From f32ea7d383b84b507b68b73977054bb97ca4065c Mon Sep 17 00:00:00 2001
From: dairiki
Date: Mon, 28 Jan 2002 01:57:13 +0000
Subject: [PATCH] Fixed bugs so now page deletion works again.
Also added some minor safety features:
o Require deletion confirmation to be sent via POST rather than GET. This makes it slightly more difficult to do mass damage via simple scripts...
o Also include version serialization checks. If someone edits the page between when you hit the remove button and when you confirm the delete, the deletion will fail. (This also makes it a little harder for malicious hackers to trash a wiki...)
git-svn-id: svn://svn.code.sf.net/p/phpwiki/code/trunk@1653 96ab9672-09ca-45d6-a79d-3d69d39ca109
---
 lib/main.php | 3 ++-
 lib/removepage.php | 43 ++++++++++++++++++++++++++++++++++---------
 2 files changed, 36 insertions(+), 10 deletions(-)
diff --git a/lib/main.php b/lib/main.php
index 85cd5b8ce..e2dc24f8e 100644
--- a/lib/main.php
+++ b/lib/main.php
@@ -1,5 +1,5 @@ requireAuth(WIKIAUTH_ADMIN);
 include('lib/removepage.php');
+ RemovePage($this);
 }
diff --git a/lib/removepage.php b/lib/removepage.php
index 363ad1a04..57ab17d71 100644
--- a/lib/removepage.php
+++ b/lib/removepage.php
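Review bot: `include('lib/removepage.php')` on the line before the new `RemovePage($this);` should become `require_once('lib/removepage.php');` now that the included file no longer calls RemovePage() itself: if the remove action were ever dispatched twice in one request, re-including would redeclare the function and fatal, and if the include failed the warning would be followed by a call to an undefined function. The enclosing method starts outside this hunk, and the hunk's first context line appears truncated in this view.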
@@ -1,25 +1,51 @@ getArg('pagename');
+ $pagelink = $Theme->linkExistingWikiWord($pagename);
+ $page = $request->getPage();
+ $rev = $page->getCurrentRevision();
+ $version = $rev->getVersion();
+
+ if ($request->getArg('cancel')) {
+ $request->redirect(WikiURL($pagename));
+ // The user probably doesn't see the rest of this.
+ $html[] = HTML::h2(_("Request Cancelled!"));
+ $html[] = HTML::p(fmt("Return to %s.", $pagelink));
+ }
+
- if ($request->getArg('verify') != 'okay') {
+ if (!$request->isPost() || !$request->getArg('verify')) {
 $url = WikiURL($pagename, array('action' => 'remove', 'verify' => 'okay'));
- $removeB = $Theme->makeButton(_("Remove the page now"), $url, 'wikiadmin');
- $cancelB = $Theme->makeButton(_("Cancel"), WikiURL($pagename), 'wikiaction');
+ $removeB = $Theme->makeSubmitButton(_("Remove the page now"), 'verify', 'wikiadmin');
+ $cancelB = $Theme->makeSubmitButton(_("Cancel"), 'cancel', 'wikiaction');
 $html[] = HTML::h2(fmt("You are about to remove '%s' permanently!", $pagelink));
- $html[] =HTML::div(array('class' => 'toolbar'),
- $removeB,
- $Theme->getButtonSeparator(),
- $cancelB);
+ $html[] = HTML::form(array('method' => 'post',
+ 'action' => WikiURL($pagename)),
+ HTML::input(array('type' => 'hidden',
+ 'name' => 'currentversion',
+ 'value' => $version)),
+ HTML::input(array('type' => 'hidden',
+ 'name' => 'action',
+ 'value' => 'remove')),
+ HTML::div(array('class' => 'toolbar'),
+ $removeB,
+ $Theme->getButtonSeparator(),
+ $cancelB));
+ }
+ elseif ($request->getArg('currentversion') != $version) {
+ $html[] = HTML::h2(_("Someone has edited the page!"));
+ $html[] = HTML::p(fmt("Since you started the deletion process, someone has saved a new version of %s. Please check to make sure you still want to premanently remove the page from the database.", $pagelink));
 } else {
+ // Real delete.
 $dbi = $request->getDbh();
 $dbi->deletePage($pagename);
 $html[] = HTML::h2(fmt("Removed page '%s' succesfully.", $pagename));
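Review bot: The cancel branch at the top of the hunk calls `$request->redirect(WikiURL($pagename));` but does not return, so execution continues into the verify/version/delete chain; a POST carrying `cancel`, `verify` and a matching `currentversion` together would emit the redirect and still reach `$dbi->deletePage($pagename)` unless redirect() terminates the request, which the hunk does not show — add `return;` after the redirect (or make the following `if` an `elseif`) so cancel can never fall through to the delete. The POST requirement and the version check are both satisfiable by anyone who can read the page, since the hidden `currentversion` and `action` values are public, so they do not stop a request forged from an admin's browser by another site; the check that would is a hidden field holding an unguessable per-session token, compared before the `// Real delete.` branch. The version check compares a request string with `!=`; if getVersion() returns an int, `(int) $request->getArg('currentversion') !== $version` avoids loose-comparison surprises. Two smaller things: the context line `$url = WikiURL(...)` is dead on the new side now that both buttons are submit buttons, and the new message string misspells "permanently" as "premanently". RemovePage()'s header lies above the start of this hunk and is not visible here.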
@@ -28,7 +54,6 @@ function RemovePage (&$request) {
 GeneratePage($html, _("Remove page"));
 }
-RemovePage($request);
 // For emacs users // Local Variables:
-- 
2.45.0