X-Git-Url: http://git.vanrenterghem.biz/git.ikiwiki.info.git/blobdiff_plain/af9c5e4bbadc87850f435cfc530ffc1d81419564..ed05e40566a8d2a39530507598d835764885cf73:/IkiWiki/Plugin/remove.pm?ds=sidebyside

diff --git a/IkiWiki/Plugin/remove.pm b/IkiWiki/Plugin/remove.pm
index a37240680..21028cde3 100644
--- a/IkiWiki/Plugin/remove.pm
+++ b/IkiWiki/Plugin/remove.pm
@@ -30,7 +30,6 @@ sub confirmation_form ($$) { #{{{
 
 	eval q{use CGI::FormBuilder};
 	error($@) if $@;
-	my @fields=qw(do page);
 	my $f = CGI::FormBuilder->new(
 		name => "remove",
 		header => 0,
@@ -40,7 +39,7 @@ sub confirmation_form ($$) { #{{{
 		params => $q,
 		action => $config{cgiurl},
 		stylesheet => IkiWiki::baseurl()."style.css",
-		fields => \@fields,
+		fields => [qw{do page}],
 	);
 	
 	$f->field(name => "do", type => "hidden", value => "remove", force => 1);
@@ -98,7 +97,11 @@ sub formbuilder (@) { #{{{
 			removal_confirm($q, $session, 0, $form->field("page"));
 		}
 		elsif ($form->submitted eq "Remove Attachments") {
-			removal_confirm($q, $session, 1, $q->param("attachment_select"));
+			my @pages=$q->param("attachment_select");
+			if (! @pages) {
+				error(gettext("Please select the attachments to remove."));
+			}
+			removal_confirm($q, $session, 1, @pages);
 		}
 	}
 } #}}}
@@ -116,16 +119,30 @@ sub sessioncgi ($$) { #{{{
 		}
 		elsif ($form->submitted eq 'Remove' && $form->validate) {
 			my @pages=$q->param("page");
-			my @files = map { $pagesources{$_} } @pages;
 	
 			# Validate removal by checking that the page exists,
 			# and that the user is allowed to edit(/remove) it.
+			my @files;
 			foreach my $page (@pages) {
+				# Must be a known source file.
 				if (! exists $pagesources{$page}) {
 					error(sprintf(gettext("%s does not exist"),
 					htmllink("", "", $page, noimageinline => 1)));
 				}
+				
+				# Must be editiable.
 				IkiWiki::check_canedit($page, $q, $session);
+
+				# Must exist on disk, and be a regular file.
+				my $file=$pagesources{$page};
+				if (! -e "$config{srcdir}/$file") {
+					error(sprintf(gettext("%s is not in the srcdir, so it cannot be deleted"), $file));
+				}
+				elsif (-l "$config{srcdir}/$file" && ! -f _) {
+					error(sprintf(gettext("%s is not a file"), $file));
+				}
+
+				push @files, IkiWiki::possibly_foolish_untaint($file);
 			}
 
 			# Do removal, and update the wiki.
@@ -133,23 +150,25 @@ sub sessioncgi ($$) { #{{{
 			if ($config{rcs}) {
 				IkiWiki::disable_commit_hook();
 				foreach my $file (@files) {
+					my $token=IkiWiki::rcs_prepedit($file);
 					IkiWiki::rcs_remove($file);
 					IkiWiki::rcs_commit($file, gettext("removed"),
-						IkiWiki::rcs_prepedit($file),
-						$session->param("name"), $ENV{REMOTE_ADDR});
+						$token, $session->param("name"), $ENV{REMOTE_ADDR});
 				}
 				IkiWiki::enable_commit_hook();
 				IkiWiki::rcs_update();
 			}
-			foreach my $file (@files) {
-				IkiWiki::prune("$config{srcdir}/$file");
+			else {
+				foreach my $file (@files) {
+					IkiWiki::prune("$config{srcdir}/$file");
+				}
 			}
 			IkiWiki::refresh();
 			IkiWiki::saveindex();
 
 			if ($q->param("attachment")) {
 				# Attachments were deleted, so redirect
-				# to the edit form.
+				# back to the edit form.
 				postremove($session);
 			}
 			else {