working around use_only_cookies
authorCash Costello <cash.costello@gmail.com>
Sat, 30 Oct 2010 16:58:33 +0000 (16:58 +0000)
committerCash Costello <cash.costello@gmail.com>
Sat, 30 Oct 2010 16:58:33 +0000 (16:58 +0000)
start.php
views/default/tidypics/forms/ajax_upload.php

index c44bc9f1e503280fee8edf922a4f1a95107fc209..4d2b127983fa3a214774de2cc047d54fbdc495a4 100644 (file)
--- a/start.php
+++ b/start.php
@@ -68,6 +68,9 @@ function tidypics_init() {
 
        // slideshow plugin hook
        register_plugin_hook('tp_slideshow', 'album', 'tidypics_slideshow');
+
+        // ajax handler for uploads when use_only_cookies is set
+        register_plugin_hook('forward', 'system', 'tidypics_ajax_session_handler');
 }
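Review bot: The comment at L18 describes the handler as "ajax handler for uploads", but the hook it is registered on, `'forward', 'system'`, appears to be Elgg's generic redirect hook, so the callback runs on every `forward()` and does its own URL filtering inside `tidypics_ajax_session_handler()`. A reader of `tidypics_init()` cannot see that from this line; suggest `// runs on every forward(); tidypics_ajax_session_handler() acts only for the ajax_upload action URL (Flash clients lose the session cookie when use_only_cookies is set)`. The rest of `tidypics_init()` lies outside the hunk.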
 
 /**
@@ -451,10 +454,73 @@ function tidypics_slideshow($hook, $entity_type, $returnvalue, $params) {
        return $slideshow_link;
 }
 
+/**
+ * Convenience function for listing recent images
+ * 
+ * @param int $max
+ * @param bool $pagination
+ * @return string
+ */
 function tp_mostrecentimages($max = 8, $pagination = true) {
        return list_entities("object", "image", 0, $max, false, false, $pagination);
 }
 
+/**
+ * Work around for Flash/session issues
+ *
+ * @param string $hook
+ * @param string $entity_type
+ * @param string $returnvalue
+ * @param array  $params
+ */
+function tidypics_ajax_session_handler($hook, $entity_type, $returnvalue, $params) {
+    global $CONFIG;
+
+    $url = current_page_url();
+    if ($url !== "{$CONFIG->wwwroot}action/tidypics/ajax_upload/") {
+        return;
+    }
+
+    if (get_loggedin_userid() != 0) {
+        return;
+    }
+
+    // action_gatekeeper rejected ajax call from Flash due to session issue
+    
+       // Validate token
+    $token = get_input('__elgg_token');
+    $ts = get_input('__elgg_ts');
+    $session_id = get_input('Elgg');
+       $tidypics_token = get_input('tidypics_token');
+       $user_guid = get_input('user_guid');
+
+       $user = get_user($user_guid);
+       if (!$user) {
+               return;
+       }
+
+       if (!$token || !$ts || !$session_id || !$tidypics_token) {
+               return;
+       }
+
+       $hour = 60*60;
+       $now = time();
+       if ($ts < $now-$hour || $ts > $now+$hour) {
+               return;
+       }
+
+       $generated_token = md5($session_id . get_site_secret() . $ts . $user->salt);
+
+       if ($tidypics_token !== $generated_token) {
+               return;
+       }
+
+       // passed token test, so login and process action
+       login($user);
+       include $CONFIG->actions['tidypics/ajax_upload']['file'];
+
+       exit;
+}
 
 // Make sure tidypics_init is called on initialization
 register_elgg_event_handler('init', 'system', 'tidypics_init');
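Review bot: `$token` and `$ts` read at L61–62 are only tested for being non-empty; the Elgg action token they carry is never validated, so the sole check between an unauthenticated POST and `login($user)` at L89 is the `tidypics_token` comparison, and the docblock at L38–45 should state that this function performs a login on its own token. That comparison accepts any `__elgg_ts` within a two-hour window and nothing records a token as used, so a token copied out of the upload page remains a login credential for the whole window; the window should be as short as the Flash upload round-trip allows and the lifetime documented in the docblock. The token construction `md5($session_id . get_site_secret() . $ts . $user->salt)` concatenates variable-length fields without delimiters and uses an unkeyed hash; the conventional keyed form is `hash_hmac('sha256', $session_id . '|' . $ts . '|' . $user->guid . '|' . $user->salt, get_site_secret())`, and the generator in views/default/tidypics/forms/ajax_upload.php (hunk 3 below) must change identically. Style: the body mixes four-space indentation (L47–57) with tabs (L60–92), and `get_loggedin_userid() != 0` should be the strict `!== 0`.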
index 1d2a240ad58fd7a73553cb2be8ca998b8e0a1e3c..87a6ad0ed809b31213752f9de609acf478f4e410 100644 (file)
@@ -3,15 +3,13 @@
 extend_view('metatags', 'tidypics/js/uploader');
 
 $album = $vars['album'];
-$access_id = $album->access_id;
 
 $ts = time();
 $token = generate_action_token($ts);
-
 $batch = time();
+$tidypics_token = md5(session_id() . get_site_secret() . $ts . get_loggedin_user()->salt);
 
 $basic_uploader_url = current_page_url() . '/basic';
-
 $upload_endpoint_url = "{$vars['url']}action/tidypics/ajax_upload/";
 $upload_complete_url = "{$vars['url']}action/tidypics/ajax_upload_complete/";
 
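Review bot: The token derivation at L108 duplicates the one inside `tidypics_ajax_session_handler()` in start.php; a single helper such as `tidypics_generate_upload_token($ts, $user)` called from both places would keep generator and verifier from drifting apart. Because this value can log a user in on its own, it is a bearer credential embedded in the page; a short comment here, e.g. `// login-capable token for the Flash uploader; valid only for the window enforced by tidypics_ajax_session_handler()`, would make that visible to the next maintainer. `get_loggedin_user()->salt` presumably relies on this form only being rendered to logged-in users; if that is not guaranteed by the caller, `get_loggedin_user()` returning a non-object would be a fatal error here — worth confirming.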
@@ -73,11 +71,13 @@ $("#uploadify").uploadify({
        'uploader'     : '<?php echo $vars['url']; ?>mod/tidypics/vendors/uploadify/uploadify.swf',
        'script'       : '<?php echo $upload_endpoint_url; ?>',
        'scriptData'   : {
-                                               'album_guid'   : '<?php echo $album->guid; ?>',
-                                               '__elgg_token' : '<?php echo $token; ?>',
-                                               '__elgg_ts'    : '<?php echo $ts; ?>',
-                                               'Elgg'         : '<?php echo session_id(); ?>',
-                                               'batch'        : '<?php echo $batch; ?>'
+                                               'album_guid'     : '<?php echo $album->guid; ?>',
+                                               'user_guid'      : '<?php echo get_loggedin_userid(); ?>',
+                                               '__elgg_token'   : '<?php echo $token; ?>',
+                                               '__elgg_ts'      : '<?php echo $ts; ?>',
+                                               'Elgg'           : '<?php echo session_id(); ?>',
+                                               'tidypics_token' : '<?php echo $tidypics_token; ?>',
+                                               'batch'          : '<?php echo $batch; ?>'
                                         },
        'fileDataName' : 'Image',
        'cancelImg'    : '<?php echo $vars['url']; ?>_graphics/icon_customise_remove.gif',
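Review bot: The new `user_guid` and `tidypics_token` values at L125 and L129, like the existing ones, are echoed straight into single-quoted JavaScript string literals; today every value is numeric or hexadecimal (guid, user id, timestamp, md5 digest) plus the session id, so nothing breaks, but the pattern gives no protection if a free-form value is added later. Emitting each value with `json_encode()` — e.g. `'tidypics_token' : <?php echo json_encode($tidypics_token); ?>,` — makes the JS literal well-formed regardless of content. The surrounding `uploadify()` call starts and ends outside the hunk.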