page-edit: fix user page permissions check to also occur in the save action
This commit is contained in:
parent
71544b5d9d
commit
e54bacdcac
2 changed files with 20 additions and 8 deletions
|
@ -23,6 +23,7 @@ This file holds the changelog for Pepperminty Wiki. This is the master list of t
|
||||||
- [security] Ensured that the `returnto` GET parameter leads you only to another place on your Pepperminty Wiki instance (thanks, @JamieSlome)
|
- [security] Ensured that the `returnto` GET parameter leads you only to another place on your Pepperminty Wiki instance (thanks, @JamieSlome)
|
||||||
- [security] Ensure that Javascript in SVGs never gets executed (it's too challenging to strip it, since it could be lurking in many different places - according to [this answer](https://stackoverflow.com/a/68505306/1460422) even Inkscape doesn't strip all Javascript when asked to)
|
- [security] Ensure that Javascript in SVGs never gets executed (it's too challenging to strip it, since it could be lurking in many different places - according to [this answer](https://stackoverflow.com/a/68505306/1460422) even Inkscape doesn't strip all Javascript when asked to)
|
||||||
- [security] Fixed XSS when the `action` GET param doesn't match a known action
|
- [security] Fixed XSS when the `action` GET param doesn't match a known action
|
||||||
|
- [security] User pages are now only savable in the HTTP API by either a moderator or the owning user (previously only the `edit` action was protected, so if you made a request direct to the `save` action, you could bypass the check)
|
||||||
- StorageBox: Create SQLite DB if it doesn't exist explicitly with `touch()`, because some systems are weird
|
- StorageBox: Create SQLite DB if it doesn't exist explicitly with `touch()`, because some systems are weird
|
||||||
- StorageBox: Fix crash when `index.php` is a symbolic link
|
- StorageBox: Fix crash when `index.php` is a symbolic link
|
||||||
- Fixed erroneous additional entries in complex tables of contents
|
- Fixed erroneous additional entries in complex tables of contents
|
||||||
|
|
|
@ -5,7 +5,7 @@
|
||||||
|
|
||||||
register_module([
|
register_module([
|
||||||
"name" => "Page editor",
|
"name" => "Page editor",
|
||||||
"version" => "0.18.1",
|
"version" => "0.19",
|
||||||
"author" => "Starbeamrainbowlabs",
|
"author" => "Starbeamrainbowlabs",
|
||||||
"description" => "Allows you to edit pages by adding the edit and save actions. You should probably include this one.",
|
"description" => "Allows you to edit pages by adding the edit and save actions. You should probably include this one.",
|
||||||
"id" => "page-edit",
|
"id" => "page-edit",
|
||||||
|
@ -60,16 +60,11 @@ register_module([
|
||||||
if(!$unknownpagename)
|
if(!$unknownpagename)
|
||||||
$page_tags = htmlentities(implode(", ", (!empty($pageindex->{$env->page}->tags)) ? $pageindex->{$env->page}->tags : []));
|
$page_tags = htmlentities(implode(", ", (!empty($pageindex->{$env->page}->tags)) ? $pageindex->{$env->page}->tags : []));
|
||||||
|
|
||||||
$isOtherUsersPage = false;
|
$isOtherUsersPage = $settings->user_page_prefix == mb_substr($env->page, 0, mb_strlen($settings->user_page_prefix)) and // The current page is a user page of some sort
|
||||||
if(
|
|
||||||
$settings->user_page_prefix == mb_substr($env->page, 0, mb_strlen($settings->user_page_prefix)) and // The current page is a user page of some sort
|
|
||||||
(
|
(
|
||||||
!$env->is_logged_in or // the user isn't logged in.....
|
!$env->is_logged_in or // the user isn't logged in.....
|
||||||
extract_user_from_userpage($env->page) !== $env->user // ...or it's not under this user's own name
|
extract_user_from_userpage($env->page) !== $env->user // ...or it's not under this user's own name
|
||||||
)
|
);
|
||||||
) {
|
|
||||||
$isOtherUsersPage = true;
|
|
||||||
}
|
|
||||||
|
|
||||||
if((!$env->is_logged_in and !$settings->anonedits) or // if we aren't logged in and anonymous edits are disabled
|
if((!$env->is_logged_in and !$settings->anonedits) or // if we aren't logged in and anonymous edits are disabled
|
||||||
!$settings->editing or // or editing is disabled
|
!$settings->editing or // or editing is disabled
|
||||||
|
@ -387,6 +382,7 @@ window.addEventListener("load", function(event) {
|
||||||
|
|
||||||
if(!$settings->editing)
|
if(!$settings->editing)
|
||||||
{
|
{
|
||||||
|
http_response_code(403);
|
||||||
header("x-failure-reason: editing-disabled");
|
header("x-failure-reason: editing-disabled");
|
||||||
header("location: index.php?page=" . rawurlencode($env->page));
|
header("location: index.php?page=" . rawurlencode($env->page));
|
||||||
exit(page_renderer::render_main("Error saving edit", "<p>Editing is currently disabled on this wiki.</p>"));
|
exit(page_renderer::render_main("Error saving edit", "<p>Editing is currently disabled on this wiki.</p>"));
|
||||||
|
@ -406,12 +402,27 @@ window.addEventListener("load", function(event) {
|
||||||
{
|
{
|
||||||
http_response_code(403);
|
http_response_code(403);
|
||||||
header("refresh: 5; url=index.php?page=" . rawurlencode($env->page));
|
header("refresh: 5; url=index.php?page=" . rawurlencode($env->page));
|
||||||
|
header("x-failure-reason: protected-page");
|
||||||
exit(htmlentities($env->page) . " is protected, and you aren't logged in as an administrator or moderator. Your edit was not saved. Redirecting in 5 seconds...");
|
exit(htmlentities($env->page) . " is protected, and you aren't logged in as an administrator or moderator. Your edit was not saved. Redirecting in 5 seconds...");
|
||||||
}
|
}
|
||||||
|
if($settings->user_page_prefix == mb_substr($env->page, 0, mb_strlen($settings->user_page_prefix)) and ( // The current page is a user page of some sort
|
||||||
|
!$env->is_logged_in or // the user isn't logged in.....
|
||||||
|
(
|
||||||
|
extract_user_from_userpage($env->page) !== $env->user and // ...or it's not under this user's own name
|
||||||
|
!$env->is_admin // ....and the user is not an admin/moderator
|
||||||
|
)
|
||||||
|
) ) {
|
||||||
|
http_response_code(403);
|
||||||
|
header("x-failure-reason: permissions-other-user-page");
|
||||||
|
header("content-type: text-plain");
|
||||||
|
exit("Error: The page {$env->page} is a user page. You must be logged in as either that user or a moderator in order to edit it.");
|
||||||
|
}
|
||||||
if(!isset($_POST["content"]))
|
if(!isset($_POST["content"]))
|
||||||
{
|
{
|
||||||
http_response_code(400);
|
http_response_code(400);
|
||||||
header("refresh: 5; url=index.php?page=" . rawurlencode($env->page));
|
header("refresh: 5; url=index.php?page=" . rawurlencode($env->page));
|
||||||
|
header("x-failure-reason: no-content");
|
||||||
|
header("content-type: text-plain");
|
||||||
exit("Bad request: No content specified.");
|
exit("Bad request: No content specified.");
|
||||||
}
|
}
|
||||||
if(isset($_POST["prevent_save_if_exists"]) && isset($pageindex->{$env->page})) {
|
if(isset($_POST["prevent_save_if_exists"]) && isset($pageindex->{$env->page})) {
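Review bot: In the edit-action hunk (`@ -60,16 +60,11 @@`), the new line `$isOtherUsersPage = $settings->user_page_prefix == mb_substr(...) and ( ... );` assigns only the prefix comparison, because PHP's `and` binds more loosely than `=`; the parenthesised `!$env->is_logged_in or extract_user_from_userpage($env->page) !== $env->user` part is evaluated and then discarded, so `$isOtherUsersPage` is true for every user page, including the logged-in owner's own (the old `if(...)` form did not have this problem, since `and` inside a condition is fine). The enclosing action handler and the place where `$isOtherUsersPage` is consumed lie outside the hunk, but presumably it gates the edit form, so this would lock owners out of their own page rather than let anyone in. Use the symbol operators in the assignment, `$isOtherUsersPage = $settings->user_page_prefix == mb_substr($env->page, 0, mb_strlen($settings->user_page_prefix)) && (` with `||` on the inner `!$env->is_logged_in` line, or wrap the whole right-hand side in parentheses. The edit-side condition also lacks the `!$env->is_admin` clause that the save action now has, so unless that is handled where the flag is used, moderators are treated differently by the two actions. Separately, in the save hunk (`@ -406,12 +402,27 @@`), `header("content-type: text-plain");` in the new user-page branch and in the no-content branch is not a valid MIME type and should be `header("content-type: text/plain");`, and the exit message there interpolates `$env->page` raw where the neighbouring protected-page branch uses `htmlentities($env->page)` — worth matching, since the page name comes from the request.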
|
||||||
|
|