From 9bda5425d8a1e33ce42ea11de12918706768c39b Mon Sep 17 00:00:00 2001
From: Cash Costello
Date: Sat, 23 Feb 2013 08:05:01 -0500
Subject: Fixes #5126 forwards on attempts to access someone else's settings page

---
 pages/settings/account.php | 3 ++-
 pages/settings/statistics.php | 3 ++-
 pages/settings/tools.php | 5 +++--
 3 files changed, 7 insertions(+), 4 deletions(-)
(limited to 'pages')

diff --git a/pages/settings/account.php b/pages/settings/account.php
index 1bf71973b..962e1fc37 100644
--- a/pages/settings/account.php
+++ b/pages/settings/account.php
@@ -11,7 +11,8 @@ gatekeeper();
 
 // Make sure we don't open a security hole ...
 if ((!elgg_get_page_owner_entity()) || (!elgg_get_page_owner_entity()->canEdit())) {
-	elgg_set_page_owner_guid(elgg_get_logged_in_user_guid());
+	register_error(elgg_echo('noaccess'));
+	forward('/');
 }
 
 $title = elgg_echo('usersettings:user');
diff --git a/pages/settings/statistics.php b/pages/settings/statistics.php
index 9df71ec5e..9dcc9211d 100644
--- a/pages/settings/statistics.php
+++ b/pages/settings/statistics.php
@@ -11,7 +11,8 @@ gatekeeper();
 
 // Make sure we don't open a security hole ...
 if ((!elgg_get_page_owner_entity()) || (!elgg_get_page_owner_entity()->canEdit())) {
-	elgg_set_page_owner_guid(elgg_get_logged_in_user_guid());
+	register_error(elgg_echo('noaccess'));
+	forward('/');
 }
 
 $title = elgg_echo("usersettings:statistics");
diff --git a/pages/settings/tools.php b/pages/settings/tools.php
index daf381728..ed6b941c0 100644
--- a/pages/settings/tools.php
+++ b/pages/settings/tools.php
@@ -6,12 +6,13 @@
  * @subpackage Core
  */
 
-// Make sure only valid users can see this
+// Only logged in users
 gatekeeper();
 
 // Make sure we don't open a security hole ...
 if ((!elgg_get_page_owner_entity()) || (!elgg_get_page_owner_entity()->canEdit())) {
-	elgg_set_page_owner_guid(elgg_get_logged_in_user_guid());
+	register_error(elgg_echo('noaccess'));
+	forward('/');
 }
 
 $title = elgg_echo("usersettings:plugins");
-- 
cgit v1.2.3
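Review bot: The guard added in the account.php hunk (and identically in the statistics.php and tools.php hunks of this commit) relies on `forward('/')` terminating the request, yet nothing below it re-checks the owner, so the page would go on to render `$title` and the settings forms for an entity the viewer cannot edit if execution ever continued. In the Elgg 1.8 implementation as I recall it, a plugin's `forward` hook can return a falsy value that skips both the redirect and the exit, so either an `exit;` directly after `forward('/');` or a comment such as `// forward() ends the request; nothing below runs for a non-owner` would make the intent explicit. A smaller style point: `elgg_get_page_owner_entity()` is evaluated twice in the condition; `$owner = elgg_get_page_owner_entity();` followed by `if (!$owner || !$owner->canEdit()) {` is clearer and avoids the second lookup. The page script continues past the end of each hunk.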
From dd9df95001f5293e7a3a93a365c64842fe3650e4 Mon Sep 17 00:00:00 2001
From: Steve Clay
Date: Wed, 29 May 2013 13:13:16 -0400
Subject: Fix avatar edit permissions (by Jerôme Bakker)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 actions/avatar/remove.php | 52 ++++++++++++++++++++++++-----------------------
 languages/en.php | 1 +
 pages/avatar/edit.php | 5 +++++
 3 files changed, 33 insertions(+), 25 deletions(-)
(limited to 'pages')

diff --git a/actions/avatar/remove.php b/actions/avatar/remove.php
index cd38e456a..9cb40a760 100644
--- a/actions/avatar/remove.php
+++ b/actions/avatar/remove.php
@@ -3,32 +3,34 @@
  * Avatar remove action
  */
 
-$guid = get_input('guid');
-$user = get_entity($guid);
-if ($user) {
-	// Delete all icons from diskspace
-	$icon_sizes = elgg_get_config('icon_sizes');
-	foreach ($icon_sizes as $name => $size_info) {
-		$file = new ElggFile();
-		$file->owner_guid = $guid;
-		$file->setFilename("profile/{$guid}{$name}.jpg");
-		$filepath = $file->getFilenameOnFilestore();
-		if (!$file->delete()) {
-			elgg_log("Avatar file remove failed. Remove $filepath manually, please.", 'WARNING');
-		}
-	}
-
-	// Remove crop coords
-	unset($user->x1);
-	unset($user->x2);
-	unset($user->y1);
-	unset($user->y2);
-
-	// Remove icon
-	unset($user->icontime);
-	system_message(elgg_echo('avatar:remove:success'));
-} else {
+$user_guid = get_input('guid');
+$user = get_user($user_guid);
+
+if (!$user || !$user->canEdit()) {
 	register_error(elgg_echo('avatar:remove:fail'));
+	forward(REFERER);
 }
 
+// Delete all icons from diskspace
+$icon_sizes = elgg_get_config('icon_sizes');
+foreach ($icon_sizes as $name => $size_info) {
+	$file = new ElggFile();
+	$file->owner_guid = $user_guid;
+	$file->setFilename("profile/{$user_guid}{$name}.jpg");
+	$filepath = $file->getFilenameOnFilestore();
+	if (!$file->delete()) {
+		elgg_log("Avatar file remove failed. Remove $filepath manually, please.", 'WARNING');
+	}
+}
+
+// Remove crop coords
+unset($user->x1);
+unset($user->x2);
+unset($user->y1);
+unset($user->y2);
+
+// Remove icon
+unset($user->icontime);
+
+system_message(elgg_echo('avatar:remove:success'));
 forward(REFERER);
diff --git a/languages/en.php b/languages/en.php
index be86e12e6..49e366484 100644
--- a/languages/en.php
+++ b/languages/en.php
@@ -359,6 +359,7 @@ $english = array(
 	'friendspicker:chararray' => 'ABCDEFGHIJKLMNOPQRSTUVWXYZ',
 
 	'avatar' => 'Avatar',
+	'avatar:noaccess' => "You're not allowed to edit this user's avatar",
 	'avatar:create' => 'Create your avatar',
 	'avatar:edit' => 'Edit avatar',
 	'avatar:preview' => 'Preview',
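Review bot: The filestore path built on the `$file->setFilename("profile/{$user_guid}{$name}.jpg")` line still interpolates the raw `get_input('guid')` value, even though the guard a few lines up has already resolved it to `$user`; using the entity's own identifier, `$file->owner_guid = $user->guid;` and `$file->setFilename("profile/{$user->guid}{$name}.jpg");`, keeps request input out of the filename and out of the `$filepath` that is written to the log when `delete()` fails. The `canEdit()` test is the right check, and putting the whole action behind it is a clear improvement over the old `get_entity()` path, which accepted any entity type. The failure branch's `forward(REFERER)` is assumed to end the request and nothing after it re-checks `$user`, so that assumption deserves a one-line comment such as `// forward() does not return; the deletion below only runs for an editable user`.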
diff --git a/pages/avatar/edit.php b/pages/avatar/edit.php
index c71633b8b..56aede887 100644
--- a/pages/avatar/edit.php
+++ b/pages/avatar/edit.php
@@ -11,6 +11,11 @@ elgg_set_context('profile_edit');
 
 $title = elgg_echo('avatar:edit');
 $entity = elgg_get_page_owner_entity();
+if (!elgg_instanceof($entity, 'user') || !$entity->canEdit()) {
+	register_error(elgg_echo('avatar:noaccess'));
+	forward(REFERER);
+}
+
 $content = elgg_view('core/avatar/upload', array('entity' => $entity));
 
 // only offer the crop view if an avatar has been uploaded
-- 
cgit v1.2.3

From 731b7bdde4790d2bfd565eb2d9c847f4adedf4b4 Mon Sep 17 00:00:00 2001
From: Cash Costello
Date: Wed, 12 Jun 2013 21:09:03 -0400
Subject: Refs #5487 account related pages use walled garden now

---
 pages/account/forgotten_password.php | 11 ++++++++---
 pages/account/login.php | 14 +++++++++++---
 pages/account/register.php | 11 ++++++++---
 pages/account/reset_password.php | 11 ++++++++---
 4 files changed, 35 insertions(+), 12 deletions(-)
(limited to 'pages')

diff --git a/pages/account/forgotten_password.php b/pages/account/forgotten_password.php
index bf6ef87e0..f464f98c9 100644
--- a/pages/account/forgotten_password.php
+++ b/pages/account/forgotten_password.php
@@ -17,6 +17,11 @@ $content .= elgg_view_form('user/requestnewpassword', array(
 	'class' => 'elgg-form-account',
 ));
 
-$body = elgg_view_layout("one_column", array('content' => $content));
-
-echo elgg_view_page($title, $body);
+if (elgg_get_config('walled_garden')) {
+	elgg_load_css('elgg.walled_garden');
+	$body = elgg_view_layout('walled_garden', array('content' => $content));
+	echo elgg_view_page($title, $body, 'walled_garden');
+} else {
+	$body = elgg_view_layout('one_column', array('content' => $content));
+	echo elgg_view_page($title, $body);
+}
diff --git a/pages/account/login.php b/pages/account/login.php
index 14f65cc3f..6aa3752d0 100644
--- a/pages/account/login.php
+++ b/pages/account/login.php
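Review bot: The new guard's `forward(REFERER)` depends on the browser having sent a Referer header; on a direct visit to this page (typed URL, bookmark, or a client that strips referers) there is none, and I cannot tell from the hunk what destination the redirect falls back to in that case. The settings pages changed earlier in this series use `forward('/')` for the same owner check, so `forward('/');` here would give a fixed destination and keep the two guards consistent. The ordering is otherwise right: `$entity` is fetched and checked before `elgg_view('core/avatar/upload', ...)` is rendered with it.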
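Review bot: The walled-garden/one-column branch added at the end of forgotten_password.php is repeated verbatim in the login.php, register.php and reset_password.php hunks of this commit, so the CSS handle `'elgg.walled_garden'`, the layout name and the `'walled_garden'` page-shell argument now live in four places. Extracting the branch into a single helper that takes `$title` and `$content`, makes the `elgg_get_config('walled_garden')` choice and performs the `echo` would leave each page with one call; no such helper exists on this page, so the name is the author's to choose. Until then, a short comment above the condition such as `// walled garden sites render the account pages with the walled_garden shell and stylesheet` would tell the next reader why these four pages bypass the normal layout.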
@@ -15,6 +15,14 @@ if (elgg_is_logged_in()) {
 	forward('');
 }
 
-$login_box = elgg_view('core/account/login_box');
-$content = elgg_view_layout('one_column', array('content' => $login_box));
-echo elgg_view_page(elgg_echo('login'), $content);
+$title = elgg_echo('login');
+$content = elgg_view('core/account/login_box');
+
+if (elgg_get_config('walled_garden')) {
+	elgg_load_css('elgg.walled_garden');
+	$body = elgg_view_layout('walled_garden', array('content' => $content));
+	echo elgg_view_page($title, $body, 'walled_garden');
+} else {
+	$body = elgg_view_layout('one_column', array('content' => $content));
+	echo elgg_view_page($title, $body);
+}
diff --git a/pages/account/register.php b/pages/account/register.php
index cf18a635b..2fe8b74c0 100644
--- a/pages/account/register.php
+++ b/pages/account/register.php
@@ -48,6 +48,11 @@ $content .= elgg_view_form('register', $form_params, $body_params);
 
 $content .= elgg_view('help/register');
 
-$body = elgg_view_layout("one_column", array('content' => $content));
-
-echo elgg_view_page($title, $body);
+if (elgg_get_config('walled_garden')) {
+	elgg_load_css('elgg.walled_garden');
+	$body = elgg_view_layout('walled_garden', array('content' => $content));
+	echo elgg_view_page($title, $body, 'walled_garden');
+} else {
+	$body = elgg_view_layout('one_column', array('content' => $content));
+	echo elgg_view_page($title, $body);
+}
diff --git a/pages/account/reset_password.php b/pages/account/reset_password.php
index 6515bfc5d..3ab8ccf3e 100644
--- a/pages/account/reset_password.php
+++ b/pages/account/reset_password.php
@@ -30,6 +30,11 @@ $form = elgg_view_form('user/passwordreset', array('class' => 'elgg-form-account
 $title = elgg_echo('resetpassword');
 $content = elgg_view_title(elgg_echo('resetpassword')) . $form;
 
-$body = elgg_view_layout('one_column', array('content' => $content));
-
-echo elgg_view_page($title, $body);
+if (elgg_get_config('walled_garden')) {
+	elgg_load_css('elgg.walled_garden');
+	$body = elgg_view_layout('walled_garden', array('content' => $content));
+	echo elgg_view_page($title, $body, 'walled_garden');
+} else {
+	$body = elgg_view_layout('one_column', array('content' => $content));
+	echo elgg_view_page($title, $body);
+}
-- 
cgit v1.2.3

From aa3b8ac53fb0f761061ca8ac713427daa5186750 Mon Sep 17 00:00:00 2001
From: Jerome Bakker
Date: Tue, 16 Jul 2013 11:38:58 +0200
Subject: changed: page title now matches the document title

---
 pages/river.php | 1 +
 1 file changed, 1 insertion(+)
(limited to 'pages')

diff --git a/pages/river.php b/pages/river.php
index 0e1511334..801d9f664 100644
--- a/pages/river.php
+++ b/pages/river.php
@@ -49,6 +49,7 @@ $content = elgg_view('core/river/filter', array('selector' => $selector));
 $sidebar = elgg_view('core/river/sidebar');
 
 $params = array(
+	'title' => $title,
 	'content' => $content . $activity,
 	'sidebar' => $sidebar,
 	'filter_context' => $page_filter,
-- 
cgit v1.2.3