Note: this list is kept only as a demonstration for CVSNotice. For the latest CVS notices, see the Xaraya and Postnuke sites
View Statistics - Next Notice - Previous NoticeDirectory filter : [ all ] / postnuke_official / html / modules / template [ view in CVS ]
| Date | Directory [filter] | File(s) [view] | Author [filter] |
| 01 Aug 2002 15:05:22 | postnuke_official/html/modules/template | pnuser.php,1.12,1.13 pnuserapi.php,1.6,1.7 | Mike |
| add exceptions, better security checks and transform hooks | |||
Update of /home/cvsroot/postnuke_official/html/modules/template
In directory ns7.hostnuke.net:/tmp/cvs-serv27903
Modified Files:
pnuser.php pnuserapi.php
Log Message:
add exceptions, better security checks and transform hooks
Index: pnuser.php
===================================================================
RCS file: /home/cvsroot/postnuke_official/html/modules/template/pnuser.php,v
retrieving revision 1.12
retrieving revision 1.13
diff -C2 -d -r1.12 -r1.13
*** pnuser.php 2 Jul 2002 16:20:08 -0000 1.12
--- pnuser.php 1 Aug 2002 15:05:20 -0000 1.13
***************
*** 43,49 ****
// privilege for some item within this component, or else they won't be
// able to see anything and so we refuse access altogether. The lowest
! // level of access for administration depends on the particular module, but
! // it is generally either 'overview' or 'read'
! if (!pnSecAuthAction(0, 'Template::', '::', ACCESS_READ)) {
$output->Text(_TEMPLATENOAUTH);
return $output->GetOutput();
--- 43,49 ----
// privilege for some item within this component, or else they won't be
// able to see anything and so we refuse access altogether. The lowest
! // level of access for users depends on the particular module, but it is
! // generally either 'overview' or 'read'
! if (!pnSecAuthAction(0, 'Template::', '::', ACCESS_OVERVIEW)) {
$output->Text(_TEMPLATENOAUTH);
return $output->GetOutput();
***************
*** 70,74 ****
// function should be obtained from pnVarCleanFromInput(), getting them
// from other places such as the environment is not allowed, as that makes
! // assumptions that will not hold in future versions of PostNuke
$startnum = pnVarCleanFromInput('startnum');
--- 70,75 ----
// function should be obtained from pnVarCleanFromInput(), getting them
// from other places such as the environment is not allowed, as that makes
! // assumptions that will not hold in future versions of PostNuke.
! // Note that for retrieving 1 parameter, we can use $var1 = ... (see below)
$startnum = pnVarCleanFromInput('startnum');
***************
*** 100,104 ****
// The API function is called. The arguments to the function are passed in
! // as their own arguments array
$items = pnModAPIFunc('template',
'user',
--- 101,107 ----
// The API function is called. The arguments to the function are passed in
! // as their own arguments array.
! // Security check 1 - the getall() function only returns items for which the
! // the user has at least OVERVIEW access.
$items = pnModAPIFunc('template',
'user',
***************
*** 109,119 ****
// The return value of the function is checked here, and if the function
! // suceeded then an appropriate message is posted. Note that if the
! // function did not succeed then the API function should have already
! // posted a failure message so no action is required
if ($items == false) {
$output->Text(_TEMPLATEITEMFAILED);
}
// Loop through each item and display it. Note the use of pnVarCensor() to
// remove any words from the name that the administrator has deemed
--- 112,150 ----
// The return value of the function is checked here, and if the function
! // failed then an appropriate message is posted here. Note that if the
! // API function gave an error, then it should raise an exception that
! // you can handle here...
if ($items == false) {
+ // Throw back any system exceptions (e.g. database failure)
+ if (pnExceptionMajor() == PN_SYSTEM_EXCEPTION) {
+ return; // throw back
+ }
+ // Handle the user exceptions yourself
$output->Text(_TEMPLATEITEMFAILED);
+ // Possibly handle different exception IDs in specific ways :
+ // if (pnExceptionId() == 'BAD_PARAM') {
+ // /* do something */
+ // } elseif (pnExceptionId() == 'NO_PERMISSION') {
+ // /* do something else */
+ // } elseif (pnExceptionId() == 'MyException1') {
+ // /* do some other thing */
+ // } else {
+ // /* default handling */
+ // }
+ // Get the information about the exception (in HTML or string format)
+ // $reason = pnExceptionValueHTML();
+ $reason = pnExceptionValueString();
+ if (!empty($reason)) {
+ $output->Linebreak(2);
+ $output->Text(pnML('Reason') . ' : ' . $reason);
+ }
+ // Free the exception to tell PostNuke that you handled it
+ pnExceptionFree();
+ // Return the result
+ return $output->GetOutput();
}
+ // TODO: check for conflicts between transformation hook output and
+ // pnVarCensor / pnVarPrepForDisplay
// Loop through each item and display it. Note the use of pnVarCensor() to
// remove any words from the name that the administrator has deemed
***************
*** 122,125 ****
--- 153,170 ----
foreach ($items as $item) {
+ // Let any transformation hooks know that we want to transform some text
+ // You'll need to specify the item id, and an array containing all the
+ // pieces of text that you want to transform (e.g. for autolinks, wiki,
+ // smilies, bbcode, ...).
+ // Note : for your module, you might not need to call transformation
+ // hooks in this overview list, but only in the display of the details
+ // in the display() function.
+ list($item['name']) = pnModCallHooks('item',
+ 'transform',
+ $item['tid'],
+ array($item['name']));
+
+ // Security check 2 - if the user has read access to the item, show a
+ // link to display the details of the item
if (pnSecAuthAction(0,
'Templates::',
***************
*** 132,135 ****
--- 177,186 ----
pnVarPrepForDisplay(pnVarCensor($item['name'])));
$output->Linebreak();
+
+ // Security check 2 - else only display the item name (or whatever is
+ // appropriate for your module)
+ } else {
+ $output->Text(pnVarPrepForDisplay(pnVarCensor($item['name'])));
+ $output->Linebreak();
}
}
***************
*** 158,161 ****
--- 209,216 ----
* This is a standard function to provide detailed informtion on a single item
* available from the module.
+ *
+ * @param $args an array of arguments (if called by other modules)
+ * @param $args['objectid'] a generic object id (if called by other modules)
+ * @param $args['tid'] the item id used for this example module
*/
function template_user_display($args)
***************
*** 165,168 ****
--- 220,224 ----
// from other places such as the environment is not allowed, as that makes
// assumptions that will not hold in future versions of PostNuke.
+ // Note that for retrieving several parameters, we use list($var1,$var2) =
list($tid,
$objectid) = pnVarCleanFromInput('tid',
***************
*** 181,185 ****
// if it exists it overrides $tid
//
! // Note that this module couuld just use $objectid everywhere to avoid all
// of this munging of variables, but then the resultant code is less
// descriptive, especially where multiple objects are being used. The
--- 237,241 ----
// if it exists it overrides $tid
//
! // Note that this module could just use $objectid everywhere to avoid all
// of this munging of variables, but then the resultant code is less
// descriptive, especially where multiple objects are being used. The
***************
*** 209,213 ****
// The API function is called. The arguments to the function are passed in
! // as their own arguments array
$item = pnModAPIFunc('template',
'user',
--- 265,271 ----
// The API function is called. The arguments to the function are passed in
! // as their own arguments array.
! // Security check 1 - the get() function will fail if the user does not
! // have at least READ access to this item (also see below).
$item = pnModAPIFunc('template',
'user',
***************
*** 216,231 ****
// The return value of the function is checked here, and if the function
! // suceeded then an appropriate message is posted. Note that if the
! // function did not succeed then the API function should have already
! // posted a failure message so no action is required
if ($item == false) {
$output->Text(_TEMPLATEITEMFAILED);
return $output->GetOutput();
}
// Display details of the item. Note the use of pnVarCensor() to remove
// any words from the name that the administrator has deemed unsuitable for
// the site. Also note that a module variable is used here to determine
! // whether not not parts of the item information should be displayed in
// bold type or not
$output->Text(_TEMPLATENAME . ': ');
--- 274,334 ----
// The return value of the function is checked here, and if the function
! // failed then an appropriate message is posted here. Note that if the
! // API function gave an error, then it should raise an exception that
! // you can handle here...
if ($item == false) {
+ // Throw back any system exceptions (e.g. database failure)
+ if (pnExceptionMajor() == PN_SYSTEM_EXCEPTION) {
+ return; // throw back
+ }
+ // Handle the user exceptions yourself
$output->Text(_TEMPLATEITEMFAILED);
+ // Possibly handle different exception IDs in specific ways :
+ // if (pnExceptionId() == 'BAD_PARAM') {
+ // /* do something */
+ // } elseif (pnExceptionId() == 'NO_PERMISSION') {
+ // /* do something else */
+ // } elseif (pnExceptionId() == 'MyException1') {
+ // /* do some other thing */
+ // } else {
+ // /* default handling */
+ // }
+ // Get the information about the exception (in HTML or string format)
+ // $reason = pnExceptionValueHTML();
+ $reason = pnExceptionValueString();
+ if (!empty($reason)) {
+ $output->Linebreak(2);
+ $output->Text(pnML('Reason') . ' : ' . $reason);
+ }
+ // Free the exception to tell PostNuke that you handled it
+ pnExceptionFree();
+ // Return the result
return $output->GetOutput();
}
+ // Security check 2 - if your API function does *not* check for the
+ // appropriate access rights, or if for some reason you require higher
+ // access than READ for this function, you *must* check this here !
+ // if (!pnSecAuthAction(0, 'Templates::', "$item[name]::$item[tid]",
+ // ACCESS_READ)) {
+ // $output->Text(_TEMPLATENOAUTH);
+ // return $output->GetOutput();
+ //}
+
+ // Let any transformation hooks know that we want to transform some text.
+ // You'll need to specify the item id, and an array containing all the
+ // pieces of text that you want to transform (e.g. for autolinks, wiki,
+ // smilies, bbcode, ...).
+ list($item['name']) = pnModCallHooks('item',
+ 'transform',
+ $item['tid'],
+ array($item['name']));
+
+ // TODO: check for conflicts between transformation hook output and
+ // pnVarCensor / input parsing of Text() by pnHTML
// Display details of the item. Note the use of pnVarCensor() to remove
// any words from the name that the administrator has deemed unsuitable for
// the site. Also note that a module variable is used here to determine
! // whether or not parts of the item information should be displayed in
// bold type or not
$output->Text(_TEMPLATENAME . ': ');
Index: pnuserapi.php
===================================================================
RCS file: /home/cvsroot/postnuke_official/html/modules/template/pnuserapi.php,v
retrieving revision 1.6
retrieving revision 1.7
diff -C2 -d -r1.6 -r1.7
*** pnuserapi.php 30 Apr 2002 10:40:16 -0000 1.6
--- pnuserapi.php 1 Aug 2002 15:05:20 -0000 1.7
***************
*** 25,34 ****
/**
* get all example items
* @returns array
* @return array of items, or false on failure
*/
function template_userapi_getall($args)
{
! //
extract($args);
--- 25,42 ----
/**
* get all example items
+ *
+ * @author the Example module development team
+ * @param numitems the number of items to retrieve (default -1 = all)
+ * @param startnum start with this item number (default 1)
* @returns array
* @return array of items, or false on failure
+ * @raise BAD_PARAM, DATABASE_ERROR, NO_PERMISSION
*/
function template_userapi_getall($args)
{
! // Get arguments from argument array - all arguments to this function
! // should be obtained from the $args array, getting them from other places
! // such as the environment is not allowed, as that makes assumptions that
! // will not hold in future versions of PostNuke
extract($args);
***************
*** 41,47 ****
}
! if ((!isset($startnum)) ||
! (!isset($numitems))) {
! pnSessionSetVar('errormsg', _MODARGSERROR);
return false;
}
--- 49,61 ----
}
! // Argument check - make sure that all required arguments are present and
! // in the expected format, if not then set an appropriate error message
! // and return
! if ((!isset($startnum) || !is_numeric($startnum)) ||
! (!isset($numitems) || !is_numeric($numitems))) {
! $msg = pnML('Invalid #(1) for #(2) function #(3)() in module #(4)',
! 'startnum or numitems', 'user', 'getall', 'Example');
! pnExceptionSet(PN_USER_EXCEPTION, 'BAD_PARAM',
! new SystemException($msg));
return false;
}
***************
*** 51,59 ****
// Security check - important to do this as early on as possible to
// avoid potential security holes or just too much wasted processing
! if (!pnSecAuthAction(0, 'Template::', '::', ACCESS_READ)) {
! return $items;
}
! // Get datbase setup - note that both pnDBGetConn() and pnDBGetTables()
// return arrays but we handle them differently. For pnDBGetConn() we
// currently just want the first item, which is the official database
--- 65,77 ----
// Security check - important to do this as early on as possible to
// avoid potential security holes or just too much wasted processing
! if (!pnSecAuthAction(0, 'Template::', '::', ACCESS_OVERVIEW)) {
! $msg = pnML('Not authorized to access #(1) items',
! 'Example');
! pnExceptionSet(PN_USER_EXCEPTION, 'NO_PERMISSION',
! new SystemException($msg));
! return false;
}
! // Get database setup - note that both pnDBGetConn() and pnDBGetTables()
// return arrays but we handle them differently. For pnDBGetConn() we
// currently just want the first item, which is the official database
***************
*** 81,94 ****
// error message and return
if ($dbconn->ErrorNo() != 0) {
! pnSessionSetVar('errormsg', _GETFAILED);
return false;
}
// Put items into result array. Note that each item is checked
! // individually to ensure that the user is allowed access to it before it
! // is added to the results array
for (; !$result->EOF; $result->MoveNext()) {
list($tid, $name, $number) = $result->fields;
! if (pnSecAuthAction(0, 'Template::', "$name::$tid", ACCESS_READ)) {
$items[] = array('tid' => $tid,
'name' => $name,
--- 99,124 ----
// error message and return
if ($dbconn->ErrorNo() != 0) {
! // Hint : for debugging SQL queries, you can use $dbconn->ErrorMsg()
! // to retrieve the actual database error message, and use e.g. the
! // following message :
! // $msg = pnML('Database error #(1) in query #(2) for #(3) function ' .
! // '#(4)() in module #(5)',
! // $dbconn->ErrorMsg(), $sql, 'user', 'getall', 'Example');
! // Don't use that for release versions, though...
! $msg = pnML('Database error for #(1) function #(2)() in module #(3)',
! 'user', 'getall', 'Example');
! pnExceptionSet(PN_SYSTEM_EXCEPTION, 'DATABASE_ERROR',
! new SystemException($msg));
return false;
}
// Put items into result array. Note that each item is checked
! // individually to ensure that the user is allowed *at least* OVERVIEW
! // access to it before it is added to the results array.
! // If more severe restrictions apply, e.g. for READ access to display
! // the details of the item, this *must* be verified by your function.
for (; !$result->EOF; $result->MoveNext()) {
list($tid, $name, $number) = $result->fields;
! if (pnSecAuthAction(0, 'Template::', "$name::$tid", ACCESS_OVERVIEW)) {
$items[] = array('tid' => $tid,
'name' => $name,
***************
*** 110,113 ****
--- 140,144 ----
* @returns array
* @return item array, or false on failure
+ * @raise BAD_PARAM, DATABASE_ERROR, NO_PERMISSION
*/
function template_userapi_get($args)
***************
*** 119,130 ****
extract($args);
! // Argument check - make sure that all required arguments are present, if
! // not then set an appropriate error message and return
! if (!isset($tid)) {
! pnSessionSetVar('errormsg', _MODARGSERROR);
return false;
}
! // Get datbase setup - note that both pnDBGetConn() and pnDBGetTables()
// return arrays but we handle them differently. For pnDBGetConn() we
// currently just want the first item, which is the official database
--- 150,165 ----
extract($args);
! // Argument check - make sure that all required arguments are present and
! // in the expected format, if not then set an appropriate error message
! // and return
! if (!isset($tid) || !is_numeric($tid)) {
! $msg = pnML('Invalid #(1) for #(2) function #(3)() in module #(4)',
! 'item ID', 'user', 'get', 'Example');
! pnExceptionSet(PN_USER_EXCEPTION, 'BAD_PARAM',
! new SystemException($msg));
return false;
}
! // Get database setup - note that both pnDBGetConn() and pnDBGetTables()
// return arrays but we handle them differently. For pnDBGetConn() we
// currently just want the first item, which is the official database
***************
*** 151,159 ****
// error message and return
if ($dbconn->ErrorNo() != 0) {
return false;
}
! // Check for no rows found, and if so return
if ($result->EOF) {
return false;
}
--- 186,206 ----
// error message and return
if ($dbconn->ErrorNo() != 0) {
+ // Hint : for debugging SQL queries, you can use $dbconn->ErrorMsg()
+ // to retrieve the actual database error message, and use e.g. the
+ // following message :
+ // $msg = pnML('Database error #(1) in query #(2) for #(3) function ' .
+ // '#(4)() in module #(5)',
+ // $dbconn->ErrorMsg(), $sql, 'user', 'get', 'Example');
+ // Don't use that for release versions, though...
+ $msg = pnML('Database error for #(1) function #(2)() in module #(3)',
+ 'user', 'get', 'Example');
+ pnExceptionSet(PN_SYSTEM_EXCEPTION, 'DATABASE_ERROR',
+ new SystemException($msg));
return false;
}
! // Check for no rows found, and if so, close the result set and return
if ($result->EOF) {
+ $result->Close();
return false;
}
***************
*** 169,174 ****
// potential security holes or just too much wasted processing. Although
// this one is a bit late in the function it is as early as we can do it as
! // this is the first time we have the relevant information
if (!pnSecAuthAction(0, 'Template::', "$name::$tid", ACCESS_READ)) {
return false;
}
--- 216,226 ----
// potential security holes or just too much wasted processing. Although
// this one is a bit late in the function it is as early as we can do it as
! // this is the first time we have the relevant information.
! // For this function, the user must *at least* have READ access to this item
if (!pnSecAuthAction(0, 'Template::', "$name::$tid", ACCESS_READ)) {
+ $msg = pnML('Not authorized to access #(1) item #(2)',
+ 'Example', pnVarPrepForStore($tid));
+ pnExceptionSet(PN_USER_EXCEPTION, 'NO_PERMISSION',
+ new SystemException($msg));
return false;
}
***************
*** 190,194 ****
function template_userapi_countitems()
{
! // Get datbase setup - note that both pnDBGetConn() and pnDBGetTables()
// return arrays but we handle them differently. For pnDBGetConn() we
// currently just want the first item, which is the official database
--- 242,246 ----
function template_userapi_countitems()
{
! // Get database setup - note that both pnDBGetConn() and pnDBGetTables()
// return arrays but we handle them differently. For pnDBGetConn() we
// currently just want the first item, which is the official database
***************
*** 213,216 ****
--- 265,279 ----
// error message and return
if ($dbconn->ErrorNo() != 0) {
+ // Hint : for debugging SQL queries, you can use $dbconn->ErrorMsg()
+ // to retrieve the actual database error message, and use e.g. the
+ // following message :
+ // $msg = pnML('Database error #(1) in query #(2) for #(3) function ' .
+ // '#(4)() in module #(5)',
+ // $dbconn->ErrorMsg(), $sql, 'user', 'countitems', 'Example');
+ // Don't use that for release versions, though...
+ $msg = pnML('Database error for #(1) function #(2)() in module #(3)',
+ 'user', 'countitems', 'Example');
+ pnExceptionSet(PN_SYSTEM_EXCEPTION, 'DATABASE_ERROR',
+ new SystemException($msg));
return false;
}
***************
*** 227,229 ****
}
! ?>
\ No newline at end of file
--- 290,292 ----
}
! ?>
View Statistics - Next Notice - Previous Notice
| Visit Developer Site - Browse CVS Repository |
Syndicate via backend.rss (max. once per hour please) | Powered by CVSNotice 0.1.3 |