contrib modules security updates

sites/all/modules/panels/panels_node/panels_node.info

@@ -1,14 +1,15 @@
 name = Panel nodes
 description = Create nodes that are divided into areas with selectable content.
 package = "Panels"
+version = PANELS_VERSION
 dependencies[] = panels
 configure = admin/structure/panels
 core = 7.x
 files[] = panels_node.module
 
-; Information added by drupal.org packaging script on 2013-03-02
-version = "7.x-3.3+39-dev"
+; Information added by Drupal.org packaging script on 2016-08-20
+version = "7.x-3.7"
 core = "7.x"
 project = "panels"
-datestamp = "1362187383"
+datestamp = "1471704242"
 

sites/all/modules/panels/panels_node/panels_node.install

@@ -56,6 +56,18 @@ function panels_node_uninstall() {
   drupal_uninstall_schema('panels_node');
 }
 
+/**
+ * Implements hook_update_dependencies().
+ */
+function panels_node_update_dependencies() {
+  // Update 7301 requires panels storage support
+  $dependencies['panels_node'][7301] = array(
+    'panels' => 7305,
+  );
+
+  return $dependencies;
+}
+
 /**
  * Implementation of hook_update to handle adding a pipeline
  */
@@ -69,3 +81,87 @@ function panels_node_update_6001() {
   db_add_field('panels_node', 'pipeline', $field);
   return $ret;
 }
+
+/**
+ * Migrate legacy Drupal 6 permissions to Drupal 7.
+ */
+function panels_node_update_7301() {
+  $permissions = array(
+    'create panel-nodes' => 'create panel content',
+    'edit any panel-nodes' => 'edit any panel content',
+    'edit own panel-nodes' => 'edit own panel content',
+    'delete any panel-nodes' => 'delete any panel content',
+    'delete own panel-nodes' => 'delete own panel content',
+  );
+  foreach ($permissions as $legacy_permission => $new_permission) {
+    $query = db_select('role_permission', 'p')
+      ->fields('p', array('rid'))
+      ->condition('permission', $legacy_permission);
+    $rids = $query->execute()->fetchCol();
+    foreach ($rids as $rid) {
+      // Insert the new permission if it doesn't already exist.
+      db_merge('role_permission')
+        ->key(array(
+          'rid' => $rid,
+          'permission' => $new_permission,
+        ))
+        ->insertFields(array(
+          'rid' => $rid,
+          'permission' => $new_permission,
+          'module' => 'node',
+        ))
+        ->execute();
+    }
+
+    // Delete the legacy permission.
+    db_delete('role_permission')
+      ->condition('permission', $legacy_permission)
+      ->execute();
+  }
+}
+
+/**
+ * Set the storage type and id on existing panels nodes.
+ */
+function panels_node_update_7302() {
+  if (!isset($sandbox['progress'])) {
+     // Initialize batch update information.
+     $sandbox['progress'] = (float)0;
+     $sandbox['current_did'] = -1;
+     $sandbox['max'] = db_query("SELECT COUNT(pd.did)
+         FROM {panels_display} pd
+           JOIN {panels_node} pn ON pn.did = pd.did
+         WHERE pd.storage_type = ''")->fetchField();
+   }
+
+  // Set a limit of how many rows to process per batch.
+  $limit = 1000;
+
+  // Run the query
+  $result = db_query_range("SELECT pd.did, pn.nid
+      FROM {panels_display} pd
+        JOIN {panels_node} pn ON pn.did = pd.did
+      WHERE pd.storage_type = '' AND pd.did > :current_did", 0, $limit, array(':current_did' => $sandbox['current_did']));
+
+  foreach ($result as $row) {
+    db_update('panels_display')
+      ->fields(array(
+        'storage_type' => 'panels_node',
+        'storage_id' => $row->nid,
+      ))
+      ->condition('did', $row->did)
+      ->execute();
+
+    // Update our progress information.
+    $sandbox['progress']++;
+    $sandbox['current_did'] = $row->did;
+  }
+
+  // Set the "finished" status, to tell batch engine whether this function
+  // needs to run again.
+  $sandbox['#finished'] = ($sandbox['progress'] >= $sandbox['max']) ? TRUE : ($sandbox['progress'] / $sandbox['max']);
+
+  if ($sandbox['#finished']) {
+    return t('Added the storage type for panels_node to relevant panels displays');
+  }
+}

sites/all/modules/panels/panels_node/panels_node.module

@@ -17,33 +17,22 @@
  */
 function panels_node_permission() {
   return array(
-    'create panel-nodes' => array(
-      'title' => t('Create panel nodes'),
-      'description' => t('Create new panel nodes.'),
-    ),
-    'edit any panel-nodes' => array(
-      'title' => t('Edit any panel-nodes'),
-      'description' => t('Edit all pre-existing panel nodes regardless of ownership.'),
-    ),
-    'edit own panel-nodes' => array(
-      'title' => t('Edit own panel nodes'),
-      'description' => t('Edit panel nodes owned by this user.'),
-    ),
     'administer panel-nodes' => array(
       'title' => t('Administer panel nodes'),
       'description' => t('Full administrative access to panel nodes including create, update and delete all'),
     ),
-    'delete any panel-nodes' => array(
-      'title' => t('Delete any panel nodes'),
-      'description' => t('Delete any panel node regardless of ownership'),
-    ),
-    'delete own panel-nodes' => array(
-      'title' => t('Delete own panel nodes'),
-      'description' => t('Delete any panel node owned by this user.'),
-    ),
   );
 }
 
+/**
+ * Implementation of hook_ctools_plugin_directory().
+ */
+function panels_node_ctools_plugin_directory($module, $plugin) {
+  if ($module == 'panels' && $plugin == 'panels_storage') {
+    return 'plugins/' . $plugin;
+  }
+}
+
 /**
  * Implementation of hook_menu().
  */
@@ -83,7 +72,7 @@ function panels_node_menu() {
 
   $items['node/add/panel/choose-layout'] = array(
     'title' => 'Choose layout',
-    'access arguments' => array('create panel-nodes'),
+    'access callback' => 'panels_add_panel_access_callback',
     'page callback' => 'panels_node_add',
     'type' => MENU_CALLBACK,
   );
@@ -102,6 +91,13 @@ function panels_node_edit_node($node) {
   return node_access('update', $node);
 }
 
+/**
+ * Access callback to determine if user has access to add panel nodes.
+ */
+function panels_add_panel_access_callback() {
+  return user_access('create panel content') || user_access('administer panel-nodes');
+}
+
 /**
  * Override of node add page to force layout selection prior
  * to actually editing a node.
@@ -113,7 +109,7 @@ function panels_node_add() {
   ctools_include('common', 'panels');
 
   $layouts = panels_common_get_allowed_layouts('panels_node');
-  return panels_common_print_layout_links($layouts, 'node/add/panel', array('query' => $_GET));
+  return panels_common_print_layout_links($layouts, 'node/add/panel', array('query' => drupal_get_query_parameters()));
 }
 
 // ---------------------------------------------------------------------------
@@ -156,19 +152,6 @@ function panels_node_node_access($node, $op, $account) {
   if (user_access('administer panel-nodes', $account)) {
     return NODE_ACCESS_ALLOW;
   }
-
-  if ($op == 'create' && user_access('create panel-nodes', $account)) {
-    return NODE_ACCESS_ALLOW;
-  }
-
-  if ($op == 'update' && (user_access('edit any panel-nodes', $account) || $node->uid == $account->uid && user_access('edit own panel-nodes', $account))) {
-    return NODE_ACCESS_ALLOW;
-  }
-
-
-  if ($op == 'delete' && (user_access('delete any panel-nodes') || $node->uid == $account->uid && user_access('delete own panel-nodes'))) {
-    return NODE_ACCESS_ALLOW;
-  }
 }
 
 /**
@@ -183,14 +166,12 @@ function panels_node_hook_form(&$node, &$form_state) {
     // and if that doesn't work present them with a list to pick from.
     $panel_layout = isset($node->panel_layout) ? $node->panel_layout : arg(3);
     if (empty($panel_layout)) {
-      $opts = $_GET;
-      unset($opts['q']);
-      return drupal_goto('node/add/panel/choose-layout', $opts);
+      drupal_goto('node/add/panel/choose-layout', array('query' => drupal_get_query_parameters()));
     }
 
     $layout = panels_get_layout($panel_layout);
     if (empty($layout)) {
-      return drupal_not_found();
+      return MENU_NOT_FOUND;
     }
     $form['panels_node']['layout'] = array(
       '#type' => 'value',
@@ -233,7 +214,7 @@ function panels_node_hook_form(&$node, &$form_state) {
     '#type' => 'radios',
     '#options' => $options,
     '#title' => t('Renderer'),
-    '#default_value' => isset($node->panels_node['pipeline']) ? $node->panels_node['pipeline'] : 'standard',
+    '#default_value' => isset($node->panels_node['pipeline']) ? $node->panels_node['pipeline'] : variable_get('panels_renderer_default', 'standard'),
   );
 
   return $form;
@@ -271,6 +252,8 @@ function panels_node_hook_insert(&$node) {
   // Create a new display and record that.
   $display = panels_new_display();
   $display->layout = $node->panels_node['layout'];
+  $display->storage_type = 'panels_node';
+  $display->storage_id = $node->nid;
 
   // Special handling for nodes being imported from an export.module data dump.
   if (!empty($node->export_display)) {
@@ -431,6 +414,19 @@ function panels_node_panels_dashboard_blocks(&$vars) {
   );
 }
 
+/**
+ * Implements hook_panels_ipe_access().
+ */
+function panels_node_panels_ipe_access($display) {
+  // We only care about Panels displays from panels_node.
+  if (isset($display->context['panel-node'])) {
+    // Only allow access to use the IPE if the user has 'update' access to
+    // the underlying node.
+    $node = $display->context['panel-node']->data;
+    return node_access('update', $node); 
+  }
+}
+
 // ---------------------------------------------------------------------------
 // Callbacks for panel caching.
 

sites/all/modules/panels/panels_node/plugins/panels_storage/panels_node.inc

@@ -0,0 +1,25 @@
+<?php
+
+/**
+ * @file
+ * Provides a panels_storage plugin for panels node.
+ */
+
+// Plugin definition
+$plugin = array(
+  'access callback' => 'panels_node_panels_storage_access',
+);
+
+/**
+ * Access callback for panels storage.
+ */
+function panels_node_panels_storage_access($storage_type, $storage_id, $op, $account) {
+  if ($node = node_load($storage_id)) {
+    if ($op == 'read') {
+      $op = 'view';
+    }
+    return node_access($op, $node, $account);
+  }
+
+  return FALSE;
+}