authorAndrew Manning <tamanning@zoho.com>2016-06-08 06:26:27 -0400
committerAndrew Manning <tamanning@zoho.com>2016-06-08 06:26:27 -0400
commit9410b63bbc819955964706c876bc2f7ecea10adf (patch)
tree81f1105f704d435597c0218ddd22e234d92c2e5b
parentd43a81438585f4fa188a13b96480dd3b38f13f89 (diff)
Revised permissions checks across API and enabled collaborative editing using the write_pages per-channel permission.
-rw-r--r--Zotlabs/Module/Wiki.php139
-rw-r--r--include/wiki.php13
2 files changed, 71 insertions, 81 deletions
diff --git a/Zotlabs/Module/Wiki.php b/Zotlabs/Module/Wiki.php
index 0945ad919..fbf751ddf 100644
--- a/Zotlabs/Module/Wiki.php
+++ b/Zotlabs/Module/Wiki.php
@@ -105,6 +105,13 @@ class Wiki extends \Zotlabs\Web\Controller {
notice('Permission denied.' . EOL);
goaway('/'.argv(0).'/'.argv(1));
}
+ if($perms['write']) {
+ $wiki_editor = true;
+ } else {
+ $wiki_editor = false;
+ }
+ } else {
+ $wiki_editor = true;
}
$wikiheader = urldecode($wikiUrlName) . ': ' . urldecode($pageUrlName); // show wiki name and page
$p = wiki_get_page_content(array('resource_id' => $resource_id, 'pageUrlName' => $pageUrlName));
@@ -114,9 +121,9 @@ class Wiki extends \Zotlabs\Web\Controller {
}
$content = ($p['content'] !== '' ? $p['content'] : '"# New page\n"');
$hide_editor = false;
- $showPageControls = $wiki_owner;
+ $showPageControls = $wiki_editor;
$showNewWikiButton = $wiki_owner;
- $showNewPageButton = $wiki_owner;
+ $showNewPageButton = $wiki_editor;
$hidePageHistory = false;
$showCommitMsg = true;
$pageHistory = wiki_page_history(array('resource_id' => $resource_id, 'pageUrlName' => $pageUrlName));
@@ -168,11 +175,15 @@ class Wiki extends \Zotlabs\Web\Controller {
// /wiki/channel/create/wiki
if ((argc() > 3) && (argv(2) === 'create') && (argv(3) === 'wiki')) {
$nick = argv(1);
+ $channel = get_channel_by_nick($nick);
// Determine if observer has permission to create wiki
$observer_hash = get_observer_hash();
- if (local_channel()) {
- $channel = \App::get_channel();
- } else {
+ // Only the channel owner can create a wiki, at least until we create a
+ // more detail permissions framework
+ if (local_channel() !== intval($channel['channel_id'])) {
+ goaway('/'.argv(0).'/'.$nick.'/');
+ } else {
+ /*
$channel = get_channel_by_nick($nick);
// Figure out who the page owner is.
$perms = get_all_perms(intval($channel['channel_id']), $observer_hash);
@@ -180,8 +191,9 @@ class Wiki extends \Zotlabs\Web\Controller {
// then, use webpage permissions
if (!$perms['write_pages']) {
notice(t('Permission denied.') . EOL);
- goaway('/'.argv(0).'/'.argv(1).'/'.argv(2));
+ goaway('/'.argv(0).'/'.argv(1).'/');
}
+ */
}
$wiki = array();
// Generate new wiki info from input name
@@ -212,10 +224,14 @@ class Wiki extends \Zotlabs\Web\Controller {
// Delete a wiki
if ((argc() > 3) && (argv(2) === 'delete') && (argv(3) === 'wiki')) {
$nick = argv(1);
- // Determine if observer has permission to create wiki
- if (local_channel()) {
- $channel = \App::get_channel();
- } else {
+ $channel = get_channel_by_nick($nick);
+ // Only the channel owner can delete a wiki, at least until we create a
+ // more detail permissions framework
+ if (local_channel() !== intval($channel['channel_id'])) {
+ logger('Wiki delete permission denied.' . EOL);
+ json_return_and_die(array('message' => 'Wiki delete permission denied.', 'success' => false));
+ } else {
+ /*
$channel = get_channel_by_nick($nick);
$observer_hash = get_observer_hash();
// Figure out who the page owner is.
@@ -226,14 +242,15 @@ class Wiki extends \Zotlabs\Web\Controller {
logger('Wiki delete permission denied.' . EOL);
json_return_and_die(array('success' => false));
}
+ */
}
$resource_id = $_POST['resource_id'];
$deleted = wiki_delete_wiki($resource_id);
if ($deleted['success']) {
- json_return_and_die(array('success' => true));
+ json_return_and_die(array('message' => '', 'success' => true));
} else {
logger('Error deleting wiki: ' . $resource_id);
- json_return_and_die(array('success' => false));
+ json_return_and_die(array('message' => 'Error deleting wiki', 'success' => false));
}
}
@@ -241,23 +258,13 @@ class Wiki extends \Zotlabs\Web\Controller {
if ((argc() === 4) && (argv(2) === 'create') && (argv(3) === 'page')) {
$nick = argv(1);
$resource_id = $_POST['resource_id'];
- // Determine if observer has permission to create wiki
- if (local_channel()) {
- $channel = \App::get_channel();
- } else {
- $channel = get_channel_by_nick($nick);
+ // Determine if observer has permission to create a page
+ $channel = get_channel_by_nick($nick);
+ if (local_channel() !== intval($channel['channel_id'])) {
$observer_hash = get_observer_hash();
- // Figure out who the page owner is.
- $perms = get_all_perms(intval($channel['channel_id']), $observer_hash);
- // TODO: Create a new permission setting for wiki analogous to webpages. Until
- // then, use webpage permissions
- if (!$perms['write_pages']) {
- logger('Wiki editing permission denied.' . EOL);
- json_return_and_die(array('success' => false));
- }
$perms = wiki_get_permissions($resource_id, intval($channel['channel_id']), $observer_hash);
if(!$perms['write']) {
- logger('Wiki write permission denied. Read only.' . EOL);
+ logger('Wiki write permission denied. ' . EOL);
json_return_and_die(array('success' => false));
}
}
@@ -279,10 +286,12 @@ class Wiki extends \Zotlabs\Web\Controller {
$resource_id = $_POST['resource_id']; // resource_id for wiki in db
$channel = get_channel_by_nick(argv(1));
$observer_hash = get_observer_hash();
- $perms = wiki_get_permissions($resource_id, intval($channel['channel_id']), $observer_hash);
- if(!$perms['read']) {
- logger('Wiki read permission denied.' . EOL);
- json_return_and_die(array('pages' => null, 'message' => 'Permission denied.', 'success' => false));
+ if (local_channel() !== intval($channel['channel_id'])) {
+ $perms = wiki_get_permissions($resource_id, intval($channel['channel_id']), $observer_hash);
+ if(!$perms['read']) {
+ logger('Wiki read permission denied.' . EOL);
+ json_return_and_die(array('pages' => null, 'message' => 'Permission denied.', 'success' => false));
+ }
}
$page_list_html = widget_wiki_pages(array(
'resource_id' => $resource_id,
@@ -293,7 +302,7 @@ class Wiki extends \Zotlabs\Web\Controller {
// Save a page
if ((argc() === 4) && (argv(2) === 'save') && (argv(3) === 'page')) {
- $nick = argv(1);
+
$resource_id = $_POST['resource_id'];
$pageUrlName = $_POST['name'];
$pageHtmlName = escape_tags($_POST['name']);
@@ -302,26 +311,18 @@ class Wiki extends \Zotlabs\Web\Controller {
if ($commitMsg === '') {
$commitMsg = 'Updated ' . $pageHtmlName;
}
+ $nick = argv(1);
+ $channel = get_channel_by_nick($nick);
// Determine if observer has permission to save content
- if (local_channel()) {
- $channel = \App::get_channel();
- } else {
- $channel = get_channel_by_nick($nick);
+ if (local_channel() !== intval($channel['channel_id'])) {
$observer_hash = get_observer_hash();
- // Figure out who the page owner is.
- $perms = get_all_perms(intval($channel['channel_id']), $observer_hash);
- // TODO: Create a new permission setting for wiki analogous to webpages. Until
- // then, use webpage permissions
- if (!$perms['write_pages']) {
- logger('Wiki editing permission denied.' . EOL);
- json_return_and_die(array('success' => false));
- }
$perms = wiki_get_permissions($resource_id, intval($channel['channel_id']), $observer_hash);
if(!$perms['write']) {
- logger('Wiki write permission denied. Read only.' . EOL);
+ logger('Wiki write permission denied. ' . EOL);
json_return_and_die(array('success' => false));
}
}
+
$saved = wiki_save_page(array('resource_id' => $resource_id, 'pageUrlName' => $pageUrlName, 'content' => $content));
if($saved['success']) {
$ob = \App::get_observer();
@@ -344,17 +345,17 @@ class Wiki extends \Zotlabs\Web\Controller {
// Update page history
// /wiki/channel/history/page
if ((argc() === 4) && (argv(2) === 'history') && (argv(3) === 'page')) {
- $nick = argv(1);
+
$resource_id = $_POST['resource_id'];
$pageUrlName = $_POST['name'];
- // Determine if observer has permission to view content
- if (local_channel()) {
- $channel = \App::get_channel();
- } else {
- $channel = get_channel_by_nick($nick);
+
+ $nick = argv(1);
+ $channel = get_channel_by_nick($nick);
+ // Determine if observer has permission to read content
+ if (local_channel() !== intval($channel['channel_id'])) {
$observer_hash = get_observer_hash();
$perms = wiki_get_permissions($resource_id, intval($channel['channel_id']), $observer_hash);
- if (!$perms['read']) {
+ if(!$perms['read']) {
logger('Wiki read permission denied.' . EOL);
json_return_and_die(array('historyHTML' => '', 'message' => 'Permission denied.', 'success' => false));
}
@@ -368,29 +369,19 @@ class Wiki extends \Zotlabs\Web\Controller {
// Delete a page
if ((argc() === 4) && (argv(2) === 'delete') && (argv(3) === 'page')) {
- $nick = argv(1);
$resource_id = $_POST['resource_id'];
$pageUrlName = $_POST['name'];
if ($pageUrlName === 'Home') {
json_return_and_die(array('message' => 'Cannot delete Home','success' => false));
}
// Determine if observer has permission to delete pages
- if (local_channel()) {
- $channel = \App::get_channel();
- } else {
- $channel = get_channel_by_nick($nick);
+ $nick = argv(1);
+ $channel = get_channel_by_nick($nick);
+ if (local_channel() !== intval($channel['channel_id'])) {
$observer_hash = get_observer_hash();
- // Figure out who the page owner is.
- $perms = get_all_perms(intval($channel['channel_id']), $observer_hash);
- // TODO: Create a new permission setting for wiki analogous to webpages. Until
- // then, use webpage permissions
- if (!$perms['write_pages']) {
- logger('Wiki editing permission denied.' . EOL);
- json_return_and_die(array('success' => false));
- }
$perms = wiki_get_permissions($resource_id, intval($channel['channel_id']), $observer_hash);
if(!$perms['write']) {
- logger('Wiki write permission denied. Read only.' . EOL);
+ logger('Wiki write permission denied. ' . EOL);
json_return_and_die(array('success' => false));
}
}
@@ -415,27 +406,17 @@ class Wiki extends \Zotlabs\Web\Controller {
// Revert a page
if ((argc() === 4) && (argv(2) === 'revert') && (argv(3) === 'page')) {
- $nick = argv(1);
$resource_id = $_POST['resource_id'];
$pageUrlName = $_POST['name'];
$commitHash = $_POST['commitHash'];
// Determine if observer has permission to revert pages
- if (local_channel()) {
- $channel = \App::get_channel();
- } else {
- $channel = get_channel_by_nick($nick);
+ $nick = argv(1);
+ $channel = get_channel_by_nick($nick);
+ if (local_channel() !== intval($channel['channel_id'])) {
$observer_hash = get_observer_hash();
- // Figure out who the page owner is.
- $perms = get_all_perms(intval($channel['channel_id']), $observer_hash);
- // TODO: Create a new permission setting for wiki analogous to webpages. Until
- // then, use webpage permissions
- if (!$perms['write_pages']) {
- logger('Wiki editing permission denied.' . EOL);
- json_return_and_die(array('success' => false));
- }
$perms = wiki_get_permissions($resource_id, intval($channel['channel_id']), $observer_hash);
if(!$perms['write']) {
- logger('Wiki write permission denied. Read only.' . EOL);
+ logger('Wiki write permission denied.' . EOL);
json_return_and_die(array('success' => false));
}
}
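Review bot: The owner/permission checks added in the delete-wiki, create-page, save-page, delete-page and revert-page hunks resolve `$channel` from the URL nick but operate on `$_POST['resource_id']`, and nothing in these hunks confirms that the wiki named by that resource_id belongs to `$channel`; unless `wiki_get_permissions` and `wiki_delete_wiki` enforce that themselves (their bodies are not shown here), the request is authorised against one channel while the operation runs against whichever wiki the request names. Each of these handlers should reject the request when the resource's owner is not `$channel['channel_id']`, and the result of `get_channel_by_nick($nick)` should be checked for false before `intval($channel['channel_id'])` is compared, since an unresolved nick otherwise yields owner id 0 and the permission lookup proceeds with it. The superseded permission code left inside `/* ... */` in the create-wiki and delete-wiki hunks should be deleted rather than commented out. In the first hunk the four-line if/else collapses to `$wiki_editor = (bool) $perms['write'];`. The enclosing controller method starts and ends outside these hunks.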
diff --git a/include/wiki.php b/include/wiki.php
index 23a22007f..f0785d549 100644
--- a/include/wiki.php
+++ b/include/wiki.php
@@ -196,10 +196,19 @@ function wiki_get_permissions($resource_id, $owner_id, $observer_hash) {
dbesc(WIKI_ITEM_RESOURCE_TYPE),
dbesc($resource_id)
);
- if(!$r) {
+
+ if (!$r) {
return array('read' => false, 'write' => false, 'success' => true);
} else {
- return array('read' => true, 'write' => false, 'success' => true);
+ $perms = get_all_perms($owner_id, $observer_hash);
+ // TODO: Create a new permission setting for wiki analogous to webpages. Until
+ // then, use webpage permissions
+ if (!$perms['write_pages']) {
+ $write = false;
+ } else {
+ $write = true;
+ }
+ return array('read' => true, 'write' => $write, 'success' => true);
}
}
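Review bot: `wiki_get_permissions` now derives `write` from the channel-wide `write_pages` permission but never ties the looked-up resource to `$owner_id`: the visible part of the query selects only on resource type and `$resource_id`, so if the portion above the hunk does not also constrain on the owner's uid, a resource_id belonging to another channel's wiki yields `write => true` whenever the observer may write pages on `$owner_id`'s channel. The query (its head is outside the hunk) should filter on the owner's uid, or the function should compare the fetched item's owner with `$owner_id` before consulting `get_all_perms`. `read` is returned as `true` for any existing resource regardless of the observer, which the function's docblock should state explicitly so callers do not treat it as an access decision. The four-line if/else can be `$write = !empty($perms['write_pages']);`, which also tolerates a missing key in the `get_all_perms` result.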