Commit Graph

1765 Commits

Author SHA1 Message Date
Mikael Nordfeldth
747fe9d59b Tidying up getUser calls to profiles and some events
getUser calls are much more strict, and one place where this was found was
in the (un)subscribe start/end event handlers, which resulted in making the
Subscription class a bit stricter, regarding ::start and ::cancel at least.
Several minor fixes in many files were made due to this.

This does NOT touch the Foreign_link function, which should also have a more
strict getUser call. That is a future project.
2013-09-09 23:03:34 +02:00
Mikael Nordfeldth
e5e3aeb4e6 newmessage (and Message class) fixed for FormAction
Also added a needLogin function to the Action class, which will do
redirect to login page with proper returnto setting.
2013-09-02 11:05:30 +02:00
Mikael Nordfeldth
79e3acf0f0 Moved multiGet into Managed_DataObject 2013-08-29 10:38:11 +02:00
Mikael Nordfeldth
b3e61ce7d0 Stronger typing, require array where param array 2013-08-29 10:27:39 +02:00
Mikael Nordfeldth
fac7371179 pivotGet moved into Managed_DataObject 2013-08-29 10:13:07 +02:00
Mikael Nordfeldth
40fe10e002 Woops, forgot auto_increment (comes with 'serial')
There are still some classes not ported (like Yammer import)
2013-08-21 15:02:44 +02:00
Mikael Nordfeldth
3a7261f70a IMPORTANT: Making prev. Memcached_DataObject working again with schemaDef
Lots of the Memcached_DataObject classes stopped working when upgraded to
Managed_DataObject because they lacked schemaDef().

I have _hopefully_ made it so that all the references to the table uses
each class' schemaDef, rather than the more manual ColumnDef stuff. Not
all plugins have been tested thoroughly yet.

NOTE: This is applied with getKV calls instead of staticGet, as it was
important for PHP Strict Standards compliance to avoid calling the non-
static functions statically. (unfortunately DB and DB_DataObject still do
this within themselves...)
2013-08-21 09:48:42 +02:00
Mikael Nordfeldth
b1465a7559 We can now do late static binding (PHP >= 5.3) 2013-08-20 09:43:51 +02:00
Mikael Nordfeldth
0785cc2469 Don't use DB_DataObject::factory (statically at least)
Not all instances of this has been fixed, but at least the ones
in the base class of Memcached_DataObject.

Avatar fix (in classes/Profile.php) requires a pkeyGet function
in the Avatar class (or as in this tree, the parent class of
Managed_DataObject)
2013-08-19 11:40:35 +02:00
Mikael Nordfeldth
97ce71e55d Managed_DataObject now has listGet for all classes 2013-08-18 21:02:33 +02:00
Mikael Nordfeldth
3ce5631b3c Memcached_DataObject::multicache is now properly defined static 2013-08-18 16:21:30 +02:00
Mikael Nordfeldth
861e838add pkeyGet is now static and more similar to getKV
Memcached_DataObject now defines
   * pkeyGetClass to avoid collision with Managed_DataObject pkeyGet
   * getClassKV to avoid collision with Managed_DataObject getKV
2013-08-18 15:42:51 +02:00
Mikael Nordfeldth
2a4dc77a63 The overloaded DB_DataObject function staticGet is now called getKV
I used this hacky sed-command (run it from your GNU Social root, or change the first grep's path to where it actually lies) to do a rough fix on all ::staticGet calls and rename them to ::getKV

   sed -i -s -e '/DataObject::staticGet/I!s/::staticGet/::getKV/Ig' $(grep -R ::staticGet `pwd`/* | grep -v -e '^extlib' | grep -v DataObject:: |grep -v "function staticGet"|cut -d: -f1 |sort |uniq)

If you're applying this, remember to change the Managed_DataObject and Memcached_DataObject function definitions of staticGet to getKV!

This might of course take some getting used to, or modification fo StatusNet plugins, but the result is that all the static calls (to staticGet) are now properly made without breaking PHP Strict Standards. Standards are there to be followed (and they caused some very bad confusion when used with get_called_class)

Reasonably any plugin or code that tests for the definition of 'GNUSOCIAL' or similar will take this change into consideration.
2013-08-18 13:13:56 +02:00
Mikael Nordfeldth
e95f77d34c Updating all Memcached_DataObject extended classes to Managed_DataObject
In some brief tests, this causes no problems.

In this state however, you would need to modify DB_DataObject to have a static declaration of staticget (and probably pkeyGet). The next commit will change the staticGet overload to a unique function name (like getKV for getKeyValue), which means we can properly call the function by PHP Strict Standards.
2013-08-18 12:32:32 +02:00
Mikael Nordfeldth
1a9a8ea730 staticGet for sub-Managed_DataObject classes now calls parent
The parent class for our database objects, Managed_DataObject, has a
dynamically assigned class in staticGet which objects get put into,
leaving us with less code to do the same thing.

We will probably have to move away from the DB_DataObject 'staticGet'
call as it is nowadays deprecated.
2013-08-12 19:46:44 +02:00
Mikael Nordfeldth
d115cddfb7 Managed_DataObject gets dynamic class detection for staticGet
Compatibility: get_called_class is implemented in PHP >= 5.3.0
2013-08-12 19:12:13 +02:00
Mikael Nordfeldth
3394efca60 staticGet is a static function
We always call staticGet statically, so we define it statically. Next
step is to remove a bunch of definitions of 'staticGet' from classes
that can instead fall back to a parent class in Managed_DataObject.

The ampersand is removed as we're returning a class anyway, which does
not need a reference (and when we return false, it means nothing).
2013-08-12 19:08:11 +02:00
Mikael Nordfeldth
794163c31f Default to NOT ask for current location for new users
It may be a bad experience for new users to immediately when trying
out the service be asked for their geographical position. Instead,
let them opt-in for this behaviour.
2013-08-12 14:40:55 +02:00
Mikael Nordfeldth
bd60ab2e05 fix typo on provider_url 2013-08-12 13:01:47 +02:00
Mikael Nordfeldth
56cfd2bf22 comparing a url scheme should be done case insensitively 2013-08-12 12:52:50 +02:00
Mikael Nordfeldth
f433f7ce77 if parameters are not 0, null then limit will be PROFILES_PER_PAGE
If you look at classes/User_group.php on line 412 in the current code, you can see that a call to $profile->getGroups() is made. This implies getGroups($offset=0, $limit=PROFILES_PER_PAGE) only giving a limited amount of groups.

This means only the first 20 groups in an ascending numerical order by locally stored User_group->id will be addressable with the bangtag syntax.

I solved this by making the getGroups() call to the same one made in Profile->isMember(), i.e. $profile->getGroups(0, null);
2013-08-12 12:50:23 +02:00
Evan Prodromou
3fc1d245a1 Merge 1.1.x into master 2013-07-16 10:57:06 -07:00
Joshua Wise
89ba820246 Escape argument to prevent SQL injection attack in
User::getTaggedSubscriptions()

This change escapes the $tag argument to prevent a SQL injection
attack in User::getTaggedSubscriptions(). The parameter was not
escaped higher up the stack, so this vulnerability could be exploited.
2013-07-16 10:47:29 -07:00
Joshua Wise
4a30da924a Escape argument to User::getTaggedSubscribers() to preven SQL injection
This change escapes the argument to User::getTaggedSubscribers() to
prevent SQL injection attacks.

Both code paths up the stack fail to escape this parameter, so this is
a potential SQL injection attack.
2013-07-16 10:43:56 -07:00
Joshua Wise
e54cb6958a Escape query parameters in Profile_tag::getTagged()
This patch escapes query parameters in Profile_tag::getTagged(). This
is an extra security step; since these parameters come out of the
database, it's unlikely that they would have dangerous data in them.
2013-07-16 10:35:44 -07:00
Joshua Wise
5b118b3781 Escape SQL parameter in Profile_tag::moveTag()
This change adds additional escapes for arguments to
Profile_tag::moveTag(). The arguments are canonicalized in the API and
Web UI paths higher up the stack, but this change makes sure that no
other paths can introduce SQL injection errors.
2013-07-16 10:27:30 -07:00
Joshua Wise
c5a710e081 Escape $tag passed to Profile::getTaggedSubscribers()
This patch escapes the $tag parameter in
Profile::getTaggedSubscribers(). The parameter is not escaped either
in actions/subscriptions.php or in actions/apiuserfollowers.php. So
there is a potential for SQL injection here.
2013-07-16 10:14:38 -07:00
Joshua Wise
3fb2c06cba Potential SQL injection in Local_group::setNickname()
This change escapes a parameter in Local_group::setNickname(). Review
of the code paths that call this function sanitize the parameter
higher up the stack, but it's escaped here to prevent mistakes later.

Note that nickname parameters are normally alphanum strings, so
there's not much danger in double-escaping them.
2013-07-16 10:11:26 -07:00
Joshua Wise
783e400d94 Potential SQL injection in Local_group::setNickname()
This change escapes a parameter in Local_group::setNickname(). Review
of the code paths that call this function sanitize the parameter
higher up the stack, but it's escaped here to prevent mistakes later.

Note that nickname parameters are normally alphanum strings, so
there's not much danger in double-escaping them.
2013-07-16 10:09:16 -07:00
Evan Prodromou
e502bba259 Slightly more robust group-membership conversion 2013-06-30 12:07:55 -04:00
Evan Prodromou
8cc4660bd9 Better ID for notice activity 2013-06-15 12:07:52 -04:00
Evan Prodromou
7a5bd495c5 Better ID for notice activity 2013-06-15 12:07:34 -04:00
Evan Prodromou
bb0cf686df Pass null to Profile::profileInfo() 2013-06-08 21:12:29 -04:00
Evan Prodromou
806f7d439a Bad variable in Message::asActivity() 2013-06-08 21:07:51 -04:00
Evan Prodromou
f189d0b438 Bad variable in Message::asActivity() 2013-06-08 21:04:51 -04:00
Evan Prodromou
96d7b68c50 Store direct messages as an activity 2013-06-08 17:54:27 -04:00
Evan Prodromou
9fd2c3e1c9 Store direct messages as an activity 2013-06-08 17:45:49 -04:00
Evan Prodromou
14a111189d Merge remote-tracking branch 'origin/master' 2013-06-08 14:57:20 -04:00
Evan Prodromou
2252a9ffaf Throw exception if subscription is invalid 2013-06-08 14:56:57 -04:00
Evan Prodromou
08eca420ca Add generator to JSON output 2013-06-07 11:35:06 -04:00
Evan Prodromou
fe2c0a9687 Add generator to JSON output 2013-06-07 11:34:54 -04:00
Evan Prodromou
25823f6e5b Some better context for notices as arrays 2013-06-07 03:11:33 -04:00
Evan Prodromou
6164940e8c Some better context for notices as arrays 2013-06-07 03:11:23 -04:00
Evan Prodromou
7229533b0f Use real attachments for JSON output 2013-06-05 09:39:43 -04:00
Evan Prodromou
772383e84b Use real attachments for JSON output 2013-06-05 09:39:13 -04:00
Evan Prodromou
15d466ebe6 Don't add content as title for notes 2013-06-04 19:53:07 -04:00
Evan Prodromou
736bc9cc96 Don't add content as title for notes 2013-06-04 19:52:38 -04:00
Evan Prodromou
b493f3839c Use better type, title for service 2013-06-04 16:31:17 -04:00
Evan Prodromou
08c72a00e8 Use better type, title for service 2013-06-04 16:30:40 -04:00
Evan Prodromou
04f6e4ce7b Better registrationActivity 2013-06-04 15:21:33 -04:00