From d1b62b480279f6ef7943b96e9ae35e581c8a4e67 Mon Sep 17 00:00:00 2001 From: x2000habouzit Date: Sat, 22 Jul 2006 12:53:15 +0000 Subject: [PATCH] no more smarty in the templates, that was a BIG security flaw !!! removed 90% of the security scheme, we will build one outside from pmwiki, with our own credentials, filtered at wiki.php time. cache is still used, and assigned to a smarty variable, outputed raw git-svn-id: svn+ssh://murphy/home/svn/platal/trunk@557 839d8a87-29fc-0310-9880-83ba4fa771e5
---
 htdocs/.htaccess | 2 +- htdocs/css/wiki.css | 20 ++++---- htdocs/wiki.php | 16 ++++-- plugins/pmwiki.platalAuth.php | 112 +----------------------------------------- templates/wiki.tpl | 56 +++++++++++++++++++++ 5 files changed, 79 insertions(+), 127 deletions(-) create mode 100644 templates/wiki.tpl
diff --git a/htdocs/.htaccess b/htdocs/.htaccess
index 8ef633e..73d78b6 100644
--- a/htdocs/.htaccess
+++ b/htdocs/.htaccess
@@ -1,7 +1,7 @@
 Options +FollowSymLinks
 RewriteEngine on
-RewriteBase /~x2002bobillot
+RewriteBase /~x2000habouzit
 # wiki
diff --git a/htdocs/css/wiki.css b/htdocs/css/wiki.css
index 4dcaec1..4c16034 100644
--- a/htdocs/css/wiki.css
+++ b/htdocs/css/wiki.css
@@ -1,16 +1,16 @@
-div.frame {
- border-collapse: collapse;
- margin: 0px; padding: 0px;
+table.wiki {
+ margin-left: auto;
+ margin-right: auto;
+ border: 1px dotted gray;
 }
-div.frame p { padding: 0px; margin: 0px; }
-div.frame a {
- border-collapse: collapse;
- float: left;
- display: block;
+table.wiki td {
 padding: 2px 1em;
- border-top: 1px dotted gray;
- border-bottom: 1px dotted gray;
+ vertical-align: middle;
+}
+
+table.wiki select {
+ font-size: 80%;
 }
 div.frame br {
diff --git a/htdocs/wiki.php b/htdocs/wiki.php
index be90e7c..490e261 100644
--- a/htdocs/wiki.php
+++ b/htdocs/wiki.php
@@ -21,7 +21,7 @@ require_once 'xorg.inc.php';
-new_skinned_page('');
+new_skinned_page('wiki.tpl');
 if (!S::identified()) { XorgSession::doAuth(); }
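Review bot: The committed `RewriteBase /~x2000habouzit` in the .htaccess hunk is a per-developer home-directory path, and the hunk merely swaps one developer's value for another's. A value that changes with whoever last committed belongs in a local, untracked override or a deployment-time substitution rather than in the tracked file, otherwise every checkout and the production host keep fighting over this one line.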
@@ -51,20 +51,26 @@ if ($n = wiki_pagename()) {
 if (Env::get('action')) {
 // clean old tmp files
 wiki_clean_tmp();
- $page->assign('xorg_extra_header', substr($wikiAll, 0, $i));
 // create new tmp files with editing page from wiki engine
- $wiki_template = wiki_create_tmp(substr($wikiAll, $j));
+ $page->assign('xorg_extra_header', substr($wikiAll, 0, $i));
+ $wikiAll = substr($wikiAll, $j);
+ $wiki_template = wiki_create_tmp($wikiAll);
 } else {
 if (!$tmpfile_exists) {
 $f = fopen($wiki_template, 'w');
- fputs($f, substr($wikiAll, $j));
+ $wikiAll = substr($wikiAll, $j);
+ fputs($f, $wikiAll);
 fclose($f);
+ } else {
+ $wikiAll = file_get_contents($wiki_template);
 }
 }
+
+ $page->assign('wikipage', str_replace('.', '/', $n));
 }
-$page->changeTpl($wiki_template);
+$page->assign('pmwiki', $wikiAll);
 wiki_assign_auth();
 $page->addCssLink('css/wiki.css');
diff --git a/plugins/pmwiki.platalAuth.php b/plugins/pmwiki.platalAuth.php
index 0950b38..2c05253 100644
--- a/plugins/pmwiki.platalAuth.php
+++ b/plugins/pmwiki.platalAuth.php
@@ -10,92 +10,10 @@ $Conditions['public'] = 'true';
 $HandleAuth['diff'] = 'edit';
 $HandleAuth['source'] = 'edit';
-$InputTags['e_textarea'][':html'] = "";
-
 // impossible to see the diff without the source because of the smarty tags
 $DiffShow['source'] = 'y';
 $DiffSourceFmt = '';
-$DiffStartFmt = "{literal}
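Review bot: `$page->assign('pmwiki', $wikiAll);` is placed after the closing brace of the `if ($n = wiki_pagename())` block, yet within this hunk `$wikiAll` is only assigned inside that block, and the new `else` branch stores the unchecked result of `file_get_contents($wiki_template)`, which is `false` when the cached template cannot be read. Unless `$wikiAll` is initialised before line 51 (outside the hunk), a request without a page name or with an unreadable cache file hands `null`/`false` to the template, which prints the variable unescaped. Guarding the read, `$wikiAll = file_get_contents($wiki_template); if ($wikiAll === false) { $wikiAll = ''; }`, together with an initial `$wikiAll = '';` ahead of the block would cover both cases. The `fopen($wiki_template, 'w')` return a few lines earlier is likewise not checked before `fputs` uses it.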
\$DiffTime \$[by] \$DiffAuthor
"; -$DiffEndFmt = "
{/literal}";
-
-// compute permissions based on the permission string (key)
-// if could is true, compute permission that could be enabled with a mdp
-// if smarty is true, return a string to insert in a smarty if tag
-// otherwise return true or false
-function authPerms($pagename, $key, $could=false, $smarty=false)
-{
- $words = explode(' ', $key);
- $auth = $smarty?"":false;
- $and = false;
- foreach ($words as $word) {
- if (strpos($word, '@') === 0) $word = substr($word,1);
- $iauth = false;
- if ($word == 'and:') {
- $and = true;
- continue;
- }
- $parts = explode(':', $word);
- $cond = $parts[0];
- $param = $parts[1];
- if ($cond == 'identified' && $could) {
- $cond = 'logged';
- }
- if ($smarty) {
- $iauth = '$'.$cond.($param?(' eq "'.$param.'"'):'');
- } else {
- if (strpos($cond, "smarty.") === 0) {
- $vars = explode('.', $cond);
- $iauth = false;
- switch ($vars[1])
- {
- case 'session':$iauth = S::v($vars[2]) == $param; break;
- case 'request':$iauth = Env::get($vars[2]) == $param; break;
- }
- }
- else $iauth = CondText($pagename, 'if '.$cond.' 
'.$param, true); }
-
- if ($and) {
- if ($smarty)
- $auth = ($auth?"($auth) and ":"").$iauth;
- else
- $auth &= $iauth;
- } else {
- if ($smarty)
- $auth = ($auth?"($auth) or ":"").$iauth;
- else
- $auth |= $iauth;
- }
- $and = false;
- }
- return $auth;
-}
-
-// try to find the best permission for a given page and a given level of auth
-// in order: page > site
-function TryAllAuths($pagename, $level, $page_read)
-{
- global $DefaultPasswords;
- if (isset($page_read['passwd'.$level]) && $page_read['passwd'.$level] != '*') {
- return array('page', $page_read['passwd'.$level]);
- }
- if (isset($DefaultPasswords[$level])) {
- return array('site', $DefaultPasswords[$level]);
- }
- return array('none', '');
-}
-
-function auth_pmwiki_to_smarty($text, $pass)
-{
- $ifc = authPerms("", $pass, false, true);
- if (!$ifc)
- return "";
- return "{if $ifc}\n".$text."\n{else}(:div class='erreur':Droits insuffisants.:){/if}";
-}
-
 // for read pages: will come only once so we have to be careful
 // and translate any auth from the wiki to smarty auth
 function AuthPlatal($pagename, $level, $authprompt)
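Review bot: The kept comment `// impossible to see the diff without the source because of the smarty tags` above `$DiffShow['source'] = 'y';` now justifies a setting with a constraint this very commit removes along with `$DiffStartFmt`/`$DiffEndFmt`, and the retained header of `AuthPlatal` still says `// and translate any auth from the wiki to smarty auth` although the translation helpers (`authPerms`, `auth_pmwiki_to_smarty`, `TryAllAuths`) are deleted in this hunk. Either drop `$DiffShow['source']` together with its stale reason, or reword the comment to state why source diffs are still forced now that no template tags are injected. For the function header, `// for read pages: called once per page; access is decided on platal permissions only` would describe the code that remains. The body of `AuthPlatal` continues past the end of this hunk.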
@@ -106,39 +24,11 @@ function AuthPlatal($pagename, $level, $authprompt)
 $levels = array('read', 'attr', 'edit', 'upload');
- foreach ($levels as $l) {
- list($from, $pass) = TryAllAuths($pagename, $l, $page_read);
- $passwds[$l] = $pass;
- $pwsources[$l] = $from;
- }
-
- $canedit = authPerms($pagename, $passwds['edit'], true, true);
- $canattr = authPerms($pagename, $passwds['attr'], true, true);
- $panel = "{if ($canedit) or ($canattr)}\n";
- $panel .= ">>frame<<\n";
- $panel .= "[[{\$FullName}|Voir la page]]";
- $panel .= "{if ($canedit)}\n";
- $panel .= "[[{\$FullName}?action=edit |Editer]]";
- $panel .= "[[{\$FullName}?action=diff |Historique]]";
- $panel .= "[[{\$FullName}?action=upload |Upload]]";
- $panel .= "{/if}{if ($canattr)}\n";
- $panel .= "[[{\$FullName}?action=attr |Droits]]";
- $panel .= "{/if}\n";
- $panel .= "\\\\\n\n";
- $panel .= ">><<\n";
- $panel .= "{/if}\n";
-
- if ((S::identified() && S::has_perms()) || authPerms($pagename, $passwds[$level]))
+ if (S::identified() && S::has_perms())
 {
 $page_read['=passwd'] = $passwds;
 $page_read['=pwsource'] = $pwsources;
- // if try to read, add the permission limitation as a smarty if tag
- if ($level == 'read') {
- $page_read['text'] = auth_pmwiki_to_smarty($page_read['text'], $passwds['read']);
- $page_read['text'] = $panel.$page_read['text'];
- }
-
 return $page_read;
 }
diff --git a/templates/wiki.tpl b/templates/wiki.tpl
new file mode 100644
index 0000000..07355ec
--- /dev/null
+++ b/templates/wiki.tpl
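Review bot: `$page_read['=passwd'] = $passwds;` and `$page_read['=pwsource'] = $pwsources;` are kept, but the `foreach` that populated `$passwds` and `$pwsources` is removed in this hunk, so unless both are set earlier in `AuthPlatal` (its opening is outside the hunk) the two assignments now write undefined variables (`null`, with a PHP notice) into the page attributes. `$levels` is likewise still assigned but no longer read by anything visible here. If the password/source bookkeeping is no longer needed, remove the two assignments and the `$levels` line together; if pmwiki still consults `=passwd`/`=pwsource`, the loop that fills them has to stay. With the `authPerms` fallback gone, the `if` admits only callers with `S::identified() && S::has_perms()`, and a short comment saying that every other reader falls through to the code after the hunk would make the narrowed contract explicit.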
@@ -0,0 +1,56 @@ +{**************************************************************************} +{* *} +{* Copyright (C) 2003-2006 Polytechnique.org *} +{* http://opensource.polytechnique.org/ *} +{* *} +{* This program is free software; you can redistribute it and/or modify *} +{* it under the terms of the GNU General Public License as published by *} +{* the Free Software Foundation; either version 2 of the License, or *} +{* (at your option) any later version. *} +{* *} +{* This program is distributed in the hope that it will be useful, *} +{* but WITHOUT ANY WARRANTY; without even the implied warranty of *} +{* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the *} +{* GNU General Public License for more details. *} +{* *} +{* You should have received a copy of the GNU General Public License *} +{* along with this program; if not, write to the Free Software *} +{* Foundation, Inc., *} +{* 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA *} +{* *} +{**************************************************************************} + + + + + {if true} + + {/if} + {if $has_perms} + + + {/if} + +
+ Voir la page + + + Éditer + + + Historique + + Upload +
+ +{$pmwiki|smarty:nodefaults} -- 2.1.4
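Review bot: `{if true}` … `{/if}` around the `Voir la page` cell is a no-op wrapper; either remove it or replace `true` with the condition it stands in for, so the template says what it means. `$has_perms`, which guards the edit/history/upload cells, is not assigned anywhere in this patch — presumably by `wiki_assign_auth()` in wiki.php, worth confirming — and an unassigned Smarty variable silently evaluates as false, so a missing assignment hides the cells instead of failing loudly. `{$pmwiki|smarty:nodefaults}` deliberately emits the pmwiki output unescaped, which matches the commit message; a comment beside it, `{* pmwiki output is already HTML and is rendered unescaped on purpose *}`, would stop a later edit from adding an escaping modifier or routing other, unescaped input through the same variable.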