protect columns

[Pman.Base] / Pman / Roo.php

diff --git a/Pman/Roo.php b/Pman/Roo.php
index 7335b3d..5334bbb 100644 (file)
--- a/Pman/Roo.php
+++ b/Pman/Roo.php
@@ -85,6 +85,9 @@ class Pman_Roo extends Pman
      *    lookup[key]=value  single fetch based on a single key value lookup.
      *                       multiple key/value can be used. eg. ontable+onid..
      *    _columns           what to return.
+     * 
+     *    _no_count          skip the default count query.
+     *                       use the number of records in the query result as the total
      *
      *    
      * JOINS:
@@ -196,7 +199,7 @@ class Pman_Roo extends Pman
         $tab = array_shift($tt);
         $x = $this->dataObject($tab);
         
-        $_columns = !empty($_REQUEST['_columns']) ? explode(',', $_REQUEST['_columns']) : false;
+        $_columns = !empty($_REQUEST['_columns']) && is_string(['_columns']) ? explode(',', $_REQUEST['_columns']) : false;
         
         if (isset( $_REQUEST['lookup'] ) && is_array($_REQUEST['lookup'] )) { // single fetch based on key/value pairs
              $this->selectSingle($x, $_REQUEST['lookup'],$_REQUEST);
@@ -266,16 +269,21 @@ class Pman_Roo extends Pman
             $xx=clone($x);
             
         }
-       
-        $total = $xx->count($this->countWhat);
+        $total = false;
+        if (!isset($_REQUEST['_no_count'])) {
+            $total = $xx->count($this->countWhat);
+        }
+        if (isset($xx->_real_total)) { // this is used when we subquery the search.
+            $total = $xx->_real_total;
+        }
         // sorting..
       //   
-        //var_dump($total);exit;
+        // var_dump($total);exit;
         $this->applySort($x);
         
         $fake_limit = false;
         
-        if (!empty($_REQUEST['_distinct']) && $total < 400) {
+        if (!empty($_REQUEST['_distinct']) && $total !== false && $total < 400) {
             $fake_limit  = true;
         }
         
@@ -307,7 +315,7 @@ class Pman_Roo extends Pman
         
         if (!empty($_REQUEST['query']['add_blank'])) {
             $ret[] = array( 'id' => 0, 'name' => '----');
-            $total+=1;
+            $total === false ? false : $total+1;
         }
          
         $rooar = method_exists($x, 'toRooArray');
@@ -338,7 +346,7 @@ class Pman_Roo extends Pman
         
         // filter results, and add any data that is needed...
         if (method_exists($x,'postListFilter')) {
-            $ret = $x->postListFilter($ret, $this->authUser, $_REQUEST);
+            $ret = $x->postListFilter($ret, $this->authUser, $_REQUEST, $this);
         }
         
         
@@ -364,7 +372,7 @@ class Pman_Roo extends Pman
         // this make take some time...
         $this->sessionState(0);
        // echo "<PRE>"; print_r($ret);
-        $this->jdata($ret, max(count($ret), $total), $extra );
+        $this->jdata($ret, max(count($ret), $total === false ? 0 : $total), $extra );
 
     
     }
@@ -746,11 +754,11 @@ class Pman_Roo extends Pman
     {
         
         // Db_DataObject::debugLevel(1);
-        $sort = empty($_REQUEST['sort']) ? $sort : $_REQUEST['sort'];
-        $dir = empty($_REQUEST['dir']) ? $dir : $_REQUEST['dir'];
+        $sort = empty($_REQUEST['sort']) || !is_string($_REQUEST['sort']) ? $sort : $_REQUEST['sort'];
+        $dir = empty($_REQUEST['dir']) || !is_string($_REQUEST['dir']) ? $dir : $_REQUEST['dir'];
         $dir = $dir == 'ASC' ? 'ASC' : 'DESC';
          
-        $ms = empty($_REQUEST['_multisort']) ? false : $_REQUEST['_multisort'];
+        $ms = empty($_REQUEST['_multisort']) || !is_string($_REQUEST['_multisort']) ? false : $_REQUEST['_multisort'];
         //var_Dump($ms);exit;
         $sorted = false;
         if (method_exists($x, 'applySort')) {
@@ -926,7 +934,7 @@ class Pman_Roo extends Pman
         }
 
         if ( $with_perm_check &&  !$this->checkPerm($x,'A', $req))  {
-            $this->jerr("PERMISSION DENIED (i)");
+            $this->jerr("PERMISSION DENIED {$x->tableName()}:checkPerm(A)");
         }
         $cols = $x->tableColumns();