From afed0f2046d57ec597f330edc4e0fedf2b93c5c5 Mon Sep 17 00:00:00 2001
From: Andras Iklody
Date: Mon, 11 Feb 2013 11:26:34 +0100
Subject: [PATCH] Changes to link validation and minor fixes

- Links get validated now to filter malicios code
- removed a double edit button in the case of an admin editing himself
- fixed an error with adding new attributes
---
 app/Controller/AttributesController.php | 3 ++-
 app/Controller/UsersController.php | 1 +
 app/Model/Attribute.php | 5 +++++
 app/View/Users/view.ctp | 4 ++--
 4 files changed, 10 insertions(+), 3 deletions(-)

diff --git a/app/Controller/AttributesController.php b/app/Controller/AttributesController.php
index c6a5a4ba9..366a9a260 100755
--- a/app/Controller/AttributesController.php
+++ b/app/Controller/AttributesController.php
@@ -231,7 +231,8 @@ class AttributesController extends AppController {
 //$this->request->data['Attribute']['event_id'] = $eventId;
 }
 // Notice (8): Undefined index: id [APP/Controller/AttributesController.php, line 234]
-$savedId = $this->request->data['Attribute']['id'];
+// Should be fixed
+$savedId = $this->Attribute->getId();
 if ($this->Attribute->save($this->request->data)) {
 if ($this->_isRest()) {
diff --git a/app/Controller/UsersController.php b/app/Controller/UsersController.php
index 693c0377c..196ac0fce 100755
--- a/app/Controller/UsersController.php
+++ b/app/Controller/UsersController.php
@@ -237,6 +237,7 @@ class UsersController extends AppController {
 if (!$this->User->exists()) {
 throw new NotFoundException(__('Invalid user'));
 }
+$this->set('currentId', $id);
 if ($this->request->is('post') || $this->request->is('put')) {
 $fields = array();
 foreach (array_keys($this->request->data['User']) as $field) {
diff --git a/app/Model/Attribute.php b/app/Model/Attribute.php
index 091f8a806..07f1def6e 100755
--- a/app/Model/Attribute.php
+++ b/app/Model/Attribute.php
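Review bot: `$savedId` is now taken from `$this->Attribute->getId()` before `save()` runs, so for a newly created attribute it presumably holds whatever id the model carried before the save (likely nothing) rather than the id of the row the save creates; if the value is used afterwards to locate the stored attribute (the method continues below the hunk), the assignment belongs after the `save()` call, or `$this->Attribute->id` should be read there. The new `// Should be fixed` comment sits under the stale `// Notice (8): Undefined index` debug note and neither says what the variable is for; replace both with one line stating the intent, e.g. `// id of the attribute being edited; unset when a new attribute is being added`, if that is what the code below relies on.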
@@ -644,6 +644,11 @@ class Attribute extends AppModel {
 $returnValue = true;
 }
 break;
+case 'link':
+if (!preg_match("^(?:https?://)?(?:[a-z0-9-]+\\.)*((?:[a-z0-9-]+\\.)[a-z]+)", $value)) {
+$returnValue = true;
+}
+break;
 case 'url':
 // no newline
 if (!preg_match("#\n#", $value)) {
diff --git a/app/View/Users/view.ctp b/app/View/Users/view.ctp
index 9b1364c41..9cabf69c5 100755
--- a/app/View/Users/view.ctp
+++ b/app/View/Users/view.ctp
@@ -1,7 +1,7 @@
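Review bot: The pattern in the new `case 'link':` has no closing PCRE delimiter (the leading `^` is taken as the delimiter and never closed), so `preg_match()` emits a warning and returns `false`, and the `!` in front then sets `$returnValue = true` for every value, meaning the case accepts all input instead of validating it. Unlike the neighbouring `'url'` case, which rejects a forbidden character, this pattern describes the allowed shape of a link, so the test should be positive and case-insensitive with proper delimiters: `if (preg_match('#^(?:https?://)?(?:[a-z0-9-]+\.)*(?:[a-z0-9-]+\.)[a-z]+#i', $value)) {`. It is also anchored only at the start, so anything after the host still passes; if the intent stated in the commit message is to restrict what a link may contain, the pattern needs a `$` anchor with an explicit set of allowed path characters. The enclosing `switch` starts and ends outside the hunk.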
  • Html->link(__('Edit Profile', true), array('admin' => true, 'action' => 'edit', $user['User']['id'])); ?>
-
  • Html->link(__('Edit Profile', true), array('action' => 'edit', $user['User']['id'])); ?>
+
  • Html->link(__('Edit Profile', true), array('action' => 'edit', $user['User']['id'])); ?>

@@ -65,7 +65,7 @@ if (h($user['User']['gpgkey']) != 0) { if ($isAclAdmin && ($me['org'] == $user['User']['org'] || $me['org'] == 'ADMIN')) { ?>
  • Html->link(__('Edit User', true), array('admin' => true, 'action' => 'edit', $user['User']['id'])); ?>
  • Html->link(__('Edit User', true), array('action' => 'edit', $user['User']['id'])); ?>