Merge branch 'master' into tova
authorJoey Hess <joey@kodama.kitenet.net>
Wed, 23 Jul 2008 19:00:07 +0000 (15:00 -0400)
committerJoey Hess <joey@kodama.kitenet.net>
Wed, 23 Jul 2008 19:00:07 +0000 (15:00 -0400)
IkiWiki/Plugin/attachment.pm
debian/changelog

index c6711aa05ac80e2957a982305b3ee187cfd13cce,3982c4883a39be7f12265bb62c538094390339d1..e08aa36771b8bb927f9a8a5ba50189f545fae8bb
@@@ -11,40 -11,6 +11,40 @@@ sub import { #{{
        hook(type => "formbuilder", id => "attachment", call => \&formbuilder);
  } # }}}
  
 +sub check_canattach ($$;$) {
 +      my $session=shift;
 +      my $dest=shift; # where it's going to be put, under the srcdir
 +      my $file=shift; # the path to the attachment currently
 +
 +      # Don't allow an attachment to be uploaded with the same name as an
 +      # existing page.
 +      if (exists $pagesources{$dest} && $pagesources{$dest} ne $dest) {
 +              error(sprintf(gettext("there is already a page named %s"), $dest));
 +      }
 +
 +      # Use a special pagespec to test that the attachment is valid.
 +      my $allowed=1;
 +      foreach my $admin (@{$config{adminuser}}) {
 +              my $allowed_attachments=IkiWiki::userinfo_get($admin, "allowed_attachments");
 +              if (defined $allowed_attachments &&
 +                  length $allowed_attachments) {
 +                      $allowed=pagespec_match($dest,
 +                              $allowed_attachments,
 +                              file => $file,
 +                              user => $session->param("name"),
 +                              ip => $ENV{REMOTE_ADDR},
 +                      );
 +                      last if $allowed;
 +              }
 +      }
 +      if (! $allowed) {
 +              error(gettext("prohibited by allowed_attachments")." ($allowed)");
 +      }
 +      else {
 +              return 1;
 +      }
 +}
 +
  sub checkconfig () { #{{{
        $config{cgi_disable_uploads}=0;
  } #}}}
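Review bot: check_canattach starts from `my $allowed=1;`, so when no entry in `$config{adminuser}` has a non-empty allowed_attachments value, pagespec_match is never called and every upload is accepted; with several admins, `last if $allowed` lets one admin's permissive spec override the stricter ones. Neither behaviour is stated anywhere in the new sub. I would add a header comment such as `# Calls error() if the attachment is rejected, returns 1 otherwise. Default is allow: if no admin has set allowed_attachments, nothing is filtered.` Separately, the prototype makes $file optional but `file => $file` is still passed, so the key exists with an undef value; whether file-based pagespec tests cope with that is not visible here.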
@@@ -136,7 -102,7 +136,7 @@@ sub formbuilder (@) { #{{
                        }
                }
  
-               $filename=IkiWiki::titlepage(
+               $filename=IkiWiki::linkpage(
                        IkiWiki::possibly_foolish_untaint(
                                attachment_location($form->field('page')).
                                IkiWiki::basename($filename)));
                # Check that the user is allowed to edit a page with the
                # name of the attachment.
                IkiWiki::check_canedit($filename, $q, $session, 1);
 -              
 -              # Use a special pagespec to test that the attachment is valid.
 -              my $allowed=1;
 -              foreach my $admin (@{$config{adminuser}}) {
 -                      my $allowed_attachments=IkiWiki::userinfo_get($admin, "allowed_attachments");
 -                      if (defined $allowed_attachments &&
 -                          length $allowed_attachments) {
 -                              $allowed=pagespec_match($filename,
 -                                      $allowed_attachments,
 -                                      file => $tempfile,
 -                                      user => $session->param("name"),
 -                                      ip => $ENV{REMOTE_ADDR},
 -                              );
 -                              last if $allowed;
 -                      }
 -              }
 -              if (! $allowed) {
 -                      error(gettext("attachment rejected")." ($allowed)");
 -              }
 +              # And that the attachment itself is acceptable.
 +              check_canattach($session, $filename, $tempfile);
  
                # Needed for fast_file_copy and for rendering below.
                require IkiWiki::Render;
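Review bot: The client-supplied upload name goes through `IkiWiki::possibly_foolish_untaint` before anything visible in this hunk validates it, so the safety of the resulting path rests on `IkiWiki::basename`, the new `linkpage` call, and the check_canedit / check_canattach calls that follow. The changelog entry in this commit says `_` is no longer escaped for attachment filenames, so the untainted name now carries one more raw character class than before. That dependency deserves a comment at the untaint call, e.g. `# untaint relies on basename() dropping directory parts and linkpage() escaping everything else; re-check if either changes`. formbuilder starts and ends outside the hunk, so earlier validation of $filename may exist that is not shown.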
@@@ -436,9 -419,6 +436,9 @@@ sub match_user ($$;@) { #{{
        if (defined $params{user} && lc $params{user} eq lc $user) {
                return IkiWiki::SuccessReason->new("user is $user");
        }
 +      elsif (! defined $params{user}) {
 +              return IkiWiki::FailReason->new("not logged in");
 +      }
        else {
                return IkiWiki::FailReason->new("user is $params{user}, not $user");
        }
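Review bot: The new `elsif (! defined $params{user})` branch catches only undef, so a defined but empty user name still falls through to the else branch and yields the reason "user is , not $user". Whether a session can produce an empty name is not visible in this hunk, but check_canattach in the same file already tests `defined ... && length ...` for a similar value, and matching that would be consistent: `elsif (! defined $params{user} || ! length $params{user}) {`. Both outcomes are a FailReason, so this only affects the message. match_user begins outside the hunk.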
diff --combined debian/changelog
index 57a36eeeca5709b3e006e86bc77c65eee607d40e,c699f698b5a300a358049182822e8412f49f3761..a0d526f8819adc9cad2d617540e871bb5d05d485
@@@ -1,11 -1,5 +1,11 @@@
  ikiwiki (2.55) UNRELEASED; urgency=low
  
 +  * remove: New plugin that adds the ability to remove pages via the web.
 +    (Sponsored by The TOVA Company.)
 +  * rename: New plugin that adds the ability to rename pages via the web.
 +    (Sponsored by The TOVA Company.) (This one's for you, Kyle.)
 +  * All rcs backends need to implement rcs_remove, rcs_commitstaged,
 +    and rcs_rename. (Done for svn, git).
    * prefix_directives enabled in doc wiki, all preprocessor directives
      converted. (Simon McVittie)
    * editpage: Don't show attachments link when attachments are disabled.
    * Add allow_symlinks_before_srcdir config setting that can be used to avoid
      a security check that is a good safe default, but problimatic overkill in
      some situations.
 +  * Don't allow uploading an attachment with the same name as an existing
 +    page, to avoid confusion.
 +  * Split out error messages from editpage.tmpl into several separate
 +    templates.
+   * attachment: Do not escape _ when determining attachment filenames.
  
   -- Joey Hess <joeyh@debian.org>  Mon, 21 Jul 2008 11:35:46 -0400