]> git.vanrenterghem.biz Git - git.ikiwiki.info.git/blobdiff - IkiWiki/Plugin/comments.pm
describe unexpected situation where a logged-in user can delete other comments
[git.ikiwiki.info.git] / IkiWiki / Plugin / comments.pm
index 151e839d0bb826a7bda242a9d94b882e79e7cb17..edf5183a65afeff7ce1804ba69d3a3600e77ecd3 100644 (file)
@@ -35,6 +35,7 @@ sub import {
        # Load goto to fix up user page links for logged-in commenters
        IkiWiki::loadplugin("goto");
        IkiWiki::loadplugin("inline");
+       IkiWiki::loadplugin("transient");
 }
 
 sub getsetup () {
@@ -104,6 +105,9 @@ sub getsetup () {
 sub checkconfig () {
        $config{comments_commit} = 1
                unless defined $config{comments_commit};
+       if (! $config{comments_commit}) {
+               $config{only_committed_changes}=0;
+       }
        $config{comments_pagespec} = ''
                unless defined $config{comments_pagespec};
        $config{comments_closed_pagespec} = ''
@@ -122,7 +126,7 @@ sub htmlize {
 sub htmlize_pending {
        my %params = @_;
        return sprintf(gettext("this comment needs %s"),
-               '<a href="'.
+               '<a rel="nofollow" href="'.
                IkiWiki::cgiurl(do => "commentmoderation").'">'.
                gettext("moderation").'</a>');
 }
@@ -194,7 +198,6 @@ sub preprocess {
                $commentuser = $params{username};
 
                my $oiduser = eval { IkiWiki::openiduser($commentuser) };
-
                if (defined $oiduser) {
                        # looks like an OpenID
                        $commentauthorurl = $commentuser;
@@ -202,10 +205,17 @@ sub preprocess {
                        $commentopenid = $commentuser;
                }
                else {
-                       $commentauthorurl = IkiWiki::cgiurl(
-                               do => 'goto',
-                               page => IkiWiki::userpage($commentuser)
-                       );
+                       my $emailuser = IkiWiki::emailuser($commentuser);
+                       if (defined $emailuser) {
+                               $commentuser=$emailuser;
+                       }
+
+                       if (length $config{cgiurl}) {
+                               $commentauthorurl = IkiWiki::cgiurl(
+                                       do => 'goto',
+                                       page => IkiWiki::userpage($commentuser)
+                               );
+                       }
 
                        $commentauthor = $commentuser;
                }
@@ -217,22 +227,9 @@ sub preprocess {
                $commentauthor = gettext("Anonymous");
        }
 
-       $commentstate{$page}{commentuser} = $commentuser;
-       $commentstate{$page}{commentopenid} = $commentopenid;
-       $commentstate{$page}{commentip} = $commentip;
-       $commentstate{$page}{commentauthor} = $commentauthor;
-       $commentstate{$page}{commentauthorurl} = $commentauthorurl;
-       $commentstate{$page}{commentauthoravatar} = $params{avatar};
-       if (! defined $pagestate{$page}{meta}{author}) {
-               $pagestate{$page}{meta}{author} = $commentauthor;
-       }
-       if (! defined $pagestate{$page}{meta}{authorurl}) {
-               $pagestate{$page}{meta}{authorurl} = $commentauthorurl;
-       }
-
        if ($config{comments_allowauthor}) {
                if (defined $params{claimedauthor}) {
-                       $pagestate{$page}{meta}{author} = $params{claimedauthor};
+                       $commentauthor = $params{claimedauthor};
                }
 
                if (defined $params{url}) {
@@ -244,12 +241,21 @@ sub preprocess {
                        }
 
                        if (safeurl($url)) {
-                               $pagestate{$page}{meta}{authorurl} = $url;
+                               $commentauthorurl = $url;
                        }
                }
        }
-       else {
+
+       $commentstate{$page}{commentuser} = $commentuser;
+       $commentstate{$page}{commentopenid} = $commentopenid;
+       $commentstate{$page}{commentip} = $commentip;
+       $commentstate{$page}{commentauthor} = $commentauthor;
+       $commentstate{$page}{commentauthorurl} = $commentauthorurl;
+       $commentstate{$page}{commentauthoravatar} = $params{avatar};
+       if (! defined $pagestate{$page}{meta}{author}) {
                $pagestate{$page}{meta}{author} = $commentauthor;
+       }
+       if (! defined $pagestate{$page}{meta}{authorurl}) {
                $pagestate{$page}{meta}{authorurl} = $commentauthorurl;
        }
 
@@ -259,7 +265,7 @@ sub preprocess {
                $pagestate{$page}{meta}{title} = decode_entities($params{subject});
        }
 
-       if ($params{page} =~ m/\/\Q$config{comments_pagename}\E\d+_/) {
+       if ($params{page} =~ m/\/\Q$config{comments_pagename}\E\d+/) {
                $pagestate{$page}{meta}{permalink} = urlto(IkiWiki::dirname($params{page})).
                        "#".page_to_id($params{page});
        }
@@ -280,7 +286,7 @@ sub preprocess_moderation {
                unless defined $params{desc};
 
        if (length $config{cgiurl}) {
-               return '<a href="'.
+               return '<a rel="nofollow" href="'.
                        IkiWiki::cgiurl(do => 'commentmoderation').
                        '">'.$params{desc}.'</a>';
        }
@@ -350,7 +356,8 @@ sub editcomment ($$) {
        my @page_types;
        if (exists $IkiWiki::hooks{htmlize}) {
                foreach my $key (grep { !/^_/ && isallowed($_) } keys %{$IkiWiki::hooks{htmlize}}) {
-                       push @page_types, [$key, $IkiWiki::hooks{htmlize}{$key}{longname} || $key];
+                       push @page_types, [$key, $IkiWiki::hooks{htmlize}{$key}{longname} || $key]
+                               unless $IkiWiki::hooks{htmlize}{$key}{nocreate};
                }
        }
        @page_types=sort @page_types;
@@ -434,6 +441,16 @@ sub editcomment ($$) {
                        $page));
        }
 
+       # There's no UI to get here, but someone might construct the URL,
+       # leading to a comment that exists in the repository but isn't
+       # shown
+       if (!pagespec_match($page, $config{comments_pagespec},
+               location => $page)) {
+               error(sprintf(gettext(
+                       "comments on page '%s' are not allowed"),
+                       $page));
+       }
+
        if (pagespec_match($page, $config{comments_closed_pagespec},
                location => $page)) {
                error(sprintf(gettext(
@@ -450,20 +467,20 @@ sub editcomment ($$) {
        my $content = "[[!comment format=$type\n";
 
        if (defined $session->param('name')) {
-               my $username = $session->param('name');
+               my $username = IkiWiki::cloak($session->param('name'));
                $username =~ s/"/&quot;/g;
                $content .= " username=\"$username\"\n";
        }
+
        if (defined $session->param('nickname')) {
                my $nickname = $session->param('nickname');
                $nickname =~ s/"/&quot;/g;
                $content .= " nickname=\"$nickname\"\n";
        }
-       elsif (defined $session->remote_addr()) {
-               my $ip = $session->remote_addr();
-               if ($ip =~ m/^([.0-9]+)$/) {
-                       $content .= " ip=\"$1\"\n";
-               }
+
+       if (!(defined $session->param('name') || defined $session->param('nickname')) &&
+               defined $session->remote_addr()) {
+               $content .= " ip=\"".IkiWiki::cloak($session->remote_addr())."\"\n";
        }
 
        if ($config{comments_allowauthor}) {
@@ -493,8 +510,7 @@ sub editcomment ($$) {
                $subject = "comment ".(num_comments($page, $config{srcdir}) + 1);
        }
        $content .= " subject=\"$subject\"\n";
-
-       $content .= " date=\"" . strftime_utf8('%Y-%m-%dT%H:%M:%SZ', gmtime) . "\"\n";
+       $content .= " date=\"" . commentdate() . "\"\n";
 
        my $editcontent = $form->field('editcontent');
        $editcontent="" if ! defined $editcontent;
@@ -541,11 +557,12 @@ sub editcomment ($$) {
                }
                
                $postcomment=1;
-               my $ok=IkiWiki::check_content(content => $form->field('editcontent'),
-                       subject => $form->field('subject'),
+               my $ok=IkiWiki::check_content(
+                       content => scalar $form->field('editcontent'),
+                       subject => scalar $form->field('subject'),
                        $config{comments_allowauthor} ? (
-                               author => $form->field('author'),
-                               url => $form->field('url'),
+                               author => scalar $form->field('author'),
+                               url => scalar $form->field('url'),
                        ) : (),
                        page => $location,
                        cgi => $cgi,
@@ -555,8 +572,8 @@ sub editcomment ($$) {
                $postcomment=0;
 
                if (! $ok) {
-                       $location=unique_comment_location($page, $content, $config{srcdir}, "._comment_pending");
-                       writefile("$location._comment_pending", $config{srcdir}, $content);
+                       $location=unique_comment_location($page, $content, $IkiWiki::Plugin::transient::transientdir, "._comment_pending");
+                       writefile("$location._comment_pending", $IkiWiki::Plugin::transient::transientdir, $content);
 
                        # Refresh so anything that deals with pending
                        # comments can be updated.
@@ -585,7 +602,7 @@ sub editcomment ($$) {
                                length $form->field('subject')) {
                                $message = sprintf(
                                        gettext("Added a comment: %s"),
-                                       $form->field('subject'));
+                                       scalar $form->field('subject'));
                        }
 
                        IkiWiki::rcs_add($file);
@@ -622,6 +639,10 @@ sub editcomment ($$) {
        exit;
 }
 
+sub commentdate () {
+       strftime_utf8('%Y-%m-%dT%H:%M:%SZ', gmtime);
+}
+
 sub getavatar ($) {
        my $user=shift;
        return undef unless defined $user;
@@ -681,12 +702,17 @@ sub commentmoderation ($$) {
                                }
 
                                my $page=IkiWiki::dirname($f);
-                               my $file="$config{srcdir}/$f";
-                               my $filedir=$config{srcdir};
+                               my $filedir=$IkiWiki::Plugin::transient::transientdir;
+                               my $file="$filedir/$f";
                                if (! -e $file) {
                                        # old location
-                                       $file="$config{wikistatedir}/comments_pending/".$f;
-                                       $filedir="$config{wikistatedir}/comments_pending";
+                                       $file="$config{srcdir}/$f";
+                                       $filedir=$config{srcdir};
+                                       if (! -e $file) {
+                                               # older location
+                                               $file="$config{wikistatedir}/comments_pending/".$f;
+                                               $filedir="$config{wikistatedir}/comments_pending";
+                                       }
                                }
 
                                if ($action eq 'Accept') {
@@ -800,6 +826,8 @@ sub comments_pending () {
                chdir($origdir) || die "chdir $origdir: $!";
        };
        
+       $find_comments->($IkiWiki::Plugin::transient::transientdir, "._comment_pending");
+       # old location
        $find_comments->($config{srcdir}, "._comment_pending");
        # old location
        $find_comments->("$config{wikistatedir}/comments_pending/",
@@ -893,16 +921,18 @@ sub pagetemplate (@) {
        }
 
        if ($shown) {
+               my $absolute = $template->param('wants_absolute_urls');
+
                if ($template->query(name => 'commentsurl')) {
                        $template->param(commentsurl =>
-                               urlto($page).'#comments');
+                               urlto($page, undef, $absolute).'#comments');
                }
 
                if ($template->query(name => 'atomcommentsurl') && $config{usedirs}) {
                        # This will 404 until there are some comments, but I
                        # think that's probably OK...
                        $template->param(atomcommentsurl =>
-                               urlto($page).'comments.atom');
+                               urlto($page, undef, $absolute).'comments.atom');
                }
 
                if ($template->query(name => 'commentslink')) {
@@ -916,7 +946,7 @@ sub pagetemplate (@) {
                                );
                        }
                        elsif (commentsopen($page)) {
-                               $link = "<a href=\"".addcommenturl($page)."\">".
+                               $link = "<a rel=\"nofollow\" href=\"".addcommenturl($page)."\">".
                                        #translators: Here "Comment" is a verb;
                                        #translators: the user clicks on it to
                                        #translators: post a comment.
@@ -991,7 +1021,7 @@ sub num_comments ($$) {
        return int @comments;
 }
 
-sub unique_comment_location ($$$$) {
+sub unique_comment_location ($$$;$) {
        my $page=shift;
        eval q{use Digest::MD5 'md5_hex'};
        error($@) if $@;