Commit Graph

177 Commits (13331e8243ae1eb5fafc0de14fb98990aafafa9c)

Author SHA1 Message Date
Simon McVittie 4e2bfe1e17 comments: don't log remote IP address for signed-in users
The intention was that signed-in users (for instance via httpauth,
passwordauth or openid) are already adequately identified, but
there's nothing to indicate who an anonymous commenter is unless
their IP address is recorded.
2014-10-12 18:03:28 +01:00
Simon McVittie ef7c80258d comments: use comments_pagespec for authorization, not just UI 2014-07-04 23:27:43 +01:00
Joey Hess 81aa58e7ca comments: Write pending moderation comments to the transient underlay to avoid conflict with only_committed_changes. 2013-11-17 13:07:00 -04:00
Joey Hess 7dd110ba51 disable only_committed_changes when uncommitted files are created by plugins 2013-11-17 00:04:05 -04:00
Joey Hess 5038f36cba Merge branch 'restrict-comment-formats' of git://rtime.felk.cvut.cz/sojka/ikiwiki 2013-06-23 14:04:42 -04:00
Michal Sojka c42fd7d758 Add configuration to restrict the formats allowed for comments
I want to write my blog posts in a convenient format (Emacs org mode)
but do not want commenters to be able to use this format for security
reasons. This patch allows to configure which formats are allowed for
writing comments.

Effectively, it restricts the formats enabled with add_plugin to those
mentioned in comments_allowformats. If this is empty, all formats are
allowed, which is the behavior without this patch.
2013-03-05 11:00:29 +01:00
Joey Hess a3c1768e10 comments: Remove ipv6 address specific code. 2012-08-25 10:43:24 -04:00
Joey Hess a434e3ed8d remove unnecessary quoting 2012-04-08 15:56:53 -04:00
Simon McVittie 5674e7fc12 prune: do not prune beyond an optional base directory, and add a test
Previously, prune("wiki/srcdir/sandbox/test.mdwn") could delete srcdir
or even wiki, if they happened to be empty. This is rarely what you
want: there's usually some base directory (destdir, srcdir, transientdir
or another subdirectory of wikistatedir) beyond which you do not want to
delete.
2012-04-07 17:52:29 +01:00
Joey Hess c885ec66e0 allow users to subscribe to comments w/o registering
Technically, when the user does this, a passwordless account is created
for them. The notify mails include a login url, and once logged in that
way, the user can enter a password to get a regular account (although
one with an annoying username).

This all requires the passwordauth plugin is enabled. A future enhancement
could be to split the passwordless user concept out into a separate plugin.
2012-04-02 13:45:39 -04:00
Joey Hess 1916f97472 integrate comments plugin with notifyemail 2012-03-28 18:38:37 -04:00
Joey Hess a78126c55e calendar, prettydate: Fix strftime encoding bug
strftime is a C function, it does not return decoded utf8.
Several places in ikiwiki manually decoded it, but at least two
forgot to.

Also, strftime might not return even encoded utf8, if LC_TIME is set
to a non-utf8 value. Went ahead and supported decoding whatever encoding
it uses.

The remaining direct calls to strftime() are all ones that first set
LC_TIME=C, in order to get times that are not for human display.
2012-01-30 15:09:37 -04:00
Joey Hess b8bf318b91 remove x bit from comments.pm
how did that get set?
2011-12-27 11:37:28 -04:00
Simon McVittie aae95b8d54 comments: collect metadata in a scan-phase preprocess hook 2011-06-04 16:55:02 +01:00
Joey Hess bb44bac175 look up avatar at comment post time
There is a tension between looking up the avatar at post time
and build time. I have not yet decided which is better.

Lookup at build time has the benefit that if a user changes their
email address, or sets up their own federated libravatar
server, on rebuild their new avatar will show up.

It also allows getting a https version of the avatar easily if
the site was using http but was changed to use https.

And it can look up avatars for posts that have already been made.
Which is a nice thing, especially as we roll this out, eh?

But it has a drawback, that it depends on the sessiondb contents
for emails and so rebuilding a site w/o that will lose info.

And, it means dns lookups every time a comment is rendered. A page
with a lot of comments on it would render them all whenever another is
posted or the page is changed, and that could significantly slow things
down. (This could be amelorated by caching the lookups.)

Since I'm undecided, I have moved it into a function that could be called
either way. Currently looking up only at post time.
2011-03-30 11:24:01 -04:00
Joey Hess 51e8a4eeda check site url for https
HTTPS won't be set when rebuilding a site at the command line
2011-03-30 11:00:55 -04:00
Joey Hess f4262696ad robustness fix
Don't fail if libravatar fails for some reason. Reasons I can think
of:

* too old version to do openid lookups (fall back to email lookup)
* network problem perhaps
2011-03-30 10:54:24 -04:00
Joey Hess c8cf2d1ed7 indentation 2011-03-30 10:48:57 -04:00
Francois Marier e2e1b1cd20 comments: add OpenID-based avatars (libravatar.org)
This requires version 1.04 or later of Libravatar::URL.
2011-03-30 20:59:18 +13:00
Francois Marier 83056abb87 comments: serve avatars over https in https wikis 2011-03-30 20:59:17 +13:00
Francois Marier 7723e94218 comments: add avatar picture of comment author
Use Libravatar::URL to pull the avatar picture for the comment
author if we have an email address for him/her.
2011-03-30 20:59:17 +13:00
Joey Hess a0e31f38d5 comment: Better fix to avoid showing comments of subpages, while not breaking manual inlining of comments. 2011-03-28 11:53:55 -04:00
Joey Hess 6908406989 Revert "comment: Don't show comments of subpages on parent pages. (Fixes bug introduced in version 3.20100505.)"
This reverts commit b34d31142b.

This was the wrong approach. It broke inlining of comment(*) on eg, a
toplevel comment page.
2011-03-28 11:42:21 -04:00
Joey Hess b34d31142b comment: Don't show comments of subpages on parent pages. (Fixes bug introduced in version 3.20100505.) 2011-02-27 18:16:07 -04:00
Joey Hess 2be49b623a bleagh 2011-01-24 16:56:28 -04:00
Joey Hess dcfeaaad5b comments: Fix XSS security hole due to missing validation of page name.
Values have to be checked against wiki_file_regexp, not just file_pruned.
Audited the rest of the code base for similar problems, found none.
2011-01-22 10:15:33 -04:00
Joey Hess d991ccf134 use cgitemplate, remove misctemplate 2011-01-05 17:15:38 -04:00
Joey Hess 4a6ac6b485 add cgitemplate
cgitemplate is a modified misctemplate that takes an optional cgi object
and uses it to set the baseurl, and also optionally the forcebaseurl,
if a page is provided.

If no cgi object is provided, it will fall back to using $config{url}.
I expect this will only be needed in exceptional cases where
that doesn't much matter, such as cgierror().

showform uses cgitemplate, so there is no more need for showform_preview.
2011-01-05 17:06:11 -04:00
Joey Hess ea734d451c better handling of relative permalinks
This way, do=goto will go to the page relative to
the current location, while the permalinks in feeds
will be absolute (unless an url is not configured at all).
2011-01-05 16:26:09 -04:00
Joey Hess 3eabf323f0 Fix permalinks to recentchanges items and comments, broken by last release.
permalinks always need to be full urls
2011-01-05 15:22:55 -04:00
Joey Hess 8c9c3915ec Fix base url when previewing. Was broken by urlto changes in last release.
Added a showform_preview that is like showform, but sets forcebaseurl
to point to the page being previewed.
2011-01-05 13:50:42 -04:00
Joey Hess beae7ef9db editpage, comment: Clean up title when editing or creating a page or comment.
Now that page.tmpl is used for cgi, the parentlinks are able to be
displayed even when creating or editing a page. So it's redundant to
include the path to the page in the title, remove it.
2010-12-25 13:38:26 -04:00
Joey Hess 1182e9d0ee use one-parameter form of urlto 2010-11-29 15:07:26 -04:00
Simon McVittie 4625e0c4d9 Pass a CGIURL into commentmoderation.tmpl
Omitting this resulted <form action=""> which is in fact a working
self-referential form, but is less obvious than it ought to be.
2010-11-23 00:20:57 +00:00
Simon McVittie 1f019ac2aa Use local paths for most references to pages 2010-11-23 00:19:10 +00:00
Simon McVittie 296e5cb2fd Use local paths for the CGI URL 2010-11-23 00:12:17 +00:00
Simon McVittie d2e3741a6f Use local paths for redirection where possible 2010-11-23 00:00:11 +00:00
Joey Hess d8de98911e comments: Make comment() pagespec also match comments that are being posted. 2010-11-12 00:36:03 -04:00
Joey Hess 78de33d2ea comments: Make postcomment() pagespec work when previewing a comment. 2010-11-12 00:28:27 -04:00
Joey Hess fd2b2f386f Merge branch 'filter-full' 2010-07-12 15:35:40 -04:00
Joey Hess 7e3fb8b8a2 comments: Added commentmoderation directive for easy linking to the comment moderation queue. 2010-07-05 20:19:31 -04:00
Joey Hess e72ef3b070 comment: Fix problem moderating comments of certian pages with utf-8 in their name. 2010-07-04 16:19:22 -04:00
Joey Hess 192ce7a238 remove unnecessary and troublesome filter calls
This better defines what the filter hook is passed, to only be the raw,
complete text of a page. Not some snippet, or data read in from an
unrelated template.

Several plugins that filtered text that originates from an (already
filtered) page were modified not to do that. Note that this was not
done very consistently before; other plugins that receive text from a
page called preprocess on it w/o first calling filter.

The template plugin gets text from elsewhere, and was also changed not to
filter it. That leads to one known regression -- the embed plugin cannot
be used to embed stuff in templates now. But that plugin is deprecated
anyway.

Later we may want to increase the coverage of what is filtered. Perhaps
a good goal would be to allow writing a filter plugin that filters
out unwanted words, from any input. We're not there yet; not only
does the template plugin load unfiltered text from its templates now,
but so can the table plugin, and other plugins that use templates (like
inline!). I think we can cross that bridge when we come to it. If I wanted
such a censoring plugin, I'd probably make it use a sanitize hook instead,
for the better coverage.

For now I am concentrating on the needs of the two non-deprecated users
of filter. This should fix bugs/po_vs_templates, and it probably fixes
an obscure bug around txt's use of filter for robots.txt.
2010-07-04 15:06:48 -04:00
Joey Hess 9a32451986 finializing openid nickname support
Renamed usershort => nickname.

Note that this means existing user login sessions will not have the nickname
recorded, and so it won't be used for those.
2010-06-23 20:16:01 -04:00
Joey Hess ecdfd1b864 rcs_commit and rcs_commit_staged api changes
Using named parameters for these is overdue. Passing the session in a
parameter instead of passing username and IP separately will later allow
storing other session info, like username or part of the email.

Note that these functions are not part of the exported API,
and the prototype change will catch (most) skew, so I am not changing
API versions. Any third-party plugins that call them will need updated
though.
2010-06-23 19:04:36 -04:00
Joey Hess 4292802ee5 stop using REMOTE_ADDR
Everywhere that REMOTE_ADDR was used, a session object is available, so
instead use its remote_addr method.

In IkiWiki::Receive, stop setting a dummy REMOTE_ADDR.

Note that it's possible for a session cookie to be obtained using one IP
address, and then used from another IP. In this case, the first IP will now
be used. I think that should be ok.
2010-06-23 16:35:51 -04:00
Joey Hess cb4b999297 avoid dying if cannot chdir to an underlaydir 2010-06-17 16:54:03 -04:00
Joey Hess 86a43aefb4 Fix issues with combining unicode srcdirs and source files.
A short story:

  Once there was a unicode string, let's call him Srcdir.

  Along came a crufy old File::Find, who went through a tree and pasted each
  of the leaves in turn onto Srcdir. But this 90's relic didn't decode the
  leaves -- despite some of them using unicode! Poor Srcdir, with these
  leaves stuck on him, tainted them with his nice unicode-ness. They didn't
  look like leaves at all, but instead garbage.

(In other words, perl's unicode support sucks mightily, and drives
us all to drink and bad storytelling. But we knew that..)

So, srcdir is not normally flagged as unicode, because typically it's pure
ascii. And in that case, things work ok; File::Find finds filenames, which
are not yet decoded to unicode, and appends them to the srcdir, and then
decode_utf8 happily converts the whole thing.

But, if the srcdir does contain utf8 characters, that breaks. Or, if a Yaml
setup file is used, Yaml::Syck's implicitunicode sets the unicode flag of
*all* strings, even those containing only ascii. In either case, srcdir
has the unicode flag set; a non-decoded filename is appended, and the flag
remains set; and decode_utf8 sees the flag and does *nothing*. The result
is that the filename is not decoded, so looks valid and gets skipped.

File::Find only sticks the directory and filenames together in no_chdir
mode .. but we need that mode for security. In order to retain the
security, and avoid the problem, I made it not pass srcdir to File::Find.
Instead, chdir to the srcdir, and pass ".". Since "." is ascii, the problem
is avoided.

Note that chdir srcdir is safe because we check for symlinks in the srcdir
path.

Note that it takes care to chdir back to the starting location. Because
the user may have specified relative paths and so staying in the srcdir
might break. A relative path could even be specifed for an underlay dir, so
it chdirs back after each.
2010-06-15 17:13:46 -04:00
Joey Hess c0bc2d0839 editpage, comments: Fix broken links in sidebar (due to forcebaseurl). (Thanks, privat) 2010-06-14 14:34:52 -04:00
Joey Hess 1bdf98a4a0 let's allow comments of "0" 2010-06-09 17:47:49 -04:00