accept form data for attachment deletion
authorPaul Hänsch <paul@plutz.net>
Thu, 9 Jun 2022 13:24:45 +0000 (15:24 +0200)
committerPaul Hänsch <paul@plutz.net>
Thu, 9 Jun 2022 13:24:45 +0000 (15:24 +0200)
handlers/20_attachment.sh

index ac73932a725b6f7ae195984f863148c6cacee0df..a1168978d769f5d57ce90829a5e1abed756c10fc 100755 (executable)
@@ -2,6 +2,8 @@
 
 . "$_EXEC/cgilite/file.sh"
 
+REV_ATTACHMENTS="${REV_ATTACHMENTS:-false}"
+
 attachment_convert(){
   local attpath="$1"
   local cachepath="${attpath%/#attachments/*}/#cache/${attpath#*/#attachments/}"
@@ -78,6 +80,7 @@ case ${PATH_INFO} in
     # show attachment page
     # receive uploads
     tsid="$(POST session_key)"; tsid="${tsid%% *}"
+    action="$(POST action)"
     attachment_delete="$(POST delete)"
     page="${PATH_INFO%\[attachment\]}"
 
@@ -88,6 +91,13 @@ case ${PATH_INFO} in
       . "$_EXEC/multipart.sh"
       multipart_cache
 
+      # Use positional parameters for filename collection
+      # The positional array is the only array available
+      # in plain posix shells, see the documentation for
+      # your shells "set" builtin for a hint to this
+      # obscure use mode
+      set --
+
       # Validate session id from form to prevent CSRF
       # Only validate if username is present, because no username means
       # anonymous uploads are allowed via acl and cgilite/session.sh does not
@@ -102,23 +112,55 @@ case ${PATH_INFO} in
       mkdir -p "$_DATA/pages${page}#attachments/"
       n=1; while filename=$(multipart_filename "file" "$n"); do
         filename="$(printf %s "$filename" |tr /\\0 __)"
+        set -- "$@" "pages${page}#attachments/$filename"
         multipart "file" "$n" >"$_DATA/pages${page}#attachments/$filename"
         n=$((n + 1))
       done
       rm -- "$multipart_cachefile"
+      if [ "$REV_ATTACHMENTS" = true ]; then
+        git -C "$_DATA" add -- "$@"
+        git -C "$_DATA" commit -qm "Attachments to # $page # uploaded by @ $USER_NAME @" -- "$@"
+      fi
       REDIRECT "${_BASE}${PATH_INFO}"
     elif [ "${CONTENT_TYPE%%;*}" = "multipart/form-data" ]; then
       printf 'Refresh: %i\r\n' 4
       theme_error 403
       head -c $((CONTENT_LENGTH)) >/dev/null
       return 0
-    elif [ "$attachment_delete" -a "$SESSION_ID" = "$tsid" ]; then
-      rm -- "$_DATA/pages${page}#attachments/$attachment_delete"
+    elif [ "$action" = delete -a "$SESSION_ID" = "$tsid" ] && acl_write "${page}"; then
+      set --
+      n="$(POST_COUNT select)"; while [ $n -gt 0 ]; do
+        delete="$(POST select $n |PATH)"
+        set -- "$@" "pages${page}#attachments/${delete##*/}"
+        n=$((n - 1))
+      done
+      if [ "$REV_ATTACHMENTS" = true ]; then
+        git -C "$_DATA" rm -- "$@"
+        git -C "$_DATA" commit -qm \
+            "Attachment to # $page # deleted by @ $USER_NAME @" -- "$@"
+      else
+        rm -- "$@"
+      fi
       REDIRECT "${_BASE}${PATH_INFO}"
-    elif [ "$attachment_delete" ]; then
+    elif [ "$action" = delete ]; then
       printf 'Refresh: %i\r\n' 4
       theme_error 403
       return 0
+    # elif [ "$attachment_delete" -a "$SESSION_ID" = "$tsid" ]; then
+    #   if [ "$REV_ATTACHMENTS" = true ]; then
+    #     git -C "$_DATA" rm -- \
+    #         "$_DATA/pages${page}#attachments/$attachment_delete"
+    #     git -C "$_DATA" commit -qm \
+    #         "Attachment to # $page # deleted by @ $USER_NAME @" -- \
+    #         "$_DATA/pages${page}#attachments/$attachment_delete"
+    #   else
+    #     rm -- "$_DATA/pages${page}#attachments/$attachment_delete"
+    #   fi
+    #   REDIRECT "${_BASE}${PATH_INFO}"
+    # elif [ "$attachment_delete" ]; then
+    #   printf 'Refresh: %i\r\n' 4
+    #   theme_error 403
+    #   return 0
     elif ! acl_read "${page}"; then
       theme_error 403
       return 0
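Review bot: The non-git fallback `rm -- "$@"` in the new delete branch acts on paths collected as `pages${page}#attachments/…`, without the `$_DATA/` prefix the removed `rm` used, so unless the handler's working directory happens to be `$_DATA` it misses the attachment or touches a different tree; `(cd "$_DATA" && rm -- "$@")` would match what the `git -C "$_DATA"` calls do. When no file was uploaded or no `select` field was posted, `"$@"` is empty, so `rm --` and `git rm --` fail, and `git commit … --` with no pathspec commits whatever is already staged in the index under this attachment message. Both the upload and the delete branch should test `[ $# -gt 0 ]` before these calls, and `$n` should be quoted in `[ $n -gt 0 ]` in case `POST_COUNT` prints nothing. The commented-out legacy branch and the now unused `attachment_delete="$(POST delete)"` assignment are dead code that could be dropped, since the old single-file path had no `acl_write` check and should not be revived by uncommenting. The enclosing `case` arm begins and continues outside this hunk.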