From 9410b63bbc819955964706c876bc2f7ecea10adf Mon Sep 17 00:00:00 2001
From: Andrew Manning
Date: Wed, 8 Jun 2016 06:26:27 -0400
Subject: Revised permissions checks across API and enabled collaborative editing using the write_pages per-channel permission.
---
 Zotlabs/Module/Wiki.php | 139 +++++++++++++++++++++---------------------
 include/wiki.php | 13 ++++-
 2 files changed, 71 insertions(+), 81 deletions(-)
diff --git a/Zotlabs/Module/Wiki.php b/Zotlabs/Module/Wiki.php
index 0945ad919..fbf751ddf 100644
--- a/Zotlabs/Module/Wiki.php
+++ b/Zotlabs/Module/Wiki.php
@@ -105,6 +105,13 @@ class Wiki extends \Zotlabs\Web\Controller {
 notice('Permission denied.' . EOL);
 goaway('/'.argv(0).'/'.argv(1));
 }
+ if($perms['write']) {
+ $wiki_editor = true;
+ } else {
+ $wiki_editor = false;
+ }
+ } else {
+ $wiki_editor = true;
 }
 $wikiheader = urldecode($wikiUrlName) . ': ' . urldecode($pageUrlName); // show wiki name and page
 $p = wiki_get_page_content(array('resource_id' => $resource_id, 'pageUrlName' => $pageUrlName));
@@ -114,9 +121,9 @@ class Wiki extends \Zotlabs\Web\Controller {
 }
 $content = ($p['content'] !== '' ? $p['content'] : '"# New page\n"');
 $hide_editor = false;
- $showPageControls = $wiki_owner;
+ $showPageControls = $wiki_editor;
 $showNewWikiButton = $wiki_owner;
- $showNewPageButton = $wiki_owner;
+ $showNewPageButton = $wiki_editor;
 $hidePageHistory = false;
 $showCommitMsg = true;
 $pageHistory = wiki_page_history(array('resource_id' => $resource_id, 'pageUrlName' => $pageUrlName));
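Review bot: The `$wiki_editor` flag in the first hunk is set through a four-line if/else that reduces to `$wiki_editor = (bool) $perms['write'];`, and the outer `else` grants editing unconditionally, which is only right if the condition that opens above the hunk is the channel-owner test (not visible here). A comment on that branch, `// channel owner: always allowed to edit`, would make the intent checkable. The second hunk then drives `$showPageControls` and `$showNewPageButton` from this flag while `$showNewWikiButton` stays owner-only; a one-line comment stating that split is worth adding, since the handlers later in this patch enforce the same distinction (wiki create/delete is owner-only, page writes follow `write`).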
@@ -168,11 +175,15 @@ class Wiki extends \Zotlabs\Web\Controller {
 // /wiki/channel/create/wiki
 if ((argc() > 3) && (argv(2) === 'create') && (argv(3) === 'wiki')) {
 $nick = argv(1);
+ $channel = get_channel_by_nick($nick);
 // Determine if observer has permission to create wiki
 $observer_hash = get_observer_hash();
- if (local_channel()) {
- $channel = \App::get_channel();
- } else {
+ // Only the channel owner can create a wiki, at least until we create a
+ // more detail permissions framework
+ if (local_channel() !== intval($channel['channel_id'])) {
+ goaway('/'.argv(0).'/'.$nick.'/');
+ } else {
+ /*
 $channel = get_channel_by_nick($nick);
 // Figure out who the page owner is.
 $perms = get_all_perms(intval($channel['channel_id']), $observer_hash);
@@ -180,8 +191,9 @@ class Wiki extends \Zotlabs\Web\Controller {
 // then, use webpage permissions
 if (!$perms['write_pages']) {
 notice(t('Permission denied.') . EOL);
- goaway('/'.argv(0).'/'.argv(1).'/'.argv(2));
+ goaway('/'.argv(0).'/'.argv(1).'/');
 }
+ */
 }
 $wiki = array();
 // Generate new wiki info from input name
@@ -212,10 +224,14 @@ class Wiki extends \Zotlabs\Web\Controller {
 // Delete a wiki
 if ((argc() > 3) && (argv(2) === 'delete') && (argv(3) === 'wiki')) {
 $nick = argv(1);
- // Determine if observer has permission to create wiki
- if (local_channel()) {
- $channel = \App::get_channel();
- } else {
+ $channel = get_channel_by_nick($nick);
+ // Only the channel owner can delete a wiki, at least until we create a
+ // more detail permissions framework
+ if (local_channel() !== intval($channel['channel_id'])) {
+ logger('Wiki delete permission denied.' . EOL);
+ json_return_and_die(array('message' => 'Wiki delete permission denied.', 'success' => false));
+ } else {
+ /*
 $channel = get_channel_by_nick($nick);
 $observer_hash = get_observer_hash();
 // Figure out who the page owner is.
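Review bot: The create-wiki hunk redirects on denial with `goaway('/'.argv(0).'/'.$nick.'/');` but drops the `notice(t('Permission denied.') . EOL);` that the now-disabled branch emitted, so a non-owner is bounced with no message; add the notice before the `goaway`. The superseded permission code in this hunk and in the delete-wiki hunk below is kept inside `/* … */` rather than removed — delete it, the history is in git, and an `else { /* … */ }` branch with an effectively empty body reads as a missing check. If it must stay until the finer-grained permission framework the comment mentions exists, replace the body with a single `// TODO: per-wiki create/delete permission` comment. Both enclosing handlers continue outside the hunk.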
@@ -226,14 +242,15 @@ class Wiki extends \Zotlabs\Web\Controller {
 logger('Wiki delete permission denied.' . EOL);
 json_return_and_die(array('success' => false));
 }
+ */
 }
 $resource_id = $_POST['resource_id'];
 $deleted = wiki_delete_wiki($resource_id);
 if ($deleted['success']) {
- json_return_and_die(array('success' => true));
+ json_return_and_die(array('message' => '', 'success' => true));
 } else {
 logger('Error deleting wiki: ' . $resource_id);
- json_return_and_die(array('success' => false));
+ json_return_and_die(array('message' => 'Error deleting wiki', 'success' => false));
 }
 }
@@ -241,23 +258,13 @@ class Wiki extends \Zotlabs\Web\Controller {
 if ((argc() === 4) && (argv(2) === 'create') && (argv(3) === 'page')) {
 $nick = argv(1);
 $resource_id = $_POST['resource_id'];
- // Determine if observer has permission to create wiki
- if (local_channel()) {
- $channel = \App::get_channel();
- } else {
- $channel = get_channel_by_nick($nick);
+ // Determine if observer has permission to create a page
+ $channel = get_channel_by_nick($nick);
+ if (local_channel() !== intval($channel['channel_id'])) {
 $observer_hash = get_observer_hash();
- // Figure out who the page owner is.
- $perms = get_all_perms(intval($channel['channel_id']), $observer_hash);
- // TODO: Create a new permission setting for wiki analogous to webpages. Until
- // then, use webpage permissions
- if (!$perms['write_pages']) {
- logger('Wiki editing permission denied.' . EOL);
- json_return_and_die(array('success' => false));
- }
 $perms = wiki_get_permissions($resource_id, intval($channel['channel_id']), $observer_hash);
 if(!$perms['write']) {
- logger('Wiki write permission denied. Read only.' . EOL);
+ logger('Wiki write permission denied. ' . EOL);
 json_return_and_die(array('success' => false));
 }
 }
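Review bot: In the create-page hunk the owner short-circuit `if (local_channel() !== intval($channel['channel_id']))` is keyed on the channel named in the URL, while `$resource_id` comes from `$_POST` and nothing in the hunk ties that wiki to `$channel`, so a logged-in owner skips `wiki_get_permissions` for whatever resource_id is posted unless the wiki functions verify ownership themselves (not visible here). The delete-wiki hunk above has the same shape: `wiki_delete_wiki($resource_id)` runs after an owner check on `argv(1)` alone, and the list, save, history, delete-page and revert hunks later in this patch repeat it. Resolve the wiki's owning channel from `$resource_id` and compare that with `local_channel()` before granting the bypass, or send owners through `wiki_get_permissions` as well. Both handlers continue outside the hunk.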
@@ -279,10 +286,12 @@ class Wiki extends \Zotlabs\Web\Controller {
 $resource_id = $_POST['resource_id']; // resource_id for wiki in db
 $channel = get_channel_by_nick(argv(1));
 $observer_hash = get_observer_hash();
- $perms = wiki_get_permissions($resource_id, intval($channel['channel_id']), $observer_hash);
- if(!$perms['read']) {
- logger('Wiki read permission denied.' . EOL);
- json_return_and_die(array('pages' => null, 'message' => 'Permission denied.', 'success' => false));
+ if (local_channel() !== intval($channel['channel_id'])) {
+ $perms = wiki_get_permissions($resource_id, intval($channel['channel_id']), $observer_hash);
+ if(!$perms['read']) {
+ logger('Wiki read permission denied.' . EOL);
+ json_return_and_die(array('pages' => null, 'message' => 'Permission denied.', 'success' => false));
+ }
 }
 $page_list_html = widget_wiki_pages(array(
 'resource_id' => $resource_id,
@@ -293,7 +302,7 @@ class Wiki extends \Zotlabs\Web\Controller {
 // Save a page
 if ((argc() === 4) && (argv(2) === 'save') && (argv(3) === 'page')) {
- $nick = argv(1);
+ $resource_id = $_POST['resource_id'];
 $pageUrlName = $_POST['name'];
 $pageHtmlName = escape_tags($_POST['name']);
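Review bot: The save-page hunk adds `$resource_id = $_POST['resource_id'];` (with `$_POST['name']` read the same way on the next lines) without checking presence, so a request missing the field raises an undefined-index notice and carries an empty id into the permission check; guard it, e.g. `$resource_id = (isset($_POST['resource_id']) ? $_POST['resource_id'] : '');` followed by `if ($resource_id === '') json_return_and_die(array('message' => 'Missing resource_id', 'success' => false));`. The history, delete-page and revert hunks read the same fields in the same way. In the list-pages hunk above, `$observer_hash` is now consumed only inside the non-owner branch and could move in with it. Both handlers continue outside the hunk.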
@@ -302,26 +311,18 @@ class Wiki extends \Zotlabs\Web\Controller {
 if ($commitMsg === '') {
 $commitMsg = 'Updated ' . $pageHtmlName;
 }
+ $nick = argv(1);
+ $channel = get_channel_by_nick($nick);
 // Determine if observer has permission to save content
- if (local_channel()) {
- $channel = \App::get_channel();
- } else {
- $channel = get_channel_by_nick($nick);
+ if (local_channel() !== intval($channel['channel_id'])) {
 $observer_hash = get_observer_hash();
- // Figure out who the page owner is.
- $perms = get_all_perms(intval($channel['channel_id']), $observer_hash);
- // TODO: Create a new permission setting for wiki analogous to webpages. Until
- // then, use webpage permissions
- if (!$perms['write_pages']) {
- logger('Wiki editing permission denied.' . EOL);
- json_return_and_die(array('success' => false));
- }
 $perms = wiki_get_permissions($resource_id, intval($channel['channel_id']), $observer_hash);
 if(!$perms['write']) {
- logger('Wiki write permission denied. Read only.' . EOL);
+ logger('Wiki write permission denied. ' . EOL);
 json_return_and_die(array('success' => false));
 }
 }
+
 $saved = wiki_save_page(array('resource_id' => $resource_id, 'pageUrlName' => $pageUrlName, 'content' => $content));
 if($saved['success']) {
 $ob = \App::get_observer();
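Review bot: The log message in this hunk, `logger('Wiki write permission denied. ' . EOL);`, keeps a trailing space before `EOL`, as do the create-page and delete-page hunks, while the revert hunk writes `'Wiki write permission denied.'`; use the latter in all four. The owner-versus-observer check this hunk introduces (`get_channel_by_nick`, the `local_channel()` comparison, `wiki_get_permissions`, the `write` test) is now repeated nearly verbatim in five handlers; a private helper on the controller that takes `$resource_id` and the required key (`'read'` or `'write'`) and either returns or calls `json_return_and_die` would leave one place to get the check right. The enclosing handler continues outside the hunk.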
@@ -344,17 +345,17 @@ class Wiki extends \Zotlabs\Web\Controller {
 // Update page history
 // /wiki/channel/history/page
 if ((argc() === 4) && (argv(2) === 'history') && (argv(3) === 'page')) {
- $nick = argv(1);
+ $resource_id = $_POST['resource_id'];
 $pageUrlName = $_POST['name'];
- // Determine if observer has permission to view content
- if (local_channel()) {
- $channel = \App::get_channel();
- } else {
- $channel = get_channel_by_nick($nick);
+
+ $nick = argv(1);
+ $channel = get_channel_by_nick($nick);
+ // Determine if observer has permission to read content
+ if (local_channel() !== intval($channel['channel_id'])) {
 $observer_hash = get_observer_hash();
 $perms = wiki_get_permissions($resource_id, intval($channel['channel_id']), $observer_hash);
- if (!$perms['read']) {
+ if(!$perms['read']) {
 logger('Wiki read permission denied.' . EOL);
 json_return_and_die(array('historyHTML' => '', 'message' => 'Permission denied.', 'success' => false));
 }
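Review bot: `if (!$perms['read'])` is rewritten as `if(!$perms['read'])` with no other change, a whitespace edit that makes the line disagree with the `if (` spacing used three lines above it in the same hunk; drop the churn or settle on one spacing for the file. The blank `+` line inserted after `$pageUrlName` separates nothing and can go too. The enclosing handler continues outside the hunk.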
@@ -368,29 +369,19 @@ class Wiki extends \Zotlabs\Web\Controller {
 // Delete a page
 if ((argc() === 4) && (argv(2) === 'delete') && (argv(3) === 'page')) {
- $nick = argv(1);
 $resource_id = $_POST['resource_id'];
 $pageUrlName = $_POST['name'];
 if ($pageUrlName === 'Home') {
 json_return_and_die(array('message' => 'Cannot delete Home','success' => false));
 }
 // Determine if observer has permission to delete pages
- if (local_channel()) {
- $channel = \App::get_channel();
- } else {
- $channel = get_channel_by_nick($nick);
+ $nick = argv(1);
+ $channel = get_channel_by_nick($nick);
+ if (local_channel() !== intval($channel['channel_id'])) {
 $observer_hash = get_observer_hash();
- // Figure out who the page owner is.
- $perms = get_all_perms(intval($channel['channel_id']), $observer_hash);
- // TODO: Create a new permission setting for wiki analogous to webpages. Until
- // then, use webpage permissions
- if (!$perms['write_pages']) {
- logger('Wiki editing permission denied.' . EOL);
- json_return_and_die(array('success' => false));
- }
 $perms = wiki_get_permissions($resource_id, intval($channel['channel_id']), $observer_hash);
 if(!$perms['write']) {
- logger('Wiki write permission denied. Read only.' . EOL);
+ logger('Wiki write permission denied. ' . EOL);
 json_return_and_die(array('success' => false));
 }
 }
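Review bot: The `if ($pageUrlName === 'Home')` rejection still runs before the permission check this hunk reworks, so an observer with no rights on the wiki gets the `'Cannot delete Home'` response instead of the permission-denied one; move the Home check below the `if(!$perms['write'])` block so authorization is decided first. The handler continues outside the hunk.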
@@ -415,27 +406,17 @@ class Wiki extends \Zotlabs\Web\Controller {
 // Revert a page
 if ((argc() === 4) && (argv(2) === 'revert') && (argv(3) === 'page')) {
- $nick = argv(1);
 $resource_id = $_POST['resource_id'];
 $pageUrlName = $_POST['name'];
 $commitHash = $_POST['commitHash'];
 // Determine if observer has permission to revert pages
- if (local_channel()) {
- $channel = \App::get_channel();
- } else {
- $channel = get_channel_by_nick($nick);
+ $nick = argv(1);
+ $channel = get_channel_by_nick($nick);
+ if (local_channel() !== intval($channel['channel_id'])) {
 $observer_hash = get_observer_hash();
- // Figure out who the page owner is.
- $perms = get_all_perms(intval($channel['channel_id']), $observer_hash);
- // TODO: Create a new permission setting for wiki analogous to webpages. Until
- // then, use webpage permissions
- if (!$perms['write_pages']) {
- logger('Wiki editing permission denied.' . EOL);
- json_return_and_die(array('success' => false));
- }
 $perms = wiki_get_permissions($resource_id, intval($channel['channel_id']), $observer_hash);
 if(!$perms['write']) {
- logger('Wiki write permission denied. Read only.' . EOL);
+ logger('Wiki write permission denied.' . EOL);
 json_return_and_die(array('success' => false));
 }
 }
diff --git a/include/wiki.php b/include/wiki.php
index 23a22007f..f0785d549 100644
--- a/include/wiki.php
+++ b/include/wiki.php
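Review bot: `$commitHash = $_POST['commitHash'];` is taken verbatim and, going by its name, is presumably handed to the revert operation later in the handler (outside the hunk); validate its shape before use, for instance `if (!preg_match('/^[0-9a-f]{7,40}$/', $commitHash)) json_return_and_die(array('message' => 'Invalid commit hash', 'success' => false));`. That keeps malformed or oversized values out of the log and the repository layer regardless of how the callee treats them. The handler continues outside the hunk.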
@@ -196,10 +196,19 @@ function wiki_get_permissions($resource_id, $owner_id, $observer_hash) {
 dbesc(WIKI_ITEM_RESOURCE_TYPE),
 dbesc($resource_id)
 );
- if(!$r) {
+
+ if (!$r) {
 return array('read' => false, 'write' => false, 'success' => true);
 } else {
- return array('read' => true, 'write' => false, 'success' => true);
+ $perms = get_all_perms($owner_id, $observer_hash);
+ // TODO: Create a new permission setting for wiki analogous to webpages. Until
+ // then, use webpage permissions
+ if (!$perms['write_pages']) {
+ $write = false;
+ } else {
+ $write = true;
+ }
+ return array('read' => true, 'write' => $write, 'success' => true);
 }
 }
-- cgit v1.2.3
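Review bot: The `if (!$perms['write_pages']) { $write = false; } else { $write = true; }` branch collapses to `$write = (bool) $perms['write_pages'];`. With this change `write` follows the channel-wide `write_pages` permission for every wiki the channel owns, and `read` is `true` whenever the lookup above returns a row; if the function has no docblock yet (its header is outside the hunk), add one stating exactly that, e.g. `/** Read/write flags for $observer_hash on wiki $resource_id owned by $owner_id: read when the wiki row is found, write when the owner's write_pages permission allows the observer. */` with a `@return array{read:bool,write:bool,success:bool}` line. Note that `success` is `true` on both branches, so a caller cannot distinguish "wiki not found" from "found, no access" without checking `read`. Whether the lookup itself filters by `$owner_id` is outside the hunk.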