security improvement and code refactorization
@@ -120,11 +120,24 @@ function get_regular_search_results($search, $images_where='')
|
||||
$image_ids_for_filter = array();
|
||||
|
||||
$display_filters = unserialize($conf["filters_views"]);
|
||||
foreach($display_filters as $filt_name => $filt_conf){
|
||||
if(isset($filt_conf['access']))
|
||||
{
|
||||
if ($filt_conf['access'] == 'everybody' or ($filt_conf['access'] == 'admins-only' and is_admin()) or ($filt_conf['access'] == 'registered-users' and is_classic_user()))
|
||||
{
|
||||
$display_filters[$filt_name]['access'] = true;
|
||||
}
|
||||
else
|
||||
{
|
||||
$display_filters[$filt_name]['access'] = false;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
//
|
||||
// allwords
|
||||
//
|
||||
if (isset($search['fields']['allwords']) and !empty($search['fields']['allwords']['words']) and count($search['fields']['allwords']['fields']) > 0 and ($display_filters["words"]["access"] == "everybody" or ($display_filters["words"]["access"] == "admins-only" and is_admin()) or ($display_filters["words"]["access"] == "registered-users" and is_classic_user())))
|
||||
if (isset($search['fields']['allwords']) and !empty($search['fields']['allwords']['words']) and count($search['fields']['allwords']['fields']) > 0 and $display_filters['words']['access'])
|
||||
{
|
||||
$has_filters_filled = true;
|
||||
|
||||
@@ -305,7 +318,7 @@ SELECT
|
||||
//
|
||||
// author
|
||||
//
|
||||
if (isset($search['fields']['author']) and count($search['fields']['author']['words']) > 0)
|
||||
if (isset($search['fields']['author']) and count($search['fields']['author']['words']) > 0 and $display_filters['author']['access'])
|
||||
{
|
||||
$has_filters_filled = true;
|
||||
|
||||
@@ -329,7 +342,7 @@ SELECT
|
||||
//
|
||||
// filetypes
|
||||
//
|
||||
if (!empty($search['fields']['filetypes']['data']))
|
||||
if (!empty($search['fields']['filetypes']['data']) and $display_filters['file_type']['access'])
|
||||
{
|
||||
$has_filters_filled = true;
|
||||
|
||||
@@ -353,7 +366,7 @@ SELECT
|
||||
//
|
||||
// added_by
|
||||
//
|
||||
if (!empty($search['fields']['added_by']['data']))
|
||||
if (!empty($search['fields']['added_by']['data']) and $display_filters['added_by']['access'])
|
||||
{
|
||||
$has_filters_filled = true;
|
||||
|
||||
@@ -371,7 +384,7 @@ SELECT
|
||||
//
|
||||
// cat
|
||||
//
|
||||
if (isset($search['fields']['cat']) and !empty($search['fields']['cat']['words']))
|
||||
if (isset($search['fields']['cat']) and !empty($search['fields']['cat']['words']) and $display_filters['album']['access'])
|
||||
{
|
||||
$has_filters_filled = true;
|
||||
|
||||
@@ -405,7 +418,7 @@ SELECT
|
||||
//
|
||||
// date_posted
|
||||
//
|
||||
if (!empty($search['fields']['date_posted']['preset']))
|
||||
if (!empty($search['fields']['date_posted']['preset']) and $display_filters['post_date']['access'])
|
||||
{
|
||||
|
||||
$has_filters_filled = true;
|
||||
@@ -487,7 +500,7 @@ SELECT
|
||||
//
|
||||
// date_created
|
||||
//
|
||||
if (!empty($search['fields']['date_created']['preset']))
|
||||
if (!empty($search['fields']['date_created']['preset']) and $display_filters['creation_date']['access'])
|
||||
{
|
||||
|
||||
$has_filters_filled = true;
|
||||
@@ -569,7 +582,7 @@ SELECT
|
||||
//
|
||||
// ratios
|
||||
//
|
||||
if (!empty($search['fields']['ratios']['data']))
|
||||
if (!empty($search['fields']['ratios']['data']) and $display_filters['ratio']['access'])
|
||||
{
|
||||
$has_filters_filled = true;
|
||||
|
||||
@@ -600,7 +613,7 @@ SELECT
|
||||
//
|
||||
// ratings
|
||||
//
|
||||
if ($conf['rate'] and !empty($search['fields']['ratings']['data']))
|
||||
if ($conf['rate'] and !empty($search['fields']['ratings']['data']) and $display_filters['rating']['access'])
|
||||
{
|
||||
$has_filters_filled = true;
|
||||
|
||||
@@ -631,7 +644,7 @@ SELECT
|
||||
//
|
||||
// filesize
|
||||
//
|
||||
if (!empty($search['fields']['filesize_min']['data']) and !empty($search['fields']['filesize_max']['data']))
|
||||
if (!empty($search['fields']['filesize_min']['data']) and !empty($search['fields']['filesize_max']['data']) and $display_filters['file_size']['access'])
|
||||
{
|
||||
$has_filters_filled = true;
|
||||
|
||||
@@ -651,7 +664,7 @@ SELECT
|
||||
//
|
||||
// height
|
||||
//
|
||||
if (!empty($search['fields']['height_min']['data']) and !empty($search['fields']['height_max']['data']))
|
||||
if (!empty($search['fields']['height_min']['data']) and !empty($search['fields']['height_max']['data']) and $display_filters['height']['access'])
|
||||
{
|
||||
$has_filters_filled = true;
|
||||
|
||||
@@ -669,7 +682,7 @@ SELECT
|
||||
//
|
||||
// width
|
||||
//
|
||||
if (!empty($search['fields']['width_min']['data']) and !empty($search['fields']['width_max']['data']))
|
||||
if (!empty($search['fields']['width_min']['data']) and !empty($search['fields']['width_max']['data']) and $display_filters['width']['access'])
|
||||
{
|
||||
$has_filters_filled = true;
|
||||
|
||||
@@ -687,7 +700,7 @@ SELECT
|
||||
//
|
||||
// tags
|
||||
//
|
||||
if (isset($search['fields']['tags']) and !empty($search['fields']['tags']['words']))
|
||||
if (isset($search['fields']['tags']) and !empty($search['fields']['tags']['words']) and $display_filters['tags']['access'])
|
||||
{
|
||||
$has_filters_filled = true;
|
||||
|
||||
|
||||
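Review bot: The new `$display_filters = unserialize($conf["filters_views"]);` at the top of the first hunk has no result check, so a missing or malformed `filters_views` value yields `false`, the `foreach` warns, and every later `$display_filters['x']['access']` gate (the allwords hunk and the author, filetypes, added_by, cat, date_posted, date_created, ratios, ratings, filesize, height, width and tags hunks) turns into a null read with an "undefined array key" warning — it fails closed, which is the right direction, but it silently drops every search filter instead of surfacing the bad config. The value comes from stored configuration rather than the request, so the deserialization exposure is limited to whoever can write that setting or the database, yet forbidding object instantiation costs nothing here: `$display_filters = unserialize($conf['filters_views'], array('allowed_classes' => false));` followed by `if (!is_array($display_filters)) { $display_filters = array(); }` (or the project's safe-unserialize helper, if one is the convention for stored config values). Reading the gates as `!empty($display_filters['words']['access'])` keeps the same fail-closed behaviour for filter entries that lack an `access` key or are absent from the config without the warnings. The access normalisation loop only rewrites entries that already carry `access`, so an entry without it is treated as denied; a short comment above the loop stating that intent, e.g. `// filters without an explicit access level are hidden from everybody`, would stop a maintainer from "fixing" it. get_regular_search_results continues outside the hunk on both sides.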
@@ -45,12 +45,12 @@ if ('search' == $page['section'] and isset($page['search_details']))
|
||||
|
||||
if (isset($my_search['fields']['allwords']))
|
||||
{
|
||||
$my_search['fields']['allwords']["access"] = $filters_views["words"]["access"];
|
||||
$my_search['fields']['allwords']['access'] = $filters_views['words']['access'];
|
||||
}
|
||||
|
||||
if (isset($my_search['fields']['tags']))
|
||||
{
|
||||
$my_search['fields']['tags']["access"] = $filters_views["tags"]["access"];
|
||||
$my_search['fields']['tags']['access'] = $filters_views['tags']['access'];
|
||||
$filter_tags = array();
|
||||
|
||||
// TODO calling get_available_tags(), with lots of photos/albums/tags may cost time,
|
||||
@@ -88,7 +88,7 @@ if ('search' == $page['section'] and isset($page['search_details']))
|
||||
|
||||
if (isset($my_search['fields']['author']))
|
||||
{
|
||||
$my_search['fields']['author']["access"] = $filters_views["author"]["access"];
|
||||
$my_search['fields']['author']['access'] = $filters_views['author']['access'];
|
||||
$filter_clause = get_clause_for_filter('author');
|
||||
|
||||
$query = '
|
||||
@@ -130,7 +130,7 @@ SELECT
|
||||
|
||||
if (isset($my_search['fields']['date_posted']))
|
||||
{
|
||||
$my_search['fields']['date_posted']["access"] = $filters_views["post_date"]["access"];
|
||||
$my_search['fields']['date_posted']['access'] = $filters_views['post_date']['access'];
|
||||
$filter_clause = get_clause_for_filter('date_posted');
|
||||
$cache_key = $persistent_cache->make_key('filter_date_posted'.$user['id'].$user['cache_update_time']);
|
||||
$set_persistent_cache = !preg_match('/^image_id IN/', $filter_clause) and !$persistent_cache->get($cache_key, $date_posted);
|
||||
@@ -233,7 +233,7 @@ SELECT
|
||||
|
||||
if (isset($my_search['fields']['date_created']))
|
||||
{
|
||||
$my_search['fields']['date_created']["access"] = $filters_views["creation_date"]["access"];
|
||||
$my_search['fields']['date_created']['access'] = $filters_views['creation_date']['access'];
|
||||
$filter_clause = get_clause_for_filter('date_created');
|
||||
$cache_key = $persistent_cache->make_key('filter_date_created'.$user['id'].$user['cache_update_time']);
|
||||
$set_persistent_cache = !preg_match('/^image_id IN/', $filter_clause) and !$persistent_cache->get($cache_key, $date_created);
|
||||
@@ -339,7 +339,7 @@ SELECT
|
||||
|
||||
if (isset($my_search['fields']['added_by']))
|
||||
{
|
||||
$my_search['fields']['added_by']["access"] = $filters_views["added_by"]["access"];
|
||||
$my_search['fields']['added_by']['access'] = $filters_views['added_by']['access'];
|
||||
$filter_clause = get_clause_for_filter('added_by');
|
||||
|
||||
$query = '
|
||||
@@ -403,7 +403,7 @@ SELECT
|
||||
|
||||
if (isset($my_search['fields']['cat']))
|
||||
{
|
||||
$my_search['fields']['cat']["access"] = $filters_views["album"]["access"];
|
||||
$my_search['fields']['cat']['access'] = $filters_views['album']['access'];
|
||||
|
||||
if (!empty($my_search['fields']['cat']['words']))
|
||||
{
|
||||
@@ -439,7 +439,7 @@ SELECT
|
||||
|
||||
if (isset($my_search['fields']['filetypes']))
|
||||
{
|
||||
$my_search['fields']['filetypes']["access"] = $filters_views["file_type"]["access"];
|
||||
$my_search['fields']['filetypes']['access'] = $filters_views['file_type']['access'];
|
||||
$filter_clause = get_clause_for_filter('filetypes');
|
||||
|
||||
// get all file extensions for this user in the gallery, whatever the current filters
|
||||
@@ -495,7 +495,7 @@ SELECT
|
||||
|
||||
if (isset($my_search['fields']['ratings']))
|
||||
{
|
||||
$my_search['fields']['ratings']["access"] = $filters_views["rating"]["access"];
|
||||
$my_search['fields']['ratings']['access'] = $filters_views['rating']['access'];
|
||||
$filter_clause = get_clause_for_filter('ratings');
|
||||
|
||||
$cache_key = $persistent_cache->make_key('filter_ratings'.$user['id'].$user['cache_update_time']);
|
||||
@@ -558,8 +558,8 @@ SELECT
|
||||
// For filesize
|
||||
if (isset($my_search['fields']['filesize_min']) && isset($my_search['fields']['filesize_max']))
|
||||
{
|
||||
$my_search['fields']['filesize_min']["access"] = $filters_views["file_size"]["access"];
|
||||
$my_search['fields']['filesize_max']["access"] = $filters_views["file_size"]["access"];
|
||||
$my_search['fields']['filesize_min']['access'] = $filters_views['file_size']['access'];
|
||||
$my_search['fields']['filesize_max']['access'] = $filters_views['file_size']['access'];
|
||||
$filter_clause = get_clause_for_filter('filesize');
|
||||
|
||||
$filesizes = array();
|
||||
@@ -607,7 +607,7 @@ SELECT
|
||||
|
||||
if (isset($my_search['fields']['ratios']))
|
||||
{
|
||||
$my_search['fields']['ratios']["access"] = $filters_views["ratio"]["access"];
|
||||
$my_search['fields']['ratios']['access'] = $filters_views['ratio']['access'];
|
||||
$filter_clause = get_clause_for_filter('ratios');
|
||||
|
||||
$cache_key = $persistent_cache->make_key('filter_ratios'.$user['id'].$user['cache_update_time']);
|
||||
@@ -677,8 +677,8 @@ SELECT
|
||||
|
||||
if (isset($my_search['fields']['height_min']) and isset($my_search['fields']['height_max']))
|
||||
{
|
||||
$my_search['fields']['height_min']["access"] = $filters_views["height"]["access"];
|
||||
$my_search['fields']['height_max']["access"] = $filters_views["height"]["access"];
|
||||
$my_search['fields']['height_min']['access'] = $filters_views['height']['access'];
|
||||
$my_search['fields']['height_max']['access'] = $filters_views['height']['access'];
|
||||
$filter_clause = get_clause_for_filter('height');
|
||||
|
||||
$query = '
|
||||
@@ -726,8 +726,8 @@ SELECT
|
||||
|
||||
if (isset($my_search['fields']['width_min']) and isset($my_search['fields']['width_max']))
|
||||
{
|
||||
$my_search['fields']['width_min']["access"] = $filters_views["width"]["access"];
|
||||
$my_search['fields']['width_max']["access"] = $filters_views["width"]["access"];
|
||||
$my_search['fields']['width_min']['access'] = $filters_views['width']['access'];
|
||||
$my_search['fields']['width_max']['access'] = $filters_views['width']['access'];
|
||||
$filter_clause = get_clause_for_filter('width');
|
||||
|
||||
$query = '
|
||||
|
||||