security updates
Have to check views and entityreference for custom patches.
@@ -20,4 +20,11 @@ function entity_metadata_book_entity_property_info_alter(&$info) {
|
||||
'description' => t("If part of a book, the book to which this book page belongs."),
|
||||
'getter callback' => 'entity_metadata_book_get_properties',
|
||||
);
|
||||
}
|
||||
$properties['book_ancestors'] = array(
|
||||
'label' => t("Book ancestors"),
|
||||
'type' => 'list<node>',
|
||||
'computed' => TRUE,
|
||||
'description' => t("If part of a book, a list of all book pages upwards in the book hierarchy."),
|
||||
'getter callback' => 'entity_metadata_book_get_properties',
|
||||
);
|
||||
}
|
||||
|
@@ -20,10 +20,22 @@ function entity_metadata_entity_get_properties($entity, array $options, $name, $
|
||||
* @see entity_metadata_book_entity_info_alter()
|
||||
*/
|
||||
function entity_metadata_book_get_properties($node, array $options, $name, $entity_type) {
|
||||
if (!isset($node->book['bid'])) {
|
||||
throw new EntityMetadataWrapperException('This node is no book page.');
|
||||
switch ($name) {
|
||||
case 'book':
|
||||
if (isset($node->book['bid'])) {
|
||||
return $node->book['bid'];
|
||||
}
|
||||
return NULL;
|
||||
|
||||
case 'book_ancestors':
|
||||
$ancestors = array();
|
||||
while (!empty($node->book['plid'])) {
|
||||
$link = book_link_load($node->book['plid']);
|
||||
array_unshift($ancestors, $link['nid']);
|
||||
$node = node_load($link['nid']);
|
||||
}
|
||||
return $ancestors;
|
||||
}
|
||||
return $node->book['bid'];
|
||||
}
|
||||
|
||||
/**
|
||||
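Review bot: The ancestor loop in the new `book_ancestors` case trusts `book_link_load()` to always return a link; if the menu link for `$node->book['plid']` is missing it returns FALSE, `$link['nid']` is then NULL, a NULL id is pushed into `$ancestors`, and `node_load(NULL)` most likely yields FALSE so the loop only ends after emitting notices. A guard such as `if (!$link) { break; }` directly after the load keeps the result a clean list of nids. Nothing bounds the walk either, so a corrupted `plid` chain would loop forever; recording visited nids and breaking on a repeat is cheap insurance. Note that the old `EntityMetadataWrapperException` for non-book nodes is replaced by returning NULL from the `book` case, which callers of that property should know about.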
@@ -80,6 +92,12 @@ function entity_metadata_comment_get_node_properties($node, array $options, $nam
|
||||
|
||||
case 'comment_count_new':
|
||||
return comment_num_new($node->nid);
|
||||
|
||||
case 'comments':
|
||||
$select = db_select('comment', 'c')
|
||||
->fields('c', array('cid'))
|
||||
->condition('c.nid', $node->nid);
|
||||
return array_keys($select->execute()->fetchAllKeyed(0, 0));
|
||||
}
|
||||
}
|
||||
|
||||
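Review bot: The new `comments` query selects every `cid` for the node regardless of `c.status`, so unpublished comment ids are handed to the wrapper and their concealment rests entirely on `entity_metadata_comment_access()` denying them per comment (the same commit adds that check). A one-line comment stating that reliance would help the next maintainer, and the same applies to the `comments` property added in the `entity_metadata_comment_entity_property_info_alter()` hunk further down. `array_keys($select->execute()->fetchAllKeyed(0, 0))` is a roundabout way to fetch one column; `return $select->execute()->fetchCol();` is the idiomatic DBTNG form and an `->orderBy('c.cid')` on the query would give the list a stable order.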
@@ -125,6 +143,9 @@ function entity_metadata_node_get_properties($node, array $options, $name, $enti
|
||||
|
||||
case 'edit_url':
|
||||
return url('node/' . $node->nid . '/edit', $options);
|
||||
|
||||
case 'author':
|
||||
return !empty($node->uid) ? $node->uid : drupal_anonymous_user();
|
||||
}
|
||||
}
|
||||
|
||||
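Review bot: The new `author` case returns a bare uid for authored nodes but a full user object from `drupal_anonymous_user()` for anonymous ones, so the getter's result type depends on the data; presumably the wrapper accepts either an id or an entity object for a `user` property, but that is not visible here. A comment such as `// uid 0 cannot be loaded as a user, so hand the wrapper the anonymous account object instead.` would make the asymmetry read as deliberate. The enclosing `entity_metadata_node_get_properties()` starts outside the hunk.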
@@ -191,6 +212,16 @@ function entity_metadata_statistics_node_get_properties($node, array $options, $
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Access callback for restricted node statistics properties.
|
||||
*/
|
||||
function entity_metadata_statistics_properties_access($op, $property, $entity = NULL, $account = NULL) {
|
||||
if ($property == 'views' && user_access('view post access counter', $account)) {
|
||||
return TRUE;
|
||||
}
|
||||
return user_access('access statistics', $account);
|
||||
}
|
||||
|
||||
/**
|
||||
* Callback for getting site-wide properties.
|
||||
* @see entity_metadata_system_entity_info_alter()
|
||||
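Review bot: `entity_metadata_statistics_properties_access()` ignores `$op` and `$entity`, so it gives the same answer for view and edit; that is harmless while the statistics properties are `'computed' => TRUE` getters without a setter, as the statistics property-info hunks in this commit show, but nothing records that assumption. Its docblock should say so, e.g. `* Ignores $op: the statistics properties are read-only, so only view access matters.` The loose `==` on `$property` works for the string constants used here; `===` would match the strict comparisons introduced elsewhere in this commit.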
@@ -388,7 +419,7 @@ function entity_metadata_language_list() {
|
||||
$list = array();
|
||||
$list[LANGUAGE_NONE] = t('Language neutral');
|
||||
foreach (language_list() as $language) {
|
||||
$list[$language->language] = $language->name;
|
||||
$list[$language->language] = t($language->name);
|
||||
}
|
||||
return $list;
|
||||
}
|
||||
@@ -460,8 +491,15 @@ function entity_metadata_field_options_list($name, $info) {
|
||||
// No data available.
|
||||
$entity = NULL;
|
||||
}
|
||||
$instance = $wrapper->getBundle() ? field_info_instance($wrapper->type(), $name, $wrapper->getBundle()) : NULL;
|
||||
return (array) module_invoke($field['module'], 'options_list', $field, $instance, $wrapper->type(), $entity);
|
||||
|
||||
// Support translating labels via i18n field.
|
||||
if (module_exists('i18n_field') && ($translate = i18n_field_type_info($field['type'], 'translate_options'))) {
|
||||
return $translate($field);
|
||||
}
|
||||
else {
|
||||
$instance = $wrapper->getBundle() ? field_info_instance($wrapper->type(), $name, $wrapper->getBundle()) : NULL;
|
||||
return (array) module_invoke($field['module'], 'options_list', $field, $instance, $wrapper->type(), $entity);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
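Review bot: The new i18n branch returns `$translate($field)` uncast while the sibling branch returns `(array) module_invoke(...)`; if the translate callback yields NULL or FALSE for a field without options, callers expecting an array receive a non-array. Make it `return (array) $translate($field);` for parity. The `else` after an unconditional `return` can also go, which removes one nesting level.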
@@ -612,23 +650,51 @@ function entity_metadata_field_file_validate_item($items, $context) {
|
||||
*
|
||||
* This function does not implement hook_node_access(), thus it may not be
|
||||
* called entity_metadata_node_access().
|
||||
*
|
||||
* @see entity_access()
|
||||
*
|
||||
* @param $op
|
||||
* The operation being performed. One of 'view', 'update', 'create' or
|
||||
* 'delete'.
|
||||
* @param $node
|
||||
* A node to check access for. Must be a node object. Must have nid,
|
||||
* except in the case of 'create' operations.
|
||||
* @param $account
|
||||
* The user to check for. Leave it to NULL to check for the global user.
|
||||
*
|
||||
* @throws EntityMalformedException
|
||||
*
|
||||
* @return boolean
|
||||
* TRUE if access is allowed, FALSE otherwise.
|
||||
*/
|
||||
function entity_metadata_no_hook_node_access($op, $node = NULL, $account = NULL) {
|
||||
// First deal with the case where a $node is provided.
|
||||
if (isset($node)) {
|
||||
if ($op == 'create') {
|
||||
if (isset($node->type)) {
|
||||
return node_access($op, $node->type, $account);
|
||||
}
|
||||
else {
|
||||
throw new EntityMalformedException('Permission to create a node was requested but no node type was given.');
|
||||
}
|
||||
}
|
||||
// If a non-default revision is given, incorporate revision access.
|
||||
$default_revision = node_load($node->nid);
|
||||
if ($node->vid != $default_revision->vid) {
|
||||
return _node_revision_access($node, $op);
|
||||
if ($node->vid !== $default_revision->vid) {
|
||||
return _node_revision_access($node, $op, $account);
|
||||
}
|
||||
else {
|
||||
return node_access($op, $node, $account);
|
||||
}
|
||||
}
|
||||
// Is access to all nodes allowed?
|
||||
// No node is provided. Check for access to all nodes.
|
||||
if (user_access('bypass node access', $account)) {
|
||||
return TRUE;
|
||||
}
|
||||
if (!user_access('access content', $account)) {
|
||||
return FALSE;
|
||||
}
|
||||
if (user_access('bypass node access', $account) || (!isset($account) && $op == 'view' && node_access_view_all_nodes())) {
|
||||
if ($op == 'view' && node_access_view_all_nodes($account)) {
|
||||
return TRUE;
|
||||
}
|
||||
return FALSE;
|
||||
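Review bot: `node_load($node->nid)` is used without checking its result; for a nid that no longer exists it returns FALSE, `$default_revision->vid` is then NULL, and the new strict `!==` test routes the request into `_node_revision_access()` rather than denying it. Guard it with `if (empty($default_revision)) { return FALSE; }` before the comparison. The switch from `!=` to `!==` also means a node object built with an integer `vid` compared against a freshly loaded node whose `vid` may be a string from the database would be treated as a non-default revision; casting both sides with `(int)` keeps the comparison strict without that type trap. The function's docblock begins before the hunk and its closing brace lies after it.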
@@ -637,13 +703,14 @@ function entity_metadata_no_hook_node_access($op, $node = NULL, $account = NULL)
|
||||
/**
|
||||
* Access callback for the user entity.
|
||||
*/
|
||||
function entity_metadata_user_access($op, $entity = NULL, $account = NULL, $entity_type) {
|
||||
function entity_metadata_user_access($op, $entity = NULL, $account = NULL, $entity_type = NULL) {
|
||||
$account = isset($account) ? $account : $GLOBALS['user'];
|
||||
// Grant access to the users own user account and to the anonymous one.
|
||||
if (isset($entity) && $op != 'delete' && (($entity->uid == $account->uid && $entity->uid) || (!$entity->uid && $op == 'view'))) {
|
||||
if (isset($entity->uid) && $op != 'delete' && (($entity->uid == $account->uid && $entity->uid) || (!$entity->uid && $op == 'view'))) {
|
||||
return TRUE;
|
||||
}
|
||||
if (user_access('administer users', $account) || user_access('access user profiles', $account) && $op == 'view' && $entity->status) {
|
||||
if (user_access('administer users', $account)
|
||||
|| user_access('access user profiles', $account) && $op == 'view' && (empty($entity) || !empty($entity->status))) {
|
||||
return TRUE;
|
||||
}
|
||||
return FALSE;
|
||||
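Review bot: The new condition `user_access('administer users', $account) || user_access('access user profiles', $account) && $op == 'view' && (...)` relies on `&&` binding tighter than `||`; it evaluates as intended, but mixing the two operators without parentheses in an access decision invites a misread. Wrap the second alternative: `|| (user_access('access user profiles', $account) && $op == 'view' && (empty($entity) || !empty($entity->status)))`. The `empty($entity)` clause grants generic view access when no entity is supplied, presumably the intended "may this account see user profiles at all" answer; a comment saying so would help.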
@@ -658,7 +725,7 @@ function entity_metadata_user_properties_access($op, $property, $entity = NULL,
|
||||
}
|
||||
$account = isset($account) ? $account : $GLOBALS['user'];
|
||||
// Flag to indicate if this user entity is the own user account.
|
||||
$is_own_account = isset($entity) && $account->uid == $entity->uid;
|
||||
$is_own_account = isset($entity->uid) && $account->uid == $entity->uid;
|
||||
switch ($property) {
|
||||
case 'name':
|
||||
// Allow view access to anyone with access to the entity.
|
||||
@@ -690,6 +757,18 @@ function entity_metadata_comment_access($op, $entity = NULL, $account = NULL) {
|
||||
return FALSE;
|
||||
}
|
||||
}
|
||||
|
||||
// Comment administrators are allowed to perform all operations on all
|
||||
// comments.
|
||||
if (user_access('administer comments', $account)) {
|
||||
return TRUE;
|
||||
}
|
||||
|
||||
// Unpublished comments can never be accessed by non-admins.
|
||||
if (isset($entity->status) && $entity->status == COMMENT_NOT_PUBLISHED) {
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
if (isset($entity) && $op == 'update') {
|
||||
// Because 'comment_access' only checks the current user, we need to do our
|
||||
// own access checking if an account was specified.
|
||||
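Review bot: The new unpublished check `isset($entity->status) && $entity->status == COMMENT_NOT_PUBLISHED` only fires when `status` is set, so a comment object lacking that property skips the deny and falls through to the published-comment rules that follow. If every comment reaching this callback is loaded from the database that is fine, but a deny-by-default form such as `if (isset($entity) && $op != 'create' && empty($entity->status))` is safer against partially built objects; confirm how `create` is handled earlier in the function, which starts outside the hunk.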
@@ -697,19 +776,26 @@ function entity_metadata_comment_access($op, $entity = NULL, $account = NULL) {
|
||||
return comment_access('edit', $entity);
|
||||
}
|
||||
else {
|
||||
return ($account->uid && $account->uid == $entity->uid && $entity->status == COMMENT_PUBLISHED && user_access('edit own comments', $account)) || user_access('administer comments', $account);
|
||||
return $account->uid && $account->uid == $entity->uid && user_access('edit own comments', $account);
|
||||
}
|
||||
}
|
||||
if (user_access('administer comments', $account) || user_access('access comments', $account) && $op == 'view') {
|
||||
if (user_access('access comments', $account) && $op == 'view') {
|
||||
return TRUE;
|
||||
}
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
/**
|
||||
* Access callback for restricted comment properties.
|
||||
*/
|
||||
function entity_metadata_comment_properties_access($op, $property, $entity = NULL, $account = NULL) {
|
||||
return user_access('administer comments', $account);
|
||||
}
|
||||
|
||||
/**
|
||||
* Access callback for the taxonomy entities.
|
||||
*/
|
||||
function entity_metadata_taxonomy_access($op, $entity = NULL, $account = NULL, $entity_type) {
|
||||
function entity_metadata_taxonomy_access($op, $entity = NULL, $account = NULL, $entity_type = NULL) {
|
||||
if ($entity_type == 'taxonomy_vocabulary') {
|
||||
return user_access('administer taxonomy', $account);
|
||||
}
|
||||
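Review bot: Giving `$entity_type` a `NULL` default in `entity_metadata_taxonomy_access()` (and in `entity_metadata_user_access()` above) fixes the required-after-optional parameter order, but a caller that omits it now silently falls past the `taxonomy_vocabulary` branch into the term handling that follows outside the hunk. The docblock should state that, e.g. `* @param $entity_type Either 'taxonomy_term' or 'taxonomy_vocabulary'; a missing value is treated as a term.` The new `entity_metadata_comment_properties_access()` ignores both `$op` and `$property`, which deserves a sentence in its docblock as well.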
@@ -893,10 +979,17 @@ function entity_metadata_form_comment($comment) {
|
||||
* Callback to get the form of a user account.
|
||||
*/
|
||||
function entity_metadata_form_user($account) {
|
||||
// Pre-populate the form-state with the right form include.
|
||||
// If $account->uid is set then we want a user edit form.
|
||||
// Otherwise we want the user register form.
|
||||
if (isset($account->uid)) {
|
||||
$form_id = 'user_profile_form';
|
||||
form_load_include($form_state, 'inc', 'user', 'user.pages');
|
||||
}
|
||||
else {
|
||||
$form_id = 'user_register_form';
|
||||
}
|
||||
$form_state['build_info']['args'] = array($account);
|
||||
form_load_include($form_state, 'inc', 'user', 'user.pages');
|
||||
return drupal_build_form('user_profile_form', $form_state);
|
||||
return drupal_build_form($form_id, $form_state);
|
||||
}
|
||||
|
||||
/**
|
||||
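Review bot: `$form_state` is never initialised in `entity_metadata_form_user()`: the profile branch now passes the undefined variable by reference into `form_load_include()`, while the register branch first touches it via `$form_state['build_info']['args'] = array($account);`. Add `$form_state = array();` as the first statement so both paths start from the same shape. `entity_metadata_form_taxonomy_vocabulary()` in the next hunk has the same pattern.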
@@ -912,11 +1005,11 @@ function entity_metadata_form_taxonomy_term($term) {
|
||||
/**
|
||||
* Callback to get the form of a vocabulary.
|
||||
*/
|
||||
function entity_metadata_form_taxonomy_vocabulary($term) {
|
||||
function entity_metadata_form_taxonomy_vocabulary($vocab) {
|
||||
// Pre-populate the form-state with the right form include.
|
||||
$form_state['build_info']['args'] = array($term);
|
||||
$form_state['build_info']['args'] = array($vocab);
|
||||
form_load_include($form_state, 'inc', 'taxonomy', 'taxonomy.admin');
|
||||
return drupal_build_form('taxonomy_form_term', $form_state);
|
||||
return drupal_build_form('taxonomy_form_vocabulary', $form_state);
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -972,3 +1065,12 @@ function entity_metadata_field_query($entity_type, $property, $value, $limit) {
|
||||
$result = $query->execute();
|
||||
return !empty($result[$entity_type]) ? array_keys($result[$entity_type]) : array();
|
||||
}
|
||||
|
||||
/**
|
||||
* Implements entity_uri() callback for file entities.
|
||||
*/
|
||||
function entity_metadata_uri_file($file) {
|
||||
return array(
|
||||
'path' => file_create_url($file->uri),
|
||||
);
|
||||
}
|
||||
|
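Review bot: `entity_metadata_uri_file()` puts an absolute URL from `file_create_url()` into `'path'`, whereas `entity_uri()` callbacks conventionally return a root-relative path plus `'options'`; consumers that run the result through `url()` presumably get it back unchanged because it looks external, but that is an inference from core behaviour rather than from this code. A docblock line such as `* 'path' is an absolute URL, not a Drupal path; url() is expected to pass it through unchanged.` would record the contract for callers.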
@@ -24,6 +24,7 @@ function entity_metadata_comment_entity_property_info() {
|
||||
$properties['hostname'] = array(
|
||||
'label' => t("IP Address"),
|
||||
'description' => t("The IP address of the computer the comment was posted from."),
|
||||
'access callback' => 'entity_metadata_comment_properties_access',
|
||||
'schema field' => 'hostname',
|
||||
);
|
||||
$properties['name'] = array(
|
||||
@@ -40,8 +41,8 @@ function entity_metadata_comment_entity_property_info() {
|
||||
'description' => t("The email address left by the comment author."),
|
||||
'getter callback' => 'entity_metadata_comment_get_properties',
|
||||
'setter callback' => 'entity_property_verbatim_set',
|
||||
'setter permission' => 'administer comments',
|
||||
'validation callback' => 'valid_email_address',
|
||||
'access callback' => 'entity_metadata_comment_properties_access',
|
||||
'schema field' => 'mail',
|
||||
);
|
||||
$properties['homepage'] = array(
|
||||
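Review bot: Replacing `'setter permission' => 'administer comments'` on the `mail` property with `'access callback' => 'entity_metadata_comment_properties_access'` keeps the write restriction only because that callback, added in this commit, returns `user_access('administer comments', $account)` for every `$op`; it also hides the address from non-admins, which is the security gain here. That coupling is invisible at this site, so a short comment such as `// Read and write both require 'administer comments' via the access callback.` would stop a later op-specific change to the callback from silently loosening the setter. The `status` property in the `@@ -116,7 +117,7 @@` hunk below makes the same substitution.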
@@ -56,7 +57,6 @@ function entity_metadata_comment_entity_property_info() {
|
||||
'label' => t("Subject"),
|
||||
'description' => t("The subject of the comment."),
|
||||
'setter callback' => 'entity_property_verbatim_set',
|
||||
'setter permission' => 'administer comments',
|
||||
'sanitize' => 'filter_xss',
|
||||
'required' => TRUE,
|
||||
'schema field' => 'subject',
|
||||
@@ -88,6 +88,7 @@ function entity_metadata_comment_entity_property_info() {
|
||||
'description' => t("The comment's parent, if comment threading is active."),
|
||||
'type' => 'comment',
|
||||
'getter callback' => 'entity_metadata_comment_get_properties',
|
||||
'setter permission' => 'administer comments',
|
||||
'schema field' => 'pid',
|
||||
);
|
||||
$properties['node'] = array(
|
||||
@@ -116,7 +117,7 @@ function entity_metadata_comment_entity_property_info() {
|
||||
// it is an integer, so we follow the schema definition.
|
||||
'type' => 'integer',
|
||||
'options list' => 'entity_metadata_status_options_list',
|
||||
'setter permission' => 'administer comments',
|
||||
'access callback' => 'entity_metadata_comment_properties_access',
|
||||
'schema field' => 'status',
|
||||
);
|
||||
return $info;
|
||||
@@ -136,6 +137,13 @@ function entity_metadata_comment_entity_property_info_alter(&$info) {
|
||||
'setter permission' => 'administer comments',
|
||||
'type' => 'integer',
|
||||
);
|
||||
$properties['comments'] = array(
|
||||
'label' => t("Comments"),
|
||||
'type' => 'list<comment>',
|
||||
'description' => t("The node comments."),
|
||||
'getter callback' => 'entity_metadata_comment_get_node_properties',
|
||||
'computed' => TRUE,
|
||||
);
|
||||
$properties['comment_count'] = array(
|
||||
'label' => t("Comment count"),
|
||||
'description' => t("The number of comments posted on a node."),
|
||||
|
@@ -51,7 +51,10 @@ function entity_metadata_field_default_property_callback(&$info, $entity_type, $
|
||||
$property = &$info[$entity_type]['bundles'][$instance['bundle']]['properties'][$name];
|
||||
$instance += array('property info' => array());
|
||||
$property = $instance['property info'] + array(
|
||||
'label' => $instance['label'],
|
||||
// Since the label will be exposed via hook_token_info() and it is not
|
||||
// clearly defined if that should be sanitized already we prevent XSS
|
||||
// right here (field labels are user provided text).
|
||||
'label' => filter_xss_admin($instance['label']),
|
||||
'type' => $field_type['property_type'],
|
||||
'description' => t('Field "@name".', array('@name' => $name)),
|
||||
'getter callback' => 'entity_metadata_field_property_get',
|
||||
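Review bot: The XSS protection on the new side covers only the default label: `$property = $instance['property info'] + array('label' => filter_xss_admin(...), ...)` uses `+`, so a `label` supplied through `$instance['property info']` wins and reaches `hook_token_info()` unfiltered. If instance-provided labels are meant to be trusted, the comment should say so; otherwise filter after the merge with `$property['label'] = filter_xss_admin($property['label']);`. The enclosing callback starts outside the hunk.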
@@ -164,7 +167,7 @@ function entity_metadata_field_image_callback(&$info, $entity_type, $field, $ins
|
||||
if (empty($instance['settings']['alt_field'])) {
|
||||
unset($property['property info']['alt']);
|
||||
}
|
||||
if (empty($field['settings']['title_field'])) {
|
||||
if (empty($instance['settings']['title_field'])) {
|
||||
unset($property['property info']['title']);
|
||||
}
|
||||
}
|
||||
|
@@ -118,6 +118,7 @@ function entity_metadata_node_entity_property_info() {
|
||||
'label' => t("Author"),
|
||||
'type' => 'user',
|
||||
'description' => t("The author of the node."),
|
||||
'getter callback' => 'entity_metadata_node_get_properties',
|
||||
'setter callback' => 'entity_property_verbatim_set',
|
||||
'setter permission' => 'administer nodes',
|
||||
'required' => TRUE,
|
||||
|
@@ -19,6 +19,7 @@ function entity_metadata_statistics_entity_property_info_alter(&$info) {
|
||||
'type' => 'integer',
|
||||
'getter callback' => 'entity_metadata_statistics_node_get_properties',
|
||||
'computed' => TRUE,
|
||||
'access callback' => 'entity_metadata_statistics_properties_access',
|
||||
);
|
||||
$properties['day_views'] = array(
|
||||
'label' => t("Views today"),
|
||||
@@ -26,6 +27,7 @@ function entity_metadata_statistics_entity_property_info_alter(&$info) {
|
||||
'type' => 'integer',
|
||||
'getter callback' => 'entity_metadata_statistics_node_get_properties',
|
||||
'computed' => TRUE,
|
||||
'access callback' => 'entity_metadata_statistics_properties_access',
|
||||
);
|
||||
$properties['last_view'] = array(
|
||||
'label' => t("Last view"),
|
||||
@@ -33,5 +35,6 @@ function entity_metadata_statistics_entity_property_info_alter(&$info) {
|
||||
'type' => 'date',
|
||||
'getter callback' => 'entity_metadata_statistics_node_get_properties',
|
||||
'computed' => TRUE,
|
||||
'access callback' => 'entity_metadata_statistics_properties_access',
|
||||
);
|
||||
}
|
||||
|
@@ -59,6 +59,7 @@ function entity_metadata_user_entity_property_info() {
|
||||
'description' => t("The date the user last accessed the site."),
|
||||
'getter callback' => 'entity_metadata_user_get_properties',
|
||||
'type' => 'date',
|
||||
'access callback' => 'entity_metadata_user_properties_access',
|
||||
'schema field' => 'access',
|
||||
);
|
||||
$properties['last_login'] = array(
|
||||
@@ -66,6 +67,7 @@ function entity_metadata_user_entity_property_info() {
|
||||
'description' => t("The date the user last logged in to the site."),
|
||||
'getter callback' => 'entity_metadata_user_get_properties',
|
||||
'type' => 'date',
|
||||
'access callback' => 'entity_metadata_user_properties_access',
|
||||
'schema field' => 'login',
|
||||
);
|
||||
$properties['created'] = array(
|
||||
@@ -73,6 +75,7 @@ function entity_metadata_user_entity_property_info() {
|
||||
'description' => t("The date the user account was created."),
|
||||
'type' => 'date',
|
||||
'schema field' => 'created',
|
||||
'setter permission' => 'administer users',
|
||||
);
|
||||
$properties['roles'] = array(
|
||||
'label' => t("User roles"),
|
||||
@@ -80,7 +83,6 @@ function entity_metadata_user_entity_property_info() {
|
||||
'type' => 'list<integer>',
|
||||
'getter callback' => 'entity_metadata_user_get_properties',
|
||||
'setter callback' => 'entity_metadata_user_set_properties',
|
||||
'setter permission' => 'administer users',
|
||||
'options list' => 'entity_metadata_user_roles',
|
||||
'access callback' => 'entity_metadata_user_properties_access',
|
||||
);
|
||||
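Review bot: Dropping `'setter permission' => 'administer users'` from the `roles` property moves the write guard into `entity_metadata_user_properties_access()`, whose `switch ($property)` body is only partly visible in this commit (the `name` case is shown); confirm it has a `roles` case that requires `user_access('administer users', $account)` for non-view ops, otherwise a user allowed to edit their own account could change their own roles. A comment beside the access callback line, `// Role assignment is restricted to 'administer users' inside the access callback.`, would make the dependency explicit. The `status` property in the next hunk makes the same substitution.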
@@ -92,7 +94,7 @@ function entity_metadata_user_entity_property_info() {
|
||||
// it is an integer, so we follow the schema definition.
|
||||
'type' => 'integer',
|
||||
'options list' => 'entity_metadata_user_status_options_list',
|
||||
'setter permission' => 'administer users',
|
||||
'access callback' => 'entity_metadata_user_properties_access',
|
||||
'schema field' => 'status',
|
||||
);
|
||||
$properties['theme'] = array(
|
||||
|