3,545 changes: 1,773 additions & 1,772 deletions framework/modules/events/controllers/eventController.php


13 changes: 9 additions & 4 deletions framework/modules/events/models/event.php
Expand Up @@ -52,6 +52,11 @@ public function find($range = 'all', $where = null, $order = null, $limit = null
//note $order is boolean for 'featured'
//note $limit is number of days, NOT number of records
//note $limitstart is a unixtimestamp in this instance
$order = expString::escape($order);
if ($limit !== null)
$limit = intval($limit);
if ($limitstart !== null)
$limitstart = intval($limitstart);
$ed = new eventdate();
$day = expDateTime::startOfDayTimestamp(time());
$sort_asc = true; // For the getEventsForDates call
Expand All @@ -65,7 +70,7 @@ public function find($range = 'all', $where = null, $order = null, $limit = null
// $begin = $day;
// $end = null;
$items = $this->getEventsForDates($dates, $sort_asc, $order ? true : false, true);

// external events
// $extitems = $this->getExternalEvents($begin, $end);
// we need to crunch these down
Expand All @@ -78,7 +83,7 @@ public function find($range = 'all', $where = null, $order = null, $limit = null
// }
// }
// $items = array_merge($items, $extitem);

// event registration events
// if (!empty($this->config['aggregate_registrations'])) $regitems = eventregistrationController::getRegEventsForDates($begin, $end, $regcolor);
// we need to crunch these down
Expand All @@ -89,7 +94,7 @@ public function find($range = 'all', $where = null, $order = null, $limit = null
// }
// }
// $items = array_merge($items, $regitem);

$items = expSorter::sort(array('array' => $items, 'sortby' => 'eventstart', 'order' => 'ASC'));
return $items;
}
Expand Down Expand Up @@ -246,7 +251,7 @@ public static function dayNames() {
}
return $days;
}

}

?>
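Review bot: `$order` is escaped as a SQL string on L11, yet the comment on L8 says it is a boolean for 'featured' and the only use of it within these hunks is `$order ? true : false` on L22, so the escape adds nothing while the `intval` casts for `$limit` and `$limitstart` are the meaningful hardening. If the intent is to normalise the value, `$order = (bool)$order;` says so directly; if `getEventsForDates` or code outside the hunks does put `$order` into SQL, a short comment on L11 naming that use would justify keeping the escape. `find()` continues outside the hunk, so not every use is visible here.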
62 changes: 34 additions & 28 deletions framework/modules/file/controllers/fileController.php
Expand Up @@ -23,20 +23,26 @@

class fileController extends expController {
public $basemodel_name = "expFile";
protected $add_permissions = array(
// 'picker'=>'Manage Files',
'import'=>'Import',
'export'=>'Export',
);
protected $remove_permissions = array(
'delete'
);
// protected $manage_permissions = array(
// 'picker'=>'Manage Files',
// 'import'=>'Import',
// 'export'=>'Export',
// );
public $requires_login = array(
'picker'=>'must be logged in',
'editAlt'=>'must be logged in',
'editCat'=>'must be logged in',
'editShare'=>'must be logged in',
'editTitle'=>'must be logged in',
'picker'=>'You must be logged in to perform this action',
'adder'=>'You must be logged in to perform this action',
'addit'=>'You must be logged in to perform this action',
'batchDelete'=>'You must be logged in to perform this action',
'createFolder'=>'You must be logged in to perform this action',
'deleter'=>'You must be logged in to perform this action',
'deleteit'=>'You must be logged in to perform this action',
'edit'=>'You must be logged in to perform this action',
'quickUpload'=>'You must be logged in to perform this action',
'upload'=>'You must be logged in to perform this action',
'uploader'=>'You must be logged in to perform this action',
);

static function displayname() { return gt("File Manager"); }
Expand All @@ -47,20 +53,20 @@ public function manage_fixPaths() {
// fixes file directory issues when the old file class was used to save record
// where the trailing forward slash was not added. This simply checks to see
// if the trailing / is there, if not, it adds it.

$file = new expFile();
$files = $file->find('all');

foreach ($files as $key=>$file) {
if (substr($files[$key]->directory,-1,1)!="/") {
$files[$key]->directory = $files[$key]->directory.'/';
}
$files[$key]->save();
}

// eDebug($files,true);
}

public function picker() {
// global $user;

Expand Down Expand Up @@ -89,7 +95,7 @@ public function picker() {
'jscats'=>json_encode($jscatarray)
));
}

public function uploader() {
global $user;
//expHistory::set('manageable', $this->params);
Expand All @@ -113,14 +119,14 @@ public function uploader() {
'cats'=>$catarray,
));
}

/**
* Returns attached file view template configuration settings template
*
*/
public function get_view_config() {
global $template;

// set paths we will search in for the view
$paths = array(
BASE.'themes/'.DISPLAY_THEME.'/modules/common/views/file/configure',
Expand Down Expand Up @@ -148,7 +154,7 @@ public function get_view_config() {
}
}
}

/**
* Returns view template configuration settings view template
*
Expand Down Expand Up @@ -331,7 +337,7 @@ public function getFilesByJSON() {
$filter .= !empty($filter) ? " AND " : "";
$filter .= "is_image=1";
}

// $totalrecords = $this->$modelname->find('count',$filter);
// $files = $this->$modelname->find('all',$filter,$sort.' '.$dir, $results, $startIndex);
$files = $this->$modelname->find('all', $filter, $sort.' '.$dir);
Expand Down Expand Up @@ -364,9 +370,9 @@ public function getFilesByJSON() {
'pageSize'=>$results,
'records'=>$files
);

}

echo json_encode($returnValue);
}

Expand Down Expand Up @@ -411,8 +417,8 @@ public function delete() {
flash('error',$file->filename.' '.gt('wasn\'t deleted because you don\'t own the file.'));
}
redirect_to(array("controller"=>'file',"action"=>'picker',"ajax_action"=>1,"update"=>$this->params['update'],"filter"=>$this->params['filter']));
}
}

public function deleter() {
// global $db;

Expand Down Expand Up @@ -527,7 +533,7 @@ public function addit() {
}

public function upload() {

// upload the file, but don't save the record yet...
if ($this->params['resize'] != 'false') {
$maxwidth = $this->params['max_width'];
Expand Down Expand Up @@ -562,7 +568,7 @@ public function upload() {
echo gt('File was NOT uploaded!');
// flash('error',gt('File was not uploaded!'));
}
}
}

public function quickUpload(){
global $user;
Expand Down Expand Up @@ -661,10 +667,10 @@ public function editTitle() {
$ar = new expAjaxReply(300, gt("You didn't create this file, so you can't edit it."));
}
$ar->send();
}
}

public function editAlt() {
global $user;
global $user;
$file = new expFile($this->params['id']);
if ($user->id==$file->poster || $user->isAdmin()) {
$file->alt = $this->params['newValue'];
Expand All @@ -675,7 +681,7 @@ public function editAlt() {
}
$ar->send();
echo json_encode($file); //FIXME we exit before hitting this
}
}

public function editShare() {
global $user;
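Review bot: The new `$requires_login` list on L76-L86 no longer contains `editAlt`, `editCat`, `editShare` and `editTitle`, which the removed list on L71-L75 did require login for, so those actions now rely only on their in-method ownership checks; `editAlt` on L198 tests `$user->id==$file->poster || $user->isAdmin()`, which would pass for an anonymous request if both `$user->id` and `$file->poster` are empty (how `$user` is populated for guests is not visible here). Unless dropping the requirement is deliberate, keep the four `edit*` entries, e.g. `'editAlt'=>'You must be logged in to perform this action',` next to `'edit'`, or add an explicit `if (empty($user->id))` guard at the top of each of those methods. The class continues outside the hunks, so other login-dependent actions may be affected as well.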
5 changes: 3 additions & 2 deletions framework/modules/file/models/expFile.php
Expand Up @@ -425,7 +425,7 @@ public static function fileUpload($_postName = null,
//Check to see if the directory exists. If not, create the directory structure.
// if (!file_exists(BASE . $_destDir)) {
// self::makeDirectory(BASE . $_destDir);
// }
// }

// Move the temporary uploaded file into the destination directory,
// and change the name.
Expand Down Expand Up @@ -735,8 +735,9 @@ public static function download($file) {
*/
public static function fixName($name) {
$name = preg_replace('/[^A-Za-z0-9\.]/','_',$name);
if ($name[0] == '.')
if ($name[0] == '.') // attempt to upload a dot file
$name[0] = '_';
$name = str_replace('_', '..', $name); // attempt to upload with redirection to new folder
return $name;
// return preg_replace('/[^A-Za-z0-9\.]/', '-', $name);
}
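Review bot: The `str_replace` added on L228 has its search and replacement arguments reversed: it turns every underscore into `..`, so `my_file.txt` becomes `my..file.txt`, and the leading-dot guard on L226-L227, which rewrites `.foo` to `_foo`, is immediately undone into `..foo`. Given the comment on that line, the intended statement is `$name = str_replace('..', '_', $name);`, or the clearer `$name = preg_replace('/\.{2,}/', '_', $name);`. Since the `preg_replace` on L224 already restricts the name to `[A-Za-z0-9._]`, a consecutive-dot run is the only sequence this extra rule needs to address.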
Expand Up @@ -38,7 +38,7 @@ class filedownloadController extends expController {
static function displayname() { return gt("File Downloads"); }
static function description() { return gt("Place files on your website for users to download or use as a podcast."); }
static function isSearchable() { return true; }

function showall() {
expHistory::set('viewable', $this->params);
$limit = (isset($this->config['limit']) && $this->config['limit'] != '') ? $this->config['limit'] : 10;
Expand Down Expand Up @@ -90,21 +90,21 @@ public function downloadfile() {
flash('error', gt('There was an error while trying to download your file. No File Specified.'));
expHistory::back();
}
$fd = new filedownload($this->params['fileid']);

$fd = new filedownload(intval($this->params['fileid']));
if (empty($this->params['filenum'])) $this->params['filenum'] = 0;

if (empty($fd->expFile['downloadable'][$this->params['filenum']]->id)) {
flash('error', gt('There was an error while trying to download your file. The file you were looking for could not be found.'));
expHistory::back();
}
}

$fd->downloads++;
$fd->save();

// this will set the id to the id of the actual file..makes the download go right.
$this->params['id'] = $fd->expFile['downloadable'][$this->params['filenum']]->id;
parent::downloadfile();
parent::downloadfile();
}

/**
Expand Down Expand Up @@ -219,10 +219,10 @@ function getRSSContent($limit = 0) {

$fd = new filedownload();
$items = $fd->find('all',$this->aggregateWhereClause(), isset($this->config['order']) ? $this->config['order'] : 'created_at DESC', $limit);

//Convert the items to rss items
$rssitems = array();
foreach ($items as $key => $item) {
foreach ($items as $key => $item) {
$rss_item = new FeedItem();

// Add the basic data
Expand Down Expand Up @@ -281,7 +281,7 @@ function getRSSContent($limit = 0) {
}
return $rssitems;
}

}

?>
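Review bot: After each `expHistory::back()` on L244 and L253 execution falls through into `new filedownload(...)` on L248 and into `$fd->downloads++; $fd->save();` on L257-L258 unless `back()` terminates the request, which is not visible here; if it only queues a redirect, a missing `fileid` or an unknown `filenum` still bumps the download counter and reaches `parent::downloadfile()` with an unset id. Add `return;` after each `expHistory::back();` call. The `intval` on L248 fixes the id passed to the model, but `$this->params['filenum']` on L249 and L261 is still used as an array index with no more than an `empty()` check; casting it with `(int)` at L249 would keep the two lookups consistently typed.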
25 changes: 16 additions & 9 deletions framework/modules/forms/controllers/formsController.php
Expand Up @@ -27,6 +27,13 @@ class formsController extends expController {
'showall' => 'Show All Records',
'show' => 'Show a Single Record',
);
protected $add_permissions = array(
'viewdata' => "View Data",
'enter_data' => "Enter Data", // slight naming variation to not fully restrict enterdata method
);
protected $manage_permissions = array(
'design' => 'Design Form',
);
public $remove_configs = array(
'aggregation',
'categories',
Expand All @@ -39,10 +46,6 @@ class formsController extends expController {
'tags',
'twitter',
); // all options: ('aggregation','categories','comments','ealerts','facebook','files','pagination','rss','tags','twitter',)
protected $add_permissions = array(
'viewdata' => "View Data",
'enter_data' => "Enter Data" // slight naming variation to not fully restrict enterdata method
);
// public $codequality = 'beta';

static function displayname() {
Expand Down Expand Up @@ -81,7 +84,7 @@ public function showall() {
if (!empty($this->config)) {
$f = $this->forms->find('first', 'id=' . $this->config['forms_id']);
} elseif (!empty($this->params['title'])) {
$f = $this->forms->find('first', 'sef_url="' . $this->params['title'] . '"');
$f = $this->forms->find('first', 'sef_url="' . expString::escape($this->params['title']) . '"');
$this->get_defaults($f);
} elseif (!empty($this->params['id'])) {
$f = $this->forms->find('first', 'id=' . $this->params['id']);
Expand All @@ -92,7 +95,7 @@ public function showall() {
if (empty($this->config['report_filter']) && empty($this->params['filter'])) { // allow for param of 'filter' also
$where = '1';
} elseif (!empty($this->params['filter'])) {
$where = $this->params['filter'];
$where = expString::escape($this->params['filter']);
} else {
$where = $this->config['report_filter'];
}
Expand Down Expand Up @@ -200,7 +203,7 @@ public function show() {
} elseif (!empty($this->params['forms_id'])) {
$f = $this->forms->find('first', 'id=' . $this->params['forms_id']);
} elseif (!empty($this->params['title'])) {
$f = $this->forms->find('first', 'sef_url="' . $this->params['title'] . '"');
$f = $this->forms->find('first', 'sef_url="' . expString::escape($this->params['title']) . '"');
redirect_to(array('controller' => 'forms', 'action' => 'enterdata', 'forms_id' => $f->id));
}

Expand Down Expand Up @@ -710,10 +713,10 @@ public function submit_data() {
// );

$tmsg = trim(strip_tags(str_replace(array("<br />", "<br>", "br/>"), "\n", $this->config['auto_respond_body'])));
if ($this->config['auto_respond_form'])
if ($this->config['auto_respond_form'])
$tmsg .= "\n" . $emailText;
$hmsg = $this->config['auto_respond_body'];
if ($this->config['auto_respond_form'])
if ($this->config['auto_respond_form'])
$hmsg .= "\n" . $emailHtml;
$mail = new expMail();
$mail->quickSend(array(
Expand Down Expand Up @@ -1939,6 +1942,10 @@ public function import_csv_data_display() {
public function import_csv_data_add() {
global $user;

if (!empty($this->params['filename']) && (strpos($this->params['filename'], 'tmp/') === false || strpos($this->params['folder'], '..') !== false)) {
header('Location: ' . URL_FULL);
exit(); // attempt to hack the site
}
$line_end = ini_get('auto_detect_line_endings');
ini_set('auto_detect_line_endings',TRUE);
$file = fopen(BASE . $this->params["filename"], "r");
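Review bot: The path guard added on L358-L361 checks for `..` in `$this->params['folder']`, but the value actually opened on L364 is `$this->params['filename']`, so the traversal check never covers the path that is used, and the `tmp/` test only looks for the substring rather than anchoring it to the start. Assuming uploads live under `tmp/`, change the condition to `if (empty($this->params['filename']) || strpos($this->params['filename'], 'tmp/') !== 0 || strpos($this->params['filename'], '..') !== false) {` so an empty filename, which the current guard skips and which would reach `fopen(BASE . ...)` on a directory, is rejected as well. The identical guard is added in importexportController::import_process (L561-L564) and needs the same correction. Separately, passing a raw SQL fragment through `expString::escape` on L328 does not make it safe to use as a WHERE clause; that parameter should be restricted to a known set of filter expressions rather than escaped.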
39 changes: 20 additions & 19 deletions framework/modules/help/controllers/helpController.php
Expand Up @@ -41,7 +41,7 @@ class helpController extends expController {
static function displayname() { return gt("Help"); }
static function description() { return gt("Manage Exponent CMS help files."); }
static function isSearchable() { return true; }

function __construct($src=null, $params=array()) {
parent::__construct($src,$params);
// only set the system help version if it's not already set as a session variable
Expand Down Expand Up @@ -74,13 +74,13 @@ public function showall() {
//$current_version = $hv->find('first', 'is_current=1');
$ref_version = $hv->find('first', 'version=\''.$this->help_version.'\'');

// pagination parameter..hard coded for now.
// pagination parameter..hard coded for now.
$where = $this->aggregateWhereClause();
$where .= 'AND help_version_id='.(empty($ref_version->id)?'0':$ref_version->id);
if (empty($this->params['parent'])) {
$where .= ' AND (parent=0 OR parent IS NULL)';
} else {
$where .= ' AND parent=' . $this->params['parent'];
$where .= ' AND parent=' . intval($this->params['parent']);
}
// $limit = 999;
$order = isset($this->config['order']) ? $this->config['order'] : 'rank';
Expand Down Expand Up @@ -127,6 +127,7 @@ public function show() {
$version_id = help_version::getCurrentHelpVersionId();
}
}
$this->params['title'] = expString::escape($this->params['title']); // escape title to prevent sql injection
$doc = $help->find('first', 'help_version_id='.$version_id.' AND sef_url="'.$this->params['title'].'"');
$children = $help->find('count','parent='.$doc->id);
if (empty($doc)) {
Expand Down Expand Up @@ -201,10 +202,10 @@ public function edit() {
public function manage() {
expHistory::set('manageable', $this->params);
global $db;

$hv = new help_version();
$current_version = $hv->find('first', 'is_current=1');

if (empty($current_version)) {
flash('error', gt("You don't have any software versions created yet. Please do so now."));
redirect_to(array('controller'=>'help', 'action'=>'edit_version'));
Expand All @@ -218,7 +219,7 @@ public function manage() {
}
}

$where = empty($this->params['version']) ? 1 : 'help_version_id='.$this->params['version'];
$where = empty($this->params['version']) ? 1 : 'help_version_id='.intval($this->params['version']);
$page = new expPaginator(array(
'model'=>'help',
'where'=>$where,
Expand Down Expand Up @@ -263,7 +264,7 @@ private static function copydocs($from, $to) {
$origid = $doc->id;
unset($doc->id);
$doc->help_version_id = $to;

// $tmpsef = $doc->sef_url;
// $doc->sef_url = "";
// $doc->save();
Expand Down Expand Up @@ -313,10 +314,10 @@ private static function copydocs($from, $to) {
*/
public function manage_versions() {
expHistory::set('manageable', $this->params);

$hv = new help_version();
$current_version = $hv->find('first', 'is_current=1');

$sql = 'SELECT hv.*, COUNT(h.title) AS num_docs FROM '.DB_TABLE_PREFIX.'_help h ';
$sql .= 'RIGHT JOIN '.DB_TABLE_PREFIX.'_help_version hv ON h.help_version_id=hv.id GROUP BY hv.version';

Expand All @@ -336,7 +337,7 @@ public function manage_versions() {
gt('# of Docs')=>'num_docs'
),
));

assign_to_template(array(
'current_version'=>$current_version,
'page'=>$page
Expand All @@ -362,23 +363,23 @@ public function delete_version() {
if (empty($this->params['id'])) {
flash('error', gt('The version you are trying to delete could not be found'));
}

// get the version
$version = new help_version($this->params['id']);
if (empty($version->id)) {
flash('error', gt('The version you are trying to delete could not be found'));
}

// if we have errors than lets get outta here!
if (!expQueue::isQueueEmpty('error')) expHistory::back();

// delete the version
$version->delete();

expSession::un_set('help-version');

flash('message', gt('Deleted version').' '.$version->version.' '.gt('and all documents in that version.'));
expHistory::back();
expHistory::back();
}

/**
Expand All @@ -388,7 +389,7 @@ public function update_version() {
// get the current version
$hv = new help_version();
$current_version = $hv->find('first', 'is_current=1');

// check to see if the we have a new current version and unset the old current version.
if (!empty($this->params['is_current'])) {
// $db->sql('UPDATE '.DB_TABLE_PREFIX.'_help_version set is_current=0');
Expand All @@ -402,10 +403,10 @@ public function update_version() {
// if we don't have a current version yet so we will force this one to be it
if (empty($current_version->id)) $this->params['is_current'] = 1;
$version->update($this->params);

// if this is a new version we need to copy over docs
if (empty($id)) {
self::copydocs($current_version->id, $version->id);
self::copydocs($current_version->id, $version->id);
}
// let's update the search index to reflect the current help version
searchController::spider();
Expand Down Expand Up @@ -536,7 +537,7 @@ public static function getSection($params) {
$section = new section(intval($sid));
return $section;
}

}

?>
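Review bot: On L398 `$children = $help->find('count','parent='.$doc->id);` dereferences `$doc` before the `if (empty($doc))` check on L399, so a title that matches no document builds a query from a null property; move that line below the emptiness check. The escaping added on L396 also overwrites `$this->params['title']` in place, so anything later in `show()` or in the template that reads the title receives the SQL-escaped form; escaping into a local, `$title = expString::escape($this->params['title']);`, and using `$title` in the `find` on L397 keeps the parameter intact. `show()` continues outside the hunk.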
4 changes: 2 additions & 2 deletions framework/modules/help/models/help_version.php
Expand Up @@ -52,13 +52,13 @@ public static function getCurrentHelpVersion() {
public static function getHelpVersionId($version) {
global $db;

return $db->selectValue('help_version', 'id', 'version="'.$version.'"');


@yough3rt

yough3rt Oct 28, 2016

Fix

return $db->selectValue('help_version', 'id', 'version="'.$db->escapeString($version).'"');
}

public static function getHelpVersion($version_id) {
global $db;

return $db->selectValue('help_version', 'version', 'id="'.$version_id.'"');
return $db->selectValue('help_version', 'version', 'id="'.intval($version_id).'"');
}

public static function getHelpVersionsDropdown() {
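Review bot: On L524 the cast is right but the value is still wrapped in double quotes, `'id="'.intval($version_id).'"'`, which compares an integer column against a string literal; `return $db->selectValue('help_version', 'version', 'id='.intval($version_id));` reads as the integer comparison the cast establishes. This is a style point only, as the database will presumably coerce the quoted number either way.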
109 changes: 58 additions & 51 deletions framework/modules/importexport/controllers/importexportController.php
Expand Up @@ -22,6 +22,13 @@
*/

class importexportController extends expController {
protected $add_permissions = array(
'import' => 'Import Data',
'export' => 'Export Data'
);
protected $manage_permissions = array(
'importProduct' => 'Import Product',
);
// hide the configs we don't need
public $remove_configs = array(
'aggregation',
Expand All @@ -35,11 +42,6 @@ class importexportController extends expController {
'twitter',
); // all options: ('aggregation','categories','comments','ealerts','facebook','files','pagination','rss','tags','twitter',)

//protected $permissions = array_merge(array("test"=>'Test'), array('copyProduct'=>"Copy Product"));
protected $add_permissions = array(
'import' => 'Import Data',
'export' => 'Export Data'
);

static function displayname() {
return gt("Data Import / Export Module");
Expand Down Expand Up @@ -177,6 +179,11 @@ function import_process() {
expValidator::failAndReturnToForm(gt('You must select at least one item.'), $this->params);
}

if (!empty($this->params['filename']) && (strpos($this->params['filename'], 'tmp/') === false || strpos($this->params['folder'], '..') !== false)) {
header('Location: ' . URL_FULL);
exit(); // attempt to hack the site
}

$filename = $this->params['filename'];
$src = $this->params['source'];
$selected = $this->params['items'];
Expand Down Expand Up @@ -357,7 +364,7 @@ function export_process() {

function validate() {
// global $db;
//eDebug($this->params,true);
//eDebug($this->params,true);
set_time_limit(0);
//$file = new expFile($this->params['expFile']['import_file'][0]);
if (!empty($_FILES['import_file']['error'])) {
Expand Down Expand Up @@ -397,117 +404,117 @@ function validate() {
{
$handle = fopen($file->path, "r");
$data = fgetcsv($handle, 10000, ",");
//eDebug($data);
$source = '';
//eDebug($data);
$source = '';
foreach ($data as $key=>$value)
{
$dataset[$value] = '';
$dataset[$value] = '';
if($key == 2 && $value=='Unique_Bill_Name') $source = '1'; //SMC
}
//eDebug($source);
//eDebug($dataset,true);
$count = 1;
$errorSet = array();
$successSet = array();
eDebug($dataset);
$extAddy = null;
while (($data = fgetcsv($handle, 10000, ",")) !== FALSE) {
$count++;
$extAddy = new external_address();
$extAddy = new external_address();
$bName = explode(' ',$data[3]);
eDebug($bName);
$extAddy->firstname = $bName[0];
if(count($bName) == 3)
{
$extAddy->middlename = $bName[1];
$extAddy->lastname = $bName[2];
$extAddy->lastname = $bName[2];
}
else if (count($bName) ==1)
{
$extAddy->middlename = '';
$extAddy->lastname = '';
$extAddy->lastname = '';
}
else
{
$extAddy->middlename = '';
$extAddy->lastname = $bName[1];
$extAddy->lastname = $bName[1];
}
$extAddy->organization = $data[4];
$extAddy->address1 = $data[5];
$extAddy->address2 = $data[6];
$extAddy->address2 = $data[6];
$extAddy->city = $data[7];
$extAddy->address2 = $data[6];
$extAddy->address2 = $data[6];
$extAddy->city = $data[7];
$s = new geoRegion();
$state = $s->find('first','code="'.trim($data[8]).'"');
eDebug($state);
$extAddy->state = $state->id;
$extAddy->zip = str_ireplace("'",'',$data[9]);
$extAddy->phone = $data[20];
$extAddy->email = $data[21];
$extAddy->state = $state->id;
$extAddy->zip = str_ireplace("'",'',$data[9]);
$extAddy->phone = $data[20];
$extAddy->email = $data[21];
$extAddy->source = $source;
//shipping
if($data[3] == $data[12] && $data[5] == $data[14] && $data[6] == $data[15]) //shipping and billing same
{
$extAddy->is_billing = 1;
$extAddy->is_shipping = 1;
$extAddy->save(false);
$extAddy->is_shipping = 1;
$extAddy->save(false);
}
else
{
{
$extAddy->is_billing = 1;
$extAddy->is_shipping = 0;
$extAddy->save(false);
$extAddy = new external_address();
$extAddy->is_shipping = 0;
$extAddy->save(false);
$extAddy = new external_address();
$sName = explode(' ',$data[12]);
eDebug($sName);
$extAddy->firstname = $sName[0];
if(count($sName) == 3)
{
$extAddy->middlename = $sName[1];
$extAddy->lastname = $sName[2];
$extAddy->lastname = $sName[2];
}
else if (count($sName) ==1)
{
$extAddy->middlename = '';
$extAddy->lastname = '';
$extAddy->lastname = '';
}
else
{
$extAddy->middlename = '';
$extAddy->lastname = $sName[1];
$extAddy->lastname = $sName[1];
}
$extAddy->organization = $data[13];
$extAddy->address1 = $data[14];
$extAddy->address2 = $data[15];
$extAddy->city = $data[16];
$extAddy->address2 = $data[15];
$extAddy->city = $data[16];
$s = new geoRegion();
$state = $s->find('first','code="'.trim($data[17]).'"');
eDebug($state);
$extAddy->state = $state->id;
$extAddy->zip = str_ireplace("'",'',$data[18]);
$extAddy->phone = $data[20];
$extAddy->email = $data[21];
$extAddy->state = $state->id;
$extAddy->zip = str_ireplace("'",'',$data[18]);
$extAddy->phone = $data[20];
$extAddy->email = $data[21];
$extAddy->is_billing = 0;
$extAddy->is_shipping = 1;
$extAddy->source = $source;
$extAddy->source = $source;
$extAddy->save(false);
}
echo "Successfully imported row " . $count . ", name: " . $extAddy->firstname . " " . $extAddy->lastname . "<br/>";
//eDebug($product);
}
}
if(count($errorSet))
{
echo "<br/><hr><br/><font color='red'>The following records were NOT imported:<br/>";
Expand All @@ -524,7 +531,7 @@ function validate() {
else echo "--" . $err . "<br/>";
}
echo "</font>";
}
}
}*/

function importProduct($file=null) {
Expand Up @@ -21,7 +21,7 @@
*/

class migrationController extends expController {
protected $add_permissions = array(
protected $manage_permissions = array(
'analyze'=>'Analyze Data',
'migrate'=>'Migrate Data'
);
2,594 changes: 1,305 additions & 1,289 deletions framework/modules/navigation/controllers/navigationController.php


43 changes: 23 additions & 20 deletions framework/modules/news/controllers/newsController.php
Expand Up @@ -26,18 +26,21 @@ class newsController extends expController {
'showall'=>'Show all News',
'tags'=>"Tags",
);
protected $add_permissions = array(
'showUnpublished'=>'View Unpublished News',
'showExpired'=>'View Unpublished News',
);
protected $manage_permissions = array(
'import'=>'Import News Items',
'export'=>'Export News Items'
);
public $remove_configs = array(
'categories',
'comments',
// 'ealerts',
// 'facebook',
// 'twitter',
); // all options: ('aggregation','categories','comments','ealerts','facebook','files','pagination','rss','tags','twitter',)
protected $add_permissions = array(
'showUnpublished'=>'View Unpublished News',
'import'=>'Import News Items',
'export'=>'Export News Items'
);

static function displayname() { return gt("News"); }
static function description() { return gt("Display & manage news type content on your site."); }
Expand All @@ -58,15 +61,15 @@ public function showall() {
$limit = $this->params['limit'] == 'none' ? null : $this->params['limit'];
} else {
$limit = (isset($this->config['limit']) && $this->config['limit'] != '') ? $this->config['limit'] : 10;
}
}
$order = isset($this->config['order']) ? $this->config['order'] : 'publish DESC';

// pull the news posts from the database
$items = $this->news->find('all', $this->aggregateWhereClause(), $order);

// merge in any RSS news and perform the sort and limit the number of posts we return to the configured amount.
if (!empty($this->config['pull_rss'])) $items = $this->mergeRssData($items);

// setup the pagination object to paginate the news stories.
$page = new expPaginator(array(
'records'=>$items,
Expand All @@ -78,7 +81,7 @@ public function showall() {
'src'=>$this->loc->src,
'view'=>empty($this->params['view']) ? null : $this->params['view']
));

assign_to_template(array(
'page'=>$page,
'items'=>$page->records,
Expand Down Expand Up @@ -134,7 +137,7 @@ public function show() {
if (isset($this->params['id'])) {
$id = $this->params['id'];
} elseif (isset($this->params['title'])) {
$id = $this->params['title'];
$id = expString::escape($this->params['title']);
}

$record = new news($id);
Expand Down Expand Up @@ -176,7 +179,7 @@ public function show() {

public function showUnpublished() {
expHistory::set('viewable', $this->params);

// setup the where clause for looking up records.
$where = parent::aggregateWhereClause();
$where = "((unpublish != 0 AND unpublish < ".time().") OR (publish > ".time().")) AND ".$where;
Expand All @@ -197,38 +200,38 @@ public function showUnpublished() {
gt('Status')=>'unpublish'
),
));

assign_to_template(array(
'page'=>$page
));
}

public function showExpired() {
redirect_to(array('controller'=>'news', 'action'=>'showUnpublished','src'=>$this->params['src']));
}

// public function configure() {
// parent::configure();
// assign_to_template(array('sortopts'=>$this->sortopts));
// }
public function saveConfig() {

public function saveconfig() {
if (!empty($this->params['aggregate']) || !empty($this->params['pull_rss'])) {
if ($this->params['order'] == 'rank ASC') {
expValidator::failAndReturnToForm(gt('User defined ranking is not allowed when aggregating or pull RSS data feeds.'), $this->params);
}
}
parent::saveConfig();

parent::saveconfig();
}

public function getRSSContent($limit = 0) {
// pull the news posts from the database
$items = $this->news->find('all', $this->aggregateWhereClause(), isset($this->config['order']) ? $this->config['order'] : 'publish DESC', $limit);

//Convert the newsitems to rss items
$rssitems = array();
foreach ($items as $key => $item) {
foreach ($items as $key => $item) {
$rss_item = new FeedItem();
$rss_item->title = expString::convertSmartQuotes($item->title);
$rss_item->link = $rss_item->guid = makeLink(array('controller'=>'news', 'action'=>'show', 'title'=>$item->sef_url));
Expand All @@ -252,7 +255,7 @@ public function getRSSContent($limit = 0) {
* @return array
*/
private function mergeRssData($items) {
if (!empty($this->config['pull_rss'])) {
if (!empty($this->config['pull_rss'])) {
$RSS = new SimplePie();
$RSS->set_cache_location(BASE.'tmp/rsscache'); // default is ./cache
// $RSS->set_cache_duration(3600); // default is 3600
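Review bot: In the hunk at L793-L801 the `title` branch is now escaped but the `id` branch on L795 still passes `$this->params['id']` untouched into `new news($id)`, while the other controllers in this commit (helpController L388 and L416, filedownloadController L248) cast ids with `intval`; `$id = intval($this->params['id']);` would keep the two branches equally guarded, assuming the `news` constructor treats an integer argument as a primary key. The same asymmetry is introduced in photosController::show (L898-L903). Separately, on L746-L747 both `showUnpublished` and `showExpired` carry the label `'View Unpublished News'`; since `showExpired` only redirects to `showUnpublished` (L820-L822) that may be intentional, but a distinct label such as `'View Expired News'` avoids two identical entries in the permission list.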
25 changes: 14 additions & 11 deletions framework/modules/photoalbum/controllers/photosController.php
Expand Up @@ -28,6 +28,9 @@ class photosController extends expController {
// 'slideshow'=>'Slideshow',
// //'showall_tags'=>"Tag Categories"
// );
protected $manage_permissions = array(
'multi'=>'Bulk Actions',
);
public $remove_configs = array(
'comments',
'ealerts',
Expand All @@ -41,7 +44,7 @@ class photosController extends expController {
static function displayname() { return gt("Photo Album"); }
static function description() { return gt("Displays and manages images."); }
static function isSearchable() { return true; }

public function showall() {
expHistory::set('viewable', $this->params);
$limit = (isset($this->config['limit']) && $this->config['limit'] != '') ? $this->config['limit'] : 10;
Expand All @@ -66,22 +69,22 @@ public function showall() {
gt('Title')=>'title'
),
));

assign_to_template(array(
'page'=>$page,
'params'=>$this->params,
));
}

function show() {
expHistory::set('viewable', $this->params);

// figure out if we're looking this up by id or title
$id = null;
if (isset($this->params['id'])) {
$id = $this->params['id'];
} elseif (isset($this->params['title'])) {
$id = $this->params['title'];
$id = expString::escape($this->params['title']);
}
$record = new photo($id);
if (empty($record->id))
Expand Down Expand Up @@ -121,7 +124,7 @@ function show() {
'config'=>$config
));
}

public function slideshow() {
expHistory::set('viewable', $this->params);
$order = isset($this->config['order']) ? $this->config['order'] : "rank";
Expand All @@ -147,7 +150,7 @@ public function slideshow() {
'slides'=>$page->records,
));
}

public function showall_tags() {
$images = $this->image->find('all');
$used_tags = array();
Expand All @@ -160,14 +163,14 @@ public function showall_tags() {
$used_tags[$tag->id] = $exptag;
$used_tags[$tag->id]->count = 1;
}

}
}

assign_to_template(array(
'tags'=>$used_tags
));
}
}

/**
* Returns rich snippet PageMap meta data
Expand Down Expand Up @@ -195,7 +198,7 @@ public function update() {

//populate the alt tag field if the user didn't
if (empty($this->params['alt'])) $this->params['alt'] = $this->params['title'];

// call expController update to save the image
parent::update();
}
57 changes: 28 additions & 29 deletions framework/modules/pixidou/controllers/pixidouController.php
Expand Up @@ -22,11 +22,10 @@
*/

class pixidouController extends expController {
// public $cacheDir = "framework/modules/pixidou/images/";
public $cacheDir = "tmp/pixidou/";
public $requires_login = array(
'editor',
'exitEditor'
'editor'=>'You must be logged in to perform this action',
'exitEditor'=>'You must be logged in to perform this action',
);

static function displayname() { return gt("Pixidou Image Editor"); }
Expand All @@ -40,23 +39,23 @@ static function hasSources()

function editor() {
global $user;

$file = new expFile($this->params['id']);
$canSaveOg = $user->id==$file->poster || $user->is_admin ? 1 : 0 ;
if (file_exists(BASE.$file->directory.$file->filename)) {
$file->copyToDirectory(BASE.$this->cacheDir);

$canSaveOg = $user->id==$file->poster || $user->isSuperAdmin() ? 1 : 0 ;
if (file_exists(BASE . $file->directory . $file->filename)) {
$file->copyToDirectory(BASE . $this->cacheDir);
assign_to_template(array(
'image'=>$file,
'update'=>$this->params['update'],
'saveog'=>$canSaveOg
));
} else {
flash('error',gt('The file').' "'.BASE.$file->directory.$file->filename.'" '.gt('does not exist on the server.'));
redirect_to(array("controller"=>'file',"action"=>'picker',"ajax_action"=>1,"update"=>$this->params['update'],"filter"=>$this->params['filter']));
flash('error', gt('The file') . ' "' . BASE . $file->directory . $file->filename . '" ' . gt('does not exist on the server.'));
redirect_to(array("controller"=>'file', "action"=>'picker', "ajax_action"=>1, "update"=>$this->params['update'], "filter"=>$this->params['filter']));
}
}

public function exitEditor() {
// clean up parameters
$this->params['fid'] = intval($this->params['fid']);
Expand All @@ -65,17 +64,17 @@ public function exitEditor() {
}
switch ($this->params['exitType']) {
case 'saveAsCopy':
$oldimage = new expFile($this->params['fid']);
$copyname = expFile::resolveDuplicateFilename($oldimage->path);
copy(BASE.$this->cacheDir."/".$this->params['cpi'],$oldimage->directory.$copyname); //copy the edited file over to the files dir
$oldimage = new expFile($this->params['fid']);
$copyname = expFile::resolveDuplicateFilename($oldimage->path);
copy(BASE . $this->cacheDir . "/" . $this->params['cpi'], $oldimage->directory . $copyname); //copy the edited file over to the files dir
$newFile = new expFile(array("filename"=>$copyname)); //construct a new expFile
$newFile->directory = $oldimage->directory;
$newFile->title = $oldimage->title;
$newFile->shared = $oldimage->shared;
$newFile->mimetype = $oldimage->mimetype;
$newFile->posted = time();
$newFile->filesize = filesize(BASE.$this->cacheDir."/".$this->params['cpi']);
$resized = getimagesize(BASE.$this->cacheDir."/".$this->params['cpi']);
$newFile->filesize = filesize(BASE . $this->cacheDir . "/" . $this->params['cpi']);
$resized = getimagesize(BASE . $this->cacheDir . "/" . $this->params['cpi']);
$newFile->image_width = $resized[0];
$newFile->image_height = $resized[1];
$newFile->alt = $oldimage->alt;
Expand All @@ -86,36 +85,36 @@ public function exitEditor() {
case 'saveAsIs':
//eDebug($this->params,true);
$oldimage = new expFile($this->params['fid']);
$resized = getimagesize(BASE.$this->cacheDir."/".$this->params['cpi']);
$resized = getimagesize(BASE . $this->cacheDir . "/" . $this->params['cpi']);
$oldimage->image_width = $resized[0];
$oldimage->image_height = $resized[1];
$oldimage->save();
copy(BASE.$this->cacheDir."/".$this->params['cpi'],$oldimage->directory.$oldimage->filename); //copy the edited file over to the files dir
copy(BASE . $this->cacheDir . "/" . $this->params['cpi'], $oldimage->directory . $oldimage->filename); //copy the edited file over to the files dir
break;

default:
# code...
break;
}
// proper file types to look for
$types = array(".jpg",".gif",".png");
$types = array(".jpg", ".gif", ".png");

//Pixidou images directory, the editor's cache
$cachedir = BASE.$this->cacheDir;
$cachedir = BASE . $this->cacheDir;

if (is_dir($cachedir) && is_readable($cachedir) ) {
$dh = opendir($cachedir);
while (($tmpfile = readdir($dh)) !== false) {
if (in_array(substr($tmpfile,-4,4),$types)) {
$filename = $cachedir.$tmpfile;
if (in_array(substr($tmpfile, -4, 4), $types)) {
$filename = $cachedir . $tmpfile;
unlink($filename);
}
}
}
redirect_to(array("controller"=>'file',"action"=>'picker',"ajax_action"=>1,"update"=>$this->params['update'],"filter"=>$this->params['filter']));

redirect_to(array("controller"=>'file', "action"=>'picker', "ajax_action"=>1, "update"=>$this->params['update'], "filter"=>$this->params['filter']));
}

}

?>
?>
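Review bot: `$this->params['cpi']` is spliced into a filesystem path unchecked in both the saveAsCopy and saveAsIs branches of exitEditor (the copy/filesize/getimagesize calls), while the commit only normalises `fid` with intval(); a value containing path separators or `..` would let a file outside the cache directory be copied into the files directory and registered as an expFile. Restrict it to a bare filename and confirm it exists before use, e.g. `$cpi = basename($this->params['cpi']); $src = BASE . $this->cacheDir . '/' . $cpi; if (!is_file($src)) { redirect_to(array("controller"=>'file', "action"=>'picker', "ajax_action"=>1)); }`, then use `$src` in the copy/filesize/getimagesize calls. Separately, the saveAsIs branch overwrites the original file without re-checking the ownership condition that editor() computes into `$canSaveOg`, so that check appears to be enforced only in the template; confirm whether the poster/super-admin test should gate this branch server-side as well. exitEditor opens in the preceding hunk and the `cpi` parameter is not validated anywhere visible.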
Expand Up @@ -27,17 +27,17 @@ class portfolioController extends expController {
'tags'=>"Tags",
'slideshow'=>"Slideshow"
);
protected $manage_permissions = array(
'import'=>'Import Portfolio Items',
'export'=>'Export Portfolio Items'
);
public $remove_configs = array(
'comments',
'ealerts',
'facebook',
'rss',
'twitter',
); // all options: ('aggregation','categories','comments','ealerts','facebook','files','pagination','rss','tags','twitter',)
protected $add_permissions = array(
'import'=>'Import Portfolio Items',
'export'=>'Export Portfolio Items'
);

static function displayname() { return gt("Portfolio"); }
static function description() { return gt("Display a portfolio or listing."); }
Expand Up @@ -22,7 +22,7 @@
*/
class recyclebinController extends expController
{
protected $add_permissions = array(
protected $manage_permissions = array(
'showall' => 'View Recycle Bin',
'show' => 'View Recycle Bin',
'remove' => 'Remove Recycle Bin Item'
Expand Down Expand Up @@ -97,6 +97,8 @@ public function remove()
{
global $db;

$this->params['mod'] = expString::escape($this->params['mod']);
$this->params['src'] = expString::escape($this->params['src']);
$mod = expModules::getController($this->params['mod'], $this->params['src']);
if ($mod != null) {
$mod->delete_instance(); // delete all assoc items
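Review bot: `expString::escape` on `mod` and `src` is the wrong control for values that select a controller through `expModules::getController`; if it is a database-quoting helper, as its name suggests, it does nothing against a crafted module name being resolved to a class or file (how getController resolves the name is not visible here), and it can mangle a legitimate name. Validate the module against the set of installed controllers instead, and make the guard strict: `if ($mod instanceof expController) {` rather than the loose `$mod != null`. The remainder of remove() is outside the hunk.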
173 changes: 89 additions & 84 deletions framework/modules/report/controllers/reportController.php


59 changes: 30 additions & 29 deletions framework/modules/search/controllers/searchController.php
Expand Up @@ -26,10 +26,11 @@ class searchController extends expController {
'show'=>'Show Search Form',
'cloud'=>'Show Tag Cloud'
);
protected $add_permissions = array(
'spider'=>'Spider Site'
protected $manage_permissions = array(
'spider'=>'Spider Site',
'searchQueryReport'=>'Search Query Report',
'topSearchReport'=>'Top Search Report',
);

public $remove_configs = array(
'aggregation',
'categories',
Expand Down Expand Up @@ -109,7 +110,7 @@ public function search()
'params'=>$this->params,
));
}

public static function spider() {
global $db;

Expand All @@ -136,18 +137,18 @@ public static function spider() {
$mods[$controller->searchName()] = $controller->addContentToSearch();
}
}

uksort($mods,'strnatcasecmp');
assign_to_template(array(
'mods'=>$mods
));
}

public function show() {
//no need to do anything..we're just showing the form... so far! MUAHAHAHAHAHAAA! what?
// redirect_to(array("controller"=>'search',"action"=>'showall'));
}

public function showall() {
// redirect_to(array("controller"=>'search',"action"=>'show'));
// $this->show();
Expand Down Expand Up @@ -220,70 +221,70 @@ public function autocomplete() {
}*/
// $sql .= ' AND parent_id=0';
//eDebug($sql);

//$res = $mod->find('all',$sql,'id',25);
$sql = "select DISTINCT(p.id), p.title, model, sef_url, f.id as fileid from ".$db->prefix."product as p INNER JOIN ".$db->prefix."content_expfiles as cef ON p.id=cef.content_id INNER JOIN ".$db->prefix."expfiles as f ON cef.expfiles_id = f.id where match (p.title,p.model,p.body) against ('" . $this->params['query'] . "') AND p.parent_id=0 order by match (p.title,p.model,p.body) against ('" . $this->params['query'] . "') desc LIMIT 25";
//$res = $db->selectObjectsBySql($sql);
//$res = $db->selectObjectBySql('SELECT * FROM `exponent_product`');

$ar = new expAjaxReply(200, gt('Here\'s the items you wanted'), $res);
$ar->send();
}

public function searchQueryReport() {
global $db;

//Instantiate the search model
$search = new search();

//Store the keywords that returns nothing
$badSearch = array();
$badSearchArr = array();

//User Records Initialization
$all_user = -1;
$anonymous = -2;
$uname = array('id'=>array($all_user, $anonymous), 'name'=>array('All Users', 'Anonymous'));

$user_default = '';
$where = '';

if(isset($this->params['user_id']) && $this->params['user_id'] != -1) {
$user_default = $this->params['user_id'];
}

expHistory::set('manageable', $this->params);

$ctr = 2;
$ctr2 = 0;

//Getting the search users
$records = $db->selectObjects('search_queries');


foreach($records as $item) {
$u = user::getUserById($item->user_id);

if($item->user_id == 0) {
$item->user_id = $anonymous;
}

if(!in_array($item->user_id, $uname['id'])) {
$uname['name'][$ctr] = $u->firstname . ' ' . $u->lastname;
$uname['id'][$ctr] = $item->user_id;
$ctr++;
}

$result = $search->getSearchResults($item->query, false, true);
if(empty($result) && !in_array($item->query, $badSearchArr)) {
$badSearchArr[] = $item->query;
$badSearch[$ctr2]['query'] = $item->query;
$badSearch[$ctr2]['count'] = $db->countObjects("search_queries", "query='{$item->query}'");
$ctr2++;
}

}

//Check if the user choose from the dropdown
if(!empty($user_default)) {
if($user_default == $anonymous) {
Expand All @@ -293,7 +294,7 @@ public function searchQueryReport() {
}
$where .= "user_id = {$u_id}";
}

//Get all the search query records
$records = $db->selectObjects('search_queries', $where);
for ($i = 0, $iMax = count($records); $i < $iMax; $i++) {
Expand All @@ -302,7 +303,7 @@ public function searchQueryReport() {
$records[$i]->user = $u->firstname . ' ' . $u->lastname;
}
}

$page = new expPaginator(array(
'records' => $records,
'where'=>1,
Expand All @@ -328,19 +329,19 @@ public function searchQueryReport() {
'user_default' => $user_default,
'badSearch' => $badSearch
));

}

public function topSearchReport() {
global $db;
$limit = intval(TOP_SEARCH);

if(empty($limit)) {
$limit = 10;
}

$count = $db->countObjects('search_queries');

$records = $db->selectObjectsBySql("SELECT COUNT(query) cnt, query FROM " .$db->prefix . "search_queries GROUP BY query ORDER BY cnt DESC LIMIT 0, {$limit}");

$records_key_arr = array();
Expand All @@ -351,7 +352,7 @@ public function topSearchReport() {
}
$records_key = implode(",", $records_key_arr);
$records_values = implode(",", $records_values_arr);

assign_to_template(array(
'records'=>$records,
'total'=>$count,
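Review bot: autocomplete() still interpolates `$this->params['query']` straight into `$sql` (twice, in the MATCH … AGAINST clauses) even though the commit adds escaping to request parameters elsewhere; the string is never executed here because the `selectObjectsBySql` call is commented out, which also leaves `$res` undefined when it is passed to expAjaxReply. Either delete the dead `$sql` block or, when reinstating it, escape the query and assign the result, e.g. `$query = expString::escape($this->params['query']);` used in both clauses and `$res = $db->selectObjectsBySql($sql);`. searchQueryReport's `countObjects("search_queries", "query='{$item->query}'")` has the same shape: `$item->query` is a stored search string of user origin, so it should be escaped before being placed in the WHERE clause. The opening of autocomplete() and the branch that derives `$u_id` for the `user_id = {$u_id}` clause fall in the collapsed part of the hunk, so that value could not be checked.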
Expand Up @@ -143,7 +143,7 @@ public function vote() {
global $user;

if (isset($this->params['choice'])) {
$answer = new simplepoll_answer($this->params['choice']);
$answer = new simplepoll_answer(intval($this->params['choice']));
if (empty($this->config)) {
$this->config['anonymous_timeout'] = 5*3600;
$this->config['thank_you_message'] = 'Thank you for voting.';
2 changes: 1 addition & 1 deletion framework/modules/users/controllers/loginController.php
Expand Up @@ -125,7 +125,7 @@ public static function logout() {
* main login method
*/
public static function login() {
user::login(expString::sanitize($_POST['username']),expString::sanitize($_POST['password']));
user::login(expString::escape(expString::sanitize($_POST['username'])),expString::escape(expString::sanitize($_POST['password'])));
if (!isset($_SESSION[SYS_SESSION_KEY]['user'])) { // didn't successfully log in
flash('error', gt('Invalid Username / Password'));
if (expSession::is_set('redirecturl_error')) {
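Review bot: Wrapping the password in `expString::escape` before `user::login` adds a second transformation to the credential itself: if escape inserts backslashes for quotes and similar characters, as a database-quoting helper would, a password containing such characters is altered before whatever hashing or comparison `user::login` performs and will no longer verify. Quoting belongs at the point where the SQL is built, ideally as a bound parameter, not on the raw credentials; the username should be escaped only if `user::login` interpolates it directly, which is not visible here. Both `$_POST` reads are also unguarded, so a request missing either field raises notices; `$username = isset($_POST['username']) ? $_POST['username'] : '';` (and likewise for the password) avoids that. The rest of login() is outside the hunk.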
31 changes: 22 additions & 9 deletions framework/modules/users/controllers/usersController.php
Expand Up @@ -24,18 +24,19 @@

class usersController extends expController {
public $basemodel_name = 'user';
protected $add_permissions = array(
// protected $remove_permissions = array(
// 'create',
// 'edit'
// );
protected $manage_permissions = array(
'toggle_extension' => 'Activate Extensions',
'kill_session' => 'End Sessions',
'boot_user' => 'Boot Users',
'userperms' => 'User Permissions',
'groupperms' => 'Group Permissions',
'import' => 'Import Users',
'export' => 'Export Users',
);
protected $remove_permissions = array(
'create',
'edit'
'update' => 'Update Users',
);

static function displayname() {
Expand Down Expand Up @@ -171,7 +172,7 @@ public function update() {
expHistory::back();
}

// if this is a new user account we need to check the password.
// if this is a new user account we need to check the password.
// the password fields wont come thru on an edit. Otherwise we will
// just update the existing account.
if (!empty($id)) {
Expand Down Expand Up @@ -233,7 +234,7 @@ public function update() {
if ($u->id == $user->id) expSession::triggerRefresh();
}

// if this is a new account then we will check to see if we need to send
// if this is a new account then we will check to see if we need to send
// a welcome message or admin notification of new accounts.
if (empty($id)) {
// Calculate Group Memberships for newly created users. Any groups that
Expand Down Expand Up @@ -491,6 +492,7 @@ public function send_new_password() {
global $db;

// find the user
$this->params['username'] = expString::escape($this->params['username']);
$u = user::getUserByName($this->params['username']);
if (empty($u)) {
$u = user::getUserByEmail($this->params['username']);
Expand Down Expand Up @@ -539,7 +541,7 @@ public function confirm_password_reset() {
global $db;

$db->delete('passreset_token', 'expires < ' . time());
$tok = $db->selectObject('passreset_token', 'uid=' . $this->params['uid'] . " AND token='" . preg_replace('/[^A-Za-z0-9]/', '', $this->params['token']) . "'");
$tok = $db->selectObject('passreset_token', 'uid=' . intval($this->params['uid']) . " AND token='" . preg_replace('/[^A-Za-z0-9]/', '', expString::escape($this->params['token'])) . "'");
if ($tok == null) {
flash('error', gt('Your password reset request has expired. Please try again.'));
expHistory::back();
Expand Down Expand Up @@ -617,7 +619,7 @@ public function save_change_password() {
expHistory::returnTo('editable');
}
//eDebug($user);
$u = new user($this->params['uid']);
$u = new user(intval($this->params['uid']));

$ret = $u->setPassword($this->params['new_password1'], $this->params['new_password2']);
//eDebug($u, true);
Expand Down Expand Up @@ -654,6 +656,13 @@ public function edit_userpassword() {
}

public function update_userpassword() {
global $user;

if (!$user->isAdmin() && $this->params['id'] != $user->id) {
flash('error', gt('You do not have permissions to change this users password.'));
expHistory::back();
}

if (empty($this->params['id'])) {
expValidator::failAndReturnToForm(gt('You must specify the user whose password you want to change'), $this->params);
}
Expand Down Expand Up @@ -1497,6 +1506,10 @@ public function import_users_display() {
}

public function import_users_add() {
if (!empty($this->params['filename']) && (strpos($this->params['filename'], 'tmp/') === false || strpos($this->params['folder'], '..') !== false)) {
header('Location: ' . URL_FULL);
exit(); // attempt to hack the site
}
$line_end = ini_get('auto_detect_line_endings');
ini_set('auto_detect_line_endings',TRUE);
$file = fopen(BASE . $this->params["filename"], "r");
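Review bot: The guard added at the top of import_users_add() tests `..` against `$this->params['folder']`, but the path that is opened is built from `$this->params['filename']`, so the `..` check never applies to the value that matters; the `strpos(..., 'tmp/') === false` test only requires the substring to appear somewhere in the string, and the whole check is skipped when `filename` is empty, in which case `fopen(BASE . '')` is attempted. Resolve the path with realpath() and require it to be a regular file under the tmp directory, as sketched below. In update_userpassword(), the new authorisation check calls `expHistory::back()` after the flash but neither returns nor exits, so unless back() terminates the request (not visible here) the password update proceeds for a non-admin editing another account; an explicit `return;` after it removes the doubt, and the comparison should be `(int) $this->params['id'] !== (int) $user->id`. The bodies of both methods continue outside their hunks.
```php
public function import_users_add() {
    $filename = isset($this->params['filename']) ? (string) $this->params['filename'] : '';
    $tmpRoot = realpath(BASE . 'tmp');
    $target = realpath(BASE . $filename);
    // only accept a regular file that resolves to a location inside the tmp directory
    if ($tmpRoot === false || $target === false || !is_file($target)
        || strpos($target, $tmpRoot . DIRECTORY_SEPARATOR) !== 0) {
        header('Location: ' . URL_FULL);
        exit(); // attempt to hack the site
    }
    // … unchanged: line-ending handling, fopen and the import loop …
```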