EONE-20 (Bug)

2025-08-02 20:57:26 +02:00 · 2010-03-11 11:56:23 +00:00
parent 6a3c400f54
commit 868ec3466e
3 changed files with 133 additions and 95 deletions
--- a/e107_admin/userclass2.php
+++ b/e107_admin/userclass2.php
@@ -2,16 +2,14 @@
 /*
 * e107 website system
 *
- * Copyright (C) 2008-2009 e107 Inc (e107.org)
+ * Copyright (C) 2008-2010 e107 Inc (e107.org)
 * Released under the terms and conditions of the
 * GNU General Public License (http://www.gnu.org/licenses/gpl.txt)
 *
 * Administration Area - User classes
 *
- * $Source: /cvs_backup/e107_0.8/e107_admin/userclass2.php,v $
+ * $URL$
- * $Revision$
+ * $Id$
 * $Date$
 * $Author$
 *
 */
@@ -49,42 +47,52 @@ $uc = new uclass_manager;
 $message = '';
 /**
 * @todo user_class::isEditableClass() thinks public (0) is editable?!
 * @param integer $class_id
 * @param boolean $redirect
 * @return boolean
 */
 function check_allowed($class_id, $redirect = true)
 {
-	$e107 = e107::getInstance();
+	$uc = e107::getUserClass();
-	if (!isset($e107->user_class->class_tree[$class_id]))
+	if (!isset($uc->class_tree[$class_id]) || (!getperms('0') && !check_class($uc->class_tree[$class_id]['userclass_editclass'])))
 	{
 		if(!$redirect) return false;
 		header('location:'.SITEURL);
 		exit;
 	}
-	if (!getperms('0') && !check_class($e107->user_class->class_tree[$class_id]['userclass_editclass']))
+
 	// fix public (0) case here for now
 	if(!$class_id || !$uc->isEditableClass($class_id))
 	{
 		if(!$redirect) return false;
-		header("location:".SITEURL);
+		e107::getMessage()->addSession('You can\'t edit system user classes!', E_MESSAGE_ERROR);
 		header('location:'.e_SELF);
 		exit;
 	}
 	return true;
 }
 if (e_QUERY)
 {
-  $uc_qs = explode(".", e_QUERY);
+	// BC - SO MUCH BAD, never do this at home!!!
 	if(isset($_GET['action']))
 	{
 		$uc_qs = array($_GET['action'], $_GET['id']);
 	}
   else $uc_qs = explode(".", e_QUERY);
 }
 $action = varset($uc_qs[0]);
 $params = varset($uc_qs[1],'');
 e107::setRegistry('pageParams', $uc_qs);
 //AJAX request check is already  made by the API
 if(e_AJAX_REQUEST)
 {
-    $class_num = intval(varset($uc_qs[2],0));
+    $class_num = intval($params);
-	if(!$class_num && isset($_POST['edit']))
+	if ($action == 'edit')
 	{
 	  $params = 'edit';
 	  $class_num = intval(varset($_POST['existing'],0));
 	}
 	if ($params == 'edit')
 	{
 	    require_once(e_HANDLER.'js_helper.php');
 	    $jshelper = new e_jshelper();
@@ -93,7 +101,7 @@ if(e_AJAX_REQUEST)
 			//This will raise an error
 			//'Access denied' is the message which will be thrown
 			//by the JS AJAX handler
-			e_jshelper::sendAjaxError('403', 'Access denied. Form update failed!');
+			e_jshelper::sendAjaxError('403', 'Access denied. '.UCSLAN_90);
 		}
 		elseif($sql->db_Select('userclass_classes', '*', "userclass_id='".$class_num."' "))
 		{
@@ -121,24 +129,18 @@ if(e_AJAX_REQUEST)
 				$jshelper->addResponseAction('element-invoke-by-id', array('hide' => 'userclass_type_groups', 'show' => 'userclass_type_standard'));
 			}
 			unset($row['userclass_accum']);
 			$row['createclass'] = UCSLAN_14; //update the submit button value
 			$row['existing'] = $class_num; //required when user tree is clicked
 			//icon
 			$row['iconview'] = $row['userclass_icon'] ? e_IMAGE_ABS.'userclasses/'.$row['userclass_icon'] : e_IMAGE_ABS."generic/blank.gif";
 			$row['uc_icon_select'] = $row['userclass_icon']; //icons select box
 			//Send the prefered response type
 			//$jshelper->sendJSONResponse('fill-form', $row);
 			$jshelper->addResponseAction('fill-form', $row);
 			$jshelper->sendResponse('XML');
 			// $jshelper->sendResponse('JSON'); - another option (tested) - faster transfer!
 		}
 		else
 		{
 			e_jshelper::sendAjaxError('500', 'Database read error!');
 		}
 		exit;
 	}
 	exit;
 }
 /*
@@ -342,7 +344,7 @@ if(!e_QUERY || $action == 'list')
 	$uc->show_existing();
 }
-if(varset($_GET['id']) && varset($_GET['action'])=='edit')
+if(isset($_GET['id']) && $_GET['action'] == 'edit')
 {
 	$action = 'config';
    $_POST['existing'] = $_GET['id'];
@@ -494,10 +496,6 @@ if($params == 'edit')
 //	$text .= "&nbsp;&nbsp;<input class='button' type='submit' id='updatecancel' name='updatecancel' value='".LAN_CANCEL."' />";
 	$text .= "
 		<input type='hidden' name='userclass_id' value='{$userclass_id}' />
 	    <script type='text/javascript'>
 	        //just in case...
 	        \$('updatecancel').show();
 	    </script>
 		";
 }
 else
@@ -809,12 +807,13 @@ function userclass2_adminlog($msg_num='00', $woffle='')
 function userclass2_adminmenu()
 {
 	$tmp  = array();
 	if (e_QUERY)
 	{
 		$tmp = explode(".", e_QUERY);
 //	$action = $tmp[0];
 	}
-  $action = varsettrue($tmp[0],'list');
+	$action = vartrue($tmp[0],'list');
 	if(isset($_GET['action']) && 'edit' == $_GET['action']) $action = 'config';
 	$var['list']['text'] = LAN_MANAGE;
 	$var['list']['link'] = 'userclass2.php';
@@ -935,6 +934,7 @@ require_once('footer.php');
 function headerjs()
 {
 	$params  = e107::getRegistry('pageParams');
   /*
 	* e107Ajax.fillForm demonstration
 	* Open Firebug console for Ajax transaction details
@@ -942,8 +942,34 @@ function headerjs()
 	*/
 	$script_js = "<script type=\"text/javascript\">
 		//<![CDATA[
 	";
-			//Click observer
+	// Edit mode only
 	if($params[0] == 'edit')
 	{
 		$script_js .= "
 				e107.runOnLoad( function() {
 		            document.observe('click', (function(event){
 		                var target = event.findElement('a.userclass_edit');
 		                if (target) {
 		                    event.stop();
 		                    // non-editable user class
 		                    if('#' == target.readAttribute('href')) return;
 		                    //If link is clicked use it's href as a target
 		    				$('classForm').fillForm($(document.body), { handler: target.readAttribute('href') });
 		                }
 		            }));
 	            });
 	    		//Observe fillForm errors
 	    		e107Event.register('ajax_fillForm_error', function(transport) {
 	    			//memo.error object contains the error message
 	    			//error handling will be extended in the near future
 					alert(transport.memo.error.message);
 	    		});
 				/*//Click observer
 	            document.observe('click', (function(event){
 	                var target = (event.findElement('a.userclass_edit') || event.findElement('input#edit'));
 	                if (target) {
@@ -967,10 +993,11 @@ function headerjs()
 	    			//memo.error object contains the error message
 	    			//error handling will be extended in the near future
 					alert(transport.memo.error.message);
-    		});
+	    		});*/
-
+		";
-
+	}
 	$script_js .= "
 function setGroupStatus(dropdown)
 {
 	var temp1 = document.getElementById('userclass_type_standard');
@@ -990,12 +1017,11 @@ function setGroupStatus(dropdown)
 	//]]>
 	</script>\n";
-  if (!e_QUERY) return $script_js;
+
-  $qs = explode('.',e_QUERY);
+  if ($params[0] != 'membs') return $script_js;
  if ($qs[0] != 'membs') return $script_js;
 // We only want this JS on the class membership selection page
-
+// XXX memebs action is deprecated now, remove this script?
 	$script_js .= "<script type=\"text/javascript\">
 		//<![CDATA[
 // Inspiration (and some of the code) from a script by Sean Geraty -  Web Site:  http://www.freewebs.com/sean_geraty/
--- a/e107_handlers/userclass_class.php
+++ b/e107_handlers/userclass_class.php
@@ -8,10 +8,8 @@
 *
 * User class functions
 *
- * $Source: /cvs_backup/e107_0.8/e107_handlers/userclass_class.php,v $
+ * $URL$
- * $Revision$
+ * $Id$
 * $Date$
 * $Author$
 */
 /**
@@ -49,7 +47,7 @@ define('e_UC_BOTS',246);					// Reserved to identify search bots
 define('e_UC_SPECIAL_BASE',243);			// Assign class IDs 243 and above for fixed/special purposes
 define('e_UC_SPECIAL_END',255);				// Highest 'special' class
-define('UC_ICON_DIR',e_IMAGE.'generic/');		// Directory for the icons used in the admin tree displays
+define('UC_ICON_DIR',e_IMAGE_ABS.'generic/');		// Directory for the icons used in the admin tree displays
 define('e_UC_BLANK','-1');
 define('UC_TYPE_STD', '0');
@@ -57,9 +55,10 @@ define('UC_TYPE_GROUP', '1');
 define('UC_CACHE_TAG', 'nomd5_classtree');
 // FIXME - get rid of deprecated 'var' declarations, decide what should be public and what protected
 class user_class
 {
-	var $class_tree;					// Simple array, filled with current tree. Additional field class_children is an array of child user classes (by ID)
+	public $class_tree;					// Simple array, filled with current tree. Additional field class_children is an array of child user classes (by ID)
 	var $class_parents;					// Array of class IDs of 'parent' (i.e. top level) classes
 	var  $fixed_classes = array();		// The 'predefined' core classes (constants beginning 'e_UC_')
@@ -1187,7 +1186,18 @@ class user_class_admin extends user_class
 		if ($this->graph_debug) $name_line .= "[vis:".$this->class_tree[$listnum]['userclass_visibility'].", edit:".$this->class_tree[$listnum]['userclass_editclass']."] = ".$this->class_tree[$listnum]['userclass_accum']." Children: ".implode(',',$this->class_tree[$listnum]['class_children']);
 		// Next (commented out) line gives a 'conventional' link
 		//$ret .= "<img src='".UC_ICON_DIR."topicon.png' alt='class icon' /><a style='text-decoration: none' class='userclass_edit' href='".e_ADMIN_ABS."userclass2.php?config.edit.{$this->class_tree[$listnum]['userclass_id']}'>".$name_line."</a></div>";
-		$ret .= "<img src='".UC_ICON_DIR."topicon.png' alt='class icon' /><a style='text-decoration: none' class='userclass_edit' href='".e_SELF."?action=edit&amp;id={$this->class_tree[$listnum]['userclass_id']}'>".$name_line."</a></div>";
+		if($this->isEditableClass($this->class_tree[$listnum]['userclass_id']))
 		{
 			$url = e_SELF.'?action=edit&amp;id='.$this->class_tree[$listnum]['userclass_id'];
 			$onc = '';
 		}
 		else
 		{
 			$url = '#';
 			$onc = " onclick=\"alert('".str_replace("'", "\\'", (stripslashes(UCSLAN_90)))."'); return false;\"";
 		}
 		$ret .= "<img src='".UC_ICON_DIR."topicon.png' alt='class icon' /><a style='text-decoration: none' class='userclass_edit'{$onc} href='{$url}'>".$name_line."</a></div>";
 		//$ret .= "<img src='".UC_ICON_DIR."topicon.png' alt='class icon' />
 			//<span style='cursor:pointer; vertical-align: bottom' onclick=\"javascript: document.location.href='".e_ADMIN."userclass2.php?config.edit.{$this->class_tree[$listnum]['userclass_id']}'\">".$name_line."</span></div>";
 		// vertical-align: middle doesn't work! Nor does text-top
@@ -1223,7 +1233,8 @@ class user_class_admin extends user_class
-	/** Create graphical class tree, including clickable liks to expand/contract branches.
+	/**
 	 * Create graphical class tree, including clickable links to expand/contract branches.
 	 * @param boolean $show_debug - TRUE to display additional information against each class
 	 * @return string - text for display
 	 */
@@ -1232,7 +1243,8 @@ class user_class_admin extends user_class
 		$this->graph_debug = $show_debug;
 		$indent_images = array();
-		$ret = "<div class='uclass_tree' style='height:16px'>
+		$ret = "
 		<div class='uclass_tree' style='height:16px'>
 			<img src='".UC_ICON_DIR."topicon.png' alt='class icon' style='vertical-align: bottom' />
 			<span style='top:3px'></span>
 		</div>";		// Just a generic icon here to provide a visual anchor
--- a/e107_languages/English/admin/lan_userclass2.php
+++ b/e107_languages/English/admin/lan_userclass2.php
@@ -98,7 +98,7 @@ define('UCSLAN_86', 'Some settings not allowed for admin classes - they have bee
 define('UCSLAN_87', 'Recently joined users');
 define('UCSLAN_88', 'Identified search bots');
 define('UCSLAN_89', 'Checked classes are members of the group');
-define('UCSLAN_90', '');
+define('UCSLAN_90', 'You can\'t edit system user classes!');
 define('UCSLAN_91', '');