changeset 6093:cefd695e7572

merged Roger's changes
author Thomas Waldmann <tw AT waldmann-edv DOT de>
date Wed, 07 Sep 2016 03:05:27 +0200
parents 01e4a21a5d1d (diff) d811122349fb (current diff)
children 4716268c34e3
diffstat 4 files changed, 25 insertions(+), 4 deletions(-) [+]
--- a/MoinMoin/action/AttachFile.py	Mon Sep 05 20:42:50 2016 -0700
+++ b/MoinMoin/action/AttachFile.py	Wed Sep 07 03:05:27 2016 +0200
@@ -545,6 +545,7 @@
     _ = request.getText
     action = request.form.get('multifile')
     fnames = request.form.getlist('fn')
+    fails = []
     if action == 'rm':
         if not request.user.may.delete(pagename):
             return _('You are not allowed to delete attachments on this page.')
@@ -560,24 +561,34 @@
         if not request.user.may.write(dest_pagename):
             return _('You are not allowed to attach a file to this page.')
         for fn in fnames:
-            move_attachment(request, pagename, dest_pagename, fn, fn)
+            try:
+                move_attachment(request, pagename, dest_pagename, fn, fn)
+            except (DestPathExists, SamePath):
+                fails.append(fn)
         msg = _("Attachment '%(pagename)s/%(filename)s' moved to '%(new_pagename)s/%(new_filename)s'.") % dict(
                 pagename=pagename,
                 filename=u'{%s}' % ','.join(fnames),
                 new_pagename=dest_pagename,
                 new_filename=u'*')
+        if fails:
+            msg += " " + _("Failed: %s", ", ".join(fails))
         return upload_form(pagename, request, msg=msg)
     if action == 'cp':
         dest_pagename = request.form.get('multi_dest_pagename')
         if not request.user.may.write(dest_pagename):
             return _('You are not allowed to attach a file to this page.')
         for fn in fnames:
-            copy_attachment(request, pagename, dest_pagename, fn, fn)
+            try:
+                copy_attachment(request, pagename, dest_pagename, fn, fn)
+            except (DestPathExists, SamePath):
+                fails.append(fn)
         msg = _("Attachment '%(pagename)s/%(filename)s' copied to '%(new_pagename)s/%(new_filename)s'.") % dict(
                 pagename=pagename,
                 filename=u'{%s}' % ','.join(fnames),
                 new_pagename=dest_pagename,
                 new_filename=u'*')
+        if fails:
+            msg += " " + _("Failed: %s", ", ".join(fails))
         return upload_form(pagename, request, msg=msg)
     return u'unsupported multifile operation'
 
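Review bot: The new `_("Failed: %s", ", ".join(fails))` calls in both the `mv` and `cp` branches pass the joined names as a second positional argument to `request.getText`, while every other message in this hunk interpolates with `%` after translation; unless getText accepts positional format arguments (not visible here), this will not produce the intended text and may raise. I would write `msg += " " + _("Failed: %s") % ", ".join(fails)` in both places. The success message is still built from all of `fnames`, so a file that ended up in `fails` is reported as both moved/copied and failed; building it from the names that succeeded would avoid that. The names come from `request.form`, so it is worth confirming that `upload_form` escapes `msg` before rendering it. The enclosing function starts outside the hunk.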
--- a/MoinMoin/config/multiconfig.py	Mon Sep 05 20:42:50 2016 -0700
+++ b/MoinMoin/config/multiconfig.py	Wed Sep 07 03:05:27 2016 +0200
@@ -1169,6 +1169,7 @@
     ('search_results_per_page', 25, "Number of hits shown per page in the search results"),
 
     ('siteid', 'default', None),
+    ('xmlrpc_overwrite_user', True, "Overwrite authenticated user at start of xmlrpc code"),
   )),
 }
 
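Review bot: The help string for `xmlrpc_overwrite_user` does not tell an admin that this is a security-relevant switch: with `False`, xmlrpc requests keep whatever identity the normal auth chain established. I would spell that out, e.g. `"Overwrite authenticated user at start of xmlrpc code (False: xmlrpc requests run as the already-authenticated user; only disable with an auth setup you trust for xmlrpc)"`. The default of `True` keeps the previous behaviour, which is the safe choice.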
--- a/MoinMoin/xmlrpc/__init__.py	Mon Sep 05 20:42:50 2016 -0700
+++ b/MoinMoin/xmlrpc/__init__.py	Wed Sep 07 03:05:27 2016 +0200
@@ -132,7 +132,8 @@
             else:
                 # overwrite any user there might be, if you need a valid user for
                 # xmlrpc, you have to use multicall and getAuthToken / applyAuthToken
-                request.user = user.User(request, auth_method='xmlrpc:invalid')
+                if request.cfg.xmlrpc_overwrite_user:
+                    request.user = user.User(request, auth_method='xmlrpc:invalid')
 
                 data = request.read()
 
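Review bot: With `request.cfg.xmlrpc_overwrite_user` set to False, the guarded assignment keeps any user established before this point, not only one from GivenAuth. If cookie/session-based auth is also configured, xmlrpc calls would presumably run with the browser session's identity, which the unconditional overwrite used to rule out. The comment above the guard still says the user is always overwritten and should be updated, e.g. `# unless cfg.xmlrpc_overwrite_user is False, discard any already-authenticated user; token auth via multicall still works either way`. It may also be worth keeping the user only when `request.user.auth_method` is one the admin explicitly trusts for xmlrpc, and overwriting otherwise. The enclosing function starts and ends outside the hunk.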
--- a/docs/CHANGES	Mon Sep 05 20:42:50 2016 -0700
+++ b/docs/CHANGES	Wed Sep 07 03:05:27 2016 +0200
@@ -16,7 +16,7 @@
     editor_force = True
     editor_default = 'text'  # internal default, just for completeness
 
-Version 1.9.8:
+Version <not released yet>:
   SECURITY HINT: make sure you have allow_xslt = False (or just do not use
   allow_xslt at all in your wiki configs, False is the internal default).
   Allowing XSLT/4suite is very dangerous, see HelpOnConfiguration wiki page.
@@ -24,6 +24,14 @@
   HINT: Python >= 2.5 is maybe required! See docs/REQUIREMENTS for details.
 
   New features:
+  * cfg.xmlrpc_overwrite_user is a new setting to control whether the xmlrpc
+    code overwrites an already authenticated user before processing a request.
+    True (default): behaviour as in 1.9.8 and before
+    False: use this if you want to use GivenAuth (e.g. http basic auth) for
+           xmlrpc requests.
+
+Version 1.9.8:
+  New features:
   * cfg.recovery_token_lifetime to determine how long the password recovery
     token will be valid, default is 12 [h]. Check this setting to be adequate
     before doing (global) password resets, so your users have enough time to