Move some values into configuration.rkt, and check whether the connection is secured when retrieving the user from its cookie (ignore the cookie over http unless in dev mode).

This commit is contained in:
Feufochmar 2021-05-20 19:11:17 +02:00
parent ab80cf5ef9
commit a02208ed74
3 changed files with 48 additions and 54 deletions

12
configuration.rkt Normal file

@ -0,0 +1,12 @@
#lang racket/base
(provide
configuration:notepad:path
configuration:notepad:dev?
)
; Notepad configuration
; Path
(define configuration:notepad:path "./notepad")
; Development mode for notepad
(define configuration:notepad:dev? #f)
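Review bot: The comment above `configuration:notepad:dev?` does not say what the flag relaxes, and its effects live in another file: with dev mode on, notepad.rkt accepts the session cookie over plain http (check-secured?) and issues it without the Secure attribute (`#:secure? (not configuration:notepad:dev?)`). A comment such as `; Development mode: when #t the session cookie is accepted over plain http and set without the Secure attribute; keep #f for any deployment reachable over the network` would make that visible at the point where the value is set. Since the flag is a source constant, deriving it from the environment, e.g. `(define configuration:notepad:dev? (and (getenv "NOTEPAD_DEV") #t))` with a variable name of your choosing, would avoid a local #t being committed by accident.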


@ -18,7 +18,8 @@
"src/pages/flag.rkt"
"src/pages/road-map.rkt"
"src/pages/island.rkt"
"src/pages/notepad.rkt")
"src/pages/notepad.rkt"
"configuration.rkt")
; Website
(define *website*
(website
@ -83,6 +84,7 @@
("edit" weblet pages:notepad:page-edit)
("edit/{page}" matching-weblet pages:notepad:page-edit)
("delete/{page}" matching-weblet pages:notepad:page-delete)
("preview" weblet pages:notepad:preview)
)
("media" symlink "/media/list"
("list" weblet pages:notepad:media-list)
@ -152,8 +154,8 @@
(make-webcontainer
#:static
(make-immutable-hash
'(("" . "./static")
("/media/get" . "./notepad/media")))))
`(("" . "./static")
("/media/get" . ,(string-append configuration:notepad:path "/media"))))))
(webcontainer-add-website! *webcontainer* *website*)
(webcontainer-set-404-weblet! *webcontainer* pages:not-found)
(display "Starting server...")(newline)
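Review bot: `(string-append configuration:notepad:path "/media")` in the -152 hunk yields a doubled separator when the configured path ends in "/" and hard-codes the Unix separator; `(path->string (build-path configuration:notepad:path "media"))` produces the same string portably. The same configured directory is handed to `make-notepad` in notepad.rkt, so the two derivations of the media directory should stay consistent, presumably through one helper exported alongside the configuration value. The "preview" route added in the -83 hunk is fine on its own; its handler in notepad.rkt already gates rendering on a connected user.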


@ -8,6 +8,7 @@
"../notepad/notepad.rkt"
"../notepad/user.rkt"
"../notepad/notes.rkt"
"../../configuration.rkt"
web-server/http/redirect
web-server/http/request-structs
net/cookies/server
@ -32,12 +33,13 @@
pages:notepad:user-edit
)
; Notepad directory
(define notepad-dir "notepad")
; Dev mode
(define dev? #t)
; Notepad
(define notepad (make-notepad notepad-dir))
(define notepad (make-notepad configuration:notepad:path))
; Secured : either protocol is https or dev mode is active
(define (check-secured? param)
(or configuration:notepad:dev?
(eq? 'https (weblet-parameter-protocol param))))
; Cookie management
; Cookie key
@ -45,13 +47,9 @@
; User from weblet parameter
(define (get-user param)
(define cookie (weblet-parameter-cookie-ref param *cookie-key*))
(and cookie (get-user-by-usercookie-value (string->bytes/utf-8 cookie))))
; Secured : either protocol is https or dev mode is active
(define (check-secured? param)
(or dev?
(eq? 'https (weblet-parameter-protocol param))))
; Precondition: check-secured? must be #t
(and (check-secured? param)
cookie (get-user-by-usercookie-value (string->bytes/utf-8 cookie))))
; Error pages
; Type to code + title + message
@ -103,9 +101,7 @@
#:content
(lambda (param)
(define connected-usr (get-user param))
(define secured? (check-secured? param))
(define can-edit? (and connected-usr secured?))
(define notes (if can-edit? (get-all-notes) (get-public-notes)))
(define notes (if connected-usr (get-all-notes) (get-public-notes)))
`(article
,@(if (null? notes)
'("Pas de notes.")
@ -115,7 +111,7 @@
,(if (note-public? n) "" "🔒︎ ")
,(note-title n))))
notes))
,@(if can-edit?
,@(if connected-usr
'((hr)
(a ((href "/notes/edit")) "Ajouter une note"))
'(""))
@ -127,12 +123,10 @@
; If the page does not exists and user is logged in, redirect to the /notes/edit/xxx page.
(define (pages:notepad:page-show param)
(define connected-usr (get-user param))
(define secured? (check-secured? param))
(define can-edit? (and connected-usr secured?))
(define page (weblet-parameter-ref param 'page #f))
(define note (get-note-by-name page))
(cond
( (and note (or (note-public? note) can-edit?))
( (and note (or (note-public? note) connected-usr))
( (pages:template
#:title (note-title note)
#:author (note-author note)
@ -140,7 +134,7 @@
#:content
`(article
,@(format-note note)
,@(if can-edit?
,@(if connected-usr
`((hr)
(a ((href ,(note-link 'edit page))) "Éditer") ""
(a ((href ,(note-link 'delete page))) "Supprimer"))
@ -150,7 +144,7 @@
( note
; Note exists, but is private and user cannot edit it => not authorized
(pages:notepad:error param 'unauthorized))
( can-edit?
( connected-usr
; Page does not exists, but user can edit => redirect to page creation
(redirect-to
(note-link 'edit page)
@ -164,13 +158,12 @@
; Post => Save page
(define (pages:notepad:page-edit param)
(define connected-usr (get-user param))
(define secured? (check-secured? param))
(define method (weblet-parameter-method param))
(define page (weblet-parameter-ref param 'page #f))
(define note (get-note-by-name page))
(define err? (equal? "t" (weblet-parameter-ref param 'error #f)))
(cond
( (and connected-usr secured? (eq? method 'get))
( (and connected-usr (eq? method 'get))
; User connected, get method : read the page
(define title (or (and note (note-title note)) ""))
(define content (or (and note (note-content note)) ""))
@ -236,7 +229,7 @@
)
))
param))
( (and page connected-usr secured? (eq? method 'post))
( (and page connected-usr (eq? method 'post))
(define continue? (equal? "t" (weblet-parameter-ref param 'continue #f)))
(define page-name (weblet-parameter-ref param 'pagename #f))
(define new-note-title (weblet-parameter-ref param 'pagetitle #f))
@ -276,12 +269,11 @@
; Post => remove
(define (pages:notepad:page-delete param)
(define connected-usr (get-user param))
(define secured? (check-secured? param))
(define method (weblet-parameter-method param))
(define page (weblet-parameter-ref param 'page #f))
(define note (get-note-by-name page))
(cond
( (and note connected-usr secured? (eq? method 'get))
( (and note connected-usr (eq? method 'get))
; Method get => ask for confirmation
( (pages:template
#:title (string-append "Suppression de la page " page)
@ -298,7 +290,7 @@
(formmethod "get")(value "Non, garder la page")))
)))
param))
( (and note connected-usr secured? (eq? method 'post))
( (and note connected-usr (eq? method 'post))
; Method post => remove
(remove-note note)
; Redirect
@ -321,10 +313,8 @@
#:body
(lambda (param)
(define connected-usr (get-user param))
(define secured? (check-secured? param))
(define can-edit? (and connected-usr secured?))
(define content (weblet-parameter-ref param 'pagecontent #f))
(if (and can-edit? content)
(if (and connected-usr content)
`(article
,@(format-note-content content))
""))))
@ -353,8 +343,6 @@
#:content
(lambda (param)
(define connected-usr (get-user param))
(define secured? (check-secured? param))
(define can-edit? (and connected-usr secured?))
(define files (notepad-list-media notepad))
`(article
,@(if (null? files)
@ -363,7 +351,7 @@
(lambda (x)
`(div (a ((href ,(media-link 'show x))) ,x)))
files))
,@(if can-edit?
,@(if connected-usr
'((hr)
(a ((href "/media/new")) "Ajouter un fichier"))
'(""))
@ -374,8 +362,6 @@
; Show a given media of the notepad.
(define (pages:notepad:media-show param)
(define connected-usr (get-user param))
(define secured? (check-secured? param))
(define can-edit? (and connected-usr secured?))
(define media (weblet-parameter-ref param 'media #f))
(define direct-link (media-link 'get media))
(cond
@ -391,7 +377,7 @@
( else
'()))
(a ((href ,direct-link)) "Lien vers le fichier")
,@(if can-edit?
,@(if connected-usr
`((hr)
(a ((href ,(media-link 'edit media))) "Éditer") ""
(a ((href ,(media-link 'delete media))) "Supprimer"))
@ -411,11 +397,10 @@
; Post => Process the upload, and show the media
(define (pages:notepad:media-new param)
(define connected-usr (get-user param))
(define secured? (check-secured? param))
(define method (weblet-parameter-method param))
(define failed? (equal? "t" (weblet-parameter-ref param 'error #f)))
(cond
( (and connected-usr secured? (eq? method 'get))
( (and connected-usr (eq? method 'get))
; User connected, get method : new media form
( (pages:template
#:title "Ajouter un fichier"
@ -435,7 +420,7 @@
(value "Ajouter le fichier")))
)))
param))
( (and connected-usr secured? (eq? method 'post))
( (and connected-usr (eq? method 'post))
(define filename (weblet-parameter-ref param 'filename #f))
(define in (and filename (weblet-parameter-file-port-ref param 'filename)))
; Save file
@ -461,13 +446,12 @@
; Post => Process the upload, and show the media
(define (pages:notepad:media-edit param)
(define connected-usr (get-user param))
(define secured? (check-secured? param))
(define method (weblet-parameter-method param))
(define media (weblet-parameter-ref param 'media #f))
(define has-media? (notepad-has-media? notepad media))
(define failed? (equal? "t" (weblet-parameter-ref param 'error #f)))
(cond
( (and has-media? connected-usr secured? (eq? method 'get))
( (and has-media? connected-usr (eq? method 'get))
; User connected, get method : edit media form
( (pages:template
#:title "Éditer un fichier"
@ -486,7 +470,7 @@
(value "Renommer le fichier")))
)))
param))
( (and has-media? connected-usr secured? (eq? method 'post))
( (and has-media? connected-usr (eq? method 'post))
(define filename (weblet-parameter-ref param 'filename #f))
(cond
( (and filename (not (equal? filename "")) (not (equal? filename media)))
@ -514,12 +498,11 @@
; Post => remove
(define (pages:notepad:media-delete param)
(define connected-usr (get-user param))
(define secured? (check-secured? param))
(define method (weblet-parameter-method param))
(define media (weblet-parameter-ref param 'media #f))
(define has-media? (notepad-has-media? notepad media))
(cond
( (and has-media? connected-usr secured? (eq? method 'get))
( (and has-media? connected-usr (eq? method 'get))
; Method get => ask for confirmation
( (pages:template
#:title (string-append "Suppression du fichier " media)
@ -536,7 +519,7 @@
(formmethod "get")(value "Non, garder le fichier")))
)))
param))
( (and has-media? connected-usr secured? (eq? method 'post))
( (and has-media? connected-usr (eq? method 'post))
; Method post => remove
(notepad-delete-media notepad media)
(redirect-to
@ -587,7 +570,6 @@
(define usr (get-user-by-name (weblet-parameter-ref param 'name #f)))
(define connected-usr (get-user param))
(define edition-possible? (same-user? usr connected-usr))
(define secured? (check-secured? param))
(cond
(usr
(make-immutable-hash
@ -610,10 +592,10 @@
))
(hr)
,(cond
( (and secured? (not connected-usr))
( (and (check-secured? param) (not connected-usr))
`(p (a ((href ,(user-link 'login (user-name usr))))
"Se connecter en tant que " ,(user-pseudo usr))))
( (and secured? edition-possible?)
( edition-possible?
`(p (a ((href ,(string-append "/user/logout")))
"Se déconnecter")))
( #t
@ -698,7 +680,7 @@
#:expires (seconds->date (usercookie-expires usercookie))
#:domain (weblet-parameter-host param)
#:path "/"
#:secure? (not dev?)
#:secure? (not configuration:notepad:dev?)
#:http-only? #t))))
))
( usr
@ -716,11 +698,9 @@
(define usr (get-user-by-name (weblet-parameter-ref param 'name #f)))
(define connected-usr (get-user param))
(define edition-possible? (same-user? usr connected-usr))
(define secured? (check-secured? param))
(define method (weblet-parameter-method param))
(cond
( (and edition-possible?
secured?
(eq? method 'post))
(define pseudo (weblet-parameter-ref param 'pseudo (user-pseudo usr)))
(define about (weblet-parameter-ref param 'about (user-about usr)))
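Review bot: The comment `; Precondition: check-secured? must be #t` added inside get-user (-45 hunk) reads as an obligation on the caller, while the function itself now performs the check and returns #f when it fails; `; Over plain http outside dev mode the cookie is ignored and no user is returned` states the actual contract, which is exactly what the callers that dropped their own `secured?` tests now rely on. check-secured? decides from `weblet-parameter-protocol`, so behind a TLS-terminating reverse proxy the application would presumably see http and treat every visitor as logged out in non-dev mode; a comment on check-secured? saying the protocol must be the one the browser used, or support for the proxy's forwarded-protocol header, would prevent that surprise. The handler that issues the cookie (-698 hunk) sets `#:secure?` from the dev flag alone, and whether the login submission itself is refused over plain http is outside the visible hunks and worth confirming, since otherwise the cookie is still issued in response to a cleartext request even though later requests will ignore it. The definition containing the last hunk (-716) starts before the hunk and continues past the end of the page.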