X-Git-Url: http://git.shiar.nl/minimedit.git/blobdiff_plain/47fdce547d48fe80bcaac1495bf12c7450a1380e..HEAD:/page.php diff --git a/page.php b/page.php index 21cc0a0..30f0e3c 100644 --- a/page.php +++ b/page.php @@ -2,120 +2,99 @@ error_reporting(E_ALL); ini_set('display_errors', TRUE); -function getoutput($blocks = []) -{ - $rep = []; - foreach ($blocks as $name => $html) { - $rep["[[$name]]"] = sprintf('%s', - is_numeric($name) ? '' : "[[$name]]", - preg_replace('{}', '', $html) - ); - } - return str_replace(array_keys($rep), array_values($rep), ob_get_clean()); -} - -# custom error handling +define('DOCROOT', getcwd()); +set_include_path(implode(PATH_SEPARATOR, [ DOCROOT, __DIR__ ])); -define('DOCROOT', getcwd().'/'); - -function fail($error) -{ - http_response_code(500); - include_once 'page.inc.php'; - ob_start(); - require_once DOCROOT.'500.html'; - print getoutput(['debug' => $error]); -} +include_once 'error.inc.php'; -set_exception_handler('fail'); +# setup requested page -define('E_FATAL', E_ERROR | E_CORE_ERROR | E_COMPILE_ERROR | E_USER_ERROR); +$request = preg_replace('/\?.*/', '', @$_SERVER['PATH_INFO'] ?: $_SERVER['REQUEST_URI']); +$request = urldecode(trim($request, '/')) ?: 'index'; -set_error_handler(function ($level, $error, $file, $line) { - if ($level & E_FATAL) { - fail($error); - return; +$staticpage = "$request.html"; +if (file_exists($staticpage)) { + if (is_link($staticpage)) { + $target = preg_replace('/\.html$/', '', readlink($staticpage)); + abort($target, '307 Shorthand'); } - return FALSE; -}); +} +elseif (file_exists("$request/index.html")) { + $staticpage = "$request/index.html"; +} -register_shutdown_function(function () { - # display failure page for fatal exceptions - $error = error_get_last(); - if (!($error['type'] & E_FATAL)) return; - fail("Fatal: $error[message] in $error[file]:$error[line]"); -}); +require_once('article.inc.php'); +$Page = new ArchiveArticle($staticpage); -error_reporting(error_reporting() & ~E_FATAL); +if (@$_SERVER['HTTP_ACCEPT'] === 'text/plain') { + $Page->api = TRUE; +} # user login and control -include_once 'auth.inc.php'; -$Edit = isset($_GET['edit']); - -# distinguish subpage Args from topmost Page script - -$Args = ''; -$Page = preg_replace('/\?.*/', '', @$_SERVER['PATH_INFO'] ?: $_SERVER['REQUEST_URI']); -$Page = urldecode(trim($Page, '/')) ?: 'index'; -while (TRUE) { - if (file_exists("$Page/.private")) { - # access restriction - if (!isset($User)) { - http_response_code(303); - $target = urlencode($_SERVER['REQUEST_URI']); - header("Location: /login?goto=$target"); - exit; - } - $PageAccess = $Page; - } +include_once 'auth.inc.php'; // sets global $User - if (file_exists("$Page.php")) { - break; +if ($Page->restricted) { + # access restriction + if (!$User->login) { + $target = urlencode($Page->link); + abort("/login?goto=$target", '303 Eerst inloggen'); } - - $up = strrpos($Page, '/'); - $Args = substr($Page, $up) . $Args; - $Page = substr($Page, 0, $up); - if ($up === FALSE) { - break; + elseif ($check = file_get_contents("{$Page->restricted}/.private") + and !$User->admin(trim($check))) { + http_response_code(403); + $Page->raw('403.inc.html'); } } -# load static contents +# prepare page contents -ob_start(); # page body -ob_start(); # inner html -print '
'."\n\n"; +header(sprintf('Content-Security-Policy: %s', implode('; ', [ + "default-src 'self' 'unsafe-inline' http://cdn.ckeditor.com", # some overrides remain + "img-src 'self' data: blob: http://cdn.ckeditor.com", # inline svg (in css) + "base-uri 'self'", # only local pages + "frame-ancestors 'none'", # prevent malicious embedding +]))); +header('Referrer-Policy: no-referrer-when-downgrade'); -$found = FALSE; -if (file_exists("$Page$Args/index.html")) { - $found = include "./$Page$Args/index.html"; -} -elseif (file_exists("$Page$Args.html")) { - $found = include "./$Page$Args.html"; +$Page->place += [ + 'user' => $User->login ?: '', + 'url' => htmlspecialchars($_SERVER['REQUEST_URI']), +]; + +if ($Page->editable = $User->admin("edit {$Page->link}")) { + include_once 'edit/head.inc.php'; } -elseif (isset($User) and $User['admin']) { - $found = include (file_exists("$Page/template.html") ? "$Page/template.html" : './template.html'); + +if (isset($Page->raw) +and @$_SERVER['HTTP_ACCEPT'] !== 'application/xml') { + $Page->raw = '
'."\n\n".$Page->raw."
\n\n"; } -print "
\n\n"; +# output dynamic and/or static html -# execute dynamic code +include_once 'format.inc.php'; -if ($Page) { - $found |= require "./$Page.php"; +ob_start(); +if ($Page->handler and !$Page->index($Page->api)) { + # replace contents by code output on false return + $Page->raw = ob_get_clean(); +} +else { + # keep article contents + if (!isset($Page->body)) { + # no resulting output + http_response_code(404); + @require '404.inc.html'; + $Page->raw = ob_get_clean() . $Page->raw; + } } -# global html - -include_once 'page.inc.php'; - -if (!$found) { - # no resulting output - http_response_code(404); - ob_start(); - @require "./404.html"; - print getoutput([ 'url' => htmlspecialchars($_SERVER['REQUEST_URI']) ]); +if (@$_SERVER['HTTP_ACCEPT'] === 'application/xml') { + header('Access-Control-Allow-Origin: *'); +} +elseif (!$Page->api) { + include_once 'page.inc.php'; } +print $Page->render();