Unify the allowable views configury, and all support for disabling the
checkout view. The former is for sanity, the latter for security. * viewvc.conf.dist (allow_tar, allow_annotate, allow_markup): Removed. (allowed_views): New. * lib/config.py (Config._force_multi_value): Add 'allowed_views'. (Config.set_defaults): Set default for 'allowed_views'; no longer set defaults for 'allow_tar', 'allow_annotate', 'allow_markup'. * lib/viewvc.py (default_view, view_directory, download_tarball, get_file_view_info, view_annotate, view_diff, build_commit, view_revision, view_markup, view_checkout): Track changes, adding code to prevent checkout view URL generation when the view is disabled, and doing the same for markup views (which should have already been done, since we already had an allow_markup option!) * templates/query_results.ezt * templates/markup.ezt * templates/directory.ezt * templates/log.ezt * templates/log_table.ezt * templates/annotate.ezt Don't assume checkout and markup views are present. * docs/upgrading-howto.html Update to show the configuration changes. git-svn-id: http://viewvc.tigris.org/svn/viewvc/trunk@1544 8cb11bc2-c004-0410-86c3-e597b4017df7remotes/options-overhaul
parent
676ee09745
commit
2efd7cc4af
|
@ -114,6 +114,7 @@ td {
|
|||
<li>utilities/gzip</li>
|
||||
<li>utilities/sed</li>
|
||||
<li>options/use_py2html</li>
|
||||
<li>options/allowed_views</li>
|
||||
</ul>
|
||||
|
||||
<p>The following options have been removed:</p>
|
||||
|
@ -127,6 +128,9 @@ td {
|
|||
<li>options/py2html_path</li>
|
||||
<li>options/php_exe</li>
|
||||
<li>options/cvsgraph_path</li>
|
||||
<li>options/allow_annotate</li>
|
||||
<li>options/allow_markup</li>
|
||||
<li>options/allow_tar</li>
|
||||
</ul>
|
||||
|
||||
</div>
|
||||
|
|
|
@ -41,7 +41,7 @@ class Config:
|
|||
_sections = ('general', 'utilities', 'options', 'cvsdb', 'templates')
|
||||
_force_multi_value = ('cvs_roots', 'forbidden',
|
||||
'svn_roots', 'languages', 'kv_files',
|
||||
'root_parents')
|
||||
'root_parents', 'allowed_views')
|
||||
|
||||
def __init__(self):
|
||||
for section in self._sections:
|
||||
|
@ -195,6 +195,7 @@ class Config:
|
|||
self.options.root_as_url_component = 0
|
||||
self.options.default_file_view = "log"
|
||||
self.options.checkout_magic = 0
|
||||
self.options.allowed_views = ['markup', 'annotate']
|
||||
self.options.sort_by = 'file'
|
||||
self.options.sort_group_dirs = 1
|
||||
self.options.hide_attic = 1
|
||||
|
@ -206,8 +207,6 @@ class Config:
|
|||
self.options.hr_ignore_white = 1
|
||||
self.options.hr_ignore_keyword_subst = 1
|
||||
self.options.hr_intraline = 0
|
||||
self.options.allow_annotate = 1
|
||||
self.options.allow_markup = 1
|
||||
self.options.allow_compress = 1
|
||||
self.options.template_dir = "templates"
|
||||
self.options.docroot = None
|
||||
|
@ -224,7 +223,6 @@ class Config:
|
|||
self.options.source_highlight_line_numbers = 1
|
||||
self.options.use_py2html = 0
|
||||
self.options.use_php = 0
|
||||
self.options.allow_tar = 0
|
||||
self.options.use_cvsgraph = 0
|
||||
self.options.cvsgraph_conf = "cvsgraph.conf"
|
||||
self.options.use_re_search = 0
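Review bot: In `Config.set_defaults`, the new default `self.options.allowed_views = ['markup', 'annotate']` turns both views on for any site whose existing viewvc.conf still carries only the removed `allow_annotate = 0` or `allow_markup = 0`, so a view an administrator had switched off may come back after the upgrade. The config loader is not visible in these hunks, so whether a stale `allow_*` key is rejected or silently ignored is an assumption to confirm; if it is ignored, the loader should either fail loudly on the removed keys or translate them into `allowed_views`. The list entries are compared as exact strings elsewhere in the commit (`'co' in cfg.options.allowed_views`), so a misspelt name or stray whitespace would disable a view without any diagnostic; a comment such as `# entries must be exactly one of: tar, annotate, co, markup` next to the default would help. `set_defaults` begins and ends outside these hunks.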
|
||||
|
|
100
lib/viewvc.py
100
lib/viewvc.py
|
@ -918,7 +918,7 @@ def default_view(mime_type, cfg):
|
|||
# very useful marked up. If the mime type is totally unknown (happens when
|
||||
# we encounter an unrecognized file extension) we also view it through
|
||||
# the markup page since that's better than sending it text/plain.
|
||||
if (cfg.options.allow_markup and
|
||||
if ('markup' in cfg.options.allowed_views and
|
||||
(is_viewable_image(mime_type) or is_text(mime_type))):
|
||||
return view_markup
|
||||
return view_checkout
|
||||
|
@ -930,28 +930,31 @@ def get_file_view_info(request, where, rev=None, mime_type=None, pathrev=-1):
|
|||
mime_type = mime_type or request.mime_type
|
||||
if pathrev == -1: # cheesy default value, since we need to preserve None
|
||||
pathrev = request.pathrev
|
||||
download_text_href = annotate_href = revision_href = None
|
||||
view_href = request.get_url(view_func=view_markup,
|
||||
where=where,
|
||||
pathtype=vclib.FILE,
|
||||
params={'revision': rev,
|
||||
'pathrev': pathrev},
|
||||
escape=1)
|
||||
download_href = request.get_url(view_func=view_checkout,
|
||||
where=where,
|
||||
pathtype=vclib.FILE,
|
||||
params={'revision': rev,
|
||||
'pathrev': pathrev},
|
||||
escape=1)
|
||||
if not is_plain_text(mime_type):
|
||||
download_text_href = request.get_url(view_func=view_checkout,
|
||||
where=where,
|
||||
pathtype=vclib.FILE,
|
||||
params={'content-type': 'text/plain',
|
||||
'revision': rev,
|
||||
'pathrev': pathrev},
|
||||
escape=1)
|
||||
if request.cfg.options.allow_annotate:
|
||||
view_href = download_href = download_text_href = annotate_href = revision_href = None
|
||||
|
||||
if 'markup' in request.cfg.options.allowed_views:
|
||||
view_href = request.get_url(view_func=view_markup,
|
||||
where=where,
|
||||
pathtype=vclib.FILE,
|
||||
params={'revision': rev,
|
||||
'pathrev': pathrev},
|
||||
escape=1)
|
||||
if 'co' in request.cfg.options.allowed_views:
|
||||
download_href = request.get_url(view_func=view_checkout,
|
||||
where=where,
|
||||
pathtype=vclib.FILE,
|
||||
params={'revision': rev,
|
||||
'pathrev': pathrev},
|
||||
escape=1)
|
||||
if not is_plain_text(mime_type):
|
||||
download_text_href = request.get_url(view_func=view_checkout,
|
||||
where=where,
|
||||
pathtype=vclib.FILE,
|
||||
params={'content-type': 'text/plain',
|
||||
'revision': rev,
|
||||
'pathrev': pathrev},
|
||||
escape=1)
|
||||
if 'annotate' in request.cfg.options.allowed_views:
|
||||
annotate_href = request.get_url(view_func=view_annotate,
|
||||
where=where,
|
||||
pathtype=vclib.FILE,
|
||||
|
@ -1390,6 +1393,10 @@ def make_rss_time_string(date, cfg):
|
|||
return time.strftime("%a, %d %b %Y %H:%M:%S", time.gmtime(date)) + ' UTC'
|
||||
|
||||
def view_markup(request):
|
||||
if 'markup' not in request.cfg.options.allowed_views:
|
||||
raise debug.ViewVCException('Markup view is disabled',
|
||||
'403 Forbidden')
|
||||
|
||||
cfg = request.cfg
|
||||
path, rev = _orig_path(request)
|
||||
fp, revision = request.repos.openfile(path, rev)
|
||||
|
@ -1457,7 +1464,8 @@ def view_markup(request):
|
|||
})
|
||||
|
||||
markup_fp = None
|
||||
if is_viewable_image(request.mime_type):
|
||||
if is_viewable_image(request.mime_type) \
|
||||
and 'co' in cfg.options.allowed_views:
|
||||
fp.close()
|
||||
url = request.get_url(view_func=view_checkout, params={'revision': rev},
|
||||
escape=1)
|
||||
|
@ -1791,7 +1799,7 @@ def view_directory(request):
|
|||
data['dir_paging_action'], data['dir_paging_hidden_values'] = \
|
||||
request.get_form(params={'dir_pagestart': None})
|
||||
|
||||
if cfg.options.allow_tar:
|
||||
if 'tar' in cfg.options.allowed_views:
|
||||
data['tarball_href'] = request.get_url(view_func=download_tarball,
|
||||
params={},
|
||||
escape=1)
|
||||
|
@ -2189,6 +2197,10 @@ def view_log(request):
|
|||
generate_page(request, "log", data)
|
||||
|
||||
def view_checkout(request):
|
||||
if 'co' not in request.cfg.options.allowed_views:
|
||||
raise debug.ViewVCException('Checkout view is disabled',
|
||||
'403 Forbidden')
|
||||
|
||||
path, rev = _orig_path(request)
|
||||
fp, revision = request.repos.openfile(path, rev)
|
||||
|
||||
|
@ -2200,7 +2212,7 @@ def view_checkout(request):
|
|||
fp.close()
|
||||
|
||||
def view_annotate(request):
|
||||
if not request.cfg.options.allow_annotate:
|
||||
if 'annotate' not in request.cfg.options.allowed_views:
|
||||
raise debug.ViewVCException('Annotation view is disabled',
|
||||
'403 Forbidden')
|
||||
|
||||
|
@ -2836,7 +2848,7 @@ def view_diff(request):
|
|||
data['patch_href'] = request.get_url(view_func=view_patch,
|
||||
params=orig_params,
|
||||
escape=1)
|
||||
if request.cfg.options.allow_annotate:
|
||||
if 'annotate' in request.cfg.options.allowed_views:
|
||||
data['annotate_href'] = request.get_url(view_func=view_annotate,
|
||||
where=path_right,
|
||||
pathtype=vclib.FILE,
|
||||
|
@ -3020,7 +3032,7 @@ def generate_tarball(out, request, reldir, stack, dir_mtime=None):
|
|||
def download_tarball(request):
|
||||
cfg = request.cfg
|
||||
|
||||
if not request.cfg.options.allow_tar:
|
||||
if 'tar' not in request.cfg.options.allowed_views:
|
||||
raise debug.ViewVCException('Tarball generation is disabled',
|
||||
'403 Forbidden')
|
||||
|
||||
|
@ -3120,11 +3132,13 @@ def view_revision(request):
|
|||
link_rev = str(rev)
|
||||
link_where = change.filename
|
||||
|
||||
change.view_href = request.get_url(view_func=view_func,
|
||||
where=link_where,
|
||||
pathtype=change.pathtype,
|
||||
params={'pathrev' : link_rev},
|
||||
escape=1)
|
||||
if view_func != view_markup \
|
||||
or 'markup' in request.cfg.options.allowed_views:
|
||||
change.view_href = request.get_url(view_func=view_func,
|
||||
where=link_where,
|
||||
pathtype=change.pathtype,
|
||||
params={'pathrev' : link_rev},
|
||||
escape=1)
|
||||
change.log_href = request.get_url(view_func=view_log,
|
||||
where=link_where,
|
||||
pathtype=change.pathtype,
|
||||
|
@ -3358,14 +3372,6 @@ def build_commit(request, files, limited_files, dir_strip):
|
|||
where=filename, pathtype=vclib.FILE,
|
||||
params=params,
|
||||
escape=1)
|
||||
view_href = request.get_url(view_func=view_markup,
|
||||
where=filename, pathtype=vclib.FILE,
|
||||
params={'revision': f.GetRevision() },
|
||||
escape=1)
|
||||
download_href = request.get_url(view_func=view_checkout,
|
||||
where=filename, pathtype=vclib.FILE,
|
||||
params={'revision': f.GetRevision() },
|
||||
escape=1)
|
||||
diff_href = request.get_url(view_func=view_diff,
|
||||
where=filename, pathtype=vclib.FILE,
|
||||
params={'r1': prev_rev(f.GetRevision()),
|
||||
|
@ -3373,6 +3379,18 @@ def build_commit(request, files, limited_files, dir_strip):
|
|||
'diff_format': None},
|
||||
escape=1)
|
||||
|
||||
view_href = download_href = None
|
||||
if 'markup' in request.cfg.options.allowed_views:
|
||||
view_href = request.get_url(view_func=view_markup,
|
||||
where=filename, pathtype=vclib.FILE,
|
||||
params={'revision': f.GetRevision() },
|
||||
escape=1)
|
||||
if 'co' in request.cfg.options.allowed_views:
|
||||
download_href = request.get_url(view_func=view_checkout,
|
||||
where=filename, pathtype=vclib.FILE,
|
||||
params={'revision': f.GetRevision() },
|
||||
escape=1)
|
||||
|
||||
# skip files in forbidden or hidden modules
|
||||
dir_parts = filter(None, string.split(dirname, '/'))
|
||||
if dir_parts \
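Review bot: `default_view` still ends in `return view_checkout` without consulting `'co' in cfg.options.allowed_views`, and the new guard in `view_revision` (`if view_func != view_markup or 'markup' in ...`) covers only the markup case, so with the shipped default of `markup, annotate` a non-text, non-image file appears to get a link to a view that `view_checkout` now answers with 403 Forbidden. The handler-side check in `view_checkout` remains the actual enforcement point, so this is a broken-link and consistency issue rather than a bypass. In `view_revision` the condition could read `if (view_func != view_markup or 'markup' in allowed) and (view_func != view_checkout or 'co' in allowed):` with `allowed = request.cfg.options.allowed_views`, assuming `view_func` there comes from `default_view`, which the hunk does not show. Because the page has lost indentation, it is also worth confirming that the `if not is_plain_text(mime_type):` block in `get_file_view_info` is nested under the `'co'` test. All of these functions continue outside their hunks.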
|
||||
|
|
|
@ -6,7 +6,7 @@
|
|||
<p>
|
||||
Revision [if-any revision_href]<a href="[revision_href]"><strong>[rev]</strong></a>[else]<strong>[rev]</strong>[end] -
|
||||
(<a href="[view_href]"><strong>view</strong></a>)
|
||||
(<a href="[download_href]"><strong>download</strong></a>)
|
||||
[if-any download_href](<a href="[download_href]"><strong>download</strong></a>)[end]
|
||||
[if-any download_text_href](<a href="[download_text_href]"><strong>as text</strong></a>)[end]
|
||||
[if-any orig_path]
|
||||
<br />Original Path: <a href="[orig_href]"><em>[orig_path]</em></a>
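Review bot: The `(<a href="[view_href]"><strong>view</strong></a>)` line just above the changed line is left unguarded, although `get_file_view_info` now leaves `view_href` as None when 'markup' is not in `allowed_views`. If this template receives its `view_href` from that function (not visible here), the link should get the same treatment as the download link: `[if-any view_href](<a href="[view_href]"><strong>view</strong></a>)[end]`.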
|
||||
|
|
|
@ -96,7 +96,8 @@
|
|||
[is entries.pathtype "dir"]
|
||||
<td> [if-any entries.rev]<a href="[entries.log_href]" title="View directory revision log"><strong>[entries.rev]</strong></a>[end]</td>
|
||||
[else]
|
||||
<td> [if-any entries.rev]<a href="[if-any entries.prefer_markup][entries.view_href][else][entries.download_href][end]" title="[if-any entries.prefer_markup]View[else]Download[end] file contents"><strong>[entries.rev]</strong></a>[end]</td>
|
||||
[define rev_href][if-any entries.prefer_markup][entries.view_href][else][if-any entries.download_href][entries.download_href][end][end][end]
|
||||
<td> [if-any entries.rev][if-any rev_href]<a href="[rev_href]" title="[if-any entries.prefer_markup]View[else]Download[end] file contents">[end]<strong>[entries.rev]</strong>[if-any rev_href]</a>[end][end]</td>
|
||||
[end]
|
||||
<td> [entries.ago]</td>
|
||||
<td> [entries.author]</td>
|
||||
|
|
|
@ -19,10 +19,12 @@
|
|||
[end]
|
||||
|
||||
Revision [is roottype "svn"]<a href="[entries.revision_href]"><strong>[entries.rev]</strong></a>[else]<strong>[entries.rev]</strong>[end] -
|
||||
[is pathtype "file"]
|
||||
(<a href="[entries.view_href]">view</a>)
|
||||
[else]
|
||||
<a href="[entries.view_href]">Directory Listing</a>
|
||||
[if-any entries.view_href]
|
||||
[is pathtype "file"]
|
||||
(<a href="[entries.view_href]">view</a>)
|
||||
[else]
|
||||
<a href="[entries.view_href]">Directory Listing</a>
|
||||
[end]
|
||||
[end]
|
||||
[if-any entries.download_href](<a href="[entries.download_href]">download</a>)[end]
|
||||
[if-any entries.download_text_href](<a href="[entries.download_text_href]">as text</a>)[end]
|
||||
|
|
|
@ -34,10 +34,12 @@
|
|||
|
||||
[# Tasks column]
|
||||
<td>
|
||||
[is pathtype "file"]
|
||||
<a href="[entries.view_href]"><strong>View</strong></a><br />
|
||||
[else]
|
||||
<a href="[entries.view_href]"><strong>Directory Listing</strong></a><br />
|
||||
[if-any entries.view_href]
|
||||
[is pathtype "file"]
|
||||
<a href="[entries.view_href]"><strong>View</strong></a><br />
|
||||
[else]
|
||||
<a href="[entries.view_href]"><strong>Directory Listing</strong></a><br />
|
||||
[end]
|
||||
[end]
|
||||
[if-any entries.download_href]<a href="[entries.download_href]"><strong>Download</strong></a><br />[end]
|
||||
[if-any entries.download_text_href]<a href="[entries.download_text_href]"><strong>As text</strong></a><br />[end]
|
||||
|
|
|
@ -8,7 +8,7 @@
|
|||
<hr />
|
||||
<div class="vc_summary">
|
||||
Revision [if-any revision_href]<a href="[revision_href]"><strong>[rev]</strong></a>[else]<strong>[rev]</strong>[end] -
|
||||
(<a href="[download_href]"><strong>download</strong></a>)
|
||||
[if-any download_href](<a href="[download_href]"><strong>download</strong></a>)[end]
|
||||
[if-any download_text_href](<a href="[download_text_href]"><strong>as text</strong></a>)[end]
|
||||
[if-any annotate_href](<a href="[annotate_href]"><strong>annotate</strong></a>)[end]
|
||||
|
||||
|
|
|
@ -34,7 +34,8 @@
|
|||
<tbody>
|
||||
<tr class="vc_row_[if-index commits even]even[else]odd[end]">
|
||||
<td style="vertical-align: top;">
|
||||
[if-any commits.files.rev]<a href="[if-any commits.files.prefer_markup][commits.files.view_href][else][commits.files.download_href][end]">[commits.files.rev]</a>[else] [end]
|
||||
[define rev_href][if-any commits.files.prefer_markup][commits.files.view_href][else][if-any commits.files.download_href][commits.files.download_href][end][end][end]
|
||||
[if-any commits.files.rev][if-any rev_href]<a href="[rev_href]">[end][commits.files.rev][if-any rev_href]</a>[end][else] [end]
|
||||
</td>
|
||||
<td style="vertical-align: top;">
|
||||
<a href="[commits.files.dir_href]">[commits.files.dir]/</a>
|
||||
|
|
|
@ -347,6 +347,18 @@ sed =
|
|||
# any old ViewCVS URL which doesn't have an explicit "root" parameter.
|
||||
root_as_url_component = 0
|
||||
|
||||
# checkout_magic: Use checkout links with magic /*checkout*/ prefixes so
|
||||
# checked out HTML pages can have working links to other repository files
|
||||
# Note: This option is DEPRECATED and should not be used in new ViewVC
|
||||
# installations. Setting "default_file_view = co" achieves the same effect
|
||||
checkout_magic = 0
|
||||
|
||||
# allowed_views: List the ViewVC views which are enabled. Views not
|
||||
# in this comma-delited list will not be served (or, will return an
|
||||
# error on attempted access).
|
||||
# Possible values: "tar", "annotate", "co", "markup"
|
||||
allowed_views = markup, annotate
|
||||
|
||||
# default_file_view: "log" or "co"
|
||||
# Controls whether the default view for file URLs is a checkout view or
|
||||
# a log view. "log" is the default for backwards compatibility with old
|
||||
|
@ -355,14 +367,10 @@ root_as_url_component = 0
|
|||
# to other repository files
|
||||
# Note: Changing this option may cause old ViewCVS URLs that referred
|
||||
# to log pages to load checkout pages instead.
|
||||
# Also note: If you choose the "co" view, be sure to enable it (via
|
||||
# the allowed_views option)
|
||||
default_file_view = log
|
||||
|
||||
# checkout_magic: Use checkout links with magic /*checkout*/ prefixes so
|
||||
# checked out HTML pages can have working links to other repository files
|
||||
# Note: This option is DEPRECATED and should not be used in new ViewVC
|
||||
# installations. Setting "default_file_view = co" achieves the same effect
|
||||
checkout_magic = 0
|
||||
|
||||
# http_expiration_time: Expiration time (in seconds) for cacheable
|
||||
# pages served by ViewVC. Note that in most cases, a cache aware
|
||||
# client will only revalidate the page after it expires (using the
|
||||
|
@ -440,12 +448,6 @@ hr_ignore_keyword_subst = 1
|
|||
#
|
||||
hr_intraline = 0
|
||||
|
||||
# allow annotation of files.
|
||||
allow_annotate = 1
|
||||
|
||||
# allow pretty-printed version of files
|
||||
allow_markup = 1
|
||||
|
||||
# allow compression with gzip of output if the Browser accepts it
|
||||
# (HTTP_ACCEPT_ENCODING=gzip)
|
||||
# [make sure to have gzip in the path]
|
||||
|
@ -529,12 +531,6 @@ source_highlight_line_numbers = 1
|
|||
# use php to colorize .php and .inc files?
|
||||
use_php = 0
|
||||
|
||||
#
|
||||
# ViewVC can generate tarball from a repository on the fly.
|
||||
#
|
||||
allow_tar = 0
|
||||
# allow_tar = 1
|
||||
|
||||
#
|
||||
# Use CvsGraph. See http://www.akhphd.au.dk/~bertho/cvsgraph/ for
|
||||
# documentation and download.
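Review bot: The new `allowed_views` comment has a typo, "comma-delited" for "comma-delimited", and it does not say that the shipped value `markup, annotate` leaves the checkout and tarball views off. Since the commit message gives security as the reason for being able to disable checkout, the comment should state the default explicitly, for example `# "co" is the download/checkout view and "tar" is on-the-fly tarball generation; both are off unless listed here.` The relocated `checkout_magic` comment still recommends `default_file_view = co` without the reminder, added further down for `default_file_view`, that "co" must be enabled in `allowed_views`.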
|
||||
|
|