[evolvis-commits] r18734: widget-areas pending merges:↵ Thorsten Glaser 2012-10-29 [#3230] Fix RBAC checks for Project Areas widget↵ Thorsten Glaser 2012-10-29 check the right thing…

mirabilos at evolvis.org mirabilos at evolvis.org
Mon Oct 29 15:08:40 CET 2012


Author: mirabilos
Date: 2012-10-29 15:08:39 +0100 (Mon, 29 Oct 2012)
New Revision: 18734

Modified:
   trunk/gforge_base/evolvisforge-5.1/src/common/widget/Widget_ProjectPublicAreas.class.php
   trunk/gforge_base/evolvisforge-5.1/src/debian/changelog
   trunk/gforge_base/evolvisforge-5.1/src/www/tracker/ind.php
Log:
widget-areas pending merges:
  Thorsten Glaser 2012-10-29 [#3230] Fix RBAC checks for Project Areas widget
    Thorsten Glaser 2012-10-29 check the right thing…

Modified: trunk/gforge_base/evolvisforge-5.1/src/common/widget/Widget_ProjectPublicAreas.class.php
===================================================================
--- trunk/gforge_base/evolvisforge-5.1/src/common/widget/Widget_ProjectPublicAreas.class.php	2012-10-29 14:08:34 UTC (rev 18733)
+++ trunk/gforge_base/evolvisforge-5.1/src/common/widget/Widget_ProjectPublicAreas.class.php	2012-10-29 14:08:39 UTC (rev 18734)
@@ -1,24 +1,29 @@
 <?php
 /**
- * Copyright (c) Xerox Corporation, Codendi Team, 2001-2009. All rights reserved
+ * Copyright (c) Xerox Corporation, Codendi Team, 2001-2009.
+ * Copyright © 2012
+ *	Thorsten Glaser <t.glaser at tarent.de>
+ * All rights reserved.
  *
- * This file is a part of Codendi.
+ * This file is part of FusionForge. FusionForge is free software;
+ * you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software
+ * Foundation; either version 2 of the Licence, or (at your option)
+ * any later version.
  *
- * Codendi is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * Codendi is distributed in the hope that it will be useful,
+ * FusionForge is distributed in the hope that it will be useful,
  * but WITHOUT ANY WARRANTY; without even the implied warranty of
  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  * GNU General Public License for more details.
  *
- * You should have received a copy of the GNU General Public License
- * along with Codendi. If not, see <http://www.gnu.org/licenses/>.
+ * You should have received a copy of the GNU General Public License along
+ * with FusionForge; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
  */
 
 require_once('Widget.class.php');
+require_once($gfcommon.'tracker/ArtifactTypeFactory.class.php');
+require_once($gfcommon.'pm/ProjectGroupFactory.class.php');
 
 /**
  * Widget_ProjectPublicAreas
@@ -29,7 +34,7 @@
 	}
 
 	function getTitle() {
-		return _('Public Areas');
+		return _('Project Areas');
 	}
 
 	function getContent() {
@@ -40,6 +45,17 @@
 		$pm = ProjectManager::instance();
 		$project = $pm->getProject($group_id);
 
+		$group = group_get_object($group_id);
+		if (!$group || !is_object($group)) {
+			echo "<div>Could not get Group #$group_id</div>\n";
+			return false;
+		} elseif ($group->isError()) {
+			echo "<div>Could not get Group #$group_id: " .
+			    util_html_encode($group->getErrorMessage()) .
+			    "</div>\n";
+			return false;
+		}
+
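Review bot: `$group_id` is interpolated into both error `<div>`s unencoded while the error message on the following line is passed through `util_html_encode()`; where `$group_id` originates is outside this hunk (getContent() starts above it), so if it can come from the request, casting it — `echo "<div>Could not get Group #" . (int)$group_id . "</div>\n";` — closes the gap consistently with the rest of the block. The two new error strings are also the only user-facing text in the widget not wrapped in `_()`. `$project` from ProjectManager and `$group` from `group_get_object()` now both stand for the same project; a one-line comment stating why both are kept (the factories take a Group object, the URI uses `$project->getUnixName()`) would save the next reader from trying to unify them.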
 		// ################# Homepage Link
 
 		echo '<div class="public-area-box" rel="doap:homepage">';
@@ -55,34 +71,49 @@
 			$link_content = $HTML->getFollowPic(_('Tracker')) . ' ' . _('Tracker');
 			echo util_make_link('/tracker/?group_id=' . $group_id, $link_content);
 
-			$result = db_query_params('SELECT agl.*,aca.count,aca.open_count
-				FROM artifact_group_list agl
-				LEFT JOIN artifact_counts_agg aca USING (group_artifact_id)
-				WHERE agl.group_id=$1
-				AND agl.is_public=1
-				ORDER BY group_artifact_id ASC',
-			    array($group_id));
-			$rows = db_numrows($result);
-
-			if (!$result || $rows < 1) {
-				echo "<br />\n<em>" .
-				    _('There are no public trackers available') .
-				    "</em>\n";
+			$atf = new ArtifactTypeFactory($group);
+			$emsg = _('There are no public trackers available');
+			if (!$atf || !is_object($atf) || $atf->isError()) {
+				$emsg = _('Could Not Get ArtifactTypeFactory');
+				$at_arr = array();
 			} else {
-				echo "\n".'<ul class="tracker" rel="doap:bug-database">'."\n";
-				for ($j = 0; $j < $rows; $j++) {
-					$group_artifact_id = db_result($result, $j, 'group_artifact_id');
-					$tracker_stdzd_uri = util_make_url('/tracker/cm/project/'. $project->getUnixName() .'/atid/'. $group_artifact_id);
-					echo "\t".'<li about="'. $tracker_stdzd_uri . '" typeof="sioc:Container">'."\n";
-					print '<span rel="http://www.w3.org/2002/07/owl#sameAs">'."\n";
-					echo util_make_link('/tracker/?atid='. $group_artifact_id . '&group_id='.$group_id.'&func=browse',db_result($result, $j, 'name')) . ' ';
-					echo "</span>\n";
-					printf(ngettext('(<strong>%1$s</strong> open / <strong>%2$s</strong> total)', '(<strong>%1$s</strong> open / <strong>%2$s</strong> total)', (int)db_result($result, $j, 'open_count')), (int)db_result($result, $j, 'open_count'), (int)db_result($result, $j, 'count'));
-					echo '<br />';
-					print '<span rel="sioc:has_space" resource="" ></span>'."\n";
-					echo "</li>\n";
+				$at_arr = $atf->getArtifactTypes();
+				if (!$at_arr) {
+					$at_arr = array();
 				}
+			}
+
+			$at_cnt = 0;
+			foreach ($at_arr as $at) {
+				if (!$at || !is_object($at) || $at->isError()) {
+					/* just skip it */
+					continue;
+				}
+				if (!$at_cnt++) {
+					/* first one to be displayed */
+					echo "\n<ul class=\"tracker\" rel=\"doap:bug-database\">\n";
+				}
+				$tracker_stdzd_uri = util_make_url('/tracker/cm/project/' .
+				    $project->getUnixName() . '/atid/' .
+				    $at->getID());
+				echo "\t<li about=\"$tracker_stdzd_uri\" typeof=\"sioc:Container\">\n" .
+				    '<span rel="http://www.w3.org/2002/07/owl#sameAs">' . "\n" .
+				    util_make_link('/tracker/?atid=' . $at->getID() .
+				    '&group_id=' . $group_id . '&func=browse',
+				    $at->getName()) . "</span>\n (" . sprintf(ngettext(
+				    '<strong>%d</strong> open',
+				    '<strong>%d</strong> open',
+				    (int)$at->getOpenCount()), (int)$at->getOpenCount()) .
+				    ' / ' . sprintf(ngettext(
+				    '<strong>%d</strong> total',
+				    '<strong>%d</strong> total',
+				    (int)$at->getTotalCount()), (int)$at->getTotalCount()) .
+				    ")<br /><span rel=\"sioc:has_space\" resource=\"\" ></span>\n</li>\n";
+			}
+			if ($at_cnt) {
 				echo "</ul>\n";
+			} else {
+				echo "<br />\n<em>$emsg</em>\n";
 			}
 			echo "</div>\n";
 		}
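Review bot: The tracker name returned by `$at->getName()` is passed to `util_make_link()` as link text with no HTML encoding, and `$tracker_stdzd_uri` is interpolated into the `about` attribute unescaped; unless `util_make_link()` encodes its second argument (not visible here), a tracker name containing `<` or `"` is rendered as markup, so wrap it: `util_html_encode($at->getName())`. The RBAC fix itself rests on `ArtifactTypeFactory::getArtifactTypes()` returning only the trackers the current user may read — this hunk does not show that filtering, so a comment at the factory construction such as `/* RBAC: rely on the factory to filter trackers by the current user's permissions; the old is_public SQL filter is gone */` would record the assumption the code now depends on. The `!$atf || !is_object($atf)` test is dead code in PHP, since `new` never yields a non-object; `$atf->isError()` alone suffices.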
@@ -136,23 +167,47 @@
 			$link_content = $HTML->getPmPic('') . ' ' . _('Tasks');
 			print util_make_link('/pm/?group_id=' . $group_id, $link_content);
 
-			$result = db_query_params('SELECT * FROM project_group_list
-				WHERE group_id=$1 AND is_public=1',
-			    array($group_id));
-			$rows = db_numrows($result);
-			if (!$result || $rows < 1) {
-				echo "<br />\n<em>" .
-				    _('There are no public subprojects available') .
-				    "</em>\n";
+			$pgf = new ProjectGroupFactory($group);
+			$emsg = _('There are no public subprojects available');
+			if (!$pgf || !is_object($pgf) || $pgf->isError()) {
+				$emsg = _('Could Not Get Factory');
+				$pg_arr = array();
 			} else {
-				echo "\n".'<ul class="task-manager">';
-				for ($j = 0; $j < $rows; $j++) {
-					echo "\n\t<li>";
-					print util_make_link('/pm/task.php?group_project_id='.db_result($result, $j, 'group_project_id').'&group_id='.$group_id.'&func=browse',db_result($result, $j, 'project_name'));
-					echo '</li>';
+				$pg_arr = $pgf->getProjectGroups();
+				if (!$pg_arr || $pgf->isError()) {
+					$pg_arr = array();
 				}
-				echo "\n</ul>";
 			}
+
+			$at_cnt = 0;
+			foreach ($pg_arr as $at) {
+				if (!$at || !is_object($at) || $at->isError()) {
+					/* just skip it */
+					continue;
+				}
+				if (!$at_cnt++) {
+					/* first one to be displayed */
+					echo "\n<ul class=\"task-manager\">\n";
+				}
+				echo "\n\t<li>" . util_make_link(
+				    '/pm/task.php?group_project_id=' .
+				    $at->getID() . '&group_id=' .
+				    $group_id . '&func=browse',
+				    $at->getName()) . " (" . sprintf(ngettext(
+				    '<strong>%d</strong> open',
+				    '<strong>%d</strong> open',
+				    (int)$at->getOpenCount()), (int)$at->getOpenCount()) .
+				    ' / ' . sprintf(ngettext(
+				    '<strong>%d</strong> total',
+				    '<strong>%d</strong> total',
+				    (int)$at->getTotalCount()), (int)$at->getTotalCount()) .
+				    ")</li>\n";
+			}
+			if ($at_cnt) {
+				echo "</ul>\n";
+			} else {
+				echo "<br />\n<em>$emsg</em>\n";
+			}
 			echo "\n</div>\n";
 		}
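Review bot: The loop variable `$at` and counter `$at_cnt` were copied from the tracker block but here iterate over ProjectGroup objects, which makes the two lists easy to confuse when reading; `foreach ($pg_arr as $pg)` with a `$pg_cnt` counter says what is being counted. As in the tracker list, `$at->getName()` is emitted as link text without `util_html_encode()`, so the subproject name should be encoded unless `util_make_link()` does so (not visible here). The same `!$pgf || !is_object($pgf)` dead check appears after `new ProjectGroupFactory($group)` and can be reduced to `$pgf->isError()`.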
 

Modified: trunk/gforge_base/evolvisforge-5.1/src/debian/changelog
===================================================================
--- trunk/gforge_base/evolvisforge-5.1/src/debian/changelog	2012-10-29 14:08:34 UTC (rev 18733)
+++ trunk/gforge_base/evolvisforge-5.1/src/debian/changelog	2012-10-29 14:08:39 UTC (rev 18734)
@@ -8,8 +8,9 @@
   * [#3351] Unbreak adding widgets to Group Summary page
   * Widgets: Revert collapsing project members by default, with the
     Codendi widget layout we’re flexible enough to keep the page fit
+  * Widgets: [#3230] “Public Areas” ⇒ “Project Areas” (SECURITY fix)
 
- -- Thorsten Glaser <t.glaser at tarent.de>  Mon, 29 Oct 2012 14:52:35 +0100
+ -- Thorsten Glaser <t.glaser at tarent.de>  Mon, 29 Oct 2012 14:54:31 +0100
 
 fusionforge (1:5.1.1+evolvis74.2) unstable; urgency=high
 

Modified: trunk/gforge_base/evolvisforge-5.1/src/www/tracker/ind.php
===================================================================
--- trunk/gforge_base/evolvisforge-5.1/src/www/tracker/ind.php	2012-10-29 14:08:34 UTC (rev 18733)
+++ trunk/gforge_base/evolvisforge-5.1/src/www/tracker/ind.php	2012-10-29 14:08:39 UTC (rev 18734)
@@ -23,7 +23,7 @@
  */
 
 $atf = new ArtifactTypeFactory($group);
-if (!$group || !is_object($group) || $group->isError()) {
+if (!$atf || !is_object($atf) || $atf->isError()) {
 	exit_error(_('Could Not Get ArtifactTypeFactory'),'tracker');
 }
 


