
Refs #18. Doing an access check on TidypicsAlbum->getImageList() to o…

…nly return images the current user can access.

This is a simple fix, but requires an extra DB call for the first getImageList() call.
commit b09db0ec2a35590cb13cda6ed053edc10e671035 1 parent 894ea67
@brettp authored
Showing with 25 additions and 4 deletions.
  1. +15 −4 classes/TidypicsAlbum.php
  2. +10 −0 lib/tidypics.php
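--- a/classes/TidypicsAlbum.php
+++ b/classes/TidypicsAlbum.php
@@ -9,7 +9,6 @@
 class TidypicsAlbum extends ElggObject {
-
 /**
 * Sets the internal attributes
 */
@@ -186,6 +185,17 @@ public function getImageList() {
 return array();
 }
 $list = unserialize($listString);
+
+ // check access levels
+ $guidsString = implode(',', $list);
+ $options = array(
+ 'wheres' => array("e.guid IN ($guidsString)"),
+ 'order_by' => "FIELD (e.guid, $guidsString)",
+ 'callback' => 'tp_guid_callback',
+ 'limit' => ELGG_ENTITIES_NO_VALUE
+ );
+
+ $list = elgg_get_entities($options);
 return $list;
 }
@@ -211,7 +221,7 @@ public function prependImageList($list) {
 }
 /**
- * Get the previous image in the album
+ * Get the previous image in the album. Wraps around to the last image if given the first.
 *
 * @param int $guid GUID of the current image
 * @return TidypicsImage
@@ -230,7 +240,7 @@ public function getPreviousImage($guid) {
 }
 /**
- * Get the next image in the album
+ * Get the next image in the album. Wraps around to the first image if given the last.
 *
 * @param int $guid GUID of the current image
 * @return TidypicsImage
@@ -282,9 +292,10 @@ public function shouldNotify() {
 /**
 * Delete all the images in this album
+ *
+ * @todo ElggBatch?
 */
 protected function deleteImages() {
- // get all the images from this album as long as less than 999 images
 $images = elgg_get_entities(array(
 "type=" => "object",
 "subtype" => "image",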
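Review bot: In the getImageList() hunk, `$guidsString` is built with `implode(',', $list)` from the unserialized stored list and interpolated straight into the `wheres` and `order_by` SQL fragments, so any element that is not an integer becomes part of the query text. Casting first, e.g. `$guidsString = implode(',', array_map('intval', $list));`, keeps both clauses to numeric GUIDs. An empty or non-array result from `unserialize()` would also produce `e.guid IN ()`, which is invalid SQL; a guard such as `if (!is_array($list) || !$list) { return array(); }` before the implode avoids that. The start of the function, including the existing check that returns `array()`, is outside the hunk, so that earlier guard may cover an empty string but presumably not a serialized empty array.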
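--- a/lib/tidypics.php
+++ b/lib/tidypics.php
@@ -190,6 +190,16 @@ function tidypics_list_photos(array $options = array()) {
 return elgg_view_entity_list($sorted_entities, $options);
 }
+/**
+ * Returns just a guid from a database $row. Used in elgg_get_entities()'s callback.
+ *
+ * @param stdClass $row
+ * @return type
+ */
+function tp_guid_callback($row) {
+ return ($row->guid) ? $row->guid : false;
+}
+
 /*********************************************************************
 * the functions below replace broken core functions or add functions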
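Review bot: The docblock on `tp_guid_callback()` still carries the placeholder `@return type`; it should read `@return int|false`, and `@param stdClass $row` would benefit from a short description such as `Database row with a guid property`. The function returns `$row->guid` as the database layer delivers it, probably a string, so `return isset($row->guid) ? (int) $row->guid : false;` would give callers of getImageList() integer GUIDs and avoid a notice on a row without the property. If elgg_get_entities() stores the callback's return value unchanged, a `false` entry could end up in the image list, which is worth confirming against the core implementation.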