Disable all access to the /fileedit page and its associated AJAX entry points if the user lacks write privilege or if file editing is not enabled.
Commit
f2312397802722a2276f7944b6d6f933cb2a2064b89a6e500a6c7a7bc91d940f
Parent
2c9aa1b9391fa8c…
1 file changed
+27
-14
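--- a/src/fileedit.c
+++ b/src/fileedit.c
@@ -1767,11 +1767,37 @@
 function call, thus each
 entry must end with a
 semicolon. */
 const char *zAjax = P("name");
 
-if(0!=zAjax){
+/* Allow no access to this page without check-in privilege */
+login_check_credentials();
+if( !g.perm.Write ){
+login_needed(g.anon.Write);
+return;
+}
+
+/* No access to anything on this page if the fileedit_glob is empty */
+if( fileedit_glob()==0 ){
+style_header("File Editor (disabled)");
+CX("<h1>Online File Editing Is Disabled</h1>\n");
+if( g.perm.Admin ){
+CX("<p>To enable online editing, the "
+"<a href='%R/setup_settings'>"
+"<code>fileedit-glob</code> repository setting</a>\n"
+"must be set to a comma- and/or newine-delimited list of glob\n"
+"values matching files which may be edited online."
+"</p>\n");
+}else{
+CX("<p>Online editing is disabled for this repository.</p>\n");
+}
+style_footer();
+return;
+}
+
+/* Dispatch AJAX methods based tail of the request URI */
+if( 0!=zAjax ){
 if(0==strcmp("content",zAjax)){
 fileedit_ajax_content();
 }else if(0==strcmp("preview",zAjax)){
 fileedit_ajax_preview();
 }else if(0==strcmp("filelist",zAjax)){
@@ -1783,15 +1809,10 @@
 }else{
 fileedit_ajax_error(500, "Unhandled ajax route name.");
 }
 return;
 }
-login_check_credentials();
-if( !g.perm.Write ){
-login_needed(g.anon.Write);
-return;
-}
 db_begin_transaction();
 CheckinMiniInfo_init(&cimi);
 style_header("File Editor");
 /* As of this point, don't use return or fossil_fatal(). Write any
 ** error in (&err) and goto end_footer instead so that we can be
@@ -1830,18 +1851,10 @@
 */
 style_emit_script_tag(0,0);
 CX("document.body.classList.add('fileedit');\n");
 style_emit_script_tag(1,0);
 }
-
-if(fileedit_glob()==0){
-CX("<div class='error'>To enable online editing, the "
-"<code>fileedit-glob</code> repository setting must be set to a "
-"comma- or newine-delimited list of glob values matching files "
-"which may be edited online."
-"</div>");
-}
 
 /* Status bar */
 CX("<div id='fossil-status-bar' "
 "title='Status message area. Double-click to clear them.'>"
 "Status messages will go here.</div>\n"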
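Review bot: An AJAX request that fails either new guard now receives an HTML page instead of the error shape the dispatcher's own `fileedit_ajax_error(500, ...)` path produces: with `fileedit_glob()==0` the handler emits style_header()/style_footer() markup, and with `!g.perm.Write` it returns whatever login_needed() renders, presumably a login page or redirect. Since `zAjax` is already read before both guards, the disabled-editor branch could short-circuit for AJAX callers with `if( zAjax ){ fileedit_ajax_error(403, "Online file editing is disabled."); return; }` ahead of the style_header() call, and the privilege guard could do the same for `zAjax` rather than calling login_needed(). Whether the client-side code tolerates an HTML body on these routes is outside the hunk, so this is something to confirm rather than a proven breakage. Separately, the new admin-facing message carries over the pre-existing typo `newine-delimited`, which should read `newline-delimited`, and the new comment `Dispatch AJAX methods based tail of the request URI` reads better as `based on the tail`. The enclosing page function begins before this hunk, so the request-parsing context above `zAjax` is not visible here.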
| --- src/fileedit.c | |
| +++ src/fileedit.c | |
| @@ -1767,11 +1767,37 @@ | |
| 1767 | function call, thus each |
| 1768 | entry must end with a |
| 1769 | semicolon. */ |
| 1770 | const char *zAjax = P("name"); |
| 1771 | |
| 1772 | if(0!=zAjax){ |
| 1773 | if(0==strcmp("content",zAjax)){ |
| 1774 | fileedit_ajax_content(); |
| 1775 | }else if(0==strcmp("preview",zAjax)){ |
| 1776 | fileedit_ajax_preview(); |
| 1777 | }else if(0==strcmp("filelist",zAjax)){ |
| @@ -1783,15 +1809,10 @@ | |
| 1783 | }else{ |
| 1784 | fileedit_ajax_error(500, "Unhandled ajax route name."); |
| 1785 | } |
| 1786 | return; |
| 1787 | } |
| 1788 | login_check_credentials(); |
| 1789 | if( !g.perm.Write ){ |
| 1790 | login_needed(g.anon.Write); |
| 1791 | return; |
| 1792 | } |
| 1793 | db_begin_transaction(); |
| 1794 | CheckinMiniInfo_init(&cimi); |
| 1795 | style_header("File Editor"); |
| 1796 | /* As of this point, don't use return or fossil_fatal(). Write any |
| 1797 | ** error in (&err) and goto end_footer instead so that we can be |
| @@ -1830,18 +1851,10 @@ | |
| 1830 | */ |
| 1831 | style_emit_script_tag(0,0); |
| 1832 | CX("document.body.classList.add('fileedit');\n"); |
| 1833 | style_emit_script_tag(1,0); |
| 1834 | } |
| 1835 | |
| 1836 | if(fileedit_glob()==0){ |
| 1837 | CX("<div class='error'>To enable online editing, the " |
| 1838 | "<code>fileedit-glob</code> repository setting must be set to a " |
| 1839 | "comma- or newine-delimited list of glob values matching files " |
| 1840 | "which may be edited online." |
| 1841 | "</div>"); |
| 1842 | } |
| 1843 | |
| 1844 | /* Status bar */ |
| 1845 | CX("<div id='fossil-status-bar' " |
| 1846 | "title='Status message area. Double-click to clear them.'>" |
| 1847 | "Status messages will go here.</div>\n" |
| 1848 |
| --- src/fileedit.c | |
| +++ src/fileedit.c | |
| @@ -1767,11 +1767,37 @@ | |
| 1767 | function call, thus each |
| 1768 | entry must end with a |
| 1769 | semicolon. */ |
| 1770 | const char *zAjax = P("name"); |
| 1771 | |
| 1772 | /* Allow no access to this page without check-in privilege */ |
| 1773 | login_check_credentials(); |
| 1774 | if( !g.perm.Write ){ |
| 1775 | login_needed(g.anon.Write); |
| 1776 | return; |
| 1777 | } |
| 1778 | |
| 1779 | /* No access to anything on this page if the fileedit_glob is empty */ |
| 1780 | if( fileedit_glob()==0 ){ |
| 1781 | style_header("File Editor (disabled)"); |
| 1782 | CX("<h1>Online File Editing Is Disabled</h1>\n"); |
| 1783 | if( g.perm.Admin ){ |
| 1784 | CX("<p>To enable online editing, the " |
| 1785 | "<a href='%R/setup_settings'>" |
| 1786 | "<code>fileedit-glob</code> repository setting</a>\n" |
| 1787 | "must be set to a comma- and/or newine-delimited list of glob\n" |
| 1788 | "values matching files which may be edited online." |
| 1789 | "</p>\n"); |
| 1790 | }else{ |
| 1791 | CX("<p>Online editing is disabled for this repository.</p>\n"); |
| 1792 | } |
| 1793 | style_footer(); |
| 1794 | return; |
| 1795 | } |
| 1796 | |
| 1797 | /* Dispatch AJAX methods based tail of the request URI */ |
| 1798 | if( 0!=zAjax ){ |
| 1799 | if(0==strcmp("content",zAjax)){ |
| 1800 | fileedit_ajax_content(); |
| 1801 | }else if(0==strcmp("preview",zAjax)){ |
| 1802 | fileedit_ajax_preview(); |
| 1803 | }else if(0==strcmp("filelist",zAjax)){ |
| @@ -1783,15 +1809,10 @@ | |
| 1809 | }else{ |
| 1810 | fileedit_ajax_error(500, "Unhandled ajax route name."); |
| 1811 | } |
| 1812 | return; |
| 1813 | } |
| 1814 | db_begin_transaction(); |
| 1815 | CheckinMiniInfo_init(&cimi); |
| 1816 | style_header("File Editor"); |
| 1817 | /* As of this point, don't use return or fossil_fatal(). Write any |
| 1818 | ** error in (&err) and goto end_footer instead so that we can be |
| @@ -1830,18 +1851,10 @@ | |
| 1851 | */ |
| 1852 | style_emit_script_tag(0,0); |
| 1853 | CX("document.body.classList.add('fileedit');\n"); |
| 1854 | style_emit_script_tag(1,0); |
| 1855 | } |
| 1856 | |
| 1857 | /* Status bar */ |
| 1858 | CX("<div id='fossil-status-bar' " |
| 1859 | "title='Status message area. Double-click to clear them.'>" |
| 1860 | "Status messages will go here.</div>\n" |
| 1861 |