Xaraya / Postnuke CVS Notices - Message

Note: this list is kept only as a demonstration for CVSNotice. For the latest CVS notices, see the Xaraya and Postnuke sites


Date Directory [filter] File(s) [view] Author [filter]
01 Aug 2002 15:05:22postnuke_official/html/modules/templatepnuser.php,1.12,1.13 pnuserapi.php,1.6,1.7Mike
 add exceptions, better security checks and transform hooks

Update of /home/cvsroot/postnuke_official/html/modules/template
In directory ns7.hostnuke.net:/tmp/cvs-serv27903

Modified Files:
	pnuser.php pnuserapi.php 
Log Message:
add exceptions, better security checks and transform hooks


Index: pnuser.php
===================================================================
RCS file: /home/cvsroot/postnuke_official/html/modules/template/pnuser.php,v
retrieving revision 1.12
retrieving revision 1.13
diff -C2 -d -r1.12 -r1.13
*** pnuser.php	2 Jul 2002 16:20:08 -0000	1.12
--- pnuser.php	1 Aug 2002 15:05:20 -0000	1.13
***************
*** 43,49 ****
      // privilege for some item within this component, or else they won't be
      // able to see anything and so we refuse access altogether.  The lowest
!     // level of access for administration depends on the particular module, but
!     // it is generally either 'overview' or 'read'
!     if (!pnSecAuthAction(0, 'Template::', '::', ACCESS_READ)) {
          $output->Text(_TEMPLATENOAUTH);
          return $output->GetOutput();
--- 43,49 ----
      // privilege for some item within this component, or else they won't be
      // able to see anything and so we refuse access altogether.  The lowest
!     // level of access for users depends on the particular module, but it is
!     // generally either 'overview' or 'read'
!     if (!pnSecAuthAction(0, 'Template::', '::', ACCESS_OVERVIEW)) {
          $output->Text(_TEMPLATENOAUTH);
          return $output->GetOutput();
***************
*** 70,74 ****
      // function should be obtained from pnVarCleanFromInput(), getting them
      // from other places such as the environment is not allowed, as that makes
!     // assumptions that will not hold in future versions of PostNuke
      $startnum = pnVarCleanFromInput('startnum');
  
--- 70,75 ----
      // function should be obtained from pnVarCleanFromInput(), getting them
      // from other places such as the environment is not allowed, as that makes
!     // assumptions that will not hold in future versions of PostNuke.
!     // Note that for retrieving 1 parameter, we can use $var1 = ... (see below)
      $startnum = pnVarCleanFromInput('startnum');
  
***************
*** 100,104 ****
  
      // The API function is called.  The arguments to the function are passed in
!     // as their own arguments array
      $items = pnModAPIFunc('template',
                            'user',
--- 101,107 ----
  
      // The API function is called.  The arguments to the function are passed in
!     // as their own arguments array.
!     // Security check 1 - the getall() function only returns items for which the
!     // the user has at least OVERVIEW access.
      $items = pnModAPIFunc('template',
                            'user',
***************
*** 109,119 ****
  
      // The return value of the function is checked here, and if the function
!     // suceeded then an appropriate message is posted.  Note that if the
!     // function did not succeed then the API function should have already
!     // posted a failure message so no action is required
      if ($items == false) {
          $output->Text(_TEMPLATEITEMFAILED);
      }
  
      // Loop through each item and display it.  Note the use of pnVarCensor() to
      // remove any words from the name that the administrator has deemed
--- 112,150 ----
  
      // The return value of the function is checked here, and if the function
!     // failed then an appropriate message is posted here.  Note that if the
!     // API function gave an error, then it should raise an exception that 
!     // you can handle here...
      if ($items == false) {
+         // Throw back any system exceptions (e.g. database failure)
+         if (pnExceptionMajor() == PN_SYSTEM_EXCEPTION) {
+              return; // throw back
+         }
+         // Handle the user exceptions yourself
          $output->Text(_TEMPLATEITEMFAILED);
+         // Possibly handle different exception IDs in specific ways :
+         // if (pnExceptionId() == 'BAD_PARAM') {
+         //     /* do something */
+         // } elseif (pnExceptionId() == 'NO_PERMISSION') {
+         //     /* do something else */
+         // } elseif (pnExceptionId() == 'MyException1') {
+         //     /* do some other thing */
+         // } else {
+         //     /* default handling */
+         // }
+         // Get the information about the exception (in HTML or string format)
+         // $reason = pnExceptionValueHTML();
+         $reason = pnExceptionValueString();
+         if (!empty($reason)) {
+             $output->Linebreak(2);
+             $output->Text(pnML('Reason') . ' : ' . $reason);
+         }
+         // Free the exception to tell PostNuke that you handled it
+         pnExceptionFree();
+         // Return the result
+         return $output->GetOutput();
      }
  
+ // TODO: check for conflicts between transformation hook output and
+ //       pnVarCensor / pnVarPrepForDisplay
      // Loop through each item and display it.  Note the use of pnVarCensor() to
      // remove any words from the name that the administrator has deemed
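Review bot: The new failure branch is entered on `if ($items == false)`, which is also true for an empty array, so a getall() call that succeeds but finds no visible items would print _TEMPLATEITEMFAILED and return early (assuming getall() returns an empty array in that case; its initialisation of `$items` is not visible here). A strict test, `if ($items === false) {`, keeps the exception handling for real failures only. The matching block in template_user_display() is guarded by `$item == false` and deserves the same change. The `$reason` string goes to `$output->Text()` unchanged, so a comment saying whether Text() escapes it in the current input mode would help anyone who later switches the output to verbatim. template_user_main() starts and ends outside the hunk.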
***************
*** 122,125 ****
--- 153,170 ----
      foreach ($items as $item) {
  
+         // Let any transformation hooks know that we want to transform some text
+         // You'll need to specify the item id, and an array containing all the
+         // pieces of text that you want to transform (e.g. for autolinks, wiki,
+         // smilies, bbcode, ...).
+         // Note : for your module, you might not need to call transformation
+         // hooks in this overview list, but only in the display of the details
+         // in the display() function.
+         list($item['name']) = pnModCallHooks('item',
+                                              'transform',
+                                              $item['tid'],
+                                              array($item['name']));
+ 
+         // Security check 2 - if the user has read access to the item, show a
+         // link to display the details of the item
          if (pnSecAuthAction(0,
                              'Templates::',
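Review bot: The transform hooks run on `$item['name']` before it passes through `pnVarPrepForDisplay(pnVarCensor(...))`, so markup produced by a hook (autolinks, bbcode, smilies) is escaped again and shown as literal text. The likely "fix" by a later author is to drop the escaping, which would send the stored name to the page unescaped. The TODO added before the loop acknowledges the conflict, but the order is left unresolved in a template that other modules copy. Censor and escape the raw name first and pass the display-safe text to the hooks, with a comment such as `// hooks add markup to already-escaped text; do not escape their output again`. The same ordering applies to the hook call added in template_user_display(); the foreach body continues outside the hunk.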
***************
*** 132,135 ****
--- 177,186 ----
                           pnVarPrepForDisplay(pnVarCensor($item['name'])));
              $output->Linebreak();
+ 
+         // Security check 2 - else only display the item name (or whatever is
+         // appropriate for your module)
+         } else {
+             $output->Text(pnVarPrepForDisplay(pnVarCensor($item['name'])));
+             $output->Linebreak();
          }
      }
***************
*** 158,161 ****
--- 209,216 ----
   * This is a standard function to provide detailed informtion on a single item
   * available from the module.
+  *
+  * @param $args an array of arguments (if called by other modules)
+  * @param $args['objectid'] a generic object id (if called by other modules)
+  * @param $args['tid'] the item id used for this example module
   */
  function template_user_display($args)
***************
*** 165,168 ****
--- 220,224 ----
      // from other places such as the environment is not allowed, as that makes
      // assumptions that will not hold in future versions of PostNuke.
+     // Note that for retrieving several parameters, we use list($var1,$var2) =
      list($tid,
           $objectid) = pnVarCleanFromInput('tid',
***************
*** 181,185 ****
      // if it exists it overrides $tid
      //
!     // Note that this module couuld just use $objectid everywhere to avoid all
      // of this munging of variables, but then the resultant code is less
      // descriptive, especially where multiple objects are being used.  The
--- 237,241 ----
      // if it exists it overrides $tid
      //
!     // Note that this module could just use $objectid everywhere to avoid all
      // of this munging of variables, but then the resultant code is less
      // descriptive, especially where multiple objects are being used.  The
***************
*** 209,213 ****
  
      // The API function is called.  The arguments to the function are passed in
!     // as their own arguments array
      $item = pnModAPIFunc('template',
                            'user',
--- 265,271 ----
  
      // The API function is called.  The arguments to the function are passed in
!     // as their own arguments array.
!     // Security check 1 - the get() function will fail if the user does not
!     // have at least READ access to this item (also see below).
      $item = pnModAPIFunc('template',
                            'user',
***************
*** 216,231 ****
  
      // The return value of the function is checked here, and if the function
!     // suceeded then an appropriate message is posted.  Note that if the
!     // function did not succeed then the API function should have already
!     // posted a failure message so no action is required
      if ($item == false) {
          $output->Text(_TEMPLATEITEMFAILED);
          return $output->GetOutput();
      }
  
      // Display details of the item.  Note the use of pnVarCensor() to remove
      // any words from the name that the administrator has deemed unsuitable for
      // the site.  Also note that a module variable is used here to determine
!     // whether not not parts of the item information should be displayed in
      // bold type or not
      $output->Text(_TEMPLATENAME . ': ');
--- 274,334 ----
  
      // The return value of the function is checked here, and if the function
!     // failed then an appropriate message is posted here.  Note that if the
!     // API function gave an error, then it should raise an exception that 
!     // you can handle here...
      if ($item == false) {
+         // Throw back any system exceptions (e.g. database failure)
+         if (pnExceptionMajor() == PN_SYSTEM_EXCEPTION) {
+              return; // throw back
+         }
+         // Handle the user exceptions yourself
          $output->Text(_TEMPLATEITEMFAILED);
+         // Possibly handle different exception IDs in specific ways :
+         // if (pnExceptionId() == 'BAD_PARAM') {
+         //     /* do something */
+         // } elseif (pnExceptionId() == 'NO_PERMISSION') {
+         //     /* do something else */
+         // } elseif (pnExceptionId() == 'MyException1') {
+         //     /* do some other thing */
+         // } else {
+         //     /* default handling */
+         // }
+         // Get the information about the exception (in HTML or string format)
+         // $reason = pnExceptionValueHTML();
+         $reason = pnExceptionValueString();
+         if (!empty($reason)) {
+             $output->Linebreak(2);
+             $output->Text(pnML('Reason') . ' : ' . $reason);
+         }
+         // Free the exception to tell PostNuke that you handled it
+         pnExceptionFree();
+         // Return the result
          return $output->GetOutput();
      }
  
+     // Security check 2 - if your API function does *not* check for the
+     // appropriate access rights, or if for some reason you require higher
+     // access than READ for this function, you *must* check this here !
+     // if (!pnSecAuthAction(0, 'Templates::', "$item[name]::$item[tid]",
+     //        ACCESS_READ)) {
+     //    $output->Text(_TEMPLATENOAUTH);
+     //    return $output->GetOutput();
+     //}
+ 
+     // Let any transformation hooks know that we want to transform some text.
+     // You'll need to specify the item id, and an array containing all the
+     // pieces of text that you want to transform (e.g. for autolinks, wiki,
+     // smilies, bbcode, ...).
+     list($item['name']) = pnModCallHooks('item',
+                                          'transform',
+                                          $item['tid'],
+                                          array($item['name']));
+ 
+ // TODO: check for conflicts between transformation hook output and
+ //       pnVarCensor / input parsing of Text() by pnHTML
      // Display details of the item.  Note the use of pnVarCensor() to remove
      // any words from the name that the administrator has deemed unsuitable for
      // the site.  Also note that a module variable is used here to determine
!     // whether or not parts of the item information should be displayed in
      // bold type or not
      $output->Text(_TEMPLATENAME . ': ');
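Review bot: The commented-out "Security check 2" sample uses the component `'Templates::'`, while the gate at the top of template_user_main() and every check in pnuserapi.php use `'Template::'`. A module author who uncomments the sample, or copies the per-item check in main() that has the same spelling, would test a component that this module's permission rules may not cover. Which spelling is registered is not visible in this diff; if it is `'Template::'`, the sample should read `if (!pnSecAuthAction(0, 'Template::', "$item[name]::$item[tid]",`. template_user_display() starts and ends outside the hunk.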

Index: pnuserapi.php
===================================================================
RCS file: /home/cvsroot/postnuke_official/html/modules/template/pnuserapi.php,v
retrieving revision 1.6
retrieving revision 1.7
diff -C2 -d -r1.6 -r1.7
*** pnuserapi.php	30 Apr 2002 10:40:16 -0000	1.6
--- pnuserapi.php	1 Aug 2002 15:05:20 -0000	1.7
***************
*** 25,34 ****
  /**
   * get all example items
   * @returns array
   * @return array of items, or false on failure
   */
  function template_userapi_getall($args)
  {
!     //
      extract($args);
  
--- 25,42 ----
  /**
   * get all example items
+  *
+  * @author the Example module development team
+  * @param numitems the number of items to retrieve (default -1 = all)
+  * @param startnum start with this item number (default 1)
   * @returns array
   * @return array of items, or false on failure
+  * @raise BAD_PARAM, DATABASE_ERROR, NO_PERMISSION
   */
  function template_userapi_getall($args)
  {
!     // Get arguments from argument array - all arguments to this function
!     // should be obtained from the $args array, getting them from other places
!     // such as the environment is not allowed, as that makes assumptions that
!     // will not hold in future versions of PostNuke
      extract($args);
  
***************
*** 41,47 ****
      }
  
!     if ((!isset($startnum)) ||
!         (!isset($numitems))) {
!         pnSessionSetVar('errormsg', _MODARGSERROR);
          return false;
      }
--- 49,61 ----
      }
  
!     // Argument check - make sure that all required arguments are present and
!     // in the expected format, if not then set an appropriate error message
!     // and return
!     if ((!isset($startnum) || !is_numeric($startnum)) ||
!         (!isset($numitems) || !is_numeric($numitems))) {
!         $msg = pnML('Invalid #(1) for #(2) function #(3)() in module #(4)',
!                     'startnum or numitems', 'user', 'getall', 'Example');
!         pnExceptionSet(PN_USER_EXCEPTION, 'BAD_PARAM',
!                        new SystemException($msg));
          return false;
      }
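Review bot: `is_numeric()` accepts more than the integers these paging arguments are meant to be: negative values, decimals and exponent notation such as `1e3` all pass, and the values then travel on toward the query further down, which is not visible in this hunk. An integer range check followed by a cast is tighter, for example `if ((int)$startnum < 1 || (int)$numitems < -1) { ... BAD_PARAM ... }` and then `$startnum = (int)$startnum; $numitems = (int)$numitems;` (the docblock gives -1 as "all"). The same applies to the `is_numeric($tid)` test added in template_userapi_get(). template_userapi_getall() continues outside the hunk.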
***************
*** 51,59 ****
      // Security check - important to do this as early on as possible to
      // avoid potential security holes or just too much wasted processing
!     if (!pnSecAuthAction(0, 'Template::', '::', ACCESS_READ)) {
!         return $items;
      }
  
!     // Get datbase setup - note that both pnDBGetConn() and pnDBGetTables()
      // return arrays but we handle them differently.  For pnDBGetConn() we
      // currently just want the first item, which is the official database
--- 65,77 ----
      // Security check - important to do this as early on as possible to
      // avoid potential security holes or just too much wasted processing
!     if (!pnSecAuthAction(0, 'Template::', '::', ACCESS_OVERVIEW)) {
!         $msg = pnML('Not authorized to access #(1) items',
!                     'Example');
!         pnExceptionSet(PN_USER_EXCEPTION, 'NO_PERMISSION',
!                        new SystemException($msg));
!         return false;
      }
  
!     // Get database setup - note that both pnDBGetConn() and pnDBGetTables()
      // return arrays but we handle them differently.  For pnDBGetConn() we
      // currently just want the first item, which is the official database
***************
*** 81,94 ****
      // error message and return
      if ($dbconn->ErrorNo() != 0) {
!         pnSessionSetVar('errormsg', _GETFAILED);
          return false;
      }
  
      // Put items into result array.  Note that each item is checked
!     // individually to ensure that the user is allowed access to it before it
!     // is added to the results array
      for (; !$result->EOF; $result->MoveNext()) {
          list($tid, $name, $number) = $result->fields;
!         if (pnSecAuthAction(0, 'Template::', "$name::$tid", ACCESS_READ)) {
              $items[] = array('tid' => $tid,
                               'name' => $name,
--- 99,124 ----
      // error message and return
      if ($dbconn->ErrorNo() != 0) {
!         // Hint : for debugging SQL queries, you can use $dbconn->ErrorMsg()
!         // to retrieve the actual database error message, and use e.g. the
!         // following message :
!         // $msg = pnML('Database error #(1) in query #(2) for #(3) function ' .
!         //             '#(4)() in module #(5)',
!         //             $dbconn->ErrorMsg(), $sql, 'user', 'getall', 'Example');
!         // Don't use that for release versions, though...
!         $msg = pnML('Database error for #(1) function #(2)() in module #(3)',
!                     'user', 'getall', 'Example');
!         pnExceptionSet(PN_SYSTEM_EXCEPTION, 'DATABASE_ERROR',
!                        new SystemException($msg));
          return false;
      }
  
      // Put items into result array.  Note that each item is checked
!     // individually to ensure that the user is allowed *at least* OVERVIEW
!     // access to it before it is added to the results array.
!     // If more severe restrictions apply, e.g. for READ access to display
!     // the details of the item, this *must* be verified by your function.
      for (; !$result->EOF; $result->MoveNext()) {
          list($tid, $name, $number) = $result->fields;
!         if (pnSecAuthAction(0, 'Template::', "$name::$tid", ACCESS_OVERVIEW)) {
              $items[] = array('tid' => $tid,
                               'name' => $name,
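Review bot: Lowering the per-item test to ACCESS_OVERVIEW means getall() now returns the whole row for users who only hold overview rights. The array built here continues past the hunk, and if it includes `$number`, as the `list()` above suggests, that detail field is released at a lower privilege than before. The new comment leaves the re-check to every caller, which is easy to miss in a module meant to be copied. Either return only the overview fields for items the user cannot READ, or state the contract in the docblock, e.g. `@return array of items the user may at least OVERVIEW; callers must re-check READ before showing details`. The generic DATABASE_ERROR text is the right default; the commented hint that adds `$dbconn->ErrorMsg()` and `$sql` belongs in a log rather than in the exception message if it is ever enabled.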
***************
*** 110,113 ****
--- 140,144 ----
   * @returns array
   * @return item array, or false on failure
+  * @raise BAD_PARAM, DATABASE_ERROR, NO_PERMISSION
   */
  function template_userapi_get($args)
***************
*** 119,130 ****
      extract($args);
  
!     // Argument check - make sure that all required arguments are present, if
!     // not then set an appropriate error message and return
!     if (!isset($tid)) {
!         pnSessionSetVar('errormsg', _MODARGSERROR);
          return false;
      }
  
!     // Get datbase setup - note that both pnDBGetConn() and pnDBGetTables()
      // return arrays but we handle them differently.  For pnDBGetConn() we
      // currently just want the first item, which is the official database
--- 150,165 ----
      extract($args);
  
!     // Argument check - make sure that all required arguments are present and
!     // in the expected format, if not then set an appropriate error message
!     // and return
!     if (!isset($tid) || !is_numeric($tid)) {
!         $msg = pnML('Invalid #(1) for #(2) function #(3)() in module #(4)',
!                     'item ID', 'user', 'get', 'Example');
!         pnExceptionSet(PN_USER_EXCEPTION, 'BAD_PARAM',
!                        new SystemException($msg));
          return false;
      }
  
!     // Get database setup - note that both pnDBGetConn() and pnDBGetTables()
      // return arrays but we handle them differently.  For pnDBGetConn() we
      // currently just want the first item, which is the official database
***************
*** 151,159 ****
      // error message and return
      if ($dbconn->ErrorNo() != 0) {
          return false;
      }
  
!     // Check for no rows found, and if so return
      if ($result->EOF) {
          return false;
      }
--- 186,206 ----
      // error message and return
      if ($dbconn->ErrorNo() != 0) {
+         // Hint : for debugging SQL queries, you can use $dbconn->ErrorMsg()
+         // to retrieve the actual database error message, and use e.g. the
+         // following message :
+         // $msg = pnML('Database error #(1) in query #(2) for #(3) function ' .
+         //             '#(4)() in module #(5)',
+         //             $dbconn->ErrorMsg(), $sql, 'user', 'get', 'Example');
+         // Don't use that for release versions, though...
+         $msg = pnML('Database error for #(1) function #(2)() in module #(3)',
+                     'user', 'get', 'Example');
+         pnExceptionSet(PN_SYSTEM_EXCEPTION, 'DATABASE_ERROR',
+                        new SystemException($msg));
          return false;
      }
  
!     // Check for no rows found, and if so, close the result set and return
      if ($result->EOF) {
+         $result->Close();
          return false;
      }
***************
*** 169,174 ****
      // potential security holes or just too much wasted processing.  Although
      // this one is a bit late in the function it is as early as we can do it as
!     // this is the first time we have the relevant information
      if (!pnSecAuthAction(0, 'Template::', "$name::$tid", ACCESS_READ)) {
          return false;
      }
--- 216,226 ----
      // potential security holes or just too much wasted processing.  Although
      // this one is a bit late in the function it is as early as we can do it as
!     // this is the first time we have the relevant information.
!     // For this function, the user must *at least* have READ access to this item
      if (!pnSecAuthAction(0, 'Template::', "$name::$tid", ACCESS_READ)) {
+         $msg = pnML('Not authorized to access #(1) item #(2)',
+                     'Example', pnVarPrepForStore($tid));
+         pnExceptionSet(PN_USER_EXCEPTION, 'NO_PERMISSION',
+                        new SystemException($msg));
          return false;
      }
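Review bot: `pnVarPrepForStore($tid)` prepares a value for a database query, but here the result is placed in a message that is later shown to the user, so the escaping does not match the context. `$tid` has already passed the numeric check, so nothing goes wrong as written, but the pattern will be copied with non-numeric identifiers. Pass the raw value and let the output layer escape it: `'Example', $tid);`. Separately, the not-found path above returns false without an exception while this path raises NO_PERMISSION naming the item, so a caller can tell forbidden items from missing ones; returning the same result for both avoids that. template_userapi_get() starts and ends outside the hunk.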
***************
*** 190,194 ****
  function template_userapi_countitems()
  {
!     // Get datbase setup - note that both pnDBGetConn() and pnDBGetTables()
      // return arrays but we handle them differently.  For pnDBGetConn() we
      // currently just want the first item, which is the official database
--- 242,246 ----
  function template_userapi_countitems()
  {
!     // Get database setup - note that both pnDBGetConn() and pnDBGetTables()
      // return arrays but we handle them differently.  For pnDBGetConn() we
      // currently just want the first item, which is the official database
***************
*** 213,216 ****
--- 265,279 ----
      // error message and return
      if ($dbconn->ErrorNo() != 0) {
+         // Hint : for debugging SQL queries, you can use $dbconn->ErrorMsg()
+         // to retrieve the actual database error message, and use e.g. the
+         // following message :
+         // $msg = pnML('Database error #(1) in query #(2) for #(3) function ' .
+         //             '#(4)() in module #(5)',
+         //          $dbconn->ErrorMsg(), $sql, 'user', 'countitems', 'Example');
+         // Don't use that for release versions, though...
+         $msg = pnML('Database error for #(1) function #(2)() in module #(3)',
+                     'user', 'countitems', 'Example');
+         pnExceptionSet(PN_SYSTEM_EXCEPTION, 'DATABASE_ERROR',
+                        new SystemException($msg));
          return false;
      }
***************
*** 227,229 ****
  }
  
! ?>
\ No newline at end of file
--- 290,292 ----
  }
  
! ?>

