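--- a/ApproveChangesSupport.py Tue Oct 11 01:20:51 2011 +0200
+++ b/ApproveChangesSupport.py Wed Oct 12 00:04:21 2011 +0200
@@ -17,14 +17,6 @@
 
 from MoinMoin import user
 import re
-import base64
-import md5
-import hmac
-
-try:
- from hashlib import sha1
-except ImportError:
- from sha import new as sha1
 
 acl_pattern = re.compile(ur"^#acl .*$", re.UNICODE | re.MULTILINE)
 
@@ -55,6 +47,9 @@
 request.dicts.has_member(get_approved_editors_group(request), request.user.name) or \
 request.user.isSuperUser())
 
+def is_queued_changes_user(request):
+ return request.user.valid and request.user.name == get_queued_changes_user(request)
+
 def is_queued_changes_page(request, pagename):
 
 "Return whether 'pagename' is a queued changes page by testing its name."
@@ -108,8 +103,8 @@
 
 # Add the ACL.
 
- parts.insert(0, "#acl %s:read,write,delete,revert,admin %s:write All:\n" % (
- get_page_reviewers_group(request), get_queued_changes_user(request)))
+ parts.insert(0, "#acl %s:read,write,delete,revert,admin All:\n" %
+ get_page_reviewers_group(request))
 return "".join(parts)
 
 def remove_access_control(request, body):
@@ -127,45 +122,6 @@
 
 return body
 
-def get_page_signature(request, body):
-
- """
- Using the 'request', return a signature/digest for the given page 'body'
- using a secret known only by the server.
- """
-
- secret_key = get_secret_key(request)
- hash = hmac.new(secret_key, body.encode("utf-8"), sha1)
- return base64.standard_b64encode(hash.digest())
-
-def sign_page(request, body):
-
- """
- Using the 'request', sign the page 'body' using a secret known only by the
- server.
- """
-
- return "#signature %s\n%s" % (get_page_signature(request, body), body)
-
-def check_page(request, body):
-
- """
- Using the 'request', find and check the signature in the page 'body',
- returning the original page or None (if no valid signature is found).
- """
-
- lines = body.split("\n")
- body = "\n".join(lines[1:])
-
- try:
- directive, signature = lines[0].split()
- if directive == "#signature" and signature == get_page_signature(request, body):
- return body
- except ValueError:
- pass
-
- return None
-
 # Utility classes and associated functions.
 # NOTE: These are a subset of EventAggregatorSupport.
 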
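Review bot: `is_queued_changes_user` identifies the saving account only by `request.user.name` matching `get_queued_changes_user(request)`, and with the HMAC helpers removed in the last hunk this name check becomes one of the two gates protecting queued pages. Whether that account name is reserved and closed to interactive login is not visible here; if it is not, whoever holds the account can rewrite queued pages and nothing at approval time would detect it. The function also lacks the docstring its neighbour `is_queued_changes_page` has; I would add `"Return whether the current user is the account used to save queued changes; that account must not be usable for interactive login."`.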
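--- a/actions/ApproveChanges.py Tue Oct 11 01:20:51 2011 +0200
+++ b/actions/ApproveChanges.py Wed Oct 12 00:04:21 2011 +0200
@@ -79,15 +79,9 @@
 target_page_name = get_target_page_name(self.pagename)
 target_page = PageEditor(request, target_page_name)
 
- # Save the target page, first removing the signature and then removing
- # any protective ACL.
+ # Save the target page, removing any protective ACL.
 
 body = self.page.get_raw_body()
-
- body = check_page(request, body)
- if not body:
- return 0, _("The queued changes have been modified somehow. Not saving!")
-
 body = remove_access_control(request, body)
 
 try: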
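Review bot: With the `check_page` call gone, the body from `self.page.get_raw_body()` goes straight to `remove_access_control` and on to the target page with no check on the content itself, so approval now trusts that the page ACL and the `queue_for_review` handler were the only writers of the queued page. The new comment should record that assumption, e.g. `# The queued body is not verified here; its integrity relies on the page ACL and the pre-save check in queue_for_review.`. The removed branch also returned early on an empty body; whether `remove_access_control` and the save that follows cope with an empty page is not visible, because the `try:` block continues outside the hunk.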
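--- a/events/queue_for_review.py Tue Oct 11 01:20:51 2011 +0200
+++ b/events/queue_for_review.py Wed Oct 12 00:04:21 2011 +0200
@@ -30,7 +30,7 @@
 # Test the integrity of the page in order to prevent direct replacement
 # of the page. Reviewers can change the page as they please.
 
- if check_page(request, body) or is_reviewer(request):
+ if is_reviewer(request) or is_queued_changes_user(request):
 return None
 else:
 return Abort(_("Queued changes may not be edited."))
@@ -50,25 +50,18 @@
 
 body = add_access_control(request, body)
 
- # Sign the page to prevent modification in the queue.
-
- body = sign_page(request, body)
 username = request.user.name
 comment = (username or _("anonymous")) + " : " + _("Queued page edit")
 
 try:
- try:
- new_page.saveText(body, 0, comment=comment)
-
 # Switch user in order to save a page with an ACL.
 
- except PageEditor.AccessDenied:
- user = request.user
- request.user = get_user_for_saving(request)
- try:
- new_page.saveText(body, 0, comment=comment)
- finally:
- request.user = user
+ user = request.user
+ request.user = get_user_for_saving(request)
+ try:
+ new_page.saveText(body, 0, comment=comment)
+ finally:
+ request.user = user
 
 except PageEditor.Unchanged:
 pass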
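Review bot: In the second hunk the result of `get_user_for_saving(request)` is assigned to `request.user` unchecked, while the guard in the first hunk only lets the save through when that user is `valid` and its name equals `get_queued_changes_user(request)`. If the account is missing or misnamed in the wiki configuration, every queued edit would presumably be rejected with "Queued changes may not be edited.", which points the contributor at the wrong cause. I would hold the result in a local first, `saving_user = get_user_for_saving(request)`, and report a configuration error when it is absent or not `valid` before switching users. The comment above the guard still says it tests the integrity of the page; it now tests who is saving, e.g. `# Only reviewers and the queued changes user may save queued pages.`. The enclosing functions and the outer `try:` begin outside both hunks.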
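--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/resource_pages/ApprovedGroup Wed Oct 12 00:04:21 2011 +0200
@@ -0,0 +1,5 @@
+#acl ApprovedGroup:read,write,delete,revert
+
+The following list of users can edit without approval:
+
+## * WikiUser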
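Review bot: The ACL line grants `write` on the group page to the group's own members, so any user listed in ApprovedGroup can add further names and extend the approval bypass to other accounts. The same pattern appears in `resource_pages/PageReviewersGroup`, where any reviewer could appoint more reviewers. If membership is meant to be controlled by administrators only, the members' rights could be reduced to `#acl ApprovedGroup:read`, leaving edits to whoever holds rights through the wiki-wide configuration. The page also has no explicit `All:` entry, so how other users are treated depends on the wiki's configured ACL settings, which are not visible here.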
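--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/resource_pages/PageReviewersGroup Wed Oct 12 00:04:21 2011 +0200
@@ -0,0 +1,5 @@
+#acl PageReviewersGroup:read,write,delete,revert
+
+The following list of users can review and approve queued changes:
+
+## * WikiUser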