diff options
author | Andrew Manning <tamanning@zoho.com> | 2016-05-29 20:16:17 -0400 |
---|---|---|
committer | Andrew Manning <tamanning@zoho.com> | 2016-05-29 20:16:17 -0400 |
commit | fad27fc1e791dbe77321d4b45eb6293f8ff97310 (patch) | |
tree | a1b27297a47e64107df40f9a993bf29937033d47 /Zotlabs/Module/Wiki.php | |
parent | 3e6af5c87692b5dbefd59d7b2350670d4e1cb3a4 (diff) | |
download | volse-hubzilla-fad27fc1e791dbe77321d4b45eb6293f8ff97310.tar.gz volse-hubzilla-fad27fc1e791dbe77321d4b45eb6293f8ff97310.tar.bz2 volse-hubzilla-fad27fc1e791dbe77321d4b45eb6293f8ff97310.zip |
Hide page controls when not owner. Fixed some serious access control issues.
Diffstat (limited to 'Zotlabs/Module/Wiki.php')
-rw-r--r-- | Zotlabs/Module/Wiki.php | 49 |
1 files changed, 27 insertions, 22 deletions
diff --git a/Zotlabs/Module/Wiki.php b/Zotlabs/Module/Wiki.php index efd4120ca..b369221c8 100644 --- a/Zotlabs/Module/Wiki.php +++ b/Zotlabs/Module/Wiki.php @@ -28,14 +28,11 @@ class Wiki extends \Zotlabs\Web\Controller { function get() { require_once('include/wiki.php'); require_once('include/acl_selectors.php'); + $wiki_owner = false; if(local_channel()) { $channel = \App::get_channel(); } - // TODO: check observer permissions - //$ob = \App::get_observer(); - //$observer = get_observer_hash(); - // Obtain the default permission settings of the channel $channel_acl = array( 'allow_cid' => $channel['channel_allow_cid'], @@ -58,13 +55,26 @@ class Wiki extends \Zotlabs\Web\Controller { // GET /wiki/channel/wiki // Check if wiki exists andr redirect if it does not $channel = get_channel_by_nick(argv(1)); + if(local_channel() === intval($channel['channel_id'])) { + $wiki_owner = true; + } $w = wiki_exists_by_name($channel['channel_id'], argv(2)); - if(!$w['id']) { + if(!$w['resource_id']) { + notice('Wiki not found' . EOL); goaway('/'.argv(0).'/'.argv(1)); - } else { + } else { $resource_id = $w['resource_id']; } - } + if (!$wiki_owner) { + // Check for observer permissionswhich); + $observer_hash = get_observer_hash(); + $perms = wiki_get_permissions($resource_id, intval($channel['channel_id']), $observer_hash); + if(!$perms['read']) { + notice('Permission denied.' . EOL); + goaway('/'.argv(0).'/'.argv(1)); + } + } + } if(argc()<3) { // GET /wiki/channel @@ -79,22 +89,23 @@ class Wiki extends \Zotlabs\Web\Controller { $wikiheader = rawurldecode(argv(2)); // show wiki name $content = '""'; $hide_editor = true; - $showPageControls = true; + // Until separate read and write permissions are implemented, only allow + // the wiki owner to see page controls + $showPageControls = $wiki_owner; } elseif (argc()<5) { // GET /wiki/channel/wiki/page $pagename = argv(3); $wikiheader = rawurldecode(argv(2)) . ': ' . rawurldecode($pagename); // show wiki name and page $p = wiki_get_page_content(array('wiki_resource_id' => $resource_id, 'page' => $pagename)); if(!$p['success']) { - logger('Error getting page content'); + logger('wiki_get_page_content: ' . $p['message']); $content = 'Error retrieving page content. Try again.'; } - $content = $p['content']; + logger('content: ' . $content); + $content = ($p['content'] !== '' ? $p['content'] : '"# New page\n"'); $hide_editor = false; - $showPageControls = true; + $showPageControls = $wiki_owner; } - //$parsedown = new Parsedown(); - //$renderedContent = $parsedown->text(json_decode($content)); require_once('library/markdown.php'); $renderedContent = Markdown(json_decode($content)); @@ -120,23 +131,17 @@ class Wiki extends \Zotlabs\Web\Controller { function post() { require_once('include/wiki.php'); - // Render mardown-formatted text in HTML + // /wiki/channel/preview + // Render mardown-formatted text in HTML for preview if((argc() > 2) && (argv(2) === 'preview')) { $content = $_POST['content']; - //$parsedown = new Parsedown(); - //$html = $parsedown->text($content); require_once('library/markdown.php'); $html = Markdown($content); json_return_and_die(array('html' => $html, 'success' => true)); } - // Check if specified wiki exists and redirect if not - if((argc() > 2)) { - $wikiname = argv(2); - // TODO: Check if specified wiki exists and redirect if not - } - // Create a new wiki + // /wiki/channel/create/wiki if ((argc() > 3) && (argv(2) === 'create') && (argv(3) === 'wiki')) { $which = argv(1); // Determine if observer has permission to create wiki |