Index: openacs-4/packages/acs-subsite/www/permissions/one.tcl =================================================================== RCS file: /usr/local/cvsroot/openacs-4/packages/acs-subsite/www/permissions/one.tcl,v diff -u -r1.2 -r1.2.2.1 --- openacs-4/packages/acs-subsite/www/permissions/one.tcl 6 Sep 2002 21:50:06 -0000 1.2 +++ openacs-4/packages/acs-subsite/www/permissions/one.tcl 7 Dec 2002 16:06:29 -0000 1.2.2.1 @@ -1,158 +1,51 @@ # packages/acs-core-ui/www/acs_object/permissions/index.tcl - ad_page_contract { + Display permissions and children for the given object_id - @author rhs@mit.edu - @creation-date 2000-08-20 - @cvs-id $Id$ + Templated + cross site scripting holes patched by davis@xarg.net + + @author rhs@mit.edu + @creation-date 2000-08-20 + @cvs-id $Id$ } { object_id:integer,notnull {children_p "f"} } +set user_id [ad_maybe_redirect_for_registration] ad_require_permission $object_id admin -set user_id [ad_maybe_redirect_for_registration] +set name [ad_quotehtml [db_string name {select acs_object.name(:object_id) from dual}]] -set name [db_string name {select acs_object.name(:object_id) from dual}] +set context [list [list "./" "Permissions"] "Permissions for $name"] -doc_body_append "[ad_header "Permissions for $name"] - -
" - if [string equal $children_p "t"] { - - doc_body_append "- - -[ad_footer]"" - - db_foreach children { - select object_id as c_object_id,acs_object.name(object_id) as c_name - from acs_objects o - where context_id = :object_id - and exists (select 1 - from acs_object_party_privilege_map - where object_id = o.object_id - and party_id = :user_id - and privilege = 'admin') - } { - doc_body_append "
" - } else { - db_1row children_count { - select count(*) as num_children - from acs_objects o - where context_id = :object_id - and exists (select 1 - from acs_object_party_privilege_map - where object_id = o.object_id - and party_id = :user_id - and privilege = 'admin') - } - - set children_p "t" - doc_body_append "$num_children Children Hidden " - if {$num_children > 0} { - doc_body_append "\[Show\] " - } + db_1row children_count { *SQL* } } - - -doc_body_append "- $c_name
\n" - } if_no_rows { - doc_body_append " (none)\n" + db_multirow children children { *SQL* } { + set c_name [ad_quotehtml $c_name] } - - doc_body_append "