Live Re-Auth is now required for deleting pages, editing ACLs, protecting pages, and clearing logs. Committing in a hurry as a storm is coming in; hope everything is in there.
--- a/includes/clientside/static/acl.js Mon Apr 13 14:43:28 2009 -0400
+++ b/includes/clientside/static/acl.js Mon Apr 13 16:57:20 2009 -0400
@@ -9,6 +9,21 @@
if(IE)
return true;
+ void(page_id);
+ void(namespace);
+
+ // require re-auth
+ if ( auth_level <= USER_LEVEL_MEMBER )
+ {
+ load_component(['login', 'fadefilter', 'flyin', 'jquery', 'jquery-ui', 'crypto', 'messagebox']);
+ ajaxDynamicReauth(function(key)
+ {
+ ajaxOpenACLManager(page_id, namespace);
+ }, user_level);
+
+ return false;
+ }
+
load_component(['l10n', 'messagebox', 'fadefilter', 'template-compiler', 'jquery', 'jquery-ui', 'autofill']);
if(!page_id || !namespace)
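Review bot: The callback handed to ajaxDynamicReauth declares a `key` parameter it never reads, and the re-entry `ajaxOpenACLManager(page_id, namespace);` only terminates if ajaxDynamicReauth has raised the global `auth_level` above USER_LEVEL_MEMBER before it invokes the callback; otherwise the same guard fires again and the user is re-prompted. A comment making that contract explicit would help, e.g. `// callback runs only after a successful elevation, so auth_level now exceeds USER_LEVEL_MEMBER and the guard above does not fire on re-entry` — confirm against ajaxDynamicReauth, which is not shown here. The identical block is added to ajaxProtect, ajaxDeletePage and ajaxClearLogs in ajax.js, so the same remark applies there. ajaxOpenACLManager's body starts before this hunk.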
--- a/includes/clientside/static/ajax.js Mon Apr 13 14:43:28 2009 -0400
+++ b/includes/clientside/static/ajax.js Mon Apr 13 16:57:20 2009 -0400
@@ -42,6 +42,18 @@
// touch this variable to allow it to be used in child functions
void(existing_level);
+ // require re-auth
+ if ( auth_level <= USER_LEVEL_MEMBER )
+ {
+ load_component(['login', 'fadefilter', 'flyin', 'jquery', 'jquery-ui', 'crypto', 'messagebox']);
+ ajaxDynamicReauth(function(key)
+ {
+ ajaxProtect(existing_level);
+ }, user_level);
+
+ return false;
+ }
+
load_component(['messagebox', 'jquery', 'jquery-ui', 'l10n', 'fadefilter', 'flyin']);
// preload language
@@ -312,6 +324,19 @@
// IE <6 pseudo-compatibility
if ( KILL_SWITCH )
return true;
+
+ // require re-auth
+ if ( auth_level <= USER_LEVEL_MEMBER )
+ {
+ load_component(['login', 'fadefilter', 'flyin', 'jquery', 'jquery-ui', 'crypto', 'messagebox']);
+ ajaxDynamicReauth(function(key)
+ {
+ ajaxDeletePage();
+ }, user_level);
+
+ return false;
+ }
+
load_component(['l10n', 'messagebox', 'jquery', 'jquery-ui', 'fadefilter', 'flyin']);
// stage 1: prompt for reason and confirmation
@@ -705,6 +730,18 @@
if ( KILL_SWITCH )
return true;
+ // require re-auth
+ if ( auth_level <= USER_LEVEL_MEMBER )
+ {
+ load_component(['login', 'fadefilter', 'flyin', 'jquery', 'jquery-ui', 'crypto', 'messagebox']);
+ ajaxDynamicReauth(function(key)
+ {
+ ajaxClearLogs();
+ }, user_level);
+
+ return false;
+ }
+
load_component(['l10n', 'messagebox', 'flyin', 'fadefilter']);
miniPromptMessage({
--- a/includes/clientside/static/fadefilter.js Mon Apr 13 14:43:28 2009 -0400
+++ b/includes/clientside/static/fadefilter.js Mon Apr 13 16:57:20 2009 -0400
@@ -117,7 +117,7 @@
document.getElementById(layerid).destroying = true;
var from = document.getElementById(layerid).myOpacVal;
opacity(layerid, from, 0, 1000);
- setTimeout("if ( document.getElementById('" + layerid + "').destroying ) { document.getElementById('" + layerid + "').destroying = false; document.getElementById('" + layerid + "').style.display = 'none'; }", 1000);
+ setTimeout("var l = document.getElementById('" + layerid + "'); var b = document.getElementsByTagName('body')[0]; b.removeChild(l);", 1000);
}
}
return document.getElementById(layerid);
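Review bot: The new timeout body calls `b.removeChild(l)` unconditionally, dropping the `destroying` guard the old string kept, so if the layer was re-shown (destroying reset) or already detached from the document inside the 1000 ms window, getElementById returns null or the node is no longer a child of body and removeChild throws. Keep the guard and a null check, and use a function instead of building code from a string: `setTimeout(function() { var l = document.getElementById(layerid); if ( l && l.destroying && l.parentNode ) l.parentNode.removeChild(l); }, 1000);`. The enclosing function starts before this hunk.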
--- a/includes/clientside/static/login.js Mon Apr 13 14:43:28 2009 -0400
+++ b/includes/clientside/static/login.js Mon Apr 13 16:57:20 2009 -0400
@@ -1123,7 +1123,17 @@
color: 'blue',
onclick: function()
{
- miniPromptDestroy(this);
+ var mp = miniPromptGetParent(this);
+ var whitey = whiteOutMiniPrompt(mp);
+ setTimeout(function()
+ {
+ whiteOutReportSuccess(whitey);
+ setTimeout(function()
+ {
+ miniPromptDestroy(mp);
+ }, 1250);
+ }, 1000);
+
ajaxLoginPerformRequest({
mode: 'logout',
level: auth_level,
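Review bot: `whiteOutReportSuccess(whitey)` fires on a fixed 1000 ms timer and the prompt is destroyed 1250 ms after that, independent of whether the `ajaxLoginPerformRequest` logout call that follows has completed or succeeded, so a failed logout is still displayed as a success. If ajaxLoginPerformRequest accepts a completion callback (its argument list continues past this hunk), the success report and `miniPromptDestroy(mp)` should be driven from that callback rather than from timers; a comment such as `// purely cosmetic: success is shown on a timer, not on the server response` would at least document the current choice. The onclick handler is inside the hunk, but the object literal that contains it is not.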
@@ -1408,4 +1418,5 @@
}
window.location.hash = '#auth:false';
}
+ window.stdAjaxPrefix = append_sid(scriptPath + '/ajax.php?title=' + title);
}
--- a/includes/pageprocess.php Mon Apr 13 14:43:28 2009 -0400
+++ b/includes/pageprocess.php Mon Apr 13 16:57:20 2009 -0400
@@ -848,6 +848,15 @@
);
}
+ // Validate re-auth
+ if ( !$session->sid_super )
+ {
+ return array(
+ 'success' => false,
+ 'error' => 'access_denied_need_reauth'
+ );
+ }
+
// Validate input
$reason = trim($reason);
if ( !in_array($protection_level, array(PROTECT_NONE, PROTECT_FULL, PROTECT_SEMI)) || empty($reason) )
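Review bot: The comment `// Validate re-auth` does not say what `sid_super` stands for, nor that `'access_denied_need_reauth'` is a language-key stem rather than a message, whereas the sibling checks in pageutils.php in this commit return `$lang->get('etc_access_denied_need_reauth')` directly. core.json in this commit adds `err_access_denied_need_reauth` as an alias, which suggests the caller prefixes the key with `err_`; if that is the case, say so: `// Validate re-auth: sid_super is presumably set only for an elevated (re-authenticated) session; the caller maps this key to err_access_denied_need_reauth`. The enclosing method starts before this hunk.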
--- a/includes/pageutils.php Mon Apr 13 14:43:28 2009 -0400
+++ b/includes/pageutils.php Mon Apr 13 16:57:20 2009 -0400
@@ -1110,6 +1110,10 @@
{
return $lang->get('etc_access_denied');
}
+ if ( !$session->sid_super )
+ {
+ return $lang->get('etc_access_denied_need_reauth');
+ }
$e = $db->sql_query('DELETE FROM ' . table_prefix.'logs WHERE page_id=\'' . $db->escape($page_id) . '\' AND namespace=\'' . $db->escape($namespace) . '\';');
if(!$e) $db->_die('The log entries could not be deleted.');
@@ -1148,6 +1152,12 @@
return $lang->get('ajax_delete_need_reason');
}
if(!$perms->get_permissions('delete_page')) return('Administrative privileges are required to delete pages, you loser.');
+
+ if ( !$session->sid_super )
+ {
+ return $lang->get('etc_access_denied_need_reauth');
+ }
+
$e = $db->sql_query('INSERT INTO ' . table_prefix.'logs(time_id,date_string,log_type,action,page_id,namespace,author,edit_summary) VALUES('.time().', \''.enano_date('d M Y h:i a').'\', \'page\', \'delete\', \'' . $page_id . '\', \'' . $namespace . '\', \'' . $session->username . '\', \'' . $db->escape(htmlspecialchars($reason)) . '\')');
if(!$e) $db->_die('The page log entry could not be inserted.');
$e = $db->sql_query('DELETE FROM ' . table_prefix.'categories WHERE page_id=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\'');
@@ -1681,6 +1691,13 @@
'error' => $lang->get('acl_err_access_denied')
);
}
+ if ( !$session->sid_super )
+ {
+ return Array(
+ 'mode' => 'error',
+ 'error' => $lang->get('etc_access_denied_need_reauth')
+ );
+ }
$parms['page_id'] = ( isset($parms['page_id']) ) ? $parms['page_id'] : false;
$parms['namespace'] = ( isset($parms['namespace']) ) ? $parms['namespace'] : false;
$page_id =& $parms['page_id'];
--- a/index.php Mon Apr 13 14:43:28 2009 -0400
+++ b/index.php Mon Apr 13 16:57:20 2009 -0400
@@ -329,6 +329,11 @@
$template->footer();
break;
case 'protect':
+ if ( !$session->sid_super )
+ {
+ redirect(makeUrlNS('Special', "Login/{$paths->page}", 'target_do=protect&level=' . $session->user_level, false), $lang->get('etc_access_denied_short'), $lang->get('etc_access_denied_need_reauth'), 0);
+ }
+
if ( isset($_POST['level']) && isset($_POST['reason']) )
{
$level = intval($_POST['level']);
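Review bot: In the `protect` case the re-auth redirect is the first statement, before any permission check (whatever check protect performs is not visible in this hunk), whereas the `flushlogs` and `deletepage` cases below place it after their `die_friendly` access-denied check; the `aclmanager` case in the last hunk of this file also puts it first. A user without the underlying permission is therefore sent through the re-login flow for an action they could never perform; moving the `sid_super` check after the permission check in protect and aclmanager keeps the ordering uniform (permission first, then elevation). This also relies on `redirect()` terminating the script — if it returns, the handler continues at the `isset($_POST['level'])` line without the re-auth having happened; confirm, since redirect's body is not shown here.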
@@ -442,6 +447,10 @@
{
die_friendly($lang->get('etc_access_denied_short'), '<p>' . $lang->get('etc_access_denied') . '</p>');
}
+ if ( !$session->sid_super )
+ {
+ redirect(makeUrlNS('Special', "Login/{$paths->page}", 'target_do=flushlogs&level=' . $session->user_level, false), $lang->get('etc_access_denied_short'), $lang->get('etc_access_denied_need_reauth'), 0);
+ }
require_once(ENANO_ROOT.'/includes/pageutils.php');
if(isset($_POST['_downthejohn']))
{
@@ -517,6 +526,11 @@
{
die_friendly($lang->get('etc_access_denied_short'), '<p>' . $lang->get('etc_access_denied') . '</p>');
}
+ if ( !$session->sid_super )
+ {
+ redirect(makeUrlNS('Special', "Login/{$paths->page}", 'target_do=deletepage&level=' . $session->user_level, false), $lang->get('etc_access_denied_short'), $lang->get('etc_access_denied_need_reauth'), 0);
+ }
+
require_once(ENANO_ROOT.'/includes/pageutils.php');
if(isset($_POST['_adiossucker']))
{
@@ -620,6 +634,11 @@
die_friendly($lang->get('page_detag_success_title'), '<p>' . $lang->get('page_detag_success_body') . '</p>');
break;
case 'aclmanager':
+ if ( !$session->sid_super )
+ {
+ redirect(makeUrlNS('Special', "Login/{$paths->page}", 'target_do=aclmanager&level=' . $session->user_level, false), $lang->get('etc_access_denied_short'), $lang->get('etc_access_denied_need_reauth'), 0);
+ }
+
require_once(ENANO_ROOT.'/includes/pageutils.php');
$data = ( isset($_POST['data']) ) ? $_POST['data'] : Array('mode' => 'listgroups');
PageUtils::aclmanager($data);
--- a/language/english/core.json Mon Apr 13 14:43:28 2009 -0400
+++ b/language/english/core.json Mon Apr 13 16:57:20 2009 -0400
@@ -123,6 +123,7 @@
err_access_denied_siteadmin: 'site administrator',
err_seeking_living_among_dead: 'You are trying to un-delete a page that has since been restored.\n\n"But the men said to them, \'Why do you look for the living among the dead?\'" (Luke 24:5b/NIV)',
err_access_denied: 'Access to that action is denied.',
+ err_access_denied_need_reauth: '%this.etc_access_denied_need_reauth%',
err_invalid_parameter: 'An invalid value (parameter) was sent to this action.',
err_rb_action_not_supported: 'Rolling back actions of type "%action%" isn\'t supported.',
err_rb_file_rename_failed: 'Could not rename the file to its new name (1.1.x format)',
@@ -759,6 +760,7 @@
// Generic "Access denied"
access_denied: 'Access to the specified file, resource, or action is denied.',
access_denied_short: 'Access denied',
+ access_denied_need_reauth: 'You need to re-authenticate before you can do that.',
return_to_page: 'Return to the page',
invalid_request_short: 'Invalid request',
// Message box buttons
--- a/plugins/SpecialUserFuncs.php Mon Apr 13 14:43:28 2009 -0400
+++ b/plugins/SpecialUserFuncs.php Mon Apr 13 16:57:20 2009 -0400
@@ -344,8 +344,6 @@
</tr>
<?php
}
- ?>
- <?php
$code = $plugins->setHook('login_form_html');
foreach ( $code as $cmd )
{
@@ -450,6 +448,29 @@
<?php endif; ?>
<?php
echo $session->generate_aes_form();
+
+ // Any additional parameters that need to be passed back?
+ if ( $p = $paths->getAllParams() )
+ {
+ // ... only if we have a return_to destination.
+ $get_fwd = $_GET;
+ unset($get_fwd['do']);
+ if ( isset($get_fwd['target_do']) )
+ {
+ $get_fwd['do'] = $get_fwd['target_do'];
+ unset($get_fwd['target_do']);
+ }
+ if ( isset($get_fwd['level']) )
+ unset($get_fwd['level']);
+ if ( isset($get_fwd['title']) )
+ unset($get_fwd['title']);
+
+ if ( !empty($get_fwd) )
+ {
+ $get_string = htmlspecialchars(enano_json_encode($get_fwd));
+ echo '<input type="hidden" name="get_fwd" value="' . $get_string . '" />';
+ }
+ }
?>
</form>
<?php
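Review bot: `$p` is assigned from `$paths->getAllParams()` but never read, and the comment `// ... only if we have a return_to destination.` does not match the condition, which tests for URL parameters rather than for `return_to`. Write `if ( $paths->getAllParams() )` and reword the comment to `// ... only when the login page was reached with extra URL parameters (e.g. target_do from a re-auth redirect)`. Since `$_GET` is forwarded wholesale minus `do`/`level`/`title`, any other parameter attached by the caller rides along into the hidden field; naming the expected ones in the comment would make later review easier. The enclosing function starts before this hunk.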
@@ -560,11 +581,29 @@
{
$result = $session->login_without_crypto($_POST['username'], $password, false, intval($_POST['auth_level']), $captcha_hash, $captcha_code, isset($_POST['remember']));
}
-
+
if($result['success'])
{
$session->start();
+ $get_add = false;
+ if ( isset($_POST['get_fwd']) )
+ {
+ try
+ {
+ $get_fwd = enano_json_decode($_POST['get_fwd']);
+ $get_add = '';
+ foreach ( $get_fwd as $key => $value )
+ {
+ $get_add .= "&{$key}=" . urlencode($value);
+ }
+ $get_add = ltrim($get_add, '&');
+ }
+ catch ( Exception $e )
+ {
+ }
+ }
+
$template->load_theme($session->theme, $session->style);
if(isset($_POST['return_to']))
{
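Review bot: `get_fwd` comes back from the client as a hidden form field, so the decoded value is untrusted: the loop iterates it without checking it is an array (a scalar makes foreach emit a warning and leaves `$get_add` as `''`), and `$key` is concatenated into the query string unencoded while only `$value` is urlencoded. Replace the loop with `if ( is_array($get_fwd) ) { $get_add = http_build_query($get_fwd); }`, which encodes both keys and values and copes with nested arrays, and leave `$get_add = false` otherwise. The empty `catch ( Exception $e )` keeps the best-effort behaviour but should carry a comment such as `// malformed get_fwd: ignore it and redirect without extra parameters`. The enclosing branch starts before this hunk.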
@@ -573,7 +612,7 @@
'username' => $session->username,
'redir_target' => $name
);
- redirect( makeUrl($_POST['return_to'], false, true), $lang->get('user_login_success_title'), $lang->get('user_login_success_body', $subst) );
+ redirect( makeUrl($_POST['return_to'], $get_add), $lang->get('user_login_success_title'), $lang->get('user_login_success_body', $subst) );
}
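Review bot: The old call passed `true` as makeUrl's third argument and the new call `makeUrl($_POST['return_to'], $get_add)` drops it; if that parameter controls HTML-escaping of the generated URL, the redirect target changes from an escaped to a raw URL, which is arguably correct for a redirect but is a behaviour change the commit message does not mention — confirm makeUrl's signature and its default for that parameter. `$get_add` is `false` when no `get_fwd` was posted, matching the previous second argument, so the no-forward path is otherwise unchanged. The same edit is made in the main-page branch in the next hunk.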
else
{
@@ -581,7 +620,7 @@
'username' => $session->username,
'redir_target' => $lang->get('user_login_success_body_mainpage')
);
- redirect( makeUrl(get_main_page(), false, true), $lang->get('user_login_success_title'), $lang->get('user_login_success_body', $subst) );
+ redirect( makeUrl(get_main_page(), $get_add), $lang->get('user_login_success_title'), $lang->get('user_login_success_body', $subst) );
}
}
else