author | andi <andi@splitbrain.org> | 2005-03-07 20:29:54 +0100 |
---|---|---|
committer | andi <andi@splitbrain.org> | 2005-03-07 20:29:54 +0100 |
commit | af1824345c357da2fbf69f5690b1135b29a14a1a (patch) | |
tree | 6ef52a942679e15f3b2c695b3cebd00266fac744 /inc/actions.php | |
parent | 6b13307fb447795714d01cdc029d6ed7ac087cf3 (diff) | |
download | rpg-af1824345c357da2fbf69f5690b1135b29a14a1a.tar.gz rpg-af1824345c357da2fbf69f5690b1135b29a14a1a.tar.bz2 |
bugfixes for yesterdays template patch
darcs-hash:20050307192954-9977f-ec263f3b0a3b4d9e35210789d2bb78c3a6011ae0.gz
Diffstat (limited to 'inc/actions.php')
-rw-r--r-- | inc/actions.php | 33 |
1 files changed, 30 insertions, 3 deletions
diff --git a/inc/actions.php b/inc/actions.php
index 345ef8e37..6208e1970 100644
--- a/inc/actions.php
+++ b/inc/actions.php
@@ -9,6 +9,7 @@
 if(!defined('DOKU_INC')) define('DOKU_INC',realpath(dirname(__FILE__).'/../').'/');
 require_once(DOKU_INC.'inc/template.php');
 
+
 /**
  * Call the needed action handlers
  *
@@ -22,6 +23,9 @@ function act_dispatch(){
 global $lang;
 global $conf;
 
+ //sanitize $ACT
+ $ACT = act_clean($ACT);
+
 //check permissions
 $ACT = act_permcheck($ACT);
 
@@ -35,7 +39,7 @@ function act_dispatch(){
 
 //edit
 if(($ACT == 'edit' || $ACT == $lang['btn_preview']) && $INFO['editable']){
- $ACT = act_save($ACT);
+ $ACT = act_edit($ACT);
 }else{
 unlock($ID); //try to unlock
 }
@@ -55,14 +59,36 @@ function act_dispatch(){
 $ACT = 'show';
 }
 
- //fixme sanitize $ACT
-
 //call template FIXME: all needed vars available?
 header('Content-Type: text/html; charset=utf-8');
 include(DOKU_INC.'tpl/'.$conf['template'].'/main.php');
 }
 
 /**
+ * Sanitize the action command
+ *
+ * Add all allowed commands here.
+ *
+ * @author Andreas Gohr <andi@splitbrain.org>
+ */
+function act_clean($act){
+ global $lang;
+ global $conf;
+
+ if($act == 'register' && !$conf['openregister'])
+ return 'show';
+
+ if(!array_search($act,array('login','logout','register','save','edit',
+ $lang['btn_preview'],'export_raw','export_html',
+ 'search','show','check','index','revisions',
+ 'diff','recent','backlink',))){
+ msg('Unknown command',-1);
+ return 'show';
+ }
+ return $act;
+}
+
+/**
  * Run permissionchecks
  *
  * @author Andreas Gohr <andi@splitbrain.org>
@@ -83,6 +109,7 @@ function act_permcheck($act){
 return 'denied';
 }
 
+ return $act;
 }
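Review bot: The whitelist test in act_clean rejects its own first entry: `array_search()` returns the matching key, `'login'` sits at index 0, and `!0` is true, so a `login` request is reported as "Unknown command" and downgraded to `show`; every other entry is matched with loose `==` comparison against request-controlled input. A strict membership test fixes both, `if(!in_array($act, array('login','logout', /* … */ 'backlink'), true)){`, and also makes a non-string `$act` (e.g. `?do[]=…`) fall through to `show` instead of being compared loosely. Running act_clean before act_permcheck is the right order, since the permission check then only ever sees a known command; a comment on the call site, `//reject unknown commands before any permission check runs on them`, would make that ordering deliberate. act_dispatch begins and the trailing context of act_permcheck ends outside the hunks shown.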