author | Angie Byron <webchick@24967.no-reply.drupal.org> | 2008-10-11 03:08:09 +0000 |
---|---|---|
committer | Angie Byron <webchick@24967.no-reply.drupal.org> | 2008-10-11 03:08:09 +0000 |
commit | 240fa1b407af70c45fbc133d815ff894e821777c (patch) | |
tree | e810299417a69a700388ea121d95cb165cbb9ca8 /modules/blogapi/blogapi.module | |
parent | fcf34c3abca85191ca4efefc7c7864facc4c6f6c (diff) | |
#319346: SA-2008-60 (#318706): blogapi_mt_set_post_categories() allows assigning arbitrary categories.
Diffstat (limited to 'modules/blogapi/blogapi.module')
-rw-r--r-- | modules/blogapi/blogapi.module | 48 |
1 files changed, 48 insertions, 0 deletions
diff --git a/modules/blogapi/blogapi.module b/modules/blogapi/blogapi.module
index 9a55666b9..ed1e337e2 100644
--- a/modules/blogapi/blogapi.module
+++ b/modules/blogapi/blogapi.module
@@ -516,12 +516,60 @@ function blogapi_mt_set_post_categories($postid, $username, $password, $categori
 foreach ($categories as $category) {
 $node->taxonomy[] = $category['categoryId'];
 }
+ $validated = blogapi_mt_validate_terms($node);
+ if ($validated !== TRUE) {
+ return $validated;
+ }
 node_save($node);
 return TRUE;
 }
 /**
+ * Blogging API helper - find allowed taxonomy terms for a node type.
+ */
+function blogapi_mt_validate_terms($node) {
+ // We do a lot of heavy lifting here since taxonomy module doesn't have a
+ // stand-alone validation function.
+ if (module_exists('taxonomy')) {
+ $found_terms = array();
+ if (!empty($node->taxonomy)) {
+ $term_list = array_unique($node->taxonomy);
+ $params = $term_list;
+ $params[] = $node->type;
+ $result = db_query(db_rewrite_sql("SELECT t.tid, t.vid FROM {term_data} t INNER JOIN {vocabulary_node_types} n ON t.vid = n.vid WHERE t.tid IN (". db_placeholders($term_list) .") AND n.type = '%s'", 't', 'tid'), $params);
+ $found_terms = array();
+ $found_count = 0;
+ while ($term = db_fetch_object($result)) {
+ $found_terms[$term->vid][$term->tid] = $term->tid;
+ $found_count++;
+ }
+ // If the counts don't match, some terms are invalid or not accessible to this user.
+ if (count($term_list) != $found_count) {
+ return blogapi_error(t('Invalid categories submitted.'));
+ }
+ }
+ // Look up all the vocabularies for this node type.
+ $result2 = db_query(db_rewrite_sql("SELECT v.vid, v.name, v.required, v.multiple FROM {vocabulary} v INNER JOIN {vocabulary_node_types} n ON v.vid = n.vid WHERE n.type = '%s'", 'v', 'vid'), $node->type);
+ // Check each vocabulary associated with this node type.
+ while ($vocabulary = db_fetch_object($result2)) {
+ // Required vocabularies must have at least one term.
+ if ($vocabulary->required && empty($found_terms[$vocabulary->vid])) {
+ return blogapi_error(t('A category from the @vocabulary_name vocabulary is required.', array('@vocabulary_name' => $vocabulary->name)));
+ }
+ // Vocabularies that don't allow multiple terms may have at most one.
+ if (!($vocabulary->multiple) && (isset($found_terms[$vocabulary->vid]) && count($found_terms[$vocabulary->vid]) > 1)) {
+ return blogapi_error(t('You may only choose one category from the @vocabulary_name vocabulary.'), array('@vocabulary_name' => $vocabulary->name));
+ }
+ }
+ }
+ elseif (!empty($node->taxonomy)) {
+ return blogapi_error(t('Error saving categories. This feature is not available.'));
+ }
+ return TRUE;
+}
+
+/**
 * Blogging API callback. Sends a list of available input formats.
 */
 function blogapi_mt_supported_text_filters() {
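Review bot: The "only one category" error in the second `if` of the vocabulary loop passes the replacement array to `blogapi_error()` rather than to `t()`, so `@vocabulary_name` is never substituted and the XML-RPC client receives the literal placeholder; the closing parenthesis should move inside the `t()` call: `return blogapi_error(t('You may only choose one category from the @vocabulary_name vocabulary.', array('@vocabulary_name' => $vocabulary->name)));`. The "required" error a few lines above shows the intended form. In blogapi_mt_validate_terms `$found_terms = array();` is also assigned twice, once before and once inside the `!empty($node->taxonomy)` branch, and the inner assignment is redundant. The first four added lines sit inside blogapi_mt_set_post_categories, whose signature is outside the hunk.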