Critical severity9.8NVD Advisory· Published May 4, 2024· Updated Apr 15, 2026
CVE-2024-34461
CVE-2024-34461
Description
Zenario before 9.5.60437 uses Twig filters insecurely in the Twig Snippet plugin, and in the site-wide HEAD and BODY elements, enabling code execution by a designer or an administrator.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
tribalsystems/zenarioPackagist | < 9.5.60437 | 9.5.60437 |
Patches
172afb59da34bThis release contains a security patch related to the usage of Twig code in the Twig
11 files changed · +134 −40
package.json+1 −1 modified@@ -34,5 +34,5 @@ "wow.js": "^1.2.2", "zxcvbn": "^4.4.2" }, - "version": "9.5.60240" + "version": "9.5.60437" } \ No newline at end of file
zenario/admin/db_updates/latest_revision_no.inc.php+1 −1 modified@@ -39,6 +39,6 @@ define('ZENARIO_MINOR_VERSION', '5'); define('ZENARIO_CHANGELOG_URL', 'https://zenar.io/zenario-95'); define('ZENARIO_IS_BUILD', true); -define('ZENARIO_REVISION', '60240'); +define('ZENARIO_REVISION', '60437'); define('TINYMCE_DIR', 'zenario/libs/manually_maintained/lgpl/tinymce_4_7_3.1/');
zenario/autoload/fun/syncInlineFileContentLink.php+1 −1 modified@@ -129,7 +129,7 @@ } //Update the Content in the cache table -$text = trim(strip_tags($content)); +$text = trim(html_entity_decode(strip_tags($content))); \ze\row::set('content_cache', ['text' => $text, 'text_wordcount' => str_word_count($text)], ['content_id' => $cID, 'content_type' => $cType, 'content_version' => $cVersion]);
zenario/autoload/phi.php+23 −1 modified@@ -42,7 +42,6 @@ class phi { private static $initRun = false; - private static $twig; private static $vars = [ 'e' => M_E, 'pi' => M_PI, @@ -52,6 +51,19 @@ class phi { ]; + private static $twig; + + //A dummy filter, just used as a work-around to block other filters from working + public static function dummyFilter() { + return ''; + } + + protected static function blockFilter($name) { + $dummyFilter = new \Twig\TwigFilter($name, ['\\ze\\phi', 'dummyFilter']); + self::$twig->addFilter($dummyFilter); + } + + private static $testing = false; private static $output = null; private static $outputs = []; @@ -134,6 +146,16 @@ public static function init() { //Include a Twig extension that enables support for breaks and continues self::$twig->addExtension(new \MNBreakAndContinueTwigExtension()); + //Remove the "filter", "map" and "reduce" filters, as these have a very bad security vulnerability + //involving executing arbitrary functions/making arbitrary CLI calls, and I don't think we + //use them anywhere anyway. + //I'm also removing the "sort" filter. I can't actually reproduce the vulnerability with this one + //but it also accepts functions as an input so I'm blocking it out of paranoia. + self::blockFilter('filter'); + self::blockFilter('map'); + self::blockFilter('reduce'); + self::blockFilter('sort'); + //Set up the whitelist of allowed functions $whitelist = [
zenario/autoload/twig.php+20 −0 modified@@ -45,6 +45,16 @@ class twig { private static $twig; + //A dummy filter, just used as a work-around to block other filters from working + public static function dummyFilter() { + return ''; + } + + protected static function blockFilter($name) { + $dummyFilter = new \Twig\TwigFilter($name, ['\\ze\\twig', 'dummyFilter']); + self::$twig->addFilter($dummyFilter); + } + public static function init() { //Initialise Twig self::$twig = new \Twig\Environment(new \Zenario_Twig_Loader(), [ @@ -55,6 +65,16 @@ public static function init() { //Add the I18n extension to add support for translating text self::$twig->addExtension(new \Twig_Extensions_Extension_I18n()); + + //Remove the "filter", "map" and "reduce" filters, as these have a very bad security vulnerability + //involving executing arbitrary functions/making arbitrary CLI calls, and I don't think we + //use them anywhere anyway. + //I'm also removing the "sort" filter. I can't actually reproduce the vulnerability with this one + //but it also accepts functions as an input so I'm blocking it out of paranoia. + self::blockFilter('filter'); + self::blockFilter('map'); + self::blockFilter('reduce'); + self::blockFilter('sort'); //Create instances of any modules that say they are usable in Twig Frameworks
zenario/js/admin_organizer.js+1 −1 modified@@ -983,7 +983,7 @@ zenarioO.go = function(path, branch, refiner, queued, lastInQueue, backwards, do if (!zenarioO.followPathOnMap(path)) { //add some debug information here - zenarioA.showMessage('The requested path "' + requestedPath + '" was not found in the system. If you have just updated or added files to the CMS, you will need to reload the page.', undefined, 'error', false, true); + zenarioA.showMessage('A script attempted to access the path "' + requestedPath + '" in Organizer, but this was not found. This may be because the current administrator does not have access to that panel, because the module for that panel is not running, or because the path does not exist. It may help to reload the page.', undefined, 'error', false, true); return false; }
zenario/js/admin_organizer.min.js+30 −30 modified@@ -21,36 +21,36 @@ branch:!0,selectedItems:k,refinerId:g,refinerName:n});k=h}}return e};a.convertNa c[c.length-1]:{path:b}};var da=function(b,c){b=c?decodeURI(W(JSON.stringify(b))):W(b);return b.r(/'/g,"'1").r(/~/g,"'2")},ea=function(b,c,d,e){var f=b.indexOf(c);if(-1!=f){c=b.substr(f+2);d.path=b.substr(0,f);try{b=c;b=b.r(/'2/g,"~").r(/'1/g,"'");var g=e?JSON.parse(decodeURIComponent(b)):decodeURIComponent(b);d.info=g}catch(h){d.info=l}return!0}return!1};a.showableColumns=function(){var b,c=[];for(b in a.sortedColumns)if(q(a.sortedColumns,b)){var d=a.sortedColumns[b];a._7fm(d,!0)&&c.push(d)}return c}; a.exportPanelAsCSV=function(){var b=a._6h1(1E4);b&&t._ok1(b,{_export:1,_csvExport:1,_exportCols:a._5ps().join(",")});a._131(!1,!0)};a.exportPanelAsExcel=function(){var b=a._6h1(1E4);b&&t._ok1(b,{_export:1,_excelExport:1,_exportCols:a._5ps().join(",")});a._131(!1,!0)};a.getAJAXURL=function(b){return a.go(a.path,l,l,l,l,l,!1,l,l,l,!1,!1,l,l,!0,b)};a.goNum=0;a.loadNum=0;a.lastSuccessfulGoNum=0;a.go=function(b,c,d,e,f,g,h,k,n,r,w,x,v,C,K,G){w||(a.lastActivity=Date.now());if(t.isFullOrganizerWindow||t._l3w("og")){if(a.stop)return!1; if(a.map&&a.initRun){m.zenarioOCheckPaths&&(delete m.zenarioOCheckPaths,m.zenarioOTargetPath&&(m.zenarioOTargetPath=a._62b(m.zenarioOTargetPath).path),m.zenarioOMinPath&&(m.zenarioOMinPath=a._62b(m.zenarioOMinPath).path),m.zenarioOMaxPath&&y(m.zenarioOMaxPath)&&(m.zenarioOMaxPath=a._62b(m.zenarioOMaxPath).path));K||a._wse();e||(m.zenarioOQueue=!1);h={};if(u(b)){if(ea(b,"~k",h,!0)){b=h.path;var H=h.info}if(ea(b,"~t",h)){b=h.path;var P=h.info}if(ea(b,"~.",h)){b=h.path;var L=h.info}ea(b,"~_",h,!0)&& -(b=h.path,C=h.info);ea(b,"~-",h)&&(b=h.path,v=h.info);L&&!Y.isOpen&&Y.open(L,H,P)}if(L=b){H=b.s("//");P=H.length;if(2<P){k=l;x=!1;if(!(K=a._c5z(H,P,!0)))return!1;u(v)&&(K[K.length-1].searchTerm=v);u(C)&&(K[K.length-1].filters=C);m.zenarioOQueue=K;a._4p(!0);return}2==P?(k=l,x=!1,b=H[0],-1==H[1].indexOf(",")&&(k=H[1])&&(P=k.length-1,"/"==k.substr(P)&&(k=k.substr(0,P),x=!0))):k||(x=!1);b=a._lj(b)}b||(b=m.zenarioONotFull?a.defaultPathInIframePreload:a.defaultPath,x=!1);if(!a._c4t(b))return t._s34('The requested path "'+ -L+'" was not found in the system. If you have just updated or added files to the CMS, you will need to reload the page.',l,"error",!1,!0),!1;var Z=++a.goNum;n||++a.loadNum;var T=!1;u(C)||(C=a._8xv(b,c,"filters"));u(v)||(v=a._8xv(b,c,"searches"));u(d)||(d=a._tx1(b,c));if(!d&&y(a._c4t(b,"refiner_required")))t._s34("A refiner was required, but none was set.",!0,"error");else{var fa,aa={};L=a.branches.length-1;if(-1!==c){T=a._8xv(b,c,"panel_instances");for(H=0;H<L;++H)if(n=a.branches[H].refiners[a.branches[H+ -1].from])aa["refiner__"+(fa=n.name)]=n.id;if(n=a.branches[L].refiners[a.path])aa["refiner__"+(fa=n.name)]=n.id;d&&(aa["refiner__"+d.name]=d.id)}T?(T.cmsSetsPath(b),T.cmsSetsRefiner(d)):T=a._pj3(b,d);var O=a._c4t(b,"default_sort_column");O||(O="name");n=a._c4t(b);T.cmsSetsPanelTUIX(n);T.cmsSetsRequestedItem(k);T.cmsSetsSearchTerm(v);C=C&&!_._ruc(C)?z.clone(C):{};for(var M in C)q(C,M)&&(L=C[M],a._a0(M,C)?(u(L.not)&&(L.not?L.not=1:delete L.not),u(L.s)&&(L.s=y(L.s))):C[M]&&(C[M]={}));u(G)||(G=1*T.returnPageSize()); -M=n.reorder;var R=T.returnDoSortingAndSearchingOnServer(),S=T.returnAJAXURL(),X=T.returnDevToolsAJAXURL(),J={};L=function(U){a.go2(b,S,X,J,c,Z,O,G,x,k,T,v,C,d,fa,aa,R,g,r,U)};if(S){m.zenarioONotFull&&(m.zenarioOSelectMode?S+="&_select_mode=1":m.zenarioOQuickMode&&(S+="&_quick_mode=1"));a._h86(J);e&&!f&&(J._queued=1);u(d)&&(J.refinerId=d.id,J.refinerName=d.name,d.languageId&&(J.languageId=d.languageId));m.zenarioOCombineItem&&(J._combineItem=m.zenarioOCombineItem);for(var I in aa)q(aa,I)&&(J[I]=aa[I]); -if(R||a.CSVExport){if(G)if(J._limit=G,J._start=a.refreshToPage?(a.refreshToPage-1)*G:0,k)J._item=k;else if(g)if("object"==typeof g&&g.selectedItemFromLastPanel)J._item=g.selectedItemFromLastPanel;else if(e=a._dr1(b))J._item=e;M&&M.column?J._sort_col=M.column:a.prefs[b]&&a.prefs[b].sortBy?(J._sort_col=a.prefs[b].sortBy,J._sort_desc=a.prefs[b].sortDesc?1:0):(J._sort_col=O,J._sort_desc=y(a._c4t(b,"default_sort_desc")))}C&&!_._ruc(C)&&(J._filters=JSON.stringify(C));(R||a.CSVExport)&&u(v)&&(J._search= -v)}if(K)return S+z._488(J);a._t9n();b!=a.defaultPathInIframePreload&&(p("organizer_preloader_circle").style.display="block");u(m.zenarioOFirstLoad)&&(m.zenarioOFirstLoad?m.zenarioOFirstLoad=!1:a._jl9(b));S?z.ajax(S+z._488(J),!1,!0,!0,!0,!0).after(L):L(n)}}else m.zenarioONotFull||(m.zenarioOQueue=[{path:b,branch:-1}])}};a.go2=function(b,c,d,e,f,g,h,k,n,r,w,x,v,C,K,G,H,P,L,Z){Z&&u(Z.comment)&&m.console&&console.log(Z.comment);if((t.isFullOrganizerWindow||t._l3w("og"))&&g==a.goNum){a._t9n();var T=a.path; -if(a.tuix){var fa=K&&a.tuix.refiners&&a.tuix.refiners[K]&&a.tuix.refiners[K].title||a.tuix.title;var aa=y(a.tuix.no_return)}a.url=c+z._488(e);a.devToolsURL=d!=c?d+z._488(e):l;a.lastRequests=e;a.path=b;a.defaultSortColumn=h;a.thisPageSize=k;a.server_side=H;a.inspectionView=n;a.inspectionViewItem=r;a.prefs[b]||(a.prefs[b]={});-1===f?a._syv():f&&a._13q(b,T,fa,aa);a.pi=a.branches[a.branches.length-1].panel_instances[a.path]=w;u(Z._filters)&&(v=Z._filters,delete Z._filters);a.branches[a.branches.length- -1].filters[a.path]=v;a._28v(x);delete a.tuix;a.tuix=Z;a.focus=a.tuix;a.pi.cmsSetsPanelTUIX(a.tuix);a.filtersSet=!1;a.filtersSetInViewOptions=!1;for(var O in v)if(q(v,O)&&a._a0(O,v)&&(a.filtersSet=!0,a._d2p(O))){a.filtersSetInViewOptions=!0;break}a._6c();a._qse(C);a.lastRefiners=G;a.tuix.columns||(a.tuix.columns={name:{title:"Name"}});(c=a._c4t(b,"reorder"))&&c.column?(a.sortBy=c.column,a.sortDesc=!1):a.prefs[b].sortBy&&a.tuix.columns[a.prefs[b].sortBy]?(a.sortBy=a.prefs[b].sortBy,a.sortDesc=a.prefs[b].sortDesc): -((h=a._c4t(b,"default_sort_column"))?a.sortBy=h:a.sortBy=a.defaultSortColumn,a.sortDesc=y(a._c4t(b,"default_sort_desc")));a.pi.cmsSetsSortColumn(a.sortBy,a.sortDesc);a.sortedColumns=a._219("columns");a.sortedItemButtons=a._219("item_buttons");a.sortedInlineButtons=a._219("inline_buttons");a.sortedCollectionButtons=a._219("collection_buttons");a.sortedQuickFilterButtons=a._219("quick_filter_buttons");a.shownColumns=a._hrx(b,h,a.tuix.columns);if(a.prefs[b].sortedColumns){c={};for(var M in a.prefs[b].sortedColumns)q(a.prefs[b].sortedColumns, -M)&&(O=a.prefs[b].sortedColumns[M],c[O]=M);h=!1;for(M in a.sortedColumns)if(q(a.sortedColumns,M)){O=a.sortedColumns[M];if(a._7fm(O,!1,!0)&&!u(c[O])){h=c[h];h=u(h)?1*h+1:0;a.prefs[b].sortedColumns.splice(h,0,O);for(var R in c)q(c,R)&&c[R]>=h&&++c[R];c[O]=h}h=O}a.sortedColumns=a.prefs[b].sortedColumns}a.tuix.items&&1==a.tuix.__item_count__&&y(a.tuix.allow_bypass)?a.branches[a.branches.length-1].bypasses[a.path]=!0:delete a.branches[a.branches.length-1].bypasses[a.path];if(!a._4p(!0)){if(a.tuix.items&& -1==a.tuix.__item_count__&&y(a.tuix.allow_bypass))if(P){if(!1!==a._g03()){a.back();return}}else{if(a.tuix.items)for(var S in a.tuix.items)if(q(a.tuix.items,S)){M={};M[S]=!0;a.pi.cmsSetsSelectedItems(M);if(a._ex1(S))return;break}}else if((!a.tuix.items||!a.tuix.__item_count__)&&y(a.tuix.return_if_empty)&&!1!==a._g03()){a.back();return}S={};R={};M={};var X,J;for(O in a.tuix.columns)if(q(a.tuix.columns,O)&&(c=a.tuix.columns[O],a._7fm(O)&&(b=c.item_link)))switch(b){case "content_item":case "content_item_or_url":for(J in a.tuix.items)if(q(a.tuix.items, -J)&&(X=a.tuix.items[J][O])&&(c=X.s("_"),c[0]&&"null"!=c[0]&&c[0]===c[0].r(/\W/,"")&&c[1]&&c[1]==1*c[1])){var I=a._urh(J);var U=a._59(J);R[I]||(R[I]={});R[I][U]=R[I][U]?R[I][U]+",":"";R[I][U]+=c[0]+"_"+c[1]}break;case "menu_item":for(J in a.tuix.items)q(a.tuix.items,J)&&(X=a.tuix.items[J][O])&&X==1*X&&(I=a._urh(J),S[I]=S[I]?S[I]+",":"",S[I]+=X);break;default:for(J in a.tuix.items)q(a.tuix.items,J)&&(X=a.tuix.items[J][O])&&(M[b]=M[b]?M[b]+",":"",M[b]+=X)}a.contentItems={};a.menuItems={};a.otherItemLinks= -{};a.itemLinkRequestsLeft=0;a.shallowLinks={content_item:"zenario__content/panels/content",content_item_or_url:"zenario__content/panels/content",menu_item:"zenario__menu/panels/menu_nodes"};for(I in R)if(q(R,I))for(U in R)q(R,U)&&R[I][U]&&(a.contentItems[I]||(a.contentItems[I]={}),a.contentItems[I][U]||(a.contentItems[I][U]={}),c=A+"zenario/admin/organizer.ajax.php?path="+a.shallowLinks.content_item+"&_get_item_links="+R[I][U]+"&languageId="+W(I),++a.itemLinkRequestsLeft,a._baq(c,I,function(ha,ia){g== -a.goNum&&(a.contentItems[ha][U]=ia,--a.itemLinkRequestsLeft||a.go3(g,x,P,L))}));for(I in S)q(S,I)&&(O=S[I])&&(a.menuItems[I]||(a.menuItems[I]={}),c=A+"zenario/admin/organizer.ajax.php?path="+a.shallowLinks.menu_item+"&_get_item_links="+W(O)+"&languageId="+W(I)+"&refinerName=language&refinerId="+W(I)+"&refiner__language="+W(I),++a.itemLinkRequestsLeft,a._baq(c,I,function(ha,ia){g==a.goNum&&(a.menuItems[ha]=ia,--a.itemLinkRequestsLeft||a.go3(g,x,P,L))}));for(b in M)q(M,b)&&(O=M[b])&&(a.otherItemLinks[b]|| -(a.otherItemLinks[b]={}),c=A+"zenario/admin/organizer.ajax.php?path="+W(b)+"&_get_item_links="+W(O),++a.itemLinkRequestsLeft,a._baq(c,b,function(ha,ia){g==a.goNum&&(a.otherItemLinks[ha]=ia,--a.itemLinkRequestsLeft||a.go3(g,x,P,L))}));a.itemLinkRequestsLeft?(a.go3Timeout&&clearTimeout(a.go3Timeout),a.go3Timeout=setTimeout(function(){a.go3(g,x,P,L)},a.getItemLinkTimeoutTime)):a.go3(g,x,P,L)}}};a.getDataHack=function(b,c,d){z.ajax(b,2E3<b.length,!0,!0,!0).after(function(e){d(c,e)})};a.go3=function(b, -c,d,e){(t.isFullOrganizerWindow||t._l3w("og"))&&b==a.goNum&&(a.lastSuccessfulGoNum=++a.goNum,a.go3Timeout&&clearTimeout(a.go3Timeout),p("organizer_preloader_circle").style.display="none",a._wkp(),!d&&a.tuix.popout_message&&(u(a.refreshToPage)&&a.tuix.popout_message==a.lastPopoutMessage||t._s34(a.tuix.popout_message,!0,!1),a.lastPopoutMessage=a.tuix.popout_message),a._7jt(c),a.firstLoaded||(a.firstLoaded=!0,t._28e()),a._f5r("loaded",!0),a._f5r("filters_set",a.filtersSet),a._f5r("filters_set_in_view_options", -a.filtersSetInViewOptions),e&&e())};a.setWrapperClass=function(b,c){$("#organizer__box_inner").removeClass("organizer_"+(c?"not_":"")+b).addClass("organizer_"+(c?"":"not_")+b)};a.itemLanguage=function(b){return b&&a.tuix&&a.tuix.items&&a.tuix.items[b]&&(!a.tuix.items[b].css_class||-1==(""+a.tuix.items[b].css_class).indexOf("ghost"))&&a.tuix.items[b].language_id?a.tuix.items[b].language_id:a.tuix&&a.tuix.key?a.tuix.key.languageId||a.tuix.key.language:""};a.itemParent=function(b){return""};a.getShownColumns= -function(b,c,d){var e=!1,f=!1,g={};a.prefs&&a.prefs[b]&&a.prefs[b].shownColumns&&(g=a.prefs[b].shownColumns);if(d)for(var h in d)q(d,h)&&(e||(e=h),y(d[h].always_show)?f=g[h]=!0:u(g[h])?g[h]&&(f=!0):y(d[h].show_by_default)&&(f=g[h]=!0));f||(g[e||c]=!0);return g};a.nextPage=function(){if(a.lockPageClicks)return!1;a.page<a.pageCount&&a._6gn(a.page+1)};a.prevPage=function(){if(a.lockPageClicks)return!1;1<a.page&&a._6gn(a.page-1)};a.goToPage=function(b){if(a.stop)return!1;a.page!=b&&a._z8s();a.lockPageClicks= -!0;a.inspectionView=!1;a.pi.resetScrollPosition();a.server_side?a._gd0(b):a._18v(b)};a.goToLastPage=function(){if(a.stop)return!1;a._6gn(a.pageCount)};a.refreshAndShowPage=function(b){a.page=b||1;a.load()};a.showPage=function(b){a.page=b;a._9u()};a.searchAndSortItems=function(b){u(a.refreshToPage)||a._ju(b);a.server_side?(a.searchedItems=a.tuix.__item_sort_order__,a.searchMatches=a.tuix.__item_count__):(u(a.searchTerm)&&"hidden"!=p("organizer_search").style.visibility?a.searchedItems=a.pi.sortAndSearchItems(b): -a.searchedItems=a.pi.sortAndSearchItems(),a.searchMatches=a.searchedItems.length);a.itemsOrder={};for(var c in a.searchedItems)if(q(a.searchedItems,c)){var d=a.searchedItems[c];a.itemsOrder[d]=1*c}b=1;if(a.thisPageSize)if(a.server_side&&a.server_side)b=a.tuix.__page__||a.refreshToPage||1;else if(u(a.refreshToPage))b=a.refreshToPage;else{if(!a.inspectionViewItem)for(d in c=a.pi.returnSelectedItems(),c)if(q(c,d)){a.inspectionViewItem=d;break}if(d=a.itemsOrder[a.inspectionViewItem])b=Math.floor(d/a.thisPageSize)+ -1}delete a.refreshToPage;a._18v(b)};a.stop=!1;a.stopWarningMessage=!1;a.disableInteraction=function(b){a.stop=!0;b&&(a.stopWarningMessage=b);$("#organizer_search_term").prop("disabled",!0);a._f5r("interaction_disabled",!0)};a.enableInteraction=function(){a.stop=!1;a.stopWarningMessage=!1;$("#organizer_search_term").prop("disabled",!1);a._f5r("interaction_disabled",!1)};a.getHeader=function(){return $("#organizer_header")};a.getPanel=function(){return $("#organizer_rightColumnContent")};a.getFooter= -function(){return $("#organizer_lowerMiddleColumn")};var ka,ja;a.setPanel=function(){var b,c=a._6em(),d=a._c1k(),e=a._bfn(),f=!1,g=0;a.multipleSelectEnabled=m.zenarioOSelectMode?m.zenarioOMultipleSelect:a.pi.returnMultipleSelectEnabled();var h=_.clone(a.pi.returnSelectedItems());for(b in h)q(h,b)&&(a.tuix.items&&a.tuix.items[b]?++g:(delete h[b],""!==b&&ka&&ka[b]&&(f=!0)));f&&0==g?ja&&a.tuix.items&&a.tuix.items[ja]&&(h[ja]=!0,++g):!a.multipleSelectEnabled&&1<g&&(h={},g=0);ka=ja=l;if(0==g&&a.inspectionViewItem&& -a.tuix.items&&a.tuix.items[a.inspectionViewItem])g=1,h={},h[a.inspectionViewItem]=!0;else if(1<g||!a.inspectionViewItem||!a.tuix.items||!a.tuix.items[a.inspectionViewItem])a.inspectionView=!1;a.pi.cmsSetsSelectedItems(h);if(b=p("organizer_debug_button"))b.className=a.refiner?a.refiner.id?"zenario_debug zenario_debug_with_refiner_and_id":"zenario_debug zenario_debug_with_refiner_and_no_id":"zenario_debug zenario_debug_with_no_refiner";a._rj7();a._piy();a._s9q();a._dt1();p("organizer__box_wrap").className= -a.pi.returnPanelClassName();a.pi.showPanel(c,d,e);a.tuix.toast&&t.toast(a.tuix.toast);a._96o();a._os();a.size(!0);a.lockPageClicks=!1;a._1a4();m.zenarioONotFull||t.openedInIframe||t.seen_help_tour||!t.show_help_tour_next_time||t._on("dummy_item",!0);t.seen_help_tour=!0;setTimeout(function(){a.size(!0)},0)};a.back=function(b){if(a.stop)return a.stopWarningMessage&&alert(a.stopWarningMessage),!1;var c={},d={};if(!1!==a._204(a.branches.length-1,a.path,"title",!1,b,!1,c)){d.selectedItemFromLastPanel= -a._dr1(c.path);a._z8s();a._2af();a._bfs();for(b=c.pops;0<b;--b)a.branches.pop();a.go(c.path,l,l,l,l,d)}};a.knownBranches={};a.lookForBranches=function(b,c,d,e){var f,g;b._path_here&&(d=b._path_here);for(f in b)if(q(b,f)&&b[f]&&"object"==typeof b[f]){var h=c?c+"/"+f:f;var k=!1;u(e)&&(g=b[f].link)&&"object"==typeof g&&("nav"!=e?g.branch=k=!0:(g.branch=k=!1,g.refiner&&g.path&&-1==g.path.indexOf("//")&&(g.path+="/refiners/"+g.refiner+"//",g.refinerId&&(g.path+=g.refinerId),g.path+="//")));"refiners"!= -e||"object"!=typeof b[f]||u(b[f].link)||(b[f].link={path:d,refiner:f},b[f].link.branch=k=!0);k&&(a.knownBranches[d]||(a.knownBranches[d]={}),a.knownBranches[d][b[f].link.path]||(a.knownBranches[d][b[f].link.path]={}),a.knownBranches[d][b[f].link.path][b[f].link.refiner||1]&&"item"==(""+a.knownBranches[d][b[f].link.path][b[f].link.refiner||1]).substr(-4)||(a.knownBranches[d][b[f].link.path][b[f].link.refiner||1]=a._lj(h)));a._1j4(b[f],h,d,f)}};a.resetBranches=function(){a.branches=[{panel_instances:{}, -bypasses:{},filters:{},refiners:{},searches:{}}]};a.branch=function(b,c,d,e){b=a._lj(b);a.branches[a.branches.length]={from:c,to:b,title:d,no_return:e,panel_instances:{},bypasses:{},filters:{},refiners:{},searches:{}}};a.setHash=function(){if(!m.zenarioONotFull){if(!z._etm(7)){var b=a._hy();D.location.hash=b;z.currentHash=D.location.hash}t.homeLink&&p("home_page_button_link")&&(p("home_page_button_link").href=a._37l(t.homeLink));t.backLink&&p("last_page_button_link")&&(p("last_page_button_link").href= -a._37l(t.backLink))}};a.getHash=function(b){var c="",d=a.path,e,f=!1;var g=!1;var h="",k=a.pi&&a.pi.returnSelectedItems(),n=Y.isOpen&&Y.path,r=Y.isOpen&&Y.openingKey,w=Y.isOpen&&Y.tuix&&Y.tuix.tab;if(!b&&k){for(var x in k)if(q(k,x)&&k[x])if(!1===g)g=x;else{g=!1;break}g&&(h=a.inspectionView?g+"/":g)}for(x in a.branches)if(q(a.branches,x)&&0<x)if(g=a.branches[x],g.to&&a.knownBranches[g.from]&&a.knownBranches[g.from][g.to]&&(e=a.knownBranches[g.from][g.to][g.refiners[g.to]?g.refiners[g.to].name:1])){e= -a._lj(e);if(v){if(e.substr(0,v.length)==v)e=a._lj(e.substr(v.length+1));else{f=!0;break}c+="//"}c+=e+"//";var v=a.branches[x-1];if(v=v.panel_instances[g.from])c+=a._9sm(v.returnSelectedItems());v=g.to}else{f=!0;break}!f&&v&&d.substr(0,v.length)==v&&(d=c+"//"+a._lj(d.substr(v.length+1)));h&&(d="//"==z._yot(d,2)?d+h:"/"==z._yot(d,1)?d+("/"+h):d+("//"+h));!b&&u(a.searchTerm)&&(d+="~-"+da(a.searchTerm));!b&&a.path&&a.branches.length&&a.branches[a.branches.length-1]&&a.branches[a.branches.length-1].filters[a.path]&& -!_._ruc(a.branches[a.branches.length-1].filters[a.path])&&(d+="~_"+da(a.branches[a.branches.length-1].filters[a.path],!0));n&&(d+="~."+da(n),w&&(d+="~t"+da(w)),r&&(d+="~k"+da(r,!0)));return d};a.searchOnClick=function(b){};a.searchOnKeyUp=function(b){a.doSearchAfterDelay&&clearTimeout(a.doSearchAfterDelay);a.doSearchAfterDelay=setTimeout(function(){a._2y6(p("organizer_search_term"))},a.searchDelayTime)};a.searchOnChange=function(b){a.server_side&&a.doSearchAfterDelay&&(clearTimeout(a.doSearchAfterDelay), +(b=h.path,C=h.info);ea(b,"~-",h)&&(b=h.path,v=h.info);L&&!Y.isOpen&&Y.open(L,H,P)}if(L=b){H=b.s("//");P=H.length;if(2<P){k=l;x=!1;if(!(K=a._c5z(H,P,!0)))return!1;u(v)&&(K[K.length-1].searchTerm=v);u(C)&&(K[K.length-1].filters=C);m.zenarioOQueue=K;a._4p(!0);return}2==P?(k=l,x=!1,b=H[0],-1==H[1].indexOf(",")&&(k=H[1])&&(P=k.length-1,"/"==k.substr(P)&&(k=k.substr(0,P),x=!0))):k||(x=!1);b=a._lj(b)}b||(b=m.zenarioONotFull?a.defaultPathInIframePreload:a.defaultPath,x=!1);if(!a._c4t(b))return t._s34('A script attempted to access the path "'+ +L+'" in Organizer, but this was not found. This may be because the current administrator does not have access to that panel, because the module for that panel is not running, or because the path does not exist. It may help to reload the page.',l,"error",!1,!0),!1;var Z=++a.goNum;n||++a.loadNum;var T=!1;u(C)||(C=a._8xv(b,c,"filters"));u(v)||(v=a._8xv(b,c,"searches"));u(d)||(d=a._tx1(b,c));if(!d&&y(a._c4t(b,"refiner_required")))t._s34("A refiner was required, but none was set.",!0,"error");else{var fa, +aa={};L=a.branches.length-1;if(-1!==c){T=a._8xv(b,c,"panel_instances");for(H=0;H<L;++H)if(n=a.branches[H].refiners[a.branches[H+1].from])aa["refiner__"+(fa=n.name)]=n.id;if(n=a.branches[L].refiners[a.path])aa["refiner__"+(fa=n.name)]=n.id;d&&(aa["refiner__"+d.name]=d.id)}T?(T.cmsSetsPath(b),T.cmsSetsRefiner(d)):T=a._pj3(b,d);var O=a._c4t(b,"default_sort_column");O||(O="name");n=a._c4t(b);T.cmsSetsPanelTUIX(n);T.cmsSetsRequestedItem(k);T.cmsSetsSearchTerm(v);C=C&&!_._ruc(C)?z.clone(C):{};for(var M in C)q(C, +M)&&(L=C[M],a._a0(M,C)?(u(L.not)&&(L.not?L.not=1:delete L.not),u(L.s)&&(L.s=y(L.s))):C[M]&&(C[M]={}));u(G)||(G=1*T.returnPageSize());M=n.reorder;var R=T.returnDoSortingAndSearchingOnServer(),S=T.returnAJAXURL(),X=T.returnDevToolsAJAXURL(),J={};L=function(U){a.go2(b,S,X,J,c,Z,O,G,x,k,T,v,C,d,fa,aa,R,g,r,U)};if(S){m.zenarioONotFull&&(m.zenarioOSelectMode?S+="&_select_mode=1":m.zenarioOQuickMode&&(S+="&_quick_mode=1"));a._h86(J);e&&!f&&(J._queued=1);u(d)&&(J.refinerId=d.id,J.refinerName=d.name,d.languageId&& +(J.languageId=d.languageId));m.zenarioOCombineItem&&(J._combineItem=m.zenarioOCombineItem);for(var I in aa)q(aa,I)&&(J[I]=aa[I]);if(R||a.CSVExport){if(G)if(J._limit=G,J._start=a.refreshToPage?(a.refreshToPage-1)*G:0,k)J._item=k;else if(g)if("object"==typeof g&&g.selectedItemFromLastPanel)J._item=g.selectedItemFromLastPanel;else if(e=a._dr1(b))J._item=e;M&&M.column?J._sort_col=M.column:a.prefs[b]&&a.prefs[b].sortBy?(J._sort_col=a.prefs[b].sortBy,J._sort_desc=a.prefs[b].sortDesc?1:0):(J._sort_col=O, +J._sort_desc=y(a._c4t(b,"default_sort_desc")))}C&&!_._ruc(C)&&(J._filters=JSON.stringify(C));(R||a.CSVExport)&&u(v)&&(J._search=v)}if(K)return S+z._488(J);a._t9n();b!=a.defaultPathInIframePreload&&(p("organizer_preloader_circle").style.display="block");u(m.zenarioOFirstLoad)&&(m.zenarioOFirstLoad?m.zenarioOFirstLoad=!1:a._jl9(b));S?z.ajax(S+z._488(J),!1,!0,!0,!0,!0).after(L):L(n)}}else m.zenarioONotFull||(m.zenarioOQueue=[{path:b,branch:-1}])}};a.go2=function(b,c,d,e,f,g,h,k,n,r,w,x,v,C,K,G,H,P,L, +Z){Z&&u(Z.comment)&&m.console&&console.log(Z.comment);if((t.isFullOrganizerWindow||t._l3w("og"))&&g==a.goNum){a._t9n();var T=a.path;if(a.tuix){var fa=K&&a.tuix.refiners&&a.tuix.refiners[K]&&a.tuix.refiners[K].title||a.tuix.title;var aa=y(a.tuix.no_return)}a.url=c+z._488(e);a.devToolsURL=d!=c?d+z._488(e):l;a.lastRequests=e;a.path=b;a.defaultSortColumn=h;a.thisPageSize=k;a.server_side=H;a.inspectionView=n;a.inspectionViewItem=r;a.prefs[b]||(a.prefs[b]={});-1===f?a._syv():f&&a._13q(b,T,fa,aa);a.pi=a.branches[a.branches.length- +1].panel_instances[a.path]=w;u(Z._filters)&&(v=Z._filters,delete Z._filters);a.branches[a.branches.length-1].filters[a.path]=v;a._28v(x);delete a.tuix;a.tuix=Z;a.focus=a.tuix;a.pi.cmsSetsPanelTUIX(a.tuix);a.filtersSet=!1;a.filtersSetInViewOptions=!1;for(var O in v)if(q(v,O)&&a._a0(O,v)&&(a.filtersSet=!0,a._d2p(O))){a.filtersSetInViewOptions=!0;break}a._6c();a._qse(C);a.lastRefiners=G;a.tuix.columns||(a.tuix.columns={name:{title:"Name"}});(c=a._c4t(b,"reorder"))&&c.column?(a.sortBy=c.column,a.sortDesc= +!1):a.prefs[b].sortBy&&a.tuix.columns[a.prefs[b].sortBy]?(a.sortBy=a.prefs[b].sortBy,a.sortDesc=a.prefs[b].sortDesc):((h=a._c4t(b,"default_sort_column"))?a.sortBy=h:a.sortBy=a.defaultSortColumn,a.sortDesc=y(a._c4t(b,"default_sort_desc")));a.pi.cmsSetsSortColumn(a.sortBy,a.sortDesc);a.sortedColumns=a._219("columns");a.sortedItemButtons=a._219("item_buttons");a.sortedInlineButtons=a._219("inline_buttons");a.sortedCollectionButtons=a._219("collection_buttons");a.sortedQuickFilterButtons=a._219("quick_filter_buttons"); +a.shownColumns=a._hrx(b,h,a.tuix.columns);if(a.prefs[b].sortedColumns){c={};for(var M in a.prefs[b].sortedColumns)q(a.prefs[b].sortedColumns,M)&&(O=a.prefs[b].sortedColumns[M],c[O]=M);h=!1;for(M in a.sortedColumns)if(q(a.sortedColumns,M)){O=a.sortedColumns[M];if(a._7fm(O,!1,!0)&&!u(c[O])){h=c[h];h=u(h)?1*h+1:0;a.prefs[b].sortedColumns.splice(h,0,O);for(var R in c)q(c,R)&&c[R]>=h&&++c[R];c[O]=h}h=O}a.sortedColumns=a.prefs[b].sortedColumns}a.tuix.items&&1==a.tuix.__item_count__&&y(a.tuix.allow_bypass)? +a.branches[a.branches.length-1].bypasses[a.path]=!0:delete a.branches[a.branches.length-1].bypasses[a.path];if(!a._4p(!0)){if(a.tuix.items&&1==a.tuix.__item_count__&&y(a.tuix.allow_bypass))if(P){if(!1!==a._g03()){a.back();return}}else{if(a.tuix.items)for(var S in a.tuix.items)if(q(a.tuix.items,S)){M={};M[S]=!0;a.pi.cmsSetsSelectedItems(M);if(a._ex1(S))return;break}}else if((!a.tuix.items||!a.tuix.__item_count__)&&y(a.tuix.return_if_empty)&&!1!==a._g03()){a.back();return}S={};R={};M={};var X,J;for(O in a.tuix.columns)if(q(a.tuix.columns, +O)&&(c=a.tuix.columns[O],a._7fm(O)&&(b=c.item_link)))switch(b){case "content_item":case "content_item_or_url":for(J in a.tuix.items)if(q(a.tuix.items,J)&&(X=a.tuix.items[J][O])&&(c=X.s("_"),c[0]&&"null"!=c[0]&&c[0]===c[0].r(/\W/,"")&&c[1]&&c[1]==1*c[1])){var I=a._urh(J);var U=a._59(J);R[I]||(R[I]={});R[I][U]=R[I][U]?R[I][U]+",":"";R[I][U]+=c[0]+"_"+c[1]}break;case "menu_item":for(J in a.tuix.items)q(a.tuix.items,J)&&(X=a.tuix.items[J][O])&&X==1*X&&(I=a._urh(J),S[I]=S[I]?S[I]+",":"",S[I]+=X);break; +default:for(J in a.tuix.items)q(a.tuix.items,J)&&(X=a.tuix.items[J][O])&&(M[b]=M[b]?M[b]+",":"",M[b]+=X)}a.contentItems={};a.menuItems={};a.otherItemLinks={};a.itemLinkRequestsLeft=0;a.shallowLinks={content_item:"zenario__content/panels/content",content_item_or_url:"zenario__content/panels/content",menu_item:"zenario__menu/panels/menu_nodes"};for(I in R)if(q(R,I))for(U in R)q(R,U)&&R[I][U]&&(a.contentItems[I]||(a.contentItems[I]={}),a.contentItems[I][U]||(a.contentItems[I][U]={}),c=A+"zenario/admin/organizer.ajax.php?path="+ +a.shallowLinks.content_item+"&_get_item_links="+R[I][U]+"&languageId="+W(I),++a.itemLinkRequestsLeft,a._baq(c,I,function(ha,ia){g==a.goNum&&(a.contentItems[ha][U]=ia,--a.itemLinkRequestsLeft||a.go3(g,x,P,L))}));for(I in S)q(S,I)&&(O=S[I])&&(a.menuItems[I]||(a.menuItems[I]={}),c=A+"zenario/admin/organizer.ajax.php?path="+a.shallowLinks.menu_item+"&_get_item_links="+W(O)+"&languageId="+W(I)+"&refinerName=language&refinerId="+W(I)+"&refiner__language="+W(I),++a.itemLinkRequestsLeft,a._baq(c,I,function(ha, +ia){g==a.goNum&&(a.menuItems[ha]=ia,--a.itemLinkRequestsLeft||a.go3(g,x,P,L))}));for(b in M)q(M,b)&&(O=M[b])&&(a.otherItemLinks[b]||(a.otherItemLinks[b]={}),c=A+"zenario/admin/organizer.ajax.php?path="+W(b)+"&_get_item_links="+W(O),++a.itemLinkRequestsLeft,a._baq(c,b,function(ha,ia){g==a.goNum&&(a.otherItemLinks[ha]=ia,--a.itemLinkRequestsLeft||a.go3(g,x,P,L))}));a.itemLinkRequestsLeft?(a.go3Timeout&&clearTimeout(a.go3Timeout),a.go3Timeout=setTimeout(function(){a.go3(g,x,P,L)},a.getItemLinkTimeoutTime)): +a.go3(g,x,P,L)}}};a.getDataHack=function(b,c,d){z.ajax(b,2E3<b.length,!0,!0,!0).after(function(e){d(c,e)})};a.go3=function(b,c,d,e){(t.isFullOrganizerWindow||t._l3w("og"))&&b==a.goNum&&(a.lastSuccessfulGoNum=++a.goNum,a.go3Timeout&&clearTimeout(a.go3Timeout),p("organizer_preloader_circle").style.display="none",a._wkp(),!d&&a.tuix.popout_message&&(u(a.refreshToPage)&&a.tuix.popout_message==a.lastPopoutMessage||t._s34(a.tuix.popout_message,!0,!1),a.lastPopoutMessage=a.tuix.popout_message),a._7jt(c), +a.firstLoaded||(a.firstLoaded=!0,t._28e()),a._f5r("loaded",!0),a._f5r("filters_set",a.filtersSet),a._f5r("filters_set_in_view_options",a.filtersSetInViewOptions),e&&e())};a.setWrapperClass=function(b,c){$("#organizer__box_inner").removeClass("organizer_"+(c?"not_":"")+b).addClass("organizer_"+(c?"":"not_")+b)};a.itemLanguage=function(b){return b&&a.tuix&&a.tuix.items&&a.tuix.items[b]&&(!a.tuix.items[b].css_class||-1==(""+a.tuix.items[b].css_class).indexOf("ghost"))&&a.tuix.items[b].language_id?a.tuix.items[b].language_id: +a.tuix&&a.tuix.key?a.tuix.key.languageId||a.tuix.key.language:""};a.itemParent=function(b){return""};a.getShownColumns=function(b,c,d){var e=!1,f=!1,g={};a.prefs&&a.prefs[b]&&a.prefs[b].shownColumns&&(g=a.prefs[b].shownColumns);if(d)for(var h in d)q(d,h)&&(e||(e=h),y(d[h].always_show)?f=g[h]=!0:u(g[h])?g[h]&&(f=!0):y(d[h].show_by_default)&&(f=g[h]=!0));f||(g[e||c]=!0);return g};a.nextPage=function(){if(a.lockPageClicks)return!1;a.page<a.pageCount&&a._6gn(a.page+1)};a.prevPage=function(){if(a.lockPageClicks)return!1; +1<a.page&&a._6gn(a.page-1)};a.goToPage=function(b){if(a.stop)return!1;a.page!=b&&a._z8s();a.lockPageClicks=!0;a.inspectionView=!1;a.pi.resetScrollPosition();a.server_side?a._gd0(b):a._18v(b)};a.goToLastPage=function(){if(a.stop)return!1;a._6gn(a.pageCount)};a.refreshAndShowPage=function(b){a.page=b||1;a.load()};a.showPage=function(b){a.page=b;a._9u()};a.searchAndSortItems=function(b){u(a.refreshToPage)||a._ju(b);a.server_side?(a.searchedItems=a.tuix.__item_sort_order__,a.searchMatches=a.tuix.__item_count__): +(u(a.searchTerm)&&"hidden"!=p("organizer_search").style.visibility?a.searchedItems=a.pi.sortAndSearchItems(b):a.searchedItems=a.pi.sortAndSearchItems(),a.searchMatches=a.searchedItems.length);a.itemsOrder={};for(var c in a.searchedItems)if(q(a.searchedItems,c)){var d=a.searchedItems[c];a.itemsOrder[d]=1*c}b=1;if(a.thisPageSize)if(a.server_side&&a.server_side)b=a.tuix.__page__||a.refreshToPage||1;else if(u(a.refreshToPage))b=a.refreshToPage;else{if(!a.inspectionViewItem)for(d in c=a.pi.returnSelectedItems(), +c)if(q(c,d)){a.inspectionViewItem=d;break}if(d=a.itemsOrder[a.inspectionViewItem])b=Math.floor(d/a.thisPageSize)+1}delete a.refreshToPage;a._18v(b)};a.stop=!1;a.stopWarningMessage=!1;a.disableInteraction=function(b){a.stop=!0;b&&(a.stopWarningMessage=b);$("#organizer_search_term").prop("disabled",!0);a._f5r("interaction_disabled",!0)};a.enableInteraction=function(){a.stop=!1;a.stopWarningMessage=!1;$("#organizer_search_term").prop("disabled",!1);a._f5r("interaction_disabled",!1)};a.getHeader=function(){return $("#organizer_header")}; +a.getPanel=function(){return $("#organizer_rightColumnContent")};a.getFooter=function(){return $("#organizer_lowerMiddleColumn")};var ka,ja;a.setPanel=function(){var b,c=a._6em(),d=a._c1k(),e=a._bfn(),f=!1,g=0;a.multipleSelectEnabled=m.zenarioOSelectMode?m.zenarioOMultipleSelect:a.pi.returnMultipleSelectEnabled();var h=_.clone(a.pi.returnSelectedItems());for(b in h)q(h,b)&&(a.tuix.items&&a.tuix.items[b]?++g:(delete h[b],""!==b&&ka&&ka[b]&&(f=!0)));f&&0==g?ja&&a.tuix.items&&a.tuix.items[ja]&&(h[ja]= +!0,++g):!a.multipleSelectEnabled&&1<g&&(h={},g=0);ka=ja=l;if(0==g&&a.inspectionViewItem&&a.tuix.items&&a.tuix.items[a.inspectionViewItem])g=1,h={},h[a.inspectionViewItem]=!0;else if(1<g||!a.inspectionViewItem||!a.tuix.items||!a.tuix.items[a.inspectionViewItem])a.inspectionView=!1;a.pi.cmsSetsSelectedItems(h);if(b=p("organizer_debug_button"))b.className=a.refiner?a.refiner.id?"zenario_debug zenario_debug_with_refiner_and_id":"zenario_debug zenario_debug_with_refiner_and_no_id":"zenario_debug zenario_debug_with_no_refiner"; +a._rj7();a._piy();a._s9q();a._dt1();p("organizer__box_wrap").className=a.pi.returnPanelClassName();a.pi.showPanel(c,d,e);a.tuix.toast&&t.toast(a.tuix.toast);a._96o();a._os();a.size(!0);a.lockPageClicks=!1;a._1a4();m.zenarioONotFull||t.openedInIframe||t.seen_help_tour||!t.show_help_tour_next_time||t._on("dummy_item",!0);t.seen_help_tour=!0;setTimeout(function(){a.size(!0)},0)};a.back=function(b){if(a.stop)return a.stopWarningMessage&&alert(a.stopWarningMessage),!1;var c={},d={};if(!1!==a._204(a.branches.length- +1,a.path,"title",!1,b,!1,c)){d.selectedItemFromLastPanel=a._dr1(c.path);a._z8s();a._2af();a._bfs();for(b=c.pops;0<b;--b)a.branches.pop();a.go(c.path,l,l,l,l,d)}};a.knownBranches={};a.lookForBranches=function(b,c,d,e){var f,g;b._path_here&&(d=b._path_here);for(f in b)if(q(b,f)&&b[f]&&"object"==typeof b[f]){var h=c?c+"/"+f:f;var k=!1;u(e)&&(g=b[f].link)&&"object"==typeof g&&("nav"!=e?g.branch=k=!0:(g.branch=k=!1,g.refiner&&g.path&&-1==g.path.indexOf("//")&&(g.path+="/refiners/"+g.refiner+"//",g.refinerId&& +(g.path+=g.refinerId),g.path+="//")));"refiners"!=e||"object"!=typeof b[f]||u(b[f].link)||(b[f].link={path:d,refiner:f},b[f].link.branch=k=!0);k&&(a.knownBranches[d]||(a.knownBranches[d]={}),a.knownBranches[d][b[f].link.path]||(a.knownBranches[d][b[f].link.path]={}),a.knownBranches[d][b[f].link.path][b[f].link.refiner||1]&&"item"==(""+a.knownBranches[d][b[f].link.path][b[f].link.refiner||1]).substr(-4)||(a.knownBranches[d][b[f].link.path][b[f].link.refiner||1]=a._lj(h)));a._1j4(b[f],h,d,f)}};a.resetBranches= +function(){a.branches=[{panel_instances:{},bypasses:{},filters:{},refiners:{},searches:{}}]};a.branch=function(b,c,d,e){b=a._lj(b);a.branches[a.branches.length]={from:c,to:b,title:d,no_return:e,panel_instances:{},bypasses:{},filters:{},refiners:{},searches:{}}};a.setHash=function(){if(!m.zenarioONotFull){if(!z._etm(7)){var b=a._hy();D.location.hash=b;z.currentHash=D.location.hash}t.homeLink&&p("home_page_button_link")&&(p("home_page_button_link").href=a._37l(t.homeLink));t.backLink&&p("last_page_button_link")&& +(p("last_page_button_link").href=a._37l(t.backLink))}};a.getHash=function(b){var c="",d=a.path,e,f=!1;var g=!1;var h="",k=a.pi&&a.pi.returnSelectedItems(),n=Y.isOpen&&Y.path,r=Y.isOpen&&Y.openingKey,w=Y.isOpen&&Y.tuix&&Y.tuix.tab;if(!b&&k){for(var x in k)if(q(k,x)&&k[x])if(!1===g)g=x;else{g=!1;break}g&&(h=a.inspectionView?g+"/":g)}for(x in a.branches)if(q(a.branches,x)&&0<x)if(g=a.branches[x],g.to&&a.knownBranches[g.from]&&a.knownBranches[g.from][g.to]&&(e=a.knownBranches[g.from][g.to][g.refiners[g.to]? +g.refiners[g.to].name:1])){e=a._lj(e);if(v){if(e.substr(0,v.length)==v)e=a._lj(e.substr(v.length+1));else{f=!0;break}c+="//"}c+=e+"//";var v=a.branches[x-1];if(v=v.panel_instances[g.from])c+=a._9sm(v.returnSelectedItems());v=g.to}else{f=!0;break}!f&&v&&d.substr(0,v.length)==v&&(d=c+"//"+a._lj(d.substr(v.length+1)));h&&(d="//"==z._yot(d,2)?d+h:"/"==z._yot(d,1)?d+("/"+h):d+("//"+h));!b&&u(a.searchTerm)&&(d+="~-"+da(a.searchTerm));!b&&a.path&&a.branches.length&&a.branches[a.branches.length-1]&&a.branches[a.branches.length- +1].filters[a.path]&&!_._ruc(a.branches[a.branches.length-1].filters[a.path])&&(d+="~_"+da(a.branches[a.branches.length-1].filters[a.path],!0));n&&(d+="~."+da(n),w&&(d+="~t"+da(w)),r&&(d+="~k"+da(r,!0)));return d};a.searchOnClick=function(b){};a.searchOnKeyUp=function(b){a.doSearchAfterDelay&&clearTimeout(a.doSearchAfterDelay);a.doSearchAfterDelay=setTimeout(function(){a._2y6(p("organizer_search_term"))},a.searchDelayTime)};a.searchOnChange=function(b){a.server_side&&a.doSearchAfterDelay&&(clearTimeout(a.doSearchAfterDelay), a._2y6(b))};a.markIfViewIsFiltered=function(){a.filteredView=u(a.searchTerm)||a.filtersSet};a.doSearch=function(b){a.doSearchAfterDelay&&clearTimeout(a.doSearchAfterDelay);""===b.value?b=l:(b=b.value,"0"!==b.substr(0,1)&&b==1*b&&(b*=1));b!==a.searchTerm&&(a.searchTerm=b,a._6c(),a._28v(a.searchTerm),a._7qc())};a.runSearch=function(){if(a.stop)return!1;a.lockPageClicks=!0;a.inspectionView=!1;a.server_side||(a.server_side=a.pi.returnDoSortingAndSearchingOnServer())?a._gd0():a._7jt(a.searchTerm)};a.allItemsSelected= function(){if(0==a.shownItemsLength)return!1;var b,c=0,d=a.pi.returnSelectedItems();for(b in d)q(d,b)&&++c;return c==a.shownItemsLength};a.noItemsSelected=function(){if(0==a.shownItemsLength)return!0;var b,c=a.pi.returnSelectedItems();for(b in c)if(q(c,b))return!1;return!0};a.parseReturnLink=function(b){return z._ozg(b)};a.panelProp=function(b,c){var d,e;if(c=c||a.tuix)return(d=a.refiner&&a.refiner.name)&&(e=c.refiners&&c.refiners[d])&&u(e[b])?e[b]:c[b]};a.saveRefiner=function(b){a.branches[a.branches.length- 1].refiners[a.path]=a.refiner=b};a.loadRefiner=function(b,c){return-1===c||c?l:a.branches[a.branches.length-1].refiners[b]?a.branches[a.branches.length-1].refiners[b]:l};a.clearRefiner=function(){a.refiner=l;a._qse()};a.saveSearch=function(b){a.branches[a.branches.length-1].searches[a.path]=b;a.pi.cmsSetsSearchTerm(b)};a.loadFromBranches=function(b,c,d){return-1===c||c?l:a.branches[a.branches.length-1]&&a.branches[a.branches.length-1][d]&&a.branches[a.branches.length-1][d][b]?a.branches[a.branches.length-
zenario/js/panel_type_hierarchy_with_lazy_load.js+3 −0 modified@@ -103,6 +103,9 @@ methods.returnSearchingEnabled = function() { }; methods.returnDoSortingAndSearchingOnServer = function() { + + //If we're not actually showing the hierarchy view, and are showing a flat list instead, + //we should use the server-side ordering. if (!thus.showFlatView()) { return false; } else {
zenario/modules/zenario_common_features/classes/organizer/menu_nodes.php+51 −0 modified@@ -65,6 +65,57 @@ public function preFillOrganizerPanel($path, &$panel, $refinerName, $refinerId, $panel['custom__content_types_with_categories'] = ze\ray::valuesToKeys(ze\row::getValues('content_types', 'content_type_id', ['enable_categories' => 1])); } + + + //Some specific code to handle sorting items whilst searching in flat view. + //When not searching, items will be displayed in hierarchy view, and the JavaScript in the panel instance + //will need things sorted by the ordinal in each level. + //However when we are doing a search, hierarchy view will be switched off and items will be shown in flat view. + //We need to write some SQL to make sure they are sorted in the correct hierarchical order. + if (isset($_GET['_search'])) { + + //Work out what the largest possible depth is in the menu. + //(N.b. this field has an index so this query should be fast.) + $largestMenuDepth = (int) ze\sql::fetchValue("SELECT MAX(separation) FROM ". DB_PREFIX. "menu_hierarchy"); + + //Special case: + //If there are no menu nodes that are children of other menu nodes, we can just leave the sort column + //as the ordinal and skip this step. + if ($largestMenuDepth > 0) { + + //Start writing the SQL needed to sort the matched menu nodes into order hierarchically. + $join = ''; + $sortCol = 'mi.ordinal'; + + //For every possible parent-child relationship, add a new table join, + //and then add that table join to the ordinal column. + //The logic I've written below will show all of the top level nodes first, + //then second level, and so on. After that they'll be sorted in hierarchical menu node order. + //You could use different logic than that, but only if you could work out a way to write the joins/SQL. + for ($i = 1; $i <= $largestMenuDepth; ++$i) { + $l = $i - 1; + + $join .= ' + LEFT JOIN '. DB_PREFIX. 'menu_nodes AS p'. $i; + + if ($i == 1) { + $join .= ' + ON mi.parent_id != 0 + AND p'. $i. '.id = mi.parent_id'; + } else { + $join .= ' + ON p'. $l. '.parent_id != 0 + AND p'. $i. '.id = p'. $l. '.parent_id'; + } + + $sortCol = 'p'. $i. '.ordinal, '. $sortCol; + } + + + $panel['db_items']['table'] .= $join; + $panel['columns']['ordinal']['sort_column'] = $sortCol; + } + } } public function fillOrganizerPanel($path, &$panel, $refinerName, $refinerId, $mode) {
zenario/modules/zenario_common_features/tuix/organizer/content_items.yaml+2 −3 modified@@ -1286,10 +1286,9 @@ zenario__content: delete_archives: priv: _PRIV_PUBLISH_CONTENT_ITEM - visible_if_for_all_selected_items: | - zenarioA.checkSpecificPerms(id) visible_if_for_any_selected_items: | - item.archives_exist + item.archives_exist && + zenarioA.checkSpecificPerms(id) parent: action_dropdown hide_in_select_mode: true label: Delete archived versions
zenario/modules/zenario_ctype_document/tuix/organizer/content.yaml+1 −2 modified@@ -25,12 +25,11 @@ zenario__content: zenario_ctype_document__rescan_extract: priv: _PRIV_EDIT_DRAFT visible_if_for_all_selected_items: | + item.type == 'document' && zenarioA.checkSpecificPerms(id) parent: action_dropdown label: Rescan text/image extract multiple_select: true - visible_if_for_all_selected_items: | - item.type == 'document' ajax: confirm: message: |
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
4News mentions
0No linked articles in our index yet.