]> git.vanrenterghem.biz Git - git.ikiwiki.info.git/blob - IkiWiki/Plugin/editpage.pm
move security to discussion
[git.ikiwiki.info.git] / IkiWiki / Plugin / editpage.pm
1 #!/usr/bin/perl
2 package IkiWiki::Plugin::editpage;
4 use warnings;
5 use strict;
6 use IkiWiki;
7 use open qw{:utf8 :std};
9 sub import {
10         hook(type => "getsetup", id => "editpage", call => \&getsetup);
11         hook(type => "refresh", id => "editpage", call => \&refresh);
12         hook(type => "sessioncgi", id => "editpage", call => \&IkiWiki::cgi_editpage);
13 }
15 sub getsetup () {
16         return
17                 plugin => {
18                         safe => 1,
19                         rebuild => 1,
20                 },
21 }
23 sub refresh () {
24         if (exists $wikistate{editpage} && exists $wikistate{editpage}{previews}) {
25                 # Expire old preview files after one hour.
26                 my $expire=time - (60 * 60);
28                 my @previews;
29                 foreach my $file (@{$wikistate{editpage}{previews}}) {
30                         my $mtime=(stat("$config{destdir}/$file"))[9];
31                         if (defined $mtime && $mtime <= $expire) {
32                                 # Avoid deleting a preview that was later saved.
33                                 my $delete=1;
34                                 foreach my $page (keys %renderedfiles) {
35                                         if (grep { $_ eq $file } @{$renderedfiles{$page}}) {
36                                                 $delete=0;
37                                         }
38                                 }
39                                 if ($delete) {
40                                         debug(sprintf(gettext("removing old preview %s"), $file));
41                                         IkiWiki::prune("$config{destdir}/$file");
42                                 }
43                         }
44                         elsif (defined $mtime) {
45                                 push @previews, $file;
46                         }
47                 }
48                 $wikistate{editpage}{previews}=\@previews;
49         }
50 }
52 # Back to ikiwiki namespace for the rest, this code is very much
53 # internal to ikiwiki even though it's separated into a plugin,
54 # and other plugins use the function below.
55 package IkiWiki;
57 sub cgi_editpage ($$) {
58         my $q=shift;
59         my $session=shift;
60         
61         my $do=$q->param('do');
62         return unless $do eq 'create' || $do eq 'edit';
64         decode_cgi_utf8($q);
66         my @fields=qw(do rcsinfo subpage from page type editcontent comments);
67         my @buttons=("Save Page", "Preview", "Cancel");
68         eval q{use CGI::FormBuilder};
69         error($@) if $@;
70         my $form = CGI::FormBuilder->new(
71                 fields => \@fields,
72                 charset => "utf-8",
73                 method => 'POST',
74                 required => [qw{editcontent}],
75                 javascript => 0,
76                 params => $q,
77                 action => $config{cgiurl},
78                 header => 0,
79                 table => 0,
80                 template => scalar template_params("editpage.tmpl"),
81         );
82         
83         decode_form_utf8($form);
84         run_hooks(formbuilder_setup => sub {
85                 shift->(form => $form, cgi => $q, session => $session,
86                         buttons => \@buttons);
87         });
88         decode_form_utf8($form);
89         
90         # This untaint is safe because we check file_pruned and
91         # wiki_file_regexp.
92         my ($page)=$form->field('page')=~/$config{wiki_file_regexp}/;
93         $page=possibly_foolish_untaint($page);
94         my $absolute=($page =~ s#^/+##);
95         if (! defined $page || ! length $page ||
96             file_pruned($page, $config{srcdir})) {
97                 error(gettext("bad page name"));
98         }
100         my $baseurl = urlto($page, undef, 1);
102         my $from;
103         if (defined $form->field('from')) {
104                 ($from)=$form->field('from')=~/$config{wiki_file_regexp}/;
105         }
106         
107         my $file;
108         my $type;
109         if (exists $pagesources{$page} && $form->field("do") ne "create") {
110                 $file=$pagesources{$page};
111                 $type=pagetype($file);
112                 if (! defined $type || $type=~/^_/) {
113                         error(sprintf(gettext("%s is not an editable page"), $page));
114                 }
115                 if (! $form->submitted) {
116                         $form->field(name => "rcsinfo",
117                                 value => rcs_prepedit($file), force => 1);
118                 }
119                 $form->field(name => "editcontent", validate => '/.*/');
120         }
121         else {
122                 $type=$form->param('type');
123                 if (defined $type && length $type && $hooks{htmlize}{$type}) {
124                         $type=possibly_foolish_untaint($type);
125                 }
126                 elsif (defined $from && exists $pagesources{$from}) {
127                         # favor the type of linking page
128                         $type=pagetype($pagesources{$from});
129                 }
130                 $type=$config{default_pageext} unless defined $type;
131                 $file=newpagefile($page, $type);
132                 if (! $form->submitted) {
133                         $form->field(name => "rcsinfo", value => "", force => 1);
134                 }
135                 $form->field(name => "editcontent", validate => '/.+/');
136         }
138         $form->field(name => "do", type => 'hidden');
139         $form->field(name => "sid", type => "hidden", value => $session->id,
140                 force => 1);
141         $form->field(name => "from", type => 'hidden');
142         $form->field(name => "rcsinfo", type => 'hidden');
143         $form->field(name => "subpage", type => 'hidden');
144         $form->field(name => "page", value => $page, force => 1);
145         $form->field(name => "type", value => $type, force => 1);
146         $form->field(name => "comments", type => "text", size => 80);
147         $form->field(name => "editcontent", type => "textarea", rows => 20,
148                 cols => 80);
149         $form->tmpl_param("can_commit", $config{rcs});
150         $form->tmpl_param("indexlink", indexlink());
151         $form->tmpl_param("helponformattinglink",
152                 htmllink($page, $page, "ikiwiki/formatting",
153                         noimageinline => 1,
154                         linktext => "FormattingHelp"));
155         
156         if ($form->submitted eq "Cancel") {
157                 if ($form->field("do") eq "create" && defined $from) {
158                         redirect($q, urlto($from, undef, 1));
159                 }
160                 elsif ($form->field("do") eq "create") {
161                         redirect($q, $config{url});
162                 }
163                 else {
164                         redirect($q, urlto($page, undef, 1));
165                 }
166                 exit;
167         }
168         elsif ($form->submitted eq "Preview") {
169                 my $new=not exists $pagesources{$page};
170                 if ($new) {
171                         # temporarily record its type
172                         $pagesources{$page}=$page.".".$type;
173                 }
174                 my %wasrendered=map { $_ => 1 } @{$renderedfiles{$page}};
176                 my $content=$form->field('editcontent');
178                 run_hooks(editcontent => sub {
179                         $content=shift->(
180                                 content => $content,
181                                 page => $page,
182                                 cgi => $q,
183                                 session => $session,
184                         );
185                 });
186                 my $preview=htmlize($page, $page, $type,
187                         linkify($page, $page,
188                         preprocess($page, $page,
189                         filter($page, $page, $content), 0, 1)));
190                 run_hooks(format => sub {
191                         $preview=shift->(
192                                 page => $page,
193                                 content => $preview,
194                         );
195                 });
196                 $form->tmpl_param("page_preview", $preview);
197                 
198                 if ($new) {
199                         delete $pagesources{$page};
200                 }
202                 # Previewing may have created files on disk.
203                 # Keep a list of these to be deleted later.
204                 my %previews = map { $_ => 1 } @{$wikistate{editpage}{previews}};
205                 foreach my $f (@{$renderedfiles{$page}}) {
206                         $previews{$f}=1 unless $wasrendered{$f};
207                 }
208                 @{$wikistate{editpage}{previews}} = keys %previews;
209                 $renderedfiles{$page}=[keys %wasrendered];
210                 saveindex();
211         }
212         elsif ($form->submitted eq "Save Page") {
213                 $form->tmpl_param("page_preview", "");
214         }
215         
216         if ($form->submitted ne "Save Page" || ! $form->validate) {
217                 if ($form->field("do") eq "create") {
218                         my @page_locs;
219                         my $best_loc;
220                         if (! defined $from || ! length $from ||
221                             $from ne $form->field('from') ||
222                             file_pruned($from, $config{srcdir}) ||
223                             $from=~/^\// || 
224                             $absolute ||
225                             $form->submitted) {
226                                 @page_locs=$best_loc=$page;
227                         }
228                         else {
229                                 my $dir=$from."/";
230                                 $dir=~s![^/]+/+$!!;
231                                 
232                                 if ((defined $form->field('subpage') && length $form->field('subpage')) ||
233                                     $page eq gettext('discussion')) {
234                                         $best_loc="$from/$page";
235                                 }
236                                 else {
237                                         $best_loc=$dir.$page;
238                                 }
239                                 
240                                 push @page_locs, $dir.$page;
241                                 push @page_locs, "$from/$page";
242                                 while (length $dir) {
243                                         $dir=~s![^/]+/+$!!;
244                                         push @page_locs, $dir.$page;
245                                 }
246                         
247                                 push @page_locs, "$config{userdir}/$page"
248                                         if length $config{userdir};
249                         }
251                         @page_locs = grep {
252                                 ! exists $pagecase{lc $_}
253                         } @page_locs;
254                         if (! @page_locs) {
255                                 # hmm, someone else made the page in the
256                                 # meantime?
257                                 if ($form->submitted eq "Preview") {
258                                         # let them go ahead with the edit
259                                         # and resolve the conflict at save
260                                         # time
261                                         @page_locs=$page;
262                                 }
263                                 else {
264                                         redirect($q, urlto($page, undef, 1));
265                                         exit;
266                                 }
267                         }
269                         my @editable_locs = grep {
270                                 check_canedit($_, $q, $session, 1)
271                         } @page_locs;
272                         if (! @editable_locs) {
273                                 # let it throw an error this time
274                                 map { check_canedit($_, $q, $session) } @page_locs;
275                         }
276                         
277                         my @page_types;
278                         if (exists $hooks{htmlize}) {
279                                 @page_types=grep { !/^_/ }
280                                         keys %{$hooks{htmlize}};
281                         }
282                         
283                         $form->tmpl_param("page_select", 1);
284                         $form->field(name => "page", type => 'select',
285                                 options => [ map { [ $_, pagetitle($_, 1) ] } @editable_locs ],
286                                 value => $best_loc);
287                         $form->field(name => "type", type => 'select',
288                                 options => \@page_types);
289                         $form->title(sprintf(gettext("creating %s"), pagetitle($page)));
290                         
291                 }
292                 elsif ($form->field("do") eq "edit") {
293                         check_canedit($page, $q, $session);
294                         if (! defined $form->field('editcontent') || 
295                             ! length $form->field('editcontent')) {
296                                 my $content="";
297                                 if (exists $pagesources{$page}) {
298                                         $content=readfile(srcfile($pagesources{$page}));
299                                         $content=~s/\n/\r\n/g;
300                                 }
301                                 $form->field(name => "editcontent", value => $content,
302                                         force => 1);
303                         }
304                         $form->tmpl_param("page_select", 0);
305                         $form->field(name => "page", type => 'hidden');
306                         $form->field(name => "type", type => 'hidden');
307                         $form->title(sprintf(gettext("editing %s"), pagetitle($page)));
308                 }
309                 
310                 showform($form, \@buttons, $session, $q, forcebaseurl => $baseurl);
311         }
312         else {
313                 # save page
314                 check_canedit($page, $q, $session);
315                 checksessionexpiry($q, $session, $q->param('sid'));
317                 my $exists=-e "$config{srcdir}/$file";
319                 if ($form->field("do") ne "create" && ! $exists &&
320                     ! defined srcfile($file, 1)) {
321                         $form->tmpl_param("message", template("editpagegone.tmpl")->output);
322                         $form->field(name => "do", value => "create", force => 1);
323                         $form->tmpl_param("page_select", 0);
324                         $form->field(name => "page", type => 'hidden');
325                         $form->field(name => "type", type => 'hidden');
326                         $form->title(sprintf(gettext("editing %s"), $page));
327                         showform($form, \@buttons, $session, $q, forcebaseurl => $baseurl);
328                         exit;
329                 }
330                 elsif ($form->field("do") eq "create" && $exists) {
331                         $form->tmpl_param("message", template("editcreationconflict.tmpl")->output);
332                         $form->field(name => "do", value => "edit", force => 1);
333                         $form->tmpl_param("page_select", 0);
334                         $form->field(name => "page", type => 'hidden');
335                         $form->field(name => "type", type => 'hidden');
336                         $form->title(sprintf(gettext("editing %s"), $page));
337                         $form->field("editcontent", 
338                                 value => readfile("$config{srcdir}/$file").
339                                          "\n\n\n".$form->field("editcontent"),
340                                 force => 1);
341                         showform($form, \@buttons, $session, $q, forcebaseurl => $baseurl);
342                         exit;
343                 }
344                         
345                 my $message="";
346                 if (defined $form->field('comments') &&
347                     length $form->field('comments')) {
348                         $message=$form->field('comments');
349                 }
350                 
351                 my $content=$form->field('editcontent');
352                 check_content(content => $content, page => $page,
353                         cgi => $q, session => $session,
354                         subject => $message);
355                 run_hooks(editcontent => sub {
356                         $content=shift->(
357                                 content => $content,
358                                 page => $page,
359                                 cgi => $q,
360                                 session => $session,
361                         );
362                 });
363                 $content=~s/\r\n/\n/g;
364                 $content=~s/\r/\n/g;
365                 $content.="\n" if $content !~ /\n$/;
367                 $config{cgi}=0; # avoid cgi error message
368                 eval { writefile($file, $config{srcdir}, $content) };
369                 $config{cgi}=1;
370                 if ($@) {
371                         $form->field(name => "rcsinfo", value => rcs_prepedit($file),
372                                 force => 1);
373                         my $mtemplate=template("editfailedsave.tmpl");
374                         $mtemplate->param(error_message => $@);
375                         $form->tmpl_param("message", $mtemplate->output);
376                         $form->field("editcontent", value => $content, force => 1);
377                         $form->tmpl_param("page_select", 0);
378                         $form->field(name => "page", type => 'hidden');
379                         $form->field(name => "type", type => 'hidden');
380                         $form->title(sprintf(gettext("editing %s"), $page));
381                         showform($form, \@buttons, $session, $q,
382                                 forcebaseurl => $baseurl);
383                         exit;
384                 }
385                 
386                 my $conflict;
387                 if ($config{rcs}) {
388                         if (! $exists) {
389                                 rcs_add($file);
390                         }
392                         # Prevent deadlock with post-commit hook by
393                         # signaling to it that it should not try to
394                         # do anything.
395                         disable_commit_hook();
396                         $conflict=rcs_commit($file, $message,
397                                 $form->field("rcsinfo"),
398                                 $session->param("name"), $ENV{REMOTE_ADDR});
399                         enable_commit_hook();
400                         rcs_update();
401                 }
402                 
403                 # Refresh even if there was a conflict, since other changes
404                 # may have been committed while the post-commit hook was
405                 # disabled.
406                 require IkiWiki::Render;
407                 refresh();
408                 saveindex();
410                 if (defined $conflict) {
411                         $form->field(name => "rcsinfo", value => rcs_prepedit($file),
412                                 force => 1);
413                         $form->tmpl_param("message", template("editconflict.tmpl")->output);
414                         $form->field("editcontent", value => $conflict, force => 1);
415                         $form->field("do", "edit", force => 1);
416                         $form->tmpl_param("page_select", 0);
417                         $form->field(name => "page", type => 'hidden');
418                         $form->field(name => "type", type => 'hidden');
419                         $form->title(sprintf(gettext("editing %s"), $page));
420                         showform($form, \@buttons, $session, $q,
421                                 forcebaseurl => $baseurl);
422                 }
423                 else {
424                         # The trailing question mark tries to avoid broken
425                         # caches and get the most recent version of the page.
426                         redirect($q, urlto($page, undef, 1)."?updated");
427                 }
428         }
430         exit;