[dokuwiki] Re: [patch] hide pageinfo if no access
- From: David Lorentsen <zyberdog@xxxxxxxxxxxx>
- To: dokuwiki@xxxxxxxxxxxxx
- Date: Sat, 24 Feb 2007 12:47:34 +0100
Hello,
If you restrict access to an entire namespace, unauthorized users are
able to see if a certain page exists [1], when it was last edited, and
by who. This patch makes the tpl_pageinfo() function call
auth_quickaclcheck() to see if you are allowed to view the page. And
return if not.
[1] There might be other methods to see if pages exist, but it's a step
in the right direction.
--
David
Since you haven't applied this patch yet, and I found 2 more small things (one
of them in the same file), I figured I'd sum them up in one file:
a) tpl_pageinfo() explained above
b) tpl_actionlink('login') should use css class 'login' and not 'logout'
c) included page wiki:dokuwiki has bad link to FAQ on licenses
--
David
New patches:
[hide pageinfo if no access
David Lorentsen <zyberdog@xxxxxxxxxxxx>**20070221133007] {
hunk ./inc/template.php 764
-
+ global $ID;
+
+ // return if we are not allowed to view the page
+ if (!auth_quickaclcheck($ID)) { return; }
+
}
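Review bot: the early exit added to tpl_pageinfo() at inc/template.php 764 is a bare "return;", which yields NULL, while the context patch "Return true/false from all template output functions" has tpl_* functions return true when something was printed; use "return false;" so callers can tell nothing was shown. The test "!auth_quickaclcheck($ID)" only fires when the returned permission level is falsy; an explicit comparison such as "auth_quickaclcheck($ID) < AUTH_READ" states the intent directly. If $ID is already declared global earlier in the function (not visible in this hunk), the added "global $ID;" is redundant.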
[css fix for tpl_actionlink login
David Lorentsen <zyberdog@xxxxxxxxxxxx>**20070224112634] {
hunk ./inc/template.php 570
-
tpl_link(wl($ID,'do=login'),$pre.$lang['btn_login'].$suf,'class="action
logout"');
+
tpl_link(wl($ID,'do=login'),$pre.$lang['btn_login'].$suf,'class="action
login"');
}
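Review bot: switching the class on the login link at inc/template.php 570 from "action logout" to "action login" will drop styling in any template stylesheet that targets the login button through .logout, and this bundle touches no CSS. Check the default template for a matching .login rule, or add one in the same patch, so the button does not lose its icon or spacing.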
[wiki:dokuwiki licence FAQ link
David Lorentsen <zyberdog@xxxxxxxxxxxx>**20070224113223] {
hunk ./data/pages/wiki/dokuwiki.txt 65
-Not sure what this means? See the [[doku>wiki:faq#licenses_explained|FAQ on
the Licenses]].
+Not sure what this means? See the [[doku>wiki:faq:license|FAQ on the
Licenses]].
+
}
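Review bot: the last "+" line in the data/pages/wiki/dokuwiki.txt hunk adds an empty line after the changed link, which is unrelated to the link fix; drop it unless the blank line is needed to end the paragraph. The new target "doku>wiki:faq:license" replaces an anchor on the FAQ page with a separate page, so confirm that page exists on the interwiki target before merging.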
Context:
[added missing files for patch by wingedfox
Andreas Gohr <andi@xxxxxxxxxxxxxx>**20070219210653]
[JS checks for .hasOwnProperty
wingedfox@xxxxxxxxxxx**20070111114236
This patch includes
- several helper functions - is* checks
- hasOwnProperty method emulator
- checks for .hasOwnProperty in all for..in loops
]
[Rar mime type added
wingedfox@xxxxxxxxxxx**20070111113557]
[better red-green blindness compatibility FS#1065
Andreas Gohr <andi@xxxxxxxxxxxxxx>**20070218142625
This adds a dashed border for non-existing links to make it easier to
distinguish between existing and non existing links for users with
color-blindness.
]
[minor spelling fix in German language
Andreas Gohr <andi@xxxxxxxxxxxxxx>**20070218135700]
[Fix namespace links and titles (FS 1005, 1006)
Guy Brand <gb@xxxxxxxxxxxxxxxxx>**20070217220746]
[Swedish update
Andreas Gohr <andi@xxxxxxxxxxxxxx>**20070218134846]
[config plugin TOC refactoring
Ben Coburn <btcoburn@xxxxxxxxxxxxx>**20070215015318
Now uses the new toc_additem function in the Doku_Renderer_xhtml class.
]
[RFC2047 fix for mail subjects (FS #1080)
Guy Brand <gb@xxxxxxxxxxxxxxxxx>**20070215184609
Patch by Per Foreby
]
[Avoid missing file error if no changes
David Lorentsen <zyberdog@xxxxxxxxxxxx>**20070216070704]
[all style sheet addition
martin.tschofen@xxxxxxxxx**20070211024110]
[removed obsolite id #sidebar form print.css
Michael Klier <chi@xxxxxxxxxxx>**20070212153312]
[send notify mails for uploaded files
Andreas Gohr <andi@xxxxxxxxxxxxxx>**20070212190216]
[check if uploaded content matches the given mime type
Andreas Gohr <andi@xxxxxxxxxxxxxx>**20070211223230
A first attempt at fixing FS#1077
currently checks images and spam
]
[disable text uploads by default
Andreas Gohr <andi@xxxxxxxxxxxxxx>**20070211201920
Spammers suck - see http://forum.dokuwiki.org/post/2213
]
[language-specific quotation marks (FS#438)
Anika Henke <a.c.henke@xxxxxxxx>**20070211172015]
[Korean update
Andreas Gohr <andi@xxxxxxxxxxxxxx>**20070210201116]
[compatibility fix for the recent render_TOC change
Andreas Gohr <andi@xxxxxxxxxxxxxx>**20070208195457
render_TOC now behaves like before when called non-statically without an
argument
Fixes a problem in the config manager and probably other plugins using the
function
as well
]
[workaround config for FS#852
Andreas Gohr <andi@xxxxxxxxxxxxxx>**20070208195145
On certain platforms the ignore_user_abort function does not work as expected,
resulting
in a non working indexer webbug. Users with such a broken system (IIS+PHP as
CGI) can
enable this option to work around the problem (resulting in longer load times
for the
webbug).
]
[polish language update
Grzegorz Zur <grzegorz.zur@xxxxxxxxx>**20070208120717]
[do preconnects only once #1067
Stephane Chazelas <stephane@xxxxxxxxxxxxx>**20070206191629]
[give xhtml renderer method _xmlEntities standard parameter values
chris@xxxxxxxxxxxxx**20070206021203]
[refactor xhtml TOC creation into a class function, FS#1058
chris@xxxxxxxxxxxxx**20070206015454
- changed inc/parser/xhtml.php, render_TOC() function
it now takes a toc array as a parameter
- refactor render_TOC() and _tocitem() into static class functions
The xhtml renderer can build its TOC using $this->render_TOC($this->toc)
Templates can create a separate TOC using
echo Doku_Renderer_xhtml::render_TOC(p_get_metadata($ID, 'description
tableofcontents'));
]
[refactor renderer header() to separate out adding toc items
chris@xxxxxxxxxxxxx**20070206014821
adds a new render method toc_additem($id, $text, $level)
This allows toc items to be added separately from the header() function,
allowing
plugins to generate their own table of content items without having to copy dw
core code (which may in the future change).
]
[alter search callback to use call_user_func()
chris@xxxxxxxxxxxxx**20070206014428]
[fix for slashes in phrase search #1066
Andreas Gohr <andi@xxxxxxxxxxxxxx>**20070205191848]
[Fix userewrite note in htaccess (FS#1013)
'Guy Brand <gb@xxxxxxxxxxxxxxxxx>'**20070128215856]
[Encode/Decode numeric HTML entities correctly.
Tom N Harris <tnharris@xxxxxxxxxxxxx>**20070202070509
utf8_tohtml handles all codepoints, and the inverse
function, utf8_unhtml, is added.
]
[Return true/false from all template output functions.
Tom N Harris <tnharris@xxxxxxxxxxxxx>**20070202064949
Any tpl_* function that doesn't otherwise return a value
will return true if something was printed.
]
[Show file name in debug comment when creating new cache.
Tom N Harris <tnharris@xxxxxxxxxxxxx>**20070202063800]
[Use new index format in bin/indexer.php
Tom N Harris <tnharris@xxxxxxxxxxxxx>**20070202063511]
[TAG develsnap 2007-02-01
Andreas Gohr <andi@xxxxxxxxxxxxxx>**20070201000001]
Patch bundle hash:
5f795fc3e6c5e4c5d94bb11377bf765effd8db4b
- References:
- [dokuwiki] [patch] hide pageinfo if no access
- From: David Lorentsen