diff --git a/action/ajax.php b/action/ajax.php
--- a/action/ajax.php
+++ b/action/ajax.php
@@ -1,172 +1,178 @@ hlp =& plugin_load('helper','davcal'); } function register(Doku_Event_Handler $controller) { $controller->register_hook('AJAX_CALL_UNKNOWN', 'BEFORE', $this, 'handle_ajax_call_unknown'); } function handle_ajax_call_unknown(&$event, $param) { if($event->data != 'plugin_davcal') return; $event->preventDefault(); $event->stopPropagation(); global $INPUT; $action = trim($INPUT->post->str('action')); $id = trim($INPUT->post->str('id')); $page = trim($INPUT->post->str('page')); $params = $INPUT->post->arr('params'); if(isset($_SERVER['REMOTE_USER']) && !is_null($_SERVER['REMOTE_USER'])) $user = $_SERVER['REMOTE_USER']; else $user = null; $write = false; $multi = false; + if(!checkSecurityToken()) + { + echo "CSRF Attack."; + return; + } + $data = array(); $data['result'] = false; $data['html'] = $this->getLang('unknown_error'); // Check if we have access to the calendar ($id is given by parameters, // that's not necessarily the page we come from) $acl = auth_quickaclcheck($id); if($acl > AUTH_READ) { $write = true; } elseif($acl < AUTH_READ) { $data['result'] = false; $data['html'] = $this->getLang('no_permission'); // Set to an invalid action in order to just return the result $action = 'invalid'; } // Retrieve the calendar pages based on the meta data $calendarPages = $this->hlp->getCalendarPagesByMeta($page); if($calendarPages === false) { $calendarPages = array($page => null); } if(count($calendarPages) > 1) $multi = true; // Parse the requested action switch($action) { // Add a new Event case 'newEvent': if($write) { $data['result'] = true; $data['html'] = $this->getLang('event_added'); $this->hlp->addCalendarEntryToCalendarForPage($id, $user, $params); } else { $data['result'] = false; $data['html'] = $this->getLang('no_permission'); } break; // Retrieve existing Events case 'getEvents': $startDate = $INPUT->post->str('start'); $endDate = $INPUT->post->str('end'); $timezone = $INPUT->post->str('timezone'); $data = array(); foreach($calendarPages 
as $calPage => $color) { $data = array_merge($data, $this->hlp->getEventsWithinDateRange($calPage, $user, $startDate, $endDate, $timezone, $color)); } break; // Edit an event case 'editEvent': if($write) { $data['result'] = true; $data['html'] = $this->getLang('event_edited'); $this->hlp->editCalendarEntryForPage($id, $user, $params); } else { $data['result'] = false; $data['html'] = $this->getLang('no_permission'); } break; // Delete an Event case 'deleteEvent': if($write) { $data['result'] = true; $data['html'] = $this->getLang('event_deleted'); $this->hlp->deleteCalendarEntryForPage($id, $params); } else { $data['result'] = false; $data['html'] = $this->getLang('no_permission'); } break; // Get personal settings case 'getSettings': $data['result'] = true; $data['settings'] = $this->hlp->getPersonalSettings($user); $data['settings']['multi'] = $multi; $data['settings']['calids'] = $this->hlp->getCalendarMapForIDs($calendarPages); $data['settings']['readonly'] = !$write; $data['settings']['syncurl'] = $this->hlp->getSyncUrlForPage($page, $user); $data['settings']['privateurl'] = $this->hlp->getPrivateURLForPage($page); $data['settings']['principalurl'] = $this->hlp->getPrincipalUrlForUser($user); $data['settings']['meta'] = $this->hlp->getCalendarMetaForPage($page); break; // Save personal settings case 'saveSettings': $settings = array(); $settings['weeknumbers'] = $params['weeknumbers']; $settings['timezone'] = $params['timezone']; $settings['workweek'] = $params['workweek']; $settings['monday'] = $params['monday']; $settings['timeformat'] = $params['timeformat']; if($this->hlp->savePersonalSettings($settings, $user)) { $data['result'] = true; $data['html'] = $this->getLang('settings_saved'); } else { $data['result'] = false; $data['html'] = $this->getLang('error_saving'); } break; } // If we are still here, JSON output is requested //json library of DokuWiki require_once DOKU_INC . 
'inc/JSON.php'; $json = new JSON(); //set content type header('Content-Type: application/json'); echo $json->encode($data); } }
diff --git a/action/jsinfo.php b/action/jsinfo.php
--- a/action/jsinfo.php
+++ b/action/jsinfo.php
@@ -1,53 +1,54 @@ register_hook('DOKUWIKI_STARTED', 'AFTER', $this, 'add_jsinfo_information'); } /** * Add the language variable to the JSINFO variable */ function add_jsinfo_information(&$event, $param) { global $conf; global $JSINFO; $lang = $conf['lang']; switch($lang) { case 'de': case 'de-informal': $lc = 'de'; break; case 'nl': $lc = 'nl'; break; case 'fr': $lc = 'fr'; break; default: $lc = 'en'; } + $JSINFO['plugin']['davcal']['sectok'] = getSecurityToken(); $JSINFO['plugin']['davcal']['language'] = $lc; if(isset($_SERVER['REMOTE_USER']) && !is_null($_SERVER['REMOTE_USER'])) { $JSINFO['plugin']['davcal']['disable_sync'] = $this->getConf('disable_sync'); $JSINFO['plugin']['davcal']['disable_settings'] = $this->getConf('hide_settings'); } else { $JSINFO['plugin']['davcal']['disable_settings'] = 1; $JSINFO['plugin']['davcal']['disable_sync'] = 1; } $JSINFO['plugin']['davcal']['disable_ics'] = $this->getConf('disable_ics'); } }
diff --git a/plugin.info.txt b/plugin.info.txt
--- a/plugin.info.txt
+++ b/plugin.info.txt
@@ -1,7 +1,7 @@ base davcal author Andreas Boehler email dev@aboehler.at -date 2016-05-03 +date 2016-05-06 name Calendar PlugIn with CalDAV sharing support desc Create one calendar per page and share/subscribe via CalDAV url http://www.dokuwiki.org/plugin:davcal
diff --git a/script.js b/script.js
--- a/script.js
+++ b/script.js
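Review bot: The new token check answers a missing or stale `sectok` with plain text (`echo "CSRF Attack."`) and returns before the `Content-Type: application/json` header and the JSON encoder at the end of `handle_ajax_call_unknown`, while every other outcome of this function is reported as a `{result, html}` object; the callbacks in script.js read `data['result']` and `data['html']`, so a rejected token fails with no visible message, and in the common case the recipient is a legitimate visitor whose session token changed rather than an attacker. I would move the check below the `$data` initialisation and take the path the ACL branch already uses: `$data['result'] = false; $data['html'] = $this->getLang('no_permission'); // TODO: dedicated lang key` followed by `$action = 'invalid';`, so the failure travels through the normal JSON response. If I recall correctly, DokuWiki's `checkSecurityToken()` also queues a `msg()` that an AJAX response never renders, which is one more reason to carry the text in `$data['html']`. The placement itself is right: the check runs before `auth_quickaclcheck()` and before any of the write actions are reached.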
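Review bot: The added `sectok` export needs a comment stating its contract, because nothing in `add_jsinfo_information` says why a CSRF token is published into the page-wide `$JSINFO` array: `// CSRF token for the plugin's AJAX requests; action/ajax.php rejects any call that does not POST it as 'sectok'`. The docblock above the function (`Add the language variable to the JSINFO variable`) no longer describes what it does and could read `Export the language code, the CSRF token and the feature flags to JSINFO`. The token is emitted on every page load, including for anonymous visitors, which matches the AJAX endpoint being reachable without login; that is acceptable as long as the token stays bound to the visitor's session, which I believe `getSecurityToken()` guarantees, but it is worth stating in the comment so nobody later caches this output.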
@@ -1,816 +1,822 @@ /* DOKUWIKI:include_once fullcalendar-2.4.0/moment.js */ /* DOKUWIKI:include_once fullcalendar-2.4.0/fullcalendar.js */ /* DOKUWIKI:include_once fullcalendar-2.4.0/lang/de.js */ /* DOKUWIKI:include_once fullcalendar-2.4.0/lang/en.js */ /* DOKUWIKI:include_once fullcalendar-2.4.0/lang/fr.js */ /* DOKUWIKI:include_once fullcalendar-2.4.0/lang/nl.js */ /* DOKUWIKI:include_once datetimepicker-2.4.5/jquery.datetimepicker.js */ /* DOKUWIKI:include_once jstz.js */ /** * Initialize the DAVCal script, attaching some event handlers and triggering * the initial load of the fullcalendar JS */ jQuery(function() { // Redefine functions for using moment.js with datetimepicker Date.parseDate = function( input, format ){ return moment(input,format).toDate(); }; Date.prototype.dateFormat = function( format ){ return moment(this).format(format); }; // Attach to event links var calendarpage = jQuery('#fullCalendar').data('calendarpage'); if(!calendarpage) return; dw_davcal__modals.page = calendarpage; jQuery('div.fullCalendarSettings a').each(function() { var $link = jQuery(this); var href = $link.attr('href'); if (!href) return; $link.click( function(e) { dw_davcal__modals.showSettingsDialog(); e.preventDefault(); return ''; } ); } ); // First, retrieve the current settings. // Upon success, initialize fullcalendar. 
var postArray = { }; jQuery.post( DOKU_BASE + 'lib/exe/ajax.php', { call: 'plugin_davcal', id: dw_davcal__modals.page, page: dw_davcal__modals.page, action: 'getSettings', - params: postArray + params: postArray, + sectok: JSINFO.plugin.davcal['sectok'] }, function(data) { var result = data['result']; if(result === true) { dw_davcal__modals.settings = data['settings']; var tz = false; if(data['settings']['timezone'] !== '') tz = data['settings']['timezone']; // Force-overwrite thhe timezone setting if requested if(data['settings']['meta']['forcetimezone'] !== 'no') tz = data['settings']['meta']['forcetimezone']; var fcOptions = { dayClick: function(date, jsEvent, view) { dw_davcal__modals.showEditEventDialog(date, false); }, eventClick: function(calEvent, jsEvent, view) { dw_davcal__modals.showEditEventDialog(calEvent, true); }, events: { url: DOKU_BASE + 'lib/exe/ajax.php', type: 'POST', data: { call: 'plugin_davcal', action: 'getEvents', id: dw_davcal__modals.page, - page: dw_davcal__modals.page + page: dw_davcal__modals.page, + sectok: JSINFO.plugin.davcal['sectok'] }, error: function() { dw_davcal__modals.msg = LANG.plugins.davcal['error_retrieving_data']; dw_davcal__modals.showDialog(false); } }, header: { left: 'title', center: 'today prev,next', right: 'month,agendaWeek,agendaDay' }, lang: JSINFO.plugin.davcal['language'], weekNumbers: (data['settings']['weeknumbers'] == 1) ? true : false, timezone: tz, weekends: (data['settings']['workweek'] == 1) ? false : true, firstDay: (data['settings']['monday'] == 1) ? 
1 : 0, defaultView: data['settings']['meta']['view'] }; var timeformat = data['settings']['timeformat']; // Force-overwrite the user's timezone setting if requested by the calendar if(data['settings']['meta']['forcetimeformat'] !== 'no') timeformat = data['settings']['meta']['forcetimeformat']; if(timeformat !== 'lang') { // If the time format is language-based, we don't need to pass // the timeFormat option to fullCalendar if(timeformat == '24h') { fcOptions.timeFormat = 'H:mm'; } if(timeformat == '12h') { fcOptions.timeFormat = 'h:mmt'; } } var detectedTz = jstz.determine().name(); dw_davcal__modals.detectedTz = detectedTz; // The current TZ value holds either the uers's selection or // the force timezone value dw_davcal__modals.currentTz = (tz === false) ? '' : tz; // Initialize the davcal popup var res = jQuery('#fullCalendar').fullCalendar(fcOptions); } } ); }); /** * This holds all modal windows that DAVCal uses. */ var dw_davcal__modals = { $editEventDialog: null, $dialog: null, $settingsDialog: null, $inputDialog: null, msg: null, completeCb: null, action: null, uid: null, settings: null, page: null, detectedTz: null, currentTz: null, /** * Show the settings dialog */ // FIXME: Hide URLs for multi-calendar showSettingsDialog : function() { if(dw_davcal__modals.$settingsDialog) return; // Dialog buttons are language-dependent and defined here. // Attach event handlers for save and cancel. var dialogButtons = {}; if(!JSINFO.plugin.davcal['disable_settings']) { dialogButtons[LANG.plugins.davcal['save']] = function() { var postArray = { }; jQuery("input[class=dw_davcal__settings], select[class=dw_davcal__settings]").each(function() { if(jQuery(this).attr('type') == 'checkbox') { postArray[jQuery(this).prop('name')] = jQuery(this).prop('checked') ? 
1 : 0; } else { postArray[jQuery(this).prop('name')] = jQuery(this).val(); } }); jQuery('#dw_davcal__ajaxsettings').html(''); jQuery.post( DOKU_BASE + 'lib/exe/ajax.php', { call: 'plugin_davcal', id: dw_davcal__modals.page, page: dw_davcal__modals.page, action: 'saveSettings', - params: postArray + params: postArray, + sectok: JSINFO.plugin.davcal['sectok'] }, function(data) { var result = data['result']; var html = data['html']; jQuery('#dw_davcal__ajaxsettings').html(html); if(result === true) { location.reload(); } } ); }; } dialogButtons[LANG.plugins.davcal['cancel']] = function () { dw_davcal__modals.hideSettingsDialog(); }; var settingsHtml = '
'; if(JSINFO.plugin.davcal['disable_settings'] && JSINFO.plugin.davcal['disable_sync'] && JSINFO.plugin.davcal['disable_ics']) { settingsHtml += LANG.plugins.davcal['nothing_to_show']; } if(!JSINFO.plugin.davcal['disable_settings']) { settingsHtml += '' + '' + '' + '' + ''; } if(!JSINFO.plugin.davcal['disable_sync']) { settingsHtml += ''; settingsHtml += ''; } if(!JSINFO.plugin.davcal['disable_ics']) { settingsHtml += ''; } settingsHtml += '
' + LANG.plugins.davcal['timezone'] + '
' + LANG.plugins.davcal['timeformat'] + '
' + LANG.plugins.davcal['weeknumbers'] + '
' + LANG.plugins.davcal['only_workweek'] + '
' + LANG.plugins.davcal['start_monday'] + '
' + LANG.plugins.davcal['sync_url'] + '
' + LANG.plugins.davcal['sync_ical'] + '
' + LANG.plugins.davcal['private_url'] + '
' + '
' + '
'; dw_davcal__modals.$settingsDialog = jQuery(document.createElement('div')) .dialog({ autoOpen: false, draggable: true, title: LANG.plugins.davcal['settings'], resizable: true, buttons: dialogButtons, }) .html( settingsHtml ) .parent() .attr('id','dw_davcal__settings') .show() .appendTo('.dokuwiki:first'); jQuery('#dw_davcal__settings').position({ my: "center", at: "center", of: window }); // Initialize current settings if(!JSINFO.plugin.davcal['disable_settings']) { var $tzdropdown = jQuery('#dw_davcal__settings_timezone'); jQuery('#fullCalendarTimezoneList option').each(function() { jQuery(''); } if(edit || (dw_davcal__modals.settings['calids'].length < 1)) { $dropdown.prop('disabled', true); } // Set up existing/predefined values jQuery('#dw_davcal__tz_edit').val(dw_davcal__modals.detectedTz); jQuery('#dw_davcal__currenttz_edit').val(dw_davcal__modals.currentTz); jQuery('#dw_davcal__uid_edit').val(calEvent.id); jQuery('#dw_davcal__eventname_edit').val(calEvent.title); jQuery('#dw_davcal__eventfrom_edit').val(calEvent.start.format('YYYY-MM-DD')); jQuery('#dw_davcal__eventfromtime_edit').val(calEvent.start.format('HH:mm')); jQuery('#dw_davcal__eventdescription_edit').val(calEvent.description); if(calEvent.attachments && (calEvent.attachments !== null)) { for(var i=0; i' + url + '' + LANG.plugins.davcal['delete'] + ''; jQuery('#dw_davcal__editevent_attachments > tbody:last').append(row); } } dw_davcal__modals.attachAttachmentDeleteHandlers(); jQuery('#dw_davcal__editevent_attach').on("click", function(e) { e.preventDefault(); var url = jQuery('#dw_davcal__editevent_attachment').val(); jQuery('#dw_davcal__editevent_attachment').val('http://'); var row = '' + url + '' + LANG.plugins.davcal['delete'] + ''; jQuery('#dw_davcal__editevent_attachments > tbody:last').append(row); dw_davcal__modals.attachAttachmentDeleteHandlers(); return false; }); if(calEvent.allDay && (calEvent.end === null)) { jQuery('#dw_davcal__eventto_edit').val(calEvent.start.format('YYYY-MM-DD')); 
jQuery('#dw_davcal__eventtotime_edit').val(calEvent.start.format('HH:mm')); } else if(calEvent.allDay) { endEvent = moment(calEvent.end); endEvent.subtract(1, 'days'); jQuery('#dw_davcal__eventto_edit').val(endEvent.format('YYYY-MM-DD')); jQuery('#dw_davcal__eventotime_edit').val(endEvent.format('HH:mm')); } else { jQuery('#dw_davcal__eventto_edit').val(calEvent.end.format('YYYY-MM-DD')); jQuery('#dw_davcal__eventtotime_edit').val(calEvent.end.format('HH:mm')); } jQuery('#dw_davcal__allday_edit').prop('checked', calEvent.allDay); // attach event handlers jQuery('#dw_davcal__edit .ui-dialog-titlebar-close').click(function(){ dw_davcal__modals.hideEditEventDialog(); }); jQuery('#dw_davcal__eventfrom_edit').datetimepicker({format:'YYYY-MM-DD', formatDate:'YYYY-MM-DD', datepicker: true, timepicker: false, }); jQuery('#dw_davcal__eventfromtime_edit').datetimepicker({format:'HH:mm', formatTime:'HH:mm', datepicker: false, timepicker: true, step: 15}); jQuery('#dw_davcal__eventto_edit').datetimepicker({format:'YYYY-MM-DD', formatDate:'YYYY-MM-DD', datepicker: true, timepicker: false, }); jQuery('#dw_davcal__eventtotime_edit').datetimepicker({format:'HH:mm', formatTime:'HH:mm', datepicker: false, timepicker: true, step:15}); jQuery('#dw_davcal__allday_edit').change(function() { if(jQuery(this).is(":checked")) { jQuery('#dw_davcal__eventfromtime_edit').prop('readonly', true); jQuery('#dw_davcal__eventtotime_edit').prop('readonly', true); } else { jQuery('#dw_davcal__eventfromtime_edit').prop('readonly', false); jQuery('#dw_davcal__eventtotime_edit').prop('readonly', false); } }); jQuery('#dw_davcal__allday_edit').change(); }, /** * Attach handles to delete the attachments to all 'delete' links */ attachAttachmentDeleteHandlers: function() { jQuery("#dw_davcal__editevent_attachments .deleteLink").on("click", function(e) { e.preventDefault(); var tr = jQuery(this).closest('tr'); tr.css("background-color", "#FF3700"); tr.fadeOut(400, function() { tr.remove(); }); return false; 
}); }, /** * Show an info/confirmation dialog * @param {Object} confirm Whether a confirmation dialog (true) or an info dialog (false) is requested */ showDialog : function(confirm) { if(dw_davcal__modals.$confirmDialog) return; var dialogButtons = {}; var title = ''; if(confirm) { title = LANG.plugins.davcal['confirmation']; var pageid = dw_davcal__modals.page; if(dw_davcal__modals.settings['multi']) { pageid = jQuery("#dw_davcal__editevent_calendar option:selected").val(); } dialogButtons[LANG.plugins.davcal['yes']] = function() { jQuery.post( DOKU_BASE + 'lib/exe/ajax.php', { call: 'plugin_davcal', id: pageid, page: dw_davcal__modals.page, action: dw_davcal__modals.action, params: { uid: dw_davcal__modals.uid - } + }, + sectok: JSINFO.plugin.davcal['sectok'] }, function(data) { dw_davcal__modals.completeCb(data); } ); dw_davcal__modals.hideDialog(); }; dialogButtons[LANG.plugins.davcal['cancel']] = function() { dw_davcal__modals.hideDialog(); }; } else { title = LANG.plugins.davcal['info']; dialogButtons[LANG.plugins.davcal['ok']] = function() { dw_davcal__modals.hideDialog(); }; } dw_davcal__modals.$dialog = jQuery(document.createElement('div')) .dialog({ autoOpen: false, draggable: true, title: title, resizable: true, buttons: dialogButtons, }) .html( '
' + dw_davcal__modals.msg + '
' ) .parent() .attr('id','dw_davcal__confirm') .show() .appendTo('.dokuwiki:first'); jQuery('#dw_davcal__confirm').position({ my: "center", at: "center", of: window }); // attach event handlers jQuery('#dw_davcal__confirm .ui-dialog-titlebar-close').click(function(){ dw_davcal__modals.hideDialog(); }); }, /** * Hide the edit event dialog */ hideEditEventDialog : function() { dw_davcal__modals.$editEventDialog.empty(); dw_davcal__modals.$editEventDialog.remove(); dw_davcal__modals.$editEventDialog = null; }, /** * Hide the confirm/info dialog */ hideDialog: function() { dw_davcal__modals.$dialog.empty(); dw_davcal__modals.$dialog.remove(); dw_davcal__modals.$dialog = null; }, /** * Hide the settings dialog */ hideSettingsDialog: function() { dw_davcal__modals.$settingsDialog.empty(); dw_davcal__modals.$settingsDialog.remove(); dw_davcal__modals.$settingsDialog = null; } };
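Review bot: Four POSTs gain `sectok: JSINFO.plugin.davcal['sectok']` (the initial `getSettings` call, the fullCalendar `events` source, `saveSettings` and the confirm dialog), but the hunk header announces six added lines and the save handler of the edit-event dialog, which submits `newEvent`/`editEvent`, is not legible in this chunk because the markup around `showEditEventDialog` was stripped; since the server now rejects every action without the token, please confirm that path sends it as well. None of the callbacks handles a rejected token: the `getSettings` callback only has the `result === true` branch, so a failed check leaves the calendar uninitialised with nothing on screen, and an `else` that sets `dw_davcal__modals.msg = data['html']` and calls `dw_davcal__modals.showDialog(false)`, as the `events` error handler already does, would surface it. The token expression is now repeated verbatim at every call site; reading it once, e.g. `var sectok = JSINFO.plugin.davcal['sectok'];`, at the top of the `jQuery(function() {...})` block and as a field of `dw_davcal__modals` would keep the next AJAX call from forgetting it.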