Merge 2.2 into 2.x

COPYRIGHT.txt

@@ -1,14 +1,15 @@
 The follow individuals, companies, or entities have contributed significant 
 code to the Elgg project and share the copyright. (In alphabetical order.)
 
-Organizations:
-The MITRE Corportation (jricher@mitre.org)
-Curverider Ltd (info@elgg.com)
-
-Individuals:
 Steve Clay (steve@mrclay.org)
 Cash Costello (cash.costello@gmail.com)
 Brett Profitt (brett.profitt@gmail.com)
 Dave Tosh (davidgtosh@gmail.com)
 Ben Werdmuller (ben@benwerd.com)
 Evan Winslow (evan.b.winslow@gmail.com)
+
+Organizations:
+The MITRE Corportation (jricher@mitre.org)
+Curverider Ltd (info@elgg.com)
+
+When adding to this list, update the list of copyright owners in LICENSE.txt.

LICENSE.txt

@@ -1,3 +1,48 @@
+Bundled plugins (the contents of the "/mod" directory) are available
+only under the GPLv2 license.
+
+The remainder of the project is available under either MIT or GPLv2.
+
+Both licenses can be found below.
+
+More info: http://learn.elgg.org/en/latest/intro/license.html
+
+------------------------------------------------------------------------
+
+The MIT License (MIT)
+Copyright (c) 2016 The following parties:
+
+	Steve Clay (steve@mrclay.org)
+	Cash Costello (cash.costello@gmail.com)
+	Brett Profitt (brett.profitt@gmail.com)
+	Dave Tosh (davidgtosh@gmail.com)
+	Ben Werdmuller (ben@benwerd.com)
+	Evan Winslow (evan.b.winslow@gmail.com)
+
+	The MITRE Corportation (jricher@mitre.org)
+	Curverider Ltd (info@elgg.com)
+
+Permission is hereby granted, free of charge, to any person obtaining a
+copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to permit
+persons to whom the Software is furnished to do so, subject to the
+following conditions:
+
+The above copyright notice and this permission notice shall be included
+in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
+OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
+CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
+TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
+SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+------------------------------------------------------------------------
+
 		    GNU GENERAL PUBLIC LICENSE
                        Version 2, June 1991
 

engine/classes/Elgg/BootData.php

@@ -125,20 +125,22 @@ public function populate(\stdClass $config, Database $db, EntityTable $entities,
 		$guids = array_values($guids);
 		$guids = array_diff($guids, $unsuitable_guids);
 
-		// get the settings
-		$set = implode(',', $guids);
-		$rows = $db->getData("
-			SELECT entity_guid, `name`, `value`
-			FROM {$db->prefix}private_settings
-			WHERE entity_guid IN ($set)
-			  AND name NOT LIKE 'plugin:user_setting:%'
-			  AND name NOT LIKE 'elgg:internal:%'
-			ORDER BY entity_guid
-		");
-		// make sure we show all entities as loaded
-		$this->plugin_settings = array_fill_keys($guids, []);
-		foreach ($rows as $i => $row) {
-			$this->plugin_settings[$row->entity_guid][$row->name] = $row->value;
+		if ($guids) {
+			// get the settings
+			$set = implode(',', $guids);
+			$rows = $db->getData("
+				SELECT entity_guid, `name`, `value`
+				FROM {$db->prefix}private_settings
+				WHERE entity_guid IN ($set)
+				  AND name NOT LIKE 'plugin:user_setting:%'
+				  AND name NOT LIKE 'elgg:internal:%'
+				ORDER BY entity_guid
+			");
+			// make sure we show all entities as loaded
+			$this->plugin_settings = array_fill_keys($guids, []);
+			foreach ($rows as $i => $row) {
+				$this->plugin_settings[$row->entity_guid][$row->name] = $row->value;
+			}
 		}
 	}
 

engine/classes/Elgg/BootService.php

@@ -141,7 +141,9 @@ public function boot() {
 
 		// finish boot sequence
 		_elgg_session_boot();
-		_elgg_services()->systemCache->loadAll();
+		if ($CONFIG->system_cache_enabled) {
+			_elgg_services()->systemCache->loadAll();
+		}
 		_elgg_services()->translator->loadTranslations();
 
 		// we always need site->email and user->icontime, so load them together

engine/classes/Elgg/Database/AccessCollections.php

@@ -393,6 +393,9 @@ public function getWhereSql(array $options = array()) {
 	 * @return bool
 	 */
 	public function hasAccessToEntity($entity, $user = null) {
+		if (!$entity instanceof \ElggEntity) {
+			return false;
+		}
 
 		// See #7159. Must not allow ignore access to affect query
 		$ia = elgg_set_ignore_access(false);

engine/classes/ElggCrypto.php

@@ -25,15 +25,15 @@ class ElggCrypto {
 	/**
 	 * @var SiteSecret
 	 */
-	private $siteSecret;
+	private $site_secret;
 
 	/**
 	 * Constructor
 	 *
-	 * @param SiteSecret $siteSecret Secret service
+	 * @param SiteSecret $site_secret Secret service
 	 */
-	public function __construct(SiteSecret $siteSecret) {
-		$this->siteSecret = $siteSecret;
+	public function __construct(SiteSecret $site_secret = null) {
+		$this->site_secret = $site_secret;
 	}
 
 	/**
@@ -185,7 +185,7 @@ public function getRandomBytes($length) {
 	 */
 	public function getHmac($data, $algo = 'sha256', $key = '') {
 		if (!$key) {
-			$key = $this->siteSecret->get(true);
+			$key = $this->site_secret->get(true);
 		}
 		return new Elgg\Security\Hmac($key, [$this, 'areEqual'], $data, $algo);
 	}

engine/classes/ElggEntity.php

@@ -1608,12 +1608,6 @@ protected function update() {
 
 		_elgg_services()->boot->invalidateCache($this->guid);
 
-		if (!has_access_to_entity($this)) {
-			// Why worry about this case? If access control was off when the user fetched $this, but
-			// was turned back on again. Better to just bail than to turn access control off again.
-			return false;
-		}
-
 		if (!$this->canEdit()) {
 			return false;
 		}

engine/classes/ElggSession.php

@@ -213,7 +213,7 @@ public function setLoggedInUser(\ElggUser $user) {
 	/**
 	 * Gets the logged in user
 	 * 
-	 * @return \ElggUser
+	 * @return \ElggUser|null
 	 * @since 1.9
 	 */
 	public function getLoggedInUser() {

engine/lib/output.php

@@ -70,11 +70,14 @@ function elgg_autop($string) {
  * @since 1.7.2
  */
 function elgg_get_excerpt($text, $num_chars = 250) {
+	$view = 'output/excerpt';
 	$vars = [
 		'text' => $text,
 		'num_chars' => $num_chars,
 	];
-	return elgg_view('output/excerpt', $vars);
+	$viewtype = elgg_view_exists($view) ? '' : 'default';
+
+	return _elgg_view_under_viewtype($view, $vars, $viewtype);
 }
 
 /**

engine/lib/views.php

@@ -1140,9 +1140,12 @@ function elgg_view_title($title, array $vars = array()) {
  * @since 1.7.2
  */
 function elgg_view_friendly_time($time) {
-	return elgg_view('output/friendlytime', array('time' => $time));
-}
+	$view = 'output/friendlytime';
+	$vars = ['time' => $time];
+	$viewtype = elgg_view_exists($view) ? '' : 'default';
 
+	return _elgg_view_under_viewtype($view, $vars, $viewtype);
+}
 
 /**
  * Returns rendered comments and a comment form for an entity.
@@ -1927,6 +1930,32 @@ function _elgg_get_js_page_data() {
 	return $elgg;
 }
 
+/**
+ * Render a view while the global viewtype is temporarily changed. This makes sure that
+ * nested views use the same viewtype.
+ *
+ * @param string  $view     View name
+ * @param array   $vars     View vars
+ * @param string  $viewtype Temporary viewtype ('' to leave current)
+ *
+ * @return mixed
+ * @access private
+ */
+function _elgg_view_under_viewtype($view, $vars, $viewtype) {
+	if ($viewtype) {
+		$old = elgg_get_viewtype();
+		elgg_set_viewtype($viewtype);
+	}
+
+	$ret = elgg_view($view, $vars);
+
+	if ($viewtype) {
+		elgg_set_viewtype($old);
+	}
+
+	return $ret;
+}
+
 return function(\Elgg\EventsService $events, \Elgg\HooksRegistrationService $hooks) {
 	$events->registerHandler('boot', 'system', 'elgg_views_boot');
 	$hooks->registerHandler('view_vars', 'all', '_elgg_manage_pagesetup', 1000);

engine/tests/ElggCoreAccessSQLTest.php

@@ -179,6 +179,49 @@ public function testAccessPluginHookAddAnd() {
 		$this->assertTrue($this->assertSqlEqual($ans, $sql), "$sql does not match $ans");
 	}
 
+	public function testHasAccessToEntity() {
+		$session = elgg_get_session();
+		$test_user = $session->getLoggedInUser();
+
+		$object = new ElggObject();
+		$object->access_id = ACCESS_PRIVATE;
+		$object->save();
+
+		$session->removeLoggedInUser();
+		$this->assertFalse(has_access_to_entity($object));
+		$this->assertFalse(has_access_to_entity($object, $this->user));
+		$session->setLoggedInUser($test_user);
+
+		$object->access_id = ACCESS_PUBLIC;
+		$object->save();
+
+		$session->removeLoggedInUser();
+		$this->assertTrue(has_access_to_entity($object));
+		$this->assertTrue(has_access_to_entity($object, $this->user));
+		$session->setLoggedInUser($test_user);
+
+		$object->access_id = ACCESS_LOGGED_IN;
+		$object->save();
+
+		$session->removeLoggedInUser();
+		$this->assertFalse(has_access_to_entity($object));
+		$this->assertTrue(has_access_to_entity($object, $this->user));
+		$session->setLoggedInUser($test_user);
+
+		$test_user->addFriend($this->user->guid);
+
+		$object->access_id = ACCESS_FRIENDS;
+		$object->save();
+
+		$session->removeLoggedInUser();
+		$this->assertFalse(has_access_to_entity($object));
+		$this->assertTrue(has_access_to_entity($object, $this->user));
+		$session->setLoggedInUser($test_user);
+
+		$test_user->removeFriend($this->user->guid);
+		$object->delete();
+	}
+
 	public function addAndCallback($hook, $type, $clauses, $params) {
 		$clauses['ands'][] = '57 > 32';
 		return $clauses;
@@ -215,4 +258,4 @@ protected function getLoggedOutAccessListClause($table_alias) {
 		$table_alias = $table_alias ? $table_alias . '.' : '';
 		return "{$table_alias}access_id IN (2)";
 	}
-}
+}

engine/tests/ElggCoreMetadataAPITest.php

@@ -161,8 +161,7 @@ public function test_elgg_metadata_multiple_values() {
 
 		// need to fake different logins.
 		// good times without mocking.
-		$original_user = elgg_get_logged_in_user_entity();
-		$_SESSION['user'] = $u1;
+		$original_user = $this->replaceSession($u1);
 
 		elgg_set_ignore_access(false);
 
@@ -182,7 +181,7 @@ public function test_elgg_metadata_multiple_values() {
 		}
 
 		// add md w/ same name as a different user
-		$_SESSION['user'] = $u2;
+		$this->replaceSession($u2);
 		$md_values2 = array(
 			'four',
 			'five',
@@ -202,7 +201,7 @@ public function test_elgg_metadata_multiple_values() {
 			$this->assertEqual('test', $md->name);
 		}
 
-		$_SESSION['user'] = $original_user;
+		$this->replaceSession($original_user);
 
 		$obj->delete();
 		$u1->delete();

engine/tests/ElggCoreUnitTest.php

@@ -48,6 +48,23 @@ public function assertIdenticalEntities(\ElggEntity $first, \ElggEntity $second,
 		return $this->assert(new IdenticalEntityExpectation($first), $second, $message);
 	}
 
+	/**
+	 * Replace the current user session
+	 *
+	 * @param ElggUser $user New user to login as (null to log out)
+	 * @return ElggUser|null Removed session user (or null)
+	 */
+	public function replaceSession(ElggUser $user = null) {
+		$session = elgg_get_session();
+		$old = $session->getLoggedInUser();
+		if ($user) {
+			$session->setLoggedInUser($user);
+		} else {
+			$session->removeLoggedInUser();
+		}
+		return $old;
+	}
+
 }
 
 /**

engine/tests/ElggEntityTest.php

@@ -379,4 +379,37 @@ public function testCreateWithContainerGuidEqualsZero() {
 		$user->delete();
 
 	}
+
+	public function testUpdateAbilityDependsOnCanEdit() {
+		$this->entity->access_id = ACCESS_PRIVATE;
+
+		$this->assertTrue($this->entity->save());
+
+		// even owner can't bypass permissions
+		elgg_register_plugin_hook_handler('permissions_check', 'object', [Elgg\Values::class, 'getFalse'], 999);
+		$this->assertFalse($this->entity->save());
+		elgg_unregister_plugin_hook_handler('permissions_check', 'object', [Elgg\Values::class, 'getFalse']);
+
+		$user = new ElggUser();
+		$user->save();
+		$old_user = $this->replaceSession($user);
+
+		$this->assertFalse($this->entity->save());
+
+		elgg_register_plugin_hook_handler('permissions_check', 'object', [Elgg\Values::class, 'getTrue']);
+
+		// even though this user can't look up the entity via the DB, permission allows update.
+		$this->assertFalse(has_access_to_entity($this->entity, $user));
+		$this->assertTrue($this->entity->save());
+
+		elgg_unregister_plugin_hook_handler('permissions_check', 'object', [Elgg\Values::class, 'getTrue']);
+
+		// can save with access ignore
+		$ia = elgg_set_ignore_access();
+		$this->assertTrue($this->entity->save());
+		elgg_set_ignore_access($ia);
+
+		$this->replaceSession($old_user);
+		$user->delete();
+	}
 }