From a1a0a11bbeca3048517472fa89d565f1557be7e7 Mon Sep 17 00:00:00 2001
From: Kevin Fourie
Date: Sun, 24 Jun 2007 22:43:09 +0000
Subject: [PATCH] KTS-2128 "Renaming a folder double sanitizes the new foldername" Fixed the folder add method too.
---
 lib/foldermanagement/folderutil.inc.php | 242 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++-------------------------------------------------------------------------------------------------------------------------
 1 file changed, 121 insertions(+), 121 deletions(-)
diff --git a/lib/foldermanagement/folderutil.inc.php b/lib/foldermanagement/folderutil.inc.php
index aa3f3ab..5979fc6 100644
--- a/lib/foldermanagement/folderutil.inc.php
+++ b/lib/foldermanagement/folderutil.inc.php
@@ -31,7 +31,7 @@ */ require_once(KT_LIB_DIR . '/storage/storagemanager.inc.php'); -require_once(KT_LIB_DIR . '/subscriptions/subscriptions.inc.php'); +require_once(KT_LIB_DIR . '/subscriptions/subscriptions.inc.php'); require_once(KT_LIB_DIR . '/permissions/permission.inc.php'); require_once(KT_LIB_DIR . '/permissions/permissionutil.inc.php');
@@ -42,7 +42,7 @@ require_once(KT_LIB_DIR . '/foldermanagement/foldertransaction.inc.php'); require_once(KT_LIB_DIR . '/database/dbutil.inc'); class KTFolderUtil { - function _add ($oParentFolder, $sFolderName, $oUser) { + function _add($oParentFolder, $sFolderName, $oUser) { if (PEAR::isError($oParentFolder)) { return $oParentFolder; }
@@ -51,10 +51,10 @@ class KTFolderUtil { } $oStorage =& KTStorageManagerUtil::getSingleton(); $oFolder =& Folder::createFromArray(array( - 'name' => $sFolderName, - 'description' => $sFolderName, - 'parentid' => $oParentFolder->getID(), - 'creatorid' => $oUser->getID(), + 'name' => sanitizeForSQL($sFolderName), + 'description' => sanitizeForSQL($sFolderName), + 'parentid' => $oParentFolder->getID(), + 'creatorid' => $oUser->getID(), )); if (PEAR::isError($oFolder)) { return $oFolder;
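Review bot: Escaping with `sanitizeForSQL()` at the `'name'` and `'description'` entries of `Folder::createFromArray()` in `_add()` changes the value that gets stored rather than protecting a query; every statement visible in this file binds its values through `?` placeholders via `DBUtil::runQuery()`, so if `createFromArray()` also binds, the escaped text is what is persisted, which is the same double-escaping class the commit title describes, now on create. `add()` in the next hunk still calls `Folder::folderExistsName($sFolderName, $folderid)` with the raw name, so the duplicate check and the stored name can disagree for any name the sanitizer rewrites (unless `folderExistsName()` sanitizes internally, which is not visible here). If `createFromArray()` genuinely needs pre-escaped input, record that contract so callers stop escaping again, e.g. `// name/description are escaped here for createFromArray(); callers must pass the raw folder name` above the array, otherwise drop the two `sanitizeForSQL()` calls and leave escaping to the parameter binding. `_add()` continues past the end of this hunk.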
@@ -67,35 +67,35 @@ class KTFolderUtil { return $oFolder; } - function add ($oParentFolder, $sFolderName, $oUser) { - - - $folderid=$oParentFolder->getId(); + function add($oParentFolder, $sFolderName, $oUser) { + + + $folderid=$oParentFolder->getId(); // check for conflicts first if (Folder::folderExistsName($sFolderName,$folderid)) { return PEAR::raiseError(sprintf(_kt('The folder %s already exists.'), $sFolderName)); } - - $oFolder = KTFolderUtil::_add($oParentFolder, $sFolderName, $oUser); + + $oFolder = KTFolderUtil::_add($oParentFolder, $sFolderName, $oUser); if (PEAR::isError($oFolder)) { return $oFolder; } - + $oTransaction = KTFolderTransaction::createFromArray(array( - 'folderid' => $oFolder->getId(), - 'comment' => _kt('Folder created'), - 'transactionNS' => 'ktcore.transactions.create', - 'userid' => $oUser->getId(), - 'ip' => Session::getClientIP(), + 'folderid' => $oFolder->getId(), + 'comment' => _kt('Folder created'), + 'transactionNS' => 'ktcore.transactions.create', + 'userid' => $oUser->getId(), + 'ip' => Session::getClientIP(), )); // fire subscription alerts for the new folder $oSubscriptionEvent = new SubscriptionEvent(); $oSubscriptionEvent->AddFolder($oFolder, $oParentFolder); - + KTFolderUtil::updateSearchableText($oFolder); - + return $oFolder; }
@@ -131,7 +131,7 @@ class KTFolderUtil { // First, deal with SQL, as it, at least, is guaranteed to be atomic $table = 'folders'; - + if ($oNewParentFolder->getId() == 1) { $sNewParentFolderPath = $oNewParentFolder->getName(); $sNewParentFolderIds = '';
@@ -150,10 +150,10 @@ class KTFolderUtil { // Update the moved folder first... $sQuery = "UPDATE $table SET full_path = ?, parent_folder_ids = ?, parent_id = ? WHERE id = ?"; $aParams = array( - sprintf("%s", $sNewParentFolderPath), - $sNewParentFolderIds, - $oNewParentFolder->getID(), - $oFolder->getID(), + sprintf("%s", $sNewParentFolderPath), + $sNewParentFolderIds, + $oNewParentFolder->getID(), + $oFolder->getID(), ); $res = DBUtil::runQuery(array($sQuery, $aParams)); if (PEAR::isError($res)) {
@@ -165,14 +165,14 @@ class KTFolderUtil { } else { $sOldFolderPath = sprintf("%s/%s", $oFolder->getFullPath(), $oFolder->getName()); } - + $sQuery = "UPDATE $table SET full_path = CONCAT(?, SUBSTRING(full_path FROM ?)), parent_folder_ids = CONCAT(?, SUBSTRING(parent_folder_ids FROM ?)) WHERE full_path LIKE ?"; $aParams = array( - sprintf("%s", $sNewParentFolderPath), - strlen($oFolder->getFullPath()) + 1, - $sNewParentFolderIds, - strlen($oFolder->getParentFolderIDs()) + 1, - sprintf("%s%%", $sOldFolderPath), + sprintf("%s", $sNewParentFolderPath), + strlen($oFolder->getFullPath()) + 1, + $sNewParentFolderIds, + strlen($oFolder->getParentFolderIDs()) + 1, + sprintf("%s%%", $sOldFolderPath), ); $res = DBUtil::runQuery(array($sQuery, $aParams)); if (PEAR::isError($res)) {
@@ -182,11 +182,11 @@ class KTFolderUtil { $table = 'documents'; $sQuery = "UPDATE $table SET full_path = CONCAT(?, SUBSTRING(full_path FROM ?)), parent_folder_ids = CONCAT(?, SUBSTRING(parent_folder_ids FROM ?)) WHERE full_path LIKE ?"; $aParams = array( - sprintf("%s", $sNewParentFolderPath), - strlen($oFolder->getFullPath()) + 1, - $sNewParentFolderIds, - strlen($oFolder->getParentFolderIDs()) + 1, - sprintf("%s%%", $sOldFolderPath), + sprintf("%s", $sNewParentFolderPath), + strlen($oFolder->getFullPath()) + 1, + $sNewParentFolderIds, + strlen($oFolder->getParentFolderIDs()) + 1, + sprintf("%s%%", $sOldFolderPath), ); $res = DBUtil::runQuery(array($sQuery, $aParams)); if (PEAR::isError($res)) {
@@ -204,11 +204,11 @@ class KTFolderUtil { } $oTransaction = KTFolderTransaction::createFromArray(array( - 'folderid' => $oFolder->getId(), - 'comment' => $sComment, - 'transactionNS' => 'ktcore.transactions.move', - 'userid' => $oUser->getId(), - 'ip' => Session::getClientIP(), + 'folderid' => $oFolder->getId(), + 'comment' => $sComment, + 'transactionNS' => 'ktcore.transactions.move', + 'userid' => $oUser->getId(), + 'ip' => Session::getClientIP(), )); Document::clearAllCaches();
@@ -216,20 +216,20 @@ class KTFolderUtil { if ($bChangePermissionObject) { $aOptions = array( - 'evenifnotowner' => true, // Inherit from parent folder, even though not permission owner + 'evenifnotowner' => true, // Inherit from parent folder, even though not permission owner ); KTPermissionUtil::inheritPermissionObject($oFolder, $aOptions); } return true; } - + function rename($oFolder, $sNewName, $oUser) { $oStorage =& KTStorageManagerUtil::getSingleton(); $sOldName = $oFolder->getName(); // First, deal with SQL, as it, at least, is guaranteed to be atomic $table = "folders"; - + $sQuery = "UPDATE $table SET full_path = CONCAT(?, SUBSTRING(full_path FROM ?)) WHERE full_path LIKE ?"; if ($oFolder->getId() == 1) {
@@ -241,9 +241,9 @@ class KTFolderUtil { } $aParams = array( - sprintf("%s", $sNewPath), - strlen($sOldPath) + 1, - sprintf("%s%%", $sOldPath), + sprintf("%s", $sNewPath), + strlen($sOldPath) + 1, + sprintf("%s%%", $sOldPath), ); $res = DBUtil::runQuery(array($sQuery, $aParams)); if (PEAR::isError($res)) {
@@ -253,9 +253,9 @@ class KTFolderUtil { $table = "documents"; $sQuery = "UPDATE $table SET full_path = CONCAT(?, SUBSTRING(full_path FROM ?)) WHERE full_path LIKE ?"; $aParams = array( - sprintf("%s", $sNewPath), - strlen($sOldPath) + 1, - sprintf("%s%%", $sOldPath), + sprintf("%s", $sNewPath), + strlen($sOldPath) + 1, + sprintf("%s%%", $sOldPath), ); $res = DBUtil::runQuery(array($sQuery, $aParams)); if (PEAR::isError($res)) {
@@ -266,16 +266,16 @@ class KTFolderUtil { if (PEAR::isError($res)) { return $res; } - + $oFolder->setName($sNewName); $res = $oFolder->update(); $oTransaction = KTFolderTransaction::createFromArray(array( - 'folderid' => $oFolder->getId(), - 'comment' => sprintf(_kt("Renamed from \"%s\" to \"%s\""), $sOldName, $sNewName), - 'transactionNS' => 'ktcore.transactions.rename', - 'userid' => $_SESSION['userID'], - 'ip' => Session::getClientIP(), + 'folderid' => $oFolder->getId(), + 'comment' => sprintf(_kt("Renamed from \"%s\" to \"%s\""), $sOldName, $sNewName), + 'transactionNS' => 'ktcore.transactions.rename', + 'userid' => $_SESSION['userID'], + 'ip' => Session::getClientIP(), )); if (PEAR::isError($oTransaction)) { return $oTransaction;
@@ -292,34 +292,34 @@ class KTFolderUtil { function exists($oParentFolder, $sName) { return Folder::folderExistsName($sName, $oParentFolder->getID()); } - - - + + + /* folderUtil::delete - * - * this function is _much_ more complex than it might seem. - * we need to: - * - recursively identify children - * - validate that permissions are allocated correctly. - * - step-by-step delete. - */ - + * + * this function is _much_ more complex than it might seem. + * we need to: + * - recursively identify children + * - validate that permissions are allocated correctly. + * - step-by-step delete. + */ + function delete($oStartFolder, $oUser, $sReason, $aOptions = null) { require_once(KT_LIB_DIR . '/unitmanagement/Unit.inc'); $oPerm = KTPermission::getByName('ktcore.permissions.delete'); $bIgnorePermissions = KTUtil::arrayGet($aOptions, 'ignore_permissions'); - + $aFolderIds = array(); // of oFolder $aDocuments = array(); // of oDocument $aFailedDocuments = array(); // of String $aFailedFolders = array(); // of String - + $aRemainingFolders = array($oStartFolder->getId()); - + DBUtil::startTransaction(); - + while (!empty($aRemainingFolders)) { $iFolderId = array_pop($aRemainingFolders); $oFolder = Folder::get($iFolderId);
@@ -340,15 +340,15 @@ class KTFolderUtil { } else { $aFolderIds[] = $iFolderId; } - + // child documents $aChildDocs = Document::getList(array('folder_id = ?',array($iFolderId))); foreach ($aChildDocs as $oDoc) { if (!$bIgnorePermissions && $oDoc->getImmutable()) { - if (!KTBrowseUtil::inAdminMode($oUser, $oStartFolder)) { + if (!KTBrowseUtil::inAdminMode($oUser, $oStartFolder)) { $aFailedDocuments[] = $oDoc->getName(); continue; - } + } } if ($bIgnorePermissions || (KTPermissionUtil::userHasPermissionOnItem($oUser, $oPerm, $oDoc) && ($oDoc->getIsCheckedOut() == false)) ) { $aDocuments[] = $oDoc;
@@ -356,14 +356,14 @@ class KTFolderUtil { $aFailedDocuments[] = $oDoc->getName(); } } - + // child folders. $aCFIds = Folder::getList(array('parent_id = ?', array($iFolderId)), array('ids' => true)); $aRemainingFolders = kt_array_merge($aRemainingFolders, $aCFIds); } // FIXME we could subdivide this to provide a per-item display (viz. bulk upload, etc.) - + if ((!empty($aFailedDocuments) || (!empty($aFailedFolders)))) { $sFD = ''; $sFF = '';
@@ -391,23 +391,23 @@ class KTFolderUtil { // documents all cleared. $sQuery = 'DELETE FROM ' . KTUtil::getTableName('folders') . ' WHERE id IN (' . DBUtil::paramArray($aFolderIds) . ')'; $aParams = $aFolderIds; - + $res = DBUtil::runQuery(array($sQuery, $aParams)); if (PEAR::isError($res)) { DBUtil::rollback(); return PEAR::raiseError(_kt('Failure deleting folders.')); } - + // purge caches - KTEntityUtil::clearAllCaches('Folder'); - + KTEntityUtil::clearAllCaches('Folder'); + // and store DBUtil::commit(); - + return true; } - + function copy($oSrcFolder, $oDestFolder, $oUser, $sReason) { if (KTFolderUtil::exists($oDestFolder, $oSrcFolder->getName())) { return PEAR::raiseError(_kt("Folder with the same name already exists in the new parent folder"));
@@ -417,20 +417,20 @@ class KTFolderUtil { // $oPerm = KTPermission::getByName('ktcore.permissions.read'); $oBaseFolderPerm = KTPermission::getByName('ktcore.permissions.addFolder'); - + if (!KTPermissionUtil::userHasPermissionOnItem($oUser, $oBaseFolderPerm, $oDestFolder)) { return PEAR::raiseError(_kt('You are not allowed to create folders in the destination.')); } - + $aFolderIds = array(); // of oFolder $aDocuments = array(); // of oDocument $aFailedDocuments = array(); // of String $aFailedFolders = array(); // of String - + $aRemainingFolders = array($oSrcFolder->getId()); - + DBUtil::startTransaction(); - + while (!empty($aRemainingFolders)) { $iFolderId = array_pop($aRemainingFolders); $oFolder = Folder::get($iFolderId);
@@ -438,14 +438,14 @@ class KTFolderUtil { DBUtil::rollback(); return PEAR::raiseError(sprintf(_kt('Failure resolving child folder with id = %d.'), $iFolderId)); } - + // don't just stop ... plough on. if (KTPermissionUtil::userHasPermissionOnItem($oUser, $oPerm, $oFolder)) { $aFolderIds[] = $iFolderId; } else { $aFailedFolders[] = $oFolder->getName(); } - + // child documents $aChildDocs = Document::getList(array('folder_id = ?',array($iFolderId))); foreach ($aChildDocs as $oDoc) {
@@ -455,12 +455,12 @@ class KTFolderUtil { $aFailedDocuments[] = $oDoc->getName(); } } - + // child folders. $aCFIds = Folder::getList(array('parent_id = ?', array($iFolderId)), array('ids' => true)); $aRemainingFolders = kt_array_merge($aRemainingFolders, $aCFIds); } - + if ((!empty($aFailedDocuments) || (!empty($aFailedFolders)))) { $sFD = ''; $sFF = '';
@@ -472,15 +472,15 @@ class KTFolderUtil { } return PEAR::raiseError(_kt('You do not have permission to copy these items. ') . $sFD . $sFF); } - + // first we walk the tree, creating in the new location as we go. // essentially this is an "ok" pass. - - - $oStorage =& KTStorageManagerUtil::getSingleton(); - + + + $oStorage =& KTStorageManagerUtil::getSingleton(); + $aFolderMap = array(); - + $sTable = KTUtil::getTableName('folders'); $sGetQuery = 'SELECT * FROM ' . $sTable . ' WHERE id = ? '; $aParams = array($oSrcFolder->getId());
@@ -501,18 +501,18 @@ class KTFolderUtil { return $res; } $aRemainingFolders = Folder::getList(array('parent_id = ?', array($oSrcFolder->getId())), array('ids' => true)); - - + + while (!empty($aRemainingFolders)) { $iFolderId = array_pop($aRemainingFolders); - + $aParams = array($iFolderId); $aRow = DBUtil::getOneResult(array($sGetQuery, $aParams)); unset($aRow['id']); - + // since we are nested, we will have solved the parent first. - $aRow['parent_id'] = $aFolderMap[$aRow['parent_id']]; - + $aRow['parent_id'] = $aFolderMap[$aRow['parent_id']]; + $id = DBUtil::autoInsert($sTable, $aRow); if (PEAR::isError($id)) { $oStorage->removeFolder($oNewBaseFolder);
@@ -520,7 +520,7 @@ class KTFolderUtil { return $id; } $aFolderMap[$iFolderId] = $id; - + $oNewFolder = Folder::get($id); $res = $oStorage->createFolder($oNewFolder); if (PEAR::isError($res)) {
@@ -529,18 +529,18 @@ class KTFolderUtil { DBUtil::rollback(); return $res; } - + $aCFIds = Folder::getList(array('parent_id = ?', array($iFolderId)), array('ids' => true)); $aRemainingFolders = kt_array_merge($aRemainingFolders, $aCFIds); } - - - // var_dump($aFolderMap); - + + + // var_dump($aFolderMap); + // now we can go ahead. foreach ($aDocuments as $oDocument) { $oChildDestinationFolder = Folder::get($aFolderMap[$oDocument->getFolderID()]); -// var_dump($oDocument->getFolderID()); + // var_dump($oDocument->getFolderID()); $res = KTDocumentUtil::copy($oDocument, $oChildDestinationFolder); if (PEAR::isError($res) || ($res === false)) { $oStorage->removeFolder($oNewBaseFolder);
@@ -548,33 +548,33 @@ class KTFolderUtil { return PEAR::raiseError(_kt('Delete Aborted. Unexpected failure to copydocument: ') . $oDocument->getName() . $res->getMessage()); } } - + // and store DBUtil::commit(); - - return true; + + return true; } - + function updateSearchableText($oFolder) { - // very simple function to rebuild the searchable text for this + // very simple function to rebuild the searchable text for this // folder. - + // MyISAM table for fulltext index - no transactions. - + // get the folder text // XXX replace this with a trigger / producer set. $sSearchableText = $oFolder->getName(); - + // do the update. $iFolderId = KTUtil::getId($oFolder); $sTable = KTUtil::getTableName('folder_searchable_text'); $aDelete = array( - "folder_id" => $iFolderId, + "folder_id" => $iFolderId, ); DBUtil::whereDelete($sTable, $aDelete); $aInsert = array( - "folder_id" => $iFolderId, - "folder_text" => $sSearchableText, + "folder_id" => $iFolderId, + "folder_text" => $sSearchableText, ); return DBUtil::autoInsert($sTable, $aInsert, array('noid' => true)); }
-- 
libgit2 0.21.4