Peter M. Groen / knowledgetree

Commit b517ab57cdd411eadfd4e9d0b23dea84d8aeba8b

Authored by conradverm
1 parent 02e4b1bb

WSA-51 

"Check that folder and name lookup are sanitized when performing lookup so there are no database errors"
Fixed.

WSA-50
"KTAPIFolder::_get_folder_by_name should be called as a static method"
Fixed.

Committed By: Conrad Vermeulen
Reviewed By: Kevin Fourie


git-svn-id: https://kt-dms.svn.sourceforge.net/svnroot/kt-dms/trunk@7649 c91229c3-7414-0410-bfa2-8a42b809f60b
Inline Side-by-side
Showing 1 changed file with 53 additions and 36 deletions
ktapi/KTAPIFolder.inc.php
  View file @b517ab5
@@ -5,32 +5,32 @@ @@ -5,32 +5,32 @@
5 * KnowledgeTree Open Source Edition 5 * KnowledgeTree Open Source Edition
6 * Document Management Made Simple 6 * Document Management Made Simple
7 * Copyright (C) 2004 - 2007 The Jam Warehouse Software (Pty) Limited 7 * Copyright (C) 2004 - 2007 The Jam Warehouse Software (Pty) Limited
8 - * 8 + *
9 * This program is free software; you can redistribute it and/or modify it under 9 * This program is free software; you can redistribute it and/or modify it under
10 * the terms of the GNU General Public License version 3 as published by the 10 * the terms of the GNU General Public License version 3 as published by the
11 * Free Software Foundation. 11 * Free Software Foundation.
12 - * 12 + *
13 * This program is distributed in the hope that it will be useful, but WITHOUT 13 * This program is distributed in the hope that it will be useful, but WITHOUT
14 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS 14 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
15 * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more 15 * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
16 * details. 16 * details.
17 - * 17 + *
18 * You should have received a copy of the GNU General Public License 18 * You should have received a copy of the GNU General Public License
19 * along with this program. If not, see <http://www.gnu.org/licenses/>. 19 * along with this program. If not, see <http://www.gnu.org/licenses/>.
20 - * 20 + *
21 * You can contact The Jam Warehouse Software (Pty) Limited, Unit 1, Tramber Place, 21 * You can contact The Jam Warehouse Software (Pty) Limited, Unit 1, Tramber Place,
22 * Blake Street, Observatory, 7925 South Africa. or email info@knowledgetree.com. 22 * Blake Street, Observatory, 7925 South Africa. or email info@knowledgetree.com.
23 - * 23 + *
24 * The interactive user interfaces in modified source and object code versions 24 * The interactive user interfaces in modified source and object code versions
25 * of this program must display Appropriate Legal Notices, as required under 25 * of this program must display Appropriate Legal Notices, as required under
26 * Section 5 of the GNU General Public License version 3. 26 * Section 5 of the GNU General Public License version 3.
27 - * 27 + *
28 * In accordance with Section 7(b) of the GNU General Public License version 3, 28 * In accordance with Section 7(b) of the GNU General Public License version 3,
29 * these Appropriate Legal Notices must retain the display of the "Powered by 29 * these Appropriate Legal Notices must retain the display of the "Powered by
30 - * KnowledgeTree" logo and retain the original copyright notice. If the display of the 30 + * KnowledgeTree" logo and retain the original copyright notice. If the display of the
31 * logo is not reasonably feasible for technical reasons, the Appropriate Legal Notices 31 * logo is not reasonably feasible for technical reasons, the Appropriate Legal Notices
32 - * must display the words "Powered by KnowledgeTree" and retain the original  
33 - * copyright notice. 32 + * must display the words "Powered by KnowledgeTree" and retain the original
  33 + * copyright notice.
34 * Contributor( s): ______________________________________ 34 * Contributor( s): ______________________________________
35 * 35 *
36 */ 36 */
@@ -61,7 +61,7 @@ class KTAPI_Folder extends KTAPI_FolderItem @@ -61,7 +61,7 @@ class KTAPI_Folder extends KTAPI_FolderItem
61 * @param int $folderid 61 * @param int $folderid
62 * @return KTAPI_Folder 62 * @return KTAPI_Folder
63 */ 63 */
64 - function &get(&$ktapi, $folderid) 64 + public static function &get(&$ktapi, $folderid)
65 { 65 {
66 assert(!is_null($ktapi)); 66 assert(!is_null($ktapi));
67 assert(is_a($ktapi, 'KTAPI')); 67 assert(is_a($ktapi, 'KTAPI'));
@@ -93,7 +93,7 @@ class KTAPI_Folder extends KTAPI_FolderItem @@ -93,7 +93,7 @@ class KTAPI_Folder extends KTAPI_FolderItem
93 * @param Folder $folder 93 * @param Folder $folder
94 * @return KTAPI_Folder 94 * @return KTAPI_Folder
95 */ 95 */
96 - function KTAPI_Folder(&$ktapi, &$folder) 96 + public function KTAPI_Folder(&$ktapi, &$folder)
97 { 97 {
98 $this->ktapi = &$ktapi; 98 $this->ktapi = &$ktapi;
99 $this->folder = &$folder; 99 $this->folder = &$folder;
@@ -106,7 +106,7 @@ class KTAPI_Folder extends KTAPI_FolderItem @@ -106,7 +106,7 @@ class KTAPI_Folder extends KTAPI_FolderItem
106 * @access protected 106 * @access protected
107 * @return Folder 107 * @return Folder
108 */ 108 */
109 - function &get_folder() 109 + public function &get_folder()
110 { 110 {
111 return $this->folder; 111 return $this->folder;
112 } 112 }
@@ -117,7 +117,7 @@ class KTAPI_Folder extends KTAPI_FolderItem @@ -117,7 +117,7 @@ class KTAPI_Folder extends KTAPI_FolderItem
117 * 117 *
118 * @return array 118 * @return array
119 */ 119 */
120 - function get_detail() 120 + public function get_detail()
121 { 121 {
122 $detail = array( 122 $detail = array(
123 'id'=>(int) $this->folderid, 123 'id'=>(int) $this->folderid,
@@ -129,12 +129,12 @@ class KTAPI_Folder extends KTAPI_FolderItem @@ -129,12 +129,12 @@ class KTAPI_Folder extends KTAPI_FolderItem
129 return $detail; 129 return $detail;
130 } 130 }
131 131
132 - function get_parent_folder_id() 132 + public function get_parent_folder_id()
133 { 133 {
134 return (int) $this->folder->getParentID(); 134 return (int) $this->folder->getParentID();
135 } 135 }
136 136
137 - function get_folder_name() 137 + public function get_folder_name()
138 { 138 {
139 return $this->folder->getFolderName($this->folderid); 139 return $this->folder->getFolderName($this->folderid);
140 } 140 }
@@ -145,12 +145,12 @@ class KTAPI_Folder extends KTAPI_FolderItem @@ -145,12 +145,12 @@ class KTAPI_Folder extends KTAPI_FolderItem
145 * 145 *
146 * @return int 146 * @return int
147 */ 147 */
148 - function get_folderid() 148 + public function get_folderid()
149 { 149 {
150 return (int) $this->folderid; 150 return (int) $this->folderid;
151 } 151 }
152 152
153 - function &_get_folder_by_name($foldername, $folderid) 153 + public static function &_get_folder_by_name($ktapi, $foldername, $folderid)
154 { 154 {
155 $foldername=trim($foldername); 155 $foldername=trim($foldername);
156 if (empty($foldername)) 156 if (empty($foldername))
@@ -166,7 +166,10 @@ class KTAPI_Folder extends KTAPI_FolderItem @@ -166,7 +166,10 @@ class KTAPI_Folder extends KTAPI_FolderItem
166 { 166 {
167 continue; 167 continue;
168 } 168 }
169 - $sql = "SELECT id FROM folders WHERE name='$foldername' and parent_id=$folderid"; 169 + $foldername = sanitizeForSQL($foldername);
  170 + $sql = "SELECT id FROM folders WHERE
  171 + (name='$foldername' and parent_id=$folderid) OR
  172 + (name='$foldername' and parent_id is null and $folderid=1)";
170 $row = DBUtil::getOneResult($sql); 173 $row = DBUtil::getOneResult($sql);
171 if (is_null($row) || PEAR::isError($row)) 174 if (is_null($row) || PEAR::isError($row))
172 { 175 {
@@ -175,7 +178,7 @@ class KTAPI_Folder extends KTAPI_FolderItem @@ -175,7 +178,7 @@ class KTAPI_Folder extends KTAPI_FolderItem
175 $folderid = $row['id']; 178 $folderid = $row['id'];
176 } 179 }
177 180
178 - return KTAPI_Folder::get($this->ktapi, $folderid); 181 + return KTAPI_Folder::get($ktapi, $folderid);
179 } 182 }
180 183
181 184
@@ -186,12 +189,12 @@ class KTAPI_Folder extends KTAPI_FolderItem @@ -186,12 +189,12 @@ class KTAPI_Folder extends KTAPI_FolderItem
186 * @param string $foldername 189 * @param string $foldername
187 * @return KTAPI_Folder 190 * @return KTAPI_Folder
188 */ 191 */
189 - function &get_folder_by_name($foldername) 192 + public function &get_folder_by_name($foldername)
190 { 193 {
191 - return KTAPI_Folder::_get_folder_by_name($foldername, $this->folderid); 194 + return KTAPI_Folder::_get_folder_by_name($this->ktapi, $foldername, $this->folderid);
192 } 195 }
193 196
194 - function get_full_path() 197 + public function get_full_path()
195 { 198 {
196 $path = $this->folder->getFullPath() . '/' . $this->folder->getName(); 199 $path = $this->folder->getFullPath() . '/' . $this->folder->getName();
197 200
@@ -206,7 +209,7 @@ class KTAPI_Folder extends KTAPI_FolderItem @@ -206,7 +209,7 @@ class KTAPI_Folder extends KTAPI_FolderItem
206 * @param string $function 209 * @param string $function
207 * @return KTAPI_Document 210 * @return KTAPI_Document
208 */ 211 */
209 - function &_get_document_by_name($documentname, $function='getByNameAndFolder') 212 + public function &_get_document_by_name($documentname, $function='getByNameAndFolder')
210 { 213 {
211 $documentname=trim($documentname); 214 $documentname=trim($documentname);
212 if (empty($documentname)) 215 if (empty($documentname))
@@ -224,6 +227,21 @@ class KTAPI_Folder extends KTAPI_FolderItem @@ -224,6 +227,21 @@ class KTAPI_Folder extends KTAPI_FolderItem
224 $ktapi_folder = $this->get_folder_by_name($foldername); 227 $ktapi_folder = $this->get_folder_by_name($foldername);
225 } 228 }
226 229
  230 + $currentFolderName = $this->get_folder_name();
  231 +
  232 + if (PEAR::isError($ktapi_folder) && substr($foldername, 0, strlen($currentFolderName)) == $currentFolderName)
  233 + {
  234 + if ($currentFolderName == $foldername)
  235 + {
  236 + $ktapi_folder = $this;
  237 + }
  238 + else
  239 + {
  240 + $foldername = substr($foldername, strlen($currentFolderName)+1);
  241 + $ktapi_folder = $this->get_folder_by_name($foldername);
  242 + }
  243 + }
  244 +
227 if (is_null($ktapi_folder) || PEAR::isError($ktapi_folder)) 245 if (is_null($ktapi_folder) || PEAR::isError($ktapi_folder))
228 { 246 {
229 return new KTAPI_Error(KTAPI_ERROR_FOLDER_INVALID, $ktapi_folder); 247 return new KTAPI_Error(KTAPI_ERROR_FOLDER_INVALID, $ktapi_folder);
@@ -254,7 +272,7 @@ class KTAPI_Folder extends KTAPI_FolderItem @@ -254,7 +272,7 @@ class KTAPI_Folder extends KTAPI_FolderItem
254 * @param string $documentname 272 * @param string $documentname
255 * @return KTAPI_Document 273 * @return KTAPI_Document
256 */ 274 */
257 - function &get_document_by_name($documentname) 275 + public function &get_document_by_name($documentname)
258 { 276 {
259 return $this->_get_document_by_name($documentname,'getByNameAndFolder'); 277 return $this->_get_document_by_name($documentname,'getByNameAndFolder');
260 } 278 }
@@ -266,12 +284,12 @@ class KTAPI_Folder extends KTAPI_FolderItem @@ -266,12 +284,12 @@ class KTAPI_Folder extends KTAPI_FolderItem
266 * @param string $documentname 284 * @param string $documentname
267 * @return KTAPI_Document 285 * @return KTAPI_Document
268 */ 286 */
269 - function &get_document_by_filename($documentname) 287 + public function &get_document_by_filename($documentname)
270 { 288 {
271 return $this->_get_document_by_name($documentname,'getByFilenameAndFolder'); 289 return $this->_get_document_by_name($documentname,'getByFilenameAndFolder');
272 } 290 }
273 291
274 - function _resolve_user($userid) 292 + public function _resolve_user($userid)
275 { 293 {
276 $user=null; 294 $user=null;
277 295
@@ -286,8 +304,7 @@ class KTAPI_Folder extends KTAPI_FolderItem @@ -286,8 +304,7 @@ class KTAPI_Folder extends KTAPI_FolderItem
286 return $user; 304 return $user;
287 } 305 }
288 306
289 -  
290 - function get_listing($depth=1, $what='DF') 307 + public function get_listing($depth=1, $what='DF')
291 { 308 {
292 if ($depth < 1) 309 if ($depth < 1)
293 { 310 {
@@ -439,7 +456,7 @@ class KTAPI_Folder extends KTAPI_FolderItem @@ -439,7 +456,7 @@ class KTAPI_Folder extends KTAPI_FolderItem
439 * @param string $tempfilename This is a reference to the file that is accessible locally on the file system. 456 * @param string $tempfilename This is a reference to the file that is accessible locally on the file system.
440 * @return KTAPI_Document 457 * @return KTAPI_Document
441 */ 458 */
442 - function &add_document($title, $filename, $documenttype, $tempfilename) 459 + public function &add_document($title, $filename, $documenttype, $tempfilename)
443 { 460 {
444 if (!is_file($tempfilename)) 461 if (!is_file($tempfilename))
445 { 462 {
@@ -497,7 +514,7 @@ class KTAPI_Folder extends KTAPI_FolderItem @@ -497,7 +514,7 @@ class KTAPI_Folder extends KTAPI_FolderItem
497 * @param string $foldername 514 * @param string $foldername
498 * @return KTAPI_Folder 515 * @return KTAPI_Folder
499 */ 516 */
500 - function &add_folder($foldername) 517 + public function &add_folder($foldername)
501 { 518 {
502 $user = $this->can_user_access_object_requiring_permission($this->folder, KTAPI_PERMISSION_ADD_FOLDER); 519 $user = $this->can_user_access_object_requiring_permission($this->folder, KTAPI_PERMISSION_ADD_FOLDER);
503 520
@@ -525,7 +542,7 @@ class KTAPI_Folder extends KTAPI_FolderItem @@ -525,7 +542,7 @@ class KTAPI_Folder extends KTAPI_FolderItem
525 * 542 *
526 * @param string $reason 543 * @param string $reason
527 */ 544 */
528 - function delete($reason) 545 + public function delete($reason)
529 { 546 {
530 $user = $this->can_user_access_object_requiring_permission($this->folder, KTAPI_PERMISSION_DELETE); 547 $user = $this->can_user_access_object_requiring_permission($this->folder, KTAPI_PERMISSION_DELETE);
531 if (PEAR::isError($user)) 548 if (PEAR::isError($user))
@@ -554,7 +571,7 @@ class KTAPI_Folder extends KTAPI_FolderItem @@ -554,7 +571,7 @@ class KTAPI_Folder extends KTAPI_FolderItem
554 * 571 *
555 * @param string $newname 572 * @param string $newname
556 */ 573 */
557 - function rename($newname) 574 + public function rename($newname)
558 { 575 {
559 $user = $this->can_user_access_object_requiring_permission($this->folder, KTAPI_PERMISSION_RENAME_FOLDER); 576 $user = $this->can_user_access_object_requiring_permission($this->folder, KTAPI_PERMISSION_RENAME_FOLDER);
560 if (PEAR::isError($user)) 577 if (PEAR::isError($user))
@@ -579,7 +596,7 @@ class KTAPI_Folder extends KTAPI_FolderItem @@ -579,7 +596,7 @@ class KTAPI_Folder extends KTAPI_FolderItem
579 * @param KTAPI_Folder $ktapi_target_folder 596 * @param KTAPI_Folder $ktapi_target_folder
580 * @param string $reason 597 * @param string $reason
581 */ 598 */
582 - function move($ktapi_target_folder, $reason='') 599 + public function move($ktapi_target_folder, $reason='')
583 { 600 {
584 assert(!is_null($ktapi_target_folder)); 601 assert(!is_null($ktapi_target_folder));
585 assert(is_a($ktapi_target_folder,'KTAPI_Folder')); 602 assert(is_a($ktapi_target_folder,'KTAPI_Folder'));
@@ -611,7 +628,7 @@ class KTAPI_Folder extends KTAPI_FolderItem @@ -611,7 +628,7 @@ class KTAPI_Folder extends KTAPI_FolderItem
611 * @param KTAPI_Folder $ktapi_target_folder 628 * @param KTAPI_Folder $ktapi_target_folder
612 * @param string $reason 629 * @param string $reason
613 */ 630 */
614 - function copy($ktapi_target_folder, $reason='') 631 + public function copy($ktapi_target_folder, $reason='')
615 { 632 {
616 assert(!is_null($ktapi_target_folder)); 633 assert(!is_null($ktapi_target_folder));
617 assert(is_a($ktapi_target_folder,'KTAPI_Folder')); 634 assert(is_a($ktapi_target_folder,'KTAPI_Folder'));
@@ -644,7 +661,7 @@ class KTAPI_Folder extends KTAPI_FolderItem @@ -644,7 +661,7 @@ class KTAPI_Folder extends KTAPI_FolderItem
644 * @access public 661 * @access public
645 * @return array 662 * @return array
646 */ 663 */
647 - function get_permissions() 664 + public function get_permissions()
648 { 665 {
649 return new PEAR_Error('TODO'); 666 return new PEAR_Error('TODO');
650 } 667 }
@@ -655,7 +672,7 @@ class KTAPI_Folder extends KTAPI_FolderItem @@ -655,7 +672,7 @@ class KTAPI_Folder extends KTAPI_FolderItem
655 * @access public 672 * @access public
656 * @return array 673 * @return array
657 */ 674 */
658 - function get_transaction_history() 675 + public function get_transaction_history()
659 { 676 {
660 return new PEAR_Error('TODO'); 677 return new PEAR_Error('TODO');
661 } 678 }