From: Joey Hess
Date: Wed, 23 Jul 2008 19:00:07 +0000 (-0400)
Subject: Merge branch 'master' into tova
X-Git-Tag: 2.55~61
X-Git-Url: http://git.vanrenterghem.biz/git.ikiwiki.info.git/commitdiff_plain/335a6a59e66ee7c2cf0c68c659259b885f7e8a07?hp=-c
Merge branch 'master' into tova
--- 335a6a59e66ee7c2cf0c68c659259b885f7e8a07
diff --combined IkiWiki/Plugin/attachment.pm
index c6711aa05,3982c4883..e08aa3677
--- a/IkiWiki/Plugin/attachment.pm
+++ b/IkiWiki/Plugin/attachment.pm
@@@ -11,40 -11,6 +11,40 @@@ sub import { #{{
 hook(type => "formbuilder", id => "attachment", call => \&formbuilder);
 } # }}}
+sub check_canattach ($$;$) {
+ my $session=shift;
+ my $dest=shift; # where it's going to be put, under the srcdir
+ my $file=shift; # the path to the attachment currently
+
+ # Don't allow an attachment to be uploaded with the same name as an
+ # existing page.
+ if (exists $pagesources{$dest} && $pagesources{$dest} ne $dest) {
+ error(sprintf(gettext("there is already a page named %s"), $dest));
+ }
+
+ # Use a special pagespec to test that the attachment is valid.
+ my $allowed=1;
+ foreach my $admin (@{$config{adminuser}}) {
+ my $allowed_attachments=IkiWiki::userinfo_get($admin, "allowed_attachments");
+ if (defined $allowed_attachments &&
+ length $allowed_attachments) {
+ $allowed=pagespec_match($dest,
+ $allowed_attachments,
+ file => $file,
+ user => $session->param("name"),
+ ip => $ENV{REMOTE_ADDR},
+ );
+ last if $allowed;
+ }
+ }
+ if (! $allowed) {
+ error(gettext("prohibited by allowed_attachments")." ($allowed)");
+ }
+ else {
+ return 1;
+ }
+}
+
 sub checkconfig () { #{{{
 $config{cgi_disable_uploads}=0;
 } #}}}
@@@ -136,7 -102,7 +136,7 @@@ sub formbuilder (@) { #{{
 }
 }
- $filename=IkiWiki::titlepage(
+ $filename=IkiWiki::linkpage(
 IkiWiki::possibly_foolish_untaint(
 attachment_location($form->field('page')).
 IkiWiki::basename($filename)));
@@@ -147,8 -113,25 +147,8 @@@
 # Check that the user is allowed to edit a page with the
 # name of the attachment.
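Review bot: `my $allowed=1;` in check_canattach makes the attachment policy fail open: if no entry in `$config{adminuser}` has a non-empty allowed_attachments value, pagespec_match is never called and the upload is accepted. Nothing in the function says that is intended; if it is, a comment on the initialiser such as `# No admin has set allowed_attachments, so uploads are unrestricted.` would record the decision, and if it is not, the default should be a refusal. The third parameter is optional (`$$;$`), so `file => $file` may be undef; the hunk does not show how file-based pagespec tests treat that, and the comment on `$file` should say what a caller gets when it omits the path.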
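Review bot: In formbuilder the client-supplied upload name is untainted by `IkiWiki::possibly_foolish_untaint` before `IkiWiki::linkpage` processes it, so the safety of the resulting path rests on what linkpage and `IkiWiki::basename` filter, and the changelog in this commit says `_` is no longer escaped. Neither helper is visible here, so a comment on the assignment would help, for example `# Upload name is untrusted: basename() drops the directory part, linkpage() escapes the rest except _.` if that matches what the helpers do. A regression test that feeds names containing path separators and leading dots through this expression would pin the guarantee down. formbuilder starts and ends outside the hunk.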
IkiWiki::check_canedit($filename, $q, $session, 1);
-
- # Use a special pagespec to test that the attachment is valid.
- my $allowed=1;
- foreach my $admin (@{$config{adminuser}}) {
- my $allowed_attachments=IkiWiki::userinfo_get($admin, "allowed_attachments");
- if (defined $allowed_attachments &&
- length $allowed_attachments) {
- $allowed=pagespec_match($filename,
- $allowed_attachments,
- file => $tempfile,
- user => $session->param("name"),
- ip => $ENV{REMOTE_ADDR},
- );
- last if $allowed;
- }
- }
- if (! $allowed) {
- error(gettext("attachment rejected")." ($allowed)");
- }
+ # And that the attachment itself is acceptable.
+ check_canattach($session, $filename, $tempfile);
 # Needed for fast_file_copy and for rendering below.
 require IkiWiki::Render;
@@@ -436,9 -419,6 +436,9 @@@ sub match_user ($$;@) { #{{
 if (defined $params{user} && lc $params{user} eq lc $user) {
 return IkiWiki::SuccessReason->new("user is $user");
 }
+ elsif (! defined $params{user}) {
+ return IkiWiki::FailReason->new("not logged in");
+ }
 else {
 return IkiWiki::FailReason->new("user is $params{user}, not $user");
 }
diff --combined debian/changelog
index 57a36eeec,c699f698b..a0d526f88
--- a/debian/changelog
+++ b/debian/changelog
@@@ -1,11 -1,5 +1,11 @@@
 ikiwiki (2.55) UNRELEASED; urgency=low
+ * remove: New plugin that adds the ability to remove pages via the web.
+ (Sponsored by The TOVA Company.)
+ * rename: New plugin that adds the ability to rename pages via the web.
+ (Sponsored by The TOVA Company.) (This one's for you, Kyle.)
+ * All rcs backends need to implement rcs_remove, rcs_commitstaged,
+ and rcs_rename. (Done for svn, git).
 * prefix_directives enabled in doc wiki, all preprocessor directives converted. (Simon McVittie)
 * editpage: Don't show attachments link when attachments are disabled.
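Review bot: The call `check_canattach($session, $filename, $tempfile);` discards the return value, so a refused upload is stopped only if `error()` inside check_canattach never returns; error() is not shown in this diff, and the `check_canedit` call on the line above has the same dependency. A one-line comment such as `# check_canattach() aborts via error() on refusal; it never returns false.` would make that explicit for anyone who later wraps this code in an eval. The enclosing formbuilder body continues outside the hunk.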
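Review bot: `lc $params{user} eq lc $user` in match_user compares account names case-insensitively, and that result feeds the upload decision made by check_canattach in this commit through allowed_attachments. Whether two accounts may differ only in case is not visible in this hunk; if they can, a pagespec naming one user also matches the other, and the test should be `$params{user} eq $user`. If names are unique regardless of case, a comment such as `# user names are matched case-insensitively` above the condition would make that explicit. The body of match_user begins outside the hunk.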
@@@ -17,10 -11,7 +17,11 @@@
 * Add allow_symlinks_before_srcdir config setting that can be used to avoid a security check that is a good safe default, but problimatic overkill in some situations.
+ * Don't allow uploading an attachment with the same name as an existing
+ page, to avoid confusion.
+ * Split out error messages from editpage.tmpl into several separate
+ templates.
+ * attachment: Do not escape _ when determining attachment filenames.
 -- Joey Hess Mon, 21 Jul 2008 11:35:46 -0400