From 3850904d467fe0ca6cb8800a75f1b9e233bf8d90 Mon Sep 17 00:00:00 2001
From: marcus
Date: Mon, 6 Jul 2009 11:03:28 +0000
Subject: * Closes #1104: Edit profile and edit icon links on pulldown menu for editable users.
 * Closes #545: Admins are now able to edit profiles and icons of other users.
 * CSRF protection added to icon upload and edit code.
 * Version bump.

git-svn-id: https://code.elgg.org/elgg/trunk@3387 36083f99-b078-4883-b0ff-0f9b5a30f544
---
 mod/profile/actions/cropicon.php | 3 ++
 mod/profile/actions/edit.php | 5 +++-
 mod/profile/actions/iconupload.php | 36 +++++++++++++++--------
 mod/profile/editicon.php | 2 +-
 mod/profile/manifest.xml | 4 +--
 mod/profile/start.php | 31 ++++++++++++++-----
 mod/profile/views/default/profile/edit.php | 2 +-
 mod/profile/views/default/profile/editicon.php | 22 +++++++++-----
 mod/profile/views/default/profile/menu/links.php | 16 +++++++++-
 mod/profile/views/default/profile/userdetails.php | 2 +-
 10 files changed, 88 insertions(+), 35 deletions(-)
(limited to 'mod')
diff --git a/mod/profile/actions/cropicon.php b/mod/profile/actions/cropicon.php
index 5acf8a915..58f12a512 100644
--- a/mod/profile/actions/cropicon.php
+++ b/mod/profile/actions/cropicon.php
@@ -9,6 +9,9 @@
  * @copyright Curverider Ltd 2008-2009
  * @link http://elgg.com/
  */
+
+ gatekeeper();
+ action_gatekeeper();
  $x1 = (int) get_input('x_1',0);
  $y1 = (int) get_input('y_1',0);
diff --git a/mod/profile/actions/edit.php b/mod/profile/actions/edit.php
index 95a669a69..5092dbd8b 100644
--- a/mod/profile/actions/edit.php
+++ b/mod/profile/actions/edit.php
@@ -11,7 +11,10 @@
  */
  // Load configuration
- global $CONFIG;
+ global $CONFIG;
+
+ gatekeeper();
+ action_gatekeeper();
  // Get profile fields
  $input = array();
diff --git a/mod/profile/actions/iconupload.php b/mod/profile/actions/iconupload.php
index aec433bbd..3bfbe5ceb 100644
--- a/mod/profile/actions/iconupload.php
+++ b/mod/profile/actions/iconupload.php
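Review bot: The `gatekeeper(); action_gatekeeper();` pair added to cropicon.php and to actions/edit.php authenticates the caller and checks the CSRF token, but neither hunk shows a check that the caller may edit the profile being modified, and the diffstat (3 and 4 added lines) suggests nothing else in those files changed. iconupload.php in this same commit resolves the target with `$user = page_owner_entity();` (falling back to `$_SESSION['user']`) and requires `$user->canEdit()`, then forwards to `pg/profile/{username}/editicon/`; if cropicon.php still works on `$_SESSION['user']` below this hunk, an admin who uploaded an icon for another user would presumably crop their own icon instead. Suggest mirroring the iconupload pattern in both actions: `$user = page_owner_entity(); if (!$user) $user = $_SESSION['user'];` followed by a `canEdit()` test that rejects the request when it fails. The bodies of both actions continue outside the hunks, so this may already be handled further down; worth confirming.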
@@ -9,11 +9,21 @@
  * @copyright Curverider Ltd 2008-2009
  * @link http://elgg.com/
  */
-
+
+ gatekeeper();
+ action_gatekeeper();
+
+ $user = page_owner_entity();
+ if (!$user)
+ $user = $_SESSION['user'];
+
  // If we were given a correct icon
  if (
- isloggedin()
+ (isloggedin()) &&
+ ($user) &&
+ ($user->canEdit())
  ) {
+
  $topbar = get_resized_image_from_uploaded_file('profileicon',16,16, true);
  $tiny = get_resized_image_from_uploaded_file('profileicon',25,25, true);
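Review bot: The guard `(isloggedin()) && ($user) && ($user->canEdit())` never confirms that `$user` is a user entity: `page_owner_entity()` returns whatever entity owns the current page, and for a non-user owner that the caller can edit, the `"profile/" . $user->username . "large.jpg"` paths written later in this file would be built with an empty username under that entity's GUID. I'd make the fallback `if (!($user instanceof ElggUser)) $user = $_SESSION['user'];` and keep the `canEdit()` test as the authorization check. `isloggedin()` is presumably redundant here, since `gatekeeper()` at the top already deals with anonymous callers; the same redundant check guards the `forward($url)` in the last hunk of this file. The `if` body continues into the next hunk.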
@@ -28,40 +38,40 @@
  && $tiny !== false) {
  $filehandler = new ElggFile();
- $filehandler->owner_guid = $_SESSION['user']->getGUID();
- $filehandler->setFilename("profile/" . $_SESSION['user']->username . "large.jpg");
+ $filehandler->owner_guid = $user->getGUID();
+ $filehandler->setFilename("profile/" . $user->username . "large.jpg");
  $filehandler->open("write");
  $filehandler->write($large);
  $filehandler->close();
- $filehandler->setFilename("profile/" . $_SESSION['user']->username . "medium.jpg");
+ $filehandler->setFilename("profile/" . $user->username . "medium.jpg");
  $filehandler->open("write");
  $filehandler->write($medium);
  $filehandler->close();
- $filehandler->setFilename("profile/" . $_SESSION['user']->username . "small.jpg");
+ $filehandler->setFilename("profile/" . $user->username . "small.jpg");
  $filehandler->open("write");
  $filehandler->write($small);
  $filehandler->close();
- $filehandler->setFilename("profile/" . $_SESSION['user']->username . "tiny.jpg");
+ $filehandler->setFilename("profile/" . $user->username . "tiny.jpg");
  $filehandler->open("write");
  $filehandler->write($tiny);
  $filehandler->close();
- $filehandler->setFilename("profile/" . $_SESSION['user']->username . "topbar.jpg");
+ $filehandler->setFilename("profile/" . $user->username . "topbar.jpg");
  $filehandler->open("write");
  $filehandler->write($topbar);
  $filehandler->close();
- $filehandler->setFilename("profile/" . $_SESSION['user']->username . "master.jpg");
+ $filehandler->setFilename("profile/" . $user->username . "master.jpg");
  $filehandler->open("write");
  $filehandler->write($master);
  $filehandler->close();
- $_SESSION['user']->icontime = time();
+ $user->icontime = time();
  system_message(elgg_echo("profile:icon:uploaded"));
- trigger_elgg_event('profileiconupdate',$_SESSION['user']->type,$_SESSION['user']);
+ trigger_elgg_event('profileiconupdate',$user->type,$user);
  //add to river
- add_to_river('river/user/default/profileiconupdate','update',$_SESSION['user']->guid,$_SESSION['user']->guid);
+ add_to_river('river/user/default/profileiconupdate','update',$user->guid,$user->guid);
  } else {
  system_message(elgg_echo("profile:icon:notfound"));
@@ -75,7 +85,7 @@
  //forward the user back to the upload page to crop
- $url = "mod/profile/editicon.php";
+ $url = "pg/profile/{$user->username}/editicon/";
  if (isloggedin())
  forward($url);
diff --git a/mod/profile/editicon.php b/mod/profile/editicon.php
index 2471eb00e..b9e2b2e13 100644
--- a/mod/profile/editicon.php
+++ b/mod/profile/editicon.php
@@ -24,7 +24,7 @@
  // set title
  $area2 = elgg_view_title(elgg_echo('profile:createicon:header'));
- $area2 .= elgg_view("profile/editicon");
+ $area2 .= elgg_view("profile/editicon", array('user' => $page_owner));
  // Get the form and correct canvas area
  $body = elgg_view_layout("two_column_left_sidebar", '', $area2);
diff --git a/mod/profile/manifest.xml b/mod/profile/manifest.xml
index 3ddbb1c07..d67b15fd0 100644
--- a/mod/profile/manifest.xml
+++ b/mod/profile/manifest.xml
@@ -1,10 +1,10 @@
-
+
-
+
diff --git a/mod/profile/start.php b/mod/profile/start.php
index 3dd57c450..2b4d08c5d 100644
--- a/mod/profile/start.php
+++ b/mod/profile/start.php
@@ -67,11 +67,7 @@
  if (get_context() == "profile") extend_view('canvas_header/submenu','profile/submenu');
- //add submenu options
- if (get_context() == "profile") {
- add_submenu_item(elgg_echo('profile:editdetails'), $CONFIG->wwwroot . "mod/profile/edit.php");
- add_submenu_item(elgg_echo('profile:editicon'), $CONFIG->wwwroot . "mod/profile/editicon.php");
- }
+ // Extend context menu with admin links
  if (isadminloggedin())
@@ -146,7 +142,18 @@
  // The username should be the file we're getting
  if (isset($page[0])) {
  set_input('username',$page[0]);
- }
+ }
+ // Any sub pages?
+ if (isset($page[1])) {
+
+ switch ($page[1])
+ {
+ case 'edit' : include($CONFIG->pluginspath . "profile/edit.php"); break;
+ case 'editicon' : include($CONFIG->pluginspath . "profile/editicon.php"); break;
+
+ }
+ }
+
  // Include the standard profile index
  include($CONFIG->pluginspath . "profile/index.php");
@@ -165,7 +172,6 @@
  if (isset($page[0])) {
  switch ($page[0]) {
- case 'edit' :
  default: include($CONFIG->pluginspath . "profile/defaultprofile.php");
  }
  }
@@ -178,10 +184,19 @@
  */
  function profile_pagesetup() {
+ global $CONFIG;
  if (get_context() == 'admin' && isadminloggedin()) {
- global $CONFIG;
+ add_submenu_item(elgg_echo('profile:edit:default'), $CONFIG->wwwroot . 'pg/defaultprofile/edit/');
  }
+
+ //add submenu options
+ if (get_context() == "profile") {
+ $page_owner = page_owner_entity();
+
+ add_submenu_item(elgg_echo('profile:editdetails'), $CONFIG->wwwroot . "pg/profile/{$page_owner->username}/edit/");
+ add_submenu_item(elgg_echo('profile:editicon'), $CONFIG->wwwroot . "pg/profile/{$page_owner->username}/editicon/");
+ }
  }
  /**
diff --git a/mod/profile/views/default/profile/edit.php b/mod/profile/views/default/profile/edit.php
index e2eb8f5ce..b4d8162dd 100644
--- a/mod/profile/views/default/profile/edit.php
+++ b/mod/profile/views/default/profile/edit.php
@@ -16,7 +16,7 @@
 ?>
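Review bot: In the sub-page dispatch added at `@@ -146,7 +142,18 @@`, after `case 'edit'` or `case 'editicon'` includes its script the handler falls through to the existing `include($CONFIG->pluginspath . "profile/index.php")` a few lines below, so unless edit.php / editicon.php end the request themselves, the edit page and the standard profile page are presumably both emitted. Either return after each include (`case 'edit' : include($CONFIG->pluginspath . "profile/edit.php"); return;`) or put the index include in the `default` branch. The switch compares `$page[1]` against fixed literals and only ever includes a constant path, so no request-derived value reaches `include()`; that part is fine. The enclosing page handler function starts above this hunk.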
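Review bot: In `profile_pagesetup()` (hunk `@@ -178,10 +184,19 @@`) the new block dereferences `$page_owner->username` without checking that `page_owner_entity()` returned anything, and it adds the edit/editicon submenu links for every viewer of a profile page rather than only for those who may edit it, unlike `menu/links.php` in this same commit, which wraps its links in a `canEdit()` check. Suggest `$page_owner = page_owner_entity();` followed by `if ($page_owner && $page_owner->canEdit()) {` around the two `add_submenu_item` calls. The actions themselves are separately guarded, so this is a consistency and robustness issue rather than an authorization hole.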
- + profile, defined in profile/start.php for now */ - + + $currentuser = page_owner_entity(); + if (!$currentuser) + $currentuser=$_SESSION['user']; ?>
@@ -25,7 +28,7 @@ getIcon('medium');//$vars['url'] . "pg/icon/" . $_SESSION['user']->username . "/medium/" . $_SESSION['user']->icontime . ".jpg"; + $user_avatar = $currentuser->getIcon('medium'); echo "\"avatar\""; ?> @@ -33,7 +36,9 @@
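Review bot: `$user_avatar = $currentuser->getIcon('medium');` relies on `$currentuser`, which this view computes earlier from `page_owner_entity()` with a `$_SESSION['user']` fallback, even though mod/profile/editicon.php now passes the owner in explicitly as `$vars['user']`; reading `$vars['user']` here (and in the `getIcon('master')` line in the next hunk) keeps a single source of truth for which profile the form edits. If the fallback is kept, it should also confirm the entity is a user before `getIcon()` is called on it. The surrounding markup and the form's action attribute are outside what this hunk shows.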
- + + +


username . "/master/" . $_SESSION['user']->icontime . ".jpg"; + echo elgg_echo("profile:createicon:instructions"); + + //display the current user photo + + $user_master_image = $currentuser->getIcon('master');//$vars['url'] . "pg/icon/" . $currentuser->username . "/master/" . $currentuser->icontime . ".jpg"; ?>

@@ -121,7 +128,8 @@
-
+
+
diff --git a/mod/profile/views/default/profile/menu/links.php b/mod/profile/views/default/profile/menu/links.php
index ccbe5748f..0dbe48264 100644
--- a/mod/profile/views/default/profile/menu/links.php
+++ b/mod/profile/views/default/profile/menu/links.php
@@ -16,7 +16,21 @@

-

+

+ canEdit()) + { + ?> +

+ +

+

+ +

+

diff --git a/mod/profile/views/default/profile/userdetails.php b/mod/profile/views/default/profile/userdetails.php
index c9eb5d770..91c373910 100644
--- a/mod/profile/views/default/profile/userdetails.php
+++ b/mod/profile/views/default/profile/userdetails.php
@@ -63,7 +63,7 @@
 ?>

- +