diff options
author | friendica <info@friendica.com> | 2013-09-03 16:31:59 -0700 |
---|---|---|
committer | friendica <info@friendica.com> | 2013-09-03 16:31:59 -0700 |
commit | 7b84b8480fe825927ca646c427da5eb78c8b8dba (patch) | |
tree | bc04df1d833f10e6d6df36a5b06eb48713db08d8 | |
parent | 0be8e4061c42372a60e0274e7947edcb81625eaa (diff) | |
download | volse-hubzilla-7b84b8480fe825927ca646c427da5eb78c8b8dba.tar.gz volse-hubzilla-7b84b8480fe825927ca646c427da5eb78c8b8dba.tar.bz2 volse-hubzilla-7b84b8480fe825927ca646c427da5eb78c8b8dba.zip |
security fix and ability to change layout on webpage edit form
-rwxr-xr-x | boot.php | 16 | ||||
-rw-r--r-- | mod/editwebpage.php | 84 | ||||
-rw-r--r-- | mod/item.php | 3 |
3 files changed, 60 insertions, 43 deletions
@@ -2439,9 +2439,9 @@ function construct_page(&$a) { } } - // Let's say we have a comanche declaration '[region_nav][/region_nav][region_content]$region_nav $region_section[/region_content]'. - // The text 'region_' identifies a section of the layout by that name (without the 'region_' text). - // So what we want to do here is leave $a->page['nav'] empty and put the default content from $a->page['nav'] and $a->page['section'] + // Let's say we have a comanche declaration '[region=nav][/region][region=content]$nav $content[/region]'. + // The text 'region=' identifies a section of the layout by that name. So what we want to do here is leave + // $a->page['nav'] empty and put the default content from $a->page['nav'] and $a->page['section'] // into a new region called $a->data['content']. It is presumed that the chosen layout file for this comanche page // has a '<content>' element instead of a '<section>'. @@ -2454,6 +2454,16 @@ function construct_page(&$a) { if(strpos($v,'$region_') !== false) { $v = preg_replace_callback('/\$region_([a-zA-Z0-9]+)/ism','comanche_replace_region',$v); } + + // And a couple of convenience macros + + if(strpos($v,'$nav') !== false) { + $v = str_replace('$nav',$a->page['nav'],$v); + } + if(strpos($v,'$content') !== false) { + $v = str_replace('$content',$a->page['section'],$v); + } + $a->page[substr($k,7)] = $v; } } diff --git a/mod/editwebpage.php b/mod/editwebpage.php index cd901e7e3..d49a006c9 100644 --- a/mod/editwebpage.php +++ b/mod/editwebpage.php @@ -1,35 +1,29 @@ <?php -// What is this here for? I think it's cruft, but comment out for now in case it's here for a reason -// require_once('acl_selectors.php'); +// Required for setting permissions. (FIXME) + +require_once('acl_selectors.php'); function editwebpage_content(&$a) { -// We first need to figure out who owns the webpage, grab it from an argument - $which = argv(1); + // We first need to figure out who owns the webpage, grab it from an argument + + $which = argv(1); -// $a->get_channel() and stuff don't work here, so we've got to find the owner for ourselves. + // $a->get_channel() and stuff don't work here, so we've got to find the owner for ourselves. + $r = q("select channel_id from channel where channel_address = '%s'", dbesc($which) - ); - if($r) { - $owner = intval($r[0]['channel_id']); - //logger('owner: ' . print_r($owner,true)); - } - - - - - if((local_user()) && (argc() > 2) && (argv(2) === 'view')) { - $which = $channel['channel_address']; - } - - + ); + if($r) { + $owner = intval($r[0]['channel_id']); + //logger('owner: ' . print_r($owner,true)); + } + $o = ''; - -// Figure out which post we're editing + // Figure out which post we're editing $post_id = ((argc() > 2) ? intval(argv(2)) : 0); @@ -38,37 +32,41 @@ function editwebpage_content(&$a) { return; } -// Now we've got a post and an owner, let's find out if we're allowed to edit it + // Now we've got a post and an owner, let's find out if we're allowed to edit it - $observer = $a->get_observer(); - $ob_hash = (($observer) ? $observer['xchan_hash'] : ''); + $observer = $a->get_observer(); + $ob_hash = (($observer) ? $observer['xchan_hash'] : ''); - $perms = get_all_perms($owner,$ob_hash); - - if(! $perms['write_pages']) { - notice( t('Permission denied.') . EOL); - return; - } + $perms = get_all_perms($owner,$ob_hash); + if(! $perms['write_pages']) { + notice( t('Permission denied.') . EOL); + return; + } -// We've already figured out which item we want and whose copy we need, so we don't need anything fancy here - $itm = q("SELECT * FROM `item` WHERE `id` = %d and uid = %s LIMIT 1", - intval($post_id), - intval($owner) - ); + // We've already figured out which item we want and whose copy we need, so we don't need anything fancy here + $itm = q("SELECT * FROM `item` WHERE `id` = %d and uid = %s LIMIT 1", + intval($post_id), + intval($owner) + ); $plaintext = true; -// You may or may not be a local user. This won't work, - if(feature_enabled(local_user(),'richtext')) - $plaintext = false; - + if(feature_enabled($itm[0]['uid'],'richtext')) + $plaintext = false; $mimetype = $itm[0]['mimetype']; + if($mimetype === 'application/x-php') { + if((! local_user()) || (local_user() != $itm[0]['uid'])) { + notice( t('Permission denied.') . EOL); + return; + } + } + $mimeselect = ''; if($mimetype != 'text/bbcode') @@ -76,6 +74,13 @@ function editwebpage_content(&$a) { $mimeselect = '<input type="hidden" name="mimetype" value="' . $mimetype . '" />'; + $layout = get_config('system','page_layout'); + if($layout) + $layoutselect = '<input type="hidden" name="layout_mid" value="' . $layout . '" />'; + else + $layoutselect = layout_select($x['profile_uid']); + + $o .= replace_macros(get_markup_template('edpost_head.tpl'), array( '$title' => t('Edit post') )); @@ -130,6 +135,7 @@ function editwebpage_content(&$a) { '$public' => t('Public post'), '$jotnets' => $jotnets, '$mimeselect' => $mimeselect, + '$layoutselect' => $layoutselect, '$title' => htmlspecialchars($itm[0]['title']), '$placeholdertitle' => t('Set title'), '$category' => '', diff --git a/mod/item.php b/mod/item.php index 56fdda887..da703e916 100644 --- a/mod/item.php +++ b/mod/item.php @@ -624,11 +624,12 @@ function item_post(&$a) { if($orig_post) { - $r = q("UPDATE `item` SET `title` = '%s', `body` = '%s', `attach` = '%s', `edited` = '%s' WHERE `id` = %d AND `uid` = %d LIMIT 1", + $r = q("UPDATE `item` SET `title` = '%s', `body` = '%s', `attach` = '%s', `edited` = '%s', layout_mid = '%s' WHERE `id` = %d AND `uid` = %d LIMIT 1", dbesc($datarray['title']), dbesc($datarray['body']), dbesc($datarray['attach']), dbesc(datetime_convert()), + dbesc($layout_mid), intval($post_id), intval($profile_uid) ); |