mbirth/LuckyCoinkydink
1
0
Fork 0
Code Issues Pull Requests Activity

Fix missing perm checks for a "standard user" in MediaLibrary

Browse Source 
We still have the issue that we have set authorID 0 as the standard authorid in ML. This prevents us being more strict than this.
We will have to re-think this, maybe...

References #385
This commit is contained in:
Ian 2016-02-03 15:47:04 +01:00
parent 3fe8959d00
commit 227d115d71
4 changed files with 17 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
docs/NEWS
View File

@ -1,6 +1,8 @@
Version 2.1 () Version 2.1 ()
------------------------------------------------------------------------ ------------------------------------------------------------------------
* Fix missing perm checks for "standard user" in MediaLibrary
* Fix show Dashboard entries by authors entries * Fix show Dashboard entries by authors entries
* Fix show Dashboard comments by authors entries (#385) * Fix show Dashboard comments by authors entries (#385)

5
include/admin/images.inc.php
View File

@ -120,7 +120,7 @@ switch ($serendipity['GET']['adminAction']) {
break; break;
case 'multidelete': case 'multidelete':
if (!serendipity_checkFormToken()) { if (!serendipity_checkFormToken() || !serendipity_checkPermission('adminImagesDirectories')) {
return; // blank content page, but default token check parameter is presenting a XSRF message when false return; // blank content page, but default token check parameter is presenting a XSRF message when false
} }
if (!is_array($serendipity['POST']['multiDelete']) && isset($_POST['toggle_move'])) { if (!is_array($serendipity['POST']['multiDelete']) && isset($_POST['toggle_move'])) {
@ -635,7 +635,8 @@ switch ($serendipity['GET']['adminAction']) {
'maxImgHeight' => $serendipity['maxImgHeight'], 'maxImgHeight' => $serendipity['maxImgHeight'],
'maxImgWidth' => $serendipity['maxImgWidth'], 'maxImgWidth' => $serendipity['maxImgWidth'],
'extraParems' => serendipity_generateImageSelectorParems(), 'extraParems' => serendipity_generateImageSelectorParems(),
'manage' => isset($serendipity['GET']['showMediaToolbar']) ? serendipity_db_bool($serendipity['GET']['showMediaToolbar']) : true 'manage' => isset($serendipity['GET']['showMediaToolbar']) ? serendipity_db_bool($serendipity['GET']['showMediaToolbar']) : true,
'multiperm' => serendipity_checkPermission('adminImagesDirectories')
); );
// ToDo later: merge $data and $media // ToDo later: merge $data and $media
$serendipity['smarty']->assign('media', $mediaFiles); $serendipity['smarty']->assign('media', $mediaFiles);

16
templates/2k11/admin/media_items.tpl
View File

@ -60,9 +60,9 @@
{$link="?serendipity[adminModule]=images&serendipity[adminAction]=choose&serendipity[noBanner]=true&serendipity[noSidebar]=true&serendipity[noFooter]=true&serendipity[fid]={$file.id}&serendipity[filename_only]={$media.filename_only}&serendipity[textarea]={$media.textarea}&serendipity[htmltarget]={$media.htmltarget}"} {$link="?serendipity[adminModule]=images&serendipity[adminAction]=choose&serendipity[noBanner]=true&serendipity[noSidebar]=true&serendipity[noFooter]=true&serendipity[fid]={$file.id}&serendipity[filename_only]={$media.filename_only}&serendipity[textarea]={$media.textarea}&serendipity[htmltarget]={$media.htmltarget}"}
{/if} {/if}
<article id="media_{$file.id}" class="media_file {if $media.manage}manage {/if}{cycle values="odd,even"}"> <article id="media_{$file.id}" class="media_file {if $media.manage AND $media.multiperm}manage {/if}{cycle values="odd,even"}">
<header class="clearfix"> <header class="clearfix">
{if $media.manage} {if $media.manage AND $media.multiperm}
<div class="form_check"> <div class="form_check">
<input id="multidelete_image{$file.id}" class="multidelete" name="serendipity[multiDelete][]" type="checkbox" value="{$file.id}" data-multidelid="media_{$file.id}"> <input id="multidelete_image{$file.id}" class="multidelete" name="serendipity[multiDelete][]" type="checkbox" value="{$file.id}" data-multidelid="media_{$file.id}">
@ -77,7 +77,7 @@
<div class="clearfix equal_heights media_file_wrap"> <div class="clearfix equal_heights media_file_wrap">
<div class="media_file_preview"> <div class="media_file_preview">
<a {if $media.manage}class="media_fullsize"{/if} href="{$link}" title="{$CONST.MEDIA_FULLSIZE}: {$file.realname}" data-pwidth="{$file.popupWidth}" data-pheight="{$file.popupHeight}"> <a {if $media.manage AND $media.multiperm}class="media_fullsize"{/if} href="{$link}" title="{$CONST.MEDIA_FULLSIZE}: {$file.realname}" data-pwidth="{$file.popupWidth}" data-pheight="{$file.popupHeight}">
<img src="{$img_src}" title="{$img_title}" alt="{$img_alt}"> <img src="{$img_src}" title="{$img_title}" alt="{$img_alt}">
</a> </a>
<footer id="media_file_meta_{$file.id}" class="media_file_meta additional_info"> <footer id="media_file_meta_{$file.id}" class="media_file_meta additional_info">
@ -116,24 +116,26 @@
{if $file.is_editable} {if $file.is_editable}
<li><button class="media_rename button_link" type="button" title="{$CONST.MEDIA_RENAME}" data-fileid="{$file.id}" data-filename="{$file.name|escape:javascript}"><span class="icon-edit"></span><span class="visuallyhidden"> {$CONST.MEDIA_RENAME}</span></button></li> <li><button class="media_rename button_link" type="button" title="{$CONST.MEDIA_RENAME}" data-fileid="{$file.id}" data-filename="{$file.name|escape:javascript}"><span class="icon-edit"></span><span class="visuallyhidden"> {$CONST.MEDIA_RENAME}</span></button></li>
{if $file.is_image AND NOT $file.hotlink} {if $file.is_image AND NOT $file.hotlink AND $media.multiperm}
<li><a class="media_resize button_link" href="?serendipity[adminModule]=images&amp;serendipity[adminAction]=scaleSelect&amp;serendipity[fname]={$file.name|truncate:30:"&hellip;"}&amp;serendipity[fid]={$file.id}&amp;{$media.extraParems}" title="{$CONST.IMAGE_RESIZE}"><span class="icon-resize-full"></span><span class="visuallyhidden"> {$CONST.IMAGE_RESIZE}</span></a></li> <li><a class="media_resize button_link" href="?serendipity[adminModule]=images&amp;serendipity[adminAction]=scaleSelect&amp;serendipity[fname]={$file.name|truncate:30:"&hellip;"}&amp;serendipity[fid]={$file.id}&amp;{$media.extraParems}" title="{$CONST.IMAGE_RESIZE}"><span class="icon-resize-full"></span><span class="visuallyhidden"> {$CONST.IMAGE_RESIZE}</span></a></li>
{/if} {/if}
{if $file.is_image AND NOT $file.hotlink} {if $file.is_image AND NOT $file.hotlink AND $media.multiperm}
<li><a class="media_rotate_left button_link" href="?serendipity[adminModule]=images&amp;serendipity[adminAction]=rotateCCW&amp;serendipity[fid]={$file.id}" title="{$CONST.IMAGE_ROTATE_LEFT}"><span class="icon-ccw"></span><span class="visuallyhidden"> {$CONST.IMAGE_ROTATE_LEFT}</span></a></li> <li><a class="media_rotate_left button_link" href="?serendipity[adminModule]=images&amp;serendipity[adminAction]=rotateCCW&amp;serendipity[fid]={$file.id}" title="{$CONST.IMAGE_ROTATE_LEFT}"><span class="icon-ccw"></span><span class="visuallyhidden"> {$CONST.IMAGE_ROTATE_LEFT}</span></a></li>
{/if} {/if}
{if $file.is_image AND NOT $file.hotlink} {if $file.is_image AND NOT $file.hotlink AND $media.multiperm}
<li><a class="media_rotate_right button_link" href="?serendipity[adminModule]=images&amp;serendipity[adminAction]=rotateCW&amp;serendipity[fid]={$file.id}" title="{$CONST.IMAGE_ROTATE_RIGHT}"><span class="icon-cw"></span><span class="visuallyhidden">{$CONST.IMAGE_ROTATE_RIGHT}</span></a></li> <li><a class="media_rotate_right button_link" href="?serendipity[adminModule]=images&amp;serendipity[adminAction]=rotateCW&amp;serendipity[fid]={$file.id}" title="{$CONST.IMAGE_ROTATE_RIGHT}"><span class="icon-cw"></span><span class="visuallyhidden">{$CONST.IMAGE_ROTATE_RIGHT}</span></a></li>
{/if} {/if}
{if $media.manage} {if $media.manage AND $media.multiperm}
<li><a class="media_prop button_link" href="?serendipity[adminModule]=images&amp;serendipity[adminAction]=properties&amp;serendipity[fid]={$file.id}" title="{$CONST.MEDIA_PROP}"><span class="icon-picture"></span><span class="visuallyhidden"> {$CONST.MEDIA_PROP}</span></a></li> <li><a class="media_prop button_link" href="?serendipity[adminModule]=images&amp;serendipity[adminAction]=properties&amp;serendipity[fid]={$file.id}" title="{$CONST.MEDIA_PROP}"><span class="icon-picture"></span><span class="visuallyhidden"> {$CONST.MEDIA_PROP}</span></a></li>
{/if} {/if}
{if $is_author_file || $perms.delete}
<li><a class="media_delete button_link" href="?serendipity[adminModule]=images&amp;serendipity[adminAction]=delete&amp;serendipity[fid]={$file.id}" title="{$CONST.MEDIA_DELETE}" data-fileid="{$file.id}" data-filename="{$file.name|escape:javascript}"><span class="icon-trash"></span><span class="visuallyhidden"> {$CONST.MEDIA_DELETE}</span></a></li> <li><a class="media_delete button_link" href="?serendipity[adminModule]=images&amp;serendipity[adminAction]=delete&amp;serendipity[fid]={$file.id}" title="{$CONST.MEDIA_DELETE}" data-fileid="{$file.id}" data-filename="{$file.name|escape:javascript}"><span class="icon-trash"></span><span class="visuallyhidden"> {$CONST.MEDIA_DELETE}</span></a></li>
{/if}
{/if} {/if}
</ul> </ul>

6
templates/2k11/admin/media_pane.tpl
View File

@ -237,7 +237,7 @@
<span class="msg_notice"><span class="icon-info-circled"></span> {$CONST.NO_IMAGES_FOUND}</span> <span class="msg_notice"><span class="icon-info-circled"></span> {$CONST.NO_IMAGES_FOUND}</span>
{else} {else}
{if $media.manage} {if $media.manage AND $media.multiperm}
<form id="formMultiDelete" name="formMultiDelete" action="?" method="post"> <form id="formMultiDelete" name="formMultiDelete" action="?" method="post">
{$media.token} {$media.token}
@ -249,7 +249,7 @@
<div class="clearfix media_pane" data-thumbmaxwidth="{$media.thumbSize}"> <div class="clearfix media_pane" data-thumbmaxwidth="{$media.thumbSize}">
{$MEDIA_ITEMS} {$MEDIA_ITEMS}
{if ($media.page != 1 && $media.page <= $media.pages)||$media.page != $media.pages} {if ($media.page != 1 AND $media.page <= $media.pages) OR $media.page != $media.pages}
<nav class="pagination"> <nav class="pagination">
<h3>{$CONST.PAGE_BROWSE_ENTRIES|sprintf:$media.page:$media.pages:$media.totalImages}</h3> <h3>{$CONST.PAGE_BROWSE_ENTRIES|sprintf:$media.page:$media.pages:$media.totalImages}</h3>
@ -266,7 +266,7 @@
</div>{* media pane end *} </div>{* media pane end *}
{if $media.manage} {if $media.manage AND $media.multiperm}
<div class="form_buttons"> <div class="form_buttons">
<input class="invert_selection" name="toggle" type="button" value="{$CONST.INVERT_SELECTIONS}"> <input class="invert_selection" name="toggle" type="button" value="{$CONST.INVERT_SELECTIONS}">