public function create_comment_for_guest_test()
{
$comment = ORM::factory("comment");
$comment->item_id = item::root()->id;
$comment->text = "text";
$comment->author_id = identity::guest()->id;
$comment->guest_name = "name";
$comment->guest_email = "*****@*****.**";
$comment->guest_url = "http://url.com";
$comment->save();
$this->assert_equal("name", $comment->author_name());
$this->assert_equal("*****@*****.**", $comment->author_email());
$this->assert_equal("http://url.com", $comment->author_url());
$this->assert_equal("text", $comment->text);
$this->assert_equal(1, $comment->item_id);
$this->assert_equal("REMOTE_ADDR", $comment->server_remote_addr);
$this->assert_equal("HTTP_USER_AGENT", $comment->server_http_user_agent);
$this->assert_equal("HTTP_ACCEPT", $comment->server_http_accept);
$this->assert_equal("HTTP_ACCEPT_CHARSET", $comment->server_http_accept_charset);
$this->assert_equal("HTTP_ACCEPT_ENCODING", $comment->server_http_accept_encoding);
$this->assert_equal("HTTP_ACCEPT_LANGUAGE", $comment->server_http_accept_language);
$this->assert_equal("HTTP_CONNECTION", $comment->server_http_connection);
$this->assert_equal("HTTP_HOST", $comment->server_http_host);
$this->assert_equal("HTTP_REFERER", $comment->server_http_referer);
$this->assert_equal("HTTP_USER_AGENT", $comment->server_http_user_agent);
$this->assert_equal("QUERY_STRING", $comment->server_query_string);
$this->assert_equal("REMOTE_ADDR", $comment->server_remote_addr);
$this->assert_equal("REMOTE_HOST", $comment->server_remote_host);
$this->assert_equal("REMOTE_PORT", $comment->server_remote_port);
$this->assert_true(!empty($comment->created));
}
public function create_comment_for_guest_test()
{
$rand = rand();
$root = ORM::factory("item", 1);
$comment = comment::create($root, identity::guest(), "text_{$rand}", "name_{$rand}", "email_{$rand}", "url_{$rand}");
$this->assert_equal("name_{$rand}", $comment->author_name());
$this->assert_equal("email_{$rand}", $comment->author_email());
$this->assert_equal("url_{$rand}", $comment->author_url());
$this->assert_equal("text_{$rand}", $comment->text);
$this->assert_equal(1, $comment->item_id);
$this->assert_equal("REMOTE_ADDR", $comment->server_remote_addr);
$this->assert_equal("HTTP_USER_AGENT", $comment->server_http_user_agent);
$this->assert_equal("HTTP_ACCEPT", $comment->server_http_accept);
$this->assert_equal("HTTP_ACCEPT_CHARSET", $comment->server_http_accept_charset);
$this->assert_equal("HTTP_ACCEPT_ENCODING", $comment->server_http_accept_encoding);
$this->assert_equal("HTTP_ACCEPT_LANGUAGE", $comment->server_http_accept_language);
$this->assert_equal("HTTP_CONNECTION", $comment->server_http_connection);
$this->assert_equal("HTTP_HOST", $comment->server_http_host);
$this->assert_equal("HTTP_REFERER", $comment->server_http_referer);
$this->assert_equal("HTTP_USER_AGENT", $comment->server_http_user_agent);
$this->assert_equal("QUERY_STRING", $comment->server_query_string);
$this->assert_equal("REMOTE_ADDR", $comment->server_remote_addr);
$this->assert_equal("REMOTE_HOST", $comment->server_remote_host);
$this->assert_equal("REMOTE_PORT", $comment->server_remote_port);
$this->assert_true(!empty($comment->created));
}
public function deleting_an_item_deletes_its_comments_too_test()
{
$rand = rand();
$album = album::create(ORM::factory("item", 1), "test_{$rand}", "test_{$rand}");
$comment = comment::create($album, identity::guest(), "text_{$rand}", "name_{$rand}", "email_{$rand}", "url_{$rand}");
$album->delete();
$deleted_comment = ORM::factory("comment", $comment->id);
$this->assert_false($deleted_comment->loaded);
}
public function deleting_an_item_deletes_its_comments_too_test()
{
$album = test::random_album();
$comment = ORM::factory("comment");
$comment->item_id = $album->id;
$comment->author_id = identity::guest()->id;
$comment->guest_name = "test";
$comment->text = "text";
$comment->save();
$album->delete();
$this->assert_false(ORM::factory("comment", $comment->id)->loaded());
}
public function viewable_test()
{
$root = ORM::factory("item", 1);
$album = album::create($root, rand(), rand(), rand());
$item = self::_create_random_item($album);
identity::set_active_user(identity::guest());
// We can see the item when permissions are granted
access::allow(identity::everybody(), "view", $album);
$this->assert_equal(1, ORM::factory("item")->viewable()->where("id", "=", $item->id)->count_all());
// We can't see the item when permissions are denied
access::deny(identity::everybody(), "view", $album);
$this->assert_equal(0, ORM::factory("item")->viewable()->where("id", "=", $item->id)->count_all());
}
public function viewable_test()
{
$album = test::random_album();
$item = test::random_photo($album);
$album->reload();
identity::set_active_user(identity::guest());
// We can see the item when permissions are granted
access::allow(identity::everybody(), "view", $album);
$this->assert_equal(1, ORM::factory("item")->viewable()->where("id", "=", $item->id)->count_all());
// We can't see the item when permissions are denied
access::deny(identity::everybody(), "view", $album);
$this->assert_equal(0, ORM::factory("item")->viewable()->where("id", "=", $item->id)->count_all());
}
public function post_fails_without_permissions_test()
{
access::deny(identity::everybody(), "edit", item::root());
identity::set_active_user(identity::guest());
try {
$request->params->name = "test tag";
tags_rest::post($request);
} catch (Exception $e) {
$this->assert_equal(403, $e->getCode());
return;
}
$this->assert_true(false, "Shouldnt get here");
}
public function cant_view_comments_for_unviewable_items_test()
{
$root = ORM::factory("item", 1);
$album = album::create($root, rand(), rand(), rand());
$comment = comment::create($album, identity::guest(), "text", "name", "email", "url");
identity::set_active_user(identity::guest());
// We can see the comment when permissions are granted on the album
access::allow(identity::everybody(), "view", $album);
$this->assert_equal(1, ORM::factory("comment")->viewable()->where("comments.id", "=", $comment->id)->count_all());
// We can't see the comment when permissions are denied on the album
access::deny(identity::everybody(), "view", $album);
$this->assert_equal(0, ORM::factory("comment")->viewable()->where("comments.id", "=", $comment->id)->count_all());
}
public function setup()
{
Input::instance()->ip_address = "1.1.1.1";
request::set_user_agent("Akismet_Helper_Test");
$root = ORM::factory("item", 1);
$this->_comment = comment::create($root, identity::guest(), "This is a comment", "John Doe", "*****@*****.**", "http://gallery2.org");
foreach ($this->_comment->list_fields("comments") as $name => $field) {
if (strpos($name, "server_") === 0) {
$this->_comment->{$name} = substr($name, strlen("server_"));
}
}
$this->_comment->save();
module::set_var("akismet", "api_key", "TEST_KEY");
}
public function cant_view_comments_for_unviewable_items_test()
{
$album = test::random_album();
$comment = ORM::factory("comment");
$comment->item_id = $album->id;
$comment->author_id = identity::admin_user()->id;
$comment->text = "text";
$comment->save();
identity::set_active_user(identity::guest());
// We can see the comment when permissions are granted on the album
access::allow(identity::everybody(), "view", $album);
$this->assert_true(ORM::factory("comment")->viewable()->where("comments.id", "=", $comment->id)->count_all());
// We can't see the comment when permissions are denied on the album
access::deny(identity::everybody(), "view", $album);
$this->assert_false(ORM::factory("comment")->viewable()->where("comments.id", "=", $comment->id)->count_all());
}
static function set_active_user($access_token)
{
if (empty($access_token)) {
identity::set_active_user(identity::guest());
return;
}
$key = ORM::factory("user_access_token")->where("access_key", "=", $access_token)->find();
if (!$key->loaded()) {
throw new Rest_Exception("Forbidden", 403);
}
$user = identity::lookup_user($key->user_id);
if (empty($user)) {
throw new Rest_Exception("Forbidden", 403);
}
identity::set_active_user($user);
}
public function post_fails_without_permissions_test()
{
// We have to remove edit permissions from everywhere
Database::instance()->query("UPDATE {access_caches} SET edit_1=0");
identity::set_active_user(identity::guest());
try {
$request = new stdClass();
$request->params = new stdClass();
$request->params->name = "test tag";
tags_rest::post($request);
} catch (Exception $e) {
$this->assert_equal(403, $e->getCode());
return;
}
$this->assert_true(false, "Shouldnt get here");
}
public function illegal_access_test()
{
$album = test::random_album();
$photo = test::random_photo($album);
$album->reload();
access::deny(identity::everybody(), "view", $album);
identity::set_active_user(identity::guest());
$request = new stdClass();
$request->url = rest::url("data", $photo, "thumb");
$request->params = new stdClass();
$request->params->size = "thumb";
try {
data_rest::get($request);
$this->assert_true(false);
} catch (Kohana_404_Exception $e) {
// pass
}
}
private function _make_comment()
{
$comment = ORM::factory("comment");
$comment->item_id = item::root()->id;
$comment->author_id = identity::guest()->id;
$comment->text = "This is a comment";
$comment->guest_name = "John Doe";
$comment->guest_email = "*****@*****.**";
$comment->guest_url = "http://gallery2.org";
$comment->save();
// Set the server fields to a known placeholder
foreach ($comment->list_fields("comments") as $name => $field) {
if (strpos($name, "server_") === 0) {
$comment->{$name} = substr($name, strlen("server_"));
}
}
return $comment->save();
}
static function set_active_user($access_key)
{
if (empty($access_key)) {
if (module::get_var("rest", "allow_guest_access")) {
identity::set_active_user(identity::guest());
return;
} else {
throw new Rest_Exception("Forbidden", 403);
}
}
$key = ORM::factory("user_access_key")->where("access_key", "=", $access_key)->find();
if (!$key->loaded()) {
throw new Rest_Exception("Forbidden", 403);
}
$user = identity::lookup_user($key->user_id);
if (empty($user)) {
throw new Rest_Exception("Forbidden", 403);
}
identity::set_active_user($user);
}
public static function getuser($user_string)
{
$user_parts = explode("(", $user_string);
$user_part = rtrim(ltrim(end($user_parts)), ")");
$user = ORM::factory("user")->where("name", "=", $user_part)->find();
$user_firstpart = trim(implode(array_slice($user_parts, 0, count($user_parts) - 1)));
if (!$user->loaded() || strcasecmp($user_firstpart, $user->display_name()) != 0) {
$result->found = false;
$result->isguest = false;
$result->user = "";
return $result;
}
if (identity::guest()->id == $user->id) {
$result->found = true;
$result->isguest = true;
$result->user = "";
return $result;
}
$result->found = true;
$result->isguest = false;
$result->user = $user;
return $result;
}
/**
* If the gallery is only available to registered users and the user is not logged in, present
* the login page.
*/
static function private_gallery()
{
if (identity::active_user()->guest && !access::user_can(identity::guest(), "view", item::root()) && php_sapi_name() != "cli") {
try {
$class = new ReflectionClass(ucfirst(Router::$controller) . '_Controller');
$allowed = $class->getConstant("ALLOW_PRIVATE_GALLERY") === true;
} catch (ReflectionClass $e) {
$allowed = false;
}
if (!$allowed) {
if (Router::$controller == "admin") {
// At this point we're in the admin theme and it doesn't have a themed login page, so
// we can't just swap in the login controller and have it work. So redirect back to the
// root item where we'll run this code again with the site theme.
url::redirect(item::root()->abs_url());
} else {
Session::instance()->set("continue_url", url::abs_current());
Router::$controller = "login";
Router::$controller_path = MODPATH . "gallery/controllers/login.php";
Router::$method = "html";
}
}
}
}
/**
* Import a single comment.
*/
static function import_comment(&$queue)
{
$g2_comment_id = array_shift($queue);
try {
$g2_comment = g2(GalleryCoreApi::loadEntitiesById($g2_comment_id));
} catch (Exception $e) {
return t("Failed to load Gallery 2 comment with id: %id\\%exception", array("id" => $g2_comment_id, "exception" => (string) $e));
}
if ($id = self::map($g2_comment->getId())) {
if (ORM::factory("comment", $id)->loaded()) {
// Already imported and still exists
return;
}
// This comment was already imported, but now it no longer exists. Import it again, per
// ticket #1736.
}
$item_id = self::map($g2_comment->getParentId());
if (empty($item_id)) {
// Item was not mapped.
return;
}
$text = join("\n", array($g2_comment->getSubject(), $g2_comment->getComment()));
$text = html_entity_decode($text);
// Just import the fields we know about. Do this outside of the comment API for now so that
// we don't trigger spam filtering events
$comment = ORM::factory("comment");
$comment->author_id = self::map($g2_comment->getCommenterId());
$comment->guest_name = "";
if ($comment->author_id == identity::guest()->id) {
$comment->guest_name = $g2_comment->getAuthor();
$comment->guest_name or $comment->guest_name = (string) t("Anonymous coward");
$comment->guest_email = "*****@*****.**";
}
$comment->item_id = $item_id;
$comment->text = self::_transform_bbcode($text);
$comment->state = "published";
$comment->server_http_host = $g2_comment->getHost();
try {
$comment->save();
} catch (Exception $e) {
return (string) new G2_Import_Exception(t("Failed to import comment with id: %id.", array("id" => $g2_comment_id)), $e);
}
self::set_map($g2_comment->getId(), $comment->id, "comment");
// Backdate the creation date. We can't do this at creation time because
// Comment_Model::save() will override it. Leave the updated date alone
// so that if the comments get marked as spam, they don't immediately get
// flushed (see ticket #1736)
db::update("comments")->set("created", $g2_comment->getDate())->where("id", "=", $comment->id)->execute();
}
/**
* Same as ORM::as_array() but convert id fields into their RESTful form.
*
* @param array if specified, only return the named fields
*/
public function as_restful_array($fields = array())
{
if ($fields) {
$data = array();
foreach ($fields as $field) {
if (isset($this->object[$field])) {
$data[$field] = $this->__get($field);
}
}
$fields = array_flip($fields);
} else {
$data = $this->as_array();
}
// Convert item ids to rest URLs for consistency
if (empty($fields) || isset($fields["parent"])) {
if ($tmp = $this->parent()) {
$data["parent"] = rest::url("item", $tmp);
}
unset($data["parent_id"]);
}
if (empty($fields) || isset($fields["album_cover"])) {
if ($tmp = $this->album_cover()) {
$data["album_cover"] = rest::url("item", $tmp);
}
unset($data["album_cover_item_id"]);
}
if (empty($fields) || isset($fields["web_url"])) {
$data["web_url"] = $this->abs_url();
}
if (!$this->is_album()) {
if (access::can("view_full", $this)) {
if (empty($fields) || isset($fields["file_url"])) {
$data["file_url"] = rest::url("data", $this, "full");
}
if (empty($fields) || isset($fields["file_size"])) {
$data["file_size"] = filesize($this->file_path());
}
if (access::user_can(identity::guest(), "view_full", $this)) {
if (empty($fields) || isset($fields["file_url_public"])) {
$data["file_url_public"] = $this->file_url(true);
}
}
}
}
if ($this->is_photo()) {
if (empty($fields) || isset($fields["resize_url"])) {
$data["resize_url"] = rest::url("data", $this, "resize");
}
if (empty($fields) || isset($fields["resize_size"])) {
$data["resize_size"] = filesize($this->resize_path());
}
if (access::user_can(identity::guest(), "view", $this)) {
if (empty($fields) || isset($fields["resize_url_public"])) {
$data["resize_url_public"] = $this->resize_url(true);
}
}
}
if ($this->has_thumb()) {
if (empty($fields) || isset($fields["thumb_url"])) {
$data["thumb_url"] = rest::url("data", $this, "thumb");
}
if (empty($fields) || isset($fields["thumb_size"])) {
$data["thumb_size"] = filesize($this->thumb_path());
}
if (access::user_can(identity::guest(), "view", $this)) {
if (empty($fields) || isset($fields["thumb_url_public"])) {
$data["thumb_url_public"] = $this->thumb_url(true);
}
}
}
if (empty($fields) || isset($fields["can_edit"])) {
$data["can_edit"] = access::can("edit", $this);
}
// Elide some internal-only data that is going to cause confusion in the client.
foreach (array("relative_path_cache", "relative_url_cache", "left_ptr", "right_ptr", "thumb_dirty", "resize_dirty", "weight") as $key) {
unset($data[$key]);
}
return $data;
}
/**
* Import a single comment.
*/
static function import_comment(&$queue)
{
$g2_comment_id = array_shift($queue);
try {
$g2_comment = g2(GalleryCoreApi::loadEntitiesById($g2_comment_id));
} catch (Exception $e) {
return t("Failed to load Gallery 2 comment with id: %id\\%exception", array("id" => $g2_comment_id, "exception" => (string) $e));
}
$item_id = self::map($g2_comment->getParentId());
if (empty($item_id)) {
// Item was not mapped.
return;
}
$text = $g2_comment->getSubject();
if ($text) {
$text .= " ";
}
$text .= $g2_comment->getComment();
// Just import the fields we know about. Do this outside of the comment API for now so that
// we don't trigger spam filtering events
$comment = ORM::factory("comment");
$comment->author_id = self::map($g2_comment->getCommenterId());
$comment->guest_name = "";
if ($comment->author_id == identity::guest()->id) {
$comment->guest_name = $g2_comment->getAuthor();
$comment->guest_name or $comment->guest_name = (string) t("Anonymous coward");
}
$comment->item_id = $item_id;
$comment->text = self::_transform_bbcode($text);
$comment->state = "published";
$comment->server_http_host = $g2_comment->getHost();
$comment->created = $g2_comment->getDate();
try {
$comment->save();
} catch (Exception $e) {
return (string) new G2_Import_Exception(t("Failed to import comment with id: %id.", array("id" => $g2_comment_id)), $e);
}
}
public function view_permissions_propagate_down_to_photos_test()
{
$album = test::random_album();
$photo = test::random_photo($album);
identity::set_active_user(identity::guest());
$this->assert_true(access::can("view", $photo));
$album->reload();
// MPTT pointers have changed, so reload before calling access::deny
access::deny(identity::everybody(), "view", $album);
$photo->reload();
// view permissions are cached in the photo, so reload before checking
$this->assert_false(access::can("view", $photo));
}
/**
* Make sure that the email address is legal.
*/
public function valid_email(Validation $v, $field)
{
if ($this->author_id == identity::guest()->id) {
if (empty($v->guest_email)) {
$v->add_error("guest_email", "required");
} else {
if (!valid::email($v->guest_email)) {
$v->add_error("guest_email", "invalid");
}
}
}
}
public function setup()
{
identity::set_active_user(identity::guest());
}
static function identity_provider_changed($old_provider, $new_provider)
{
$guest = identity::guest();
Database::instance()->from("comments")->set(array("author_id" => $guest->id, "guest_email" => null, "guest_name" => "guest", "guest_url" => null))->where("1 = 1")->update();
}
static function user_menu($menu, $theme)
{
if ($theme->page_subtype != "login") {
$user = identity::active_user();
if ($user->guest) {
$menu->append(Menu::factory("dialog")->id("user_menu_login")->css_id("g-login-link")->url(url::site("login/ajax"))->label(t("Login")));
} else {
$csrf = access::csrf_token();
$menu->append(Menu::factory("link")->id("user_menu_edit_profile")->css_id("g-user-profile-link")->view("login_current_user.html")->url(user_profile::url($user->id))->label($user->display_name()));
if (Router::$controller == "admin") {
$continue_url = url::abs_site("");
} else {
if ($item = $theme->item()) {
if (access::user_can(identity::guest(), "view", $theme->item)) {
$continue_url = $item->abs_url();
} else {
$continue_url = item::root()->abs_url();
}
} else {
$continue_url = url::abs_current();
}
}
$menu->append(Menu::factory("link")->id("user_menu_logout")->css_id("g-logout-link")->url(url::site("logout?csrf={$csrf}&continue_url=" . urlencode($continue_url)))->label(t("Logout")));
}
}
}
public function as_restful_array_with_edit_bit_test()
{
$response = item::root()->as_restful_array();
$this->assert_true($response["can_edit"]);
identity::set_active_user(identity::guest());
$response = item::root()->as_restful_array();
$this->assert_false($response["can_edit"]);
}
public function delete_album_fails_without_permission_test()
{
$album1 = test::random_album();
access::deny(identity::everybody(), "edit", $album1);
identity::set_active_user(identity::guest());
$request->url = rest::url("item", $album1);
try {
item_rest::delete($request);
} catch (Exception $e) {
$this->assert_equal("@todo FORBIDDEN", $e->getMessage());
return;
}
$this->assert_true(false, "Shouldn't get here");
}
static function identity_provider_changed($old_provider, $new_provider)
{
$guest = identity::guest();
db::build()->update("comments")->set("author_id", $guest->id)->set("guest_email", null)->set("guest_name", "guest")->set("guest_url", null)->execute();
}
/**
* Return the active user. If there's no active user, return the guest user.
*
* @return User_Definition
*/
static function active_user()
{
// @todo (maybe) cache this object so we're not always doing session lookups.
$user = Session::instance()->get("user", null);
if (!isset($user)) {
// Don't do this as a fallback in the Session::get() call because it can trigger unnecessary
// work.
$user = identity::guest();
}
return $user;
}
/**
* Import a single user.
*/
static function import_user(&$queue)
{
$g2_user_id = array_shift($queue);
if (self::map($g2_user_id)) {
return t("User with id: %id already imported, skipping", array("id" => $g2_user_id));
}
if (g2(GalleryCoreApi::isAnonymousUser($g2_user_id))) {
self::set_map($g2_user_id, identity::guest()->id);
return t("Skipping anonymous user");
}
$g2_admin_group_id = g2(GalleryCoreApi::getPluginParameter("module", "core", "id.adminGroup"));
try {
$g2_user = g2(GalleryCoreApi::loadEntitiesById($g2_user_id));
} catch (Exception $e) {
return t("Failed to import Gallery 2 user with id: %id\n%exception", array("id" => $g2_user_id, "exception" => $e->__toString()));
}
$g2_groups = g2(GalleryCoreApi::fetchGroupsForUser($g2_user->getId()));
try {
$user = identity::create_user($g2_user->getUsername(), $g2_user->getfullname(), "");
$message = t("Created user: '******'.", array("name" => $user->name));
} catch (Exception $e) {
// @todo For now we assume this is a "duplicate user" exception
$user = identity::lookup_user_by_name($g2_user->getUsername());
$message = t("Loaded existing user: '******'.", array("name" => $user->name));
}
$user->hashed_password = $g2_user->getHashedPassword();
$user->email = $g2_user->getEmail();
$user->locale = $g2_user->getLanguage();
foreach ($g2_groups as $g2_group_id => $g2_group_name) {
if ($g2_group_id == $g2_admin_group_id) {
$user->admin = true;
$message .= t("\n\tAdded 'admin' flag to user");
} else {
$group = identity::lookup_group(self::map($g2_group_id));
$user->add($group);
$message .= t("\n\tAdded user to group '%group'.", array("group" => $group->name));
}
}
$user->save();
self::set_map($g2_user->getId(), $user->id);
return $message;
}
