# HG changeset patch
# User Dan
# Date 1190147366 14400
# Node ID c5dbad7ec2d077e41c8f083fe1c64aa8d8099e86
# Parent 175776498ef17ab1453e2a24b34534d1bd95fc08
Enano should now fully support UTF-8 usernames; newly registered users are now granted automatic edit access to their user pages (admins can still use protection on the page)
diff -r 175776498ef1 -r c5dbad7ec2d0 includes/clientside/static/misc.js
--- a/includes/clientside/static/misc.js Tue Sep 18 00:31:22 2007 -0400
+++ b/includes/clientside/static/misc.js Tue Sep 18 16:29:26 2007 -0400
@@ -449,7 +449,7 @@
 window.console.debug(json_data);
 json_data = toJSONString(json_data);
 window.console.debug(json_data);
- json_data = ajaxAltEscape(json_data);
+ json_data = encodeURIComponent(json_data);
 window.console.debug(json_data);
 var loading_win = '
\
diff -r 175776498ef1 -r c5dbad7ec2d0 includes/sessions.php
--- a/includes/sessions.php Tue Sep 18 00:31:22 2007 -0400
+++ b/includes/sessions.php Tue Sep 18 16:29:26 2007 -0400
@@ -151,7 +151,7 @@
 */
 //var $valid_username = '([A-Za-z0-9 \!\@\(\)-]+)';
- var $valid_username = '([^<>_&\?\'"%\n\r\t\a]+)';
+ var $valid_username = '([^<>_&\?\'"%\n\r\t\a\/]+)';
 /**
 * What we're allowed to do as far as permissions go. This changes based on the value of the "auth" URI param.
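Review bot: The `\/` added to `$valid_username` extends a deny-list character class, so every character not listed is still accepted as a username; with UTF-8 names now allowed that includes, for example, C0 control characters other than `\n\r\t\a`, and this class is the only username check visible in the changeset. The pattern itself carries no anchors, so each caller is responsible for anchoring it correctly (the registration check in the `@@ -1401` hunk is one such caller). The reason for rejecting `/` is only implied by the userpage ACL hunk, so a comment on the new line would help, e.g. `// "/" is rejected because the username is used as the User: namespace page id` — worth confirming that is the intent. The doc-comment block around this property starts and ends outside the hunk.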
@@ -578,19 +578,20 @@
 $success = false;
 // Escaped username
- $db_username = $this->prepare_text(strtolower($username));
+ $db_username_lower = $this->prepare_text(strtolower($username));
+ $db_username = $this->prepare_text($username);
 // Select the user data from the table, and decrypt that so we can verify the password
- $this->sql('SELECT password,old_encryption,user_id,user_level,theme,style,temp_password,temp_password_time FROM '.table_prefix.'users WHERE lcase(username)=\''.$db_username.'\' OR username=\'' . $db_username . '\';');
+ $this->sql('SELECT password,old_encryption,user_id,user_level,theme,style,temp_password,temp_password_time FROM '.table_prefix.'users WHERE lcase(username)=\''.$db_username_lower.'\' OR username=\'' . $db_username . '\';');
 if($db->numrows() < 1) {
+ return "The username and/or password is incorrect.\n$db->latest_query";
 // This wasn't logged in <1.0.2, dunno how it slipped through
 if($level > USER_LEVEL_MEMBER) $this->sql('INSERT INTO '.table_prefix.'logs(log_type,action,time_id,date_string,author,edit_summary,page_text) VALUES(\'security\', \'admin_auth_bad\', '.time().', \''.date('d M Y h:i a').'\', \''.$db->escape($username).'\', \''.$db->escape($_SERVER['REMOTE_ADDR']).'\', ' . intval($level) . ')');
 else $this->sql('INSERT INTO '.table_prefix.'logs(log_type,action,time_id,date_string,author,edit_summary) VALUES(\'security\', \'auth_bad\', '.time().', \''.date('d M Y h:i a').'\', \''.$db->escape($username).'\', \''.$db->escape($_SERVER['REMOTE_ADDR']).'\')');
- return "The username and/or password is incorrect.";
 }
 $row = $db->fetchrow();
@@ -1401,6 +1402,7 @@
 $aes = new AESCrypt(AES_BITS, AES_BLOCKSIZE);
 if(!preg_match('#^'.$this->valid_username.'$#', $username)) return 'The username you chose contains invalid characters.';
+ $user_orig = $username;
 $username = $this->prepare_text($username);
 $email = $this->prepare_text($email);
 $real_name = $this->prepare_text($real_name);
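Review bot: The early `return "The username and/or password is incorrect.\n$db->latest_query";` added right after `if($db->numrows() < 1)` looks like a debugging leftover: it returns the full SELECT text (table prefix, column list, the escaped username) to an unauthenticated caller on every failed login, and it sits before the two `admin_auth_bad`/`auth_bad` log inserts, which the commit leaves in place but which are now unreachable, so failed login attempts are no longer written to the security log. Drop `\n$db->latest_query` from the message and keep the return where it was, after the `else` branch's `$this->sql(...)`: `return "The username and/or password is incorrect.";` as the last statement of the block. Splitting the lookup into `$db_username_lower` and the case-preserved `$db_username` is fine as far as this hunk shows; both go through `prepare_text`, whose escaping is outside the hunk. The enclosing login function starts and ends outside the hunk.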
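Review bot: `$user_orig = $username;` keeps the unescaped name for the userpage ACL built in the `@@ -1485` hunk and relies on the preceding `preg_match('#^'.$this->valid_username.'$#', $username)` having validated it, but with `$` and no `D` modifier PCRE also matches immediately before a final newline, so a name with a trailing `\n` passes even though `\n` is in the deny class. Use `if(!preg_match('#^'.$this->valid_username.'$#D', $username))` (or anchor with `\z`) so the copy really is a validated value. A comment on the new line would help later readers: `// Unescaped copy; used below to derive the user page's page id`. The enclosing registration function starts and ends outside the hunk.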
@@ -1485,6 +1487,30 @@
 $this->sql('INSERT INTO '.table_prefix.'users_extra(user_id) VALUES(' . $user_id . ');');
 }
+ // Grant edit and very limited mod access to the userpage
+ $acl_data = array(
+ 'read' => AUTH_ALLOW,
+ 'view_source' => AUTH_ALLOW,
+ 'edit_page' => AUTH_ALLOW,
+ 'post_comments' => AUTH_ALLOW,
+ 'edit_comments' => AUTH_ALLOW, // only allows editing own comments
+ 'history_view' => AUTH_ALLOW,
+ 'history_rollback' => AUTH_ALLOW,
+ 'rename' => AUTH_ALLOW,
+ 'delete_page' => AUTH_ALLOW,
+ 'tag_create' => AUTH_ALLOW,
+ 'tag_delete_own' => AUTH_ALLOW,
+ 'tag_delete_other' => AUTH_ALLOW,
+ 'edit_cat' => AUTH_ALLOW,
+ 'create_page' => AUTH_ALLOW
+ );
+ $acl_data = $db->escape($this->perm_to_string($acl_data));
+ $userpage = $db->escape(sanitize_page_id($user_orig));
+ $cols = "target_type, target_id, page_id, namespace, rules";
+ $vals = ACL_TYPE_USER . ", $user_id, '$userpage', 'User', '$acl_data'";
+ $q = "INSERT INTO ".table_prefix."acl($cols) VALUES($vals);";
+ $this->sql($q);
+
 // Require the account to be activated?
 if ( $coppa ) {
diff -r 175776498ef1 -r c5dbad7ec2d0 themes/printable/css/default.css
--- a/themes/printable/css/default.css Tue Sep 18 00:31:22 2007 -0400
+++ b/themes/printable/css/default.css Tue Sep 18 16:29:26 2007 -0400
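Review bot: The comment `// Grant edit and very limited mod access to the userpage` understates what the `$acl_data` array grants: besides edit rights it gives a brand-new account (possibly not yet activated, since the `// Require the account to be activated?` check only follows) `delete_page`, `rename`, `history_rollback`, `tag_delete_other` and `edit_cat` on its userpage, which is more than the commit message's "edit access"; either trim the array to the edit-related rules or make the comment list the full grant so an admin knows what page protection must cover. The INSERT is assembled by interpolation, and `$user_id` goes into `$vals` unquoted and unescaped while `$userpage` and `$acl_data` are `$db->escape`d; `$user_id` is assigned outside the hunk, so if it is not guaranteed to be an integer use `$vals = ACL_TYPE_USER . ", " . intval($user_id) . ", '$userpage', 'User', '$acl_data'";`, matching the `intval($level)` used in the login log insert in this same file. The enclosing registration function starts and ends outside the hunk.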
@@ -61,7 +61,7 @@
 /* Well, not Midget and not comments (usually), but that's what the class is called ;-). Basically an informational window or used as a wrapper for tables. */
 .mdg-comment, .mdg-infobox { margin-left: 1em; padding: 7px; border: 1px solid #AAAAAA; background-color: #E8E8E8; }
-.tblholder { margin: 10px 0 0 0; padding: 0; border: 1px solid #AAAAAA; background-color: #E8E8E8; }
+.tblholder { margin: 10px 0 0 0; padding: 0; border-width: 0 0 1px 1px; border-style: solid; border-color: #AAAAAA; background-color: #E8E8E8; }
 /* The beautiful tables inside what may not obviously be mdg-comment divs */
 div.tblholder td.row1 { padding: 4px; border-color: #E0E0E0; border-width: 1px 1px 0 0; border-style: solid; background-color: #FFFFFF; }