From 710dee58fbcc335ca82bdb0d9f2cada221a8d5cc Mon Sep 17 00:00:00 2001 From: rurban Date: Fri, 12 Mar 2004 13:31:43 +0000 Subject: [PATCH] enforce PagePermissions, errormsg if not Admin git-svn-id: svn://svn.code.sf.net/p/phpwiki/code/trunk@3144 96ab9672-09ca-45d6-a79d-3d69d39ca109 --- lib/PageList.php | 5 ++++- lib/plugin/RecentChanges.php | 31 +++++++++++++++++---------- lib/plugin/WikiAdminChmod.php | 19 +++++++++++----- lib/plugin/WikiAdminRemove.php | 19 +++++++++++----- lib/plugin/WikiAdminRename.php | 19 ++++++++++++---- lib/plugin/WikiAdminSearchReplace.php | 19 +++++++++++----- lib/plugin/WikiAdminSetAcl.php | 19 +++++++++++----- lib/plugin/WikiAdminUtils.php | 8 ++++--- 8 files changed, 100 insertions(+), 39 deletions(-) diff --git a/lib/PageList.php b/lib/PageList.php index 151035e48..7cb23c78a 100644 --- a/lib/PageList.php +++ b/lib/PageList.php @@ -1,4 +1,4 @@ -getName(), $this->_excluded_pages)) return; // exclude page. } + // enforce view permission + if (!mayAccessPage('view',$page_handle->getName())) + return; $group = (int)(count($this->_rows) / $this->_group_rows); $class = ($group % 2) ? 'oddrow' : 'evenrow'; diff --git a/lib/plugin/RecentChanges.php b/lib/plugin/RecentChanges.php index 17a7e70ab..318c7212c 100644 --- a/lib/plugin/RecentChanges.php +++ b/lib/plugin/RecentChanges.php @@ -1,5 +1,5 @@ pushContent($this->format_revision($rev)); + // enforce view permission + if (mayAccessPage('view',$rev->_pagename)) { + $lines->pushContent($this->format_revision($rev)); - if ($first) - $this->setValidators($rev); - $first = false; + if ($first) + $this->setValidators($rev); + $first = false; + } } if ($lines) $html->pushContent($lines); 
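Review bot: The view check is repeated inside each formatter loop (the HTML `while ($rev = $changes->next())` loop here and the RSS loop in the hunk at -480/+483), so any other path in this file that iterates `$changes` itself would still list revisions of pages the viewer may not read. Filtering once where the revision iterator is built would cover every output format. Both loops also read the property `$rev->_pagename` directly, while the PageList hunk uses the accessor `$page_handle->getName()`; `mayAccessPage('view', $rev->getPageName())` would be consistent, assuming the revision class exposes that accessor. Since the list now differs per viewer while `setValidators($rev)` is still derived from a single revision, it is worth confirming that a cached response cannot be revalidated for a user with different permissions. The enclosing functions start and end outside the hunks.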
@@ -480,11 +483,14 @@ extends _RecentChanges_Formatter $first = true; while ($rev = $changes->next()) { - $rss->addItem($this->item_properties($rev), - $this->pageURI($rev)); - if ($first) - $this->setValidators($rev); - $first = false; + // enforce view permission + if (mayAccessPage('view',$rev->_pagename)) { + $rss->addItem($this->item_properties($rev), + $this->pageURI($rev)); + if ($first) + $this->setValidators($rev); + $first = false; + } } global $request; @@ -607,7 +613,7 @@ extends WikiPlugin function getVersion() { return preg_replace("/[Revision: $]/", '', - "\$Revision: 1.85 $"); + "\$Revision: 1.86 $"); } function managesValidators() { @@ -774,6 +780,9 @@ class DayButtonBar extends HtmlElement { } // $Log: not supported by cvs2svn $ +// Revision 1.85 2004/02/17 12:11:36 rurban +// added missing 4th basepage arg at plugin->run() to almost all plugins. This caused no harm so far, because it was silently dropped on normal usage. However on plugin internal ->run invocations it failed. (InterWikiSearch, IncludeSiteMap, ...) +// // Revision 1.84 2004/02/15 22:29:42 rurban // revert premature performance fix // diff --git a/lib/plugin/WikiAdminChmod.php b/lib/plugin/WikiAdminChmod.php index 1cfcaf17e..0d6a3ee7f 100644 --- a/lib/plugin/WikiAdminChmod.php +++ b/lib/plugin/WikiAdminChmod.php @@ -1,5 +1,5 @@ isPost()) $pages = $p; - if ($p && $request->isPost() && $request->_user->isAdmin() - && !empty($post_args['chmod']) && empty($post_args['cancel'])) { - // FIXME: error message if not admin. + if ($p && $request->isPost() && + !empty($post_args['chmod']) && empty($post_args['cancel'])) { + + // FIXME: check individual PagePermissions + if (!$request->_user->isAdmin()) { + $request->_notAuthorized(WIKIAUTH_ADMIN); + $this->disabled("! user->isAdmin"); + } + if ($post_args['action'] == 'verify') { // Real action return $this->chmodPages($dbi, $request, $p, 
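Review bot: Nothing stops execution after the new `if (!$request->_user->isAdmin())` block in WikiAdminChmod's POST branch: the result of `$this->disabled(...)` is discarded, and control continues to `if ($post_args['action'] == 'verify')` and `chmodPages()`. The old condition kept non-admins out of the branch entirely, so unless `_notAuthorized()` always ends the request (not visible here) the check fails open. `return $this->disabled("! user->isAdmin");` makes the denial explicit, as the WikiAdminUtils hunk already does with `return $this->error(...)`. The same pattern appears in the WikiAdminRemove, WikiAdminRename, WikiAdminSearchReplace and WikiAdminSetAcl hunks, and the Rename hunk also leaves a stale `// FIXME: error message if not admin.` after the new block. The enclosing function is only partly visible in the hunk.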
@@ -192,6 +198,9 @@ extends WikiPlugin_WikiAdminSelect } // $Log: not supported by cvs2svn $ +// Revision 1.4 2004/02/24 15:20:06 rurban +// fixed minor warnings: unchecked args, POST => Get urls for sortby e.g. +// // Revision 1.3 2004/02/24 04:02:06 rurban // Better warning messages // diff --git a/lib/plugin/WikiAdminRemove.php b/lib/plugin/WikiAdminRemove.php index 80ea76259..30f262062 100644 --- a/lib/plugin/WikiAdminRemove.php +++ b/lib/plugin/WikiAdminRemove.php @@ -1,5 +1,5 @@ isPost() && $request->_user->isAdmin() - && !empty($post_args['remove']) && empty($post_args['cancel'])) { - // FIXME: error message if not admin. + if ($p && $request->isPost() && + !empty($post_args['remove']) && empty($post_args['cancel'])) { + + // FIXME: check individual PagePermissions + if (!$request->_user->isAdmin()) { + $request->_notAuthorized(WIKIAUTH_ADMIN); + $this->disabled("! user->isAdmin"); + } if ($post_args['action'] == 'verify') { // Real delete. return $this->removePages($request, $p); @@ -213,6 +218,10 @@ extends WikiPlugin } // $Log: not supported by cvs2svn $ +// Revision 1.15 2004/03/01 13:48:46 rurban +// rename fix +// p[] consistency fix +// // Revision 1.14 2004/02/22 23:20:33 rurban // fixed DumpHtmlToDir, // enhanced sortby handling in PageList diff --git a/lib/plugin/WikiAdminRename.php b/lib/plugin/WikiAdminRename.php index 106b2d45f..1864648be 100644 --- a/lib/plugin/WikiAdminRename.php +++ b/lib/plugin/WikiAdminRename.php @@ -1,5 +1,5 @@ isPost()) $pages = $p; - if ($p && $request->isPost() && $request->_user->isAdmin() - && !empty($post_args['rename']) && empty($post_args['cancel'])) { + if ($p && $request->isPost() && + !empty($post_args['rename']) && empty($post_args['cancel'])) { + + // FIXME: check individual PagePermissions + if (!$request->_user->isAdmin()) { + $request->_notAuthorized(WIKIAUTH_ADMIN); + $this->disabled("! user->isAdmin"); + } + // FIXME: error message if not admin. if ($post_args['action'] == 'verify') { // Real action 
@@ -187,6 +194,10 @@ extends WikiPlugin_WikiAdminSelect } // $Log: not supported by cvs2svn $ +// Revision 1.8 2004/03/01 13:48:46 rurban +// rename fix +// p[] consistency fix +// // Revision 1.7 2004/02/22 23:20:33 rurban // fixed DumpHtmlToDir, // enhanced sortby handling in PageList diff --git a/lib/plugin/WikiAdminSearchReplace.php b/lib/plugin/WikiAdminSearchReplace.php index 9857444e4..3775da2cd 100644 --- a/lib/plugin/WikiAdminSearchReplace.php +++ b/lib/plugin/WikiAdminSearchReplace.php @@ -1,5 +1,5 @@ isPost()) $pages = $p; - if ($p && $request->isPost() && $request->_user->isAdmin() - && empty($post_args['cancel'])) { - // FIXME: error message if not admin. + if ($p && $request->isPost() && + empty($post_args['cancel'])) { + + // FIXME: check individual PagePermissions + if (!$request->_user->isAdmin()) { + $request->_notAuthorized(WIKIAUTH_ADMIN); + $this->disabled("! user->isAdmin"); + } + if ($post_args['action'] == 'verify' and !empty($post_args['from'])) { // Real action return $this->searchReplacePages($dbi, $request, $p, $post_args['from'], $post_args['to']); @@ -237,6 +243,9 @@ function stri_replace($find,$replace,$string) { } // $Log: not supported by cvs2svn $ +// Revision 1.6 2004/02/24 15:20:07 rurban +// fixed minor warnings: unchecked args, POST => Get urls for sortby e.g. +// // Revision 1.5 2004/02/17 12:11:36 rurban // added missing 4th basepage arg at plugin->run() to almost all plugins. This caused no harm so far, because it was silently dropped on normal usage. However on plugin internal ->run invocations it failed. (InterWikiSearch, IncludeSiteMap, ...) // diff --git a/lib/plugin/WikiAdminSetAcl.php b/lib/plugin/WikiAdminSetAcl.php index b3975a5a1..3494dac95 100644 --- a/lib/plugin/WikiAdminSetAcl.php +++ b/lib/plugin/WikiAdminSetAcl.php 
@@ -1,5 +1,5 @@ isPost()) $pages = $p; - if ($p && $request->isPost() && $request->_user->isAdmin() - && !empty($post_args['acl']) && empty($post_args['cancel'])) { - // FIXME: error message if not admin. + if ($p && $request->isPost() && + !empty($post_args['acl']) && empty($post_args['cancel'])) { + + // FIXME: check individual PagePermissions + if (!$request->_user->isAdmin()) { + $request->_notAuthorized(WIKIAUTH_ADMIN); + $this->disabled("! user->isAdmin"); + } + if ($post_args['action'] == 'verify') { // Real action return $this->setaclPages($dbi, $request, $p, @@ -207,6 +213,9 @@ extends WikiPlugin_WikiAdminSelect } // $Log: not supported by cvs2svn $ +// Revision 1.2 2004/02/24 04:02:07 rurban +// Better warning messages +// // Revision 1.1 2004/02/23 21:30:25 rurban // more PagePerm stuff: (working against 1.4.0) // ACL editing and simplification of ACL's to simple rwx------ string diff --git a/lib/plugin/WikiAdminUtils.php b/lib/plugin/WikiAdminUtils.php index 0d86bdd25..23dd1a4a2 100644 --- a/lib/plugin/WikiAdminUtils.php +++ b/lib/plugin/WikiAdminUtils.php @@ -1,5 +1,5 @@ isPost()) { $user = $request->getUser(); - if (!$user->isAdmin()) + if (!$user->isAdmin()) { + $request->_notAuthorized(WIKIAUTH_ADMIN); return $this->error(_("You must be an administrator to use this plugin.")); + } return $this->do_action($request, $posted); } -- 2.45.0