X-Git-Url: https://git.octo.it/?a=blobdiff_plain;f=licom.cgi;h=68e3581208f9d3b12204193316885fe78b5b9c2e;hb=422cfd825089332848b3571d128a6ca3675e675c;hp=29dbec8cfc75d7bde2924614a24dbadf006ce390;hpb=c91ccdf851b05521441e9460d4605c1ca0eae277;p=licom.git

diff --git a/licom.cgi b/licom.cgi
index 29dbec8..68e3581 100755
--- a/licom.cgi
+++ b/licom.cgi
@@ -23,6 +23,7 @@ use lib (qw(lib));
 use CGI (':cgi');
 use CGI::Carp (qw(fatalsToBrowser));
 use URI::Escape;
+use HTML::Entities (qw(encode_entities));
 
 use LiCoM::Config (qw(get_config set_config read_config));
 use LiCoM::Connection ();
@@ -62,7 +63,9 @@ our %Actions =
 	verify	=> [\&html_start, \&action_verify,  \&html_end],
 	delete	=> [\&html_start, \&action_ask_del,  \&html_end],
 	expunge	=> [\&html_start, \&action_do_del,  \&html_end],
-	vcard	=> \&action_vcard
+	vcard	=> \&action_vcard,
+	edit_group => [\&html_start, \&action_edit_group, \&html_end],
+	save_group => [\&html_start, \&action_save_group, \&html_end]
 );
 
 read_config ();
@@ -97,7 +100,7 @@ if (!$UserCN)
 
 if (!defined ($Actions{$Action}))
 {
-	die;
+	die ("No such action: $Action");
 }
 
 if (ref ($Actions{$Action}) eq 'CODE')
@@ -128,18 +131,21 @@ sub action_browse
 	{
 		my @groups = LiCoM::Group->all ();
 
-		print qq(\t\t<h2>Contact Groups</h2>\n\t\t<ul class="groups">\n);
+		print qq(\t\t<h2>Contact groups</h2>\n\t\t<ul class="groups">\n);
 		for (@groups)
 		{
 			my $group = $_;
 			my @members = $group->get_members ();
 			my $members = scalar (@members);
 			my $group_name = $group->name ();
-			my $group_esc  = uri_escape ($group_name);
+			my $group_uri  = uri_escape ($group_name);
 			my $desc = $group->description ();
 
-			print qq#\t\t\t<li><a href="$MySelf?action=browse&group=$group_esc">$group_name</a> ($members Member#, ($members == 1 ? ')' : 's)');
-			print qq(<br />\n\t\t\t\t<span class="description">$desc</span>) if ($desc);
+			print qq#\t\t\t<li><a href="$MySelf?action=browse&group=$group_uri">#,
+			encode_entities ($group_name),
+			qq#</a> ($members Member#, ($members == 1 ? ')' : 's)');
+			print qq(<br />\n\t\t\t\t<span class="description">),
+			encode_entities ($desc) . '</span>' if ($desc);
 			print "</li>\n";
 		}
 		if (!@groups)
@@ -155,26 +161,31 @@ EOF
 	}
 	else
 	{
-		my $group_obj = LiCoM::Group->load ($group);
-		my $group_esc = uri_escape ($group_obj->name ());
+		my $group_obj    = LiCoM::Group->load ($group);
+		my $group_uri    = uri_escape ($group_obj->name ());
+		my $group_html   = encode_entities ($group_obj->name ());
 		my @member_names = $group_obj->get_members ();
+		my $desc         = $group_obj->description ();
+		my $desc_html    = encode_entities ($desc || '');
 		
-		print qq(\t\t<h2>Contact Group &quot;$group&quot;</h2>\n),
-		qq(\t\t<ul class="results">\n);
+		print qq(\t\t<h2>Contact group &quot;$group_html&quot;</h2>\n);
+		print qq(\t\t<div>$desc_html</div>\n) if ($desc);
+		print qq(\t\t<ul class="results">\n);
 		for (sort (@member_names))
 		{
 			my $cn = $_;
-			my $cn_esc = uri_escape ($cn);
+			my $cn_uri  = uri_escape ($cn);
+			my $cn_html = encode_entities ($cn);
 
-			print qq(\t\t\t<li><a href="$MySelf?action=detail&cn=$cn_esc">$cn</a></li>\n);
+			print qq(\t\t\t<li><a href="$MySelf?action=detail&cn=$cn_uri">$cn_html</a></li>\n);
 		}
 		
 		print <<EOF;
 		</ul>
 		<div class="menu">
-			[<a href="$MySelf?action=list&group=$group_esc">List</a>]
+			[<a href="$MySelf?action=list&group=$group_uri">List</a>]
 			[<a href="$MySelf?action=browse">Back</a>]
-			[Edit]
+			[<a href="$MySelf?action=edit_group&group=$group_uri">Edit</a>]
 		</div>
 EOF
 	}
@@ -225,7 +236,7 @@ EOF
 		{
 			my $field = $_;
 			my @values = $person->get ($field);
-			print "\t\t\t\t<td>" . join ('<br />', @values) . "</td>\n";
+			print "\t\t\t\t<td>" . join ('<br />', map { encode_entities ($_) } (@values)) . "</td>\n";
 		}
 
 		print "\t\t\t</tr>\n";
@@ -249,22 +260,23 @@ sub action_detail
 	$cn = shift if (@_);
 	die unless ($cn);
 
+	my $cn_html = encode_entities ($cn);
+	my $cn_uri  = uri_escape ($cn);
+
 	my $person = LiCoM::Person->load ($cn);
 	if (!$person)
 	{
-		print qq(\t<div>Entry &quot;$cn&quot; could not be loaded from DB.</div>\n);
+		print qq(\t<div>Entry &quot;$cn_html&quot; could not be loaded from DB.</div>\n);
 		return;
 	}
 
-	print qq(\t\t<h2>Details for $cn</h2>\n);
-
-	my $cn_esc = uri_escape ($cn);
+	print qq(\t\t<h2>Details for $cn_html</h2>\n);
 
 	print <<EOF;
 		<table class="detail">
 			<tr>
 				<th>Name</th>
-				<td>$cn</td>
+				<td>$cn_html</td>
 			</tr>
 EOF
 	for (@MultiFields)
@@ -272,38 +284,51 @@ EOF
 		my $field = $_;
 		my $values = $person->get ($field);
 		my $num = scalar (@$values);
-		my $print = defined ($FieldNames{$field}) ? $FieldNames{$field} : $field;
+		my $field_name = defined ($FieldNames{$field}) ? $FieldNames{$field} : $field;
 
 		next unless ($num);
 
+		$field_name = encode_entities ($field_name);
+
 		print "\t\t\t<tr>\n";
 		if ($num > 1)
 		{
-			print qq(\t\t\t\t<th rowspan="$num">$print</th>\n);
+			print qq(\t\t\t\t<th rowspan="$num">$field_name</th>\n);
 		}
 		else
 		{
-			print qq(\t\t\t\t<th>$print</th>\n);
+			print qq(\t\t\t\t<th>$field_name</th>\n);
 		}
 
 		for (my $i = 0; $i < $num; $i++)
 		{
 			my $val = $values->[$i];
+			my $val_uri  = uri_escape ($val);
+			my $val_html = encode_entities ($val);
 
 			if ($field eq 'group')
 			{
-				my $val_esc = uri_escape ($val);
-				$val = qq(<a href="$MySelf?action=browse&group=$val_esc">$val</a>);
+				$val = qq(<a href="$MySelf?action=browse&group=$val_uri">$val_html</a>);
 			}
 			elsif ($field eq 'uri')
 			{
-				my $uri = $val;
-				$uri = qq(http://$val) unless ($val =~ m#^[a-z]+://#);
-				$val = qq(<a href="$uri" class="extern">$val</a>);
+				if ($val =~ m#^([a-z]+)://(.+)$#)
+				{
+					$val_uri = $1 . '://' . uri_escape ($2);
+				}
+				else
+				{
+					$val_uri = 'http://' . uri_escape ($val);
+				}
+				$val = qq(<a href="$val_uri" class="extern">$val_html</a>);
 			}
 			elsif ($field eq 'mail')
 			{
-				$val = qq(<a href="mailto:$val" class="mail">$val</a>);
+				$val = qq(<a href="mailto:$val_uri" class="mail">$val_html</a>);
+			}
+			else
+			{
+				$val = $val_html;
 			}
 			
 			print "\t\t\t<tr>\n" if ($i);
@@ -322,10 +347,11 @@ EOF
 		{
 			my $group = $groups[$i];
 			my $group_name = $group->name ();
-			my $group_esc = uri_escape ($group_name);
+			my $group_uri  = uri_escape ($group_name);
+			my $group_html = encode_entities ($group_name);
 
 			print "\t\t\t<tr>\n" if ($i != 0);
-			print qq(\t\t\t\t<td><a href="$MySelf?action=browse&group=$group_esc">$group_name</a></td>\n),
+			print qq(\t\t\t\t<td><a href="$MySelf?action=browse&group=$group_uri">$group_html</a></td>\n),
 			"\t\t\t</tr>\n";
 		}
 	}
@@ -334,10 +360,10 @@ EOF
 		</table>
 
 		<div class="menu">
-			[<a href="$MySelf?action=verify&cn=$cn_esc">Verify</a>]
-			[<a href="$MySelf?action=vcard&cn=$cn_esc">vCard</a>]
-			[<a href="$MySelf?action=edit&cn=$cn_esc">Edit</a>]
-			[<a href="$MySelf?action=delete&cn=$cn_esc">Delete</a>]
+			[<a href="$MySelf?action=verify&cn=$cn_uri">Verify</a>]
+			[<a href="$MySelf?action=vcard&cn=$cn_uri">vCard</a>]
+			[<a href="$MySelf?action=edit&cn=$cn_uri">Edit</a>]
+			[<a href="$MySelf?action=delete&cn=$cn_uri">Delete</a>]
 		</div>
 
 EOF
@@ -387,9 +413,10 @@ sub action_search
 	{
 		my $person = $_;
 		my $cn = $person->name ();
-		my $cn_esc = uri_escape ($cn);
+		my $cn_uri  = uri_escape ($cn);
+		my $cn_html = encode_entities ($cn);
 
-		print qq(\t\t<li><a href="$MySelf?action=detail&cn=$cn_esc">$cn</a></li>\n);
+		print qq(\t\t<li><a href="$MySelf?action=detail&cn=$cn_uri">$cn_html</a></li>\n);
 	}
 	print qq(\t</ul>\n);
 }
@@ -403,6 +430,8 @@ sub action_edit
 	$cn = $opts{'cn'} if (defined ($opts{'cn'}));
 	$cn ||= '';
 
+	my $cn_html = encode_entities ($cn);
+
 	if (!$UserID)
 	{
 		$cn = $UserCN;
@@ -450,7 +479,7 @@ sub action_edit
 
 	if ($cn)
 	{
-		print "\t\t<h2>Edit contact $cn</h2>\n";
+		print "\t\t<h2>Edit contact $cn_html</h2>\n";
 	}
 	else
 	{
@@ -460,7 +489,7 @@ sub action_edit
 	print <<EOF;
 		<form action="$MySelf" method="post">
 		<input type="hidden" name="action" value="save" />
-		<input type="hidden" name="cn" value="$cn" />
+		<input type="hidden" name="cn" value="$cn_html" />
 		<table class="edit">
 			<tr>
 				<th>Lastname</th>
@@ -498,10 +527,13 @@ EOF
 		next if ($field eq 'group');
 
 		push (@values, '');
+
+		$field = encode_entities ($field);
+		$print = encode_entities ($print);
 		
 		for (@values)
 		{
-			my $value = $_;
+			my $value = encode_entities ($_);
 
 			print <<EOF;
 			<tr>
@@ -525,7 +557,7 @@ EOF
 			for (@all_groups)
 			{
 				my $group = $_;
-				my $group_name = $group->name ();
+				my $group_name = encode_entities ($group->name ());
 				my $selected = '';
 
 				if (grep { $cn eq $_ } ($group->get_members ()))
@@ -625,7 +657,8 @@ sub action_save
 		}
 		else
 		{
-			print qq(\t<div class="error">Group &quot;$group_name&quot; does not exist or could not be loaded.</div>\n);
+			my $group_html = encode_entities ($group_name);
+			print qq(\t<div class="error">Group &quot;$group_html&quot; does not exist or could not be loaded.</div>\n);
 		}
 	}
 
@@ -671,7 +704,10 @@ sub action_update
 		$person->firstname ($firstname) if ($firstname and $firstname ne $person->firstname ());
 
 		$cn = $person->name ();
-		# FIXME Fix groups
+		# FIXME Fix groups:
+		# Each group is one entry of type (objectClass=groupOfNames)
+		# with one or more `member' attributes. These attributes are
+		# the `dn' (distinguished name) of the member entries.
 	}
 
 	my $contacts = get_contacts ();
@@ -693,36 +729,49 @@ sub action_update
 		}
 	}
 
-	my %changed_groups = map { $_ => 1 } (param ('group'));
-	my @current_groups = LiCoM::Group->load_by_member ($cn);
-
-	for (@current_groups)
+	# only `authorized' users may see and change groups
+	if ($UserID)
 	{
-		my $group_obj = $_;
-		my $group_name = $group_obj->name ();
+		my %changed_groups = map { $_ => 1 } (param ('group'));
+		my @current_groups = LiCoM::Group->load_by_member ($cn);
 
-		if (!defined ($changed_groups{$group_name}))
+		for (@current_groups)
 		{
-			$group_obj->del_members ($cn);
+			my $group_obj = $_;
+			my $group_name = $group_obj->name ();
+
+			if (!defined ($changed_groups{$group_name}))
+			{
+				$group_obj->del_members ($cn);
+			}
+			else
+			{
+				delete ($changed_groups{$group_name});
+			}
 		}
-		else
+		for (keys %changed_groups)
 		{
-			delete ($changed_groups{$group_name});
+			my $group_name = $_;
+			my $group_obj = LiCoM::Group->load ($group_name) or die;
+
+			$group_obj->add_members ($cn);
 		}
-	}
-	for (keys %changed_groups)
-	{
-		my $group_name = $_;
-		my $group_obj = LiCoM::Group->load ($group_name) or die;
 
-		$group_obj->add_members ($cn);
+		if (param ('newgroup'))
+		{
+			# FIXME add error handling
+			my $group_name = param ('newgroup');
+			LiCoM::Group->create ($group_name, '', $cn);
+		}
 	}
 
-	if (param ('newgroup'))
+	if (!$UserID)
 	{
-		# FIXME add error handling
-		my $group_name = param ('newgroup');
-		LiCoM::Group->create ($group_name, '', $cn);
+		print <<HTML;
+		<h3>Your changes have been saved.</h3>
+		<p>Thank you very much for taking the time to keep this record up to date.</p>
+
+HTML
 	}
 
 	if ($button eq 'apply' or !$UserID)
@@ -792,6 +841,8 @@ sub action_verify
 	$cn = shift if (@_);
 	die unless ($cn);
 
+	my $cn_html = encode_entities ($cn);
+
 	my $person = LiCoM::Person->load ($cn);
 	die unless ($person);
 
@@ -799,21 +850,24 @@ sub action_verify
 	$mail ||= '';
 
 	my $message;
-	my $password = $person->get ('password');
+	my ($password) = $person->get ('password');
+	my $password_html;
 
 	if (!$password)
 	{
 		$password = pwgen ();
-		$person->set ('password', $password);
+		$person->set ('password', [$password]);
 	}
+	$password_html = encode_entities ($password);
 
-	$message = qq(The password for the record &quot;$cn&quot; is &quot;$password&quot;.);
+	$message = qq(The password for the record &quot;$cn_html&quot; is &quot;$password_html&quot;.);
 
 	if ($mail)
 	{
 		if (action_verify_send_mail ($person))
 		{
-			$message .= qq( A request for verification has been sent to $mail.);
+			my $mail_html = encode_entities ($mail);
+			$message .= qq( A request for verification has been sent to $mail_html.);
 		}
 	}
 	else
@@ -835,8 +889,8 @@ sub action_verify_send_mail
 	my ($owner_mail) = $owner->get ('mail');
 	if (!$owner_mail)
 	{
-		my $cn = uri_escape ($UserCN);
-		print qq(\t\t<div class="error">You have no email set in your own profile. <a href="$MySelf?action=edit&cn=$cn">Edit it now</a>!</div>\n);
+		my $cn_uri = uri_escape ($UserCN);
+		print qq(\t\t<div class="error">You have no email set in your own profile. <a href="$MySelf?action=edit&cn=$cn_uri">Edit it now</a>!</div>\n);
 		return (0);
 	}
 
@@ -847,15 +901,15 @@ sub action_verify_send_mail
 	}
 	$max_width++;
 
-	my $person_name = $person->name ();
+	my $person_name   = $person->name ();
 	my ($person_mail) = $person->get ('mail');
-	my $person_gn = $person->firstname ();
-	my $password = $person->get ('password');
+	my $person_gn     = $person->firstname ();
+	my ($password)    = $person->get ('password');
 
 	my $host = $ENV{'HTTP_HOST'};
 	my $url = (defined ($ENV{'HTTPS'}) ? 'https://' : 'http://') . $host . $MySelf;
 	
-	open ($smh, "| /usr/sbin/sendmail -t -f $owner_mail") or die ("open pipe to sendmail: $!");
+	open ($smh, '|-', '/usr/sbin/sendmail', '-t', '-f', $owner_mail) or die ("open (sendmail): $!");
 	print $smh <<EOM;
 To: $person_name <$person_mail>
 From: $UserCN <$owner_mail>
@@ -904,19 +958,20 @@ sub action_ask_del
 	my $person = LiCoM::Person->load ($cn);
 	$person or die;
 
-	my $cn_esc = uri_escape ($cn);
+	my $cn_uri  = uri_escape ($cn);
+	my $cn_html = encode_entities ($cn);
 
 	print <<EOF;
-		<h2>Really delete $cn?</h2>
+		<h2>Really delete $cn_html?</h2>
 
 		<div>
-			You are about to delete <strong>$cn</strong>. Are you
-			totally, absolutely sure you want to do this?
+			You are about to delete <strong>$cn_html</strong>.
+			Are you totally, absolutely sure you want to do this?
 		</div>
 
 		<div class="menu">
-			[<a href="$MySelf?action=expunge&cn=$cn_esc">Yes, delete</a>]
-			[<a href="$MySelf?action=detail&cn=$cn_esc">No, keep</a>]
+			[<a href="$MySelf?action=expunge&cn=$cn_uri">Yes, delete</a>]
+			[<a href="$MySelf?action=detail&cn=$cn_uri">No, keep</a>]
 		</div>
 
 EOF
@@ -927,23 +982,88 @@ sub action_do_del
 	my $cn = param ('cn');
 	$cn or die;
 
+	my $cn_html = encode_entities ($cn);
+
 	my $person = LiCoM::Person->load ($cn);
 	$person or die;
 
 	$person->delete ();
 
 	print <<EOF;
-		<div>$cn has been deleted.</div>
+		<div>$cn_html has been deleted.</div>
 
 EOF
 	action_browse ();
 }
 
+sub action_edit_group
+{
+	my $group_name = param ('group') or die;
+
+	my $group_name_html = encode_entities ($group_name);
+
+	my $group_obj = LiCoM::Group->load ($group_name);
+
+	if (!$group_obj)
+	{
+		print qq(\t<div class="error">Group &quot;$group_name_html&quot; does not exist or could not be loaded.</div>\n);
+		return;
+	}
+
+	$group_name_html = encode_entities ($group_obj->name ());
+
+	my $desc_html = encode_entities ($group_obj->description () || '');
+
+	print <<HTML;
+	<h2>Edit contact group &quot;$group_name_html&quot;</h2>
+	<form action="$MySelf" method="post">
+	  <input type="hidden" name="action" value="save_group" />
+	  <input type="hidden" name="group" value="$group_name_html" />
+	  <table>
+	    <tr>
+	      <th>Group Name</th>
+	      <td>$group_name_html</td>
+	    </tr>
+	    <tr>
+	      <th>Description</th>
+	      <td><input type="text" name="description" value="$desc_html" /></td>
+	    </tr>
+	    <tr>
+	      <th colspan="2"><input type="submit" name="button" value="Save" /></th>
+	    </tr>
+	  </table>
+	</form>
+HTML
+}
+
+sub action_save_group
+{
+	my $group_name = param ('group') or die;
+
+	my $group_name_html = encode_entities ($group_name);
+
+	my $group_obj = LiCoM::Group->load ($group_name);
+
+	if (!$group_obj)
+	{
+		print qq(\t<div class="error">Group &quot;$group_name_html&quot; does not exist or could not be loaded.</div>\n);
+		return;
+	}
+
+	my $desc = param ('description');
+	$group_obj->description ($desc);
+
+	action_browse ();
+	return;
+}
+
 sub html_start
 {
 	my $title = shift;
 	$title = q(Lightweight Contact Manager) unless ($title);
 
+	$title = encode_entities ($title);
+
 	print <<EOF;
 Content-Type: text/html; charset=UTF-8
 
@@ -1159,6 +1279,7 @@ EOF
 	if ($UserID)
 	{
 		my $search = param ('search') || '';
+		$search = encode_entities ($search);
 		print <<EOF;
 		<div class="topmenu">
 			<form action="$MySelf" method="post">