From ba9418bca378a6759305e3b388926df4f5a0af9c Mon Sep 17 00:00:00 2001 From: Hakan Sandell Date: Sat, 13 Nov 2010 18:20:28 +0100 Subject: Added XMLRPC dokuwiki:appendPage --- lib/exe/xmlrpc.php | 20 +++++++++++++++++++- 1 file changed, 19 insertions(+), 1 deletion(-) (limited to 'lib/exe/xmlrpc.php') diff --git a/lib/exe/xmlrpc.php b/lib/exe/xmlrpc.php index f06792361..8c2bec6f9 100644 --- a/lib/exe/xmlrpc.php +++ b/lib/exe/xmlrpc.php @@ -7,7 +7,7 @@ if(isset($HTTP_RAW_POST_DATA)) $HTTP_RAW_POST_DATA = trim($HTTP_RAW_POST_DATA); /** * Increased whenever the API is changed */ -define('DOKU_XMLRPC_API_VERSION',4); +define('DOKU_XMLRPC_API_VERSION',5); require_once(DOKU_INC.'inc/init.php'); session_write_close(); //close session @@ -143,6 +143,13 @@ class dokuwiki_xmlrpc_server extends IXR_IntrospectionServer { true ); + $this->addCallback( + 'dokuwiki.appendPage', + 'this:appendPage', + array('int', 'string', 'string', 'struct'), + 'Append text to a wiki page.' + ); + /* Wiki API v2 http://www.jspwiki.org/wiki/WikiRPCInterface2 */ $this->addCallback( 'wiki.getRPCVersionSupported', @@ -577,6 +584,17 @@ class dokuwiki_xmlrpc_server extends IXR_IntrospectionServer { return 0; } + /** + * Appends text to a wiki page. + */ + function appendPage($id, $text, $params) { + $currentpage = $this->rawPage($id); + if (!is_string($currentpage)) { + return $currentpage; + } + return $this->putPage($id, $currentpage.$text, $params); + } + /** * Uploads a file to the wiki. * -- cgit v1.2.3 From 7c2ef4e8d524fb9262c5a08831220f9fb2dc11fe Mon Sep 17 00:00:00 2001 From: Tom N Harris Date: Wed, 17 Nov 2010 17:02:31 -0500 Subject: Use a different indexer version when external tokenizer is enabled --- lib/exe/xmlrpc.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'lib/exe/xmlrpc.php') diff --git a/lib/exe/xmlrpc.php b/lib/exe/xmlrpc.php index f06792361..410d4f6ba 100644 --- a/lib/exe/xmlrpc.php +++ b/lib/exe/xmlrpc.php 
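Review bot: `appendPage` reads the page with `rawPage($id)` and writes it back with `putPage(...)` without holding the page lock across the two calls, so an edit saved between the read and the write is silently overwritten by the stale copy plus the appended text. Whether `putPage` takes a lock itself is not visible in this hunk, but any lock it takes would come after the read. Either take the lock before the read, or state the limitation in the docblock, e.g. `* Not atomic: an edit made between the read and the write is lost.` The docblock also needs `@param`/`@return` lines, since the method can return the `IXR_Error` from `rawPage` and not only the `int` advertised in the `addCallback` signature.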
@@ -1,7 +1,7 @@ Date: Mon, 29 Nov 2010 01:34:36 +0100 Subject: Remove enc=utf-8 in VIM modeline as it is not allowed in VIM 7.3 As of VIM 7.3 it is no longer possible to specify the encoding in the modeline. This gives an error message whenever such a file is opened, thus this commit removes the enc setting from the modeline. --- lib/exe/xmlrpc.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'lib/exe/xmlrpc.php') diff --git a/lib/exe/xmlrpc.php b/lib/exe/xmlrpc.php index 8c2bec6f9..d232930a3 100644 --- a/lib/exe/xmlrpc.php +++ b/lib/exe/xmlrpc.php @@ -968,4 +968,4 @@ class dokuwiki_xmlrpc_server extends IXR_IntrospectionServer { $server = new dokuwiki_xmlrpc_server(); -// vim:ts=4:sw=4:et:enc=utf-8: +// vim:ts=4:sw=4:et: -- cgit v1.2.3 From 9b41be2446ea725a496f34b28ac4db84bece57c9 Mon Sep 17 00:00:00 2001 From: Tom N Harris Date: Wed, 29 Dec 2010 03:50:05 -0500 Subject: Indexer v3 Rewrite part two, update uses of indexer --- lib/exe/xmlrpc.php | 27 +++------------------------ 1 file changed, 3 insertions(+), 24 deletions(-) (limited to 'lib/exe/xmlrpc.php') diff --git a/lib/exe/xmlrpc.php b/lib/exe/xmlrpc.php index 410d4f6ba..84068f96e 100644 --- a/lib/exe/xmlrpc.php +++ b/lib/exe/xmlrpc.php @@ -355,9 +355,8 @@ class dokuwiki_xmlrpc_server extends IXR_IntrospectionServer { */ function listPages(){ $list = array(); - $pages = array_filter(array_filter(idx_getIndex('page', ''), - 'isVisiblePage'), - 'page_exists'); + $pages = idx_get_indexer()->getPages(); + $pages = array_filter(array_filter($pages,'isVisiblePage'),'page_exists'); foreach(array_keys($pages) as $idx) { $perm = auth_quickaclcheck($pages[$idx]); 
@@ -552,27 +551,7 @@ class dokuwiki_xmlrpc_server extends IXR_IntrospectionServer { unlock($id); // run the indexer if page wasn't indexed yet - if(!@file_exists(metaFN($id, '.indexed'))) { - // try to aquire a lock - $lock = $conf['lockdir'].'/_indexer.lock'; - while(!@mkdir($lock,$conf['dmode'])){ - usleep(50); - if(time()-@filemtime($lock) > 60*5){ - // looks like a stale lock - remove it - @rmdir($lock); - }else{ - return false; - } - } - if($conf['dperm']) chmod($lock, $conf['dperm']); - - // do the work - idx_addPage($id); - - // we're finished - save and free lock - io_saveFile(metaFN($id,'.indexed'), idx_get_version()); - @rmdir($lock); - } + idx_addPage($id); return 0; } -- cgit v1.2.3 From eff795ac6482d5885761f6688ce183c66becd7e1 Mon Sep 17 00:00:00 2001 From: Michael Hamann Date: Sun, 16 Jan 2011 13:30:49 +0100 Subject: Fix several security issues in the XML-RPC interface For locks and getRevisions there hasn't been any acl check. In many other cases the id hadn't been cleaned before the acl check was done which means that many acl rules that should be applied weren't applied. So e.g. when you have read permissions for the root namespace but not for a subnamespace you could add a leading ":" and the permissions for the root namespace will be used instead of the permissions for the subnamespace. This did not apply to writing pages and reading media files, but writing and deleting media files have been concerned as well as reading both plain and html versions of pages. This only concerns installations where XML-RPC is enabled (default is disabled) and XML-RPC is allowed for all or untrusted users. --- lib/exe/xmlrpc.php | 23 ++++++++++++++++++----- 1 file changed, 18 insertions(+), 5 deletions(-) (limited to 'lib/exe/xmlrpc.php') diff --git a/lib/exe/xmlrpc.php b/lib/exe/xmlrpc.php index d232930a3..d40e338b2 100644 --- a/lib/exe/xmlrpc.php +++ b/lib/exe/xmlrpc.php 
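Review bot: The comment `// run the indexer if page wasn't indexed yet` left above the new `idx_addPage($id);` no longer matches the code, because the `.indexed` check and the `_indexer.lock` directory lock were both removed and the call is now unconditional. Reword it, e.g. `// update the search index; idx_addPage() decides whether work is needed`, if that is what the new indexer does (its body is not in this diff). The return value of `idx_addPage` is also dropped, whereas the old path returned `false` when the lock could not be taken, so an indexing failure is no longer visible to the XML-RPC client. The enclosing function starts above the hunk.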
@@ -296,6 +296,7 @@ class dokuwiki_xmlrpc_server extends IXR_IntrospectionServer { * Return a raw wiki page */ function rawPage($id,$rev=''){ + $id = cleanID($id); if(auth_quickaclcheck($id) < AUTH_READ){ return new IXR_Error(1, 'You are not allowed to read this page'); } @@ -351,6 +352,7 @@ class dokuwiki_xmlrpc_server extends IXR_IntrospectionServer { * Return a wiki page rendered to html */ function htmlPage($id,$rev=''){ + $id = cleanID($id); if(auth_quickaclcheck($id) < AUTH_READ){ return new IXR_Error(1, 'You are not allowed to read this page'); } @@ -488,6 +490,7 @@ class dokuwiki_xmlrpc_server extends IXR_IntrospectionServer { * Return some basic data about a page */ function pageInfo($id,$rev=''){ + $id = cleanID($id); if(auth_quickaclcheck($id) < AUTH_READ){ return new IXR_Error(1, 'You are not allowed to read this page'); } @@ -601,6 +604,7 @@ class dokuwiki_xmlrpc_server extends IXR_IntrospectionServer { * Michael Klier */ function putAttachment($id, $file, $params) { + $id = cleanID($id); global $conf; global $lang; @@ -668,6 +672,7 @@ class dokuwiki_xmlrpc_server extends IXR_IntrospectionServer { * @author Gina Haeussge */ function deleteAttachment($id){ + $id = cleanID($id); $auth = auth_quickaclcheck(getNS($id).':*'); if($auth < AUTH_DELETE) return new IXR_ERROR(1, "You don't have permissions to delete files."); global $conf; @@ -725,6 +730,7 @@ class dokuwiki_xmlrpc_server extends IXR_IntrospectionServer { * Returns the permissions of a given wiki page */ function aclCheck($id) { + $id = cleanID($id); return auth_quickaclcheck($id); } 
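Review bot: The fix depends on every handler remembering `$id = cleanID($id);` as its first statement, and the same clean-then-`auth_quickaclcheck` pair is now repeated in `rawPage`, `htmlPage` and `pageInfo` here and in `listLinks` and `pageVersions` in the later hunks. A small private helper that returns the cleaned id or an `IXR_Error` would keep the normalisation and the permission check together, so a callback added later cannot check the ACL on one spelling of the id and open the file under another. None of these hunks handles an id that is empty after cleaning; if `cleanID` can return an empty string, the check would presumably run against the root namespace, and that case deserves an explicit decision. A regression test that calls each method with the leading-colon form described in the commit message would pin the behaviour.

```php
    /**
     * Normalise a page id and require read permission on the result.
     *
     * @param string $id page id as sent by the client
     * @return string|IXR_Error cleaned id, or the error to hand back to the client
     */
    function _readableID($id) {
        $id = cleanID($id);
        if(auth_quickaclcheck($id) < AUTH_READ){
            return new IXR_Error(1, 'You are not allowed to read this page');
        }
        return $id;
    }

    function rawPage($id,$rev=''){
        $id = $this->_readableID($id);
        if(!is_string($id)) return $id;
        // … unchanged: rest of rawPage; same two lines open htmlPage, pageInfo, listLinks, pageVersions …
```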
@@ -734,13 +740,14 @@ class dokuwiki_xmlrpc_server extends IXR_IntrospectionServer { * @author Michael Klier */ function listLinks($id) { + $id = cleanID($id); if(auth_quickaclcheck($id) < AUTH_READ){ return new IXR_Error(1, 'You are not allowed to read this page'); } $links = array(); // resolve page instructions - $ins = p_cached_instructions(wikiFN(cleanID($id))); + $ins = p_cached_instructions(wikiFN($id)); // instantiate new Renderer - needed for interwiki links include(DOKU_INC.'inc/parser/xhtml.php'); @@ -848,6 +855,10 @@ class dokuwiki_xmlrpc_server extends IXR_IntrospectionServer { * @author Michael Klier */ function pageVersions($id, $first) { + $id = cleanID($id); + if(auth_quickaclcheck($id) < AUTH_READ){ + return new IXR_Error(1, 'You are not allowed to read this page'); + } global $conf; $versions = array(); @@ -923,7 +934,8 @@ class dokuwiki_xmlrpc_server extends IXR_IntrospectionServer { $unlockfail = array(); foreach((array) $set['lock'] as $id){ - if(checklock($id)){ + $id = cleanID($id); + if(auth_quickaclcheck($id) < AUTH_EDIT || checklock($id)){ $lockfail[] = $id; }else{ lock($id); @@ -932,10 +944,11 @@ class dokuwiki_xmlrpc_server extends IXR_IntrospectionServer { } foreach((array) $set['unlock'] as $id){ - if(unlock($id)){ - $unlocked[] = $id; - }else{ + $id = cleanID($id); + if(auth_quickaclcheck($id) < AUTH_EDIT || !unlock($id)){ $unlockfail[] = $id; + }else{ + $unlocked[] = $id; } } -- cgit v1.2.3 From 87229c84afbda98679146558235bc7212ea404ee Mon Sep 17 00:00:00 2001 From: Adrian Lang Date: Sun, 6 Feb 2011 12:51:09 +0100 Subject: XML-RPC deleteAttachment now uses media_delete Functionality changes: * deleteAttachment now triggers MEDIA_DELETE_FILE (closes FS#1568) * deletion success msg in mediamanager is correct, even when the ns dir was deleted * media_delete changed quite a bit --- lib/exe/xmlrpc.php | 28 ++++++++-------------------- 1 file changed, 8 insertions(+), 20 deletions(-) (limited to 'lib/exe/xmlrpc.php') 
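Review bot: In the lock and unlock loops an id that fails `auth_quickaclcheck($id) < AUTH_EDIT` is put into `$lockfail`/`$unlockfail` exactly like a page locked by someone else, and the value stored is the cleaned id rather than the string the client sent. A client that matches the response against its request may not find an id it sent in a different spelling, and it cannot tell a permission problem from a lock conflict. If the response format has to stay as it is, document both facts in the method's docblock, e.g. `* Ids are returned in cleaned form; pages the user may not edit are listed as failed.` The function's start and its return statement are outside the hunk.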
diff --git a/lib/exe/xmlrpc.php b/lib/exe/xmlrpc.php index d40e338b2..945dc3f67 100644 --- a/lib/exe/xmlrpc.php +++ b/lib/exe/xmlrpc.php @@ -674,27 +674,15 @@ class dokuwiki_xmlrpc_server extends IXR_IntrospectionServer { function deleteAttachment($id){ $id = cleanID($id); $auth = auth_quickaclcheck(getNS($id).':*'); - if($auth < AUTH_DELETE) return new IXR_ERROR(1, "You don't have permissions to delete files."); - global $conf; - global $lang; - - // check for references if needed - $mediareferences = array(); - if($conf['refcheck']){ - $mediareferences = ft_mediause($id,$conf['refshow']); - } - - if(!count($mediareferences)){ - $file = mediaFN($id); - if(@unlink($file)){ - addMediaLogEntry(time(), $id, DOKU_CHANGE_TYPE_DELETE); - io_sweepNS($id,'mediadir'); - return 0; - } - //something went wrong - return new IXR_ERROR(1, 'Could not delete file'); - } else { + $res = media_delete($id, $auth); + if ($res & DOKU_MEDIA_DELETED) { + return 0; + } elseif ($res & DOKU_MEDIA_NOT_AUTH) { + return new IXR_ERROR(1, "You don't have permissions to delete files."); + } elseif ($res & DOKU_MEDIA_INUSE) { return new IXR_ERROR(1, 'File is still referenced'); + } else { + return new IXR_ERROR(1, 'Could not delete file'); } } -- cgit v1.2.3 From ffb291f214dd47aa34d4e84b166de6e62714307f Mon Sep 17 00:00:00 2001 From: Adrian Lang Date: Sun, 6 Feb 2011 14:25:05 +0100 Subject: Use common media_save in media_upload and putAttachment Changes: * XML-RPC now correctly allows leading and trailing _ * Error messages from XML-RPC are correct * MEDIA_UPLOAD_FINISH has a sixth param specifying the move function * Not having upload rights when using media_upload throws a msg --- lib/exe/xmlrpc.php | 92 ++++++++---------------------------------------------- 1 file changed, 13 insertions(+), 79 deletions(-) (limited to 'lib/exe/xmlrpc.php') diff --git a/lib/exe/xmlrpc.php b/lib/exe/xmlrpc.php index 945dc3f67..9749a2e16 100644 --- a/lib/exe/xmlrpc.php +++ b/lib/exe/xmlrpc.php 
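Review bot: The early `if($auth < AUTH_DELETE) return …` guard is removed, so this handler now relies entirely on `media_delete($id, $auth)` to refuse the call, and that function's body is not part of this diff. A one-line comment such as `// media_delete() enforces AUTH_DELETE from $auth and performs the reference check` would make the delegation explicit in a file that has just had several ACL fixes. All three failure branches still return error code 1, so a client can only tell `DOKU_MEDIA_NOT_AUTH` from `DOKU_MEDIA_INUSE` by parsing the message text; distinct codes would be cheap to add here.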
@@ -605,64 +605,26 @@ class dokuwiki_xmlrpc_server extends IXR_IntrospectionServer { */ function putAttachment($id, $file, $params) { $id = cleanID($id); - global $conf; - global $lang; - $auth = auth_quickaclcheck(getNS($id).':*'); - if($auth >= AUTH_UPLOAD) { - if(!isset($id)) { - return new IXR_ERROR(1, 'Filename not given.'); - } - - $ftmp = $conf['tmpdir'] . '/' . md5($id.clientIP()); - // save temporary file - @unlink($ftmp); - $buff = base64_decode($file); - io_saveFile($ftmp, $buff); + if(!isset($id)) { + return new IXR_ERROR(1, 'Filename not given.'); + } - // get filename - list($iext, $imime,$dl) = mimetype($id); - $id = cleanID($id); - $fn = mediaFN($id); - - // get filetype regexp - $types = array_keys(getMimeTypes()); - $types = array_map(create_function('$q','return preg_quote($q,"/");'),$types); - $regex = join('|',$types); - - // because a temp file was created already - if(preg_match('/\.('.$regex.')$/i',$fn)) { - //check for overwrite - $overwrite = @file_exists($fn); - if($overwrite && (!$params['ow'] || $auth < AUTH_DELETE)) { - return new IXR_ERROR(1, $lang['uploadexist'].'1'); - } - // check for valid content - $ok = media_contentcheck($ftmp, $imime); - if($ok == -1) { - return new IXR_ERROR(1, sprintf($lang['uploadexist'].'2', ".$iext")); - } elseif($ok == -2) { - return new IXR_ERROR(1, $lang['uploadspam']); - } elseif($ok == -3) { - return new IXR_ERROR(1, $lang['uploadxss']); - } + global $conf; - // prepare event data - $data[0] = $ftmp; - $data[1] = $fn; - $data[2] = $id; - $data[3] = $imime; - $data[4] = $overwrite; + $ftmp = $conf['tmpdir'] . '/' . 
md5($id.clientIP()); - // trigger event - return trigger_event('MEDIA_UPLOAD_FINISH', $data, array($this, '_media_upload_action'), true); + // save temporary file + @unlink($ftmp); + $buff = base64_decode($file); + io_saveFile($ftmp, $buff); - } else { - return new IXR_ERROR(1, $lang['uploadwrong']); - } + $res = media_save(array('name' => $ftmp), $id, $params['ow'], $auth, 'rename'); + if (is_array($res)) { + return new IXR_ERROR(-$res[1], $res[0]); } else { - return new IXR_ERROR(1, "You don't have permissions to upload files."); + return $res; } } @@ -686,34 +648,6 @@ class dokuwiki_xmlrpc_server extends IXR_IntrospectionServer { } } - /** - * Moves the temporary file to its final destination. - * - * Michael Klier - */ - function _media_upload_action($data) { - global $conf; - - if(is_array($data) && count($data)===5) { - io_createNamespace($data[2], 'media'); - if(rename($data[0], $data[1])) { - chmod($data[1], $conf['fmode']); - media_notify($data[2], $data[1], $data[3]); - // add a log entry to the media changelog - if ($data[4]) { - addMediaLogEntry(time(), $data[2], DOKU_CHANGE_TYPE_EDIT); - } else { - addMediaLogEntry(time(), $data[2], DOKU_CHANGE_TYPE_CREATE); - } - return $data[2]; - } else { - return new IXR_ERROR(1, 'Upload failed.'); - } - } else { - return new IXR_ERROR(1, 'Upload failed.'); - } - } - /** * Returns the permissions of a given wiki page */ -- cgit v1.2.3
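Review bot: The decoded payload is now written to `$conf['tmpdir']` before any permission is evaluated: the old code did this inside `if($auth >= AUTH_UPLOAD)`, while the new code calls `io_saveFile($ftmp, $buff)` unconditionally and leaves the decision to `media_save`. A caller without upload rights can therefore make the server write a temp file as large as the request allows, and nothing visible here removes `$ftmp` when `media_save` returns an error array. Restore the guard before the write, `if($auth < AUTH_UPLOAD) return new IXR_ERROR(1, "You don't have permissions to upload files.");`, and add `@unlink($ftmp);` in the `is_array($res)` branch unless `media_save` is known to clean up. `if(!isset($id))` directly after `$id = cleanID($id);` looks unreachable, since `$id` has just been assigned (assuming `cleanID` returns a string); `if($id === '')` is probably what was meant. `base64_decode($file)` is also used without checking for a `false` result.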