]> sipb.mit.edu Git - ikiwiki.git/blob - IkiWiki/Plugin/smcvpostcomment.pm
smcvpostcomment: remove HTML if not allowed
[ikiwiki.git] / IkiWiki / Plugin / smcvpostcomment.pm
1 #!/usr/bin/perl
2 # Copyright © 2006-2008 Joey Hess <joey@ikiwiki.info>
3 # Copyright © 2008 Simon McVittie <http://smcv.pseudorandom.co.uk/>
4 # Licensed under the GNU GPL, version 2, or any later version published by the
5 # Free Software Foundation
6 package IkiWiki::Plugin::smcvpostcomment;
7
8 use warnings;
9 use strict;
10 use IkiWiki 2.00;
11 use IkiWiki::Plugin::inline;
12 use IkiWiki::Plugin::mdwn;
13 use CGI 'escapeHTML';
14
15 use constant PLUGIN => "smcvpostcomment";
16 use constant PREVIEW => "Preview";
17 use constant POST_COMMENT => "Post comment";
18 use constant CANCEL => "Cancel";
19
20 sub import { #{{{
21         hook(type => "getsetup", id => PLUGIN,  call => \&getsetup);
22         hook(type => "preprocess", id => PLUGIN, call => \&preprocess);
23         hook(type => "sessioncgi", id => PLUGIN, call => \&sessioncgi);
24         hook(type => "htmlize", id => "_".PLUGIN,
25                 call => \&IkiWiki::Plugin::mdwn::htmlize);
26         IkiWiki::loadplugin("inline");
27 } # }}}
28
29 sub getsetup () { #{{{
30         return
31                 plugin => {
32                         safe => 1,
33                         rebuild => undef,
34                 },
35 } #}}}
36
37 # Somewhat based on IkiWiki::Plugin::inline blog posting support
38 sub preprocess (@) { #{{{
39         my %params=@_;
40
41         unless (length $config{cgiurl}) {
42                 error(sprintf (gettext("[[!%s plugin requires CGI enabled]]"),
43                         PLUGIN));
44         }
45
46         my $formtemplate = IkiWiki::template(PLUGIN . "_embed.tmpl",
47                 blind_cache => 1);
48         $formtemplate->param(cgiurl => $config{cgiurl});
49         $formtemplate->param(page => $params{page});
50
51         if ($params{preview}) {
52                 $formtemplate->param("disabled" =>
53                         gettext('not available during Preview'));
54         }
55
56         debug("page $params{page} => destpage $params{destpage}");
57
58         # I'm reasonably sure that this counts as abuse of [[!inline]]
59         return $formtemplate->output . "\n" .
60                 IkiWiki::preprocess_inline(
61                         pages => "internal($params{page}/_comment_*)",
62                         template => PLUGIN . "_display",
63                         show => 0,
64                         reverse => "yes",
65                         page => $params{page},
66                         destpage => $params{destpage},
67                         preview => $params{preview});
68 } # }}}
69
70 # FIXME: logic taken from editpage, should be common code?
71 sub getcgiuser ($) { # {{{
72         my $session = shift;
73         my $user = $session->param('name');
74         $user = $ENV{REMOTE_ADDR} unless defined $user;
75         debug("getcgiuser() -> $user");
76         return $user;
77 } # }}}
78
79 # FIXME: logic adapted from recentchanges, should be common code?
80 sub linkuser ($) { # {{{
81         my $user = shift;
82         my $oiduser = eval { IkiWiki::openiduser($user) };
83
84         if (defined $oiduser) {
85                 return ($user, $oiduser);
86         }
87         else {
88                 my $page = bestlink('', (length $config{userdir}
89                                 ? "$config{userdir}/"
90                                 : "").$user);
91                 return (urlto($page, undef, 1), $user);
92         }
93 } # }}}
94
95 # FIXME: taken from IkiWiki::Plugin::editpage, should be common?
96 sub checksessionexpiry ($$) { # {{{
97         my $session = shift;
98         my $sid = shift;
99
100         if (defined $session->param("name")) {
101                 if (! defined $sid || $sid ne $session->id) {
102                         error(gettext("Your login session has expired."));
103                 }
104         }
105 } # }}}
106
107 # Mostly cargo-culted from IkiWiki::plugin::editpage
108 sub sessioncgi ($$) { #{{{
109         my $cgi=shift;
110         my $session=shift;
111
112         my $do = $cgi->param('do');
113         return unless $do eq PLUGIN;
114
115         # These are theoretically configurable, but currently hard-coded
116         my $allow_directives = 0;
117         my $commit_comments = 1;
118
119         IkiWiki::decode_cgi_utf8($cgi);
120
121         eval q{use CGI::FormBuilder};
122         error($@) if $@;
123
124         my @buttons = (POST_COMMENT, PREVIEW, CANCEL);
125         my $form = CGI::FormBuilder->new(
126                 fields => [qw{do sid page subject body}],
127                 charset => 'utf-8',
128                 method => 'POST',
129                 required => [qw{body}],
130                 javascript => 0,
131                 params => $cgi,
132                 action => $config{cgiurl},
133                 header => 0,
134                 table => 0,
135                 template => scalar IkiWiki::template_params(PLUGIN . '_form.tmpl'),
136                 # wtf does this do in editpage?
137                 wikiname => $config{wikiname},
138         );
139
140         IkiWiki::decode_form_utf8($form);
141         IkiWiki::run_hooks(formbuilder_setup => sub {
142                         shift->(title => PLUGIN, form => $form, cgi => $cgi,
143                                 session => $session, buttons => \@buttons);
144                 });
145         IkiWiki::decode_form_utf8($form);
146
147         $form->field(name => 'do', type => 'hidden');
148         $form->field(name => 'sid', type => 'hidden', value => $session->id,
149                 force => 1);
150         $form->field(name => 'page', type => 'hidden');
151         $form->field(name => 'subject', type => 'text', size => 72);
152         $form->field(name => 'body', type => 'textarea', rows => 5,
153                 cols => 80);
154
155         # The untaint is OK (as in editpage) because we're about to pass
156         # it to file_pruned anyway
157         my $page = $form->field('page');
158         $page = IkiWiki::possibly_foolish_untaint($page);
159         if (!defined $page || !length $page ||
160                 IkiWiki::file_pruned($page, $config{srcdir})) {
161                 error(gettext("bad page name"));
162         }
163
164         # FIXME: is this right? Or should we be using the candidate subpage
165         # (whatever that might mean) as the base URL?
166         my $baseurl = urlto($page, undef, 1);
167
168         $form->title(sprintf(gettext("commenting on %s"),
169                         IkiWiki::pagetitle($page)));
170
171         $form->tmpl_param('helponformattinglink',
172                 htmllink($page, $page, 'ikiwiki/formatting',
173                         noimageinline => 1,
174                         linktext => 'FormattingHelp'));
175
176         if (not exists $pagesources{$page}) {
177                 error(sprintf(gettext(
178                         "page '%s' doesn't exist, so you can't comment"),
179                         $page));
180         }
181
182         if ($form->submitted eq CANCEL) {
183                 # bounce back to the page they wanted to comment on, and exit.
184                 # CANCEL need not be considered in future
185                 IkiWiki::redirect($cgi, urlto($page, undef, 1));
186                 exit;
187         }
188
189         IkiWiki::check_canedit($page . "[" . PLUGIN . "]", $cgi, $session);
190
191         my ($authorurl, $author) = linkuser(getcgiuser($session));
192
193         my $body = $form->field('body') || '';
194         $body =~ s/\r\n/\n/g;
195         $body =~ s/\r/\n/g;
196         $body = "\n" if $body !~ /\n$/;
197
198         unless ($allow_directives) {
199                 # don't allow new-style directives at all
200                 $body =~ s/(^|[^\\])\[\[!/$1\\[[!/g;
201
202                 # don't allow [[ unless it begins an old-style
203                 # wikilink, if prefix_directives is off
204                 $body =~ s/(^|[^\\])\[\[(?![^\n\s\]+]\]\])/$1\\[[!/g
205                         unless $config{prefix_directives};
206         }
207
208         unless ($allow_html) {
209                 $body =~ s/&(\w|#)/&amp;$1/g;
210                 $body =~ s/</&lt;/g;
211                 $body =~ s/>/&gt;/g;
212         }
213
214         # In this template, the [[!meta]] directives should stay at the end,
215         # so that they will override anything the user specifies. (For
216         # instance, [[!meta author="I can fake the author"]]...)
217         my $content_tmpl = template(PLUGIN . '_comment.tmpl');
218         $content_tmpl->param(author => $author);
219         $content_tmpl->param(authorurl => $authorurl);
220         $content_tmpl->param(subject => $form->field('subject'));
221         $content_tmpl->param(body => $body);
222
223         my $content = $content_tmpl->output;
224
225         # This is essentially a simplified version of editpage:
226         # - the user does not control the page that's created, only the parent
227         # - it's always a create operation, never an edit
228         # - this means that conflicts should never happen
229         # - this means that if they do, rocks fall and everyone dies
230
231         if ($form->submitted eq PREVIEW) {
232                 # $fake is a location that has the same number of slashes
233                 # as the eventual location of this comment.
234                 my $fake = "$page/_" . PLUGIN . "hypothetical";
235                 my $preview = IkiWiki::htmlize($fake, $page, 'mdwn',
236                                 IkiWiki::linkify($page, $page,
237                                         IkiWiki::preprocess($page, $page,
238                                                 IkiWiki::filter($fake, $page,
239                                                         $content),
240                                                 0, 1)));
241                 IkiWiki::run_hooks(format => sub {
242                                 $preview = shift->(page => $page,
243                                         content => $preview);
244                         });
245
246                 my $template = template(PLUGIN . "_display.tmpl");
247                 $template->param(content => $preview);
248                 $template->param(title => $form->field('subject'));
249                 $template->param(ctime => displaytime(time));
250                 $template->param(author => $author);
251                 $template->param(authorurl => $authorurl);
252
253                 $form->tmpl_param(page_preview => $template->output);
254         }
255         else {
256                 $form->tmpl_param(page_preview => "");
257         }
258
259         if ($form->submitted eq POST_COMMENT && $form->validate) {
260                 # Let's get posting. We don't check_canedit here because
261                 # that somewhat defeats the point of this plugin.
262
263                 checksessionexpiry($session, $cgi->param('sid'));
264
265                 # FIXME: check that the wiki is locked right now, because
266                 # if it's not, there are mad race conditions!
267
268                 # FIXME: rather a simplistic way to make the comments...
269                 my $i = 0;
270                 my $file;
271                 do {
272                         $i++;
273                         $file = "$page/_comment_${i}._" . PLUGIN;
274                 } while (-e "$config{srcdir}/$file");
275
276                 # FIXME: could probably do some sort of graceful retry
277                 # if I could be bothered
278                 writefile($file, $config{srcdir}, $content);
279
280                 my $conflict;
281
282                 if ($config{rcs} and $commit_comments) {
283                         my $message = gettext("Added a comment");
284                         if (defined $form->field('subject') &&
285                                 length $form->field('subject')) {
286                                 $message .= ": ".$form->field('subject');
287                         }
288
289                         IkiWiki::rcs_add($file);
290                         IkiWiki::disable_commit_hook();
291                         $conflict = IkiWiki::rcs_commit_staged($message,
292                                 $session->param('name'), $ENV{REMOTE_ADDR});
293                         IkiWiki::enable_commit_hook();
294                         IkiWiki::rcs_update();
295                 }
296
297                 # Now we need a refresh
298                 require IkiWiki::Render;
299                 IkiWiki::refresh();
300                 IkiWiki::saveindex();
301
302                 # this should never happen, unless a committer deliberately
303                 # breaks it or something
304                 error($conflict) if defined $conflict;
305
306                 # Bounce back to where we were, but defeat broken caches
307                 my $anticache = "?updated=$page/_comment_$i";
308                 IkiWiki::redirect($cgi, urlto($page, undef, 1).$anticache);
309         }
310         else {
311                 IkiWiki::showform ($form, \@buttons, $session, $cgi,
312                         forcebaseurl => $baseurl);
313         }
314
315         exit;
316 } #}}}
317
318 package IkiWiki::PageSpec;
319
320 sub match_smcvpostcomment ($$;@) {
321         my $page = shift;
322         my $glob = shift;
323
324         unless ($page =~ s/\[smcvpostcomment\]$//) {
325                 return IkiWiki::FailReason->new("not posting a comment");
326         }
327         return match_glob($page, $glob);
328 }
329
330 1