]> git.vanrenterghem.biz Git - git.ikiwiki.info.git/blob - IkiWiki/CGI.pm
resp
[git.ikiwiki.info.git] / IkiWiki / CGI.pm
1 #!/usr/bin/perl
3 use warnings;
4 use strict;
5 use IkiWiki;
6 use IkiWiki::UserInfo;
7 use open qw{:utf8 :std};
8 use Encode;
10 package IkiWiki;
12 sub printheader ($) { #{{{
13         my $session=shift;
14         
15         if ($config{sslcookie}) {
16                 print $session->header(-charset => 'utf-8',
17                         -cookie => $session->cookie(-secure => 1));
18         } else {
19                 print $session->header(-charset => 'utf-8');
20         }
22 } #}}}
23         
24 sub showform ($$$$) { #{{{
25         my $form=shift;
26         my $buttons=shift;
27         my $session=shift;
28         my $cgi=shift;
30         if (exists $hooks{formbuilder}) {
31                 run_hooks(formbuilder => sub {
32                         shift->(form => $form, cgi => $cgi, session => $session,
33                                 buttons => $buttons);
34                 });
35         }
36         else {
37                 printheader($session);
38                 print misctemplate($form->title, $form->render(submit => $buttons));
39         }
40 }
42 sub redirect ($$) { #{{{
43         my $q=shift;
44         my $url=shift;
45         if (! $config{w3mmode}) {
46                 print $q->redirect($url);
47         }
48         else {
49                 print "Content-type: text/plain\n";
50                 print "W3m-control: GOTO $url\n\n";
51         }
52 } #}}}
54 sub check_canedit ($$$;$) { #{{{
55         my $page=shift;
56         my $q=shift;
57         my $session=shift;
58         my $nonfatal=shift;
59         
60         my $canedit;
61         run_hooks(canedit => sub {
62                 return if defined $canedit;
63                 my $ret=shift->($page, $q, $session);
64                 if (defined $ret && $ret eq "") {
65                         $canedit=1;
66                 }
67                 elsif (defined $ret) {
68                         $canedit=0;
69                         error($ret) unless $nonfatal;
70                 }
71         });
72         return $canedit;
73 } #}}}
75 sub decode_form_utf8 ($) { #{{{
76         my $form = shift;
77         foreach my $f ($form->field) {
78                 next if Encode::is_utf8(scalar $form->field($f));
79                 $form->field(name  => $f,
80                              value => decode_utf8($form->field($f)),
81                              force => 1,
82                             );
83         }
84 } #}}}
86 sub cgi_recentchanges ($) { #{{{
87         my $q=shift;
88         
89         # Optimisation: building recentchanges means calculating lots of
90         # links. Memoizing htmllink speeds it up a lot (can't be memoized
91         # during page builds as the return values may change, but they
92         # won't here.)
93         eval q{use Memoize};
94         error($@) if $@;
95         memoize("htmllink");
97         eval q{use Time::Duration};
98         error($@) if $@;
100         my $changelog=[rcs_recentchanges(100)];
101         foreach my $change (@$changelog) {
102                 $change->{when} = concise(ago($change->{when}));
104                 $change->{user} = userlink($change->{user});
106                 my $is_excess = exists $change->{pages}[10]; # limit pages to first 10
107                 delete @{$change->{pages}}[10 .. @{$change->{pages}}] if $is_excess;
108                 $change->{pages} = [
109                         map {
110                                 $_->{link} = htmllink("", "", $_->{page},
111                                         noimageinline => 1,
112                                         linktext => pagetitle($_->{page}));
113                                 $_;
114                         } @{$change->{pages}}
115                 ];
116                 push @{$change->{pages}}, { link => '...' } if $is_excess;
117         }
119         my $template=template("recentchanges.tmpl"); 
120         $template->param(
121                 title => "RecentChanges",
122                 indexlink => indexlink(),
123                 wikiname => $config{wikiname},
124                 changelog => $changelog,
125                 baseurl => baseurl(),
126         );
127         run_hooks(pagetemplate => sub {
128                 shift->(page => "", destpage => "", template => $template);
129         });
130         print $q->header(-charset => 'utf-8'), $template->output;
131 } #}}}
133 # Check if the user is signed in. If not, redirect to the signin form and
134 # save their place to return to later.
135 sub needsignin ($$) { #{{{
136         my $q=shift;
137         my $session=shift;
139         if (! defined $session->param("name") ||
140             ! userinfo_get($session->param("name"), "regdate")) {
141                 if (! defined $session->param("postsignin")) {
142                         $session->param(postsignin => $ENV{QUERY_STRING});
143                 }
144                 cgi_signin($q, $session);
145                 cgi_savesession($session);
146                 exit;
147         }
148 } #}}}  
150 sub cgi_signin ($$) { #{{{
151         my $q=shift;
152         my $session=shift;
154         eval q{use CGI::FormBuilder};
155         error($@) if $@;
156         my $form = CGI::FormBuilder->new(
157                 title => "signin",
158                 name => "signin",
159                 charset => "utf-8",
160                 method => 'POST',
161                 required => 'NONE',
162                 javascript => 0,
163                 params => $q,
164                 action => $config{cgiurl},
165                 header => 0,
166                 template => {type => 'div'},
167                 stylesheet => baseurl()."style.css",
168         );
169         my $buttons=["Login"];
170         
171         if ($q->param("do") ne "signin" && !$form->submitted) {
172                 $form->text(gettext("You need to log in first."));
173         }
174         $form->field(name => "do", type => "hidden", value => "signin",
175                 force => 1);
176         
177         decode_form_utf8($form);
178         
179         run_hooks(formbuilder_setup => sub {
180                 shift->(form => $form, cgi => $q, session => $session,
181                         buttons => $buttons);
182         });
184         if ($form->submitted) {
185                 $form->validate;
186         }
188         showform($form, $buttons, $session, $q);
189 } #}}}
191 sub cgi_postsignin ($$) { #{{{
192         my $q=shift;
193         my $session=shift;
194         
195         # Continue with whatever was being done before the signin process.
196         if (defined $session->param("postsignin")) {
197                 my $postsignin=CGI->new($session->param("postsignin"));
198                 $session->clear("postsignin");
199                 cgi($postsignin, $session);
200                 cgi_savesession($session);
201                 exit;
202         }
203         else {
204                 # This can occur, for example, if a user went to the signin
205                 # url via a bookmark.
206                 redirect($q, $config{url});
207         }
208 } #}}}
210 sub cgi_prefs ($$) { #{{{
211         my $q=shift;
212         my $session=shift;
214         needsignin($q, $session);
216         eval q{use CGI::FormBuilder};
217         error($@) if $@;
218         my $form = CGI::FormBuilder->new(
219                 title => "preferences",
220                 name => "preferences",
221                 header => 0,
222                 charset => "utf-8",
223                 method => 'POST',
224                 validate => {
225                         email => 'EMAIL',
226                 },
227                 required => 'NONE',
228                 javascript => 0,
229                 params => $q,
230                 action => $config{cgiurl},
231                 template => {type => 'div'},
232                 stylesheet => baseurl()."style.css",
233                 fieldsets => [
234                         [login => gettext("Login")],
235                         [preferences => gettext("Preferences")],
236                         [admin => gettext("Admin")]
237                 ],
238         );
239         my $buttons=["Save Preferences", "Logout", "Cancel"];
241         decode_form_utf8($form);
243         run_hooks(formbuilder_setup => sub {
244                 shift->(form => $form, cgi => $q, session => $session,
245                         buttons => $buttons);
246         });
247         
248         $form->field(name => "do", type => "hidden");
249         $form->field(name => "email", size => 50, fieldset => "preferences");
250         $form->field(name => "subscriptions", size => 50,
251                 fieldset => "preferences",
252                 comment => "(".htmllink("", "", "PageSpec", noimageinline => 1).")");
253         $form->field(name => "banned_users", size => 50,
254                 fieldset => "admin");
255         
256         my $user_name=$session->param("name");
257         if (! is_admin($user_name)) {
258                 $form->field(name => "banned_users", type => "hidden");
259         }
261         if (! $form->submitted) {
262                 $form->field(name => "email", force => 1,
263                         value => userinfo_get($user_name, "email"));
264                 $form->field(name => "subscriptions", force => 1,
265                         value => userinfo_get($user_name, "subscriptions"));
266                 if (is_admin($user_name)) {
267                         $form->field(name => "banned_users", force => 1,
268                                 value => join(" ", get_banned_users()));
269                 }
270         }
271         
272         if ($form->submitted eq 'Logout') {
273                 $session->delete();
274                 redirect($q, $config{url});
275                 return;
276         }
277         elsif ($form->submitted eq 'Cancel') {
278                 redirect($q, $config{url});
279                 return;
280         }
281         elsif ($form->submitted eq 'Save Preferences' && $form->validate) {
282                 foreach my $field (qw(email subscriptions)) {
283                         if (defined $form->field($field) && length $form->field($field)) {
284                                 userinfo_set($user_name, $field, $form->field($field)) ||
285                                         error("failed to set $field");
286                         }
287                 }
288                 if (is_admin($user_name)) {
289                         set_banned_users(grep { ! is_admin($_) }
290                                         split(' ',
291                                                 $form->field("banned_users"))) ||
292                                 error("failed saving changes");
293                 }
294                 $form->text(gettext("Preferences saved."));
295         }
296         
297         showform($form, $buttons, $session, $q);
298 } #}}}
300 sub cgi_editpage ($$) { #{{{
301         my $q=shift;
302         my $session=shift;
304         my @fields=qw(do rcsinfo subpage from page type editcontent comments);
305         my @buttons=("Save Page", "Preview", "Cancel");
306         
307         eval q{use CGI::FormBuilder};
308         error($@) if $@;
309         my $form = CGI::FormBuilder->new(
310                 title => "editpage",
311                 fields => \@fields,
312                 charset => "utf-8",
313                 method => 'POST',
314                 validate => {
315                         editcontent => '/.+/',
316                 },
317                 required => [qw{editcontent}],
318                 javascript => 0,
319                 params => $q,
320                 action => $config{cgiurl},
321                 header => 0,
322                 table => 0,
323                 template => scalar template_params("editpage.tmpl"),
324                 wikiname => $config{wikiname},
325         );
326         
327         decode_form_utf8($form);
328         
329         run_hooks(formbuilder_setup => sub {
330                 shift->(form => $form, cgi => $q, session => $session,
331                         buttons => \@buttons);
332         });
333         
334         # This untaint is safe because titlepage removes any problematic
335         # characters.
336         my ($page)=$form->field('page');
337         $page=titlepage(possibly_foolish_untaint($page));
338         if (! defined $page || ! length $page || file_pruned($page, $config{srcdir}) || $page=~/^\//) {
339                 error("bad page name");
340         }
341         
342         my $from;
343         if (defined $form->field('from')) {
344                 ($from)=$form->field('from')=~/$config{wiki_file_regexp}/;
345         }
346         
347         my $file;
348         my $type;
349         if (exists $pagesources{$page} && $form->field("do") ne "create") {
350                 $file=$pagesources{$page};
351                 $type=pagetype($file);
352                 if (! defined $type) {
353                         error(sprintf(gettext("%s is not an editable page"), $page));
354                 }
355                 if (! $form->submitted) {
356                         $form->field(name => "rcsinfo",
357                                 value => rcs_prepedit($file), force => 1);
358                 }
359         }
360         else {
361                 $type=$form->param('type');
362                 if (defined $type && length $type && $hooks{htmlize}{$type}) {
363                         $type=possibly_foolish_untaint($type);
364                 }
365                 elsif (defined $from) {
366                         # favor the type of linking page
367                         $type=pagetype($pagesources{$from});
368                 }
369                 $type=$config{default_pageext} unless defined $type;
370                 $file=$page.".".$type;
371                 if (! $form->submitted) {
372                         $form->field(name => "rcsinfo", value => "", force => 1);
373                 }
374         }
376         $form->field(name => "do", type => 'hidden');
377         $form->field(name => "from", type => 'hidden');
378         $form->field(name => "rcsinfo", type => 'hidden');
379         $form->field(name => "subpage", type => 'hidden');
380         $form->field(name => "page", value => pagetitle($page, 1), force => 1);
381         $form->field(name => "type", value => $type, force => 1);
382         $form->field(name => "comments", type => "text", size => 80);
383         $form->field(name => "editcontent", type => "textarea", rows => 20,
384                 cols => 80);
385         $form->tmpl_param("can_commit", $config{rcs});
386         $form->tmpl_param("indexlink", indexlink());
387         $form->tmpl_param("helponformattinglink",
388                 htmllink("", "", "HelpOnFormatting", noimageinline => 1));
389         $form->tmpl_param("baseurl", baseurl());
390         
391         if ($form->submitted eq "Cancel") {
392                 if ($form->field("do") eq "create" && defined $from) {
393                         redirect($q, "$config{url}/".htmlpage($from));
394                 }
395                 elsif ($form->field("do") eq "create") {
396                         redirect($q, $config{url});
397                 }
398                 else {
399                         redirect($q, "$config{url}/".htmlpage($page));
400                 }
401                 return;
402         }
403         elsif ($form->submitted eq "Preview") {
404                 $form->tmpl_param("page_preview",
405                         htmlize($page, $type,
406                         linkify($page, "",
407                         preprocess($page, $page,
408                         filter($page, $page, $form->field('editcontent')), 0, 1))));
409         }
410         elsif ($form->submitted eq "Save Page") {
411                 $form->tmpl_param("page_preview", "");
412         }
413         $form->tmpl_param("page_conflict", "");
414         
415         if ($form->submitted ne "Save Page" || 
416             ! $form->validate) {
417                 if ($form->field("do") eq "create") {
418                         my @page_locs;
419                         my $best_loc;
420                         if (! defined $from || ! length $from ||
421                             $from ne $form->field('from') ||
422                             file_pruned($from, $config{srcdir}) ||
423                             $from=~/^\// ||
424                             $form->submitted eq "Preview") {
425                                 @page_locs=$best_loc=$page;
426                         }
427                         else {
428                                 my $dir=$from."/";
429                                 $dir=~s![^/]+/+$!!;
430                                 
431                                 if ((defined $form->field('subpage') && length $form->field('subpage')) ||
432                                     $page eq gettext('discussion')) {
433                                         $best_loc="$from/$page";
434                                 }
435                                 else {
436                                         $best_loc=$dir.$page;
437                                 }
438                                 
439                                 push @page_locs, $dir.$page;
440                                 push @page_locs, "$from/$page";
441                                 while (length $dir) {
442                                         $dir=~s![^/]+/+$!!;
443                                         push @page_locs, $dir.$page;
444                                 }
445                         }
446                         push @page_locs, "$config{userdir}/$page"
447                                 if length $config{userdir};
449                         @page_locs = grep {
450                                 ! exists $pagecase{lc $_}
451                         } @page_locs;
452                         if (! @page_locs) {
453                                 # hmm, someone else made the page in the
454                                 # meantime?
455                                 redirect($q, "$config{url}/".htmlpage($page));
456                                 return;
457                         }
459                         my @editable_locs = grep {
460                                 check_canedit($_, $q, $session, 1)
461                         } @page_locs;
462                         if (! @editable_locs) {
463                                 # let it throw an error this time
464                                 map { check_canedit($_, $q, $session) } @page_locs;
465                         }
466                         
467                         my @page_types;
468                         if (exists $hooks{htmlize}) {
469                                 @page_types=keys %{$hooks{htmlize}};
470                         }
471                         
472                         $form->tmpl_param("page_select", 1);
473                         $form->field(name => "page", type => 'select',
474                                 options => [ map { pagetitle($_, 1) } @editable_locs ],
475                                 value => pagetitle($best_loc, 1));
476                         $form->field(name => "type", type => 'select',
477                                 options => \@page_types);
478                         $form->title(sprintf(gettext("creating %s"), pagetitle($page)));
479                         
480                 }
481                 elsif ($form->field("do") eq "edit") {
482                         check_canedit($page, $q, $session);
483                         if (! defined $form->field('editcontent') || 
484                             ! length $form->field('editcontent')) {
485                                 my $content="";
486                                 if (exists $pagesources{$page}) {
487                                         $content=readfile(srcfile($pagesources{$page}));
488                                         $content=~s/\n/\r\n/g;
489                                 }
490                                 $form->field(name => "editcontent", value => $content,
491                                         force => 1);
492                         }
493                         $form->tmpl_param("page_select", 0);
494                         $form->field(name => "page", type => 'hidden');
495                         $form->field(name => "type", type => 'hidden');
496                         $form->title(sprintf(gettext("editing %s"), pagetitle($page)));
497                 }
498                 
499                 showform($form, \@buttons, $session, $q);
500         }
501         else {
502                 # save page
503                 check_canedit($page, $q, $session);
505                 my $exists=-e "$config{srcdir}/$file";
507                 if ($form->field("do") ne "create" &&
508                     ! $exists && ! -e "$config{underlaydir}/$file") {
509                         $form->tmpl_param("page_gone", 1);
510                         $form->field(name => "do", value => "create", force => 1);
511                         $form->tmpl_param("page_select", 0);
512                         $form->field(name => "page", type => 'hidden');
513                         $form->field(name => "type", type => 'hidden');
514                         $form->title(sprintf(gettext("editing %s"), $page));
515                         showform($form, \@buttons, $session, $q);
516                         return;
517                 }
518                 elsif ($form->field("do") eq "create" && $exists) {
519                         $form->tmpl_param("creation_conflict", 1);
520                         $form->field(name => "do", value => "edit", force => 1);
521                         $form->tmpl_param("page_select", 0);
522                         $form->field(name => "page", type => 'hidden');
523                         $form->field(name => "type", type => 'hidden');
524                         $form->title(sprintf(gettext("editing %s"), $page));
525                         $form->field("editcontent", 
526                                 value => readfile("$config{srcdir}/$file").
527                                          "\n\n\n".$form->field("editcontent"),
528                                 force => 1);
529                         showform($form, \@buttons, $session, $q);
530                         return;
531                 }
532                 
533                 my $content=$form->field('editcontent');
535                 $content=~s/\r\n/\n/g;
536                 $content=~s/\r/\n/g;
538                 $config{cgi}=0; # avoid cgi error message
539                 eval { writefile($file, $config{srcdir}, $content) };
540                 $config{cgi}=1;
541                 if ($@) {
542                         $form->field(name => "rcsinfo", value => rcs_prepedit($file),
543                                 force => 1);
544                         $form->tmpl_param("failed_save", 1);
545                         $form->tmpl_param("error_message", $@);
546                         $form->field("editcontent", value => $content, force => 1);
547                         $form->tmpl_param("page_select", 0);
548                         $form->field(name => "page", type => 'hidden');
549                         $form->field(name => "type", type => 'hidden');
550                         $form->title(sprintf(gettext("editing %s"), $page));
551                         showform($form, \@buttons, $session, $q);
552                         return;
553                 }
554                 
555                 my $conflict;
556                 if ($config{rcs}) {
557                         my $message="";
558                         if (defined $form->field('comments') &&
559                             length $form->field('comments')) {
560                                 $message=$form->field('comments');
561                         }
562                         
563                         if (! $exists) {
564                                 rcs_add($file);
565                         }
567                         # Prevent deadlock with post-commit hook by
568                         # signaling to it that it should not try to
569                         # do anything (except send commit mails).
570                         disable_commit_hook();
571                         $conflict=rcs_commit($file, $message,
572                                 $form->field("rcsinfo"),
573                                 $session->param("name"), $ENV{REMOTE_ADDR});
574                         enable_commit_hook();
575                         rcs_update();
576                 }
577                 
578                 # Refresh even if there was a conflict, since other changes
579                 # may have been committed while the post-commit hook was
580                 # disabled.
581                 require IkiWiki::Render;
582                 refresh();
583                 saveindex();
585                 if (defined $conflict) {
586                         $form->field(name => "rcsinfo", value => rcs_prepedit($file),
587                                 force => 1);
588                         $form->tmpl_param("page_conflict", 1);
589                         $form->field("editcontent", value => $conflict, force => 1);
590                         $form->field("do", "edit", force => 1);
591                         $form->tmpl_param("page_select", 0);
592                         $form->field(name => "page", type => 'hidden');
593                         $form->field(name => "type", type => 'hidden');
594                         $form->title(sprintf(gettext("editing %s"), $page));
595                         showform($form, \@buttons, $session, $q);
596                         return;
597                 }
598                 else {
599                         # The trailing question mark tries to avoid broken
600                         # caches and get the most recent version of the page.
601                         redirect($q, "$config{url}/".htmlpage($page)."?updated");
602                 }
603         }
604 } #}}}
606 sub cgi_getsession ($) { #{{{
607         my $q=shift;
609         eval q{use CGI::Session};
610         CGI::Session->name("ikiwiki_session_".encode_utf8($config{wikiname}));
611         
612         my $oldmask=umask(077);
613         my $session = CGI::Session->new("driver:DB_File", $q,
614                 { FileName => "$config{wikistatedir}/sessions.db" });
615         umask($oldmask);
617         return $session;
618 } #}}}
620 sub cgi_savesession ($) { #{{{
621         my $session=shift;
623         # Force session flush with safe umask.
624         my $oldmask=umask(077);
625         $session->flush;
626         umask($oldmask);
627 } #}}}
629 sub cgi (;$$) { #{{{
630         my $q=shift;
631         my $session=shift;
633         if (! $q) {
634                 eval q{use CGI};
635                 error($@) if $@;
636         
637                 $q=CGI->new;
638         
639                 run_hooks(cgi => sub { shift->($q) });
640         }
642         my $do=$q->param('do');
643         if (! defined $do || ! length $do) {
644                 my $error = $q->cgi_error;
645                 if ($error) {
646                         error("Request not processed: $error");
647                 }
648                 else {
649                         error("\"do\" parameter missing");
650                 }
651         }
652         
653         # Things that do not need a session.
654         if ($do eq 'recentchanges') {
655                 cgi_recentchanges($q);
656                 return;
657         }
659         # Need to lock the wiki before getting a session.
660         lockwiki();
661         
662         if (! $session) {
663                 $session=cgi_getsession($q);
664         }
665         
666         # Auth hooks can sign a user in.
667         if ($do ne 'signin' && ! defined $session->param("name")) {
668                 run_hooks(auth => sub {
669                         shift->($q, $session)
670                 });
671                 if (defined $session->param("name")) {
672                         # Make sure whatever user was authed is in the
673                         # userinfo db.
674                         if (! userinfo_get($session->param("name"), "regdate")) {
675                                 userinfo_setall($session->param("name"), {
676                                         email => "",
677                                         password => "",
678                                         regdate => time,
679                                 }) || error("failed adding user");
680                         }
681                 }
682         }
683         
684         if (defined $session->param("name") &&
685             userinfo_get($session->param("name"), "banned")) {
686                 print $q->header(-status => "403 Forbidden");
687                 $session->delete();
688                 print gettext("You are banned.");
689                 cgi_savesession($session);
690         }
692         run_hooks(sessioncgi => sub { shift->($q, $session) });
694         if ($do eq 'signin') {
695                 cgi_signin($q, $session);
696                 cgi_savesession($session);
697         }
698         elsif (defined $session->param("postsignin")) {
699                 cgi_postsignin($q, $session);
700         }
701         elsif ($do eq 'prefs') {
702                 cgi_prefs($q, $session);
703         }
704         elsif ($do eq 'create' || $do eq 'edit') {
705                 cgi_editpage($q, $session);
706         }
707         elsif ($do eq 'postsignin') {
708                 error(gettext("login failed, perhaps you need to turn on cookies?"));
709         }
710         else {
711                 error("unknown do parameter");
712         }
713 } #}}}
715 sub userlink ($) { #{{{
716         my $user=shift;
718         eval q{use CGI 'escapeHTML'};
719         error($@) if $@;
720         if ($user =~ m!^https?://! &&
721             eval q{use Net::OpenID::VerifiedIdentity; 1} && !$@) {
722                 # Munge user-urls, as used by eg, OpenID.
723                 my $oid=Net::OpenID::VerifiedIdentity->new(identity => $user);
724                 my $display=$oid->display;
725                 # Convert "user.somehost.com" to "user [somehost.com]".
726                 if ($display !~ /\[/) {
727                         $display=~s/^(.*?)\.([^.]+\.[a-z]+)$/$1 [$2]/;
728                 }
729                 # Convert "http://somehost.com/user" to "user [somehost.com]".
730                 if ($display !~ /\[/) {
731                         $display=~s/^https?:\/\/(.+)\/([^\/]+)$/$2 [$1]/;
732                 }
733                 $display=~s!^https?://!!; # make sure this is removed
734                 return "<a href=\"$user\">".escapeHTML($display)."</a>";
735         }
736         else {
737                 return htmllink("", "", escapeHTML(
738                         length $config{userdir} ? $config{userdir}."/".$user : $user
739                 ), noimageinline => 1);
740         }
741 } #}}}