This is an automated email from the ASF dual-hosted git repository. juanpablo pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/jspwiki.git
commit d223f2a4e14e0d569231a9f30952a52d96482a38
Author: juanpablo <[email protected]>
AuthorDate: Sat Mar 28 18:25:01 2020 +0100
Honor page ACLs on SisterSites.jsp + proper attachment detection
---
jspwiki-war/src/main/webapp/SisterSites.jsp | 30 +++++++++++++++--------------
1 file changed, 16 insertions(+), 14 deletions(-)
diff --git a/jspwiki-war/src/main/webapp/SisterSites.jsp b/jspwiki-war/src/main/webapp/SisterSites.jsp
index 18aad79..90481cc 100644
--- a/jspwiki-war/src/main/webapp/SisterSites.jsp
+++ b/jspwiki-war/src/main/webapp/SisterSites.jsp
@@ -22,7 +22,10 @@
 <%@ page import="org.apache.log4j.*" %>
 <%@ page import="org.apache.wiki.api.core.*" %>
 <%@ page import="org.apache.wiki.api.spi.Wiki" %>
+<%@ page import="org.apache.wiki.attachment.AttachmentManager" %>
 <%@ page import="org.apache.wiki.auth.AuthorizationManager" %>
+<%@ page import="org.apache.wiki.auth.permissions.*" %>
+<%@ page import="org.apache.wiki.pages.PageManager" %>
 <%@ page import="org.apache.wiki.preferences.Preferences" %>
 <%@ page import="org.apache.wiki.references.ReferenceManager" %>
 <%@ page import="org.apache.wiki.rss.*" %>
@@ -32,28 +35,27 @@ %> <% /* - * This JSP creates support for the SisterSites standard, - * as specified by http://usemod.com/cgi-bin/mb.pl?SisterSitesImplementationGuide - * - * FIXME: Does not honor the ACL's on the pages. + * This JSP creates support for the SisterSites standard, as specified by + * http://usemod.com/cgi-bin/mb.pl?SisterSitesImplementationGuide */ Engine wiki = Wiki.engine().find( getServletConfig() ); // Create wiki context and check for authorization Context wikiContext = Wiki.context().create( wiki, request, ContextEnum.PAGE_RSS.getRequestContext() ); - if(!wiki.getManager( AuthorizationManager.class ).hasAccess( wikiContext, response )) return; + if( !wiki.getManager( AuthorizationManager.class ).hasAccess( wikiContext, response ) ) return; Set< String > allPages = wiki.getManager( ReferenceManager.class ).findCreated(); response.setContentType("text/plain; charset=UTF-8"); - for( Iterator< String > i = allPages.iterator(); i.hasNext(); ) { - String pageName = i.next(); - + for( String pageName : allPages ) { // Let's not add attachments. - // TODO: This is a kludge and not forward-compatible. - - if( pageName.indexOf("/") != -1 ) continue; - String url = wikiContext.getViewURL( pageName ); - - out.write( url + " " + pageName + "\n" ); + if( wiki.getManager( AttachmentManager.class ).getAttachmentInfoName( wikiContext, pageName ) != null ) continue; + + Page wikiPage = wiki.getManager( PageManager.class ).getPage( pageName ); + PagePermission permission = PermissionFactory.getPagePermission( wikiPage, "view" ); + boolean allowed = wiki.getManager( AuthorizationManager.class ).checkPermission( wikiContext.getWikiSession(), permission ); + if( allowed ) { + String url = wikiContext.getViewURL( pageName ); + out.write( url + " " + pageName + "\n" ); + } } %> \ No newline at end of file
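Review bot: The result of `getPage( pageName )` in the new loop body is handed straight to `PermissionFactory.getPagePermission( wikiPage, "view" )` with no null check. The names come from `ReferenceManager.findCreated()`, so a page that is deleted or cannot be loaded between the two lookups would presumably come back as null and throw inside the permission factory, aborting the listing after part of it has already been written to `out`. Adding `if( wikiPage == null ) continue;` before the permission is built keeps the ACL check fail-closed per entry without taking the whole response down. The three `wiki.getManager( … )` lookups are also repeated for every page and could be hoisted into locals above the `for`.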
