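/**
 * Handles GET requests of the publish page.
 *
 * Renders the publish form for an existing post (request `id` other than 0)
 * or for a new post of the requested `content_type_name`. Access is checked
 * before anything is rendered; on denial an error is queued, the blank page
 * is shown and the handler returns so the edit form is never displayed.
 *
 * @param string $template Theme template to render, defaults to 'publish'
 */
public function get_publish($template = 'publish')
{
    // Only these two request keys are read. Initialise them so a missing key
    // leaves a defined local instead of an undefined variable below.
    $id = null;
    $content_type_name = null;
    $extract = $this->handler_vars->filter_keys('id', 'content_type_name');
    foreach ($extract as $key => $value) {
        ${$key} = $value;
    }
    $content_type = Post::type($content_type_name);

    // 0 is what's assigned to new posts
    if (isset($id) && $id != 0) {
        $post = Post::get(array('id' => $id, 'status' => Post::status('any')));
        Plugins::act('admin_publish_post', $post);

        // get_blank() is not shown to end the request, so return explicitly:
        // otherwise the access check below runs against a non-object and
        // the form would still be rendered.
        if (!$post) {
            Session::error(_t("You don't have permission to edit that post"));
            $this->get_blank();
            return;
        }
        if (!ACL::access_check($post->get_access(), 'edit')) {
            Session::error(_t("You don't have permission to edit that post"));
            $this->get_blank();
            return;
        }
        $this->theme->post = $post;
    }
    else {
        $post = new Post();
        Plugins::act('admin_publish_post', $post);
        $this->theme->post = $post;
        $post->content_type = Post::type(isset($content_type) ? $content_type : 'entry');

        // check the user can create new posts of the set type:
        // an explicit deny on the type token wins, otherwise the user needs
        // 'create' on either 'post_any' or the type token.
        $user = User::identify();
        $type = 'post_' . Post::type_name($post->content_type);
        if (ACL::user_cannot($user, $type) || (!ACL::user_can($user, 'post_any', 'create') && !ACL::user_can($user, $type, 'create'))) {
            Session::error(_t('Access to create posts of type %s is denied', array(Post::type_name($post->content_type))));
            $this->get_blank();
            return;
        }
    }

    // Same label for page and title; compute the filtered type name once.
    $title = _t('Publish %s', array(Plugins::filter('post_type_display', Post::type_name($post->content_type), 'singular')));
    $this->theme->admin_page = $title;
    $this->theme->admin_title = $title;

    $statuses = Post::list_post_statuses(false);
    $this->theme->statuses = $statuses;

    $form = $post->get_form('admin');
    $this->theme->form = $form;
    $this->theme->wsse = Utils::WSSE();
    $this->display($template);
}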
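/**
 * Handles a successful submission of the publish form.
 *
 * Updates the post named by the request `id` when it is non-zero, otherwise
 * creates a new post from the submitted form values, then redirects back to
 * the publish page.
 *
 * Every permission check in this handler ends the request on denial. The
 * edit check now runs before any form value is copied onto the post; it used
 * to run afterwards and, because get_blank() is not shown to terminate the
 * request, fell through to the save.
 *
 * @param FormUI $form The submitted publish form
 */
public function form_publish_success( FormUI $form )
{
    $post_id = 0;
    if ( isset( $this->handler_vars['id'] ) ) {
        $post_id = intval( $this->handler_vars['id'] );
    }

    // If an id has been passed in, we're updating an existing post, otherwise we're creating one
    if ( 0 !== $post_id ) {
        $post = Post::get( array( 'id' => $post_id, 'status' => Post::status( 'any' ) ) );

        // Post::get() is not shown to throw for an unknown id; stop before
        // dereferencing $post. The generic message keeps an unknown id
        // indistinguishable from a forbidden one.
        if ( ! $post ) {
            Session::error( _t( 'You don\'t have permission to edit that post' ) );
            $this->get_blank();
            return;
        }

        // sorry, we just don't allow changing posts you don't have rights to
        if ( ! ACL::access_check( $post->get_access(), 'edit' ) ) {
            Session::error( _t( 'You don\'t have permission to edit that post' ) );
            $this->get_blank();
            return;
        }

        // sorry, we just don't allow changing content types to types you don't have rights to
        $user = User::identify();
        $type = 'post_' . Post::type_name( $form->content_type->value );
        if ( $form->content_type->value != $post->content_type && ( $user->cannot( $type ) || ! $user->can_any( array( 'own_posts' => 'edit', 'post_any' => 'edit', $type => 'edit' ) ) ) ) {
            Session::error( _t( 'Changing content types is not allowed' ) );
            $this->get_blank();
            return;
        }

        // Verify that the post hasn't already been updated since the form was loaded
        if ( $post->modified != $form->modified->value ) {
            Session::notice( _t( 'The post %1$s was updated since you made changes. Please review those changes before overwriting them.', array( sprintf( '<a href="%1$s">\'%2$s\'</a>', $post->permalink, Utils::htmlspecialchars( $post->title ) ) ) ) );
            Utils::redirect( URL::get( 'admin', 'page=publish&id=' . $post->id ) );
            exit;
        }

        // Don't try to update form values that have been removed by plugins
        $expected = array( 'title', 'tags', 'content' );
        foreach ( $expected as $field ) {
            if ( isset( $form->$field ) ) {
                $post->$field = $form->$field->value;
            }
        }

        if ( $form->newslug->value == '' && $post->status == Post::status( 'published' ) ) {
            Session::notice( _t( 'A post slug cannot be empty. Keeping old slug.' ) );
        }
        elseif ( $form->newslug->value != $form->slug->value ) {
            $post->slug = $form->newslug->value;
        }

        $post->content_type = $form->content_type->value;

        // if not previously published and the user wants to publish now, change the pubdate to the
        // current date/time unless a date has been explicitly set (the submitted date still equals
        // the 'updated' stamp the form was loaded with)
        if ( ( $post->status != Post::status( 'published' ) ) && ( $form->status->value == Post::status( 'published' ) ) && ( HabariDateTime::date_create( $form->pubdate->value )->int == $form->updated->value ) ) {
            $post->pubdate = HabariDateTime::date_create();
        }
        // else let the user change the publication date.
        // If previously published and the new date is in the future, the post will be unpublished and scheduled.
        // Any other status, and the post will just get the new pubdate. This will result in the post being
        // scheduled for future publication if the date/time is in the future and the new status is published.
        else {
            $post->pubdate = HabariDateTime::date_create( $form->pubdate->value );
        }

        // A minor edit is only possible on a post that was not a draft before this save
        $minor = $form->minor_edit->value && ( $post->status != Post::status( 'draft' ) );
        $post->status = $form->status->value;
    }
    else {
        // REFACTOR: don't do this here, it's duplicated in Post::create()
        $post = new Post();

        // check the user can create new posts of the set type.
        $user = User::identify();
        $type = 'post_' . Post::type_name( $form->content_type->value );
        if ( ACL::user_cannot( $user, $type ) || ( ! ACL::user_can( $user, 'post_any', 'create' ) && ! ACL::user_can( $user, $type, 'create' ) ) ) {
            Session::error( _t( 'Creating that post type is denied' ) );
            $this->get_blank();
            return;
        }

        // REFACTOR: why is this on_success here? We don't even display a form
        $form->on_success( array( $this, 'form_publish_success' ) );

        // Only honour a submitted pubdate when it differs from the form's 'updated' stamp
        if ( HabariDateTime::date_create( $form->pubdate->value )->int != $form->updated->value ) {
            $post->pubdate = HabariDateTime::date_create( $form->pubdate->value );
        }

        $postdata = array(
            'slug' => $form->newslug->value,
            'user_id' => User::identify()->id,
            'pubdate' => $post->pubdate,
            'status' => $form->status->value,
            'content_type' => $form->content_type->value,
        );

        // Don't try to add form values that have been removed by plugins
        $expected = array( 'title', 'tags', 'content' );
        foreach ( $expected as $field ) {
            if ( isset( $form->$field ) ) {
                $postdata[$field] = $form->$field->value;
            }
        }
        $minor = false;

        // REFACTOR: consider using new Post( $postdata ) instead and call ->insert() manually
        $post = Post::create( $postdata );
    }

    $post->info->comments_disabled = !$form->comments_enabled->value;

    // REFACTOR: admin should absolutely not have a hook for this here
    Plugins::act( 'publish_post', $post, $form );

    // REFACTOR: we should not have to update a post we just created, this should be moved to the
    // post-update functionality above and only called if changes have been made; alternately call
    // ->update() or ->insert() as appropriate here, so things that apply to each operation
    // (like comments_disabled) can still be included once outside the conditions above
    $post->update( $minor );

    // NOTE(review): the permalink is placed in an href unescaped while the title is escaped;
    // it is built server-side (not shown here) -- confirm it can never carry a quote.
    $permalink = ( $post->status != Post::status( 'published' ) ) ? $post->permalink . '?preview=1' : $post->permalink;
    Session::notice( sprintf( _t( 'The post %1$s has been saved as %2$s.' ), sprintf( '<a href="%1$s">\'%2$s\'</a>', $permalink, Utils::htmlspecialchars( $post->title ) ), Post::status_name( $post->status ) ) );
    Utils::redirect( URL::get( 'admin', 'page=publish&id=' . $post->id ) );
}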
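/**
 * Handles a successful submission of the publish form.
 *
 * The Post object travels in the form's hidden 'post' control; a post with
 * id 0 is inserted, any other is updated. All permission checks end the
 * request on denial (the edit check used to fall through to the save, since
 * get_blank() is not shown to terminate the request). Leftover debugging
 * code has been removed.
 *
 * @param FormUI $form The submitted publish form
 */
public function form_publish_success(FormUI $form)
{
    $user = User::identify();

    // Get the Post object from the hidden 'post' control on the form.
    // NOTE(review): assumes the control's storage is server-side state rather
    // than client-supplied data -- confirm in FormUI, since $post->id drives
    // every check below.
    /** @var Post $post */
    $post = $form->post->storage;

    // @todo REFACTOR: these checks should become validators on the form fields

    // sorry, we just don't allow changing posts you don't have rights to
    if ($post->id != 0 && !ACL::access_check($post->get_access(), 'edit')) {
        Session::error(_t('You don\'t have permission to edit that post'));
        $this->get_blank();
        return;
    }

    // sorry, we just don't allow changing content types to types you don't have rights to
    $type = 'post_' . Post::type_name($form->content_type->value);
    if ($form->content_type->value != $post->content_type && ($user->cannot($type) || !$user->can_any(array('own_posts' => 'edit', 'post_any' => 'edit', $type => 'edit')))) {
        Session::error(_t('Changing content types is not allowed'));
        // @todo This isn't ideal at all, since it loses all of the changes...
        Utils::redirect(URL::get('admin', 'page=publish&id=' . $post->id));
        exit;
    }

    // If we're creating a new post...
    if ($post->id == 0) {
        // check the user can create new posts of the set type: an explicit deny wins,
        // otherwise 'create' is needed on 'post_any' or on the type token
        if (ACL::user_cannot($user, $type) || (!ACL::user_can($user, 'post_any', 'create') && !ACL::user_can($user, $type, 'create'))) {
            Session::error(_t('Creating that post type is denied'));
            Utils::redirect(URL::get('admin', 'page=publish&id=' . $post->id));
            exit;
        }
        // Only the original author is associated with a new post
        $post->user_id = $user->id;
    }
    else {
        // Verify that the post hasn't already been updated since the form was loaded
        if ($post->modified != $form->modified->value) {
            Session::notice(_t('The post %1$s was updated since you made changes. Please review those changes before overwriting them.', array(sprintf('<a href="%1$s">\'%2$s\'</a>', $post->permalink, Utils::htmlspecialchars($post->title)))));
            Utils::redirect(URL::get('admin', 'page=publish&id=' . $post->id));
            exit;
        }

        // Prevent a published post from having its slug zeroed
        if ($form->newslug->value == '' && $post->status == Post::status('published')) {
            Session::notice(_t('A post slug cannot be empty. Keeping old slug.'));
            $form->newslug->value = $form->slug->value;
        }
    }

    // if not previously published and the user wants to publish now, change the pubdate to the
    // current date/time unless a date has been explicitly set
    if ($post->status != Post::status('published') && $form->status->value == Post::status('published') && HabariDateTime::date_create($form->pubdate->value)->int == $form->updated->value) {
        $post->pubdate = HabariDateTime::date_create();
    }
    else {
        $post->pubdate = HabariDateTime::date_create($form->pubdate->value);
    }

    // Minor updates are when the user has checked the minor update box and the post isn't in draft or new
    $minor = $form->minor_edit->value && $post->status != Post::status('draft') && $post->id != 0;

    // Copy form controls onto the post. Plugins may remove controls, so the control that is
    // actually read ($control, e.g. 'newslug' for the slug) is checked for presence first.
    $expected = array('title' => 'title', 'tags' => 'tags', 'content' => 'content', 'slug' => 'newslug', 'content_type' => 'content_type', 'status' => 'status');
    foreach ($expected as $field => $control) {
        if (isset($form->{$control})) {
            $post->{$field} = $form->{$control}->value;
        }
    }

    // This seems cheesy
    $post->info->comments_disabled = !$form->comments_enabled->value;

    // This plugin hook allows changes to be made to the post object prior to its save to the database
    Plugins::act('publish_post', $post, $form);

    // Insert or Update
    if ($post->id == 0) {
        $post->insert();
    }
    else {
        $post->update($minor);
    }

    // Calling $form->save() calls ->save() on any controls that might have been added to the form by plugins
    $form->save();

    // NOTE(review): the permalink is placed in an href unescaped while the title is escaped;
    // it is built server-side (not shown here) -- confirm it can never carry a quote.
    $permalink = $post->status != Post::status('published') ? $post->permalink . '?preview=1' : $post->permalink;
    Session::notice(_t('The post %1$s has been saved as %2$s.', array(sprintf('<a href="%1$s">\'%2$s\'</a>', $permalink, Utils::htmlspecialchars($post->title)), Post::status_name($post->status))));
    Utils::redirect(URL::get('admin', 'page=publish&id=' . $post->id));
}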
/**
 * Determine if a user has been denied access to a specific token
 *
 * Delegates to ACL::user_cannot() with this user as the subject.
 *
 * @param string $token The name of the token to detect
 * @return boolean True if this user has been denied access to the requested token, false if not
 */
public function cannot($token)
{
    $denied = ACL::user_cannot($this, $token);
    return $denied;
}
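/**
 * Helper to handle permissions
 *
 * Maps a forum action name onto the ACL tokens that gate it and answers for
 * the current user (User::identify()). Unknown actions are denied.
 *
 * The four post-type actions share one rule: an explicit deny on the type
 * token wins; otherwise the user needs the verb on either 'post_any' or the
 * type token itself. The rule lives in one place instead of four copies.
 *
 * @param string $action One of create_thread, reply, edit_thread, edit_reply,
 *                       view_private_threads, close_thread, open_thread
 * @param mixed $object Unused; kept so existing callers that pass a subject still work
 * @return boolean True if the current user may perform $action, false otherwise
 */
public static function has_permission($action, $object = null)
{
    $user = User::identify();

    // action => array(post type token, ACL verb)
    $post_actions = array(
        'create_thread' => array('post_thread', 'create'),
        'reply' => array('post_reply', 'create'),
        'edit_thread' => array('post_thread', 'edit'),
        'edit_reply' => array('post_reply', 'edit'),
    );

    if (isset($post_actions[$action])) {
        list($type, $verb) = $post_actions[$action];
        // An explicit deny on the type token overrides any grant
        if (ACL::user_cannot($user, $type)) {
            return false;
        }
        return ACL::user_can($user, 'post_any', $verb) || ACL::user_can($user, $type, $verb);
    }

    switch ($action) {
        case 'view_private_threads':
            return $user->can('forum_see_private');
        case 'close_thread':
        case 'open_thread':
            return $user->can('forum_close_thread');
        default:
            return false;
    }
}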
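/**
 * Called when the publish form is successfully submitted
 *
 * The Post object travels in the form's hidden 'post' control; a post with
 * id 0 is inserted, any other is updated. All permission checks end the
 * request on denial: the edit check used to fall through to the save because
 * get_blank() is not shown to terminate the request, and the duplicate edit
 * check in the update branch is gone now that the first one stops.
 *
 * @param FormUI $form The submitted publish form
 */
public function form_publish_success(FormUI $form)
{
    $user = User::identify();

    // Get the Post object from the hidden 'post' control on the form.
    // NOTE(review): assumes the control's value is server-side state rather
    // than client-supplied data -- confirm in FormUI, since $post->id drives
    // every check below.
    /** @var Post $post */
    $post = $form->post->value;

    // @todo REFACTOR: these checks should become validators on the form fields

    // sorry, we just don't allow changing posts you don't have rights to
    if ($post->id != 0 && !ACL::access_check($post->get_access(), 'edit')) {
        Session::error(_t('You don\'t have permission to edit that post'));
        $this->get_blank();
        return;
    }

    // sorry, we just don't allow changing content types to types you don't have rights to
    $type = 'post_' . Post::type_name($form->content_type->value);
    if ($form->content_type->value != $post->content_type && ($user->cannot($type) || !$user->can_any(array('own_posts' => 'edit', 'post_any' => 'edit', $type => 'edit')))) {
        Session::error(_t('You don\'t have permission to change to that content type'));
        // @todo This isn't ideal at all, since it loses all of the changes...
        Utils::redirect(URL::get('display_publish', $post, false));
        exit;
    }

    // If we're creating a new post...
    if ($post->id == 0) {
        // check the user can create new posts of the set type: an explicit deny wins,
        // otherwise 'create' is needed on 'post_any' or on the type token
        if (ACL::user_cannot($user, $type) || (!ACL::user_can($user, 'post_any', 'create') && !ACL::user_can($user, $type, 'create'))) {
            Session::error(_t('You don\'t have permission to create posts of that type'));
            Utils::redirect(URL::get('display_publish', $post, false));
            exit;
        }
        // Only the original author is associated with a new post
        $post->user_id = $user->id;
    }
    else {
        // Verify that the post hasn't already been updated since the form was loaded
        if ($post->modified != $form->modified->value) {
            Session::notice(_t('The post %1$s was updated since you made changes. Please review those changes before overwriting them.', array(sprintf('<a href="%1$s">\'%2$s\'</a>', $post->permalink, Utils::htmlspecialchars($post->title)))));
            Utils::redirect(URL::get('display_publish', $post, false));
            exit;
        }

        // Prevent a published post from having its slug zeroed
        if ($form->newslug->value == '' && $post->status == Post::status('published')) {
            Session::notice(_t('A post slug cannot be empty. Keeping old slug.'));
            $form->newslug->value = $form->slug->value;
        }
    }

    // sometimes we want to overwrite the published date with the current date, if:
    // 1) the post was not previously published
    // 2) the post is now supposed to be published
    // 3) the user has not entered a specific publish date already -- that is, the one on the
    //    form that was submitted is the same as the currently saved one
    // AND
    // 4) the published date is NOT in the future -- if it were, we would reset the date on
    //    scheduled posts if we edit them again before they are published
    if ($post->status != Post::status('published') && $form->status->value == Post::status('published') && ($post->pubdate == DateTime::create($form->pubdate->value) && $post->pubdate <= DateTime::create())) {
        $post->pubdate = DateTime::create();
    }
    else {
        $post->pubdate = DateTime::create($form->pubdate->value);
    }

    // Minor updates are when the user has checked the minor update box and the post isn't in draft or new
    $minor = $form->minor_edit->value && $post->status != Post::status('draft') && $post->id != 0;

    // Copy form controls onto the post. Plugins may remove controls, so the control that is
    // actually read ($control, e.g. 'newslug' for the slug) is checked for presence first.
    $expected = array('title' => 'title', 'tags' => 'tags', 'content' => 'content', 'slug' => 'newslug', 'content_type' => 'content_type', 'status' => 'status');
    foreach ($expected as $field => $control) {
        if (isset($form->{$control})) {
            $post->{$field} = $form->{$control}->value;
        }
    }

    // This seems cheesy
    $post->info->comments_disabled = !$form->comments_enabled->value;

    // This plugin hook allows changes to be made to the post object prior to its save to the database
    Plugins::act('publish_post', $post, $form);

    // Insert or Update
    if ($post->id == 0) {
        $post->insert();
    }
    else {
        $post->update($minor);
    }

    // Calling $form->save() calls ->save() on any controls that might have been added to the form by plugins
    $form->save();

    // NOTE(review): the permalink is placed in an href unescaped while the title is escaped;
    // it is built server-side (not shown here) -- confirm it can never carry a quote.
    $permalink = $post->status != Post::status('published') ? $post->permalink . '?preview=1' : $post->permalink;
    $postname = sprintf('<a href="%1$s">\'%2$s\'</a>', $permalink, Utils::htmlspecialchars($post->title));
    $status = Post::status_name($post->status);
    Session::notice(_t('The post !postname has been saved as !status.', array('!postname' => $postname, '!status' => $status)));
    Utils::redirect(URL::get('display_publish', $post, false));
}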