authorMatthias Andreas Benkard <code@mail.matthias.benkard.de>2011-03-13 22:31:47 +0100
committerMatthias Andreas Benkard <code@mail.matthias.benkard.de>2011-03-13 22:31:47 +0100
commitde9195521b841984df547f7b85e5cb42351683d2 (patch)
tree4e61a3365894443902d2c1f5b44b59d1e43cd818
parent5165d815f44a7c5264d347f55d86d28da68d41b1 (diff)
Require authorization to edit articles.
-rw-r--r--mulkcms.lisp130
1 files changed, 79 insertions, 51 deletions
diff --git a/mulkcms.lisp b/mulkcms.lisp
index 12b3d14..b5083b3 100644
--- a/mulkcms.lisp
+++ b/mulkcms.lisp
@@ -397,6 +397,33 @@
:head head
:body body))))
+(defmacro with-authorization ((user-id-var &rest options) &body body)
+ `(call-with-authorization (lambda (,user-id-var) ,@body)
+ ,@options))
+
+(defun call-with-authorization (thunk &key require)
+ (multiple-value-bind (user-name password)
+ (hunchentoot:authorization)
+ (with-db
+ (let ((user-id (query (format nil
+ "SELECT id
+ FROM users u
+ JOIN passwords p ON u.id = p.user
+ WHERE p.password = $2
+ AND u.name = $1
+ AND ~A"
+ (ecase require
+ ((nil) "true")
+ ((:admin) "u.status = 'admin'")
+ ((:trusted) "u.status IN ('trusted', 'admin')")
+ ((:approved) "u.status IN ('approved', 'trusted', 'admin')")))
+ user-name
+ password
+ :single)))
+ (if user-id
+ (funcall thunk user-id)
+ (hunchentoot:require-authorization "MulkCMS"))))))
+
(defun find-article-request-handler (path params &optional action characteristics)
(with-db
(when-let ((article (query "SELECT article FROM article_aliases
@@ -406,65 +433,66 @@
(ecase action
(:edit
(lambda ()
- (with-db
- (with-transaction ()
- (let* ((revision (if (assoc "save" params :test #'equal)
- (query "INSERT INTO article_revisions(article, title, content, author, format, status)
+ (with-authorization (user-id :require :admin)
+ (with-db
+ (with-transaction ()
+ (let* ((revision (if (assoc "save" params :test #'equal)
+ (query "INSERT INTO article_revisions(article, title, content, author, format, status)
VALUES ($1, $2, $3, $4, $5, $6)
RETURNING *"
- article
- (cdr (assoc "title" params :test #'equal))
- (cdr (assoc "content" params :test #'equal))
- 1 ;FIXME
- "html"
- (if (hunchentoot:post-parameter "publish-p")
- "syndicated"
- "draft")
- :row)
- (query "SELECT * FROM article_revisions
+ article
+ (cdr (assoc "title" params :test #'equal))
+ (cdr (assoc "content" params :test #'equal))
+ user-id
+ "html"
+ (if (hunchentoot:post-parameter "publish-p")
+ "syndicated"
+ "draft")
+ :row)
+ (query "SELECT * FROM article_revisions
WHERE id = $1
AND article = $2"
- (parse-integer
- (cdr (assoc "revision"
- params
- :test #'equal)))
- article
- :row)))
- (article-params (paramify-article revision))
- (editor-template (template "edit_page")))
- (assert (not (null revision)))
- (when (assoc "save" params :test #'equal)
- (print (parse-integer (cdr (assoc "revision"
- params
- :test #'equal))))
- (query "INSERT INTO article_revision_parenthood(parent, child)
+ (parse-integer
+ (cdr (assoc "revision"
+ params
+ :test #'equal)))
+ article
+ :row)))
+ (article-params (paramify-article revision))
+ (editor-template (template "edit_page")))
+ (assert (not (null revision)))
+ (when (assoc "save" params :test #'equal)
+ (print (parse-integer (cdr (assoc "revision"
+ params
+ :test #'equal))))
+ (query "INSERT INTO article_revision_parenthood(parent, child)
VALUES ($1, $2)"
- (parse-integer (cdr (assoc "revision"
- params
- :test #'equal)))
- (first revision)
- :none)
- (query "INSERT INTO article_revision_characteristics(revision, characteristic, value)
+ (parse-integer (cdr (assoc "revision"
+ params
+ :test #'equal)))
+ (first revision)
+ :none)
+ (query "INSERT INTO article_revision_characteristics(revision, characteristic, value)
SELECT $2, characteristic, value
FROM article_revision_characteristics
WHERE revision = $1"
- (parse-integer (cdr (assoc "revision"
- params
- :test #'equal)))
- (first revision)
- :none))
- (expand-page editor-template
- (getf article-params :title)
- (list :article article-params
- :title (getf article-params :title)
- :root *base-uri*
- :site-name *site-name*
- :site-subtitle ""
- :link (link-to :edit :article-id article)
- :save-button-label "Save"
- :publish-flag-label "Publish"
- :title-label "Title"
- :content-label "Content")))))))
+ (parse-integer (cdr (assoc "revision"
+ params
+ :test #'equal)))
+ (first revision)
+ :none))
+ (expand-page editor-template
+ (getf article-params :title)
+ (list :article article-params
+ :title (getf article-params :title)
+ :root *base-uri*
+ :site-name *site-name*
+ :site-subtitle ""
+ :link (link-to :edit :article-id article)
+ :save-button-label "Save"
+ :publish-flag-label "Publish"
+ :title-label "Title"
+ :content-label "Content"))))))))
(:view
(lambda ()
(with-db
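Review bot: call-with-authorization in the first hunk matches the Basic-auth password directly in SQL (`WHERE p.password = $2`, bound to the raw `password` from `hunchentoot:authorization`), so the passwords table is being compared as cleartext and a database read or backup exposes every admin credential; the query should instead select the user id together with the stored salted hash for `u.name = $1` (keeping the `~A` status predicate), and the Lisp side should verify the supplied password against that hash with a constant-time comparison before calling the thunk. Because Basic auth resends the credential on every request, this also presumes the deployment terminates TLS in front of Hunchentoot, which is not visible here and worth stating in a comment on the macro, e.g. `;; Credentials arrive via HTTP Basic auth: only sound behind TLS.`. Separately, the new side of the second hunk still carries the debugging `(print (parse-integer (cdr (assoc "revision" params :test #'equal))))` in the save branch, which writes the parent revision id to standard output on every save and can simply be dropped since the same expression is evaluated again two lines below. The `with-db` opened inside call-with-authorization is nested inside the handler's own `with-db` in the :edit lambda; if with-db does not nest cheaply, the inner one in the handler is redundant once authorization has already opened a connection, though that depends on with-db's definition, which is outside this diff.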