Index: trunk/core/kernel/db/db_event_handler.php
===================================================================
diff -u -N -r8104 -r8178
--- trunk/core/kernel/db/db_event_handler.php (.../db_event_handler.php) (revision 8104)
+++ trunk/core/kernel/db/db_event_handler.php (.../db_event_handler.php) (revision 8178)
@@ -144,6 +144,11 @@
 'OnSearchReset' => Array('self' => true, 'subitem' => true),
 'OnGoBack' => Array('self' => true, 'subitem' => true),
+
+ // it checks permission itself since flash uploader does not send cookies
+ 'OnUploadFile' => Array('self'=>true, 'subitem'=>true),
+
+ 'OnViewFile' => Array('self'=>true, 'subitem'=>true),
 );
 $this->permMapping = array_merge($this->permMapping, $permissions);
 }
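Review bot: The comment added above `OnUploadFile` records that it performs its own permission check, but `OnViewFile` receives the identical `'self'=>true, 'subitem'=>true` entry with nothing saying what gates it, and its body in the second hunk contains no permission check of its own, so this mapping appears to be the only control on those file reads. Add a line such as `// OnViewFile has no in-method permission check; this mapping entry is what gates it` so the next reader does not assume it mirrors OnUploadFile. Style: the two new entries drop the spaces around `=>` that the neighbouring `'OnSearchReset'` and `'OnGoBack'` entries use.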
@@ -2045,6 +2050,78 @@
 }
 }
+
+ function OnUploadFile(&$event)
+ {
+ // Flash uploader does NOT send correct cookies, so we need to make our own check
+ $cookie_name = 'adm_'.$this->Application->ConfigValue('SessionCookieName');
+ $this->Application->HttpQuery->Cookie['cookies_on'] = 1;
+ $this->Application->HttpQuery->Cookie[$cookie_name] = $this->Application->GetVar('flashsid');
+
+ $admin_ses =& $this->Application->recallObject('Session.admin');
+ /* @var $admin_ses Session */
+ $user = $admin_ses->RecallVar('user_id');
+ $perm_helper =& $this->Application->recallObject('PermissionsHelper');
+ /* @var $perm_helper kPermissionsHelper */
+ $section = $event->getSection();
+ if (!$perm_helper->CheckUserPermission($user, $section.'.add') && !$perm_helper->CheckUserPermission($user, $section.'.edit')) {
+ $event->status = erPERM_FAIL;
+ return;
+ }
+
+ if (!$cookie_name) $cookie_name = 'sid';
+
+ $value = $this->Application->GetVar('Filedata');
+ if (!$value) return ;
+ $tmp_path = WRITEABLE.'/tmp/';
+ $fname = $value['name'];
+ $id = $this->Application->GetVar('id');
+ if ($id) $fname = $id.'_'.$fname;
+
+ move_uploaded_file($value['tmp_name'], $tmp_path.$fname);
+ exit;
+ }
+
+ /**
+ * Enter description here...
+ *
+ * @param kEvent $event
+ */
+ function OnDeleteFile(&$event)
+ {
+ $var_name = $event->getPrefixSpecial().'_file_pending_actions';
+ $schedule = $this->Application->RecallVar($var_name);
+ $schedule = $schedule ? unserialize($schedule) : array();
+ $schedule[] = array('action'=>'delete', 'file'=>$this->Application->GetVar('file'));
+ $this->Application->StoreVar($var_name, serialize($schedule));
+ exit;
+ }
+
+ /**
+ * Enter description here...
+ *
+ * @param kEvent $event
+ */
+ function OnViewFile(&$event)
+ {
+ if ($this->Application->GetVar('tmp')) {
+ $path = WRITEABLE.'/tmp/'.$this->Application->GetVar('id').'_'.$this->Application->GetVar('file');
+ }
+ else {
+ $object =& $event->getObject(array('skip_autoload'=>true));
+ $options = $object->GetFieldOptions($this->Application->GetVar('field'));
+
+ $path = FULL_PATH.$options['upload_dir'].$this->Application->GetVar('file');
+ }
+
+ $type = mime_content_type($path);
+
+ header('Content-Length: '.filesize($path));
+ header('Content-Type: '.$type);
+
+ readfile($path);
+ exit();
+ }
 }
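Review bot: `OnViewFile` builds `$path` directly from the request values `id`, `file` and `field` and hands it to `filesize()`/`readfile()` with neither a permission check (unlike `OnUploadFile` just above it) nor any check that the resolved file lies inside `WRITEABLE/tmp/` or the field's `upload_dir`, so a `file` value carrying directory-traversal segments reads files outside those directories, and a missing file emits warnings instead of a 404. The same unvalidated name reaches the filesystem in `OnUploadFile`, where the browser-supplied `$value['name']` is used unchanged as the destination of `move_uploaded_file()`, and in `OnDeleteFile`, which stores the raw `file` value for a later delete; reducing the name with `basename()` and confining the resolved path as shown below applies to all three. Also in `OnUploadFile`, `if (!$cookie_name) $cookie_name = 'sid';` runs after `$cookie_name` has already been used as the cookie key, so the fallback never takes effect and belongs above the `Cookie[$cookie_name]` assignment. The two `Enter description here...` docblocks are placeholders; replace them with a one-line purpose each (what the event reads from the request and what it writes or streams).
```php
function OnViewFile(&$event)
{
    // Accept only a bare file name; anything that would leave the directory is refused.
    $file = basename((string)$this->Application->GetVar('file'));
    if ($file === '' || $file === '.' || $file === '..') {
        header('HTTP/1.0 404 Not Found');
        exit();
    }

    if ($this->Application->GetVar('tmp')) {
        $base_dir = WRITEABLE.'/tmp/';
        $path = $base_dir.$this->Application->GetVar('id').'_'.$file;
    }
    else {
        $object =& $event->getObject(array('skip_autoload'=>true));
        $options = $object->GetFieldOptions($this->Application->GetVar('field'));
        $base_dir = FULL_PATH.$options['upload_dir'];
        $path = $base_dir.$file;
    }

    // Resolve symlinks and require a regular file strictly inside the expected directory.
    $real_base = realpath($base_dir);
    $real_path = realpath($path);
    if ($real_base === false || $real_path === false || !is_file($real_path) || strpos($real_path, $real_base.DIRECTORY_SEPARATOR) !== 0) {
        header('HTTP/1.0 404 Not Found');
        exit();
    }

    // … unchanged: mime_content_type, Content-Length/Content-Type headers, readfile, exit — applied to $real_path …
}
```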