From: <var...@us...> - 2025-07-30 07:57:03
Revision: 11200
http://sourceforge.net/p/phpwiki/code/11200
Author: vargenau
Date: 2025-07-30 07:57:02 +0000 (Wed, 30 Jul 2025)
Log Message:
-----------
Add access checks for plugins AppendText, CreatePage and WikiAdminDeleteAcl (patches by Christof Meerwald)
Modified Paths:
--------------
trunk/lib/plugin/AppendText.php
trunk/lib/plugin/CreatePage.php
trunk/lib/plugin/WikiAdminDeleteAcl.php
trunk/pgsrc/ReleaseNotes
Modified: trunk/lib/plugin/AppendText.php
===================================================================
--- trunk/lib/plugin/AppendText.php 2025-05-05 19:11:33 UTC (rev 11199)
+++ trunk/lib/plugin/AppendText.php 2025-07-30 07:57:02 UTC (rev 11200)
@@ -106,6 +106,13 @@
return HTML();
}
+ if (!mayAccessPage('change', $pagename)) {
+ $message = HTML::div();
+ $message->setAttr('class', 'error');
+ $message->pushContent(HTML::p(fmt("Access denied to change page “%s”.", $pagename)));
+ return $message;
+ }
+
$page = $dbi->getPage($pagename);
$message = HTML();
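Review bot: The new guard asks for the 'change' access type, but what follows it is a content edit (getPage on the next line and then the append), so the permission checked may not be the one the operation needs. As far as I recall PhpWiki's lib/PagePerm.php defines 'change' as "Change page attributes" (the ACL/lock permission, admin-only by default) and 'edit' as the content permission; if that is right the check should read `if (!mayAccessPage('edit', $pagename)) {` — please confirm against that file. Checking the stricter permission fails closed, so this is a usability rather than a bypass concern. The enclosing function starts before the hunk and continues past it, so what $pagename has already been validated against is not visible here.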
Modified: trunk/lib/plugin/CreatePage.php
===================================================================
--- trunk/lib/plugin/CreatePage.php 2025-05-05 19:11:33 UTC (rev 11199)
+++ trunk/lib/plugin/CreatePage.php 2025-07-30 07:57:02 UTC (rev 11200)
@@ -85,6 +85,13 @@
return $this->error(_("Page name too long"));
}
+ if (!mayAccessPage('create', $s)) {
+ $message = HTML::div();
+ $message->setAttr('class', 'error');
+ $message->pushContent(HTML::p(fmt("Access denied to change page “%s”.", $s)));
+ return $message;
+ }
+
$param = array('action' => 'edit');
if ($template and $dbi->isWikiPage($template)) {
$param['template'] = $template;
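Review bot: The denial text on the added fmt() line says "change page" while the check asks for the 'create' permission, so a refused user is told the wrong reason; and the hunk hand-builds an error div where the line just above it returns `$this->error(_("Page name too long"))`. Both can be addressed by replacing the seven added lines with `if (!mayAccessPage('create', $s)) { return $this->error(fmt("Access denied to create page “%s”.", $s)); }`, assuming $this->error() produces the same class="error" container (verify in WikiPlugin). Note that this guard only gates what the plugin renders from $param; the edit action it presumably points at must enforce its own create check, which is not visible in this hunk. The enclosing function starts before and ends after the hunk.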
Modified: trunk/lib/plugin/WikiAdminDeleteAcl.php
===================================================================
--- trunk/lib/plugin/WikiAdminDeleteAcl.php 2025-05-05 19:11:33 UTC (rev 11199)
+++ trunk/lib/plugin/WikiAdminDeleteAcl.php 2025-07-30 07:57:02 UTC (rev 11200)
@@ -50,20 +50,25 @@
$perm->sanify();
foreach ($pages as $pagename) {
// check if unchanged? we need a deep array_equal
- $page = $dbi->getPage($pagename);
- setPagePermissions($page, $perm);
- $result->setAttr('class', 'feedback');
- $result->pushContent(HTML::p(fmt("ACL deleted for page “%s”", $pagename)));
- $current = $page->getCurrentRevision();
- $version = $current->getVersion();
- $meta = $current->_data;
- $text = $current->getPackedContent();
- $meta['summary'] = sprintf(_("ACL deleted for page “%s”"), $pagename);
- $meta['is_minor_edit'] = 1;
- $meta['author'] = $request->_user->UserName();
- unset($meta['mtime']); // force new date
- $page->save($text, $version + 1, $meta);
- $count++;
+ if (mayAccessPage('change', $pagename)) {
+ $page = $dbi->getPage($pagename);
+ setPagePermissions($page, $perm);
+ $result->setAttr('class', 'feedback');
+ $result->pushContent(HTML::p(fmt("ACL deleted for page “%s”", $pagename)));
+ $current = $page->getCurrentRevision();
+ $version = $current->getVersion();
+ $meta = $current->_data;
+ $text = $current->getPackedContent();
+ $meta['summary'] = sprintf(_("ACL deleted for page “%s”"), $pagename);
+ $meta['is_minor_edit'] = 1;
+ $meta['author'] = $request->_user->UserName();
+ unset($meta['mtime']); // force new date
+ $page->save($text, $version + 1, $meta);
+ $count++;
+ } else {
+ $result->setAttr('class', 'error');
+ $result->pushContent(HTML::p(fmt("Access denied to change page “%s”.", $pagename)));
+ }
}
if ($count) {
$dbi->touch();
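Review bot: Both branches call `$result->setAttr('class', ...)` on the shared container, so when the submitted page list mixes allowed and denied pages the last iteration decides the class for every message — a denial followed by a success is rendered as ordinary feedback. Put the class on each paragraph instead, e.g. `$result->pushContent(HTML::p(array('class' => 'error'), fmt("Access denied to change page “%s”.", $pagename)));` in the else branch and the same with 'feedback' in the allowed branch, then drop the two setAttr calls (HtmlElement takes an attribute array as its first argument — verify). Denied pages are correctly left out of $count, so the `$dbi->touch()` below only runs when something was actually changed. The loop's enclosing function starts before the hunk.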
Modified: trunk/pgsrc/ReleaseNotes
===================================================================
--- trunk/pgsrc/ReleaseNotes 2025-05-05 19:11:33 UTC (rev 11199)
+++ trunk/pgsrc/ReleaseNotes 2025-07-30 07:57:02 UTC (rev 11200)
@@ -1,4 +1,4 @@
-Date: Mon, 5 May 2025 19:51:55 +0000
+Date: Wed, 30 Jul 2025 09:42:13 +0000
Mime-Version: 1.0 (Produced by PhpWiki 1.6.6)
Content-Type: application/x-phpwiki;
pagename=ReleaseNotes;
@@ -9,6 +9,10 @@
<<CreateToc with_toclink||=1 headers||=1,2,3 width=300px position=right>>
+== 1.6.7 2025-XX-XX Marc-Etienne Vargenau, Christof Meerwald ==
+
+* Add access checks for plugins AppendText, CreatePage and WikiAdminDeleteAcl (patches by Christof Meerwald)
+
== 1.6.6 2025-05-05 Marc-Etienne Vargenau, Christof Meerwald ==
* Fix PDO SQL syntax (patch by Christof Meerwald)