/**
 * Run the upgrade: the gallery and user modules first, then every other active
 * module whose code version differs from the installed version.
 *
 * From the CLI no authentication happens (HTTP_HOST is faked for the url helpers);
 * over HTTP the caller must be an admin or carry the "can_upgrade" session flag.
 * NOTE(review): this path performs no access::verify_csrf() before the state-changing
 * work, unlike the later upgrader in this listing — confirm that is intended.
 */
public function upgrade() {
  $is_cli = (php_sapi_name() == "cli");
  if ($is_cli) {
    // @todo this may screw up some module installers, but we don't have a better answer at
    // this time.
    $_SERVER["HTTP_HOST"] = "example.com";
  } else {
    $may_upgrade = user::active()->admin || Session::instance()->get("can_upgrade", false);
    if (!$may_upgrade) {
      access::forbidden();
    }
  }

  // Upgrade gallery and user first
  module::install("gallery");
  module::install("user");

  // Then upgrade the rest (gallery is skipped; user is re-checked like any other module)
  foreach (module::available() as $module_id => $module_info) {
    if ($module_id == "gallery") {
      continue;
    }
    $needs_upgrade = $module_info->active && $module_info->code_version != $module_info->version;
    if ($needs_upgrade) {
      module::install($module_id);
    }
  }

  if ($is_cli) {
    print "Upgrade complete\n";
  } else {
    url::redirect("upgrader?done=1");
  }
}
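/**
 * Delete a user from the admin users page.
 *
 * Requires a valid CSRF token. Deleting the active user or the guest account is refused
 * with 403; an unknown id is a 404. On a failed form validation the error JSON is sent
 * and the method returns — previously the else branch fell through, so the method also
 * logged "Deleted user" with an undefined $name and printed a success reply.
 *
 * @param int $id id of the user to delete
 */
public function delete_user($id) {
  access::verify_csrf();

  // Never let an admin delete themselves or the built-in guest account.
  if ($id == user::active()->id || $id == user::guest()->id) {
    access::forbidden();
  }

  $user = ORM::factory("user", $id);
  if (!$user->loaded) {
    kohana::show_404();
  }

  $form = user::get_delete_form_admin($user);
  if (!$form->validate()) {
    print json_encode(array("result" => "error", "form" => $form->__toString()));
    return;
  }

  // Capture the name before the row is gone; it is only needed for the log message.
  $name = $user->name;
  $user->delete();

  $message = t("Deleted user %user_name", array("user_name" => p::clean($name)));
  log::success("user", $message);
  message::success($message);
  print json_encode(array("result" => "success"));
}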
/**
 * Verify that the active user has $perm_name on $item, or abort the request.
 *
 * When the permission is missing, a "view" failure is reported as a 404 so the
 * existence of the item is not disclosed; any other permission failure is a 403.
 * When the permission is granted and the albumpassword "hideonly" setting is off,
 * a password-protected item is additionally hidden (404) from users who have not
 * supplied the matching "g3_albumpassword" cookie, unless they own the item or are
 * an admin.
 *
 * @param string $perm_name permission name, e.g. "view" or "edit"
 * @param object $item      the item being accessed (has id and owner_id)
 * @throws Kohana_404_Exception when the item must be treated as non-existent
 */
static function required($perm_name, $item) {
  // Original code from the required function in modules/gallery/helpers/access.php.
  if (!access::can($perm_name, $item)) {
    if ($perm_name == "view") {
      // Treat as if the item didn't exist, don't leak any information.
      throw new Kohana_404_Exception();
    } else {
      access::forbidden();
    }
    // Begin rWatcher modifications.
    // Throw a 404 error when a user attempts to access a protected item,
    // unless the password has been provided, or the user is the item's owner.
  } elseif (module::get_var("albumpassword", "hideonly") == false) {
    // Cache rows linking this item to a password; the first row in cache_id order is used.
    $item_protected = ORM::factory("albumpassword_idcache")
      ->where("item_id", "=", $item->id)
      ->order_by("cache_id")
      ->find_all();
    if (count($item_protected) > 0) {
      $existing_password = ORM::factory("items_albumpassword")
        ->where("id", "=", $item_protected[0]->password_id)
        ->find();
      if ($existing_password->loaded()) {
        // NOTE(review): the cookie value is compared to the stored password with a loose
        // "!=" on the raw values — confirm this is the intended comparison.
        if (cookie::get("g3_albumpassword") != $existing_password->password
            && identity::active_user()->id != $item->owner_id
            && !identity::active_user()->admin) {
          throw new Kohana_404_Exception();
        }
      }
    }
  }
}
/**
 * Handle the re-authentication form for an admin.
 *
 * Non-admins get a 403 and a CSRF token is required. On success a "user_auth" event
 * fires and the browser is sent to the session's "continue_url" (a success message is
 * added for non-AJAX requests). On failure the attempt is logged, "user_auth_failed"
 * fires, and the form is re-rendered: as JSON for AJAX, as a page otherwise.
 */
public function auth() {
  if (!identity::active_user()->admin) {
    access::forbidden();
  }
  access::verify_csrf();

  $form = self::_form();
  $is_valid = $form->validate();
  $user = identity::active_user();
  $is_ajax = request::is_ajax();

  if ($is_valid) {
    module::event("user_auth", $user);
    if (!$is_ajax) {
      message::success(t("Successfully re-authenticated!"));
    }
    url::redirect(Session::instance()->get_once("continue_url"));
    return;
  }

  $user_name = $user->name;
  log::warning("user", t("Failed re-authentication for %name", array("name" => $user_name)));
  module::event("user_auth_failed", $user_name);

  if (!$is_ajax) {
    self::_show_form($form);
    return;
  }
  $view = new View("reauthenticate.html");
  $view->form = $form;
  $view->user_name = identity::active_user()->name;
  json::reply(array("html" => (string) $view));
}
/**
 * Print the edit form for $user.
 *
 * The guest account is never editable, and a user may only edit their own record.
 *
 * @param object $user the user whose form is shown
 */
public function _form_edit($user) {
  if ($user->guest) {
    access::forbidden();
  }
  if ($user->id != user::active()->id) {
    access::forbidden();
  }
  print user::get_edit_form($user);
}
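/**
 * Upgrade the gallery module, then every active module whose code version differs
 * from its installed version, collecting failures instead of aborting.
 *
 * CLI runs are unauthenticated (HTTP_HOST is faked for the url helpers). Over HTTP the
 * caller must be an admin or carry the "can_upgrade" session flag and present a valid
 * CSRF token; a bad token sends the browser back to the upgrader page.
 *
 * Fix: implode() was called with the legacy (array, glue) argument order, which PHP 8
 * no longer accepts; the CLI failure report now uses implode(glue, array).
 */
public function upgrade() {
  $is_cli = (php_sapi_name() == "cli");
  if ($is_cli) {
    // @todo this may screw up some module installers, but we don't have a better answer at
    // this time.
    $_SERVER["HTTP_HOST"] = "example.com";
  } else {
    if (!identity::active_user()->admin && !Session::instance()->get("can_upgrade", false)) {
      access::forbidden();
    }
    try {
      access::verify_csrf();
    } catch (Exception $e) {
      url::redirect("upgrader");
    }
  }

  $available = module::available();

  // Upgrade gallery first
  $gallery = $available["gallery"];
  if ($gallery->code_version != $gallery->version) {
    module::upgrade("gallery");
    module::activate("gallery");
  }

  // Then upgrade the rest
  $failed = array();
  foreach (module::available() as $id => $module) {
    if ($id == "gallery") {
      continue;
    }
    if ($module->active && $module->code_version != $module->version) {
      try {
        module::upgrade($id);
      } catch (Exception $e) {
        // @todo assume it's MODULE_FAILED_TO_UPGRADE for now
        $failed[] = $id;
      }
    }
  }

  // If the upgrade failed, this will get recreated
  site_status::clear("upgrade_now");
  // Clear any upgrade check strings, we are probably up to date.
  site_status::clear("upgrade_checker");

  if ($is_cli) {
    if ($failed) {
      print "Upgrade completed ** WITH FAILURES **\n";
      print "The following modules were not successfully upgraded:\n";
      // implode(glue, pieces) — the reversed legacy order was removed in PHP 8.
      print " " . implode("\n ", $failed) . "\n";
      print "Try getting newer versions or deactivating those modules\n";
    } else {
      print "Upgrade complete\n";
    }
  } else {
    if ($failed) {
      url::redirect("upgrader?failed=" . join(",", $failed));
    } else {
      url::redirect("upgrader");
    }
  }
}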
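/**
 * Print the edit form for the user with id $id.
 *
 * The guest account is never editable and a user may only edit their own record.
 * An id that does not resolve to a user is a 404 — previously a null lookup result
 * reached "$user->guest" and produced a fatal error instead of a clean response.
 *
 * @param int $id id of the user to edit
 */
public function form_edit($id) {
  $user = user::lookup($id);
  if (empty($user)) {
    kohana::show_404();
  }
  if ($user->guest || $user->id != user::active()->id) {
    access::forbidden();
  }
  print $this->_get_edit_form($user);
}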
/**
 * Print the form for album $id.
 *
 * Requires edit permission on the item; items that are not albums are refused.
 *
 * @param int $id item id
 */
function form($id) {
  $album = ORM::factory("item", $id);
  access::required("edit", $album);
  if ("album" != $album->type) {
    access::forbidden();
  }
  print $this->_get_form($album);
}
/**
 * Present a form for adding a new comment to this item or editing an existing comment.
 *
 * The active user needs view permission on the item and must be allowed to comment.
 *
 * @param int $item_id item the comment is attached to
 */
public function form_add($item_id) {
  $target = ORM::factory("item", $item_id);
  access::required("view", $target);
  if (!comment::can_comment()) {
    access::forbidden();
  }
  $add_form = comment::get_add_form($target);
  print comment::prefill_add_form($add_form);
}
/**
 * REST delete for a comment: admins only, and the admin must also hold edit
 * permission on the item the comment belongs to.
 *
 * @param object $request REST request whose url resolves to the comment
 */
static function delete($request) {
  if (!identity::active_user()->admin) {
    access::forbidden();
  }
  $target_comment = rest::resolve($request->url);
  $parent_item = $target_comment->item();
  access::required("edit", $parent_item);
  $target_comment->delete();
}
/**
 * Checks whether the given object can be starred by the active user.
 *
 * Aborts the request unless a CSRF token is present, the user can view and edit
 * the item, and starring is enabled for the user.
 *
 * @param Item_Model $item the item
 */
private function _check_star_permissions(Item_Model $item) {
  access::verify_csrf();
  foreach (array("view", "edit") as $needed_perm) {
    access::required($needed_perm, $item);
  }
  if (!star::can_star()) {
    access::forbidden();
  }
}
/**
 * Present a form for sending a new ecard.
 *
 * The active user needs view permission on the item and must be allowed to send ecards.
 *
 * @param int $item_id item the ecard is about
 */
public function form_send($item_id) {
  $target = ORM::factory("item", $item_id);
  access::required("view", $target);
  if (!ecard::can_send_ecard()) {
    access::forbidden();
  }
  $send_form = ecard::get_send_form($target);
  print ecard::prefill_send_form($send_form);
}
/**
 * Print the form for album $id.
 *
 * Requires view and edit permission on the item; non-albums are refused.
 *
 * @param int $id item id
 */
function form($id) {
  $album = ORM::factory("item", $id);
  foreach (array("view", "edit") as $needed_perm) {
    access::required($needed_perm, $album);
  }
  if (!$album->is_album()) {
    access::forbidden();
  }
  print $this->_get_form($album);
}
/**
 * Flip the session's "l10n_mode" flag (admins only, CSRF protected) and return to
 * the root album.
 */
public function toggle_l10n_mode() {
  access::verify_csrf();
  if (!user::active()->admin) {
    access::forbidden();
  }
  $session = Session::instance();
  $currently_on = $session->get("l10n_mode", false);
  $session->set("l10n_mode", !$currently_on);
  url::redirect("albums/1");
}
/**
 * REST delete for a tag.
 *
 * Restrict deleting tags to admins. Otherwise, a logged in user can do great harm to an
 * install.
 *
 * @param object $request REST request whose url resolves to the tag
 */
static function delete($request) {
  $is_admin = identity::active_user()->admin;
  if (!$is_admin) {
    access::forbidden();
  }
  $target_tag = rest::resolve($request->url);
  $target_tag->delete();
}
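/**
 * Render the edit form for the user with id $id.
 *
 * The guest account is never editable and a user may only edit their own record.
 * An id that does not resolve to a user is a 404 — previously a null lookup result
 * reached "$user->guest" and produced a fatal error instead of a clean response.
 *
 * @param int $id id of the user to edit
 */
public function form_edit($id) {
  $user = user::lookup($id);
  if (empty($user)) {
    throw new Kohana_404_Exception();
  }
  if ($user->guest || $user->id != identity::active_user()->id) {
    access::forbidden();
  }
  $v = new View("user_form.html");
  $v->form = $this->_get_edit_form($user);
  print $v;
}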
/**
 * Admin-only controller constructor.
 *
 * A guest is remembered ("continue_url") and sent to the login page; any other
 * non-admin gets a 403. $theme is accepted for signature compatibility and unused here.
 *
 * @param mixed $theme unused
 */
public function __construct($theme = null) {
  $active = identity::active_user();
  if (!$active->admin) {
    if (!$active->guest) {
      access::forbidden();
    } else {
      // Remember where the visitor wanted to go so login can bring them back.
      Session::instance()->set("continue_url", url::abs_current(true));
      url::redirect("login");
    }
  }
  parent::__construct();
}
/**
 * @see REST_Controller::_create($resource)
 *
 * Requires add permission on $album; dispatches on the posted "type" to the album or
 * photo creator and refuses anything else with a 403.
 */
public function _create($album) {
  access::required("add", $album);
  $requested_type = $this->input->post("type");
  if ($requested_type == "album") {
    return $this->_create_album($album);
  }
  if ($requested_type == "photo") {
    return $this->_create_photo($album);
  }
  access::forbidden();
}
/**
 * Switch the site to the identity provider named $new_provider.
 *
 * Only an admin (or a CLI run) may do this. The current provider module is uninstalled,
 * the new one is set as "identity_provider", its optional installer's initialize()
 * is invoked, and the active user becomes the new provider's admin user. If anything
 * fails, the new provider is uninstalled and the previous one is restored by calling
 * this function again (guarded against recursion); the original exception is re-thrown.
 *
 * @param string $new_provider module name of the provider to enable
 * @throws Exception the failure that triggered the rollback
 */
static function change_provider($new_provider) {
  if (!identity::active_user()->admin && PHP_SAPI != "cli") {
    // Below, the active user is set to the primary admin.
    access::forbidden();
  }
  $current_provider = module::get_var("gallery", "identity_provider");
  if (!empty($current_provider)) {
    module::uninstall($current_provider);
  }
  try {
    IdentityProvider::reset();
    $provider = new IdentityProvider($new_provider);
    module::set_var("gallery", "identity_provider", $new_provider);
    // The installer class name is built from $new_provider; the admin/CLI guard above is
    // what limits who can choose that name.
    if (class_exists("{$new_provider}_installer") && method_exists("{$new_provider}_installer", "initialize")) {
      call_user_func("{$new_provider}_installer::initialize");
    }
    if (!$provider->admin_user()) {
      throw new Exception("IdentityProvider {$new_provider}: Couldn't find the admin user!");
    }
    module::event("identity_provider_changed", $current_provider, $new_provider);
    identity::set_active_user($provider->admin_user());
    // Fresh session id after the identity switch.
    Session::instance()->regenerate();
  } catch (Exception $e) {
    // Function-static flag: survives the nested change_provider() call made during rollback.
    static $restore_already_running;
    // In case of error, make an attempt to restore the old provider. Since that's calling into
    // this function again and can fail, we should be sure not to get into an infinite recursion.
    if (!$restore_already_running) {
      $restore_already_running = true;
      // Make sure new provider is not in the database
      try {
        module::uninstall($new_provider);
      } catch (Exception $e2) {
        Kohana_Log::add("error", "Error uninstalling failed new provider\n" . $e2->getMessage() . "\n" . $e2->getTraceAsString());
      }
      try {
        // Lets reset to the current provider so that the gallery installation is still
        // working.
        module::set_var("gallery", "identity_provider", null);
        IdentityProvider::change_provider($current_provider);
        module::activate($current_provider);
      } catch (Exception $e2) {
        Kohana_Log::add("error", "Error restoring original identity provider\n" . $e2->getMessage() . "\n" . $e2->getTraceAsString());
      }
      message::error(t("Error attempting to enable \"%new_provider\" identity provider, reverted to \"%old_provider\" identity provider", array("new_provider" => $new_provider, "old_provider" => $current_provider)));
      $restore_already_running = false;
    }
    // Always surface the original failure to the caller, even after a successful rollback.
    throw $e;
  }
}
/**
 * Flip the session's "l10n_mode" flag (admins only, CSRF protected) and return to the
 * languages admin page, jumping to the l10n client when the mode was just switched on.
 */
public function toggle_l10n_mode() {
  access::verify_csrf();
  if (!identity::active_user()->admin) {
    access::forbidden();
  }
  $session = Session::instance();
  $was_on = $session->get("l10n_mode", false);
  $session->set("l10n_mode", !$was_on);
  $target = $was_on ? "admin/languages" : "admin/languages#l10n-client";
  url::redirect($target);
}
/**
 * CLI-only packaging step: reset the install, then dump the database and the var
 * directory. Any exception is printed with its trace instead of propagating.
 */
function package() {
  if (PHP_SAPI != "cli") {
    access::forbidden();
  }
  $_SERVER["HTTP_HOST"] = "example.com";
  try {
    $this->_reset();          // empty and reinstall the standard modules
    $this->_dump_database();  // Dump the database
    $this->_dump_var();       // Dump the var directory
    print "Successfully wrote install.sql and init_var.php\n";
  } catch (Exception $failure) {
    print $failure->getMessage() . "\n" . $failure->getTraceAsString();
  }
}
/**
 * Handle the re-authentication form for an admin.
 *
 * Non-admins get a 403 and a CSRF token is required. On success a message is added,
 * "user_auth" fires and the browser is sent to the session's "continue_url" (default
 * "admin"). On failure the attempt is logged, "user_auth_failed" fires and the form
 * is shown again.
 */
public function auth() {
  if (!identity::active_user()->admin) {
    access::forbidden();
  }
  access::verify_csrf();
  $form = self::_form();
  $is_valid = $form->validate();
  $user = identity::active_user();
  if (!$is_valid) {
    $user_name = $user->name;
    log::warning("user", t("Failed re-authentication for %name", array("name" => $user_name)));
    module::event("user_auth_failed", $user_name);
    return self::_show_form($form);
  }
  message::success(t("Successfully re-authenticated!"));
  module::event("user_auth", $user);
  $next_url = Session::instance()->get_once("continue_url", "admin");
  url::redirect($next_url);
}
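/**
 * Delete a postage band from the admin page.
 *
 * Requires a valid CSRF token; an unknown id is a 404. On a failed form validation
 * the error reply is sent and the method returns — previously the else branch fell
 * through, so a "Deleted" log entry with an undefined $name and a success reply
 * followed the error reply.
 *
 * NOTE(review): the guard comparing $id with the active/guest user ids and the
 * "Deleted user" message text look copied from delete_user(); both are kept as-is
 * (the message is a translation key) — confirm with the module owner.
 *
 * @param int $id id of the postage band to delete
 */
public function delete_postage_band($id) {
  access::verify_csrf();
  if ($id == user::active()->id || $id == user::guest()->id) {
    access::forbidden();
  }

  $postage = ORM::factory("postage_band", $id);
  if (!$postage->loaded()) {
    throw new Kohana_404_Exception();
  }

  $form = postage_band::get_delete_form_admin($postage);
  if (!$form->validate()) {
    json::reply(array("result" => "error", "html" => (string) $form));
    return;
  }

  // Capture the name before the row is gone; it is only needed for the log message.
  $name = $postage->name;
  $postage->delete();

  $message = t("Deleted user %postage_band", array("postage_band" => html::clean($name)));
  log::success("user", $message);
  message::success($message);
  json::reply(array("result" => "success"));
}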
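/**
 * Delete a user from the admin users page.
 *
 * Requires a valid CSRF token. Deleting the active user or the guest account is refused
 * with 403; an unknown id is a 404. On a failed form validation the error JSON is sent
 * and the method returns — previously the else branch fell through, so the method also
 * logged "Deleted user" with an undefined $name and printed a success reply.
 *
 * @param int $id id of the user to delete
 */
public function delete_user($id) {
  access::verify_csrf();

  // Never let an admin delete themselves or the built-in guest account.
  if ($id == identity::active_user()->id || $id == user::guest()->id) {
    access::forbidden();
  }

  $user = user::lookup($id);
  if (empty($user)) {
    kohana::show_404();
  }

  $form = $this->_get_user_delete_form_admin($user);
  if (!$form->validate()) {
    print json_encode(array("result" => "error", "form" => $form->__toString()));
    return;
  }

  // Capture the name before the row is gone; it is only needed for the log message.
  $name = $user->name;
  $user->delete();

  $message = t("Deleted user %user_name", array("user_name" => $name));
  log::success("user", $message);
  message::success($message);
  print json_encode(array("result" => "success"));
}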
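/**
 * Delete a product from the admin page.
 *
 * Requires a valid CSRF token; an unknown id is a 404. On a failed form validation
 * the error JSON is printed and the method returns — previously the else branch fell
 * through, so a "Deleted" log entry with an undefined $name and a success reply
 * followed the error reply.
 *
 * NOTE(review): the guard comparing $id with the active/guest user ids and the
 * "Deleted user" message text look copied from delete_user(); both are kept as-is
 * (the message is a translation key) — confirm with the module owner.
 *
 * @param int $id id of the product to delete
 */
public function delete_product($id) {
  access::verify_csrf();
  if ($id == user::active()->id || $id == user::guest()->id) {
    access::forbidden();
  }

  $product = ORM::factory("product", $id);
  if (!$product->loaded()) {
    throw new Kohana_404_Exception();
  }

  $form = product::get_delete_form_admin($product);
  if (!$form->validate()) {
    print json_encode(array("result" => "error", "form" => $form->__toString()));
    return;
  }

  // Capture the name before the row is gone; it is only needed for the log message.
  $name = $product->name;
  $product->delete();

  $message = t("Deleted user %product_name", array("product_name" => html::clean($name)));
  log::success("user", $message);
  message::success($message);
  print json_encode(array("result" => "success"));
}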
/**
 * Save one translation submitted by the in-page l10n client (admins only, CSRF
 * protected).
 *
 * The outgoing_translation row for (key, locale) is created if missing and its
 * translation is replaced; the reply is an empty JSON object.
 *
 * NOTE(review): base_revision is copied from the incoming_translation row only when
 * that row is NOT loaded — this reads as inverted; confirm the intended condition.
 */
public function save() {
  access::verify_csrf();
  if (!user::active()->admin) {
    access::forbidden();
  }

  $input = Input::instance();
  $source_message = $input->post("l10n-message-source");
  $target_text = $input->post("l10n-edit-target");

  $message_key = I18n::get_message_key($source_message);
  $locale = I18n::instance()->locale();
  $lookup = array("key" => $message_key, "locale" => $locale);

  $outgoing = ORM::factory("outgoing_translation")->where($lookup)->find();
  if (!$outgoing->loaded) {
    // First translation for this message in this locale: initialise the row.
    $outgoing->key = $message_key;
    $outgoing->locale = $locale;
    $outgoing->message = serialize($source_message);
    $outgoing->base_revision = null;
  }
  $outgoing->translation = serialize($target_text);

  $incoming = ORM::factory("incoming_translation")->where($lookup)->find();
  if (!$incoming->loaded) {
    $outgoing->base_revision = $incoming->revision;
  }
  $outgoing->save();

  print json_encode(new stdClass());
}
/**
 * REST create for a tag.
 *
 * Non-admins must hold edit permission on at least one item (checked against the
 * access cache for their groups). A missing entity name is a 400. An existing tag
 * of the same name is reused rather than duplicated.
 *
 * @param object $request REST request with params->entity->name
 * @return array{url: string} the REST url of the tag
 * @throws Rest_Exception on a missing name
 */
static function post($request) {
  $active = identity::active_user();
  // The user must have some edit permission somewhere to create a tag.
  if (!$active->admin) {
    $perm_query = db::build()->from("access_caches")->and_open();
    foreach ($active->groups() as $group) {
      $perm_query->or_where("edit_{$group->id}", "=", access::ALLOW);
    }
    $edit_rows = $perm_query->close()->count_records();
    if (!$edit_rows) {
      access::forbidden();
    }
  }

  if (empty($request->params->entity->name)) {
    throw new Rest_Exception("Bad Request", 400);
  }
  $tag_name = $request->params->entity->name;

  $tag = ORM::factory("tag")->where("name", "=", $tag_name)->find();
  if (!$tag->loaded()) {
    $tag->name = $tag_name;
    $tag->count = 0;
    $tag->save();
  }
  return array("url" => rest::url("tag", $tag));
}
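/**
 * Cancel a running batch task owned by the active user and report its state as JSON.
 *
 * Requires a valid CSRF token; an unknown task or one owned by someone else is a 403.
 * A task that is not yet done is marked done/cancelled with a type-specific status.
 *
 * Fix: the "rearrange" case lacked a break, so its status was immediately overwritten
 * by the rotation text.
 *
 * @param int $task_id id of the task to cancel
 */
function cancelTask($task_id) {
  access::verify_csrf();
  $task = ORM::factory("task", $task_id);
  if (!$task->loaded || $task->owner_id != user::active()->id) {
    access::forbidden();
  }

  if (!$task->done) {
    $task->done = 1;
    $task->state = "cancelled";
    switch ($task->get("type")) {
    case "move":
      $task->status = t("Move to album was cancelled prior to completion");
      break;
    case "rearrange":
      $task->status = t("Rearrange album was cancelled prior to completion");
      break;
    case "rotateCcw":
    case "rotateCw":
      $task->status = t("Rotation was cancelled prior to completion");
      break;
    }
    $task->save();
  }

  batch::stop();
  print json_encode(array(
    "result" => "success",
    "task" => array(
      "id" => $task->id,
      "percent_complete" => $task->percent_complete,
      "status" => $task->status,
      "state" => $task->state,
      "done" => $task->done)));
}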
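/**
 * Delete a user from the admin users page.
 *
 * Requires a valid CSRF token. Deleting the active user or the guest account is refused
 * with 403; an unknown id is a 404. On a failed form validation the error reply is sent
 * and the method returns — previously the else branch fell through, so the method also
 * logged "Deleted user" with an undefined $name and sent a success reply.
 *
 * @param int $id id of the user to delete
 */
public function delete_user($id) {
  access::verify_csrf();

  // Never let an admin delete themselves or the built-in guest account.
  if ($id == identity::active_user()->id || $id == user::guest()->id) {
    access::forbidden();
  }

  $user = user::lookup($id);
  if (empty($user)) {
    throw new Kohana_404_Exception();
  }

  $form = $this->_get_user_delete_form_admin($user);
  if (!$form->validate()) {
    json::reply(array("result" => "error", "html" => (string) $form));
    return;
  }

  // Capture the name before the row is gone; it is only needed for the log message.
  $name = $user->name;
  $user->delete();

  $message = t("Deleted user %user_name", array("user_name" => $name));
  log::success("user", $message);
  message::success($message);
  json::reply(array("result" => "success"));
}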
/**
 * Admin-only controller constructor: any non-admin gets a 403 before the parent
 * controller is initialised. $theme is accepted for signature compatibility and unused.
 *
 * @param mixed $theme unused
 */
public function __construct($theme = null) {
  $is_admin = user::active()->admin;
  if (!$is_admin) {
    access::forbidden();
  }
  parent::__construct();
}