]> git.vanrenterghem.biz Git - git.ikiwiki.info.git/blobdiff - IkiWiki/Plugin/comments.pm
passwordauth: avoid userinfo forgery via repeated email parameter
[git.ikiwiki.info.git] / IkiWiki / Plugin / comments.pm
old mode 100755 (executable)
new mode 100644 (file)
index 3ad2a0e..285013e
@@ -9,7 +9,6 @@ use warnings;
 use strict;
 use IkiWiki 3.00;
 use Encode;
-use POSIX qw(strftime);
 
 use constant PREVIEW => "Preview";
 use constant POST_COMMENT => "Post comment";
@@ -302,7 +301,8 @@ sub editcomment ($$) {
 
        my @buttons = (POST_COMMENT, PREVIEW, CANCEL);
        my $form = CGI::FormBuilder->new(
-               fields => [qw{do sid page subject editcontent type author url}],
+               fields => [qw{do sid page subject editcontent type author
+                       email url subscribe anonsubscribe}],
                charset => 'utf-8',
                method => 'POST',
                required => [qw{editcontent}],
@@ -347,18 +347,35 @@ sub editcomment ($$) {
        $form->field(name => "type", value => $type, force => 1,
                type => 'select', options => \@page_types);
 
-       $form->tmpl_param(username => $session->param('name'));
+       my $username=$session->param('name');
+       $form->tmpl_param(username => $username);
+               
+       $form->field(name => "subscribe", type => 'hidden');
+       $form->field(name => "anonsubscribe", type => 'hidden');
+       if (IkiWiki::Plugin::notifyemail->can("subscribe")) {
+               if (defined $username) {
+                       $form->field(name => "subscribe", type => "checkbox",
+                               options => [gettext("email replies to me")]);
+               }
+               elsif (IkiWiki::Plugin::passwordauth->can("anonuser")) {
+                       $form->field(name => "anonsubscribe", type => "checkbox",
+                               options => [gettext("email replies to me")]);
+               }
+       }
 
        if ($config{comments_allowauthor} and
            ! defined $session->param('name')) {
                $form->tmpl_param(allowauthor => 1);
                $form->field(name => 'author', type => 'text', size => '40');
+               $form->field(name => 'email', type => 'text', size => '40');
                $form->field(name => 'url', type => 'text', size => '40');
        }
        else {
                $form->tmpl_param(allowauthor => 0);
                $form->field(name => 'author', type => 'hidden', value => '',
                        force => 1);
+               $form->field(name => 'email', type => 'hidden', value => '',
+                       force => 1);
                $form->field(name => 'url', type => 'hidden', value => '',
                        force => 1);
        }
@@ -460,7 +477,7 @@ sub editcomment ($$) {
        }
        $content .= " subject=\"$subject\"\n";
 
-       $content .= " date=\"" . decode_utf8(strftime('%Y-%m-%dT%H:%M:%SZ', gmtime)) . "\"\n";
+       $content .= " date=\"" . strftime_utf8('%Y-%m-%dT%H:%M:%SZ', gmtime) . "\"\n";
 
        my $editcontent = $form->field('editcontent');
        $editcontent="" if ! defined $editcontent;
@@ -491,6 +508,20 @@ sub editcomment ($$) {
 
        if ($form->submitted eq POST_COMMENT && $form->validate) {
                IkiWiki::checksessionexpiry($cgi, $session);
+
+               if (IkiWiki::Plugin::notifyemail->can("subscribe")) {
+                       my $subspec="comment($page)";
+                       if (defined $username &&
+                           length $form->field("subscribe")) {
+                               IkiWiki::Plugin::notifyemail::subscribe(
+                                       $username, $subspec);
+                       }
+                       elsif (length $form->field("email") &&
+                              length $form->field("anonsubscribe")) {
+                               IkiWiki::Plugin::notifyemail::anonsubscribe(
+                                       $form->field("email"), $subspec);
+                       }
+               }
                
                $postcomment=1;
                my $ok=IkiWiki::check_content(content => $form->field('editcontent'),
@@ -576,7 +607,8 @@ sub editcomment ($$) {
 
 sub getavatar ($) {
        my $user=shift;
-       
+       return undef unless defined $user;
+
        my $avatar;
        eval q{use Libravatar::URL};
        if (! $@) {
@@ -633,9 +665,11 @@ sub commentmoderation ($$) {
 
                                my $page=IkiWiki::dirname($f);
                                my $file="$config{srcdir}/$f";
+                               my $filedir=$config{srcdir};
                                if (! -e $file) {
                                        # old location
                                        $file="$config{wikistatedir}/comments_pending/".$f;
+                                       $filedir="$config{wikistatedir}/comments_pending";
                                }
 
                                if ($action eq 'Accept') {
@@ -650,7 +684,7 @@ sub commentmoderation ($$) {
                                }
 
                                require IkiWiki::Render;
-                               IkiWiki::prune($file);
+                               IkiWiki::prune($file, $filedir);
                        }
                }