From 64273335d1bae12b2fe7d9664e1665d6e69d47af Mon Sep 17 00:00:00 2001
From: Andreas Gohr <andi@splitbrain.org>
Date: Fri, 24 Aug 2012 09:43:50 +0200
Subject: more $INPUT use FS#2577

---
 lib/plugins/acl/admin.php | 46 +++++++++++++++++++++++++---------------------
 lib/plugins/acl/ajax.php  | 11 +++++++----
 2 files changed, 32 insertions(+), 25 deletions(-)

(limited to 'lib/plugins')

diff --git a/lib/plugins/acl/admin.php b/lib/plugins/acl/admin.php
index 64d6ff3ca..1197892f2 100644
--- a/lib/plugins/acl/admin.php
+++ b/lib/plugins/acl/admin.php
@@ -56,22 +56,23 @@ class admin_plugin_acl extends DokuWiki_Admin_Plugin {
         global $ID;
         global $auth;
         global $config_cascade;
+        global $INPUT;
 
         // fresh 1:1 copy without replacements
         $AUTH_ACL = file($config_cascade['acl']['default']);
 
 
         // namespace given?
-        if($_REQUEST['ns'] == '*'){
+        if($INPUT->str('ns') == '*'){
             $this->ns = '*';
         }else{
-            $this->ns = cleanID($_REQUEST['ns']);
+            $this->ns = cleanID($INPUT->str('ns'));
         }
 
-        if ($_REQUEST['current_ns']) {
-            $this->current_item = array('id' => cleanID($_REQUEST['current_ns']), 'type' => 'd');
-        } elseif ($_REQUEST['current_id']) {
-            $this->current_item = array('id' => cleanID($_REQUEST['current_id']), 'type' => 'f');
+        if ($INPUT->str('current_ns')) {
+            $this->current_item = array('id' => cleanID($INPUT->str('current_ns')), 'type' => 'd');
+        } elseif ($INPUT->str('current_id')) {
+            $this->current_item = array('id' => cleanID($INPUT->str('current_id')), 'type' => 'f');
         } elseif ($this->ns) {
             $this->current_item = array('id' => $this->ns, 'type' => 'd');
         } else {
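Review bot: Now that `$INPUT->str('ns')` guarantees a string on the left-hand side, the loose `== '*'` on the `ns` line can be a strict `=== '*'` with no change in behaviour; the same applies to the `acl_t` comparisons in the next hunk. The `if ($INPUT->str('current_ns'))` and `elseif ($INPUT->str('current_id'))` tests are truthiness checks, so an id of `'0'` is treated as absent — this is pre-existing, but an explicit `!== ''` would make the intent unambiguous. The enclosing method starts before this hunk.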
@@ -79,24 +80,25 @@ class admin_plugin_acl extends DokuWiki_Admin_Plugin {
         }
 
         // user or group choosen?
-        $who = trim($_REQUEST['acl_w']);
-        if($_REQUEST['acl_t'] == '__g__' && $who){
+        $who = trim($INPUT->str('acl_w'));
+        if($INPUT->str('acl_t') == '__g__' && $who){
             $this->who = '@'.ltrim($auth->cleanGroup($who),'@');
-        }elseif($_REQUEST['acl_t'] == '__u__' && $who){
+        }elseif($INPUT->str('acl_t') == '__u__' && $who){
             $this->who = ltrim($who,'@');
             if($this->who != '%USER%' && $this->who != '%GROUP%'){ #keep wildcard as is
                 $this->who = $auth->cleanUser($this->who);
             }
-        }elseif($_REQUEST['acl_t'] &&
-                $_REQUEST['acl_t'] != '__u__' &&
-                $_REQUEST['acl_t'] != '__g__'){
-            $this->who = $_REQUEST['acl_t'];
+        }elseif($INPUT->str('acl_t') &&
+                $INPUT->str('acl_t') != '__u__' &&
+                $INPUT->str('acl_t') != '__g__'){
+            $this->who = $INPUT->str('acl_t');
         }elseif($who){
             $this->who = $who;
         }
 
         // handle modifications
-        if(isset($_REQUEST['cmd']) && checkSecurityToken()){
+        if($INPUT->has('cmd') && checkSecurityToken()){
+            $cmd = $INPUT->extract('cmd')->str('cmd');
 
             // scope for modifications
             if($this->ns){
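Review bot: `$INPUT->str('acl_t')` is evaluated five times across the `acl_t` branch chain; reading it once into a local, `$type = $INPUT->str('acl_t');`, and comparing that with `===` makes the chain easier to follow. In the third branch `$this->who` is assigned straight from the request, while the `__g__`/`__u__` branches pass the value through `cleanGroup`/`cleanUser`; if the value is meant to be an entry already present in the ACL list, a comment such as `// acl_t holds an existing user or @group name chosen from the list` would make that asymmetry visibly deliberate. The enclosing method and the `if($INPUT->has('cmd') && checkSecurityToken())` block both continue past this hunk.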
@@ -109,19 +111,21 @@ class admin_plugin_acl extends DokuWiki_Admin_Plugin {
                 $scope = $ID;
             }
 
-            if(isset($_REQUEST['cmd']['save']) && $scope && $this->who && isset($_REQUEST['acl'])){
+            if($cmd == 'save' && $scope && $this->who && $INPUT->has('acl')){
                 // handle additions or single modifications
                 $this->_acl_del($scope, $this->who);
-                $this->_acl_add($scope, $this->who, (int) $_REQUEST['acl']);
-            }elseif(isset($_REQUEST['cmd']['del']) && $scope && $this->who){
+                $this->_acl_add($scope, $this->who, $INPUT->int('acl'));
+            }elseif($cmd == 'del' && $scope && $this->who){
                 // handle single deletions
                 $this->_acl_del($scope, $this->who);
-            }elseif(isset($_REQUEST['cmd']['update'])){
+            }elseif($cmd == 'update'){
+                $acl = $INPUT->arr('acl');
+
                 // handle update of the whole file
-                foreach((array) $_REQUEST['del'] as $where => $names){
+                foreach($INPUT->arr('del') as $where => $names){
                     // remove all rules marked for deletion
                     foreach($names as $who)
-                        unset($_REQUEST['acl'][$where][$who]);
+                        unset($acl[$where][$who]);
                 }
                 // prepare lines
                 $lines = array();
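Review bot: `$INPUT->arr('del')` only guarantees that the outer value is an array; each `$names` is whatever the client sent, so a scalar `del[ns]=x` makes the inner `foreach($names as $who)` emit a warning and silently skip that deletion. Casting at the inner level, `foreach((array) $names as $who)`, keeps the loop robust against malformed requests; the `foreach($opt as $who => $perm)` loop over `$acl` in the next hunk has the same shape. Since `$cmd` comes from `str()`, the `$cmd == 'save'`/`'del'`/`'update'` comparisons can be strict `===`. The enclosing method and the update branch continue past this hunk.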
@@ -134,7 +138,7 @@ class admin_plugin_acl extends DokuWiki_Admin_Plugin {
                     }
                 }
                 // re-add all rules
-                foreach((array) $_REQUEST['acl'] as $where => $opt){
+                foreach($acl as $where => $opt){
                     foreach($opt as $who => $perm){
                         if ($who[0]=='@') {
                             if ($who!='@ALL') {
diff --git a/lib/plugins/acl/ajax.php b/lib/plugins/acl/ajax.php
index 3a5d89c08..10e18af97 100644
--- a/lib/plugins/acl/ajax.php
+++ b/lib/plugins/acl/ajax.php
@@ -11,6 +11,10 @@ require_once(DOKU_INC.'inc/init.php');
 //close session
 session_write_close();
 
+global $conf;
+global $ID;
+global $INPUT;
+
 //fix for Opera XMLHttpRequests
 $postData = http_get_raw_post_data();
 if(!count($_POST) && !empty($postData)){
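Review bot: The three `global` statements are added at file scope, where `global` is a no-op because the variables are already in the global scope; they only take effect if this script is ever included from inside a function. If the intent is to document which globals the script depends on, or to give analyzers a type, a docblock such as `/** @var Input $INPUT */` states that directly without suggesting the file is designed to run inside a function.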
@@ -22,20 +26,19 @@ if(!checkSecurityToken()) die('CRSF Attack');
 
 $ID    = getID();
 
+/** @var $acl admin_plugin_acl */
 $acl = plugin_load('admin','acl');
 $acl->handle();
 
-$ajax = $_REQUEST['ajax'];
+$ajax = $INPUT->str('ajax');
 header('Content-Type: text/html; charset=utf-8');
 
 if($ajax == 'info'){
     $acl->_html_info();
 }elseif($ajax == 'tree'){
-    global $conf;
-    global $ID;
 
     $dir = $conf['datadir'];
-    $ns  = $_REQUEST['ns'];
+    $ns  = $INPUT->str('ns');
     if($ns == '*'){
         $ns ='';
     }
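Review bot: The added docblock `/** @var $acl admin_plugin_acl */` uses the reversed variable-then-type order; the phpDocumentor form is `/** @var admin_plugin_acl $acl */`, which is the order most analyzers and IDEs recognise. `$ns` is now always a string from `str()`, so `if($ns == '*')` can be `if($ns === '*')`, and the same holds for the `$ajax == 'info'` / `'tree'` comparisons. The `elseif($ajax == 'tree')` branch continues past this hunk.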
-- 
cgit v1.2.3