Up to 72ff76b 13.03.22

Author: uralm1

.htaccess

@@ -1,3 +1,3 @@
 RewriteEngine On
 RewriteRule (installer\.php|index\.php|install_form.js.php)$ - [L]
-RewriteRule !.+\.(png|jpg|gif|GIF|PNG|JPG|jpeg|JPEG|ICO|js|css|html|xml|htm|woff|eot|woff2|ttf)$ 403.html [L]
+RewriteRule !.+\.(png|jpg|gif|GIF|PNG|JPG|jpeg|JPEG|ICO|js|css|html|xml|htm|woff|eot|woff2|ttf|svg)$ 403.html [L]

Dataface/Application.php

@@ -241,6 +241,7 @@ function createLoginToken($username, $redirectUrl = null) {
         if (!$redirectUrl) {
             $redirectUrl = DATAFACE_SITE_HREF;
         }
+        $allowEmailLoginAndAutoRegister = $this->getEmailColumn() and $this->usernameColumn and @$this->conf['allow_register'] and @$this->conf['auto_register'] and $this->isEmailLoginAllowed();
 
         // We need to verify the username
         if ($this->usernameColumn) {
@@ -261,7 +262,10 @@ function createLoginToken($username, $redirectUrl = null) {
                 list($num) = xf_db_fetch_row($res);
                 xf_db_free_result($res);
                 if (intval($num) !== 1) {
-                    return false;
+                    if (!$allowEmailLoginAndAutoRegister) {
+                        return false;
+                    }
+                    
                 }
             }
         }
@@ -306,16 +310,28 @@ function getCredentials(){
                 $tokenTable = self::TOKEN_TABLE;
                 if (self::table_exists($tokenTable)) {
                     $res = xf_db_query("delete from `".$tokenTable."` where expires < NOW()", df_db());
-                    
-                    $res = xf_db_query("select `username`, `autologin` from `".$tokenTable."` where `token` = '".addslashes($token)."'", df_db());
+                    if (!empty($this->conf['short_token_length']) and intval($this->conf['short_token_length']) === strlen($token)) {
+                        $tokLen = strlen($token);
+                        $res = xf_db_query("select `username`, `autologin`, `token` from `".$tokenTable."` where SUBSTRING(MD5(`token`), 1, $tokLen)  = '".addslashes($token)."'",df_db());
+                    } else {
+                        $res = xf_db_query("select `username`, `autologin`, `token` from `".$tokenTable."` where `token` = '".addslashes($token)."'",df_db());
+                    }
+                     
                     if (!$res) {
                         throw new Exception("SQL error checking token");
                     }
-                    list($username, $autologin) = xf_db_fetch_row($res);
-                    if ($autologin and @$this->conf['autologin']) {
-                        $_REQUEST['--remember-me'] = 1;
+                    if (xf_db_num_rows($res) > 0) {
+                        
+                    
+                        list($username, $autologin, $token) = xf_db_fetch_row($res);
+                        if ($autologin and @$this->conf['autologin']) {
+                            $_REQUEST['--remember-me'] = 1;
+                        }
+                        
                     }
                     xf_db_free_result($res);
+                    
+                    
                 } 
             }
             if ($username and self::is_email_address($username) and $this->usersTable and $this->getEmailColumn()) {
@@ -328,6 +344,10 @@ function getCredentials(){
                 list($numUsernames) = xf_db_fetch_row($res);
                 xf_db_free_result($res);
                 if ($numUsernames == 0) {
+                    
+                    
+                    
+                    
                     // No usernames found
                     // Let's try to find an email address.
                     $res = xf_db_query("select `".$this->usernameColumn."` from `".$this->usersTable."` where `".$this->getEmailColumn()."` = '".addslashes($username)."'", df_db());
@@ -339,6 +359,20 @@ function getCredentials(){
                     } else if (xf_db_num_rows($res) == 1) {
                         // One to one match
                         list($username) = xf_db_fetch_row($res);
+                    } else {
+                        if ($this->getEmailColumn() and $this->usernameColumn and @$this->conf['allow_register'] and @$this->conf['auto_register'] and $this->isEmailLoginAllowed()) {
+                            $values = [];
+                            $values[$this->getEmailColumn()] = $username;
+                            $values[$this->usernameColumn] = $username;
+                            $record = new Dataface_Record($this->usersTable, array());
+                    		$record->setValues($values);
+                    		$res2 = $record->save();
+                    		if ( PEAR::isError($res2) ){
+                                xf_db_free_result($res);
+                    			throw new Exception("Failed to save user record: " . $res->getMessage());
+                    		} 
+		
+                        }
                     }
                     xf_db_free_result($res);
                 }
@@ -463,14 +497,25 @@ function userHasPassword() {
         return false;
     }
 
+    
+
     /**
      * Creates a session token.
      */
-	function createToken() {
+	function createToken($addToDatabase = false) {
 		if (session_id() == '') {
 			return null;
 		}
-		return md5('sessid').'.'.base64_encode(session_id());
+        $tok = md5('sessid').'.'.base64_encode(session_id());
+        if ($addToDatabase) {
+            Dataface_Application::getInstance()->updateBearerTokensTables();
+            $res = xf_db_query("replace into dataface__tokens (`token`, `hashed_token`) values ('".addslashes($tok)."', '".addslashes(sha1($tok))."')", df_db());
+            if (!$res) {
+                error_log("Failed ot add token to database: " . xf_db_error(df_db()));
+                throw new Exception("Failed to add token to database");
+            }
+        }
+		return $tok;
 	}
 
 	function authenticate(){
@@ -547,7 +592,7 @@ function authenticate(){
 				if ($json) {
 					df_write_json(array(
 						'code' => 200,
-						'token' => $this->createToken(),
+						'token' => $this->createToken(true),
 						'message' => 'Logged in'
 					));
 					exit;
@@ -624,7 +669,7 @@ function authenticate(){
 			if ($json) {
 				df_write_json(array(
 					'code' => 200,
-					'token' => $this->createToken(),
+					'token' => $this->createToken(true),
 					'message' => 'Logged in'
 				));
 				exit;
@@ -719,6 +764,10 @@ function showLoginPrompt($msg=''){
 			echo "<html><body>Please Log In</body></html>";
 			exit;
 		}
+        if (@$query['-response'] == 'json') {
+            df_write_json(['code' => 401, 'message' => 'Please log in']);
+            exit;
+        }
 
 		if ( isset($this->delegate) and method_exists($this->delegate, 'showLoginPrompt') ){
 			return $this->delegate->showLoginPrompt($msg);

Dataface/AuthenticationTool.php

@@ -256,6 +256,12 @@ function createFeedItem(&$record){
 		$item->title = $data['title'];
 		$item->link = $data['link'];
 		$item->description = $data['description']; 
+		if (!empty($data['itunes'])) {
+		    $item->itunes = $data['itunes'];
+		}
+        if (!empty($data['guid'])) {
+            $item->guid = $data['guid'];
+        }
 
 		//optional
 		//item->descriptionTruncSize = 500;
@@ -303,6 +309,12 @@ function createFeed($query=null){
 		if (!empty($feed_data['itunes'])) {
 		    $rss->itunes = $feed_data['itunes'];
 		}
+        if (!empty($feed_data['copyright'])) {
+            $rss->copyright = $feed_data['copyright'];
+        }
+        if (!empty($feed_data['language'])) {
+            $rss->language = $feed_data['language'];
+        }
 		//optional
 		//$rss->descriptionTruncSize = 500;
 		//$rss->descriptionHtmlSyndicated = true;

Dataface/FeedTool.php

@@ -911,7 +911,7 @@ function _update(&$record, $keys=null, $tablename=null, $secure=false  ){
 						// we don't need to perform any permissions on it
 						continue;
 					}
-                    if (@$field['ownerstamp']) {
+                    if (@$field['ownerstamp'] or @$field['uuid']) {
                         continue;
                     }
 					// If this field's change doesn't have veto power and its value has changed,

Dataface/IO.php

@@ -417,7 +417,7 @@ function update(&$record, $key_vals=null, $tablename=null){
 				// state of the record.
 				continue;
 			}
-            if (@$fieldArr['ownerstamp']) {
+            if (@$fieldArr['ownerstamp'] or @$fieldArr['uuid']) {
                 continue;
             }
 
@@ -515,6 +515,11 @@ function insert(&$record, $tablename=null){
 					continue;
 				}
 			}
+            if (@$field['uuid']) {
+                $insertedKeys[] = '`'.$key.'`';
+                $insertedValues[] = 'UUID()';
+                continue;
+            }
             if (@$field['ownerstamp']) {
                 if (class_exists('Dataface_AuthenticationTool')) {
                     $auth = Dataface_AuthenticationTool::getInstance();
@@ -528,9 +533,10 @@ function insert(&$record, $tablename=null){
                     } else {
                         $user = $auth->getLoggedInUser();
                         if ($user) {
-                            $keynames = array_keys($keys);
+                            $keynames = array_keys($user->table()->keys());
                             if (count($keynames) == 1) {
-                                $id = $user->val($keynames[0]);
+                                $keyname = array_shift($keynames);
+                                $id = $user->val($keyname);
                                 $insertedKeys[] = '`'.$key.'`';
                                 $insertedValues[] = $this->prepareValue($key, $id);
                                 $record->setValue($key, $id);

Dataface/QueryBuilder.php

@@ -157,6 +157,10 @@ class Dataface_QuickForm extends HTML_QuickForm {
 
 
 	var $submitLabel = null;
+    
+    private $addRelatedContext;
+    private $parentRecord;
+    private $relationship;
 
 	/**
 	 * @param $tablename The name of the table upon which this form is based. - or a Dataface_Record object to edit.
@@ -179,6 +183,22 @@ function __construct($tablename, $db='',  $query='', $formname='', $new=false, $
 		$app =& Dataface_Application::getInstance();
 		$this->app =& $app;
 		$appQuery =& $app->getQuery();
+        
+        if ($new) {
+            // This request may have been redirected from new_related_record if this table is being used
+            // as a proxy for adding to a relationship.  In this case it would pass the -add-related-context
+            // parameter with a JSON value of the form ['id' => RECORDID, ' => 'relationship' => RELATIONSHIPNAME]
+            $this->addRelatedContext = empty($query['-add-related-context']) ? 
+                    null : 
+                    json_decode($query['-add-related-context'], true);
+            $this->parentRecord = ($this->addRelatedContext and !empty($this->addRelatedContext['id'])) ? 
+                    df_get_record_by_id($this->addRelatedContext['id']) : 
+                    null;
+            $this->relationship = ($this->addRelatedContext and $this->parentRecord and !empty($this->addRelatedContext['relationship'])) ?
+                    $this->parentRecord->_table->getRelationship($this->addRelatedContext['relationship']) : 
+                    null;
+        }
+        
 		if ( !isset($lang) && !isset($this->_lang) ){
 			$this->_lang = $app->_conf['lang'];
 		} else if ( isset($lang) ){

Dataface/QuickForm.php

@@ -429,7 +429,9 @@ function callDelegateFunction($function, $fallback=null, $param=null){
 	}
 
 
-
+    function tablename() {
+        return $this->_table->tablename;
+    }
 
 
 	/**
@@ -2597,11 +2599,15 @@ function display($fieldname, $index=0, $where=0, $sort=0, $urlencode=true, $thum
 		}
 
 		$field =& $this->_table->getField($fieldname);
+        if (PEAR::isError($field)) {
+            throw new Exception("Attempt to get non-existent field $fieldname in table ".$this->_table->tablename.": ".$field->getMessage());
+        }
 		if (@$field['displayField']) {
 			return $this->display($field['displayField'], $index, $where, $sort, $urlencode);
 		}
 		if ( $this->_table->isBlob($fieldname) or ($this->_table->isContainer($fieldname) and (@$field['secure'] or @$field['transform']))){
-			if ($this->getLength($fieldname) > 0) {
+			$thumb = null;
+            if ($this->getLength($fieldname) > 0) {
 				unset($table);
 				$table =& Dataface_Table::loadTable($field['tablename']);
 				$keys = array_keys($table->keys());
@@ -2623,6 +2629,15 @@ function display($fieldname, $index=0, $where=0, $sort=0, $urlencode=true, $thum
 			} else {
 				$out = '';
 			}
+            
+			$evt = new stdClass;
+			$evt->record = $this;
+			$evt->field =& $field;
+			$evt->value = $out;
+            $evt->thumb = $thumb;
+			$table->app->fireEvent('Record::display', $evt);
+			$out = $evt->value;
+            
 			if (!$thumbnail) {
 			    $this->cache[__FUNCTION__][$fieldname][$index][$where][$sort] = $out;
 			}
@@ -2644,6 +2659,15 @@ function display($fieldname, $index=0, $where=0, $sort=0, $urlencode=true, $thum
 			if ( strlen($out) > 1 and $out[0] == '/' and $out[1] == '/' ){
 				$out = substr($out,1);
 			}
+            
+			$evt = new stdClass;
+			$evt->record = $this;
+			$evt->field =& $field;
+			$evt->value = $out;
+            $evt->thumbnail = $thumbnail;
+			$table->app->fireEvent('Record::display', $evt);
+			$out = $evt->value;
+            
 			$this->cache[__FUNCTION__][$fieldname][$index][$where][$sort] = $out;
 			if (!$out and @$field['display.fallback']) {
 				$out = $field['display.fallback'];

Dataface/Record.php

@@ -776,6 +776,7 @@ function toHtml($mode = 'all') {
         ob_start();
         $context['filters'] = $this->filters;
         $context['listStyle'] = $this->listStyle;
+        $context['targetDevice'] = $mode;
         df_display($context, 'xataface/RelatedList/list.html');
         $out = ob_get_contents();
         ob_end_clean();

Dataface/RelatedList.php

@@ -120,8 +120,23 @@ function __construct($tablename, $relationshipName, &$values){
 		$this->_permissions =& $this->_schema['permissions'];
 
 	}
-		function Dataface_Relationship($tablename, $relationshipName, &$values) { self::__construct($tablename, $relationshipName, $values); }
-	
+	function Dataface_Relationship($tablename, $relationshipName, &$values) { self::__construct($tablename, $relationshipName, $values); }
+	
+    /**
+     * Returns the name of a table that is used as a proxy for inserting new records into this 
+     * relationship.
+     */
+    function getAddRelatedRecordTable() {
+        if (!empty($this->_schema['add']['table'])) {
+            return $this->_schema['add']['table'];
+        }
+        $defaultTableName = 'xf_add_'.$this->_sourceTable->tablename . '__' . $this->_name;
+        if (Dataface_Table::tableExists($defaultTableName)) {
+            return $defaultTableName;
+        }
+        return null;
+    }
+    
 
 	function &getFieldDefOverride($field_name, $default=array()){
 		if ( strpos($field_name,'.') !== false	){
@@ -141,6 +156,10 @@ function setFieldDefOverride($field_name, array $field_def){
 		}
 		$this->_field_def_overrides[$field_name] = $field_def;
 	}
+    
+    function isLinkToDomainRecord() {
+        return !empty($this->_schema['list']['link_to_domain_record']) and $this->_schema['list']['link_to_domain_record'];
+    }
 
 	/**
 	 * Returns an array of names of fields in this relationship.