Commit 11d215b6 authored by Jan-Hendrik Willms's avatar Jan-Hendrik Willms

check every wiki page for correct context, fixes #4585

Closes #4585

Merge request studip/studip!3395
parent 9514cdb9
......@@ -31,6 +31,7 @@ class Course_WikiController extends AuthenticatedController
Navigation::activateItem('/course/wiki/start');
$this->page = new WikiPage($page_id);
$this->validateWikiPage($this->page, $this->range);
$sidebar = Sidebar::Get();
if (!$this->page->isReadable()) {
......@@ -176,9 +177,8 @@ class Course_WikiController extends AuthenticatedController
public function pagesettings_action(WikiPage $page)
{
if (!$page->isEditable()) {
throw new AccessDeniedException();
}
$this->validateWikiPage($page, $this->range, true);
$options = [
'' => _('Keine')
];
......@@ -291,9 +291,8 @@ class Course_WikiController extends AuthenticatedController
public function ask_deleting_action(WikiPage $page)
{
if (!$page->isEditable()) {
throw new AccessDeniedException();
}
$this->validateWikiPage($page, $this->range, true);
PageLayout::setTitle(_('Was genau soll gelöscht werden?'));
}
......@@ -301,9 +300,7 @@ class Course_WikiController extends AuthenticatedController
{
CSRFProtection::verifyUnsafeRequest();
if (!$page->isEditable()) {
throw new AccessDeniedException();
}
$this->validateWikiPage($page, $this->range, true);
$name = $page->name;
$page->delete();
......@@ -315,9 +312,7 @@ class Course_WikiController extends AuthenticatedController
{
CSRFProtection::verifyUnsafeRequest();
if (!$page->isEditable()) {
throw new AccessDeniedException();
}
$this->validateWikiPage($page, $this->range, true);
$version = $page->versions[0];
if ($version) {
......@@ -430,6 +425,8 @@ class Course_WikiController extends AuthenticatedController
public function edit_action(WikiPage $page = null)
{
$this->validateWikiPage($page, $this->range, true);
if ($page->isNew() && Request::get('keyword')) {
$name = trim(Request::get('keyword'));
$page = WikiPage::findOneBySQL('`name` = :name AND `range_id` = :range_id', [
......@@ -446,7 +443,7 @@ class Course_WikiController extends AuthenticatedController
$this->redirect($this->editURL($page));
return;
}
if ($page->isNew() || !$page->isEditable()) {
if ($page->isNew()) {
throw new AccessDeniedException();
}
Navigation::activateItem('/course/wiki/start');
......@@ -486,8 +483,10 @@ class Course_WikiController extends AuthenticatedController
public function apply_editing_action(WikiPage $page)
{
if (!$page->isEditable() || !Request::isPost()) {
throw new AccessDeniedException();
$this->validateWikiPage($page, $this->range, true);
if (!Request::isPost()) {
throw new MethodNotAllowedException();
}
$user = User::findCurrent();
$pageData = [
......@@ -520,8 +519,10 @@ class Course_WikiController extends AuthenticatedController
public function cancel_apply_editing_action(WikiPage $page)
{
if (!$page->isEditable() || !Request::isPost()) {
throw new AccessDeniedException();
$this->validateWikiPage($page, $this->range,true);
if (!Request::isPost()) {
throw new MethodNotAllowedException();
}
$user = User::findCurrent();
$pageData = [
......@@ -545,9 +546,8 @@ class Course_WikiController extends AuthenticatedController
public function leave_editing_action(WikiPage $page)
{
if (!$page->isEditable()) {
throw new AccessDeniedException();
}
$this->validateWikiPage($page, $this->range, true);
$user = User::findCurrent();
$pageData = [
'page_id' => $page->id,
......@@ -562,8 +562,10 @@ class Course_WikiController extends AuthenticatedController
public function delegate_edit_mode_action(WikiPage $page, $user_id)
{
if (!$page->isEditable() || !Request::isPost()) {
throw new AccessDeniedException();
$this->validateWikiPage($page, $this->range, true);
if (!Request::isPost()) {
throw new MethodNotAllowedException();
}
$user = User::findCurrent();
$pageData = [
......@@ -607,9 +609,7 @@ class Course_WikiController extends AuthenticatedController
{
CSRFProtection::verifyUnsafeRequest();
if (!$page->isEditable()) {
throw new AccessDeniedException();
}
$this->validateWikiPage($page, $this->range, true);
$page->content = \Studip\Markup::markAsHtml(trim(Request::get('content')));
$user = User::findCurrent();
......@@ -699,12 +699,16 @@ class Course_WikiController extends AuthenticatedController
public function history_action(WikiPage $page)
{
$this->validateWikiPage($page, $this->range);
Navigation::activateItem('/course/wiki/start');
Sidebar::Get()->addWidget($this->getViewsWidget($this->page, 'history'));
}
public function version_action(WikiVersion $version)
{
$this->validateWikiPage($version->page, $this->range);
Navigation::activateItem('/course/wiki/start');
Sidebar::Get()->addWidget($this->getViewsWidget($version->page, 'history'));
$startPage = WikiPage::find($this->range->getConfiguration()->WIKI_STARTPAGE_ID);
......@@ -720,6 +724,8 @@ class Course_WikiController extends AuthenticatedController
public function blame_action(WikiPage $page)
{
$this->validateWikiPage($page, $this->range);
Navigation::activateItem('/course/wiki/start');
Sidebar::Get()->addWidget($this->getViewsWidget($page, 'blame'));
......@@ -762,6 +768,8 @@ class Course_WikiController extends AuthenticatedController
public function diff_action(WikiPage $page)
{
$this->validateWikiPage($page, $this->range);
Navigation::activateItem('/course/wiki/start');
Sidebar::Get()->addWidget($this->getViewsWidget($page, 'diff'));
......@@ -801,6 +809,8 @@ class Course_WikiController extends AuthenticatedController
public function versiondiff_action (WikiPage $page, $version_id = null)
{
$this->validateWikiPage($page, $this->range);
if ($version_id !== null) {
$this->version = WikiVersion::find($version_id);
}
......@@ -1003,6 +1013,8 @@ class Course_WikiController extends AuthenticatedController
public function searchpage_action(WikiPage $page)
{
$this->validateWikiPage($page, $this->range);
if (!$page->isReadable()) {
throw new AccessDeniedException();
}
......@@ -1027,6 +1039,8 @@ class Course_WikiController extends AuthenticatedController
public function pdf_action(WikiPage $page)
{
$this->validateWikiPage($page, $this->range);
if (!$page->isReadable()) {
throw new AccessDeniedException();
}
......@@ -1303,4 +1317,21 @@ class Course_WikiController extends AuthenticatedController
}
return implode('<br>', $output);
}
private function validateWikiPage(WikiPage $page, Range $context, bool $for_edit = false): void
{
if (
!$page->isNew()
&& $page->range_id !== $context->id
) {
throw new Exception(sprintf(
_('Diese Wikiseite gehört nicht zu dieser %s'),
$context->describeRange()
));
}
if ($for_edit && !$page->isEditable()) {
throw new Exception(_('Sie dürfen diese Wikiseite nicht bearbeiten'));
}
}
}
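Review bot: The new `validateWikiPage` helper at the end of the controller section throws a bare `Exception` for both the context mismatch and the not-editable case, whereas the per-action checks it replaces in `pagesettings_action`, `ask_deleting_action`, `leave_editing_action` and the other edit actions threw `AccessDeniedException`; if the framework renders `AccessDeniedException` as an access-denied (403) response, as its use elsewhere in this file suggests, a user without edit rights now presumably gets a generic error page instead. Consider `throw new AccessDeniedException(_('Sie dürfen diese Wikiseite nicht bearbeiten'));` and the same exception type for the range mismatch, provided `AccessDeniedException` accepts a message. `edit_action(WikiPage $page = null)` now passes a possibly-null `$page` into the non-nullable `WikiPage $page` parameter of the helper, which would surface as a `TypeError` rather than an authorization failure should the router ever supply null; the same applies to `version_action`, where `$version->page` is passed without a null check. The call in `cancel_apply_editing_action` is written `$this->range,true`; add the space after the comma to match the other call sites.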
......@@ -16,6 +16,8 @@
* @property string page_id database column
* @property string id alias column for user_id
* @property string last_lifesign computed column read/write
*
* @property WikiPage $page
*/
class WikiVersion extends SimpleORMap
{