Merge branch 'develop'
fplanque committed Jan 19, 2017
2 parents 551702a + 255e4d1 commit e35f7c1
Showing 97 changed files with 4,503 additions and 608 deletions.
2 changes: 2 additions & 0 deletions Gruntfile.js
Expand Up @@ -229,6 +229,7 @@ module.exports = function(grunt) {
'rsc/js/src/evo_user_contact_groups.js',
'rsc/js/src/evo_rest_api.js',
'rsc/js/src/evo_item_flag.js',
'rsc/js/src/evo_links.js',
'rsc/js/ajax.js'],
dest: 'rsc/js/build/evo_frontoffice.bmin.js'
},
Expand All @@ -245,6 +246,7 @@ module.exports = function(grunt) {
'rsc/js/src/evo_user_contact_groups.js',
'rsc/js/src/evo_rest_api.js',
'rsc/js/src/evo_item_flag.js',
'rsc/js/src/evo_links.js',
'rsc/js/ajax.js'],
dest: 'rsc/js/build/bootstrap-evo_frontoffice.bmin.js'
},
7 changes: 7 additions & 0 deletions conf/_advanced.php
Expand Up @@ -667,6 +667,13 @@
$dirpath_max_length = ( ( ( strtoupper( substr( PHP_OS, 0, 3 ) ) ) === 'WIN' ) ? ( 247 - 35 /* the maximum additional path length because of the _evocache folder */ ) : 767 ) - $filename_max_length;


/**
* Allow double dots in file names
* Use TRUE if you want to allow ".." in file and directory names like "..filename" or "dir..name"
*/
$filemanager_allow_dotdot_in_filenames = false;


/**
* XMLRPC logging. Set this to 1 to log XMLRPC calls received by this server (into /xmlsrv/xmlrpc.log).
*
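Review bot: The docblock above `$filemanager_allow_dotdot_in_filenames` says what the flag permits but not why it defaults to false, which is the information an administrator needs before flipping it. Suggest adding a line such as `* Default is FALSE: ".." is also the parent-directory path component, so keep it disabled unless you need such names and the file manager's path checks have been reviewed for it.` Which checks consult this flag is not visible in this hunk.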
6 changes: 3 additions & 3 deletions conf/_application.php
Expand Up @@ -15,13 +15,13 @@
* Note: This has to be compatible with {@link http://us2.php.net/en/version-compare}.
* @global string
*/
$app_version = '6.8.4-stable';
$app_version = '6.8.5-stable';

/**
* Release date (ISO)
* @global string
*/
$app_date = '2017-01-16';
$app_date = '2017-01-19';

/**
* Long version string for checking differences
Expand All @@ -36,7 +36,7 @@
*
* {@internal Before changing this in CVS, it should be discussed! }}
*/
$new_db_version = 12140;
$new_db_version = 12150;

/**
* Minimum PHP version required for b2evolution to function properly. It will contain each module own minimum PHP version as well.
140 changes: 140 additions & 0 deletions htsrv/anon_async.php
Expand Up @@ -1354,11 +1354,151 @@
require $inc_path.'users/views/_user_groups.form.php';
break;

case 'set_object_link_position':
// Change a position of a link on the edit item screen (fieldset "Images & Attachments")

// Check that this action request is not a CSRF hacked request:
$Session->assert_received_crumb( 'link' );

// Check item/comment edit permission below after we have the $LinkOwner object ( we call LinkOwner->check_perm ... )

param('link_ID', 'integer', true);
param('link_position', 'string', true);

// Don't display the inline position reminder again until the user logs out or loses the session cookie
if( $link_position == 'inline' )
{
$Session->set( 'display_inline_reminder', 'false' );
}

$LinkCache = & get_LinkCache();
if( ( $Link = & $LinkCache->get_by_ID( $link_ID ) ) === false )
{ // Bad request with incorrect link ID
echo '';
exit(0);
}
$LinkOwner = & $Link->get_LinkOwner();

// Check permission:
$LinkOwner->check_perm( 'edit', true );

if( $Link->set( 'position', $link_position ) && $Link->dbupdate() )
{ // update was successful
echo 'OK';

// Update last touched date of Owners
$LinkOwner->update_last_touched_date();

if( $link_position == 'cover' && $LinkOwner->type == 'item' )
{ // Position "Cover" can be used only by one link
// Replace previous position with "Inline"
$DB->query( 'UPDATE T_links
SET link_position = "aftermore"
WHERE link_ID != '.$DB->quote( $link_ID ).'
AND link_itm_ID = '.$DB->quote( $LinkOwner->Item->ID ).'
AND link_position = "cover"' );
}
}
else
{ // return the current value on failure
echo $Link->get( 'position' );
}
break;

case 'update_links_order':
// Update the order of all links at one time:

// Check that this action request is not a CSRF hacked request:
$Session->assert_received_crumb( 'link' );

$link_IDs = param( 'links', 'string' );

if( empty( $link_IDs ) )
{ // No links to update, wrong request, exit here:
break;
}

$link_IDs = explode( ',', $link_IDs );

// Check permission by first link:
$LinkCache = & get_LinkCache();
if( ( $Link = & $LinkCache->get_by_ID( $link_IDs[0] ) ) === false )
{ // Bad request with incorrect link ID
exit(0);
}
$LinkOwner = & $Link->get_LinkOwner();
// Check permission:
$LinkOwner->check_perm( 'edit', true );

$DB->begin( 'SERIALIZABLE' );

// Get max order value of the links:
$max_link_order = intval( $DB->get_var( 'SELECT MAX( link_order )
FROM T_links
WHERE link_ID IN ( '.$DB->quote( $link_IDs ).' )' ) );

// Initialize parts of sql queries to update the links order:
$fake_sql_update_strings = '';
$real_sql_update_strings = '';
$real_link_order = 0;
foreach( $link_IDs as $link_ID )
{
$max_link_order++;
$fake_sql_update_strings .= ' WHEN link_ID = '.$DB->quote( $link_ID ).' THEN '.$max_link_order;
$real_link_order++;
$real_sql_update_strings .= ' WHEN link_ID = '.$DB->quote( $link_ID ).' THEN '.$real_link_order;
}

// Do firstly fake ordering start with max order, to avoid duplicate entry error:
$DB->query( 'UPDATE T_links
SET link_order = CASE '.$fake_sql_update_strings.' ELSE link_order END
WHERE link_ID IN ( '.$DB->quote( $link_IDs ).' )' );
// Do real ordering start with number 1:
$DB->query( 'UPDATE T_links
SET link_order = CASE '.$real_sql_update_strings.' ELSE link_order END
WHERE link_ID IN ( '.$DB->quote( $link_IDs ).' )' );

$DB->commit();
break;

case 'test_api':
// Spec action to test API from ctrl=system:
echo 'ok';
break;

case 'get_file_select_item':
$field_params = param( 'params', 'array', true );
$field_name = param( 'field_name', 'string', true );
$root = param( 'root', 'string', true );
$file_path = param( 'path', 'string', true );

$FileCache = & get_FileCache();
list( $root_type, $root_in_type_ID ) = explode( '_', $root, 2 );
if( ! ( $current_File = $FileCache->get_by_root_and_path( $root_type, $root_in_type_ID, $file_path ) ) )
{ // No file:
debug_die( 'No such file' );
// Exit here.
}

if( ! $current_File->is_image() )
{
debug_die( 'Incorrect file type for '.$field_name );
}

// decode params with HTML tags
$field_params['field_item_start'] = base64_decode( $field_params['field_item_start'] );
$field_params['field_item_end'] = base64_decode( $field_params['field_item_end'] );

$current_File->load_meta( true ); // erhsatingin > can we force create file meta in DB here or should this whole thing require login?
$r = file_select_item( $current_File->ID, $field_params );

echo json_encode( array(
'fieldName' => $field_name,
'fieldValue' => $current_File->ID,
'item' => base64_encode( $r )
) );
break;

default:
$Ajaxlog->add( T_('Incorrect action!'), 'error' );
break;
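Review bot: The new `get_file_select_item` case resolves any `root`/`path` pair from the request and calls `$current_File->load_meta( true )` without a crumb check or a permission check, while the two other cases added in this hunk both call `$Session->assert_received_crumb( 'link' )` and `$LinkOwner->check_perm( 'edit', true )` before touching data. Because this file serves anonymous requests, an unauthenticated caller can probe file paths in any root and, as the inline comment on the `load_meta` line itself asks, create file meta rows in the DB; the handler should start with `$Session->assert_received_crumb( 'file' );` followed by a view check on the root in the `check_perm( 'files', 'view', true, $root )` form this commit uses in async.php (guarded for a missing `$current_User`), and the base64-decoded `field_item_start`/`field_item_end` values should be treated as untrusted HTML by `file_select_item()`. Separately, `update_links_order` authorises only the owner of `$link_IDs[0]` but the two UPDATE statements touch every ID in the list, so either each link's owner needs the same `check_perm( 'edit', true )` or the `IN ( ... )` list should be restricted to links of that owner. The enclosing switch starts and ends outside the hunk.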
147 changes: 35 additions & 112 deletions htsrv/async.php
Expand Up @@ -107,7 +107,7 @@
// Highlight lines starting with orgname: or org-name: (case insensitive)
for( $i = 0; $i < count( $result['rawdata'] ); $i++ )
{
if( preg_match( '/^(orgname:|org-name:)/i', $result['rawdata'][$i] ) )
if( preg_match( '/^(orgname:|org-name:|descr:)/i', $result['rawdata'][$i] ) )
{
$result['rawdata'][$i] = '<span style="font-weight: bold; background-color: yellow;">'.$result['rawdata'][$i].'</span>';
}
Expand Down Expand Up @@ -163,113 +163,6 @@
autoform_display_field( $set_path, $r['set_meta'], $Form, $set_type, $Plugin, NULL, $r['set_node'] );
break;

case 'set_object_link_position':
// Change a position of a link on the edit item screen (fieldset "Images & Attachments")

// Check that this action request is not a CSRF hacked request:
$Session->assert_received_crumb( 'link' );

// Check item/comment edit permission below after we have the $LinkOwner object ( we call LinkOwner->check_perm ... )

param('link_ID', 'integer', true);
param('link_position', 'string', true);

// Don't display the inline position reminder again until the user logs out or loses the session cookie
if( $link_position == 'inline' )
{
$Session->set( 'display_inline_reminder', 'false' );
}

$LinkCache = & get_LinkCache();
if( ( $Link = & $LinkCache->get_by_ID( $link_ID ) ) === false )
{ // Bad request with incorrect link ID
echo '';
exit(0);
}
$LinkOwner = & $Link->get_LinkOwner();

// Check permission:
$LinkOwner->check_perm( 'edit', true );

if( $Link->set( 'position', $link_position ) && $Link->dbupdate() )
{ // update was successful
echo 'OK';

// Update last touched date of Owners
$LinkOwner->update_last_touched_date();

if( $link_position == 'cover' && $LinkOwner->type == 'item' )
{ // Position "Cover" can be used only by one link
// Replace previous position with "Inline"
$DB->query( 'UPDATE T_links
SET link_position = "aftermore"
WHERE link_ID != '.$DB->quote( $link_ID ).'
AND link_itm_ID = '.$DB->quote( $LinkOwner->Item->ID ).'
AND link_position = "cover"' );
}
}
else
{ // return the current value on failure
echo $Link->get( 'position' );
}
break;

case 'update_links_order':
// Update the order of all links at one time:

// Check that this action request is not a CSRF hacked request:
$Session->assert_received_crumb( 'link' );

$link_IDs = param( 'links', 'string' );

if( empty( $link_IDs ) )
{ // No links to update, wrong request, exit here:
break;
}

$link_IDs = explode( ',', $link_IDs );

// Check permission by first link:
$LinkCache = & get_LinkCache();
if( ( $Link = & $LinkCache->get_by_ID( $link_IDs[0] ) ) === false )
{ // Bad request with incorrect link ID
exit(0);
}
$LinkOwner = & $Link->get_LinkOwner();
// Check permission:
$LinkOwner->check_perm( 'edit', true );

$DB->begin( 'SERIALIZABLE' );

// Get max order value of the links:
$max_link_order = intval( $DB->get_var( 'SELECT MAX( link_order )
FROM T_links
WHERE link_ID IN ( '.$DB->quote( $link_IDs ).' )' ) );

// Initialize parts of sql queries to update the links order:
$fake_sql_update_strings = '';
$real_sql_update_strings = '';
$real_link_order = 0;
foreach( $link_IDs as $link_ID )
{
$max_link_order++;
$fake_sql_update_strings .= ' WHEN link_ID = '.$DB->quote( $link_ID ).' THEN '.$max_link_order;
$real_link_order++;
$real_sql_update_strings .= ' WHEN link_ID = '.$DB->quote( $link_ID ).' THEN '.$real_link_order;
}

// Do firstly fake ordering start with max order, to avoid duplicate entry error:
$DB->query( 'UPDATE T_links
SET link_order = CASE '.$fake_sql_update_strings.' ELSE link_order END
WHERE link_ID IN ( '.$DB->quote( $link_IDs ).' )' );
// Do real ordering start with number 1:
$DB->query( 'UPDATE T_links
SET link_order = CASE '.$real_sql_update_strings.' ELSE link_order END
WHERE link_ID IN ( '.$DB->quote( $link_IDs ).' )' );

$DB->commit();
break;

case 'edit_comment':
// Used to edit a comment from back-office (Note: Only for meta comments now!)

Expand Down Expand Up @@ -816,9 +709,9 @@
// Check permission:
$current_User->check_perm( 'files', 'add', true, $fileroot_ID );

param( 'path', 'string' );
param( 'oldfile', 'string' );
param( 'newfile', 'string' );
param( 'path', 'filepath' );
param( 'oldfile', 'filepath' );
param( 'newfile', 'filepath' );
param( 'format', 'string' );

$fileroot = explode( '_', $fileroot_ID );
Expand Down Expand Up @@ -863,7 +756,7 @@
param( 'link_owner_ID', 'integer', true );
// Additional params, Used to highlight file/folder
param( 'root', 'string', '' );
param( 'path', 'string', '' );
param( 'path', 'filepath', '' );
param( 'fm_highlight', 'string', '' );

$additional_params = empty( $root ) ? '' : '&amp;root='.$root;
Expand All @@ -879,6 +772,36 @@

break;

case 'file_attachment':
// The content for popup window to link the files to the items/comments

// Check that this action request is not a CSRF hacked request:
$Session->assert_received_crumb( 'file' );

// Check permission:
$current_User->check_perm( 'files', 'view' );

param( 'iframe_name', 'string', '' );
param( 'field_name', 'string', '' );
// Additional params, Used to highlight file/folder
param( 'root', 'string', '' );
param( 'path', 'string', '' );
param( 'fm_highlight', 'string', '' );

$additional_params = empty( $root ) ? '' : '&amp;root='.$root;
$additional_params .= empty( $path ) ? '' : '&amp;path='.$path;
$additional_params .= empty( $fm_highlight ) ? '' : '&amp;fm_highlight='.$fm_highlight;
//$additional_params .= empty( $field_name ) ? '' : '&amp;field_name='.$field_name;

echo '<div style="background:#FFF;height:90%">'
.'<span id="link_attachment_loader" class="loader_img absolute_center" title="'.T_('Loading...').'"></span>'
.'<iframe src="'.$admin_url.'?ctrl=files&amp;mode=upload&amp;field_name='.$field_name.'&amp;ajax_request=1&amp;iframe_name='.$iframe_name.'&amp;fm_mode=file_select'.$additional_params.'"'
.' width="100%" height="100%" marginwidth="0" marginheight="0" align="top" scrolling="auto" frameborder="0"'
.' onload="document.getElementById(\'link_attachment_loader\').style.display=\'none\'">loading</iframe>'
.'</div>';

break;

case 'import_files':
// The content for popup window to import the files for XML importer

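Review bot: In the new `file_attachment` case, `param( 'path', 'string', '' )` still uses the `string` type although this same commit switches every other `path` parameter in async.php and getfile.php to `filepath`, so the new handler misses the stricter validation the commit introduces; it should read `param( 'path', 'filepath', '' );`. The values of `$root`, `$path`, `$fm_highlight`, `$field_name` and `$iframe_name` are then concatenated into the iframe `src` attribute as-is, so unless `param()`'s `string` type already strips quotes and `<` (not visible here) a crafted value can break out of the attribute or inject extra query parameters; `rawurlencode()` on each value makes them safe in both the URL and the attribute context. The unchanged `$additional_params` lines in the hunk at -863 use the same pattern and would benefit from the same treatment. The enclosing switch starts and ends outside the hunk.
```php
param( 'path', 'filepath', '' );
param( 'fm_highlight', 'string', '' );

// Each value goes into a URL that sits inside an HTML attribute; rawurlencode() leaves only
// characters that are safe in both contexts.
$additional_params = empty( $root ) ? '' : '&amp;root='.rawurlencode( $root );
$additional_params .= empty( $path ) ? '' : '&amp;path='.rawurlencode( $path );
$additional_params .= empty( $fm_highlight ) ? '' : '&amp;fm_highlight='.rawurlencode( $fm_highlight );

echo '<div style="background:#FFF;height:90%">'
	// … unchanged: loader span …
	.'<iframe src="'.$admin_url.'?ctrl=files&amp;mode=upload&amp;field_name='.rawurlencode( $field_name ).'&amp;ajax_request=1&amp;iframe_name='.rawurlencode( $iframe_name ).'&amp;fm_mode=file_select'.$additional_params.'"'
	// … unchanged: remaining iframe attributes and closing tags …
```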
2 changes: 1 addition & 1 deletion htsrv/getfile.php
Expand Up @@ -69,7 +69,7 @@
}

// Load the other params:
param( 'path', 'string', true );
param( 'path', 'filepath', true );
param( 'size', 'string', NULL ); // Can be used for images.
param( 'size_x', 'integer', 1 ); // Ratio size, can be 1, 2 and etc.
param( 'mtime', 'integer', 0 ); // used for unique URLs (that never expire).
