-rw-r--r-- | CHANGES.txt | 12 | ||||
-rw-r--r-- | engine/lib/actions.php | 2 | ||||
-rw-r--r-- | engine/lib/api.php | 6 | ||||
-rw-r--r-- | engine/lib/elgglib.php | 39 | ||||
-rw-r--r-- | engine/lib/notification.php | 72 | ||||
-rw-r--r-- | engine/lib/river2.php | 6 | ||||
-rw-r--r-- | mod/invitefriends/actions/invite.php | 52 | ||||
-rw-r--r-- | services/api/rest_api.php | 6 |
8 files changed, 122 insertions, 73 deletions
diff --git a/CHANGES.txt b/CHANGES.txt index 8a4288035..8509958b0 100644 --- a/CHANGES.txt +++ b/CHANGES.txt @@ -16,23 +16,24 @@ Version 1.8.0 Version 1.7.1 -(??? from http://code.elgg.org/elgg/branches/1.7) +(April 21, 2010 from http://code.elgg.org/elgg/branches/1.7) UI changes: * (Unused) tags field removed from external pages. * Languages fixes in groups. * Installation checks database settings before writing settings.php. - * Made the widgets more consistent in their UI + * Made the widgets more consistent in their UI. Bugfixes: * Pagination fixed. - * Profile icons fixed for CGI users who were seeing incorrect avatars. + * Profile icons fixed for PHP-CGI users who were seeing incorrect avatars. * Tag search works in groups and members. * Tag clouds correctly link to tag search. * RSS views added to search. * Wrapper function for get_entities() correctly rewrites container_guid to owner_guid. * output/url correctly appends http:// again. + * full_url() urlencode()'s ' and " to avoid a security problem in IE. API changes: * Moved admin flag to users_entity table and added ElggUser->isAdmin(), @@ -43,8 +44,9 @@ Version 1.7.1 * Tags lib updated to elgg_get_*() interface. * Can get entities based upon annotation/metadata owner_guid. * Moved friendly time and friendly title into overridable views. - * Added unregister_notification_handler() - * Added remove_widget_type() + * Added unregister_notification_handler(). + * Added remove_widget_type(). + * Search supports container_guid. Version 1.7.0 diff --git a/engine/lib/actions.php b/engine/lib/actions.php index 304179828..66c2d9505 100644 --- a/engine/lib/actions.php +++ b/engine/lib/actions.php 
@@ -54,7 +54,7 @@ function action($action, $forwarder = "") {
 if (isset($CONFIG->actions[$action])) {
 if ((isadminloggedin()) || (!$CONFIG->actions[$action]['admin'])) {
- if ($CONFIG->actions[$action]['public'] || $_SESSION['id'] != -1) {
+ if ($CONFIG->actions[$action]['public'] || get_loggedin_userid()) {
 // Trigger action event TODO: This is only called before the primary action is called. We need to rethink actions for 1.5
 $event_result = true;
diff --git a/engine/lib/api.php b/engine/lib/api.php
index 6b773138e..6707a7418 100644
--- a/engine/lib/api.php
+++ b/engine/lib/api.php
@@ -423,9 +423,11 @@ function authenticate_method($method) {
 }
 }
- // check user authentication if required
+ $user_auth_result = pam_authenticate();
+
+ // check if user authentication is required
 if ($API_METHODS[$method]["require_user_auth"] == true) {
- if (pam_authenticate() == false) {
+ if ($user_auth_result == false) {
 throw new APIException(elgg_echo('APIException:UserAuthenticationFailed'));
 }
 }
diff --git a/engine/lib/elgglib.php b/engine/lib/elgglib.php
index 78761c739..f6aae2b97 100644
--- a/engine/lib/elgglib.php
+++ b/engine/lib/elgglib.php
@@ -29,8 +29,15 @@ function forward($location = "") {
 $location = $CONFIG->url . $location;
 }
- header("Location: {$location}");
- exit;
+ // return new forward location or false to stop the forward or empty string to exit
+ $params = array('current_url' => $current_page, 'forward_url' => $location);
+ $location = trigger_plugin_hook('forward', 'system', $params, $location);
+ if ($location) {
+ header("Location: {$location}");
+ exit;
+ } else if ($location === '') {
+ exit;
+ }
 }
 return false;
@@ -568,7 +575,7 @@ function elgg_get_views($dir, $base) {
 }
 /**
- * @deprecated 1.7. Use elgg_extend_view().
+ * @deprecated 1.7. Use elgg_get_views().
 * @param $dir
 * @param $base
 */
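Review bot: `pam_authenticate()` now runs for every API method, including those whose `require_user_auth` is false, yet within this hunk `$user_auth_result` is only read inside that branch; authenticate_method() continues outside the hunk, so if nothing further down consumes the variable the hoist merely invokes every registered user PAM handler for calls that never needed them. If the intent is that an optional token or session should still identify the caller, say so where the call is made, e.g. `// run PAM for every method so an optional token/session still identifies the caller; the result is only enforced below when require_user_auth is set`. The comparison `$user_auth_result == false` is loose and also matches null, 0 and ''; if pam_authenticate() returns a bool, `=== false` states that contract, otherwise `!$user_auth_result` reads the same without implying one.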
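Review bot: `$current_page` is passed to the hook as `current_url` but is not assigned anywhere in this hunk; forward() starts outside it, so unless an earlier line sets it the hook receives an undefined-variable notice and a null `current_url` — confirm. The hook's return value replaces a `$location` that the context line above has already prefixed with `$CONFIG->url`, so a handler returning a relative path reaches `header()` without the prefix, and `false`, `null` and `'0'` all fall through to `return false` while only the empty string exits; the comment should state both, e.g. `// Plugins may replace the destination (relative paths are not re-prefixed with $CONFIG->url); return false to cancel the redirect, or '' to exit without redirecting`.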
@@ -1301,14 +1308,18 @@ function set_template_handler($function_name) {
 }
 /**
- * Extends a view by adding other views to be displayed at the same time.
+ * Extends a view.
 *
- * @param string $view The view to add to.
- * @param string $view_name The name of the view to extend
- * @param int $priority The priority, from 0 to 1000, to add at (lowest numbers will be displayed first)
+ * The addititional views are displayed before or after the primary view.
+ * Priorities less than 500 are displayed before the primary view and
+ * greater than 500 after. The default priority is 501.
+ *
+ * @param string $view The view to extend.
+ * @param string $view_extension This view is added to $view
+ * @param int $priority The priority, from 0 to 1000, to add at (lowest numbers displayed first)
 * @param string $viewtype Not used
 */
-function elgg_extend_view($view, $view_name, $priority = 501, $viewtype = '') {
+function elgg_extend_view($view, $view_extension, $priority = 501, $viewtype = '') {
 global $CONFIG;
 if (!isset($CONFIG->views)) {
@@ -1327,7 +1338,7 @@ function elgg_extend_view($view, $view_name, $priority = 501, $viewtype = '') {
 $priority++;
 }
- $CONFIG->views->extensions[$view][$priority] = "{$view_name}";
+ $CONFIG->views->extensions[$view][$priority] = "{$view_extension}";
 ksort($CONFIG->views->extensions[$view]);
 }
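Review bot: The new docblock misspells `addititional` and defines the ordering rule only for priorities below and above 500, leaving exactly 500 unspecified; decide which side it belongs to and say so, e.g. `Priorities below 500 are displayed before the primary view, 500 and above after it`, if that is the intended split. The body of elgg_extend_view() lies between this hunk and the next, so the increment loop visible in the second hunk (`$priority++` until a free slot) is worth a sentence too: a requested priority that is already taken is bumped to the next free one, which the `from 0 to 1000` wording does not convey. Renaming `$view_name` to `$view_extension` changes no positional caller, and a note that `$viewtype` is kept only for signature compatibility would make the bare `Not used` less cryptic.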
@@ -1482,23 +1493,25 @@ function get_library_files($directory, $exceptions = array(), $list = array()) {
 * @param array $exceptions Array of filenames to ignore
 * @param array $list Array of files to append to
 * @param mixed $extensions Array of extensions to allow, NULL for all. (With a dot: array('.php'))
- * @return array
+ * @return array of filenames including $directory
 */
 function elgg_get_file_list($directory, $exceptions = array(), $list = array(), $extensions = NULL) {
+ $directory = sanitise_filepath($directory);
 if ($handle = opendir($directory)) {
 while (($file = readdir($handle)) !== FALSE) {
- if (!is_file($file) || in_array($file, $exceptions)) {
+ if (!is_file($directory . $file) || in_array($file, $exceptions)) {
 continue;
 }
 if (is_array($extensions)) {
 if (in_array(strrchr($file, '.'), $extensions)) {
- $list[] = $directory . "/" . $file;
+ $list[] = $directory . $file;
 }
 } else {
- $list[] = $directory . "/" . $file;
+ $list[] = $directory . $file;
 }
 }
+ closedir($handle);
 }
 return $list;
diff --git a/engine/lib/notification.php b/engine/lib/notification.php
index 024881e0f..58e2a10f6 100644
--- a/engine/lib/notification.php
+++ b/engine/lib/notification.php
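Review bot: The rewritten filter line keeps a loose `in_array($file, $exceptions)`, so an exception list that happens to contain `0` or `true` matches every directory entry; pass the strict flag, `in_array($file, $exceptions, true)`, and the same applies to the `strrchr()` extension test a few lines down. The new `$directory . $file` joins replace the explicit `"/"` and therefore rely on `sanitise_filepath()` returning a path with a trailing separator — that function is not visible here, so confirm it, otherwise the list silently holds paths with the directory and filename run together. The function still returns `$list` unchanged when `opendir()` fails, which the new `@return` line does not mention; either document that a missing or unreadable directory yields the input list unchanged, or log it at that point.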
@@ -309,6 +309,78 @@ function email_notify_handler(ElggEntity $from, ElggUser $to, $subject, $message
 }
 /**
+ * Send an email to any email address
+ *
+ * @param string $from Email address or string: "name <email>"
+ * @param string $to Email address or string: "name <email>"
+ * @param string $subject The subject of the message
+ * @param string $body The message body
+ * @param array $params Optional parameters (none used in this function)
+ * @return bool
+ */
+function elgg_send_email($from, $to, $subject, $body, array $params = NULL) {
+ global $CONFIG;
+
+ if (!$from) {
+ throw new NotificationException(sprintf(elgg_echo('NotificationException:NoEmailAddress'), 'from'));
+ }
+
+ if (!$to) {
+ throw new NotificationException(sprintf(elgg_echo('NotificationException:NoEmailAddress'), 'to'));
+ }
+
+ // return TRUE/FALSE to stop elgg_send_email() from sending
+ $mail_params = array( 'to' => $to,
+ 'from' => $from,
+ 'subject' => $subject,
+ 'body' => $body,
+ 'params' => $params);
+ $result = trigger_plugin_hook('email', 'system', $mail_params, NULL);
+ if ($result !== NULL) {
+ return $result;
+ }
+
+ $header_eol = "\r\n";
+ if (isset($CONFIG->broken_mta) && $CONFIG->broken_mta) {
+ // Allow non-RFC 2822 mail headers to support some broken MTAs
+ $header_eol = "\n";
+ }
+
+ // Windows is somewhat broken, so we use just address for to and from
+ if (strtolower(substr(PHP_OS, 0 , 3)) == 'win') {
+ // strip name from to and from
+ if (strpos($to, '<')) {
+ preg_match('/<(.*)>/', $to, $matches);
+ $to = $matches[1];
+ }
+ if (strpos($from, '<')) {
+ preg_match('/<(.*)>/', $from, $matches);
+ $from = $matches[1];
+ }
+ }
+
+ $headers = "From: $from{$header_eol}"
+ . "Content-Type: text/plain; charset=UTF-8; format=flowed{$header_eol}"
+ . "MIME-Version: 1.0{$header_eol}"
+ . "Content-Transfer-Encoding: 8bit{$header_eol}";
+
+
+ // Sanitise subject by stripping line endings
+ $subject = preg_replace("/(\r\n|\r|\n)/", " ", $subject);
+ if (is_callable('mb_encode_mimeheader')) {
+ $subject = mb_encode_mimeheader($subject,"UTF-8", "B");
+ }
+
+ // Format message
+ $message = html_entity_decode($body, ENT_COMPAT, 'UTF-8'); // Decode any html entities
+ $message = strip_tags($body); // Strip tags from message
+ $message = preg_replace("/(\r\n|\r)/", "\n", $body); // Convert to unix line endings in body
+ $message = preg_replace("/^From/", ">From", $body); // Change lines starting with From to >From
+
+ return mail($to, $subject, wordwrap($body), $headers);
+}
+
+/**
+ * Correctly initialise notifications and register the email handler.
+ *
+ */
diff --git a/engine/lib/river2.php b/engine/lib/river2.php
index 8e015ea0d..8fb20ac40 100644
--- a/engine/lib/river2.php
+++ b/engine/lib/river2.php
@@ -374,8 +374,10 @@ function elgg_get_river_items($subject_guid = 0, $object_guid = 0, $subject_rela
 function elgg_view_river_item($item) {
 if (isset($item->view)) {
 $object = get_entity($item->object_guid);
- if (!$object) {
- $body = elgg_view('river/item/noaccess');
+ $subject = get_entity($item->subject_guid);
+ if (!$object || !$subject) {
+ // probably means an entity is disabled
+ return false;
 } else {
 if (elgg_view_exists($item->view)) {
 $body = elgg_view($item->view,array(
diff --git a/mod/invitefriends/actions/invite.php b/mod/invitefriends/actions/invite.php
index 7e0bd54b8..66902606a 100644
--- a/mod/invitefriends/actions/invite.php
+++ b/mod/invitefriends/actions/invite.php
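Review bot: The "Format message" block at the end of elgg_send_email() assigns every step to `$message` but keeps reading `$body`, and `mail()` is then called with `wordwrap($body)`, so the entity decoding, tag stripping, line-ending normalisation and `>From` escaping are all computed and discarded — the raw body is what gets sent. Each step should feed the next and the final call should send `$message`; `/^From/` also needs the `m` modifier to reach every line, which is what its comment promises. Separately, only `$subject` has its line endings stripped while `$from` is interpolated straight into `$headers`; the docblock invites free-form `name <email>` strings, so a `$from` carrying CR/LF can append arbitrary headers to the message, and it should be stripped the same way before the header block is built. The `strpos($to, '<')` / `strpos($from, '<')` tests are also false for a value that starts with `<`, so that shape keeps its name part on Windows.
```php
// … unchanged: hook, header EOL and Windows address handling …

// Strip line endings from the address too, or a crafted $from can append headers
$from = preg_replace("/(\r\n|\r|\n)/", " ", $from);

$headers = "From: $from{$header_eol}"
// … unchanged: remaining header lines and subject handling …

// Format message: each step feeds the next, and the result is what gets sent
$message = html_entity_decode($body, ENT_COMPAT, 'UTF-8'); // Decode any html entities
$message = strip_tags($message);                           // Strip tags from message
$message = preg_replace("/(\r\n|\r)/", "\n", $message);    // Convert to unix line endings in body
$message = preg_replace("/^From/m", ">From", $message);    // Escape every line starting with From

return mail($to, $subject, wordwrap($message), $headers);
```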
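Review bot: The new early `return false` in elgg_view_river_item() turns a function that rendered a `river/item/noaccess` view into one that returns either a string or `false`, and the comment `// probably means an entity is disabled` records a guess: the branch it replaces was named for the access-denied case, so a missing `$object` or `$subject` can equally be an entity the viewer is not allowed to see, and any caller that echoes or concatenates the result now prints nothing for both. The function starts in this hunk but ends outside it, so document the contract on its docblock — `@return string|false The rendered item, or false when the object or subject entity cannot be loaded (disabled, or not visible to the current user)` — and make the inline comment say the same, e.g. `// object or subject is disabled or not visible to the viewer; skip this item`.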
@@ -51,59 +51,17 @@
 $link
 );
- // **** this should be replaced by a core function for sending emails to people who are not members
+ $subject = sprintf(elgg_echo('invitefriends:subject'), $CONFIG->site->name);
+
+ // create the from address
 $site = get_entity($CONFIG->site_guid);
- // If there's an email address, use it - but only if its not from a user.
 if (($site) && (isset($site->email))) {
- // Has the current site got a from email address?
 $from = $site->email;
- } else if (isset($from->url)) {
- // If we have a url then try and use that.
- $breakdown = parse_url($from->url);
- $from = 'noreply@' . $breakdown['host']; // Handle anything with a url
 } else {
- // If all else fails, use the domain of the site.
 $from = 'noreply@' . get_site_domain($CONFIG->site_guid);
 }
-
- if (is_callable('mb_internal_encoding')) {
- mb_internal_encoding('UTF-8');
- }
- $site = get_entity($CONFIG->site_guid);
- $sitename = $site->name;
- if (is_callable('mb_encode_mimeheader')) {
- $sitename = mb_encode_mimeheader($site->name,"UTF-8", "B");
- }
-
- $header_eol = "\r\n";
- if ((isset($CONFIG->broken_mta)) && ($CONFIG->broken_mta)) {
- // Allow non-RFC 2822 mail headers to support some broken MTAs
- $header_eol = "\n";
- }
-
- $from_email = "\"$sitename\" <$from>";
- if (strtolower(substr(PHP_OS, 0 , 3)) == 'win') {
- // Windows is somewhat broken, so we use a different format from header
- $from_email = "$from";
- }
-
- $headers = "From: $from_email{$header_eol}"
- . "Content-Type: text/plain; charset=UTF-8; format=flowed{$header_eol}"
- . "MIME-Version: 1.0{$header_eol}"
- . "Content-Transfer-Encoding: 8bit{$header_eol}";
-
- $subject = sprintf(elgg_echo('invitefriends:subject'), $CONFIG->site->name);
- if (is_callable('mb_encode_mimeheader')) {
- $subject = mb_encode_mimeheader($subject,"UTF-8", "B");
- }
-
- // Format message
- $message = html_entity_decode($message, ENT_COMPAT, 'UTF-8'); // Decode any html entities
- $message = strip_tags($message); // Strip tags from message
- $message = preg_replace("/(\r\n|\r)/", "\n", $message); // Convert to unix line endings in body
- $message = preg_replace("/^From/", ">From", $message); // Change lines starting with From to >From
- mail($email, $subject, wordwrap($message), $headers);
+ elgg_send_email($from, $email, $subject, $message);
 }
 if ($error) {
@@ -113,5 +71,3 @@
 }
 forward($_SERVER['HTTP_REFERER']);
-
-?>
diff --git a/services/api/rest_api.php b/services/api/rest_api.php
index 4d3e39aaa..1ef8b729e 100644
--- a/services/api/rest_api.php
+++ b/services/api/rest_api.php
@@ -29,8 +29,10 @@ if ((isset($CONFIG->disable_api)) && ($CONFIG->disable_api == true)) {
 // plugins should return true to control what API and user authentication handlers are registered
 if (trigger_plugin_hook('rest', 'init', null, false) == false) {
- // check session - this usually means a REST call from a web browser
- register_pam_handler('pam_auth_session');
+ // for testing from a web browser, you can use the session PAM
+ // do not use for production sites!!
+ //register_pam_handler('pam_auth_session');
+ // user token can also be used for user authentication
 register_pam_handler('pam_auth_usertoken'); |
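Review bot: The `From` header loses its display name: the removed lines sent `"\"$sitename\" <$from>"` with the site name MIME-encoded, while the new call passes the bare address even though elgg_send_email() documents `$from` as accepting `name <email>` and strips the name itself on Windows; pass the same shape, e.g. `$from = "\"{$site->name}\" <{$site->email}>"`, in the `$site->email` branch (and MIME-encode the name first if it may be non-ASCII, since elgg_send_email() only encodes the subject). The boolean returned by `elgg_send_email()` is discarded, so a failed send no longer has any effect on `$error`; the loop header and the `$error` handling are outside this hunk, so confirm whether that was already the case with the old `mail()` call. elgg_send_email() also throws NotificationException when `$to` is empty, so if the `$email` values are not validated before the loop, one blank entry now aborts the whole action instead of being skipped — either validate before the call or catch the exception per recipient.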