authorfriendica <info@friendica.com>2013-09-03 16:31:59 -0700
committerfriendica <info@friendica.com>2013-09-03 16:31:59 -0700
commit7b84b8480fe825927ca646c427da5eb78c8b8dba (patch)
treebc04df1d833f10e6d6df36a5b06eb48713db08d8
parent0be8e4061c42372a60e0274e7947edcb81625eaa (diff)
downloadvolse-hubzilla-7b84b8480fe825927ca646c427da5eb78c8b8dba.tar.gz
volse-hubzilla-7b84b8480fe825927ca646c427da5eb78c8b8dba.tar.bz2
volse-hubzilla-7b84b8480fe825927ca646c427da5eb78c8b8dba.zip
security fix and ability to change layout on webpage edit form
-rwxr-xr-xboot.php16
-rw-r--r--mod/editwebpage.php84
-rw-r--r--mod/item.php3
3 files changed, 60 insertions, 43 deletions
diff --git a/boot.php b/boot.php
index 8ab617a97..de54ea986 100755
--- a/boot.php
+++ b/boot.php
@@ -2439,9 +2439,9 @@ function construct_page(&$a) {
}
}
- // Let's say we have a comanche declaration '[region_nav][/region_nav][region_content]$region_nav $region_section[/region_content]'.
- // The text 'region_' identifies a section of the layout by that name (without the 'region_' text).
- // So what we want to do here is leave $a->page['nav'] empty and put the default content from $a->page['nav'] and $a->page['section']
+ // Let's say we have a comanche declaration '[region=nav][/region][region=content]$nav $content[/region]'.
+ // The text 'region=' identifies a section of the layout by that name. So what we want to do here is leave
+ // $a->page['nav'] empty and put the default content from $a->page['nav'] and $a->page['section']
// into a new region called $a->data['content']. It is presumed that the chosen layout file for this comanche page
// has a '<content>' element instead of a '<section>'.
@@ -2454,6 +2454,16 @@ function construct_page(&$a) {
if(strpos($v,'$region_') !== false) {
$v = preg_replace_callback('/\$region_([a-zA-Z0-9]+)/ism','comanche_replace_region',$v);
}
+
+ // And a couple of convenience macros
+
+ if(strpos($v,'$nav') !== false) {
+ $v = str_replace('$nav',$a->page['nav'],$v);
+ }
+ if(strpos($v,'$content') !== false) {
+ $v = str_replace('$content',$a->page['section'],$v);
+ }
+
$a->page[substr($k,7)] = $v;
}
}
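Review bot: The `$nav` and `$content` convenience macros are substituted with a bare `str_replace`, so they also rewrite any longer token that begins with the same text (`$navbar`, `$contents`), unlike the `$region_` macro just above, which is matched with a delimited regex. The `strpos` guards add nothing, since `str_replace` is already a no-op when the needle is absent. Because `$nav` is expanded before `$content`, a literal `$content` string inside the nav markup would be expanded again on the next line; whether nav markup can ever carry that text is not visible here. Consider matching with a word boundary via `preg_replace_callback('/\$nav\b/', ...)` returning `$a->page['nav']`, so the replacement text is not re-interpreted for backreferences. The enclosing loop and `construct_page` continue outside the hunk.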
diff --git a/mod/editwebpage.php b/mod/editwebpage.php
index cd901e7e3..d49a006c9 100644
--- a/mod/editwebpage.php
+++ b/mod/editwebpage.php
@@ -1,35 +1,29 @@
<?php
-// What is this here for? I think it's cruft, but comment out for now in case it's here for a reason
-// require_once('acl_selectors.php');
+// Required for setting permissions. (FIXME)
+
+require_once('acl_selectors.php');
function editwebpage_content(&$a) {
-// We first need to figure out who owns the webpage, grab it from an argument
- $which = argv(1);
+ // We first need to figure out who owns the webpage, grab it from an argument
+
+ $which = argv(1);
-// $a->get_channel() and stuff don't work here, so we've got to find the owner for ourselves.
+ // $a->get_channel() and stuff don't work here, so we've got to find the owner for ourselves.
+
$r = q("select channel_id from channel where channel_address = '%s'",
dbesc($which)
- );
- if($r) {
- $owner = intval($r[0]['channel_id']);
- //logger('owner: ' . print_r($owner,true));
- }
-
-
-
-
- if((local_user()) && (argc() > 2) && (argv(2) === 'view')) {
- $which = $channel['channel_address'];
- }
-
-
+ );
+ if($r) {
+ $owner = intval($r[0]['channel_id']);
+ //logger('owner: ' . print_r($owner,true));
+ }
+
$o = '';
-
-// Figure out which post we're editing
+ // Figure out which post we're editing
$post_id = ((argc() > 2) ? intval(argv(2)) : 0);
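Review bot: `$owner` is only assigned when the channel lookup at `select channel_id from channel where channel_address = '%s'` returns a row, and there is no early return otherwise, so an unknown `argv(1)` leaves `$owner` undefined and falls through to the permission check further down with a null owner. Add `if(! $r) { notice( t('Permission denied.') . EOL); return; }` directly after the query so the function stops before any further lookup. `editwebpage_content` continues past the end of this hunk.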
@@ -38,37 +32,41 @@ function editwebpage_content(&$a) {
return;
}
-// Now we've got a post and an owner, let's find out if we're allowed to edit it
+ // Now we've got a post and an owner, let's find out if we're allowed to edit it
- $observer = $a->get_observer();
- $ob_hash = (($observer) ? $observer['xchan_hash'] : '');
+ $observer = $a->get_observer();
+ $ob_hash = (($observer) ? $observer['xchan_hash'] : '');
- $perms = get_all_perms($owner,$ob_hash);
-
- if(! $perms['write_pages']) {
- notice( t('Permission denied.') . EOL);
- return;
- }
+ $perms = get_all_perms($owner,$ob_hash);
+ if(! $perms['write_pages']) {
+ notice( t('Permission denied.') . EOL);
+ return;
+ }
-// We've already figured out which item we want and whose copy we need, so we don't need anything fancy here
- $itm = q("SELECT * FROM `item` WHERE `id` = %d and uid = %s LIMIT 1",
- intval($post_id),
- intval($owner)
- );
+ // We've already figured out which item we want and whose copy we need, so we don't need anything fancy here
+ $itm = q("SELECT * FROM `item` WHERE `id` = %d and uid = %s LIMIT 1",
+ intval($post_id),
+ intval($owner)
+ );
$plaintext = true;
-// You may or may not be a local user. This won't work,
- if(feature_enabled(local_user(),'richtext'))
- $plaintext = false;
-
+ if(feature_enabled($itm[0]['uid'],'richtext'))
+ $plaintext = false;
$mimetype = $itm[0]['mimetype'];
+ if($mimetype === 'application/x-php') {
+ if((! local_user()) || (local_user() != $itm[0]['uid'])) {
+ notice( t('Permission denied.') . EOL);
+ return;
+ }
+ }
+
$mimeselect = '';
if($mimetype != 'text/bbcode')
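Review bot: The new owner-only guard on `application/x-php` pages is applied when rendering the edit form, but nothing in this diff shows the same check where the edit is actually saved, so a remote observer holding `write_pages` could presumably still submit the form fields directly and have a PHP page updated; confirm that `item_post` in mod/item.php enforces the same `local_user() == uid` rule on the stored mimetype before applying the UPDATE. Separately, `$itm[0]['uid']` and `$itm[0]['mimetype']` are dereferenced without checking that the item query returned a row, so a `post_id` that does not belong to this owner produces undefined-index notices instead of a clean refusal; add `if(! $itm) { notice( t('Permission denied.') . EOL); return; }` directly after the query. The function continues outside this hunk.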
@@ -76,6 +74,13 @@ function editwebpage_content(&$a) {
$mimeselect = '<input type="hidden" name="mimetype" value="' . $mimetype . '" />';
+ $layout = get_config('system','page_layout');
+ if($layout)
+ $layoutselect = '<input type="hidden" name="layout_mid" value="' . $layout . '" />';
+ else
+ $layoutselect = layout_select($x['profile_uid']);
+
+
$o .= replace_macros(get_markup_template('edpost_head.tpl'), array(
'$title' => t('Edit post')
));
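Review bot: `layout_select($x['profile_uid'])` reads `$x`, which is not assigned anywhere in the visible parts of `editwebpage_content` — the owner is held in `$owner` and `$itm[0]['uid']` — so unless it is set earlier in the function this passes null and builds a selector for no channel. Use the same value the rest of the function uses: `$layoutselect = layout_select($itm[0]['uid']);`. The item's current `layout_mid` is also not handed to the selector, so the form presumably will not preselect the layout already attached to the page; check `layout_select`'s signature for a way to supply it. The `get_config('system','page_layout')` value is written into a hidden input without `htmlspecialchars`; it is admin-controlled, but escaping it keeps the markup well-formed.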
@@ -130,6 +135,7 @@ function editwebpage_content(&$a) {
'$public' => t('Public post'),
'$jotnets' => $jotnets,
'$mimeselect' => $mimeselect,
+ '$layoutselect' => $layoutselect,
'$title' => htmlspecialchars($itm[0]['title']),
'$placeholdertitle' => t('Set title'),
'$category' => '',
diff --git a/mod/item.php b/mod/item.php
index 56fdda887..da703e916 100644
--- a/mod/item.php
+++ b/mod/item.php
@@ -624,11 +624,12 @@ function item_post(&$a) {
if($orig_post) {
- $r = q("UPDATE `item` SET `title` = '%s', `body` = '%s', `attach` = '%s', `edited` = '%s' WHERE `id` = %d AND `uid` = %d LIMIT 1",
+ $r = q("UPDATE `item` SET `title` = '%s', `body` = '%s', `attach` = '%s', `edited` = '%s', layout_mid = '%s' WHERE `id` = %d AND `uid` = %d LIMIT 1",
dbesc($datarray['title']),
dbesc($datarray['body']),
dbesc($datarray['attach']),
dbesc(datetime_convert()),
+ dbesc($layout_mid),
intval($post_id),
intval($profile_uid)
);
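Review bot: The UPDATE now writes `layout_mid = '%s'` unconditionally, but `$layout_mid` is assigned outside this hunk and `item_post` serves other edit forms too; an edit submitted without a layout field would overwrite an existing `layout_mid` with an empty string, and a value taken straight from the request would let an editor attach a layout mid that is not theirs — neither is visible here, so confirm both. Consider appending the `, layout_mid = '%s'` fragment and its `dbesc($layout_mid)` argument only when a layout was actually submitted, and validating that the mid belongs to the same `$profile_uid` before storing it. The enclosing `if($orig_post)` block and `item_post` continue outside the hunk.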