@recaptime-dev's working patches + fork for Phorge, a community fork of Phabricator. (Upstream dev and stable branches are at upstream/main and upstream/stable respectively.)
hq.recaptime.dev/wiki/Phorge
phorge
phabricator
Phriction - lock down /project/ wiki docs
Summary:
only show the blank, "create new" wiki page for the project if the project actually exists; only allow edit if the project actually exists.
Small wrinkle here is not checking if the project actually exists if the page already exists.
Test Plan:
- viewed a project wiki page
- viewed a prokect wiki page for a fake project and got a 404
- edited a project wiki page
- edited a project wiki page for a fake project and got a 404
Reviewers: epriestley, jacktrades
Reviewed By: epriestley
CC: aran, Koolvin
Maniphest Tasks: T1248
Differential Revision: https://secure.phabricator.com/D2506
+35
-14
+26
-14
src/applications/phriction/controller/document/PhrictionDocumentController.php
+26
-14
src/applications/phriction/controller/document/PhrictionDocumentController.php
···
50
50
$version_note = null;
51
51
52
52
if (!$document) {
53
-
$create_uri = '/phriction/edit/?slug='.$slug;
54
53
55
-
$page_content =
56
-
'<div class="phriction-content">'.
57
-
'<em>No content here!</em><br />'.
58
-
'No document found at <tt>'.phutil_escape_html($slug).'</tt>. '.
59
-
'You can <strong>'.
60
-
phutil_render_tag(
61
-
'a',
62
-
array(
63
-
'href' => $create_uri,
64
-
),
65
-
'create a new document').'</strong>.'.
66
-
'</div>';
67
-
$page_title = 'Page Not Found';
54
+
if (PhrictionDocument::isProjectSlug($slug)) {
55
+
$project = id(new PhabricatorProject())->loadOneWhere(
56
+
'phrictionSlug = %s',
57
+
PhrictionDocument::getProjectSlugIdentifier($slug));
58
+
if (!$project) {
59
+
return new Aphront404Response();
60
+
}
61
+
}
62
+
$create_uri = '/phriction/edit/?slug='.$slug;
63
+
$create_sentence =
64
+
'You can <strong>'.
65
+
phutil_render_tag(
66
+
'a',
67
+
array(
68
+
'href' => $create_uri,
69
+
),
70
+
'create a new document').
71
+
'</strong>.';
68
72
$button = phutil_render_tag(
69
73
'a',
70
74
array(
···
72
76
'class' => 'green button',
73
77
),
74
78
'Create Page');
79
+
80
+
$page_content =
81
+
'<div class="phriction-content">'.
82
+
'<em>No content here!</em><br />'.
83
+
'No document found at <tt>'.phutil_escape_html($slug).'</tt>. '.
84
+
$create_sentence.
85
+
'</div>';
86
+
$page_title = 'Page Not Found';
75
87
$buttons = $button;
76
88
} else {
77
89
$version = $request->getInt('v');
+8
src/applications/phriction/controller/edit/PhrictionEditController.php
+8
src/applications/phriction/controller/edit/PhrictionEditController.php
···
66
66
if ($document) {
67
67
$content = id(new PhrictionContent())->load($document->getContentID());
68
68
} else {
69
+
if (PhrictionDocument::isProjectSlug($slug)) {
70
+
$project = id(new PhabricatorProject())->loadOneWhere(
71
+
'phrictionSlug = %s',
72
+
PhrictionDocument::getProjectSlugIdentifier($slug));
73
+
if (!$project) {
74
+
return new Aphront404Response();
75
+
}
76
+
}
69
77
$document = new PhrictionDocument();
70
78
$document->setSlug($slug);
71
79
+1
src/applications/phriction/controller/edit/__init__.php
+1
src/applications/phriction/controller/edit/__init__.php
···
13
13
phutil_require_module('phabricator', 'applications/phriction/editor/document');
14
14
phutil_require_module('phabricator', 'applications/phriction/storage/content');
15
15
phutil_require_module('phabricator', 'applications/phriction/storage/document');
16
+
phutil_require_module('phabricator', 'applications/project/storage/project');
16
17
phutil_require_module('phabricator', 'infrastructure/celerity/api');
17
18
phutil_require_module('phabricator', 'infrastructure/env');
18
19
phutil_require_module('phabricator', 'infrastructure/javelin/api');