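/**
 * A guest comment saved straight through the ORM exposes the guest_* columns through the
 * author_*() accessors and gets every server_* column filled in at save time.
 *
 * The test environment evidently supplies each $_SERVER entry as its own key name
 * (REMOTE_ADDR => "REMOTE_ADDR", ...), which is what the server_* assertions check.
 *
 * Fix: REMOTE_ADDR and HTTP_USER_AGENT were asserted twice; each server_* column is now
 * checked exactly once from a single table.
 */
public function create_comment_for_guest_test() {
  $comment = ORM::factory("comment");
  $comment->item_id = item::root()->id;
  $comment->text = "text";
  $comment->author_id = identity::guest()->id;
  $comment->guest_name = "name";
  $comment->guest_email = "*****@*****.**";
  $comment->guest_url = "http://url.com";
  $comment->save();

  // For a guest author the accessors read the guest_* columns, not a user record.
  $this->assert_equal("name", $comment->author_name());
  $this->assert_equal("*****@*****.**", $comment->author_email());
  $this->assert_equal("http://url.com", $comment->author_url());
  $this->assert_equal("text", $comment->text);
  $this->assert_equal(1, $comment->item_id);

  // Request metadata captured on save (presumably consumed by spam filtering).
  $server_fields = array(
    "server_http_accept" => "HTTP_ACCEPT",
    "server_http_accept_charset" => "HTTP_ACCEPT_CHARSET",
    "server_http_accept_encoding" => "HTTP_ACCEPT_ENCODING",
    "server_http_accept_language" => "HTTP_ACCEPT_LANGUAGE",
    "server_http_connection" => "HTTP_CONNECTION",
    "server_http_host" => "HTTP_HOST",
    "server_http_referer" => "HTTP_REFERER",
    "server_http_user_agent" => "HTTP_USER_AGENT",
    "server_query_string" => "QUERY_STRING",
    "server_remote_addr" => "REMOTE_ADDR",
    "server_remote_host" => "REMOTE_HOST",
    "server_remote_port" => "REMOTE_PORT");
  foreach ($server_fields as $column => $expected) {
    $this->assert_equal($expected, $comment->{$column});
  }

  $this->assert_true(!empty($comment->created));
}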
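/**
 * comment::create() for a guest author stores the supplied name/email/url in the guest_*
 * columns (exposed via author_*()) and fills in every server_* column from the request.
 *
 * The test environment evidently supplies each $_SERVER entry as its own key name
 * (REMOTE_ADDR => "REMOTE_ADDR", ...), which is what the server_* assertions check.
 * rand() only makes the fixture values unique between runs; it is not security-relevant.
 *
 * Fix: REMOTE_ADDR and HTTP_USER_AGENT were asserted twice; each server_* column is now
 * checked exactly once from a single table.
 */
public function create_comment_for_guest_test() {
  $rand = rand();
  $root = ORM::factory("item", 1);
  $comment = comment::create(
    $root, identity::guest(), "text_{$rand}", "name_{$rand}", "email_{$rand}", "url_{$rand}");

  // For a guest author the accessors read the guest_* columns, not a user record.
  $this->assert_equal("name_{$rand}", $comment->author_name());
  $this->assert_equal("email_{$rand}", $comment->author_email());
  $this->assert_equal("url_{$rand}", $comment->author_url());
  $this->assert_equal("text_{$rand}", $comment->text);
  $this->assert_equal(1, $comment->item_id);

  // Request metadata captured on save (presumably consumed by spam filtering).
  $server_fields = array(
    "server_http_accept" => "HTTP_ACCEPT",
    "server_http_accept_charset" => "HTTP_ACCEPT_CHARSET",
    "server_http_accept_encoding" => "HTTP_ACCEPT_ENCODING",
    "server_http_accept_language" => "HTTP_ACCEPT_LANGUAGE",
    "server_http_connection" => "HTTP_CONNECTION",
    "server_http_host" => "HTTP_HOST",
    "server_http_referer" => "HTTP_REFERER",
    "server_http_user_agent" => "HTTP_USER_AGENT",
    "server_query_string" => "QUERY_STRING",
    "server_remote_addr" => "REMOTE_ADDR",
    "server_remote_host" => "REMOTE_HOST",
    "server_remote_port" => "REMOTE_PORT");
  foreach ($server_fields as $column => $expected) {
    $this->assert_equal($expected, $comment->{$column});
  }

  $this->assert_true(!empty($comment->created));
}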
/**
 * Deleting an album must cascade to the comments attached to it: a comment created on
 * the album no longer loads once the album has been deleted.
 */
public function deleting_an_item_deletes_its_comments_too_test() {
  $suffix = rand();
  $root = ORM::factory("item", 1);
  $album = album::create($root, "test_{$suffix}", "test_{$suffix}");
  $comment = comment::create(
    $album, identity::guest(), "text_{$suffix}", "name_{$suffix}", "email_{$suffix}", "url_{$suffix}");
  $comment_id = $comment->id;

  $album->delete();

  // Re-fetch by id: ->loaded stays false when the row is gone.
  $after_delete = ORM::factory("comment", $comment_id);
  $this->assert_false($after_delete->loaded);
}
/**
 * Deleting an album must cascade to its comments: a guest comment saved on the album
 * no longer loads once the album is deleted.
 */
public function deleting_an_item_deletes_its_comments_too_test() {
  $album = test::random_album();

  $comment = ORM::factory("comment");
  $comment->item_id = $album->id;
  $comment->author_id = identity::guest()->id;
  $comment->guest_name = "test";
  $comment->text = "text";
  $comment->save();
  $comment_id = $comment->id;

  $album->delete();

  // Re-fetch by id: loaded() is false when the row is gone.
  $after_delete = ORM::factory("comment", $comment_id);
  $this->assert_false($after_delete->loaded());
}
/**
 * Item_Model::viewable() must honour "view" on the containing album: the guest sees the
 * item while everybody has view on the album, and stops seeing it once that grant is
 * revoked.
 */
public function viewable_test() {
  $root = ORM::factory("item", 1);
  $album = album::create($root, rand(), rand(), rand());
  $item = self::_create_random_item($album);
  // NOTE(review): access::allow/deny operate on the album's tree position; after adding a
  // child its pointers may be stale and a reload may be needed -- confirm.
  identity::set_active_user(identity::guest());

  // Granted on the album -> exactly one matching item is viewable
  access::allow(identity::everybody(), "view", $album);
  $visible = ORM::factory("item")->viewable()->where("id", "=", $item->id)->count_all();
  $this->assert_equal(1, $visible);

  // Denied on the album -> the item drops out of viewable()
  access::deny(identity::everybody(), "view", $album);
  $hidden = ORM::factory("item")->viewable()->where("id", "=", $item->id)->count_all();
  $this->assert_equal(0, $hidden);
}
/**
 * Item_Model::viewable() must honour "view" on the containing album: the guest sees the
 * photo while everybody has view on the album, and stops seeing it once that grant is
 * revoked.
 */
public function viewable_test() {
  $album = test::random_album();
  $item = test::random_photo($album);
  $album->reload();   // pick up the pointer changes caused by adding the photo
  identity::set_active_user(identity::guest());

  // Granted on the album -> exactly one matching item is viewable
  access::allow(identity::everybody(), "view", $album);
  $visible = ORM::factory("item")->viewable()->where("id", "=", $item->id)->count_all();
  $this->assert_equal(1, $visible);

  // Denied on the album -> the item drops out of viewable()
  access::deny(identity::everybody(), "view", $album);
  $hidden = ORM::factory("item")->viewable()->where("id", "=", $item->id)->count_all();
  $this->assert_equal(0, $hidden);
}
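/**
 * POSTing a tag through the REST API as the guest must be refused with 403 once "edit"
 * on the root item is denied to everybody.
 *
 * Fix: the original assigned $request->params->name without ever creating $request,
 * relying on PHP's implicit stdClass creation (a warning in PHP 5/7 and a fatal Error in
 * PHP 8 that the catch (Exception) below would not catch). The request object is now built
 * explicitly, outside the try so only tags_rest::post() is under test.
 */
public function post_fails_without_permissions_test() {
  access::deny(identity::everybody(), "edit", item::root());
  identity::set_active_user(identity::guest());

  $request = new stdClass();
  $request->params = new stdClass();
  $request->params->name = "test tag";

  try {
    tags_rest::post($request);
  } catch (Exception $e) {
    // Refusal is signalled by the exception code, not the message.
    $this->assert_equal(403, $e->getCode());
    return;
  }
  $this->assert_true(false, "Shouldnt get here");
}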
/**
 * Comment_Model::viewable() must be gated by "view" on the comment's item: the guest can
 * see a comment only while everybody has view on the album it belongs to.
 */
public function cant_view_comments_for_unviewable_items_test() {
  $root = ORM::factory("item", 1);
  $album = album::create($root, rand(), rand(), rand());
  $comment = comment::create($album, identity::guest(), "text", "name", "email", "url");
  identity::set_active_user(identity::guest());

  // Granted on the album -> exactly one matching comment is viewable
  access::allow(identity::everybody(), "view", $album);
  $visible = ORM::factory("comment")->viewable()
    ->where("comments.id", "=", $comment->id)->count_all();
  $this->assert_equal(1, $visible);

  // Denied on the album -> the comment drops out of viewable()
  access::deny(identity::everybody(), "view", $album);
  $hidden = ORM::factory("comment")->viewable()
    ->where("comments.id", "=", $comment->id)->count_all();
  $this->assert_equal(0, $hidden);
}
/**
 * Fixture for the Akismet helper tests: a fixed client IP and user agent, a guest comment
 * on the root item whose server_* columns are overwritten with predictable placeholders
 * (each column's own suffix, e.g. server_remote_addr => "remote_addr"), and a dummy API
 * key in the module configuration.
 */
public function setup() {
  Input::instance()->ip_address = "1.1.1.1";
  request::set_user_agent("Akismet_Helper_Test");

  $root = ORM::factory("item", 1);
  $this->_comment = comment::create(
    $root, identity::guest(), "This is a comment", "John Doe", "*****@*****.**", "http://gallery2.org");

  // Replace whatever comment::create() captured from the runner's environment so the
  // assertions do not depend on it.
  $prefix = "server_";
  foreach ($this->_comment->list_fields("comments") as $column => $definition) {
    if (strpos($column, $prefix) === 0) {
      $this->_comment->{$column} = substr($column, strlen($prefix));
    }
  }
  $this->_comment->save();

  module::set_var("akismet", "api_key", "TEST_KEY");
}
/**
 * Comment_Model::viewable() must be gated by "view" on the comment's item: a comment
 * authored by the admin is visible to the guest only while everybody has view on the
 * album it belongs to.
 */
public function cant_view_comments_for_unviewable_items_test() {
  $album = test::random_album();

  $comment = ORM::factory("comment");
  $comment->item_id = $album->id;
  $comment->author_id = identity::admin_user()->id;
  $comment->text = "text";
  $comment->save();

  identity::set_active_user(identity::guest());

  // Granted on the album -> a non-zero match count
  access::allow(identity::everybody(), "view", $album);
  $visible = ORM::factory("comment")->viewable()
    ->where("comments.id", "=", $comment->id)->count_all();
  $this->assert_true($visible);

  // Denied on the album -> zero matches
  access::deny(identity::everybody(), "view", $album);
  $hidden = ORM::factory("comment")->viewable()
    ->where("comments.id", "=", $comment->id)->count_all();
  $this->assert_false($hidden);
}
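/**
 * Bind the active identity for a REST request from its access token.
 *
 * @param string $access_token  token supplied by the client; untrusted
 * @throws Rest_Exception 403 when the token is unknown or its user no longer exists
 *
 * Fix: empty($access_token) also treats the literal string "0" as "no token supplied",
 * so such a request was quietly downgraded to guest instead of being rejected as an
 * unknown token. Only a genuinely absent token now takes the guest path; the other
 * empty() semantics are kept so callers passing null/false for "no token" are unaffected.
 */
static function set_active_user($access_token) {
  $no_token = empty($access_token) && $access_token !== "0";
  if ($no_token) {
    identity::set_active_user(identity::guest());
    return;
  }

  // Parameterised ORM lookup; the token is never interpolated into SQL. Note the raw token
  // is compared directly against the stored column, i.e. the table holds the key itself.
  $key = ORM::factory("user_access_token")
    ->where("access_key", "=", $access_token)
    ->find();
  if (!$key->loaded()) {
    // Same response as the orphaned-key case below so the client cannot tell them apart.
    throw new Rest_Exception("Forbidden", 403);
  }

  $user = identity::lookup_user($key->user_id);
  if (empty($user)) {
    throw new Rest_Exception("Forbidden", 403);
  }
  identity::set_active_user($user);
}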
/**
 * POSTing a tag through the REST API as the guest must be refused with 403 when no item
 * anywhere grants "edit".
 *
 * The edit bit is cleared straight in the access cache rather than via access::deny so
 * the denial covers every item at once (column edit_1 -- presumably the everybody
 * group's bit; confirm).
 */
public function post_fails_without_permissions_test() {
  // We have to remove edit permissions from everywhere
  Database::instance()->query("UPDATE {access_caches} SET edit_1=0");
  identity::set_active_user(identity::guest());

  $request = new stdClass();
  $request->params = new stdClass();
  $request->params->name = "test tag";

  try {
    tags_rest::post($request);
  } catch (Exception $refusal) {
    // Refusal is signalled by the exception code, not the message.
    $this->assert_equal(403, $refusal->getCode());
    return;
  }
  $this->assert_true(false, "Shouldnt get here");
}
/**
 * The data REST endpoint must not serve a thumbnail of a photo the guest cannot view.
 * The expected outcome is a 404, not a 403: the endpoint does not distinguish a forbidden
 * item from a missing one.
 */
public function illegal_access_test() {
  $album = test::random_album();
  $photo = test::random_photo($album);
  $album->reload();
  access::deny(identity::everybody(), "view", $album);
  identity::set_active_user(identity::guest());

  $request = new stdClass();
  $request->params = new stdClass();
  $request->url = rest::url("data", $photo, "thumb");
  $request->params->size = "thumb";

  try {
    data_rest::get($request);
    $this->assert_true(false);   // served data for an unviewable photo
  } catch (Kohana_404_Exception $expected) {
    // pass
  }
}
/**
 * Build and persist a guest comment on the root item whose server_* columns are then
 * overwritten with placeholders (each column's own suffix, e.g.
 * server_remote_addr => "remote_addr") so tests do not depend on the runner's request
 * environment.
 *
 * @return the value of the second $comment->save()
 */
private function _make_comment() {
  $comment = ORM::factory("comment");
  $comment->item_id = item::root()->id;
  $comment->author_id = identity::guest()->id;
  $comment->text = "This is a comment";
  $comment->guest_name = "John Doe";
  $comment->guest_email = "*****@*****.**";
  $comment->guest_url = "http://gallery2.org";
  $comment->save();

  // Set the server fields to a known placeholder. This happens after the first save,
  // which presumably is where the model captures them from the live request.
  $prefix = "server_";
  foreach ($comment->list_fields("comments") as $column => $definition) {
    if (strpos($column, $prefix) === 0) {
      $comment->{$column} = substr($column, strlen($prefix));
    }
  }
  return $comment->save();
}
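/**
 * Bind the active identity for a REST request from its access key.
 *
 * @param string $access_key  key supplied by the client; untrusted
 * @throws Rest_Exception 403 when no key is given and guest REST access is disabled, when
 *                        the key is unknown, or when the key's user no longer exists
 *
 * Fix: empty($access_key) also treats the literal string "0" as "no key supplied", so with
 * allow_guest_access on such a request was quietly downgraded to guest instead of being
 * rejected as an unknown key. Only a genuinely absent key now takes the guest/403 path;
 * the other empty() semantics are kept so callers passing null/false are unaffected.
 */
static function set_active_user($access_key) {
  $no_key = empty($access_key) && $access_key !== "0";
  if ($no_key) {
    if (!module::get_var("rest", "allow_guest_access")) {
      throw new Rest_Exception("Forbidden", 403);
    }
    identity::set_active_user(identity::guest());
    return;
  }

  // Parameterised ORM lookup; the key is never interpolated into SQL. Note the raw key is
  // compared directly against the stored column, i.e. the table holds the key itself.
  $key = ORM::factory("user_access_key")
    ->where("access_key", "=", $access_key)
    ->find();
  if (!$key->loaded()) {
    // Same response as the orphaned-key case below so the client cannot tell them apart.
    throw new Rest_Exception("Forbidden", 403);
  }

  $user = identity::lookup_user($key->user_id);
  if (empty($user)) {
    throw new Rest_Exception("Forbidden", 403);
  }
  identity::set_active_user($user);
}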
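/**
 * Resolve a "Display Name (username)" string back to a user.
 *
 * The username is taken from the last parenthesised group and the display name from
 * everything before it. Both must match the stored user (display name compared
 * case-insensitively) or the result is "not found", so a username alone with a wrong
 * display name does not resolve.
 *
 * @param string $user_string  text as typed/selected in the UI, e.g. "John Doe (jdoe)"; untrusted
 * @return stdClass  ->found (bool), ->isguest (bool), ->user (the user record, or "" when
 *                   not found or when the match is the guest pseudo-user)
 *
 * Fix: $result was never initialised before its properties were assigned, relying on PHP's
 * implicit stdClass creation (a warning in PHP 5/7, a fatal Error in PHP 8).
 */
public static function getuser($user_string) {
  $result = new stdClass();
  $result->found = false;
  $result->isguest = false;
  $result->user = "";

  $user_parts = explode("(", $user_string);
  $user_part = rtrim(ltrim(end($user_parts)), ")");
  $user_firstpart = trim(implode(array_slice($user_parts, 0, count($user_parts) - 1)));

  // Parameterised ORM lookup; $user_part is never interpolated into SQL.
  $user = ORM::factory("user")->where("name", "=", $user_part)->find();
  if (!$user->loaded() || strcasecmp($user_firstpart, $user->display_name()) != 0) {
    return $result;
  }

  $result->found = true;
  if (identity::guest()->id == $user->id) {
    // The guest pseudo-user is reported as found but never handed back as a user object.
    $result->isguest = true;
    return $result;
  }
  $result->user = $user;
  return $result;
}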
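/**
 * If the gallery is only available to registered users and the user is not logged in, present
 * the login page.
 *
 * A controller that must stay reachable on a private gallery opts in with a class constant
 * ALLOW_PRIVATE_GALLERY = true. Anything else is swapped for the login controller, or (in the
 * admin theme, which has no themed login page) redirected to the root item so this runs again
 * under the site theme.
 *
 * Fix: the original wrote `catch (ReflectionClass $e)`. ReflectionClass is not a Throwable, so
 * that clause could never match and a ReflectionException (controller class not found) escaped
 * this gate instead of being treated as "not allowed". Catch ReflectionException.
 */
static function private_gallery() {
  $guest_locked_out = identity::active_user()->guest &&
    !access::user_can(identity::guest(), "view", item::root()) &&
    php_sapi_name() != "cli";
  if (!$guest_locked_out) {
    return;
  }

  // Fail closed: only an explicit `const ALLOW_PRIVATE_GALLERY = true` exempts a controller.
  try {
    $class = new ReflectionClass(ucfirst(Router::$controller) . '_Controller');
    $allowed = $class->getConstant("ALLOW_PRIVATE_GALLERY") === true;
  } catch (ReflectionException $e) {
    $allowed = false;
  }
  if ($allowed) {
    return;
  }

  if (Router::$controller == "admin") {
    // At this point we're in the admin theme and it doesn't have a themed login page, so
    // we can't just swap in the login controller and have it work. So redirect back to the
    // root item where we'll run this code again with the site theme.
    url::redirect(item::root()->abs_url());
  } else {
    Session::instance()->set("continue_url", url::abs_current());
    Router::$controller = "login";
    Router::$controller_path = MODPATH . "gallery/controllers/login.php";
    Router::$method = "html";
  }
}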
/**
 * Import a single comment.
 *
 * Pops the next Gallery 2 comment id off $queue and recreates it on the mapped Gallery 3 item.
 * A comment that was already imported and still exists is skipped; one whose item was never
 * mapped is skipped silently. The row is built directly on the ORM rather than through
 * comment::create() so no spam-filter events fire for imported data, and it is stored as
 * "published". The text is html_entity_decode()d before storage; escaping on output is
 * presumably handled by the views -- confirm.
 *
 * @param array $queue  remaining G2 comment ids; the first is consumed
 * @return string|null  error text on failure, null when imported or skipped
 */
static function import_comment(&$queue) {
  $g2_comment_id = array_shift($queue);
  try {
    $g2_comment = g2(GalleryCoreApi::loadEntitiesById($g2_comment_id));
  } catch (Exception $e) {
    return t("Failed to load Gallery 2 comment with id: %id\\%exception",
             array("id" => $g2_comment_id, "exception" => (string) $e));
  }

  // Already imported and still present? Nothing to do. A mapped comment that has since been
  // deleted is imported again (ticket #1736).
  $mapped_id = self::map($g2_comment->getId());
  if ($mapped_id && ORM::factory("comment", $mapped_id)->loaded()) {
    return;
  }

  $item_id = self::map($g2_comment->getParentId());
  if (empty($item_id)) {
    return;   // Item was not mapped.
  }

  $text = html_entity_decode(
    implode("\n", array($g2_comment->getSubject(), $g2_comment->getComment())));

  // Just import the fields we know about. Do this outside of the comment API for now so that
  // we don't trigger spam filtering events
  $comment = ORM::factory("comment");
  $comment->author_id = self::map($g2_comment->getCommenterId());
  $comment->guest_name = "";
  if ($comment->author_id == identity::guest()->id) {
    // Anonymous G2 commenter: keep the name they gave, or a placeholder.
    $comment->guest_name = $g2_comment->getAuthor();
    if (!$comment->guest_name) {
      $comment->guest_name = (string) t("Anonymous coward");
    }
    $comment->guest_email = "*****@*****.**";
  }
  $comment->item_id = $item_id;
  $comment->text = self::_transform_bbcode($text);
  $comment->state = "published";
  $comment->server_http_host = $g2_comment->getHost();

  try {
    $comment->save();
  } catch (Exception $e) {
    return (string) new G2_Import_Exception(
      t("Failed to import comment with id: %id.", array("id" => $g2_comment_id)), $e);
  }
  self::set_map($g2_comment->getId(), $comment->id, "comment");

  // Backdate the creation date. We can't do this at creation time because
  // Comment_Model::save() will override it. Leave the updated date alone
  // so that if the comments get marked as spam, they don't immediately get
  // flushed (see ticket #1736)
  db::update("comments")
    ->set("created", $g2_comment->getDate())
    ->where("id", "=", $comment->id)
    ->execute();
}
/**
 * Same as ORM::as_array() but convert id fields into their RESTful form.
 *
 * Access checks guard the URL fields: file_url/file_size require "view_full" for the active
 * user, and every *_url_public variant is emitted only when the guest user may view the item,
 * so unauthenticated direct file links are never handed out for non-public items. A few
 * internal bookkeeping columns are stripped at the end.
 *
 * @param array $fields  if specified, only return the named fields
 * @return array
 */
public function as_restful_array($fields = array()) {
  if ($fields) {
    $data = array();
    foreach ($fields as $name) {
      if (isset($this->object[$name])) {
        $data[$name] = $this->__get($name);
      }
    }
    $fields = array_flip($fields);   // name => index, so membership becomes an isset()
  } else {
    $data = $this->as_array();
  }
  // No filter means "everything"; otherwise only the requested names are added below.
  $all = empty($fields);

  // Convert item ids to rest URLs for consistency
  if ($all || isset($fields["parent"])) {
    $parent = $this->parent();
    if ($parent) {
      $data["parent"] = rest::url("item", $parent);
    }
    unset($data["parent_id"]);
  }
  if ($all || isset($fields["album_cover"])) {
    $cover = $this->album_cover();
    if ($cover) {
      $data["album_cover"] = rest::url("item", $cover);
    }
    unset($data["album_cover_item_id"]);
  }
  if ($all || isset($fields["web_url"])) {
    $data["web_url"] = $this->abs_url();
  }

  if (!$this->is_album()) {
    // Full-size data is disclosed only to a caller holding "view_full".
    if (access::can("view_full", $this)) {
      if ($all || isset($fields["file_url"])) {
        $data["file_url"] = rest::url("data", $this, "full");
      }
      if ($all || isset($fields["file_size"])) {
        $data["file_size"] = filesize($this->file_path());
      }
      if (access::user_can(identity::guest(), "view_full", $this) &&
          ($all || isset($fields["file_url_public"]))) {
        $data["file_url_public"] = $this->file_url(true);
      }
    }
  }

  if ($this->is_photo()) {
    if ($all || isset($fields["resize_url"])) {
      $data["resize_url"] = rest::url("data", $this, "resize");
    }
    if ($all || isset($fields["resize_size"])) {
      $data["resize_size"] = filesize($this->resize_path());
    }
    if (access::user_can(identity::guest(), "view", $this) &&
        ($all || isset($fields["resize_url_public"]))) {
      $data["resize_url_public"] = $this->resize_url(true);
    }
  }

  if ($this->has_thumb()) {
    if ($all || isset($fields["thumb_url"])) {
      $data["thumb_url"] = rest::url("data", $this, "thumb");
    }
    if ($all || isset($fields["thumb_size"])) {
      $data["thumb_size"] = filesize($this->thumb_path());
    }
    if (access::user_can(identity::guest(), "view", $this) &&
        ($all || isset($fields["thumb_url_public"]))) {
      $data["thumb_url_public"] = $this->thumb_url(true);
    }
  }

  if ($all || isset($fields["can_edit"])) {
    $data["can_edit"] = access::can("edit", $this);
  }

  // Elide some internal-only data that is going to cause confusion in the client.
  $internal_only = array("relative_path_cache", "relative_url_cache", "left_ptr", "right_ptr",
                         "thumb_dirty", "resize_dirty", "weight");
  foreach ($internal_only as $column) {
    unset($data[$column]);
  }
  return $data;
}
/**
 * Import a single comment.
 *
 * Pops the next Gallery 2 comment id off $queue and recreates it on the mapped Gallery 3 item.
 * A comment whose item was never mapped is skipped silently. The row is built directly on the
 * ORM rather than through comment::create() so no spam-filter events fire for imported data,
 * and it is stored as "published" with the original G2 creation date.
 *
 * @param array $queue  remaining G2 comment ids; the first is consumed
 * @return string|null  error text on failure, null when imported or skipped
 */
static function import_comment(&$queue) {
  $g2_comment_id = array_shift($queue);
  try {
    $g2_comment = g2(GalleryCoreApi::loadEntitiesById($g2_comment_id));
  } catch (Exception $e) {
    return t("Failed to load Gallery 2 comment with id: %id\\%exception",
             array("id" => $g2_comment_id, "exception" => (string) $e));
  }

  $item_id = self::map($g2_comment->getParentId());
  if (empty($item_id)) {
    return;   // Item was not mapped.
  }

  // Subject and body, separated by a single space only when there is a subject.
  $subject = $g2_comment->getSubject();
  $text = $subject . ($subject ? " " : "") . $g2_comment->getComment();

  // Just import the fields we know about. Do this outside of the comment API for now so that
  // we don't trigger spam filtering events
  $comment = ORM::factory("comment");
  $comment->author_id = self::map($g2_comment->getCommenterId());
  $comment->guest_name = "";
  if ($comment->author_id == identity::guest()->id) {
    // Anonymous G2 commenter: keep the name they gave, or a placeholder.
    $comment->guest_name = $g2_comment->getAuthor();
    if (!$comment->guest_name) {
      $comment->guest_name = (string) t("Anonymous coward");
    }
  }
  $comment->item_id = $item_id;
  $comment->text = self::_transform_bbcode($text);
  $comment->state = "published";
  $comment->server_http_host = $g2_comment->getHost();
  $comment->created = $g2_comment->getDate();

  try {
    $comment->save();
  } catch (Exception $e) {
    return (string) new G2_Import_Exception(
      t("Failed to import comment with id: %id.", array("id" => $g2_comment_id)), $e);
  }
}
/**
 * "view" is inherited: the guest can see a photo while its album is viewable, and loses
 * access when view is denied on the album.
 */
public function view_permissions_propagate_down_to_photos_test() {
  $album = test::random_album();
  $photo = test::random_photo($album);
  identity::set_active_user(identity::guest());

  $this->assert_true(access::can("view", $photo));

  // MPTT pointers have changed, so reload before calling access::deny
  $album->reload();
  access::deny(identity::everybody(), "view", $album);

  // view permissions are cached in the photo, so reload before checking
  $photo->reload();
  $this->assert_false(access::can("view", $photo));
}
/**
 * Make sure that the email address is legal.
 *
 * Validation callback. Only guest comments carry an address in guest_email, so the rule
 * is applied when author_id is the guest user: the field must be present and pass
 * valid::email(). Errors are recorded on "guest_email" as "required" or "invalid".
 */
public function valid_email(Validation $v, $field) {
  if ($this->author_id != identity::guest()->id) {
    return;   // not a guest comment; nothing to validate here
  }
  if (empty($v->guest_email)) {
    $v->add_error("guest_email", "required");
  } elseif (!valid::email($v->guest_email)) {
    $v->add_error("guest_email", "invalid");
  }
}
/**
 * Run every test in this case as the guest (anonymous) user.
 */
public function setup() {
  $guest = identity::guest();
  identity::set_active_user($guest);
}
/**
 * Identity-provider switch: author ids from the old provider no longer mean anything, so
 * every comment is re-attributed to the guest user and its guest contact columns are
 * reset (name "guest", email and url cleared).
 */
static function identity_provider_changed($old_provider, $new_provider) {
  $guest_attribution = array(
    "author_id" => identity::guest()->id,
    "guest_email" => null,
    "guest_name" => "guest",
    "guest_url" => null);
  // Unconditional WHERE: this intentionally touches every row in comments.
  Database::instance()
    ->from("comments")
    ->set($guest_attribution)
    ->where("1 = 1")
    ->update();
}
/**
 * Populate the user menu: a Login dialog link for the guest, otherwise a profile link and
 * a Logout link.
 *
 * The logout URL carries the CSRF token, and its continue_url is chosen so the browser is
 * not sent back to a page the (then anonymous) visitor cannot see: the current item only
 * if the guest user may view it, the root item otherwise, and the site root from the
 * admin area.
 */
static function user_menu($menu, $theme) {
  if ($theme->page_subtype == "login") {
    return;   // the login page itself gets no user menu entries
  }
  $user = identity::active_user();

  if ($user->guest) {
    $menu->append(Menu::factory("dialog")
                  ->id("user_menu_login")
                  ->css_id("g-login-link")
                  ->url(url::site("login/ajax"))
                  ->label(t("Login")));
    return;
  }

  $csrf = access::csrf_token();
  $menu->append(Menu::factory("link")
                ->id("user_menu_edit_profile")
                ->css_id("g-user-profile-link")
                ->view("login_current_user.html")
                ->url(user_profile::url($user->id))
                ->label($user->display_name()));

  if (Router::$controller == "admin") {
    $continue_url = url::abs_site("");
  } else if ($item = $theme->item()) {
    // NOTE(review): the permission check reads $theme->item while the URL comes from
    // $item = $theme->item(); presumably the same object -- confirm.
    $continue_url = access::user_can(identity::guest(), "view", $theme->item)
      ? $item->abs_url()
      : item::root()->abs_url();
  } else {
    $continue_url = url::abs_current();
  }

  $logout_url = url::site("logout?csrf={$csrf}&continue_url=" . urlencode($continue_url));
  $menu->append(Menu::factory("link")
                ->id("user_menu_logout")
                ->css_id("g-logout-link")
                ->url($logout_url)
                ->label(t("Logout")));
}
/**
 * as_restful_array() reports can_edit for the active user: true for the user active at
 * test start, false once the active user is switched to the guest.
 */
public function as_restful_array_with_edit_bit_test() {
  $root = item::root();

  $as_initial_user = $root->as_restful_array();
  $this->assert_true($as_initial_user["can_edit"]);

  identity::set_active_user(identity::guest());
  $as_guest = item::root()->as_restful_array();
  $this->assert_false($as_guest["can_edit"]);
}
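/**
 * DELETE on an item via the REST API must be refused when the active user lacks "edit" on it.
 *
 * Fix: $request->url was assigned without $request ever being created, relying on PHP's
 * implicit stdClass creation (a warning in PHP 5/7, a fatal Error in PHP 8 that the
 * catch (Exception) below would not catch). The request object is now built explicitly.
 */
public function delete_album_fails_without_permission_test() {
  $album1 = test::random_album();
  access::deny(identity::everybody(), "edit", $album1);
  identity::set_active_user(identity::guest());

  $request = new stdClass();
  $request->url = rest::url("item", $album1);

  try {
    item_rest::delete($request);
  } catch (Exception $e) {
    // The REST layer currently signals the refusal with this placeholder message.
    $this->assert_equal("@todo FORBIDDEN", $e->getMessage());
    return;
  }
  $this->assert_true(false, "Shouldn't get here");
}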
/**
 * Identity-provider switch: author ids from the old provider no longer mean anything, so
 * every comment is re-attributed to the guest user and its guest contact columns are
 * reset (name "guest", email and url cleared).
 */
static function identity_provider_changed($old_provider, $new_provider) {
  $guest_id = identity::guest()->id;
  // No WHERE clause: this intentionally touches every row in comments.
  $reattribute = db::build()->update("comments");
  $reattribute->set("author_id", $guest_id);
  $reattribute->set("guest_email", null);
  $reattribute->set("guest_name", "guest");
  $reattribute->set("guest_url", null);
  $reattribute->execute();
}
/**
 * Return the active user. If there's no active user, return the guest user.
 *
 * The identity is whatever the session stores under "user"; an absent value means an
 * anonymous request and the guest pseudo-user is returned instead.
 *
 * @return User_Definition
 */
static function active_user() {
  // @todo (maybe) cache this object so we're not always doing session lookups.
  $session_user = Session::instance()->get("user", null);
  if ($session_user === null) {
    // Resolve the guest lazily rather than passing identity::guest() as the Session::get()
    // default, which would do that work on every call.
    return identity::guest();
  }
  return $session_user;
}
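/**
 * Import a single user.
 *
 * Pops the next Gallery 2 user id off $queue and creates (or reuses) the matching Gallery 3
 * user. The G2 anonymous user maps to the guest pseudo-user. Membership in the G2 admin group
 * becomes the G3 admin flag; every other G2 group must already be mapped. The G2 password hash,
 * email and language are copied as-is.
 *
 * @param array $queue  remaining G2 user ids; the first is consumed
 * @return string       human-readable progress or error message
 *
 * Fix: the catch around create_user assumes a duplicate-user failure and then dereferenced the
 * result of lookup_user_by_name without checking it; if the create failed for any other reason
 * (or the lookup found nothing) that was a property write on null. Report the original failure
 * instead.
 */
static function import_user(&$queue) {
  $g2_user_id = array_shift($queue);
  if (self::map($g2_user_id)) {
    return t("User with id: %id already imported, skipping", array("id" => $g2_user_id));
  }
  if (g2(GalleryCoreApi::isAnonymousUser($g2_user_id))) {
    self::set_map($g2_user_id, identity::guest()->id);
    return t("Skipping anonymous user");
  }

  $g2_admin_group_id = g2(GalleryCoreApi::getPluginParameter("module", "core", "id.adminGroup"));
  try {
    $g2_user = g2(GalleryCoreApi::loadEntitiesById($g2_user_id));
  } catch (Exception $e) {
    return t("Failed to import Gallery 2 user with id: %id\n%exception",
             array("id" => $g2_user_id, "exception" => $e->__toString()));
  }
  $g2_groups = g2(GalleryCoreApi::fetchGroupsForUser($g2_user->getId()));

  try {
    // NOTE(review): create_user presumably persists the row immediately, so until save()
    // below the user exists with an empty password -- confirm that window is acceptable.
    $user = identity::create_user($g2_user->getUsername(), $g2_user->getfullname(), "");
    $message = t("Created user: '******'.", array("name" => $user->name));
  } catch (Exception $e) {
    // @todo For now we assume this is a "duplicate user" exception
    $user = identity::lookup_user_by_name($g2_user->getUsername());
    if (empty($user)) {
      // Not a duplicate after all: surface the create failure rather than writing to null.
      return t("Failed to import Gallery 2 user with id: %id\n%exception",
               array("id" => $g2_user_id, "exception" => $e->__toString()));
    }
    $message = t("Loaded existing user: '******'.", array("name" => $user->name));
  }

  // Credentials and profile come from G2 verbatim; the hash must be in a format the G3
  // identity provider can verify -- not checked here.
  $user->hashed_password = $g2_user->getHashedPassword();
  $user->email = $g2_user->getEmail();
  $user->locale = $g2_user->getLanguage();

  foreach ($g2_groups as $g2_group_id => $g2_group_name) {
    if ($g2_group_id == $g2_admin_group_id) {
      // G2 site administrators become G3 administrators.
      $user->admin = true;
      $message .= t("\n\tAdded 'admin' flag to user");
    } else {
      $group = identity::lookup_group(self::map($g2_group_id));
      $user->add($group);
      $message .= t("\n\tAdded user to group '%group'.", array("group" => $group->name));
    }
  }
  $user->save();
  self::set_map($g2_user->getId(), $user->id);
  return $message;
}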