Unify the allowable views configury, and add support for disabling the

checkout view.  The former is for sanity, the latter for security.

* viewvc.conf.dist
  (allow_tar, allow_annotate, allow_markup): Removed.
  (allowed_views): New.

* lib/config.py
  (Config._force_multi_value): Add 'allowed_views'.
  (Config.set_defaults): Set default for 'allowed_views'; no longer set
    defaults for 'allow_tar', 'allow_annotate', 'allow_markup'.

* lib/viewvc.py
  (default_view, view_directory, download_tarball, get_file_view_info,
   view_annotate, view_diff, build_commit, view_revision, view_markup,
   view_checkout): Track changes, adding code to prevent checkout view
    URL generation when the view is disabled, and doing the same for
    markup views (which should have already been done, since we already
    had an allow_markup option!)

* templates/query_results.ezt
* templates/markup.ezt
* templates/directory.ezt
* templates/log.ezt
* templates/log_table.ezt
* templates/annotate.ezt
  Don't assume checkout and markup views are present.

* docs/upgrading-howto.html
  Update to show the configuration changes.


git-svn-id: http://viewvc.tigris.org/svn/viewvc/trunk@1544 8cb11bc2-c004-0410-86c3-e597b4017df7
remotes/options-overhaul
cmpilato 2007-03-27 19:03:37 +00:00
parent 676ee09745
commit 2efd7cc4af
10 changed files with 97 additions and 75 deletions


@ -114,6 +114,7 @@ td {
<li>utilities/gzip</li>
<li>utilities/sed</li>
<li>options/use_py2html</li>
<li>options/allowed_views</li>
</ul>
<p>The following options have been removed:</p>
@ -127,6 +128,9 @@ td {
<li>options/py2html_path</li>
<li>options/php_exe</li>
<li>options/cvsgraph_path</li>
<li>options/allow_annotate</li>
<li>options/allow_markup</li>
<li>options/allow_tar</li>
</ul>
</div>


@ -41,7 +41,7 @@ class Config:
_sections = ('general', 'utilities', 'options', 'cvsdb', 'templates')
_force_multi_value = ('cvs_roots', 'forbidden',
'svn_roots', 'languages', 'kv_files',
'root_parents')
'root_parents', 'allowed_views')
def __init__(self):
for section in self._sections:
@ -195,6 +195,7 @@ class Config:
self.options.root_as_url_component = 0
self.options.default_file_view = "log"
self.options.checkout_magic = 0
self.options.allowed_views = ['markup', 'annotate']
self.options.sort_by = 'file'
self.options.sort_group_dirs = 1
self.options.hide_attic = 1
@ -206,8 +207,6 @@ class Config:
self.options.hr_ignore_white = 1
self.options.hr_ignore_keyword_subst = 1
self.options.hr_intraline = 0
self.options.allow_annotate = 1
self.options.allow_markup = 1
self.options.allow_compress = 1
self.options.template_dir = "templates"
self.options.docroot = None
@ -224,7 +223,6 @@ class Config:
self.options.source_highlight_line_numbers = 1
self.options.use_py2html = 0
self.options.use_php = 0
self.options.allow_tar = 0
self.options.use_cvsgraph = 0
self.options.cvsgraph_conf = "cvsgraph.conf"
self.options.use_re_search = 0
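Review bot: The new default on the `self.options.allowed_views = ['markup', 'annotate']` line is never validated against the four names the option documents (`tar`, `annotate`, `co`, `markup`), so a misspelled entry in viewvc.conf silently leaves that view disabled instead of being reported. Failing closed is the right direction for a security switch, but an administrator who intends to enable a view gets no diagnostic when the name is wrong. A comment here `# valid names: 'tar', 'annotate', 'co', 'markup'; unknown names are ignored (view stays disabled)` would at least make the contract explicit, and a one-line check after the config is loaded would make it visible. I cannot see from this hunk whether `_force_multi_value` strips whitespace around each comma-separated item, which matters for the documented `markup, annotate` spelling — worth confirming.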


@ -918,7 +918,7 @@ def default_view(mime_type, cfg):
# very useful marked up. If the mime type is totally unknown (happens when
# we encounter an unrecognized file extension) we also view it through
# the markup page since that's better than sending it text/plain.
if (cfg.options.allow_markup and
if ('markup' in cfg.options.allowed_views and
(is_viewable_image(mime_type) or is_text(mime_type))):
return view_markup
return view_checkout
@ -930,28 +930,31 @@ def get_file_view_info(request, where, rev=None, mime_type=None, pathrev=-1):
mime_type = mime_type or request.mime_type
if pathrev == -1: # cheesy default value, since we need to preserve None
pathrev = request.pathrev
download_text_href = annotate_href = revision_href = None
view_href = request.get_url(view_func=view_markup,
where=where,
pathtype=vclib.FILE,
params={'revision': rev,
'pathrev': pathrev},
escape=1)
download_href = request.get_url(view_func=view_checkout,
where=where,
pathtype=vclib.FILE,
params={'revision': rev,
'pathrev': pathrev},
escape=1)
if not is_plain_text(mime_type):
download_text_href = request.get_url(view_func=view_checkout,
where=where,
pathtype=vclib.FILE,
params={'content-type': 'text/plain',
'revision': rev,
'pathrev': pathrev},
escape=1)
if request.cfg.options.allow_annotate:
view_href = download_href = download_text_href = annotate_href = revision_href = None
if 'markup' in request.cfg.options.allowed_views:
view_href = request.get_url(view_func=view_markup,
where=where,
pathtype=vclib.FILE,
params={'revision': rev,
'pathrev': pathrev},
escape=1)
if 'co' in request.cfg.options.allowed_views:
download_href = request.get_url(view_func=view_checkout,
where=where,
pathtype=vclib.FILE,
params={'revision': rev,
'pathrev': pathrev},
escape=1)
if not is_plain_text(mime_type):
download_text_href = request.get_url(view_func=view_checkout,
where=where,
pathtype=vclib.FILE,
params={'content-type': 'text/plain',
'revision': rev,
'pathrev': pathrev},
escape=1)
if 'annotate' in request.cfg.options.allowed_views:
annotate_href = request.get_url(view_func=view_annotate,
where=where,
pathtype=vclib.FILE,
@ -1390,6 +1393,10 @@ def make_rss_time_string(date, cfg):
return time.strftime("%a, %d %b %Y %H:%M:%S", time.gmtime(date)) + ' UTC'
def view_markup(request):
if 'markup' not in request.cfg.options.allowed_views:
raise debug.ViewVCException('Markup view is disabled',
'403 Forbidden')
cfg = request.cfg
path, rev = _orig_path(request)
fp, revision = request.repos.openfile(path, rev)
@ -1457,7 +1464,8 @@ def view_markup(request):
})
markup_fp = None
if is_viewable_image(request.mime_type):
if is_viewable_image(request.mime_type) \
and 'co' in cfg.options.allowed_views:
fp.close()
url = request.get_url(view_func=view_checkout, params={'revision': rev},
escape=1)
@ -1791,7 +1799,7 @@ def view_directory(request):
data['dir_paging_action'], data['dir_paging_hidden_values'] = \
request.get_form(params={'dir_pagestart': None})
if cfg.options.allow_tar:
if 'tar' in cfg.options.allowed_views:
data['tarball_href'] = request.get_url(view_func=download_tarball,
params={},
escape=1)
@ -2189,6 +2197,10 @@ def view_log(request):
generate_page(request, "log", data)
def view_checkout(request):
if 'co' not in request.cfg.options.allowed_views:
raise debug.ViewVCException('Checkout view is disabled',
'403 Forbidden')
path, rev = _orig_path(request)
fp, revision = request.repos.openfile(path, rev)
@ -2200,7 +2212,7 @@ def view_checkout(request):
fp.close()
def view_annotate(request):
if not request.cfg.options.allow_annotate:
if 'annotate' not in request.cfg.options.allowed_views:
raise debug.ViewVCException('Annotation view is disabled',
'403 Forbidden')
@ -2836,7 +2848,7 @@ def view_diff(request):
data['patch_href'] = request.get_url(view_func=view_patch,
params=orig_params,
escape=1)
if request.cfg.options.allow_annotate:
if 'annotate' in request.cfg.options.allowed_views:
data['annotate_href'] = request.get_url(view_func=view_annotate,
where=path_right,
pathtype=vclib.FILE,
@ -3020,7 +3032,7 @@ def generate_tarball(out, request, reldir, stack, dir_mtime=None):
def download_tarball(request):
cfg = request.cfg
if not request.cfg.options.allow_tar:
if 'tar' not in request.cfg.options.allowed_views:
raise debug.ViewVCException('Tarball generation is disabled',
'403 Forbidden')
@ -3120,11 +3132,13 @@ def view_revision(request):
link_rev = str(rev)
link_where = change.filename
change.view_href = request.get_url(view_func=view_func,
where=link_where,
pathtype=change.pathtype,
params={'pathrev' : link_rev},
escape=1)
if view_func != view_markup \
or 'markup' in request.cfg.options.allowed_views:
change.view_href = request.get_url(view_func=view_func,
where=link_where,
pathtype=change.pathtype,
params={'pathrev' : link_rev},
escape=1)
change.log_href = request.get_url(view_func=view_log,
where=link_where,
pathtype=change.pathtype,
@ -3358,14 +3372,6 @@ def build_commit(request, files, limited_files, dir_strip):
where=filename, pathtype=vclib.FILE,
params=params,
escape=1)
view_href = request.get_url(view_func=view_markup,
where=filename, pathtype=vclib.FILE,
params={'revision': f.GetRevision() },
escape=1)
download_href = request.get_url(view_func=view_checkout,
where=filename, pathtype=vclib.FILE,
params={'revision': f.GetRevision() },
escape=1)
diff_href = request.get_url(view_func=view_diff,
where=filename, pathtype=vclib.FILE,
params={'r1': prev_rev(f.GetRevision()),
@ -3373,6 +3379,18 @@ def build_commit(request, files, limited_files, dir_strip):
'diff_format': None},
escape=1)
view_href = download_href = None
if 'markup' in request.cfg.options.allowed_views:
view_href = request.get_url(view_func=view_markup,
where=filename, pathtype=vclib.FILE,
params={'revision': f.GetRevision() },
escape=1)
if 'co' in request.cfg.options.allowed_views:
download_href = request.get_url(view_func=view_checkout,
where=filename, pathtype=vclib.FILE,
params={'revision': f.GetRevision() },
escape=1)
# skip files in forbidden or hidden modules
dir_parts = filter(None, string.split(dirname, '/'))
if dir_parts \
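Review bot: `default_view` still falls through to `return view_checkout` whenever markup is not permitted or the type is not viewable, without checking that `'co'` is in `allowed_views`; with the new default of `['markup', 'annotate']` every binary file's default view now resolves to a handler that immediately raises 403 Forbidden. The guard added in `view_checkout` (`if 'co' not in request.cfg.options.allowed_views:`) keeps this from being a bypass, but every caller that builds links from `default_view` will emit URLs to a disabled view. Consider `if 'co' in cfg.options.allowed_views: return view_checkout` followed by `return view_log` (or having callers skip link generation) when neither view is allowed; note that `default_view`'s body begins before this hunk. The same checkout-disabled case also reaches `view_markup` for images at `and 'co' in cfg.options.allowed_views:`, where the image now drops through to the markup path, and the hunk does not show what that path renders for image content.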


@ -6,7 +6,7 @@
<p>
Revision [if-any revision_href]<a href="[revision_href]"><strong>[rev]</strong></a>[else]<strong>[rev]</strong>[end] -
(<a href="[view_href]"><strong>view</strong></a>)
(<a href="[download_href]"><strong>download</strong></a>)
[if-any download_href](<a href="[download_href]"><strong>download</strong></a>)[end]
[if-any download_text_href](<a href="[download_text_href]"><strong>as text</strong></a>)[end]
[if-any orig_path]
<br />Original Path: <a href="[orig_href]"><em>[orig_path]</em></a>


@ -96,7 +96,8 @@
[is entries.pathtype "dir"]
<td>&nbsp;[if-any entries.rev]<a href="[entries.log_href]" title="View directory revision log"><strong>[entries.rev]</strong></a>[end]</td>
[else]
<td>&nbsp;[if-any entries.rev]<a href="[if-any entries.prefer_markup][entries.view_href][else][entries.download_href][end]" title="[if-any entries.prefer_markup]View[else]Download[end] file contents"><strong>[entries.rev]</strong></a>[end]</td>
[define rev_href][if-any entries.prefer_markup][entries.view_href][else][if-any entries.download_href][entries.download_href][end][end][end]
<td>&nbsp;[if-any entries.rev][if-any rev_href]<a href="[rev_href]" title="[if-any entries.prefer_markup]View[else]Download[end] file contents">[end]<strong>[entries.rev]</strong>[if-any rev_href]</a>[end][end]</td>
[end]
<td>&nbsp;[entries.ago]</td>
<td>&nbsp;[entries.author]</td>


@ -19,10 +19,12 @@
[end]
Revision [is roottype "svn"]<a href="[entries.revision_href]"><strong>[entries.rev]</strong></a>[else]<strong>[entries.rev]</strong>[end] -
[is pathtype "file"]
(<a href="[entries.view_href]">view</a>)
[else]
<a href="[entries.view_href]">Directory Listing</a>
[if-any entries.view_href]
[is pathtype "file"]
(<a href="[entries.view_href]">view</a>)
[else]
<a href="[entries.view_href]">Directory Listing</a>
[end]
[end]
[if-any entries.download_href](<a href="[entries.download_href]">download</a>)[end]
[if-any entries.download_text_href](<a href="[entries.download_text_href]">as text</a>)[end]


@ -34,10 +34,12 @@
[# Tasks column]
<td>
[is pathtype "file"]
<a href="[entries.view_href]"><strong>View</strong></a><br />
[else]
<a href="[entries.view_href]"><strong>Directory Listing</strong></a><br />
[if-any entries.view_href]
[is pathtype "file"]
<a href="[entries.view_href]"><strong>View</strong></a><br />
[else]
<a href="[entries.view_href]"><strong>Directory Listing</strong></a><br />
[end]
[end]
[if-any entries.download_href]<a href="[entries.download_href]"><strong>Download</strong></a><br />[end]
[if-any entries.download_text_href]<a href="[entries.download_text_href]"><strong>As text</strong></a><br />[end]


@ -8,7 +8,7 @@
<hr />
<div class="vc_summary">
Revision [if-any revision_href]<a href="[revision_href]"><strong>[rev]</strong></a>[else]<strong>[rev]</strong>[end] -
(<a href="[download_href]"><strong>download</strong></a>)
[if-any download_href](<a href="[download_href]"><strong>download</strong></a>)[end]
[if-any download_text_href](<a href="[download_text_href]"><strong>as text</strong></a>)[end]
[if-any annotate_href](<a href="[annotate_href]"><strong>annotate</strong></a>)[end]


@ -34,7 +34,8 @@
<tbody>
<tr class="vc_row_[if-index commits even]even[else]odd[end]">
<td style="vertical-align: top;">
[if-any commits.files.rev]<a href="[if-any commits.files.prefer_markup][commits.files.view_href][else][commits.files.download_href][end]">[commits.files.rev]</a>[else]&nbsp;[end]
[define rev_href][if-any commits.files.prefer_markup][commits.files.view_href][else][if-any commits.files.download_href][commits.files.download_href][end][end][end]
[if-any commits.files.rev][if-any rev_href]<a href="[rev_href]">[end][commits.files.rev][if-any rev_href]</a>[end][else]&nbsp;[end]
</td>
<td style="vertical-align: top;">
<a href="[commits.files.dir_href]">[commits.files.dir]/</a>


@ -347,6 +347,18 @@ sed =
# any old ViewCVS URL which doesn't have an explicit "root" parameter.
root_as_url_component = 0
# checkout_magic: Use checkout links with magic /*checkout*/ prefixes so
# checked out HTML pages can have working links to other repository files
# Note: This option is DEPRECATED and should not be used in new ViewVC
# installations. Setting "default_file_view = co" achieves the same effect
checkout_magic = 0
# allowed_views: List the ViewVC views which are enabled. Views not
# in this comma-delited list will not be served (or, will return an
# error on attempted access).
# Possible values: "tar", "annotate", "co", "markup"
allowed_views = markup, annotate
# default_file_view: "log" or "co"
# Controls whether the default view for file URLs is a checkout view or
# a log view. "log" is the default for backwards compatibility with old
@ -355,14 +367,10 @@ root_as_url_component = 0
# to other repository files
# Note: Changing this option may cause old ViewCVS URLs that referred
# to log pages to load checkout pages instead.
# Also note: If you choose the "co" view, be sure to enable it (via
# the allowed_views option)
default_file_view = log
# checkout_magic: Use checkout links with magic /*checkout*/ prefixes so
# checked out HTML pages can have working links to other repository files
# Note: This option is DEPRECATED and should not be used in new ViewVC
# installations. Setting "default_file_view = co" achieves the same effect
checkout_magic = 0
# http_expiration_time: Expiration time (in seconds) for cacheable
# pages served by ViewVC. Note that in most cases, a cache aware
# client will only revalidate the page after it expires (using the
@ -440,12 +448,6 @@ hr_ignore_keyword_subst = 1
#
hr_intraline = 0
# allow annotation of files.
allow_annotate = 1
# allow pretty-printed version of files
allow_markup = 1
# allow compression with gzip of output if the Browser accepts it
# (HTTP_ACCEPT_ENCODING=gzip)
# [make sure to have gzip in the path]
@ -529,12 +531,6 @@ source_highlight_line_numbers = 1
# use php to colorize .php and .inc files?
use_php = 0
#
# ViewVC can generate tarball from a repository on the fly.
#
allow_tar = 0
# allow_tar = 1
#
# Use CvsGraph. See http://www.akhphd.au.dk/~bertho/cvsgraph/ for
# documentation and download.