From 6ba1737c22a002a71210fcd15ad36c3c2bc68402 Mon Sep 17 00:00:00 2001
From: brettp <brettp@36083f99-b078-4883-b0ff-0f9b5a30f544>
Date: Fri, 14 May 2010 16:27:08 +0000
Subject: merge -r5832:5898 from 1.7 to trunk.

git-svn-id: http://code.elgg.org/elgg/trunk@6055 36083f99-b078-4883-b0ff-0f9b5a30f544
---
 CHANGES.txt                          | 12 +++---
 engine/lib/actions.php               |  2 +-
 engine/lib/api.php                   |  6 ++-
 engine/lib/elgglib.php               | 39 ++++++++++++-------
 engine/lib/notification.php          | 72 ++++++++++++++++++++++++++++++++++++
 engine/lib/river2.php                |  6 ++-
 mod/invitefriends/actions/invite.php | 52 ++------------------------
 services/api/rest_api.php            |  6 ++-
 8 files changed, 122 insertions(+), 73 deletions(-)

diff --git a/CHANGES.txt b/CHANGES.txt
index 8a4288035..8509958b0 100644
--- a/CHANGES.txt
+++ b/CHANGES.txt
@@ -16,23 +16,24 @@ Version 1.8.0
 
 
 Version 1.7.1
-(??? from http://code.elgg.org/elgg/branches/1.7)
+(April 21, 2010 from http://code.elgg.org/elgg/branches/1.7)
 
  UI changes:
   * (Unused) tags field removed from external pages.
   * Languages fixes in groups.
   * Installation checks database settings before writing settings.php.
-  * Made the widgets more consistent in their UI
+  * Made the widgets more consistent in their UI.
 
  Bugfixes:
   * Pagination fixed.
-  * Profile icons fixed for CGI users who were seeing incorrect avatars.
+  * Profile icons fixed for PHP-CGI users who were seeing incorrect avatars.
   * Tag search works in groups and members.
   * Tag clouds correctly link to tag search.
   * RSS views added to search.
   * Wrapper function for get_entities() correctly rewrites container_guid to 
     owner_guid.
   * output/url correctly appends http:// again.
+  * full_url() urlencode()'s ' and " to avoid a security problem in IE.
   
  API changes:
   * Moved admin flag to users_entity table and added ElggUser->isAdmin(), 
@@ -43,8 +44,9 @@ Version 1.7.1
   * Tags lib updated to elgg_get_*() interface.
   * Can get entities based upon annotation/metadata owner_guid.
   * Moved friendly time and friendly title into overridable views.
-  * Added unregister_notification_handler()
-  * Added remove_widget_type()
+  * Added unregister_notification_handler().
+  * Added remove_widget_type().
+  * Search supports container_guid.
 
 
 Version 1.7.0
diff --git a/engine/lib/actions.php b/engine/lib/actions.php
index 304179828..66c2d9505 100644
--- a/engine/lib/actions.php
+++ b/engine/lib/actions.php
@@ -54,7 +54,7 @@ function action($action, $forwarder = "") {
 
 	if (isset($CONFIG->actions[$action])) {
 		if ((isadminloggedin()) || (!$CONFIG->actions[$action]['admin'])) {
-			if ($CONFIG->actions[$action]['public'] || $_SESSION['id'] != -1) {
+			if ($CONFIG->actions[$action]['public'] || get_loggedin_userid()) {
 
 				// Trigger action event TODO: This is only called before the primary action is called. We need to rethink actions for 1.5
 				$event_result = true;
diff --git a/engine/lib/api.php b/engine/lib/api.php
index 6b773138e..6707a7418 100644
--- a/engine/lib/api.php
+++ b/engine/lib/api.php
@@ -423,9 +423,11 @@ function authenticate_method($method) {
 		}
 	}
 
-	// check user authentication if required
+	$user_auth_result = pam_authenticate();
+
+	// check if user authentication is required
 	if ($API_METHODS[$method]["require_user_auth"] == true) {
-		if (pam_authenticate() == false) {
+		if ($user_auth_result == false) {
 			throw new APIException(elgg_echo('APIException:UserAuthenticationFailed'));
 		}
 	}
diff --git a/engine/lib/elgglib.php b/engine/lib/elgglib.php
index 78761c739..f6aae2b97 100644
--- a/engine/lib/elgglib.php
+++ b/engine/lib/elgglib.php
@@ -29,8 +29,15 @@ function forward($location = "") {
 			$location = $CONFIG->url . $location;
 		}
 
-		header("Location: {$location}");
-		exit;
+		// return new forward location or false to stop the forward or empty string to exit
+		$params = array('current_url' => $current_page, 'forward_url' => $location);
+		$location = trigger_plugin_hook('forward', 'system', $params, $location);
+		if ($location) {
+			header("Location: {$location}");
+			exit;
+		} else if ($location === '') {
+			exit;
+		}
 	}
 
 	return false;
@@ -568,7 +575,7 @@ function elgg_get_views($dir, $base) {
 }
 
 /**
- * @deprecated 1.7.  Use elgg_extend_view().
+ * @deprecated 1.7.  Use elgg_get_views().
  * @param $dir
  * @param $base
  */
@@ -1301,14 +1308,18 @@ function set_template_handler($function_name) {
 }
 
 /**
- * Extends a view by adding other views to be displayed at the same time.
+ * Extends a view.
  *
- * @param string $view The view to add to.
- * @param string $view_name The name of the view to extend
- * @param int $priority The priority, from 0 to 1000, to add at (lowest numbers will be displayed first)
+ * The addititional views are displayed before or after the primary view. 
+ * Priorities less than 500 are displayed before the primary view and 
+ * greater than 500 after. The default priority is 501. 
+ *
+ * @param string $view The view to extend.
+ * @param string $view_extension This view is added to $view
+ * @param int $priority The priority, from 0 to 1000, to add at (lowest numbers displayed first)
  * @param string $viewtype Not used
  */
-function elgg_extend_view($view, $view_name, $priority = 501, $viewtype = '') {
+function elgg_extend_view($view, $view_extension, $priority = 501, $viewtype = '') {
 	global $CONFIG;
 
 	if (!isset($CONFIG->views)) {
@@ -1327,7 +1338,7 @@ function elgg_extend_view($view, $view_name, $priority = 501, $viewtype = '') {
 		$priority++;
 	}
 
-	$CONFIG->views->extensions[$view][$priority] = "{$view_name}";
+	$CONFIG->views->extensions[$view][$priority] = "{$view_extension}";
 	ksort($CONFIG->views->extensions[$view]);
 }
 
@@ -1482,23 +1493,25 @@ function get_library_files($directory, $exceptions = array(), $list = array()) {
  * @param array $exceptions Array of filenames to ignore
  * @param array $list Array of files to append to
  * @param mixed $extensions Array of extensions to allow, NULL for all. (With a dot: array('.php'))
- * @return array
+ * @return array of filenames including $directory
  */
 function elgg_get_file_list($directory, $exceptions = array(), $list = array(), $extensions = NULL) {
+	$directory = sanitise_filepath($directory);
 	if ($handle = opendir($directory)) {
 		while (($file = readdir($handle)) !== FALSE) {
-			if (!is_file($file) || in_array($file, $exceptions)) {
+			if (!is_file($directory . $file) || in_array($file, $exceptions)) {
 				continue;
 			}
 
 			if (is_array($extensions)) {
 				if (in_array(strrchr($file, '.'), $extensions)) {
-					$list[] = $directory . "/" . $file;
+					$list[] = $directory . $file;
 				}
 			} else {
-				$list[] = $directory . "/" . $file;
+				$list[] = $directory . $file;
 			}
 		}
+		closedir($handle);
 	}
 
 	return $list;
diff --git a/engine/lib/notification.php b/engine/lib/notification.php
index 024881e0f..58e2a10f6 100644
--- a/engine/lib/notification.php
+++ b/engine/lib/notification.php
@@ -308,6 +308,78 @@ function email_notify_handler(ElggEntity $from, ElggUser $to, $subject, $message
 	return mail($to, $subject, wordwrap($message), $headers);
 }
 
+/**
+ * Send an email to any email address
+ *
+ * @param string $from Email address or string: "name <email>"
+ * @param string $to Email address or string: "name <email>"
+ * @param string $subject The subject of the message
+ * @param string $body The message body
+ * @param array $params Optional parameters (none used in this function)
+ * @return bool
+ */
+function elgg_send_email($from, $to, $subject, $body, array $params = NULL) {
+	global $CONFIG;
+
+	if (!$from) {
+		throw new NotificationException(sprintf(elgg_echo('NotificationException:NoEmailAddress'), 'from'));
+	}
+
+	if (!$to) {
+		throw new NotificationException(sprintf(elgg_echo('NotificationException:NoEmailAddress'), 'to'));
+	}
+
+	// return TRUE/FALSE to stop elgg_send_email() from sending
+	$mail_params = array(	'to' => $to,
+							'from' => $from,
+							'subject' => $subject,
+							'body' => $body,
+							'params' => $params);
+	$result = trigger_plugin_hook('email', 'system', $mail_params, NULL);
+	if ($result !== NULL) {
+		return $result;
+	}
+
+	$header_eol = "\r\n";
+	if (isset($CONFIG->broken_mta) && $CONFIG->broken_mta) {
+		// Allow non-RFC 2822 mail headers to support some broken MTAs
+		$header_eol = "\n";
+	}
+
+	// Windows is somewhat broken, so we use just address for to and from
+	if (strtolower(substr(PHP_OS, 0 , 3)) == 'win') {
+		// strip name from to and from
+		if (strpos($to, '<')) {
+			preg_match('/<(.*)>/', $to, $matches);
+			$to = $matches[1];
+		}
+		if (strpos($from, '<')) {
+			preg_match('/<(.*)>/', $from, $matches);
+			$from = $matches[1];
+		}
+	}
+
+	$headers = "From: $from{$header_eol}"
+		. "Content-Type: text/plain; charset=UTF-8; format=flowed{$header_eol}"
+		. "MIME-Version: 1.0{$header_eol}"
+		. "Content-Transfer-Encoding: 8bit{$header_eol}";
+
+
+	// Sanitise subject by stripping line endings
+	$subject = preg_replace("/(\r\n|\r|\n)/", " ", $subject);
+	if (is_callable('mb_encode_mimeheader')) {
+		$subject = mb_encode_mimeheader($subject,"UTF-8", "B");
+	}
+
+	// Format message
+	$message = html_entity_decode($body, ENT_COMPAT, 'UTF-8'); // Decode any html entities
+	$message = strip_tags($body); // Strip tags from message
+	$message = preg_replace("/(\r\n|\r)/", "\n", $body); // Convert to unix line endings in body
+	$message = preg_replace("/^From/", ">From", $body); // Change lines starting with From to >From
+
+	return mail($to, $subject, wordwrap($body), $headers);
+}
+
 /**
  * Correctly initialise notifications and register the email handler.
  *
diff --git a/engine/lib/river2.php b/engine/lib/river2.php
index 8e015ea0d..8fb20ac40 100644
--- a/engine/lib/river2.php
+++ b/engine/lib/river2.php
@@ -374,8 +374,10 @@ function elgg_get_river_items($subject_guid = 0, $object_guid = 0, $subject_rela
 function elgg_view_river_item($item) {
 	if (isset($item->view)) {
 		$object = get_entity($item->object_guid);
-		if (!$object) {
-			$body = elgg_view('river/item/noaccess');
+		$subject = get_entity($item->subject_guid);
+		if (!$object || !$subject) {
+			// probably means an entity is disabled
+			return false;
 		} else {
 			if (elgg_view_exists($item->view)) {
 				$body = elgg_view($item->view,array(
diff --git a/mod/invitefriends/actions/invite.php b/mod/invitefriends/actions/invite.php
index 7e0bd54b8..66902606a 100644
--- a/mod/invitefriends/actions/invite.php
+++ b/mod/invitefriends/actions/invite.php
@@ -51,59 +51,17 @@
 							$link
 						);
 
-		// **** this should be replaced by a core function for sending emails to people who are not members
+		$subject = sprintf(elgg_echo('invitefriends:subject'), $CONFIG->site->name);
+
+		// create the from address
 		$site = get_entity($CONFIG->site_guid);
-		// If there's an email address, use it - but only if its not from a user.
 		if (($site) && (isset($site->email))) {
-			// Has the current site got a from email address?
 			$from = $site->email;
-		} else if (isset($from->url))  {
-			// If we have a url then try and use that.
-			$breakdown = parse_url($from->url);
-			$from = 'noreply@' . $breakdown['host']; // Handle anything with a url
 		} else {
-			// If all else fails, use the domain of the site.
 			$from = 'noreply@' . get_site_domain($CONFIG->site_guid);
 		}
-	
-		if (is_callable('mb_internal_encoding')) {
-			mb_internal_encoding('UTF-8');
-		}
-		$site = get_entity($CONFIG->site_guid);
-		$sitename = $site->name;
-		if (is_callable('mb_encode_mimeheader')) {
-			$sitename = mb_encode_mimeheader($site->name,"UTF-8", "B");
-		}
-	
-		$header_eol = "\r\n";
-		if ((isset($CONFIG->broken_mta)) && ($CONFIG->broken_mta)) {
-			// Allow non-RFC 2822 mail headers to support some broken MTAs
-			$header_eol = "\n";
-		}
-	
-		$from_email = "\"$sitename\" <$from>";
-		if (strtolower(substr(PHP_OS, 0 , 3)) == 'win') {
-			// Windows is somewhat broken, so we use a different format from header
-			$from_email = "$from";
-		}
-	
-		$headers = "From: $from_email{$header_eol}"
-			. "Content-Type: text/plain; charset=UTF-8; format=flowed{$header_eol}"
-			. "MIME-Version: 1.0{$header_eol}"
-			. "Content-Transfer-Encoding: 8bit{$header_eol}";
-	
-		$subject = sprintf(elgg_echo('invitefriends:subject'), $CONFIG->site->name);
-		if (is_callable('mb_encode_mimeheader')) {
-			$subject = mb_encode_mimeheader($subject,"UTF-8", "B");
-		}
-	
-		// Format message
-		$message = html_entity_decode($message, ENT_COMPAT, 'UTF-8'); // Decode any html entities
-		$message = strip_tags($message); // Strip tags from message
-		$message = preg_replace("/(\r\n|\r)/", "\n", $message); // Convert to unix line endings in body
-		$message = preg_replace("/^From/", ">From", $message); // Change lines starting with From to >From
 
-		mail($email, $subject, wordwrap($message), $headers);							
+		elgg_send_email($from, $email, $subject, $message);
 	}
 
 	if ($error) {
@@ -113,5 +71,3 @@
 	}
 
 	forward($_SERVER['HTTP_REFERER']);
-
-?>
diff --git a/services/api/rest_api.php b/services/api/rest_api.php
index 4d3e39aaa..1ef8b729e 100644
--- a/services/api/rest_api.php
+++ b/services/api/rest_api.php
@@ -29,8 +29,10 @@ if ((isset($CONFIG->disable_api)) && ($CONFIG->disable_api == true)) {
 
 // plugins should return true to control what API and user authentication handlers are registered
 if (trigger_plugin_hook('rest', 'init', null, false) == false) {	
-	// check session - this usually means a REST call from a web browser
-	register_pam_handler('pam_auth_session');
+	// for testing from a web browser, you can use the session PAM
+	// do not use for production sites!!
+	//register_pam_handler('pam_auth_session');
+
 	// user token can also be used for user authentication
 	register_pam_handler('pam_auth_usertoken');
 
-- 
cgit v1.2.3