[Pkg-drupal-commits] r1960 - in /branches/upstream/current-5: ./ includes/ modules/aggregator/ modules/block/ modules/blog/ modules/blogapi/ modules/book/ modules/color/ modules/comment/ modules/contact/ modules/drupal/ modules/filter/ modules/forum/ modules/help/ modules/legacy/ modules/locale/ modules/menu/ modules/node/ modules/path/ modules/ping/ modules/poll/ modules/profile/ modules/search/ modules/statistics/ modules/system/ modules/taxonomy/ modules/throttle/ modules/tracker/ modules/upload/ modules/user/ modules/watchdog/
luigi at users.alioth.debian.org
luigi at users.alioth.debian.org
Sun Nov 30 23:08:16 UTC 2008
Author: luigi
Date: Sun Nov 30 23:08:16 2008
New Revision: 1960
URL: http://svn.debian.org/wsvn/pkg-drupal/?sc=1&rev=1960
Log:
[svn-upgrade] Integrating new upstream version, drupal5 (5.12)
Modified:
branches/upstream/current-5/CHANGELOG.txt
branches/upstream/current-5/includes/bootstrap.inc
branches/upstream/current-5/includes/database.mysql.inc
branches/upstream/current-5/includes/database.mysqli.inc
branches/upstream/current-5/includes/database.pgsql.inc
branches/upstream/current-5/includes/file.inc
branches/upstream/current-5/includes/form.inc
branches/upstream/current-5/includes/install.inc
branches/upstream/current-5/includes/theme.inc
branches/upstream/current-5/includes/xmlrpc.inc
branches/upstream/current-5/modules/aggregator/aggregator.info
branches/upstream/current-5/modules/block/block.info
branches/upstream/current-5/modules/blog/blog.info
branches/upstream/current-5/modules/blogapi/blogapi.info
branches/upstream/current-5/modules/blogapi/blogapi.install
branches/upstream/current-5/modules/blogapi/blogapi.module
branches/upstream/current-5/modules/book/book.info
branches/upstream/current-5/modules/color/color.info
branches/upstream/current-5/modules/comment/comment.info
branches/upstream/current-5/modules/contact/contact.info
branches/upstream/current-5/modules/contact/contact.module
branches/upstream/current-5/modules/drupal/drupal.info
branches/upstream/current-5/modules/filter/filter.info
branches/upstream/current-5/modules/filter/filter.module
branches/upstream/current-5/modules/forum/forum.info
branches/upstream/current-5/modules/help/help.info
branches/upstream/current-5/modules/legacy/legacy.info
branches/upstream/current-5/modules/locale/locale.info
branches/upstream/current-5/modules/menu/menu.info
branches/upstream/current-5/modules/node/node.info
branches/upstream/current-5/modules/node/node.module
branches/upstream/current-5/modules/path/path.info
branches/upstream/current-5/modules/ping/ping.info
branches/upstream/current-5/modules/poll/poll.info
branches/upstream/current-5/modules/poll/poll.module
branches/upstream/current-5/modules/profile/profile.info
branches/upstream/current-5/modules/search/search.info
branches/upstream/current-5/modules/statistics/statistics.info
branches/upstream/current-5/modules/system/system.info
branches/upstream/current-5/modules/system/system.module
branches/upstream/current-5/modules/taxonomy/taxonomy.info
branches/upstream/current-5/modules/throttle/throttle.info
branches/upstream/current-5/modules/tracker/tracker.info
branches/upstream/current-5/modules/upload/upload.info
branches/upstream/current-5/modules/upload/upload.module
branches/upstream/current-5/modules/user/user.info
branches/upstream/current-5/modules/user/user.module
branches/upstream/current-5/modules/watchdog/watchdog.info
Modified: branches/upstream/current-5/CHANGELOG.txt
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/upstream/current-5/CHANGELOG.txt?rev=1960&op=diff
==============================================================================
--- branches/upstream/current-5/CHANGELOG.txt (original)
+++ branches/upstream/current-5/CHANGELOG.txt Sun Nov 30 23:08:16 2008
@@ -1,4 +1,15 @@
-// $Id: CHANGELOG.txt,v 1.173.2.25 2008/08/13 23:59:09 drumm Exp $
+// $Id: CHANGELOG.txt,v 1.173.2.29 2008/10/22 19:25:27 drumm Exp $
+
+Drupal 5.12, 2008-10-22
+-----------------------
+- fixed security issues, (File inclusion), see SA-2008-067
+
+
+Drupal 5.11, 2008-10-08
+-----------------------
+- fixed a variety of small bugs.
+- fixed security issues, (File upload access bypass, Access rules bypass,
+ BlogAPI access bypass, Node validation bypass), see SA-2008-060
Drupal 5.10, 2008-08-13
-----------------------
Modified: branches/upstream/current-5/includes/bootstrap.inc
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/upstream/current-5/includes/bootstrap.inc?rev=1960&op=diff
==============================================================================
--- branches/upstream/current-5/includes/bootstrap.inc (original)
+++ branches/upstream/current-5/includes/bootstrap.inc Sun Nov 30 23:08:16 2008
@@ -1,5 +1,5 @@
<?php
-// $Id: bootstrap.inc,v 1.145.2.8 2008/01/10 22:14:24 drumm Exp $
+// $Id: bootstrap.inc,v 1.145.2.10 2008/10/22 19:25:28 drumm Exp $
/**
* @file
@@ -201,6 +201,11 @@
$confdir = 'sites';
$uri = explode('/', $_SERVER['SCRIPT_NAME'] ? $_SERVER['SCRIPT_NAME'] : $_SERVER['SCRIPT_FILENAME']);
+ if (strpos($_SERVER['HTTP_HOST'], '/') !== FALSE) {
+ // A HTTP_HOST containing slashes may be an attack and is invalid.
+ header('HTTP/1.1 400 Bad Request');
+ exit;
+ }
$server = explode('.', implode('.', array_reverse(explode(':', rtrim($_SERVER['HTTP_HOST'], '.')))));
for ($i = count($uri) - 1; $i > 0; $i--) {
for ($j = count($server); $j > 0; $j--) {
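Review bot: The added guard on `$_SERVER['HTTP_HOST']` is a deny-list of a single character, so a value containing a backslash or any other byte that cannot appear in a host name still reaches the `explode()` on the next line. From the surrounding lines the host appears to be used to pick a directory under `$confdir`, so an allow-list is the safer shape: `if (preg_match('/[^a-zA-Z0-9.:_\[\]-]/', $_SERVER['HTTP_HOST'])) {`. That keeps host names, ports and bracketed IPv6 literals and rejects everything else. The comment could also say that the host is later turned into a settings path, which is why the request is refused this early. The enclosing function starts and ends outside the hunk.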
@@ -289,6 +294,15 @@
if (!empty($_SERVER['HTTP_HOST'])) {
$cookie_domain = check_plain($_SERVER['HTTP_HOST']);
}
+ }
+ // To prevent session cookies from being hijacked, a user can configure the
+ // SSL version of their website to only transfer session cookies via SSL by
+ // using PHP's session.cookie_secure setting. The browser will then use two
+ // separate session cookies for the HTTPS and HTTP versions of the site. So we
+ // must use different session identifiers for HTTPS and HTTP to prevent a
+ // cookie collision.
+ if (ini_get('session.cookie_secure')) {
+ $session_name .= 'SSL';
}
// Strip leading periods, www., and port numbers from cookie domain.
$cookie_domain = ltrim($cookie_domain, '.');
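Review bot: `ini_get('session.cookie_secure')` returns a string, and the bare truth test treats values such as `'Off'` or `'false'` as enabled. That can happen when the setting is supplied as a literal string (for instance through `php_value` or `ini_set()`) rather than as a php.ini boolean. The session name would then get the `SSL` suffix on a site whose cookie is not actually marked secure, which is confusing when diagnosing session problems. Consider normalising first: `if (in_array(strtolower(ini_get('session.cookie_secure')), array('1', 'on', 'true', 'yes'))) {`. The enclosing block starts outside the hunk.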
Modified: branches/upstream/current-5/includes/database.mysql.inc
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/upstream/current-5/includes/database.mysql.inc?rev=1960&op=diff
==============================================================================
--- branches/upstream/current-5/includes/database.mysql.inc (original)
+++ branches/upstream/current-5/includes/database.mysql.inc Sun Nov 30 23:08:16 2008
@@ -1,5 +1,5 @@
<?php
-// $Id: database.mysql.inc,v 1.66.2.2 2007/10/19 21:49:26 drumm Exp $
+// $Id: database.mysql.inc,v 1.66.2.3 2008/09/15 06:14:52 drumm Exp $
/**
* @file
@@ -63,6 +63,7 @@
install_goto('install.php');
}
drupal_maintenance_theme();
+ drupal_set_header('HTTP/1.1 503 Service Unavailable');
drupal_set_title('PHP MySQL support not enabled');
print theme('maintenance_page', '<p>We were unable to use the MySQL database because the MySQL extension for PHP is not installed. Check your <code>PHP.ini</code> to see how you can enable it.</p>
<p>For more help, see the <a href="http://drupal.org/node/258">Installation and upgrading handbook</a>. If you are unsure what these terms mean you should probably contact your hosting provider.</p>');
@@ -119,6 +120,7 @@
if (!mysql_select_db(substr($url['path'], 1))) {
drupal_maintenance_theme();
+ drupal_set_header('HTTP/1.1 503 Service Unavailable');
drupal_set_title('Unable to select database');
print theme('maintenance_page', '<p>We were able to connect to the MySQL database server (which means your username and password are okay) but not able to select the database.</p>
<p>The MySQL error was: '. theme('placeholder', mysql_error($connection)) .'.</p>
Modified: branches/upstream/current-5/includes/database.mysqli.inc
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/upstream/current-5/includes/database.mysqli.inc?rev=1960&op=diff
==============================================================================
--- branches/upstream/current-5/includes/database.mysqli.inc (original)
+++ branches/upstream/current-5/includes/database.mysqli.inc Sun Nov 30 23:08:16 2008
@@ -1,5 +1,5 @@
<?php
-// $Id: database.mysqli.inc,v 1.32.2.4 2008/07/16 18:55:38 drumm Exp $
+// $Id: database.mysqli.inc,v 1.32.2.5 2008/09/15 06:14:52 drumm Exp $
/**
* @file
@@ -56,6 +56,7 @@
// Check if MySQLi support is present in PHP
if (!function_exists('mysqli_init') && !extension_loaded('mysqli')) {
drupal_maintenance_theme();
+ drupal_set_header('HTTP/1.1 503 Service Unavailable');
drupal_set_title('PHP MySQLi support not enabled');
print theme('maintenance_page', '<p>We were unable to use the MySQLi database because the MySQLi extension for PHP is not installed. Check your <code>PHP.ini</code> to see how you can enable it.</p>
<p>For more help, see the <a href="http://drupal.org/node/258">Installation and upgrading handbook</a>. If you are unsure what these terms mean you should probably contact your hosting provider.</p>');
@@ -102,6 +103,7 @@
}
else if (mysqli_connect_errno() > 0) {
drupal_maintenance_theme();
+ drupal_set_header('HTTP/1.1 503 Service Unavailable');
drupal_set_title('Unable to select database');
print theme('maintenance_page', '<p>We were able to connect to the MySQL database server (which means your username and password are okay) but not able to select the database.</p>
<p>The MySQL error was: '. theme('placeholder', mysqli_connect_error($connection)) .'.</p>
Modified: branches/upstream/current-5/includes/database.pgsql.inc
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/upstream/current-5/includes/database.pgsql.inc?rev=1960&op=diff
==============================================================================
--- branches/upstream/current-5/includes/database.pgsql.inc (original)
+++ branches/upstream/current-5/includes/database.pgsql.inc Sun Nov 30 23:08:16 2008
@@ -1,5 +1,5 @@
<?php
-// $Id: database.pgsql.inc,v 1.43.2.2 2008/07/16 19:12:52 drumm Exp $
+// $Id: database.pgsql.inc,v 1.43.2.3 2008/09/15 06:14:52 drumm Exp $
/**
* @file
@@ -54,6 +54,7 @@
// Check if MySQL support is present in PHP
if (!function_exists('pg_connect')) {
drupal_maintenance_theme();
+ drupal_set_header('HTTP/1.1 503 Service Unavailable');
drupal_set_title('PHP PostgreSQL support not enabled');
print theme('maintenance_page', '<p>We were unable to use the PostgreSQL database because the PostgreSQL extension for PHP is not installed. Check your <code>PHP.ini</code> to see how you can enable it.</p>
<p>For more help, see the <a href="http://drupal.org/node/258">Installation and upgrading handbook</a>. If you are unsure what these terms mean you should probably contact your hosting provider.</p>');
Modified: branches/upstream/current-5/includes/file.inc
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/upstream/current-5/includes/file.inc?rev=1960&op=diff
==============================================================================
--- branches/upstream/current-5/includes/file.inc (original)
+++ branches/upstream/current-5/includes/file.inc Sun Nov 30 23:08:16 2008
@@ -1,5 +1,5 @@
<?php
-// $Id: file.inc,v 1.90.2.5 2008/08/13 23:59:09 drumm Exp $
+// $Id: file.inc,v 1.90.2.6 2008/09/15 06:23:52 drumm Exp $
/**
* @file
@@ -641,7 +641,7 @@
$files = array();
if (is_dir($dir) && $handle = opendir($dir)) {
- while ($file = readdir($handle)) {
+ while (FALSE !== ($file = readdir($handle))) {
if (!in_array($file, $nomask) && $file[0] != '.') {
if (is_dir("$dir/$file") && $recurse) {
$files = array_merge($files, file_scan_directory("$dir/$file", $mask, $nomask, $callback, $recurse, $key, $min_depth, $depth + 1));
Modified: branches/upstream/current-5/includes/form.inc
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/upstream/current-5/includes/form.inc?rev=1960&op=diff
==============================================================================
--- branches/upstream/current-5/includes/form.inc (original)
+++ branches/upstream/current-5/includes/form.inc Sun Nov 30 23:08:16 2008
@@ -1,5 +1,5 @@
<?php
-// $Id: form.inc,v 1.174.2.14 2008/08/04 04:00:24 drumm Exp $
+// $Id: form.inc,v 1.174.2.15 2008/09/15 06:03:17 drumm Exp $
/**
* @defgroup form Form generation
@@ -1538,7 +1538,11 @@
* A string representing the form element.
*/
function theme_form_element($element, $value) {
- $output = '<div class="form-item">'."\n";
+ $output = '<div class="form-item"';
+ if (!empty($element['#id'])) {
+ $output .= ' id="'. $element['#id'] .'-wrapper"';
+ }
+ $output .= ">\n";
$required = !empty($element['#required']) ? '<span class="form-required" title="'. t('This field is required.') .'">*</span>' : '';
if (!empty($element['#title'])) {
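Review bot: `$element['#id']` is concatenated into the new `id` attribute without escaping, so a value containing a double quote would break out of the attribute. Core usually generates `#id` itself, but the property can also be set by module code, so encoding at output is the safer default: `$output .= ' id="'. check_plain($element['#id']) .'-wrapper"';`. The body of theme_form_element() continues past the hunk.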
Modified: branches/upstream/current-5/includes/install.inc
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/upstream/current-5/includes/install.inc?rev=1960&op=diff
==============================================================================
--- branches/upstream/current-5/includes/install.inc (original)
+++ branches/upstream/current-5/includes/install.inc Sun Nov 30 23:08:16 2008
@@ -1,5 +1,5 @@
<?php
-// $Id: install.inc,v 1.31.2.2 2007/10/06 22:38:28 drumm Exp $
+// $Id: install.inc,v 1.31.2.4 2008/10/05 01:46:57 drumm Exp $
define('SCHEMA_UNINSTALLED', -1);
define('SCHEMA_INSTALLED', 0);
@@ -33,8 +33,8 @@
* @param $module
* A module name.
* @return
- * If the module has updates, an array of available updates. Otherwise,
- * FALSE.
+ * If the module has updates, an array of available updates sorted by version.
+ * Otherwise, FALSE.
*/
function drupal_get_schema_versions($module) {
$updates = array();
@@ -50,6 +50,7 @@
if (count($updates) == 0) {
return FALSE;
}
+ sort($updates, SORT_NUMERIC);
return $updates;
}
@@ -243,7 +244,7 @@
function drupal_get_install_files($module_list = array()) {
$installs = array();
foreach ($module_list as $module) {
- $installs = array_merge($installs, file_scan_directory('./modules', "^$module.install$", array('.', '..', 'CVS'), 0, TRUE, 'name', 0));
+ $installs = array_merge($installs, drupal_system_listing($module .'.install$', 'modules'));
}
return $installs;
}
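Review bot: The new mask `$module .'.install$'` has lost the leading anchor and leaves the dot unescaped. If drupal_system_listing() applies the mask as a regular expression, as the replaced file_scan_directory() call did, a request for `node` would also match a file such as `mynode.install`. Keeping the anchor and escaping the dot limits the result to the requested module: `drupal_system_listing('^'. $module .'\.install$', 'modules')`.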
@@ -677,6 +678,7 @@
*/
function drupal_check_profile($profile) {
include_once './includes/file.inc';
+ include_once './includes/common.inc';
$profile_file = "./profiles/$profile/$profile.profile";
Modified: branches/upstream/current-5/includes/theme.inc
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/upstream/current-5/includes/theme.inc?rev=1960&op=diff
==============================================================================
--- branches/upstream/current-5/includes/theme.inc (original)
+++ branches/upstream/current-5/includes/theme.inc Sun Nov 30 23:08:16 2008
@@ -1,5 +1,5 @@
<?php
-// $Id: theme.inc,v 1.337.2.5 2008/07/09 21:48:41 drumm Exp $
+// $Id: theme.inc,v 1.337.2.6 2008/10/01 22:48:47 drumm Exp $
/**
* @file
@@ -8,7 +8,7 @@
* The theme system allows for nearly all output of the Drupal system to be
* customized by user themes.
*
- * @see <a href="http://drupal.org/node/253">Theme system</a>
+ * @see <a href="http://drupal.org/node/171179">Theme guide</a>
* @see themeable
*/
Modified: branches/upstream/current-5/includes/xmlrpc.inc
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/upstream/current-5/includes/xmlrpc.inc?rev=1960&op=diff
==============================================================================
--- branches/upstream/current-5/includes/xmlrpc.inc (original)
+++ branches/upstream/current-5/includes/xmlrpc.inc Sun Nov 30 23:08:16 2008
@@ -1,5 +1,5 @@
<?php
-// $Id: xmlrpc.inc,v 1.38.2.4 2008/08/13 18:01:53 drumm Exp $
+// $Id: xmlrpc.inc,v 1.38.2.5 2008/10/01 22:01:17 drumm Exp $
/*
Drupal XML-RPC library. Based on the IXR - The Incutio XML-RPC Library - (c) Incutio Ltd 2002-2005
@@ -343,13 +343,16 @@
}
-function xmlrpc_error($code = NULL, $message = NULL) {
+function xmlrpc_error($code = NULL, $message = NULL, $reset = FALSE) {
static $xmlrpc_error;
if (isset($code)) {
$xmlrpc_error = new stdClass();
$xmlrpc_error->is_error = TRUE;
$xmlrpc_error->code = $code;
$xmlrpc_error->message = $message;
+ }
+ elseif ($reset) {
+ $xmlrpc_error = NULL;
}
return $xmlrpc_error;
}
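Review bot: The new `$reset` parameter of xmlrpc_error() is undocumented, and its interaction with `$code` is easy to misread: because the reset sits in the `elseif`, it is silently ignored whenever a code is passed. No docblock is visible above the function in this hunk. I would add one that describes `$code` and `$message` as setting the stored error, `$reset` as clearing it only when `$code` is NULL, and the return value as the stored error object or NULL.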
@@ -427,6 +430,7 @@
function _xmlrpc() {
$args = func_get_args();
$url = array_shift($args);
+ xmlrpc_clear_error();
if (is_array($args[0])) {
$method = 'system.multicall';
$multicall_args = array();
@@ -475,3 +479,10 @@
$error = xmlrpc_error();
return $error->message;
}
+
+/**
+ * Clears any previous error.
+ */
+function xmlrpc_clear_error() {
+ xmlrpc_error(NULL, NULL, TRUE);
+}
Modified: branches/upstream/current-5/modules/aggregator/aggregator.info
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/upstream/current-5/modules/aggregator/aggregator.info?rev=1960&op=diff
==============================================================================
--- branches/upstream/current-5/modules/aggregator/aggregator.info (original)
+++ branches/upstream/current-5/modules/aggregator/aggregator.info Sun Nov 30 23:08:16 2008
@@ -4,8 +4,8 @@
package = Core - optional
version = VERSION
-; Information added by drupal.org packaging script on 2008-08-14
-version = "5.10"
+; Information added by drupal.org packaging script on 2008-10-22
+version = "5.12"
project = "drupal"
-datestamp = "1218672307"
+datestamp = "1224703813"
Modified: branches/upstream/current-5/modules/block/block.info
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/upstream/current-5/modules/block/block.info?rev=1960&op=diff
==============================================================================
--- branches/upstream/current-5/modules/block/block.info (original)
+++ branches/upstream/current-5/modules/block/block.info Sun Nov 30 23:08:16 2008
@@ -4,8 +4,8 @@
package = Core - required
version = VERSION
-; Information added by drupal.org packaging script on 2008-08-14
-version = "5.10"
+; Information added by drupal.org packaging script on 2008-10-22
+version = "5.12"
project = "drupal"
-datestamp = "1218672307"
+datestamp = "1224703813"
Modified: branches/upstream/current-5/modules/blog/blog.info
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/upstream/current-5/modules/blog/blog.info?rev=1960&op=diff
==============================================================================
--- branches/upstream/current-5/modules/blog/blog.info (original)
+++ branches/upstream/current-5/modules/blog/blog.info Sun Nov 30 23:08:16 2008
@@ -4,8 +4,8 @@
package = Core - optional
version = VERSION
-; Information added by drupal.org packaging script on 2008-08-14
-version = "5.10"
+; Information added by drupal.org packaging script on 2008-10-22
+version = "5.12"
project = "drupal"
-datestamp = "1218672307"
+datestamp = "1224703813"
Modified: branches/upstream/current-5/modules/blogapi/blogapi.info
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/upstream/current-5/modules/blogapi/blogapi.info?rev=1960&op=diff
==============================================================================
--- branches/upstream/current-5/modules/blogapi/blogapi.info (original)
+++ branches/upstream/current-5/modules/blogapi/blogapi.info Sun Nov 30 23:08:16 2008
@@ -4,8 +4,8 @@
package = Core - optional
version = VERSION
-; Information added by drupal.org packaging script on 2008-08-14
-version = "5.10"
+; Information added by drupal.org packaging script on 2008-10-22
+version = "5.12"
project = "drupal"
-datestamp = "1218672307"
+datestamp = "1224703813"
Modified: branches/upstream/current-5/modules/blogapi/blogapi.install
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/upstream/current-5/modules/blogapi/blogapi.install?rev=1960&op=diff
==============================================================================
--- branches/upstream/current-5/modules/blogapi/blogapi.install (original)
+++ branches/upstream/current-5/modules/blogapi/blogapi.install Sun Nov 30 23:08:16 2008
@@ -1,5 +1,5 @@
<?php
-// $Id: blogapi.install,v 1.2.2.2 2008/08/13 23:59:09 drumm Exp $
+// $Id: blogapi.install,v 1.2.2.3 2008/08/27 13:25:13 drumm Exp $
/**
* Implementation of hook_install().
@@ -22,7 +22,7 @@
case 'pgsql':
db_query("CREATE TABLE {blogapi_files} (
fid serial,
- filename varchar(255) NOT NULL default '',
+ uid int_unsigned NOT NULL default 0,
filepath varchar(255) NOT NULL default '',
filesize int_unsigned NOT NULL default 0,
PRIMARY KEY (fid)
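Review bot: Editing the column list inside the existing `CREATE TABLE {blogapi_files}` statement fixes fresh PostgreSQL installs only; a site that already created the table with the previous definition keeps `filename` and still has no `uid` column. The same edit is made to the `update_sql()` call in the later hunk (@@ -70,7), which presumably belongs to an update such sites have already run and will not run again. Nothing visible in this commit adds a follow-up for them, so I would add a new update function for the `pgsql` case that adds `uid` and drops `filename`. The enclosing functions start and end outside both hunks.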
@@ -70,7 +70,7 @@
case 'pgsql':
$ret[] = update_sql("CREATE TABLE {blogapi_files} (
fid serial,
- filename varchar(255) NOT NULL default '',
+ uid int_unsigned NOT NULL default 0,
filepath varchar(255) NOT NULL default '',
filesize int_unsigned NOT NULL default 0,
PRIMARY KEY (fid)
Modified: branches/upstream/current-5/modules/blogapi/blogapi.module
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/upstream/current-5/modules/blogapi/blogapi.module?rev=1960&op=diff
==============================================================================
--- branches/upstream/current-5/modules/blogapi/blogapi.module (original)
+++ branches/upstream/current-5/modules/blogapi/blogapi.module Sun Nov 30 23:08:16 2008
@@ -1,5 +1,5 @@
<?php
-// $Id: blogapi.module,v 1.100.2.5 2008/08/13 23:59:09 drumm Exp $
+// $Id: blogapi.module,v 1.100.2.6 2008/10/08 20:10:25 drumm Exp $
/**
* @file
@@ -217,6 +217,11 @@
node_invoke_nodeapi($edit, 'blogapi new');
+ $valid = blogapi_status_error_check($edit, $publish);
+ if ($valid !== TRUE) {
+ return $valid;
+ }
+
node_validate($edit);
if ($errors = form_get_errors()) {
return blogapi_error(implode("\n", $errors));
@@ -254,7 +259,8 @@
if (!node_access('update', $node)) {
return blogapi_error(t('You do not have permission to update this post.'));
}
-
+ // Save the original status for validation of permissions.
+ $original_status = $node->status;
$node->status = $publish;
// check for bloggerAPI vs. metaWeblogAPI
@@ -270,6 +276,11 @@
node_invoke_nodeapi($node, 'blogapi edit');
+ $valid = blogapi_status_error_check($node, $original_status);
+ if ($valid !== TRUE) {
+ return $valid;
+ }
+
node_validate($node);
if ($errors = form_get_errors()) {
return blogapi_error(implode("\n", $errors));
@@ -301,6 +312,33 @@
return _blogapi_get_post($node, TRUE);
}
+
+/**
+ * Check that the user has permission to save the node with the chosen status.
+ *
+ * @return
+ * TRUE if no error, or the blogapi_error().
+ */
+function blogapi_status_error_check($node, $original_status) {
+
+ $node = (object) $node;
+
+ $node_type_default = variable_get('node_options_'. $node->type, array('status', 'promote'));
+
+ // If we don't have the 'administer nodes' permission and the status is
+ // changing or for a new node the status is not the content type's default,
+ // then return an error.
+ if (!user_access('administer nodes') && (($node->status != $original_status) || (empty($node->nid) && $node->status != in_array('status', $node_type_default)))) {
+ if ($node->status) {
+ return blogapi_error(t('You do not have permission to publish this type of post. Please save it as a draft instead.'));
+ }
+ else {
+ return blogapi_error(t('You do not have permission to save this post as a draft. Please publish it instead.'));
+ }
+ }
+ return TRUE;
+}
+
/**
* Blogging API callback. Removes the specified blog node.
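Review bot: In blogapi_status_error_check() the expression `$node->status != in_array('status', $node_type_default)` compares the submitted status with a boolean through a loose `!=`, which hides what is being checked and depends on how the XML-RPC layer typed the value. Naming the default makes the permission rule readable: `$default_status = in_array('status', $node_type_default) ? 1 : 0;` followed by a comparison against `(int) $node->status`. The docblock also has no `@param` entries. It should say that `$node` may be an array or an object, and that `$original_status` is the stored status on edit but the requested `$publish` value on the new-post path.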
@@ -492,7 +530,56 @@
foreach ($categories as $category) {
$node->taxonomy[] = $category['categoryId'];
}
+ $validated = blogapi_mt_validate_terms($node);
+ if ($validated !== TRUE) {
+ return $validated;
+ }
node_save($node);
+ return TRUE;
+}
+
+/**
+ * Blogging API helper - find allowed taxonomy terms for a node type.
+ */
+function blogapi_mt_validate_terms($node) {
+ // We do a lot of heavy lifting here since taxonomy module doesn't have a
+ // stand-alone validation function.
+ if (module_exists('taxonomy')) {
+ $found_terms = array();
+ if (!empty($node->taxonomy)) {
+ $term_list = array_unique($node->taxonomy);
+ $placeholders = implode(', ', array_fill(0, count($term_list), '%d'));
+ $params = $term_list;
+ $params[] = $node->type;
+ $result = db_query(db_rewrite_sql("SELECT t.tid, t.vid FROM {term_data} t INNER JOIN {vocabulary_node_types} n ON t.vid = n.vid WHERE t.tid IN (". $placeholders .") AND n.type = '%s'", 't', 'tid'), $params);
+ $found_terms = array();
+ $found_count = 0;
+ while ($term = db_fetch_object($result)) {
+ $found_terms[$term->vid][$term->tid] = $term->tid;
+ $found_count++;
+ }
+ // If the counts don't match, some terms are invalid or not accessible to this user.
+ if (count($term_list) != $found_count) {
+ return blogapi_error(t('Invalid categories submitted.'));
+ }
+ }
+ // Look up all the vocabularies for this node type.
+ $result2 = db_query(db_rewrite_sql("SELECT v.vid, v.name, v.required, v.multiple FROM {vocabulary} v INNER JOIN {vocabulary_node_types} n ON v.vid = n.vid WHERE n.type = '%s'", 'v', 'vid'), $node->type);
+ // Check each vocabulary associated with this node type.
+ while ($vocabulary = db_fetch_object($result2)) {
+ // Required vocabularies must have at least one term.
+ if ($vocabulary->required && empty($found_terms[$vocabulary->vid])) {
+ return blogapi_error(t('A category from the @vocabulary_name vocabulary is required.', array('@vocabulary_name' => $vocabulary->name)));
+ }
+ // Vocabularies that don't allow multiple terms may have at most one.
+ if (!($vocabulary->multiple) && (isset($found_terms[$vocabulary->vid]) && count($found_terms[$vocabulary->vid]) > 1)) {
+ return blogapi_error(t('You may only choose one category from the @vocabulary_name vocabulary.'), array('@vocabulary_name' => $vocabulary->name));
+ }
+ }
+ }
+ elseif (!empty($node->taxonomy)) {
+ return blogapi_error(t('Error saving categories. This feature is not available.'));
+ }
return TRUE;
}
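Review bot: In the single-term branch of blogapi_mt_validate_terms() the closing parenthesis of `t()` is misplaced, so the replacement array is passed to `blogapi_error()` as a second argument and the message goes out with the literal `@vocabulary_name`. It should mirror the required-vocabulary branch just above it: `return blogapi_error(t('You may only choose one category from the @vocabulary_name vocabulary.', array('@vocabulary_name' => $vocabulary->name)));`. The calling function at the top of the hunk starts outside it.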
@@ -527,11 +614,16 @@
return blogapi_error(t('Invalid post.'));
}
+ // Nothing needs to be done if already published.
+ if ($node->status) {
+ return;
+ }
+
+ if (!node_access('update', $node) || !user_access('administer nodes')) {
+ return blogapi_error(t('You do not have permission to update this post.'));
+ }
+
$node->status = 1;
- if (!node_access('update', $node)) {
- return blogapi_error(t('You do not have permission to update this post.'));
- }
-
node_save($node);
return TRUE;
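Review bot: The early exit for an already-published node is a bare `return;`, which hands the XML-RPC caller NULL, while the success path at the end of the hunk returns TRUE; `return TRUE;` would keep the result type consistent. That exit also runs before the `node_access()` / `user_access()` check, so a caller without update rights gets a success-shaped answer for a published node instead of the permission error. Moving the permission check above the status test would make the response independent of the node's state. The callback starts and ends outside the hunk.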
Modified: branches/upstream/current-5/modules/book/book.info
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/upstream/current-5/modules/book/book.info?rev=1960&op=diff
==============================================================================
--- branches/upstream/current-5/modules/book/book.info (original)
+++ branches/upstream/current-5/modules/book/book.info Sun Nov 30 23:08:16 2008
@@ -4,8 +4,8 @@
package = Core - optional
version = VERSION
-; Information added by drupal.org packaging script on 2008-08-14
-version = "5.10"
+; Information added by drupal.org packaging script on 2008-10-22
+version = "5.12"
project = "drupal"
-datestamp = "1218672307"
+datestamp = "1224703813"
Modified: branches/upstream/current-5/modules/color/color.info
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/upstream/current-5/modules/color/color.info?rev=1960&op=diff
==============================================================================
--- branches/upstream/current-5/modules/color/color.info (original)
+++ branches/upstream/current-5/modules/color/color.info Sun Nov 30 23:08:16 2008
@@ -4,8 +4,8 @@
package = Core - optional
version = VERSION
-; Information added by drupal.org packaging script on 2008-08-14
-version = "5.10"
+; Information added by drupal.org packaging script on 2008-10-22
+version = "5.12"
project = "drupal"
-datestamp = "1218672307"
+datestamp = "1224703813"
Modified: branches/upstream/current-5/modules/comment/comment.info
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/upstream/current-5/modules/comment/comment.info?rev=1960&op=diff
==============================================================================
--- branches/upstream/current-5/modules/comment/comment.info (original)
+++ branches/upstream/current-5/modules/comment/comment.info Sun Nov 30 23:08:16 2008
@@ -4,8 +4,8 @@
package = Core - optional
version = VERSION
-; Information added by drupal.org packaging script on 2008-08-14
-version = "5.10"
+; Information added by drupal.org packaging script on 2008-10-22
+version = "5.12"
project = "drupal"
-datestamp = "1218672307"
+datestamp = "1224703813"
Modified: branches/upstream/current-5/modules/contact/contact.info
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/upstream/current-5/modules/contact/contact.info?rev=1960&op=diff
==============================================================================
--- branches/upstream/current-5/modules/contact/contact.info (original)
+++ branches/upstream/current-5/modules/contact/contact.info Sun Nov 30 23:08:16 2008
@@ -4,8 +4,8 @@
package = Core - optional
version = VERSION
-; Information added by drupal.org packaging script on 2008-08-14
-version = "5.10"
+; Information added by drupal.org packaging script on 2008-10-22
+version = "5.12"
project = "drupal"
-datestamp = "1218672307"
+datestamp = "1224703813"
Modified: branches/upstream/current-5/modules/contact/contact.module
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/upstream/current-5/modules/contact/contact.module?rev=1960&op=diff
==============================================================================
--- branches/upstream/current-5/modules/contact/contact.module (original)
+++ branches/upstream/current-5/modules/contact/contact.module Sun Nov 30 23:08:16 2008
@@ -1,5 +1,5 @@
<?php
-// $Id: contact.module,v 1.74.2.1 2007/06/05 07:18:05 drumm Exp $
+// $Id: contact.module,v 1.74.2.2 2008/09/15 06:19:06 drumm Exp $
/**
* @file
@@ -27,7 +27,7 @@
$menu_note = '';
}
$output .= '<p>'. t('The contact module also adds a <a href="@menu-settings">menu item</a> (disabled by default) to the navigation block.', array('@menu-settings' => url('admin/build/menu'))) .' '. $menu_note .'</p>';
- return($output);
+ return $output;
}
}
@@ -227,7 +227,7 @@
db_query('UPDATE {contact} SET selected = 0');
}
$recipients = explode(',', $form_values['recipients']);
- foreach ($recipients as $key=>$recipient) {
+ foreach ($recipients as $key => $recipient) {
// E-mail address validation has already been done in _validate.
$recipients[$key] = trim($recipient);
}
@@ -547,6 +547,6 @@
drupal_set_message(t('Your message has been sent.'));
// Jump to home page rather than back to contact page to avoid contradictory messages if flood control has been activated.
- return('');
-}
-
+ return '';
+}
+
Modified: branches/upstream/current-5/modules/drupal/drupal.info
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/upstream/current-5/modules/drupal/drupal.info?rev=1960&op=diff
==============================================================================
--- branches/upstream/current-5/modules/drupal/drupal.info (original)
+++ branches/upstream/current-5/modules/drupal/drupal.info Sun Nov 30 23:08:16 2008
@@ -4,8 +4,8 @@
package = Core - optional
version = VERSION
-; Information added by drupal.org packaging script on 2008-08-14
-version = "5.10"
+; Information added by drupal.org packaging script on 2008-10-22
+version = "5.12"
project = "drupal"
-datestamp = "1218672307"
+datestamp = "1224703813"
Modified: branches/upstream/current-5/modules/filter/filter.info
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/upstream/current-5/modules/filter/filter.info?rev=1960&op=diff
==============================================================================
--- branches/upstream/current-5/modules/filter/filter.info (original)
+++ branches/upstream/current-5/modules/filter/filter.info Sun Nov 30 23:08:16 2008
@@ -4,8 +4,8 @@
package = Core - required
version = VERSION
-; Information added by drupal.org packaging script on 2008-08-14
-version = "5.10"
+; Information added by drupal.org packaging script on 2008-10-22
+version = "5.12"
project = "drupal"
-datestamp = "1218672307"
+datestamp = "1224703813"
Modified: branches/upstream/current-5/modules/filter/filter.module
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/upstream/current-5/modules/filter/filter.module?rev=1960&op=diff
==============================================================================
--- branches/upstream/current-5/modules/filter/filter.module (original)
+++ branches/upstream/current-5/modules/filter/filter.module Sun Nov 30 23:08:16 2008
@@ -1,5 +1,5 @@
<?php
-// $Id: filter.module,v 1.160.2.9 2008/08/13 23:59:09 drumm Exp $
+// $Id: filter.module,v 1.160.2.10 2008/09/17 19:14:19 drumm Exp $
/**
* @file
@@ -1244,7 +1244,7 @@
* for scripts and styles.
*/
function filter_xss_admin($string) {
- return filter_xss($string, array('a', 'abbr', 'acronym', 'address', 'b', 'bdo', 'big', 'blockquote', 'br', 'caption', 'cite', 'code', 'col', 'colgroup', 'dd', 'del', 'dfn', 'div', 'dl', 'dt', 'em', 'h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'hr', 'i', 'img', 'ins', 'kbd', 'li', 'ol', 'p', 'param', 'pre', 'q', 'samp', 'small', 'span', 'strong', 'sub', 'sup', 'table', 'tbody', 'td', 'tfoot', 'th', 'thead', 'tr', 'tt', 'ul', 'var'));
+ return filter_xss($string, array('a', 'abbr', 'acronym', 'address', 'b', 'bdo', 'big', 'blockquote', 'br', 'caption', 'cite', 'code', 'col', 'colgroup', 'dd', 'del', 'dfn', 'div', 'dl', 'dt', 'em', 'h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'hr', 'i', 'img', 'ins', 'kbd', 'li', 'ol', 'p', 'pre', 'q', 'samp', 'small', 'span', 'strong', 'sub', 'sup', 'table', 'tbody', 'td', 'tfoot', 'th', 'thead', 'tr', 'tt', 'ul', 'var'));
}
/**
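Review bot: Nothing next to the allowlist in `filter_xss_admin()` records why `param` is left out, so a later edit could put it back without noticing the intent. A one-line comment above the `return` would pin it, for example `// 'param' is intentionally absent: it only configures embedded objects, and 'object'/'embed' are not allowed here.` The single-line array also makes a one-tag change like this hard to spot in review; one tag per line (or a few per line) would keep future diffs readable. The function's docblock starts outside this hunk, so the existing description could not be checked.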
Modified: branches/upstream/current-5/modules/forum/forum.info
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/upstream/current-5/modules/forum/forum.info?rev=1960&op=diff
==============================================================================
--- branches/upstream/current-5/modules/forum/forum.info (original)
+++ branches/upstream/current-5/modules/forum/forum.info Sun Nov 30 23:08:16 2008
@@ -5,8 +5,8 @@
package = Core - optional
version = VERSION
-; Information added by drupal.org packaging script on 2008-08-14
-version = "5.10"
+; Information added by drupal.org packaging script on 2008-10-22
+version = "5.12"
project = "drupal"
-datestamp = "1218672307"
+datestamp = "1224703813"
Modified: branches/upstream/current-5/modules/help/help.info
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/upstream/current-5/modules/help/help.info?rev=1960&op=diff
==============================================================================
--- branches/upstream/current-5/modules/help/help.info (original)
+++ branches/upstream/current-5/modules/help/help.info Sun Nov 30 23:08:16 2008
@@ -4,8 +4,8 @@
package = Core - optional
version = VERSION
-; Information added by drupal.org packaging script on 2008-08-14
-version = "5.10"
+; Information added by drupal.org packaging script on 2008-10-22
+version = "5.12"
project = "drupal"
-datestamp = "1218672307"
+datestamp = "1224703813"
Modified: branches/upstream/current-5/modules/legacy/legacy.info
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/upstream/current-5/modules/legacy/legacy.info?rev=1960&op=diff
==============================================================================
--- branches/upstream/current-5/modules/legacy/legacy.info (original)
+++ branches/upstream/current-5/modules/legacy/legacy.info Sun Nov 30 23:08:16 2008
@@ -4,8 +4,8 @@
package = Core - optional
version = VERSION
-; Information added by drupal.org packaging script on 2008-08-14
-version = "5.10"
+; Information added by drupal.org packaging script on 2008-10-22
+version = "5.12"
project = "drupal"
-datestamp = "1218672307"
+datestamp = "1224703813"
Modified: branches/upstream/current-5/modules/locale/locale.info
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/upstream/current-5/modules/locale/locale.info?rev=1960&op=diff
==============================================================================
--- branches/upstream/current-5/modules/locale/locale.info (original)
+++ branches/upstream/current-5/modules/locale/locale.info Sun Nov 30 23:08:16 2008
@@ -4,8 +4,8 @@
package = Core - optional
version = VERSION
-; Information added by drupal.org packaging script on 2008-08-14
-version = "5.10"
+; Information added by drupal.org packaging script on 2008-10-22
+version = "5.12"
project = "drupal"
-datestamp = "1218672307"
+datestamp = "1224703813"
Modified: branches/upstream/current-5/modules/menu/menu.info
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/upstream/current-5/modules/menu/menu.info?rev=1960&op=diff
==============================================================================
--- branches/upstream/current-5/modules/menu/menu.info (original)
+++ branches/upstream/current-5/modules/menu/menu.info Sun Nov 30 23:08:16 2008
@@ -4,8 +4,8 @@
package = Core - optional
version = VERSION
-; Information added by drupal.org packaging script on 2008-08-14
-version = "5.10"
+; Information added by drupal.org packaging script on 2008-10-22
+version = "5.12"
project = "drupal"
-datestamp = "1218672307"
+datestamp = "1224703813"
Modified: branches/upstream/current-5/modules/node/node.info
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/upstream/current-5/modules/node/node.info?rev=1960&op=diff
==============================================================================
--- branches/upstream/current-5/modules/node/node.info (original)
+++ branches/upstream/current-5/modules/node/node.info Sun Nov 30 23:08:16 2008
@@ -4,8 +4,8 @@
package = Core - required
version = VERSION
-; Information added by drupal.org packaging script on 2008-08-14
-version = "5.10"
+; Information added by drupal.org packaging script on 2008-10-22
+version = "5.12"
project = "drupal"
-datestamp = "1218672307"
+datestamp = "1224703813"
Modified: branches/upstream/current-5/modules/node/node.module
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/upstream/current-5/modules/node/node.module?rev=1960&op=diff
==============================================================================
--- branches/upstream/current-5/modules/node/node.module (original)
+++ branches/upstream/current-5/modules/node/node.module Sun Nov 30 23:08:16 2008
@@ -1,5 +1,5 @@
<?php
-// $Id: node.module,v 1.776.2.30 2008/07/16 19:04:21 drumm Exp $
+// $Id: node.module,v 1.776.2.31 2008/10/08 20:10:26 drumm Exp $
/**
* @file
@@ -2165,6 +2165,14 @@
$form['delete'] = array('#type' => 'button', '#value' => t('Delete'), '#weight' => 50);
}
$form['#after_build'] = array('node_form_add_preview');
+ // Ensure that node_validate() will always get called.
+ $form['#validate']['node_form_validate'] = array();
+ // Also, if the module defines its own _validate() routine based on the
+ // form_id, include that in the #validate array, as well.
+ $node_validate = $node->type .'_node_form_validate';
+ if (function_exists($node_validate)) {
+ $form['#validate'][$node_validate] = array();
+ }
$form['#base'] = 'node_form';
return $form;
}
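Review bot: The first added comment names `node_validate()`, but the handler actually registered on the next line is `node_form_validate`, which leaves a reader unsure which function is being guaranteed. I would word it after the key that is set, e.g. `// Ensure that node_form_validate() always runs, even if #validate was already populated.` Note also that both assignments use `= array()`, so if an earlier step had stored arguments under the same key they would be reset here; a short remark saying that is intended would help. The enclosing function begins outside the hunk, so how `#validate` is filled earlier is not visible.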
Modified: branches/upstream/current-5/modules/path/path.info
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/upstream/current-5/modules/path/path.info?rev=1960&op=diff
==============================================================================
--- branches/upstream/current-5/modules/path/path.info (original)
+++ branches/upstream/current-5/modules/path/path.info Sun Nov 30 23:08:16 2008
@@ -4,8 +4,8 @@
package = Core - optional
version = VERSION
-; Information added by drupal.org packaging script on 2008-08-14
-version = "5.10"
+; Information added by drupal.org packaging script on 2008-10-22
+version = "5.12"
project = "drupal"
-datestamp = "1218672307"
+datestamp = "1224703813"
Modified: branches/upstream/current-5/modules/ping/ping.info
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/upstream/current-5/modules/ping/ping.info?rev=1960&op=diff
==============================================================================
--- branches/upstream/current-5/modules/ping/ping.info (original)
+++ branches/upstream/current-5/modules/ping/ping.info Sun Nov 30 23:08:16 2008
@@ -4,8 +4,8 @@
package = Core - optional
version = VERSION
-; Information added by drupal.org packaging script on 2008-08-14
-version = "5.10"
+; Information added by drupal.org packaging script on 2008-10-22
+version = "5.12"
project = "drupal"
-datestamp = "1218672307"
+datestamp = "1224703813"
Modified: branches/upstream/current-5/modules/poll/poll.info
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/upstream/current-5/modules/poll/poll.info?rev=1960&op=diff
==============================================================================
--- branches/upstream/current-5/modules/poll/poll.info (original)
+++ branches/upstream/current-5/modules/poll/poll.info Sun Nov 30 23:08:16 2008
@@ -4,8 +4,8 @@
package = Core - optional
version = VERSION
-; Information added by drupal.org packaging script on 2008-08-14
-version = "5.10"
+; Information added by drupal.org packaging script on 2008-10-22
+version = "5.12"
project = "drupal"
-datestamp = "1218672307"
+datestamp = "1224703813"
Modified: branches/upstream/current-5/modules/poll/poll.module
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/upstream/current-5/modules/poll/poll.module?rev=1960&op=diff
==============================================================================
--- branches/upstream/current-5/modules/poll/poll.module (original)
+++ branches/upstream/current-5/modules/poll/poll.module Sun Nov 30 23:08:16 2008
@@ -1,5 +1,5 @@
<?php
-// $Id: poll.module,v 1.222.2.4 2007/12/27 08:26:00 drumm Exp $
+// $Id: poll.module,v 1.222.2.5 2008/10/05 00:51:40 drumm Exp $
/**
* @file
@@ -284,15 +284,15 @@
function poll_load($node) {
global $user;
- // Load the appropriate choices into the $node object
$poll = db_fetch_object(db_query("SELECT runtime, active FROM {poll} WHERE nid = %d", $node->nid));
+ // Load the appropriate choices into the $poll object.
$result = db_query("SELECT chtext, chvotes, chorder FROM {poll_choices} WHERE nid = %d ORDER BY chorder", $node->nid);
while ($choice = db_fetch_array($result)) {
$poll->choice[$choice['chorder']] = $choice;
}
- // Determine whether or not this user is allowed to vote
+ // Determine whether or not this user is allowed to vote.
$poll->allowvotes = FALSE;
if (user_access('vote on polls') && $poll->active) {
if ($user->uid) {
@@ -629,18 +629,32 @@
* Implementation of hook_update().
*/
function poll_update($node) {
+ // Update poll settings.
db_query('UPDATE {poll} SET runtime = %d, active = %d WHERE nid = %d', $node->runtime, $node->active, $node->nid);
+ // Clean poll choices.
db_query('DELETE FROM {poll_choices} WHERE nid = %d', $node->nid);
- db_query('DELETE FROM {poll_votes} WHERE nid = %d', $node->nid);
-
- $i = 0;
- foreach ($node->choice as $choice) {
- $chvotes = (int)$choice['chvotes'];
+
+ // Poll choices come in the same order with the same numbers as they are in
+ // the database, but some might have an empty title, which signifies that
+ // they should be removed. We remove all votes to the removed options, so
+ // people who voted on them can vote again.
+ $new_chorder = 0;
+ foreach ($node->choice as $old_chorder => $choice) {
+ $chvotes = isset($choice['chvotes']) ? (int)$choice['chvotes'] : 0;
$chtext = $choice['chtext'];
- if ($chtext != '') {
- db_query("INSERT INTO {poll_choices} (nid, chtext, chvotes, chorder) VALUES (%d, '%s', %d, %d)", $node->nid, $chtext, $chvotes, $i++);
+ if (!empty($chtext)) {
+ db_query("INSERT INTO {poll_choices} (nid, chtext, chvotes, chorder) VALUES (%d, '%s', %d, %d)", $node->nid, $chtext, $chvotes, $new_chorder);
+ if ($new_chorder != $old_chorder) {
+ // We can only remove items in the middle, not add, so
+ // new_chorder is always <= old_chorder, making this safe.
+ db_query("UPDATE {poll_votes} SET chorder = %d WHERE nid = %d AND chorder = %d", $new_chorder, $node->nid, $old_chorder);
+ }
+ $new_chorder++;
+ }
+ else {
+ db_query("DELETE FROM {poll_votes} WHERE nid = %d AND chorder = %d", $node->nid, $old_chorder);
}
}
}
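Review bot: The new test `if (!empty($chtext))` in `poll_update()` treats a choice whose text is the string "0" as empty, because PHP's `empty()` is true for "0"; the replaced test `$chtext != ''` kept such a choice. With the new code that choice is dropped and the `else` branch deletes its votes. A comparison that only rejects a missing or empty title avoids this: `if (isset($chtext) && $chtext !== '') {`. The renumbering also relies on `$node->choice` being iterated in ascending `chorder`, which the comment asserts but the hunk does not show being enforced.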
Modified: branches/upstream/current-5/modules/profile/profile.info
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/upstream/current-5/modules/profile/profile.info?rev=1960&op=diff
==============================================================================
--- branches/upstream/current-5/modules/profile/profile.info (original)
+++ branches/upstream/current-5/modules/profile/profile.info Sun Nov 30 23:08:16 2008
@@ -4,8 +4,8 @@
package = Core - optional
version = VERSION
-; Information added by drupal.org packaging script on 2008-08-14
-version = "5.10"
+; Information added by drupal.org packaging script on 2008-10-22
+version = "5.12"
project = "drupal"
-datestamp = "1218672307"
+datestamp = "1224703813"
Modified: branches/upstream/current-5/modules/search/search.info
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/upstream/current-5/modules/search/search.info?rev=1960&op=diff
==============================================================================
--- branches/upstream/current-5/modules/search/search.info (original)
+++ branches/upstream/current-5/modules/search/search.info Sun Nov 30 23:08:16 2008
@@ -4,8 +4,8 @@
package = Core - optional
version = VERSION
-; Information added by drupal.org packaging script on 2008-08-14
-version = "5.10"
+; Information added by drupal.org packaging script on 2008-10-22
+version = "5.12"
project = "drupal"
-datestamp = "1218672307"
+datestamp = "1224703813"
Modified: branches/upstream/current-5/modules/statistics/statistics.info
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/upstream/current-5/modules/statistics/statistics.info?rev=1960&op=diff
==============================================================================
--- branches/upstream/current-5/modules/statistics/statistics.info (original)
+++ branches/upstream/current-5/modules/statistics/statistics.info Sun Nov 30 23:08:16 2008
@@ -4,8 +4,8 @@
package = Core - optional
version = VERSION
-; Information added by drupal.org packaging script on 2008-08-14
-version = "5.10"
+; Information added by drupal.org packaging script on 2008-10-22
+version = "5.12"
project = "drupal"
-datestamp = "1218672307"
+datestamp = "1224703813"
Modified: branches/upstream/current-5/modules/system/system.info
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/upstream/current-5/modules/system/system.info?rev=1960&op=diff
==============================================================================
--- branches/upstream/current-5/modules/system/system.info (original)
+++ branches/upstream/current-5/modules/system/system.info Sun Nov 30 23:08:16 2008
@@ -4,8 +4,8 @@
package = Core - required
version = VERSION
-; Information added by drupal.org packaging script on 2008-08-14
-version = "5.10"
+; Information added by drupal.org packaging script on 2008-10-22
+version = "5.12"
project = "drupal"
-datestamp = "1218672307"
+datestamp = "1224703813"
Modified: branches/upstream/current-5/modules/system/system.module
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/upstream/current-5/modules/system/system.module?rev=1960&op=diff
==============================================================================
--- branches/upstream/current-5/modules/system/system.module (original)
+++ branches/upstream/current-5/modules/system/system.module Sun Nov 30 23:08:16 2008
@@ -1,12 +1,12 @@
<?php
-// $Id: system.module,v 1.440.2.35 2008/08/13 23:59:09 drumm Exp $
+// $Id: system.module,v 1.440.2.39 2008/10/22 19:25:28 drumm Exp $
/**
* @file
* Configuration system that lets administrators modify the workings of the site.
*/
-define('VERSION', '5.10');
+define('VERSION', '5.12');
/**
* Implementation of hook_help().
Modified: branches/upstream/current-5/modules/taxonomy/taxonomy.info
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/upstream/current-5/modules/taxonomy/taxonomy.info?rev=1960&op=diff
==============================================================================
--- branches/upstream/current-5/modules/taxonomy/taxonomy.info (original)
+++ branches/upstream/current-5/modules/taxonomy/taxonomy.info Sun Nov 30 23:08:16 2008
@@ -4,8 +4,8 @@
package = Core - optional
version = VERSION
-; Information added by drupal.org packaging script on 2008-08-14
-version = "5.10"
+; Information added by drupal.org packaging script on 2008-10-22
+version = "5.12"
project = "drupal"
-datestamp = "1218672307"
+datestamp = "1224703813"
Modified: branches/upstream/current-5/modules/throttle/throttle.info
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/upstream/current-5/modules/throttle/throttle.info?rev=1960&op=diff
==============================================================================
--- branches/upstream/current-5/modules/throttle/throttle.info (original)
+++ branches/upstream/current-5/modules/throttle/throttle.info Sun Nov 30 23:08:16 2008
@@ -4,8 +4,8 @@
package = Core - optional
version = VERSION
-; Information added by drupal.org packaging script on 2008-08-14
-version = "5.10"
+; Information added by drupal.org packaging script on 2008-10-22
+version = "5.12"
project = "drupal"
-datestamp = "1218672307"
+datestamp = "1224703813"
Modified: branches/upstream/current-5/modules/tracker/tracker.info
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/upstream/current-5/modules/tracker/tracker.info?rev=1960&op=diff
==============================================================================
--- branches/upstream/current-5/modules/tracker/tracker.info (original)
+++ branches/upstream/current-5/modules/tracker/tracker.info Sun Nov 30 23:08:16 2008
@@ -5,8 +5,8 @@
package = Core - optional
version = VERSION
-; Information added by drupal.org packaging script on 2008-08-14
-version = "5.10"
+; Information added by drupal.org packaging script on 2008-10-22
+version = "5.12"
project = "drupal"
-datestamp = "1218672307"
+datestamp = "1224703813"
Modified: branches/upstream/current-5/modules/upload/upload.info
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/upstream/current-5/modules/upload/upload.info?rev=1960&op=diff
==============================================================================
--- branches/upstream/current-5/modules/upload/upload.info (original)
+++ branches/upstream/current-5/modules/upload/upload.info Sun Nov 30 23:08:16 2008
@@ -4,8 +4,8 @@
package = Core - optional
version = VERSION
-; Information added by drupal.org packaging script on 2008-08-14
-version = "5.10"
+; Information added by drupal.org packaging script on 2008-10-22
+version = "5.12"
project = "drupal"
-datestamp = "1218672307"
+datestamp = "1224703813"
Modified: branches/upstream/current-5/modules/upload/upload.module
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/upstream/current-5/modules/upload/upload.module?rev=1960&op=diff
==============================================================================
--- branches/upstream/current-5/modules/upload/upload.module (original)
+++ branches/upstream/current-5/modules/upload/upload.module Sun Nov 30 23:08:16 2008
@@ -1,5 +1,5 @@
<?php
-// $Id: upload.module,v 1.148.2.4 2008/05/26 05:03:47 drumm Exp $
+// $Id: upload.module,v 1.148.2.5 2008/10/08 20:10:26 drumm Exp $
/**
* @file
@@ -878,8 +878,21 @@
* Menu-callback for JavaScript-based uploads.
*/
function upload_js() {
- // We only do the upload.module part of the node validation process.
- $node = (object)$_POST;
+ if (isset($_POST['vid']) && is_numeric($_POST['vid'])) {
+ // Load the node and check the user is allowed to post attachments to it.
+ $node = node_load(array('vid' => $_POST['vid']));
+ if (!$node || !node_access('update', $node) || !variable_get('upload_'. $node->type, TRUE)) {
+ // Setting this error will cause the form to fail validation.
+ form_set_error('form_token', t('Validation error, please try again. If this error persists, please contact the site administrator.'));
+ $output = theme('status_messages');
+ print drupal_to_js(array('status' => TRUE, 'data' => $output));
+ exit();
+ }
+ }
+ else {
+ // This is a new node.
+ $node = new stdClass();
+ }
// Load existing node files.
$node->files = upload_load($node);
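Review bot: A `vid` that is present but not numeric skips the access check in `upload_js()` and falls into the `else` branch, where it is handled as a brand-new node instead of being rejected. Treating "malformed" the same as "absent" makes the check easy to misread later; I would split the test into `if (isset($_POST['vid'])) {` and put `!is_numeric($_POST['vid']) ||` at the front of the inner failure condition, so a bad value gets the same validation error as a denied one. The new-node branch also shows no permission check of its own; whether one happens elsewhere (menu access or later in the function) cannot be seen, since the body continues past the hunk.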
Modified: branches/upstream/current-5/modules/user/user.info
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/upstream/current-5/modules/user/user.info?rev=1960&op=diff
==============================================================================
--- branches/upstream/current-5/modules/user/user.info (original)
+++ branches/upstream/current-5/modules/user/user.info Sun Nov 30 23:08:16 2008
@@ -4,8 +4,8 @@
package = Core - required
version = VERSION
-; Information added by drupal.org packaging script on 2008-08-14
-version = "5.10"
+; Information added by drupal.org packaging script on 2008-10-22
+version = "5.12"
project = "drupal"
-datestamp = "1218672307"
+datestamp = "1224703813"
Modified: branches/upstream/current-5/modules/user/user.module
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/upstream/current-5/modules/user/user.module?rev=1960&op=diff
==============================================================================
--- branches/upstream/current-5/modules/user/user.module (original)
+++ branches/upstream/current-5/modules/user/user.module Sun Nov 30 23:08:16 2008
@@ -1,5 +1,5 @@
<?php
-// $Id: user.module,v 1.745.2.32 2008/08/13 23:59:09 drumm Exp $
+// $Id: user.module,v 1.745.2.35 2008/10/08 20:10:26 drumm Exp $
/**
* @file
@@ -979,11 +979,21 @@
// Try to log in the user locally. Don't set $user unless successful.
if ($account = user_load(array('name' => $name, 'pass' => $pass, 'status' => 1))) {
- $user = $account;
- return $user;
+ // Check if the e-mail is denied by an access rule.
+ // Doing this check here saves us a user_load() in user_login_validate()
+ // and introduces less code change for a security fix.
+ if (drupal_is_denied('mail', $account->mail)) {
+ form_set_error('name', t('The name %name is registered using a reserved e-mail address and therefore could not be logged in.', array('%name' => $account->name)));
+ return;
+ }
+ else {
+ $user = $account;
+ return $user;
+ }
}
// Strip name and server from ID:
+ $fullname = $name;
if ($server = strrchr($name, '@')) {
$name = substr($name, 0, strlen($name) - strlen($server));
$server = substr($server, 1);
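Review bot: The added `drupal_is_denied('mail', $account->mail)` check guards only the local-login branch; the external paths changed in the hunks at `@@ -991,10 +1001,10 @@` and `@@ -1003,23 +1013,18 @@` still assign `$user` from `user_external_load($fullname)` or `user_save('', $userinfo)` without consulting the access rules. If the rules are meant to apply to every login route, the same test belongs after those assignments, and a `drupal_is_denied('user', $fullname)` test before a new external account is registered. The function ends outside these hunks, so a later check may already cover this; if so, a comment here saying where would help. The `else` after `return;` is also redundant and could be dropped.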
@@ -991,10 +1001,10 @@
// When possible, determine corresponding external auth source. Invoke
// source, and log in user if successful:
- if ($server && ($result = user_get_authmaps("$name@$server"))) {
+ if ($result = user_get_authmaps($fullname)) {
if (module_invoke(key($result), 'auth', $name, $pass, $server)) {
- $user = user_external_load("$name@$server");
- watchdog('user', t('External load by %user using module %module.', array('%user' => $name .'@'. $server, '%module' => key($result))));
+ $user = user_external_load($fullname);
+ watchdog('user', t('External load by %user using module %module.', array('%user' => $fullname, '%module' => key($result))));
}
}
@@ -1003,23 +1013,18 @@
else {
foreach (module_implements('auth') as $module) {
if (module_invoke($module, 'auth', $name, $pass, $server)) {
- if ($server) {
- $name .= '@'. $server;
- }
- $registered_user = user_load(array('name' => $name));
+ $registered_user = user_load(array('name' => $fullname));
if (!$registered_user->uid) { // Register this new user.
$userinfo = array(
- 'name' => $name,
+ 'name' => $fullname,
'pass' => user_password(),
- 'init' => $name,
+ 'init' => $fullname,
'status' => 1,
'access' => time(),
);
- if ($server) {
- $userinfo["authname_$module"] = $name;
- }
+ $userinfo["authname_$module"] = $fullname;
$user = user_save('', $userinfo);
- watchdog('user', t('New external user: %user using module %module.', array('%user' => $name, '%module' => $module)), WATCHDOG_NOTICE, l(t('edit'), 'user/'. $user->uid .'/edit'));
+ watchdog('user', t('New external user: %user using module %module.', array('%user' => $fullname, '%module' => $module)), WATCHDOG_NOTICE, l(t('edit'), 'user/'. $user->uid .'/edit'));
break;
}
}
@@ -1064,6 +1069,13 @@
function user_pass_validate($form_id, $form_values) {
$name = $form_values['name'];
+
+ // Blocked accounts cannot request a new password,
+ // check provided username and email against access rules.
+ if (drupal_is_denied('user', $name) || drupal_is_denied('mail', $name)) {
+ form_set_error('name', t('%name is not allowed to request a new password.', array('%name' => $name)));
+ }
+
$account = user_load(array('mail' => $name, 'status' => 1));
if (!$account) {
$account = user_load(array('name' => $name, 'status' => 1));
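Review bot: The new deny check in `user_pass_validate()` tests only the string the visitor typed, so an account whose e-mail matches a deny rule can still request a reset by entering its user name, and the reverse. Checking the loaded account closes that gap: after the two `user_load()` calls, add a test on `$account && (drupal_is_denied('user', $account->name) || drupal_is_denied('mail', $account->mail))` that sets the same form error. The one-time-login hunk further down does check the account's own name and mail, so this is defence in depth rather than the only barrier. The rest of the function lies outside the hunk.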
@@ -1083,7 +1095,7 @@
$from = variable_get('site_mail', ini_get('sendmail_from'));
// Mail one time login URL and instructions.
- $variables = array('!username' => $account->name, '!site' => variable_get('site_name', 'Drupal'), '!login_url' => user_pass_reset_url($account), '!uri' => $base_url, '!uri_brief' => substr($base_url, strlen('http://')), '!mailto' => $account->mail, '!date' => format_date(time()), '!login_uri' => url('user', NULL, NULL, TRUE), '!edit_uri' => url('user/'. $account->uid .'/edit', NULL, NULL, TRUE));
+ $variables = array('!username' => $account->name, '!site' => variable_get('site_name', 'Drupal'), '!login_url' => user_pass_reset_url($account), '!uri' => $base_url, '!uri_brief' => preg_replace('!^https?://!', '', $base_url), '!mailto' => $account->mail, '!date' => format_date(time()), '!login_uri' => url('user', NULL, NULL, TRUE), '!edit_uri' => url('user/'. $account->uid .'/edit', NULL, NULL, TRUE));
$subject = _user_mail_text('pass_subject', $variables);
$body = _user_mail_text('pass_body', $variables);
$mail_success = drupal_mail('user-pass', $account->mail, $subject, $body, $from);
@@ -1116,6 +1128,11 @@
$current = time();
// Some redundant checks for extra security ?
if ($timestamp < $current && $account = user_load(array('uid' => $uid, 'status' => 1)) ) {
+ // Deny one-time login to blocked accounts.
+ if (drupal_is_denied('user', $account->name) || drupal_is_denied('mail', $account->mail)) {
+ drupal_set_message(t('You have tried to use a one-time login for an account which has been blocked.'), 'error');
+ drupal_goto();
+ }
// No time out for first time login.
if ($account->login && $current - $timestamp > $timeout) {
drupal_set_message(t('You have tried to use a one-time login link that has expired. Please request a new one using the form below.'));
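Review bot: The added block refuses a one-time login for a blocked account but leaves no trace of the attempt, although a reset link being used against a denied account is exactly what an administrator would want to see in the log. A line before `drupal_goto();` would record it, e.g. `watchdog('user', t('One-time login denied for blocked account %name.', array('%name' => $account->name)), WATCHDOG_WARNING);`. It would also help to note in the comment that `drupal_goto()` ends the request, since nothing else in the block stops execution from reaching the login code below. The function starts and continues outside the hunk.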
Modified: branches/upstream/current-5/modules/watchdog/watchdog.info
URL: http://svn.debian.org/wsvn/pkg-drupal/branches/upstream/current-5/modules/watchdog/watchdog.info?rev=1960&op=diff
==============================================================================
--- branches/upstream/current-5/modules/watchdog/watchdog.info (original)
+++ branches/upstream/current-5/modules/watchdog/watchdog.info Sun Nov 30 23:08:16 2008
@@ -4,8 +4,8 @@
package = Core - required
version = VERSION
-; Information added by drupal.org packaging script on 2008-08-14
-version = "5.10"
+; Information added by drupal.org packaging script on 2008-10-22
+version = "5.12"
project = "drupal"
-datestamp = "1218672307"
+datestamp = "1224703813"