Permalink
Browse files

Merge branch 'master' into talmdal_dev

  • Loading branch information...
2 parents a893b03 + cd45c94 commit 09739dfd2c52ebc1b898b6e3b3aabd8fe41f018e @talmdal talmdal committed Feb 12, 2010
@@ -13,7 +13,7 @@
</p>
<ul>
<li>
- <?= t("Please <b>review album permissions</b> after the import! Permissions are imported, but user specific and item specific permissions are not supported in Gallery 3 and thus ignored.") ?>
+ <?= t("Gallery 3 does not support per-user / per-item permissions. <b>Review permissions after your import is done.</b>") ?>
</li>
<li>
<?= t("The only supported file formats are JPG, PNG and GIF, FLV and MP4. Other formats will be skipped.") ?>
@@ -26,12 +26,18 @@ public function show($album) {
if (!is_object($album)) {
// show() must be public because we route to it in url::parse_url(), so make
// sure that we're actually receiving an object
- Kohana::show_404();
+ throw new Kohana_404_Exception();
}
if (!access::can("view", $album)) {
- print auth::require_login();
- return;
+ if ($album->id == 1) {
+ // Even show the login page to logged in users.
+ // It's a better user experience than a "Dang" error page.
+ print auth::login_page();
+ return;
+ } else {
+ access::required("view", $album);
+ }
}
$page_size = module::get_var("gallery", "page_size", 9);
@@ -22,13 +22,10 @@ public function show($movie) {
if (!is_object($movie)) {
// show() must be public because we route to it in url::parse_url(), so make
// sure that we're actually receiving an object
- Kohana::show_404();
+ throw new Kohana_404_Exception();
}
- if (!access::can("view", $movie)) {
- print auth::require_login();
- return;
- }
+ access::required("view", $movie);
$where = array(array("type", "!=", "album"));
$position = $movie->parent()->get_position($movie, $where);
@@ -22,14 +22,11 @@ public function show($photo) {
if (!is_object($photo)) {
// show() must be public because we route to it in url::parse_url(), so make
// sure that we're actually receiving an object
- Kohana::show_404();
+ throw new Kohana_404_Exception();
}
-
- if (!access::can("view", $photo)) {
- print auth::require_login();
- return;
- }
-
+
+ access::required("view", $photo);
+
$where = array(array("type", "!=", "album"));
$position = $photo->parent()->get_position($photo, $where);
if ($position > 1) {
@@ -118,7 +118,12 @@ static function user_can($user, $perm_name, $item) {
*/
static function required($perm_name, $item) {
if (!self::can($perm_name, $item)) {
- self::forbidden();
+ if ($perm_name == "view") {
+ // Treat as if the item didn't exist, don't leak any information.
+ throw new Kohana_404_Exception();
+ } else {
+ self::forbidden();
+ }
}
}
@@ -132,15 +132,16 @@ static function must_reauth_for_admin_area() {
}
/**
- * Redirect to the login page.
+ * Returns the themed login page.
*/
- static function require_login() {
+ static function login_page($continue_url=null) {
$view = new Theme_View("page.html", "other", "login");
$view->page_title = t("Log in to Gallery");
$view->content = new View("login_ajax.html");
$view->content->form = auth::get_login_form("login/auth_html");
// Avoid anti-phishing protection by passing the url as session variable.
- Session::instance()->set("continue_url", url::current(true));
+ $continue_url or $continue_url = url::current(true);
+ Session::instance()->set("continue_url", $continue_url);
return $view;
}
}
@@ -15,12 +15,15 @@
</p>
<p>
- <a href="<?= url::site("user_profile/show/{$user->id}") ?>"
+ <a href="<?= url::site("admin/users/edit_user_form/{$user->id}") ?>"
title="<?= t("Edit your profile")->for_html_attr() ?>"
id="g-after-install-change-password-link"
class="g-button ui-state-default ui-corners-all">
<?= t("Change password and email now") ?>
</a>
+ <script type="text/javascript">
+ $("#g-after-install-change-password-link").gallery_dialog();
+ </script>
</p>
<p>
@@ -19,12 +19,19 @@
*/
class Password_Controller extends Controller {
public function reset() {
+ $form = self::_reset_form();
if (request::method() == "post") {
// @todo separate the post from get parts of this function
access::verify_csrf();
- $this->_send_reset();
+ // Basic validation (was some user name specified?)
+ if ($form->validate()) {
+ $this->_send_reset($form);
+ } else {
+ print json_encode(array("result" => "error",
+ "form" => (string) $form));
+ }
} else {
- print $this->_reset_form();
+ print $form;
}
}
@@ -41,19 +48,10 @@ public function do_reset() {
}
}
- private function _send_reset() {
- $form = $this->_reset_form();
-
- $valid = $form->validate();
- if ($valid) {
- $user = user::lookup_by_name($form->reset->inputs["name"]->value);
- if (!$user->loaded() || empty($user->email)) {
- $form->reset->inputs["name"]->add_error("no_email", 1);
- $valid = false;
- }
- }
-
- if ($valid) {
+ private function _send_reset($form) {
+ $user_name = $form->reset->inputs["name"]->value;
+ $user = user::lookup_by_name($user_name);
+ if ($user && !empty($user->email)) {
$user->hash = md5(rand());
$user->save();
$message = new View("reset_password.html");
@@ -71,22 +69,30 @@ private function _send_reset() {
log::success(
"user",
t("Password reset email sent for user %name", array("name" => $user->name)));
- } else {
+ } else if (!$user) {
// Don't include the username here until you're sure that it's XSS safe
log::warning(
- "user", "Password reset email requested for bogus user");
+ "user", t("Password reset email requested for user %user_name, which does not exist.",
+ array("user_name" => $user_name)));
+ } else {
+ log::warning(
+ "user", t("Password reset failed for %user_name (has no email address on record).",
+ array("user_name" => $user->name)));
}
+ // Always pretend that an email has been sent to avoid leaking
+ // information on what user names are actually real.
message::success(t("Password reset email sent"));
print json_encode(
array("result" => "success"));
}
- private function _reset_form() {
+ private static function _reset_form() {
$form = new Forge(url::current(true), "", "post", array("id" => "g-reset-form"));
$group = $form->group("reset")->label(t("Reset Password"));
- $group->input("name")->label(t("Username"))->id("g-name")->class(null)->rules("required");
- $group->inputs["name"]->error_messages("no_email", t("No email, unable to reset password"));
+ $group->input("name")->label(t("Username"))->id("g-name")->class(null)
+ ->rules("required")
+ ->error_messages("required", t("You must enter a user name"));
$group->submit("")->value(t("Reset"));
return $form;
@@ -110,20 +116,19 @@ private function _new_password_form($hash=null) {
"mistyped", t("The password and the confirm password must match"));
$group->submit("")->value(t("Update"));
- $template->content = new View("confirm_reset_password.html");
- $template->content->form = $form;
+ $template->content = $form;
return $template;
}
private function _change_password() {
$view = $this->_new_password_form();
- if ($view->content->form->validate()) {
+ if ($view->content->validate()) {
$user = user::lookup_by_hash(Input::instance()->post("hash"));
if (empty($user)) {
throw new Exception("@todo FORBIDDEN", 503);
}
- $user->password = $view->content->form->reset->password->value;
+ $user->password = $view->content->reset->password->value;
$user->hash = null;
$user->save();
message::success(t("Password reset successfully"));
@@ -20,7 +20,7 @@
class Users_Controller extends Controller {
public function update($id) {
$user = user::lookup($id);
- if ($user->guest || $user->id != identity::active_user()->id) {
+ if (!$user || $user->guest || $user->id != identity::active_user()->id) {
access::forbidden();
}
@@ -63,7 +63,7 @@ public function update($id) {
public function change_password($id) {
$user = user::lookup($id);
- if ($user->guest || $user->id != identity::active_user()->id) {
+ if (!$user || $user->guest || $user->id != identity::active_user()->id) {
access::forbidden();
}
@@ -99,7 +99,7 @@ public function change_password($id) {
public function change_email($id) {
$user = user::lookup($id);
- if ($user->guest || $user->id != identity::active_user()->id) {
+ if (!$user || $user->guest || $user->id != identity::active_user()->id) {
access::forbidden();
}
@@ -134,7 +134,7 @@ public function change_email($id) {
public function form_edit($id) {
$user = user::lookup($id);
- if ($user->guest || $user->id != identity::active_user()->id) {
+ if (!$user || $user->guest || $user->id != identity::active_user()->id) {
access::forbidden();
}
@@ -143,7 +143,7 @@ public function form_edit($id) {
public function form_change_password($id) {
$user = user::lookup($id);
- if ($user->guest || $user->id != identity::active_user()->id) {
+ if (!$user || $user->guest || $user->id != identity::active_user()->id) {
access::forbidden();
}
@@ -152,7 +152,7 @@ public function form_change_password($id) {
public function form_change_email($id) {
$user = user::lookup($id);
- if ($user->guest || $user->id != identity::active_user()->id) {
+ if (!$user || $user->guest || $user->id != identity::active_user()->id) {
access::forbidden();
}
@@ -1,2 +0,0 @@
-<?php defined("SYSPATH") or die("No direct script access.") ?>
-<?= $form ?>

0 comments on commit 09739df

Please sign in to comment.