security fix and ability to change layout on webpage edit form

boot.php

@@ -2439,9 +2439,9 @@ function construct_page(&$a) {
 		}
 	}
 
-	// Let's say we have a comanche declaration '[region_nav][/region_nav][region_content]$region_nav $region_section[/region_content]'.
-	// The text 'region_' identifies a section of the layout by that name (without the 'region_' text). 
-	// So what we want to do here is leave $a->page['nav'] empty and put the default content from $a->page['nav'] and $a->page['section'] 
+	// Let's say we have a comanche declaration '[region=nav][/region][region=content]$nav $content[/region]'.
+	// The text 'region=' identifies a section of the layout by that name. So what we want to do here is leave 
+	// $a->page['nav'] empty and put the default content from $a->page['nav'] and $a->page['section'] 
 	// into a new region called $a->data['content']. It is presumed that the chosen layout file for this comanche page
 	// has a '<content>' element instead of a '<section>'. 
 	
@@ -2454,6 +2454,16 @@ function construct_page(&$a) {
 				if(strpos($v,'$region_') !== false) {
 					$v = preg_replace_callback('/\$region_([a-zA-Z0-9]+)/ism','comanche_replace_region',$v);
 				}
+
+				// And a couple of convenience macros
+
+				if(strpos($v,'$nav') !== false) {
+					$v = str_replace('$nav',$a->page['nav'],$v);
+				}
+				if(strpos($v,'$content') !== false) {
+					$v = str_replace('$content',$a->page['section'],$v);
+				}
+
 				$a->page[substr($k,7)] = $v;
 			}
 		}

mod/editwebpage.php

@@ -1,35 +1,29 @@
  
 <?php
 
-// What is this here for?  I think it's cruft, but comment out for now in case it's here for a reason
-// require_once('acl_selectors.php');
+// Required for setting permissions. (FIXME)
+
+require_once('acl_selectors.php');
 
 function editwebpage_content(&$a) {
 
-// We first need to figure out who owns the webpage, grab it from an argument
-        $which = argv(1);
+	// We first need to figure out who owns the webpage, grab it from an argument
+
+	$which = argv(1);
+
+	// $a->get_channel() and stuff don't work here, so we've got to find the owner for ourselves.
 	
-// $a->get_channel() and stuff don't work here, so we've got to find the owner for ourselves.
 	$r = q("select channel_id from channel where channel_address = '%s'",
 		dbesc($which)
-		);
-               if($r) {
-                $owner = intval($r[0]['channel_id']);
-       //logger('owner: ' . print_r($owner,true));
-        }
-
-
-		
-		
-        if((local_user()) && (argc() > 2) && (argv(2) === 'view')) {
-                $which = $channel['channel_address'];
-        }
-
+	);
+	if($r) {
+		$owner = intval($r[0]['channel_id']);
+		//logger('owner: ' . print_r($owner,true));
+	}
 			
 	$o = '';
 
-
-// Figure out which post we're editing
+	// Figure out which post we're editing
 	$post_id = ((argc() > 2) ? intval(argv(2)) : 0);
 
 
@@ -38,37 +32,41 @@ function editwebpage_content(&$a) {
 		return;
 	}
 
-// Now we've got a post and an owner, let's find out if we're allowed to edit it
+	// Now we've got a post and an owner, let's find out if we're allowed to edit it
 
-        $observer = $a->get_observer();
-        $ob_hash = (($observer) ? $observer['xchan_hash'] : '');
+	$observer = $a->get_observer();
+	$ob_hash = (($observer) ? $observer['xchan_hash'] : '');
 
-        $perms = get_all_perms($owner,$ob_hash);
+	$perms = get_all_perms($owner,$ob_hash);
 
-        if(! $perms['write_pages']) {
-                notice( t('Permission denied.') . EOL);
-                return;
-        }
+	if(! $perms['write_pages']) {
+		notice( t('Permission denied.') . EOL);
+		return;
+	}
 
 
 
-// We've already figured out which item we want and whose copy we need, so we don't need anything fancy here
-        $itm = q("SELECT * FROM `item` WHERE `id` = %d and uid = %s LIMIT 1",
-                intval($post_id),
-                intval($owner)
-        );
-
+	// We've already figured out which item we want and whose copy we need, so we don't need anything fancy here
+	$itm = q("SELECT * FROM `item` WHERE `id` = %d and uid = %s LIMIT 1",
+		intval($post_id),
+		intval($owner)
+   );
 
 
 	$plaintext = true;
-// You may or may not be a local user.  This won't work,
-	if(feature_enabled(local_user(),'richtext'))
+
+	if(feature_enabled($itm[0]['uid'],'richtext'))
 		$plaintext = false;
 
-
-
 	$mimetype = $itm[0]['mimetype'];
 
+	if($mimetype === 'application/x-php') {
+		if((! local_user()) || (local_user() != $itm[0]['uid'])) {
+			notice( t('Permission denied.') . EOL);
+			return;
+		}
+	}
+	
 	$mimeselect = '';
 
 	if($mimetype != 'text/bbcode')
@@ -76,6 +74,13 @@ function editwebpage_content(&$a) {
     $mimeselect = '<input type="hidden" name="mimetype" value="' . $mimetype . '" />';
 	
 
+	$layout = get_config('system','page_layout');
+	if($layout)
+		$layoutselect = '<input type="hidden" name="layout_mid" value="' . $layout . '" />'; 			
+	else
+		$layoutselect = layout_select($x['profile_uid']);
+
+
 	$o .= replace_macros(get_markup_template('edpost_head.tpl'), array(
 		'$title' => t('Edit post')
 	));
@@ -130,6 +135,7 @@ function editwebpage_content(&$a) {
 		'$public' => t('Public post'),
 		'$jotnets' => $jotnets,
 		'$mimeselect' => $mimeselect,
+		'$layoutselect' => $layoutselect,
 		'$title' => htmlspecialchars($itm[0]['title']),
 		'$placeholdertitle' => t('Set title'),
 		'$category' => '',

mod/item.php

@@ -624,11 +624,12 @@ function item_post(&$a) {
 
 
 	if($orig_post) {
-		$r = q("UPDATE `item` SET `title` = '%s', `body` = '%s', `attach` = '%s', `edited` = '%s' WHERE `id` = %d AND `uid` = %d LIMIT 1",
+		$r = q("UPDATE `item` SET `title` = '%s', `body` = '%s', `attach` = '%s', `edited` = '%s', layout_mid = '%s' WHERE `id` = %d AND `uid` = %d LIMIT 1",
 			dbesc($datarray['title']),
 			dbesc($datarray['body']),
 			dbesc($datarray['attach']),
 			dbesc(datetime_convert()),
+			dbesc($layout_mid),
 			intval($post_id),
 			intval($profile_uid)
 		);