
page-edit: fix user page permissions check to also occur in the save action

This commit is contained in:
Starbeamrainbowlabs 2022-05-26 01:12:51 +01:00
parent 71544b5d9d
commit e54bacdcac
Signed by: sbrl
GPG key ID: 1BE5172E637709C2
2 changed files with 20 additions and 8 deletions


@ -23,6 +23,7 @@ This file holds the changelog for Pepperminty Wiki. This is the master list of t
- [security] Ensured that the `returnto` GET parameter leads you only to another place on your Pepperminty Wiki instance (thanks, @JamieSlome) - [security] Ensured that the `returnto` GET parameter leads you only to another place on your Pepperminty Wiki instance (thanks, @JamieSlome)
- [security] Ensure that Javascript in SVGs never gets executed (it's too challenging to strip it, since it could be lurking in many different places - according to [this answer](https://stackoverflow.com/a/68505306/1460422) even Inkscape doesn't strip all Javascript when asked to) - [security] Ensure that Javascript in SVGs never gets executed (it's too challenging to strip it, since it could be lurking in many different places - according to [this answer](https://stackoverflow.com/a/68505306/1460422) even Inkscape doesn't strip all Javascript when asked to)
- [security] Fixed XSS when the `action` GET param doesn't match a known action - [security] Fixed XSS when the `action` GET param doesn't match a known action
- [security] User pages are now only savable in the HTTP API by either a moderator or the owning user (previously only the `edit` action was protected, so if you made a request direct to the `save` action, you could bypass the check)
- StorageBox: Create SQLite DB if it doesn't exist explicitly with `touch()`, because some systems are weird - StorageBox: Create SQLite DB if it doesn't exist explicitly with `touch()`, because some systems are weird
- StorageBox: Fix crash when `index.php` is a symbolic link - StorageBox: Fix crash when `index.php` is a symbolic link
- Fixed erroneous additional entries in complex tables of contents - Fixed erroneous additional entries in complex tables of contents


@ -5,7 +5,7 @@
register_module([ register_module([
"name" => "Page editor", "name" => "Page editor",
"version" => "0.18.1", "version" => "0.19",
"author" => "Starbeamrainbowlabs", "author" => "Starbeamrainbowlabs",
"description" => "Allows you to edit pages by adding the edit and save actions. You should probably include this one.", "description" => "Allows you to edit pages by adding the edit and save actions. You should probably include this one.",
"id" => "page-edit", "id" => "page-edit",
@ -60,16 +60,11 @@ register_module([
if(!$unknownpagename) if(!$unknownpagename)
$page_tags = htmlentities(implode(", ", (!empty($pageindex->{$env->page}->tags)) ? $pageindex->{$env->page}->tags : [])); $page_tags = htmlentities(implode(", ", (!empty($pageindex->{$env->page}->tags)) ? $pageindex->{$env->page}->tags : []));
$isOtherUsersPage = false; $isOtherUsersPage = $settings->user_page_prefix == mb_substr($env->page, 0, mb_strlen($settings->user_page_prefix)) and // The current page is a user page of some sort
if(
$settings->user_page_prefix == mb_substr($env->page, 0, mb_strlen($settings->user_page_prefix)) and // The current page is a user page of some sort
( (
!$env->is_logged_in or // the user isn't logged in..... !$env->is_logged_in or // the user isn't logged in.....
extract_user_from_userpage($env->page) !== $env->user // ...or it's not under this user's own name extract_user_from_userpage($env->page) !== $env->user // ...or it's not under this user's own name
) );
) {
$isOtherUsersPage = true;
}
if((!$env->is_logged_in and !$settings->anonedits) or // if we aren't logged in and anonymous edits are disabled if((!$env->is_logged_in and !$settings->anonedits) or // if we aren't logged in and anonymous edits are disabled
!$settings->editing or // or editing is disabled !$settings->editing or // or editing is disabled
@ -387,6 +382,7 @@ window.addEventListener("load", function(event) {
if(!$settings->editing) if(!$settings->editing)
{ {
http_response_code(403);
header("x-failure-reason: editing-disabled"); header("x-failure-reason: editing-disabled");
header("location: index.php?page=" . rawurlencode($env->page)); header("location: index.php?page=" . rawurlencode($env->page));
exit(page_renderer::render_main("Error saving edit", "<p>Editing is currently disabled on this wiki.</p>")); exit(page_renderer::render_main("Error saving edit", "<p>Editing is currently disabled on this wiki.</p>"));
@ -406,12 +402,27 @@ window.addEventListener("load", function(event) {
{ {
http_response_code(403); http_response_code(403);
header("refresh: 5; url=index.php?page=" . rawurlencode($env->page)); header("refresh: 5; url=index.php?page=" . rawurlencode($env->page));
header("x-failure-reason: protected-page");
exit(htmlentities($env->page) . " is protected, and you aren't logged in as an administrator or moderator. Your edit was not saved. Redirecting in 5 seconds..."); exit(htmlentities($env->page) . " is protected, and you aren't logged in as an administrator or moderator. Your edit was not saved. Redirecting in 5 seconds...");
} }
if($settings->user_page_prefix == mb_substr($env->page, 0, mb_strlen($settings->user_page_prefix)) and ( // The current page is a user page of some sort
!$env->is_logged_in or // the user isn't logged in.....
(
extract_user_from_userpage($env->page) !== $env->user and // ...or it's not under this user's own name
!$env->is_admin // ....and the user is not an admin/moderator
)
) ) {
http_response_code(403);
header("x-failure-reason: permissions-other-user-page");
header("content-type: text-plain");
exit("Error: The page {$env->page} is a user page. You must be logged in as either that user or a moderator in order to edit it.");
}
if(!isset($_POST["content"])) if(!isset($_POST["content"]))
{ {
http_response_code(400); http_response_code(400);
header("refresh: 5; url=index.php?page=" . rawurlencode($env->page)); header("refresh: 5; url=index.php?page=" . rawurlencode($env->page));
header("x-failure-reason: no-content");
header("content-type: text-plain");
exit("Bad request: No content specified."); exit("Bad request: No content specified.");
} }
if(isset($_POST["prevent_save_if_exists"]) && isset($pageindex->{$env->page})) { if(isset($_POST["prevent_save_if_exists"]) && isset($pageindex->{$env->page})) {
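Review bot: In the edit-action hunk, the rewritten line `$isOtherUsersPage = $settings->user_page_prefix == mb_substr(...) and ( ... );` assigns only the prefix comparison, because PHP's `and` binds more loosely than `=`; the logged-in/owner sub-condition is still evaluated but its result is discarded, so the flag is true for every user page, including the visitor's own. Inside the old `if(...)` the precedence was harmless, but as an assignment it needs `&&`/`||` or an outer pair of parentheses, e.g. `$isOtherUsersPage = ($settings->user_page_prefix == mb_substr($env->page, 0, mb_strlen($settings->user_page_prefix))) && (!$env->is_logged_in || extract_user_from_userpage($env->page) !== $env->user);`. How the flag is consumed lies outside the hunk, so the user-visible effect can't be confirmed from here, but it presumably affects the owner's own edit path. In the save-action hunk, the two new `header("content-type: text-plain");` lines should read `text/plain`; as written the value is not a valid media type, and the exit message that follows interpolates `$env->page` without the `htmlentities()` the protected-page branch above it uses, so the response is not guaranteed to be handled as plain text.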