add missing page name sanity check
1 #!/usr/bin/perl
2 package IkiWiki::Plugin::editpage;
3
4 use warnings;
5 use strict;
6 use IkiWiki;
7 use open qw{:utf8 :std};
8
# Register this plugin's hooks: getsetup (plugin metadata) and
# sessioncgi (the actual edit/create handler, which lives in the
# IkiWiki namespace below).
sub import { #{{{
	my %handler_of=(
		getsetup => \&getsetup,
		sessioncgi => \&IkiWiki::cgi_editpage,
	);
	foreach my $hooktype (qw(getsetup sessioncgi)) {
		hook(type => $hooktype, id => "editpage",
			call => $handler_of{$hooktype});
	}
} # }}}
13
# Plugin metadata for the setup file: safe to enable from the web
# setup interface, and enabling/disabling it requires a rebuild.
# Returns a flat list (plugin => { ... }).
sub getsetup () { #{{{
	my %plugin_info=(
		safe => 1,
		rebuild => 1,
	);
	return (plugin => \%plugin_info);
} #}}}
21
# Back to ikiwiki namespace for the rest, this code is very much
# internal to ikiwiki even though it's separated into a plugin,
# and other plugins use the functions below (check_canedit in
# particular is called by anything that needs an edit permission
# decision).
package IkiWiki;
26
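# Ask the canedit hooks whether $page may be edited in this request.
#
# Each hook is called with ($page, $cgi, $session) and may return:
#   undef            - no opinion, ask the next hook;
#   ""               - editing is allowed;
#   a CODE reference - denied; the code is run (normally it redirects,
#                      e.g. to the signin page, and does not return);
#   any other string - denied, with that string as the error message.
# The first hook with an opinion decides.  With $nonfatal set, the deny
# action / error is suppressed and only the verdict is returned, which
# lets callers probe several candidate pages without aborting.
#
# Returns 1 (allowed), 0 (denied) or undef (no hook had an opinion).
sub check_canedit ($$$;$) { #{{{
	my $page=shift;
	my $q=shift;
	my $session=shift;
	my $nonfatal=shift;
	
	my $canedit;
	run_hooks(canedit => sub {
		# A verdict was already reached; ignore remaining hooks.
		return if defined $canedit;
		my $ret=shift->($page, $q, $session);
		return unless defined $ret;
		if ($ret eq "") {
			$canedit=1;
		}
		elsif (ref $ret eq 'CODE') {
			# The hook takes over (typically to demand a signin).
			# If it does return, treat that as a denial.
			$ret->() unless $nonfatal;
			$canedit=0;
		}
		else {
			# Anything else is a message explaining the denial.
			error($ret) unless $nonfatal;
			$canedit=0;
		}
	});
	return $canedit;
} #}}}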
53
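# CGI handler for the "edit" and "create" actions.  Takes the CGI object
# and the CGI::Session and returns only when the action is something
# else; every other path ends in exit.  Outline:
#   1. validate and untaint the page name (the only client value that
#      becomes part of a filesystem path),
#   2. decide the source file and page type,
#   3. for Cancel, Preview or an incomplete form, show the edit form,
#   4. for Save Page, check permissions and the CSRF token, write the
#      file, commit it if an rcs is configured, and refresh the wiki.
sub cgi_editpage ($$) { #{{{
	my $q=shift;
	my $session=shift;
	
	my $do=$q->param('do');
	return unless $do eq 'create' || $do eq 'edit';

	decode_cgi_utf8($q);

	# Only these request parameters are read through the form; "sid"
	# is added to the form further down and read raw from $q on save.
	my @fields=qw(do rcsinfo subpage from page type editcontent comments);
	my @buttons=("Save Page", "Preview", "Cancel");
	eval q{use CGI::FormBuilder};
	error($@) if $@;
	my $form = CGI::FormBuilder->new(
		fields => \@fields,
		charset => "utf-8",
		method => 'POST',
		required => [qw{editcontent}],
		javascript => 0,
		params => $q,
		action => $config{cgiurl},
		header => 0,
		table => 0,
		template => scalar template_params("editpage.tmpl"),
		wikiname => $config{wikiname},
	);
	
	decode_form_utf8($form);
	# Other plugins get to adjust the form and its buttons before any
	# field value is used.
	run_hooks(formbuilder_setup => sub {
		shift->(form => $form, cgi => $q, session => $session,
			buttons => \@buttons);
	});
	decode_form_utf8($form);
	
	# This untaint is safe because we check file_pruned and
	# wiki_file_regexp.  A name that does not match the regexp leaves
	# $page undefined, so it is rejected before being untainted or
	# edited (previously that only produced uninitialized warnings on
	# the way to the same error).  Leading slashes are stripped but
	# remembered in $absolute, which disables the "where should this
	# new page live" guessing below.
	my ($page)=$form->field('page')=~/$config{wiki_file_regexp}/;
	if (! defined $page || ! length $page) {
		error("bad page name");
	}
	$page=possibly_foolish_untaint($page);
	my $absolute=($page =~ s#^/+##);
	if (! length $page || file_pruned($page, $config{srcdir})) {
		error("bad page name");
	}

	my $baseurl=$config{url}."/".htmlpage($page);
	
	# The page the user came from, filtered the same way.  It only
	# influences where a new page is offered to be created and where
	# Cancel redirects to.
	my $from;
	if (defined $form->field('from')) {
		($from)=$form->field('from')=~/$config{wiki_file_regexp}/;
	}
	
	my $file;
	my $type;
	if (exists $pagesources{$page} && $form->field("do") ne "create") {
		# Editing an existing page; its source file fixes the type.
		$file=$pagesources{$page};
		$type=pagetype($file);
		# Types beginning with "_" are internal and are never
		# editable through the web.
		if (! defined $type || $type=~/^_/) {
			error(sprintf(gettext("%s is not an editable page"), $page));
		}
		if (! $form->submitted) {
			# Remember the revision being edited so that a later save
			# can detect (and merge with) concurrent changes.
			$form->field(name => "rcsinfo",
				value => rcs_prepedit($file), force => 1);
		}
		# An existing page may be saved empty.
		$form->field(name => "editcontent", validate => '/.*/');
	}
	else {
		# Creating a page.  The client may choose the type, but it is
		# only accepted (and untainted, since it becomes the file
		# extension) when an htmlize hook for it exists.  Anything
		# else is discarded: the type of the linking page is used if
		# known, otherwise the configured default.  Previously an
		# unknown client-supplied type fell through to $file verbatim.
		$type=$form->param('type');
		if (defined $type && length $type && $hooks{htmlize}{$type}) {
			$type=possibly_foolish_untaint($type);
		}
		elsif (defined $from && exists $pagesources{$from}) {
			# favor the type of linking page
			$type=pagetype($pagesources{$from});
		}
		else {
			$type=undef;
		}
		$type=$config{default_pageext} unless defined $type;
		$file=$page.".".$type;
		if (! $form->submitted) {
			$form->field(name => "rcsinfo", value => "", force => 1);
		}
		# A new page must have some content.
		$form->field(name => "editcontent", validate => '/.+/');
	}

	$form->field(name => "do", type => 'hidden');
	# The session id doubles as the CSRF token; it is checked on save.
	$form->field(name => "sid", type => "hidden", value => $session->id,
		force => 1);
	$form->field(name => "from", type => 'hidden');
	$form->field(name => "rcsinfo", type => 'hidden');
	$form->field(name => "subpage", type => 'hidden');
	$form->field(name => "page", value => $page, force => 1);
	$form->field(name => "type", value => $type, force => 1);
	$form->field(name => "comments", type => "text", size => 80);
	$form->field(name => "editcontent", type => "textarea", rows => 20,
		cols => 80);
	$form->tmpl_param("can_commit", $config{rcs});
	$form->tmpl_param("indexlink", indexlink());
	$form->tmpl_param("helponformattinglink",
		htmllink($page, $page, "ikiwiki/formatting",
			noimageinline => 1,
			linktext => "FormattingHelp"));
	
	if ($form->submitted eq "Cancel") {
		if ($form->field("do") eq "create" && defined $from) {
			redirect($q, "$config{url}/".htmlpage($from));
		}
		elsif ($form->field("do") eq "create") {
			redirect($q, $config{url});
		}
		else {
			redirect($q, "$config{url}/".htmlpage($page));
		}
		exit;
	}
	elsif ($form->submitted eq "Preview") {
		# Rendering runs the submitted text through preprocess, which
		# executes directives and may create files on disk, so make
		# sure the user may edit this page before doing any of that.
		# For a preview the create path below only ever considers
		# $page itself, so this is the same check it would make later.
		check_canedit($page, $q, $session);

		my $new=not exists $pagesources{$page};
		if ($new) {
			# temporarily record its type
			$pagesources{$page}=$page.".".$type;
		}

		my $content=$form->field('editcontent');

		run_hooks(editcontent => sub {
			$content=shift->(
				content => $content,
				page => $page,
				cgi => $q,
				session => $session,
			);
		});
		my $preview=htmlize($page, $page, $type,
			linkify($page, $page,
			preprocess($page, $page,
			filter($page, $page, $content), 0, 1)));
		run_hooks(format => sub {
			$preview=shift->(
				page => $page,
				content => $preview,
			);
		});
		$form->tmpl_param("page_preview", $preview);
	
		if ($new) {
			delete $pagesources{$page};
		}
		# previewing may have created files on disk
		saveindex();
	}
	elsif ($form->submitted eq "Save Page") {
		$form->tmpl_param("page_preview", "");
	}
	
	if ($form->submitted ne "Save Page" || ! $form->validate) {
		if ($form->field("do") eq "create") {
			# Work out the candidate locations for the new page.
			# The guessing is skipped when "from" is missing, was
			# altered by the regexp filter (so it is not trusted),
			# is pruned or absolute, or when the user already chose
			# a location (absolute page name or a Preview).
			my @page_locs;
			my $best_loc;
			if (! defined $from || ! length $from ||
			    $from ne $form->field('from') ||
			    file_pruned($from, $config{srcdir}) ||
			    $from=~/^\// || 
			    $absolute ||
			    $form->submitted eq "Preview") {
				@page_locs=$best_loc=$page;
			}
			else {
				my $dir=$from."/";
				$dir=~s![^/]+/+$!!;
				
				if ((defined $form->field('subpage') && length $form->field('subpage')) ||
				    $page eq gettext('discussion')) {
					$best_loc="$from/$page";
				}
				else {
					$best_loc=$dir.$page;
				}
				
				# Sibling, subpage, then every ancestor directory,
				# and finally the user directory.
				push @page_locs, $dir.$page;
				push @page_locs, "$from/$page";
				while (length $dir) {
					$dir=~s![^/]+/+$!!;
					push @page_locs, $dir.$page;
				}
			
				push @page_locs, "$config{userdir}/$page"
					if length $config{userdir};
			}

			# Drop locations that already exist (case-insensitively).
			@page_locs = grep {
				! exists $pagecase{lc $_}
			} @page_locs;
			if (! @page_locs) {
				# hmm, someone else made the page in the
				# meantime?
				if ($form->submitted eq "Preview") {
					# let them go ahead with the edit
					# and resolve the conflict at save
					# time
					@page_locs=$page;
				}
				else {
					redirect($q, "$config{url}/".htmlpage($page));
					exit;
				}
			}

			# Offer only locations the user is allowed to create.
			# Probe nonfatally first; if none is editable, re-run
			# fatally so the canedit hook's own error/redirect shows.
			my @editable_locs = grep {
				check_canedit($_, $q, $session, 1)
			} @page_locs;
			if (! @editable_locs) {
				# let it throw an error this time
				map { check_canedit($_, $q, $session) } @page_locs;
			}
			
			# Internal ("_"-prefixed) types are not offered.
			my @page_types;
			if (exists $hooks{htmlize}) {
				@page_types=grep { !/^_/ }
					keys %{$hooks{htmlize}};
			}
			
			$form->tmpl_param("page_select", 1);
			$form->field(name => "page", type => 'select',
				options => [ map { [ $_, pagetitle($_, 1) ] } @editable_locs ],
				value => $best_loc);
			$form->field(name => "type", type => 'select',
				options => \@page_types);
			$form->title(sprintf(gettext("creating %s"), pagetitle($page)));
			
		}
		elsif ($form->field("do") eq "edit") {
			check_canedit($page, $q, $session);
			if (! defined $form->field('editcontent') || 
			    ! length $form->field('editcontent')) {
				# First visit: load the current source into the
				# textarea, with CRLF line endings for the browser.
				my $content="";
				if (exists $pagesources{$page}) {
					$content=readfile(srcfile($pagesources{$page}));
					$content=~s/\n/\r\n/g;
				}
				$form->field(name => "editcontent", value => $content,
					force => 1);
			}
			$form->tmpl_param("page_select", 0);
			$form->field(name => "page", type => 'hidden');
			$form->field(name => "type", type => 'hidden');
			$form->title(sprintf(gettext("editing %s"), pagetitle($page)));
		}
		
		showform($form, \@buttons, $session, $q, forcebaseurl => $baseurl);
	}
	else {
		# save page
		check_canedit($page, $q, $session);
	
		# The session id is stored on the form and checked to
		# guard against CSRF. But only if the user is logged in,
		# as anonok can allow anonymous edits.  Anonymous saves
		# therefore have no CSRF protection at all by design.
		if (defined $session->param("name")) {
			my $sid=$q->param('sid');
			if (! defined $sid || $sid ne $session->id) {
				error(gettext("Your login session has expired."));
			}
		}

		my $exists=-e "$config{srcdir}/$file";

		# Detect pages that disappeared or appeared since the form
		# was shown and let the user decide, rather than silently
		# recreating or clobbering.  (This test and the write below
		# are not atomic; the rcs conflict handling covers the rest.)
		if ($form->field("do") ne "create" && ! $exists &&
		    ! defined srcfile($file, 1)) {
			$form->tmpl_param("message", template("editpagegone.tmpl")->output);
			$form->field(name => "do", value => "create", force => 1);
			$form->tmpl_param("page_select", 0);
			$form->field(name => "page", type => 'hidden');
			$form->field(name => "type", type => 'hidden');
			$form->title(sprintf(gettext("editing %s"), $page));
			showform($form, \@buttons, $session, $q, forcebaseurl => $baseurl);
			exit;
		}
		elsif ($form->field("do") eq "create" && $exists) {
			$form->tmpl_param("message", template("editcreationconflict.tmpl")->output);
			$form->field(name => "do", value => "edit", force => 1);
			$form->tmpl_param("page_select", 0);
			$form->field(name => "page", type => 'hidden');
			$form->field(name => "type", type => 'hidden');
			$form->title(sprintf(gettext("editing %s"), $page));
			$form->field("editcontent", 
				value => readfile("$config{srcdir}/$file").
				         "\n\n\n".$form->field("editcontent"),
				force => 1);
			showform($form, \@buttons, $session, $q, forcebaseurl => $baseurl);
			exit;
		}
		
		my $content=$form->field('editcontent');
		run_hooks(editcontent => sub {
			$content=shift->(
				content => $content,
				page => $page,
				cgi => $q,
				session => $session,
			);
		});
		# Normalise line endings and make sure the file ends in one.
		$content=~s/\r\n/\n/g;
		$content=~s/\r/\n/g;
		$content.="\n" if $content !~ /\n$/;

		# error() inside writefile would otherwise emit a CGI-style
		# error page; turn that off while the write is trapped.
		$config{cgi}=0; # avoid cgi error message
		eval { writefile($file, $config{srcdir}, $content) };
		$config{cgi}=1;
		if ($@) {
			$form->field(name => "rcsinfo", value => rcs_prepedit($file),
				force => 1);
			my $mtemplate=template("editfailedsave.tmpl");
			$mtemplate->param(error_message => $@);
			$form->tmpl_param("message", $mtemplate->output);
			$form->field("editcontent", value => $content, force => 1);
			$form->tmpl_param("page_select", 0);
			$form->field(name => "page", type => 'hidden');
			$form->field(name => "type", type => 'hidden');
			$form->title(sprintf(gettext("editing %s"), $page));
			showform($form, \@buttons, $session, $q,
				forcebaseurl => $baseurl);
			exit;
		}
		
		my $conflict;
		if ($config{rcs}) {
			my $message="";
			if (defined $form->field('comments') &&
			    length $form->field('comments')) {
				$message=$form->field('comments');
			}
			
			if (! $exists) {
				rcs_add($file);
			}

			# Prevent deadlock with post-commit hook by
			# signaling to it that it should not try to
			# do anything.
			# rcsinfo is the client-supplied base revision; it only
			# decides what the commit is merged against, and a
			# merge that fails comes back as $conflict.
			disable_commit_hook();
			$conflict=rcs_commit($file, $message,
				$form->field("rcsinfo"),
				$session->param("name"), $ENV{REMOTE_ADDR});
			enable_commit_hook();
			rcs_update();
		}
		
		# Refresh even if there was a conflict, since other changes
		# may have been committed while the post-commit hook was
		# disabled.
		require IkiWiki::Render;
		refresh();
		saveindex();

		if (defined $conflict) {
			# Hand the merged text (with conflict markers) back to
			# the user to resolve, against the now-current revision.
			$form->field(name => "rcsinfo", value => rcs_prepedit($file),
				force => 1);
			$form->tmpl_param("message", template("editconflict.tmpl")->output);
			$form->field("editcontent", value => $conflict, force => 1);
			$form->field("do", "edit", force => 1);
			$form->tmpl_param("page_select", 0);
			$form->field(name => "page", type => 'hidden');
			$form->field(name => "type", type => 'hidden');
			$form->title(sprintf(gettext("editing %s"), $page));
			showform($form, \@buttons, $session, $q,
				forcebaseurl => $baseurl);
		}
		else {
			# The trailing question mark tries to avoid broken
			# caches and get the most recent version of the page.
			redirect($q, "$config{url}/".htmlpage($page)."?updated");
		}
	}

	exit;
} #}}}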
427
428 1