public static function savePermissionsFor($role_id, $permissions)
{
if (!Record::existsIn('Role', 'id = :role_id', array(':role_id' => $role_id))) {
return false;
}
if (!self::deleteWhere('RolePermission', 'role_id = :role_id', array(':role_id' => (int) $role_id))) {
return false;
}
foreach ($permissions as $perm) {
$rp = new RolePermission(array('role_id' => $role_id, 'permission_id' => $perm->id));
if (!$rp->save()) {
return false;
}
}
return true;
}
/**
* Runs checks and stores a page.
*
* @param string $action What kind of action this is: add or edit.
* @param mixed $id Page to edit if any.
*/
private function _store($action, $id = false)
{
// Sanity checks
if ($action == 'edit' && !$id) {
throw new Exception('Trying to edit page when $id is false.');
}
use_helper('Validate');
$data = $_POST['page'];
$data['is_protected'] = !empty($data['is_protected']) ? 1 : 0;
Flash::set('post_data', (object) $data);
// Add pre-save checks here
$errors = false;
// CSRF checks
if (isset($_POST['csrf_token'])) {
$csrf_token = $_POST['csrf_token'];
$csrf_id = '';
if ($action === 'edit') {
$csrf_id = '/' . $id;
}
if (!SecureToken::validateToken($csrf_token, BASE_URL . 'page/' . $action . $csrf_id)) {
$errors[] = __('Invalid CSRF token found!');
}
} else {
$errors[] = __('No CSRF token found!');
}
$data['title'] = trim($data['title']);
if (empty($data['title'])) {
$errors[] = __('You have to specify a title!');
}
// Make sure we have a slug
if (isset($data['slug'])) {
$data['slug'] = trim($data['slug']);
} else {
$data['slug'] = '';
}
if (empty($data['slug']) && $id != '1') {
$errors[] = __('You have to specify a slug!');
} else {
if ($data['slug'] == ADMIN_DIR) {
$errors[] = __('You cannot have a slug named :slug!', array(':slug' => ADMIN_DIR));
}
// Make sure home's slug is passed ok, but other slugs are validated properly
if ($id != '1' && (!Validate::slug($data['slug']) || empty($data['slug'])) || $id == '1' && !empty($data['slug'])) {
$errors[] = __('Illegal value for :fieldname field!', array(':fieldname' => 'slug'));
}
if (Record::existsIn('Page', 'parent_id = :parent_id AND slug = :slug AND id <> :id', array(':parent_id' => $data['parent_id'], ':slug' => $data['slug'], ':id' => $id))) {
$errors[] = __('Page with slug <b>:slug</b> already exists!', array(':slug' => $data['slug']));
}
}
// Check all numerical fields for a page
$fields = array('parent_id', 'layout_id', 'needs_login');
foreach ($fields as $field) {
if (!Validate::digit($data[$field])) {
$errors[] = __('Illegal value for :fieldname field!', array(':fieldname' => $field));
}
}
// Check all date fields for a page
$fields = array('created_on', 'published_on', 'valid_until');
foreach ($fields as $field) {
if (isset($data[$field])) {
$data[$field] = trim($data[$field]);
if (!empty($data[$field]) && !(bool) preg_match('/^[0-9]{4}-[0-9]{2}-[0-9]{2}$/D', (string) $data[$field])) {
$errors[] = __('Illegal value for :fieldname field!', array(':fieldname' => $field));
}
}
}
// Check all time fields for a page
$fields = array('created_on_time', 'published_on_time', 'valid_until_time');
foreach ($fields as $field) {
if (isset($data[$field])) {
$data[$field] = trim($data[$field]);
if (!empty($data[$field]) && !(bool) preg_match('/^[0-9]{2}:[0-9]{2}:[0-9]{2}$/D', (string) $data[$field])) {
$errors[] = __('Illegal value for :fieldname field!', array(':fieldname' => $field));
}
}
}
// Check alphanumerical fields
$fields = array('keywords', 'description');
foreach ($fields as $field) {
use_helper('Kses');
$data[$field] = kses(trim($data[$field]), array());
/*
if (!empty($data[$field]) && !Validate::alpha_comma($data[$field])) {
$errors[] = __('Illegal value for :fieldname field!', array(':fieldname' => $field));
}
*
*/
}
// Check behaviour_id field
if (!empty($data['behaviour_id']) && !Validate::slug($data['behaviour_id'])) {
$errors[] = __('Illegal value for :fieldname field!', array(':fieldname' => 'behaviour_id'));
}
// Check is_protected field
if (!empty($data['is_protected']) && !AuthUser::hasPermission('admin_edit')) {
$errors[] = __('Only administrators can change <b>protected</b> status of pages!');
unset($data['is_protected']);
}
// Make sure the title doesn't contain HTML
if (Setting::get('allow_html_title') == 'off') {
use_helper('Kses');
$data['title'] = kses(trim($data['title']), array());
}
// Create the page object to be manipulated and populate data
if ($action == 'add') {
$page = new Page($data);
} else {
$page = Record::findByIdFrom('Page', $id);
$page->setFromData($data);
}
// Upon errors, rebuild original page and return to screen with errors
if (false !== $errors) {
$tags = $_POST['page_tag'];
// Rebuild time fields
if (isset($page->created_on)) {
$page->created_on = $page->created_on . ' ' . $page->created_on_time;
}
if (isset($page->published_on)) {
$page->published_on = $page->published_on . ' ' . $page->published_on_time;
}
if (isset($page->valid_until)) {
$page->valid_until = $page->valid_until . ' ' . $page->valid_until_time;
}
// Rebuild parts
$part = $_POST['part'];
if (!empty($part)) {
$tmp = false;
foreach ($part as $key => $val) {
$tmp[$key] = (object) $val;
}
$part = $tmp;
}
// Set the errors to be displayed.
Flash::setNow('error', implode('<br/>', $errors));
// display things ...
$this->setLayout('backend');
$this->display('page/edit', array('action' => $action, 'csrf_token' => SecureToken::generateToken(BASE_URL . 'page/' . $action . $csrf_id), 'page' => (object) $page, 'tags' => $tags, 'filters' => Filter::findAll(), 'behaviors' => Behavior::findAll(), 'page_parts' => (object) $part, 'layouts' => Record::findAllFrom('Layout')));
}
// Notify
if ($action == 'add') {
Observer::notify('page_add_before_save', $page);
} else {
Observer::notify('page_edit_before_save', $page);
}
// Time to actually save the page
// @todo rebuild this so parts are already set before save?
// @todo determine lazy init impact
if ($page->save()) {
// Get data for parts of this page
$data_parts = $_POST['part'];
Flash::set('post_parts_data', (object) $data_parts);
if ($action == 'edit') {
$old_parts = PagePart::findByPageId($id);
// check if all old page part are passed in POST
// if not ... we need to delete it!
foreach ($old_parts as $old_part) {
$not_in = true;
foreach ($data_parts as $part_id => $data) {
$data['name'] = trim($data['name']);
if ($old_part->name == $data['name']) {
$not_in = false;
// this will not really create a new page part because
// the id of the part is passed in $data
$part = new PagePart($data);
$part->page_id = $id;
Observer::notify('part_edit_before_save', $part);
$part->save();
Observer::notify('part_edit_after_save', $part);
unset($data_parts[$part_id]);
break;
}
}
if ($not_in) {
$old_part->delete();
}
}
}
// add the new parts
foreach ($data_parts as $data) {
$data['name'] = trim($data['name']);
$part = new PagePart($data);
$part->page_id = $page->id;
Observer::notify('part_add_before_save', $part);
$part->save();
Observer::notify('part_add_after_save', $part);
}
// save tags
$page->saveTags($_POST['page_tag']['tags']);
Flash::set('success', __('Page has been saved!'));
} else {
Flash::set('error', __('Page has not been saved!'));
$url = 'page/';
$url .= $action == 'edit' ? 'edit/' . $id : 'add/';
redirect(get_url($url));
}
if ($action == 'add') {
Observer::notify('page_add_after_save', $page);
} else {
Observer::notify('page_edit_after_save', $page);
}
// save and quit or save and continue editing ?
if (isset($_POST['commit'])) {
redirect(get_url('page'));
} else {
redirect(get_url('page/edit/' . $page->id));
}
}
/**
* @todo merge _add() and _edit() into one _store()
*
* @param <type> $id
*/
private function _edit($id)
{
use_helper('Validate');
$data = $_POST['user'];
Flash::set('post_data', (object) $data);
// Add pre-save checks here
$errors = false;
// CSRF checks
if (isset($_POST['csrf_token'])) {
$csrf_token = $_POST['csrf_token'];
if (!SecureToken::validateToken($csrf_token, BASE_URL . 'user/edit/' . $id)) {
Flash::set('error', __('Invalid CSRF token found!'));
redirect(get_url('user/edit/' . $id));
}
} else {
Flash::set('error', __('No CSRF token found!'));
redirect(get_url('user/edit/' . $id));
}
// check if user want to change the password
if (strlen($data['password']) > 0) {
// check if pass and confirm are egal and >= 5 chars
if (strlen($data['password']) >= 5 && $data['password'] == $data['confirm']) {
unset($data['confirm']);
} else {
Flash::set('error', __('Password and Confirm are not the same or too small!'));
redirect(get_url('user/edit/' . $id));
}
} else {
unset($data['password'], $data['confirm']);
}
// Check alphanumerical fields
$fields = array('username');
foreach ($fields as $field) {
if (!empty($data[$field]) && !Validate::alphanum_space($data[$field])) {
$errors[] = __('Illegal value for :fieldname field!', array(':fieldname' => $field));
}
}
if (!empty($data['name']) && !Validate::alphanum_space($data['name'], true)) {
$errors[] = __('Illegal value for :fieldname field!', array(':fieldname' => 'name'));
}
if (!empty($data['email']) && !Validate::email($data['email'])) {
$errors[] = __('Illegal value for :fieldname field!', array(':fieldname' => 'email'));
}
if (!empty($data['language']) && !Validate::alpha_dash($data['language'])) {
$errors[] = __('Illegal value for :fieldname field!', array(':fieldname' => 'language'));
}
// Check if user with the same 'username' already exists
if (Record::existsIn('User', 'username=:username', array(':username' => $data['username']))) {
$errors[] = __('Username <b>:username</b> is already in use, please choose other!', array(':username' => $data['username']));
}
if ($errors !== false) {
// Set the errors to be displayed.
Flash::set('error', implode('<br/>', $errors));
redirect(get_url('user/edit/' . $id));
}
$user = Record::findByIdFrom('User', $id);
if (isset($data['password'])) {
if (empty($user->salt)) {
$user->salt = AuthUser::generateSalt();
}
$data['password'] = AuthUser::generateHashedPassword($data['password'], $user->salt);
}
$user->setFromData($data);
if ($user->save()) {
if (AuthUser::hasPermission('user_edit')) {
// now we need to add roles
$data = isset($_POST['user_role']) ? $_POST['user_role'] : array();
UserRole::setRolesFor($user->id, $data);
}
Flash::set('success', __('User has been saved!'));
Observer::notify('user_after_edit', $user->name, $user->id);
} else {
Flash::set('error', __('User has not been saved!'));
}
if (AuthUser::getId() == $id) {
redirect(get_url('user/edit/' . $id));
} else {
redirect(get_url('user'));
}
}
