pieform $form, $values) {
global $USER, $SESSION;
$forumid = param_integer('forum');
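Review bot: `addtopic_validate` and `edittopic_validate` are identical copies of the same blacklist check; since `antispam.php` is already required, a single helper such as `function topic_body_validate(Pieform $form, $values)` called from both keeps them from drifting apart. As with the post form, only `body` is checked; the topic subject is also user text if the form defines one (outside the hunk). `addtopic_submit` begins here and continues past the hunk.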
......
......@@ -43,6 +43,10 @@ Calendar._SDN = new Array
"Sa",
"So");
// First day of the week. "0" means display Sunday first, "1" means display
// Monday first, etc.
Calendar._FD = 1;
// full month names
Calendar._MN = new Array
("Januar",
......@@ -64,7 +68,7 @@ Calendar._SMN = new Array
"Feb",
"M\u00e4r",
"Apr",
"May",
"Mai",
"Jun",
"Jul",
"Aug",
......
......@@ -526,6 +526,7 @@ $string['sendmessage'] = 'Send message';
$string['spamtrap'] = 'Spam trap';
$string['formerror'] = 'There was an error processing your submission. Please try again.';
$string['formerroremail'] = 'Contact us at %s if you continue to have problems.';
$string['blacklisteddomaininurl'] = 'A url in this field contains the blacklisted domain %s.';
$string['notinstallable'] = 'Not installable!';
$string['installedplugins'] = 'Installed plugins';
......
......@@ -45,6 +45,13 @@ function new_spam_trap($fields) {
return new $spamclass($fields);
}
function get_first_blacklisted_domain($text) {
$spamtrap = new_spam_trap(array());
if ($baddomain = $spamtrap->has_blacklisted_urls($text)) {
return $baddomain;
}
}
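Review bot: `get_first_blacklisted_domain` falls off the end and returns `null` when nothing is blacklisted, while the `has_blacklisted_urls` method it wraps returns `false`; add an explicit `return false;` after the `if` and a docblock `/** @param string $text  @return string|false first blacklisted domain found, or false */`. Callers use it in a truthy test so behaviour is unchanged, but the explicit return makes the contract clear. Note it builds a fresh spam trap on each call, so the DNS lookups performed by `AdvancedSpamTrap` are repeated for every validation.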
// windows has no checkdnsrr until PHP 5.3
if (!function_exists('checkdnsrr')) {
function checkdnsrr($host, $type='MX') {
......
......@@ -66,7 +66,7 @@ class AdvancedSpamTrap extends SimpleSpamTrap {
$domain = $match[2];
foreach ($blacklists as $bl) {
if (checkdnsrr($domain . '.' . $bl, 'A')) {
return true;
return $domain;
}
}
return false;
......@@ -82,5 +82,17 @@ class AdvancedSpamTrap extends SimpleSpamTrap {
}
return $score;
}
// Call this when you want to know if there's a url with a
// blacklisted domain in some text but you don't care how many
// non-blacklisted ones there are.
public function has_blacklisted_urls($string) {
foreach ($this->get_urls($string) as $url) {
if ($domain = $this->blacklisted_url($url)) {
return $domain;
}
}
return false;
}
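Review bot: `blacklisted_url` now returns the domain string instead of `true`, changing its return type from `bool` to `string|false`; any caller comparing with `=== true` (the scoring loop later in this class is outside the hunk) would silently stop matching, so please check the other callers. The comment on `has_blacklisted_urls` should be a docblock: `@param string $string text to scan for URLs` and `@return string|false the first blacklisted domain, or false when none is found`.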
}
......@@ -54,4 +54,8 @@ class NoneSpamTrap {
}
return false;
}
public function has_blacklisted_urls($string) {
return false;
}
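Review bot: The new `has_blacklisted_urls` stub in `NoneSpamTrap` has no docblock saying that never flagging anything is intentional for this trap; add `/** The none trap performs no blacklist checking. @return false */` so it is not mistaken for an unimplemented method.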
}
......@@ -1718,17 +1718,17 @@ function get_view_from_token($token, $visible=true) {
);
if ($order) {
if ($token != get_cookie('caccess:'.$order[0]->collection)) {
set_cookie('caccess:'.$order[0]->collection, $token);
set_cookie('caccess:'.$order[0]->collection, $token, 0, true);
}
return $order[0]->view;
}
}
$viewid = $viewids[0];
if (!$visible && $token != get_cookie('mviewaccess:'.$viewid)) {
set_cookie('mviewaccess:'.$viewid, $token);
set_cookie('mviewaccess:'.$viewid, $token, 0, true);
}
if ($visible && $token != get_cookie('viewaccess:'.$viewid)) {
set_cookie('viewaccess:'.$viewid, $token);
set_cookie('viewaccess:'.$viewid, $token, 0, true);
}
return $viewid;
}
......
......@@ -1333,10 +1333,13 @@ function get_cookies($prefix) {
* @param int $expires The unix timestamp of the time the cookie should expire
* @todo path/domain/secure: should be set automatically by this function if possible (?)
*/
function set_cookie($name, $value='', $expires=0) {
function set_cookie($name, $value='', $expires=0, $access=false) {
$name = get_config('cookieprefix') . $name;
$url = parse_url(get_config('wwwroot'));
setcookie($name, $value, $expires, $url['path'], $url['host'], false);
if ($access) { // View access cookies may be needed on this request
$_COOKIE[$name] = $value;
}
}
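Review bot: `setcookie($name, $value, $expires, $url['path'], $url['host'], false)` passes `secure=false` and omits `httponly`, yet cookies written through this helper now carry view-access tokens, which are bearer credentials readable by any script on the page; change it to `setcookie($name, $value, $expires, $url['path'], $url['host'], $url['scheme'] === 'https', true);` (the @todo above already asks for this). The docblock should document the new parameter: `@param bool $access When true, also store the value in $_COOKIE so code later in this request can read it`. The `$_COOKIE` write-through makes the request trust a value that did not come from the client, which is acceptable only because callers pass an already-validated token; a comment stating that assumption would help.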
/**
......