From 1959c30eedfcaf9a545002681ef9d405f355a683 Mon Sep 17 00:00:00 2001
From: Andrew McMillan
Date: Thu, 4 Mar 2010 01:41:11 +1300
Subject: [PATCH] Validating user/collection names. Updating fullname/displayname.
---
 inc/ui/collection-edit.php | 32 +++++++++++-------
 inc/ui/principal-edit.php | 66 +++++++++++++++++++++++++++++++-------
 2 files changed, 76 insertions(+), 22 deletions(-)
diff --git a/inc/ui/collection-edit.php b/inc/ui/collection-edit.php
index 4d9593c5..afe9e429 100644
--- a/inc/ui/collection-edit.php
+++ b/inc/ui/collection-edit.php
@@ -4,8 +4,10 @@ $editor = new Editor(translate('Collection'), 'collection');
 param_to_global('id', 'int', 'old_id', 'collection_id' );
 param_to_global('user_no', 'int' );
+param_to_global('principal_id', 'int' );
 param_to_global('collection_name', '{^.+$}' );
-if ( isset($user_no) ) $usr = GetUserByID($user_no);
+if ( isset($user_no) ) $usr = getUserByID($user_no);
+if ( isset($principal_id) ) $usr = getPrincipalByID($principal_id);
 $editor->SetLookup( 'timezone', 'SELECT \'\', \'*** Unknown ***\' UNION SELECT tz_id, tz_locn FROM time_zone WHERE tz_id = tz_locn AND length(tz_spec) > 100 ORDER BY 1' );
 $editor->SetLookup( 'schedule_transp', 'SELECT \'opaque\', \'Opaque\' UNION SELECT \'transp\', \'Transparent\'' );
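Review bot: The `collection_name` pattern `{^.+$}` still accepts any non-empty string, and the `-36` hunk of this file now stores that value in `dav_name` without the `rawurlencode()` the old code applied, so only `/` is removed before the name becomes a URL path segment. If the un-encoded form is the intended storage format, the remaining reserved characters (`%`, `?`, `#`, whitespace) and a bare `.`/`..` segment should be rejected at this point rather than relying on the slash strip, for example a pattern like `'{^[^/?#%\s]+$}'` plus a check that the trimmed result is not `.` or `..` — assuming `param_to_global`'s third argument is a validation regex, as its `{^.+$}` form suggests. Also, when both `user_no` and `principal_id` are supplied the second assignment to `$usr` silently wins; rejecting or logging the conflict would make the lookup unambiguous.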
@@ -36,22 +38,29 @@ $params = array( 'scan_depth' => $c->permission_scan_depth );
 $is_update = ( $_POST['_editor_action'][$editor->Id] == 'update' );
-if ( isset($collection_name) ) $collection_name = str_replace( '/', '', $collection_name);
-if ( !$is_update && isset($collection_name) && isset($user_no) && is_object($usr) ) {
- $_POST['dav_name'] = sprintf('/%s/%s/', $usr->username, rawurlencode($collection_name) );
+if ( isset($collection_name) ) $collection_name = trim(str_replace( '/', '', $collection_name));
+if ( !$is_update && isset($collection_name) && $collection_name != '' && is_object($usr) ) {
+ $_POST['dav_name'] = sprintf('/%s/%s/', $usr->username, $collection_name );
  $_POST['parent_container'] = sprintf('/%s/', $usr->username );
  $params['collection_path'] = $_POST['dav_name'];
  $privsql = 'SELECT path_privs( :session_principal, :collection_path, :scan_depth) AS priv';
 }
-else {
+else if ( $id > 0 ) {
  $params['collection_id'] = $id;
  $privsql = 'SELECT path_privs( :session_principal, dav_name, :scan_depth) AS priv FROM collection WHERE collection_id = :collection_id';
 }
+else {
+ if ( $editor->IsSubmit() && !$is_update && isset($collection_name) && $collection_name == '' ) {
+ $c->messages[] = i18n('The collection name may not be blank.');
+ }
+}
-$privqry = new AwlQuery( $privsql, $params );
-$privqry->Exec('admin-collection-edit');
-$permissions = $privqry->Fetch();
-$can_write_collection = ($session->AllowedTo('Admin') || ($permissions->priv & privilege_to_bits('DAV::bind')) );
+if ( isset($privsql) ) {
+ $privqry = new AwlQuery( $privsql, $params );
+ $privqry->Exec('admin-collection-edit');
+ $permissions = $privqry->Fetch();
+ $can_write_collection = ($session->AllowedTo('Admin') || ($permissions->priv & privilege_to_bits('DAV::bind')) );
+}
 dbg_error_log("ERROR", "Can write collection: %s", ($can_write_collection? 'yes' : 'no') );
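Review bot: `$can_write_collection` is now only assigned inside `if ( isset($privsql) )`, but the `dbg_error_log` call immediately after it — and presumably the rest of the file — reads it unconditionally, so the blank-name and no-id paths leave it undefined (an undefined-variable notice that only happens to evaluate as false). Initialise it explicitly before the block: `$can_write_collection = false;`. The new `else if ( $id > 0 )` has the same shape of problem if `param_to_global` leaves `$id` unset when no id parameter is supplied; `else if ( isset($id) && $id > 0 )` would keep that branch from emitting a notice as well. A one-line comment on the `isset($privsql)` guard, e.g. `// No privilege query when the form is incomplete: treat as not writable`, would make the intended default obvious to the next reader.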
@@ -177,7 +186,7 @@ $privileges_set .= '';
 $prompt_collection_id = translate('Collection ID');
 $value_id = ( $editor->Available() ? '##collection_id.hidden####collection_id.value##' : translate('New Collection'));
 $prompt_dav_name = translate('DAV Path');
-$value_dav_name = ( $editor->Available() ? '##dav_name.value##' : '/##user_no.hidden####username.value##/ ##collection_name.input.30##' );
+$value_dav_name = $c->base_url.'/caldav.php'. ( $editor->Available() ? '##dav_name.value##' : '/##user_no.hidden####username.value##/ ##collection_name.input.30##' );
 $prompt_load_file = translate('Load From File');
 $prompt_displayname = translate('Displayname');
 $prompt_public = translate('Publicly Readable');
@@ -286,11 +295,12 @@ label.privilege { margin:0.2em 1em 0.2em 0.1em; padding:0 0.2em; line-height:1.6em; + font-size: 87%; } - +
diff --git a/inc/ui/principal-edit.php b/inc/ui/principal-edit.php
index f90c9f63..e2cc0e58 100644
--- a/inc/ui/principal-edit.php
+++ b/inc/ui/principal-edit.php
@@ -7,6 +7,7 @@ $editor->SetLookup( 'date_format_type', "SELECT 'E', 'European' UNION SELECT 'U'
 $editor->SetLookup( 'type_id', 'SELECT principal_type_id, principal_type_desc FROM principal_type ORDER BY principal_type_id' );
 $editor->SetLookup( 'locale', 'SELECT \'\', \''.translate("*** Default Locale ***").'\' UNION SELECT locale, locale_name_locale FROM supported_locales ORDER BY 1 ASC' );
 $editor->AddAttribute( 'locale', 'title', translate("The preferred language for this person.") );
+$editor->AddAttribute( 'fullname', 'title', translate("The full name for this person, group or other type of principal.") );
 param_to_global('id', 'int', 'old_id', 'principal_id' );
 $editor->SetWhere( 'principal_id='.$id );
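Review bot: `$value_dav_name` is now prefixed with `$c->base_url.'/caldav.php'`, while the template row it replaces (visible later in this patch as `$c->base_name/caldav.php$value_dav_name`) used `$c->base_name`; if those two configuration values can differ, confirm `base_url` is the intended one, and a short comment on the new line saying why the prefix moved into the variable would save the next reader that check. The value is later interpolated into the page, so if `base_url` can ever be derived from request headers rather than static configuration it should pass through `htmlspecialchars()` at that point — whether that is the case cannot be determined from this hunk.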
@@ -85,10 +86,30 @@ if ( isset($_GET['subaction']) ) {
 $can_write_principal = ($session->AllowedTo('Admin') || $session->principal_id == $id );
+$post_values = false;
+
+if ( isset($_POST['xxxxusername']) ) {
+ $_POST['xxxxusername'] = trim(str_replace('/', '', $_POST['xxxxusername']));
+ if ( $_POST['xxxxusername'] == '' ) {
+ $c->messages[] = i18n("The username must not be blank, and may not contain a slash");
+ $can_write_principal = false;
+ }
+};
+if ( isset($_POST['fullname']) && trim($_POST['fullname']) == '' ) {
+ $c->messages[] = i18n("The full name must not be blank.");
+ $can_write_principal = false;
+};
+if ( isset($_POST['email']) && trim($_POST['email']) == '' ) {
+ $c->messages[] = i18n("The email address really should not be blank.");
+}
+
 $pwstars = '@@@@@@@@@@';
 if ( $can_write_principal && $editor->IsSubmit() ) {
  $editor->WhereNewRecord( "principal_id=(SELECT CURRVAL('dav_id_seq'))" );
- if ( ! $session->AllowedTo('Admin') ) unset($_POST['admin_role']);
+ if ( ! $session->AllowedTo('Admin') ) {
+ unset($_POST['admin_role']);
+ unset($_POST['user_active']);
+ }
  unset($_POST['password']);
  if ( $_POST['newpass1'] != '' && $_POST['newpass1'] != $pwstars ) {
  if ( $_POST['newpass1'] == $_POST['newpass2'] ) {
@@ -98,6 +119,9 @@ if ( $can_write_principal && $editor->IsSubmit() ) {
  $c->messages[] = "Password not updated. The supplied passwords do not match.";
  }
  }
+ if ( isset($_POST['fullname']) && !isset($_POST['displayname']) ) {
+ $_POST['displayname'] = $_POST['fullname'];
+ }
  if ( isset($_POST['default_privileges']) ) {
  $privilege_bitpos = array_flip($privilege_names);
  $priv_names = array_keys($_POST['default_privileges']);
@@ -133,6 +157,9 @@ if ( $can_write_principal && $editor->IsSubmit() ) {
 }
 else {
  $editor->GetRecord();
+ if ( $editor->IsSubmit() ) {
+ $post_values = true;
+ }
 }
 if ( $editor->Available() ) {
  $c->page_title = $editor->Title(translate('Principal').': '.$editor->Value('fullname'));
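Review bot: The username check strips `/` and rejects blanks, but the value is later used verbatim as the first path segment of `dav_name` (`sprintf('/%s/%s/', $usr->username, ...)` in collection-edit.php in this same patch), so characters such as `%`, `?`, `#`, whitespace or a bare `..` still pass. A positive allowlist is safer than subtractive filtering, for example `if ( !preg_match('{^[A-Za-z0-9._@-]+$}', $_POST['xxxxusername']) || in_array($_POST['xxxxusername'], array('.', '..'), true) )` feeding the existing message (with its wording widened to match). Minor style: the `};` closing the first two `if` blocks are empty statements and should be plain `}`. The `unset($_POST['user_active'])` for non-admins is a good addition; a comment such as `// Only administrators may toggle admin_role or user_active` would record why the two keys are dropped together.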
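Review bot: `$_POST['displayname']` is filled from `fullname` whenever no `displayname` was posted, and the only principal form fields visible in this patch are `xxxxusername`, the password pair, `fullname`, `email`, `locale`, `date_format_type` and `type_id` with no `##displayname.input##`, so on this form every save appears to overwrite an existing displayname with the fullname (the `$prompt_displayname` added in the `-199` hunk is never used in the visible template). If that is the intended behaviour, say so on the new `if`, e.g. `// No displayname field on this form: keep it in sync with fullname`; if not, the condition should also check that the stored displayname is empty before copying. The enclosing `if ( $can_write_principal && $editor->IsSubmit() )` block starts and ends outside this hunk.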
@@ -142,9 +169,23 @@ else {
  $privs = decbin(privilege_to_bits($c->default_privileges));
  $editor->Assign('default_privileges', $privs);
  $editor->Assign('user_active', 't');
+ foreach( $c->template_usr AS $k => $v ) {
+ $editor->Assign($k, $v);
+ }
+}
+if ( $post_values ) {
+ $editor->PostToValues();
+ if ( isset($_POST['default_privileges']) ) {
+ $privilege_bitpos = array_flip($privilege_names);
+ $priv_names = array_keys($_POST['default_privileges']);
+ $privs = privilege_to_bits($priv_names);
+ $_POST['default_privileges'] = sprintf('%024s',decbin($privs));
+ $editor->Assign('default_privileges', $_POST['default_privileges']);
+ }
 }
 $privilege_xlate = array(
+ 'all' => translate('All privileges'),
  'read' => translate('Read'),
  'write-properties' => translate('Write Metadata'),
  'write-content' => translate('Write Data'),
@@ -199,10 +240,12 @@ for( $i=0; $iAvailable() ? '##principal_id.hidden####principal_id.value##' : translate('New Principal'));
 $prompt_username = translate('Username');
 $prompt_password_1 = translate('Change Password');
 $prompt_password_1 = translate('Confirm Password');
 $prompt_fullname = translate('Fullname');
+$prompt_displayname = translate('Display Name');
 $prompt_email = translate('Email Address');
 $prompt_date_format = translate('Date Format Style');
 $prompt_admin = translate('Administrator');
@@ -274,23 +317,24 @@ label.privilege { margin:0.2em 1em 0.2em 0.1em; padding:0 0.2em; line-height:1.6em; + font-size:87%; }
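Review bot: The `default_privileges` conversion inside the new `if ( $post_values )` block duplicates the four lines already present in the `-98` hunk, and in both copies `$privilege_bitpos = array_flip($privilege_names);` is assigned but never read, so the duplication is also carrying dead code. Extract the conversion into a single helper, e.g. `function posted_privileges_to_bits( $posted ) { return sprintf('%024s', decbin(privilege_to_bits(array_keys($posted)))); }`, call it from both places and drop the unused `array_flip`. The `foreach( $c->template_usr AS $k => $v )` will emit a warning when `template_usr` is not configured; guard it with `if ( isset($c->template_usr) && is_array($c->template_usr) )` unless the configuration loader is guaranteed to define it — that cannot be told from this hunk.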
$prompt_collection_id: $value_id
$prompt_dav_name: $c->base_name/caldav.php$value_dav_name
$prompt_dav_name: $value_dav_name
$prompt_load_file: ##ics_file.file.60##
$prompt_displayname: ##dav_displayname.input.50##
$prompt_public: ##publicly_readable.checkbox##
- - + + - - - - - + + + + + $admin_row_entry
$prompt_principal_id: - +
##principal_id.value##$value_id $delete_principal_button
$prompt_username: ##xxxxusername.input.50##
$prompt_password_1: ##newpass1.password.$pwstars##
$prompt_username: ##xxxxusername.input.50##
$prompt_password_1: ##newpass1.password.$pwstars##
$prompt_password_1: ##newpass2.password.$pwstars##
$prompt_fullname: ##fullname.input.50##
$prompt_email: ##email.input.50##
$prompt_locale: ##locale.select##
$prompt_date_format: ##date_format_type.select##
$prompt_type: ##type_id.select##
$prompt_fullname: ##fullname.input.50##
$prompt_email: ##email.input.50##
$prompt_locale: ##locale.select##
$prompt_date_format: ##date_format_type.select##
$prompt_type: ##type_id.select##
$prompt_privileges: @@ -356,7 +400,7 @@ if ( isset($id) ) { if ( $editor->Value('type_id') == 3 ) { $grouprow = new Editor("Group Members", "group_member"); - $grouprow->SetLookup( 'member_id', 'SELECT principal_id, displayname FROM dav_principal WHERE principal_id NOT IN (SELECT member_id FROM group_member WHERE group_id = '.$id.')'); + $grouprow->SetLookup( 'member_id', 'SELECT principal_id, coalesce(displayname,fullname,username) FROM dav_principal WHERE principal_id NOT IN (SELECT member_id FROM group_member WHERE group_id = '.$id.')'); $grouprow->SetSubmitName( 'savegrouprow' ); if ( $can_write_principal ) { @@ -446,7 +490,7 @@ EOTEMPLATE; if ( isset($_GET['edit_grant']) ) { $edit_grant_clause = ' AND to_principal != '.intval($_GET['edit_grant']); } - $grantrow->SetLookup( 'to_principal', 'SELECT principal_id, displayname FROM dav_principal WHERE principal_id NOT IN (SELECT to_principal FROM grants WHERE by_principal = '.$id.$edit_grant_clause.')' ); + $grantrow->SetLookup( 'to_principal', 'SELECT principal_id, displayname FROM dav_principal WHERE principal_id NOT IN (SELECT to_principal FROM grants WHERE by_principal = '.$id.$edit_grant_clause.') ORDER BY fullname' ); if ( $can_write_principal ) { if ( $grantrow->IsSubmit() ) { if ( $grantrow->IsUpdate() )
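Review bot: The two rewritten lookups are inconsistent: the group-member query (`-356` hunk) now labels principals with `coalesce(displayname,fullname,username)` but has no `ORDER BY`, while the grant query (`-446` hunk) adds `ORDER BY fullname` but still selects bare `displayname`, which is `NULL` for principals that never had one. Use the same select list and ordering in both, e.g. `SELECT principal_id, coalesce(displayname,fullname,username) FROM dav_principal WHERE ... ORDER BY 2`. Both queries still splice `$id` into the SQL string; that is acceptable only because `param_to_global('id', 'int', ...)` in the `-7` hunk coerces it to an integer, so a comment on each line noting that dependency — or a bound parameter if `SetLookup` supports one — would keep the pattern from being copied onto an unvalidated value later.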