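/**
 * Fetch the files touched by one Subversion commit of a project, hiding the
 * directories the current user is not allowed to read.
 *
 * The commit is selected either by its Subversion revision number ($rev_id,
 * which takes precedence when non-zero, so that URLs can be built from the
 * revision number) or by the internal svn_commits.id ($commit_id).
 *
 * @param int    $group_id  Project id (svn_commits.group_id)
 * @param int    $commit_id Internal commit id, used only when $rev_id is 0
 * @param int    $rev_id    Subversion revision number; 0 means "use $commit_id"
 * @param string $order     Either the literal 'filename' (ORDER BY dir, file)
 *                          or a column list placed after ORDER BY. Because it
 *                          is concatenated into the statement it cannot be
 *                          escaped; it is therefore only used when it is made
 *                          of bare column names with optional ASC/DESC, and
 *                          silently dropped otherwise.
 *
 * @return resource|false Result of db_query()
 */
function svn_data_get_revision_detail($group_id, $commit_id, $rev_id = 0, $order = '')
{
    $order_str = "";
    if ($order) {
        if ($order == 'filename') {
            $order_str = " ORDER BY dir, file";
        } elseif (preg_match('/^\s*[A-Za-z_][A-Za-z0-9_.]*(?:\s+(?:ASC|DESC))?(?:\s*,\s*[A-Za-z_][A-Za-z0-9_.]*(?:\s+(?:ASC|DESC))?)*\s*$/i', $order)) {
            // Identifier list only: this is the only shape a caller can
            // legitimately pass, and it cannot carry SQL of its own.
            $order_str = " ORDER BY " . $order;
        }
        // Anything else would be injected verbatim: ignore it instead.
    }

    // Directories the current user must not see. Each key is a path whose
    // first character is stripped before it is used as a LIKE pattern.
    $pm        = ProjectManager::instance();
    $project   = $pm->getProject($group_id);
    $forbidden = svn_utils_get_forbidden_paths(user_getname(), $project->getSVNRootPath());

    $where_forbidden = "";
    if (!empty($forbidden)) {
        // foreach instead of each(): each() was removed in PHP 8.
        foreach ($forbidden as $no_access => $unused) {
            $where_forbidden .= " AND svn_dirs.dir not like '%" . db_es(substr($no_access, 1)) . "%' ";
        }
    }

    // The Subversion revision number, when given, wins over the internal id.
    if ($rev_id) {
        $commit_filter = "AND svn_commits.revision=" . db_ei($rev_id) . " "
            . "AND svn_commits.group_id=" . db_ei($group_id) . " ";
    } else {
        $commit_filter = "AND svn_commits.id=" . db_ei($commit_id) . " ";
    }

    $sql = "SELECT svn_commits.description, svn_commits.date, svn_commits.revision, svn_checkins.type,svn_checkins.commitid,svn_dirs.dir,svn_files.file "
        . "FROM svn_dirs, svn_files, svn_checkins, svn_commits "
        . "WHERE svn_checkins.fileid=svn_files.id "
        . "AND svn_checkins.dirid=svn_dirs.id "
        . "AND svn_checkins.commitid=svn_commits.id "
        . $commit_filter
        . $where_forbidden
        . $order_str;

    return db_query($sql);
}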
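/**
 * Page through the commits of a project, hiding the commits that only touch
 * directories the current user is not allowed to read.
 *
 * Reads the global $_path (directory filter) and clears it when it points
 * exactly at a forbidden path.
 *
 * @param Project $project   Project whose svn_commits rows are listed
 * @param int     $offset    First row of the page (LIMIT offset)
 * @param int     $chunksz   Page size (LIMIT count)
 * @param string  $_rev_id   Optional exact Subversion revision number
 * @param string  $_commiter Optional committer user name; '' / 0 / 100 are
 *                           treated as "no committer selected"
 * @param string  $_srch     Optional substring searched in the description
 *                           (passed through htmlspecialchars() before matching)
 * @param string  $order_by  Optional full " ORDER BY ..." clause. It cannot be
 *                           escaped, so it is only used when it consists of
 *                           bare column names with optional ASC/DESC; anything
 *                           else falls back to "ORDER BY revision DESC".
 * @param int     $pv        Non-zero disables paging (no LIMIT clause)
 * @param bool    $foundRows Whether to also compute the unpaged row count
 *
 * @return array db_query() result and the total number of matching rows
 *               (-1 when $foundRows is false or the count could not be read)
 */
function svn_get_revisions(Project $project, $offset, $chunksz, $_rev_id = '', $_commiter = '', $_srch = '', $order_by = '', $pv = 0, $foundRows = true)
{
    global $_path;

    $um = UserManager::instance();

    // Directories the current user must not see. Each key is a path whose
    // first character is stripped before it is used as a LIKE prefix.
    $forbidden = svn_utils_get_forbidden_paths($um->getCurrentUser()->getName(), $project->getSVNRootPath());

    $select = 'SELECT';
    if ($foundRows) {
        $select .= ' SQL_CALC_FOUND_ROWS';
    }
    $select .= ' svn_commits.revision as revision, svn_commits.id as commit_id, svn_commits.description as description, svn_commits.date as date, svn_commits.whoid';

    $from     = " FROM svn_commits";
    $where    = " WHERE svn_commits.group_id=" . db_ei($project->getGroupId());
    $group_by = '';

    // The join on svn_checkins/svn_dirs is only needed when filtering on
    // directories (forbidden paths and/or $_path); it is added at most once.
    $dirs_join = " INNER JOIN svn_checkins ON (svn_checkins.commitid = svn_commits.id)"
        . " INNER JOIN svn_dirs ON (svn_dirs.id = svn_checkins.dirid)";
    $dirs_joined = false;

    if (!empty($forbidden)) {
        $from       .= $dirs_join;
        $dirs_joined = true;
        foreach ($forbidden as $no_access => $unused) {
            // A directory filter aimed exactly at a forbidden path is dropped
            // (this also clears the global for the caller).
            if ($no_access == $_path) {
                $_path = '';
            }
            $where .= " AND svn_dirs.dir not like '" . db_es(substr($no_access, 1)) . "%'";
        }
        $group_by .= ' GROUP BY revision';
    }

    $path_str = "";
    if ($_path != '') {
        $path_str = " AND svn_dirs.dir like '%" . db_es($_path) . "%'";
        if (!$dirs_joined) {
            $from     .= $dirs_join;
            $group_by .= ' GROUP BY revision';
        }
    }

    // Exact revision number, if one was selected.
    $commit_str = '';
    if (isset($_rev_id) && $_rev_id != '') {
        $commit_str = " AND svn_commits.revision='" . db_ei($_rev_id) . "' ";
    }

    // Committer filter; 100 is treated the same as "no committer selected".
    $commiter_str = '';
    if (isset($_commiter) && $_commiter && $_commiter != 100) {
        $commiter = $um->getUserByUserName($_commiter);
        if (!$commiter) {
            // Unknown user name: nothing can have been committed by it, so
            // return an empty page instead of calling getId() on null.
            $commiter_str = " AND 0 ";
        } else {
            $commiter_str = " AND svn_commits.whoid='" . db_ei($commiter->getId()) . "' ";
        }
    }

    // Free-text search in the commit description.
    $srch_str = "";
    if (isset($_srch) && $_srch != '') {
        $srch_str = " AND svn_commits.description like '%" . db_es(htmlspecialchars($_srch)) . "%'";
    }

    $where .= $commiter_str . $commit_str . $srch_str . $path_str;

    // No LIMIT when $pv is set; $limit is always defined so the concatenation
    // below never reads an undefined variable.
    $limit = '';
    if (!isset($pv) || !$pv) {
        $limit = " LIMIT " . db_ei($offset) . "," . db_ei($chunksz);
    }

    // $order_by is an identifier list, not a value, so db_es() cannot protect
    // it. Only accept bare column names with optional ASC/DESC; anything else
    // (including '') uses the default ordering instead of reaching the SQL.
    $safe_order_by = '/^\s*ORDER\s+BY\s+[A-Za-z_][A-Za-z0-9_.]*(?:\s+(?:ASC|DESC))?(?:\s*,\s*[A-Za-z_][A-Za-z0-9_.]*(?:\s+(?:ASC|DESC))?)*\s*$/i';
    if (!isset($order_by) || $order_by == '' || !preg_match($safe_order_by, $order_by)) {
        $order_by = " ORDER BY revision DESC ";
    }

    $sql    = $select . $from . $where . $group_by . $order_by . $limit;
    $result = db_query($sql);

    // Unpaged row count. FOUND_ROWS() is connection-scoped, so it must be
    // read right after the query above on the same connection.
    $totalrows = -1;
    if ($foundRows) {
        $result1 = db_query('SELECT FOUND_ROWS() as nb');
        if ($result1 && !db_error($result1)) {
            $row1      = db_fetch_array($result1);
            $totalrows = $row1['nb'];
        }
    }

    return array($result, $totalrows);
}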
/**
 * Build the SQL fragment that hides the Subversion directories the given
 * user is not allowed to read.
 *
 * Every forbidden path (a key of svn_utils_get_forbidden_paths()) becomes an
 * " AND svn_dirs.dir not like '<path>%'" condition; the first character of
 * the path is dropped before it is escaped with db_es().
 *
 * @param PFUser $user User whose access rights are checked
 *
 * @return string Conditions to append to a WHERE clause, '' when nothing is
 *                forbidden
 */
protected function getForbiddenPaths(PFUser $user)
{
    $forbidden_paths = svn_utils_get_forbidden_paths($user->getName(), $this->project->getSVNRootPath());

    $conditions = array();
    foreach ($forbidden_paths as $path => $unused) {
        $conditions[] = " AND svn_dirs.dir not like '" . db_es(substr($path, 1)) . "%'";
    }

    return implode('', $conditions);
}