From 3587f73a9a6ca722b7501ec755c4eeb1214412d7 Mon Sep 17 00:00:00 2001
From: Michael Tremer
Date: Mon, 27 May 2019 17:10:36 +0100
Subject: [PATCH] wiki: Fix authorisation handling when editing pages

This is now a proper handler which uses the @authenticated decorator which redirects people to the correct login URL.

Signed-off-by: Michael Tremer
---
 src/templates/wiki/404.html | 2 +-
 src/templates/wiki/page.html | 2 +-
 src/web/__init__.py | 2 +-
 src/web/wiki.py | 31 ++++++++++++++++---------------
 4 files changed, 19 insertions(+), 18 deletions(-)

diff --git a/src/templates/wiki/404.html b/src/templates/wiki/404.html
index b09d76f2..9fc12c04 100644
--- a/src/templates/wiki/404.html
+++ b/src/templates/wiki/404.html
@@ -15,7 +15,7 @@ {{ _("This wiki page does not exist, yet.") }}

- + {{ _("Create Now") }}
diff --git a/src/templates/wiki/page.html b/src/templates/wiki/page.html
index 9e597969..c6ba9e3f 100644
--- a/src/templates/wiki/page.html
+++ b/src/templates/wiki/page.html
@@ -17,7 +17,7 @@ - + {{ _("Edit Page") }} {% if not current_user %}‐ {{ _("Yes, you can edit!") }}{% end %}
diff --git a/src/web/__init__.py b/src/web/__init__.py
index ae86c52c..7535e686 100644
--- a/src/web/__init__.py
+++ b/src/web/__init__.py
@@ -289,7 +289,7 @@ class Application(tornado.web.Application):
 authentication_handlers + [
 # Actions
- (r"/actions/edit", wiki.ActionEditHandler),
+ (r"/actions/edit([A-Za-z0-9\-_\/]+)", wiki.ActionEditHandler),
 (r"/action/(watch|unwatch)(.*)", wiki.ActionWatchHandler),
 (r"/actions/upload", wiki.ActionUploadHandler),
diff --git a/src/web/wiki.py b/src/web/wiki.py
index 76433dc7..ab43c8b3 100644
--- a/src/web/wiki.py
+++ b/src/web/wiki.py
@@ -9,9 +9,23 @@ from . import ui_modules
 class ActionEditHandler(auth.CacheMixin, base.BaseHandler):
 @tornado.web.authenticated
- def post(self):
- path = self.get_argument("path")
+ def get(self, path):
+ # Check permissions
+ if not self.backend.wiki.check_acl(path, self.current_user):
+ raise tornado.web.HTTPError(403, "Access to %s not allowed for %s" % (path, self.current_user))
+
+ # Fetch the wiki page
+ page = self.backend.wiki.get_page(path)
+ # Empty page if it was deleted
+ if page and page.was_deleted():
+ page = None
+
+ # Render page
+ self.render("wiki/edit.html", page=page)
+
+ @tornado.web.authenticated
+ def post(self, path):
 # Check permissions
 if not self.backend.wiki.check_acl(path, self.current_user):
 raise tornado.web.HTTPError(403, "Access to %s not allowed for %s" % (path, self.current_user))
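Review bot: The capture group in the new route `(r"/actions/edit([A-Za-z0-9\-_\/]+)", wiki.ActionEditHandler)` does not require the captured path to start with `/`, and it also admits a trailing slash or doubled slashes, so `/actions/editfoo` dispatches with `path == "foo"` while `/actions/edit/foo` yields `/foo`. If `check_acl` and `get_page` key on one canonical spelling, the other spellings are evaluated against a different string than the page that is then edited; requiring the separator outside the class, `(r"/actions/edit(/[A-Za-z0-9\-_\/]+)", wiki.ActionEditHandler)`, or normalising `path` in the handler before the ACL check closes that gap. The neighbouring `ActionWatchHandler` route takes its path as `(.*)`, so the two action handlers accept different path alphabets; a comment naming the intended canonical page-path form would help here.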
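Review bot: The new `get()` has no docstring, and the commit message's "redirects people to the correct login URL" holds only for it: Tornado's `@tornado.web.authenticated` redirects GET/HEAD to the login URL but answers any other method, including the `post(self, path)` introduced at the end of this hunk, with a bare 403, so an edit submitted after the session has expired is rejected and its content lost. A docstring such as `"""Render the edit form for *path*; 403 when the ACL denies the current user."""` on `get()` and a `# NOTE: @authenticated gives POST a 403 rather than a redirect; an expired session loses the submitted edit` above `post()` would record that. The body of `post()` continues outside the hunk.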
@@ -192,19 +206,6 @@ class PageHandler(auth.CacheMixin, base.BaseHandler):
 self.render("wiki/diff.html", page=page, a=a, b=b)
 return
- # Edit
- elif self.action == "edit":
- if not self.current_user:
- raise tornado.web.HTTPError(401)
-
- # Empty page if it was deleted
- if page and page.was_deleted():
- page = None
-
- # Render page
- self.render("wiki/edit.html", page=page)
- return
-
 # Revisions
 elif self.action == "revisions":
 self.render("wiki/revisions.html", page=page)
-- 
2.47.3