-<?php\r
-/**\r
- * Nucleus: PHP/MySQL Weblog CMS (http://nucleuscms.org/) \r
- * Copyright (C) 2002-2005 The Nucleus Group\r
- *\r
- * This program is free software; you can redistribute it and/or\r
- * modify it under the terms of the GNU General Public License\r
- * as published by the Free Software Foundation; either version 2\r
- * of the License, or (at your option) any later version.\r
- * (see nucleus/documentation/index.html#license for more info)\r
- *\r
- * Media popup window for Nucleus\r
- *\r
- * Purpose:\r
- * - can be openen from an add-item form or bookmarklet popup\r
- * - shows a list of recent files, allowing browsing, search and \r
- * upload of new files\r
- * - close the popup by selecting a file in the list. The file gets\r
- * passed through to the add-item form (linkto, popupimg or inline img)\r
- *\r
- * $Id: media.php,v 1.3 2005-03-12 06:19:03 kimitake Exp $\r
- */\r
- \r
+<?php
+/*
+ * Nucleus: PHP/MySQL Weblog CMS (http://nucleuscms.org/)
+ * Copyright (C) 2002-2009 The Nucleus Group
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ * (see nucleus/documentation/index.html#license for more info)
+ */
+/**
+ * Media popup window for Nucleus
+ *
+ * Purpose:
+ * - can be openen from an add-item form or bookmarklet popup
+ * - shows a list of recent files, allowing browsing, search and
+ * upload of new files
+ * - close the popup by selecting a file in the list. The file gets
+ * passed through to the add-item form (linkto, popupimg or inline img)
+ *
+ * @license http://nucleuscms.org/license.txt GNU General Public License
+ * @copyright Copyright (C) 2002-2009 The Nucleus Group
+ * @version $Id$
+ * $NucleusJP: media.php,v 1.8.2.1 2007/09/07 07:36:44 kimitake Exp $
+ *
+ */
+
$CONF = array();\r
\r
// defines how much media items will be shown per page. You can override this\r
$CONF['MediaPerPage'] = 10;\r
\r
// include all classes and config data\r
-include('../config.php');\r
+require('../config.php');\r
include($DIR_LIBS . 'MEDIA.php'); // media classes\r
\r
sendContentType('application/xhtml+xml', 'media');\r
$teams = mysql_query($query);\r
if (mysql_num_rows($teams) == 0)\r
media_doError(_ERROR_DISALLOWEDUPLOAD);\r
- \r
+\r
// get action\r
$action = requestVar('action');\r
if ($action == '')\r
$action = 'selectmedia';\r
- \r
+\r
// check ticket\r
$aActionsNotToCheck = array('selectmedia', _MEDIA_FILTER_APPLY, _MEDIA_COLLECTION_SELECT);\r
if (!in_array($action, $aActionsNotToCheck))\r
{\r
if (!$manager->checkTicket())\r
media_doError(_ERROR_BADTICKET);\r
-} \r
+}\r
\r
\r
switch($action) {\r
case 'chooseupload':\r
case _MEDIA_UPLOAD_TO:\r
case _MEDIA_UPLOAD_NEW:\r
- media_choose();\r
+ if (!$member->isAdmin() and $CONF['AllowUpload'] != true) {\r
+ media_doError(_ERROR_DISALLOWED);\r
+ } else {\r
+ media_choose();\r
+ }\r
break;\r
case 'uploadfile':\r
- media_upload();\r
+ if (!$member->isAdmin() and $CONF['AllowUpload'] != true) {\r
+ media_doError(_ERROR_DISALLOWED);\r
+ } else {\r
+ media_upload();\r
+ }\r
break;\r
case _MEDIA_FILTER_APPLY:\r
case 'selectmedia':\r
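Review bot: The upload gate `!$member->isAdmin() and $CONF['AllowUpload'] != true` is written twice (the 'chooseupload' and 'uploadfile' cases) and lives only in this dispatcher, so media_choose() and media_upload() stay callable without it and the two copies can drift. Factor it into one helper next to the other media_* functions, `function media_canUpload() { global $member, $CONF; return $member->isAdmin() || $CONF['AllowUpload'] == true; }`, and reduce each case to `if (!media_canUpload()) media_doError(_ERROR_DISALLOWED);`, calling the same check at the top of media_upload() so the permission holds regardless of how the function is reached. Note that the helper keeps the loose comparison the commit uses; if config.php guarantees a boolean, `=== true` is the safer form.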
// select a file\r
function media_select() {\r
global $member, $CONF, $DIR_MEDIA, $manager;\r
- \r
- media_head();\r
- \r
- // show 10 files + navigation buttons \r
+\r
+ // show 10 files + navigation buttons\r
// show msg when no files\r
// show upload form\r
// files sorted according to last modification date\r
$currentCollection = requestVar('collection');\r
if (!$currentCollection || !@is_dir($DIR_MEDIA . $currentCollection))\r
$currentCollection = $member->getID();\r
- \r
- \r
+\r
+ // avoid directory travarsal and accessing invalid directory\r
+ if (!MEDIA::isValidCollection($currentCollection)) media_doError(_ERROR_DISALLOWED);\r
+\r
+ media_head();\r
+\r
// get collection list\r
$collections = MEDIA::getCollectionList();\r
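Review bot: The new MEDIA::isValidCollection() check comes after `@is_dir($DIR_MEDIA . $currentCollection)` on the preceding lines, so the raw request value still reaches a filesystem call before it is validated. Validate first and only then fall back to the member's own collection: `$currentCollection = requestVar('collection'); if ($currentCollection != '' && !MEDIA::isValidCollection($currentCollection)) media_doError(_ERROR_DISALLOWED);` followed by the existing is_dir fallback, keeping the check after the fallback as well if $member->getID() is not guaranteed to be a valid collection name. Moving media_head() below the check, as this hunk already does, is correct since the error page must not be emitted after the XHTML head; the comment above the check should also read `// avoid directory traversal and accessing an invalid directory`.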
\r
<input type="hidden" name="collection" value="<?php echo htmlspecialchars($currentCollection)?>" />\r
<input type="submit" name="action" value="<?php echo htmlspecialchars(_MEDIA_UPLOAD_NEW) ?>" title="<?php echo htmlspecialchars(_MEDIA_UPLOADLINK) ?>" />\r
<?php $manager->addTicketHidden() ?>\r
- </div></form> \r
+ </div></form>\r
<?php } // if sizeof\r
- \r
- $filter = requestVar('filter'); \r
- $offset = intRequestVar('offset'); \r
+\r
+ $filter = requestVar('filter');\r
+ $offset = intRequestVar('offset');\r
$arr = MEDIA::getMediaListByCollection($currentCollection, $filter);\r
\r
?>\r
<label for="media_filter"><?php echo htmlspecialchars(_MEDIA_FILTER_LABEL)?></label>\r
<input id="media_filter" type="text" name="filter" value="<?php echo htmlspecialchars($filter)?>" />\r
<input type="submit" name="action" value="<?php echo htmlspecialchars(_MEDIA_FILTER_APPLY) ?>" />\r
- <input type="hidden" name="collection" value="<?php echo htmlspecialchars($currentCollection)?>" /> \r
- <input type="hidden" name="offset" value="<?php echo intval($offset)?>" /> \r
- </div></form> \r
- \r
+ <input type="hidden" name="collection" value="<?php echo htmlspecialchars($currentCollection)?>" />\r
+ <input type="hidden" name="offset" value="<?php echo intval($offset)?>" />\r
+ </div></form>\r
+\r
<?php\r
- \r
- ?> \r
+\r
+ ?>\r
<table width="100%">\r
<caption><?php echo _MEDIA_COLLECTION_LABEL . htmlspecialchars($collections[$currentCollection])?></caption>\r
<tr>\r
<th><?php echo _MEDIA_MODIFIED?></th><th><?php echo _MEDIA_FILENAME?></th><th><?php echo _MEDIA_DIMENSIONS?></th>\r
</tr>\r
- \r
- <?php \r
- \r
+\r
+ <?php\r
+\r
if (sizeof($arr)>0) {\r
- \r
+\r
if (($offset + $CONF['MediaPerPage']) >= sizeof($arr))\r
$offset = sizeof($arr) - $CONF['MediaPerPage'];\r
\r
if ($offset < 0) $offset = 0;\r
- \r
+\r
$idxStart = $offset;\r
$idxEnd = $offset + $CONF['MediaPerPage'];\r
$idxNext = $idxEnd;\r
$filename = $DIR_MEDIA . $currentCollection . '/' . $obj->filename;\r
\r
$old_level = error_reporting(0);\r
- $size = @GetImageSize($filename); \r
+ $size = @GetImageSize($filename);\r
error_reporting($old_level);\r
$width = $size[0];\r
$height = $size[1];\r
$filetype = $size[2];\r
- \r
+\r
echo "<tr>";\r
echo "<td>". date("Y-m-d",$obj->timestamp) ."</td>";\r
- \r
+\r
// strings for javascript\r
$jsCurrentCollection = str_replace("'","\\'",$currentCollection);\r
$jsFileName = str_replace("'","\\'",$obj->filename);\r
}\r
} // if (sizeof($arr)>0)\r
?>\r
- \r
+\r
</table>\r
- <?php \r
+ <?php\r
if ($idxStart > 0)\r
echo "<a href='media.php?offset=$idxPrev&collection=".urlencode($currentCollection)."'>". _LISTS_PREV."</a> ";\r
if ($idxEnd < sizeof($arr))\r
echo "<a href='media.php?offset=$idxNext&collection=".urlencode($currentCollection)."'>". _LISTS_NEXT."</a> ";\r
- \r
+\r
?>\r
<input id="typeradio0" type="radio" name="typeradio" onclick="setType(0);" checked="checked" /><label for="typeradio0"><?php echo _MEDIA_INLINE?></label>\r
<input id="typeradio1" type="radio" name="typeradio" onclick="setType(1);" /><label for="typeradio1"><?php echo _MEDIA_POPUP?></label>\r
- <?php \r
+ <?php\r
media_foot();\r
- \r
- \r
+\r
+\r
}\r
\r
/**\r
global $CONF, $member, $manager;\r
\r
$currentCollection = requestVar('collection');\r
- \r
+\r
$collections = MEDIA::getCollectionList();\r
\r
media_head();\r
?>\r
<h1><?php echo _UPLOAD_TITLE?></h1>\r
- \r
+\r
<p><?php echo _UPLOAD_MSG?></p>\r
- \r
+\r
<form method="post" enctype="multipart/form-data" action="media.php">\r
<div>\r
- <input type="hidden" name="action" value="uploadfile" />\r
- <?php $manager->addTicketHidden() ?>\r
+ <input type="hidden" name="action" value="uploadfile" />\r
+ <?php $manager->addTicketHidden() ?>\r
<input type="hidden" name="MAX_FILE_SIZE" value="<?php echo $CONF['MaxUploadSize']?>" />\r
File:\r
<br />\r
</select>\r
<?php } else {\r
?>\r
- <input name="collection" type="hidden" value="<?php echo htmlspecialchars(requestVar('collection'))?>" /> \r
+ <input name="collection" type="hidden" value="<?php echo htmlspecialchars(requestVar('collection'))?>" />\r
<?php } // if sizeof\r
- ?> \r
+ ?>\r
<br /><br />\r
<input type="submit" value="<?php echo _UPLOAD_BUTTON?>" />\r
</div>\r
</form>\r
- \r
- <?php \r
+\r
+ <?php\r
media_foot();\r
}\r
\r
global $DIR_MEDIA, $member, $CONF;\r
\r
$uploadInfo = postFileInfo('uploadfile');\r
- \r
+\r
$filename = $uploadInfo['name'];\r
$filetype = $uploadInfo['type'];\r
$filesize = $uploadInfo['size'];\r
$filetempname = $uploadInfo['tmp_name'];\r
+ $fileerror = intval($uploadInfo['error']);\r
\r
+ switch ($fileerror)\r
+ {\r
+ case 0: // = UPLOAD_ERR_OK\r
+ break;\r
+ case 1: // = UPLOAD_ERR_INI_SIZE\r
+ case 2: // = UPLOAD_ERR_FORM_SIZE\r
+ media_doError(_ERROR_FILE_TOO_BIG);\r
+ case 3: // = UPLOAD_ERR_PARTIAL\r
+ case 4: // = UPLOAD_ERR_NO_FILE\r
+ case 6: // = UPLOAD_ERR_NO_TMP_DIR\r
+ case 7: // = UPLOAD_ERR_CANT_WRITE\r
+ default:\r
+ // include error code for debugging\r
+ // (see http://www.php.net/manual/en/features.file-upload.errors.php)\r
+ media_doError(_ERROR_BADREQUEST . ' (' . $fileerror . ')');\r
+ }\r
+\r
if ($filesize > $CONF['MaxUploadSize'])\r
media_doError(_ERROR_FILE_TOO_BIG);\r
- \r
+\r
// check file type against allowed types\r
$ok = 0;\r
$allowedtypes = explode (',', $CONF['AllowedTypes']);\r
- foreach ( $allowedtypes as $type ) \r
- if (eregi("\." .$type. "$",$filename)) $ok = 1; \r
+ foreach ( $allowedtypes as $type )\r
+ if (eregi("\." .$type. "$",$filename)) $ok = 1;\r
if (!$ok) media_doError(_ERROR_BADFILETYPE);\r
- \r
- if (!is_uploaded_file($filetempname)) \r
+\r
+ if (!is_uploaded_file($filetempname))\r
media_doError(_ERROR_BADREQUEST);\r
\r
// prefix filename with current date (YYYY-MM-DD-)\r
$collection = requestVar('collection');\r
$res = MEDIA::addMediaObject($collection, $filetempname, $filename);\r
\r
- if ($res != '') \r
+ if ($res != '')\r
media_doError($res);\r
- \r
+\r
// shows updated list afterwards\r
media_select();\r
}\r
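Review bot: `$collection = requestVar('collection')` is handed to MEDIA::addMediaObject() without the MEDIA::isValidCollection() check that media_select() now performs, so unless addMediaObject() validates internally the upload path still accepts an unvalidated collection name; add `if (!MEDIA::isValidCollection($collection)) media_doError(_ERROR_DISALLOWED);` before the call. In the new switch on $fileerror, the UPLOAD_ERR_INI_SIZE/UPLOAD_ERR_FORM_SIZE arm has no break and relies on media_doError() never returning; if it ever does, control falls into the default arm and reports a second error, so use the UPLOAD_ERR_* constants instead of commented literals and close the arm with a break. The extension test with eregi() is deprecated as of PHP 5.3 and does not regex-escape the configured type, so a `preg_match('/\.' . preg_quote($type, '/') . '$/i', $filename)` form is preferable. The enclosing media_upload() signature is above this hunk.

```php
    switch ($fileerror)
    {
        case UPLOAD_ERR_OK:
            break;
        case UPLOAD_ERR_INI_SIZE:
        case UPLOAD_ERR_FORM_SIZE:
            media_doError(_ERROR_FILE_TOO_BIG);
            break; // media_doError() is expected to exit; the break guards against fallthrough
        default:
            // include error code for debugging
            // (see http://www.php.net/manual/en/features.file-upload.errors.php)
            media_doError(_ERROR_BADREQUEST . ' (' . $fileerror . ')');
    }

    // … unchanged: MaxUploadSize check, extension check, is_uploaded_file …

    $collection = requestVar('collection');
    // same collection validation as media_select(); rejects traversal and unknown directories
    if (!MEDIA::isValidCollection($collection)) media_doError(_ERROR_DISALLOWED);
    $res = MEDIA::addMediaObject($collection, $filetempname, $filename);
```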
media_head();\r
?>\r
<h1><?php echo _LOGIN_PLEASE?></h1>\r
- \r
+\r
<form method="post" action="media.php">\r
<div>\r
<input name="action" value="login" type="hidden" />\r
- <input name="collection" value="<?php echo htmlspecialchars(requestVar('collection'))?>" type="hidden" /> \r
+ <input name="collection" value="<?php echo htmlspecialchars(requestVar('collection'))?>" type="hidden" />\r
<?php echo _LOGINFORM_NAME?>: <input name="login" />\r
<br /><?php echo _LOGINFORM_PWD?>: <input name="password" type="password" />\r
<br /><input type="submit" value="<?php echo _LOGIN?>" />\r
function media_head() {\r
?>\r
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">\r
- <html xmlns="http://www.w3.org/1999/xhtml">\r
+ <html<?php echo _HTML_XML_NAME_SPACE_AND_LANG_CODE; ?>>\r
<head>\r
<meta http-equiv="Content-Type" content="text/html; charset=<?php echo _CHARSET ?>" />\r
<title>Nucleus Media</title>\r
<script type="text/javascript">\r
var type = 0;\r
function setType(val) { type = val; }\r
- \r
+\r
function chooseImage(collection, filename, width, height) {\r
- window.opener.focus(); \r
+ window.opener.focus();\r
window.opener.includeImage(collection,\r
- filename, \r
- type == 0 ? 'inline' : 'popup',\r
- width,\r
- height\r
- );\r
+ filename,\r
+ type == 0 ? 'inline' : 'popup',\r
+ width,\r
+ height\r
+ );\r
window.close();\r
}\r
- \r
+\r
function chooseOther(collection, filename) {\r
- window.opener.focus(); \r
+ window.opener.focus();\r
window.opener.includeOtherMedia(collection, filename);\r
window.close();\r
- \r
+\r
}\r
</script>\r
</head>\r
- <body> \r
+ <body>\r
<?php }\r
\r
function media_foot() {\r
?>\r
</body>\r
- </html> \r
-<?php } \r
+ </html>\r
+<?php }\r
\r
?>\r
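Review bot: The new `<html<?php echo _HTML_XML_NAME_SPACE_AND_LANG_CODE; ?>>` line makes the document's root element depend on a constant defined elsewhere; if a language file does not define it, PHP echoes the bare constant name and the page, served as application/xhtml+xml, becomes unparsable. Guard it with a fallback to the attribute the old line carried, `<html<?php echo defined('_HTML_XML_NAME_SPACE_AND_LANG_CODE') ? _HTML_XML_NAME_SPACE_AND_LANG_CODE : ' xmlns="http://www.w3.org/1999/xhtml"'; ?>>`, or document above media_head() that the constant must supply the leading space and the xmlns attribute.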