Per forum discussion, moved the /fileedit ajax dispatching back down below the login check, but have it emit a JSON response if an ajax route was requested, else an HTML response.
Commit
62263b9cb0597b543ef9f32fee8b6632438d69fdecc037ef166fcf6761a9857c
Parent
6849d9a5579ac4b…
1 file changed
+36
-27
+36
-27
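--- a/src/fileedit.c
+++ b/src/fileedit.c
@@ -1765,14 +1765,48 @@
 end. This content will be
 combined into a single JS
 function call, thus each
 entry must end with a
 semicolon. */
-const char *zAjax = P("name");
+const char *zAjax = P("name"); /* Name of AJAX route for
+sub-dispatching. */
+
+/* Allow no access to this page without check-in privilege */
+login_check_credentials();
+if( !g.perm.Write ){
+if(zAjax!=0){
+fileedit_ajax_error(403, "Write permissions required.");
+}else{
+login_needed(g.anon.Write);
+}
+return;
+}
+/* No access to anything on this page if the fileedit-glob is empty */
+if( fileedit_glob()==0 ){
+if(zAjax!=0){
+fileedit_ajax_error(403, "Online editing is disabled for this "
+"repository.");
+return;
+}
+style_header("File Editor (disabled)");
+CX("<h1>Online File Editing Is Disabled</h1>\n");
+if( g.perm.Admin ){
+CX("<p>To enable online editing, the "
+"<a href='%R/setup_settings'>"
+"<code>fileedit-glob</code> repository setting</a>\n"
+"must be set to a comma- and/or newine-delimited list of glob\n"
+"values matching files which may be edited online."
+"</p>\n");
+}else{
+CX("<p>Online editing is disabled for this repository.</p>\n");
+}
+style_footer();
+return;
+}
 
 /* Dispatch AJAX methods based tail of the request URI.
-** The ajax parts do their own permissions/CSRF check and
+** The AJAX parts do their own permissions/CSRF check and
 ** fail with a JSON-format response if needed.
 */
 if( 0!=zAjax ){
 if(0==strcmp("content",zAjax)){
 fileedit_ajax_content();
@@ -1788,35 +1822,10 @@
 fileedit_ajax_error(500, "Unhandled ajax route name.");
 }
 return;
 }
 
-/* Allow no access to this page without check-in privilege */
-login_check_credentials();
-if( !g.perm.Write ){
-login_needed(g.anon.Write);
-return;
-}
-
-/* No access to anything on this page if the fileedit-glob is empty */
-if( fileedit_glob()==0 ){
-style_header("File Editor (disabled)");
-CX("<h1>Online File Editing Is Disabled</h1>\n");
-if( g.perm.Admin ){
-CX("<p>To enable online editing, the "
-"<a href='%R/setup_settings'>"
-"<code>fileedit-glob</code> repository setting</a>\n"
-"must be set to a comma- and/or newine-delimited list of glob\n"
-"values matching files which may be edited online."
-"</p>\n");
-}else{
-CX("<p>Online editing is disabled for this repository.</p>\n");
-}
-style_footer();
-return;
-}
-
 db_begin_transaction();
 CheckinMiniInfo_init(&cimi);
 style_header("File Editor");
 /* As of this point, don't use return or fossil_fatal(). Write any
 ** error in (&err) and goto end_footer instead so that we can be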
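Review bot: The admin-facing hint moved into the first hunk (new line 1796) still carries a typo in user-visible text; it should read `"must be set to a comma- and/or newline-delimited list of glob\n"`. With login_check_credentials() and the g.perm.Write gate now evaluated before the AJAX dispatch, the comment above `if( 0!=zAjax )` ("The AJAX parts do their own permissions/CSRF check") reads as if the permission check still lived in the route handlers; if they do re-check, say so explicitly, e.g. `** The AJAX parts additionally do their own CSRF check and`, and otherwise drop the "permissions" half so a later reader does not remove the early gate believing it is redundant. The 403 emitted for an AJAX caller without write permission is reasonable since a JSON client cannot follow the login redirect that login_needed() produces, but a one-line comment stating that rationale next to the `if(zAjax!=0)` branch would help. The enclosing function begins before the first hunk and continues past the last.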
| --- src/fileedit.c | |
| +++ src/fileedit.c | |
| @@ -1765,14 +1765,48 @@ | |
| 1765 | end. This content will be |
| 1766 | combined into a single JS |
| 1767 | function call, thus each |
| 1768 | entry must end with a |
| 1769 | semicolon. */ |
| 1770 | const char *zAjax = P("name"); |
| 1771 | |
| 1772 | /* Dispatch AJAX methods based tail of the request URI. |
| 1773 | ** The ajax parts do their own permissions/CSRF check and |
| 1774 | ** fail with a JSON-format response if needed. |
| 1775 | */ |
| 1776 | if( 0!=zAjax ){ |
| 1777 | if(0==strcmp("content",zAjax)){ |
| 1778 | fileedit_ajax_content(); |
| @@ -1788,35 +1822,10 @@ | |
| 1788 | fileedit_ajax_error(500, "Unhandled ajax route name."); |
| 1789 | } |
| 1790 | return; |
| 1791 | } |
| 1792 | |
| 1793 | /* Allow no access to this page without check-in privilege */ |
| 1794 | login_check_credentials(); |
| 1795 | if( !g.perm.Write ){ |
| 1796 | login_needed(g.anon.Write); |
| 1797 | return; |
| 1798 | } |
| 1799 | |
| 1800 | /* No access to anything on this page if the fileedit-glob is empty */ |
| 1801 | if( fileedit_glob()==0 ){ |
| 1802 | style_header("File Editor (disabled)"); |
| 1803 | CX("<h1>Online File Editing Is Disabled</h1>\n"); |
| 1804 | if( g.perm.Admin ){ |
| 1805 | CX("<p>To enable online editing, the " |
| 1806 | "<a href='%R/setup_settings'>" |
| 1807 | "<code>fileedit-glob</code> repository setting</a>\n" |
| 1808 | "must be set to a comma- and/or newine-delimited list of glob\n" |
| 1809 | "values matching files which may be edited online." |
| 1810 | "</p>\n"); |
| 1811 | }else{ |
| 1812 | CX("<p>Online editing is disabled for this repository.</p>\n"); |
| 1813 | } |
| 1814 | style_footer(); |
| 1815 | return; |
| 1816 | } |
| 1817 | |
| 1818 | db_begin_transaction(); |
| 1819 | CheckinMiniInfo_init(&cimi); |
| 1820 | style_header("File Editor"); |
| 1821 | /* As of this point, don't use return or fossil_fatal(). Write any |
| 1822 | ** error in (&err) and goto end_footer instead so that we can be |
| 1823 |
| --- src/fileedit.c | |
| +++ src/fileedit.c | |
| @@ -1765,14 +1765,48 @@ | |
| 1765 | end. This content will be |
| 1766 | combined into a single JS |
| 1767 | function call, thus each |
| 1768 | entry must end with a |
| 1769 | semicolon. */ |
| 1770 | const char *zAjax = P("name"); /* Name of AJAX route for |
| 1771 | sub-dispatching. */ |
| 1772 | |
| 1773 | /* Allow no access to this page without check-in privilege */ |
| 1774 | login_check_credentials(); |
| 1775 | if( !g.perm.Write ){ |
| 1776 | if(zAjax!=0){ |
| 1777 | fileedit_ajax_error(403, "Write permissions required."); |
| 1778 | }else{ |
| 1779 | login_needed(g.anon.Write); |
| 1780 | } |
| 1781 | return; |
| 1782 | } |
| 1783 | /* No access to anything on this page if the fileedit-glob is empty */ |
| 1784 | if( fileedit_glob()==0 ){ |
| 1785 | if(zAjax!=0){ |
| 1786 | fileedit_ajax_error(403, "Online editing is disabled for this " |
| 1787 | "repository."); |
| 1788 | return; |
| 1789 | } |
| 1790 | style_header("File Editor (disabled)"); |
| 1791 | CX("<h1>Online File Editing Is Disabled</h1>\n"); |
| 1792 | if( g.perm.Admin ){ |
| 1793 | CX("<p>To enable online editing, the " |
| 1794 | "<a href='%R/setup_settings'>" |
| 1795 | "<code>fileedit-glob</code> repository setting</a>\n" |
| 1796 | "must be set to a comma- and/or newine-delimited list of glob\n" |
| 1797 | "values matching files which may be edited online." |
| 1798 | "</p>\n"); |
| 1799 | }else{ |
| 1800 | CX("<p>Online editing is disabled for this repository.</p>\n"); |
| 1801 | } |
| 1802 | style_footer(); |
| 1803 | return; |
| 1804 | } |
| 1805 | |
| 1806 | /* Dispatch AJAX methods based tail of the request URI. |
| 1807 | ** The AJAX parts do their own permissions/CSRF check and |
| 1808 | ** fail with a JSON-format response if needed. |
| 1809 | */ |
| 1810 | if( 0!=zAjax ){ |
| 1811 | if(0==strcmp("content",zAjax)){ |
| 1812 | fileedit_ajax_content(); |
| @@ -1788,35 +1822,10 @@ | |
| 1822 | fileedit_ajax_error(500, "Unhandled ajax route name."); |
| 1823 | } |
| 1824 | return; |
| 1825 | } |
| 1826 | |
| 1827 | db_begin_transaction(); |
| 1828 | CheckinMiniInfo_init(&cimi); |
| 1829 | style_header("File Editor"); |
| 1830 | /* As of this point, don't use return or fossil_fatal(). Write any |
| 1831 | ** error in (&err) and goto end_footer instead so that we can be |
| 1832 |