wiki.ohea.xyz/gollum
10
0
Fork 0
Code Issues Pull Requests 1 Packages Projects Releases Wiki Activity

Lockdown write access to custom.css and js

Browse Source
This commit is contained in:
Dawa Ometto
2018-10-02 23:56:46 +02:00
parent 6d4f97fdc4
commit f8673f565a
2 changed files with 23 additions and 20 deletions
Download Patch File Download Diff File Expand all files Collapse all files
lib/gollum/app.rb
+5 -5
View File
@@ -144,7 +144,11 @@ module Precious
end end
end end
get %r{\/edit\/custom.(js|css)} do get %r{\/(edit|create)\/custom.(js|css)} do
forbid
end
post %r{\/(deleteFile|rename|edit|revert|create)\/custom.(js|css)(\/.*)?} do
forbid forbid
end end
@@ -216,10 +220,6 @@ module Precious
end end
end end
post %r{\/(deleteFile|rename|edit|revert)\/custom.(js|css)} do
forbid
end
post '/deleteFile/*' do post '/deleteFile/*' do
forbid unless @allow_editing forbid unless @allow_editing
wiki = wiki_new wiki = wiki_new
test/test_app.rb
+18 -15
View File
@@ -505,25 +505,28 @@ context "Frontend" do
Precious::App.set(:wiki_options, { :js => nil }) Precious::App.set(:wiki_options, { :js => nil })
end end
test "don't allow editing custom js or css" do test "don't allow changing custom js or css" do
Precious::App.set(:wiki_options, { :js => true, :css => true }) Precious::App.set(:wiki_options, { :js => true, :css => true })
page = 'yaycustom'
text = 'customized!' ['create', 'edit'].each do |route|
@wiki.write_page(page, :markdown, text,
{ :name => 'user1', :email => 'user1' });
['.css', '.js'].each do |ext|
get "/edit/custom#{ext}"
assert_equal last_response.status 403
end
['deleteFile', 'rename', 'edit', 'revert'].each do |route|
['.css', '.js'].each do |ext| ['.css', '.js'].each do |ext|
post "/#{route}/custom#{ext}" get "/#{route}/custom#{ext}"
assert_equal last_response.status 403 assert_equal 403, last_response.status, "get /#{route}/custom#{ext} -- #{last_response.inspect}"
end end
end end
['deleteFile', 'rename', 'edit', 'create'].each do |route|
['.css', '.js'].each do |ext|
post "/#{route}/custom#{ext}"
assert_equal 403, last_response.status, "post /#{route}/custom#{ext} -- #{last_response.inspect}"
end
end
['.css', '.js'].each do |ext|
post "/revert/custom#{ext}/02796b1450691f90db5d6dc6a816a4980ce80d07/2f6485c2702c7c8b9b6613672337ffa7d933ddcf"
assert_equal 403, last_response.status, "post /revert/custom#{ext} -- #{last_response.inspect}"
end
Precious::App.set(:wiki_options, { :js => nil }) Precious::App.set(:wiki_options, { :js => nil })
end end