Mischa POSLAWSKY [Fri, 20 Apr 2018 13:44:50 +0000 (15:44 +0200)]
login: exclude cookie data from user name default
Apparently included in $_REQUEST in Xenat's PHP environment.
Mischa POSLAWSKY [Tue, 12 Dec 2017 21:49:42 +0000 (22:49 +0100)]
admin/visits: list entries of last logins
Mischa POSLAWSKY [Fri, 22 Dec 2017 23:57:49 +0000 (00:57 +0100)]
login: include form to set email address
Mischa POSLAWSKY [Fri, 22 Dec 2017 23:16:11 +0000 (00:16 +0100)]
login: prevent admin contents on profile subpages
Mischa POSLAWSKY [Fri, 22 Dec 2017 23:02:32 +0000 (00:02 +0100)]
login: move logged in message to static contents
Allow site customisation.
Mischa POSLAWSKY [Fri, 22 Dec 2017 22:49:13 +0000 (23:49 +0100)]
admin/pass: form to change current password
Mischa POSLAWSKY [Fri, 22 Dec 2017 22:37:30 +0000 (23:37 +0100)]
auth: reusable functions for password verification
Page to change passwords will need to run the same code.
Mischa POSLAWSKY [Tue, 12 Dec 2017 22:06:58 +0000 (23:06 +0100)]
admin: disallow access to unauthorised visitors
Regardless of login include, this page can now be retrieved separately
so needs its own user check.
Mischa POSLAWSKY [Tue, 12 Dec 2017 22:03:30 +0000 (23:03 +0100)]
login: move admin contents to separate page
Separates text from code and makes it more manageable.
Mischa POSLAWSKY [Tue, 12 Dec 2017 21:35:52 +0000 (22:35 +0100)]
login: introduction for admin users
Mischa POSLAWSKY [Tue, 12 Dec 2017 20:56:28 +0000 (21:56 +0100)]
admin/commits: smaller page size on login
Option ?pagesize to customise. Prefer later page number on change.
Mischa POSLAWSKY [Tue, 12 Dec 2017 20:53:55 +0000 (21:53 +0100)]
admin/commits: link dedicated page if included elsewhere
First page only at login overview.
Mischa POSLAWSKY [Tue, 12 Dec 2017 21:02:12 +0000 (22:02 +0100)]
login: include commits page for admins
Mischa POSLAWSKY [Tue, 12 Dec 2017 20:40:56 +0000 (21:40 +0100)]
admin/commits: order navigation links chronologically
Start with reoccurring link back to keep consistent placement.
Mischa POSLAWSKY [Tue, 12 Dec 2017 20:09:11 +0000 (21:09 +0100)]
admin/commits: page indication and navigation
Mischa POSLAWSKY [Tue, 12 Dec 2017 19:36:59 +0000 (20:36 +0100)]
admin/commits: page to list last git log messages
Mischa POSLAWSKY [Mon, 27 Nov 2017 23:38:16 +0000 (00:38 +0100)]
auth: support unhashed passwords
String comparison for anything not starting with dollar (which identifies
all modern crypts) to keep originals for later resend (deliberate user
friendliness over security).
Mischa POSLAWSKY [Sat, 21 Oct 2017 00:05:26 +0000 (02:05 +0200)]
page: show edit link for new pages
Only existing files can be writable. Otherwise parent directory should be
checked (recursively), but just assume unrestricted permissions for now.
Mischa POSLAWSKY [Sat, 21 Oct 2017 00:05:49 +0000 (02:05 +0200)]
edit: recursively create missing directories
Mischa POSLAWSKY [Fri, 6 Oct 2017 11:48:53 +0000 (13:48 +0200)]
login: preserve input value after failure
Mischa POSLAWSKY [Wed, 4 Oct 2017 22:58:16 +0000 (00:58 +0200)]
consistently use empty() to check user existence
Succinct without causing PHP notices even for array access.
Mischa POSLAWSKY [Wed, 4 Oct 2017 22:43:30 +0000 (00:43 +0200)]
login: save user access details to last.log
Mainly to check time of last successful login, with ip address and browser
to help debugging client issues (matching earlier data in forum columns
users.lastontime, users.lastip, users.useragent).
Mischa POSLAWSKY [Wed, 4 Oct 2017 22:34:11 +0000 (00:34 +0200)]
login: derive user permissions from .admin file
Replaces site-specific name exceptions.
Mischa POSLAWSKY [Tue, 3 Oct 2017 01:41:10 +0000 (03:41 +0200)]
edit: save changes as git commit
Assume direct access to repository if .git is writable, which is preferable
to daily crons to save authors and reedits.
Mischa POSLAWSKY [Wed, 4 Oct 2017 22:24:38 +0000 (00:24 +0200)]
login: log authenticated user in apache note
Allows user names to be logged instead of %u using LogFormat "%{user}n".
Mischa POSLAWSKY [Mon, 2 Oct 2017 20:45:09 +0000 (22:45 +0200)]
page: link user name in header bar to login page
Feature logout option.
Mischa POSLAWSKY [Mon, 2 Oct 2017 20:38:19 +0000 (22:38 +0200)]
login: separate include for unauthorised form
Static page for user contents to match edit.
Mischa POSLAWSKY [Mon, 2 Oct 2017 20:24:53 +0000 (22:24 +0200)]
login: store passwords in separate user files
Instead of unneeded .htpasswd compatibility, move password hashes into
simple login/$username/.passwd files.
Mischa POSLAWSKY [Sun, 17 Sep 2017 00:46:13 +0000 (02:46 +0200)]
login: show user after login; explicit option for logout
Mischa POSLAWSKY [Mon, 2 Oct 2017 19:59:12 +0000 (21:59 +0200)]
login: move title to static page
Allows custom introduction.
Mischa POSLAWSKY [Mon, 2 Oct 2017 00:12:00 +0000 (02:12 +0200)]
page: override request by given script path
Support direct requests of page.php/path for internal redirects.
Mischa POSLAWSKY [Fri, 29 Sep 2017 12:11:11 +0000 (14:11 +0200)]
edit: enable image uploads in ckeditor
Mischa POSLAWSKY [Fri, 29 Sep 2017 12:08:26 +0000 (14:08 +0200)]
edit: store file uploads to data/$year/
Mischa POSLAWSKY [Fri, 29 Sep 2017 12:02:14 +0000 (14:02 +0200)]
edit: extend abort() to output success messages
Mischa POSLAWSKY [Fri, 29 Sep 2017 11:11:10 +0000 (13:11 +0200)]
edit: replace double linebreaks by paragraphs
Works within lists, so currently the only workaround in CKEditor to create
multiple paragraphs for a list item.
Mischa POSLAWSKY [Fri, 29 Sep 2017 11:06:04 +0000 (13:06 +0200)]
edit: paste limited html, enforce filter on all events
Recent feature for more advanced restrictions, allowing rich text without
unwanted styling attributes. Unfortunately, the filter is not applied for
"internal" sources which apparently includes Word in Linux, so manually
execute for any contaminated contents.
Mischa POSLAWSKY [Thu, 28 Sep 2017 01:40:05 +0000 (03:40 +0200)]
edit: replace save confirmation by page close protection
Warn about exceptional unsaved changes (save pending or forgotten),
not about common save results.
Mischa POSLAWSKY [Thu, 28 Sep 2017 02:01:34 +0000 (04:01 +0200)]
edit: drop underline/strike from ckeditor toolbar
Should be used to mark insertions and deletions, but probably too technical
to warrant an accessible spot.
Mischa POSLAWSKY [Thu, 28 Sep 2017 01:16:07 +0000 (03:16 +0200)]
edit: drop rare options from ckeditor toolbar
- ShowBlocks not really interesting for simple structures; would be useful
for floating sections but these aren't supported.
- Anchor once used for article links, replaced by proper pages.
- RemoveFormat now done automatically on paste.
- Sourcedialog reordered at end since it's a last resort.
Mischa POSLAWSKY [Thu, 28 Sep 2017 00:47:51 +0000 (02:47 +0200)]
edit: copy page stylesheet for ckeditor contents
Replace hardcoded link specific to Excelsior by a generic solution.
Mischa POSLAWSKY [Tue, 19 Sep 2017 00:49:16 +0000 (02:49 +0200)]
page: omit edit link if unwritable
Mischa POSLAWSKY [Wed, 27 Sep 2017 22:59:28 +0000 (00:59 +0200)]
page: redirect to login on access denial
Mischa POSLAWSKY [Tue, 19 Sep 2017 00:43:19 +0000 (02:43 +0200)]
login: optionally redirect to ?goto
Upcoming feature to continue from forbidden requests.
Mischa POSLAWSKY [Mon, 18 Sep 2017 23:41:36 +0000 (01:41 +0200)]
edit: static edit link
Replace existing html instead of delayed append.
Mischa POSLAWSKY [Mon, 18 Sep 2017 23:33:35 +0000 (01:33 +0200)]
page: replace login placeholder by precomposed paragraph
Prepare for more elaborate user details.
Mischa POSLAWSKY [Sat, 16 Sep 2017 16:08:39 +0000 (18:08 +0200)]
page: save granted access for admin options
Page code will want to show encountered restrictions.
Mischa POSLAWSKY [Sat, 16 Sep 2017 15:41:40 +0000 (17:41 +0200)]
page: restore error display in page includes
Successful executions should not be silenced.
Mischa POSLAWSKY [Sat, 16 Sep 2017 15:11:46 +0000 (17:11 +0200)]
page: save document root for includes during shutdown
Current directory is unavailable in fatal error handler.
Mischa POSLAWSKY [Sat, 16 Sep 2017 15:11:03 +0000 (17:11 +0200)]
page: catch triggered php errors
Mischa POSLAWSKY [Sat, 16 Sep 2017 14:14:41 +0000 (16:14 +0200)]
page: silence php reporting of handled fatal errors
Prevent duplicate output.
Mischa POSLAWSKY [Sat, 16 Sep 2017 14:06:36 +0000 (16:06 +0200)]
page: .private to restrict access to subdirectories
Mischa POSLAWSKY [Sat, 16 Sep 2017 13:57:10 +0000 (15:57 +0200)]
page: unconditional declaration of getoutput()
Move up front to allow usage in fail() error handler.
Mischa POSLAWSKY [Fri, 15 Sep 2017 19:59:53 +0000 (21:59 +0200)]
edit: ignore html elements in sentence wrapping
Assume whitespace is safe to be wrapped anywhere. Exceptions could still
occur inside of tags, but deemed very unlikely. Rather have large code
blobs be counted as separate characters.
Mischa POSLAWSKY [Fri, 15 Sep 2017 18:54:24 +0000 (20:54 +0200)]
page: write edit includes from common script
Enforce on all sites, appending (editable) footer.html instead for
site-specific contents.
Mischa POSLAWSKY [Fri, 15 Sep 2017 17:33:50 +0000 (19:33 +0200)]
page: strip nested placeholder indicators
Allow replacements within replacements.
Mischa POSLAWSKY [Fri, 15 Sep 2017 17:32:23 +0000 (19:32 +0200)]
page: prefer page template from script root
Allow different defaults for prepending scripts.
Mischa POSLAWSKY [Fri, 15 Sep 2017 17:31:19 +0000 (19:31 +0200)]
edit: replace custom paragraph breaks by sentence wrapping
Attempt to improve readability of HTML source (and line-based diffs).
Mischa POSLAWSKY [Fri, 15 Sep 2017 14:07:00 +0000 (16:07 +0200)]
page: omit numeric placeholders during edit
Support automatically appended (not replaced) contents.
Mischa POSLAWSKY [Thu, 14 Sep 2017 20:36:08 +0000 (22:36 +0200)]
edit: reenforce xml slash in self-closing elements
Originally disabled to keep in line with legacy html,
but an outdated rule for new contents.
Mischa POSLAWSKY [Fri, 15 Sep 2017 13:42:59 +0000 (15:42 +0200)]
page: edit template in static contents
Allow post-processing by relevant scripts.
Mischa POSLAWSKY [Thu, 14 Sep 2017 15:45:48 +0000 (17:45 +0200)]
edit: allow any non-hidden filename
Mischa POSLAWSKY [Sun, 10 Sep 2017 14:33:51 +0000 (16:33 +0200)]
edit: enable placeholder plugin
User-friendly styling and control of dynamic parts.
Mischa POSLAWSKY [Thu, 14 Sep 2017 15:41:51 +0000 (17:41 +0200)]
edit: restore placeholders on edit
Mischa POSLAWSKY [Thu, 14 Sep 2017 15:44:57 +0000 (17:44 +0200)]
page: common getoutput() to replace placeholders
Mischa POSLAWSKY [Thu, 14 Sep 2017 15:41:12 +0000 (17:41 +0200)]
edit: create missing directories on save
Mischa POSLAWSKY [Thu, 14 Sep 2017 15:40:39 +0000 (17:40 +0200)]
edit: autostart mode on #edit hash
Mischa POSLAWSKY [Thu, 14 Sep 2017 15:40:08 +0000 (17:40 +0200)]
edit: right-align ckeditor toolbar
Avoid overlap with [static] titles.
Mischa POSLAWSKY [Wed, 13 Sep 2017 23:40:30 +0000 (01:40 +0200)]
page: catch fatal php errors
Mischa POSLAWSKY [Wed, 13 Sep 2017 22:59:16 +0000 (00:59 +0200)]
page: user-dependent filter menu links
Remove .logout items for users, .login for guests.
Mischa POSLAWSKY [Wed, 13 Sep 2017 20:20:22 +0000 (22:20 +0200)]
page: replace error scripts by editable html with placeholders
Mischa POSLAWSKY [Wed, 13 Sep 2017 19:51:47 +0000 (21:51 +0200)]
page: prepare static output before dynamic code
Give script includes full access to prepared html, greatly simplifying
buffer logic and allowing potential substitutions. Assumes small pages
since all data flushes are delayed (can be worked around if ever needed).
Mischa POSLAWSKY [Wed, 13 Sep 2017 18:03:32 +0000 (20:03 +0200)]
edit: replace executable check by filename validation
No more distinction in php files; prefer a-x.
Mischa POSLAWSKY [Wed, 13 Sep 2017 15:16:03 +0000 (17:16 +0200)]
page: return 500 status and page on php exceptions
Significantly catch syntax errors in editor saves.
Mischa POSLAWSKY [Wed, 13 Sep 2017 11:44:27 +0000 (13:44 +0200)]
page: rework script control
Do not match *.html contents to subrequests, only traverse parents for *.php
scripts which now support an additional output layer for appended output.
This allows parent code to prepare how its subpages will be displayed
(for example, a news directory can surround static articles with metadata).
Mischa POSLAWSKY [Wed, 13 Sep 2017 02:04:12 +0000 (04:04 +0200)]
login: avoid php notice on missing user
Mischa POSLAWSKY [Wed, 13 Sep 2017 02:00:59 +0000 (04:00 +0200)]
edit: toggle editor dynamically
Replace predetermined ?edit mode by javascript activation link in header.
Same results without page reload.
Mischa POSLAWSKY [Wed, 13 Sep 2017 02:00:15 +0000 (04:00 +0200)]
edit: distinct admin template for missing pages
Similar results to javascript modification but much easier to maintain.
Mischa POSLAWSKY [Tue, 12 Sep 2017 21:40:13 +0000 (23:40 +0200)]
page: exclude dynamic output from article container
Restrict editor to only static contents.
Mischa POSLAWSKY [Tue, 12 Sep 2017 21:39:35 +0000 (23:39 +0200)]
login: replace http authentication by cookie system
Extend PHP_AUTH/.htpasswd parser to also control input and storage
for complete control. No longer shares Apache access control; should be
replaced if still needed to prevent duplicate login requests.
Mischa POSLAWSKY [Tue, 12 Sep 2017 19:07:05 +0000 (21:07 +0200)]
page: include path in page includes
Prefer site customisations over minimedit defaults.
Mischa POSLAWSKY [Tue, 12 Sep 2017 18:56:23 +0000 (20:56 +0200)]
page: rename head includes
Site specific header from head.inc.html to head.inc.php to allow code,
replacing generic page container renamed to more appropriate page.inc.php.
Mischa POSLAWSKY [Tue, 12 Sep 2017 18:36:11 +0000 (20:36 +0200)]
page: skip head formatting for script overrides (edit)
Can be included explicitly if wanted.
Mischa POSLAWSKY [Tue, 12 Sep 2017 00:40:41 +0000 (02:40 +0200)]
page: global var to indicate edit mode
Mischa POSLAWSKY [Tue, 12 Sep 2017 00:19:31 +0000 (02:19 +0200)]
page: replace links to current page in menu include
Replaces similar client-side javascript on Excelsior for direct/static
results.
Mischa POSLAWSKY [Tue, 12 Sep 2017 00:16:37 +0000 (02:16 +0200)]
page: wrap menu in header container
Mischa POSLAWSKY [Tue, 12 Sep 2017 00:08:06 +0000 (02:08 +0200)]
page: route requests through global php handler
Move contents of all *.php pages to source *.html, to be included by
page.php depending on requested path. Dynamic contents can optionally be
added by corresponding *.php includes.
Mischa POSLAWSKY [Mon, 11 Sep 2017 23:57:41 +0000 (01:57 +0200)]
page: split head/foot includes
Separate menu.html for site-specific navigation from head.inc.html,
and move mandatory div/body closing tags out of foot.inc.php.
Mischa POSLAWSKY [Tue, 11 Jul 2017 16:13:46 +0000 (18:13 +0200)]
logout: clear user var to prevent disallowed edit option
Mischa POSLAWSKY [Tue, 11 Jul 2017 15:30:57 +0000 (17:30 +0200)]
login: replace page editability var by admin status
Code cleanup, same results.
Mischa POSLAWSKY [Tue, 11 Jul 2017 15:25:57 +0000 (17:25 +0200)]
page: authorise user logins at page start
Move from foot to head to allow usage in all pages.
Mischa POSLAWSKY [Tue, 11 Jul 2017 15:04:38 +0000 (17:04 +0200)]
login: custom welcome page after login
Mischa POSLAWSKY [Tue, 11 Jul 2017 15:57:03 +0000 (17:57 +0200)]
login: separate logout page
Move login fallback to a distinct page to allow forced relogin.
Mischa POSLAWSKY [Mon, 10 Jul 2017 04:49:41 +0000 (06:49 +0200)]
login: emulate apache authentication to check admin login
Send 401 response until user validates as admin (replacing ip whitelisting).
Assume all users except for generic 'lid' are allowed.
Mischa POSLAWSKY [Mon, 10 Jul 2017 03:20:16 +0000 (05:20 +0200)]
page: move client authentication to php include
Mischa POSLAWSKY [Tue, 11 Jul 2017 16:19:47 +0000 (18:19 +0200)]
edit: root include from parent directory on subpages
Mischa POSLAWSKY [Mon, 10 Jul 2017 01:52:57 +0000 (03:52 +0200)]
rename all html files to php
Server permissions to set "AddHandler application/x-httpd-php html"
may not be available. Appropriate extension should work everywhere.
Mischa POSLAWSKY [Mon, 10 Jul 2017 02:09:49 +0000 (04:09 +0200)]
convert ssi html files to php code
Replace includes by equivalent php: single head.inc.php sets up same static
head.inc.html but with mandatory edit container, and existing foot.inc.php
(similar ssi variant no longer needed).
Requires httpd to change .html handler from server-parsed (ssi) to
application/x-httpd-php.
Mischa POSLAWSKY [Mon, 10 Jul 2017 01:36:40 +0000 (03:36 +0200)]
edit: emulate ip authentication in php footer
Equivalent to .htaccess rules for SSI foot.inc.html.
Mischa POSLAWSKY [Mon, 10 Jul 2017 02:44:38 +0000 (04:44 +0200)]
edit: detect executable files as uneditable
Mischa POSLAWSKY [Mon, 10 Jul 2017 01:49:44 +0000 (03:49 +0200)]
404: convert error pages to php code
Only remaining usage of SSI aside from head/foot inclusion.