IMPORTANT - fixed HubSub to properly fetch primary keys
In commit e95f77d34c501d345e731ccf6bc722034d155b77 HubSub lost the
'staticGet' function in a consolidation into the Managed_DataObject class.
This was done carelessly by me as HubSub::staticGet was actually taking
two arguments, none of which was a key and merging them in HubSub::hashkey()
(staticGet was renamed getKV 2a4dc77a633cc78907934fd93200ac16d55be78e).
IMPORTANT: Making prev. Memcached_DataObject working again with schemaDef
Lots of the Memcached_DataObject classes stopped working when upgraded to
Managed_DataObject because they lacked schemaDef().
I have _hopefully_ made it so that all the references to the table uses
each class' schemaDef, rather than the more manual ColumnDef stuff. Not
all plugins have been tested thoroughly yet.
NOTE: This is applied with getKV calls instead of staticGet, as it was
important for PHP Strict Standards compliance to avoid calling the non-
static functions statically. (unfortunately DB and DB_DataObject still do
this within themselves...)
Memcached_DataObject now defines
* pkeyGetClass to avoid collision with Managed_DataObject pkeyGet
* getClassKV to avoid collision with Managed_DataObject getKV
The overloaded DB_DataObject function staticGet is now called getKV
I used this hacky sed-command (run it from your GNU Social root, or change the first grep's path to where it actually lies) to do a rough fix on all ::staticGet calls and rename them to ::getKV
If you're applying this, remember to change the Managed_DataObject and Memcached_DataObject function definitions of staticGet to getKV!
This might of course take some getting used to, or modification fo StatusNet plugins, but the result is that all the static calls (to staticGet) are now properly made without breaking PHP Strict Standards. Standards are there to be followed (and they caused some very bad confusion when used with get_called_class)
Reasonably any plugin or code that tests for the definition of 'GNUSOCIAL' or similar will take this change into consideration.
Updating all Memcached_DataObject extended classes to Managed_DataObject
In some brief tests, this causes no problems.
In this state however, you would need to modify DB_DataObject to have a static declaration of staticget (and probably pkeyGet). The next commit will change the staticGet overload to a unique function name (like getKV for getKeyValue), which means we can properly call the function by PHP Strict Standards.
staticGet for sub-Managed_DataObject classes now calls parent
The parent class for our database objects, Managed_DataObject, has a
dynamically assigned class in staticGet which objects get put into,
leaving us with less code to do the same thing.
We will probably have to move away from the DB_DataObject 'staticGet'
call as it is nowadays deprecated.
We always call staticGet statically, so we define it statically. Next
step is to remove a bunch of definitions of 'staticGet' from classes
that can instead fall back to a parent class in Managed_DataObject.
The ampersand is removed as we're returning a class anyway, which does
not need a reference (and when we return false, it means nothing).
Default to NOT ask for current location for new users
It may be a bad experience for new users to immediately when trying
out the service be asked for their geographical position. Instead,
let them opt-in for this behaviour.
if parameters are not 0, null then limit will be PROFILES_PER_PAGE
If you look at classes/User_group.php on line 412 in the current code, you can see that a call to $profile->getGroups() is made. This implies getGroups($offset=0, $limit=PROFILES_PER_PAGE) only giving a limited amount of groups.
This means only the first 20 groups in an ascending numerical order by locally stored User_group->id will be addressable with the bangtag syntax.
I solved this by making the getGroups() call to the same one made in Profile->isMember(), i.e. $profile->getGroups(0, null);
added missing return statement after showForm call
Issue #3125 at http://status.net/open-source/issues/3125 (and its duplicate 3127) describe buggy behaviour when trying to create a new group - i.e. the group is still created but with nickname NULL.
The reason the group is created is that when failing Nickname::normalize, the function trySave() in actions/newgroup.php doesn't call 'return' - meaning it just keeps going despite the error thrown. It a
So the simple solution to this bug was adding a return call at line 128, inside the catch just after the showForm(...) call.
Escape argument to prevent SQL injection attack in
User::getTaggedSubscriptions()
This change escapes the $tag argument to prevent a SQL injection
attack in User::getTaggedSubscriptions(). The parameter was not
escaped higher up the stack, so this vulnerability could be exploited.
Escape query parameters in Profile_tag::getTagged()
This patch escapes query parameters in Profile_tag::getTagged(). This
is an extra security step; since these parameters come out of the
database, it's unlikely that they would have dangerous data in them.
This change adds additional escapes for arguments to
Profile_tag::moveTag(). The arguments are canonicalized in the API and
Web UI paths higher up the stack, but this change makes sure that no
other paths can introduce SQL injection errors.
Escape $tag passed to Profile::getTaggedSubscribers()
This patch escapes the $tag parameter in
Profile::getTaggedSubscribers(). The parameter is not escaped either
in actions/subscriptions.php or in actions/apiuserfollowers.php. So
there is a potential for SQL injection here.
Potential SQL injection in Local_group::setNickname()
This change escapes a parameter in Local_group::setNickname(). Review
of the code paths that call this function sanitize the parameter
higher up the stack, but it's escaped here to prevent mistakes later.
Note that nickname parameters are normally alphanum strings, so
there's not much danger in double-escaping them.
Potential SQL injection in Local_group::setNickname()
This change escapes a parameter in Local_group::setNickname(). Review
of the code paths that call this function sanitize the parameter
higher up the stack, but it's escaped here to prevent mistakes later.
Note that nickname parameters are normally alphanum strings, so
there's not much danger in double-escaping them.
Notice update with media attachment may fail through API when status text + attachment length get higher than max notice length. Calling URL shortener can make global length less than maxlength, though allowing notice update.
Notice update with media attachment may fail through API when status text + attachment length get higher than max notice length. Calling URL shortener can make global length less than maxlength, though allowing notice update.
Bookmark plugin enhancement: display Bookmark's list. Integration of @chimo's work (http://http://sn.chromic.org/) from https://github.com/chimo/BookmarkList into official plugin.
projects / quix0rs-gnu-social.git / log