From: <var...@us...> - 2025-07-30 07:57:03
Revision: 11200 http://sourceforge.net/p/phpwiki/code/11200
Author: vargenau
Date: 2025-07-30 07:57:02 +0000 (Wed, 30 Jul 2025)
Log Message:
-----------
Add access checks for plugins AppendText, CreatePage and WikiAdminDeleteAcl (patches by Christof Meerwald)
Modified Paths:
--------------
trunk/lib/plugin/AppendText.php
trunk/lib/plugin/CreatePage.php
trunk/lib/plugin/WikiAdminDeleteAcl.php
trunk/pgsrc/ReleaseNotes
Modified: trunk/lib/plugin/AppendText.php
===================================================================
--- trunk/lib/plugin/AppendText.php 2025-05-05 19:11:33 UTC (rev 11199)
+++ trunk/lib/plugin/AppendText.php 2025-07-30 07:57:02 UTC (rev 11200)
@@ -106,6 +106,13 @@
 return HTML();
 }
+ if (!mayAccessPage('change', $pagename)) {
+ $message = HTML::div();
+ $message->setAttr('class', 'error');
+ $message->pushContent(HTML::p(fmt("Access denied to change page “%s”.", $pagename)));
+ return $message;
+ }
+
 $page = $dbi->getPage($pagename);
 $message = HTML();
Modified: trunk/lib/plugin/CreatePage.php
===================================================================
--- trunk/lib/plugin/CreatePage.php 2025-05-05 19:11:33 UTC (rev 11199)
+++ trunk/lib/plugin/CreatePage.php 2025-07-30 07:57:02 UTC (rev 11200)
@@ -85,6 +85,13 @@
 return $this->error(_("Page name too long"));
 }
+ if (!mayAccessPage('create', $s)) {
+ $message = HTML::div();
+ $message->setAttr('class', 'error');
+ $message->pushContent(HTML::p(fmt("Access denied to change page “%s”.", $s)));
+ return $message;
+ }
+
 $param = array('action' => 'edit');
 if ($template and $dbi->isWikiPage($template)) {
 $param['template'] = $template;
Modified: trunk/lib/plugin/WikiAdminDeleteAcl.php
===================================================================
--- trunk/lib/plugin/WikiAdminDeleteAcl.php 2025-05-05 19:11:33 UTC (rev 11199)
+++ trunk/lib/plugin/WikiAdminDeleteAcl.php 2025-07-30 07:57:02 UTC (rev 11200)
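Review bot: The right checked in the AppendText hunk is `change`, while what this plugin goes on to do is append text to the page content, which in PhpWiki's permission model I believe falls under the separate `edit` right (`change` being the one for page metadata/ACLs, which is how WikiAdminDeleteAcl in this same commit uses it); please confirm which right is intended here, and if it is content editing use `if (!mayAccessPage('edit', $pagename)) {` with the message worded to match. Independently, the four lines that build the error box duplicate what the plugin base class's `error()` helper does (CreatePage, in this commit, calls `$this->error(...)` just above its own new check); if `error()` accepts the `fmt()` result, `return $this->error(fmt("Access denied to change page “%s”.", $pagename));` replaces them. The enclosing method starts before and continues after the hunk.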
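Review bot: In the CreatePage hunk the check asks for the `create` right on `$s`, but the message returned says "Access denied to change page", so a user who is merely not allowed to create pages is given a misleading reason; `fmt("Access denied to create page “%s”.", $s)` matches what was actually checked. The denied branch also hand-builds an error div while the line immediately above it uses `$this->error(...)` for the same purpose; if that helper accepts an `fmt()` object as it does the `_()` string, `return $this->error(fmt("Access denied to create page “%s”.", $s));` keeps the two paths consistent. If `$s` can still name an existing page at this point, `create` may not be the relevant right for it, so it is worth confirming that the existing-page case is rejected or routed elsewhere before this check. The enclosing method continues outside the hunk.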
@@ -50,20 +50,25 @@
 $perm->sanify();
 foreach ($pages as $pagename) {
 // check if unchanged? we need a deep array_equal
- $page = $dbi->getPage($pagename);
- setPagePermissions($page, $perm);
- $result->setAttr('class', 'feedback');
- $result->pushContent(HTML::p(fmt("ACL deleted for page “%s”", $pagename)));
- $current = $page->getCurrentRevision();
- $version = $current->getVersion();
- $meta = $current->_data;
- $text = $current->getPackedContent();
- $meta['summary'] = sprintf(_("ACL deleted for page “%s”"), $pagename);
- $meta['is_minor_edit'] = 1;
- $meta['author'] = $request->_user->UserName();
- unset($meta['mtime']); // force new date
- $page->save($text, $version + 1, $meta);
- $count++;
+ if (mayAccessPage('change', $pagename)) {
+ $page = $dbi->getPage($pagename);
+ setPagePermissions($page, $perm);
+ $result->setAttr('class', 'feedback');
+ $result->pushContent(HTML::p(fmt("ACL deleted for page “%s”", $pagename)));
+ $current = $page->getCurrentRevision();
+ $version = $current->getVersion();
+ $meta = $current->_data;
+ $text = $current->getPackedContent();
+ $meta['summary'] = sprintf(_("ACL deleted for page “%s”"), $pagename);
+ $meta['is_minor_edit'] = 1;
+ $meta['author'] = $request->_user->UserName();
+ unset($meta['mtime']); // force new date
+ $page->save($text, $version + 1, $meta);
+ $count++;
+ } else {
+ $result->setAttr('class', 'error');
+ $result->pushContent(HTML::p(fmt("Access denied to change page “%s”.", $pagename)));
+ }
 }
 if ($count) {
 $dbi->touch();
Modified: trunk/pgsrc/ReleaseNotes
===================================================================
--- trunk/pgsrc/ReleaseNotes 2025-05-05 19:11:33 UTC (rev 11199)
+++ trunk/pgsrc/ReleaseNotes 2025-07-30 07:57:02 UTC (rev 11200)
@@ -1,4 +1,4 @@
-Date: Mon, 5 May 2025 19:51:55 +0000
+Date: Wed, 30 Jul 2025 09:42:13 +0000
 Mime-Version: 1.0 (Produced by PhpWiki 1.6.6)
 Content-Type: application/x-phpwiki; pagename=ReleaseNotes;
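Review bot: Both branches of the new `if` call `$result->setAttr('class', ...)` on the shared container, so when the page list mixes allowed and denied pages the whole block is styled after whichever page was processed last — a denial can be rendered as feedback, or a successful batch as an error. Put the class on each paragraph instead, e.g. in the else branch `$p = HTML::p(fmt("Access denied to change page “%s”.", $pagename)); $p->setAttr('class', 'error'); $result->pushContent($p);`, with the same treatment for the feedback line, and leave `$result`'s class alone. `$count` is only incremented on the allowed path, so the `if ($count)` guard around `touch()` remains correct. The enclosing method starts before and ends after the hunk.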
@@ -9,6 +9,10 @@
 <<CreateToc with_toclink||=1 headers||=1,2,3 width=300px position=right>>
+== 1.6.7 2025-XX-XX Marc-Etienne Vargenau, Christof Meerwald ==
+
+* Add access checks for plugins AppendText, CreatePage and WikiAdminDeleteAcl (patches by Christof Meerwald)
+
 == 1.6.6 2025-05-05 Marc-Etienne Vargenau, Christof Meerwald ==
 * Fix PDO SQL syntax (patch by Christof Meerwald)
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |