Mercurial > defr > drupal > core
diff modules/blogapi/blogapi.module @ 11:589fb7c02327 6.5
Drupal 6.5
| author | Franck Deroche <webmaster@defr.org> |
|---|---|
| date | Tue, 23 Dec 2008 14:32:19 +0100 |
| parents | acef7ccb09b5 |
| children |
line wrap: on
line diff
--- a/modules/blogapi/blogapi.module Tue Dec 23 14:32:08 2008 +0100 +++ b/modules/blogapi/blogapi.module Tue Dec 23 14:32:19 2008 +0100 @@ -1,5 +1,5 @@ <?php -// $Id: blogapi.module,v 1.115.2.3 2008/08/13 23:59:13 drumm Exp $ +// $Id: blogapi.module,v 1.115.2.5 2008/10/08 20:12:17 goba Exp $ /** * @file @@ -222,6 +222,11 @@ node_invoke_nodeapi($edit, 'blogapi new'); + $valid = blogapi_status_error_check($edit, $publish); + if ($valid !== TRUE) { + return $valid; + } + node_validate($edit); if ($errors = form_get_errors()) { return blogapi_error(implode("\n", $errors)); @@ -259,7 +264,8 @@ if (!node_access('update', $node)) { return blogapi_error(t('You do not have permission to update this post.')); } - + // Save the original status for validation of permissions. + $original_status = $node->status; $node->status = $publish; // check for bloggerAPI vs. metaWeblogAPI @@ -275,6 +281,11 @@ node_invoke_nodeapi($node, 'blogapi edit'); + $valid = blogapi_status_error_check($node, $original_status); + if ($valid !== TRUE) { + return $valid; + } + node_validate($node); if ($errors = form_get_errors()) { return blogapi_error(implode("\n", $errors)); @@ -308,6 +319,33 @@ } /** + * Check that the user has permission to save the node with the chosen status. + * + * @return + * TRUE if no error, or the blogapi_error(). + */ +function blogapi_status_error_check($node, $original_status) { + + $node = (object) $node; + + $node_type_default = variable_get('node_options_'. $node->type, array('status', 'promote')); + + // If we don't have the 'administer nodes' permission and the status is + // changing or for a new node the status is not the content type's default, + // then return an error. + if (!user_access('administer nodes') && (($node->status != $original_status) || (empty($node->nid) && $node->status != in_array('status', $node_type_default)))) { + if ($node->status) { + return blogapi_error(t('You do not have permission to publish this type of post. Please save it as a draft instead.')); + } + else { + return blogapi_error(t('You do not have permission to save this post as a draft. Please publish it instead.')); + } + } + return TRUE; +} + + +/** * Blogging API callback. Removes the specified blog node. */ function blogapi_blogger_delete_post($appkey, $postid, $username, $password, $publish) { @@ -437,6 +475,11 @@ * associated with a blog node. */ function blogapi_metaweblog_get_category_list($blogid, $username, $password) { + $user = blogapi_validate_user($username, $password); + if (!$user->uid) { + return blogapi_error($user); + } + if (($error = _blogapi_validate_blogid($blogid)) !== TRUE) { // Return an error if not configured type. return $error; @@ -509,11 +552,59 @@ foreach ($categories as $category) { $node->taxonomy[] = $category['categoryId']; } + $validated = blogapi_mt_validate_terms($node); + if ($validated !== TRUE) { + return $validated; + } node_save($node); return TRUE; } /** + * Blogging API helper - find allowed taxonomy terms for a node type. + */ +function blogapi_mt_validate_terms($node) { + // We do a lot of heavy lifting here since taxonomy module doesn't have a + // stand-alone validation function. + if (module_exists('taxonomy')) { + $found_terms = array(); + if (!empty($node->taxonomy)) { + $term_list = array_unique($node->taxonomy); + $params = $term_list; + $params[] = $node->type; + $result = db_query(db_rewrite_sql("SELECT t.tid, t.vid FROM {term_data} t INNER JOIN {vocabulary_node_types} n ON t.vid = n.vid WHERE t.tid IN (". db_placeholders($term_list) .") AND n.type = '%s'", 't', 'tid'), $params); + $found_terms = array(); + $found_count = 0; + while ($term = db_fetch_object($result)) { + $found_terms[$term->vid][$term->tid] = $term->tid; + $found_count++; + } + // If the counts don't match, some terms are invalid or not accessible to this user. + if (count($term_list) != $found_count) { + return blogapi_error(t('Invalid categories submitted.')); + } + } + // Look up all the vocabularies for this node type. + $result2 = db_query(db_rewrite_sql("SELECT v.vid, v.name, v.required, v.multiple FROM {vocabulary} v INNER JOIN {vocabulary_node_types} n ON v.vid = n.vid WHERE n.type = '%s'", 'v', 'vid'), $node->type); + // Check each vocabulary associated with this node type. + while ($vocabulary = db_fetch_object($result2)) { + // Required vocabularies must have at least one term. + if ($vocabulary->required && empty($found_terms[$vocabulary->vid])) { + return blogapi_error(t('A category from the @vocabulary_name vocabulary is required.', array('@vocabulary_name' => $vocabulary->name))); + } + // Vocabularies that don't allow multiple terms may have at most one. + if (!($vocabulary->multiple) && (isset($found_terms[$vocabulary->vid]) && count($found_terms[$vocabulary->vid]) > 1)) { + return blogapi_error(t('You may only choose one category from the @vocabulary_name vocabulary.'), array('@vocabulary_name' => $vocabulary->name)); + } + } + } + elseif (!empty($node->taxonomy)) { + return blogapi_error(t('Error saving categories. This feature is not available.')); + } + return TRUE; +} + +/** * Blogging API callback. Sends a list of available input formats. */ function blogapi_mt_supported_text_filters() { @@ -544,11 +635,16 @@ return blogapi_error(t('Invalid post.')); } - $node->status = 1; - if (!node_access('update', $node)) { + // Nothing needs to be done if already published. + if ($node->status) { + return; + } + + if (!node_access('update', $node) || !user_access('administer nodes')) { return blogapi_error(t('You do not have permission to update this post.')); } + $node->status = 1; node_save($node); return TRUE;