# HG changeset patch
# User Dan
# Date 1182441616 14400
# Node ID ccad6026a16871e62ddcfe6d4fe9e523e671f361
# Parent 2f530ad04f1b8af90e41788257878503d35f364b
Finalized permissions on files and directories; added PHP shutoff button (actual shutoff not implemented)
diff -r 2f530ad04f1b -r ccad6026a168 cache/.htaccess
diff -r 2f530ad04f1b -r ccad6026a168 cache/index.php
diff -r 2f530ad04f1b -r ccad6026a168 files/.htaccess
diff -r 2f530ad04f1b -r ccad6026a168 files/index.php
diff -r 2f530ad04f1b -r ccad6026a168 images/bad.gif
diff -r 2f530ad04f1b -r ccad6026a168 images/delete.png
diff -r 2f530ad04f1b -r ccad6026a168 images/disenable.png
diff -r 2f530ad04f1b -r ccad6026a168 images/edit.png
diff -r 2f530ad04f1b -r ccad6026a168 images/error.png
diff -r 2f530ad04f1b -r ccad6026a168 images/good.gif
diff -r 2f530ad04f1b -r ccad6026a168 images/grippy.gif
diff -r 2f530ad04f1b -r ccad6026a168 images/icons/empty.gif
diff -r 2f530ad04f1b -r ccad6026a168 images/icons/join.gif
diff -r 2f530ad04f1b -r ccad6026a168 images/icons/joinbottom.gif
diff -r 2f530ad04f1b -r ccad6026a168 images/icons/line.gif
diff -r 2f530ad04f1b -r ccad6026a168 images/icons/page.gif
diff -r 2f530ad04f1b -r ccad6026a168 images/info.png
diff -r 2f530ad04f1b -r ccad6026a168 images/lock16.png
diff -r 2f530ad04f1b -r ccad6026a168 images/minus.gif
diff -r 2f530ad04f1b -r ccad6026a168 images/move.png
diff -r 2f530ad04f1b -r ccad6026a168 images/php-shutoff.png
Binary file images/php-shutoff.png has changed
diff -r 2f530ad04f1b -r ccad6026a168 images/plus.gif
diff -r 2f530ad04f1b -r ccad6026a168 images/question.png
diff -r 2f530ad04f1b -r ccad6026a168 images/redirector.png
diff -r 2f530ad04f1b -r ccad6026a168 images/unknown.gif
diff -r 2f530ad04f1b -r ccad6026a168 images/wait.png
diff -r 2f530ad04f1b -r ccad6026a168 images/warning.png
diff -r 2f530ad04f1b -r ccad6026a168 includes/clientside/static/ajax.js
--- a/includes/clientside/static/ajax.js Tue Jun 19 18:41:10 2007 -0400
+++ b/includes/clientside/static/ajax.js Thu Jun 21 12:00:16 2007 -0400
@@ -569,3 +569,39 @@
window.location = loc;
}
+function ajaxDisableEmbeddedPHP()
+{
+ if ( !confirm('Are you really sure you want to do this? Some pages might not function if this emergency-only feature is activated.') )
+ return false;
+ var $killdiv = $dynano('php_killer');
+ if ( !$killdiv.object )
+ {
+ alert('Can\'t get kill div object');
+ return false;
+ }
+ $killdiv.object.innerHTML = '
Making request...';
+ var url = makeUrlNS('Admin', 'Home', 'src=ajax');
+ ajaxPost(url, 'act=kill_php', function() {
+ if ( ajax.readyState == 4 )
+ {
+ if ( ajax.responseText == '1' )
+ {
+ var $killdiv = $dynano('php_killer');
+ //$killdiv.object.innerHTML = '
Embedded PHP in pages has been disabled.';
+ $killdiv.object.parentNode.removeChild($killdiv.object);
+ var newdiv = document.createElement('div');
+ // newdiv.style = $killdiv.object.style;
+ newdiv.className = $killdiv.object.className;
+ newdiv.innerHTML = '
Embedded PHP in pages has been disabled.';
+ $killdiv.object.parentNode.appendChild(newdiv);
+ $killdiv.object.parentNode.removeChild($killdiv.object);
+ }
+ else
+ {
+ var $killdiv = $dynano('php_killer');
+ $killdiv.object.innerHTML = ajax.responseText;
+ }
+ }
+ });
+}
+
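Review bot: In the success branch of the `ajaxPost` callback, `$killdiv.object` is detached by the first `removeChild` call (the one right before `var newdiv`), so the later `$killdiv.object.parentNode.appendChild(newdiv)` dereferences a null `parentNode` and throws before the "disabled" message is ever shown. Dropping that first `$killdiv.object.parentNode.removeChild($killdiv.object);` leaves the intended append-then-remove sequence at the end of the branch. The fallback branch assigns `ajax.responseText` directly to `innerHTML`, so whatever the `act=kill_php` handler returns is rendered as markup; that handler is not part of this change (the message says the shutoff is not implemented), so when it lands it should return a fixed status string or escaped text, and, as a state-changing POST, be tied to the admin session check. The `'Making request...'` literal appears split across two lines in this rendering, which looks like stripped markup rather than a real line break in the source.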
diff -r 2f530ad04f1b -r ccad6026a168 includes/paths.php
--- a/includes/paths.php Tue Jun 19 18:41:10 2007 -0400
+++ b/includes/paths.php Thu Jun 21 12:00:16 2007 -0400
@@ -44,7 +44,6 @@
);
// ACL types
- // Note: you can set any of these to AUTH_DENY to universally and unconditionally deny access to the selected action.
// These can also be added from within plugins
$session->register_acl_type('read', AUTH_ALLOW, 'Read page(s)');
@@ -71,7 +70,7 @@
$session->register_acl_type('upload_files', AUTH_DISALLOW, 'Upload files', Array('create_page'), 'Article|User|Project|Template|File|Help|System|Category|Special');
$session->register_acl_type('upload_new_version', AUTH_WIKIMODE, 'Upload new versions of files', Array('upload_files'), 'Article|User|Project|Template|File|Help|System|Category|Special');
$session->register_acl_type('create_page', AUTH_WIKIMODE, 'Create pages', Array(), 'Article|User|Project|Template|File|Help|System|Category|Special');
- $session->register_acl_type('php_in_pages', AUTH_DISALLOW, 'Embed PHP code in pages', Array('edit_page'), 'Article|User|Project|Template|File|Help|System|Category');
+ $session->register_acl_type('php_in_pages', AUTH_DISALLOW, 'Embed PHP code in pages', Array('edit_page'), 'Article|User|Project|Template|File|Help|System|Category|Admin');
$session->register_acl_type('edit_acl', AUTH_DISALLOW, 'Edit access control lists', Array('read', 'post_comments', 'edit_comments', 'edit_page', 'view_source', 'mod_comments', 'history_view', 'history_rollback', 'history_rollback_extra', 'protect', 'rename', 'clear_logs', 'vote_delete', 'vote_reset', 'delete_page', 'set_wiki_mode', 'password_set', 'password_reset', 'mod_misc', 'edit_cat', 'even_when_protected', 'upload_files', 'upload_new_version', 'create_page', 'php_in_pages'));
// DO NOT add new admin pages here! Use a plugin to call $paths->addAdminNode();
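Review bot: The `Admin` namespace is added to the scope of `php_in_pages` with no comment recording why, and nothing in the surrounding lines explains it; presumably it is so the permission can be granted or denied explicitly on admin-panel pages, but that belongs in the code, e.g. `// 'Admin' is in scope so php_in_pages can be set explicitly on admin-panel pages` above the call. The default stays `AUTH_DISALLOW`, so the wider scope grants nothing on its own, and saying so in the same comment would spare the next reader from checking.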
diff -r 2f530ad04f1b -r ccad6026a168 install.php
--- a/install.php Tue Jun 19 18:41:10 2007 -0400
+++ b/install.php Thu Jun 21 12:00:16 2007 -0400
@@ -12,7 +12,7 @@
* warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for details.
*/
-//@include('config.php');
+@include('config.php');
if( ( defined('ENANO_INSTALLED') || defined('MIDGET_INSTALLED') ) && ((isset($_GET['mode']) && ($_GET['mode']!='finish' && $_GET['mode']!='css')) || !isset($_GET['mode']))) {
$_GET['title'] = 'Enano:WhoCaresWhatThisIs';
require('includes/common.php');
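Review bot: `@include('config.php')` silences every warning the include can raise, so an unreadable `config.php` looks the same as an absent one and the installer proceeds as if on a fresh install. Testing for the file first keeps the pre-install case explicit and leaves real problems visible: `if ( file_exists('config.php') ) { include('config.php'); }`. The `ENANO_INSTALLED` check on the following line depends on this include having run, so the two should be read together.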
@@ -168,6 +168,61 @@
mysql_close($conn);
die('good');
break;
+ case 'pophelp':
+ $topic = ( isset($_GET['topic']) ) ? $_GET['topic'] : 'invalid';
+ switch($topic)
+ {
+ case 'admin_embed_php':
+ $title = 'Allow administrators to embed PHP';
+ $content = '
This option allows you to control whether anything between the standard <?php and ?> tags will be treated as + PHP code by Enano. If this option is enabled, and members of the Administrators group use these tags, Enano will + execute that code when the page is loaded. There are obvious potential security implications here, which should + be carefully considered before enabling this option.
+If you are the only administrator of this site, or if you have a high level of trust for those will be administering + the site with you, you should enable this to allow extreme customization of pages.
+Leave this option off if you are at all concerned about security – if your account is compromised and PHP embedding + is enabled, an attacker can run arbitrary code on your server! Enabling this will also allow administrators to + embed Javascript and arbitrary HTML and CSS.
+If you don\'t have experience coding in PHP, you can safely disable this option. You may change this at any time + using the ACL editor by selecting the Administrators group and This Entire Website under the scope selection, or by + using the "embedded PHP kill switch" in the administration panel.
'; + break; + default: + $title = 'Invalid topic'; + $content = 'Invalid help topic.'; + break; + } + echo <<+ Close window +
+ + +EOF; + exit; + break; default: break; } @@ -717,6 +772,21 @@
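Review bot: The `admin_embed_php` help text contains the literal sequence `<?php and ?>` inside a PHP string that is later echoed into the popup page; a browser treats `<?php ... ?>` as a processing instruction, so the very tag names the sentence explains will not be displayed. Writing them as `&lt;?php` and `?&gt;` in the string makes them render as text. `$_GET['topic']` is used only as the `switch` subject with a `default` branch, so it never reaches the output, which is fine; assuming the heredoc interpolates `$title` and `$content` unescaped, the hard-coded strings above are their only source. Minor wording in the second paragraph: `those will be administering` should read `those who will be administering`. The diff lines of this hunk are collapsed in this rendering and the heredoc body is not readable here, so the end of the `pophelp` case is inferred from the `EOF;`/`exit;` fragments.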