authorStanislav-Wolski <stanislau.wolski@gmail.com>2012-05-28 17:29:54 +0300
committerStanislav-Wolski <stanislau.wolski@gmail.com>2012-05-28 17:29:54 +0300
commitf412231c95a2d54a1061b597b4032227e5e0bdb5 (patch)
tree0a4b388edebba591e6fd19dbe1cea2f7978d7294 /codebase
parent6c5b0c64092ad095d55412b5765c14bd121b508c (diff)
[add] csrf defense and render_array functionality
Diffstat (limited to 'codebase')
-rw-r--r--codebase/base_connector.php25
-rw-r--r--codebase/data_connector.php16
-rw-r--r--codebase/dataview_connector.php11
-rw-r--r--codebase/db_common.php3
-rw-r--r--codebase/grid_connector.php10
-rw-r--r--codebase/scheduler_connector.php3
-rw-r--r--codebase/tree_connector.php6
-rw-r--r--codebase/xss_filter.php2
8 files changed, 55 insertions, 21 deletions
diff --git a/codebase/base_connector.php b/codebase/base_connector.php
index 2c924a9..6f66ef8 100644
--- a/codebase/base_connector.php
+++ b/codebase/base_connector.php
@@ -327,6 +327,7 @@ class Connector {
"data_class"=>$data_type,
"render_class"=>$render_type
);
+ $this->attributes = array();
$this->config = new DataConfig();
$this->request = new DataRequestConfig();
@@ -361,6 +362,11 @@ class Connector {
}
+ protected $attributes;
+ public function add_top_attribute($name, $string){
+ $this->attributes[$name] = $string;
+ }
+
//model is a class, which will be used for all data operations
//we expect that it has next methods get, update, insert, delete
//if method was not defined - we will use default logic
@@ -421,6 +427,12 @@ class Connector {
return $this->render();
}
+ public function render_array($data, $id, $fields, $extra=false, $relation_id=false){
+ $this->configure("-",$id,$fields,$extra,$relation_id);
+ $this->sql = new ArrayDBDataWrapper($data, null);
+ return $this->render();
+ }
+
public function render_complex_sql($sql,$id,$fields,$extra=false,$relation_id=false){
$this->config->init($id,$fields,$extra,$relation_id);
$this->request->parse_sql($sql, true);
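Review bot: render_array is added without a doc comment, and two things in it are not obvious from the signature: the literal `"-"` passed to configure() as the table name, and the fact that `$data` is handed to ArrayDBDataWrapper in the position where other wrappers receive a connection. A header in the file's existing style would cover both, for example `/*! render data from a PHP array instead of a database; $data is the list of records, "-" is a placeholder table name */`. The expected shape of each record in `$data` is not visible in this hunk and should be stated there as well.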
@@ -475,9 +487,11 @@ class Connector {
$this->sql = new ArrayDBDataWrapper();
$result = new ArrayQueryWrapper(call_user_func(array($this->model, "get"), $this->request));
$this->output_as_xml($result);
- } else
+ } else {
$this->output_as_xml($this->get_resource());
}
+
+ }
}
$this->end_run();
}
@@ -557,6 +571,9 @@ class Connector {
$this->request->set_filter($this->resolve_parameter($k),$v);
}
+ $key = ConnectorSecurity::checkCSRF($this->editing);
+ if ($key !== "")
+ $this->add_top_attribute("dhx_security", $key);
}
@@ -679,7 +696,11 @@ class Connector {
/*! renders self as xml, starting part
*/
protected function xml_start(){
- return "<data>";
+ $attributes = "";
+ foreach($this->attributes as $k=>$v)
+ $attributes .= " ".$k."='".$v."'";
+
+ return "<data".$attributes.">";
}
/*! renders self as xml, ending part
*/
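Review bot: The loop added to xml_start concatenates each attribute value into a single-quoted XML attribute without escaping, so a value containing `'`, `<` or `&` yields malformed or altered markup in the response. add_top_attribute is public and stores both `$name` and `$string` as given, so the values are not limited to the CSRF key; escaping at render time closes this, e.g. `$attributes .= " ".$k."='".htmlspecialchars($v, ENT_QUOTES)."'";`. The same loop is copied into xml_start in dataview_connector.php, grid_connector.php and tree_connector.php, so one protected helper on Connector that returns the escaped attribute string would keep the fix in a single place.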
diff --git a/codebase/data_connector.php b/codebase/data_connector.php
index a5419e0..f094fb8 100644
--- a/codebase/data_connector.php
+++ b/codebase/data_connector.php
@@ -102,7 +102,6 @@ class DataConnector extends Connector{
if (!$data_type) $data_type="CommonDataProcessor";
$this->sections = array();
- $this->attributes = array();
if (!$render_type) $render_type="RenderStrategy";
parent::__construct($res,$type,$item_type,$data_type,$render_type);
@@ -114,11 +113,6 @@ class DataConnector extends Connector{
$this->sections[$name] = $string;
}
- protected $attributes;
- public function add_top_attribute($name, $string){
- $this->attributes[$name] = $string;
- }
-
protected function parse_request_mode(){
//do nothing, at least for now
}
@@ -150,9 +144,6 @@ class DataConnector extends Connector{
if (isset($_GET["start"]) && isset($_GET["count"]))
$this->request->set_limit($_GET["start"],$_GET["count"]);
- $key = ConnectorSecurity::checkCSRF($this->editing);
- if ($key !== "")
- $this->add_top_attribute("dhx_security", $key);
}
/*! renders self as xml, starting part
@@ -167,7 +158,6 @@ class DataConnector extends Connector{
$start .= "<".$k.">".$v."</".$k.">\n";
return $start;
}
-
};
class JSONDataConnector extends DataConnector{
@@ -232,10 +222,14 @@ class JSONDataConnector extends DataConnector{
$is_sections = sizeof($this->sections) && $this->is_first_call();
- if ($this->dload || $is_sections){
+ if ($this->dload || $is_sections || sizeof($this->attributes)){
$start = $start.$end;
$end="";
+ $attributes = "";
+ foreach($this->attributes as $k=>$v)
+ $end .= ", ".$k.":\"".$v."\"";
+
if ($is_sections){
//extra sections
foreach($this->sections as $k=>$v)
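Review bot: The added loop writes each attribute as `, key:"value"` with an unquoted key and an unescaped value, which a strict JSON parser rejects and which breaks the document if the value contains `"` or `\`; the `$attributes = "";` line above the loop is never used. Encoding both sides keeps the output well-formed: `$end .= ", ".json_encode((string)$k).":".json_encode((string)$v);`. The same pattern is added to JSONSchedulerConnector::xml_end in scheduler_connector.php, where the neighbouring `"collections"` key is already quoted. The enclosing method starts and ends outside this hunk.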
diff --git a/codebase/dataview_connector.php b/codebase/dataview_connector.php
index 0c4ca0c..41b7387 100644
--- a/codebase/dataview_connector.php
+++ b/codebase/dataview_connector.php
@@ -56,14 +56,19 @@ class DataViewConnector extends Connector{
/*! renders self as xml, starting part
*/
protected function xml_start(){
+ $attributes = "";
+ foreach($this->attributes as $k=>$v)
+ $attributes .= " ".$k."='".$v."'";
+
+ $start.= ">";
if ($this->dload){
if ($pos=$this->request->get_start())
- return "<data pos='".$pos."'>";
+ return "<data pos='".$pos."'".$attributes.">";
else
- return "<data total_count='".$this->sql->get_size($this->request)."'>";
+ return "<data total_count='".$this->sql->get_size($this->request)."'".$attributes.">";
}
else
- return "<data>";
+ return "<data".$attributes.">";
}
}
?> \ No newline at end of file
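Review bot: `$start.= ">";` in xml_start appends to a variable that is never defined in this method and is not read by any of the three return statements, so it has no effect on the output and raises an undefined-variable notice on every call. If notices are displayed, that text would land in front of the XML response, so the line should simply be removed. The `$attributes` string built just above it is what the returns actually use.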
diff --git a/codebase/db_common.php b/codebase/db_common.php
index 7d738ee..8b5935a 100644
--- a/codebase/db_common.php
+++ b/codebase/db_common.php
@@ -930,6 +930,9 @@ class ArrayDBDataWrapper extends DBDataWrapper{
if ($res->index < sizeof($res->data))
return $res->data[$res->index++];
}
+ public function select($sql){
+ return new ArrayQueryWrapper($this->connection);
+ }
public function query($sql){
throw new Exception("Not implemented");
}
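Review bot: select() ignores its `$sql` argument and always wraps `$this->connection`, which deserves a comment because the neighbouring query() throws "Not implemented" for the same kind of input. Judging by render_array in base_connector.php, the connection here is presumably the caller's data array (the constructor is outside this hunk), so any filtering, sorting or paging expressed in `$sql` is silently not applied. A line such as `//array-backed wrapper: $sql is ignored, the records given to the constructor are returned as is` would make that contract explicit.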
diff --git a/codebase/grid_connector.php b/codebase/grid_connector.php
index 6f41467..4d1926b 100644
--- a/codebase/grid_connector.php
+++ b/codebase/grid_connector.php
@@ -214,14 +214,18 @@ class GridConnector extends Connector{
/*! renders self as xml, starting part
*/
protected function xml_start(){
+ $attributes = "";
+ foreach($this->attributes as $k=>$v)
+ $attributes .= " ".$k."='".$v."'";
+
if ($this->dload){
if ($pos=$this->request->get_start())
- return "<rows pos='".$pos."'>";
+ return "<rows pos='".$pos."'".$attributes.">";
else
- return "<rows total_count='".$this->sql->get_size($this->request)."'>";
+ return "<rows total_count='".$this->sql->get_size($this->request)."'".$attributes.">";
}
else
- return "<rows>";
+ return "<rows".$attributes.">";
}
diff --git a/codebase/scheduler_connector.php b/codebase/scheduler_connector.php
index 7032fd8..11572b2 100644
--- a/codebase/scheduler_connector.php
+++ b/codebase/scheduler_connector.php
@@ -22,7 +22,6 @@ class SchedulerDataItem extends DataItem{
$extra = $this->config->text[$i]["name"];
$str.="<".$extra."><![CDATA[".$this->data[$extra]."]]></".$extra.">";
}
-
if ($this->userdata !== false)
foreach ($this->userdata as $key => $value)
$str.="<".$key."><![CDATA[".$value."]]></".$key.">";
@@ -164,6 +163,8 @@ class JSONSchedulerConnector extends SchedulerConnector {
protected function xml_end() {
$this->fill_collections();
$end = (!empty($this->extra_output)) ? ', "collections": {'.$this->extra_output.'}' : '';
+ foreach ($this->attributes as $k => $v)
+ $end.=", ".$k.":\"".$v."\"";
$end .= '}';
return $end;
}
diff --git a/codebase/tree_connector.php b/codebase/tree_connector.php
index ddc21e7..d94206a 100644
--- a/codebase/tree_connector.php
+++ b/codebase/tree_connector.php
@@ -188,7 +188,11 @@ class TreeConnector extends Connector{
/*! renders self as xml, starting part
*/
public function xml_start(){
- return "<tree id='".$this->request->get_relation()."'>";
+ $attributes = "";
+ foreach($this->attributes as $k=>$v)
+ $attributes .= " ".$k."='".$v."'";
+
+ return "<tree id='".$this->request->get_relation()."'".$attributes.">";
}
/*! renders self as xml, ending part
diff --git a/codebase/xss_filter.php b/codebase/xss_filter.php
index 9018443..b68cb56 100644
--- a/codebase/xss_filter.php
+++ b/codebase/xss_filter.php
@@ -190,6 +190,8 @@ class ConnectorSecurity{
return $_SESSION["dhx_security"];
}
+
+ return "";
}
} \ No newline at end of file