Major corrections to access control and page construction.

This commit is contained in:
Andrew Manning
2016-06-02 22:27:26 -04:00
parent 8d284bab47
commit b70c680964
7 changed files with 137 additions and 122 deletions

View File

@@ -169,6 +169,7 @@ class Apps {
'Settings' => t('Settings'), 'Settings' => t('Settings'),
'Files' => t('Files'), 'Files' => t('Files'),
'Webpages' => t('Webpages'), 'Webpages' => t('Webpages'),
'Wiki' => t('Wiki'),
'Channel Home' => t('Channel Home'), 'Channel Home' => t('Channel Home'),
'View Profile' => t('View Profile'), 'View Profile' => t('View Profile'),
'Photos' => t('Photos'), 'Photos' => t('Photos'),

View File

@@ -6,19 +6,18 @@ class Wiki extends \Zotlabs\Web\Controller {
function init() { function init() {
// Determine which channel's wikis to display to the observer // Determine which channel's wikis to display to the observer
$which = null; $nick = null;
if(argc() > 1) if (argc() > 1)
$which = argv(1); // if the channel name is in the URL, use that $nick = argv(1); // if the channel name is in the URL, use that
if(! $which) { // if no channel name was provided, assume the current logged in channel if (!$nick && local_channel()) { // if no channel name was provided, assume the current logged in channel
if(local_channel()) { $channel = \App::get_channel();
$channel = \App::get_channel(); if ($channel && $channel['channel_address']) {
if($channel && $channel['channel_address']) $nick = $channel['channel_address'];
$which = $channel['channel_address']; goaway(z_root() . '/wiki/' . $nick);
goaway(z_root().'/wiki/'.$which);
} }
} }
if(! $which) { if (!$nick) {
notice( t('You must be logged in to see this page.') . EOL ); notice(t('You must be logged in to see this page.') . EOL);
goaway('/login'); goaway('/login');
} }
} }
@@ -31,95 +30,103 @@ class Wiki extends \Zotlabs\Web\Controller {
$wiki_owner = false; $wiki_owner = false;
$showNewWikiButton = false; $showNewWikiButton = false;
$pageHistory = array(); $pageHistory = array();
if(local_channel()) { $local_observer = null;
$channel = \App::get_channel();
}
// Obtain the default permission settings of the channel
$channel_acl = array(
'allow_cid' => $channel['channel_allow_cid'],
'allow_gid' => $channel['channel_allow_gid'],
'deny_cid' => $channel['channel_deny_cid'],
'deny_gid' => $channel['channel_deny_gid']
);
// Initialize the ACL to the channel default permissions
$x = array(
'lockstate' => (($channel['channel_allow_cid'] || $channel['channel_allow_gid'] || $channel['channel_deny_cid'] || $channel['channel_deny_gid']) ? 'lock' : 'unlock'),
'acl' => populate_acl($channel_acl),
'bang' => ''
);
$resource_id = ''; $resource_id = '';
$pagename = ''; $pagename = '';
if(argc() > 1) {
$channel = get_channel_by_nick(argv(1));
if(local_channel() === intval($channel['channel_id'])) {
$wiki_owner = true;
}
}
// GET https://hubzilla.hub/argv(0)/argv(1)/argv(2)/argv(3)/argv(4)/...
if(argc() > 2) {
// GET /wiki/channel/wiki
// Check if wiki exists andr redirect if it does not
$w = wiki_exists_by_name($channel['channel_id'], argv(2));
if(!$w['resource_id']) {
notice('Wiki not found' . EOL);
goaway('/'.argv(0).'/'.argv(1));
} else {
$resource_id = $w['resource_id'];
}
if (!$wiki_owner) {
// Check for observer permissionswhich);
$observer_hash = get_observer_hash();
$perms = wiki_get_permissions($resource_id, intval($channel['channel_id']), $observer_hash);
if(!$perms['read']) {
notice('Permission denied.' . EOL);
goaway('/'.argv(0).'/'.argv(1));
}
}
}
if(argc()<3) { // init() should have forced the URL to redirect to /wiki/channel so assume argc() > 1
// GET /wiki/channel $nick = argv(1);
$channel = get_channel_by_nick(argv(1)); $channel = get_channel_by_nick($nick); // The channel who owns the wikis being viewed
$wikiheader = t('Wiki Sandbox'); if(! $channel) {
$content = '"# Wiki Sandbox\n\nContent you **edit** and **preview** here *will not be saved*."'; notice('Invalid channel' . EOL);
$hide_editor = false; goaway('/' . argv(0));
$showPageControls = false;
$showNewWikiButton = $wiki_owner;
} elseif (argc()<4) {
// GET /wiki/channel/wiki
// No page was specified, so redirect to Home.md
goaway('/'.argv(0).'/'.argv(1).'/'.argv(2).'/Home.md');
$wikiheader = rawurldecode(argv(2)); // show wiki name
$content = '""';
$hide_editor = true;
// Until separate read and write permissions are implemented, only allow
// the wiki owner to see page controls
$showPageControls = $wiki_owner;
$showNewWikiButton = $wiki_owner;
} elseif (argc()<5) {
// GET /wiki/channel/wiki/page
$pagename = argv(3);
$wikiheader = rawurldecode(argv(2)) . ': ' . rawurldecode($pagename); // show wiki name and page
$p = wiki_get_page_content(array('wiki_resource_id' => $resource_id, 'page' => $pagename));
if(!$p['success']) {
$content = 'Error retrieving page content. Try again.';
}
$content = ($p['content'] !== '' ? $p['content'] : '"# New page\n"');
$hide_editor = false;
$showPageControls = $wiki_owner;
$showNewWikiButton = $wiki_owner;
$pageHistory = wiki_page_history(array('resource_id' => $resource_id, 'page' => $pagename));
} }
require_once('library/markdown.php'); // Determine if the observer is the channel owner so the ACL dialog can be populated
$renderedContent = Markdown(json_decode($content)); if (local_channel() === intval($channel['channel_id'])) {
$local_observer = \App::get_channel();
$wiki_owner = true;
// Obtain the default permission settings of the channel
$channel_acl = array(
'allow_cid' => $local_observer['channel_allow_cid'],
'allow_gid' => $local_observer['channel_allow_gid'],
'deny_cid' => $local_observer['channel_deny_cid'],
'deny_gid' => $local_observer['channel_deny_gid']
);
// Initialize the ACL to the channel default permissions
$x = array(
'lockstate' => (( $local_observer['channel_allow_cid'] ||
$local_observer['channel_allow_gid'] ||
$local_observer['channel_deny_cid'] ||
$local_observer['channel_deny_gid'])
? 'lock' : 'unlock'),
'acl' => populate_acl($channel_acl),
'bang' => ''
);
} else {
// Not the channel owner
$channel_acl = $x = array();
}
switch (argc()) {
case 2:
// Configure page template
$wikiheader = t('Wiki Sandbox');
$content = '"# Wiki Sandbox\n\nContent you **edit** and **preview** here *will not be saved*."';
$hide_editor = false;
$showPageControls = false;
$showNewWikiButton = $wiki_owner;
$showNewPageButton = false;
break;
case 3:
// /wiki/channel/wiki -> No page was specified, so redirect to Home.md
goaway('/'.argv(0).'/'.argv(1).'/'.argv(2).'/Home.md');
case 4:
// GET /wiki/channel/wiki/page
// Fetch the wiki info and determine observer permissions
$wikiname = argv(2);
$pagename = argv(3);
$w = wiki_exists_by_name($channel['channel_id'], $wikiname);
if(!$w['resource_id']) {
notice('Wiki not found' . EOL);
goaway('/'.argv(0).'/'.argv(1));
}
$resource_id = $w['resource_id'];
if (!$wiki_owner) {
// Check for observer permissions
$observer_hash = get_observer_hash();
$perms = wiki_get_permissions($resource_id, intval($channel['channel_id']), $observer_hash);
if(!$perms['read']) {
notice('Permission denied.' . EOL);
goaway('/'.argv(0).'/'.argv(1));
}
}
$wikiheader = rawurldecode($wikiname) . ': ' . rawurldecode($pagename); // show wiki name and page
$p = wiki_get_page_content(array('resource_id' => $resource_id, 'page' => $pagename));
if(!$p['success']) {
notice('Error retrieving page content' . EOL);
goaway('/'.argv(0).'/'.argv(1).'/'.argv(2));
}
$content = ($p['content'] !== '' ? $p['content'] : '"# New page\n"');
$hide_editor = false;
$showPageControls = $wiki_owner;
$showNewWikiButton = $wiki_owner;
$showNewPageButton = $wiki_owner;
$pageHistory = wiki_page_history(array('resource_id' => $resource_id, 'page' => $pagename));
break;
default: // Strip the extraneous URL components
goaway('/'.argv(0).'/'.argv(1).'/'.argv(2).'/'.argv(3));
}
// Render the Markdown-formatted page content in HTML
require_once('library/markdown.php');
$o .= replace_macros(get_markup_template('wiki.tpl'),array( $o .= replace_macros(get_markup_template('wiki.tpl'),array(
'$wikiheader' => $wikiheader, '$wikiheader' => $wikiheader,
'$hideEditor' => $hide_editor, '$hideEditor' => $hide_editor,
'$showPageControls' => $showPageControls, '$showPageControls' => $showPageControls,
'$showNewWikiButton'=> $showNewWikiButton, '$showNewWikiButton'=> $showNewWikiButton,
'$showNewPageButton'=> $showNewPageButton,
'$channel' => $channel['channel_address'], '$channel' => $channel['channel_address'],
'$resource_id' => $resource_id, '$resource_id' => $resource_id,
'$page' => $pagename, '$page' => $pagename,
@@ -127,12 +134,12 @@ class Wiki extends \Zotlabs\Web\Controller {
'$acl' => $x['acl'], '$acl' => $x['acl'],
'$bang' => $x['bang'], '$bang' => $x['bang'],
'$content' => $content, '$content' => $content,
'$renderedContent' => $renderedContent, '$renderedContent' => Markdown(json_decode($content)),
'$wikiName' => array('wikiName', t('Enter the name of your new wiki:'), '', ''), '$wikiName' => array('wikiName', t('Enter the name of your new wiki:'), '', ''),
'$pageName' => array('pageName', t('Enter the name of the new page:'), '', ''), '$pageName' => array('pageName', t('Enter the name of the new page:'), '', ''),
'$pageHistory' => $pageHistory['history'] '$pageHistory' => $pageHistory['history']
)); ));
head_add_js('library/ace/ace.js'); head_add_js('library/ace/ace.js'); // Ace Code Editor
return $o; return $o;
} }
@@ -151,13 +158,13 @@ class Wiki extends \Zotlabs\Web\Controller {
// Create a new wiki // Create a new wiki
// /wiki/channel/create/wiki // /wiki/channel/create/wiki
if ((argc() > 3) && (argv(2) === 'create') && (argv(3) === 'wiki')) { if ((argc() > 3) && (argv(2) === 'create') && (argv(3) === 'wiki')) {
$which = argv(1); $nick = argv(1);
// Determine if observer has permission to create wiki // Determine if observer has permission to create wiki
$observer_hash = get_observer_hash(); $observer_hash = get_observer_hash();
if (local_channel()) { if (local_channel()) {
$channel = \App::get_channel(); $channel = \App::get_channel();
} else { } else {
$channel = get_channel_by_nick($which); $channel = get_channel_by_nick($nick);
// Figure out who the page owner is. // Figure out who the page owner is.
$perms = get_all_perms(intval($channel['channel_id']), $observer_hash); $perms = get_all_perms(intval($channel['channel_id']), $observer_hash);
// TODO: Create a new permission setting for wiki analogous to webpages. Until // TODO: Create a new permission setting for wiki analogous to webpages. Until
@@ -180,9 +187,9 @@ class Wiki extends \Zotlabs\Web\Controller {
$homePage = wiki_create_page('Home.md', $r['item']['resource_id']); $homePage = wiki_create_page('Home.md', $r['item']['resource_id']);
if(!$homePage['success']) { if(!$homePage['success']) {
notice('Wiki created, but error creating Home page.'); notice('Wiki created, but error creating Home page.');
goaway('/wiki/'.$which.'/'.$name); goaway('/wiki/'.$nick.'/'.$name);
} }
goaway('/wiki/'.$which.'/'.$name.'/Home.md'); goaway('/wiki/'.$nick.'/'.$name.'/Home.md');
} else { } else {
notice('Error creating wiki'); notice('Error creating wiki');
goaway('/wiki'); goaway('/wiki');
@@ -191,12 +198,12 @@ class Wiki extends \Zotlabs\Web\Controller {
// Delete a wiki // Delete a wiki
if ((argc() > 3) && (argv(2) === 'delete') && (argv(3) === 'wiki')) { if ((argc() > 3) && (argv(2) === 'delete') && (argv(3) === 'wiki')) {
$which = argv(1); $nick = argv(1);
// Determine if observer has permission to create wiki // Determine if observer has permission to create wiki
if (local_channel()) { if (local_channel()) {
$channel = \App::get_channel(); $channel = \App::get_channel();
} else { } else {
$channel = get_channel_by_nick($which); $channel = get_channel_by_nick($nick);
$observer_hash = get_observer_hash(); $observer_hash = get_observer_hash();
// Figure out who the page owner is. // Figure out who the page owner is.
$perms = get_all_perms(intval($channel['channel_id']), $observer_hash); $perms = get_all_perms(intval($channel['channel_id']), $observer_hash);
@@ -219,13 +226,13 @@ class Wiki extends \Zotlabs\Web\Controller {
// Create a page // Create a page
if ((argc() === 4) && (argv(2) === 'create') && (argv(3) === 'page')) { if ((argc() === 4) && (argv(2) === 'create') && (argv(3) === 'page')) {
$which = argv(1); $nick = argv(1);
$resource_id = $_POST['resource_id']; $resource_id = $_POST['resource_id'];
// Determine if observer has permission to create wiki // Determine if observer has permission to create wiki
if (local_channel()) { if (local_channel()) {
$channel = \App::get_channel(); $channel = \App::get_channel();
} else { } else {
$channel = get_channel_by_nick($which); $channel = get_channel_by_nick($nick);
$observer_hash = get_observer_hash(); $observer_hash = get_observer_hash();
// Figure out who the page owner is. // Figure out who the page owner is.
$perms = get_all_perms(intval($channel['channel_id']), $observer_hash); $perms = get_all_perms(intval($channel['channel_id']), $observer_hash);
@@ -273,7 +280,7 @@ class Wiki extends \Zotlabs\Web\Controller {
// Save a page // Save a page
if ((argc() === 4) && (argv(2) === 'save') && (argv(3) === 'page')) { if ((argc() === 4) && (argv(2) === 'save') && (argv(3) === 'page')) {
$which = argv(1); $nick = argv(1);
$resource_id = $_POST['resource_id']; $resource_id = $_POST['resource_id'];
$pagename = escape_tags(urlencode($_POST['name'])); $pagename = escape_tags(urlencode($_POST['name']));
$content = escape_tags($_POST['content']); //Get new content $content = escape_tags($_POST['content']); //Get new content
@@ -281,7 +288,7 @@ class Wiki extends \Zotlabs\Web\Controller {
if (local_channel()) { if (local_channel()) {
$channel = \App::get_channel(); $channel = \App::get_channel();
} else { } else {
$channel = get_channel_by_nick($which); $channel = get_channel_by_nick($nick);
$observer_hash = get_observer_hash(); $observer_hash = get_observer_hash();
// Figure out who the page owner is. // Figure out who the page owner is.
$perms = get_all_perms(intval($channel['channel_id']), $observer_hash); $perms = get_all_perms(intval($channel['channel_id']), $observer_hash);
@@ -319,14 +326,14 @@ class Wiki extends \Zotlabs\Web\Controller {
// Update page history // Update page history
// /wiki/channel/history/page // /wiki/channel/history/page
if ((argc() === 4) && (argv(2) === 'history') && (argv(3) === 'page')) { if ((argc() === 4) && (argv(2) === 'history') && (argv(3) === 'page')) {
$which = argv(1); $nick = argv(1);
$resource_id = $_POST['resource_id']; $resource_id = $_POST['resource_id'];
$pagename = escape_tags(urlencode($_POST['name'])); $pagename = escape_tags(urlencode($_POST['name']));
// Determine if observer has permission to view content // Determine if observer has permission to view content
if (local_channel()) { if (local_channel()) {
$channel = \App::get_channel(); $channel = \App::get_channel();
} else { } else {
$channel = get_channel_by_nick($which); $channel = get_channel_by_nick($nick);
$observer_hash = get_observer_hash(); $observer_hash = get_observer_hash();
$perms = wiki_get_permissions($resource_id, intval($channel['channel_id']), $observer_hash); $perms = wiki_get_permissions($resource_id, intval($channel['channel_id']), $observer_hash);
if (!$perms['read']) { if (!$perms['read']) {

4
app/wiki.apd Normal file
View File

@@ -0,0 +1,4 @@
url: $baseurl/wiki/$nick
requires: local_channel
name: Wiki
photo: $baseurl/app/wiki.png

BIN
app/wiki.png Normal file

Binary file not shown.

After

Width:  |  Height:  |  Size: 10 KiB

View File

@@ -857,27 +857,27 @@ function widget_chatroom_members() {
function widget_wiki_list($arr) { function widget_wiki_list($arr) {
require_once("include/wiki.php"); require_once("include/wiki.php");
if (argc() > 1) { $channel = null;
$nick = argv(1); if (argc() < 2 && local_channel()) {
$channel = get_channel_by_nick($nick); // This should not occur because /wiki should redirect to /wiki/channel ...
} else {
$channel = \App::get_channel(); $channel = \App::get_channel();
$nick = $channel['channel_address']; } else {
$channel = get_channel_by_nick(argv(1)); // Channel being viewed by observer
}
if (!$channel) {
return '';
} }
$wikis = wiki_list($channel, get_observer_hash()); $wikis = wiki_list($channel, get_observer_hash());
if (local_channel() === intval($channel['channel_id'])) {
$showControls = true;
} else {
$showControls = false;
}
if ($wikis) { if ($wikis) {
return replace_macros(get_markup_template('wikilist.tpl'), array( return replace_macros(get_markup_template('wikilist.tpl'), array(
'$header' => t('Wiki List'), '$header' => t('Wiki List'),
'$channel' => $nick, '$channel' => $channel['channel_address'],
'$wikis' => $wikis['wikis'], '$wikis' => $wikis['wikis'],
'$showControls' => $showControls // If the observer is the local channel owner, show the wiki controls
'$showControls' => ((local_channel() === intval($channel['channel_id'])) ? true : false)
)); ));
} }
return '';
} }
function widget_wiki_pages($arr) { function widget_wiki_pages($arr) {

View File

@@ -9,8 +9,9 @@ define ( 'WIKI_ITEM_RESOURCE_TYPE', 'wiki' );
function wiki_list($channel, $observer_hash) { function wiki_list($channel, $observer_hash) {
$sql_extra = item_permissions_sql($channel['channel_id'], $observer_hash); $sql_extra = item_permissions_sql($channel['channel_id'], $observer_hash);
$wikis = q("SELECT * FROM item WHERE resource_type = '%s' AND mid = parent_mid AND item_deleted = 0 $sql_extra", $wikis = q("SELECT * FROM item WHERE resource_type = '%s' AND mid = parent_mid AND uid = %d AND item_deleted = 0 $sql_extra",
dbesc(WIKI_ITEM_RESOURCE_TYPE) dbesc(WIKI_ITEM_RESOURCE_TYPE),
intval($channel['channel_id'])
); );
// TODO: query db for wikis the observer can access. Return with two lists, for read and write access // TODO: query db for wikis the observer can access. Return with two lists, for read and write access
return array('wikis' => $wikis); return array('wikis' => $wikis);
@@ -195,8 +196,8 @@ function wiki_create_page($name, $resource_id) {
function wiki_get_page_content($arr) { function wiki_get_page_content($arr) {
$page = ((array_key_exists('page',$arr)) ? $arr['page'] : ''); $page = ((array_key_exists('page',$arr)) ? $arr['page'] : '');
// TODO: look for page resource_id and retrieve that way alternatively // TODO: look for page resource_id and retrieve that way alternatively
$wiki_resource_id = ((array_key_exists('wiki_resource_id',$arr)) ? $arr['wiki_resource_id'] : ''); $resource_id = ((array_key_exists('resource_id',$arr)) ? $arr['resource_id'] : '');
$w = wiki_get_wiki($wiki_resource_id); $w = wiki_get_wiki($resource_id);
if (!$w['path']) { if (!$w['path']) {
return array('content' => null, 'message' => 'Error reading wiki', 'success' => false); return array('content' => null, 'message' => 'Error reading wiki', 'success' => false);
} }
@@ -230,7 +231,7 @@ function wiki_page_history($arr) {
if($reponame === '') { if($reponame === '') {
$reponame = 'repo'; $reponame = 'repo';
} }
$git = new GitRepo('sys', null, false, $w['wiki']['title'], $w['path']); $git = new GitRepo('', null, false, $w['wiki']['title'], $w['path']);
try { try {
$gitlog = $git->git->log('', $page_path , array('limit' => 50)); $gitlog = $git->git->log('', $page_path , array('limit' => 50));
logger('gitlog: ' . json_encode($gitlog)); logger('gitlog: ' . json_encode($gitlog));
@@ -272,7 +273,7 @@ function wiki_git_commit($arr) {
if($reponame === '') { if($reponame === '') {
$reponame = 'repo'; $reponame = 'repo';
} }
$git = new GitRepo('sys', null, false, $w['wiki']['title'], $w['path']); $git = new GitRepo($observer['xchan_addr'], null, false, $w['wiki']['title'], $w['path']);
try { try {
$git->setIdentity($observer['xchan_name'], $observer['xchan_addr']); $git->setIdentity($observer['xchan_name'], $observer['xchan_addr']);
if ($files === null) { if ($files === null) {

View File

@@ -16,6 +16,8 @@
<div class="pull-right"> <div class="pull-right">
{{if $showNewWikiButton}} {{if $showNewWikiButton}}
<button class="btn btn-primary btn-xs" onclick="$('#new-page-form-wrapper').hide(); openClose('new-wiki-form-wrapper');">New Wiki</button> <button class="btn btn-primary btn-xs" onclick="$('#new-page-form-wrapper').hide(); openClose('new-wiki-form-wrapper');">New Wiki</button>
{{/if}}
{{if $showNewPageButton}}
<button class="btn btn-success btn-xs" onclick="$('#new-wiki-form-wrapper').hide(); openClose('new-page-form-wrapper');">New Page</button> <button class="btn btn-success btn-xs" onclick="$('#new-wiki-form-wrapper').hide(); openClose('new-page-form-wrapper');">New Page</button>
{{/if}} {{/if}}
<button id="fullscreen-btn" type="button" class="btn btn-default btn-xs" onclick="makeFullScreen(); <button id="fullscreen-btn" type="button" class="btn btn-default btn-xs" onclick="makeFullScreen();