
sembrestels committed aea881f

Upgraded to Elgg 1.7.14

  • Parent commits 19dac75


Files changed (6)

+Version 1.7.14
+(October 20th, 2011 from https://github.com/Elgg/Elgg/tree/1.7)
+
+ Contributing Developers:
+  * Cash Costello
+  * Jeroen Dalsem
+  * Brett Profitt
+
+ Security Enhancements:
+  * Fixed a SQL injection and query exposure vulnerability in the search
+    plugin.
+
+ Bug fixes:
+  * Rolled back changes to access system that prevented users from registering
+    if default widgets were enabled.
+  * Default widgets now registers for the correct plugin hook.
+
 Version 1.7.13
 (October 8th, 2011 from https://github.com/Elgg/Elgg/tree/1.7)
 
     of saving an empty file.
 
  Bugfixes:
-  * Fixed problem that could cause WSOD for logged out users and during upgrade.
-  * Pages without owners will forward away to avoid WSOD.
+  * Fixed problem that could cause WSOD for logged out users during upgrade.
+  * Pages plugin forwards if no owner on a user's list page instead of empty page.
 
 Version 1.7.12
 (September 29th, 2011 from https://github.com/Elgg/Elgg/tree/1.7)
+2011-10-20  Brett Profitt <brett.profitt@gmail.com>
+
+  	* CHANGES.txt, version.php: Refs #3984. Updated changes. Version bump to
+  1.7.14.
+
+2011-10-19  cash <cash.costello@gmail.com>
+
+  	* mod/search/search_hooks.php: Fixes #3983 sanitizing limit and offset for
+  comment search
+
+  	* engine/lib/entities.php: Fixes #3722 reverted to previous
+  can_write_to_container() plus fix for group check overriding previous return
+  value. Passed unit tests.
+
+  	* mod/defaultwidgets/start.php: Fixes #3979 default widgets now registers
+  for the correct plugin hook
+
+2011-10-15  Cash Costello <cash.costello@gmail.com>
+
+  	* CHANGES.txt: updated changes file for more accurate description of pages
+  change
+
 2011-10-08  Brett Profitt <brett.profitt@gmail.com>
 
   	* CHANGES.txt, version.php: Bumped version to 1.7.13. Updated changes.

elgg/engine/lib/entities.php

 		$container_guid = page_owner();
 	}
 
-	$return = false;
-
-	// @todo This is probably not a good idea.
 	if (!$container_guid) {
-		$return = true;
-	} else {
-		$container = get_entity($container_guid);
-
-		if ($container && $user) {
-			// If the user can edit the container, they can also write to it
-			$return = $container->canEdit($user->getGUID());
-
-			// See if the user is a member of the group.
-			if (!$return && $container instanceof ElggGroup) {
-				$return = $container->isMember($user);
+		$return = TRUE;
+	}
+	
+	$container = get_entity($container_guid);
+
+	if ($container) {
+		// If the user can edit the container, they can also write to it
+		if ($container->canEdit($user_guid)) {
+			$return = TRUE;
+		}
+
+		// If still not approved, see if the user is a member of the group.
+		if (!$return && $user && $container instanceof ElggGroup) {
+			if (!$container->isMember($user)) {
+				$return = FALSE;
+			} else {
+				$return = TRUE;
 			}
 		}
 	}
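Review bot: `$return` is read in the `!$return` group-membership test, but the hunk removes the `$return = false;` initialiser and only assigns the variable on the approving paths, so for a non-group container the user cannot edit, `$return` keeps whatever value it had before the hunk — if nothing above the hunk assigns it, that is an undefined-variable read and the denial works only by accident; put `$return = false;` back in front of the `if (!$container_guid)` test. The inner `isMember` if/else only runs when `$return` is already falsy, so it collapses to `$return = $container->isMember($user);`. `can_write_to_container` starts and ends outside the hunk, so the initialisation may already exist there and this may be moot.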

elgg/mod/defaultwidgets/start.php

 /**
  * Default widgets initialisation
  *
- * These parameters are required for the event API, but we won't use them:
- * 
- * @param unknown_type $event
- * @param unknown_type $object_type
- * @param unknown_type $object
  */
 function defaultwidgets_init() {
 	
 	if (!isadminloggedin()) {
 		register_elgg_event_handler('validate', 'user', 'defaultwidgets_reset_access');
 	}
-	
-	// Override metadata permissions
-	//register_plugin_hook ( 'permissions_check:metadata', 'object', 'defaultwidgets_can_edit_metadata' );
 }
 
 /**
- * Overrides default permissions for the default widgets context
- * 
- */
-function defaultwidgets_can_edit($hook_name, $entity_type, $return_value, $parameters) {
-	global $defaultwidget_access;
-	
-	if ($defaultwidget_access) {
-		return true;
-	}
-	return $return_value;
-}
-
-/**
- * Override the canEditMetadata function to return true for messages
- *
- */
-function defaultwidgets_can_edit_metadata($hook_name, $entity_type, $return_value, $parameters) {
-	global $defaultwidget_access;
-	
-	if ($defaultwidget_access) {
-		return true;
-	}
-	return $return_value;
-
-}
-
-/**
- * Override the canEdit function to return true for messages within a particular context.
- *
+ * Override the container permissions check so that a new user can have widgets
+ * added while no one is logged in
  */
 function defaultwidgets_can_edit_container($hook_name, $entity_type, $return_value, $parameters) {
 	global $defaultwidget_access;
 register_elgg_event_handler ( 'init', 'system', 'defaultwidgets_init' );
 register_elgg_event_handler ( 'pagesetup', 'system', 'defaultwidgets_pagesetup' );
 
-register_plugin_hook ( 'permissions_check', 'user', 'defaultwidgets_can_edit' );
-register_plugin_hook ( 'permissions_check', 'object', 'defaultwidgets_can_edit' );
-register_plugin_hook ( 'container_permissions_check', 'user', 'defaultwidgets_can_edit_container' );
+register_plugin_hook ( 'container_permissions_check', 'object', 'defaultwidgets_can_edit_container' );
 
 register_action ( "defaultwidgets/update", false, $CONFIG->pluginspath . "defaultwidgets/actions/update.php" );
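Review bot: `defaultwidgets_can_edit_container` now answers `container_permissions_check` for every `object`, and the visible part of its body reads only the mutable global `$defaultwidget_access` (the function continues past the hunk), so if it returns true whenever that flag is set — as the removed `defaultwidgets_can_edit` did — any request path that sets the flag and does not clear it leaves the container check bypassed for every later object write in the same request. The new docblock should state this contract, e.g. ` * Bypasses the check only while the global $defaultwidget_access is set; the caller must clear it as soon as the widgets have been created.` The change from the `user` to the `object` hook itself matches the changelog entry and is not at issue.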

elgg/mod/search/search_hooks.php

 	global $CONFIG;
 
 	$query = sanitise_string($params['query']);
+	$limit = sanitise_int($params['limit']);
+	$offset = sanitise_int($params['offset']);
+
 	$params['annotation_names'] = array('generic_comment', 'group_topic_post');
 
 	$params['joins'] = array(
 			AND $a_access
 			$container_and
 
-		LIMIT {$params['offset']}, {$params['limit']}
+		LIMIT $offset, $limit
 		";
 
 	$comments = get_data($q);
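Review bot: The integer cast closes the injection into the LIMIT clause but does not bound the values: assuming `sanitise_int` is the plain `(int)` cast, a negative `offset` or `limit` survives it and produces an invalid `LIMIT -1, 10`, and a missing key still raises an undefined-index notice before the cast (the removed lines read the raw keys the same way, so that part is pre-existing). Clamp where the values are sanitised, `$limit = max(0, sanitise_int($params['limit']));` and likewise for `$offset`, or guard the keys with `isset()` and a default when they are absent. The enclosing hook function starts and ends outside the hunk.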
 $version = 2011052801;
 
 // Human-friendly version name
-$release = '1.7.13';
+$release = '1.7.14';