diff --git a/docs/changelog/6.x.x.txt b/docs/changelog/6.x.x.txt
index 5403a6d9c..2341cf9b4 100644
--- a/docs/changelog/6.x.x.txt
+++ b/docs/changelog/6.x.x.txt
@@ -51,7 +51,9 @@
feature.
- Added new asset type: File Pile. This allows you to do a mass upload of
files and images.
- - Added CDG Commerce iTransact payment plugin. (Martin Kamerbeek)
+ - Added a privilege access handler to the uploads file system.
+ - Added CDG Commerce iTransact payment plugin.
+
6.2.9
- bugfix [ 1058105 ] input tag has to be closed with /
diff --git a/docs/gotcha.txt b/docs/gotcha.txt
index a36e9054f..1b84073eb 100644
--- a/docs/gotcha.txt
+++ b/docs/gotcha.txt
@@ -56,13 +56,29 @@ save you many hours of grief.
* The default path for WebGUI backups is now /tmp/backups rather than
/data/backups
-
+
+ * You may add optional protection for your uploaded WebGUI files. This
+ will check the privileges of the files from the WebGUI database
+ before sending them to the browser. To enable this you must use
+ these directives:
+
+ SetPerlVar WebguiRoot /data/WebGUI
+ PerlRequire /data/WebGUI/sbin/uploadAccessHandler.perl
+
+ And then add this to each virtual host you wish to protect:
+
+ PerlSetEnv WebguiConfig www.example.com.conf
+
+ PerlAccessHandler WebGUI::UploadsAccessHandler
+
+
* In order to use the CDG Commerce iTransact payment plugin you'll have to
make sure that the following modules are installed:
- XML::Simple
- LWP::UserAgent
- HTTP::Cookies
+
6.2.8
--------------------------------------------------------------------
* Due to a bug in the theme system, if you created any themes in any
diff --git a/docs/install.txt b/docs/install.txt
index 3ca1ba108..7687808be 100644
--- a/docs/install.txt
+++ b/docs/install.txt
@@ -6,11 +6,11 @@ The following is a rough overview of how to install WebGUI. For
more detailed instructions read the WebGUI installation
documentation.
- http://plainblack.com/installation
+ http://www.plainblack.com/installing_webgui
QnD INSTALL INSTRUCTIONS:
-1. Install Perl 5.6.x or greater.
+1. Install Perl 5.6.x or greater. (5.8.x recommended)
2. Install the following Perl modules:
diff --git a/lib/WebGUI.pm b/lib/WebGUI.pm
index 2cd9f9e37..e01bcace5 100644
--- a/lib/WebGUI.pm
+++ b/lib/WebGUI.pm
@@ -1,6 +1,6 @@
package WebGUI;
-our $VERSION = "6.2.7";
-our $STATUS = "gamma";
+our $VERSION = "6.3.0";
+our $STATUS = "beta";
#-------------------------------------------------------------------
# WebGUI is Copyright 2001-2004 Plain Black Corporation.
diff --git a/lib/WebGUI/Asset.pm b/lib/WebGUI/Asset.pm
index 501ce0eba..f285e4759 100644
--- a/lib/WebGUI/Asset.pm
+++ b/lib/WebGUI/Asset.pm
@@ -878,12 +878,12 @@ sub setRank {
if (isBetween($sibling->getRank, $newRank, $currentRank)) {
$sibling->cascadeLineage($previous);
$previous = $sibling->get("lineage");
- $sibling->updateHistory("changed rank");
}
}
$self->cascadeLineage($previous,$temp);
$self->{_properties}{lineage} = $previous;
WebGUI::SQL->commit;
+ $self->updateHistory("changed rank");
return 1;
}
diff --git a/lib/WebGUI/Asset/File.pm b/lib/WebGUI/Asset/File.pm
index 6cc79e68b..779490c93 100644
--- a/lib/WebGUI/Asset/File.pm
+++ b/lib/WebGUI/Asset/File.pm
@@ -160,8 +160,11 @@ sub processPropertiesFromFormPost {
$data{url} = $self->getParent->getUrl.'/'.$filename unless ($session{form}{url});
$self->update(\%data);
$self->setSize($storage->getFileSize($filename));
+ $storage->setPrivileges($self->get("ownerUserId"), $self->get("groupIdView"), $self->get("groupIdEdit"));
} else {
$storage->delete;
+ my $storage = WebGUI::Storage->get($self->get("storageId"));
+ $storage->setPrivileges($self->get("ownerUserId"), $self->get("groupIdView"), $self->get("groupIdEdit"));
}
}
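Review bot: In the else branch, `my $storage = WebGUI::Storage->get($self->get("storageId"));` declares a second `$storage` right after `$storage->delete;`, shadowing the outer variable, and nothing checks that the asset already has a storageId before `.wgaccess` is written. A distinct name and a guard would make the intent clear, e.g. `my $existing = WebGUI::Storage->get($self->get("storageId")); $existing->setPrivileges(...) if $self->get("storageId");`. As far as this hunk shows, the control file is only rewritten from processPropertiesFromFormPost. If owner or group values can change through another path, the file on disk would go stale and the access handler would enforce the old privileges, which deserves a comment here or a call from the common update path. The function starts outside the hunk.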
diff --git a/lib/WebGUI/Session.pm b/lib/WebGUI/Session.pm
index 376c68ce7..d0f6c6075 100644
--- a/lib/WebGUI/Session.pm
+++ b/lib/WebGUI/Session.pm
@@ -25,6 +25,7 @@ use WebGUI::Config;
use WebGUI::ErrorHandler;
use WebGUI::SQL;
use WebGUI::Utility;
+use URI::Escape;
our @ISA = qw(Exporter);
our @EXPORT = qw(%session);
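Review bot: `use URI::Escape;` is added, but nothing in the visible hunks of this file calls `uri_escape` or `uri_unescape`, and the second hunk changes only whitespace. If the module is used elsewhere in Session.pm, it becomes a load-time dependency for every request and should appear in the module list in docs/install.txt; otherwise drop the line. An explicit import list, `use URI::Escape qw(uri_unescape);`, would keep the default exports out of the package namespace.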
@@ -344,7 +345,7 @@ sub open {
###----------------------------
### cookies
foreach ($session{cgi}->cookie) {
- $session{cookie}{$_} = $session{cgi}->cookie($_);
+ $session{cookie}{$_} = $session{cgi}->cookie($_);
}
###----------------------------
### session variables
diff --git a/lib/WebGUI/Storage.pm b/lib/WebGUI/Storage.pm
index a07b27fd6..c58e64afe 100644
--- a/lib/WebGUI/Storage.pm
+++ b/lib/WebGUI/Storage.pm
@@ -65,6 +65,7 @@ This package provides a mechanism for storing and retrieving files that are not
$store->delete;
$store->deleteFile($filename);
$store->rename($filename, $newFilename);
+ $store->setPrivileges($userId, $groupIdView, $groupIdEdit);
=head1 METHODS
@@ -603,6 +604,36 @@ sub renameFile {
}
+#-------------------------------------------------------------------
+
+=head2 setPrivileges ( ownerUserId, groupIdView, groupIdEdit )
+
+Set filesystem level privileges for this file. Used with the uploads access handler.
+
+=head3 ownerUserId
+
+The userId of the owner of this storage location.
+
+=head3 groupIdView
+
+The groupId that is allowed to view the files in this storage location.
+
+=head3 groupIdEdit
+
+The groupId that is allowed to edit the files in this storage location.
+
+=cut
+
+sub setPrivileges {
+ my $self = shift;
+ my $owner = shift;
+ my $viewGroup = shift;
+ my $editGroup = shift;
+ $self->addFileFromScalar(".wgaccess",$owner."\n".$viewGroup."\n".$editGroup);
+}
+
+
+
#-------------------------------------------------------------------
=head2 tar ( filename )
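Review bot: `setPrivileges` discards the result of `addFileFromScalar`, so a failed write leaves the storage location without a `.wgaccess` file, and the access handler added in this commit treats a missing control file as unrestricted. Return the result with `return $self->addFileFromScalar(".wgaccess", $owner."\n".$viewGroup."\n".$editGroup);` and have callers check it. The control file sits in the same directory and namespace as uploaded files, so the add and rename methods (outside this hunk) should refuse the name `.wgaccess`. The POD says "for this file", but the file written applies to every file in the storage location; it should say so and state the three-line format the handler parses.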
diff --git a/sbin/preload.perl b/sbin/preload.perl
index af48ded7a..9f10c37e6 100644
--- a/sbin/preload.perl
+++ b/sbin/preload.perl
@@ -1,15 +1,15 @@
#!/usr/bin/perl
-use strict;
my $webguiRoot;
BEGIN {
- $webguiRoot = "/data/WebGUI"; # Edit to match your WebGUI installation directory.
+ $webguiRoot = "/data/WebGUI";
unshift (@INC, $webguiRoot."/lib");
}
$|=1;
+use strict;
print "\nStarting WebGUI ".$WebGUI::VERSION."\n";
$ENV{GATEWAY_INTERFACE} =~ /^CGI-Perl/ or die "GATEWAY_INTERFACE not Perl!";
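Review bot: Moving `use strict;` below the `BEGIN` block takes `my $webguiRoot;` and the `@INC` setup out of its scope, because the pragma is lexical and applies only from that statement onward. Keep `use strict;` as the first statement after the shebang line. The hunk also drops the comment `# Edit to match your WebGUI installation directory.` from the one line an installer has to change, and that comment is worth keeping. The rest of the script lies outside the hunk.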
diff --git a/sbin/uploadsAccessHandler.perl b/sbin/uploadsAccessHandler.perl
new file mode 100644
index 000000000..ab2911f74
--- /dev/null
+++ b/sbin/uploadsAccessHandler.perl
@@ -0,0 +1,61 @@
+package WebGUI::UploadsAccessHandler;
+
+#-------------------------------------------------------------------
+# WebGUI is Copyright 2001-2004 Plain Black Corporation.
+#-------------------------------------------------------------------
+# Please read the legal notices (docs/legal.txt) and the license
+# (docs/license.txt) that came with this distribution before using
+# this software.
+#-------------------------------------------------------------------
+# http://www.plainblack.com info@plainblack.com
+#-------------------------------------------------------------------
+
+our $webguiRoot;
+
+BEGIN {
+ use Apache;
+ my $s = Apache->server;
+ $webguiRoot = $s->dir_config('WebguiRoot');
+ unshift (@INC, $webguiRoot."/lib");
+}
+
+print "Starting WebGUI Uploads Access Handler\n";
+
+use strict;
+use Apache::Constants qw(:common);
+use CGI::Util qw/escape/;
+use WebGUI::Grouping;
+use WebGUI::Session;
+use WebGUI::URL;
+
+sub handler {
+ my $r = shift;
+ if (-e $r->filename) {
+ my $path = $r->filename;
+ $path =~ s/^(\/.*\/).*$/$1/;
+ if (-e $path.".wgaccess") {
+ my $fileContents;
+ open(FILE,"<".$path.".wgaccess");
+ while () {
+ $fileContents .= $_;
+ }
+ close(FILE);
+ my @privs = split("\n",$fileContents);
+ unless ($privs[1] eq "7" || $privs[1] eq "1") {
+ WebGUI::Session::open($webguiRoot, $r->dir_config('WebguiConfig'));
+ my $cookie = $r->header_in('Cookie');
+ $cookie =~ s/wgSession\=(.*)/$1/;
+ $cookie = WebGUI::URL::unescape($cookie);
+ WebGUI::Session::refreshSessionVars($cookie);
+ return OK if ($session{user}{userId} eq $privs[0] || WebGUI::Grouping::isInGroup($privs[1]) || WebGUI::Grouping::isInGroup($privs[2]));
+ WebGUI::Session::close();
+ return 401;
+ }
+ }
+ return OK;
+ } else {
+ return NOT_FOUND;
+ }
+}
+
+1;
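Review bot: The `.wgaccess` read in `handler` is unchecked although the whole decision depends on it: `open(FILE,"<".$path.".wgaccess")` is a two-argument open on a bareword handle with no error test, and `while ()` as shown names no handle to read from (possibly `<FILE>` was lost in rendering), so an unreadable or short control file should deny rather than fall through to the group checks. The cookie parse `s/wgSession\=(.*)/$1/` keeps everything before `wgSession=` and captures every cookie after it, so the session id is only correct when wgSession is the sole cookie; capture `[^;]*` into a fresh variable instead. `return OK if (...)` leaves before `WebGUI::Session::close()`, so the granted path never closes the session it opened. The handler reads `WebguiRoot` and `WebguiConfig` through `dir_config`, which is populated by `PerlSetVar`, while docs/gotcha.txt in this commit shows `SetPerlVar`, `PerlSetEnv WebguiConfig` and the file name `uploadAccessHandler.perl`, which differs from `sbin/uploadsAccessHandler.perl`.

```perl
# … unchanged: package header, BEGIN block, use lines …
sub handler {
	my $r = shift;
	return NOT_FOUND unless (-e $r->filename);
	(my $dir = $r->filename) =~ s/^(\/.*\/).*$/$1/;
	my $aclFile = $dir.".wgaccess";
	return OK unless (-e $aclFile);	# same policy as before: no control file, no restriction
	open(my $fh, '<', $aclFile) or return FORBIDDEN;	# unreadable control file denies
	my @privs = <$fh>;
	close($fh);
	chomp(@privs);
	return FORBIDDEN unless (@privs >= 2);	# owner and view group are required
	return OK if ($privs[1] eq "7" || $privs[1] eq "1");
	WebGUI::Session::open($webguiRoot, $r->dir_config('WebguiConfig'));
	my ($sessionId) = ($r->header_in('Cookie') || '') =~ /(?:^|;\s*)wgSession=([^;]*)/;
	$sessionId = '' unless defined $sessionId;
	WebGUI::Session::refreshSessionVars(WebGUI::URL::unescape($sessionId));
	my $allowed = ($session{user}{userId} eq $privs[0] || WebGUI::Grouping::isInGroup($privs[1]) || WebGUI::Grouping::isInGroup($privs[2]));
	WebGUI::Session::close();	# closed on both outcomes
	return $allowed ? OK : AUTH_REQUIRED;
}
```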