]> git.vanrenterghem.biz Git - git.ikiwiki.info.git/blobdiff - ikiwiki
hmm..
[git.ikiwiki.info.git] / ikiwiki
diff --git a/ikiwiki b/ikiwiki
index 058b3ffa21e007cd0f956581e6412dc52b7884d8..84c7a2513c417d34c7c8beefd1c9ae673797e186 100755 (executable)
--- a/ikiwiki
+++ b/ikiwiki
@@ -306,6 +306,17 @@ sub finalize ($$) { #{{{
        return $template->output;
 } #}}}
 
+# Important security check. Make sure to call this before saving any files
+# to the source directory.
+sub check_overwrite ($$) { #{{{
+       my $dest=shift;
+       my $src=shift;
+       
+       if (! exists $renderedfiles{$src} && -e $dest) {
+               error("$dest exists and was not rendered from $src before, not overwriting");
+       }
+} #}}}
+               
 sub render ($) { #{{{
        my $file=shift;
        
@@ -320,12 +331,14 @@ sub render ($) { #{{{
                $content=htmlize($type, $content);
                $content=finalize($content, $page);
                
+               check_overwrite("$destdir/".htmlpage($page), $page);
                writefile("$destdir/".htmlpage($page), $content);
                $oldpagemtime{$page}=time;
                $renderedfiles{$page}=htmlpage($page);
        }
        else {
                $links{$file}=[];
+               check_overwrite("$destdir/$file", $file);
                writefile("$destdir/$file", $content);
                $oldpagemtime{$file}=time;
                $renderedfiles{$file}=$file;
@@ -433,7 +446,19 @@ sub rcs_recentchanges ($) { #{{{
                                $state='body';
                        }
                        elsif ($state eq 'body' && /$div/) {
-                               push @ret, { rev => $rev, user => $user,
+                               my $committype="web";
+                               if (defined $message[0] &&
+                                   $message[0]->{line}=~/^web commit by (\w+):?(.*)/) {
+                                       $user="$1";
+                                       $message[0]->{line}=$2;
+                               }
+                               else {
+                                       $committype="svn";
+                               }
+                               
+                               push @ret, { rev => $rev,
+                                       user => htmllink("", $user, 1),
+                                       committype => $committype,
                                        when => $when, message => [@message],
                                        pages => [@pages] } if @pages;
                                return @ret if @ret >= $num;
@@ -696,6 +721,35 @@ sub cgi_recentchanges ($) { #{{{
        print $q->header, $template->output;
 } #}}}
 
+sub userinfo_get ($$) { #{{{
+       my $user=shift;
+       my $field=shift;
+
+       eval q{use Storable};
+       my $userdata=eval{ Storable::lock_retrieve("$srcdir/.ikiwiki/userdb") };
+       if (! defined $userdata || ! ref $userdata || 
+           ! exists $userdata->{$user} || ! ref $userdata->{$user}) {
+               return "";
+       }
+       return $userdata->{$user}->{$field};
+} #}}}
+
+sub userinfo_set ($$) { #{{{
+       my $user=shift;
+       my $info=shift;
+       
+       eval q{use Storable};
+       my $userdata=eval{ Storable::lock_retrieve("$srcdir/.ikiwiki/userdb") };
+       if (! defined $userdata || ! ref $userdata) {
+               $userdata={};
+       }
+       $userdata->{$user}=$info;
+       my $oldmask=umask(077);
+       my $ret=Storable::lock_store($userdata, "$srcdir/.ikiwiki/userdb");
+       umask($oldmask);
+       return $ret;
+} #}}}
+
 sub cgi_signin ($$) { #{{{
        my $q=shift;
        my $session=shift;
@@ -707,7 +761,6 @@ sub cgi_signin ($$) { #{{{
                header => 1,
                method => 'POST',
                validate => {
-                       name => '/^\w+$/',
                        confirm_password => {
                                perl => q{eq $form->field("password")},
                        },
@@ -727,9 +780,6 @@ sub cgi_signin ($$) { #{{{
        $form->field(name => "password", type => "password", required => 0);
        $form->field(name => "confirm_password", type => "password", required => 0);
        $form->field(name => "email", required => 0);
-       if ($session->param("name")) {
-               $form->field(name => "name", value => $session->param("name"));
-       }
        if ($q->param("do") ne "signin") {
                $form->text("You need to log in before you can edit pages.");
        }
@@ -745,26 +795,52 @@ sub cgi_signin ($$) { #{{{
                        $form->field(name => $opt, required => 1);
                }
        
-               # Validate password differently depending on how form was
-               # submitted.
+               # Validate password differently depending on how
+               # form was submitted.
                if ($form->submitted eq 'Login') {
                        $form->field(
                                name => "password",
                                validate => sub {
-                                       # TODO get real user password
-                                       shift eq "foo";
+                                       length $form->field("name") &&
+                                       shift eq userinfo_get($form->field("name"), 'password');
                                },
                        );
+                       $form->field(name => "name", validate => '/^\w+$/');
                }
                else {
                        $form->field(name => "password", validate => 'VALUE');
                }
+               # And make sure the entered name exists when logging
+               # in or sending email, and does not when registering.
+               if ($form->submitted eq 'Register') {
+                       $form->field(
+                               name => "name",
+                               validate => sub {
+                                       my $name=shift;
+                                       length $name &&
+                                       ! userinfo_get($name, "regdate");
+                               },
+                       );
+               }
+               else {
+                       $form->field(
+                               name => "name",
+                               validate => sub {
+                                       my $name=shift;
+                                       length $name &&
+                                       userinfo_get($name, "regdate");
+                               },
+                       );
+               }
        }
        else {
-               # Comments only shown first time.
+               # First time settings.
                $form->field(name => "name", comment => "use FirstnameLastName");
                $form->field(name => "confirm_password", comment => "(only needed");
                $form->field(name => "email",            comment => "for registration)");
+               if ($session->param("name")) {
+                       $form->field(name => "name", value => $session->param("name"));
+               }
        }
 
        if ($form->submitted && $form->validate) {
@@ -781,16 +857,47 @@ sub cgi_signin ($$) { #{{{
                        }
                }
                elsif ($form->submitted eq 'Register') {
-                       # TODO: save registration info
-                       $form->field(name => "confirm_password", type => "hidden");
-                       $form->field(name => "email", type => "hidden");
-                       $form->text("Registration successful. Now you can Login.");
-                       print $session->header();
-                       print misctemplate($form->title, $form->render(submit => ["Login"]));
+                       my $user_name=$form->field('name');
+                       if (userinfo_set($user_name, {
+                                          'email' => $form->field('email'),
+                                          'password' => $form->field('password'),
+                                          'regdate' => time
+                                        })) {
+                               $form->field(name => "confirm_password", type => "hidden");
+                               $form->field(name => "email", type => "hidden");
+                               $form->text("Registration successful. Now you can Login.");
+                               print $session->header();
+                               print misctemplate($form->title, $form->render(submit => ["Login"]));
+                       }
+                       else {
+                               error("Error saving registration.");
+                       }
                }
                elsif ($form->submitted eq 'Mail Password') {
-                       # TODO mail password
+                       my $user_name=$form->field("name");
+                       my $template=HTML::Template->new(
+                               filename => "$templatedir/passwordmail.tmpl"
+                       );
+                       $template->param(
+                               user_name => $user_name,
+                               user_password => userinfo_get($user_name, "password"),
+                               wikiurl => $url,
+                               wikiname => $wikiname,
+                               REMOTE_ADDR => $ENV{REMOTE_ADDR},
+                       );
+                       
+                       eval q{use Mail::Sendmail};
+                       my ($fromhost) = $cgiurl =~ m!/([^/]+)!;
+                       print STDERR "$< $> >>> $cgiurl ".(getpwuid($>))[0]."@".$fromhost."\n";
+                       sendmail(
+                               To => userinfo_get($user_name, "email"),
+                               From => "$wikiname admin <".(getpwuid($>))[0]."@".$fromhost.">",
+                               Subject => "$wikiname information",
+                               Message => $template->output,
+                       ) or error("Failed to send mail");
+                       
                        $form->text("Your password has been emailed to you.");
+                       $form->field(name => "name", required => 0);
                        print $session->header();
                        print misctemplate($form->title, $form->render(submit => ["Login", "Register", "Mail Password"]));
                }
@@ -810,8 +917,10 @@ sub cgi_editpage ($$) { #{{{
                fields => [qw(do from page content comments)],
                header => 1,
                method => 'POST',
-               validate => {},
-               required => [qw{}],
+               validate => {
+                       content => '/.+/',
+               },
+               required => [qw{content}],
                javascript => 0,
                params => $q,
                action => $q->request_uri,
@@ -833,6 +942,10 @@ sub cgi_editpage ($$) { #{{{
        $form->field(name => "content", type => "textarea", rows => 20,
                cols => 80);
        
+       if ($form->submitted eq "Cancel") {
+               print $q->redirect("$url/".htmlpage($page));
+               return;
+       }
        if (! $form->submitted || ! $form->validate) {
                if ($form->field("do") eq "create") {
                        if (exists $pagesources{lc($page)}) {
@@ -880,7 +993,7 @@ sub cgi_editpage ($$) { #{{{
                
                $form->tmpl_param("can_commit", $svn);
                $form->tmpl_param("indexlink", indexlink());
-               print $form->render(submit => ["Save Page"]);
+               print $form->render(submit => ["Save Page", "Cancel"]);
        }
        else {
                # save page
@@ -903,7 +1016,8 @@ sub cgi_editpage ($$) { #{{{
                else {
                        $message.="from $ENV{REMOTE_ADDR}";
                }
-               if (length $form->field('comments')) {
+               if (defined $form->field('comments') &&
+                   length $form->field('comments')) {
                        $message.=": ".$form->field('comments');
                }
                
@@ -919,7 +1033,9 @@ sub cgi_editpage ($$) { #{{{
                        refresh();
                }
                
-               print $q->redirect("$url/".htmlpage($page));
+               # The trailing question mark tries to avoid broken
+               # caches and get the most recent version of the page.
+               print $q->redirect("$url/".htmlpage($page)."?");
        }
 } #}}}
 
@@ -941,12 +1057,22 @@ sub cgi () { #{{{
        }
        
        CGI::Session->name("ikiwiki_session");
-       my $session = CGI::Session->new(undef, $q,
-               { Directory=> "$srcdir/.ikiwiki/sessions" });
+
+       my $oldmask=umask(077);
+       my $session = CGI::Session->new("driver:db_file", $q,
+               { FileName => "$srcdir/.ikiwiki/sessions.db" });
+       umask($oldmask);
        
        # Everything below this point needs the user to be signed in.
-       if ((! $anonok && ! defined $session->param("name")) || $do eq 'signin') {
+       if ((! $anonok && ! defined $session->param("name") ||
+               ! userinfo_get($session->param("name"), "regdate")) || $do eq 'signin') {
                cgi_signin($q, $session);
+       
+               # Force session flush with safe umask.
+               my $oldmask=umask(077);
+               $session->flush;
+               umask($oldmask);
+               
                return;
        }