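/**
 * Test various ACL action permissions for com_attachments for various users
 *
 * @dataProvider provider
 *
 * @param string $username   The name of the user (for error outputs)
 * @param int    $admin      expected 'core.admin' permission (0/1 interpreted as bool)
 * @param int    $manage     expected 'core.manage' permission (0/1 interpreted as bool)
 * @param int    $create     expected 'core.create' permission (0/1 interpreted as bool)
 * @param int    $delete     expected 'core.delete' permission (0/1 interpreted as bool)
 * @param int    $edit_state expected 'core.edit.state' permission (0/1 interpreted as bool)
 * @param int    $edit       expected 'core.edit' permission (0/1 interpreted as bool)
 * @param int    $edit_own   expected 'core.edit.own' permission (0/1 interpreted as bool)
 * @param int    $delete_own expected 'attachments.delete.own' permission (0/1 interpreted as bool)
 */
public function testActions($username, $admin, $manage, $create, $delete, $edit_state, $edit, $edit_own, $delete_own)
{
    // A username that does not exist resolves to user id 0
    $user_id = JUserHelper::getUserId($username);
    $errmsg = "ERROR: ========> USERNAME={$username} does not exist!";
    // PHPUnit convention is (expected, actual) so failure output reads correctly
    $this->assertNotEquals(0, (int) $user_id, $errmsg);

    $canDo = AttachmentsPermissions::getActions((int) $user_id);

    // Each ACL action paired with the expected value from the data provider;
    // the checks are identical apart from the action name, so run them in a loop
    $expected = array(
        'core.admin' => $admin,
        'core.manage' => $manage,
        'core.create' => $create,
        'core.delete' => $delete,
        'core.edit.state' => $edit_state,
        'core.edit' => $edit,
        'core.edit.own' => $edit_own,
        'attachments.delete.own' => $delete_own,
    );

    foreach ($expected as $action => $value) {
        $actual = $canDo->get($action);
        $errmsg = "----> Failed test for {$username} {$action} for com_attachments, "
            . " expected {$value}, got " . $actual . " for " . $username;
        $this->assertEquals((bool) $value, $actual, $errmsg);
    }
}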
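/**
 * Return true if this user may change the state of this attachment
 *
 * (Note that all of the arguments are assumed to be valid; no sanity checking is done.
 * It is up to the caller to validate the arguments before calling this function.)
 *
 * @param int    $parent_id             the ID for the parent object
 * @param string $parent_entity         the type of entity for this parent ('category';
 *                                      any other value is treated as an article)
 * @param int    $attachment_creator_id the ID of the creator of the attachment
 * @param int    $user_id               the user_id to check (optional, primarily for testing;
 *                                      null means the current user)
 *
 * @return bool true if this user may change the state of this attachment
 */
public function userMayChangeAttachmentState($parent_id, $parent_entity, $attachment_creator_id, $user_id = null)
{
    // If the user generally has permissions to edit all content, they
    // may change this attachment state (editor, publisher, admin, etc)
    $user = JFactory::getUser($user_id);
    if ($user->authorise('com_content', 'edit', 'content', 'all')) {
        return true;
    }

    require_once JPATH_ADMINISTRATOR . '/components/com_attachments/permissions.php';

    // Categories and articles follow the same rule chain; only the parent-edit
    // check and the entity name passed to getParentCreatorId() differ.
    // ?? Deal with parents being created (parent_id == 0)
    // NOTE(review): the parent-edit check is evaluated for the current session
    // user rather than for $user_id, so the two can disagree when $user_id is
    // supplied (e.g. from tests) -- confirm this is intended.
    if ($parent_entity == 'category') {
        $entity_name = 'category';
        $may_edit_parent = AttachmentsPermissions::userMayEditCategory($parent_id);
    } else {
        // Anything other than 'category' is an article
        $entity_name = 'article';
        $may_edit_parent = AttachmentsPermissions::userMayEditArticle($parent_id);
    }

    // First, determine if the user can edit the parent at all
    if (!$may_edit_parent) {
        return false;
    }

    // See if the user can change the state of any attachment
    if ($user->authorise('core.edit.state', 'com_attachments')) {
        return true;
    }

    // See if the user has permissions to change the state of their own attachments
    if ($user->authorise('attachments.edit.state.own', 'com_attachments')
        && (int) $user->id == (int) $attachment_creator_id) {
        return true;
    }

    // See if the user has permission to change the state of any attachments
    // for parents (categories / articles) they created
    if ($user->authorise('attachments.edit.state.ownparent', 'com_attachments')) {
        $parent_creator_id = $this->getParentCreatorId($parent_id, $entity_name);
        return (int) $user->id == (int) $parent_creator_id;
    }

    return false;
}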
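/**
 * Append the attachments list (and the add-attachment buttons) to an article's text
 *
 * Content plugin entry point. Only acts when the current component is
 * com_content and the row has an id (earlier calls without an id are ignored).
 *
 * @param object $row    the article row; $row->text is appended to in place
 * @param object $params the content params (unused here; part of the plugin signature)
 * @param int    $page   the page number (unused here; part of the plugin signature)
 *
 * @return void
 */
function addAttachments(&$row, &$params, $page = 0)
{
    // Only display attachments for content (articles)
    global $option;
    if ($option != 'com_content') {
        return;
    }

    // Apparently this is called before articles are displayed (ignore those calls)
    if (!isset($row->id)) {
        return;
    }

    // Get the component parameters
    jimport('joomla.application.component.helper');
    $attachParams = JComponentHelper::getParams('com_attachments');

    // Get some of the options
    $user = JFactory::getUser();
    $logged_in = $user->get('username') != '';

    // Load the language files from the backend
    $lang = JFactory::getLanguage();
    $lang->load('plg_frontend_attachments', JPATH_ADMINISTRATOR);

    // See whether we can display the links to add attachments
    require_once JPATH_SITE . DS . 'components' . DS . 'com_attachments' . DS . 'permissions.php';
    if (AttachmentsPermissions::attachments_hidden_for_article($row->id, $attachParams)) {
        return;
    }
    $user_can_add = AttachmentsPermissions::user_may_add_attachment($user, $row->id);

    // Determine where we are.  'from' is a request-derived hint that is passed
    // through to the generated links; Itemid falls back to 1 unless numeric.
    $from = JRequest::getVar('view', false);
    $Itemid = JRequest::getVar('Itemid', false);
    $Itemid = is_numeric($Itemid) ? intval($Itemid) : 1;

    // Show the attachment list (if appropriate): everyone when 'anyone',
    // otherwise only logged-in users
    $who_can_see = $attachParams->get('who_can_see', 'logged_in');
    if ($who_can_see == 'anyone' || ($who_can_see == 'logged_in' && $logged_in)) {
        $row->text .= attachments_attachmentListHtml($row->id, $user_can_add, $Itemid, $from);
    }

    if ($user_can_add) {
        $row->text .= attachments_attachmentButtonsHTML($row->id, $Itemid, $from);
    }
}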
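/**
 * Set the user_may_see / user_may_modify flags on a list of attachments
 *
 * Each attachment object in $attachments gets two boolean properties set in
 * place: user_may_see and user_may_modify.
 *
 * @param array  $attachments the attachment objects for the article (modified in place)
 * @param object $user        the user to evaluate the permissions for
 * @param int    $article_id  the id of the article the attachments belong to
 *
 * @return bool true if at least one attachment is visible to this user,
 *              false otherwise (including an empty list)
 */
function add_permissions(&$attachments, $user, $article_id)
{
    // Make sure we have a valid article ID (null and '' are not numeric,
    // so this single check covers all the rejected cases)
    if (!is_numeric($article_id)) {
        $errmsg = JText::_('ERROR BAD ARTICLE ID');
        JError::raiseError(500, $errmsg);
    }

    // If there are no attachments, don't do anything
    if (count($attachments) == 0) {
        return false;
    }

    // Get the component parameters
    jimport('joomla.application.component.helper');
    $params = JComponentHelper::getParams('com_attachments');

    // Options that do not vary per attachment (hoisted out of the loop)
    $logged_in = $user->get('username') != '';
    $who_can_see = $params->get('who_can_see', 'logged_in');
    $visible_to_this_user = ($who_can_see == 'anyone' || ($who_can_see == 'logged_in' && $logged_in));

    // Process each attachment
    $some_visible = false;
    foreach ($attachments as &$attach) {
        // Determine if the user may modify this attachment
        // (Nobody may modify attachments without being logged in)
        $attach->user_may_modify = false;
        if ($logged_in) {
            $attach->user_may_modify =
                AttachmentsPermissions::user_may_modify_attachment($user, $attach, $article_id, $params);
        }

        // Determine if the user may see the attachment
        $attach->user_may_see = $visible_to_this_user;
        if ($visible_to_this_user) {
            $some_visible = true;
        }
    }
    // Drop the dangling reference left by the by-reference foreach
    unset($attach);

    return $some_visible;
}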
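/**
 * Resolve the caption for an article's attachments table
 *
 * @param string $title      the caller-supplied title (a language key); empty falls back to 'ATTACHMENTS TITLE'
 * @param string $rtitle_str the 'attachments_titles' parameter: one entry per line, either
 *                           "<article id> <title>" (for that article only) or a bare title (for all)
 * @param int    $article_id the article the table is for
 *
 * @return string the translated caption
 */
function attachments_tableTitle($title, $rtitle_str, $article_id)
{
    if (!$title || strlen($title) == 0) {
        $title = 'ATTACHMENTS TITLE';
    }

    if ($rtitle_str != '') {
        // One entry per line; the removed ereg split() is replaced by preg_split
        // (the old "[\n|\r]" class also split on a literal '|', which was never intended)
        foreach (preg_split("/[\r\n]+/", $rtitle_str) as $rtitle) {
            if ($rtitle == '') {
                continue;
            }
            $rchunks = explode(' ', $rtitle, 2);
            if (count($rchunks) == 1) {
                // A bare title applies to every article (last one wins)
                $title = $rtitle;
            } elseif (is_numeric($rchunks[0])) {
                // "<id> <title>" applies only to that article; the first match wins
                if (intval($rchunks[0]) == intval($article_id)) {
                    $title = trim($rchunks[1]);
                    break;
                }
            } else {
                $title = $rtitle;
            }
        }
    }

    return JText::_($title);
}

/**
 * Build one table cell for an optional text column (description / user field)
 *
 * @param string $class              the CSS class for the cell
 * @param string $value              the raw value; a blank value renders as a single space
 * @param bool   $show_column_titles when false the value is wrapped in [brackets] since there is no header
 *
 * @return string the <td> HTML
 */
function attachments_tableTextCell($class, $value, $show_column_titles)
{
    if (strlen($value) == 0) {
        $value = ' ';
    }
    // The value is user-submitted attachment metadata, so escape it for the
    // HTML text context (double_encode=false keeps already-encoded entities intact)
    $value = htmlspecialchars($value, ENT_QUOTES, 'UTF-8', false);

    if ($show_column_titles) {
        return "<td class=\"{$class}\">{$value}</td>";
    }
    return "<td class=\"{$class}\">[{$value}]</td>";
}

/**
 * Build the HTML table listing the published attachments for an article
 *
 * @param int    $article_id      the id of the article whose attachments are listed
 * @param string $title           the table caption (falls back to 'ATTACHMENTS TITLE'; may be
 *                                overridden per article by the 'attachments_titles' parameter)
 * @param bool   $show_file_links whether the filenames should link to the files
 * @param bool   $allow_modify    whether update/delete links may be shown at all
 * @param string $from            hint about the calling view, appended to the delete link as '&from='
 *
 * @return string the HTML for the table, or '' if there are no attachments visible to the user
 */
function attachmentsTableHTML($article_id, $title, $show_file_links, $allow_modify, $from)
{
    global $mainframe;

    // Load the language files from the backend
    $lang = JFactory::getLanguage();
    $lang->load('plg_frontend_attachments', JPATH_ADMINISTRATOR);

    // Get the component parameters
    jimport('joomla.application.component.helper');
    $params = JComponentHelper::getParams('com_attachments');

    // The article id is interpolated into the query below, so reject anything
    // non-numeric up front (same error as add_permissions()) and force an int
    if (!is_numeric($article_id)) {
        $errmsg = JText::_('ERROR BAD ARTICLE ID');
        JError::raiseError(500, $errmsg);
    }
    $article_id = intval($article_id);

    // Set up to list the attachments for this article: the ORDER BY clause is
    // taken from a fixed whitelist keyed by the 'sort_order' parameter, so the
    // parameter value itself never reaches the query
    $order_by_options = array(
        'filename' => 'filename',
        'file_size' => 'file_size',
        'file_size_desc' => 'file_size DESC',
        'description' => 'description',
        'create_date' => 'create_date',
        'create_date_desc' => 'create_date DESC',
        'modification_date' => 'modification_date',
        'modification_date_desc' => 'modification_date DESC',
        'user_field_1' => 'user_field_1',
        'user_field_2' => 'user_field_2',
        'user_field_3' => 'user_field_3',
        'id' => 'id',
    );
    $sort_order = $params->get('sort_order', 'filename');
    $order_by = isset($order_by_options[$sort_order]) ? $order_by_options[$sort_order] : 'filename';

    $db = JFactory::getDBO();
    $query = "SELECT * FROM #__attachments WHERE article_id='{$article_id}' AND published='1' ORDER BY {$order_by}";
    $db->setQuery($query);
    $rows = $db->loadObjectList();
    if (count($rows) == 0) {
        return '';
    }

    // Load the permissions functions
    require_once JPATH_SITE . DS . 'components' . DS . 'com_attachments' . DS . 'permissions.php';

    // Get the permissions for the attachments for this article
    $user = JFactory::getUser();
    if (!AttachmentsPermissions::add_permissions($rows, $user, $article_id)) {
        return '';
    }

    // Scan through the results and see if any of them may be modified
    $some_attachments_modifiable = false;
    if ($allow_modify) {
        foreach ($rows as $row) {
            if ($row->user_may_modify) {
                $some_attachments_modifiable = true;
                break;
            }
        }
    }

    // If modifiable, add necessary Javascript for iframe
    if ($some_attachments_modifiable) {
        $document = JFactory::getDocument();
        $document->addScript(JURI::root(true) . '/media/system/js/modal.js');
        JHTML::_('behavior.modal', 'a.modal-button');
    }

    // Get the plugin options
    $style = $params->get('attachments_table_style', 'attachmentsList');
    $secure = $params->get('secure', false);
    $show_column_titles = $params->get('show_column_titles', false);
    $show_description = $params->get('show_description', true);
    $show_file_size = $params->get('show_file_size', true);
    $show_downloads = $params->get('show_downloads', false);
    $show_mod_date = $params->get('show_modification_date', false);
    $file_link_open_mode = $params->get('file_link_open_mode', 'in_same_window');
    $mod_date_format = $params->get('mod_date_format', 'M-j-Y g:ia');
    // User-defined fields are shown only when the admin gave them a name
    $user_field_names = array(
        1 => $params->get('user_field_1_name', ''),
        2 => $params->get('user_field_2_name', ''),
        3 => $params->get('user_field_3_name', ''),
    );

    // Construct the title first
    $title = attachments_tableTitle($title, $params->get('attachments_titles', ''), $article_id);

    // Massage some of the attachments info
    if ($mainframe->isAdmin()) {
        $base_url = $mainframe->getSiteURL();
    } else {
        $base_url = JURI::Base();
    }
    $icon_url_base = $base_url . 'components/com_attachments/media/icons/';
    $target = ($file_link_open_mode == 'new_window') ? ' target="_blank"' : '';

    // Construct the starting HTML
    $html = "\n<div class=\"{$style}\">\n";
    $html .= "<table>\n";
    $html .= "<caption>{$title}</caption>\n";

    // Add the column titles, if requested
    if ($show_column_titles) {
        $html .= "<thead>\n<tr>";
        $html .= "<th class=\"at_filename\">" . JText::_('FILE') . "</th>";
        if ($show_description) {
            $html .= "<th class=\"at_description\">" . JText::_('DESCRIPTION') . "</th>";
        }
        foreach ($user_field_names as $user_field_name) {
            if ($user_field_name != '') {
                $html .= "<th class=\"at_user_field\">" . $user_field_name . "</th>";
            }
        }
        if ($show_file_size) {
            $html .= "<th class=\"at_file_size\">" . JText::_('FILE SIZE') . "</th>";
        }
        if ($secure && $show_downloads) {
            $html .= "<th class=\"at_downloads\">" . JText::_('DOWNLOADS') . "</th>";
        }
        if ($show_mod_date) {
            $html .= "<th class=\"at_mod_date\">" . JText::_('LAST MODIFIED') . "</th>";
        }
        if ($some_attachments_modifiable) {
            $html .= "<th class=\"at_modify\"> </th>";
        }
        $html .= "</tr>\n</thead>\n";
    }
    $html .= "<tbody>\n";

    // Construct the lines for the attachments
    $row_num = 0;
    foreach ($rows as $row) {
        // Skip this one if it should not be visible
        if (!$row->user_may_see) {
            continue;
        }
        $row_num++;
        // Alternate row classes; '==' binds tighter than '&' in PHP, so the
        // bit test must be parenthesised
        $html .= (($row_num & 1) == 1) ? '<tr class="odd">' : '<tr class="even">';

        // Construct some display items.  Filenames come from uploaders, so they
        // are escaped for both the attribute and the text context.
        $icon_url = $icon_url_base . (strlen($row->icon_filename) > 0 ? $row->icon_filename : 'generic.gif');
        $filename = (strlen($row->display_filename) == 0) ? $row->filename : $row->display_filename;
        $filename = htmlspecialchars($filename, ENT_QUOTES, 'UTF-8', false);
        $tooltip = htmlspecialchars(JText::_('DOWNLOAD THIS FILE') . ' (' . $row->filename . ')', ENT_QUOTES, 'UTF-8', false);

        // Add the filename
        $html .= '<td class="at_filename">';
        if ($show_file_links) {
            if ($secure) {
                $url = JRoute::_("index.php?option=com_attachments&task=download&id=" . $row->id);
            } else {
                $url = $base_url . $row->url;
            }
            $href = htmlspecialchars($url, ENT_QUOTES, 'UTF-8', false);
            $html .= "<a class=\"at_icon\" href=\"{$href}\"{$target} title=\"{$tooltip}\"><img src=\"{$icon_url}\" alt=\"{$tooltip}\" /></a>";
            $html .= "<a class=\"at_url\" href=\"{$href}\"{$target} title=\"{$tooltip}\">{$filename}</a>";
        } else {
            $html .= "<img src=\"{$icon_url}\" alt=\"{$tooltip}\" /> ";
            $html .= $filename;
        }
        $html .= "</td>";

        // Add description (maybe)
        if ($show_description) {
            $html .= attachments_tableTextCell('at_description', $row->description, $show_column_titles);
        }

        // Show the USER DEFINED FIELDs (maybe)
        foreach ($user_field_names as $n => $user_field_name) {
            if ($user_field_name != '') {
                $property = 'user_field_' . $n;
                $html .= attachments_tableTextCell('at_user_field', $row->$property, $show_column_titles);
            }
        }

        // Add file size (maybe)
        if ($show_file_size) {
            $file_size = intval($row->file_size / 1024.0);
            $html .= "<td class=\"at_file_size\">{$file_size} Kb</td>";
        }

        // Show number of downloads (maybe)
        if ($secure && $show_downloads) {
            $num_downloads = intval($row->download_count);
            $label = '';
            if (!$show_column_titles) {
                $label = ' ' . JText::_($num_downloads == 1 ? 'DOWNLOAD NOUN' : 'DOWNLOADS');
            }
            $html .= '<td class="at_downloads">' . $num_downloads . $label . '</td>';
        }

        // Add the modification date (maybe)
        if ($show_mod_date) {
            jimport('joomla.utilities.date');
            $date = new JDate($row->modification_date, -$mainframe->getCfg('offset'));
            $last_modified = $date->toFormat($mod_date_format);
            $html .= "<td class=\"at_mod_date\">{$last_modified}</td>";
        }

        // Add the update and delete links, if this user may modify this attachment
        if ($some_attachments_modifiable && $row->user_may_modify) {
            // Create the update link
            $url = "index.php?option=com_attachments&task=update&id={$row->id}";
            $url .= "&from=closeme&tmpl=component";
            $href = htmlspecialchars(JRoute::_($url), ENT_QUOTES, 'UTF-8', false);
            $update_img = $base_url . 'components/com_attachments/media/pencil.gif';
            $tooltip = htmlspecialchars(JText::_('UPDATE THIS FILE') . ' (' . $row->filename . ')', ENT_QUOTES, 'UTF-8', false);
            $update_link = '<a class="modal-button" type="button" href="' . $href . '"';
            $update_link .= " rel=\"{handler: 'iframe', size: {x: 800, y: 530}}\"";
            $update_link .= " title=\"{$tooltip}\"><img src=\"{$update_img}\" alt=\"{$tooltip}\" /></a>";

            // Create the delete link
            $url = "index.php?option=com_attachments&task=delete_warning&id={$row->id}&artid={$article_id}";
            if ($from) {
                // Add a var to give a hint of where to return to ('from' is
                // request-derived, so it is URL-encoded before being embedded)
                $url .= "&from=" . urlencode($from);
            } else {
                $url .= "&from=closeme";
            }
            $url .= "&tmpl=component";
            $href = htmlspecialchars(JRoute::_($url), ENT_QUOTES, 'UTF-8', false);
            $delete_img = $base_url . 'components/com_attachments/media/delete.gif';
            $tooltip = htmlspecialchars(JText::_('DELETE THIS FILE') . ' (' . $row->filename . ')', ENT_QUOTES, 'UTF-8', false);
            $del_link = '<a class="modal-button" type="button" href="' . $href . '"';
            $del_link .= " rel=\"{handler: 'iframe', size: {x: 600, y: 300}}\"";
            $del_link .= " title=\"{$tooltip}\"><img src=\"{$delete_img}\" alt=\"{$tooltip}\" /></a>";

            $html .= "<td class=\"at_modify\">{$update_link} {$del_link}</td>";
        }

        $html .= "</tr>\n";
    }

    // Close the HTML
    $html .= "</tbody></table></div>\n";

    return $html;
}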
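/**
 * Search plugin entry point: find published attachments matching the search text
 *
 * @param string $text     the search text
 * @param string $phrase   matching mode: 'exact', 'all' (every word must match) or
 *                         anything else (any word may match)
 * @param string $ordering 'oldest', 'newest' or 'alpha' (the default)
 * @param array  $areas    the requested search areas; when given, must contain one of
 *                         the keys of plgSearchAttachmentAreas()
 *
 * @return array the matching attachment rows decorated as search results, empty if none
 */
function plgSearchAttachments($text, $phrase = '', $ordering = '', $areas = null)
{
    $db = JFactory::getDBO();
    $user = JFactory::getUser();

    // Exit if the search does not include attachments
    if (is_array($areas)) {
        if (!array_intersect($areas, array_keys(plgSearchAttachmentAreas()))) {
            return array();
        }
    }

    // Make sure we have something to search for
    $text = trim($text);
    if ($text == '') {
        return array();
    }

    // load plugin params info
    $plugin = JPluginHelper::getPlugin('search', 'attachments');
    $pluginParams = new JParameter($plugin->params);
    $limit = $pluginParams->def('search_limit', 50);

    // Get the component parameters
    jimport('joomla.application.component.helper');
    $attachParams = JComponentHelper::getParams('com_attachments');
    $secure = $attachParams->get('secure', false);

    // The user-defined fields are searched and displayed only when they have a name
    $user_field_names = array();
    for ($n = 1; $n <= 3; $n++) {
        $name = $attachParams->get("user_field_{$n}_name", '');
        if (strlen($name) > 0) {
            $user_field_names[$n] = $name;
        }
    }

    // Columns searched, in order: filename, display filename, named user fields, description
    $search_columns = array('a.filename', 'a.display_filename');
    foreach (array_keys($user_field_names) as $n) {
        $search_columns[] = "a.user_field_{$n}";
    }
    $search_columns[] = 'a.description';

    // Build the WHERE clause; every search term is escaped and quoted by the driver
    switch ($phrase) {
        case 'exact':
            $quoted = $db->Quote('%' . $db->getEscaped($text, true) . '%', false);
            $likes = array();
            foreach ($search_columns as $column) {
                $likes[] = "(LOWER({$column}) LIKE {$quoted})";
            }
            $where = '(' . implode(' OR ', $likes) . ')';
            break;

        default:
            $wheres = array();
            foreach (explode(' ', $text) as $word) {
                $quoted = $db->Quote('%' . $db->getEscaped($word, true) . '%', false);
                $likes = array();
                foreach ($search_columns as $column) {
                    $likes[] = "LOWER({$column}) LIKE {$quoted}";
                }
                $wheres[] = implode(' OR ', $likes);
            }
            // 'all' requires every word to match; anything else requires at least one
            $where = '(' . implode($phrase == 'all' ? ') AND (' : ') OR (', $wheres) . ')';
            break;
    }

    // Set up the sorting
    switch ($ordering) {
        case 'oldest':
            $order = 'a.create_date ASC';
            break;
        case 'newest':
            $order = 'a.create_date DESC';
            break;
        case 'alpha':
        default:
            // NOTE(review): 'alpha' sorts by filename descending -- confirm that is intended
            $order = 'a.filename DESC';
    }

    // Load the permissions functions
    require_once JPATH_SITE . DS . 'components' . DS . 'com_attachments' . DS . 'permissions.php';

    // Construct and execute the query.  With SELECT * over the join, the plain
    // 'id' column of each row holds the last 'id' in the result set (c.id, the
    // content id), so the attachment's own id must be read from attachment_id.
    $query = 'SELECT *, a.id as attachment_id, c.title as article_title'
        . ' FROM #__attachments AS a'
        . ' LEFT JOIN #__content as c ON a.article_id = c.id'
        . ' WHERE (' . $where . ')'
        . ' AND a.published = 1'
        . ' ORDER BY ' . $order;
    $db->setQuery($query, 0, $limit);
    $rows = $db->loadObjectList();

    $results = array();
    foreach ($rows as $row) {
        // Do not add the attachment if the user may not access it.  The access
        // check must use the attachment id, not the clobbered 'id' column.
        if (!AttachmentsPermissions::user_may_access_attachment($user, $row->attachment_id)) {
            continue;
        }

        // Construct the download URL if necessary
        if ($secure) {
            $row->href = JRoute::_("index.php?option=com_attachments&task=download&id=" . $row->attachment_id);
        } else {
            $row->href = $row->url;
        }

        // Prefer the display filename when one is set (a display filename of
        // "0" is a legitimate value, so test the length rather than truthiness)
        $has_display_filename = strlen($row->display_filename) > 0;
        $row->title = $has_display_filename ? $row->display_filename : $row->filename;

        // Set the text to the string containing the search target
        if ($has_display_filename) {
            $text = $row->display_filename . " (" . JText::_('FILENAME COLON') . " " . $row->filename . ") ";
        } else {
            $text = JText::_('FILENAME COLON') . " " . $row->filename;
        }
        if (strlen($row->description) > 0) {
            $text .= " | " . JText::_('DESCRIPTION COLON') . $row->description;
        }
        foreach ($user_field_names as $n => $name) {
            $property = "user_field_{$n}";
            if (strlen($row->$property) > 0) {
                $text .= " | " . $name . ": " . $row->$property;
            }
        }
        $row->text = $text;
        $row->created = $row->create_date;
        $row->browsernav = 2;
        $row->section = JText::_('ATTACHED TO ARTICLE') . ": " . $row->article_title;

        $results[] = $row;
    }

    return $results;
}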
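/**
 * Controller task: save a newly uploaded attachment ('saveNew' / 'applyNew')
 *
 * Requires a valid request token and a logged-in user with permission to add
 * attachments to the target article.  On success it redirects according to
 * the task and the 'from' request var; when called from the 'closeme' iframe
 * it emits a script that closes the modal and exits.
 *
 * @return void
 */
function saveNew()
{
    // Check for request forgeries
    JRequest::checkToken() or die('Invalid Token');

    // Make sure we have a user
    $user = JFactory::getUser();
    if ($user->get('username') == '') {
        $errmsg = JText::_('ERROR MUST BE LOGGED IN TO UPLOAD ATTACHMENT');
        JError::raiseError(500, $errmsg);
    }

    // Make sure we have a valid article ID (read via JRequest so a missing
    // field does not raise an undefined-index notice)
    require_once JPATH_BASE . DS . '..' . DS . 'components' . DS . 'com_attachments' . DS . 'helper.php';
    $article_id = AttachmentsHelper::valid_article_id(JRequest::getVar('article_id', '', 'post'));
    if ($article_id == -1) {
        // Tell the user to pick an article and send the browser back.  The
        // message is JSON-encoded so quotes in the translation cannot break out
        // of the script string.  Nothing may be saved for an invalid article,
        // so stop here instead of falling through to the permission check and upload.
        $errmsg = JText::_('ERROR MUST SELECT ARTICLE');
        echo "<script> alert(" . json_encode($errmsg) . "); window.history.go(-1); </script>\n";
        return;
    }

    // Make sure this user has permission to upload (should never fail with admin?)
    require_once JPATH_COMPONENT_SITE . DS . 'permissions.php';
    if (!AttachmentsPermissions::user_may_add_attachment($user, $article_id)) {
        $errmsg = JText::_('ERROR NO PERMISSION TO UPLOAD');
        JError::raiseError(500, $errmsg);
        exit;
    }

    // Set up the new record.
    // NOTE(review): bind() copies every POST field onto the table row and only
    // uploader_id and article_id are overridden afterwards, so any other column
    // of the table can be set by the submitter -- confirm the table class
    // restricts the bindable fields.
    $row = JTable::getInstance('Attachments', 'Table');
    if (!$row->bind(JRequest::get('post'))) {
        JError::raiseError(500, $row->getError());
    }
    $row->uploader_id = $user->get('id');
    $row->article_id = $article_id;

    // Handle 'from' clause
    $from = JRequest::getVar('from', ' (no from)');

    $msg = AttachmentsHelper::upload_file($row, $article_id);

    // See where to go to next
    global $option;
    switch ($this->_task) {
        case 'applyNew':
            $link = 'index.php?option=' . $option . '&task=edit&cid[]=' . $row->id;
            break;
        case 'saveNew':
        default:
            $link = 'index.php?option=' . $option;
            break;
    }

    // If called from the editor, go back to it
    if ($from == 'editor') {
        $link = 'index.php?option=com_content&task=edit&cid[]=' . $article_id;
    }

    // If we are supposed to close this iframe, do it now.
    if ($from == 'closeme') {
        echo "<script language=\"javascript\" type=\"text/javascript\">window.parent.document.getElementById('sbox-window').close()</script>";
        exit;
    }

    $this->setRedirect($link, $msg);
}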
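/**
 * Controller task: show the update form for an existing attachment
 *
 * Call with: index.php?option=com_attachments&task=update&id=1&tmpl=component
 *        or: component/attachments/update/id/1/tmpl/component
 *
 * Validates the attachment id, checks that the user may modify the attachment,
 * makes sure the upload directory exists and then displays the 'update' view.
 *
 * @return void
 */
function update()
{
    require_once JPATH_COMPONENT_SITE . DS . 'helper.php';

    // Make sure we have a valid attachment ID.  The raw value is echoed back
    // in the error message, so it is HTML-escaped there.
    $id = JRequest::getVar('id');
    if (!is_numeric($id)) {
        $errmsg = JText::_('ERROR INVALID ATTACHMENT ID')
            . ' (' . htmlspecialchars((string) $id, ENT_QUOTES, 'UTF-8') . ')';
        JError::raiseError(500, $errmsg);
        exit;
    }
    $id = intval($id);

    // Get the attachment record
    $attachment = JTable::getInstance('attachments', 'Table');
    if (!$attachment->load($id)) {
        $errmsg = JText::_('ERROR CANNOT UPDATE ATTACHMENT INVALID ID') . " ({$id})";
        JError::raiseError(500, $errmsg);
        exit;
    }

    // Get the component parameters
    jimport('joomla.application.component.helper');
    $params = JComponentHelper::getParams('com_attachments');

    // Verify that this user may modify this attachment
    $user = JFactory::getUser();
    $article_id = $attachment->article_id;
    $article_title = AttachmentsHelper::get_article_title($article_id);
    require_once JPATH_COMPONENT_SITE . DS . 'permissions.php';
    if (!AttachmentsPermissions::user_may_modify_attachment($user, $attachment, $article_id, $params)) {
        // NOTE(review): the language key says 'UPLOAD' although this is a modify check
        $errmsg = JText::_('ERROR NO PERMISSION TO UPLOAD');
        JError::raiseError(500, $errmsg);
        exit;
    }

    // Make sure the attachments directory exists
    $upload_subdir = $params->get('attachments_subdir', 'attachments');
    if ($upload_subdir == '') {
        $upload_subdir = 'attachments';
    }
    $upload_dir = JPATH_BASE . DS . $upload_subdir;
    $secure = $params->get('secure', false);
    if (!AttachmentsHelper::setup_upload_directory($upload_dir, $secure)) {
        $errmsg = JText::_('ERROR UNABLE TO SETUP UPLOAD DIR');
        JError::raiseError(500, $errmsg);
    }

    // Set up the view
    require_once JPATH_COMPONENT_SITE . DS . 'views' . DS . 'update' . DS . 'view.php';
    $view = new AttachmentsViewUpdate();
    $view->assign('update_file', JRequest::getVar('change', false));
    $view->assign('save_url', "index.php?option=com_attachments&task=save&tmpl=component");
    $view->assign('attachment_id', $id);
    $view->assign('article_id', $article_id);
    $view->assign('article_title', $article_title);
    $view->assign('filename', $attachment->filename);
    $view->assign('description', $attachment->description);
    $view->assign('display_filename', $attachment->display_filename);
    $view->assign('user_field_1', $attachment->user_field_1);
    $view->assign('user_field_2', $attachment->user_field_2);
    $view->assign('user_field_3', $attachment->user_field_3);
    $view->assign('from', JRequest::getVar('from', 'closeme'));
    $view->assign('Itemid', JRequest::getVar('Itemid', 1));
    $view->assignRef('params', $params);
    $view->display(null, false, false, false);
}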
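/**
 * Test to see whether a user may edit a specified category
 *
 * @dataProvider provider
 *
 * @param int    $user_id  the id of the user to test
 * @param string $username the username (for error printouts)
 * @param int    $cat_id   the id of the category to test
 * @param int    $may_edit the expected result of the test (0/1 interpreted as bool)
 */
public function testCategoryEdit($user_id, $username, $cat_id, $may_edit)
{
    $result = AttachmentsPermissions::userMayEditCategory((int) $cat_id, (int) $user_id);
    $errmsg = "----> Failed test for {$username} edit category {$cat_id}, expected {$may_edit}, got {$result}";
    // PHPUnit convention is (expected, actual) so failure output reads correctly
    $this->assertEquals((bool) $may_edit, $result, $errmsg);
}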
/**
 * Setting the toolbar
 *
 * Adds the toolbar buttons the current user is allowed to use, based on the
 * com_attachments ACL actions, plus a popup help button.
 */
protected function addToolBar()
{
    require_once JPATH_COMPONENT_ADMINISTRATOR . '/permissions.php';
    $canDo = AttachmentsPermissions::getActions();
    $toolbar = JToolBar::getInstance('toolbar');
    // Joomla 3 uses different icon names and button markup
    $is_j3 = version_compare(JVERSION, '3.0', 'ge');

    JToolBarHelper::title(JText::_('ATTACH_ATTACHMENTS'), 'attachments.png');

    if ($canDo->get('core.create')) {
        JToolBarHelper::addNew('attachment.add');
    }

    $may_edit = $canDo->get('core.edit') || $canDo->get('core.edit.own');
    if ($may_edit) {
        JToolBarHelper::editList('attachment.edit');
    }

    $may_change_state = $canDo->get('core.edit.state') || $canDo->get('attachments.edit.state.own');
    if ($may_change_state) {
        JToolBarHelper::divider();
        JToolBarHelper::publishList('attachments.publish');
        JToolBarHelper::unpublishList('attachments.unpublish');
    }

    $may_delete = $canDo->get('core.delete') || $canDo->get('attachments.delete.own');
    if ($may_delete) {
        JToolBarHelper::divider();
        JToolBarHelper::deleteList('', 'attachments.delete');
    }

    if ($canDo->get('core.admin')) {
        JToolBarHelper::divider();
        JToolBarHelper::custom('params.edit', 'options', 'options', 'JTOOLBAR_OPTIONS', false);

        // Add a button for extra admin commands
        $icon_name = $is_j3 ? 'wrench' : 'adminUtils';
        $toolbar->appendButton('Popup', $icon_name, 'ATTACH_UTILITIES',
            'index.php?option=com_attachments&task=adminUtils&tmpl=component', 800, 500);
    }

    JToolBarHelper::divider();

    // Manually add a help button for the help view
    $url = 'index.php?option=com_attachments&task=help&tmpl=component';
    $help = ' ' . JText::_('JTOOLBAR_HELP') . ' ';
    $onclick = "onclick=\"Joomla.popupWindow('{$url}', 'Help', 800, 650, 1)\"> ";
    if ($is_j3) {
        $link = "<button class=\"btn btn-small\" rel=\"help\" href=\"#\" " . $onclick
            . "<i class=\"icon-question-sign\"></i>{$help}</button>";
    } else {
        $link = '<a class="toolbar" rel="help" href="#" ' . $onclick
            . "<span class=\"icon-32-help\"> </span>{$help}</a>";
    }
    $toolbar->appendButton('Custom', $link, 'toolbar-help');
}