aboutsummaryrefslogtreecommitdiffstats
path: root/Zotlabs/Module
diff options
context:
space:
mode:
authorAndrew Manning <tamanning@zoho.com>2016-05-29 20:16:17 -0400
committerAndrew Manning <tamanning@zoho.com>2016-05-29 20:16:17 -0400
commitfad27fc1e791dbe77321d4b45eb6293f8ff97310 (patch)
treea1b27297a47e64107df40f9a993bf29937033d47 /Zotlabs/Module
parent3e6af5c87692b5dbefd59d7b2350670d4e1cb3a4 (diff)
downloadvolse-hubzilla-fad27fc1e791dbe77321d4b45eb6293f8ff97310.tar.gz
volse-hubzilla-fad27fc1e791dbe77321d4b45eb6293f8ff97310.tar.bz2
volse-hubzilla-fad27fc1e791dbe77321d4b45eb6293f8ff97310.zip
Hide page controls when not owner. Fixed some serious access control issues.
Diffstat (limited to 'Zotlabs/Module')
-rw-r--r--Zotlabs/Module/Wiki.php49
1 files changed, 27 insertions, 22 deletions
diff --git a/Zotlabs/Module/Wiki.php b/Zotlabs/Module/Wiki.php
index efd4120ca..b369221c8 100644
--- a/Zotlabs/Module/Wiki.php
+++ b/Zotlabs/Module/Wiki.php
@@ -28,14 +28,11 @@ class Wiki extends \Zotlabs\Web\Controller {
function get() {
require_once('include/wiki.php');
require_once('include/acl_selectors.php');
+ $wiki_owner = false;
if(local_channel()) {
$channel = \App::get_channel();
}
- // TODO: check observer permissions
- //$ob = \App::get_observer();
- //$observer = get_observer_hash();
-
// Obtain the default permission settings of the channel
$channel_acl = array(
'allow_cid' => $channel['channel_allow_cid'],
@@ -58,13 +55,26 @@ class Wiki extends \Zotlabs\Web\Controller {
// GET /wiki/channel/wiki
// Check if wiki exists andr redirect if it does not
$channel = get_channel_by_nick(argv(1));
+ if(local_channel() === intval($channel['channel_id'])) {
+ $wiki_owner = true;
+ }
$w = wiki_exists_by_name($channel['channel_id'], argv(2));
- if(!$w['id']) {
+ if(!$w['resource_id']) {
+ notice('Wiki not found' . EOL);
goaway('/'.argv(0).'/'.argv(1));
- } else {
+ } else {
$resource_id = $w['resource_id'];
}
- }
+ if (!$wiki_owner) {
+ // Check for observer permissionswhich);
+ $observer_hash = get_observer_hash();
+ $perms = wiki_get_permissions($resource_id, intval($channel['channel_id']), $observer_hash);
+ if(!$perms['read']) {
+ notice('Permission denied.' . EOL);
+ goaway('/'.argv(0).'/'.argv(1));
+ }
+ }
+ }
if(argc()<3) {
// GET /wiki/channel
@@ -79,22 +89,23 @@ class Wiki extends \Zotlabs\Web\Controller {
$wikiheader = rawurldecode(argv(2)); // show wiki name
$content = '""';
$hide_editor = true;
- $showPageControls = true;
+ // Until separate read and write permissions are implemented, only allow
+ // the wiki owner to see page controls
+ $showPageControls = $wiki_owner;
} elseif (argc()<5) {
// GET /wiki/channel/wiki/page
$pagename = argv(3);
$wikiheader = rawurldecode(argv(2)) . ': ' . rawurldecode($pagename); // show wiki name and page
$p = wiki_get_page_content(array('wiki_resource_id' => $resource_id, 'page' => $pagename));
if(!$p['success']) {
- logger('Error getting page content');
+ logger('wiki_get_page_content: ' . $p['message']);
$content = 'Error retrieving page content. Try again.';
}
- $content = $p['content'];
+ logger('content: ' . $content);
+ $content = ($p['content'] !== '' ? $p['content'] : '"# New page\n"');
$hide_editor = false;
- $showPageControls = true;
+ $showPageControls = $wiki_owner;
}
- //$parsedown = new Parsedown();
- //$renderedContent = $parsedown->text(json_decode($content));
require_once('library/markdown.php');
$renderedContent = Markdown(json_decode($content));
@@ -120,23 +131,17 @@ class Wiki extends \Zotlabs\Web\Controller {
function post() {
require_once('include/wiki.php');
- // Render mardown-formatted text in HTML
+ // /wiki/channel/preview
+ // Render mardown-formatted text in HTML for preview
if((argc() > 2) && (argv(2) === 'preview')) {
$content = $_POST['content'];
- //$parsedown = new Parsedown();
- //$html = $parsedown->text($content);
require_once('library/markdown.php');
$html = Markdown($content);
json_return_and_die(array('html' => $html, 'success' => true));
}
- // Check if specified wiki exists and redirect if not
- if((argc() > 2)) {
- $wikiname = argv(2);
- // TODO: Check if specified wiki exists and redirect if not
- }
-
// Create a new wiki
+ // /wiki/channel/create/wiki
if ((argc() > 3) && (argv(2) === 'create') && (argv(3) === 'wiki')) {
$which = argv(1);
// Determine if observer has permission to create wiki