From cdd09a9619b7f9a119e303432b9ba4718a996f87 Mon Sep 17 00:00:00 2001
From: Andreas Gohr
Date: Mon, 1 Aug 2016 16:59:54 +0200
Subject: [PATCH] do various checks before editing and saving ACLs, CSRF, page locking
---
 action/inline.php | 50 ++++++++++++++++++++++++++++++++++-------------
 script.js | 25 +++++++++++++++++-------
 2 files changed, 54 insertions(+), 21 deletions(-)
diff --git a/action/inline.php b/action/inline.php
index e8082cf..3a16497 100644
--- a/action/inline.php
+++ b/action/inline.php
@@ -64,43 +64,55 @@ class action_plugin_struct_inline extends DokuWiki_Action_Plugin {
 echo $e->getMessage();
 }
 }
+
+ if(substr($event->data,$len) == 'cancel') {
+ $this->inline_cancel();
+ }
 }
-
+ /**
+ * Creates the inline editor
+ */
 protected function inline_editor() {
+ // silently fail when editing not possible
 if(!$this->initFromInput()) return;
+ if(auth_quickaclcheck($this->pid) < AUTH_EDIT) return;
+ if(checklock($this->pid)) return;
+ // lock page
+ lock($this->pid);
- // FIXME check read permission
-
- // FIXME lock page
-
+ // output the editor
 $value = $this->schemadata->getDataColumn($this->column);
 echo '
';
 echo $value->getValueEditor('entry');
 echo '
';
-
 $hint = $this->column->getType()->getTranslatedHint();
 if($hint) {
 echo '
';
 echo hsc($hint);
 echo '
';
 }
+
+ // csrf protection
+ formSecurityToken();
 }
+ /**
+ * Save the data posted by the inline editor
+ */
 protected function inline_save() {
 global $INPUT;
- if(!$this->initFromInput()) {
+ if (
+ !$this->initFromInput() || // initialize
+ getSecurityToken() != $INPUT->str('sectoc') || // csrf check
+ auth_quickaclcheck($this->pid) < AUTH_EDIT || // edit permissions
+ checklock($this->pid) // page is locked
+ ) {
 throw new StructException('inline save error');
 }
- // FIXME
-
- // FIXME handle CSRF protection
- // FIXME check write permission
- // FIXME make sure page still locked
-
 // validate
 $value = $INPUT->param('entry');
 $validator = new Validator();
@@ -118,16 +130,26 @@ class action_plugin_struct_inline extends DokuWiki_Action_Plugin {
 $helper = plugin_load('helper', 'struct');
 $helper->saveData($this->pid, $tosave, 'inline edit');
+ // unlock
+ unlock($this->pid);
 // reinit then render
 $this->initFromInput();
 $value = $this->schemadata->getDataColumn($this->column);
 $R = new Doku_Renderer_xhtml();
 $value->render($R, 'xhtml'); // FIXME use configured default renderer
-
 echo $R->doc;
 }
+ /**
+ * Unlock a page (on cancel action)
+ */
+ protected function inline_cancel() {
+ global $INPUT;
+ $pid = $INPUT->str('pid');
+ unlock($pid);
+ }
+
 /**
 * Initialize internal state based on input variables
 *
diff --git a/script.js b/script.js
index a8c8466..deaca40 100644
--- a/script.js
+++ b/script.js
@@ -232,6 +232,9 @@ jQuery(function () {
 });
 });
+ /**
+ * Confirm Schema Deletion
+ */
 jQuery('a.deleteSchema').click(function (event) {
 var schema = jQuery(this).closest('tr').find('td:nth-child(2)').text();
 var page = jQuery(this).closest('tr').find('td:nth-child(1)').text();
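Review bot: The CSRF check added to `inline_save()` reads the token from `$INPUT->str('sectoc')`, while `formSecurityToken()` added at the end of `inline_editor()` emits it in a field named `sectok`; unless the client re-posts it under the misspelled name (the save handler in script.js is not part of this patch), the comparison can never succeed and every save throws. The comparison is also a loose `!=` of a secret against request input; `!hash_equals(getSecurityToken(), $INPUT->str('sectok'))` is the stricter form (DokuWiki's own `checkSecurityToken()` would also do, though as far as I recall it skips the check when no REMOTE_USER is set, which matters if the ACL grants edit to anonymous users). The bare `return`s in `inline_editor()` on ACL or lock failure leave the client with an empty response it cannot tell apart from a successful but empty editor, so throwing a `StructException` as `inline_save()` does would keep the two paths consistent. `inline_save()` continues past the end of the hunk.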
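Review bot: `inline_cancel()` releases the lock on whatever `pid` the request names with no ACL or token check, and the matching `$cancel.click` handler in the script.js hunk at @@ -319 posts only `pid`. That is only harmless if DokuWiki's `unlock()` refuses to remove a lock held by a different client, which I believe it does, but nothing here records that reliance; add `// relies on unlock() only releasing this client's own lock; no ACL/CSRF check needed` above the call, or send and verify `sectok` on this path as the save path does. If `initFromInput()` validates the page id, routing this action through it as the other two do would also keep the three entry points consistent.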
@@ -241,8 +244,14 @@ jQuery(function () {
 }
 });
-
+ /**
+ * Inline Editor
+ *
+ * @todo move to separate file
+ */
 jQuery('div.structaggregation table td').dblclick(function (e) {
+ e.preventDefault();
+
 var $self = jQuery(this);
 var pid = $self.parent().data('pid');
 var field = $self.parents('table').find('tr th').eq($self.index()).data('field');
@@ -261,7 +270,6 @@ jQuery(function () {
 $form.append('');
 $form.append(jQuery('
').append($save).append($cancel));
-
 /**
 * load the editor
 */
@@ -291,7 +299,6 @@ jQuery(function () {
 }
 );
-
 /**
 * Save the data, then close the form
 */
@@ -319,14 +326,18 @@ jQuery(function () {
 * Close the editor without saving
 */
 $cancel.click(function (e) {
-
- // FIXME unlock page
+ // unlock page
+ jQuery.post(
+ DOKU_BASE + 'lib/exe/ajax.php',
+ {
+ call: 'plugin_struct_inline_cancel',
+ pid: pid
+ }
+ );
 e.preventDefault();
 $div.remove();
 });
-
-
 });
 });