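/**
 * "executePostActions" hook callback for the upload action.
 *
 * Every action other than static::$uploadAction is ignored (returns false so
 * the remaining hook callbacks keep running). For the upload action the field
 * name is read from the request, validated against the DCA and the current
 * backend user's permissions, and the upload is delegated to $this->upload().
 *
 * @param string         $strAction The post action name passed by Contao
 * @param \DataContainer $dc        The data container of the current request
 *
 * @return bool|void false if the action was not handled here
 */
public function executePostActionsHook($strAction, \DataContainer $dc)
{
    if ($strAction !== static::$uploadAction) {
        return false;
    }

    // The field name comes straight from the request, so it is verified
    // against the DCA before it is used for anything (same check Contao's
    // DC_Table performs for its own Ajax field actions).
    $strField  = \Input::post('field');
    $arrFields = $GLOBALS['TL_DCA'][$dc->table]['fields'];

    // Check whether the field is allowed for regular users
    if (!isset($arrFields[$strField])
        || ($arrFields[$strField]['exclude'] && !\BackendUser::getInstance()->hasAccess($dc->table . '::' . $strField, 'alexf'))
    ) {
        \System::log('Field "' . $strField . '" is not an allowed selector field (possible SQL injection attempt)', __METHOD__, TL_ERROR);

        $objResponse = new ResponseError();
        $objResponse->setMessage('Bad Request');
        $objResponse->output();

        // Never fall through to the upload for a rejected field, regardless of
        // whether output() terminates the request itself.
        return false;
    }

    $this->name  = $strField;
    $this->id    = $strField;
    $this->field = $strField;

    if ($dc->activeRecord === null) {
        $dc->activeRecord = General::getModelInstance($dc->table, $dc->id);
    }

    // add dca attributes
    $this->addAttributes(\Widget::getAttributesFromDca($arrFields[$this->name], $this->name));

    $objResponse = $this->upload();

    /** @var Response */
    if ($objResponse instanceof Response) {
        $objResponse->output();
    }
}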
/**
 * Returns the parent record of the archive a submission belongs to.
 *
 * The archive is resolved via static::getArchive(); when it names both a
 * parent table and a pid, the referenced record is loaded through
 * General::getModelInstance().
 *
 * @param int $intSubmission The submission id
 *
 * @return \Model|null The parent model, or null when the archive, its parent
 *                     table, its pid or the parent record itself is missing
 */
public static function getArchiveParent($intSubmission)
{
    $objArchive = static::getArchive($intSubmission);

    if ($objArchive === null || !$objArchive->parentTable || !$objArchive->pid) {
        return;
    }

    // getModelInstance() already yields null for a missing record
    return General::getModelInstance($objArchive->parentTable, $objArchive->pid);
}
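/**
 * Returns a display name for the archive of the given table.
 *
 * If the table's DCA declares a parent table ("ptable"), the parent record
 * addressed by the request's "id" parameter is loaded and its title returned;
 * otherwise (or when that record cannot be loaded) the table name is returned.
 *
 * @param string $strTable The child table name
 *
 * @return string The parent record's title or the table name
 */
public static function getArchiveName($strTable)
{
    $strPTable = $GLOBALS['TL_DCA'][$strTable]['config']['ptable'];

    // NOTE(review): the parent id is taken from the query string, i.e. it is
    // caller-controlled; no ownership check happens here — confirm the callers
    // only use the result for display.
    $intPid = \Input::get('id');

    if (!$strPTable) {
        return $strTable;
    }

    $objInstance = General::getModelInstance($strPTable, $intPid);

    // Fall back to the table name instead of dereferencing a missing parent
    if ($objInstance === null) {
        return $strTable;
    }

    return $objInstance->title;
}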
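/**
 * Converts a stored field value into a printable, HTML-escaped string using
 * the field's DCA definition.
 *
 * Handles, in this order: options_callback (when no "reference" is set),
 * foreignKey lookups, "explanation" fields, date/time/datim formatting, tag
 * fields (when the tags_plus module is active), binary UUIDs (turned into
 * absolute file URLs when the file exists), array values (flattened, mapped
 * through options/reference) and plain scalar values (boolean labels,
 * associative options, reference).
 *
 * @param mixed          $varValue The stored (possibly serialized) value
 * @param array          $arrData  The field's DCA definition
 * @param string         $strTable The table the field belongs to
 * @param \DataContainer $objDc    Data container handed to options callbacks
 * @param object|null    $objItem  The record itself; only its id is used, and
 *                                 only for "tag" fields
 *
 * @return string The printable value, passed through specialchars()
 */
public static function prepareSpecialValueForPrint($varValue, $arrData, $strTable, $objDc, $objItem = null)
{
    $varValue     = deserialize($varValue);
    $arrOpts      = $arrData['options'];
    $arrReference = $arrData['reference'];
    $strRegExp    = $arrData['eval']['rgxp'];

    // get options
    if ((is_array($arrData['options_callback']) || is_callable($arrData['options_callback'])) && !$arrData['reference']) {
        if (is_array($arrData['options_callback'])) {
            $strClass  = $arrData['options_callback'][0];
            $strMethod = $arrData['options_callback'][1];

            $objInstance = \Controller::importStatic($strClass);
            // NOTE(review): callback errors are suppressed with "@"; a failing
            // callback silently yields no options instead of surfacing
            $arrOptionsCallback = @$objInstance->{$strMethod}($objDc);
        } elseif (is_callable($arrData['options_callback'])) {
            $arrOptionsCallback = @$arrData['options_callback']($objDc);
        }

        $arrOptions = !is_array($varValue) ? array($varValue) : $varValue;

        // keep only the callback options whose keys match the stored value(s)
        if ($varValue !== null && is_array($arrOptionsCallback)) {
            $varValue = array_intersect_key($arrOptionsCallback, array_flip($arrOptions));
        }
    }

    // foreignKey
    if (isset($arrData['foreignKey']) && !is_array($varValue)) {
        list($strForeignTable, $strForeignField) = explode('.', $arrData['foreignKey']);

        if (($objInstance = General::getModelInstance($strForeignTable, $varValue)) !== null) {
            $varValue = $objInstance->{$strForeignField};
        }
    }

    if ($arrData['inputType'] == 'explanation') {
        $varValue = $arrData['eval']['text'];
    } elseif ($strRegExp == 'date') {
        $varValue = \Date::parse(\Config::get('dateFormat'), $varValue);
    } elseif ($strRegExp == 'time') {
        $varValue = \Date::parse(\Config::get('timeFormat'), $varValue);
    } elseif ($strRegExp == 'datim') {
        $varValue = \Date::parse(\Config::get('datimFormat'), $varValue);
    } elseif ($arrData['inputType'] == 'tag' && in_array('tags_plus', \ModuleLoader::getActive())) {
        // $objItem is optional, so guard the id lookup instead of dereferencing null
        $intItemId = $objItem !== null ? $objItem->id : null;

        if (($arrTags = \HeimrichHannot\TagsPlus\TagsPlus::loadTags($strTable, $intItemId)) !== null) {
            $varValue = $arrTags;
        }
    } elseif (!is_array($varValue) && \Validator::isBinaryUuid($varValue)) {
        $strPath  = Files::getPathFromUuid($varValue);
        $varValue = $strPath ? \Environment::get('url') . '/' . $strPath : \StringUtil::binToUuid($varValue);
    } elseif (is_array($varValue)) {
        $varValue = Arrays::flattenArray($varValue);
        $varValue = array_filter($varValue); // remove empty elements

        // transform binary uuids to paths
        $varValue = array_map(function ($varValue) {
            if (\Validator::isBinaryUuid($varValue)) {
                $strPath = Files::getPathFromUuid($varValue);

                if ($strPath) {
                    return \Environment::get('url') . '/' . $strPath;
                }

                return \StringUtil::binToUuid($varValue);
            }

            return $varValue;
        }, $varValue);

        if (!$arrReference) {
            $varValue = array_map(function ($varValue) use ($arrOpts) {
                return isset($arrOpts[$varValue]) ? $arrOpts[$varValue] : $varValue;
            }, $varValue);
        }

        $varValue = array_map(function ($varValue) use ($arrReference) {
            if (is_array($arrReference)) {
                // a reference entry may be a [label, description] pair
                return isset($arrReference[$varValue])
                    ? (is_array($arrReference[$varValue]) ? $arrReference[$varValue][0] : $arrReference[$varValue])
                    : $varValue;
            } else {
                return $varValue;
            }
        }, $varValue);
    } else {
        if ($arrData['eval']['isBoolean'] || ($arrData['inputType'] == 'checkbox' && !$arrData['eval']['multiple'])) {
            $varValue = $varValue != '' ? $GLOBALS['TL_LANG']['MSC']['yes'] : $GLOBALS['TL_LANG']['MSC']['no'];
        } elseif (is_array($arrOpts) && array_is_assoc($arrOpts)) {
            $varValue = isset($arrOpts[$varValue]) ? $arrOpts[$varValue] : $varValue;
        } elseif (is_array($arrReference)) {
            $varValue = isset($arrReference[$varValue])
                ? (is_array($arrReference[$varValue]) ? $arrReference[$varValue][0] : $arrReference[$varValue])
                : $varValue;
        }
    }

    if (is_array($varValue)) {
        $varValue = implode(', ', $varValue);
    }

    // Convert special characters (see #1890)
    return specialchars($varValue);
}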
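/**
 * Decides whether the current visitor may delete the given record.
 *
 * Deletion must be enabled, the record must exist, and every ownership
 * condition must match: for anonymous visitors the record's session id must
 * equal the current session id (unless disableSessionCheck is set); for
 * logged-in members the record's author type must be "member" and its author
 * must be the current member (unless disableAuthorCheck is set). Additional
 * conditions from $this->deleteConditions are applied when
 * addDeleteConditions is set.
 *
 * @param int $intId The id of the record to delete
 *
 * @return bool true if every condition matches
 *
 * @throws \Exception If a required ownership column is missing from the table
 */
public function checkDeletePermission($intId)
{
    if (!$this->allowDelete) {
        return false;
    }

    if (($objItem = General::getModelInstance($this->formHybridDataContainer, $intId)) === null) {
        return false;
    }

    $arrConditions = array();

    // check session if not logged in...
    if (!FE_USER_LOGGED_IN) {
        if (!$this->disableSessionCheck) {
            if (!\Database::getInstance()->fieldExists(General::PROPERTY_SESSION_ID, $this->formHybridDataContainer)) {
                throw new \Exception(sprintf('No session field in %s available, either create field %s or set `disableSessionCheck` to true.', $this->formHybridDataContainer, General::PROPERTY_SESSION_ID));
            }

            // Without a session there is nothing to prove ownership with; an
            // empty session id must not match records whose session id is empty.
            if (session_id() === '') {
                return false;
            }

            $arrConditions[] = array('field' => General::PROPERTY_SESSION_ID, 'value' => session_id());
        }
    } else {
        if (!$this->disableAuthorCheck) {
            if (!\Database::getInstance()->fieldExists(General::PROPERTY_AUTHOR_TYPE, $this->formHybridDataContainer)) {
                throw new \Exception(sprintf('No author type field in %s available, either create field %s or set `disableAuthorCheck` to true.', $this->formHybridDataContainer, General::PROPERTY_AUTHOR_TYPE));
            }

            $arrConditions[] = array('field' => General::PROPERTY_AUTHOR_TYPE, 'value' => General::AUTHOR_TYPE_MEMBER);

            if (!\Database::getInstance()->fieldExists(General::PROPERTY_AUTHOR, $this->formHybridDataContainer)) {
                throw new \Exception(sprintf('No author field in %s available, either create field %s or set `disableAuthorCheck` to true.', $this->formHybridDataContainer, General::PROPERTY_AUTHOR));
            }

            $arrConditions[] = array('field' => General::PROPERTY_AUTHOR, 'value' => \FrontendUser::getInstance()->id);
        }
    }

    if ($this->addDeleteConditions) {
        $arrConditions = array_merge(deserialize($this->deleteConditions, true), $arrConditions);
    }

    foreach ($arrConditions as $arrCondition) {
        // Compare as strings with strict equality: the loose "!=" treats
        // numeric-looking strings numerically ("1e1" == "10", and before
        // PHP 8.0 0 == "abc"), which would let a mismatching owner or
        // session id slip through the ownership check.
        $strExpected = (string) $this->replaceInsertTags($arrCondition['value']);

        if ((string) $objItem->{$arrCondition['field']} !== $strExpected) {
            return false;
        }
    }

    return true;
}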
/**
 * Handles the Ajax requests of the tagsinput widget.
 *
 * Returns early for any action not accepted by isValidAjaxActions(). The
 * field name is read from the "name" POST parameter; the request is rejected
 * with HTTP 400 when the record cannot be loaded or the field has no DCA
 * configuration. For ACTION_FETCH_REMOTE_OPTIONS the widget's remote options
 * for the "query" POST parameter are returned; every other accepted action
 * yields an empty string. The JSON result is written and the request ends.
 *
 * NOTE(review): unlike the upload hook, this does not honour the field's
 * "exclude" flag / backend user permissions, and no Content-Type header is
 * sent before the JSON body — confirm whether either matters for the callers.
 *
 * @param string         $strAction The Ajax action name
 * @param \DataContainer $objDca    The data container of the current request
 */
public function generateAjax($strAction, \DataContainer $objDca)
{
    // no tagsinput action --> return
    if (!$this->isValidAjaxActions($strAction)) {
        return;
    }

    $strField      = \Input::post('name');
    $objDca->field = $strField;

    \Controller::loadDataContainer($objDca->table);

    $objActiveRecord = \HeimrichHannot\Haste\Dca\General::getModelInstance($objDca->table, $objDca->id);

    if ($objActiveRecord === null) {
        $this->log('No active record for "' . $strField . '" found (possible SQL injection attempt)', __METHOD__, TL_ERROR);
        header('HTTP/1.1 400 Bad Request');
        die('Bad Request');
    }

    $objDca->activeRecord = $objActiveRecord;

    $arrData = $GLOBALS['TL_DCA'][$objDca->table]['fields'][$strField];

    if (!is_array($arrData)) {
        $this->log('No valid field configuration (dca) found for "' . $objDca->table . '.' . $strField . '" (possible SQL injection attempt)', __METHOD__, TL_ERROR);
        header('HTTP/1.1 400 Bad Request');
        die('Bad Request');
    }

    $return = '';

    switch ($strAction) {
        case static::ACTION_FETCH_REMOTE_OPTIONS:
            $arrAttributes = \Widget::getAttributesFromDca($arrData, $strField, $objActiveRecord->{$strField}, $strField, $this->strTable, $objDca);
            $objWidget     = new \TagsInput($arrAttributes);
            $return        = array_values($objWidget->getRemoteOptionsFromQuery(\Input::post('query')));
            break;
    }

    die(json_encode($return));
}