From 639dd77d156e99e4bad8e0cc72b7c2b2d8da3ead Mon Sep 17 00:00:00 2001 From: Chris Morgan Date: Fri, 5 Aug 2005 22:07:41 +0000 Subject: [PATCH] Let maintainers and super maintainers process the application versions and images submitted for applications they maintain --- admin/adminAppDataQueue.php | 23 +-- admin/adminAppQueue.php | 35 +++-- appimage.php | 11 +- appsubmit.php | 2 +- include/application.php | 5 +- include/incl.php | 4 + include/screenshot.php | 10 +- include/sidebar_admin.php | 5 +- include/sidebar_maintainer_admin.php | 15 ++ include/user.php | 208 ++++++++++++++++++++++++++- include/util.php | 30 ---- include/version.php | 12 ++ screenshots.php | 2 +- 13 files changed, 290 insertions(+), 72 deletions(-) create mode 100644 include/sidebar_maintainer_admin.php diff --git a/admin/adminAppDataQueue.php b/admin/adminAppDataQueue.php index 76fb087..2c34181 100644 --- a/admin/adminAppDataQueue.php +++ b/admin/adminAppDataQueue.php @@ -9,25 +9,20 @@ require(BASE."include/mail.php"); require(BASE."include/tableve.php"); require(BASE."include/application.php"); -// deny access if not admin -if(!$_SESSION['current']->hasPriv("admin")) +// deny access if not admin or at least some kind of maintainer +if(!$_SESSION['current']->hasPriv("admin") && !$_SESSION['current']->isMaintainer()) { errorpage("Insufficient privileges."); exit; } - // shows the list of appdata in queue if (!$_REQUEST['id']) { - apidb_header("Admin Application Data Queue"); - // get available appData - $sQuery = "SELECT appData.*, appVersion.appId AS appId - FROM appData, appVersion - WHERE appVersion.versionId = appData.versionID AND appData.queued = 'true';"; - $hResult = query_appdb($sQuery); + /* retrieve the queued apps */ + $hResult = $_SESSION['current']->getAppDataQuery("*", false, true); if(!$hResult || !mysql_num_rows($hResult)) { 
@@ -81,11 +76,7 @@ if (!$_REQUEST['id']) } } else // shows a particular appdata { - $sQuery = "SELECT appData.*, appVersion.appId AS appId - FROM appData,appVersion - WHERE appVersion.versionId = appData.versionId - AND id='".$_REQUEST['id']."'"; - $hResult = query_appdb($sQuery); + $hResult = $_SESSION['current']->getAppDataQuery($_REQUEST['id'], false, false); $obj_row = mysql_fetch_object($hResult); if(!$_REQUEST['sub']=="inside_form") @@ -211,9 +202,7 @@ if (!$_REQUEST['id']) } //delete main item - $sQuery = "DELETE from appData where id = ".$obj_row->id.";"; - $hResult = query_appdb($sQuery); - if($hResult) + if($_SESSION['current']->deleteAppData($obj_row->id)) { //success echo "
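Review bot: `$_REQUEST['id']` is still concatenated unescaped into the `id='…'` clause that getAppDataQuery builds, so moving the query into the User class does not remove the SQL injection the old inline query had; cast it at the call site, `$hResult = $_SESSION['current']->getAppDataQuery((int)$_REQUEST['id'], false, false);`. For a maintainer who is not authorized for this entry the query simply returns no rows, `mysql_fetch_object` yields `false`, and the page keeps rendering with `$obj_row === false` instead of refusing; add `if(!$hResult || !mysql_num_rows($hResult)) { errorpage("Insufficient privileges."); exit; }` before the fetch. The enclosing `else` branch continues past the end of this hunk.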

Application data was successfully deleted from the Queue.

\n"; diff --git a/admin/adminAppQueue.php b/admin/adminAppQueue.php index ee1daa7..7018887 100644 --- a/admin/adminAppQueue.php +++ b/admin/adminAppQueue.php @@ -70,8 +70,8 @@ function outputSearchTableForDuplicateFlagging($currentAppId, $hResult) } } -//deny access if not logged in -if(!$_SESSION['current']->hasPriv("admin")) +//deny access if not logged in or not a super maintainer of any applications +if(!$_SESSION['current']->hasPriv("admin") && !$_SESSION['current']->isSuperMaintainer()) { errorpage("Insufficient privileges."); exit; @@ -81,6 +81,13 @@ if ($_REQUEST['sub']) { if(is_numeric($_REQUEST['appId'])) { + /* make sure the user is authorized to view this application request */ + if(!$_SESSION['current']->hasPriv("admin")) + { + errorpage("Insufficient privileges."); + exit; + } + $oApp = new Application($_REQUEST['appId']); /* if we are processing a queued application there MUST be an implicitly queued */ @@ -91,9 +98,23 @@ if ($_REQUEST['sub']) $hResult = query_appdb($sQuery); $oRow = mysql_fetch_object($hResult); + /* make sure the user has permission to view this version */ + if(!$_SESSION['current']->hasAppVersionModifyPermission($oRow->versionId)) + { + errorpage("Insufficient privileges."); + exit; + } + $oVersion = new Version($oRow->versionId); } elseif(is_numeric($_REQUEST['versionId'])) { + /* make sure the user has permission to view this version */ + if(!$_SESSION['current']->hasAppVersionModifyPermission($_REQUEST['versionId'])) + { + errorpage("Insufficient privileges."); + exit; + } + $oVersion = new Version($_REQUEST['versionId']); } else { @@ -309,7 +330,6 @@ if ($_REQUEST['sub']) /* delete the appId that is the duplicate */ $oApp->delete(); - } /* redirect back to the main page */ 
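Review bot: The `appId` branch now answers "Insufficient privileges." to every non-admin, yet the list page built by `getAppQueueQuery(true)` (user.php in this same commit) still selects queued appFamily rows for super maintainers, so a super maintainer can be shown a queued application whose link dead-ends here; either have the non-admin list omit queued families or admit the branch for `isSuperMaintainer($_REQUEST['appId'])`. Inside that branch the admin gate also makes the following `hasAppVersionModifyPermission($oRow->versionId)` check redundant, since that method returns true for admins, and `$oRow` is dereferenced without confirming the "implicitly queued" version query returned a row. The `if ($_REQUEST['sub'])` block continues beyond this hunk.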
@@ -353,9 +373,9 @@ if ($_REQUEST['sub']) else /* if ($_REQUEST['sub']) is not defined, display the main app queue page */ { apidb_header("Admin App Queue"); - // get queued apps - $sQuery = "SELECT appId FROM appFamily WHERE queued = 'true'"; - $hResult = query_appdb($sQuery); + + // get queued apps that the current user should see + $hResult = $_SESSION['current']->getAppQueueQuery(true); /* query for the app family */ if(!$hResult || !mysql_num_rows($hResult)) { @@ -416,8 +436,7 @@ else /* if ($_REQUEST['sub']) is not defined, display the main app queue page */ } // get queued versions (only versions where application are not queued already) - $sQuery = "SELECT versionId FROM appVersion, appFamily WHERE appFamily.appId = appVersion.appId and appFamily.queued = 'false' AND appVersion.queued = 'true'"; - $hResult = query_appdb($sQuery); + $hResult = $_SESSION['current']->getAppQueueQuery(false); /* query for the app version */ if(!$hResult || !mysql_num_rows($hResult)) { diff --git a/appimage.php b/appimage.php index cf0d49c..1c3cb0c 100644 --- a/appimage.php +++ b/appimage.php @@ -5,17 +5,20 @@ include("path.php"); require(BASE."include/"."incl.php"); -require(BASE."include/"."screenshot.php"); +require_once(BASE."include/"."screenshot.php"); /* an image doesn't have a link, so a cookie makes no sense */ header("Set-Cookie: "); header("Pragma: "); -if(!$_SESSION['current']->hasPriv("admin") && $_REQUEST['queued']) +/* if the user isn't supposed to be viewing this image */ +/* display an error message and exit */ +if(!$_SESSION['current']->canViewImage($_REQUEST['id'])) { - errorpage("Insufficient privileges."); - exit; + errorpage("Insufficient privileges."); + exit; } + if ($_REQUEST['REQUEST_METHOD']='HEAD') { /* WARNING! optimization of logic in include/screenshots.php */ diff --git a/appsubmit.php b/appsubmit.php index d29f0fe..d1f1c23 100644 --- a/appsubmit.php +++ b/appsubmit.php 
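Review bot: canViewImage returns true for any id that does not resolve to a queued screenshot, including ids that match nothing at all (an unset `bQueued` makes `!$oScreenshot->bQueued` true), so a non-existent or non-image id passes this gate and reaches the image-serving code below; the check should also require that the Screenshot actually loaded. `$_REQUEST['id']` is handed over unmodified and what Screenshot's constructor does with it is not visible here, so pass `(int)$_REQUEST['id']` at the call site. The unchanged line that follows, `if ($_REQUEST['REQUEST_METHOD']='HEAD')`, is an assignment rather than a comparison and reads the method from `$_REQUEST` instead of `$_SERVER`, so the HEAD branch runs for every request — pre-existing, but worth fixing while touching this file.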
@@ -87,7 +87,7 @@ if (isset($_REQUEST['appName'])) $oApplication = new Application(); // FIXME When two htmlarea will be able to live on the same page // without problems under gecko, remove the

around appDescrion - $oApplication->create($_REQUEST['appName'], "

".$_REQUEST['appDescription']."

", $_REQUEST['keywords']." *** ".$_REQUEST['vendorName'], $_REQUEST['webpage'],$_REQUEST['vendorId'], $_REQUEST['catId']); + $oApplication->create($_REQUEST['appName'], "

".$_REQUEST['appDescription']."

", $_REQUEST['keywords']." *** ".$_REQUEST['vendorName'], $_REQUEST['webpage'], $_REQUEST['vendorId'], $_REQUEST['catId']); $oVersion = new Version(); $oVersion->create($_REQUEST['versionName'], $_REQUEST['versionDescription'], null, null, $oApplication->iAppId); redirect(apidb_fullurl("index.php")); diff --git a/include/application.php b/include/application.php index 0801c8f..4ba4902 100644 --- a/include/application.php +++ b/include/application.php @@ -115,7 +115,6 @@ class Application { */ function create($sName=null, $sDescription=null, $sKeywords=null, $sWebpage=null, $iVendorId=null, $iCatId=null) { - // Security, if we are not an administrator the application must be queued. if(!($_SESSION['current']->hasPriv("admin"))) $this->bQueued = true; @@ -222,6 +221,10 @@ class Application { */ function delete($bSilent=false) { + /* don't let non-admins delete applications */ + if(!($_SESSION['current']->hasPriv("admin"))) + return; + foreach($this->aVersionsIds as $iVersionId) { $oVersion = new Version($iVersionId); diff --git a/include/incl.php b/include/incl.php index 49f94db..46cbafa 100644 --- a/include/incl.php +++ b/include/incl.php @@ -107,6 +107,10 @@ function apidb_sidebar() { include(BASE."include/sidebar_admin.php"); apidb_sidebar_add("global_admin_menu"); + } else if($_SESSION['current']->isMaintainer()) /* if the user maintains anything, add their menus */ + { + include(BASE."include/sidebar_maintainer_admin.php"); + apidb_sidebar_add("global_maintainer_admin_menu"); } // Login Menu diff --git a/include/screenshot.php b/include/screenshot.php index b4c2ef7..4caad49 100644 --- a/include/screenshot.php +++ b/include/screenshot.php @@ -3,7 +3,7 @@ /* screenshot class and related functions */ /******************************************/ -require(BASE."include/image.php"); +require_once(BASE."include/image.php"); // load the watermark $watermark = new image("/images/watermark.png"); 
@@ -128,11 +128,9 @@ class Screenshot { */ function delete($bSilent=false) { - $sQuery = "DELETE FROM appData - WHERE id = ".$this->iScreenshotId." - AND type = 'image' - LIMIT 1"; - if($hResult = query_appdb($sQuery)) + /* the user object should delete the app data entry */ + /* we can perform better permissions checking there */ + if($_SESSION['current']->deleteAppData($this->iScreenshotId)) { $this->oScreenshotImage->delete(); $this->oThumbnailImage->delete(); diff --git a/include/sidebar_admin.php b/include/sidebar_admin.php index e141c88..940f5df 100644 --- a/include/sidebar_admin.php +++ b/include/sidebar_admin.php @@ -11,8 +11,8 @@ function global_admin_menu() { $g->add("Add Vendor", BASE."admin/addVendor.php"); $g->addmisc(" "); - $g->add("View App Queue (".getQueuedAppCount()."/".getQueuedVersionCount().")", BASE."admin/adminAppQueue.php"); - $g->add("View App Data Queue (".getQueuedAppDataCount().")", BASE."admin/adminAppDataQueue.php"); + $g->add("View App Queue (".$_SESSION['current']->getQueuedAppCount()."/".$_SESSION['current']->getQueuedVersionCount().")", BASE."admin/adminAppQueue.php"); + $g->add("View App Data Queue (".$_SESSION['current']->getQueuedAppDataCount().")", BASE."admin/adminAppDataQueue.php"); $g->add("View Maintainer Queue (".getQueuedMaintainerCount().")", BASE."admin/adminMaintainerQueue.php"); $g->add("View Maintainer Entries (".getMaintainerCount().")", BASE."admin/adminMaintainers.php"); $g->add("View Vendors (".getVendorCount().")", BASE."admin/adminVendors.php"); @@ -23,7 +23,6 @@ function global_admin_menu() { $g->add("Comments Management", BASE."admin/adminCommentView.php"); $g->add("Screenshots Management", BASE."admin/adminScreenshots.php"); $g->done(); - } ?> diff --git a/include/sidebar_maintainer_admin.php b/include/sidebar_maintainer_admin.php new file mode 100644 index 0000000..7c0af19 --- /dev/null +++ b/include/sidebar_maintainer_admin.php 
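Review bot: The `AND type = 'image'` restriction of the old query is gone: deleteAppData deletes whatever appData row carries the id, so a Screenshot object built from an appData id of another type will now remove that row and then go on to delete the image files; either pass the type through (e.g. `deleteAppData($this->iScreenshotId, 'image')`) or verify `type = 'image'` before calling it. The method body continues past this hunk.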
@@ -0,0 +1,15 @@ +add("View App Queue (".$_SESSION['current']->getQueuedVersionCount().")", BASE."admin/adminAppQueue.php"); + $g->add("View App Data Queue (".$_SESSION['current']->getQueuedAppDataCount().")", BASE."admin/adminAppDataQueue.php"); + $g->done(); +} + +?> diff --git a/include/user.php b/include/user.php index 7bd695b..62a2e1a 100644 --- a/include/user.php +++ b/include/user.php @@ -3,6 +3,7 @@ /* user class and related functions */ /************************************/ +require_once(BASE."include/version.php"); /** * User class for handling users @@ -232,7 +233,7 @@ class User { if($iAppId) { $sQuery = "SELECT * FROM appMaintainers WHERE userid = '$this->iUserId' AND appId = '$iAppId' AND superMaintainer = '1'"; - } else + } else /* are we super maintainer of any applications? */ { $sQuery = "SELECT * FROM appMaintainers WHERE userid = '$this->iUserId' AND superMaintainer = '1'"; } 
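Review bot: The "View App Queue" entry here is offered to every user for whom `isMaintainer()` is true (incl.php in this commit), yet adminAppQueue.php now rejects anyone who is not an admin or super maintainer, so plain version maintainers get a link that ends in "Insufficient privileges."; add that entry only `if($_SESSION['current']->isSuperMaintainer())`. The opening `<?php` line and the function header of this new file appear to have been lost in rendering, so only the menu entries themselves are visible here.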
@@ -295,6 +296,49 @@ class User { return $statusMessage; } + /* get the number of queued applications */ + function getQueuedAppCount() + { + /* return 0 because non-admins have no way to process new apps */ + if(!$this->hasPriv("admin")) + return 0; + + $qstring = "SELECT count(*) as queued_apps FROM appFamily WHERE queued='true'"; + $result = query_appdb($qstring); + $ob = mysql_fetch_object($result); + return $ob->queued_apps; + } + + function getQueuedVersionCount() + { + if($this->hasPriv("admin")) + { + $qstring = "SELECT count(*) as queued_versions FROM appVersion WHERE queued='true'"; + } else + { + /* find all queued versions of applications that the user is a super maintainer of */ + $qstring = "SELECT count(*) as queued_versions FROM appVersion, appMaintainers + WHERE queued='true' AND appMaintainers.superMaintainer ='1' + AND appVersion.appId = appMaintainers.appId + AND appMaintainers.userId ='".$this->iUserId."';"; + } + $result = query_appdb($qstring); + $ob = mysql_fetch_object($result); + + /* we don't want to count the versions that are implicit in the applications */ + /* that are in the queue */ + return $ob->queued_versions - $this->getQueuedAppCount(); + } + + + /* get the number of queued appdata */ + function getQueuedAppDataCount() + { + $hResult = $this->getAppDataQuery(0, true, false); + $ob = mysql_fetch_object($hResult); + return $ob->queued_appdata; + } + function addPriv($sPriv) { if(!$this->isLoggedIn() || !$sPriv) 
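Review bot: The non-admin branch of getQueuedVersionCount counts every queued version of an application the user super-maintains, while the list it labels, `getAppQueueQuery(false)` later in this commit, additionally requires `appFamily.queued = 'false'`, so the sidebar number can exceed the rows the queue page shows; add the appFamily join and that condition to the count query. The bare `queued='true'` in that query is also unqualified: if appMaintainers has a queued column of its own (the "Maintainer Queue" in sidebar_admin.php suggests it may), MySQL will reject the statement as ambiguous, so write `appVersion.queued='true'`. getQueuedAppDataCount dereferences `$ob->queued_appdata` without checking that getAppDataQuery returned a result.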
@@ -343,6 +387,168 @@ class User { { return ($this->isLoggedIn() && $this->getPref("send_email","yes")=="yes"); } + + /** + * Return an app query based on the user permissions and an iAppDataId + * Used to display appropriate appdata entries based upon admin vs. maintainer + * as well as to determine if the maintainer has permission to delete an appdata entry + */ + function getAppDataQuery($iAppDataId, $queryQueuedCount, $queryQueued) + { + /* either look for queued app data entries */ + /* or ones that match the given id */ + if($queryQueuedCount) + { + $selectTerms = "count(*) as queued_appdata"; + $additionalTerms = "AND appData.queued='true'"; + } else if($queryQueued) + { + $selectTerms = "appData.*, appVersion.appId AS appId"; + $additionalTerms = "AND appData.queued='true'"; + } else + { + $selectTerms = "appData.*, appVersion.appId AS appId"; + $additionalTerms = "AND id='".$iAppDataId."'"; + } + + if($_SESSION['current']->hasPriv("admin")) + { + $sQuery = "SELECT ".$selectTerms." + FROM appData,appVersion + WHERE appVersion.versionId = appData.versionId + ".$additionalTerms.";"; + } else + { + /* select versions where we supermaintain the application or where */ + /* we maintain the appliation, and where the versions we supermaintain */ + /* or maintain are in the appData list */ + /* then apply some additional terms */ + $sQuery = "select ".$selectTerms." 
from appMaintainers, appVersion, appData where + ( + ((appMaintainers.appId = appVersion.appId) AND + (appMaintainers.superMaintainer = '0')) + OR + ((appMaintainers.versionId = appVersion.versionId) + AND (appMaintainers.superMaintainer = '0')) + ) + AND appData.versionId = appVersion.versionId + AND appMaintainers.userId = '".$this->iUserId."' + ".$additionalTerms.";"; + } + + return query_appdb($sQuery); + } + + /** + * Delete appData + */ + function deleteAppData($iAppDataId) + { + $isMaintainer = false; + + /* if we aren't an admin we should see if we can find any results */ + /* for a query based on this appDataId, if we can then */ + /* we have permission to delete the entry */ + if(!$this->hasPriv("admin")) + { + $hResult = $this->getAppDataQuery($iAppDataId, false, false); + if(!$hResult) + return false; + + echo "result rows:".mysql_num_row($hResult); + + if(mysql_num_rows($hResult) > 0) + $isMaintainer = true; + } + + /* do we have permission to delete this item? */ + if($this->hasPriv("admin") || $isMaintainer) + { + $sQuery = "DELETE from appData where id = ".$iAppDataId." 
+ LIMIT 1;"; + $hResult = query_appdb($sQuery); + if($hResult) + return true; + } + + return false; + } + + /** + * Returns true or false depending on whether the user can view the image + */ + function canViewImage($iImageId) + { + $oScreenshot = new Screenshot($iImageId); + + if(!$oScreenshot->bQueued || + ($oScreenshot->bQueued && ($this->hasPriv("admin") || + $this->isMaintainer($oScreenshot->iVersionId) || + $this->isSuperMaintainer($oScreenshot->iAppId)))) + return true; + + return false; + } + + /** + * Retrieve the list of applications in the app queue that this user can see + */ + function getAppQueueQuery($queryAppFamily) + { + if($this->hasPriv("admin")) + { + if($queryAppFamily) + { + $sQuery = "SELECT appFamily.appId FROM appFamily WHERE queued = 'true'"; + } else + { + $sQuery = "SELECT appVersion.versionId FROM appVersion, appFamily + WHERE appFamily.appId = appVersion.appId + AND appFamily.queued = 'false' AND appVersion.queued = 'true'"; + } + } else + { + if($queryAppFamily) + { + $sQuery = "SELECT appFamily.appId FROM appFamily, appMaintainers + WHERE queued = 'true' + AND appFamily.appId = appMaintainers.appId + AND appMaintainers.superMaintainer = '1' + AND appMaintainers.userId = '".$this->iUserId."';"; + } else + { + $sQuery = "SELECT appVersion.versionId FROM appVersion, appFamily, appMaintainers + WHERE appFamily.appId = appVersion.appId + AND appFamily.queued = 'false' AND appVersion.queued = 'true' + AND appFamily.appId = appMaintainers.appId + AND appMaintainers.superMaintainer = '1' + AND appMaintainers.userId = '".$this->iUserId."';"; + } + } + + return query_appdb($sQuery); + } + + /** + * Does the user have permission to modify on this version? 
+ */ + function hasAppVersionModifyPermission($iVersionId) + { + if($this->hasPriv("admin")) + return true; + + $sQuery = "SELECT appVersion.versionId FROM appVersion, appFamily, appMaintainers + WHERE appFamily.appId = appVersion.appId + AND appFamily.appId = appMaintainers.appId + AND appMaintainers.superMaintainer = '1' + AND appMaintainers.userId = '".$this->iUserId."' + AND appVersion.versionId = '".$iVersionId."';"; + $hResult = query_appdb($sQuery); + if(mysql_num_rows($hResult)) + return true; + else + return false; + } } diff --git a/include/util.php b/include/util.php index e4b9d3d..73d73d7 100644 --- a/include/util.php +++ b/include/util.php @@ -146,36 +146,6 @@ function make_maintainer_rating_list($varname, $cvalue) echo "\n"; } -/* get the number of queued applications */ -function getQueuedAppCount() -{ - $qstring = "SELECT count(*) as queued_apps FROM appFamily WHERE queued='true'"; - $result = query_appdb($qstring); - $ob = mysql_fetch_object($result); - return $ob->queued_apps; -} - -function getQueuedVersionCount() -{ - $qstring = "SELECT count(*) as queued_versions FROM appVersion WHERE queued='true'"; - $result = query_appdb($qstring); - $ob = mysql_fetch_object($result); - - /* we don't want to count the versions that are implicit in the applications */ - /* that are in the queue */ - return $ob->queued_versions - getQueuedAppCount(); -} - - -/* get the number of queued appdata */ -function getQueuedAppDataCount() -{ - $qstring = "SELECT count(*) as queued_appdata FROM appData WHERE queued='true'"; - $result = query_appdb($qstring); - $ob = mysql_fetch_object($result); - return $ob->queued_appdata; -} - /* get the number of queued maintainers */ function getQueuedMaintainerCount() { diff --git a/include/version.php b/include/version.php index 575ed6d..0e45e26 100644 --- a/include/version.php +++ b/include/version.php 
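Review bot: The non-admin branch of getAppDataQuery tests `appMaintainers.superMaintainer = '0'` in both arms of the OR, so the arm matching on `appMaintainers.appId` never selects super maintainers, and if `appId` is also populated on version-level maintainer rows that arm instead grants a maintainer of one version visibility — and, through deleteAppData, deletion — of appData for every version of the application; per the comment above it, the first arm should read `(appMaintainers.superMaintainer = '1')`. deleteAppData also calls the non-existent `mysql_num_row()` inside a leftover debug `echo`, which will fatal on every non-admin delete; remove that line. Finally, `$iAppDataId` and `$iVersionId` are concatenated unescaped into `id='…'`, `id = …` and `versionId='…'` and arrive straight from `$_REQUEST` in adminAppDataQueue.php, so cast them (`$iAppDataId = (int)$iAppDataId;`) at the top of getAppDataQuery, deleteAppData and hasAppVersionModifyPermission.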
@@ -248,6 +248,12 @@ class Version { */ function delete($bSilent=false) { + /* is the current user allowed to delete this version? */ + if(!$_SESSION['current']->hasPriv("admin") && !$_SESSION['current']->hasAppVersionModifyPermission($iVersionId)) + { + return; + } + /* remove all of the items this version contains */ foreach($this->aNotesIds as $iNoteId) { @@ -303,6 +309,12 @@ class Version { */ function unQueue() { + /* is the current user allowed to delete this version? */ + if(!$_SESSION['current']->hasPriv("admin") && !$_SESSION['current']->hasAppVersionModifyPermission($iVersionId)) + { + return; + } + // If we are not in the queue, we can't move the version out of the queue. if(!$this->bQueued) return false; diff --git a/screenshots.php b/screenshots.php index 02b4c8d..4266e47 100644 --- a/screenshots.php +++ b/screenshots.php @@ -10,7 +10,7 @@ */ include("path.php"); require(BASE."include/incl.php"); -require(BASE."include/screenshot.php"); +require_once(BASE."include/screenshot.php"); require(BASE."include/application.php"); require(BASE."include/mail.php");
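Review bot: Both new guards pass `$iVersionId`, which is not defined in these methods (delete only declares `$bSilent`, unQueue takes nothing), so non-admins are always checked against `versionId=''`, never match, and silently fail to delete or unqueue — super maintainers therefore cannot process their queue, which is the feature this commit adds. Change both calls to use the instance's own id, presumably `hasAppVersionModifyPermission($this->iVersionId)`, and `return false;` rather than bare `return;` so the caller can tell. The `hasPriv("admin")` test is redundant here, since hasAppVersionModifyPermission already returns true for admins, and the comment copied into unQueue still says "delete". Both method bodies continue past their hunks.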