X-Git-Url: http://git.shiar.nl/minimedit.git/blobdiff_plain/af5d5f4037aabc493afa60a5394ab3f8f6134917..HEAD:/page.php diff --git a/page.php b/page.php index 0c101f8..30f0e3c 100644 --- a/page.php +++ b/page.php @@ -16,7 +16,7 @@ $staticpage = "$request.html"; if (file_exists($staticpage)) { if (is_link($staticpage)) { $target = preg_replace('/\.html$/', '', readlink($staticpage)); - abort($target, '302 Shorthand'); + abort($target, '307 Shorthand'); } } elseif (file_exists("$request/index.html")) { @@ -26,7 +26,7 @@ elseif (file_exists("$request/index.html")) { require_once('article.inc.php'); $Page = new ArchiveArticle($staticpage); -if ($_SERVER['HTTP_ACCEPT'] === 'text/plain') { +if (@$_SERVER['HTTP_ACCEPT'] === 'text/plain') { $Page->api = TRUE; } @@ -40,6 +40,11 @@ if ($Page->restricted) { $target = urlencode($Page->link); abort("/login?goto=$target", '303 Eerst inloggen'); } + elseif ($check = file_get_contents("{$Page->restricted}/.private") + and !$User->admin(trim($check))) { + http_response_code(403); + $Page->raw('403.inc.html'); + } } # prepare page contents @@ -50,17 +55,19 @@ header(sprintf('Content-Security-Policy: %s', implode('; ', [ "base-uri 'self'", # only local pages "frame-ancestors 'none'", # prevent malicious embedding ]))); +header('Referrer-Policy: no-referrer-when-downgrade'); $Page->place += [ 'user' => $User->login ?: '', 'url' => htmlspecialchars($_SERVER['REQUEST_URI']), ]; -if ($User->admin("edit {$Page->link}")) { +if ($Page->editable = $User->admin("edit {$Page->link}")) { include_once 'edit/head.inc.php'; } -if (isset($Page->raw)) { +if (isset($Page->raw) +and @$_SERVER['HTTP_ACCEPT'] !== 'application/xml') { $Page->raw = '
'."\n\n".$Page->raw."
\n\n"; } @@ -83,7 +90,10 @@ else { } } -if (!$Page->api and $_SERVER['HTTP_ACCEPT'] !== 'application/xml') { +if (@$_SERVER['HTTP_ACCEPT'] === 'application/xml') { + header('Access-Control-Allow-Origin: *'); +} +elseif (!$Page->api) { include_once 'page.inc.php'; } print $Page->render();