# HG changeset patch # User Dan # Date 1239656240 14400 # Node ID 44851d7e9bda7c06a2cd54c39bd1c63191eab5d1 # Parent c949e82b8f49e178ff25349fa98acc6bad6016f6 Live Re-Auth is now required for deleting pages, editing ACLs, protecting pages, and clearing logs. Committing in a hurry as a storm is coming in, hope everything is in there. diff -r c949e82b8f49 -r 44851d7e9bda includes/clientside/static/acl.js --- a/includes/clientside/static/acl.js Mon Apr 13 14:43:28 2009 -0400 +++ b/includes/clientside/static/acl.js Mon Apr 13 16:57:20 2009 -0400 @@ -9,6 +9,21 @@ if(IE) return true; + void(page_id); + void(namespace); + + // require re-auth + if ( auth_level <= USER_LEVEL_MEMBER ) + { + load_component(['login', 'fadefilter', 'flyin', 'jquery', 'jquery-ui', 'crypto', 'messagebox']); + ajaxDynamicReauth(function(key) + { + ajaxOpenACLManager(page_id, namespace); + }, user_level); + + return false; + } + load_component(['l10n', 'messagebox', 'fadefilter', 'template-compiler', 'jquery', 'jquery-ui', 'autofill']); if(!page_id || !namespace) diff -r c949e82b8f49 -r 44851d7e9bda includes/clientside/static/ajax.js --- a/includes/clientside/static/ajax.js Mon Apr 13 14:43:28 2009 -0400 +++ b/includes/clientside/static/ajax.js Mon Apr 13 16:57:20 2009 -0400 @@ -42,6 +42,18 @@ // touch this variable to allow it to be used in child functions void(existing_level); + // require re-auth + if ( auth_level <= USER_LEVEL_MEMBER ) + { + load_component(['login', 'fadefilter', 'flyin', 'jquery', 'jquery-ui', 'crypto', 'messagebox']); + ajaxDynamicReauth(function(key) + { + ajaxProtect(existing_level); + }, user_level); + + return false; + } + load_component(['messagebox', 'jquery', 'jquery-ui', 'l10n', 'fadefilter', 'flyin']); // preload language @@ -312,6 +324,19 @@ // IE <6 pseudo-compatibility if ( KILL_SWITCH ) return true; + + // require re-auth + if ( auth_level <= USER_LEVEL_MEMBER ) + { + load_component(['login', 'fadefilter', 'flyin', 'jquery', 'jquery-ui', 'crypto', 'messagebox']); + ajaxDynamicReauth(function(key) + { + ajaxDeletePage(); + }, user_level); + + return false; + } + load_component(['l10n', 'messagebox', 'jquery', 'jquery-ui', 'fadefilter', 'flyin']); // stage 1: prompt for reason and confirmation @@ -705,6 +730,18 @@ if ( KILL_SWITCH ) return true; + // require re-auth + if ( auth_level <= USER_LEVEL_MEMBER ) + { + load_component(['login', 'fadefilter', 'flyin', 'jquery', 'jquery-ui', 'crypto', 'messagebox']); + ajaxDynamicReauth(function(key) + { + ajaxClearLogs(); + }, user_level); + + return false; + } + load_component(['l10n', 'messagebox', 'flyin', 'fadefilter']); miniPromptMessage({ diff -r c949e82b8f49 -r 44851d7e9bda includes/clientside/static/fadefilter.js --- a/includes/clientside/static/fadefilter.js Mon Apr 13 14:43:28 2009 -0400 +++ b/includes/clientside/static/fadefilter.js Mon Apr 13 16:57:20 2009 -0400 @@ -117,7 +117,7 @@ document.getElementById(layerid).destroying = true; var from = document.getElementById(layerid).myOpacVal; opacity(layerid, from, 0, 1000); - setTimeout("if ( document.getElementById('" + layerid + "').destroying ) { document.getElementById('" + layerid + "').destroying = false; document.getElementById('" + layerid + "').style.display = 'none'; }", 1000); + setTimeout("var l = document.getElementById('" + layerid + "'); var b = document.getElementsByTagName('body')[0]; b.removeChild(l);", 1000); } } return document.getElementById(layerid); diff -r c949e82b8f49 -r 44851d7e9bda includes/clientside/static/login.js --- a/includes/clientside/static/login.js Mon Apr 13 14:43:28 2009 -0400 +++ b/includes/clientside/static/login.js Mon Apr 13 16:57:20 2009 -0400 @@ -1123,7 +1123,17 @@ color: 'blue', onclick: function() { - miniPromptDestroy(this); + var mp = miniPromptGetParent(this); + var whitey = whiteOutMiniPrompt(mp); + setTimeout(function() + { + whiteOutReportSuccess(whitey); + setTimeout(function() + { + miniPromptDestroy(mp); + }, 1250); + }, 1000); + ajaxLoginPerformRequest({ mode: 'logout', level: auth_level, @@ -1408,4 +1418,5 @@ } window.location.hash = '#auth:false'; } + window.stdAjaxPrefix = append_sid(scriptPath + '/ajax.php?title=' + title); } diff -r c949e82b8f49 -r 44851d7e9bda includes/pageprocess.php --- a/includes/pageprocess.php Mon Apr 13 14:43:28 2009 -0400 +++ b/includes/pageprocess.php Mon Apr 13 16:57:20 2009 -0400 @@ -848,6 +848,15 @@ ); } + // Validate re-auth + if ( !$session->sid_super ) + { + return array( + 'success' => false, + 'error' => 'access_denied_need_reauth' + ); + } + // Validate input $reason = trim($reason); if ( !in_array($protection_level, array(PROTECT_NONE, PROTECT_FULL, PROTECT_SEMI)) || empty($reason) ) diff -r c949e82b8f49 -r 44851d7e9bda includes/pageutils.php --- a/includes/pageutils.php Mon Apr 13 14:43:28 2009 -0400 +++ b/includes/pageutils.php Mon Apr 13 16:57:20 2009 -0400 @@ -1110,6 +1110,10 @@ { return $lang->get('etc_access_denied'); } + if ( !$session->sid_super ) + { + return $lang->get('etc_access_denied_need_reauth'); + } $e = $db->sql_query('DELETE FROM ' . table_prefix.'logs WHERE page_id=\'' . $db->escape($page_id) . '\' AND namespace=\'' . $db->escape($namespace) . '\';'); if(!$e) $db->_die('The log entries could not be deleted.'); @@ -1148,6 +1152,12 @@ return $lang->get('ajax_delete_need_reason'); } if(!$perms->get_permissions('delete_page')) return('Administrative privileges are required to delete pages, you loser.'); + + if ( !$session->sid_super ) + { + return $lang->get('etc_access_denied_need_reauth'); + } + $e = $db->sql_query('INSERT INTO ' . table_prefix.'logs(time_id,date_string,log_type,action,page_id,namespace,author,edit_summary) VALUES('.time().', \''.enano_date('d M Y h:i a').'\', \'page\', \'delete\', \'' . $page_id . '\', \'' . $namespace . '\', \'' . $session->username . '\', \'' . $db->escape(htmlspecialchars($reason)) . '\')'); if(!$e) $db->_die('The page log entry could not be inserted.'); $e = $db->sql_query('DELETE FROM ' . table_prefix.'categories WHERE page_id=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\''); @@ -1681,6 +1691,13 @@ 'error' => $lang->get('acl_err_access_denied') ); } + if ( !$session->sid_super ) + { + return Array( + 'mode' => 'error', + 'error' => $lang->get('etc_access_denied_need_reauth') + ); + } $parms['page_id'] = ( isset($parms['page_id']) ) ? $parms['page_id'] : false; $parms['namespace'] = ( isset($parms['namespace']) ) ? $parms['namespace'] : false; $page_id =& $parms['page_id']; diff -r c949e82b8f49 -r 44851d7e9bda index.php --- a/index.php Mon Apr 13 14:43:28 2009 -0400 +++ b/index.php Mon Apr 13 16:57:20 2009 -0400 @@ -329,6 +329,11 @@ $template->footer(); break; case 'protect': + if ( !$session->sid_super ) + { + redirect(makeUrlNS('Special', "Login/{$paths->page}", 'target_do=protect&level=' . $session->user_level, false), $lang->get('etc_access_denied_short'), $lang->get('etc_access_denied_need_reauth'), 0); + } + if ( isset($_POST['level']) && isset($_POST['reason']) ) { $level = intval($_POST['level']); @@ -442,6 +447,10 @@ { die_friendly($lang->get('etc_access_denied_short'), '
' . $lang->get('etc_access_denied') . '
'); } + if ( !$session->sid_super ) + { + redirect(makeUrlNS('Special', "Login/{$paths->page}", 'target_do=flushlogs&level=' . $session->user_level, false), $lang->get('etc_access_denied_short'), $lang->get('etc_access_denied_need_reauth'), 0); + } require_once(ENANO_ROOT.'/includes/pageutils.php'); if(isset($_POST['_downthejohn'])) { @@ -517,6 +526,11 @@ { die_friendly($lang->get('etc_access_denied_short'), '' . $lang->get('etc_access_denied') . '
'); } + if ( !$session->sid_super ) + { + redirect(makeUrlNS('Special', "Login/{$paths->page}", 'target_do=deletepage&level=' . $session->user_level, false), $lang->get('etc_access_denied_short'), $lang->get('etc_access_denied_need_reauth'), 0); + } + require_once(ENANO_ROOT.'/includes/pageutils.php'); if(isset($_POST['_adiossucker'])) { @@ -620,6 +634,11 @@ die_friendly($lang->get('page_detag_success_title'), '' . $lang->get('page_detag_success_body') . '
'); break; case 'aclmanager': + if ( !$session->sid_super ) + { + redirect(makeUrlNS('Special', "Login/{$paths->page}", 'target_do=aclmanager&level=' . $session->user_level, false), $lang->get('etc_access_denied_short'), $lang->get('etc_access_denied_need_reauth'), 0); + } + require_once(ENANO_ROOT.'/includes/pageutils.php'); $data = ( isset($_POST['data']) ) ? $_POST['data'] : Array('mode' => 'listgroups'); PageUtils::aclmanager($data); diff -r c949e82b8f49 -r 44851d7e9bda language/english/core.json --- a/language/english/core.json Mon Apr 13 14:43:28 2009 -0400 +++ b/language/english/core.json Mon Apr 13 16:57:20 2009 -0400 @@ -123,6 +123,7 @@ err_access_denied_siteadmin: 'site administrator', err_seeking_living_among_dead: 'You are trying to un-delete a page that has since been restored.\n\n"But the men said to them, \'Why do you look for the living among the dead?\'" (Luke 24:5b/NIV)', err_access_denied: 'Access to that action is denied.', + err_access_denied_need_reauth: '%this.etc_access_denied_need_reauth%', err_invalid_parameter: 'An invalid value (parameter) was sent to this action.', err_rb_action_not_supported: 'Rolling back actions of type "%action%" isn\'t supported.', err_rb_file_rename_failed: 'Could not rename the file to its new name (1.1.x format)', @@ -759,6 +760,7 @@ // Generic "Access denied" access_denied: 'Access to the specified file, resource, or action is denied.', access_denied_short: 'Access denied', + access_denied_need_reauth: 'You need to re-authenticate before you can do that.', return_to_page: 'Return to the page', invalid_request_short: 'Invalid request', // Message box buttons diff -r c949e82b8f49 -r 44851d7e9bda plugins/SpecialUserFuncs.php --- a/plugins/SpecialUserFuncs.php Mon Apr 13 14:43:28 2009 -0400 +++ b/plugins/SpecialUserFuncs.php Mon Apr 13 16:57:20 2009 -0400 @@ -344,8 +344,6 @@ - setHook('login_form_html'); foreach ( $code as $cmd ) { @@ -450,6 +448,29 @@ generate_aes_form(); + + // Any additional parameters that need to be passed back? + if ( $p = $paths->getAllParams() ) + { + // ... only if we have a return_to destination. + $get_fwd = $_GET; + unset($get_fwd['do']); + if ( isset($get_fwd['target_do']) ) + { + $get_fwd['do'] = $get_fwd['target_do']; + unset($get_fwd['target_do']); + } + if ( isset($get_fwd['level']) ) + unset($get_fwd['level']); + if ( isset($get_fwd['title']) ) + unset($get_fwd['title']); + + if ( !empty($get_fwd) ) + { + $get_string = htmlspecialchars(enano_json_encode($get_fwd)); + echo ''; + } + } ?> login_without_crypto($_POST['username'], $password, false, intval($_POST['auth_level']), $captcha_hash, $captcha_code, isset($_POST['remember'])); } - + if($result['success']) { $session->start(); + $get_add = false; + if ( isset($_POST['get_fwd']) ) + { + try + { + $get_fwd = enano_json_decode($_POST['get_fwd']); + $get_add = ''; + foreach ( $get_fwd as $key => $value ) + { + $get_add .= "&{$key}=" . urlencode($value); + } + $get_add = ltrim($get_add, '&'); + } + catch ( Exception $e ) + { + } + } + $template->load_theme($session->theme, $session->style); if(isset($_POST['return_to'])) { @@ -573,7 +612,7 @@ 'username' => $session->username, 'redir_target' => $name ); - redirect( makeUrl($_POST['return_to'], false, true), $lang->get('user_login_success_title'), $lang->get('user_login_success_body', $subst) ); + redirect( makeUrl($_POST['return_to'], $get_add), $lang->get('user_login_success_title'), $lang->get('user_login_success_body', $subst) ); } else { @@ -581,7 +620,7 @@ 'username' => $session->username, 'redir_target' => $lang->get('user_login_success_body_mainpage') ); - redirect( makeUrl(get_main_page(), false, true), $lang->get('user_login_success_title'), $lang->get('user_login_success_body', $subst) ); + redirect( makeUrl(get_main_page(), $get_add), $lang->get('user_login_success_title'), $lang->get('user_login_success_body', $subst) ); } } else