Index: trunk/core/kernel/db/db_event_handler.php
===================================================================
diff -u -N -r8360 -r8402
--- trunk/core/kernel/db/db_event_handler.php (.../db_event_handler.php) (revision 8360)
+++ trunk/core/kernel/db/db_event_handler.php (.../db_event_handler.php) (revision 8402)
@@ -95,7 +95,10 @@
 parent::mapPermissions();
 $permissions = Array(
 'OnLoad' => Array('self' => 'view', 'subitem' => 'view'),
-
+ 'OnItemBuild' => Array('self' => 'view', 'subitem' => 'view'),
+
+ 'OnBuild' => Array('self' => true),
+
 'OnNew' => Array('self' => 'add', 'subitem' => 'add|edit'),
 'OnCreate' => Array('self' => 'add', 'subitem' => 'add|edit'),
 'OnUpdate' => Array('self' => 'edit', 'subitem' => 'add|edit'),
@@ -379,7 +382,19 @@
 $auto_load = $this->Application->getUnitOption($event->Prefix,'AutoLoad');
 $skip_autload = $event->getEventParam('skip_autoload');
- if($auto_load && !$skip_autload) $this->LoadItem($event);
+ if ($auto_load && !$skip_autload) {
+ $event->setEventParam('top_prefix', $this->Application->GetTopmostPrefix($event->Prefix, true));
+ if (($this->Application->RecallVar('user_id') == -1) || $this->CheckPermission($event)) {
+ // don't autoload item, when user doesn't have view permission
+ $this->LoadItem($event);
+ }
+ else {
+ // when no permission to view item -> redirect to no pemrission template
+ trigger_error('ItemLoad Permission Failed for prefix ['.$event->getPrefixSpecial().']', E_USER_WARNING);
+ $next_template = $this->Application->IsAdmin() ? 'no_permission' : $this->Application->ConfigValue('NoPermissionTemplate');
+ $this->Application->Redirect($next_template, Array('pass' => 'm'));
+ }
+ }
 $actions =& $this->Application->recallObject('kActions');
 $actions->Set($event->Prefix_Special.'_GoTab', '');
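Review bot: `'OnBuild' => Array('self' => true)` is the only entry in this permission map whose value is a boolean rather than a permission name or an `a|b` list, and nothing in the hunk says how the permission check interprets `true`. If it means the event needs no permission at all, state that next to the entry, e.g. `'OnBuild' => Array('self' => true), // no permission check for this event`, so the next person extending the map does not treat it as a typo. The enclosing mapPermissions method continues outside the hunk.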
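Review bot: The comment `// don't autoload item, when user doesn't have view permission` sits on the branch that does call LoadItem, so it contradicts the code it annotates; move it above the inner `if` or reword it to `// autoload only when the current user may view the item`, and fix `pemrission` in the else-branch comment. The `RecallVar('user_id') == -1` test bypasses CheckPermission entirely; if -1 denotes the built-in root account that is intended but deserves a comment, and the loose `==` against a session value that is presumably a string would be clearer as `(int)$this->Application->RecallVar('user_id') === -1`. Nothing after `$this->Application->Redirect(...)` stops this method, so unless Redirect terminates the request the code below runs with no item loaded — add `return;` after the redirect or confirm that Redirect exits. The enclosing method starts and ends outside the hunk.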
@@ -483,7 +498,8 @@
 $sql = $this->ListPrepareQuery($event);
 $sql = $this->Application->ReplaceLanguageTags($sql);
 $object->setSelectSQL($sql);
-
+ $object->Counted = false; // when requery="1" should re-count records too!
+
 $object->linkToParent( $this->getMainSpecial($event) );
 $this->AddFilters($event);
@@ -986,12 +1002,10 @@
 {
 $object =& $event->getObject( Array('skip_autoload' => true) );
 $object->ID = $this->getPassedID($event);
- if( $object->Delete() )
- {
+ if ($object->Delete()) {
 $event->status = erSUCCESS;
 }
- else
- {
+ else {
 $event->status = erFAIL;
 $event->redirect = false;
 }
@@ -1102,6 +1116,8 @@
 {
 $this->setTempWindowID($event);
 $this->StoreSelectedIDs($event);
+ $var_name = $event->getPrefixSpecial().'_file_pending_actions'.$this->Application->GetVar('m_wid');
+ $this->Application->RemoveVar($var_name);
 $temp =& $this->Application->recallObject($event->getPrefixSpecial().'_TempHandler', 'kTempTablesHandler');
 /* @var $temp kTempTablesHandler */
@@ -1126,6 +1142,17 @@
 if (!$this->Application->CheckPermission('SYSTEM_ACCESS.READONLY', 1)) {
 $live_ids = $temp->SaveEdit($event->getEventParam('master_ids') ? $event->getEventParam('master_ids') : Array());
+
+ // Deleteing files scheduled for delete
+ $var_name = $event->getPrefixSpecial().'_file_pending_actions'.$this->Application->GetVar('m_wid');
+ $schedule = $this->Application->RecallVar($var_name);
+ $schedule = $schedule ? unserialize($schedule) : array();
+ foreach ($schedule as $data) {
+ if ($data['action'] == 'delete') {
+ unlink($data['file']);
+ }
+ }
+
 if ($live_ids) {
 // ensure, that newly created item ids are avalable as if they were selected from grid
 // NOTE: only works if main item has subitems !!!
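Review bot: The pending-actions variable name `$event->getPrefixSpecial().'_file_pending_actions'.$this->Application->GetVar('m_wid')` is built by hand here and again in the hunks at @@ -1126 and @@ -2090, so any drift in one copy silently desynchronises scheduling from cleanup. Centralise it in one small method such as `function getPendingActionsVar(&$event) { return $event->getPrefixSpecial().'_file_pending_actions'.$this->Application->GetVar('m_wid'); }` and call it from all three places. A one-line comment stating why the list is cleared when editing starts (presumably to discard deletions scheduled by an earlier, abandoned edit) would also help. The enclosing method's signature and the rest of its body are outside the hunk.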
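Review bot: `unlink($data['file'])` acts on a path that was derived from request parameters in OnDeleteFile and round-tripped through the session, yet nothing here re-validates it: there is no check that the file exists, that it still resolves inside the field's upload directory, or that unlink succeeded, and unlink on a missing file emits a warning while the loop carries on. At minimum guard it with `if (is_file($data['file'])) { unlink($data['file']); }`, and consider comparing `realpath()` of the target with the upload directory before deleting; `$schedule` also comes from `unserialize()` of session data, which is acceptable only while the session store is trusted and is worth a comment saying so. The comment typo `Deleteing` should read `Deleting`. The enclosing if-block and method continue outside the hunk.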
@@ -1783,93 +1810,6 @@
 }
 /**
- * Dynamically fills customdata config
- *
- * @param kEvent $event
- */
- function OnCreateCustomFields(&$event)
- {
- if (defined('IS_INSTALL') && IS_INSTALL && !$this->Application->TableFound('CustomField')) {
- return false;
- }
- $main_prefix = $this->Application->getUnitOption($event->Prefix, 'ParentPrefix');
- if (!$main_prefix) return false;
- $item_type = $this->Application->getUnitOption($main_prefix, 'ItemType');
- if (!$item_type) {
- // no main config of such type
- return false;
- }
-
- // 1. get custom field information
- $sql = 'SELECT *
- FROM '.TABLE_PREFIX.'CustomField
- WHERE Type = '.$item_type.'
- ORDER BY CustomFieldId';
- $custom_fields = $this->Conn->Query($sql, 'CustomFieldId');
- if (!$custom_fields) {
- // config doesn't have custom fields
- return false;
- }
-
- // 2. create fields (for customdata item)
- $fields = $this->Application->getUnitOption($event->Prefix, 'Fields', Array());
- $field_options = Array('type' => 'string', 'formatter' => 'kMultiLanguage', 'db_type' => 'text', 'default' => '');
- foreach ($custom_fields as $custom_id => $custom_params) {
- if (isset($fields['cust_'.$custom_id])) continue;
- $fields['cust_'.$custom_id] = $field_options;
- }
- $this->Application->setUnitOption($event->Prefix, 'Fields', $fields);
-
- // 3. create virtual & calculated fields (for main item)
- $calculated_fields = Array();
- $virtual_fields = $this->Application->getUnitOption($main_prefix, 'VirtualFields', Array());
-
- $cf_helper =& $this->Application->recallObject('InpCustomFieldsHelper');
- $field_options = Array('type' => 'string', 'not_null' => 1, 'default' => '');
- $ml_formatter =& $this->Application->recallObject('kMultiLanguage');
-
- foreach ($custom_fields as $custom_id => $custom_params) {
- switch ($custom_params['ElementType']) {
- case 'date':
- case 'datetime':
- unset($field_options['options']);
- $field_options['formatter'] = 'kDateFormatter';
- break;
-
- case 'select':
- case 'multiselect':
- case 'radio':
- if ($custom_params['ValueList']) {
- $field_options['options'] = $cf_helper->GetValuesHash($custom_params['ValueList']);
- $field_options['formatter'] = 'kOptionsFormatter';
- }
- break;
-
- default:
- unset($field_options['options'], $field_options['formatter']);
- break;
- }
-
- $custom_name = $custom_params['FieldName'];
- $calculated_fields['cust_'.$custom_name] = 'cust.'.$ml_formatter->LangFieldName('cust_'.$custom_id);
- if (!isset($virtual_fields['cust_'.$custom_name])) {
- $virtual_fields['cust_'.$custom_name] = Array();
- }
- $virtual_fields['cust_'.$custom_name] = array_merge_recursive2($field_options, $virtual_fields['cust_'.$custom_name]);
- $custom_fields[$custom_id] = $custom_name;
- }
-
- $config_calculated_fields = $this->Application->getUnitOption($main_prefix, 'CalculatedFields', Array());
- foreach ($config_calculated_fields as $special => $special_fields) {
- $config_calculated_fields[$special] = array_merge_recursive2($config_calculated_fields[$special], $calculated_fields);
- }
- $this->Application->setUnitOption($main_prefix, 'CalculatedFields', $config_calculated_fields);
-
- $this->Application->setUnitOption($main_prefix, 'CustomFields', $custom_fields);
- $this->Application->setUnitOption($main_prefix, 'VirtualFields', $virtual_fields);
- }
-
- /**
 * Saves selected user in needed field
 *
 * @param kEvent $event
@@ -2067,6 +2007,8 @@
 $section = $event->getSection();
 if (!$perm_helper->CheckUserPermission($user, $section.'.add') && !$perm_helper->CheckUserPermission($user, $section.'.edit')) {
 $event->status = erPERM_FAIL;
+ header('HTTP/1.0 403 You don\'t have permissions to upload');
+ exit;
 return;
 }
@@ -2079,6 +2021,11 @@
 $id = $this->Application->GetVar('id');
 if ($id) $fname = $id.'_'.$fname;
+ if (!is_writable($tmp_path)) {
+ header('HTTP/1.0 500 Write permissions not set on the server');
+ exit;
+ }
+
 move_uploaded_file($value['tmp_name'], $tmp_path.$fname);
 exit;
 }
@@ -2090,12 +2037,16 @@
 */
 function OnDeleteFile(&$event)
 {
- $var_name = $event->getPrefixSpecial().'_file_pending_actions';
+ if (strpos($this->Application->GetVar('file'), '../') !== false) return ;
+ $object =& $event->getObject(array('skip_autoload'=>true));
+ $options = $object->GetFieldOptions($this->Application->GetVar('field'));
+
+ $var_name = $event->getPrefixSpecial().'_file_pending_actions'.$this->Application->GetVar('m_wid');
 $schedule = $this->Application->RecallVar($var_name);
 $schedule = $schedule ? unserialize($schedule) : array();
- $schedule[] = array('action'=>'delete', 'file'=>$this->Application->GetVar('file'));
+ $schedule[] = array('action'=>'delete', 'file'=>$path = FULL_PATH.$options['upload_dir'].$this->Application->GetVar('file'));
 $this->Application->StoreVar($var_name, serialize($schedule));
- exit;
+ $this->Application->Session->SaveData();
 }
 
 /**
@@ -2105,6 +2056,7 @@
 */
 function OnViewFile(&$event)
 {
+ if (strpos($this->Application->GetVar('file'), '../') !== false) return ;
 if ($this->Application->GetVar('tmp')) {
 $path = WRITEABLE.'/tmp/'.$this->Application->GetVar('id').'_'.$this->Application->GetVar('file');
 }
@@ -2120,6 +2072,8 @@
 header('Content-Length: '.filesize($path));
 header('Content-Type: '.$type);
+ safeDefine('DBG_SKIP_REPORTING',1);
+
 readfile($path);
 exit();
 }
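Review bot: `return;` directly after the new `exit;` is unreachable, and the `$event->status = erPERM_FAIL;` assignment just above it can no longer be observed by anything because the request terminates first. Either keep the event-status path and drop the `header`/`exit` pair, or drop the dead `return;` and the status assignment and add a comment such as `// upload endpoint: answer the client directly with 403 and stop` explaining why this handler bypasses the normal event result. The enclosing method starts and ends outside the hunk.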
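Review bot: The result of `move_uploaded_file($value['tmp_name'], $tmp_path.$fname)` is still ignored, so a failed move (the new `is_writable` check covers directory permissions but not a full disk or a rejected temp file) still ends in `exit;` with a 200 response and the client believes the upload succeeded. Change it to `if (!move_uploaded_file($value['tmp_name'], $tmp_path.$fname)) { header('HTTP/1.0 500 Upload could not be stored'); }` ahead of the `exit;`. `$fname`, `$tmp_path` and `$value` are computed outside the hunk, as is the method start.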
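Review bot: The new `strpos(..., '../') !== false` guard in OnDeleteFile is a denylist that rejects one spelling of a parent-directory reference and nothing else, so the stored `FULL_PATH.$options['upload_dir'].GetVar('file')` — later handed to unlink() in the hunk at @@ -1126 — is only as safe as whatever passes that substring test; validate positively instead, e.g. `if ($file === '' || basename($file) !== $file) return ;` if uploads never live in subdirectories, or a realpath()-prefix comparison against the upload directory, and apply the same to OnViewFile (@@ -2105), which duplicates the check. `$options` is used without confirming that `GetVar('field')` named a real field carrying an `upload_dir` option; when it did not, `$options['upload_dir']` is undefined and the scheduled path collapses to FULL_PATH plus the file name, so add `if (!isset($options['upload_dir'])) return ;` before building it. The `$path =` assignment inside the array literal is never read and should be removed.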
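Review bot: `safeDefine('DBG_SKIP_REPORTING',1);` is dropped between the response headers and `readfile($path)` with no explanation, so a reader cannot tell whether it is required for correctness or a leftover. Presumably it stops the debugger from appending its report to the streamed file body, which would corrupt the download; if so, say it inline: `// keep debugger output out of the streamed file body`. The enclosing OnViewFile method starts outside the hunk.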