From e11876b7003c700fbc3717ca9c5af5aac3b72ac2 Mon Sep 17 00:00:00 2001 From: Joey Hess Date: Thu, 11 Feb 2010 18:25:10 -0500 Subject: [PATCH] httpauth: Add httpauth_pagespec setting that can be used to limit pages to only being edited via users authed with httpauth. --- IkiWiki.pm | 7 +++- IkiWiki/Plugin/httpauth.pm | 75 ++++++++++++++++++++++++++++---------- debian/changelog | 2 + doc/plugins/httpauth.mdwn | 9 +++++ 4 files changed, 72 insertions(+), 21 deletions(-) diff --git a/IkiWiki.pm b/IkiWiki.pm index 2a0132745..de7dbfc79 100644 --- a/IkiWiki.pm +++ b/IkiWiki.pm @@ -941,7 +941,12 @@ sub linkpage ($) { sub cgiurl (@) { my %params=@_; - return $config{cgiurl}."?". + my $cgiurl=$config{cgiurl}; + if (exists $params{cgiurl}) { + $cgiurl=$params{cgiurl}; + delete $params{cgiurl}; + } + return $cgiurl."?". join("&", map $_."=".uri_escape_utf8($params{$_}), keys %params); } diff --git a/IkiWiki/Plugin/httpauth.pm b/IkiWiki/Plugin/httpauth.pm index d0d4da0b7..202ca1153 100644 --- a/IkiWiki/Plugin/httpauth.pm +++ b/IkiWiki/Plugin/httpauth.pm @@ -9,10 +9,10 @@ use IkiWiki 3.00; sub import { hook(type => "getsetup", id => "httpauth", call => \&getsetup); hook(type => "auth", id => "httpauth", call => \&auth); - hook(type => "canedit", id => "httpauth", call => \&canedit, - last => 1); hook(type => "formbuilder_setup", id => "httpauth", call => \&formbuilder_setup); + hook(type => "canedit", id => "httpauth", call => \&canedit); + hook(type => "pagetemplate", id => "httpauth", call => \&pagetemplate); } sub getsetup () { @@ -28,13 +28,20 @@ sub getsetup () { safe => 1, rebuild => 0, }, + httpauth_pagespec => { + type => "pagespec", + example => "!*/Discussion", + description => "PageSpec of pages where only httpauth will be used for authentication", + safe => 0, + rebuild => 0, + }, } -sub redir_cgiauthurl ($$) { +sub redir_cgiauthurl ($;@) { my $cgi=shift; - my $params=shift; - IkiWiki::redirect($cgi, $config{cgiauthurl}.'?'.$params); + IkiWiki::redirect($cgi, + IkiWiki::cgiurl(cgiurl => $config{cgiauthurl}, @_)); exit; } @@ -47,19 +54,6 @@ sub auth ($$) { } } -sub canedit ($$$) { - my $page=shift; - my $cgi=shift; - my $session=shift; - - if (! defined $cgi->remote_user() && defined $config{cgiauthurl}) { - return sub { redir_cgiauthurl($cgi, $cgi->query_string()) }; - } - else { - return undef; - } -} - sub formbuilder_setup (@) { my %params=@_; @@ -74,10 +68,51 @@ sub formbuilder_setup (@) { push @$buttons, $button_text; if ($form->submitted && $form->submitted eq $button_text) { - redir_cgiauthurl($cgi, "do=postsignin"); - exit; + # bounce thru cgiauthurl and then back to + # the stored postsignin action + redir_cgiauthurl($cgi, do => "postsignin"); } } } +sub test_httpauth_pagespec ($) { + my $page=shift; + + return defined $config{httpauth_pagespec} && + length $config{httpauth_pagespec} && + defined $config{cgiauthurl} && + pagespec_match($page, $config{httpauth_pagespec}); +} + +sub canedit ($$$) { + my $page=shift; + my $cgi=shift; + my $session=shift; + + if (! defined $cgi->remote_user() && test_httpauth_pagespec($page)) { + return sub { + IkiWiki::redirect($cgi, + $config{cgiauthurl}.'?'.$cgi->query_string()); + exit; + }; + } + else { + return undef; + } +} + +sub pagetemplate (@_) { + my %params=@_; + my $template=$params{template}; + + if ($template->param("editurl") && + test_httpauth_pagespec($params{page})) { + # go directly to cgiauthurl when editing a page matching + # the pagespec + $template->param(editurl => IkiWiki::cgiurl( + cgiurl => $config{cgiauthurl}, + do => "edit", page => $params{page})); + } +} + 1 diff --git a/debian/changelog b/debian/changelog index 3dd68558e..14be7ec69 100644 --- a/debian/changelog +++ b/debian/changelog @@ -19,6 +19,8 @@ ikiwiki (3.20100123) UNRELEASED; urgency=low alongside other authentication methods (like openid or anonok). Rather than always redirect to the cgiauthurl for authentication, there is now a button on the login form to use it. + * httpauth: Add httpauth_pagespec setting that can be used to limit + pages to only being edited via users authed with httpauth. -- Joey Hess Tue, 26 Jan 2010 22:25:33 -0500 diff --git a/doc/plugins/httpauth.mdwn b/doc/plugins/httpauth.mdwn index a7aac558b..0eda5554f 100644 --- a/doc/plugins/httpauth.mdwn +++ b/doc/plugins/httpauth.mdwn @@ -24,3 +24,12 @@ A typical setup is to make an `auth` subdirectory, and symlink `ikiwiki.cgi` into it. Then configure the web server to require authentication only for access to the `auth` subdirectory. Then `cgiauthurl` is pointed at this symlink. + +## using only httpauth for some pages + +If you want to only use httpauth for editing some pages, while allowing +other authentication methods to be used for other pages, you can +configure `httpauth_pagespec` in the setup file. This makes Edit +links on pages that match the [[ikiwiki/PageSpec]] automatically use +the `cgiauthurl`, and prevents matching pages from being edited by +users authentication via other methods.