# HG changeset patch
# User Dan
# Date 1190147366 14400
# Node ID c5dbad7ec2d077e41c8f083fe1c64aa8d8099e86
# Parent 175776498ef17ab1453e2a24b34534d1bd95fc08
Enano should now fully support UTF-8 usernames; newly registered users are now granted automatic edit access to their user pages (admins can still use protection on the page)
diff -r 175776498ef1 -r c5dbad7ec2d0 includes/clientside/static/misc.js
--- a/includes/clientside/static/misc.js Tue Sep 18 00:31:22 2007 -0400
+++ b/includes/clientside/static/misc.js Tue Sep 18 16:29:26 2007 -0400
@@ -449,7 +449,7 @@
window.console.debug(json_data);
json_data = toJSONString(json_data);
window.console.debug(json_data);
- json_data = ajaxAltEscape(json_data);
+ json_data = encodeURIComponent(json_data);
window.console.debug(json_data);
var loading_win = '
\
diff -r 175776498ef1 -r c5dbad7ec2d0 includes/sessions.php
--- a/includes/sessions.php Tue Sep 18 00:31:22 2007 -0400
+++ b/includes/sessions.php Tue Sep 18 16:29:26 2007 -0400
@@ -151,7 +151,7 @@
*/
//var $valid_username = '([A-Za-z0-9 \!\@\(\)-]+)';
- var $valid_username = '([^<>_&\?\'"%\n\r\t\a]+)';
+ var $valid_username = '([^<>_&\?\'"%\n\r\t\a\/]+)';
/**
* What we're allowed to do as far as permissions go. This changes based on the value of the "auth" URI param.
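Review bot: The new `$valid_username` class is still a blocklist, so after adding `/` it continues to admit `\`, `:`, `#`, `[`, `]`, `|` and leading or trailing whitespace, and nothing on the line explains which characters are excluded for which reason. Since the commit starts using the username as a page id in the `User` namespace, `:` in particular looks worth confirming (it is the namespace separator in wiki-style page ids elsewhere), and `\` is worth excluding defensively. I would add a comment such as `// Blocklist: HTML-significant chars, SQL/URL wildcards, control chars and the page-id separator '/'; anything else (including multibyte UTF-8 bytes) is accepted` and extend the class to `'([^<>_&\?\'"%\n\r\t\a\/\\:]+)'` if `:` is indeed reserved. A positive allowlist would be easier to reason about, but that is a larger change than this hunk.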
@@ -578,19 +578,20 @@
$success = false;
// Escaped username
- $db_username = $this->prepare_text(strtolower($username));
+ $db_username_lower = $this->prepare_text(strtolower($username));
+ $db_username = $this->prepare_text($username);
// Select the user data from the table, and decrypt that so we can verify the password
- $this->sql('SELECT password,old_encryption,user_id,user_level,theme,style,temp_password,temp_password_time FROM '.table_prefix.'users WHERE lcase(username)=\''.$db_username.'\' OR username=\'' . $db_username . '\';');
+ $this->sql('SELECT password,old_encryption,user_id,user_level,theme,style,temp_password,temp_password_time FROM '.table_prefix.'users WHERE lcase(username)=\''.$db_username_lower.'\' OR username=\'' . $db_username . '\';');
if($db->numrows() < 1)
{
+ return "The username and/or password is incorrect.\n$db->latest_query";
// This wasn't logged in <1.0.2, dunno how it slipped through
if($level > USER_LEVEL_MEMBER)
$this->sql('INSERT INTO '.table_prefix.'logs(log_type,action,time_id,date_string,author,edit_summary,page_text) VALUES(\'security\', \'admin_auth_bad\', '.time().', \''.date('d M Y h:i a').'\', \''.$db->escape($username).'\', \''.$db->escape($_SERVER['REMOTE_ADDR']).'\', ' . intval($level) . ')');
else
$this->sql('INSERT INTO '.table_prefix.'logs(log_type,action,time_id,date_string,author,edit_summary) VALUES(\'security\', \'auth_bad\', '.time().', \''.date('d M Y h:i a').'\', \''.$db->escape($username).'\', \''.$db->escape($_SERVER['REMOTE_ADDR']).'\')');
- return "The username and/or password is incorrect.";
}
$row = $db->fetchrow();
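Review bot: The added `return "The username and/or password is incorrect.\n$db->latest_query";` sends the text of the last SQL statement (table prefix, column list and the submitted username) to whoever submitted a failed login, and because it is placed before the `INSERT INTO ... logs` branch, the `auth_bad` / `admin_auth_bad` security log entries below it are now unreachable. This looks like a debugging leftover rather than intended behaviour. I would delete that line and restore `return "The username and/or password is incorrect.";` after the `else` branch, where the removed line used to be. The enclosing login function starts before this hunk.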
@@ -1401,6 +1402,7 @@
$aes = new AESCrypt(AES_BITS, AES_BLOCKSIZE);
if(!preg_match('#^'.$this->valid_username.'$#', $username)) return 'The username you chose contains invalid characters.';
+ $user_orig = $username;
$username = $this->prepare_text($username);
$email = $this->prepare_text($email);
$real_name = $this->prepare_text($real_name);
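Review bot: The validation on the line above `$user_orig = $username;` uses `'#^'.$this->valid_username.'$#'` without the `D` modifier, so PCRE's `$` also matches before a trailing newline and a username ending in "\n" passes even though `\n` is in the excluded class; `$user_orig` then carries that byte into `sanitize_page_id()` and the ACL row. Given the commit's goal of UTF-8 usernames, the pattern is also matched byte-wise, so malformed UTF-8 sequences are accepted as well. Changing it to `if(!preg_match('#^'.$this->valid_username.'$#uD', $username)) return 'The username you chose contains invalid characters.';` closes both gaps (with `u`, preg_match returns false on invalid UTF-8, which the existing `!` check already treats as a rejection). The enclosing registration function starts before and ends after this hunk.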
@@ -1485,6 +1487,30 @@
$this->sql('INSERT INTO '.table_prefix.'users_extra(user_id) VALUES(' . $user_id . ');');
}
+ // Grant edit and very limited mod access to the userpage
+ $acl_data = array(
+ 'read' => AUTH_ALLOW,
+ 'view_source' => AUTH_ALLOW,
+ 'edit_page' => AUTH_ALLOW,
+ 'post_comments' => AUTH_ALLOW,
+ 'edit_comments' => AUTH_ALLOW, // only allows editing own comments
+ 'history_view' => AUTH_ALLOW,
+ 'history_rollback' => AUTH_ALLOW,
+ 'rename' => AUTH_ALLOW,
+ 'delete_page' => AUTH_ALLOW,
+ 'tag_create' => AUTH_ALLOW,
+ 'tag_delete_own' => AUTH_ALLOW,
+ 'tag_delete_other' => AUTH_ALLOW,
+ 'edit_cat' => AUTH_ALLOW,
+ 'create_page' => AUTH_ALLOW
+ );
+ $acl_data = $db->escape($this->perm_to_string($acl_data));
+ $userpage = $db->escape(sanitize_page_id($user_orig));
+ $cols = "target_type, target_id, page_id, namespace, rules";
+ $vals = ACL_TYPE_USER . ", $user_id, '$userpage', 'User', '$acl_data'";
+ $q = "INSERT INTO ".table_prefix."acl($cols) VALUES($vals);";
+ $this->sql($q);
+
// Require the account to be activated?
if ( $coppa )
{
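Review bot: The rule set granted to every newly registered user goes well beyond the "edit access" the commit message describes: `delete_page`, `rename`, `tag_delete_other` and `edit_cat` are moderation rights, and the comment above the array says "very limited mod access" without saying why these are needed. Because the row is keyed on `page_id = sanitize_page_id($user_orig)`, a user who exercises `rename` would presumably leave this ACL pointing at the old page id (and the renamed page unprotected by it) — worth confirming against how rename updates `page_id`. I would drop `'rename' => AUTH_ALLOW,`, `'delete_page' => AUTH_ALLOW,` and `'tag_delete_other' => AUTH_ALLOW,` unless each is deliberately intended, and document the remaining grants with a comment such as `// Self-service rights on the user's own User: page only; admins can still override via page protection`. The enclosing function continues past this hunk.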
diff -r 175776498ef1 -r c5dbad7ec2d0 themes/printable/css/default.css
--- a/themes/printable/css/default.css Tue Sep 18 00:31:22 2007 -0400
+++ b/themes/printable/css/default.css Tue Sep 18 16:29:26 2007 -0400
@@ -61,7 +61,7 @@
/* Well, not Midget and not comments (usually), but that's what the class is called ;-). Basically an informational window or used as a wrapper for tables. */
.mdg-comment, .mdg-infobox { margin-left: 1em; padding: 7px; border: 1px solid #AAAAAA; background-color: #E8E8E8; }
-.tblholder { margin: 10px 0 0 0; padding: 0; border: 1px solid #AAAAAA; background-color: #E8E8E8; }
+.tblholder { margin: 10px 0 0 0; padding: 0; border-width: 0 0 1px 1px; border-style: solid; border-color: #AAAAAA; background-color: #E8E8E8; }
/* The beautiful tables inside what may not obviously be mdg-comment divs */
div.tblholder td.row1 { padding: 4px; border-color: #E0E0E0; border-width: 1px 1px 0 0; border-style: solid; background-color: #FFFFFF; }