[pLog-svn] r6063 - in plugins/branches/lifetype-1.2/editcomments: class/action class/view templates
Jon Daley
plogworld at jon.limedaley.com
Mon Nov 19 23:35:23 EST 2007
Perhaps there are other places where a "blog" permission like
"update comments" lets people modify other people's blogs in the same
installation?
Is there a way to fix that at the permission level - i.e., if I
require a permission that is on a blog level, also check the blog id
automatically?
On Mon, 19 Nov 2007, jondaley at devel.lifetype.net wrote:
> Author: jondaley
> Date: 2007-11-19 23:33:57 -0500 (Mon, 19 Nov 2007)
> New Revision: 6063
>
> Modified:
> plugins/branches/lifetype-1.2/editcomments/class/action/admineditcommentaction.class.php
> plugins/branches/lifetype-1.2/editcomments/class/action/adminupdatecommentaction.class.php
> plugins/branches/lifetype-1.2/editcomments/class/action/adminupdatetrackbackaction.class.php
> plugins/branches/lifetype-1.2/editcomments/class/view/admineditcommentview.class.php
> plugins/branches/lifetype-1.2/editcomments/class/view/adminedittrackbackview.class.php
> plugins/branches/lifetype-1.2/editcomments/templates/editcomment.template
> plugins/branches/lifetype-1.2/editcomments/templates/edittrackback.template
> Log:
> hrm, just requiring the update_comment permission doesn't give me all the security I need. Now this plugin is more careful about who can edit comments and trackbacks
>
> Modified: plugins/branches/lifetype-1.2/editcomments/class/action/admineditcommentaction.class.php
> ===================================================================
> --- plugins/branches/lifetype-1.2/editcomments/class/action/admineditcommentaction.class.php 2007-11-20 04:07:47 UTC (rev 6062)
> +++ plugins/branches/lifetype-1.2/editcomments/class/action/admineditcommentaction.class.php 2007-11-20 04:33:57 UTC (rev 6063)
> @@ -15,7 +15,7 @@
>
> function perform(){
> $commentId = $this->_request->getValue("commentId");
> -
> +
> $this->_view = new AdminEditCommentView($this->_blogInfo, $commentId);
>
> $this->setCommonData();
>
> Modified: plugins/branches/lifetype-1.2/editcomments/class/action/adminupdatecommentaction.class.php
> ===================================================================
> --- plugins/branches/lifetype-1.2/editcomments/class/action/adminupdatecommentaction.class.php 2007-11-20 04:07:47 UTC (rev 6062)
> +++ plugins/branches/lifetype-1.2/editcomments/class/action/adminupdatecommentaction.class.php 2007-11-20 04:33:57 UTC (rev 6063)
> @@ -107,45 +107,54 @@
> $comments = new ArticleComments();
> $comment = $comments->getComment($this->_commentId);
> if(!$comment){
> - $this->_view = new AdminEditCommentView($this->_blogInfo, $id);
> + $this->_view = new AdminEditCommentView($this->_blogInfo, $this->_commentId);
> $this->_view->setErrorMessage( $this->_locale->tr("pluginEditCommentsFailed") );
> }
> - else if(!ArticleCommentStatus::isValidStatus($this->_commentStatus)){
> - $this->_view = new AdminEditCommentView($this->_blogInfo, $id);
> - $this->_view->setErrorMessage( $this->_locale->tr("pluginEditCommentsFailed") );
> - }
> else{
> - $comment->setTopic($this->_commentTopic);
> - $comment->setText($this->_commentText);
> - $comment->setUserName($this->_authorName);
> - $comment->setUserEmail($this->_authorEmail);
> - $comment->setUserUrl($this->_authorUrl);
> - $comment->setDate($this->_commentDateTime);
> - $comment->setStatus($this->_commentStatus);
> - $comment->setClientIp($this->_commentIp);
> - $comment->setNormalizedTopic($this->_commentNormalizedTopic);
> - $comment->setNormalizedText($this->_commentNormalizedText);
> -
> - if($comments->updateComment($comment)){
> - if($this->_articleId){
> - $articles = new Articles();
> - $article = $articles->getBlogArticle($this->_articleId,
> - $this->_blogInfo->getId());
> - $this->_view = new AdminArticleCommentsListView(
> - $this->_blogInfo,
> - array("article" => $article));
> + $commBlogInfo = $comment->getBlogInfo();
> + if(!$commBlogInfo ||
> + ($commBlogInfo->getId() != $this->_blogInfo->getId()))
> + {
> + $this->_view = new AdminEditCommentView($this->_blogInfo, $this->_commentId);
> + $this->_view->setErrorMessage( $this->_locale->tr("pluginEditCommentsFailed") );
> + }
> + else if(!ArticleCommentStatus::isValidStatus($this->_commentStatus)){
> + $this->_view = new AdminEditCommentView($this->_blogInfo, $this->_commentId);
> + $this->_view->setErrorMessage( $this->_locale->tr("pluginEditCommentsFailed") );
> + }
> + else{
> + $comment->setTopic($this->_commentTopic);
> + $comment->setText($this->_commentText);
> + $comment->setUserName($this->_authorName);
> + $comment->setUserEmail($this->_authorEmail);
> + $comment->setUserUrl($this->_authorUrl);
> + $comment->setDate($this->_commentDateTime);
> + $comment->setStatus($this->_commentStatus);
> + $comment->setClientIp($this->_commentIp);
> + $comment->setNormalizedTopic($this->_commentNormalizedTopic);
> + $comment->setNormalizedText($this->_commentNormalizedText);
> +
> + if($comments->updateComment($comment)){
> + if($this->_articleId){
> + $articles = new Articles();
> + $article = $articles->getBlogArticle($this->_articleId,
> + $this->_blogInfo->getId());
> + $this->_view = new AdminArticleCommentsListView(
> + $this->_blogInfo,
> + array("article" => $article));
> + }
> + else{
> + $this->_view = new AdminPostsListView( $this->_blogInfo );
> + }
> + $this->_view->setSuccessMessage( $this->_locale->tr("pluginEditCommentsOk") );
> + CacheControl::resetBlogCache( $this->_blogInfo->getId());
> }
> else{
> - $this->_view = new AdminPostsListView( $this->_blogInfo );
> + $this->_view = new AdminArticleCommentsListView(
> + $this->_blogInfo);
> + $this->_view->setErrorMessage( $this->_locale->tr("pluginEditCommentsFailed") );
> }
> - $this->_view->setSuccessMessage( $this->_locale->tr("pluginEditCommentsOk") );
> - CacheControl::resetBlogCache( $this->_blogInfo->getId());
> }
> - else{
> - $this->_view = new AdminArticleCommentsListView(
> - $this->_blogInfo);
> - $this->_view->setErrorMessage( $this->_locale->tr("pluginEditCommentsFailed") );
> - }
> }
> }
> else if($this->_articleId){
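Review bot: The blog-ownership test `$commBlogInfo->getId() != $this->_blogInfo->getId()` at the top of the new else-branch is the authorization boundary of this action, yet the identical expression is hand-copied into adminupdatetrackbackaction, admineditcommentview and adminedittrackbackview in the same commit, so the four checks will drift apart the first time one of them is touched. A single helper (shown below; the views need it too, so a static function on the plugin class may be the better home than the action) lets every site read `if(!$this->_belongsToCurrentBlog($comment))` and carries the null-blog-info case in one place. The check also deserves a line saying why it exists, e.g. `// update_comment is granted per blog: never touch a comment that lives in another blog of this installation`. perform() starts before the hunk and its `else if($this->_articleId)` branch continues after it, so this note covers only the updateComment path.
```php
/**
 * True when $comment (a comment or trackback) belongs to the blog this
 * request is operating on; missing blog info counts as "not ours".
 */
function _belongsToCurrentBlog( $comment )
{
    $blogInfo = $comment ? $comment->getBlogInfo() : null;
    return $blogInfo && ($blogInfo->getId() == $this->_blogInfo->getId());
}
```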
>
> Modified: plugins/branches/lifetype-1.2/editcomments/class/action/adminupdatetrackbackaction.class.php
> ===================================================================
> --- plugins/branches/lifetype-1.2/editcomments/class/action/adminupdatetrackbackaction.class.php 2007-11-20 04:07:47 UTC (rev 6062)
> +++ plugins/branches/lifetype-1.2/editcomments/class/action/adminupdatetrackbackaction.class.php 2007-11-20 04:33:57 UTC (rev 6063)
> @@ -103,46 +103,54 @@
> if($this->_op == "updateTrackback"){
> $trackbacks = new Trackbacks();
> $trackback = $trackbacks->getTrackback($this->_trackbackId);
> -
> if(!$trackback){
> - $this->_view = new AdminEditTrackbackView($this->_blogInfo, $id);
> + $this->_view = new AdminEditTrackbackView($this->_blogInfo, $this->_trackbackId);
> $this->_view->setErrorMessage( $this->_locale->tr("pluginEditTrackbacksFailed") );
> }
> - else if(!ArticleCommentStatus::isValidStatus($this->_commentStatus)){
> - $this->_view = new AdminEditTrackbackView($this->_blogInfo, $id);
> - $this->_view->setErrorMessage( $this->_locale->tr("pluginEditTrackbacksFailed") );
> - }
> else{
> - $trackback->setTopic($this->_commentTopic);
> - $trackback->setText($this->_commentText);
> - $trackback->setUserName($this->_authorName);
> - $trackback->setUserEmail($this->_authorEmail);
> - $trackback->setUserUrl($this->_authorUrl);
> - $trackback->setDate($this->_commentDateTime);
> - $trackback->setStatus($this->_commentStatus);
> - $trackback->setClientIp($this->_commentIp);
> - $trackback->setNormalizedTopic($this->_commentNormalizedTopic);
> - $trackback->setNormalizedText($this->_commentNormalizedText);
> -
> - if($trackbacks->updateComment($trackback)) {
> - if($this->_articleId) {
> - $articles = new Articles();
> - $article = $articles->getBlogArticle($this->_articleId,
> - $this->_blogInfo->getId());
> - $this->_view = new AdminArticleTrackbacksListView(
> - $this->_blogInfo,
> - array("article" => $article));
> + $tbBlogInfo = $trackback->getBlogInfo();
> + if(!$tbBlogInfo ||
> + ($tbBlogInfo->getId() != $this->_blogInfo->getId()))
> + {
> + $this->_view = new AdminEditTrackbackView($this->_blogInfo, $this->_trackbackId);
> + $this->_view->setErrorMessage( $this->_locale->tr("pluginEditTrackbacksFailed") );
> + }
> + else if(!ArticleCommentStatus::isValidStatus($this->_commentStatus)){
> + $this->_view = new AdminEditTrackbackView($this->_blogInfo, $this->_trackbackId);
> + $this->_view->setErrorMessage( $this->_locale->tr("pluginEditTrackbacksFailed") );
> + }
> + else{
> + $trackback->setTopic($this->_commentTopic);
> + $trackback->setText($this->_commentText);
> + $trackback->setUserName($this->_authorName);
> + $trackback->setUserEmail($this->_authorEmail);
> + $trackback->setUserUrl($this->_authorUrl);
> + $trackback->setDate($this->_commentDateTime);
> + $trackback->setStatus($this->_commentStatus);
> + $trackback->setClientIp($this->_commentIp);
> + $trackback->setNormalizedTopic($this->_commentNormalizedTopic);
> + $trackback->setNormalizedText($this->_commentNormalizedText);
> +
> + if($trackbacks->updateComment($trackback)) {
> + if($this->_articleId) {
> + $articles = new Articles();
> + $article = $articles->getBlogArticle($this->_articleId,
> + $this->_blogInfo->getId());
> + $this->_view = new AdminArticleTrackbacksListView(
> + $this->_blogInfo,
> + array("article" => $article));
> + }
> + else {
> + $this->_view = new AdminPostsListView( $this->_blogInfo );
> + }
> + $this->_view->setSuccessMessage( $this->_locale->tr("pluginEditTrackbacksOk") );
> + CacheControl::resetBlogCache( $this->_blogInfo->getId());
> }
> else {
> - $this->_view = new AdminPostsListView( $this->_blogInfo );
> + $this->_view = new AdminArticleTrackbacksListView ($this->_blogInfo);
> + $this->_view->setErrorMessage( $this->_locale->tr("pluginEditTrackbacksFailed") );
> }
> - $this->_view->setSuccessMessage( $this->_locale->tr("pluginEditTrackbacksOk") );
> - CacheControl::resetBlogCache( $this->_blogInfo->getId());
> }
> - else {
> - $this->_view = new AdminArticleTrackbacksListView ($this->_blogInfo);
> - $this->_view->setErrorMessage( $this->_locale->tr("pluginEditTrackbacksFailed") );
> - }
> }
> }
> else if($this->_articleId){
>
> Modified: plugins/branches/lifetype-1.2/editcomments/class/view/admineditcommentview.class.php
> ===================================================================
> --- plugins/branches/lifetype-1.2/editcomments/class/view/admineditcommentview.class.php 2007-11-20 04:07:47 UTC (rev 6062)
> +++ plugins/branches/lifetype-1.2/editcomments/class/view/admineditcommentview.class.php 2007-11-20 04:33:57 UTC (rev 6063)
> @@ -17,6 +17,15 @@
> $articleComments = new ArticleComments();
> $comment = $articleComments->getComment($this->_commentId);
>
> + $commBlogInfo = $comment ? $comment->getBlogInfo() : NULL;
> + if(!$commBlogInfo ||
> + ($commBlogInfo->getId() != $this->_blogInfo->getId()))
> + {
> + $text = "You are not allowed to edit this comment";
> + $this->setErrorMessage( $text );
> + unset($comment);
> + }
> +
> if($comment){
> $t = $comment->getDateObject();
> $this->setValue( "commentDateTime", $t->getDay()."/".
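Review bot: `unset($comment)` in the new guard leaves `$comment` undefined for the `if($comment)` that follows it, so every rejected request raises an undefined-variable notice; `$comment = null;` says the same thing and keeps the following test clean. The same pattern is in adminedittrackbackview (`unset($tb)`). The rejection text is also a hard-coded English literal while the actions in this commit route every message through `$this->_locale->tr(...)`; a locale key (for example `pluginEditCommentsNotAllowed`, to be added to the plugin's locale files) would keep the plugin translatable. The enclosing method starts before the hunk.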
>
> Modified: plugins/branches/lifetype-1.2/editcomments/class/view/adminedittrackbackview.class.php
> ===================================================================
> --- plugins/branches/lifetype-1.2/editcomments/class/view/adminedittrackbackview.class.php 2007-11-20 04:07:47 UTC (rev 6062)
> +++ plugins/branches/lifetype-1.2/editcomments/class/view/adminedittrackbackview.class.php 2007-11-20 04:33:57 UTC (rev 6063)
> @@ -17,6 +17,15 @@
> $trackbacks = new Trackbacks();
> $tb = $trackbacks->getTrackBack($this->_trackbackId);
>
> + $tbBlogInfo = $tb ? $tb->getBlogInfo() : NULL;
> + if(!$tbBlogInfo ||
> + ($tbBlogInfo->getId() != $this->_blogInfo->getId()))
> + {
> + $text = "You are not allowed to edit this trackback";
> + $this->setErrorMessage( $text );
> + unset($tb);
> + }
> +
> if($tb){
> $t = $tb->getDateObject();
> $this->setValue( "commentDateTime", $t->getDay()."/".
>
> Modified: plugins/branches/lifetype-1.2/editcomments/templates/editcomment.template
> ===================================================================
> --- plugins/branches/lifetype-1.2/editcomments/templates/editcomment.template 2007-11-20 04:07:47 UTC (rev 6062)
> +++ plugins/branches/lifetype-1.2/editcomments/templates/editcomment.template 2007-11-20 04:33:57 UTC (rev 6063)
> @@ -9,6 +9,7 @@
> <script type="text/javascript"
> src="js/jscalendar/calendar-setup_stripped.js"></script>
>
> +{if $editcomment}
> <form id="editComment" action="admin.php" method="post">
> <div id="list">
> {include file="$admintemplatepath/successmessage.template"}
> @@ -95,5 +96,8 @@
> <input type="submit" name="cancel" value="{$locale->tr("pluginEditCommentsCancel")}" />
> </div>
> </form>
> +{else}
> + {include file="$admintemplatepath/errormessage.template"}
> +{/if}
>
> {include file="$admintemplatepath/footer.template"}
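Review bot: Inside the new `{if $editcomment}` branch only successmessage.template is included (visible at the top of the first hunk), while errormessage.template is now included only in the `{else}` branch; unless the form body between the two hunks also includes errormessage.template, the `pluginEditCommentsFailed` message that the update action sets on AdminEditCommentView for an invalid status is never rendered. Including errormessage.template in both branches, or once above the `{if}`, avoids that. edittrackback.template has the same structure. Whatever sets `$editcomment` is not part of this commit, so I am assuming the view leaves it unset when the ownership check fails.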
>
> Modified: plugins/branches/lifetype-1.2/editcomments/templates/edittrackback.template
> ===================================================================
> --- plugins/branches/lifetype-1.2/editcomments/templates/edittrackback.template 2007-11-20 04:07:47 UTC (rev 6062)
> +++ plugins/branches/lifetype-1.2/editcomments/templates/edittrackback.template 2007-11-20 04:33:57 UTC (rev 6063)
> @@ -9,6 +9,7 @@
> <script type="text/javascript"
> src="js/jscalendar/calendar-setup_stripped.js"></script>
>
> +{if $edittrackback}
> <form id="editComment" action="admin.php" method="post">
> <div id="list">
> {include file="$admintemplatepath/successmessage.template"}
> @@ -95,5 +96,8 @@
> <input type="submit" name="cancel" value="{$locale->tr("pluginEditCommentsCancel")}" />
> </div>
> </form>
> +{else}
> + {include file="$admintemplatepath/errormessage.template"}
> +{/if}
>
> {include file="$admintemplatepath/footer.template"}
>
--
Jon Daley
http://jon.limedaley.com/
We're making progress. Things are getting worse at a slower rate.