From ae1825c12e20290042327a3d2b2f4c168650be34 Mon Sep 17 00:00:00 2001 From: =?utf8?q?Paul=20H=C3=A4nsch?= Date: Thu, 9 Jun 2022 15:24:45 +0200 Subject: [PATCH] accept form data for attachment deletion --- handlers/20_attachment.sh | 48 ++++++++++++++++++++++++++++++++++++--- 1 file changed, 45 insertions(+), 3 deletions(-) diff --git a/handlers/20_attachment.sh b/handlers/20_attachment.sh index ac73932..a116897 100755 --- a/handlers/20_attachment.sh +++ b/handlers/20_attachment.sh @@ -2,6 +2,8 @@ . "$_EXEC/cgilite/file.sh" +REV_ATTACHMENTS="${REV_ATTACHMENTS:-false}" + attachment_convert(){ local attpath="$1" local cachepath="${attpath%/#attachments/*}/#cache/${attpath#*/#attachments/}" @@ -78,6 +80,7 @@ case ${PATH_INFO} in # show attachment page # receive uploads tsid="$(POST session_key)"; tsid="${tsid%% *}" + action="$(POST action)" attachment_delete="$(POST delete)" page="${PATH_INFO%\[attachment\]}" @@ -88,6 +91,13 @@ case ${PATH_INFO} in . "$_EXEC/multipart.sh" multipart_cache + # Use positional parameters for filename collection + # The positional array is the only array available + # in plain posix shells, see the documentation for + # your shells "set" builtin for a hint to this + # obscure use mode + set -- + # Validate session id from form to prevent CSRF # Only validate if username is present, because no username means # anonymous uploads are allowed via acl and cgilite/session.sh does not 
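Review bot: The `set --` added before the CSRF check discards whatever positional parameters were in effect. Since this handler leaves its branches with `return 0`, it is presumably sourced, in which case those are the caller's parameters. The new comment explains why `"$@"` serves as a list but not this side effect; I would add a line such as `# NOTE: this clears the caller's "$@"; nothing run after this handler may rely on it`. The delete branch in the last hunk resets `"$@"` itself, so this reset only serves the upload branch and could sit directly before the `while` loop that fills it. The enclosing `case` arm starts and ends outside this hunk.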
@@ -102,23 +112,55 @@ case ${PATH_INFO} in mkdir -p "$_DATA/pages${page}#attachments/" n=1; while filename=$(multipart_filename "file" "$n"); do filename="$(printf %s "$filename" |tr /\\0 __)" + set -- "$@" "pages${page}#attachments/$filename" multipart "file" "$n" >"$_DATA/pages${page}#attachments/$filename" n=$((n + 1)) done rm -- "$multipart_cachefile" + if [ "$REV_ATTACHMENTS" = true ]; then + git -C "$_DATA" add -- "$@" + git -C "$_DATA" commit -qm "Attachments to # $page # uploaded by @ $USER_NAME @" -- "$@" + fi REDIRECT "${_BASE}${PATH_INFO}" elif [ "${CONTENT_TYPE%%;*}" = "multipart/form-data" ]; then printf 'Refresh: %i\r\n' 4 theme_error 403 head -c $((CONTENT_LENGTH)) >/dev/null return 0 - elif [ "$attachment_delete" -a "$SESSION_ID" = "$tsid" ]; then - rm -- "$_DATA/pages${page}#attachments/$attachment_delete" + elif [ "$action" = delete -a "$SESSION_ID" = "$tsid" ] && acl_write "${page}"; then + set -- + n="$(POST_COUNT select)"; while [ $n -gt 0 ]; do + delete="$(POST select $n |PATH)" + set -- "$@" "pages${page}#attachments/${delete##*/}" + n=$((n - 1)) + done + if [ "$REV_ATTACHMENTS" = true ]; then + git -C "$_DATA" rm -- "$@" + git -C "$_DATA" commit -qm \ + "Attachment to # $page # deleted by @ $USER_NAME @" -- "$@" + else + rm -- "$@" + fi REDIRECT "${_BASE}${PATH_INFO}" - elif [ "$attachment_delete" ]; then + elif [ "$action" = delete ]; then printf 'Refresh: %i\r\n' 4 theme_error 403 return 0 + # elif [ "$attachment_delete" -a "$SESSION_ID" = "$tsid" ]; then + # if [ "$REV_ATTACHMENTS" = true ]; then + # git -C "$_DATA" rm -- \ + # "$_DATA/pages${page}#attachments/$attachment_delete" + # git -C "$_DATA" commit -qm \ + # "Attachment to # $page # deleted by @ $USER_NAME @" -- \ + # "$_DATA/pages${page}#attachments/$attachment_delete" + # else + # rm -- "$_DATA/pages${page}#attachments/$attachment_delete" + # fi + # REDIRECT "${_BASE}${PATH_INFO}" + # elif [ "$attachment_delete" ]; then + # printf 'Refresh: %i\r\n' 4 + # theme_error 403 + # 
return 0 elif ! acl_read "${page}"; then theme_error 403 return 0 -- 2.39.2
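Review bot: git reads every entry of `"$@"` as a pathspec, so in the delete branch glob characters in a submitted `select` value can match more files than the one named (unless the `PATH` filter removes them, which is not visible here), whereas the plain `rm -- "$@"` branch takes the name literally. The same holds for `git add` and `git commit` in the upload branch, because `tr /\\0 __` leaves `*`, `?` and `[` in the filename. Telling git to take the names literally removes the difference: `git --literal-pathspecs -C "$_DATA" rm -- "$@"`, and likewise for `add` and `commit`. Separately, a request with `action=delete` and no `select` field (or an upload with no `file` part) leaves `"$@"` empty, so `rm --` and `git rm --` fail and `git commit … --` without paths commits whatever is already staged in `$_DATA`; wrapping each git/rm block in `if [ $# -gt 0 ]; then … fi` and writing the loop test as `[ "${n:-0}" -gt 0 ]` covers both. The `case` arm and the `if`/`elif` chain these branches belong to start outside the hunk.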