olelo 0.9.0

data/plugins/security/acl.rb

@@ -0,0 +1,57 @@
+description 'Access control lists'
+
+class ::Olelo::Page
+  attributes do
+    group :acl do
+      list :write
+      list :create
+      list :delete
+    end
+  end
+
+  # New page is writable if parent allows page creation
+  # Existing page is writable if page is writable
+  def writable?
+    new? ? (root? || parent.access?(:create)) : access?(:write)
+  end
+
+  # Page is deletable if parent is writable
+  def deletable?
+    parent && parent.access?(:delete)
+  end
+
+  # Page is movable if page is deletable and destination is writable
+  def movable?(destination = nil)
+    deletable? && (!destination || (Page.find(destination) || Page.new(destination)).writable?)
+  end
+
+  def access?(type)
+    acl = saved_attributes['acl'] || {}
+    names = [*acl[type.to_s]].compact
+    names.empty? ||
+    names.include?(User.current.name) ||
+    User.current.groups.any? {|group| names.include?('@'+group) }
+  end
+
+  before :save, 999 do
+    raise(AccessDenied) if !writable?
+  end
+
+  before :delete, 999 do
+    raise(AccessDenied) if !deletable?
+  end
+
+  before :move, 999 do |destination|
+    raise(AccessDenied) if !movable?(destination)
+  end
+end
+
+class ::Olelo::Application
+  hook :menu, 999 do |menu|
+    if menu.name == :actions && page
+      menu.remove('edit/delete') if !page.deletable?
+      menu.remove('edit/move') if !page.movable?
+      menu['edit'].options.delete(:href) if menu['edit'] && !page.writable?
+    end
+  end
+end

data/plugins/security/basic_auth.rb

@@ -0,0 +1,21 @@
+description 'HTTP basic authentication'
+require 'rack/auth/basic'
+
+class ::Olelo::Application
+  hook :auto_login do
+    if params[:auth] && !User.current
+      auth = Rack::Auth::Basic::Request.new(env)
+      unauthorized if !auth.provided?
+      halt :bad_request if !auth.basic?
+      User.current = User.authenticate(auth.credentials[0], auth.credentials[1]) rescue nil
+      unauthorized if !User.current
+    end
+  end
+
+  private
+
+  def unauthorized
+    response['WWW-Authenticate'] = 'Basic realm="Olelo"'
+    halt :unauthorized
+  end
+end

data/plugins/security/locale.yml

@@ -0,0 +1,21 @@
+en:
+  attribute_acl_write:  'Write access'
+  attribute_acl_create: 'Create subpages'
+  attribute_acl_delete: 'Delete subpages'
+  group_acl:            'Access control lists'
+  persistent_login:     'Persistent login'
+  login_first:          'You have to login first'
+de:
+  attribute_acl_write:  'Schreibzugriff'
+  attribute_acl_create: 'Unterseiten anlegen'
+  attribute_acl_delete: 'Unterseiten löschen'
+  group_acl:            'Zugriffslisten'
+  persistent_login:     'Dauerhaft anmelden'
+  login_first:          'Sie müssen sich zuerst anmelden'
+cs_CZ:
+  attribute_acl_write:  'Právo zápisu'
+  attribute_acl_create: 'Vytvářet podstránky'
+  attribute_acl_delete: 'Mazat podstránky'
+  group_acl:            'Řízení přístupů (ACL)'
+  persistent_login:     'Trvalé přihlášení'
+  login_first:          'Musíte se nejprve přihlásit'

data/plugins/security/persistent_login.rb

@@ -0,0 +1,32 @@
+description  'Persistent login'
+
+class ::Olelo::Application
+  TOKEN_NAME = 'olelo.token'
+  TOKEN_LIFETIME = 24*60*60*365
+
+  hook :auto_login do
+    if !User.current
+      token = request.cookies[TOKEN_NAME]
+      if token
+        user, hash = token.split('-', 2)
+        User.current = User.find(user) if sha256(user + Config['rack.session_secret']) == hash
+      end
+    end
+  end
+
+  before :login_buttons do
+    %{<input type="checkbox" name="persistent" id="persistent" value="1"/>
+<label for="persistent">#{escape_html :persistent_login.t}</label><br/>}
+  end
+
+  after :action do |method, path|
+    if path == '/login'
+      if User.logged_in? && params[:persistent]
+        token = "#{User.current.name}-#{sha256(User.current.name + Config['rack.session_secret'])}"
+        response.set_cookie(TOKEN_NAME, :value => token, :expires => Time.now + TOKEN_LIFETIME)
+      end
+    elsif path == '/logout'
+      response.delete_cookie(TOKEN_NAME)
+    end
+  end
+end

data/plugins/security/portal.rb

@@ -0,0 +1,28 @@
+description 'Proprietary web portal based user storage'
+require 'open-uri'
+require 'openssl'
+
+class PortalService < User::Service
+  def initialize(config)
+    @url = config[:url]
+  end
+
+  # @override
+  def authenticate(name, password)
+    xml = open(@url,
+               :ssl_verify_mode => OpenSSL::SSL::VERIFY_NONE,
+               :http_basic_authentication => [name, password]).read
+    # User data is exposed via REST/XML-API
+    doc = Nokogiri::XML(xml)
+    email = (doc/'person/email').text
+    name = (doc/'person/user/name').text
+    groups = (doc/'person/groups/group/name').to_a.map(&:text)
+    raise AuthenticationError if name.blank?
+    email = "#{name}@localhost" if email.blank?
+    User.new(name, email, groups)
+  rescue
+    raise AuthenticationError, :wrong_user_or_pw.t
+  end
+end
+
+User::Service.register :portal, PortalService

data/plugins/security/private_wiki.rb

@@ -0,0 +1,24 @@
+description 'Forbid anonymous access, redirect to login'
+
+class ::Olelo::Application
+  PUBLIC_ACCESS = %w(/login)
+
+  redefine_method :include_page do |path|
+    User.logged_in? ? super(path) : ''
+  end
+
+  hook :menu, 999 do |menu|
+    menu.clear if menu.name == :actions && !User.logged_in?
+  end
+
+  before :routing do
+    if !User.logged_in?
+      if !PUBLIC_ACCESS.include?(request.path_info)
+        flash.error :login_first.t
+        session[:olelo_goto] = request.path_info if request.get? && request.path_info !~ %r{^/_/}
+        redirect build_path(:login)
+      end
+      @disable_assets = true
+    end
+  end
+end

data/plugins/security/readonly_wiki.rb

@@ -0,0 +1,25 @@
+description 'Read-only installation (editable only if logged in)'
+
+class ::Olelo::Page
+  before(:save, 999) do
+    raise(AccessDenied) if !User.logged_in?
+  end
+
+  before(:delete, 999) do
+    raise(AccessDenied) if !User.logged_in?
+  end
+
+  before(:move, 999) do |destination|
+    raise(AccessDenied) if !User.logged_in?
+  end
+end
+
+class ::Olelo::Application
+  hook :render, 999 do |name, xml, layout|
+    xml.gsub!(/<a[^>]+class="[^"]*editsection.*?<\/a>/, '') if !User.logged_in?
+  end
+
+  hook :menu, 999 do |menu|
+    menu.remove(:edit) if menu.name == :actions && !User.logged_in?
+  end
+end

data/plugins/security/stack.rb

@@ -0,0 +1,20 @@
+description 'Authentication service stack'
+
+class StackService < User::Service
+  def initialize(config)
+    @stack = config.map do |name|
+      User::Service[name].new(Config['authentication'][name])
+    end
+  end
+
+  # @override
+  def authenticate(name, password)
+    @stack.any? do |service|
+      user = service.authenticate(name, password) rescue nil
+      return user if user
+    end
+    raise AuthenticationError, :wrong_user_or_pw.t
+  end
+end
+
+User::Service.register :stack, StackService

data/plugins/security/yamlfile.rb

@@ -0,0 +1,66 @@
+description 'YAML based user storage'
+require 'yaml/store'
+
+class YamlfileService < User::Service
+  def initialize(config)
+    FileUtils.mkpath(File.dirname(config[:store]))
+    @store = ::YAML::Store.new(config[:store])
+  end
+
+  # @override
+  def find(name)
+    @store.transaction(true) do |store|
+      user = store[name]
+      user && User.new(name, user['email'], user['groups'])
+    end
+  end
+
+  # @override
+  def authenticate(name, password)
+    @store.transaction(true) do |store|
+      user = store[name]
+      raise AuthenticationError, :wrong_user_or_pw.t if !user || user['password'] != crypt(password)
+      User.new(name, user['email'], user['groups'])
+    end
+  end
+
+  # @override
+  def create(user, password)
+    @store.transaction do |store|
+      raise :user_already_exists.t(:name => user.name) if store[user.name]
+      store[user.name] = {
+        'email' => user.email,
+        'password' => crypt(password),
+	'groups' => user.groups.to_a
+      }
+    end
+  end
+
+  # @override
+  def update(user)
+    @store.transaction do |store|
+      raise NameError, "User #{user.name} not found" if !store[user.name]
+      store[user.name]['email'] = user.email
+      store[user.name]['groups'] = user.groups.to_a
+    end
+  end
+
+  # @override
+  def change_password(user, oldpassword, password)
+    @store.transaction do |store|
+      check do |errors|
+        errors << 'User not found' if !store[user.name]
+        errors << :wrong_password.t if crypt(oldpassword) != store[user.name]['password']
+      end
+      store[user.name]['password'] = crypt(password)
+    end
+  end
+
+  private
+
+  def crypt(s)
+    s.blank? ? s : sha256(s)
+  end
+end
+
+User::Service.register :yamlfile, YamlfileService

data/plugins/tags/code.rb

@@ -0,0 +1,6 @@
+description  'Code tag with syntax highlighting'
+dependencies 'utils/pygments'
+
+Tag.define :code, :requires => :lang do |context, attrs, content|
+  Pygments.pygmentize(content, attrs['lang'])
+end

data/plugins/tags/footnotes.rb

@@ -0,0 +1,35 @@
+description  'Footnote support'
+
+Tag.define :ref, :optional => :name, :description => 'Create footnote' do |context, attrs, content|
+  footnotes = context[:footnotes] ||= []
+  hash = context[:footnotes_hash] ||= {}
+  name = attrs['name']
+  if content.blank?
+    raise(ArgumentError, 'Attribute name missing') if name.blank?
+    raise(NameError, "Footnote #{name} not found") if !hash.include?(name)
+    note_id = hash[name]
+    ref_id = "#{note_id}_#{footnotes[note_id-1][2].size + 1}"
+    footnotes[note_id-1][2] << ref_id
+  else
+    note_id = ref_id = footnotes.size + 1
+    content = subfilter(context.subcontext, content)
+    footnotes << [note_id, content.gsub(/^\s*<p>\s*|\s*<\/p>\s*$/, ''), [ref_id]]
+    hash[name] = note_id if !name.blank?
+  end
+  %{<a class="ref" id="ref#{ref_id}" href="#note#{note_id}">[#{note_id}]</a>}
+end
+
+Tag.define :references, :description => 'Print all footnotes' do |context, attrs|
+  footnotes = context[:footnotes]
+  render :footnotes, :locals => {:footnotes => footnotes} if footnotes
+end
+
+__END__
+
+@@ footnotes.slim
+ol
+  - footnotes.each do |id, note, refs|
+    li id="note#{id}"
+      - refs.each do |ref|
+        a.backref ref="#ref#{ref}" ↑
+      == note

data/plugins/tags/gist-embed.css

@@ -0,0 +1,123 @@
+.gist {
+  color: #000;
+}
+
+  .gist div {
+    padding: 0;
+    margin: 0;
+  }
+
+  .gist .gist-file {
+    border: 1px solid #dedede; /* gray */
+    font-family: Monaco, "Courier New", "DejaVu Sans Mono", "Bitstream Vera Sans Mono", monospace;
+    margin-bottom: 1em;
+  }
+
+    .gist .gist-file .gist-meta {
+      overflow: hidden;
+      font-size: 85%;
+      padding: .5em;
+      color: #666;
+      background-color: #eaeaea;
+    }
+
+      .gist .gist-file .gist-meta a {
+        color: #369;
+      }
+
+      .gist .gist-file .gist-meta a:visited {
+        color: #737;
+      }
+
+    .gist .gist-file .gist-data {
+      overflow: auto;
+      word-wrap: normal;
+      background-color: #f8f8ff;
+      border-bottom: 1px solid #ddd;
+      font-size: 100%;
+    }
+
+      .gist .gist-file .gist-data pre {
+        font-family: 'Bitstream Vera Sans Mono', 'Courier', monospace;
+        background: transparent !important;
+        margin: 0 !important;
+        border: none !important;
+        padding: .25em .5em .5em .5em !important;
+      }
+
+        .gist .gist-file .gist-data .gist-highlight {
+          background: transparent !important;
+        }
+
+        .gist .gist-file .gist-data .gist-line-numbers {
+          background-color: #ececec;
+          color: #aaa;
+          border-right: 1px solid #ddd;
+          text-align: right;
+        }
+
+          .gist .gist-file .gist-data .gist-line-numbers span {
+            clear: right;
+            display: block;
+          }
+
+.gist-syntax  { background: #ffffff; }
+.gist-syntax .c { color: #999988; font-style: italic } /* Comment */
+.gist-syntax .err { color: #a61717; background-color: #e3d2d2 } /* Error */
+.gist-syntax .k { color: #000000; font-weight: bold } /* Keyword */
+.gist-syntax .o { color: #000000; font-weight: bold } /* Operator */
+.gist-syntax .cm { color: #999988; font-style: italic } /* Comment.Multiline */
+.gist-syntax .cp { color: #999999; font-weight: bold } /* Comment.Preproc */
+.gist-syntax .c1 { color: #999988; font-style: italic } /* Comment.Single */
+.gist-syntax .cs { color: #999999; font-weight: bold; font-style: italic } /* Comment.Special */
+.gist-syntax .gd { color: #000000; background-color: #ffdddd } /* Generic.Deleted */
+.gist-syntax .gd .x { color: #000000; background-color: #ffaaaa } /* Generic.Deleted.Specific */
+.gist-syntax .ge { color: #000000; font-style: italic } /* Generic.Emph */
+.gist-syntax .gr { color: #aa0000 } /* Generic.Error */
+.gist-syntax .gh { color: #999999 } /* Generic.Heading */
+.gist-syntax .gi { color: #000000; background-color: #ddffdd } /* Generic.Inserted */
+.gist-syntax .gi .x { color: #000000; background-color: #aaffaa } /* Generic.Inserted.Specific */
+.gist-syntax .go { color: #888888 } /* Generic.Output */
+.gist-syntax .gp { color: #555555 } /* Generic.Prompt */
+.gist-syntax .gs { font-weight: bold } /* Generic.Strong */
+.gist-syntax .gu { color: #aaaaaa } /* Generic.Subheading */
+.gist-syntax .gt { color: #aa0000 } /* Generic.Traceback */
+.gist-syntax .kc { color: #000000; font-weight: bold } /* Keyword.Constant */
+.gist-syntax .kd { color: #000000; font-weight: bold } /* Keyword.Declaration */
+.gist-syntax .kp { color: #000000; font-weight: bold } /* Keyword.Pseudo */
+.gist-syntax .kr { color: #000000; font-weight: bold } /* Keyword.Reserved */
+.gist-syntax .kt { color: #445588; font-weight: bold } /* Keyword.Type */
+.gist-syntax .m { color: #009999 } /* Literal.Number */
+.gist-syntax .s { color: #d14 } /* Literal.String */
+.gist-syntax .na { color: #008080 } /* Name.Attribute */
+.gist-syntax .nb { color: #0086B3 } /* Name.Builtin */
+.gist-syntax .nc { color: #445588; font-weight: bold } /* Name.Class */
+.gist-syntax .no { color: #008080 } /* Name.Constant */
+.gist-syntax .ni { color: #800080 } /* Name.Entity */
+.gist-syntax .ne { color: #990000; font-weight: bold } /* Name.Exception */
+.gist-syntax .nf { color: #990000; font-weight: bold } /* Name.Function */
+.gist-syntax .nn { color: #555555 } /* Name.Namespace */
+.gist-syntax .nt { color: #000080 } /* Name.Tag */
+.gist-syntax .nv { color: #008080 } /* Name.Variable */
+.gist-syntax .ow { color: #000000; font-weight: bold } /* Operator.Word */
+.gist-syntax .w { color: #bbbbbb } /* Text.Whitespace */
+.gist-syntax .mf { color: #009999 } /* Literal.Number.Float */
+.gist-syntax .mh { color: #009999 } /* Literal.Number.Hex */
+.gist-syntax .mi { color: #009999 } /* Literal.Number.Integer */
+.gist-syntax .mo { color: #009999 } /* Literal.Number.Oct */
+.gist-syntax .sb { color: #d14 } /* Literal.String.Backtick */
+.gist-syntax .sc { color: #d14 } /* Literal.String.Char */
+.gist-syntax .sd { color: #d14 } /* Literal.String.Doc */
+.gist-syntax .s2 { color: #d14 } /* Literal.String.Double */
+.gist-syntax .se { color: #d14 } /* Literal.String.Escape */
+.gist-syntax .sh { color: #d14 } /* Literal.String.Heredoc */
+.gist-syntax .si { color: #d14 } /* Literal.String.Interpol */
+.gist-syntax .sx { color: #d14 } /* Literal.String.Other */
+.gist-syntax .sr { color: #009926 } /* Literal.String.Regex */
+.gist-syntax .s1 { color: #d14 } /* Literal.String.Single */
+.gist-syntax .ss { color: #990073 } /* Literal.String.Symbol */
+.gist-syntax .bp { color: #999999 } /* Name.Builtin.Pseudo */
+.gist-syntax .vc { color: #008080 } /* Name.Variable.Class */
+.gist-syntax .vg { color: #008080 } /* Name.Variable.Global */
+.gist-syntax .vi { color: #008080 } /* Name.Variable.Instance */
+.gist-syntax .il { color: #009999 } /* Literal.Number.Integer.Long */