From ae10e3729190726c49faab7c6d17e5c2e58b493b Mon Sep 17 00:00:00 2001 From: garvinhicking Date: Thu, 17 Nov 2005 15:15:11 +0000 Subject: [PATCH] * Fix configuration for non-admins to not properly store values like blog Title (garvinhicking) M include/functions_installer.inc.php M docs/NEWS --- docs/NEWS | 71 +++++++++++++++-------------- include/functions_installer.inc.php | 14 ++++-- 2 files changed, 47 insertions(+), 38 deletions(-) diff --git a/docs/NEWS b/docs/NEWS index a8281ec..6149463 100644 --- a/docs/NEWS +++ b/docs/NEWS @@ -3,22 +3,25 @@ Version 0.9.1 () ------------------------------------------------------------------------ + * Fix configuration for non-admins to not properly store values like + blog Title (garvinhicking) + * Fix RSS import's timezone detection for ISO-8601 dates (garvinhicking) * Fix htmlarea when using UTF-8 charset on a ISO-8859-1 language (garvinhicking) - + * Statistics plugin now contains entries per author. Patch #1347639 by SvOlli - + * Fix thumbnail generation for imageMagick when target image is smaller than the target size, it should not be blown up (garvinhicking) * Fix spartacus plugin to not properly indicate updatable versions of plugins (garvinhicking) - + * Fix multi-media upload in Safari browser (jhermanns) * Make calendar plugin also accept links to external events @@ -26,12 +29,12 @@ Version 0.9.1 () * Fix mod_rewrite rules to not differentiate on case-sensitivity for authors, archives and category URLs (garvinhicking) - + * Fix a bug in the serendipity_currentURL function when Serendipity is installed in your HTTP root. This bug only effects the plugins karma, entrysplit and multilingual on these installations. Thanks to Richard Davey for spotting this! (garvinhicking) - + * Fix showing preview image of hotlinked images. Thanks to Thomas and RobA from the forums! (garvinhicking) 
@@ -65,7 +68,7 @@ Version 0.9 (October 28th, 2005) Thanks to Boris from the forums! * Fix an issue of privilege escalation for non-admins (garvinhicking) - + * Fix a parse error in the Importer, introduced in beta3 (garvinhicking) @@ -73,7 +76,7 @@ Version 0.9 (October 28th, 2005) Version 0.9-beta3 (October 21st, 2005) ------------------------------------------------------------------------ - + * Syndication plugin: Do not show E-Mail adress in RSS feed by default (garvinhicking) @@ -88,7 +91,7 @@ Version 0.9-beta3 (October 21st, 2005) * Also fetch and display entryproperties in the results of a search. Fixes bug #1329379 (garvinhicking) - + * Fix some dreaded "only variables can be returned by referenced" PHP 4.4 notices on some minor occasions (garvinhicking) @@ -153,13 +156,13 @@ Version 0.9-beta1 (September 29th, 2005) is empty. Thanks to Brian J. France! * Spamblock plugin can now define required comment fields. Also fix - parameter order in mt_rand() call, thanks to Jens Kubieziel + parameter order in mt_rand() call, thanks to Jens Kubieziel (garvinhicking) * Plugin API now allows to validate config options via a "validate" method, used by the plugin configuration panel. Need to set "validate" - and "validate_error" property bag attributes in your custom - introspect_config_item() calls, documented on + and "validate_error" property bag attributes in your custom + introspect_config_item() calls, documented on http://www.s9y.org/index.php?node=43#A13 (garvinhicking) * Read/Write permissions for user-groups for specific categories. 
@@ -235,8 +238,8 @@ Version 0.9-beta1 (September 29th, 2005) categories and hide other categories when descending the tree (garvinhicking) - * "Edit entries" panel can now delete entries and returns to the - originating panel. Also it now utilizes Cookies (via JS) to remember + * "Edit entries" panel can now delete entries and returns to the + originating panel. Also it now utilizes Cookies (via JS) to remember the last used settings (sortorder, filters) (garvinhicking) * Added WordPress-PostgreSQL importer, by Devrim Gunduz @@ -244,9 +247,9 @@ Version 0.9-beta1 (September 29th, 2005) * RFE #1231423: Allow to change the author of an entry with the "entryproperties" plugin. (garvinhicking) - * Templates can now be handled via Spartacus (garvinhicking) - - * Plugin Manager: Improve Spartacus interface and include plugin + * Templates can now be handled via Spartacus (garvinhicking) + + * Plugin Manager: Improve Spartacus interface and include plugin categories (garvinhicking) * Support different WYSIWYG editors via new plugin hooks. TinyMCE @@ -260,7 +263,7 @@ Version 0.9-beta1 (September 29th, 2005) * fixed serendipity_traversePath() - PHP5 issue with array_merge() Thanks to jdhawk for the fix (flotsam) - * fixed wrong display of "found X entries matching your search" in + * fixed wrong display of "found X entries matching your search" in genpage.inc.php (flotsam) * Added fix for wrong language in permission groups (were created in the 
@@ -276,18 +279,18 @@ Version 0.9-beta1 (September 29th, 2005) * Fix multi-category selector for Konqueror (garvinhicking) * Support use of Boolean search mode in MySQL. Is activated when using - special characters like "()~*+-<>. Syntax see + special characters like "()~*+-<>. Syntax see http://dev.mysql.com/doc/mysql/en/fulltext-boolean.html. (garvinhicking) * Apply patch to allow usage of Feedburner RSS feeds, by Anders Clerwall - * Fixed using "_" instead of "-" in the approve trackback/comments + * Fixed using "_" instead of "-" in the approve trackback/comments URLs. (garvinhicking) * Introduce permission groups with customizable permission sets. (garvinhicking) - + * Make bblog importer recognize trackbacks. Thanks to Hanno! * Spartacus plugin can now properly handle plugins which contain both @@ -309,7 +312,7 @@ Version 0.9-beta1 (September 29th, 2005) * Localized the string "Reply" which occured inside some templates. (s/Reply/{$CONST.REPLY}/) (garvinhicking) - * Added swedish translation by Torbjörn Hedberg, Added european + * Added swedish translation by Torbjörn Hedberg, Added european portugues translation by Joao Palhoto Matos, Added hungarian translation by Posz Marton @@ -387,9 +390,9 @@ Version 0.8.5 (September 29th, 2005) differently) (garvinhicking) * Default Admin Stylesheet no longer uses direct height: assignment, - but padding instead. This should get rid of occasional overlapping + but padding instead. This should get rid of occasional overlapping of menu items. Thanks a lot to Ognyan Kulev for the solution to this! - + * Fix putting sticky entry on the last page in postgreSQL setups. Thanks to Nate Johnston for working this out! (garvinhicking) 
@@ -419,10 +422,10 @@ Version 0.8.4 (August 19th, 2005) After installing this plugin you can use the same URL and nothing will change for XML-RPC users. (garvinhicking) - * Optionally allow using a local PEAR installation. Set + * Optionally allow using a local PEAR installation. Set $serendipity['use_PEAR'] = true in your serendipity_config_local.inc.php or serendipity_config.inc.php - file. The required packages can be found in the + file. The required packages can be found in the bundled-libs/.current_version file. (garvinhicking) * Append the comment id to the mail that is sent to subscribers of @@ -431,7 +434,7 @@ Version 0.8.4 (August 19th, 2005) Version 0.8.3 (August 4th, 2004) ------------------------------------------------------------------------ - + * Upgraded bundled libs: Cache_Lite to 1.5.1 HTTP_Request to 1.2.4 @@ -457,11 +460,11 @@ Version 0.8.3 (August 4th, 2004) * Allow plugins to contain more than one HTML nuggets which can be WYSIWYGized. (garvinhicking) - + * Fix editing a draft article to be properly displayed as draft in PostgreSQL setups. Thanks to Penny Leach! (garvinhicking) - * Fixed possible XSS in comment input validation, thanks to + * Fixed possible XSS in comment input validation, thanks to Ilia Alshanetsky * Full Korean language support available! Translations done for: @@ -470,7 +473,7 @@ Version 0.8.3 (August 4th, 2004) - Kubrick template (wesley) - * TEMPLATES: New core hook "frontend_footer" is introduced and is + * TEMPLATES: New core hook "frontend_footer" is introduced and is added to index.tpl: {serendipity_hookPlugin hook="frontend_footer"} (wesley) 
@@ -486,11 +489,11 @@ Version 0.8.3 (August 4th, 2004) Version 0.8.2 (June 29th, 2005) ------------------------------------------------------------------------ - * fixed remote code execution vulnerability. Thanks to Gulftech - Research for pointing out that bug and Stefan Esser for helping - fix it (nohn) - - * Updated Spartacus to most recent version (nohn) + * fixed remote code execution vulnerability. Thanks to Gulftech + Research for pointing out that bug and Stefan Esser for helping + fix it (nohn) + + * Updated Spartacus to most recent version (nohn) * fixed serendipity_traversePath() - PHP5 issue with array_merge() Thanks to jdhawk for the fix (flotsam) diff --git a/include/functions_installer.inc.php b/include/functions_installer.inc.php index bf78129..97e2f7e 100644 --- a/include/functions_installer.inc.php +++ b/include/functions_installer.inc.php @@ -209,7 +209,7 @@ function serendipity_parseTemplate($filename, $areas = null, $onlyFlags=null) { foreach ( $category['items'] as $i => $item ) { $items = &$config[$n]['items'][$i]; - + if (!isset($items['userlevel']) || !is_numeric($items['userlevel'])) { $items['userlevel'] = USERLEVEL_ADMIN; } @@ -230,11 +230,11 @@ function serendipity_parseTemplate($filename, $areas = null, $onlyFlags=null) { $all_found = false; } } - + if (!isset($items['perm_mode'])) { $items['perm_mode'] = 'or'; } - + if ($items['perm_mode'] == 'or' && !$one_found) { unset($config[$n]['items'][$i]); continue; 
@@ -791,12 +791,18 @@ function serendipity_updateConfiguration() {
 $item['userlevel'] = USERLEVEL_ADMIN;
 }
 
+ // Check permission set. Changes to blogConfiguration or siteConfiguration items
+ // always required authorid = 0, so that it be not specific to a userlogin
 if ( $serendipity['serendipityUserlevel'] >= $item['userlevel'] || IS_installed === false ) {
 $authorid = 0;
+ } elseif ($item['permission'] == 'blogConfiguration' && serendipity_checkPermission('blogConfiguration')) {
+ $authorid = 0;
+ } elseif ($item['permission'] == 'siteConfiguration' && serendipity_checkPermission('siteConfiguration')) {
+ $authorid = 0;
 } else {
 $authorid = $serendipity['authorid'];
 }
- 
+
 if (is_array($_POST[$item['var']])) {
 // Arrays not allowed. Use first index value.
 list($a_key, $a_val) = each($_POST[$item['var']]);
-- 
2.39.5
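Review bot: The two new `elseif` branches read `$item['permission']` without checking that the key exists, while `userlevel` on the lines just above is explicitly defaulted when missing, so any config item that declares no `permission` key raises an undefined-index notice on every save. Both branches also compare with loose `==` and do the same thing, so they can be folded into one guarded branch: `} elseif (isset($item['permission']) && ($item['permission'] === 'blogConfiguration' || $item['permission'] === 'siteConfiguration') && serendipity_checkPermission($item['permission'])) {`. The added comment is hard to parse; suggest `// Permission gate: blogConfiguration/siteConfiguration items are always stored with authorid = 0 (global), never per-user.` Note that these branches deliberately let a login whose userlevel is below the item's `userlevel` write the global (authorid = 0) value on the strength of serendipity_checkPermission() alone, so that helper is now the only authorization check for such items and its grant logic should be confirmed to exclude unprivileged accounts. serendipity_updateConfiguration() starts and ends outside the hunk.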