Changeset 11614 for extensions/Icy_Picture_Modify

Timestamp:

Jul 4, 2011, 8:16:38 AM (13 years ago)

Author:

icy

Message:

Merge branch 'master' into svn

Location:

extensions/Icy_Picture_Modify

Files:

• icy_picture_modify.php (modified) (2 diffs)
• include/functions_icy_picture_modify.inc.php (modified) (2 diffs)
• main.inc.php (modified) (1 diff)

extensions/Icy_Picture_Modify/icy_picture_modify.php

@@ -30 +30 @@
 global $template, $conf, $user, $page, $lang, $cache;
 
-// redirect users to the index page or category page if 'image_id' isn't provided
-if (!isset($_GET['image_id']))
-{
-  if (isset($_GET['cat_id']))
-  {
-    redirect_http(get_root_url().'?/category/'.$_GET['cat_id']);
-  }
-  else
-  {
-    redirect_http(make_index_url());
-  }
-}
-
-check_input_parameter('cat_id', $_GET, false, PATTERN_ID);
-check_input_parameter('image_id', $_GET, false, PATTERN_ID);
-
-// make sure the image is editable by current user
-if (!icy_check_image_owner($_GET['image_id'], $user['id']))
-{
-  $url = make_picture_url(
-      array(
-        'image_id' => $_GET['image_id'],
-        'cat_id' => $_GET['cat_id'],
-      )
-    );
-  redirect_http($url);
-}
-
 // <admin.php>
 $page['errors'] = array();
 $page['infos']  = array();
 $page['warnings']  = array();
-
+// </admin.php>
+
+// +-----------------------------------------------------------------------+
+// |                             check permission                          |
+// +-----------------------------------------------------------------------+
+
+// redirect users to the index page or category page if 'image_id' isn't provided
+if (!isset($_GET['image_id']))
+{
+  if (isset($_GET['cat_id']))
+  {
+    redirect_http(get_root_url().'?/category/'.$_GET['cat_id']);
+  }
+  else
+  {
+    // FIXME: $_SESSION['page_infos'] = array(l10n('Permission denied'));
+    redirect_http(make_index_url());
+  }
+}
+
+check_input_parameter('cat_id', $_GET, false, PATTERN_ID);
+check_input_parameter('image_id', $_GET, false, PATTERN_ID);
+
+// Simplify redirect to administrator page if current user == admin
+// FIXME: when a non-existent image_id is provided, the original code
+// FIXME: picture_modify doesn't work well. It should deny to modify
+// FIXME: such picture.
+if (is_admin())
+{
+  if (icy_does_image_exist($_GET['image_id']))
+  {
+    $url = get_root_url().'admin.php?page=picture_modify';
+    $url.= '&amp;image_id='.$_GET['image_id'];
+    $url.= isset($_GET['cat_id']) ? '&amp;cat_id='.$_GET['cat_id'] : '';
+    redirect_http($url);
+  }
+  else
+  {
+    bad_request('invalid picture identifier');
+  }
+}
+elseif (!icy_check_image_owner($_GET['image_id'], $user['id']))
+{
+  $url = make_picture_url(
+      array(
+        'image_id' => $_GET['image_id'],
+        'cat_id' => isset($_GET['cat_id']) ? $_GET['cat_id'] : ""
+      )
+    );
+  // FIXME: $_SESSION['page_infos'] = array(l10n('Permission denied'));
+  redirect_http($url);
+}
+
+// Update the page sessions
 if (isset($_SESSION['page_infos']))
 {
@@ -68 +93 @@
   unset($_SESSION['page_infos']);
 }
-// </admin.php>
+
 
 // +-----------------------------------------------------------------------+

extensions/Icy_Picture_Modify/include/functions_icy_picture_modify.inc.php

@@ -33 +33 @@
   if (!preg_match(PATTERN_ID, $image_id))
   {
-    fatal_error('[Hacking attempt] the input parameter "'.$image_id.'" is not valid');
+    bad_request('invalid picture identifier');
   }
   if (!preg_match(PATTERN_ID, $user_id))
   {
-    fatal_error('[Hacking attempt] the input parameter "'.$user_id.'" is not valid');
+    bad_request('invalid category identifier');
   }
 
@@ -51 +51 @@
   return ($count > 0 ? true: false);
 }
+
+/*
+ * Check if an image does exist
+ * @return bool
+ * @author icy
+ *
+*/
+function icy_does_image_exist($image_id)
+{
+  if (!preg_match(PATTERN_ID, $image_id))
+  {
+    bad_request('invalid picture identifier');
+  }
+  $query = '
+SELECT COUNT(id)
+  FROM '.IMAGES_TABLE.'
+  WHERE id = '.$image_id.'
+;';
+  list($count) = pwg_db_fetch_row(pwg_query($query));
+  return ($count > 0 ? true: false);
+}
 ?>

extensions/Icy_Picture_Modify/main.inc.php

@@ -2 +2 @@
 /*
 Plugin Name: Icy Modify Picture
-Version: 1.0.1
-Description: Allow users to modify users they uploaded
+Version: 1.0.2
+Description: Allow users to modify pictures they uploaded
 Plugin URI: http://piwigo.org/ext/extension_view.php?eid=563
 Author: icy