Live Re-Auth is now required for deleting pages, editing ACLs, protecting pages, and clearing logs. Committing in a hurry as a storm is coming in, hope everything is in there.
authorDan
Mon, 13 Apr 2009 16:57:20 -0400
changeset 907 44851d7e9bda
parent 906 c949e82b8f49
child 908 44302dd20d62
Live Re-Auth is now required for deleting pages, editing ACLs, protecting pages, and clearing logs. Committing in a hurry as a storm is coming in, hope everything is in there.
includes/clientside/static/acl.js
includes/clientside/static/ajax.js
includes/clientside/static/fadefilter.js
includes/clientside/static/login.js
includes/pageprocess.php
includes/pageutils.php
index.php
language/english/core.json
plugins/SpecialUserFuncs.php
--- a/includes/clientside/static/acl.js	Mon Apr 13 14:43:28 2009 -0400
+++ b/includes/clientside/static/acl.js	Mon Apr 13 16:57:20 2009 -0400
@@ -9,6 +9,21 @@
   if(IE)
     return true;
   
+  void(page_id);
+  void(namespace);
+  
+  // require re-auth
+  if ( auth_level <= USER_LEVEL_MEMBER )
+  {
+    load_component(['login', 'fadefilter', 'flyin', 'jquery', 'jquery-ui', 'crypto', 'messagebox']);
+    ajaxDynamicReauth(function(key)
+      {
+        ajaxOpenACLManager(page_id, namespace);
+      }, user_level);
+    
+    return false;
+  }
+  
   load_component(['l10n', 'messagebox', 'fadefilter', 'template-compiler', 'jquery', 'jquery-ui', 'autofill']);
   
   if(!page_id || !namespace)
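Review bot: The `key` argument passed to the re-auth callback is never used, and the guard only terminates if `ajaxDynamicReauth` raises the global `auth_level` above `USER_LEVEL_MEMBER` before invoking the callback; otherwise the re-entrant `ajaxOpenACLManager(page_id, namespace)` hits this same branch and prompts again, so that contract deserves a comment such as `// ajaxDynamicReauth must update auth_level before calling back, or this re-entry prompts again`. The same twelve-line block is pasted into ajaxProtect, ajaxDeletePage and ajaxClearLogs in ajax.js (the three hunks that follow); a shared helper that owns the level test, the component list and the ajaxDynamicReauth call would keep the four copies from drifting. This client-side test is a convenience gate only; the `sid_super` checks this commit adds on the server remain the enforcement. ajaxOpenACLManager starts outside the hunk.
```javascript
// Prompt for live re-auth when the session is not elevated, then run `then`.
// Returns true when the caller may proceed immediately.
function ajaxRequireReauth(then)
{
  if ( auth_level > USER_LEVEL_MEMBER )
    return true;
  load_component(['login', 'fadefilter', 'flyin', 'jquery', 'jquery-ui', 'crypto', 'messagebox']);
  ajaxDynamicReauth(function(key)
    {
      then();
    }, user_level);
  return false;
}

// in ajaxOpenACLManager, replacing the pasted block:
if ( !ajaxRequireReauth(function() { ajaxOpenACLManager(page_id, namespace); }) )
  return false;
```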
--- a/includes/clientside/static/ajax.js	Mon Apr 13 14:43:28 2009 -0400
+++ b/includes/clientside/static/ajax.js	Mon Apr 13 16:57:20 2009 -0400
@@ -42,6 +42,18 @@
   // touch this variable to allow it to be used in child functions
   void(existing_level);
   
+  // require re-auth
+  if ( auth_level <= USER_LEVEL_MEMBER )
+  {
+    load_component(['login', 'fadefilter', 'flyin', 'jquery', 'jquery-ui', 'crypto', 'messagebox']);
+    ajaxDynamicReauth(function(key)
+      {
+        ajaxProtect(existing_level);
+      }, user_level);
+    
+    return false;
+  }
+  
   load_component(['messagebox', 'jquery', 'jquery-ui', 'l10n', 'fadefilter', 'flyin']);
   
   // preload language
@@ -312,6 +324,19 @@
   // IE <6 pseudo-compatibility
   if ( KILL_SWITCH )
     return true;
+  
+  // require re-auth
+  if ( auth_level <= USER_LEVEL_MEMBER )
+  {
+    load_component(['login', 'fadefilter', 'flyin', 'jquery', 'jquery-ui', 'crypto', 'messagebox']);
+    ajaxDynamicReauth(function(key)
+      {
+        ajaxDeletePage();
+      }, user_level);
+    
+    return false;
+  }
+  
   load_component(['l10n', 'messagebox', 'jquery', 'jquery-ui', 'fadefilter', 'flyin']);
   
   // stage 1: prompt for reason and confirmation
@@ -705,6 +730,18 @@
   if ( KILL_SWITCH )
     return true;
   
+  // require re-auth
+  if ( auth_level <= USER_LEVEL_MEMBER )
+  {
+    load_component(['login', 'fadefilter', 'flyin', 'jquery', 'jquery-ui', 'crypto', 'messagebox']);
+    ajaxDynamicReauth(function(key)
+      {
+        ajaxClearLogs();
+      }, user_level);
+    
+    return false;
+  }
+  
   load_component(['l10n', 'messagebox', 'flyin', 'fadefilter']);
   
   miniPromptMessage({
--- a/includes/clientside/static/fadefilter.js	Mon Apr 13 14:43:28 2009 -0400
+++ b/includes/clientside/static/fadefilter.js	Mon Apr 13 16:57:20 2009 -0400
@@ -117,7 +117,7 @@
       document.getElementById(layerid).destroying = true;
       var from = document.getElementById(layerid).myOpacVal;
       opacity(layerid, from, 0, 1000);
-      setTimeout("if ( document.getElementById('" + layerid + "').destroying ) { document.getElementById('" + layerid + "').destroying = false; document.getElementById('" + layerid + "').style.display = 'none'; }", 1000);
+      setTimeout("var l = document.getElementById('" + layerid + "'); var b = document.getElementsByTagName('body')[0]; b.removeChild(l);", 1000);
     }
   }
   return document.getElementById(layerid);
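Review bot: The new timer removes the layer from `body` unconditionally, whereas the line it replaces first checked `.destroying`; a layer that is re-shown within the one-second fade (presumably whatever resets `destroying` — confirm) is now torn down anyway, and `b.removeChild(l)` throws if the element has already been detached or no longer exists. Building the timer body as a string with `layerid` spliced in is also harder to read than a closure and relies on the id containing no quote characters. Suggested rewrite of the `setTimeout` call, keeping the old guard; the enclosing function continues outside the hunk.
```javascript
      opacity(layerid, from, 0, 1000);
      setTimeout(function()
        {
          var l = document.getElementById(layerid);
          // tear down only if nothing re-showed the layer during the fade
          if ( l && l.destroying && l.parentNode )
            l.parentNode.removeChild(l);
        }, 1000);
```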
--- a/includes/clientside/static/login.js	Mon Apr 13 14:43:28 2009 -0400
+++ b/includes/clientside/static/login.js	Mon Apr 13 16:57:20 2009 -0400
@@ -1123,7 +1123,17 @@
         color: 'blue',
         onclick: function()
         {
-          miniPromptDestroy(this);
+          var mp = miniPromptGetParent(this);
+          var whitey = whiteOutMiniPrompt(mp);
+          setTimeout(function()
+            {
+              whiteOutReportSuccess(whitey);
+              setTimeout(function()
+                {
+                  miniPromptDestroy(mp);
+                }, 1250);
+            }, 1000);
+          
           ajaxLoginPerformRequest({
               mode:  'logout',
               level: auth_level,
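Review bot: `whiteOutReportSuccess(whitey)` fires on a fixed one-second timer that is started before `ajaxLoginPerformRequest` is even called, so the prompt reports success regardless of whether the logout request completed or failed. The success report (and the delayed `miniPromptDestroy(mp)`) should be driven from the request's completion handler, with the failure path dismissing the white-out without the success animation; `whitey` and `mp` can be captured by that handler the same way they are captured here. The onclick handler and the `ajaxLoginPerformRequest` call continue outside the hunk.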
@@ -1408,4 +1418,5 @@
     }
     window.location.hash = '#auth:false';
   }
+  window.stdAjaxPrefix = append_sid(scriptPath + '/ajax.php?title=' + title);
 }
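Review bot: The new `window.stdAjaxPrefix` assignment has no comment explaining why the prefix is rebuilt at the end of this function; presumably it is so that subsequent ajax calls pick up the session id `append_sid` attaches after the auth level changes — confirm and say so, e.g. `// rebuild the ajax URL prefix so later requests carry the session id for the new auth level`. `title` is concatenated into the query string raw; if the existing definition of `stdAjaxPrefix` elsewhere encodes it, this copy should match. The enclosing function starts outside the hunk.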
--- a/includes/pageprocess.php	Mon Apr 13 14:43:28 2009 -0400
+++ b/includes/pageprocess.php	Mon Apr 13 16:57:20 2009 -0400
@@ -848,6 +848,15 @@
         );
     }
     
+    // Validate re-auth
+    if ( !$session->sid_super )
+    {
+      return array(
+        'success' => false,
+        'error' => 'access_denied_need_reauth'
+        );
+    }
+    
     // Validate input
     $reason = trim($reason);
     if ( !in_array($protection_level, array(PROTECT_NONE, PROTECT_FULL, PROTECT_SEMI)) || empty($reason) )
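Review bot: The new return uses the bare key `'access_denied_need_reauth'` where the pageutils.php checks in this same commit return `$lang->get('etc_access_denied_need_reauth')`; if that is deliberate because the client resolves this value through the `err_access_denied_need_reauth` alias added to core.json, a comment saying so would stop the next reader from "fixing" it, e.g. `// bare key: the client maps it to the err_* language string`. The enclosing method starts outside the hunk.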
--- a/includes/pageutils.php	Mon Apr 13 14:43:28 2009 -0400
+++ b/includes/pageutils.php	Mon Apr 13 16:57:20 2009 -0400
@@ -1110,6 +1110,10 @@
     {
       return $lang->get('etc_access_denied');
     }
+    if ( !$session->sid_super )
+    {
+      return $lang->get('etc_access_denied_need_reauth');
+    }
     $e = $db->sql_query('DELETE FROM ' . table_prefix.'logs WHERE page_id=\'' . $db->escape($page_id) . '\' AND namespace=\'' . $db->escape($namespace) . '\';');
     if(!$e) $db->_die('The log entries could not be deleted.');
     
@@ -1148,6 +1152,12 @@
       return $lang->get('ajax_delete_need_reason');
     }
     if(!$perms->get_permissions('delete_page')) return('Administrative privileges are required to delete pages, you loser.');
+    
+    if ( !$session->sid_super )
+    {
+      return $lang->get('etc_access_denied_need_reauth');
+    }
+    
     $e = $db->sql_query('INSERT INTO ' . table_prefix.'logs(time_id,date_string,log_type,action,page_id,namespace,author,edit_summary) VALUES('.time().', \''.enano_date('d M Y h:i a').'\', \'page\', \'delete\', \'' . $page_id . '\', \'' . $namespace . '\', \'' . $session->username . '\', \'' . $db->escape(htmlspecialchars($reason)) . '\')');
     if(!$e) $db->_die('The page log entry could not be inserted.');
     $e = $db->sql_query('DELETE FROM ' . table_prefix.'categories WHERE page_id=\'' . $page_id . '\' AND namespace=\'' . $namespace . '\'');
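Review bot: The three `$session->sid_super` checks added to pageutils.php (this hunk, the flushlogs hunk above and the aclmanager hunk below) carry no comment, and the property name does not say what "super" means; a reader has to know that it presumably flags a session that completed a live re-auth — confirm against the session class. A one-line comment on each, e.g. `// destructive action: require an elevated (re-authenticated) session, not just the permission`, would make the intent clear, and correctly documents that the permission test above it is still the primary gate. All three enclosing functions start outside their hunks.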
@@ -1681,6 +1691,13 @@
         'error' => $lang->get('acl_err_access_denied')
         );
     }
+    if ( !$session->sid_super )
+    {
+      return Array(
+        'mode' => 'error',
+        'error' => $lang->get('etc_access_denied_need_reauth')
+        );
+    }
     $parms['page_id'] = ( isset($parms['page_id']) ) ? $parms['page_id'] : false;
     $parms['namespace'] = ( isset($parms['namespace']) ) ? $parms['namespace'] : false;
     $page_id =& $parms['page_id'];
--- a/index.php	Mon Apr 13 14:43:28 2009 -0400
+++ b/index.php	Mon Apr 13 16:57:20 2009 -0400
@@ -329,6 +329,11 @@
       $template->footer();
       break;
     case 'protect':
+      if ( !$session->sid_super )
+      {
+        redirect(makeUrlNS('Special', "Login/{$paths->page}", 'target_do=protect&level=' . $session->user_level, false), $lang->get('etc_access_denied_short'), $lang->get('etc_access_denied_need_reauth'), 0);
+      }
+      
       if ( isset($_POST['level']) && isset($_POST['reason']) )
       {
         $level = intval($_POST['level']);
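Review bot: In the `protect` case the re-auth redirect is the first statement after the case label, while in the flushlogs, deletepage and aclmanager cases below it comes after the `die_friendly` access-denied check; here a user who lacks the protect permission is bounced to the login page, re-authenticates, and is only then refused (presumably by the check inside PageProcessor that the pageprocess.php hunk sits beside — confirm). Moving this block after the permission test, or adding the same permission test in front of it, would align the four cases. The redirect also discards the submitted `level`/`reason` POST fields, so a user who re-authenticates returns to the form rather than to a completed action; that is acceptable but worth a comment such as `// POST data is intentionally not forwarded; the user re-submits after re-auth`.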
@@ -442,6 +447,10 @@
       {
         die_friendly($lang->get('etc_access_denied_short'), '<p>' . $lang->get('etc_access_denied') . '</p>');
       }
+      if ( !$session->sid_super )
+      {
+        redirect(makeUrlNS('Special', "Login/{$paths->page}", 'target_do=flushlogs&level=' . $session->user_level, false), $lang->get('etc_access_denied_short'), $lang->get('etc_access_denied_need_reauth'), 0);
+      }
       require_once(ENANO_ROOT.'/includes/pageutils.php');
       if(isset($_POST['_downthejohn']))
       {
@@ -517,6 +526,11 @@
       {
         die_friendly($lang->get('etc_access_denied_short'), '<p>' . $lang->get('etc_access_denied') . '</p>');
       }
+      if ( !$session->sid_super )
+      {
+        redirect(makeUrlNS('Special', "Login/{$paths->page}", 'target_do=deletepage&level=' . $session->user_level, false), $lang->get('etc_access_denied_short'), $lang->get('etc_access_denied_need_reauth'), 0);
+      }
+      
       require_once(ENANO_ROOT.'/includes/pageutils.php');
       if(isset($_POST['_adiossucker']))
       {
@@ -620,6 +634,11 @@
       die_friendly($lang->get('page_detag_success_title'), '<p>' . $lang->get('page_detag_success_body') . '</p>');
       break;
     case 'aclmanager':
+      if ( !$session->sid_super )
+      {
+        redirect(makeUrlNS('Special', "Login/{$paths->page}", 'target_do=aclmanager&level=' . $session->user_level, false), $lang->get('etc_access_denied_short'), $lang->get('etc_access_denied_need_reauth'), 0);
+      }
+      
       require_once(ENANO_ROOT.'/includes/pageutils.php');
       $data = ( isset($_POST['data']) ) ? $_POST['data'] : Array('mode' => 'listgroups');
       PageUtils::aclmanager($data);
--- a/language/english/core.json	Mon Apr 13 14:43:28 2009 -0400
+++ b/language/english/core.json	Mon Apr 13 16:57:20 2009 -0400
@@ -123,6 +123,7 @@
       err_access_denied_siteadmin: 'site administrator',
       err_seeking_living_among_dead: 'You are trying to un-delete a page that has since been restored.\n\n"But the men said to them, \'Why do you look for the living among the dead?\'" (Luke 24:5b/NIV)',
       err_access_denied: 'Access to that action is denied.',
+      err_access_denied_need_reauth: '%this.etc_access_denied_need_reauth%',
       err_invalid_parameter: 'An invalid value (parameter) was sent to this action.',
       err_rb_action_not_supported: 'Rolling back actions of type "%action%" isn\'t supported.',
       err_rb_file_rename_failed: 'Could not rename the file to its new name (1.1.x format)',
@@ -759,6 +760,7 @@
       // Generic "Access denied"
       access_denied: 'Access to the specified file, resource, or action is denied.',
       access_denied_short: 'Access denied',
+      access_denied_need_reauth: 'You need to re-authenticate before you can do that.',
       return_to_page: 'Return to the page',
       invalid_request_short: 'Invalid request',
       // Message box buttons
--- a/plugins/SpecialUserFuncs.php	Mon Apr 13 14:43:28 2009 -0400
+++ b/plugins/SpecialUserFuncs.php	Mon Apr 13 16:57:20 2009 -0400
@@ -344,8 +344,6 @@
            </tr>
            <?php
          }
-         ?>
-         <?php
          $code = $plugins->setHook('login_form_html');
          foreach ( $code as $cmd )
          {
@@ -450,6 +448,29 @@
       <?php endif; ?>
       <?php
       echo $session->generate_aes_form();
+      
+      // Any additional parameters that need to be passed back?
+      if ( $p = $paths->getAllParams() )
+      {
+        // ... only if we have a return_to destination.
+        $get_fwd = $_GET;
+        unset($get_fwd['do']);
+        if ( isset($get_fwd['target_do']) )
+        {
+          $get_fwd['do'] = $get_fwd['target_do'];
+          unset($get_fwd['target_do']);
+        }
+        if ( isset($get_fwd['level']) )
+          unset($get_fwd['level']);
+        if ( isset($get_fwd['title']) )
+          unset($get_fwd['title']);
+        
+        if ( !empty($get_fwd) )
+        {
+          $get_string = htmlspecialchars(enano_json_encode($get_fwd));
+          echo '<input type="hidden" name="get_fwd" value="' . $get_string . '" />';
+        }
+      }
       ?>
     </form>
     <?php
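Review bot: The comment `// ... only if we have a return_to destination.` does not match the condition, which tests `$paths->getAllParams()` and assigns the result to `$p` that is never used; write it as `if ( $paths->getAllParams() )` with a comment describing what the parameters signify (presumably the page to return to — confirm). The block forwards every key of `$_GET` except `do`, `target_do`, `level` and `title`, so any query parameter present on the login URL is reflected into the post-login redirect; since index.php only ever sends `target_do` and `level`, an explicit list of the keys worth forwarding would be narrower and self-documenting. Wrapping the JSON in `htmlspecialchars()` for the attribute is correct.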
@@ -560,11 +581,29 @@
     {
       $result = $session->login_without_crypto($_POST['username'], $password, false, intval($_POST['auth_level']), $captcha_hash, $captcha_code, isset($_POST['remember']));
     }
-   
+    
     if($result['success'])
     {
       $session->start();
       
+      $get_add = false;
+      if ( isset($_POST['get_fwd']) )
+      {
+        try
+        {
+          $get_fwd = enano_json_decode($_POST['get_fwd']);
+          $get_add = '';
+          foreach ( $get_fwd as $key => $value )
+          {
+            $get_add .= "&{$key}=" . urlencode($value);
+          }
+          $get_add = ltrim($get_add, '&');
+        }
+        catch ( Exception $e )
+        {
+        }
+      }
+      
       $template->load_theme($session->theme, $session->style);
       if(isset($_POST['return_to']))
       {
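Review bot: `$get_fwd` comes straight from `$_POST`, so the `foreach` runs over whatever the client sent: a non-array decode result triggers a warning, an array-valued entry makes `urlencode($value)` fail, and `$key` is never encoded although it is placed in the query string; the empty `catch ( Exception $e )` hides all of that. Validate the shape before building the string and treat decode failures explicitly; the rewritten block is below. Whether `enano_json_decode` throws or returns null on malformed input is not visible here, hence the `is_array` test in addition to the catch.
```php
      $get_add = false;
      if ( isset($_POST['get_fwd']) && is_string($_POST['get_fwd']) )
      {
        try
        {
          $get_fwd = enano_json_decode($_POST['get_fwd']);
          $get_add = '';
          if ( is_array($get_fwd) )
          {
            foreach ( $get_fwd as $key => $value )
            {
              // only scalars can live in a query string; encode the key as well
              if ( is_scalar($value) )
                $get_add .= '&' . urlencode($key) . '=' . urlencode($value);
            }
          }
          $get_add = ltrim($get_add, '&');
        }
        catch ( Exception $e )
        {
          // malformed get_fwd: fall back to a plain redirect
          $get_add = false;
        }
      }
```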
@@ -573,7 +612,7 @@
             'username' => $session->username,
             'redir_target' => $name
           );
-        redirect( makeUrl($_POST['return_to'], false, true), $lang->get('user_login_success_title'), $lang->get('user_login_success_body', $subst) );
+        redirect( makeUrl($_POST['return_to'], $get_add), $lang->get('user_login_success_title'), $lang->get('user_login_success_body', $subst) );
       }
       else
       {
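Review bot: The replacement `makeUrl($_POST['return_to'], $get_add)` drops the third argument `true` that the old call passed (and the main-page call in the next hunk does the same); if that flag controlled HTML-friendly escaping of the query string, dropping it is the right thing for a `redirect()` target, but the commit message does not say so and a comment would, e.g. `// raw query string: this URL goes into a redirect, not into HTML`. Note also that `$get_add` is `false` when no `get_fwd` was posted but `''` when it decoded to an empty set; if `makeUrl` treats those differently, normalise to one value before the call.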
@@ -581,7 +620,7 @@
             'username' => $session->username,
             'redir_target' => $lang->get('user_login_success_body_mainpage')
           );
-        redirect( makeUrl(get_main_page(), false, true), $lang->get('user_login_success_title'), $lang->get('user_login_success_body', $subst) );
+        redirect( makeUrl(get_main_page(), $get_add), $lang->get('user_login_success_title'), $lang->get('user_login_success_body', $subst) );
       }
     }
     else