Index: branches/RC/core/kernel/db/db_event_handler.php
===================================================================
diff -u -N -r11351 -r11361
--- branches/RC/core/kernel/db/db_event_handler.php (.../db_event_handler.php) (revision 11351)
+++ branches/RC/core/kernel/db/db_event_handler.php (.../db_event_handler.php) (revision 11361)
@@ -2257,33 +2257,12 @@
 return ;
 }
- // Flash uploader does NOT send correct cookies, so we need to make our own check
- $cookie_name = 'adm_'.$this->Application->ConfigValue('SessionCookieName');
- $this->Application->HttpQuery->Cookie['cookies_on'] = 1;
- $this->Application->HttpQuery->Cookie[$cookie_name] = $this->Application->GetVar('flashsid');
-
- // this prevents session from auto-expiring when KeepSessionOnBrowserClose & FireFox is used
- $this->Application->HttpQuery->Cookie[$cookie_name.'_live'] = $this->Application->GetVar('flashsid');
- $admin_ses =& $this->Application->recallObject('Session.admin');
- /* @var $admin_ses Session */
- $perm_helper =& $this->Application->recallObject('PermissionsHelper');
- /* @var $perm_helper kPermissionsHelper */
- $section = $event->getSection();
- $user_id = $admin_ses->RecallVar('user_id');
- if (!$perm_helper->CheckUserPermission($user_id, $section.'.add') && !$perm_helper->CheckUserPermission($user_id, $section.'.edit')) {
+ if (!$this->_checkFlashUploaderPermission($event)) {
 // 403 Forbidden
 header('HTTP/1.0 403 You don\'t have permissions to upload');
 return ;
 }
- if (!$cookie_name) {
- $cookie_name = 'sid';
- }
-
 $value = $this->Application->GetVar('Filedata');
 if (!$value || ($value['error'] != UPLOAD_ERR_OK)) {
@@ -2300,8 +2279,12 @@
 $fname = $id.'_'.$fname;
 }
- if (!is_writable($tmp_path)) {
+ $fields = $this->Application->getUnitOption($event->Prefix, 'Fields');
+ $upload_dir = $fields[ $this->Application->GetVar('field') ]['upload_dir'];
+
+ if (!is_writable($tmp_path) || !is_writable(FULL_PATH . $upload_dir)) {
 // 500 Internal Server Error
+ // check both temp and live upload directory
 header('HTTP/1.0 500 Write permissions not set on the server');
 return ;
 }
@@ -2310,6 +2293,36 @@
 }
 /**
+ * Checks, that flash uploader is allowed to perform upload
+ *
+ * @param kEvent $event
+ * @return bool
+ */
+ function _checkFlashUploaderPermission(&$event)
+ {
+ // Flash uploader does NOT send correct cookies, so we need to make our own check
+ $cookie_name = 'adm_' . $this->Application->ConfigValue('SessionCookieName');
+ $this->Application->HttpQuery->Cookie['cookies_on'] = 1;
+ $this->Application->HttpQuery->Cookie[$cookie_name] = $this->Application->GetVar('flashsid');
+
+ // this prevents session from auto-expiring when KeepSessionOnBrowserClose & FireFox is used
+ $this->Application->HttpQuery->Cookie[$cookie_name . '_live'] = $this->Application->GetVar('flashsid');
+
+ $admin_ses =& $this->Application->recallObject('Session.admin');
+ /* @var $admin_ses Session */
+
+ $backup_user_id = $this->Application->RecallVar('user_id'); // 1. backup user
+ $this->Application->StoreVar('user_id', $admin_ses->RecallVar('user_id')); // 2. fake user_id
+
+ $check_event = new kEvent($event->getPrefixSpecial() . ':OnProcessSelected'); // 3. event, that have "add|edit" rule
+ $allowed_to_upload = $this->CheckPermission($check_event); // 4. check permission
+
+ $this->Application->StoreVar('user_id', $backup_user_id); // 5. restore user id
+
+ return $allowed_to_upload;
+ }
+
+ /**
 * Enter description here...
 *
 * @param kEvent $event
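Review bot: In the new line `$upload_dir = $fields[ $this->Application->GetVar('field') ]['upload_dir'];` the `field` request variable is never checked against the unit's configured fields; when it names an unknown field, or one without an `upload_dir`, the lookup yields null and `FULL_PATH . $upload_dir` degrades to `FULL_PATH` itself, so the writability test runs against that directory instead of rejecting the request. Resolve the field once and reject the unknown case before the `is_writable` check, e.g. `$field = $this->Application->GetVar('field');` followed by `if (!isset($fields[$field]['upload_dir'])) { header('HTTP/1.0 400 Unknown upload field'); return ; }`. Whether this same unchecked `$upload_dir` later becomes the destination of the moved file cannot be seen here; if it does, the guard matters for more than the status code. The enclosing method starts and ends outside this hunk.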
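Review bot: The docblock on `_checkFlashUploaderPermission` documents only the return value, while the security-relevant behaviour is in its side effects: the request's `flashsid` is written into `HttpQuery->Cookie` for the remainder of the request, and the current session's `user_id` is replaced with the admin session's user id for the duration of `CheckPermission`. Add that to the docblock, e.g. `* Side effects: overrides the session cookies from the 'flashsid' request variable (not undone) and temporarily stores the admin session's user_id as the current user while the permission event is checked.` Step 5's restore also relies on `CheckPermission` returning normally; if it can end the request or raise, the substituted `user_id` remains in the session, which is worth stating or guarding. Minor wording in the step-3 comment: `// 3. event, that has "add|edit" rule`.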