Merge pull request #910 from rjmackay/2.6.x

2.6 post launch fixes

Author: kamaulynder

application/config/openlayers.ushahidi.cfg

@@ -30,6 +30,7 @@ OpenLayers/Layer/Google.js
 OpenLayers/Layer/Google/v3.js
 OpenLayers/Layer/Markers.js
 OpenLayers/Layer/OSM.js
+OpenLayers/Layer/TMS.js
 OpenLayers/Layer/Vector.js
 OpenLayers/Layer/WMS.js
 OpenLayers/Layer/XYZ.js

application/controllers/json.php

@@ -169,8 +169,21 @@ protected function markers_geojson($incidents, $category_id, $color, $icon, $inc
 		{
 			// Handle both reports::fetch_incidents() response and actual ORM objects
 			$marker->id = isset($marker->incident_id) ? $marker->incident_id : $marker->id;
-			$latitude = isset($marker->latitude) ? $marker->latitude : $marker->location->latitude;
-			$longitude = isset($marker->longitude) ? $marker->longitude : $marker->location->longitude;
+			if (isset($marker->latitude) AND isset($marker->longitude))
+			{
+				$latitude = $marker->latitude;
+				$longitude = $marker->longitude;
+			}
+			elseif (isset($marker->location) AND isset($marker->location->latitude) AND isset($marker->location->longitude))
+			{
+				$latitude = $marker->location->latitude;
+				$longitude = $marker->location->longitude;
+			}
+			else
+			{
+				// No location - skip this report
+				continue;
+			}
 
 			// Get thumbnail
 			$thumb = "";
@@ -296,16 +309,44 @@ protected function clusters_geojson($incidents, $category_id, $color, $icon)
 		{
 			$marker	 = array_pop($markers);
 			$cluster = array();
+			
+			// Handle both reports::fetch_incidents() response and actual ORM objects
+			$marker->id = isset($marker->incident_id) ? $marker->incident_id : $marker->id;
+			if (isset($marker->latitude) AND isset($marker->longitude))
+			{
+				$marker_latitude = $marker->latitude;
+				$marker_longitude = $marker->longitude;
+			}
+			elseif (isset($marker->location) AND isset($marker->location->latitude) AND isset($marker->location->longitude))
+			{
+				$marker_latitude = $marker->location->latitude;
+				$marker_longitude = $marker->location->longitude;
+			}
+			else
+			{
+				// No location - skip this report
+				continue;
+			}
 
 			// Compare marker against all remaining markers.
 			foreach ($markers as $key => $target)
 			{
 				// Handle both reports::fetch_incidents() response and actual ORM objects
-				$marker->id = isset($marker->incident_id) ? $marker->incident_id : $marker->id;
-				$marker_latitude = isset($marker->latitude) ? $marker->latitude : $marker->location->latitude;
-				$marker_longitude = isset($marker->longitude) ? $marker->longitude : $marker->location->longitude;
-				$target_latitude = isset($target->latitude) ? $target->latitude : $target->location->latitude;
-				$target_longitude = isset($target->longitude) ? $target->longitude : $target->location->longitude;
+				if (isset($target->latitude) AND isset($target->longitude))
+				{
+					$target_latitude = $target->latitude;
+					$target_longitude = $target->longitude;
+				}
+				elseif (isset($target->location) AND isset($target->location->latitude) AND isset($target->location->longitude))
+				{
+					$target_latitude = $target->location->latitude;
+					$target_longitude = $target->location->longitude;
+				}
+				else
+				{
+					// No location - skip this report
+					continue;
+				}
 
 				// This function returns the distance between two markers, at a defined zoom level.
 				// $pixels = $this->_pixelDistance($marker['latitude'], $marker['longitude'],

application/controllers/login.php

@@ -320,13 +320,9 @@ public function index($user_id = 0)
 					else
 					{
 						// Reset locally
-
-						// Secret consists of email and the last_login field.
-						// So as soon as the user logs in again,
-						// the reset link expires automatically.
-						$secret = $auth->hash_password($user->email.$user->last_login);
-						$secret_link = url::site('login/index/'.$user->id.'/'.$secret.'?reset');
-						$email_sent = $this->_email_resetlink($post->resetemail,$user->name,$secret_link);
+						$secret = $user->forgot_password_token();
+						$secret_link = url::site('login/index/'.$user->id.'/'.urlencode($secret).'?reset');
+						$email_sent = $this->_email_resetlink($post->resetemail, $user->name, $secret_link);
 					}
 
 					if ($email_sent == TRUE)
@@ -870,8 +866,7 @@ private function _new_password($user_id = 0, $password, $token)
 			else
 			{
 				// Use Standard
-
-				if($auth->hash_password($user->email.$user->last_login, $auth->find_salt($token)) == $token)
+				if($user->check_forgot_password_token($token))
 				{
 					$user->password = $password;
 					$user->save();

application/helpers/alert.php

@@ -31,7 +31,7 @@ public static function _send_mobile_alert($post, $alert)
 		// Should be 8 distinct characters
 		$alert_code = text::random('distinct', 8);
 
-		$sms_from = $this->_sms_from();
+		$sms_from = self::_sms_from();
 
 		$message = Kohana::lang('ui_admin.confirmation_code').$alert_code
 			.'.'.Kohana::lang('ui_admin.not_case_sensitive');
@@ -196,7 +196,7 @@ public static function mobile_alerts_unsubscribe($message_from, $message_descrip
 			return FALSE;
 		}
 
-		$sms_from = $this->_sms_from();
+		$sms_from = self::_sms_from();
 
 		$site_name = $settings->site_name;
 		$message = Kohana::lang('ui_admin.unsubscribe_message').' ' .$site_name;

application/helpers/customforms.php

@@ -55,23 +55,23 @@ public static function get_custom_form_fields($incident_id = FALSE, $form_id = N
 		// Check if the provided incident exists, then fill in the data
 		if ($valid_incident)
 		{
-			$sql = "SELECT form_field.*, form_response.form_response
-			FROM form_field
-			LEFT JOIN roles ON (roles.id = field_ispublic_visible)
+			$sql = "SELECT ff.*, fr.form_response
+			FROM `{$table_prefix}form_field` ff
+			LEFT JOIN `{$table_prefix}roles` r ON (r.id = field_ispublic_visible)
 			LEFT JOIN
-				form_response ON (
-					form_response.form_field_id = form_field.id AND
-					form_response.incident_id = :incident_id
+				`{$table_prefix}form_response` fr ON (
+					fr.form_field_id = ff.id AND
+					fr.incident_id = :incident_id
 				)
 			WHERE (access_level <= :user_level OR access_level IS NULL) "
 			. ( ! empty($form_id) ? "AND form_id = :form_id " : '')
 			. "ORDER BY field_position ASC";
 		}
 		else
 		{
-			$sql = "SELECT form_field.*
-			FROM form_field
-			LEFT JOIN roles ON (roles.id = field_ispublic_visible)
+			$sql = "SELECT ff.*
+			FROM `{$table_prefix}form_field` ff
+			LEFT JOIN `{$table_prefix}roles` r ON (r.id = field_ispublic_visible)
 			WHERE (access_level <= :user_level OR access_level IS NULL) "
 			. ( ! empty($form_id) ? "AND form_id = :form_id " : '')
 			. "ORDER BY field_position ASC";

application/hooks/2_settings.php

@@ -60,3 +60,13 @@
 // Additional Mime Types (KMZ/KML)
 Kohana::config_set('mimes.kml', array('text/xml'));
 Kohana::config_set('mimes.kmz', array('text/xml'));
+
+// Set 'settings.forgot_password_key' if not set already
+if ( ! Kohana::config('settings.forgot_password_secret'))
+{
+	$pool = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!@#$%^&*()_+[]{};:,.?`~';
+	$key = text::random($pool, 64);
+	Settings_Model::save_setting('forgot_password_secret', $key);
+	Kohana::config_set('settings.forgot_password_secret', $key);
+	$cache->delete($subdomain.'_settings');
+}

application/models/settings.php

@@ -78,6 +78,7 @@ public static function save_setting($key, $value)
 		{
 			$setting = ORM::factory('settings')->where('key', $key)->find();
 
+			$setting->key = $key;
 			$setting->value = $value;
 			$setting->save();
 		}

application/models/user.php

@@ -360,5 +360,40 @@ public function dashboard()
 		// Send anyone else to login
 		return 'login';
 	}
+	
+	/**
+	 * Get a new forgotten password challenge token for this user
+	 * @param string $salt Optional salt for token generation (use this)
+	 * @return string
+	 */
+	public function forgot_password_token()
+	{
+		return $this->_forgot_password_token();
+	}
+
+	/**
+	 * Check to see if forgotten password token is valid
+	 * @param string $token token to check
+	 * @return boolean is token valid
+	 **/
+	public function check_forgot_password_token($token)
+	{
+		$salt = substr($token, 0, 32);
+		return $this->_forgot_password_token($salt) == $token;
+	}
+
+	/**
+	 * Generate a forgotten password challenge token for this user
+	 * @param string $salt Optional salt for token generation (only use this for checking a token in URL)
+	 * @return string token
+	 */
+	private function _forgot_password_token($salt = FALSE)
+	{
+		// Secret consists of email and the last_login field.
+		// So as soon as the user logs in again, the reset link expires automatically.
+		$salt = $salt ? $salt : text::random('alnum', 32); // Limited charset to keep it URL friendly
+		$key = Kohana::config('settings.forgot_password_secret');
+		return $salt . hash_hmac('sha1', $this->last_login . $this->email, $salt . $key);
+	}
 
 } // End User_Model

application/views/admin/manage/categories/main.php

@@ -211,9 +211,9 @@
 												<?php if($category_trusted == 1) { ?>
 												<div class="right">
 													<?php if($category_id == '4') { ?>
-													<a href="#" class="tooltip" title="<?php echo htmlentities(Kohana::lang('ui_admin.special_category_explanation'),ENT_QUOTES);?>"><strong><?php echo Kohana::lang('ui_admin.special_category');?></strong></a>
+													<a href="#" class="tooltip" title="<?php echo htmlentities(Kohana::lang('ui_admin.special_category_explanation'),ENT_QUOTES, "UTF-8");?>"><strong><?php echo Kohana::lang('ui_admin.special_category');?></strong></a>
 													<?php } else {?>
-														<a href="#" class="tooltip" title="<?php echo htmlentities(Kohana::lang('ui_admin.none_category_explanation'),ENT_QUOTES); ?>"><strong><?php echo Kohana::lang('ui_admin.special_category');?></strong></a>
+														<a href="#" class="tooltip" title="<?php echo htmlentities(Kohana::lang('ui_admin.none_category_explanation'),ENT_QUOTES, "UTF-8"); ?>"><strong><?php echo Kohana::lang('ui_admin.special_category');?></strong></a>
 													<?php } ?>
 												</div>
 												<?php } ?>

application/views/header_nav.php

@@ -13,7 +13,7 @@
 		<li class="header_nav_user header_nav_has_dropdown">
 		<?php if($loggedin_user != FALSE){ ?>
 
-			<a href="<?php echo url::site().$loggedin_role;?>"><span class="header_nav_label"><?php echo htmlentities($loggedin_user->username); ?></span> <img alt="<?php echo htmlentities($loggedin_user->username, ENT_QUOTES); ?>" src="<?php echo htmlentities(members::gravatar($loggedin_user->email, 20), ENT_QUOTES); ?>" width="20" /></a>
+			<a href="<?php echo url::site().$loggedin_role;?>"><span class="header_nav_label"><?php echo htmlentities($loggedin_user->username, ENT_QUOTES, "UTF-8"); ?></span> <img alt="<?php echo htmlentities($loggedin_user->username, ENT_QUOTES, "UTF-8"); ?>" src="<?php echo htmlentities(members::gravatar($loggedin_user->email, 20), ENT_QUOTES); ?>" width="20" /></a>
 
 			<ul class="header_nav_dropdown" style="display:none;">
 			<?php if($loggedin_role != ""){ ?>