Index: openacs-4/packages/acs-subsite/catalog/acs-subsite.en_US.ISO-8859-1.xml
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/acs-subsite/catalog/acs-subsite.en_US.ISO-8859-1.xml,v
diff -u -r1.4 -r1.5
--- openacs-4/packages/acs-subsite/catalog/acs-subsite.en_US.ISO-8859-1.xml	19 Dec 2002 16:20:21 -0000	1.4
+++ openacs-4/packages/acs-subsite/catalog/acs-subsite.en_US.ISO-8859-1.xml	20 Jan 2003 22:35:20 -0000	1.5
@@ -1,5 +1,5 @@
 <?xml version="1.0"?>
-<!-- Generated by lang::catalog::export_package_to_files on 2002 December 09 14:17 -->
+<!-- Generated by lang::catalog::export_messages_to_file on 2003 January 20 22:34 -->
 <message_catalog package_key="acs-subsite" package_version="4.6.1b" locale="en_US" charset="ISO-8859-1">
 
   <msg key="About_You">About You</msg>
@@ -216,6 +216,7 @@
   <msg key="to_site_link_1">restore your account to live status</msg>
   <msg key="Unauthorized_Access">Unauthorized Access</msg>
   <msg key="Unsubscribe">Unsubscribe</msg>
+  <msg key="up_to_context_name">up to %context_name%</msg>
   <msg key="Update">Update</msg>
   <msg key="update">update</msg>
   <msg key="Update_Password">Update Password</msg>
Index: openacs-4/packages/acs-subsite/www/permissions/one.adp
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/acs-subsite/www/permissions/one.adp,v
diff -u -r1.2 -r1.3
--- openacs-4/packages/acs-subsite/www/permissions/one.adp	16 Jan 2003 13:40:37 -0000	1.2
+++ openacs-4/packages/acs-subsite/www/permissions/one.adp	20 Jan 2003 22:35:34 -0000	1.3
@@ -1,8 +1,8 @@
   <master>
-    <property name="title">Permissions for @name@</property>
+    <property name="title">#acs-subsite.Permissions_for_name#</property>
     <property name="context">@context@</property>
 
-    <h3>Inherited Permissions</h3>
+    <h3>#acs-subsite.lt_Inherited_Permissions#</h3>
     <if @inherited:rowcount@ gt 0>
       <ul>
         <multiple name="inherited">
@@ -11,9 +11,9 @@
       </ul>
     </if>
     <else>
-      <p><em>No inherited permissions</em></p>
+      <p><em>#acs-subsite.none#</em></p>
     </else>
-    <h3>Direct Permissions</h3>
+    <h3>#acs-subsite.Direct_Permissions#</h3>
     <if @acl:rowcount@ gt 0>
       <form method="get" action="revoke">
         <input type=hidden name="object_id" value="@object_id@">
@@ -24,15 +24,15 @@
           </ul>
     </if>
     <else>
-      <p><em>None</em></p>
+      <p><em>#acs-subsite.none#</em></p>
     </else>
     <if @acl:rowcount@ gt 0>
-    <input type=submit value="Revoke Checked">
+    <input type=submit value="#acs-subsite.Revoke_Checked#">
     </form>
     </if>
     @controls@
 
-    <h3>Children</h3>
+    <h3>#acs-subsite.Children#</h3>
     <if @children_p@>
       <if @children:rowcount@ gt 0>
         <ul>
@@ -42,13 +42,13 @@
         </ul>
       </if>
       <else>
-        <p><em>No children</em></p>
+        <p><em>#acs-subsite.none#</em></p>
       </else>
     </if>
     <if @children_p@ eq "f">
-      <if @num_children@ gt 0> @num_children@ Children Hidden [<a href="one?object_id=@object_id@&amp;children_p=t">Show</a>]</if>
+      <if @num_children@ gt 0> #acs-subsite.lt_num_children_Children# [<a href="one?object_id=@object_id@&amp;children_p=t">#acs-subsite.Show#</a>]</if>
       <else>
-        <em>No children</em>
+        <em>#acs-subsite.none#</em>
       </else>
     </if>
-    <if @context_id@ not nil><p>[<a href="one?object_id=@context_id@">up to @context_name@</a>]</p></if>      
\ No newline at end of file
+    <if @context_id@ not nil><p>[<a href="one?object_id=@context_id@">#acs-subsite.up_to_context_name#</a>]</p></if>
Index: openacs-4/packages/acs-subsite/www/permissions/one.tcl
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/acs-subsite/www/permissions/one.tcl,v
diff -u -r1.3 -r1.4
--- openacs-4/packages/acs-subsite/www/permissions/one.tcl	7 Nov 2002 18:06:55 -0000	1.3
+++ openacs-4/packages/acs-subsite/www/permissions/one.tcl	20 Jan 2003 22:35:34 -0000	1.4
@@ -1,158 +1,50 @@
 # packages/acs-core-ui/www/acs_object/permissions/index.tcl
-
 ad_page_contract {
+    Display permissions and children for the given object_id
 
-  @author rhs@mit.edu
-  @creation-date 2000-08-20
-  @cvs-id $Id$
+    Templated + cross site scripting holes patched by davis@xarg.net
+
+    @author rhs@mit.edu
+    @creation-date 2000-08-20
+    @cvs-id $Id$
 } {
     object_id:integer,notnull
     {children_p "f"}
 }
 
+set user_id [ad_maybe_redirect_for_registration]
 ad_require_permission $object_id admin
 
-set user_id [ad_maybe_redirect_for_registration]
+set name [ad_quotehtml [db_string name {select acs_object.name(:object_id) from dual}]]
 
-set name [db_string name {select acs_object.name(:object_id) from dual}]
+set context [list [list "./" [_ acs-subsite.Permissions]] [_ acs-subsite.Permissions_for_name]]
 
-doc_body_append "[ad_header [_ acs-subsite.Permissions_for_name]]
-
-<h2>[_ acs-subsite.Permissions_for_name]</h2>
-
-[ad_context_bar [list "./" [_ acs-subsite.Permissions]] [_ acs-subsite.Permissions_for_name]]
-<hr>
-
-<h3>[_ acs-subsite.lt_Inherited_Permissions]</h3>
-
-<ul>
-"
-
-db_foreach inherited_permissions {
-  select grantee_id, grantee_name, privilege
-  from (select grantee_id, acs_object.name(grantee_id) as grantee_name,
-               privilege, 1 as counter
-        from acs_permissions_all
-        where object_id = :object_id
-        union all
-        select grantee_id, acs_object.name(grantee_id) as grantee_name,
-               privilege, -1 as counter
-        from acs_permissions
-        where object_id = :object_id)
-  group by grantee_id, grantee_name, privilege
-  having sum(counter) > 0
-} {
-  doc_body_append "  <li>$grantee_name, $privilege</li>\n"
-} if_no_rows {
-  doc_body_append "  <li>([_ acs-subsite.none])</li>\n"
+db_multirow inherited inherited_permissions { *SQL* } { 
+    set grantee_name [ad_quotehtml $grantee_name]
 }
 
-doc_body_append "
-</ul>
-
-<form method=get action=revoke>
-
-[export_form_vars object_id]
-
-<h3>[_ acs-subsite.Direct_Permissions]</h3>
-
-<ul>
-"
-
-db_foreach acl {
-  select grantee_id, acs_object.name(grantee_id) as grantee_name,
-         privilege
-  from acs_permissions
-  where object_id = :object_id
-} {
-  doc_body_append "  <li>$grantee_name, $privilege (<font size=-1><input type=checkbox name=revoke_list value=\"$grantee_id $privilege\"></font>)</li>\n"
-} if_no_rows {
-  doc_body_append "  <li>([_ acs-subsite.none])</li>\n"
+db_multirow acl acl { *SQL* } {
+    set grantee_name [ad_quotehtml $grantee_name]
 }
 
 set controls [list]
 
 lappend controls "<a href=grant?[export_url_vars object_id]>[_ acs-subsite.Grant_Permission]</a>"
 
-set context [db_string context {
-  select acs_object.name(context_id)
-  from acs_objects
-  where object_id = :object_id
-}]
+db_1row context { *SQL* }
 
-if {![empty_string_p $context]} {
-  db_1row security_inherit_p {
-    select security_inherit_p
-    from acs_objects
-    where object_id = :object_id
-  }
-
-
-  if {$security_inherit_p == "t"} {
-    lappend controls "<a href=toggle-inherit?[export_url_vars object_id]>[_ acs-subsite.lt_Dont_Inherit_Permissi]</a>"
-  } else {
-    lappend controls "<a href=toggle-inherit?[export_url_vars object_id]>[_ acs-subsite.lt_Inherit_Permissions_f]</a>"
-  }
+if { $security_inherit_p == "t" && ![empty_string_p $context_id] } {
+    lappend controls "<a href=toggle-inherit?[export_url_vars object_id]>Don't Inherit Permissions from $context_name</a>"
+} else {
+    lappend controls "<a href=toggle-inherit?[export_url_vars object_id]>Inherit Permissions from $context_name</a>"
 }
 
-doc_body_append "
-</ul>
+set controls "\[ [join $controls " | "] \]"
 
-<blockquote>
-
-\[ [join $controls " | "] \]
-
-</blockquote>
-
-<input type=submit value=\"[_ acs-subsite.Revoke_Checked]\">
-
-</form>"
-
-doc_body_append "<h3>[_ acs-subsite.Children]</h3>
-<blockquote>"
-
 if [string equal $children_p "t"] {
-
-    doc_body_append "<ul>"
-
-    db_foreach children {
-	select object_id as c_object_id,acs_object.name(object_id) as c_name
-	from acs_objects o
-	where context_id = :object_id
-              and exists (select 1
-                          from acs_object_party_privilege_map
-                          where object_id = o.object_id
-                          and party_id = :user_id
-                          and privilege = 'admin')    
-    } {
-	doc_body_append "  <li><a href=one?object_id=$c_object_id>$c_name</a></li>\n"
-    } if_no_rows {
-	doc_body_append "  <em>([_ acs-subsite.none])</em>\n"
+    db_multirow children children { *SQL* } {
+        set c_name [ad_quotehtml $c_name]
     }
-
-    doc_body_append "</ul>"
-
 } else {
-    db_1row children_count {
-	select count(*) as num_children
-	from acs_objects o
-	where context_id = :object_id
-              and exists (select 1
-                          from acs_object_party_privilege_map
-                          where object_id = o.object_id
-                          and party_id = :user_id
-                          and privilege = 'admin')    
-    }
-
-    set children_p "t"
-    doc_body_append "<em>[_ acs-subsite.lt_num_children_Children]</em> "
-    if {$num_children > 0} {
-	doc_body_append "\[<a href=\"one?[export_url_vars object_id children_p]\">[_ acs-subsite.Show]</a>\] "
-    }
+    db_1row children_count { *SQL* } 
 }
-
-
-doc_body_append "</blockquote>
-
-
-[ad_footer]"