Index: branches/unlabeled/unlabeled-1.2.2/core/admin_templates/js/uploader.js =================================================================== diff -u -r8202 -r8215 --- branches/unlabeled/unlabeled-1.2.2/core/admin_templates/js/uploader.js (.../uploader.js) (revision 8202) +++ branches/unlabeled/unlabeled-1.2.2/core/admin_templates/js/uploader.js (.../uploader.js) (revision 8215) @@ -309,7 +309,7 @@ upl.files.push(file); upl.total += file.size; if (upl.files[0].uploaded) { - UploadsManager.DeleteFile(file.uploader_id, upl.files[0].name); + UploadsManager.DeleteFile(file.uploader_id, upl.files[0].name, true); } else { upl.flash.cancelFile(upl.files[0].id); @@ -350,11 +350,11 @@ alert('Error: '+msg+'\nOccured on file '+file.name); } -UploadsManager.DeleteFile = function(mov, fname) +UploadsManager.DeleteFile = function(mov, fname, confirmed) { - if (!confirm('Are you sure you want to delete this file?')) return; + if (!confirmed && !confirm('Are you sure you want to delete this file?')) return; Request.makeRequest( - this.Uploaders[mov].deleteURL.replace('#FILE#', fname), + this.Uploaders[mov].deleteURL.replace('#FILE#', fname).replace('#FIELD#', this.Uploaders[mov].params.field), false, '', function(req, fname, upl) { upl.RemoveFile({id:fname}) Index: branches/unlabeled/unlabeled-1.85.2/core/kernel/db/db_event_handler.php =================================================================== diff -u -r8202 -r8215 --- branches/unlabeled/unlabeled-1.85.2/core/kernel/db/db_event_handler.php (.../db_event_handler.php) (revision 8202) +++ branches/unlabeled/unlabeled-1.85.2/core/kernel/db/db_event_handler.php (.../db_event_handler.php) (revision 8215) 
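Review bot: In `UploadsManager.DeleteFile`, `fname` and `params.field` are substituted into `deleteURL` without URL-encoding, so a file name containing `&`, `#`, `%` or `+` reaches the server as a different `file` value or as extra parameters. Unless callers already encode the name (not visible here), encode at substitution: `this.Uploaders[mov].deleteURL.replace('#FILE#', encodeURIComponent(fname)).replace('#FIELD#', encodeURIComponent(this.Uploaders[mov].params.field))`. The new `confirmed` parameter is also undocumented; a comment such as `// confirmed: skip the confirm() prompt when replacing an already-uploaded file` would explain the `true` passed in the @@ -309 hunk.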
@@ -1100,6 +1100,8 @@ { $this->setTempWindowID($event); $this->StoreSelectedIDs($event); + $var_name = $event->getPrefixSpecial().'_file_pending_actions'.$this->Application->GetVar('m_wid'); + $this->Application->RemoveVar($var_name); $temp =& $this->Application->recallObject($event->getPrefixSpecial().'_TempHandler', 'kTempTablesHandler'); /* @var $temp kTempTablesHandler */ @@ -1124,6 +1126,17 @@ if (!$this->Application->CheckPermission('SYSTEM_ACCESS.READONLY', 1)) { $live_ids = $temp->SaveEdit($event->getEventParam('master_ids') ? $event->getEventParam('master_ids') : Array()); + + // Deleteing files scheduled for delete + $var_name = $event->getPrefixSpecial().'_file_pending_actions'.$this->Application->GetVar('m_wid'); + $schedule = $this->Application->RecallVar($var_name); + $schedule = $schedule ? unserialize($schedule) : array(); + foreach ($schedule as $data) { + if ($data['action'] == 'delete') { + unlink($data['file']); + } + } + if ($live_ids) { // ensure, that newly created item ids are avalable as if they were selected from grid // NOTE: only works if main item has subitems !!! 
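Review bot: The session key `$event->getPrefixSpecial().'_file_pending_actions'.$this->Application->GetVar('m_wid')` is built by hand here, again in the save hunk at -1124 and again in `OnDeleteFile`, and the three copies must stay identical or scheduled deletions are silently orphaned or never cleared. A small helper, for example `function getPendingActionsVarName(&$event)` returning that string, would keep them in step. `m_wid` appears to come from the request, so it is worth confirming it is always present; when it is empty, every window of the session shares one list. The enclosing function starts and ends outside this hunk.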
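Review bot: In the added loop of the @@ -1124 hunk, `unlink($data['file'])` acts on whatever path was stored in the session when the delete was scheduled, with no check that the file still exists. The list is also not cleared after the loop, so a second save in the same window would try to remove the same paths again (unless it is cleared outside this hunk). I would guard the call and drop the list once processed: `if ($data['action'] == 'delete' && is_file($data['file'])) { unlink($data['file']); }` followed by `$this->Application->RemoveVar($var_name);` after the `foreach`. The `unserialize()` call is only as trustworthy as the session store, so a comment stating that this variable must never be populated from request data would help. The enclosing function starts and ends outside this hunk.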
@@ -2095,12 +2108,16 @@ */ function OnDeleteFile(&$event) { - $var_name = $event->getPrefixSpecial().'_file_pending_actions'; + if (strpos($this->Application->GetVar('file'), '../') !== false) return ; + $object =& $event->getObject(array('skip_autoload'=>true)); + $options = $object->GetFieldOptions($this->Application->GetVar('field')); + + $var_name = $event->getPrefixSpecial().'_file_pending_actions'.$this->Application->GetVar('m_wid'); $schedule = $this->Application->RecallVar($var_name); $schedule = $schedule ? unserialize($schedule) : array(); - $schedule[] = array('action'=>'delete', 'file'=>$this->Application->GetVar('file')); + $schedule[] = array('action'=>'delete', 'file'=>$path = FULL_PATH.$options['upload_dir'].$this->Application->GetVar('file')); $this->Application->StoreVar($var_name, serialize($schedule)); - exit; + $this->Application->Session->SaveData(); } /** @@ -2110,6 +2127,7 @@ */ function OnViewFile(&$event) { + if (strpos($this->Application->GetVar('file'), '../') !== false) return ; if ($this->Application->GetVar('tmp')) { $path = WRITEABLE.'/tmp/'.$this->Application->GetVar('id').'_'.$this->Application->GetVar('file'); }
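Review bot: The `strpos(..., '../')` filter in `OnDeleteFile` does not confine the scheduled path to the upload directory: `field` is taken from the request, and if it does not name an upload field `$options['upload_dir']` is presumably empty, so the path becomes `FULL_PATH` plus the supplied name; the filter also ignores backslash separators. The same substring check is added to `OnViewFile` in the next hunk and has the same limits. I would reject the request when `upload_dir` is empty, reduce `file` to its base name (assuming uploads are never stored in subdirectories of `upload_dir`), and drop the unused `$path =` assignment inside the array literal. No permission check is visible in the hunk before the deletion is queued; confirm the event is gated elsewhere.

```php
function OnDeleteFile(&$event)
{
	$file = basename((string) $this->Application->GetVar('file'));
	$object =& $event->getObject(array('skip_autoload'=>true));
	$options = $object->GetFieldOptions($this->Application->GetVar('field'));
	if ($file === '' || empty($options['upload_dir'])) {
		// unknown field or empty name: nothing may be scheduled
		return ;
	}
	// … unchanged: $var_name, RecallVar, unserialize …
	$schedule[] = array('action'=>'delete', 'file'=>FULL_PATH.$options['upload_dir'].$file);
	// … unchanged: StoreVar, Session->SaveData …
```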
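Review bot: In `OnViewFile` the new guard inspects only `file`, while the temp-file branch also concatenates the request's `id` into the path (`WRITEABLE.'/tmp/'.$this->Application->GetVar('id').'_'...`), so `id` can still carry directory separators. Validate it against the format the uploader generates, e.g. `if (!preg_match('/^[A-Za-z0-9_-]+$/', $this->Application->GetVar('id'))) return ;` inside the `tmp` branch; the exact character set should be confirmed against the uploader. The function body continues outside the hunk, so the non-tmp branch is not reviewed here.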