Index: branches/5.2.x/core/kernel/db/db_event_handler.php =================================================================== diff -u -N -r15427 -r15446 --- branches/5.2.x/core/kernel/db/db_event_handler.php (.../db_event_handler.php) (revision 15427) +++ branches/5.2.x/core/kernel/db/db_event_handler.php (.../db_event_handler.php) (revision 15446) @@ -1,6 +1,6 @@ setTempWindowID($event); $ids = $this->StoreSelectedIDs($event); - $this->Application->RemoveVar($this->_getPendingActionVariableName($event)); + $object = $event->getObject(Array('skip_autoload' => true)); + /* @var $object kDBItem */ + $this->Application->RemoveVar($object->getPendingActionVariableName()); + $changes_var_name = $this->Prefix . '_changes_' . $this->Application->GetTopmostWid($this->Prefix); $this->Application->RemoveVar($changes_var_name); + foreach ($ids as $id) { + $object->resetUploads($id); + } + $temp_handler = $this->Application->recallObject($event->getPrefixSpecial() . '_TempHandler', 'kTempTablesHandler', Array ('parent_event' => $event)); /* @var $temp_handler kTempTablesHandler */ @@ -2166,6 +2173,8 @@ $this->Application->SetVar($event->getPrefixSpecial() . '_id', 0); $this->Application->SetVar($event->getPrefixSpecial() . '_PreCreate', 1); + $object->resetUploads(); + $changes_var_name = $this->Prefix . '_changes_' . $this->Application->GetTopmostWid($this->Prefix); $this->Application->RemoveVar($changes_var_name); @@ -2597,7 +2606,20 @@ */ protected function _proccessPendingActions(kEvent $event) { - $var_name = $this->_getPendingActionVariableName($event); + $object = $event->getObject(); + /* @var $object kDBItem */ + + if ( $event->Name == 'OnAfterCopyToLive' ) { + $object->SwitchToLive(); + $object->Load($event->getEventParam('id')); + + $object->processUploads($event->getEventParam('temp_id')); + } + else { + $object->processUploads(); + } + + $var_name = $object->getPendingActionVariableName(); $schedule = $this->Application->RecallVar($var_name); if ( $schedule ) { 
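Review bot: The new `$event->getObject(Array('skip_autoload' => true))` line omits the space before the parenthesis that every other `Array (...)` call in this diff uses (the `$temp_handler` line two lines below, and the OnDeleteFile and OnViewFile hunks); `$object = $event->getObject(Array ('skip_autoload' => true));` keeps the file consistent. The hunk header `@@ -1,6 +1,6 @@` does not match the body shown here, so the context of this first hunk looks damaged in this copy, and the enclosing method starts before the hunk. The `foreach ($ids as $id) { $object->resetUploads($id); }` loop runs on an object fetched with autoload skipped, which reads as resetUploads taking the id explicitly rather than relying on a loaded record; confirm it does not depend on `$object`'s own (unloaded) state.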
@@ -2614,20 +2636,6 @@ } /** - * Returns variable name, used to store pending file actions - * - * @param kEvent $event - * @return string - * @access protected - */ - protected function _getPendingActionVariableName(kEvent $event) - { - $window_id = $this->Application->GetTopmostWid($event->Prefix); - - return $event->Prefix . '_file_pending_actions' . $window_id; - } - - /** * Occurs before an item has been cloned * Id of newly created item is passed as event' 'id' param * @@ -3252,23 +3260,20 @@ protected function OnDeleteFile(kEvent $event) { $event->status = kEvent::erSTOP; - $filename = $this->Application->GetVar('file'); + $filename = $this->_getUploadedFileInfo($event, 'full_path'); - if ( !$this->Application->isAdmin ) { - $filename = htmlspecialchars_decode($filename); - } - - if ( strpos($filename, '../') !== false ) { + if ( $filename === false ) { return; } $object = $event->getObject(Array ('skip_autoload' => true)); - $options = $object->GetFieldOptions($this->Application->GetVar('field')); + /* @var $object kDBItem */ - $var_name = $this->_getPendingActionVariableName($event); + $var_name = $object->getPendingActionVariableName(); $schedule = $this->Application->RecallVar($var_name); $schedule = $schedule ? unserialize($schedule) : Array (); - $schedule[] = Array ('action' => 'delete', 'file' => FULL_PATH . $options['upload_dir'] . $filename); + $schedule[] = Array ('action' => 'delete', 'file' => $filename); + $this->Application->StoreVar($var_name, serialize($schedule)); } 
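Review bot: `if ( $event->Name == 'OnAfterCopyToLive' )` compares a string event name loosely; `if ( $event->Name === 'OnAfterCopyToLive' ) {` is the strict form and matches the `=== false` checks this commit introduces elsewhere. In that branch `SwitchToLive()` and `Load()` change the mode and contents of the object shared through `$event->getObject()`, so whatever runs after `_proccessPendingActions` in the same event sees a live-table, reloaded object instead of the temp one it had; if that is intended, a comment such as `// object stays switched to live for the rest of this event` would make it explicit. This hunk also fetches the object without `skip_autoload`, unlike the other hunks in this commit, presumably because the else-branch `processUploads()` relies on the autoloaded record, but that is inferred. The method body continues past the hunk.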
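Review bot: The scheduled `'delete'` entry now stores whatever `_getUploadedFileInfo($event, 'full_path')` returns, and the only guard left in OnDeleteFile is `$filename === false`, whereas the removed line at least anchored the path under `FULL_PATH . $options['upload_dir']`. The helper's traversal check is applied to the raw `file` request value rather than to the resolved path, so a containment check before the `$schedule[] = ...` line would keep the delete confined to the upload area regardless of how the formatter builds the path: since the file must exist to be deleted, resolve `$filename` with `realpath()` and return unless the result starts with the upload directory's real path. The `unserialize($schedule)` call round-trips a session variable written by `StoreVar` in this same method; that is existing behaviour on internal data, and a comment `// session-only data written below, not user-supplied` above it would stop it being mistaken for external input.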
@@ -3283,6 +3288,47 @@ { $event->status = kEvent::erSTOP; + if ( $this->Application->GetVar('thumb') ) { + $object = $event->getObject(Array ('skip_autoload' => true)); + /* @var $object kDBItem */ + + $field = $this->Application->GetVar('field'); + $url = $this->_getUploadedFileInfo($event, $object->GetFieldOption($field, 'thumb_format')); + } + else { + $url = $this->_getUploadedFileInfo($event, 'full_url'); + } + + if ( $url === false ) { + return; + } + + $file_helper = $this->Application->recallObject('FileHelper'); + /* @var $file_helper FileHelper */ + + $path = $file_helper->urlToPath($url); + + if ( !file_exists($path) ) { + exit; + } + + header('Content-Length: ' . filesize($path)); + $this->Application->setContentType(kUtil::mimeContentType($path), false); + header('Content-Disposition: inline; filename="' . basename($path) . '"'); + + readfile($path); + } + + /** + * Returns information about uploaded file + * + * @param kEvent $event + * @param string $format + * @return bool + * @access protected + */ + protected function _getUploadedFileInfo(kEvent $event, $format) + { $file = $this->Application->GetVar('file'); if ( !$this->Application->isAdmin ) { @@ -3291,7 +3337,7 @@ if ( (strpos($file, '../') !== false) || (trim($file) !== $file) ) { // when relative paths or special chars are found template names from url, then it's hacking attempt - return; + return false; } $object = $event->getObject(Array ('skip_autoload' => true)); 
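Review bot: The new `_getUploadedFileInfo` docblock says `@return bool`, but on the success path the helper returns `GetField($field, $format)` and OnViewFile and OnDeleteFile use that value as a URL or path string; `@return string|bool` (false when the `file` value is rejected) is the contract the callers rely on. In the `thumb` branch `$field` is read from the request and handed to `GetFieldOption()` before the helper has validated anything, so an unknown field name yields an empty `$format` — hedged, since `GetFieldOption`'s behaviour on an unknown field is not visible here; reading `thumb_format` inside the helper would keep the checks in one place. `header('Content-Disposition: inline; filename="' . basename($path) . '"')` interpolates the name unescaped, and the `trim`/`../` guard does not exclude `"` or `\`, so such a name malforms the header; `str_replace(Array ('"', '\\'), '', basename($path))` avoids that. OnViewFile's body starts before this hunk.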
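Review bot: The guard that now returns `false` still lets an empty `file` value through: `trim('') === ''` and `strpos('', '../')` is false, so the helper goes on to `SetDBField($field, '')` and whatever the `full_path`/`full_url` format produces for an empty value (presumably the bare upload directory) becomes the result OnDeleteFile schedules for deletion. Rejecting it up front is a one-line change: `if ( $file === '' || (strpos($file, '../') !== false) || (trim($file) !== $file) ) {`. The check also only recognises forward-slash `../`; if the formatter does not normalise separators, a backslash variant or an absolute path passes — pre-existing, but this `return false` is now the single place to cover it. The helper continues after the hunk.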
@@ -3312,28 +3358,7 @@ $object->SetDBField($field, $file); } - // get url to uploaded file - if ( $this->Application->GetVar('thumb') ) { - $url = $object->GetField($field, $options['thumb_format']); - } - else { - $url = $object->GetField($field, 'full_url'); // don't use "file_urls" format to prevent recursion - } - - $file_helper = $this->Application->recallObject('FileHelper'); - /* @var $file_helper FileHelper */ - - $path = $file_helper->urlToPath($url); - - if ( !file_exists($path) ) { - exit; - } - - header('Content-Length: ' . filesize($path)); - $this->Application->setContentType(kUtil::mimeContentType($path), false); - header('Content-Disposition: inline; filename="' . $file . '"'); - - readfile($path); + return $object->GetField($field, $format); } /**
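Review bot: The removed line carried the only explanation of why `file_urls` must not be requested (`// don't use "file_urls" format to prevent recursion`), and the generic `return $object->GetField($field, $format);` now accepts any format a caller passes, so that constraint is lost. Put it in the helper's docblock instead: `@param string $format field format to return ('full_url', 'full_path', thumbnail format); never 'file_urls', which recurses into this handler`. In the thumb branch `$format` is whatever `GetFieldOption($field, 'thumb_format')` returned, so it may be empty when the option is unset; if `GetField` does not tolerate that, the caller needs a fallback to `'full_url'` or an explicit check, though that depends on `GetField`'s behaviour, which is not visible here. The helper's signature is in the previous hunk.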