From: garvinhicking Date: Thu, 17 Nov 2005 15:15:11 +0000 (+0000) Subject: * Fix configuration for non-admins to not properly store values like blog... X-Git-Tag: 1.0~286 X-Git-Url: http://git.mjollnir.org/gw?a=commitdiff_plain;h=81df2245ac40a355218552064173a6b6bb8006b5;p=s9y.git * Fix configuration for non-admins to not properly store values like blog Title (garvinhicking) --- diff --git a/docs/NEWS b/docs/NEWS index 1540885..aa23c7b 100644 --- a/docs/NEWS +++ b/docs/NEWS @@ -23,13 +23,16 @@ Version 1.0 () * Introduced CUSTOM_ADMIN_INTERFACE that tells the user if the template author also made a stylesheet for the admin interface when selecting a theme (flotsam) - + Version 0.9.1 () ------------------------------------------------------------------------ + * Fix configuration for non-admins to not properly store values like + blog Title (garvinhicking) + * Fix RSS import's timezone detection for ISO-8601 dates (garvinhicking) - + * Fix htmlarea when using UTF-8 charset on a ISO-8859-1 language (garvinhicking) @@ -42,18 +45,18 @@ Version 0.9.1 () * Fix spartacus plugin to not properly indicate updatable versions of plugins (garvinhicking) - + * Fix multi-media upload in Safari browser (jhermanns) * Make calendar plugin also accept links to external events (garvinhicking) - + * Fix mod_rewrite rules to not differentiate on case-sensitivity for authors, archives and category URLs (garvinhicking) - * Fix a bug in the serendipity_currentURL function when Serendipity - is installed in your HTTP root. This bug only effects the plugins karma, - entrysplit and multilingual on these installations. + * Fix a bug in the serendipity_currentURL function when Serendipity + is installed in your HTTP root. This bug only effects the plugins karma, + entrysplit and multilingual on these installations. Thanks to Richard Davey for spotting this! (garvinhicking) * Fix showing preview image of hotlinked images. Thanks to Thomas 
@@ -89,7 +92,7 @@ Version 0.9 (October 28th, 2005) Thanks to Boris from the forums! * Fix an issue of privilege escalation for non-admins (garvinhicking) - + * Fix a parse error in the Importer, introduced in beta3 (garvinhicking) @@ -97,7 +100,7 @@ Version 0.9 (October 28th, 2005) Version 0.9-beta3 (October 21st, 2005) ------------------------------------------------------------------------ - + * Syndication plugin: Do not show E-Mail adress in RSS feed by default (garvinhicking) @@ -112,7 +115,7 @@ Version 0.9-beta3 (October 21st, 2005) * Also fetch and display entryproperties in the results of a search. Fixes bug #1329379 (garvinhicking) - + * Fix some dreaded "only variables can be returned by referenced" PHP 4.4 notices on some minor occasions (garvinhicking) @@ -177,13 +180,13 @@ Version 0.9-beta1 (September 29th, 2005) is empty. Thanks to Brian J. France! * Spamblock plugin can now define required comment fields. Also fix - parameter order in mt_rand() call, thanks to Jens Kubieziel + parameter order in mt_rand() call, thanks to Jens Kubieziel (garvinhicking) * Plugin API now allows to validate config options via a "validate" method, used by the plugin configuration panel. Need to set "validate" - and "validate_error" property bag attributes in your custom - introspect_config_item() calls, documented on + and "validate_error" property bag attributes in your custom + introspect_config_item() calls, documented on http://www.s9y.org/index.php?node=43#A13 (garvinhicking) * Read/Write permissions for user-groups for specific categories. 
@@ -259,8 +262,8 @@ Version 0.9-beta1 (September 29th, 2005) categories and hide other categories when descending the tree (garvinhicking) - * "Edit entries" panel can now delete entries and returns to the - originating panel. Also it now utilizes Cookies (via JS) to remember + * "Edit entries" panel can now delete entries and returns to the + originating panel. Also it now utilizes Cookies (via JS) to remember the last used settings (sortorder, filters) (garvinhicking) * Added WordPress-PostgreSQL importer, by Devrim Gunduz @@ -268,9 +271,9 @@ Version 0.9-beta1 (September 29th, 2005) * RFE #1231423: Allow to change the author of an entry with the "entryproperties" plugin. (garvinhicking) - * Templates can now be handled via Spartacus (garvinhicking) - - * Plugin Manager: Improve Spartacus interface and include plugin + * Templates can now be handled via Spartacus (garvinhicking) + + * Plugin Manager: Improve Spartacus interface and include plugin categories (garvinhicking) * Support different WYSIWYG editors via new plugin hooks. TinyMCE @@ -284,7 +287,7 @@ Version 0.9-beta1 (September 29th, 2005) * fixed serendipity_traversePath() - PHP5 issue with array_merge() Thanks to jdhawk for the fix (flotsam) - * fixed wrong display of "found X entries matching your search" in + * fixed wrong display of "found X entries matching your search" in genpage.inc.php (flotsam) * Added fix for wrong language in permission groups (were created in the 
@@ -300,18 +303,18 @@ Version 0.9-beta1 (September 29th, 2005) * Fix multi-category selector for Konqueror (garvinhicking) * Support use of Boolean search mode in MySQL. Is activated when using - special characters like "()~*+-<>. Syntax see + special characters like "()~*+-<>. Syntax see http://dev.mysql.com/doc/mysql/en/fulltext-boolean.html. (garvinhicking) * Apply patch to allow usage of Feedburner RSS feeds, by Anders Clerwall - * Fixed using "_" instead of "-" in the approve trackback/comments + * Fixed using "_" instead of "-" in the approve trackback/comments URLs. (garvinhicking) * Introduce permission groups with customizable permission sets. (garvinhicking) - + * Make bblog importer recognize trackbacks. Thanks to Hanno! * Spartacus plugin can now properly handle plugins which contain both @@ -333,7 +336,7 @@ Version 0.9-beta1 (September 29th, 2005) * Localized the string "Reply" which occured inside some templates. (s/Reply/{$CONST.REPLY}/) (garvinhicking) - * Added swedish translation by Torbjörn Hedberg, Added european + * Added swedish translation by Torbjörn Hedberg, Added european portugues translation by Joao Palhoto Matos, Added hungarian translation by Posz Marton @@ -411,9 +414,9 @@ Version 0.8.5 (September 29th, 2005) differently) (garvinhicking) * Default Admin Stylesheet no longer uses direct height: assignment, - but padding instead. This should get rid of occasional overlapping + but padding instead. This should get rid of occasional overlapping of menu items. Thanks a lot to Ognyan Kulev for the solution to this! - + * Fix putting sticky entry on the last page in postgreSQL setups. Thanks to Nate Johnston for working this out! (garvinhicking) 
@@ -443,10 +446,10 @@ Version 0.8.4 (August 19th, 2005) After installing this plugin you can use the same URL and nothing will change for XML-RPC users. (garvinhicking) - * Optionally allow using a local PEAR installation. Set + * Optionally allow using a local PEAR installation. Set $serendipity['use_PEAR'] = true in your serendipity_config_local.inc.php or serendipity_config.inc.php - file. The required packages can be found in the + file. The required packages can be found in the bundled-libs/.current_version file. (garvinhicking) * Append the comment id to the mail that is sent to subscribers of @@ -455,7 +458,7 @@ Version 0.8.4 (August 19th, 2005) Version 0.8.3 (August 4th, 2004) ------------------------------------------------------------------------ - + * Upgraded bundled libs: Cache_Lite to 1.5.1 HTTP_Request to 1.2.4 @@ -481,11 +484,11 @@ Version 0.8.3 (August 4th, 2004) * Allow plugins to contain more than one HTML nuggets which can be WYSIWYGized. (garvinhicking) - + * Fix editing a draft article to be properly displayed as draft in PostgreSQL setups. Thanks to Penny Leach! (garvinhicking) - * Fixed possible XSS in comment input validation, thanks to + * Fixed possible XSS in comment input validation, thanks to Ilia Alshanetsky * Full Korean language support available! Translations done for: @@ -494,7 +497,7 @@ Version 0.8.3 (August 4th, 2004) - Kubrick template (wesley) - * TEMPLATES: New core hook "frontend_footer" is introduced and is + * TEMPLATES: New core hook "frontend_footer" is introduced and is added to index.tpl: {serendipity_hookPlugin hook="frontend_footer"} (wesley) 
@@ -510,11 +513,11 @@ Version 0.8.3 (August 4th, 2004) Version 0.8.2 (June 29th, 2005) ------------------------------------------------------------------------ - * fixed remote code execution vulnerability. Thanks to Gulftech - Research for pointing out that bug and Stefan Esser for helping - fix it (nohn) - - * Updated Spartacus to most recent version (nohn) + * fixed remote code execution vulnerability. Thanks to Gulftech + Research for pointing out that bug and Stefan Esser for helping + fix it (nohn) + + * Updated Spartacus to most recent version (nohn) * fixed serendipity_traversePath() - PHP5 issue with array_merge() Thanks to jdhawk for the fix (flotsam) diff --git a/include/functions_installer.inc.php b/include/functions_installer.inc.php index bf78129..97e2f7e 100644 --- a/include/functions_installer.inc.php +++ b/include/functions_installer.inc.php @@ -209,7 +209,7 @@ function serendipity_parseTemplate($filename, $areas = null, $onlyFlags=null) { foreach ( $category['items'] as $i => $item ) { $items = &$config[$n]['items'][$i]; - + if (!isset($items['userlevel']) || !is_numeric($items['userlevel'])) { $items['userlevel'] = USERLEVEL_ADMIN; } @@ -230,11 +230,11 @@ function serendipity_parseTemplate($filename, $areas = null, $onlyFlags=null) { $all_found = false; } } - + if (!isset($items['perm_mode'])) { $items['perm_mode'] = 'or'; } - + if ($items['perm_mode'] == 'or' && !$one_found) { unset($config[$n]['items'][$i]); continue; 
@@ -791,12 +791,18 @@ function serendipity_updateConfiguration() { $item['userlevel'] = USERLEVEL_ADMIN; } + // Check permission set. Changes to blogConfiguration or siteConfiguration items + // always required authorid = 0, so that it be not specific to a userlogin if ( $serendipity['serendipityUserlevel'] >= $item['userlevel'] || IS_installed === false ) { $authorid = 0; + } elseif ($item['permission'] == 'blogConfiguration' && serendipity_checkPermission('blogConfiguration')) { + $authorid = 0; + } elseif ($item['permission'] == 'siteConfiguration' && serendipity_checkPermission('siteConfiguration')) { + $authorid = 0; } else { $authorid = $serendipity['authorid']; } - + if (is_array($_POST[$item['var']])) { // Arrays not allowed. Use first index value. list($a_key, $a_val) = each($_POST[$item['var']]);
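Review bot: the new changelog entry in the docs/NEWS hunk @@ -23,13 +23,16 @@ reads "Fix configuration for non-admins to not properly store values like blog Title", which literally says the fix stops values from being stored; consider "Fix configuration for non-admins to properly store values like blog Title" so the entry matches the intent of the functions_installer.inc.php change. The rest of that hunk and every other docs/NEWS hunk, as well as the @@ -209,7 +209,7 @@ and @@ -230,11 +230,11 @@ hunks in include/functions_installer.inc.php, only strip trailing whitespace from otherwise unchanged lines; landing those as a separate whitespace-only commit would keep the one functional change (and the permission semantics it alters) easy to pick out of the history and to revert on its own.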
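Review bot: in the @@ -791,12 +791,18 @@ hunk of include/functions_installer.inc.php the two new elseif branches read $item['permission'] without an isset() guard, while the lines just above only default $item['userlevel']; any config item that carries no 'permission' key will raise an undefined-index notice on every configuration save. Guard the key and fold the two duplicated branches into one, which has identical behaviour:
} elseif (isset($item['permission']) && in_array($item['permission'], array('blogConfiguration', 'siteConfiguration')) && serendipity_checkPermission($item['permission'])) {
    $authorid = 0;
The new comment should also be corrected from "always required authorid = 0, so that it be not specific to a userlogin" to "always require authorid = 0, so that the value is not specific to a user login". Finally, since this branch now lets a non-admin holding the blogConfiguration or siteConfiguration permission write the global (authorid = 0) copy of every item tagged with that permission, the permission tags on the items in the template parsed by serendipity_parseTemplate() should be double-checked so that nothing meant to stay admin-only is tagged blogConfiguration.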