aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--CHANGES.txt25
-rw-r--r--engine/classes/ElggBatch.php2
-rw-r--r--engine/classes/ElggEntity.php114
-rw-r--r--engine/classes/ElggPlugin.php62
-rw-r--r--engine/lib/access.php33
-rw-r--r--engine/lib/annotations.php6
-rw-r--r--engine/lib/languages.php2
-rw-r--r--engine/lib/metadata.php11
-rw-r--r--engine/lib/metastrings.php19
-rw-r--r--engine/lib/plugins.php9
-rw-r--r--engine/lib/users.php2
-rw-r--r--engine/lib/views.php5
-rw-r--r--engine/tests/api/metadata.php74
-rw-r--r--engine/tests/objects/entities.php2
-rw-r--r--languages/en.php2
-rw-r--r--mod/file/pages/file/download.php2
-rw-r--r--mod/pages/actions/pages/delete.php5
-rw-r--r--mod/pages/actions/pages/edit.php14
-rw-r--r--mod/pages/lib/pages.php2
-rw-r--r--mod/pages/pages/pages/view.php2
-rw-r--r--mod/pages/views/default/forms/pages/edit.php15
-rw-r--r--mod/twitter_api/lib/twitter_api.php2
-rw-r--r--upgrade.php3
-rw-r--r--views/default/output/tagcloud.php12
-rw-r--r--views/default/page/elements/comments.php2
-rw-r--r--views/default/river/elements/body.php2
26 files changed, 325 insertions, 104 deletions
diff --git a/CHANGES.txt b/CHANGES.txt
index 11060aa2d..ae0cdc333 100644
--- a/CHANGES.txt
+++ b/CHANGES.txt
@@ -1,3 +1,28 @@
+Version 1.8.5
+(May 15, 2012 from https://github.com/Elgg/Elgg/tree/1.8)
+
+ Contributing Developers:
+ * Brett Profitt
+ * Sem
+
+ Security Enhancements:
+ * Fixed possible XSS vulnerability if using a crafted URL.
+ * Fixed exploit to bypass new user validation if using a crafted form.
+ * Fixed incorrect caching of access lists that could allow plugins
+ to show private entities to non-admin and non-owning users. (Non-exploitable)
+
+ Bugfixes:
+ * Twitter API: New users are forwarded to the correct page after creating
+ an account with Twitter.
+ * Files: PDF files are downloaded as "inline" to display in the browser.
+ * Fixed possible duplication errors when writing metadata with multiple values.
+ * Fixed possible upgrade issue if using a plugin uses the system_log hooks.
+ * Fixed problems when enabling more than 50 metadata or annotations.
+
+ API:
+ * River entries' timestamps use elgg_view_friendly_time() and can be
+ overridden with the friendly time output view.
+
Version 1.8.4
(April 24, 2012 from https://github.com/Elgg/Elgg/tree/1.8)
diff --git a/engine/classes/ElggBatch.php b/engine/classes/ElggBatch.php
index 0cb13eb32..c1a77a0d9 100644
--- a/engine/classes/ElggBatch.php
+++ b/engine/classes/ElggBatch.php
@@ -16,7 +16,7 @@
*
* Results from the callback are stored in callbackResult. If the callback
* returns only booleans, callbackResults will be the combined result of
- * all calls.
+ * all calls. If no entities are processed, callbackResults will be null.
*
* If the callback returns anything else, callbackresult will be an indexed
* array of whatever the callback returns. If returning error handling
diff --git a/engine/classes/ElggEntity.php b/engine/classes/ElggEntity.php
index dc38dafbe..164ff3838 100644
--- a/engine/classes/ElggEntity.php
+++ b/engine/classes/ElggEntity.php
@@ -201,8 +201,11 @@ abstract class ElggEntity extends ElggData implements
/**
* Sets the value of a property.
*
- * If $name is defined in $this->attributes that value is set, otherwise it will
- * set the appropriate item of metadata.
+ * If $name is defined in $this->attributes that value is set, otherwise it is
+ * saved as metadata.
+ *
+ * @warning Metadata set this way will inherit the entity's owner and access ID. If you want
+ * to set metadata with a different owner, use create_metadata().
*
* @warning It is important that your class populates $this->attributes with keys
* for all base attributes, anything not in their gets set as METADATA.
@@ -248,7 +251,12 @@ abstract class ElggEntity extends ElggData implements
public function getMetaData($name) {
if ((int) ($this->guid) == 0) {
if (isset($this->temp_metadata[$name])) {
- return $this->temp_metadata[$name];
+ // md is returned as an array only if more than 1 entry
+ if (count($this->temp_metadata[$name]) == 1) {
+ return $this->temp_metadata[$name][0];
+ } else {
+ return $this->temp_metadata[$name];
+ }
} else {
return null;
}
@@ -291,80 +299,78 @@ abstract class ElggEntity extends ElggData implements
/**
* Set a piece of metadata.
*
- * @tip Plugin authors should use the magic methods.
+ * Plugin authors should use the magic methods or create_metadata().
+ *
+ * @warning The metadata will inherit the parent entity's owner and access ID.
+ * If you want to write metadata with a different owner, use create_metadata().
*
* @access private
*
* @param string $name Name of the metadata
- * @param mixed $value Value of the metadata
+ * @param mixed $value Value of the metadata (doesn't support assoc arrays)
* @param string $value_type Types supported: integer and string. Will auto-identify if not set
* @param bool $multiple Allow multiple values for a single name (doesn't support assoc arrays)
*
* @return bool
*/
- public function setMetaData($name, $value, $value_type = "", $multiple = false) {
- $delete_first = false;
- // if multiple is set that always means don't delete.
- // if multiple isn't set it means override. set it to true on arrays for the foreach.
- if (!$multiple) {
- $delete_first = true;
- $multiple = is_array($value);
- }
-
- if (!$this->guid) {
- // real metadata only returns as an array if there are multiple elements
- if (is_array($value) && count($value) == 1) {
- $value = $value[0];
- }
-
- $value_is_array = is_array($value);
-
- if (!isset($this->temp_metadata[$name]) || $delete_first) {
- // need to remove the indexes because real metadata doesn't have them.
- if ($value_is_array) {
- $this->temp_metadata[$name] = array_values($value);
- } else {
- $this->temp_metadata[$name] = $value;
- }
- } else {
- // multiple is always true at this point.
- // if we're setting multiple and temp isn't array, it needs to be.
- if (!is_array($this->temp_metadata[$name])) {
- $this->temp_metadata[$name] = array($this->temp_metadata[$name]);
- }
+ public function setMetaData($name, $value, $value_type = null, $multiple = false) {
- if ($value_is_array) {
- $this->temp_metadata[$name] = array_merge($this->temp_metadata[$name], array_values($value));
- } else {
- $this->temp_metadata[$name][] = $value;
- }
- }
+ // normalize value to an array that we will loop over
+ // remove indexes if value already an array.
+ if (is_array($value)) {
+ $value = array_values($value);
} else {
- if ($delete_first) {
+ $value = array($value);
+ }
+
+ // saved entity. persist md to db.
+ if ($this->guid) {
+ // if overwriting, delete first.
+ if (!$multiple) {
$options = array(
'guid' => $this->getGUID(),
'metadata_name' => $name,
'limit' => 0
);
- // @todo this doesn't check if it exists so we can't handle failed deletes
- // is it worth the overhead of more SQL calls to check?
- elgg_delete_metadata($options);
- }
- // save into real metadata
- if (!is_array($value)) {
- $value = array($value);
+ // @todo in 1.9 make this return false if can't add metadata
+ // http://trac.elgg.org/ticket/4520
+ //
+ // need to remove access restrictions right now to delete
+ // because this is the expected behavior
+ $ia = elgg_set_ignore_access(true);
+ if (false === elgg_delete_metadata($options)) {
+ return false;
+ }
+ elgg_set_ignore_access($ia);
}
- foreach ($value as $v) {
- $result = create_metadata($this->getGUID(), $name, $v, $value_type,
- $this->getOwnerGUID(), $this->getAccessId(), $multiple);
- if (!$result) {
+ // add new md
+ $result = true;
+ foreach ($value as $value_tmp) {
+ // at this point $value should be appended because it was cleared above if needed.
+ $md_id = create_metadata($this->getGUID(), $name, $value_tmp, $value_type,
+ $this->getOwnerGUID(), $this->getAccessId(), true);
+ if (!$md_id) {
return false;
}
}
+
+ return $result;
}
- return true;
+ // unsaved entity. store in temp array
+ // returning single entries instead of an array of 1 element is decided in
+ // getMetaData(), just like pulling from the db.
+ else {
+ // if overwrite, delete first
+ if (!$multiple || !isset($this->temp_metadata[$name])) {
+ $this->temp_metadata[$name] = array();
+ }
+
+ // add new md
+ $this->temp_metadata[$name] = array_merge($this->temp_metadata[$name], $value);
+ return true;
+ }
}
/**
diff --git a/engine/classes/ElggPlugin.php b/engine/classes/ElggPlugin.php
index 33f14ae37..8c9093834 100644
--- a/engine/classes/ElggPlugin.php
+++ b/engine/classes/ElggPlugin.php
@@ -79,6 +79,68 @@ class ElggPlugin extends ElggObject {
}
/**
+ * Overridden from ElggEntity and ElggObject::load(). Core always inits plugins with
+ * a query joined to the objects_entity table, so all the info is there.
+ *
+ * @param mixed $guid GUID of an ElggObject or the stdClass object from entities table
+ *
+ * @return bool
+ * @throws InvalidClassException
+ */
+ protected function load($guid) {
+
+ $expected_attributes = $this->attributes;
+ unset($expected_attributes['tables_split']);
+ unset($expected_attributes['tables_loaded']);
+
+ // this was loaded with a full join
+ $needs_loaded = false;
+
+ if ($guid instanceof stdClass) {
+ $row = (array) $guid;
+ $missing_attributes = array_diff_key($expected_attributes, $row);
+ if ($missing_attributes) {
+ $needs_loaded = true;
+ $old_guid = $guid;
+ $guid = $row['guid'];
+ } else {
+ $this->attributes = $row;
+ }
+ } else {
+ $needs_loaded = true;
+ }
+
+ if ($needs_loaded) {
+ $entity = (array) get_entity_as_row($guid);
+ $object = (array) get_object_entity_as_row($guid);
+
+ if (!$entity || !$object) {
+ return false;
+ }
+
+ $this->attributes = array_merge($this->attributes, $entity, $object);
+ }
+
+ $this->attributes['tables_loaded'] = 2;
+
+ // Check the type
+ if ($this->attributes['type'] != 'object') {
+ $msg = elgg_echo('InvalidClassException:NotValidElggStar', array($guid, get_class()));
+ throw new InvalidClassException($msg);
+ }
+
+ // guid needs to be an int http://trac.elgg.org/ticket/4111
+ $this->attributes['guid'] = (int)$this->attributes['guid'];
+
+ // cache the entity
+ if ($this->attributes['guid']) {
+ cache_entity($this);
+ }
+
+ return true;
+ }
+
+ /**
* Save the plugin object. Make sure required values exist.
*
* @see ElggObject::save()
diff --git a/engine/lib/access.php b/engine/lib/access.php
index 6be252c6a..e8b3b0d52 100644
--- a/engine/lib/access.php
+++ b/engine/lib/access.php
@@ -31,7 +31,7 @@ function get_access_list($user_id = 0, $site_id = 0, $flush = false) {
global $CONFIG, $init_finished;
static $access_list;
- if (!isset($access_list) || !$init_finished) {
+ if (!isset($access_list)) {
$access_list = array();
}
@@ -49,9 +49,16 @@ function get_access_list($user_id = 0, $site_id = 0, $flush = false) {
return $access_list[$user_id];
}
- $access_list[$user_id] = "(" . implode(",", get_access_array($user_id, $site_id, $flush)) . ")";
+ $access = "(" . implode(",", get_access_array($user_id, $site_id, $flush)) . ")";
- return $access_list[$user_id];
+ // only cache if done with init and access is enabled (unless admin user)
+ // session is loaded before init is finished, so don't need to check for user session
+ if ($init_finished && (elgg_is_admin_logged_in() || !elgg_get_ignore_access())) {
+ $access_list[$user_id] = $access;
+ return $access_list[$user_id];
+ } else {
+ return $access;
+ }
}
/**
@@ -83,7 +90,7 @@ function get_access_array($user_id = 0, $site_id = 0, $flush = false) {
// this cache might be redundant. But db cache is flushed on every db write.
static $access_array;
- if (!isset($access_array) || (!isset($init_finished)) || (!$init_finished)) {
+ if (!isset($access_array)) {
$access_array = array();
}
@@ -137,12 +144,12 @@ function get_access_array($user_id = 0, $site_id = 0, $flush = false) {
$tmp_access_array[] = ACCESS_PRIVATE;
}
- $access_array[$user_id] = $tmp_access_array;
- } else {
- // No user id logged in so we can only access public info
- $tmp_return = $tmp_access_array;
+ // only cache if done with init and access is enabled (unless admin user)
+ // session is loaded before init is finished, so don't need to check for user session
+ if ($init_finished && (elgg_is_admin_logged_in() || !elgg_get_ignore_access())) {
+ $access_array[$user_id] = $tmp_access_array;
+ }
}
-
} else {
$tmp_access_array = $access_array[$user_id];
}
@@ -946,7 +953,8 @@ function elgg_get_access_object() {
*
* @global bool $init_finished
* @access private
- * @todo investigate why this is needed
+ * @todo This is required to tell the access system to start caching because
+ * calls are made while in ignore access mode and before the user is logged in.
*/
$init_finished = false;
@@ -1014,8 +1022,9 @@ function access_test($hook, $type, $value, $params) {
return $value;
}
-// This function will let us know when 'init' has finished
-elgg_register_event_handler('init', 'system', 'access_init', 9999);
+// Tell the access functions the system has booted, plugins are loaded,
+// and the user is logged in so it can start caching
+elgg_register_event_handler('ready', 'system', 'access_init');
// For overrided permissions
elgg_register_plugin_hook_handler('permissions_check', 'all', 'elgg_override_permissions');
diff --git a/engine/lib/annotations.php b/engine/lib/annotations.php
index f32dee0f0..2036ccd61 100644
--- a/engine/lib/annotations.php
+++ b/engine/lib/annotations.php
@@ -95,8 +95,6 @@ $owner_guid = 0, $access_id = ACCESS_PRIVATE) {
$entity = get_entity($entity_guid);
if (elgg_trigger_event('annotate', $entity->type, $entity)) {
- system_log($entity, 'annotate');
-
// If ok then add it
$result = insert_data("INSERT into {$CONFIG->dbprefix}annotations
(entity_guid, name_id, value_id, value_type, owner_guid, time_created, access_id) VALUES
@@ -222,7 +220,7 @@ function elgg_delete_annotations(array $options) {
}
$options['metastring_type'] = 'annotations';
- return elgg_batch_metastring_based_objects($options, 'elgg_batch_delete_callback');
+ return elgg_batch_metastring_based_objects($options, 'elgg_batch_delete_callback', false);
}
/**
@@ -240,7 +238,7 @@ function elgg_disable_annotations(array $options) {
}
$options['metastring_type'] = 'annotations';
- return elgg_batch_metastring_based_objects($options, 'elgg_batch_disable_callback');
+ return elgg_batch_metastring_based_objects($options, 'elgg_batch_disable_callback', false);
}
/**
diff --git a/engine/lib/languages.php b/engine/lib/languages.php
index bf6829a39..7a508d298 100644
--- a/engine/lib/languages.php
+++ b/engine/lib/languages.php
@@ -344,7 +344,7 @@ function get_missing_language_keys($language) {
*/
function elgg_languages_init() {
$lang = get_current_language();
- elgg_register_simplecache_view("cache/js/languages/$lang");
+ elgg_register_simplecache_view("js/languages/$lang");
}
elgg_register_event_handler('init', 'system', 'elgg_languages_init');
diff --git a/engine/lib/metadata.php b/engine/lib/metadata.php
index 34a36d86e..0ff3a43dc 100644
--- a/engine/lib/metadata.php
+++ b/engine/lib/metadata.php
@@ -297,6 +297,8 @@ function elgg_get_metadata(array $options = array()) {
* This requires at least one constraint: metadata_owner_guid(s),
* metadata_name(s), metadata_value(s), or guid(s) must be set.
*
+ * @warning This returns null on no ops.
+ *
* @param array $options An options array. {@see elgg_get_metadata()}
* @return mixed Null if the metadata name is invalid. Bool on success or fail.
* @since 1.8.0
@@ -307,8 +309,7 @@ function elgg_delete_metadata(array $options) {
}
$options['metastring_type'] = 'metadata';
- $result = elgg_batch_metastring_based_objects($options, 'elgg_batch_delete_callback');
- return $result;
+ return elgg_batch_metastring_based_objects($options, 'elgg_batch_delete_callback', false);
}
/**
@@ -316,6 +317,8 @@ function elgg_delete_metadata(array $options) {
*
* @warning Unlike elgg_get_metadata() this will not accept an empty options array!
*
+ * @warning This returns null on no ops.
+ *
* @param array $options An options array. {@See elgg_get_metadata()}
* @return mixed
* @since 1.8.0
@@ -326,7 +329,7 @@ function elgg_disable_metadata(array $options) {
}
$options['metastring_type'] = 'metadata';
- return elgg_batch_metastring_based_objects($options, 'elgg_batch_disable_callback');
+ return elgg_batch_metastring_based_objects($options, 'elgg_batch_disable_callback', false);
}
/**
@@ -334,6 +337,8 @@ function elgg_disable_metadata(array $options) {
*
* @warning Unlike elgg_get_metadata() this will not accept an empty options array!
*
+ * @warning This returns null on no ops.
+ *
* @param array $options An options array. {@See elgg_get_metadata()}
* @return mixed
* @since 1.8.0
diff --git a/engine/lib/metastrings.php b/engine/lib/metastrings.php
index d7cc4e0bc..cf6dd4d98 100644
--- a/engine/lib/metastrings.php
+++ b/engine/lib/metastrings.php
@@ -716,22 +716,23 @@ function elgg_set_metastring_based_object_enabled_by_id($id, $enabled, $type) {
* @warning Unlike elgg_get_metastring_based_objects() this will not accept an
* empty options array!
*
- * @param array $options An options array. {@See elgg_get_metastring_based_objects()}
- * @param string $callback The callback to pass each result through
- * @return mixed
+ * @warning This returns null on no ops.
+ *
+ * @param array $options An options array. {@See elgg_get_metastring_based_objects()}
+ * @param string $callback The callback to pass each result through
+ * @param bool $inc_offset Increment the offset? Pass false for callbacks that delete / disable
+ *
+ * @return bool|null true on success, false on failure, null if no objects are found.
* @since 1.8.0
* @access private
*/
-function elgg_batch_metastring_based_objects(array $options, $callback) {
+function elgg_batch_metastring_based_objects(array $options, $callback, $inc_offset = true) {
if (!$options || !is_array($options)) {
return false;
}
- // @todo restore once ElggBatch supports callbacks that delete rows.
- $batch = new ElggBatch('elgg_get_metastring_based_objects', $options, $callback, 50, false);
- $r = $batch->callbackResult;
-
- return $r;
+ $batch = new ElggBatch('elgg_get_metastring_based_objects', $options, $callback, 50, $inc_offset);
+ return $batch->callbackResult;
}
/**
diff --git a/engine/lib/plugins.php b/engine/lib/plugins.php
index 123fb18d8..39a76db5d 100644
--- a/engine/lib/plugins.php
+++ b/engine/lib/plugins.php
@@ -93,10 +93,13 @@ function elgg_get_plugin_ids_in_dir($dir = null) {
function elgg_generate_plugin_entities() {
$site = get_config('site');
$dir = elgg_get_plugins_path();
+ $db_prefix = elgg_get_config('dbprefix');
$options = array(
'type' => 'object',
'subtype' => 'plugin',
+ 'selects' => array('plugin_oe.*'),
+ 'joins' => array("JOIN {$db_prefix}objects_entity plugin_oe on plugin_oe.guid = e.guid"),
'limit' => ELGG_ENTITIES_NO_VALUE
);
@@ -352,7 +355,11 @@ function elgg_get_plugins($status = 'active', $site_guid = null) {
'type' => 'object',
'subtype' => 'plugin',
'limit' => ELGG_ENTITIES_NO_VALUE,
- 'joins' => array("JOIN {$db_prefix}private_settings ps on ps.entity_guid = e.guid"),
+ 'selects' => array('plugin_oe.*'),
+ 'joins' => array(
+ "JOIN {$db_prefix}private_settings ps on ps.entity_guid = e.guid",
+ "JOIN {$db_prefix}objects_entity plugin_oe on plugin_oe.guid = e.guid"
+ ),
'wheres' => array("ps.name = '$priority'"),
'order_by' => "CAST(ps.value as unsigned), e.guid"
);
diff --git a/engine/lib/users.php b/engine/lib/users.php
index 6a881777e..e209f2c38 100644
--- a/engine/lib/users.php
+++ b/engine/lib/users.php
@@ -1551,7 +1551,7 @@ function users_init() {
elgg_register_plugin_hook_handler('register', 'menu:user_hover', 'elgg_user_hover_menu');
elgg_register_action('register', '', 'public');
- elgg_register_action('useradd', '', 'public');
+ elgg_register_action('useradd', '', 'admin');
elgg_register_action('friends/add');
elgg_register_action('friends/remove');
elgg_register_action('avatar/upload');
diff --git a/engine/lib/views.php b/engine/lib/views.php
index ca0ce7196..1b013be6f 100644
--- a/engine/lib/views.php
+++ b/engine/lib/views.php
@@ -103,7 +103,10 @@ function elgg_get_viewtype() {
$viewtype = get_input('view', NULL);
if ($viewtype) {
- return $viewtype;
+ // only word characters allowed.
+ if (!preg_match('[\W]', $viewtype)) {
+ return $viewtype;
+ }
}
if (isset($CONFIG->view) && !empty($CONFIG->view)) {
diff --git a/engine/tests/api/metadata.php b/engine/tests/api/metadata.php
index be8ac269c..2461e975e 100644
--- a/engine/tests/api/metadata.php
+++ b/engine/tests/api/metadata.php
@@ -124,6 +124,80 @@ class ElggCoreMetadataAPITest extends ElggCoreUnitTest {
$e->delete();
}
+ // Make sure metadata with multiple values is correctly deleted when re-written
+ // by another user
+ // http://trac.elgg.org/ticket/2776
+ public function test_elgg_metadata_multiple_values() {
+ $u1 = new ElggUser();
+ $u1->username = rand();
+ $u1->save();
+
+ $u2 = new ElggUser();
+ $u2->username = rand();
+ $u2->save();
+
+ $obj = new ElggObject();
+ $obj->owner_guid = $u1->guid;
+ $obj->container_guid = $u1->guid;
+ $obj->access_id = ACCESS_PUBLIC;
+ $obj->save();
+
+ $md_values = array(
+ 'one',
+ 'two',
+ 'three'
+ );
+
+ // need to fake different logins.
+ // good times without mocking.
+ $original_user = elgg_get_logged_in_user_entity();
+ $_SESSION['user'] = $u1;
+
+ elgg_set_ignore_access(false);
+
+ // add metadata as one user
+ $obj->test = $md_values;
+
+ // check only these md exists
+ $db_prefix = elgg_get_config('dbprefix');
+ $q = "SELECT * FROM {$db_prefix}metadata WHERE entity_guid = $obj->guid";
+ $data = get_data($q);
+
+ $this->assertEqual(count($md_values), count($data));
+ foreach ($data as $md_row) {
+ $md = elgg_get_metadata_from_id($md_row->id);
+ $this->assertTrue(in_array($md->value, $md_values));
+ $this->assertEqual('test', $md->name);
+ }
+
+ // add md w/ same name as a different user
+ $_SESSION['user'] = $u2;
+ $md_values2 = array(
+ 'four',
+ 'five',
+ 'six',
+ 'seven'
+ );
+
+ $obj->test = $md_values2;
+
+ $q = "SELECT * FROM {$db_prefix}metadata WHERE entity_guid = $obj->guid";
+ $data = get_data($q);
+
+ $this->assertEqual(count($md_values2), count($data));
+ foreach ($data as $md_row) {
+ $md = elgg_get_metadata_from_id($md_row->id);
+ $this->assertTrue(in_array($md->value, $md_values2));
+ $this->assertEqual('test', $md->name);
+ }
+
+ $_SESSION['user'] = $original_user;
+
+ $obj->delete();
+ $u1->delete();
+ $u2->delete();
+ }
+
protected function create_metastring($string) {
global $CONFIG, $METASTRINGS_CACHE, $METASTRINGS_DEADNAME_CACHE;
diff --git a/engine/tests/objects/entities.php b/engine/tests/objects/entities.php
index a4dc7946c..248b85c9e 100644
--- a/engine/tests/objects/entities.php
+++ b/engine/tests/objects/entities.php
@@ -98,7 +98,7 @@ class ElggCoreEntityTest extends ElggCoreUnitTest {
// check internal metadata array
$metadata = $this->entity->expose_metadata();
- $this->assertIdentical($metadata['existent'], 'testing');
+ $this->assertIdentical($metadata['existent'], array('testing'));
}
public function testElggEnityGetAndSetAnnotations() {
diff --git a/languages/en.php b/languages/en.php
index e48f992d7..7b51b0c7d 100644
--- a/languages/en.php
+++ b/languages/en.php
@@ -667,7 +667,7 @@ $english = array(
/**
* Plugins
*/
- 'plugins:disabled' => 'Plugins are being loaded because a file named "disabled" is in the mod directory.',
+ 'plugins:disabled' => 'Plugins are not being loaded because a file named "disabled" is in the mod directory.',
'plugins:settings:save:ok' => "Settings for the %s plugin were saved successfully.",
'plugins:settings:save:fail' => "There was a problem saving settings for the %s plugin.",
'plugins:usersettings:save:ok' => "User settings for the %s plugin were saved successfully.",
diff --git a/mod/file/pages/file/download.php b/mod/file/pages/file/download.php
index 00e6d500e..76c1f1272 100644
--- a/mod/file/pages/file/download.php
+++ b/mod/file/pages/file/download.php
@@ -26,7 +26,7 @@ $filename = $file->originalfilename;
header("Pragma: public");
header("Content-type: $mime");
-if (strpos($mime, "image/") !== false) {
+if (strpos($mime, "image/") !== false || $mime == "application/pdf") {
header("Content-Disposition: inline; filename=\"$filename\"");
} else {
header("Content-Disposition: attachment; filename=\"$filename\"");
diff --git a/mod/pages/actions/pages/delete.php b/mod/pages/actions/pages/delete.php
index dfa0de98d..7a314a280 100644
--- a/mod/pages/actions/pages/delete.php
+++ b/mod/pages/actions/pages/delete.php
@@ -9,8 +9,9 @@
$guid = get_input('guid');
$page = get_entity($guid);
-if ($page) {
- if ($page->canEdit()) {
+if (elgg_instanceof($page, 'object', 'page') || elgg_instanceof($page, 'object', 'page_top')) {
+ // only allow owners and admin to delete
+ if (elgg_is_admin_logged_in() || elgg_get_logged_in_user_guid() == $page->getOwnerGuid()) {
$container = get_entity($page->container_guid);
// Bring all child elements forward
diff --git a/mod/pages/actions/pages/edit.php b/mod/pages/actions/pages/edit.php
index 6950d4b2f..a32e4a4ba 100644
--- a/mod/pages/actions/pages/edit.php
+++ b/mod/pages/actions/pages/edit.php
@@ -47,7 +47,19 @@ if ($page_guid) {
}
if (sizeof($input) > 0) {
+ // don't change access if not an owner/admin
+ $user = elgg_get_logged_in_user_entity();
+ $can_change_access = true;
+
+ if ($user && $page) {
+ $can_change_access = $user->isAdmin() || $user->getGUID() == $page->owner_guid;
+ }
+
foreach ($input as $name => $value) {
+ if (($name == 'access_id' || $name == 'write_access_id') && !$can_change_access) {
+ continue;
+ }
+
$page->$name = $value;
}
}
@@ -74,6 +86,6 @@ if ($page->save()) {
forward($page->getURL());
} else {
- register_error(elgg_echo('pages:error:no_save'));
+ register_error(elgg_echo('pages:error:notsaved'));
forward(REFERER);
}
diff --git a/mod/pages/lib/pages.php b/mod/pages/lib/pages.php
index 5c5323d6f..dbf7b8917 100644
--- a/mod/pages/lib/pages.php
+++ b/mod/pages/lib/pages.php
@@ -111,4 +111,4 @@ function pages_register_navigation_tree($container) {
}
}
}
-}
+} \ No newline at end of file
diff --git a/mod/pages/pages/pages/view.php b/mod/pages/pages/pages/view.php
index 5dfb76b55..81477a8d4 100644
--- a/mod/pages/pages/pages/view.php
+++ b/mod/pages/pages/pages/view.php
@@ -32,7 +32,7 @@ elgg_push_breadcrumb($title);
$content = elgg_view_entity($page, array('full_view' => true));
$content .= elgg_view_comments($page);
-if (elgg_get_logged_in_user_guid() == $page->getOwnerGuid()) {
+if (elgg_is_admin_logged_in() || elgg_get_logged_in_user_guid() == $page->getOwnerGuid()) {
$url = "pages/add/$page->guid";
elgg_register_menu_item('title', array(
'name' => 'subpage',
diff --git a/mod/pages/views/default/forms/pages/edit.php b/mod/pages/views/default/forms/pages/edit.php
index 20737a121..9469f5eb9 100644
--- a/mod/pages/views/default/forms/pages/edit.php
+++ b/mod/pages/views/default/forms/pages/edit.php
@@ -6,7 +6,18 @@
*/
$variables = elgg_get_config('pages');
+$user = elgg_get_logged_in_user_entity();
+$entity = elgg_extract('entity', $vars);
+$can_change_access = true;
+if ($user && $entity) {
+ $can_change_access = ($user->isAdmin() || $user->getGUID() == $entity->owner_guid);
+}
+
foreach ($variables as $name => $type) {
+ // don't show read / write access inputs for non-owners or admin when editing
+ if (($type == 'access' || $type == 'write_access') && !$can_change_access) {
+ continue;
+ }
?>
<div>
<label><?php echo elgg_echo("pages:$name") ?></label>
@@ -14,8 +25,8 @@ foreach ($variables as $name => $type) {
if ($type != 'longtext') {
echo '<br />';
}
- ?>
- <?php echo elgg_view("input/$type", array(
+
+ echo elgg_view("input/$type", array(
'name' => $name,
'value' => $vars[$name],
));
diff --git a/mod/twitter_api/lib/twitter_api.php b/mod/twitter_api/lib/twitter_api.php
index 355123992..fbce00d34 100644
--- a/mod/twitter_api/lib/twitter_api.php
+++ b/mod/twitter_api/lib/twitter_api.php
@@ -109,7 +109,7 @@ function twitter_api_login() {
$user = twitter_api_create_user($twitter);
$site_name = elgg_get_site_entity()->name;
system_message(elgg_echo('twitter_api:login:email', array($site_name)));
- $forward = "twitter_api/intersitial";
+ $forward = "twitter_api/interstitial";
}
// set twitter services tokens
diff --git a/upgrade.php b/upgrade.php
index 6f7126326..963523200 100644
--- a/upgrade.php
+++ b/upgrade.php
@@ -20,7 +20,8 @@ define('UPGRADING', 'upgrading');
require_once(dirname(__FILE__) . "/engine/start.php");
if (get_input('upgrade') == 'upgrade') {
- // disable the core system log for upgrades to avoid exceptions when the schema changes.
+ // disable the system log for upgrades to avoid exceptions when the schema changes.
+ elgg_unregister_event_handler('log', 'systemlog', 'system_log_default_logger');
elgg_unregister_event_handler('all', 'all', 'system_log_listener');
if (elgg_get_unprocessed_upgrades()) {
diff --git a/views/default/output/tagcloud.php b/views/default/output/tagcloud.php
index 22b6cf49d..a212becd8 100644
--- a/views/default/output/tagcloud.php
+++ b/views/default/output/tagcloud.php
@@ -47,9 +47,15 @@ if (!empty($vars['tagcloud']) && is_array($vars['tagcloud'])) {
if ($size < 100) {
$size = 100;
}
- $url = elgg_get_site_url()."search?q=". urlencode($tag->tag) . "&search_type=tags$type$subtype";
- $url = elgg_format_url($url);
- $cloud .= "<a href=\"$url\" style=\"font-size: $size%\" title=\"".addslashes($tag->tag)." ($tag->total)\">" . htmlspecialchars($tag->tag, ENT_QUOTES, 'UTF-8') . "</a>";
+ $url = "search?q=". urlencode($tag->tag) . "&search_type=tags$type$subtype";
+
+ $cloud .= elgg_view('output/url', array(
+ 'text' => $tag->tag,
+ 'href' => $url,
+ 'style' => "font-size: $size%;",
+ 'title' => "$tag->tag ($tag->total)",
+ 'rel' => 'tag'
+ ));
}
$cloud .= elgg_view('tagcloud/extend');
diff --git a/views/default/page/elements/comments.php b/views/default/page/elements/comments.php
index ebc7d3df5..cf9b5f08b 100644
--- a/views/default/page/elements/comments.php
+++ b/views/default/page/elements/comments.php
@@ -12,7 +12,7 @@ $show_add_form = elgg_extract('show_add_form', $vars, true);
$id = '';
if (isset($vars['id'])) {
- $id = "id =\"{$vars['id']}\"";
+ $id = "id=\"{$vars['id']}\"";
}
$class = 'elgg-comments';
diff --git a/views/default/river/elements/body.php b/views/default/river/elements/body.php
index 6894b81e2..2cd7f2289 100644
--- a/views/default/river/elements/body.php
+++ b/views/default/river/elements/body.php
@@ -18,7 +18,7 @@ $menu = elgg_view_menu('river', array(
));
// river item header
-$timestamp = elgg_get_friendly_time($item->getPostedTime());
+$timestamp = elgg_view_friendly_time($item->getPostedTime());
$summary = elgg_extract('summary', $vars, elgg_view('river/elements/summary', array('item' => $vars['item'])));
if ($summary === false) {