Commit 2a4b8e80 authored by Malcolm Blaney's avatar Malcolm Blaney

Made second parameter optional in Factory method (interface change).

Reverted escaping user content in Contact module, but renamed the
variables (`us_` prefix) to reflect that they are not MySQL-escaped.
Stock module now has a concept of "supply groups", meaning each
user can supply to only specific groups in an organisation. The
groups are selected via the "Manage Users" dialog and changes have
also been made to the Account module to allow this to happen. The
dialog was updated at the same time to allow users with permission
to update the details of other users in their organisation,
including which group they are in.
parent 93258617
......@@ -155,7 +155,7 @@ class Banking extends Base {
}
public function Factory($fn, $p) {
public function Factory($fn, $p = NULL) {
if ($fn == "Settings") {
return $this->Settings($p);
}
......
......@@ -211,7 +211,7 @@ class Browser extends Base {
}
public function Factory($fn, $p) {
public function Factory($fn, $p = NULL) {
}
......
......@@ -379,7 +379,7 @@ class Cart extends Base {
}
public function Factory($fn, $p) {
public function Factory($fn, $p = NULL) {
}
......
......@@ -158,7 +158,7 @@ class Comment extends Base {
}
public function Factory($fn, $p) {
public function Factory($fn, $p = NULL) {
}
......@@ -285,10 +285,10 @@ class Comment extends Base {
// Private functions below here ////////////////////////////////////////////
private function Format($comment_id, $name, $url, $content, $time) {
if ($url != "") {
$name = '<a href="'.htmlspecialchars($url).'">'.
htmlspecialchars($name).'</a>';
private function Format($comment_id, $us_name, $us_url, $us_content, $time) {
if ($us_url != "") {
$us_name = '<a href="'.htmlspecialchars($us_url).'">'.
htmlspecialchars($us_name).'</a>';
}
$remove = "";
if ($this->user->canEditPage) {
......@@ -297,8 +297,8 @@ class Comment extends Base {
}
return '<div class="comment-wrapper">'.
$remove.'<div class="comment-content">'.
nl2br(htmlspecialchars($content)).'</div>'.
'<div class="comment-name">'.$name.' <span class="comment-time">'.
nl2br(htmlspecialchars($us_content), false).'</div>'.
'<div class="comment-name">'.$us_name.' <span class="comment-time">'.
date('M jS, Y \a\t g:i a', $time).'</span></div></div>';
}
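Review bot: `htmlspecialchars($us_url)` makes the href attribute-safe but does not restrict the URL scheme, so if `$us_url` is commenter-supplied (the `us_` prefix introduced by this commit marks values that have not been escaped) a `javascript:` URL still becomes a clickable link around the commenter's name. Gate the anchor on the scheme before building it: `$scheme = strtolower((string) parse_url($us_url, PHP_URL_SCHEME));` followed by `if ($us_url != "" && in_array($scheme, array("http", "https"), true)) {`. The caller that supplies `$us_url` and the `$remove` markup between the two hunks are outside this view, so I cannot confirm where the URL originates; the second hunk starts mid-way through Format.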
......
......@@ -70,23 +70,22 @@ class Contact extends Base {
else {
$reply_to = "";
$subject = "Message from ".$this->config->ServerName();
$message = "<html><head><title>".$subject."</title></head>\n".
$us_message = "<html><head><title>".$subject."</title></head>\n".
"<body>\n".
"<p>A message was received at: ".$this->config->ServerName().
"<br>For: <b>".$name."</b><br>Details:</p>\n";
foreach ($us_content as $us_key => $us_value) {
$key = $mysqli->escape_string($us_key);
$value = $mysqli->escape_string($us_value);
if ($key != "contact-name" && $key != "contact-organisation") {
$message .= $key.": ".nl2br($value, false)."<br>\n";
if ($us_key != "contact-name" && $us_key != "contact-organisation") {
$us_message .= $us_key.": ".
nl2br(htmlspecialchars($us_value), false)."<br>\n";
// Look for an email field to use as the "reply-to".
if ($key == "email") {
$reply_to = $value;
if ($us_key == "email") {
$reply_to = $us_value;
}
}
}
$message .= '</body></html>';
$message = wordwrap($message);
$us_message .= '</body></html>';
$us_message = wordwrap($us_message);
$organiser = new Organiser($this->user, $this->owner, $this->config);
$user = $organiser->Contact($name, $organisation);
$email = $name." <".$user."@".$this->config->ServerName().">";
......@@ -105,7 +104,7 @@ class Contact extends Base {
if ($reply_to != "") {
$headers .= "Reply-To: ".$reply_to."\r\n";
}
if (!mail($email, $subject, $message, $headers, "-f ".$sender)) {
if (!mail($email, $subject, $us_message, $headers, "-f ".$sender)) {
$object["error"] = "Email to ".$email." not accepted for delivery.";
}
else {
......@@ -143,7 +142,7 @@ class Contact extends Base {
}
public function Factory($fn, $p) {
public function Factory($fn, $p = NULL) {
}
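Review bot: The revert leaves `$reply_to = $us_value;` feeding a raw form value into `"Reply-To: ".$reply_to."\r\n"` in the second hunk; the removed `escape_string` call turned CR/LF into backslash sequences as a side effect, whereas `htmlspecialchars` is now only applied to the copy that goes into the message body, so an `email` field containing a newline can inject further mail headers (Cc/Bcc) into the outgoing mail. Only accept a syntactically valid address: `if ($us_key == "email" && filter_var($us_value, FILTER_VALIDATE_EMAIL) !== false) {` — FILTER_VALIDATE_EMAIL rejects CR/LF. `$us_key` is also concatenated into the HTML body unescaped at `$us_message .= $us_key.": "`; wrap it in `htmlspecialchars()` too, since the field names come from the same posted array as the values. The enclosing method begins above this hunk, where `$name` and `$organisation` are set, so what else reaches `$email` is not visible here.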
......
......@@ -120,7 +120,7 @@ class Detail extends Base {
}
public function Factory($fn, $p) {
public function Factory($fn, $p = NULL) {
if (is_array($p)) {
// Account module calls UpdateUser through module interface.
if ($fn == "UpdateUser" && count($p) == 4) {
......
......@@ -113,7 +113,7 @@ class Gift extends Base {
}
public function Factory($fn, $p) {
public function Factory($fn, $p = NULL) {
}
......
......@@ -207,7 +207,7 @@ class Graph extends Base {
}
public function Factory($fn, $p) {
public function Factory($fn, $p = NULL) {
if (is_array($p)) {
if ($fn == "AddData" && count($p) == 2) {
$data = $p[0];
......
......@@ -49,7 +49,7 @@ class Grid extends Base {
}
public function Factory($fn, $p) {
public function Factory($fn, $p = NULL) {
}
......
......@@ -237,7 +237,7 @@ class Invoice extends Base {
}
}
public function Factory($fn, $p) {
public function Factory($fn, $p = NULL) {
}
......@@ -317,7 +317,7 @@ class Invoice extends Base {
'"invoice-current-balance","","'.$current_balance.'"',
'"invoice-old-balance","","'.$old_balance.'"',
'"invoice-sign-off","","Thanks, see you next week!"',
'"invoice-subject","","Invoice for this week"',
'"invoice-subject","","Invoice for week !week"',
'"invoice-sender","","noreply@!host"',
'"invoice-stock-email","","(stock email)"',
'"invoice-stock-subject","","Orders for next week"',
......@@ -1242,6 +1242,11 @@ class Invoice extends Base {
return $object;
}
// TODO: parameters should be:
// ($description, $group="", $group_is_parent=false)
// and then when group/parent is set, check a "group-only-notification"
// substitution for true or false. When true, the group parameter must
// match the visitor's group for them to receive the notification.
private function Notification($description) {
// Create the array required for SetContent.
$content = array();
......
......@@ -204,7 +204,7 @@ class Manager extends Base {
}
public function Factory($fn, $p) {
public function Factory($fn, $p = NULL) {
}
......
......@@ -287,7 +287,7 @@ class Organiser extends Base {
}
public function Factory($fn, $p) {
public function Factory($fn, $p = NULL) {
}
......
......@@ -341,7 +341,7 @@ class Payment extends Base {
}
public function Factory($fn, $p) {
public function Factory($fn, $p = NULL) {
}
......
......@@ -87,7 +87,7 @@ class Player extends Base {
}
public function Factory($fn, $p) {
public function Factory($fn, $p = NULL) {
}
......
......@@ -174,7 +174,7 @@ class Post extends Base {
}
public function Factory($fn, $p) {
public function Factory($fn, $p = NULL) {
}
......
......@@ -448,7 +448,7 @@ class Purchase extends Base {
}
public function Factory($fn, $p) {
public function Factory($fn, $p = NULL) {
}
......
......@@ -151,7 +151,7 @@ class Reader extends Base {
$mysqli->close();
}
public function Factory($fn, $p) {
public function Factory($fn, $p = NULL) {
if (is_array($p)) {
if ($fn == "UpdateFeed") {
$xml_url = $p[0];
......
......@@ -196,7 +196,7 @@ class Roster extends Base {
}
public function Factory($fn, $p) {
public function Factory($fn, $p = NULL) {
}
......
......@@ -87,7 +87,7 @@ class Slider extends Base {
}
public function Factory($fn, $p) {
public function Factory($fn, $p = NULL) {
}
......
......@@ -179,7 +179,7 @@ class Summary extends Base {
}
public function Factory($fn, $p) {
public function Factory($fn, $p = NULL) {
}
......
......@@ -87,7 +87,7 @@ class Turner extends Base {
}
public function Factory($fn, $p) {
public function Factory($fn, $p = NULL) {
}
......
......@@ -99,7 +99,7 @@ class Writer extends Base {
}
public function Factory($fn, $p) {
public function Factory($fn, $p = NULL) {
}
......
......@@ -31,12 +31,13 @@ if (!this.dobrado.account) {
'use strict';
var userExists = false;
var currentUser = "";
$(function() {
$(".account").dialog({
autoOpen: false,
position: { my: "top", at: "top+50", of: "body" },
title: "Manage Account",
title: "Manage Accounts",
width: 550,
height: 500
});
......@@ -131,13 +132,31 @@ if (!this.dobrado.account) {
return false;
}
function checkUsernameEnter(event) {
if (event.keyCode !== 13) {
return;
}
event.preventDefault();
checkUsername();
// checkUsername will be called again when the new-user-input field loses
// focus, so track the input value here so that a duplicate request is
// not made.
currentUser = $("#new-user-input").val();
}
function checkUsername() {
var newUser = $("#new-user-input").val();
if (newUser !== "" && newUser === currentUser) {
currentUser = "";
return;
}
$("#register-form #email-input").val("");
$("#register-form #system-group-input").val("");
$("#register-form #new-details-first-input").val("");
$("#register-form #new-details-last-input").val("");
$("#register-form #new-details-phone-input").val("");
$("#register-form .stock-supply-options").html("");
if (newUser === "") {
$("#register-form .username-info").html("");
......@@ -166,6 +185,16 @@ if (!this.dobrado.account) {
$("#register-form #new-details-first-input").val(account.first);
$("#register-form #new-details-last-input").val(account.last);
$("#register-form #new-details-phone-input").val(account.phone);
if (account.stock) {
$("#register-form .stock-supply-options").html(account.stock);
var addSupplyGroupButton = "#register-form .stock-add-supply-group";
$(addSupplyGroupButton).button().click(addSupplyGroup);
var removeSupplyGroupButton = "#register-form .remove-stock-group";
$(removeSupplyGroupButton).button({
icons: { primary: 'ui-icon-closethick' },
text: false
}).click(removeSupplyGroup);
}
}
else {
$("#register-form .username-info").html("<i>This username is " +
......@@ -174,7 +203,12 @@ if (!this.dobrado.account) {
});
}
function newUser() {
function updateUser() {
var newUser = $("#new-user-input").val();
if (newUser === "") {
return false;
}
var user = dobrado.readCookie("user");
var message = "";
if (user && user.substring(0,5) === "guest" && user.length === 20) {
......@@ -189,7 +223,7 @@ if (!this.dobrado.account) {
dobrado.log(message, "info");
$.post("/php/request.php", { request: "account",
action: "add-user",
newUser: $("#new-user-input").val(),
newUser: newUser,
email: $("#email-input").val(),
group: $("#system-group-input").val(),
first: $("#new-details-first-input").val(),
......@@ -408,6 +442,71 @@ if (!this.dobrado.account) {
});
}
function addSupplyGroup() {
var newUser = $("#new-user-input").val();
if (newUser === "") {
return false;
}
var listed = false;
var group = $("#stock-select-supply-group").val();
// If the selected group is already listed don't do anything.
$("#register-form .stock-supply-group").each(function() {
if ($(this).html() === group) {
listed = true;
}
});
if (listed) {
return false;
}
dobrado.log("Adding supply group.", "info");
$.post("/php/request.php", { request: "account",
action: "add-supply-group",
newUser: newUser,
group: group,
url: location.href,
token: dobrado.token },
function(response) {
if (dobrado.checkResponseError(response, "addSupplyGroup request")) {
return false;
}
var account = JSON.parse(response);
$("#register-form .stock-all-groups").remove();
$("#register-form .stock-current-groups").append(account.content);
var removeSupplyGroupButton = "#register-form .remove-stock-group";
$(removeSupplyGroupButton).button({
icons: { primary: 'ui-icon-closethick' },
text: false
}).click(removeSupplyGroup);
});
return false;
}
function removeSupplyGroup() {
var newUser = $("#new-user-input").val();
if (newUser === "") {
return false;
}
var that = this;
var group = $(this).siblings(".stock-supply-group").html();
dobrado.log("Removing supply group.", "info");
$.post("/php/request.php", { request: "account",
action: "remove-supply-group",
newUser: newUser,
group: group,
url: location.href,
token: dobrado.token },
function(response) {
if (dobrado.checkResponseError(response, "removeSupplyGroup request")) {
return false;
}
$(that).parent().remove();
});
return false;
}
dobrado.account.option = function(event) {
event.preventDefault();
var option = $(this).attr("id");
......@@ -433,8 +532,8 @@ if (!this.dobrado.account) {
if (option === "register") {
$("#new-user-input").change(checkUsername);
$("#register-form .submit").button().click(newUser);
$("#new-user-input").keypress(checkUsernameEnter);
$("#register-form .submit").button().click(updateUser);
}
else if (option === "remove-user") {
$("#remove-user-form .submit").button().click(removeUser);
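Review bot: `addSupplyGroup` compares `$(this).html() === group` and `removeSupplyGroup` reads the group name with `.html()`, but `.html()` returns entity-encoded markup, so a group name containing `&` or `<` would never match the `<select>` value and would be posted back to `remove-supply-group` as `&amp;`; use `.text()` in both places: `if ($(this).text() === group)` and `var group = $(this).siblings(".stock-supply-group").text();`. Both requests act on whatever username is typed into `#new-user-input`, so the `account` handler for `add-supply-group` and `remove-supply-group` (not in this diff) must verify that the caller may manage that user and that `group` belongs to the caller's organisation rather than trusting the dialog. `account.stock` and `account.content` are injected with `.html()` and `.append()`, so any user-controlled group names in that server response need to be HTML-escaped server-side, which I cannot confirm from here.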
......
......@@ -15,7 +15,7 @@
// You should have received a copy of the GNU Affero General Public License
// along with this program. If not, see <http://www.gnu.org/licenses/>.
function username_available($user, $owner, $config, $update = false) {
function username_available($user, $owner, $config) {
// The path to the directory needs to be relative to the calling script.
// There are two options, a script in the php directory, or index.php.
// In the case of the latter, need to also check if it's the top level
......@@ -51,7 +51,6 @@ function username_available($user, $owner, $config, $update = false) {
if ($exists) {
$mysqli->close();
$message = "Username: ".$user->name." already exists.";
if ($update) return $message."<br>(Will update details for this user)";
return $message;
}
else if (is_dir($prefix.$user->name)) {
......
......@@ -71,7 +71,7 @@ class Module {
return $this->instance->Cron();
}
public function Factory($fn, $p) {
public function Factory($fn, $p = NULL) {
if ($this->instance == null) return;
return $this->instance->Factory($fn, $p);
}
......
......@@ -46,7 +46,7 @@ abstract class Base {
// If a module is instantiated via the Module class, it will only have access
// to this interface. Factory is used to provide access to custom methods.
abstract public function Factory($fn, $p);
abstract public function Factory($fn, $p = NULL);
// Group returns the class name of a div that this module will be placed in,
// so that it can be grouped with other modules. It is used to set the value
......@@ -279,7 +279,7 @@ abstract class Base {
$mysqli->close();
}
protected function GroupMember($group, $owner="") {
protected function GroupMember($group, $owner = "") {
$member = false;
if ($owner == "") {
$owner = $this->owner;
......
......@@ -61,7 +61,8 @@ class Control extends Base {
}
else {
if ($this->GroupMember("admin", "admin")) {
$account_menu .= '<li><a href="#" id="register">Add User...</a></li>';
$account_menu .=
'<li><a href="#" id="register">Manage Users...</a></li>';
}
if ($this->user->canEditSite) {
$account_menu .= '<li><a href="#" id="remove-user">'.
......@@ -209,7 +210,7 @@ class Control extends Base {
$mysqli->close();
}
public function Factory($fn, $p) {
public function Factory($fn, $p = NULL) {
}
......
......@@ -249,7 +249,7 @@ class Extended extends Base {
}
public function Factory($fn, $p) {
public function Factory($fn, $p = NULL) {
}
......
......@@ -174,7 +174,7 @@ class Login extends Base {
}
public function Factory($fn, $p) {
public function Factory($fn, $p = NULL) {
}
......
......@@ -98,7 +98,7 @@ class More extends Base {
}
public function Factory($fn, $p) {
public function Factory($fn, $p = NULL) {
}
......
......@@ -95,7 +95,7 @@ class Notification extends Base {
}
public function Factory($fn, $p) {
public function Factory($fn, $p = NULL) {
}
......
......@@ -84,7 +84,7 @@ class Simple extends Base {
}
public function Factory($fn, $p) {
public function Factory($fn, $p = NULL) {
}
......
......@@ -53,7 +53,7 @@ class Skeleton extends Base {
}
public function Factory($fn, $p) {
public function Factory($fn, $p = NULL) {
}
......
......@@ -33,23 +33,31 @@ class User {
public function __construct($config = null, $user = "", $group = "") {
if ($user !== "") {
$this->name = $user;
$this->group = $group;
if ($group === "") {
$this->SetGroup();
}
else {
$this->group = $group;
}
return;
}
$mysqli = connect_db();
// Check if a (possibly different) user is trying to log in.
if (isset($_POST["user"])) {
$mysqli = connect_db();
$this->name = strtolower($mysqli->escape_string($_POST["user"]));
if ($this->name == "guest" && isset($config) &&
$config->GuestAllowed()) {
$this->Guest($config);
$mysqli->close();
return;
}
if (isset($_POST["password"])) {
$this->password = $mysqli->escape_string($_POST["password"]);
}
$mysqli->close();
// Check if the user is requesting a password reset.
if (isset($_POST["email"])) {
......@@ -82,27 +90,7 @@ class User {
if ($this->loggedIn) {
$this->SetPermission();
$query = 'SELECT system_group FROM users WHERE user = "'.$this->name.'"';
if ($result = $mysqli->query($query)) {
if ($users = $result->fetch_assoc()) {
$this->group = $users["system_group"];
}
$result->close();
}
else {
log_db("User: ".$mysqli->error);
}
}
$mysqli->close();
}
public function SetPermission() {
// The permission functions rely on page being set in the session.
if (isset($_SESSION["page"])) {
$this->canEditSite = can_edit_site();
$this->canEditPage = can_edit_page();
$this->canCopyPage = can_copy_page();
$this->canViewPage = can_view_page();
$this->SetGroup();
}
}
......@@ -123,6 +111,31 @@ class User {
}
}
public function SetPermission() {
// The permission functions rely on page being set in the session.
if (isset($_SESSION["page"])) {
$this->canEditSite = can_edit_site();
$this->canEditPage = can_edit_page();
$this->canCopyPage = can_copy_page();
$this->canViewPage = can_view_page();
}
}
private function SetGroup() {
$mysqli = connect_db();
$query = 'SELECT system_group FROM users WHERE user = "'.$this->name.'"';
if ($result = $mysqli->query($query)) {
if ($users = $result->fetch_assoc()) {
$this->group = $users["system_group"];
}
$result->close();
}
else {
log_db("User->SetGroup: ".$mysqli->error);
}
$mysqli->close();
}
private function Valid() {
$valid = false;
// new_password is just for upgrading from md5 to crypt.
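Review bot: The new constructor branch assigns `$this->name = $user;` straight from the parameter and then calls `SetGroup()`, which interpolates that name into `'SELECT system_group FROM users WHERE user = "'.$this->name.'"'`; previously this query only ran on the login path where `$this->name` had been through `$mysqli->escape_string`, so any caller that now constructs a `User` from request input (the Manage Users dialog posts `newUser`, and its server side is collapsed in this diff) gets a SQL-injection path. Switching `SetGroup` to a prepared statement removes the dependency on whether the caller escaped the name, as below. `Valid()` continues past the end of this hunk.
```php
private function SetGroup() {
  $mysqli = connect_db();
  // Parameterised: $this->name may have been passed straight into the
  // constructor without going through escape_string.
  if ($stmt = $mysqli->prepare('SELECT system_group FROM users ' .
                               'WHERE user = ?')) {
    $stmt->bind_param("s", $this->name);
    $stmt->execute();
    $stmt->bind_result($system_group);
    if ($stmt->fetch()) {
      $this->group = $system_group;
    }
    $stmt->close();
  }
  else {
    log_db("User->SetGroup: ".$mysqli->error);
  }
  $mysqli->close();
}
```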
......