we're not relying on overriding url::site() to do tricks around item
urls. This means that you won't get item urls by doing
url::site("albums/37"), for example, but it also means that we won't
get pretty urls where we don't expect them (like in the action of a
<form> element).
Incidentally, this will help us move over to using the slug format
because if you've got a bad character in a url, the edit forms will
now work on it since they'll be id based.
don't break encapsulation. In the logout controller, don't run the
url through url::redirect because that uses url::site(). Just set the
Location header directly.
This fixes ticket #483.
based on the uri. Then use this helper method in logout.php to insure that
the guest user has access to the "continue" uri. If they don't redirect to
the root album and let it deal with access issues.
Signed-off-by: Tim Almdal <tnalmdal@shaw.ca>
and verifying user permissions, but there are several above-the-bar
changes:
1) Server add is now only available to admins. This is a hard
requirement because we have to limit server access (eg:
server_add::children) to a user subset and the current permission
model doesn't include that. Easiest fix is to restrict to admins.
Got rid of the server_add permission.
2) We now know check permissions at every level, which means in
controllers AND in helpers. This "belt and suspenders" approach will
give us defense in depth in case we overlook it in one area.
3) We now do CSRF checking in every controller method that changes the
code, in addition to the Forge auto-check. Again, defense in depth
and it makes scanning the code for security much simpler.
4) Moved Simple_Uploader_Controller::convert_filename_to_title to
item:convert_filename_to_title
5) Fixed a bug in sending notification emails.
6) Fixed the Organize code to verify that you only have access to your
own tasks. In general, added permission checks to organize which had
pretty much no validation code.
I did my best to verify every feature that I touched.
- And refactor printf to our string interpolation / pluralization syntax
- Also, a slight change to the translations_incomings table, using binary(16) instead of char(32) as message key.
1) they now have their own matching severity constants
2) they both have convenience functions success(), info(), warning() and error()
3) they both have severity_class()
convention. To respond to the "photo_created" event in the gmaps
module, you create modules/gmaps/helpers/gmaps_event.php containing
class gmaps_event which has function photo_created.
Renamed all events from gallery.foo.bar to foo_bar
Updated tag module to use new convention.
* Remove user registration link and popup from the theme; this
shouldn't be done in a popup. Use ajaxform to simplify the way
that we load the login popup.
* Create form.html.php, this is a template for Forge based forms.
* Move user validation rules into User_Model and let forms
populate the rules into their forms as useful.
* Undo r18688's changes regarding the REST code. We should never
accept a null resource, this breaks the REST abstraction.
* Change login and user controllers to use Forge which lets us delete
login.html.php and user.html.php since those now are generated by
the theme-owned form template
