--- docman.php	2002/07/29 12:04:43	1.27
+++ docman.php	2002/07/29 12:53:50	1.30
@@ -230,7 +230,7 @@
 	}
 	if ( !$file_lock && $ext!="" && strstr(join(' ',$gblImages),$ext) ) {  
 		$info  = getimagesize($fsPath) ;
-		$tstr = "<IMG SRC=\"$webRoot".urlpath($relPath)."\" BORDER=0 " ;
+		$tstr = "<IMG SRC=\"$self?A=V&D=".urlpath(dirname($relPath))."&F=".urlpath(basename($relPath))."\" BORDER=0 " ;
 		$tstr .= $info[3] . " ALT=\"" . $fn . " - " ;
 		$tstr .= (int)(($fsize+1023)/1024) . "Kb\">" ;
 //		echo htmlentities($tstr) . "<BR><BR>" . $tstr ;
@@ -481,18 +481,10 @@
 
 //////////////////////////////////////////////////////////////////
 
-function GifIcon($txt) {
-	global $gblIconLocation ;
+function GifIcon($txt = "") {
+	global $gblIconLocation, $gblImages ;
 
 	switch (strtolower($txt)) {
-	case ".bmp" :
-	case ".gif" :
-	case ".jpg" :
-	case ".jpeg":
-	case ".tif" :
-	case ".tiff": 
-		$d = "image2.gif" ;
-		break ;
 	case ".doc" :
 		$d = "layout.gif" ;
 		break ;
@@ -570,9 +562,14 @@
 		$d = "quill.gif";
 		break;
 	default :
-		$d = "generic.gif" ;
+		if (in_array(strtolower($txt),$gblImages)) {
+			$d = "image2.gif" ;
+		} else {
+			$d = "generic.gif" ;
+		}
 	}
 
+
 	return "<IMG SRC=\"$gblIconLocation" . $d . "\" BORDER=0>" ;
 } // end function GifIcon
 
@@ -1011,6 +1008,9 @@
 	$file=basename($target);
 
 	$note=fopen("$dir/.note/$file","w");
+	if (! $note) {
+		Error("Error writing note","Can't open note file <tt>$dir/.note/$file</tt> for writing",1);
+	}
 	fputs($note,"$msg\n");
 	fclose($note);
 
@@ -1769,6 +1769,9 @@
 			$target = "$fsDir/$FILENAME";
 		}
 
+		if (! check_perm("$relDir/".basename($target), trperm_w))
+			Error("Access denied","User <tt>$gblLogin</tt> tried to upload <tt>$relDir/".basename($target)."</tt> without valid trustee.",1);
+
 		// backup old files first
 		$dir=dirname($target);
 		if (! file_exists($dir."/.bak")) {
@@ -1797,10 +1800,14 @@
 	case "SAVE" :
 		$path = $gblFsRoot . $RELPATH ;
 		$path=stripSlashes($path);
+
+		if (! check_perm("$RELPATH", trperm_w))
+			Error("Access denied","User <tt>$gblLogin</tt> tried to save <tt>$RELPATH</tt> without valid trustee.",1);
+
 		$writable = is_writeable($path) ;
 		$legaldir = is_writeable(dirname($path)) ;
 		$exists   = (file_exists($path)) ? 1 : 0 ; 
-// check for legal extension here as well
+		// FIX: more verbose error message
 	 	if (!($writable || (!$exists && $legaldir))) 
 			Error("Write denied",$RELPATH) ;
 		$fh = fopen($path, "w") ;
@@ -1895,6 +1902,9 @@
 		if (substr($FN,0,4) != ".del") break ;
 		$file=substr($FN,4,strlen($FN)-4);
 
+		if (! check_perm("$relDir/$file", trperm_w))
+			Error("Access denied","User <tt>$gblLogin</tt> tried to undelete <tt>$relDir/$file</tt> without valid trustee.",1);
+
 		LogIt("$fsDir/.del/$file","undeleted",trperm_w);
 		MoveTo("$fsDir/.del/$file","$fsDir/");
 		MoveTo("$fsDir/.del/.log/$file","$fsDir/.log/");
@@ -1918,9 +1928,13 @@
 		safe_rename($fsDir,$FN,$NEWNAME);
 		break ;
 
-	case "NOTE" :  
-		$NOTE=stripSlashes($HTTP_POST_VARS["NOTE"]);
-		WriteNote("$fsDir/$FN","$NOTE");
+	case "NOTE" :
+		if (! HTTP_POST_VAR("NOTE"))
+			Error("Can't add note to object","Can't find var <tt>\$NOTE</tt>",1);
+		if (! check_perm("$relDir/$FN", trperm_w))
+			Error("Access denied","User <tt>$gblLogin</tt> tried to add note to <tt>$relDir/$FN</tt> without valid trustee.",1);
+
+		WriteNote("$fsDir/$FN",$NOTE);
 		break ;
 
 	case "UNLOCK" :  
@@ -1938,7 +1952,7 @@
 		header("Location: ".$tstr) ;   
 		exit ;
  	}
-	
+
 	// check for mode.. navigate, code display, upload, or detail?
 	// $A=U : upload to path given in $D
 	// $A=E : display detail of file $D/$F and edit