Esempio n. 1
1
 public function upgrade()
 {
     // Upgrade entry point, reachable from the CLI or from the web upgrader page.
     // Web callers must be an admin, or carry the "can_upgrade" session flag that
     // the upgrader flow sets; everyone else is refused.
     $running_in_cli = (php_sapi_name() == "cli");
     if ($running_in_cli) {
         // There is no request host on the CLI, so a placeholder is pinned.
         // @todo this may screw up some module installers, but we don't have a better answer at
         // this time.
         $_SERVER["HTTP_HOST"] = "example.com";
     } elseif (!user::active()->admin && !Session::instance()->get("can_upgrade", false)) {
         access::forbidden();
     }

     // gallery and user are (re)installed unconditionally, before everything else.
     foreach (array("gallery", "user") as $core_module) {
         module::install($core_module);
     }

     // Remaining active modules are only touched when their code version moved on.
     foreach (module::available() as $module_id => $module_info) {
         if ($module_id == "gallery") {
             continue;
         }
         $needs_upgrade = $module_info->active && $module_info->code_version != $module_info->version;
         if ($needs_upgrade) {
             module::install($module_id);
         }
     }

     if ($running_in_cli) {
         print "Upgrade complete\n";
     } else {
         url::redirect("upgrader?done=1");
     }
 }
Esempio n. 2
0
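  public function delete_user($id)
  {
    // Admin-side deletion of a user account; replies with JSON.
    // Refuses to delete the caller's own account or the guest account.
    //
    // @param mixed $id  id of the user to delete, as received from the request
    access::verify_csrf();

    if ($id == user::active()->id || $id == user::guest()->id) {
      access::forbidden();
    }

    $user = ORM::factory("user", $id);
    if (!$user->loaded) {
      kohana::show_404();
    }

    $form = user::get_delete_form_admin($user);
    if (!$form->validate()) {
      print json_encode(array("result" => "error",
                              "form" => $form->__toString()));
      // Stop here: without this return the code fell through and also emitted a
      // "success" reply (plus a "Deleted user" log entry) for a user that was never deleted.
      return;
    }

    $name = $user->name;
    $user->delete();

    $message = t("Deleted user %user_name", array("user_name" => p::clean($name)));
    log::success("user", $message);
    message::success($message);
    print json_encode(array("result" => "success"));
  }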
Esempio n. 3
0
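 static function required($perm_name, $item)
 {
     // Enforce $perm_name on $item, then additionally enforce the albumpassword
     // protection unless the module runs in "hideonly" mode.  A missing "view"
     // permission and a missing password both surface as a 404, so protected and
     // nonexistent items are indistinguishable; other permissions use access::forbidden().
     //
     // @param string $perm_name  permission name, e.g. "view" or "edit"
     // @param object $item       the item being accessed (has id and owner_id)
     // @throws Kohana_404_Exception
     //
     // Original code from the required function in modules/gallery/helpers/access.php.
     if (!access::can($perm_name, $item)) {
         if ($perm_name == "view") {
             // Treat as if the item didn't exist, don't leak any information.
             throw new Kohana_404_Exception();
         } else {
             access::forbidden();
         }
         // Begin rWatcher modifications.
         //   Throw a 404 error when a user attempts to access a protected item,
         //   unless the password has been provided, or the user is the item's owner.
     } elseif (module::get_var("albumpassword", "hideonly") == false) {
         $item_protected = ORM::factory("albumpassword_idcache")->where("item_id", "=", $item->id)->order_by("cache_id")->find_all();
         if (count($item_protected) > 0) {
             $existing_password = ORM::factory("items_albumpassword")->where("id", "=", $item_protected[0]->password_id)->find();
             if ($existing_password->loaded()) {
                 $active_user = identity::active_user();
                 $is_owner_or_admin = $active_user->id == $item->owner_id || $active_user->admin;
                 // Compare the cookie with the stored password via hash_equals(): the
                 // previous "!=" was a loose comparison (numeric strings such as "0" and
                 // "00" compared equal) and returned at the first differing byte.  Both
                 // operands are cast to string because cookie::get() may yield null.
                 $password_matches = hash_equals(
                     (string) $existing_password->password,
                     (string) cookie::get("g3_albumpassword"));
                 if (!$password_matches && !$is_owner_or_admin) {
                     throw new Kohana_404_Exception();
                 }
             }
         }
     }
 }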
Esempio n. 4
0
 public function auth()
 {
     // Re-authentication of an already-logged-in admin.  On success the user is
     // sent to the "continue_url" stored in the session; on failure the attempt is
     // logged and the form is shown again (as inline HTML for ajax callers).
     if (!identity::active_user()->admin) {
         access::forbidden();
     }
     access::verify_csrf();

     $form = self::_form();
     $form_ok = $form->validate();
     $user = identity::active_user();
     if (!$form_ok) {
         $user_name = $user->name;
         log::warning("user", t("Failed re-authentication for %name", array("name" => $user_name)));
         module::event("user_auth_failed", $user_name);
         if (!request::is_ajax()) {
             self::_show_form($form);
             return;
         }
         $view = new View("reauthenticate.html");
         $view->form = $form;
         $view->user_name = identity::active_user()->name;
         json::reply(array("html" => (string) $view));
         return;
     }

     module::event("user_auth", $user);
     if (!request::is_ajax()) {
         message::success(t("Successfully re-authenticated!"));
     }
     // NOTE(review): no default is given for "continue_url"; when the session has
     // none, url::redirect() receives null.
     url::redirect(Session::instance()->get_once("continue_url"));
 }
Esempio n. 5
0
 public function _form_edit($user)
 {
     // Print the self-service edit form for $user; only the logged-in (non-guest)
     // user may edit their own record.
     $is_own_record = !$user->guest && $user->id == user::active()->id;
     if (!$is_own_record) {
         access::forbidden();
     }
     print user::get_edit_form($user);
 }
Esempio n. 6
0
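 public function upgrade()
 {
     // Upgrade entry point for the CLI and the web upgrader.  Web callers must be an
     // admin or carry the "can_upgrade" session flag, and must present a valid CSRF
     // token (otherwise they are sent back to the upgrader page).  Modules whose
     // upgrade throws are collected in $failed and reported at the end.
     $running_in_cli = (php_sapi_name() == "cli");
     if ($running_in_cli) {
         // @todo this may screw up some module installers, but we don't have a better answer at
         // this time.
         $_SERVER["HTTP_HOST"] = "example.com";
     } else {
         if (!identity::active_user()->admin && !Session::instance()->get("can_upgrade", false)) {
             access::forbidden();
         }
         try {
             access::verify_csrf();
         } catch (Exception $e) {
             url::redirect("upgrader");
         }
     }

     $available = module::available();
     // Upgrade gallery first
     $gallery = $available["gallery"];
     if ($gallery->code_version != $gallery->version) {
         module::upgrade("gallery");
         module::activate("gallery");
     }

     // Then upgrade the rest (module::available() is queried again so that the
     // list reflects the gallery upgrade above).
     $failed = array();
     foreach (module::available() as $id => $module) {
         if ($id == "gallery") {
             continue;
         }
         if ($module->active && $module->code_version != $module->version) {
             try {
                 module::upgrade($id);
             } catch (Exception $e) {
                 // @todo assume it's MODULE_FAILED_TO_UPGRADE for now
                 $failed[] = $id;
             }
         }
     }

     // If the upgrade failed, this will get recreated
     site_status::clear("upgrade_now");
     // Clear any upgrade check strings, we are probably up to date.
     site_status::clear("upgrade_checker");

     if ($running_in_cli) {
         if ($failed) {
             print "Upgrade completed ** WITH FAILURES **\n";
             print "The following modules were not successfully upgraded:\n";
             // implode() takes the separator first; the legacy (array, separator)
             // argument order used here before is a TypeError on PHP 8.
             print "  " . implode("\n  ", $failed) . "\n";
             print "Try getting newer versions or deactivating those modules\n";
         } else {
             print "Upgrade complete\n";
         }
     } else {
         if ($failed) {
             url::redirect("upgrader?failed=" . join(",", $failed));
         } else {
             url::redirect("upgrader");
         }
     }
 }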
Esempio n. 7
0
 public function form_edit($id)
 {
     // Print the edit form for user $id; only that same logged-in (non-guest)
     // user may request it.
     $user = user::lookup($id);
     $is_own_record = !$user->guest && $user->id == user::active()->id;
     if (!$is_own_record) {
         access::forbidden();
     }
     print $this->_get_edit_form($user);
 }
Esempio n. 8
0
 function form($id)
 {
     // Print the form for item $id: the caller needs "edit" permission on it and
     // the item must be an album; anything else is refused.
     $item = ORM::factory("item", $id);
     access::required("edit", $item);
     $is_album = ($item->type == "album");
     if (!$is_album) {
         access::forbidden();
     }
     print $this->_get_form($item);
 }
Esempio n. 9
0
 /**
  * Present a form for adding a new comment to this item or editing an existing comment.
  *
  * Requires "view" permission on the item and comment::can_comment() for the
  * active user; otherwise access is refused.
  *
  * @param mixed $item_id  id of the item being commented on
  */
 public function form_add($item_id)
 {
     $item = ORM::factory("item", $item_id);
     access::required("view", $item);
     if (!comment::can_comment()) {
         access::forbidden();
     }
     $add_form = comment::get_add_form($item);
     print comment::prefill_add_form($add_form);
 }
Esempio n. 10
0
 static function delete($request)
 {
     // REST delete of a comment: admin-only, and the admin must also hold "edit"
     // on the comment's parent item.
     $active_user = identity::active_user();
     if (!$active_user->admin) {
         access::forbidden();
     }
     $comment = rest::resolve($request->url);
     access::required("edit", $comment->item());
     $comment->delete();
 }
Esempio n. 11
0
 /**
  * Checks whether the given object can be starred by the active user.
  *
  * Verifies the CSRF token, requires both "view" and "edit" on the item and
  * finally consults star::can_star(); any failure ends the request.
  *
  * @param Item_Model $item  the item
  */
 private function _check_star_permissions(Item_Model $item)
 {
     access::verify_csrf();
     foreach (array("view", "edit") as $permission) {
         access::required($permission, $item);
     }
     if (!star::can_star()) {
         access::forbidden();
     }
 }
Esempio n. 12
0
 /**
  * Present a form for sending a new ecard.
  *
  * Requires "view" permission on the item and ecard::can_send_ecard() for the
  * active user; otherwise access is refused.
  *
  * @param mixed $item_id  id of the item the ecard is about
  */
 public function form_send($item_id)
 {
     $item = ORM::factory("item", $item_id);
     access::required("view", $item);
     $may_send = ecard::can_send_ecard();
     if (!$may_send) {
         access::forbidden();
     }
     $send_form = ecard::get_send_form($item);
     print ecard::prefill_send_form($send_form);
 }
Esempio n. 13
0
 function form($id)
 {
     // Print the form for album $id: the caller needs both "view" and "edit" on
     // the item, and non-album items are refused.
     $item = ORM::factory("item", $id);
     foreach (array("view", "edit") as $permission) {
         access::required($permission, $item);
     }
     if (!$item->is_album()) {
         access::forbidden();
     }
     print $this->_get_form($item);
 }
Esempio n. 14
0
 public function toggle_l10n_mode()
 {
     // Flip the session's "l10n_mode" flag (admin-only, CSRF-protected) and go
     // back to the root album.
     access::verify_csrf();
     if (!user::active()->admin) {
         access::forbidden();
     }
     $session = Session::instance();
     $currently_enabled = $session->get("l10n_mode", false);
     $session->set("l10n_mode", !$currently_enabled);
     url::redirect("albums/1");
 }
Esempio n. 15
0
 static function delete($request)
 {
     // REST delete of a tag.
     // Restrict deleting tags to admins.  Otherwise, a logged in user can do great harm to an
     // install.
     $active_user = identity::active_user();
     if (!$active_user->admin) {
         access::forbidden();
     }
     $tag = rest::resolve($request->url);
     $tag->delete();
 }
Esempio n. 16
0
 public function form_edit($id)
 {
     // Render the edit form for user $id inside user_form.html; only that same
     // logged-in (non-guest) user may request it.
     $user = user::lookup($id);
     $is_own_record = !$user->guest && $user->id == identity::active_user()->id;
     if (!$is_own_record) {
         access::forbidden();
     }
     $view = new View("user_form.html");
     $view->form = $this->_get_edit_form($user);
     print $view;
 }
Esempio n. 17
0
 public function __construct($theme = null)
 {
     // Admin-only controller: guests are sent to the login page (the current URL is
     // remembered in the session so they can come back), other non-admins are
     // refused outright.  $theme is not used in this body.
     $active_user = identity::active_user();
     if (!$active_user->admin) {
         if ($active_user->guest) {
             Session::instance()->set("continue_url", url::abs_current(true));
             url::redirect("login");
         } else {
             access::forbidden();
         }
     }
     parent::__construct();
 }
Esempio n. 18
0
 /**
  * @see REST_Controller::_create($resource)
  *
  * Creates a child of $album according to the posted "type" ("album" or "photo").
  * Requires "add" permission on $album; any other type is refused.
  */
 public function _create($album)
 {
     access::required("add", $album);
     $requested_type = $this->input->post("type");
     if ($requested_type == "album") {
         return $this->_create_album($album);
     }
     if ($requested_type == "photo") {
         return $this->_create_photo($album);
     }
     access::forbidden();
 }
Esempio n. 19
0
 static function change_provider($new_provider)
 {
     // Switch the gallery to the identity provider module $new_provider: uninstall
     // the current provider, install/initialise the new one and make its admin user
     // the active user.  On any failure the old provider is restored (once) and the
     // original exception is re-thrown.
     //
     // @param string $new_provider  module name of the new identity provider
     // @throws Exception  the original failure, after the restore attempt
     if (!identity::active_user()->admin && PHP_SAPI != "cli") {
         // Below, the active user is set to the primary admin.
         access::forbidden();
     }
     $current_provider = module::get_var("gallery", "identity_provider");
     if (!empty($current_provider)) {
         module::uninstall($current_provider);
     }
     try {
         IdentityProvider::reset();
         $provider = new IdentityProvider($new_provider);
         module::set_var("gallery", "identity_provider", $new_provider);
         // Optional hook: "<provider>_installer::initialize", called only when the
         // module defines it.  The class name is built from $new_provider, which
         // only an admin or the CLI can supply (see the guard above).
         if (class_exists("{$new_provider}_installer") && method_exists("{$new_provider}_installer", "initialize")) {
             call_user_func("{$new_provider}_installer::initialize");
         }
         if (!$provider->admin_user()) {
             throw new Exception("IdentityProvider {$new_provider}: Couldn't find the admin user!");
         }
         module::event("identity_provider_changed", $current_provider, $new_provider);
         identity::set_active_user($provider->admin_user());
         // The active user just changed, so the session id is rotated.
         Session::instance()->regenerate();
     } catch (Exception $e) {
         // Function-level static: it survives the recursive change_provider() call below.
         static $restore_already_running;
         // In case of error, make an attempt to restore the old provider.  Since that's calling into
         // this function again and can fail, we should be sure not to get into an infinite recursion.
         if (!$restore_already_running) {
             $restore_already_running = true;
             // Make sure new provider is not in the database
             try {
                 module::uninstall($new_provider);
             } catch (Exception $e2) {
                 Kohana_Log::add("error", "Error uninstalling failed new provider\n" . $e2->getMessage() . "\n" . $e2->getTraceAsString());
             }
             try {
                 // Lets reset to the current provider so that the gallery installation is still
                 // working.
                 module::set_var("gallery", "identity_provider", null);
                 IdentityProvider::change_provider($current_provider);
                 module::activate($current_provider);
             } catch (Exception $e2) {
                 Kohana_Log::add("error", "Error restoring original identity provider\n" . $e2->getMessage() . "\n" . $e2->getTraceAsString());
             }
             message::error(t("Error attempting to enable \"%new_provider\" identity provider, reverted to \"%old_provider\" identity provider", array("new_provider" => $new_provider, "old_provider" => $current_provider)));
             $restore_already_running = false;
         }
         // Re-throw the original failure regardless of how the restore went.
         throw $e;
     }
 }
Esempio n. 20
0
 public function toggle_l10n_mode()
 {
     // Flip the session's "l10n_mode" flag (admin-only, CSRF-protected) and go
     // back to the languages admin page, jumping to the l10n client when the
     // mode was just switched on.
     access::verify_csrf();
     if (!identity::active_user()->admin) {
         access::forbidden();
     }
     $session = Session::instance();
     $was_enabled = $session->get("l10n_mode", false);
     $session->set("l10n_mode", !$was_enabled);
     $target = $was_enabled ? "admin/languages" : "admin/languages#l10n-client";
     url::redirect($target);
 }
Esempio n. 21
0
 function package()
 {
     // CLI-only packaging task: reset the install, then write install.sql and
     // init_var.php.  Any exception is printed (message and trace) and aborts the run.
     if (PHP_SAPI != "cli") {
         access::forbidden();
     }
     // There is no request host on the CLI, so a placeholder is pinned
     // (presumably for code that derives URLs from it).
     $_SERVER["HTTP_HOST"] = "example.com";
     try {
         // empty and reinstall the standard modules
         $this->_reset();
         // Dump the database
         $this->_dump_database();
         // Dump the var directory
         $this->_dump_var();
     } catch (Exception $e) {
         print $e->getMessage() . "\n" . $e->getTraceAsString();
         return;
     }
     print "Successfully wrote install.sql and init_var.php\n";
 }
Esempio n. 22
0
 public function auth()
 {
     // Re-authentication of an already-logged-in admin.  On success the user is
     // sent to the session's "continue_url" (falling back to "admin"); on failure
     // the attempt is logged and the form is shown again.
     if (!identity::active_user()->admin) {
         access::forbidden();
     }
     access::verify_csrf();
     $form = self::_form();
     $form_ok = $form->validate();
     $user = identity::active_user();
     if (!$form_ok) {
         $user_name = $user->name;
         log::warning("user", t("Failed re-authentication for %name", array("name" => $user_name)));
         module::event("user_auth_failed", $user_name);
         return self::_show_form($form);
     }
     message::success(t("Successfully re-authenticated!"));
     module::event("user_auth", $user);
     $continue_url = Session::instance()->get_once("continue_url", "admin");
     url::redirect($continue_url);
 }
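 public function delete_postage_band($id)
 {
     // Admin-side deletion of a postage band; replies with JSON.
     //
     // @param mixed $id  id of the postage band to delete
     // @throws Kohana_404_Exception  when no such postage band exists
     access::verify_csrf();
     // NOTE(review): this guard compares a postage-band id against user ids; it looks
     // copied from delete_user() and is kept unchanged pending confirmation of intent.
     if ($id == user::active()->id || $id == user::guest()->id) {
         access::forbidden();
     }
     $postage = ORM::factory("postage_band", $id);
     if (!$postage->loaded()) {
         throw new Kohana_404_Exception();
     }
     $form = postage_band::get_delete_form_admin($postage);
     if (!$form->validate()) {
         json::reply(array("result" => "error", "html" => (string) $form));
         // Stop here: without this return the code fell through and also emitted a
         // "success" reply and logged a deletion that never happened.
         return;
     }
     $name = $postage->name;
     $postage->delete();
     // NOTE(review): the message says "user" although a postage band was deleted;
     // left as-is because it is a translated string.
     $message = t("Deleted user %postage_band", array("postage_band" => html::clean($name)));
     log::success("user", $message);
     message::success($message);
     json::reply(array("result" => "success"));
 }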
Esempio n. 24
0
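 public function delete_user($id)
 {
     // Admin-side deletion of a user account; replies with JSON.
     // Refuses to delete the caller's own account or the guest account.
     //
     // @param mixed $id  id of the user to delete, as received from the request
     access::verify_csrf();
     if ($id == identity::active_user()->id || $id == user::guest()->id) {
         access::forbidden();
     }
     $user = user::lookup($id);
     if (empty($user)) {
         kohana::show_404();
     }
     $form = $this->_get_user_delete_form_admin($user);
     if (!$form->validate()) {
         print json_encode(array("result" => "error", "form" => $form->__toString()));
         // Stop here: without this return the code fell through and also emitted a
         // "success" reply (plus a "Deleted user" log entry) for a user that was never deleted.
         return;
     }
     $name = $user->name;
     $user->delete();
     $message = t("Deleted user %user_name", array("user_name" => $name));
     log::success("user", $message);
     message::success($message);
     print json_encode(array("result" => "success"));
 }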
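 public function delete_product($id)
 {
     // Admin-side deletion of a product; replies with JSON.
     //
     // @param mixed $id  id of the product to delete
     // @throws Kohana_404_Exception  when no such product exists
     access::verify_csrf();
     // NOTE(review): this guard compares a product id against user ids; it looks
     // copied from delete_user() and is kept unchanged pending confirmation of intent.
     if ($id == user::active()->id || $id == user::guest()->id) {
         access::forbidden();
     }
     $product = ORM::factory("product", $id);
     if (!$product->loaded()) {
         throw new Kohana_404_Exception();
     }
     $form = product::get_delete_form_admin($product);
     if (!$form->validate()) {
         print json_encode(array("result" => "error", "form" => $form->__toString()));
         // Stop here: without this return the code fell through and also emitted a
         // "success" reply and logged a deletion that never happened.
         return;
     }
     $name = $product->name;
     $product->delete();
     // NOTE(review): the message says "user" although a product was deleted;
     // left as-is because it is a translated string.
     $message = t("Deleted user %product_name", array("product_name" => html::clean($name)));
     log::success("user", $message);
     message::success($message);
     print json_encode(array("result" => "success"));
 }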
Esempio n. 26
0
 public function save()
 {
     // Store the translation posted by the l10n client for the current locale
     // (admin-only, CSRF-protected) and reply with an empty JSON object.
     access::verify_csrf();
     if (!user::active()->admin) {
         access::forbidden();
     }
     $input = Input::instance();
     $source_message = $input->post("l10n-message-source");
     $target_text = $input->post("l10n-edit-target");
     $key = I18n::get_message_key($source_message);
     $locale = I18n::instance()->locale();
     $lookup = array("key" => $key, "locale" => $locale);
     $entry = ORM::factory("outgoing_translation")->where($lookup)->find();
     if (!$entry->loaded) {
         // First translation for this key/locale: initialise the new row.
         $entry->key = $key;
         $entry->locale = $locale;
         $entry->message = serialize($source_message);
         $entry->base_revision = null;
     }
     $entry->translation = serialize($target_text);
     $incoming = ORM::factory("incoming_translation")->where($lookup)->find();
     // NOTE(review): this branches on the incoming row being *absent*, so
     // base_revision is read from an unloaded model; verify whether "loaded" was intended.
     if (!$incoming->loaded) {
         $entry->base_revision = $incoming->revision;
     }
     $entry->save();
     print json_encode(new stdClass());
 }
Esempio n. 27
0
 static function post($request)
 {
     // REST create of a tag: looks up the tag by name and creates it when missing.
     // The user must have some edit permission somewhere to create a tag.
     $active_user = identity::active_user();
     if (!$active_user->admin) {
         $query = db::build()->from("access_caches")->and_open();
         foreach ($active_user->groups() as $group) {
             $query->or_where("edit_{$group->id}", "=", access::ALLOW);
         }
         $edit_rows = $query->close()->count_records();
         if (!$edit_rows) {
             access::forbidden();
         }
     }
     if (empty($request->params->entity->name)) {
         throw new Rest_Exception("Bad Request", 400);
     }
     $tag_name = $request->params->entity->name;
     $tag = ORM::factory("tag")->where("name", "=", $tag_name)->find();
     if (!$tag->loaded()) {
         // New tag: create it with a zero usage count.
         $tag->name = $tag_name;
         $tag->count = 0;
         $tag->save();
     }
     return array("url" => rest::url("tag", $tag));
 }
Esempio n. 28
0
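 function cancelTask($task_id)
 {
     // Cancel a batch task owned by the active user (CSRF-protected) and reply
     // with the task's resulting state as JSON.
     //
     // @param mixed $task_id  id of the task to cancel
     access::verify_csrf();
     $task = ORM::factory("task", $task_id);
     if (!$task->loaded || $task->owner_id != user::active()->id) {
         access::forbidden();
     }
     if (!$task->done) {
         $task->done = 1;
         $task->state = "cancelled";
         switch ($task->get("type")) {
             case "move":
                 $task->status = t("Move to album was cancelled prior to completion");
                 break;
             case "rearrange":
                 $task->status = t("Rearrange album was cancelled prior to completion");
                 // This break was missing: "rearrange" fell through and reported
                 // the rotation message instead.
                 break;
             case "rotateCcw":
             case "rotateCw":
                 $task->status = t("Rotation was cancelled prior to completion");
                 break;
         }
         $task->save();
     }
     batch::stop();
     print json_encode(array(
         "result" => "success",
         "task" => array(
             "id" => $task->id,
             "percent_complete" => $task->percent_complete,
             "status" => $task->status,
             "state" => $task->state,
             "done" => $task->done)));
 }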
Esempio n. 29
0
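 public function delete_user($id)
 {
     // Admin-side deletion of a user account; replies with JSON.
     // Refuses to delete the caller's own account or the guest account.
     //
     // @param mixed $id  id of the user to delete, as received from the request
     // @throws Kohana_404_Exception  when no such user exists
     access::verify_csrf();
     if ($id == identity::active_user()->id || $id == user::guest()->id) {
         access::forbidden();
     }
     $user = user::lookup($id);
     if (empty($user)) {
         throw new Kohana_404_Exception();
     }
     $form = $this->_get_user_delete_form_admin($user);
     if (!$form->validate()) {
         json::reply(array("result" => "error", "html" => (string) $form));
         // Stop here: without this return the code fell through and also emitted a
         // "success" reply (plus a "Deleted user" log entry) for a user that was never deleted.
         return;
     }
     $name = $user->name;
     $user->delete();
     $message = t("Deleted user %user_name", array("user_name" => $name));
     log::success("user", $message);
     message::success($message);
     json::reply(array("result" => "success"));
 }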
Esempio n. 30
-1
 public function __construct($theme = null)
 {
     // Admin-only controller: anyone who is not an admin is refused before the
     // parent constructor runs.  $theme is not used in this body.
     $active_user = user::active();
     if (!$active_user->admin) {
         access::forbidden();
     }
     parent::__construct();
 }