acl scheme for [wiki] special pages

[shellwiki] / handlers / 20_attachment.sh

diff --git a/handlers/20_attachment.sh b/handlers/20_attachment.sh
index 63b42b4ea14058665ad850069e9082167153dd4a..1e0719037ee0d4642601abb1141ad456dbe64d2b 100755 (executable)
--- a/handlers/20_attachment.sh
+++ b/handlers/20_attachment.sh
@@ -2,6 +2,8 @@
 
 . "$_EXEC/cgilite/file.sh"
 
+# REV_ATTACHMENTS="${REV_ATTACHMENTS:-false}"
+
 attachment_convert(){
   local attpath="$1"
   local cachepath="${attpath%/#attachments/*}/#cache/${attpath#*/#attachments/}"
@@ -61,6 +63,7 @@ attachment_convert(){
       printf %s "$attpath"
       return 0
     ;;
+    *) printf "$attpath";;
   esac
 }
 
@@ -75,49 +78,17 @@ case ${PATH_INFO} in
     ;;
   */\[attachment\])
     # show attachment page
-    # receive uploads
-    tsid="$(POST session_key)"; tsid="${tsid%% *}"
-    attachment_delete="$(POST delete)"
     page="${PATH_INFO%\[attachment\]}"
 
     if [ ! -d "$_DATA/pages${page}" -a ! -d "$_DATA/pages${page}" ]; then
       # base page does not exist
       return 1
-    elif [ "${CONTENT_TYPE%%;*}" = "multipart/form-data" ] && acl_write "${page}"; then
-      . "$_EXEC/multipart.sh"
-      multipart_cache
-
-      # Validate session id from form to prevent CSRF
-      # Only validate if username is present, because no username means
-      # anonymous uploads are allowed via acl and cgilite/session.sh does not
-      # validate anonymous sessions from a multipart/formdata
-      if [ "$USER_NAME" -a "$(multipart session_id)" != "$SESSION_ID" ]; then
-        rm -- "$multipart_cachefile"
-        printf 'Refresh: %i\r\n' 4
-        theme_error 403
-        return 0
-      fi
-
-      mkdir -p "$_DATA/pages${page}#attachments/"
-      n=1; while filename=$(multipart_filename "file" "$n"); do
-        filename="$(printf %s "$filename" |tr /\\0 __)"
-        multipart "file" "$n" >"$_DATA/pages${page}#attachments/$filename"
-        n=$((n + 1))
-      done
-      rm -- "$multipart_cachefile"
-      REDIRECT "${_BASE}${PATH_INFO}"
     elif [ "${CONTENT_TYPE%%;*}" = "multipart/form-data" ]; then
-      printf 'Refresh: %i\r\n' 4
-      theme_error 403
-      head -c $((CONTENT_LENGTH)) >/dev/null
-      return 0
-    elif [ "$attachment_delete" -a "$SESSION_ID" = "$tsid" ]; then
-      rm -- "$_DATA/pages${page}#attachments/$attachment_delete"
-      REDIRECT "${_BASE}${PATH_INFO}"
-    elif [ "$attachment_delete" ]; then
-      printf 'Refresh: %i\r\n' 4
-      theme_error 403
-      return 0
+      # pass uploads to next handler
+      return 1
+    elif [ "$(POST action)" ]; then
+      # pass edits to next handler
+      return 1
     elif ! acl_read "${page}"; then
       theme_error 403
       return 0