From 31bc8f119cd896f19085ea120b89356393d4f8e6 Mon Sep 17 00:00:00 2001
From: Michael Hamann
Date: Tue, 24 May 2011 22:38:27 +0200
Subject: Check permissions + security token in lock + draft modification FS#2265

This disables lock and draft creation for pages the user can't edit. It additionally adds a security token to the draft creation and deletion request so - at least for logged in users - drafts can't be created, modified or deleted so easily anymore.
---
 inc/actions.php | 10 +++++++---
 lib/exe/ajax.php | 24 ++++++++++++++++++------
 lib/scripts/edit.js | 1 +
 lib/scripts/locktimer.js | 1 +
 4 files changed, 27 insertions(+), 9 deletions(-)

diff --git a/inc/actions.php b/inc/actions.php
index a36fdfd5b..ecf09036f 100644
--- a/inc/actions.php
+++ b/inc/actions.php
@@ -509,10 +509,14 @@ function act_edit($act){
     if(!$DATE) $DATE = $INFO['meta']['date']['modified'];
 
     //check if locked by anyone - if not lock for my self
-    $lockedby = checklock($ID);
-    if($lockedby) return 'locked';
+    //do not lock when the user can't edit anyway
+    if ($INFO['writable']) {
+        $lockedby = checklock($ID);
+        if($lockedby) return 'locked';
+
+        lock($ID);
+    }
 
-    lock($ID);
     return $act;
 }
 
diff --git a/lib/exe/ajax.php b/lib/exe/ajax.php
index 7d594dc04..b2463ed3f 100644
--- a/lib/exe/ajax.php
+++ b/lib/exe/ajax.php
@@ -123,11 +123,22 @@ function ajax_suggestions() {
 function ajax_lock(){
     global $conf;
     global $lang;
-    $id = cleanID($_POST['id']);
-    if(empty($id)) return;
+    global $ID;
+    global $INFO;
+
+    $ID = cleanID($_POST['id']);
+    if(empty($ID)) return;
+    if (!checkSecurityToken()) return;
+
+    $INFO = pageinfo();
+
+    if (!$INFO['writable']) {
+        echo 'Permission denied';
+        return;
+    }
 
-    if(!checklock($id)){
-        lock($id);
+    if(!checklock($ID)){
+        lock($ID);
         echo 1;
     }
 
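Review bot: The new `if ($INFO['writable'])` guard makes a non-writable request skip both checklock() and lock() and then still fall through to `return $act;`, but nothing in the hunk records what the caller is expected to do with an unlocked 'edit' action for a page the user cannot write (presumably a read-only source view). A comment on the guard would pin that down, e.g. `// unwritable pages are never locked; they fall through to $act, which is expected to render read-only`. As a point of style, the guard is written `if (` while every neighbouring line uses `if(`; pick one. The body of act_edit begins before this hunk.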
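Review bot: In ajax_lock the added `if (!checkSecurityToken()) return;` leaves the response empty, whereas the permission branch a few lines below echoes `'Permission denied'`, so a rejected token is indistinguishable on the wire from the pre-existing "nothing locked, nothing echoed" path and from a lock held by another user. Since the response body is presumably the only feedback channel to locktimer.js, echo a short message on that branch as well, e.g. `if (!checkSecurityToken()) { echo 'Security token mismatch'; return; }`, or mark the silence as deliberate with `// silent on purpose: client treats any non-'1' reply as a failed lock`. The reordering that assigns `$ID` and `$INFO` before pageinfo() also overwrites those globals for the rest of the request; that is what pageinfo() appears to need, and a one-line comment saying so would spare the next reader the inference. The same silent-return pattern is introduced in ajax_draftdel in the second ajax.php hunk.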
@@ -135,14 +146,14 @@ function ajax_lock(){
         $client = $_SERVER['REMOTE_USER'];
         if(!$client) $client = clientIP(true);
 
-        $draft = array('id' => $id,
+        $draft = array('id' => $ID,
                        'prefix' => substr($_POST['prefix'], 0, -1),
                        'text' => $_POST['wikitext'],
                        'suffix' => $_POST['suffix'],
                        'date' => (int) $_POST['date'],
                        'client' => $client,
                       );
-        $cname = getCacheName($draft['client'].$id,'.draft');
+        $cname = getCacheName($draft['client'].$ID,'.draft');
         if(io_saveFile($cname,serialize($draft))){
             echo $lang['draftdate'].' '.dformat();
         }
@@ -158,6 +169,7 @@ function ajax_lock(){
 function ajax_draftdel(){
     $id = cleanID($_REQUEST['id']);
     if(empty($id)) return;
+    if (!checkSecurityToken()) return;
 
     $client = $_SERVER['REMOTE_USER'];
     if(!$client) $client = clientIP(true);
diff --git a/lib/scripts/edit.js b/lib/scripts/edit.js
index a96a346dc..31afcc126 100644
--- a/lib/scripts/edit.js
+++ b/lib/scripts/edit.js
@@ -275,6 +275,7 @@ function deleteDraft() {
     if(dwform){
         var params = 'call=draftdel';
         params += '&id='+encodeURIComponent(dwform.elements.id.value);
+        params += '§ok='+encodeURIComponent(dwform.elements.sectok.value);
 
         var sackobj = new sack(DOKU_BASE + 'lib/exe/ajax.php');
         // this needs to be synchronous and GET to not be aborted upon page unload
diff --git a/lib/scripts/locktimer.js b/lib/scripts/locktimer.js
index 0db7d2b15..5335e228f 100644
--- a/lib/scripts/locktimer.js
+++ b/lib/scripts/locktimer.js
@@ -73,6 +73,7 @@ var locktimer = {
         if(now.getTime() - locktimer.lasttime.getTime() > 30*1000){
             var params = 'call=lock&id='+encodeURIComponent(locktimer.pageid);
             var dwform = $('dw__editform');
+            params += '§ok='+encodeURIComponent(dwform.elements.sectok.value);
             if(locktimer.draft && dwform.elements.wikitext){
                 params += '&prefix='+encodeURIComponent(dwform.elements.prefix.value);
                 params += '&wikitext='+encodeURIComponent(dwform.elements.wikitext.value);
-- 
cgit v1.2.3
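Review bot: ajax_draftdel gains the token check but, unlike ajax_lock in the previous hunk, no `$INFO['writable']` check; that asymmetry looks intentional, because the draft being removed is derived from the caller's own client identity (`$_SERVER['REMOTE_USER']` or clientIP() on the context lines that follow), so a caller can only delete a draft stored under their own name, but the hunk does not say so. A comment after the token check would keep a future reader from "fixing" the asymmetry, e.g. `// no ACL check needed: the draft path is keyed by the caller's own client id, so only own drafts are affected`. The `$_REQUEST['id']` read on the context line above also means this handler accepts the id and token from a GET query string; the deletion itself continues outside the hunk.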
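Review bot: The token is appended to `params`, and the comment two lines below states this request must be a synchronous GET, so the per-session security token now travels in the URL and will be recorded in web-server and proxy access logs, which weakens the protection this commit adds. If GET cannot be avoided here, the trade-off deserves a comment next to the added line, e.g. `// sectok goes in the URL: this call must be GET (see below), so it will appear in access logs`; the lock request in locktimer.js carries the same parameter but is read from `$_POST` by ajax_lock, so it does not have this exposure. As rendered on this page the added line reads `'§ok='` in both edit.js and locktimer.js, which looks like the entity `&sect` in `'&sectok='` having been decoded to `§` by the display layer; confirm the committed literal is `'&sectok='`, since `dwform.elements.sectok` on the same line suggests that is the intended parameter name.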