# HG changeset patch # User Paul Boddie # Date 1318370661 -7200 # Node ID ea25178d273956741d33c2f36c1f29be27383434 # Parent 44879e4ceb2606979c1ae2f811963fd2bd905c62 Removed page signing, instead ensuring that queued changes can only be saved by reviewers or the queued changes user. Added some example resource pages. diff -r 44879e4ceb26 -r ea25178d2739 ApproveChangesSupport.py --- a/ApproveChangesSupport.py Tue Oct 11 01:20:51 2011 +0200 +++ b/ApproveChangesSupport.py Wed Oct 12 00:04:21 2011 +0200 @@ -17,14 +17,6 @@ from MoinMoin import user import re -import base64 -import md5 -import hmac - -try: - from hashlib import sha1 -except ImportError: - from sha import new as sha1 acl_pattern = re.compile(ur"^#acl .*$", re.UNICODE | re.MULTILINE) @@ -55,6 +47,9 @@ request.dicts.has_member(get_approved_editors_group(request), request.user.name) or \ request.user.isSuperUser()) +def is_queued_changes_user(request): + return request.user.valid and request.user.name == get_queued_changes_user(request) + def is_queued_changes_page(request, pagename): "Return whether 'pagename' is a queued changes page by testing its name." @@ -108,8 +103,8 @@ # Add the ACL. - parts.insert(0, "#acl %s:read,write,delete,revert,admin %s:write All:\n" % ( - get_page_reviewers_group(request), get_queued_changes_user(request))) + parts.insert(0, "#acl %s:read,write,delete,revert,admin All:\n" % + get_page_reviewers_group(request)) return "".join(parts) def remove_access_control(request, body): 
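Review bot: `is_queued_changes_user` has no docstring, unlike `is_queued_changes_page` directly below it, although after this commit it is one of only two checks deciding who may save a queued changes page. I would add `"Return whether the current user is valid and is the queued changes user."` as its first line. The test is a plain name comparison, so it is only as strong as the guarantee that the account named by `get_queued_changes_user(request)` exists and cannot be registered by anyone else. That helper is outside the hunk, so this should be confirmed and written into the setup notes.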
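Review bot: The ACL written in `add_access_control` no longer names the queued changes user, so on an existing queued page only the reviewers group holds `write` and `All:` grants nothing to anyone else. The second hunk of events/queue_for_review.py now always saves as `get_user_for_saving(request)` and drops the `except PageEditor.AccessDenied` branch, so if that user has no other source of write access, a repeat save to an existing queued page would presumably raise out of the event handler. Either record above `parts.insert` where that user's rights come from, e.g. `# The saving user is not listed here; it needs write access from the site-wide ACL configuration.`, or handle `PageEditor.AccessDenied` explicitly at the save. The body of `add_access_control` starts outside the hunk.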
@@ -127,45 +122,6 @@ return body -def get_page_signature(request, body): - - """ - Using the 'request', return a signature/digest for the given page 'body' - using a secret known only by the server. - """ - - secret_key = get_secret_key(request) - hash = hmac.new(secret_key, body.encode("utf-8"), sha1) - return base64.standard_b64encode(hash.digest()) - -def sign_page(request, body): - - """ - Using the 'request', sign the page 'body' using a secret known only by the - server. - """ - - return "#signature %s\n%s" % (get_page_signature(request, body), body) - -def check_page(request, body): - - """ - Using the 'request', find and check the signature in the page 'body', - returning the original page or None (if no valid signature is found). - """ - - lines = body.split("\n") - body = "\n".join(lines[1:]) - - try: - directive, signature = lines[0].split() - if directive == "#signature" and signature == get_page_signature(request, body): - return body - except ValueError: - pass - - return None - # Utility classes and associated functions. # NOTE: These are a subset of EventAggregatorSupport. diff -r 44879e4ceb26 -r ea25178d2739 actions/ApproveChanges.py --- a/actions/ApproveChanges.py Tue Oct 11 01:20:51 2011 +0200 +++ b/actions/ApproveChanges.py Wed Oct 12 00:04:21 2011 +0200 @@ -79,15 +79,9 @@ target_page_name = get_target_page_name(self.pagename) target_page = PageEditor(request, target_page_name) - # Save the target page, first removing the signature and then removing - # any protective ACL. + # Save the target page, removing any protective ACL. body = self.page.get_raw_body() - - body = check_page(request, body) - if not body: - return 0, _("The queued changes have been modified somehow. Not saving!") - body = remove_access_control(request, body) try: diff -r 44879e4ceb26 -r ea25178d2739 events/queue_for_review.py --- a/events/queue_for_review.py Tue Oct 11 01:20:51 2011 +0200 +++ b/events/queue_for_review.py Wed Oct 12 00:04:21 2011 +0200 
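Review bot: Pages queued before this change still begin with a `#signature ...` line, and with `check_page` gone nothing visible in this hunk strips it. Approving such a page would presumably copy that line into the target page unless `remove_access_control` happens to remove it. A one-off cleanup of existing queued pages, or a tolerant strip of a leading `#signature` line before `remove_access_control`, would close that migration gap. The comment could also say where integrity now comes from: `# Save the target page, removing any protective ACL; the queued text is protected only by its ACL and the queue_for_review handler.` The enclosing method starts and ends outside the hunk.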
@@ -30,7 +30,7 @@ # Test the integrity of the page in order to prevent direct replacement # of the page. Reviewers can change the page as they please. - if check_page(request, body) or is_reviewer(request): + if is_reviewer(request) or is_queued_changes_user(request): return None else: return Abort(_("Queued changes may not be edited.")) @@ -50,25 +50,18 @@ body = add_access_control(request, body) - # Sign the page to prevent modification in the queue. - - body = sign_page(request, body) username = request.user.name comment = (username or _("anonymous")) + " : " + _("Queued page edit") try: - try: - new_page.saveText(body, 0, comment=comment) - # Switch user in order to save a page with an ACL. - except PageEditor.AccessDenied: - user = request.user - request.user = get_user_for_saving(request) - try: - new_page.saveText(body, 0, comment=comment) - finally: - request.user = user + user = request.user + request.user = get_user_for_saving(request) + try: + new_page.saveText(body, 0, comment=comment) + finally: + request.user = user except PageEditor.Unchanged: pass diff -r 44879e4ceb26 -r ea25178d2739 resource_pages/ApprovedGroup --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/resource_pages/ApprovedGroup Wed Oct 12 00:04:21 2011 +0200 @@ -0,0 +1,5 @@ +#acl ApprovedGroup:read,write,delete,revert + +The following list of users can edit without approval: + +## * WikiUser diff -r 44879e4ceb26 -r ea25178d2739 resource_pages/PageReviewersGroup --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/resource_pages/PageReviewersGroup Wed Oct 12 00:04:21 2011 +0200 @@ -0,0 +1,5 @@ +#acl PageReviewersGroup:read,write,delete,revert + +The following list of users can review and approve queued changes: + +## * WikiUser
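Review bot: The comment above the changed condition still says the handler tests "the integrity of the page", but the new test `is_reviewer(request) or is_queued_changes_user(request)` checks only who is saving, not what is being saved. I would reword it to `# Only reviewers and the queued changes user may save queued changes pages; the page content itself is no longer verified.` so that nobody later assumes a content check still exists. The enclosing function starts outside the hunk.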
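Review bot: The save in this hunk now always runs as `get_user_for_saving(request)`, while the handler in the first hunk of this file lets a save through only for a reviewer or for the user whose name equals `get_queued_changes_user(request)`. Neither helper is visible here; if they can ever name different accounts, every queued save would presumably be refused with "Queued changes may not be edited.". A comment at the swap such as `# Must be the queued changes user (or a reviewer), otherwise the save handler aborts this save.` would record that coupling. Checking that the returned user is valid before assigning it to `request.user` would also avoid saving under an unusable identity. The enclosing function starts outside the hunk.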
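Review bot: The ACL on resource_pages/ApprovedGroup gives every member of `ApprovedGroup` `write` on the page that defines the group, so any approved user can add further users who then also edit without review. resource_pages/PageReviewersGroup does the same for reviewers. If that self-administration is not intended, the membership pages could be made writable only by an administrative group, with members given `read` at most. Either way, a line in the page text saying who is expected to maintain the list would help whoever installs these pages.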