Move photo deletion from ViewPhoto to EditAsset
Removes the intermediate confirmation page, instead using JavaScript for confirmation. Fixes an XSS issue, in that the previous method was not passing or checking the session (!)
This commit is contained in:
@@ -22,8 +22,14 @@ class EditAsset extends HTMLController
|
||||
if (!($user->isAdmin() || $asset->isOwnedBy($user)))
|
||||
throw new NotAllowedException();
|
||||
|
||||
if (isset($_REQUEST['delete']))
|
||||
throw new Exception('Not implemented.');
|
||||
if (isset($_REQUEST['delete']) && Session::validateSession('get'))
|
||||
{
|
||||
$redirectUrl = BASEURL . '/' . $asset->getSubdir();
|
||||
$asset->delete();
|
||||
|
||||
header('Location: ' . $redirectUrl);
|
||||
exit;
|
||||
}
|
||||
|
||||
if (!empty($_POST))
|
||||
{
|
||||
|
||||
@@ -21,39 +21,14 @@ class ViewPhoto extends HTMLController
|
||||
|
||||
parent::__construct($photo->getTitle() . ' - ' . SITE_TITLE);
|
||||
|
||||
$author = $photo->getAuthor();
|
||||
|
||||
if (isset($_REQUEST['confirm_delete']) || isset($_REQUEST['delete_confirmed']))
|
||||
$this->handleConfirmDelete($user, $author, $photo);
|
||||
else
|
||||
$this->handleViewPhoto($user, $author, $photo);
|
||||
}
|
||||
|
||||
private function handleConfirmDelete(User $user, User $author, Asset $photo)
|
||||
{
|
||||
if (!($user->isAdmin() || $user->getUserId() === $author->getUserId()))
|
||||
throw new NotAllowedException();
|
||||
|
||||
if (isset($_REQUEST['confirm_delete']))
|
||||
{
|
||||
$page = new ConfirmDeletePage($photo->getImage());
|
||||
$this->page->adopt($page);
|
||||
}
|
||||
elseif (isset($_REQUEST['delete_confirmed']))
|
||||
{
|
||||
$album_url = $photo->getSubdir();
|
||||
$photo->delete();
|
||||
|
||||
header('Location: ' . BASEURL . '/' . $album_url);
|
||||
exit;
|
||||
}
|
||||
}
|
||||
|
||||
private function handleViewPhoto(User $user, User $author, Asset $photo)
|
||||
{
|
||||
if (!empty($_POST))
|
||||
$this->handleTagging($photo->getImage());
|
||||
else
|
||||
$this->handleViewPhoto($photo);
|
||||
}
|
||||
|
||||
private function handleViewPhoto(Asset $photo)
|
||||
{
|
||||
$page = new PhotoPage($photo->getImage());
|
||||
|
||||
// Exif data?
|
||||
@@ -75,9 +50,6 @@ class ViewPhoto extends HTMLController
|
||||
if ($next_url)
|
||||
$page->setNextPhotoUrl($next_url);
|
||||
|
||||
if ($user->isAdmin() || $user->getUserId() === $author->getUserId())
|
||||
$page->setIsAssetOwner(true);
|
||||
|
||||
$this->page->adopt($page);
|
||||
$this->page->setCanonicalUrl($photo->getPageUrl());
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user