From e11876b7003c700fbc3717ca9c5af5aac3b72ac2 Mon Sep 17 00:00:00 2001
From: Joey Hess <joey@gnu.kitenet.net>
Date: Thu, 11 Feb 2010 18:25:10 -0500
Subject: [PATCH] httpauth: Add httpauth_pagespec setting that can be used to
 limit pages to only being edited via users authed with httpauth.

---
 IkiWiki.pm                 |  7 +++-
 IkiWiki/Plugin/httpauth.pm | 75 ++++++++++++++++++++++++++++----------
 debian/changelog           |  2 +
 doc/plugins/httpauth.mdwn  |  9 +++++
 4 files changed, 72 insertions(+), 21 deletions(-)

diff --git a/IkiWiki.pm b/IkiWiki.pm
index 2a0132745..de7dbfc79 100644
--- a/IkiWiki.pm
+++ b/IkiWiki.pm
@@ -941,7 +941,12 @@ sub linkpage ($) {
 sub cgiurl (@) {
 	my %params=@_;
 
-	return $config{cgiurl}."?".
+	my $cgiurl=$config{cgiurl};
+	if (exists $params{cgiurl}) {
+		$cgiurl=$params{cgiurl};
+		delete $params{cgiurl};
+	}
+	return $cgiurl."?".
 		join("&amp;", map $_."=".uri_escape_utf8($params{$_}), keys %params);
 }
 
diff --git a/IkiWiki/Plugin/httpauth.pm b/IkiWiki/Plugin/httpauth.pm
index d0d4da0b7..202ca1153 100644
--- a/IkiWiki/Plugin/httpauth.pm
+++ b/IkiWiki/Plugin/httpauth.pm
@@ -9,10 +9,10 @@ use IkiWiki 3.00;
 sub import {
 	hook(type => "getsetup", id => "httpauth", call => \&getsetup);
 	hook(type => "auth", id => "httpauth", call => \&auth);
-	hook(type => "canedit", id => "httpauth", call => \&canedit,
-		last => 1);
 	hook(type => "formbuilder_setup", id => "httpauth",
 		call => \&formbuilder_setup);
+	hook(type => "canedit", id => "httpauth", call => \&canedit);
+	hook(type => "pagetemplate", id => "httpauth", call => \&pagetemplate);
 }
 
 sub getsetup () {
@@ -28,13 +28,20 @@ sub getsetup () {
 			safe => 1,
 			rebuild => 0,
 		},
+		httpauth_pagespec => {
+			type => "pagespec",
+			example => "!*/Discussion",
+			description => "PageSpec of pages where only httpauth will be used for authentication",
+			safe => 0,
+			rebuild => 0,
+		},
 }
 			
-sub redir_cgiauthurl ($$) {
+sub redir_cgiauthurl ($;@) {
 	my $cgi=shift;
-	my $params=shift;
 
-	IkiWiki::redirect($cgi, $config{cgiauthurl}.'?'.$params);
+	IkiWiki::redirect($cgi, 
+		IkiWiki::cgiurl(cgiurl => $config{cgiauthurl}, @_));
 	exit;
 }
 
@@ -47,19 +54,6 @@ sub auth ($$) {
 	}
 }
 
-sub canedit ($$$) {
-	my $page=shift;
-	my $cgi=shift;
-	my $session=shift;
-
-	if (! defined $cgi->remote_user() && defined $config{cgiauthurl}) {
-		return sub { redir_cgiauthurl($cgi, $cgi->query_string()) };
-	}
-	else {
-		return undef;
-	}
-}
-
 sub formbuilder_setup (@) {
 	my %params=@_;
 
@@ -74,10 +68,51 @@ sub formbuilder_setup (@) {
 		push @$buttons, $button_text;
 
 		if ($form->submitted && $form->submitted eq $button_text) {
-			redir_cgiauthurl($cgi, "do=postsignin");
-			exit;
+			# bounce thru cgiauthurl and then back to
+			# the stored postsignin action
+			redir_cgiauthurl($cgi, do => "postsignin");
 		}
 	}
 }
 
+sub test_httpauth_pagespec ($) {
+	my $page=shift;
+
+	return defined $config{httpauth_pagespec} &&
+	       length $config{httpauth_pagespec} &&
+	       defined $config{cgiauthurl} &&
+	       pagespec_match($page, $config{httpauth_pagespec});
+}
+
+sub canedit ($$$) {
+	my $page=shift;
+	my $cgi=shift;
+	my $session=shift;
+
+	if (! defined $cgi->remote_user() && test_httpauth_pagespec($page)) {
+		return sub {
+			IkiWiki::redirect($cgi, 
+				$config{cgiauthurl}.'?'.$cgi->query_string());
+			exit;
+		};
+	}
+	else {
+		return undef;
+	}
+}
+
+sub pagetemplate (@_) {
+	my %params=@_;
+	my $template=$params{template};
+
+	if ($template->param("editurl") &&
+	    test_httpauth_pagespec($params{page})) {
+		# go directly to cgiauthurl when editing a page matching
+		# the pagespec
+		$template->param(editurl => IkiWiki::cgiurl(
+			cgiurl => $config{cgiauthurl},
+			do => "edit", page => $params{page}));
+	}
+}
+
 1
diff --git a/debian/changelog b/debian/changelog
index 3dd68558e..14be7ec69 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -19,6 +19,8 @@ ikiwiki (3.20100123) UNRELEASED; urgency=low
     alongside other authentication methods (like openid or anonok). Rather
     than always redirect to the cgiauthurl for authentication, there is now
     a button on the login form to use it.
+  * httpauth: Add httpauth_pagespec setting that can be used to limit
+    pages to only being edited via users authed with httpauth.
 
  -- Joey Hess <joeyh@debian.org>  Tue, 26 Jan 2010 22:25:33 -0500
 
diff --git a/doc/plugins/httpauth.mdwn b/doc/plugins/httpauth.mdwn
index a7aac558b..0eda5554f 100644
--- a/doc/plugins/httpauth.mdwn
+++ b/doc/plugins/httpauth.mdwn
@@ -24,3 +24,12 @@ A typical setup is to make an `auth` subdirectory, and symlink `ikiwiki.cgi`
 into it. Then configure the web server to require authentication only for
 access to the `auth` subdirectory. Then `cgiauthurl` is pointed at this
 symlink.
+
+## using only httpauth for some pages
+
+If you want to only use httpauth for editing some pages, while allowing
+other authentication methods to be used for other pages, you can
+configure `httpauth_pagespec` in the setup file. This makes Edit
+links on pages that match the [[ikiwiki/PageSpec]] automatically use
+the `cgiauthurl`, and prevents matching pages from being edited by
+users authentication via other methods.
-- 
2.32.0.93.g670b81a890