Fossil

Check-in [bff3df00]


Overview
Comment: /wikiedit can now be opened if the user has at least RdWiki permissions, primarily to allow access to the Sandbox for pikchr experimentation. A user without WrWiki still cannot save anything, and users without RdWiki cannot open it at all because it would give them access to the list of wiki pages, which they otherwise aren't privy to without RdWiki. Also added a RdWiki check to the internal wikiedit ajax routes, as those could have potentially leaked pages to unprivileged users who decoded their internal ajax interfaces.
SHA3-256: bff3df00b80ffe478b89cf2a143445cf0b203f5d279c2bf79db1488d9f44bf9f
User & Date: stephan 2020-09-13 00:00:26
Context
2020-09-13
00:14
Sitemap: pointed wiki Sandbox at /wikiedit, instead of /wiki, to account for recent sandbox-handling changes. Added a Pikchr Sandbox (/pikchrshow) link under the Wiki section. ... (check-in: 27a26bb4 user: stephan tags: trunk)
00:00
/wikiedit can now be opened if the user has at least RdWiki permissions, primarily to allow access to the Sandbox for pikchr experimentation. A user without WrWiki still cannot save anything, and users without RdWiki cannot open it at all because it would give them access to the list of wiki pages, which they otherwise aren't privy to without RdWiki. Also added a RdWiki check to the internal wikiedit ajax routes, as those could have potentially leaked pages to unprivileged users who decoded their internal ajax interfaces. ... (check-in: bff3df00 user: stephan tags: trunk)
2020-09-12
23:26
Adapted pikchrshow raw SVG preview to account for pikchr output containing an outer DIV. Resolves (for me, anyway) Inkscape import problem reported in the forum. ... (check-in: 2ffd9dd1 user: stephan tags: trunk)
Changes

Changes to src/wiki.c.

Old version (src/wiki.c, lines 1069-1082):
    ajax_route_error(404,"Ajax route not found.");
    return;
  }
  login_check_credentials();
  if( pRoute->bWriteMode!=0 && g.perm.WrWiki==0 ){
    ajax_route_error(403,"Write permissions required.");
    return;
  }else if(0==cgi_csrf_safe(pRoute->bPost)){
    ajax_route_error(403,
                     "CSRF violation (make sure sending of HTTP "
                     "Referer headers is enabled for XHR "
                     "connections).");
    return;
  }
New version (src/wiki.c, lines 1069-1085):
    ajax_route_error(404,"Ajax route not found.");
    return;
  }
  login_check_credentials();
  if( pRoute->bWriteMode!=0 && g.perm.WrWiki==0 ){
    ajax_route_error(403,"Write permissions required.");
    return;
  }else if( pRoute->bWriteMode==0 && g.perm.RdWiki==0 ){
    ajax_route_error(403,"Read-Wiki permissions required.");
    return;
  }else if(0==cgi_csrf_safe(pRoute->bPost)){
    ajax_route_error(403,
                     "CSRF violation (make sure sending of HTTP "
                     "Referer headers is enabled for XHR "
                     "connections).");
    return;
  }
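Review bot: the new read-side gate only runs when `pRoute->bWriteMode==0`, so a write-mode route is admitted on `g.perm.WrWiki` alone and never consults `g.perm.RdWiki`; that is safe only if WrWiki implies RdWiki, which nothing in this hunk shows. Consider checking `g.perm.RdWiki==0` unconditionally before the mode-specific WrWiki test, or add a comment stating the implication this relies on. Minor: the two error strings differ in style ("Write permissions required." vs "Read-Wiki permissions required."); pick one form.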
Old version (src/wiki.c, lines 1106-1133):
  login_check_credentials();
  zPageName = PD("name","");
  if(zPageName && *zPageName){
    if( check_name(zPageName) ) return;
  }
  isSandbox = is_sandbox(zPageName);
  if( isSandbox ){
    if( !g.perm.WrWiki ){
      login_needed(g.anon.WrWiki);
      return;
    }
    found = 1;
  }else if( zPageName!=0 ){
    int rid = 0;
    if( !wiki_special_permission(zPageName) ){
      login_needed(0);
      return;
    }
    found = wiki_fetch_by_name(zPageName, 0, &rid, 0);
    if( (rid && !g.perm.WrWiki) || (!rid && !g.perm.NewWiki) ){
      login_needed(rid ? g.anon.WrWiki : g.anon.NewWiki);
      return;
    }
  }
  style_header("Wiki Editor");
  style_emit_noscript_for_js_page();

  /* Status bar */
New version (src/wiki.c, lines 1109-1141):
  login_check_credentials();
  zPageName = PD("name","");
  if(zPageName && *zPageName){
    if( check_name(zPageName) ) return;
  }
  isSandbox = is_sandbox(zPageName);
  if( isSandbox ){
    if( !g.perm.RdWiki ){
      login_needed(g.anon.RdWiki);
      return;
    }
    found = 1;
  }else if( zPageName!=0 && zPageName[0]!=0){
    int rid = 0;
    if( !wiki_special_permission(zPageName) ){
      login_needed(0);
      return;
    }
    found = wiki_fetch_by_name(zPageName, 0, &rid, 0);
    if( (rid && !g.perm.RdWiki) || (!rid && !g.perm.NewWiki) ){
      login_needed(rid ? g.anon.RdWiki : g.anon.NewWiki);
      return;
    }
  }else{
    if( !g.perm.RdWiki ){
      login_needed(g.anon.RdWiki);
      return;
    }
  }
  style_header("Wiki Editor");
  style_emit_noscript_for_js_page();

  /* Status bar */
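Review bot: with `if( (rid && !g.perm.RdWiki) || (!rid && !g.perm.NewWiki) )` the editor page for an existing named page no longer checks WrWiki at all, so write enforcement for a read-only user now rests entirely on the ajax routes' `bWriteMode`/WrWiki check; that is the stated intent, but it deserves a comment here so a later change to the ajax gate does not silently reopen saving. Also, since `PD("name","")` yields an empty string rather than NULL, the `zPageName!=0` half of `zPageName!=0 && zPageName[0]!=0` is redundant; `zPageName[0]!=0` alone expresses the condition and matches the earlier `if(zPageName && *zPageName)` guard.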