Commit bdd3062d authored by Gábor Hojtsy's avatar Gábor Hojtsy

Drupal 6.9

parent 13bbecba
// $Id$
Drupal 6.9, 2009-01-14
----------------------
- Fixed security issues, (Access Bypass, Validation Bypass and Hardening
against SQL injection), see SA-CORE-2009-001
- Made HTTP request checking more robust and informative.
- Fixed HTTP_HOST checking to work again with HTTP 1.0 clients and
basic shell scripts.
- Removed t() calls from all schema documentation. Suggested best practice
changed for contributed modules, see http://drupal.org/node/322731.
- Fixed a variety of small bugs.
Drupal 6.9-dev, xxxx-xx-xx (development release)
----------------------
......@@ -157,6 +168,13 @@ Drupal 6.0, 2008-02-13
- Removed old system updates. Updates from Drupal versions prior to 5.x will
require upgrading to 5.x before upgrading to 6.x.
Drupal 5.15, 2009-01-14
----------------------
- Fixed security issues, (Hardening against SQL injection), see SA-CORE-2009-001
- Fixed HTTP_HOST checking to work again with HTTP 1.0 clients and
basic shell scripts.
- Fixed a variety of small bugs.
Drupal 5.14, 2008-12-11
----------------------
- Removed a previous change incompatible with PHP 5.1.x and lower.
......
......@@ -577,7 +577,7 @@ function drupal_error_handler($errno, $message, $filename, $line, $context) {
return;
}
if ($errno & (E_ALL)) {
if ($errno & (E_ALL ^ E_NOTICE)) {
$types = array(1 => 'error', 2 => 'warning', 4 => 'parse error', 8 => 'notice', 16 => 'core error', 32 => 'core warning', 64 => 'compile error', 128 => 'compile warning', 256 => 'user error', 512 => 'user warning', 1024 => 'user notice', 2048 => 'strict warning', 4096 => 'recoverable fatal error');
// For database errors, we want the line number/file name of the place that
......
......@@ -1977,7 +1977,9 @@ function node_search_validate($form, &$form_state) {
function node_access($op, $node, $account = NULL) {
global $user;
if (!$node) {
if (!$node || !in_array($op, array('view', 'update', 'delete', 'create'), TRUE)) {
// If there was no node to check against, or the $op was not one of the
// supported ones, we return access denied.
return FALSE;
}
// Convert the node to an object if necessary:
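Review bot: The new comment in node_access() says what the guard does but not why the `$op` whitelist matters, and the function's docblock (outside this hunk) may not yet state that an unsupported `$op` returns FALSE. If `$op` is used further down to build the grants query, as the changelog entry "Hardening against SQL injection" suggests, the comment should say so, for example `// $op is used below when building the access query, so only the four known operations may pass.` The strict `in_array(..., TRUE)` is worth keeping as written, because it also rejects non-string values that a loose comparison could let through. The body of node_access() continues past the hunk, so the later use of `$op` needs to be confirmed there.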
......
......@@ -9,7 +9,7 @@
/**
* The current system version.
*/
define('VERSION', '6.9-dev');
define('VERSION', '6.9');
/**
* Core API compatibility.
......
......@@ -76,10 +76,7 @@ function translation_menu() {
* all languages).
*/
function _translation_tab_access($node) {
if (!empty($node->language) && translation_supported_type($node->type)) {
return user_access('translate content');
}
return FALSE;
return !empty($node->language) && translation_supported_type($node->type) && node_access('view', $node) && user_access('translate content');
}
/**
......@@ -192,15 +189,27 @@ function translation_nodeapi(&$node, $op, $teaser, $page) {
switch ($op) {
case 'prepare':
if (empty($node->nid) && isset($_GET['translation']) && isset($_GET['language']) &&
($source_nid = $_GET['translation']) && ($language = $_GET['language']) &&
(user_access('translate content'))) {
// We are translating a node from a source node, so
// load the node to be translated and populate fields.
$node->language = $language;
$node->translation_source = node_load($source_nid);
$node->title = $node->translation_source->title;
$node->body = $node->translation_source->body;
if (empty($node->nid) && user_access('translate content') && isset($_GET['translation']) && isset($_GET['language']) && is_numeric($_GET['translation'])) {
$translation_source = node_load($_GET['translation']);
if (empty($translation_source) || !node_access('view', $translation_source)) {
// Source node not found or no access to view. We should not check
// for edit access, since the translator might not have permissions
// to edit the source node but should still be able to translate.
return;
}
$language_list = language_list();
if (!isset($language_list[$_GET['language']]) || ($translation_source->language == $_GET['language'])) {
// If not supported language, or same language as source node, break.
return;
}
// Populate fields based on source node.
$node->language = $_GET['language'];
$node->translation_source = $translation_source;
$node->title = $translation_source->title;
// If user has no access to the filter used for the body, Drupal core
// does not let the edit form to appear, so we should avoid exposing
// the source text here too.
$node->body = filter_access($translation_source->format) ? $translation_source->body : '';
// Let every module add custom translated fields.
node_invoke_nodeapi($node, 'prepare translation');
}
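Review bot: In the 'prepare' case, `$_GET['language']` is used as an array index and assigned to `$node->language` without a check that it is a string, and `is_numeric()` accepts forms such as `1.5` or `1e3` for the source node id. Adding `is_string($_GET['language'])` to the opening condition stops a request that supplies an array for `language` from reaching the `isset($language_list[...])` lookup. Casting once with `$source_nid = (int) $_GET['translation'];` before `node_load()` makes the accepted form explicit. The second inline comment says "break" while the code does `return`, which leaves translation_nodeapi() altogether; the comment should match the code. The rest of the switch lies outside this hunk.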
......
......@@ -1534,6 +1534,7 @@ function user_edit_form(&$form_state, $uid, $edit, $register = FALSE) {
$form['picture']['picture_delete'] = array('#type' => 'hidden');
}
$form['picture']['picture_upload'] = array('#type' => 'file', '#title' => t('Upload picture'), '#size' => 48, '#description' => t('Your virtual face or picture. Maximum dimensions are %dimensions and the maximum size is %size kB.', array('%dimensions' => variable_get('user_picture_dimensions', '85x85'), '%size' => variable_get('user_picture_file_size', '30'))) .' '. variable_get('user_picture_guidelines', ''));
$form['#validate'][] = 'user_profile_form_validate';
$form['#validate'][] = 'user_validate_picture';
}
$form['#uid'] = $uid;
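Review bot: The `user_profile_form_validate` entry, which appears to be the line this hunk adds, has no comment explaining why the form's own validator must be listed by hand. A later cleanup could therefore remove it as redundant and reopen the validation bypass named in the changelog. Presumably the Form API attaches the default validator only when `#validate` is unset, which the `user_validate_picture` line prevents. A comment such as `// Setting #validate suppresses the default handler, so add it explicitly before the picture validator.` would record that. The enclosing `if` block opens outside this hunk, and a regression test that submits an invalid e-mail address with pictures enabled would guard the behaviour.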
......