# =====================================================================
# getAttachment: W-TW private page attachment visualizer.
#
# Copyright (c) 2007,2008,2009,2010 Carlo Strozzi
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; version 2 dated June, 1991.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
#
# =====================================================================

# =====================================================================
# Local variables and functions
# =====================================================================

# Defaults for the request arguments. Everything is empty except the
# file extension, which falls back to 'bin'.
cgi.group = ()
cgi.group.literal = ()
cgi.page = ()
cgi.page.literal = ()
cgi.attname = ()
cgi.fileext = bin

# =====================================================================
# Main program
# =====================================================================

# NOTE(review): presumably this fills the cgi.* variables above from the
# GET query string. csaGetArgs is defined outside this file, so whether
# it restricts the characters allowed in each value (for instance '/' or
# '..' in cgi.attname) cannot be seen here -- confirm, because
# cgi.attname ends up in a file path at the bottom of this script.
csaGetArgs GET

# Disabled debugging hook (kept commented out).
#~ $REMOTE_ADDR 192.168.1.2 && csaExit.env

. $CSA_ROOT/lib/group-stuff.rc

. $CSA_ROOT/lib/page-stuff.rc

. $CSA_ROOT/lib/group-editor.rc

# Check required args.
~ $'cgi.attname' () && csaExit.fault 0038

# Cleared here so that the test after the lookup below only succeeds
# when the lookup itself has set it.
tbl_att.k_attach = ()

# If the specified attachment does not exist it means that the relevant URL
# was typed manually by the user so simply redirect to the default page.
# This will also save us a further check to block invalid file extensions
# possibly specified by the user in the URL.
#
# NOTE(review): this lookup is the only visible gate between the
# request-supplied cgi.attname and the file path served at the end.
# How strictly keysearch matches the key (exact or looser) is not shown
# here -- confirm.
# NOTE(review): the lookup result is converted by csa-tbl2rc and then
# sourced as rc code, so this relies on csa-tbl2rc quoting table values
# safely -- confirm. The '. $tmp1' after the ';' appears to run even when
# the csaIsFullPath test fails; $tmp1 is set outside this file, so
# confirm it cannot hold stale content in that case.

csaIsFullPath --exists --quiet $tw_pstem+att &&
   keysearch wiki/$'cgi.attname' $tw_pstem+att |
      csa-tbl2rc --prefix tbl_att. > $tmp1; . $tmp1

#~ $REMOTE_ADDR 192.168.1.2 && csaExit.env

# No matching attachment record: redirect to the group's default page.
~ $'tbl_att.k_attach' () &&
   csaExit.location $CSA_RPC_URI/$CSA_LANG/$'cgi.group'/$TNS_GROUP_HOME(2)

# Private attachments of a hidden page are also hidden to non-editors
# for the present run if:
#
# 1) the relevant page is already hidden.
# 2) the relevant page has expired.
# 3) the requesting user is not an editor.
# 4) TNS_GROUP_MISC_PROP(6) is 'true'.
#
# Note that page-expiration is done regardless of whether the page
# has possibly been redirected, which is irrelevant here.

# An expired page that is not yet marked hidden gets the leading '-'
# marker added to its description, for this run only.
!~ $'tbl_page.p_descr' -* &&
   ~ `{expr $CSA_TIME_ISO '>=' $'tbl_page.p_etime'} 1 &&
   !~ ,$TNS_AUTH_GRP, *,editor,* &&
   csaTrue $TNS_GROUP_MISC_PROP(6) &&
   tbl_page.p_descr = -$'tbl_page.p_descr'

# A non-editor asking for an attachment of a hidden page is redirected
# to the same default page as for a missing attachment.
!~ ,$TNS_AUTH_GRP, *,editor,* && ~ $'tbl_page.p_descr' -* &&
   csaTrue $TNS_GROUP_MISC_PROP(6) &&
   csaExit.location $CSA_RPC_URI/$CSA_LANG/$'cgi.group'/$TNS_GROUP_HOME(2)

# Set page name to return to after successful authentication, in case
# the requested object requires restricted access. Note that I send the
# user to the parent object (supposedly a web page) rather than directly
# to the failing link, as the latter may not necessarily be a web page
# or other MIME type that can be displayed directly in the browser.
# Redirecting to a non-browser object would work, but then the browser
# would simply pop up the relevant save/open dialog to the user, without
# moving from the missing authentication page. Note the further
# escaping of selected URI-encoded characters, see the CSA library
# function '_uriencode()' for more information.
#
# NOTE(review): HTTP_REFERER is a client-supplied header, and the sed
# below only re-escapes %26, %2F, %3D and %3F. If the stored value is
# later used as a redirect target, the code that consumes it should
# check that it points back to this site -- confirm in that code.

csaIsInteractive && csaSession.set \
   ``$nl{echo $HTTP_REFERER | sed 's/%\(2[6Ff]\|3[dDfF]\)/%25\1/g'} 18

# Check authorizations. An empty group list means that everyone can get
# the attachment. Editors are allowed to access attachments in any case.

if (!~ $'tbl_att.a_allow' ()) {
   if (!csvMatch $TNS_AUTH_GRP $'tbl_att.a_allow',editor) {

      # Show self-registration form if appropriate.
      csaIsInteractive && ~ $TNS_SELFREG_AUTH *[a-z]* &&
         csaTrue $TNS_SELFREG_AUTOASK &&
         csaExit.location $CSA_RPC_URI'?0=showStatic&x-csa-lang='$CSA_LANG^'&1='$'cgi.group'^'&2=tw-reg-form'

      # Otherwise the request is refused with an authentication demand.
      csaExit.needauth
   }
}

# Locate the correct MIME type.
#
# The awk program skips blank and comment lines of /etc/mime.types and
# prints the type (first field) of the first line that lists the
# extension among its remaining fields.
#
# NOTE(review): the extension comes from cgi.fileext, not from the
# attachment record, so it looks as if the requester can influence the
# Content-Type a stored file is served with. If attachments can be
# uploaded by less trusted users, consider deriving the extension from
# the stored attachment name or serving active types as downloads --
# confirm how csaGetArgs populates cgi.fileext.
mime_type=`{_awk '-vext_='$'cgi.fileext' -- \
   '/^[ \t]*(#|$)/{next}
   {for(i=2;i<=NF;i++){if($i==ext_){print $1;exit}}}' /etc/mime.types}

# Unknown extension: fall back to a generic binary type.
~ $mime_type () && mime_type = application/octet-stream

# The served path is built from the request-supplied attachment name;
# the only validation visible in this file is the record lookup above.
csaExit.bdata --mime $mime_type $tw_pstem+$'cgi.attname'

# End of program.