zena 1.2.2 → 1.2.3

data/lib/zena/use/display.rb

@@ -13,6 +13,8 @@ module Zena
 
       module ImageTags
         include Common
+        IMG_TAG_EXTRA_RE = %r{UUID|(PATH)_([a-z]+)\.([a-z]+)}
+        IMG_TAG_EXTRA_JS = %r{\[JS\](.*?)\[/JS\]}
 
         # This is used by _crop.rhtml
         def crop_formats(obj)
@@ -48,7 +50,7 @@ module Zena
               return img_tag(icon, opts.merge(:alt_src => nil))
             end
           end
-
+          
           # 3. generic icon
           res ||= generic_img_tag(obj, opts)
 
@@ -67,6 +69,30 @@ module Zena
         # <img> tag definition to show an Image / mp3 document
         # FIXME: this should live inside zafu
         def asset_img_tag(obj, opts)
+          if img_tag = obj.prop["img_tag_#{opts[:mode] || 'std'}"]
+            # Hand made image tag
+            if img_tag.kind_of?(String)
+              # We use code to make it raw.
+              uuid = "img#{UUIDTools::UUID.random_create.to_s.gsub('-','')[0..6]}"
+              tag = img_tag.gsub(IMG_TAG_EXTRA_RE) do
+                if $& == 'UUID'
+                  uuid
+                elsif $1 == 'PATH'
+                  zen_path(obj, :mode => $2, :format => $3)
+                end
+              end
+              tag.gsub!(IMG_TAG_EXTRA_JS) do
+                self.js_data << $1
+                ''
+              end
+              return raw_content(tag)
+            end
+          elsif img_tag = obj.prop["img_tag"]
+            if img_tag.kind_of?(Hash) && img_tag = img_tag[opts[:mode] || 'std']
+              return raw_content(img_tag.gsub('UUID', "img#{UUIDTools::UUID.random_create.to_s.gsub('-','')[0..6]}"))
+            end
+          end
+          
           if obj.kind_of?(Image)
             res     = {}
             format  = Iformat[opts[:mode]] || Iformat['std']
@@ -208,7 +234,7 @@ module Zena
         include ImageTags
         include RubyLess
         safe_method  [:sprintf,     String, Number]                     => {:class => String, :method => 'sprintf'}
-        safe_method  [:search_box,  {:ajax => String, :type => String}] => String
+        safe_method  [:search_box,  {:ajax => String, :type => String}] => {:class => String, :method => 'search_box', :html_safe => true}
         safe_context [:admin_links, {:list => String}]                  => [String]
 
         # Return sprintf formated entry. Return '' for values eq to zero.
@@ -432,6 +458,7 @@ module Zena
                 :class  => String,
                 :method => 'zazen',
                 :accept_nil => true,
+                :html_safe => true,
                 :append_hash => {:node => ::RubyLess::TypedString.new(node.to_s, :class => node.klass)}
               }
             else
@@ -488,6 +515,7 @@ module Zena
         end
 
         def extract_label(res, attribute)
+          return res if @params[:type] == 'hidden'
           attribute ||= @params[:param]
           if (label = param(:label) || param(:tlabel)) && attribute
             case label
@@ -517,13 +545,13 @@ module Zena
 
         # ??? <r:h do='foasfa'/> ?
         # def r_h
-        #   out "<%= h ??? %>"
+        #   out "<%=h ??? %>"
         # end
 
         # Insert javascript asset tags
         def r_javascripts
           if @params[:list] == 'all' || @params[:list].nil?
-            list = %w{ prototype effects dragdrop window zena grid }
+            list = %w{ prototype effects dragdrop window zena grid upload-progress }
           else
             list = @params[:list].split(',').map{|e| e.strip}
           end
@@ -570,7 +598,7 @@ module Zena
         # Insert stylesheet asset tags
         def r_stylesheets
           if @params[:list] == 'all' || @params[:list].nil?
-            list = %w{ reset window zena code grid }
+            list = %w{ reset window zena code grid upload-progress }
           else
             list = @params[:list].split(',').map{|e| e.strip}
           end
@@ -698,10 +726,24 @@ module Zena
 
         # Also used by rubyless_expand
         def show_string(method)
-          if param(:h) == 'false'
+          if method.kind_of?(RubyLess::TypedString)
+            if lit = method.literal
+              if method.opts[:html_safe]
+                lit
+              elsif param(:h) == 'false'
+                erb_escape(lit)
+              else
+                ::ERB::Util.html_escape(lit)
+              end
+            elsif param(:h) == 'false' || method.opts[:html_safe]
+              "<%= #{method} %>"
+            else
+              "<%=h #{method} %>"
+            end
+          elsif param(:h) == 'false'
             "<%= #{method} %>"
           else
-            "<%= h #{method} %>"
+            "<%=h #{method} %>"
           end
         end
 

data/lib/zena/use/forms.rb

@@ -238,8 +238,16 @@ module Zena
               error_messages = r_errors + "\n"
             end
 
-            opts[:form_tag]    = %Q{
-<% form_for(:#{node.form_name}, #{node}, :url => #{node}.new_record? ? #{node.form_name.pluralize}_path : #{node.form_name}_path(#{node}.zip), :html => {:method => #{node}.new_record? ? :post : :put, :id => \"\#{ndom_id(#{node})}_form_t\"}) do |f| %>
+            html_id = "#{node.dom_prefix}_form_t".inspect
+            if descendant('upload_field')
+              uuid = UUIDTools::UUID.random_create.to_s.gsub('-','')
+              set_context_var('upload', 'uuid', uuid)
+              upload_html = ", :multipart => true, :onsubmit => %Q{submitUploadForm(#{html_id}, '#{uuid}');}"
+              upload_url  = "'#{Zena::Use::Upload::UPLOAD_KEY}' => '#{uuid}'"
+            end
+            
+            opts[:form_tag] = %Q{
+<% form_for(:#{node.form_name}, #{node}, :url => #{node}.new_record? ? #{node.form_name.pluralize}_path(#{upload_url}) : #{node.form_name}_path(#{node}.zip#{upload_url ? ", #{upload_url}" : ""}), :html => {:method => #{node}.new_record? ? :post : :put, :id => #{html_id}#{upload_html}}) do |f| %>
 #{error_messages}}
           end
 
@@ -247,6 +255,8 @@ module Zena
         end
 
         def form_hidden_fields(opts)
+          dom_name = node.dom_prefix || dom_name
+          
           hidden_fields = super
           add_params = @context[:add] ? @context[:add].params : {}
           set_fields = []
@@ -317,15 +327,17 @@ module Zena
                   break
                 end
               end
-              if params[:done] == 'focus'
-                if params[:focus]
-                  hidden_fields['done'] = "'$(\"#{erb_dom_id}_#{params[:focus]}\").focus();'"
-                else
+              
+              if params[:done]
+                if params[:done] == 'focus'
                   hidden_fields['done'] = "'$(\"#{erb_dom_id}_form_t\").focusFirstElement();'"
+                else
+                  done = RubyLess.translate_string(self, params[:done])
                 end
-              elsif params[:done]
-                done = RubyLess.translate_string(self, params[:done])
+              elsif params[:focus]
+                hidden_fields['done'] = "'$(\"#{erb_dom_id}_#{params[:focus]}\").focus();'"
               end
+              
             else
               # ajax form, not in 'add'
               done = RubyLess.translate_string(self, @params[:done])
@@ -338,6 +350,13 @@ module Zena
               end
               hidden_fields['done'] = done
             end
+          elsif upd = @params.delete(:preview)
+            hidden_fields['t_url']  = template_url(upd)
+            hidden_fields['dom_id'] = upd
+            hidden_fields['s']      = "<%= start_node_zip %>"
+            loading = @params[:loading]
+            loading = 'Zena.loading' if loading == 'true'
+            out "<% filter_form(#{node}, \"#{dom_name}_form_t\", #{loading.inspect}, '#{upd}') %>"
           else
             # no ajax
             cancel = "" # link to normal node ?
@@ -398,6 +417,10 @@ module Zena
 
           hidden_fields
         end
+        
+        def r_upload_field
+          "<%= upload_field(:uuid => #{get_context_var('upload', 'uuid').inspect}, :dom => #{node.dom_prefix.inspect}) %>"
+        end
 
         def r_textarea
           html_attributes, attribute = get_input_params()
@@ -436,9 +459,15 @@ module Zena
             attribute = param
           else
             return parser_error("missing name") unless attribute
-
-            if value = @params[:selected]
-              selected = ::RubyLess.translate_string(self, value)
+            # {:value=>"<%= fquote((@node.prop['settings'] ? @node.prop['settings'][\"foo\"] : nil)) %>", :name=>"node[settings][foo]"}
+            # "settings_foo"
+            
+            
+            if selected = @params[:value] || @params[:selected]
+              selected = ::RubyLess.translate(self, selected)
+              unless selected.klass <= String
+                selected = "#{selected}.to_s"
+              end
             elsif @context[:in_filter]
               selected = "param_value(#{attribute.inspect}).to_s"
             elsif %w{parent_id}.include?(attribute)
@@ -448,18 +477,21 @@ module Zena
             elsif attribute =~ /^(.*)_id$/
               # relation
               selected = "#{node}.rel[#{$1.inspect}].other_zip.to_s"
-            elsif type = node.klass.safe_method_type([attribute])
-              selected = "#{node}.#{type[:method]}.to_s"
+            elsif selected = html_attributes[:value]
+              if selected =~ /\A<%= .*?\((.+)\)\s*%>/
+                # remove <%= %>
+                selected = "#{$1}.to_s"
+              else
+                selected = selected.inspect
+              end
             else
-              # ???
-              selected = "#{node}.prop[#{attribute.inspect}].to_s"
+              # FIXME: This would not work for a [asdf][asdf] hash property type...
+              selected = ::RubyLess.translate(self, "this.#{attribute}")
             end
           end
           
           if @context[:in_filter] || @params[:param]
             html_attributes[:name] = attribute
-          else
-            html_attributes[:name] = "#{node.form_name}[#{attribute}]"
           end
           html_attributes.delete(:value)
           select_tag = Zafu::Markup.new('select', html_attributes)
@@ -480,7 +512,7 @@ module Zena
                 end
               end
             end
-            select_tag.wrap "<%= options_for_select(#{options_list.inspect}, (#{node}.new_record? ? #{selected} : #{node}.klass)) %>"
+            select_tag.wrap "<%= options_for_select(#{options_list.inspect}, #{selected}) %>"
           elsif @params[:type] == 'time_zone'
             # <r:select name='d_tz' type='time_zone'/>
             select_tag.wrap "<%= options_for_select(TZInfo::Timezone.all_identifiers, #{selected}) %>"
@@ -802,6 +834,7 @@ module Zena
                 show_values = translate_list(show)
               else
                 tprefix = @params[:tprefix] || @params[:name] || @params[:param]
+                tprefix = tprefix.gsub('[','_').gsub(']','')
                 if tprefix == 'false'
                   tprefix = ''
                 else

data/lib/zena/use/html_tags.rb

@@ -6,9 +6,9 @@ module Zena
 
       module FormTags
         #TODO: test
-      	# Return the list of groups from the visitor for forms
-      	def form_groups
-      	  @form_groups ||= Group.find(:all, :select=>'id, name', :conditions=>"id IN (#{visitor.group_ids.join(',')})", :order=>"name ASC").collect {|p| [p.name, p.id]}
+        # Return the list of groups from the visitor for forms
+        def form_groups
+          @form_groups ||= Group.find(:all, :select=>'id, name', :conditions=>"id IN (#{visitor.group_ids.join(',')})", :order=>"name ASC").collect {|p| [p.name, p.id]}
         end
 
         #TODO: test
@@ -163,7 +163,7 @@ module Zena
         include LinkTags
         include RubyLess
 
-        safe_method [:flash_messages] => String
+        safe_method [:flash_messages] => {:class => String, :method => 'flash_messages', :html_safe => true}
         # TODO: replace 'flash_messages' with a FlashHash context or a list
         # of Flash messages.
 
@@ -171,11 +171,11 @@ module Zena
           type = opts[:show] || 'both'
 
           if (type == 'notice' || type == 'both') && flash[:notice]
-            notice = "<div class='auto_fade notice' onclick='new Effect.Fade(this)'>#{flash[:notice]}</div>"
+            notice = "<div class='auto_fade notice' onclick='new Effect.Fade(this)'>#{::ERB::Util.html_escape(flash[:notice])}</div>"
           end
 
           if (type == 'error'  || type == 'both') && flash[:error ]
-            error = "<div class='error' onclick='new Effect.Fade(this)'>#{flash[:error]}</div>"
+            error = "<div class='error' onclick='new Effect.Fade(this)'>#{::ERB::Util.html_escape(flash[:error])}</div>"
           end
 
           if page = opts[:page]

data/lib/zena/use/i18n.rb

@@ -14,7 +14,7 @@ module Zena
         include RubyLess
 
         # never returns nil
-        safe_method [:get, String] => {:class => String, :accept_nil => true}
+        safe_method [:get, String] => {:class => String, :accept_nil => true, :html_safe => true}
 
         def initialize(node_id, static = nil)
           @node_id = node_id
@@ -27,6 +27,7 @@ module Zena
         end
 
         def get_without_loading(key, use_global = true)
+          # SECURITY: We consider all strings in dictionaries as SAFE.
           @dict[key] || (use_global && ApplicationController.send(:_, key))
         end
 
@@ -205,7 +206,7 @@ module Zena
       module ViewMethods
         include RubyLess
 
-        safe_method [:lang_links, {:wrap => String, :join => String}] => String
+        safe_method [:lang_links, {:wrap => String, :join => String}] => {:class => String, :method => 'lang_links', :html_safe => true}
 
         def self.included(base)
           base.send(:alias_method_chain, :will_paginate, :i18n) if base.respond_to?(:will_paginate)
@@ -349,13 +350,21 @@ module Zena
             { :class  => String,
               :method => "#{dict}.get",
               :accept_nil => true,
-              :pre_processor => Proc.new {|this, str| trans(str)}
+              :html_safe  => true,
+              :pre_processor => Proc.new {|this, str| 
+                t = erb_escape(trans(str))
+                RubyLess::TypedString.new(t.inspect, :html_safe => true, :literal => t, :class => String)
+              }
             }
           else
             { :class  => String,
               :method => 'trans',
               :accept_nil => true,
-              :pre_processor => Proc.new {|this, str| trans(str)}
+              :html_safe  => true,
+              :pre_processor => Proc.new {|this, str| 
+                t = erb_escape(trans(str))
+                RubyLess::TypedString.new(t.inspect, :html_safe => true, :literal => t, :class => String)
+              }
             }
           end
         end

data/lib/zena/use/image_builder.rb

@@ -1,5 +1,7 @@
 require 'tempfile'
 require 'digest/sha1'
+# convert PDF to JPG
+# convert -geometry 1600x1600 -density 200x200 -quality 90 test.pdf test.jpg
 unless defined?(Magick)
   begin
     # this works on the deb box

data/lib/zena/use/query_builder.rb

@@ -4,8 +4,12 @@ module Zena
       DATE_FIELD_REGEXP = %r{\d+[\.-/]\d+[\.-/]\d+}
       module ViewMethods
         include RubyLess
+        # Pseudo string comming from params.
         safe_method [:query_parse, String] => {:class => String, :accept_nil => true}
-        safe_method :query_errors => {:class => String, :nil => true}
+        safe_method [:query_parse, Hash] => {:class => String, :accept_nil => true}
+        safe_method [:query_parse, String, Hash] => {:class => String, :accept_nil => true}
+        
+        safe_method :query_errors => {:class => String, :nil => true, :html_safe => true}
 
         def find_node_by_zip(zip)
           return nil unless zip
@@ -17,7 +21,7 @@ module Zena
         end
 
         def query(class_name, node_name, pseudo_sql, opts = {})
-          type = opts[:type] || :find
+          type = opts[:type] || (opts[:find] == :count ? :count : :find)
           @query_errors = nil
           if klass = VirtualClass[class_name]
             begin
@@ -28,13 +32,16 @@ module Zena
                 # mixed in and strangely RubyLess cannot access the helpers from 'self'.
                 :rubyless_helper => zafu_helper.helpers
               )
+              
+              # Node.logger.warn eval(query.to_s(type == :count ? :count : :find), opts[:binding] || binding)
+              
               if type == :count
                 return klass.do_find(:count, eval(query.to_s(:count), opts[:binding] || binding))
               else
                 return klass.do_find(opts[:find] || :all, eval(query.to_s, opts[:binding] || binding))
               end
             rescue ::QueryBuilder::Error => err
-              @query_errors = "<span class='query'>#{pseudo_sql}</span> <span class='error'>#{err}</span>"
+              @query_errors = "<span class='query'>#{::ERB::Util.html_escape(pseudo_sql)}</span> <span class='error'>#{::ERB::Util.html_escape(err)}</span>"
             end
           end
           # error
@@ -43,13 +50,15 @@ module Zena
 
         # Takes a hash of parameters and builds query arguments for SQLiss
         # the query ends up like ' AND param_name = "foo" AND param_name > 35'...
-        def query_parse(params)
+        def query_parse(params, opts = {})
+          ignore_params = (opts[:ignore] || '').split(',').map(&:strip)
           params ||= {}
           res = []
           if params.kind_of?(String)
             return params
           elsif params.kind_of?(Hash)
             params.each do |k,v|
+              next if ignore_params.include?(k.to_s)
               clause = query_build_clause(k,v)
               res << clause unless clause.blank?
             end
@@ -77,7 +86,6 @@ module Zena
             end
 
             if arg =~ DATE_FIELD_REGEXP
-              # FIXME: Use to_utc and date function in Zena::Db
               arg = query_parse_dates(arg)
               first = arg.first
             end
@@ -107,8 +115,10 @@ module Zena
 
           def query_parse_dates(str)
             str.gsub(DATE_FIELD_REGEXP) do |date_str|
-              if date = DateTime.parse(date_str) rescue nil
-                date.strftime("'%Y-%m-%d'")
+              # Consider params as coming from the visitor's timezone.
+              if time = parse_date(date_str)
+                # We now have an UTC field.
+                time.strftime("'%Y-%m-%d %H:%M'")
               else
                 date_str
               end
@@ -174,7 +184,6 @@ module Zena
         # Open a list context with a query comming from the url params. Default param name is
         # "qb"
         def r_query
-          return parser_error("Cannot be used in list context (#{node.class_name})") if node.list_context?
           return parser_error("Missing 'default' query") unless default_psql = @params[:default]
 
           count = get_count(default_psql, {:find => @params[:find]})
@@ -184,9 +193,21 @@ module Zena
           rescue ::QueryBuilder::Error => err
             return parser_error(err.message)
           end
-
-          klass = count == :all ? [default_query.main_class] : default_query.main_class
-
+          
+          if count == :all
+            klass = [default_query.main_class]
+            type = :find
+            res_nil = true
+          elsif count == :first
+            klass = default_query.main_class
+            type = :find
+            res_nil = true
+          else
+            klass = Number
+            type = :count
+            res_nil = false
+          end
+          
           can_be_nil = true
           if sql = @params[:eval]
             sql = RubyLess.translate(self, sql)
@@ -205,8 +226,12 @@ module Zena
             sql = "#{sql} || #{default_psql.inspect}"
           end
 
-          query = DynamicQuery.new(default_query, node, sql, count)
-          expand_with_finder(:method => query.to_s, :class => klass, :nil => true, :query => query)
+          query = DynamicQuery.new(default_query, single_node, sql, count)
+          if @blocks.empty? && type == :count
+            out "<%= #{query.to_s} %>"
+          else
+            expand_with_finder(:method => query.to_s, :class => klass, :nil => res_nil, :query => query)
+          end
         end
 
         # Pre-processing of the 'find("...")' method.
@@ -292,7 +317,7 @@ module Zena
         private
           def single_node
             node = self.node
-            while node.list_context?
+            while node.list_context? || node.klass <= String || node.klass <= Number
               node = node.up
               if !node
                 raise ::QueryBuilder::Error.new("Could not access node context  query builder from list #{self.node.class_name}")

data/lib/zena/use/query_link.rb

@@ -0,0 +1,57 @@
+require 'querybuilder'
+
+module Zena
+  module Use
+    class QueryLink
+
+      module ModelMethods
+        def self.included(base)
+          base.send(:include, ::QueryBuilder)
+          base.extend ClassMethods
+          base.query_compiler = Zena::Use::QueryLink::Compiler
+        end
+      end
+
+      module ClassMethods
+        # Find a node and propagate visitor
+        def do_find(count, query)
+          case count
+          when :all
+            res = find_by_sql(query)
+            res.empty? ? nil : res
+          when :first
+            find_by_sql(query).first
+          when :count
+            count_by_sql(query)
+          else
+            nil
+          end
+        end
+      end
+
+      
+      class Compiler < ::QueryBuilder::Processor
+        attr_reader :node_name
+        set_main_table 'links'
+        set_main_class 'Link'
+        set_default :order,   'comment ASC'
+
+        # Overwrite this and take car to check for valid fields.
+        def process_field(field_name)
+          if %w{comment status date name}.include?(field_name)
+            field_name = 'comment' if field_name == 'name'
+            "#{table}.#{field_name}"
+          else
+            super # raise an error
+          end
+        end
+
+        def map_attr(fld)
+          # error
+          nil
+        end
+      end # Compiler
+      
+    end # QueryLink
+  end # Use
+end # Zena