2012-07-19 18:03:10 +02:00
|
|
|
<?php
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* @group phame
|
|
|
|
|
*/
|
2012-10-15 23:51:04 +02:00
|
|
|
final class PhameBlog extends PhameDAO
|
|
|
|
|
implements PhabricatorPolicyInterface, PhabricatorMarkupInterface {
|
|
|
|
|
|
|
|
|
|
const MARKUP_FIELD_DESCRIPTION = 'markup:description';
|
|
|
|
|
|
2012-10-17 17:36:48 +02:00
|
|
|
const SKIN_DEFAULT = 'oblivious';
|
2012-10-13 01:01:33 +02:00
|
|
|
|
2012-07-19 18:03:10 +02:00
|
|
|
protected $name;
|
|
|
|
|
protected $description;
|
2012-10-01 02:10:27 +02:00
|
|
|
protected $domain;
|
2012-07-19 18:03:10 +02:00
|
|
|
protected $configData;
|
|
|
|
|
protected $creatorPHID;
|
2012-10-15 23:49:52 +02:00
|
|
|
protected $viewPolicy;
|
|
|
|
|
protected $editPolicy;
|
|
|
|
|
protected $joinPolicy;
|
2012-10-13 01:01:33 +02:00
|
|
|
|
2013-09-03 15:02:14 +02:00
|
|
|
private $bloggerPHIDs = self::ATTACHABLE;
|
|
|
|
|
private $bloggers = self::ATTACHABLE;
|
2012-07-19 18:03:10 +02:00
|
|
|
|
2012-10-13 01:01:33 +02:00
|
|
|
static private $requestBlog;
|
|
|
|
|
|
2012-07-19 18:03:10 +02:00
|
|
|
public function getConfiguration() {
|
|
|
|
|
return array(
|
|
|
|
|
self::CONFIG_AUX_PHID => true,
|
|
|
|
|
self::CONFIG_SERIALIZATION => array(
|
|
|
|
|
'configData' => self::SERIALIZATION_JSON,
|
|
|
|
|
),
|
|
|
|
|
) + parent::getConfiguration();
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
public function generatePHID() {
|
|
|
|
|
return PhabricatorPHID::generateNewPHID(
|
2013-07-26 21:19:12 +02:00
|
|
|
PhabricatorPhamePHIDTypeBlog::TYPECONST);
|
2012-07-19 18:03:10 +02:00
|
|
|
}
|
|
|
|
|
|
Move skins toward modularization
Summary:
Two high-level things happening here:
- We no longer ever need to put meta-UI (content creation, editing, notices, etc.) on live blog views, since this is all in Phame now. I pulled this out.
- On the other hand, I pushed more routing/control logic into Skins and made the root skin a Controller instead of a View. This simplifies some of the code above skins, and the theory behind this is that it gives us greater flexibility to, e.g., put a glue layer between Phame and Wordpress templates or whatever else, and allows skins to handle routing and thus add pages like "About" or "Bio".
- I added a basic skin below the root skin which is more like the old root skin and has standard rendering hooks.
- "Ten Eleven" is a play on the popular (default?) Wordpress themes called "Twenty Ten", "Twenty Eleven" and "Twenty Twelve".
Test Plan: Viewed live blog and live posts. They aren't pretty, but they don't have extraneous resources.
Reviewers: btrahan
Reviewed By: btrahan
CC: aran
Maniphest Tasks: T1373
Differential Revision: https://secure.phabricator.com/D3714
2012-10-17 17:36:25 +02:00
|
|
|
public function getSkinRenderer(AphrontRequest $request) {
|
2012-10-17 17:36:48 +02:00
|
|
|
$spec = PhameSkinSpecification::loadOneSkinSpecification(
|
|
|
|
|
$this->getSkin());
|
|
|
|
|
|
|
|
|
|
if (!$spec) {
|
|
|
|
|
$spec = PhameSkinSpecification::loadOneSkinSpecification(
|
|
|
|
|
self::SKIN_DEFAULT);
|
2012-10-13 03:05:55 +02:00
|
|
|
}
|
2012-10-13 01:01:33 +02:00
|
|
|
|
2012-10-17 17:37:05 +02:00
|
|
|
if (!$spec) {
|
|
|
|
|
throw new Exception(
|
|
|
|
|
"This blog has an invalid skin, and the default skin failed to ".
|
|
|
|
|
"load.");
|
|
|
|
|
}
|
|
|
|
|
|
2012-10-17 17:36:48 +02:00
|
|
|
$skin = newv($spec->getSkinClass(), array($request));
|
|
|
|
|
$skin->setSpecification($spec);
|
|
|
|
|
|
2012-10-13 03:05:55 +02:00
|
|
|
return $skin;
|
2012-10-13 01:01:33 +02:00
|
|
|
}
|
|
|
|
|
|
2012-10-01 02:10:27 +02:00
|
|
|
/**
|
|
|
|
|
* Makes sure a given custom blog uri is properly configured in DNS
|
|
|
|
|
* to point at this Phabricator instance. If there is an error in
|
|
|
|
|
* the configuration, return a string describing the error and how
|
|
|
|
|
* to fix it. If there is no error, return an empty string.
|
|
|
|
|
*
|
|
|
|
|
* @return string
|
|
|
|
|
*/
|
|
|
|
|
public function validateCustomDomain($custom_domain) {
|
2014-03-11 23:53:15 +01:00
|
|
|
$example_domain = 'blog.example.com';
|
2012-10-01 02:10:27 +02:00
|
|
|
|
|
|
|
|
// note this "uri" should be pretty busted given the desired input
|
|
|
|
|
// so just use it to test if there's a protocol specified
|
|
|
|
|
$uri = new PhutilURI($custom_domain);
|
|
|
|
|
if ($uri->getProtocol()) {
|
2014-03-11 23:53:15 +01:00
|
|
|
return pht(
|
|
|
|
|
'The custom domain should not include a protocol. Just provide '.
|
|
|
|
|
'the bare domain name (for example, "%s").',
|
|
|
|
|
$example_domain);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if ($uri->getPort()) {
|
|
|
|
|
return pht(
|
|
|
|
|
'The custom domain should not include a port number. Just provide '.
|
|
|
|
|
'the bare domain name (for example, "%s").',
|
|
|
|
|
$example_domain);
|
2012-10-01 02:10:27 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (strpos($custom_domain, '/') !== false) {
|
2014-03-11 23:53:15 +01:00
|
|
|
return pht(
|
|
|
|
|
'The custom domain should not specify a path (hosting a Phame '.
|
|
|
|
|
'blog at a path is currently not supported). Instead, just provide '.
|
|
|
|
|
'the bare domain name (for example, "%s").',
|
|
|
|
|
$example_domain);
|
2012-10-01 02:10:27 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (strpos($custom_domain, '.') === false) {
|
2014-03-11 23:53:15 +01:00
|
|
|
return pht(
|
|
|
|
|
'The custom domain should contain at least one dot (.) because '.
|
|
|
|
|
'some browsers fail to set cookies on domains without a dot. Instead, '.
|
|
|
|
|
'use a normal looking domain name like "%s".',
|
|
|
|
|
$example_domain);
|
2012-10-01 02:10:27 +02:00
|
|
|
}
|
|
|
|
|
|
2014-03-11 23:53:15 +01:00
|
|
|
return null;
|
2012-10-01 02:10:27 +02:00
|
|
|
}
|
|
|
|
|
|
2012-07-19 18:03:10 +02:00
|
|
|
public function getBloggerPHIDs() {
|
2013-09-03 15:02:14 +02:00
|
|
|
return $this->assertAttached($this->bloggerPHIDs);
|
2012-07-19 18:03:10 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
public function attachBloggers(array $bloggers) {
|
|
|
|
|
assert_instances_of($bloggers, 'PhabricatorObjectHandle');
|
|
|
|
|
|
|
|
|
|
$this->bloggers = $bloggers;
|
|
|
|
|
|
|
|
|
|
return $this;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
public function getBloggers() {
|
2013-09-03 15:02:14 +02:00
|
|
|
return $this->assertAttached($this->bloggers);
|
2012-07-19 18:03:10 +02:00
|
|
|
}
|
|
|
|
|
|
2012-10-13 01:01:33 +02:00
|
|
|
public function getSkin() {
|
|
|
|
|
$config = coalesce($this->getConfigData(), array());
|
|
|
|
|
return idx($config, 'skin', self::SKIN_DEFAULT);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
public function setSkin($skin) {
|
|
|
|
|
$config = coalesce($this->getConfigData(), array());
|
|
|
|
|
$config['skin'] = $skin;
|
|
|
|
|
return $this->setConfigData($config);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static public function getSkinOptionsForSelect() {
|
|
|
|
|
$classes = id(new PhutilSymbolLoader())
|
|
|
|
|
->setAncestorClass('PhameBlogSkin')
|
|
|
|
|
->setType('class')
|
|
|
|
|
->setConcreteOnly(true)
|
|
|
|
|
->selectSymbolsWithoutLoading();
|
|
|
|
|
|
|
|
|
|
return ipull($classes, 'name', 'name');
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
public static function setRequestBlog(PhameBlog $blog) {
|
|
|
|
|
self::$requestBlog = $blog;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
public static function getRequestBlog() {
|
|
|
|
|
return self::$requestBlog;
|
|
|
|
|
}
|
2012-10-15 23:49:52 +02:00
|
|
|
|
Don't 302 to an external URI, even after CSRF POST
Summary:
Via HackerOne. This defuses an attack which allows users to steal OAuth tokens through a clever sequence of steps:
- The attacker begins the OAuth workflow and copies the Facebook URL.
- The attacker mutates the URL to use the JS/anchor workflow, and to redirect to `/phame/live/X/` instead of `/login/facebook:facebook.com/`, where `X` is the ID of some blog they control. Facebook isn't strict about paths, so this is allowed.
- The blog has an external domain set (`blog.evil.com`), and the attacker controls that domain.
- The user gets stopped on the "live" controller with credentials in the page anchor (`#access_token=...`) and a message ("This blog has moved...") in a dialog. They click "Continue", which POSTs a CSRF token.
- When a user POSTs a `<form />` with no `action` attribute, the browser retains the page anchor. So visiting `/phame/live/8/#anchor` and clicking the "Continue" button POSTs you to a page with `#anchor` intact.
- Some browsers (including Firefox and Chrome) retain the anchor after a 302 redirect.
- The OAuth credentials are thus preserved when the user reaches `blog.evil.com`, and the attacker's site can read them.
This 302'ing after CSRF post is unusual in Phabricator and unique to Phame. It's not necessary -- instead, just use normal links, which drop anchors.
I'm going to pursue further steps to mitigate this class of attack more thoroughly:
- Ideally, we should render forms with an explicit `action` attribute, but this might be a lot of work. I might render them with `#` if no action is provided. We never expect anchors to survive POST, and it's surprising to me that they do.
- I'm going to blacklist OAuth parameters (like `access_token`) from appearing in GET on all pages except whitelisted pages (login pages). Although it's not important here, I think these could be captured from referrers in some cases. See also T4342.
Test Plan: Browsed all the affected Phame interfaces.
Reviewers: btrahan
Reviewed By: btrahan
CC: aran, arice
Differential Revision: https://secure.phabricator.com/D8481
2014-03-11 00:21:07 +01:00
|
|
|
public function getLiveURI(PhamePost $post = null) {
|
|
|
|
|
if ($this->getDomain()) {
|
|
|
|
|
$base = new PhutilURI('http://'.$this->getDomain().'/');
|
|
|
|
|
} else {
|
|
|
|
|
$base = '/phame/live/'.$this->getID().'/';
|
|
|
|
|
$base = PhabricatorEnv::getURI($base);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if ($post) {
|
|
|
|
|
$base .= '/post/'.$post->getPhameTitle();
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return $base;
|
|
|
|
|
}
|
|
|
|
|
|
2012-10-15 23:49:52 +02:00
|
|
|
|
|
|
|
|
/* -( PhabricatorPolicyInterface Implementation )-------------------------- */
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
public function getCapabilities() {
|
|
|
|
|
return array(
|
|
|
|
|
PhabricatorPolicyCapability::CAN_VIEW,
|
|
|
|
|
PhabricatorPolicyCapability::CAN_EDIT,
|
|
|
|
|
PhabricatorPolicyCapability::CAN_JOIN,
|
|
|
|
|
);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
public function getPolicy($capability) {
|
|
|
|
|
switch ($capability) {
|
|
|
|
|
case PhabricatorPolicyCapability::CAN_VIEW:
|
|
|
|
|
return $this->getViewPolicy();
|
|
|
|
|
case PhabricatorPolicyCapability::CAN_EDIT:
|
|
|
|
|
return $this->getEditPolicy();
|
|
|
|
|
case PhabricatorPolicyCapability::CAN_JOIN:
|
|
|
|
|
return $this->getJoinPolicy();
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
public function hasAutomaticCapability($capability, PhabricatorUser $user) {
|
|
|
|
|
$can_edit = PhabricatorPolicyCapability::CAN_EDIT;
|
|
|
|
|
$can_join = PhabricatorPolicyCapability::CAN_JOIN;
|
|
|
|
|
|
|
|
|
|
switch ($capability) {
|
|
|
|
|
case PhabricatorPolicyCapability::CAN_VIEW:
|
|
|
|
|
// Users who can edit or post to a blog can always view it.
|
|
|
|
|
if (PhabricatorPolicyFilter::hasCapability($user, $this, $can_edit)) {
|
|
|
|
|
return true;
|
|
|
|
|
}
|
|
|
|
|
if (PhabricatorPolicyFilter::hasCapability($user, $this, $can_join)) {
|
|
|
|
|
return true;
|
|
|
|
|
}
|
|
|
|
|
break;
|
|
|
|
|
case PhabricatorPolicyCapability::CAN_JOIN:
|
|
|
|
|
// Users who can edit a blog can always post to it.
|
|
|
|
|
if (PhabricatorPolicyFilter::hasCapability($user, $this, $can_edit)) {
|
|
|
|
|
return true;
|
|
|
|
|
}
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
|
2012-10-15 23:51:04 +02:00
|
|
|
|
2013-09-27 17:43:41 +02:00
|
|
|
public function describeAutomaticCapability($capability) {
|
|
|
|
|
switch ($capability) {
|
|
|
|
|
case PhabricatorPolicyCapability::CAN_VIEW:
|
|
|
|
|
return pht(
|
|
|
|
|
'Users who can edit or post on a blog can always view it.');
|
|
|
|
|
case PhabricatorPolicyCapability::CAN_JOIN:
|
|
|
|
|
return pht(
|
|
|
|
|
'Users who can edit a blog can always post on it.');
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return null;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
2012-10-15 23:51:04 +02:00
|
|
|
/* -( PhabricatorMarkupInterface Implementation )-------------------------- */
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
public function getMarkupFieldKey($field) {
|
|
|
|
|
$hash = PhabricatorHash::digest($this->getMarkupText($field));
|
|
|
|
|
return $this->getPHID().':'.$field.':'.$hash;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
public function newMarkupEngine($field) {
|
|
|
|
|
return PhabricatorMarkupEngine::newPhameMarkupEngine();
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
public function getMarkupText($field) {
|
|
|
|
|
return $this->getDescription();
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
public function didMarkupText(
|
|
|
|
|
$field,
|
|
|
|
|
$output,
|
|
|
|
|
PhutilMarkupEngine $engine) {
|
|
|
|
|
return $output;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
public function shouldUseMarkupCache($field) {
|
|
|
|
|
return (bool)$this->getPHID();
|
|
|
|
|
}
|
|
|
|
|
|
2012-07-19 18:03:10 +02:00
|
|
|
}
|
