From a9000ea21cb412b7b550b47e05b3b270ff5def05 Mon Sep 17 00:00:00 2001
From: Bob Trahan <bob.trahan@gmail.com>
Date: Sun, 20 May 2012 08:54:25 -0700
Subject: [PATCH] Phriction - lock down /project/ wiki docs

Summary:
only show the blank, "create new" wiki page for the project if the project actually exists; only allow edit if the project actually exists.
Small wrinkle here is not checking if the project actually exists if the page already exists.

Test Plan:
- viewed a project wiki page
- viewed a prokect wiki page for a fake project and got a 404
- edited a project wiki page
- edited a project wiki page for a fake project and got a 404

Reviewers: epriestley, jacktrades

Reviewed By: epriestley

CC: aran, Koolvin

Maniphest Tasks: T1248

Differential Revision: https://secure.phabricator.com/D2506
---
 .../document/PhrictionDocumentController.php  | 40 ++++++++++++-------
 .../edit/PhrictionEditController.php          |  8 ++++
 .../phriction/controller/edit/__init__.php    |  1 +
 3 files changed, 35 insertions(+), 14 deletions(-)

diff --git a/src/applications/phriction/controller/document/PhrictionDocumentController.php b/src/applications/phriction/controller/document/PhrictionDocumentController.php
index 3da625f360..1a99de9cb2 100644
--- a/src/applications/phriction/controller/document/PhrictionDocumentController.php
+++ b/src/applications/phriction/controller/document/PhrictionDocumentController.php
@@ -50,21 +50,25 @@ final class PhrictionDocumentController
     $version_note = null;
 
     if (!$document) {
-      $create_uri = '/phriction/edit/?slug='.$slug;
 
-      $page_content =
-        '<div class="phriction-content">'.
-          '<em>No content here!</em><br />'.
-          'No document found at <tt>'.phutil_escape_html($slug).'</tt>. '.
-          'You can <strong>'.
-          phutil_render_tag(
-            'a',
-            array(
-              'href' => $create_uri,
-            ),
-            'create a new document').'</strong>.'.
-        '</div>';
-      $page_title = 'Page Not Found';
+      if (PhrictionDocument::isProjectSlug($slug)) {
+        $project = id(new PhabricatorProject())->loadOneWhere(
+          'phrictionSlug = %s',
+          PhrictionDocument::getProjectSlugIdentifier($slug));
+        if (!$project) {
+          return new Aphront404Response();
+        }
+      }
+      $create_uri = '/phriction/edit/?slug='.$slug;
+      $create_sentence =
+        'You can <strong>'.
+        phutil_render_tag(
+          'a',
+          array(
+            'href' => $create_uri,
+          ),
+          'create a new document').
+          '</strong>.';
       $button = phutil_render_tag(
         'a',
         array(
@@ -72,6 +76,14 @@ final class PhrictionDocumentController
           'class' => 'green button',
         ),
         'Create Page');
+
+      $page_content =
+        '<div class="phriction-content">'.
+          '<em>No content here!</em><br />'.
+          'No document found at <tt>'.phutil_escape_html($slug).'</tt>. '.
+          $create_sentence.
+        '</div>';
+      $page_title = 'Page Not Found';
       $buttons = $button;
     } else {
       $version = $request->getInt('v');
diff --git a/src/applications/phriction/controller/edit/PhrictionEditController.php b/src/applications/phriction/controller/edit/PhrictionEditController.php
index fafd42bb8c..d896169b0a 100644
--- a/src/applications/phriction/controller/edit/PhrictionEditController.php
+++ b/src/applications/phriction/controller/edit/PhrictionEditController.php
@@ -66,6 +66,14 @@ final class PhrictionEditController
       if ($document) {
         $content = id(new PhrictionContent())->load($document->getContentID());
       } else {
+        if (PhrictionDocument::isProjectSlug($slug)) {
+          $project = id(new PhabricatorProject())->loadOneWhere(
+            'phrictionSlug = %s',
+            PhrictionDocument::getProjectSlugIdentifier($slug));
+          if (!$project) {
+            return new Aphront404Response();
+          }
+        }
         $document = new PhrictionDocument();
         $document->setSlug($slug);
 
diff --git a/src/applications/phriction/controller/edit/__init__.php b/src/applications/phriction/controller/edit/__init__.php
index ba786145d3..11224e2536 100644
--- a/src/applications/phriction/controller/edit/__init__.php
+++ b/src/applications/phriction/controller/edit/__init__.php
@@ -13,6 +13,7 @@ phutil_require_module('phabricator', 'applications/phriction/controller/base');
 phutil_require_module('phabricator', 'applications/phriction/editor/document');
 phutil_require_module('phabricator', 'applications/phriction/storage/content');
 phutil_require_module('phabricator', 'applications/phriction/storage/document');
+phutil_require_module('phabricator', 'applications/project/storage/project');
 phutil_require_module('phabricator', 'infrastructure/celerity/api');
 phutil_require_module('phabricator', 'infrastructure/env');
 phutil_require_module('phabricator', 'infrastructure/javelin/api');