• R/O
  • HTTP
  • SSH
  • HTTPS

pukiwiki: Commit


Commit MetaInfo

Revisiona1e83eb7cdd3a0af4629817701104287c051cdc3 (tree)
Time2017-02-16 02:36:50
Authorumorigu <umorigu@gmai...>
Commiterumorigu

Log Message

BugTrack/598 Stop reading page that is not readable as template

Change Summary

Incremental Difference

--- a/lib/auth.php
+++ b/lib/auth.php
@@ -1,7 +1,7 @@
11 <?php
22 // PukiWiki - Yet another WikiWikiWeb clone
3-// $Id: auth.php,v 1.22 2011/01/25 15:01:01 henoheno Exp $
4-// Copyright (C) 2003-2005, 2007 PukiWiki Developers Team
3+// auth.php
4+// Copyright 2003-2017 PukiWiki Development Team
55 // License: GPL v2 or (at your option) any later version
66 //
77 // Authentication related functions
@@ -154,16 +154,16 @@ function pkwk_ldap_escape_dn($value) {
154154 // Basic-auth related ----
155155
156156 // Check edit-permission
157-function check_editable($page, $auth_flag = TRUE, $exit_flag = TRUE)
157+function check_editable($page, $auth_enabled = TRUE, $exit_on_fail = TRUE)
158158 {
159159 global $script, $_title_cannotedit, $_msg_unfreeze;
160160
161- if (edit_auth($page, $auth_flag, $exit_flag) && is_editable($page)) {
161+ if (edit_auth($page, $auth_enabled, $exit_on_fail) && is_editable($page)) {
162162 // Editable
163163 return TRUE;
164164 } else {
165165 // Not editable
166- if ($exit_flag === FALSE) {
166+ if ($exit_on_fail === FALSE) {
167167 return FALSE; // Without exit
168168 } else {
169169 // With exit
@@ -179,31 +179,32 @@ function check_editable($page, $auth_flag = TRUE, $exit_flag = TRUE)
179179 }
180180 }
181181
182-// Check read-permission
183-function check_readable($page, $auth_flag = TRUE, $exit_flag = TRUE)
184-{
185- return read_auth($page, $auth_flag, $exit_flag);
182+/**
183+ * Whether the page is readable from current user or not.
184+ */
185+function is_page_readable($page) {
186+ global $read_auth_pages;
187+ return _is_page_accessible($page, $read_auth_pages);
186188 }
187189
188-function edit_auth($page, $auth_flag = TRUE, $exit_flag = TRUE)
189-{
190- global $edit_auth, $edit_auth_pages, $_title_cannotedit;
191- return $edit_auth ? basic_auth($page, $auth_flag, $exit_flag,
192- $edit_auth_pages, $_title_cannotedit) : TRUE;
190+/**
191+ * Whether the page is writable from current user or not.
192+ */
193+function is_page_writable($page) {
194+ global $edit_auth_pages;
195+ return _is_page_accessible($page, $edit_auth_pages);
193196 }
194197
195-function read_auth($page, $auth_flag = TRUE, $exit_flag = TRUE)
196-{
197- global $read_auth, $read_auth_pages, $_title_cannotread;
198- return $read_auth ? basic_auth($page, $auth_flag, $exit_flag,
199- $read_auth_pages, $_title_cannotread) : TRUE;
200-}
198+/**
199+ * Get whether a current auth user can access the page
200+ *
201+ * @param $page page name
202+ * @param $auth_pages pagepattern -> groups map
203+ * @return true if a current user can access the page
204+ */
205+function _is_page_accessible($page, $auth_pages) {
206+ global $auth_method_type, $auth_user_groups, $auth_user;
201207
202-// Basic authentication
203-function basic_auth($page, $auth_flag, $exit_flag, $auth_pages, $title_cannot)
204-{
205- global $auth_method_type, $auth_users, $_msg_auth, $auth_user, $auth_groups;
206- global $auth_user_groups, $auth_type, $g_query_string;
207208 // Checked by:
208209 $target_str = '';
209210 if ($auth_method_type == 'pagename') {
@@ -211,22 +212,96 @@ function basic_auth($page, $auth_flag, $exit_flag, $auth_pages, $title_cannot)
211212 } else if ($auth_method_type == 'contents') {
212213 $target_str = join('', get_source($page)); // Its contents
213214 }
214-
215215 $user_list = array();
216- foreach($auth_pages as $key=>$val)
217- if (preg_match($key, $target_str))
216+ foreach($auth_pages as $key=>$val) {
217+ if (preg_match($key, $target_str)) {
218218 $user_list = array_merge($user_list, explode(',', $val));
219-
219+ }
220+ }
220221 if (empty($user_list)) return TRUE; // No limit
222+ if (!$auth_user) {
223+ // Current user doesen't yet log in.
224+ return FALSE;
225+ }
226+ if (count(array_intersect($auth_user_groups, $user_list)) === 0) {
227+ return FALSE;
228+ }
229+ return TRUE;
230+}
221231
222- $matches = array();
223- if (PKWK_READONLY ||
224- ! $auth_user ||
225- count(array_intersect($auth_user_groups, $user_list)) === 0)
226- {
232+/**
233+ * Ensure the page is readable, or show Login UI.
234+ * @param $page page
235+ */
236+function ensure_page_readable($page) {
237+ global $read_auth, $read_auth_pages, $_title_cannotread;
238+ if (!$read_auth) {
239+ return true;
240+ }
241+ return basic_auth($page, true, true,
242+ $read_auth_pages, $_title_cannotread);
243+}
244+
245+/**
246+ * Ensure the page is writable, or show Login UI.
247+ * @param $page page
248+ */
249+function ensure_page_writable($page) {
250+ global $edit_auth, $edit_auth_pages, $_title_cannotedit;
251+ if (!$edit_auth) {
252+ return true;
253+ }
254+ return basic_auth($page, true, true,
255+ $edit_auth_pages, $_title_cannotedit);
256+}
257+
258+/**
259+ * Check a page is readable or not, show Auth UI in some cases.
260+ *
261+ * @param $page page name
262+ * @param $auth_enabled true if auth is available (Normally true)
263+ * @param $exit_on_fail (Normally true)
264+ * @return true if the page is readable
265+ */
266+function check_readable($page, $auth_enabled = TRUE, $exit_on_fail = TRUE)
267+{
268+ return read_auth($page, $auth_enabled, $exit_on_fail);
269+}
270+
271+function edit_auth($page, $auth_enabled = TRUE, $exit_on_fail = TRUE)
272+{
273+ global $edit_auth, $edit_auth_pages, $_title_cannotedit;
274+ return $edit_auth ? basic_auth($page, $auth_enabled, $exit_on_fail,
275+ $edit_auth_pages, $_title_cannotedit) : TRUE;
276+}
277+
278+function read_auth($page, $auth_enabled = TRUE, $exit_on_fail = TRUE)
279+{
280+ global $read_auth, $read_auth_pages, $_title_cannotread;
281+ return $read_auth ? basic_auth($page, $auth_enabled, $exit_on_fail,
282+ $read_auth_pages, $_title_cannotread) : TRUE;
283+}
284+
285+/**
286+ * Authentication
287+ *
288+ * @param $page page name
289+ * @param $auth_enabled true if auth is available
290+ * @param $exit_on_fail Show forbidden message and stop all following processes
291+ * @param $auth_pages accessible users -> pages pattern map
292+ * @param $title_cannot forbidden message
293+ */
294+function basic_auth($page, $auth_enabled, $exit_on_fail, $auth_pages, $title_cannot)
295+{
296+ global $auth_users, $_msg_auth, $auth_user;
297+ global $auth_type, $g_query_string;
298+ $is_accessible = _is_page_accessible($page, $auth_pages);
299+ if ($is_accessible) {
300+ return TRUE;
301+ } else {
227302 // Auth failed
228303 pkwk_common_headers();
229- if ($auth_flag && !$auth_user) {
304+ if ($auth_enabled && !$auth_user) {
230305 if (AUTH_TYPE_BASIC === $auth_type) {
231306 header('WWW-Authenticate: Basic realm="' . $_msg_auth . '"');
232307 header('HTTP/1.0 401 Unauthorized');
@@ -244,7 +319,7 @@ function basic_auth($page, $auth_flag, $exit_flag, $auth_pages, $title_cannot)
244319 header('Location: ' . $loginurl);
245320 }
246321 }
247- if ($exit_flag) {
322+ if ($exit_on_fail) {
248323 $body = $title = str_replace('$1',
249324 htmlsc(strip_bracket($page)), $title_cannot);
250325 $page = str_replace('$1', make_search($page), $title_cannot);
@@ -252,8 +327,6 @@ function basic_auth($page, $auth_flag, $exit_flag, $auth_pages, $title_cannot)
252327 exit;
253328 }
254329 return FALSE;
255- } else {
256- return TRUE;
257330 }
258331 }
259332
--- a/plugin/edit.inc.php
+++ b/plugin/edit.inc.php
@@ -1,7 +1,7 @@
11 <?php
22 // PukiWiki - Yet another WikiWikiWeb clone.
33 // edit.inc.php
4-// Copyright (C) 2001-2016 PukiWiki Development Team
4+// Copyright 2001-2017 PukiWiki Development Team
55 // License: GPL v2 or (at your option) any later version
66 //
77 // Edit plugin (cmd=edit)
@@ -42,12 +42,14 @@ function plugin_edit_preview()
4242 $page = isset($vars['page']) ? $vars['page'] : '';
4343
4444 // Loading template
45- if (isset($vars['template_page']) && is_page($vars['template_page'])) {
46- $vars['msg'] = remove_author_info(get_source($vars['template_page'], TRUE, TRUE));
47- // Cut fixed anchors
48- $vars['msg'] = preg_replace('/^(\*{1,3}.*)\[#[A-Za-z][\w-]+\](.*)$/m', '$1$2', $vars['msg']);
45+ $template_page;
46+ if (isset($vars['template_page']) && is_page($template_page = $vars['template_page'])) {
47+ if (is_page_readable($template_page)) {
48+ $vars['msg'] = remove_author_info(get_source($vars['template_page'], TRUE, TRUE));
49+ // Cut fixed anchors
50+ $vars['msg'] = preg_replace('/^(\*{1,3}.*)\[#[A-Za-z][\w-]+\](.*)$/m', '$1$2', $vars['msg']);
51+ }
4952 }
50-
5153 $vars['msg'] = preg_replace(PLUGIN_EDIT_FREEZE_REGEX, '', $vars['msg']);
5254 $postdata = $vars['msg'];
5355
Show on old repository browser