fu ([personal profile] fu) wrote in [site community profile] changelog2010-07-01 10:52 am

[dw-free] With save password off, xposter does not chal/resp the password on edit, only update

[commit: http://hg.dwscoalition.org/dw-free/rev/6d97226eea40]

http://bugs.dwscoalition.org/show_bug.cgi?id=2667

Fix crossposting when editing an entry while the password is not saved.

Patch by [personal profile] allen.

Files modified:
  • cgi-bin/weblib.pl
  • htdocs/editjournal.bml
  • htdocs/js/xpost.js
--------------------------------------------------------------------------------
diff -r 4cd29aaf2434 -r 6d97226eea40 cgi-bin/weblib.pl
--- a/cgi-bin/weblib.pl	Thu Jul 01 15:55:26 2010 +0800
+++ b/cgi-bin/weblib.pl	Thu Jul 01 18:58:17 2010 +0800
@@ -1722,11 +1722,16 @@ MOODS
             $out .= "<span class='inputgroup-right'>";
             # extra submit button so make sure it posts the form when person presses enter key
             if ($opts->{'mode'} eq "edit") {
-                $out .= "<input type='submit' name='action:save' class='hidden_submit' />";
+                $out .= "<input type='submit' name='action:save' class='hidden_submit xpost_submit' />";
             }
             if ($opts->{'mode'} eq "update") {
-                $out .= "<input type='submit' name='action:update' class='hidden_submit' />";
+                $out .= "<input type='submit' name='action:update' class='hidden_submit xpost_submit' />";
             }
+
+            # submit_value field to emulate the submit button selected if we
+            # have to submit with javascript
+            $out .= "<input type='hidden' name='submit_value' />";
+
             my $preview;
             $preview    = "<input type='button' value='" . BML::ml('entryform.preview') . "' onclick='entryPreview(this.form)' tabindex='" . $tabindex->() . "' />";
             if(!$opts->{'disabled_save'}) {
@@ -1917,7 +1922,9 @@ PREVIEW
             $$onload .= " changeSecurityOptions('$defaultjournal');" unless $opts->{'security'};
 
             $out .= LJ::html_submit('action:update', BML::ml('entryform.update4'),
-                    { 'onclick' => $onclick, 'class' => 'submit', 'id' => 'formsubmit',
+                    { 'onclick' => $onclick, 
+                      'class' => 'submit xpost_submit', 
+                      'id' => 'formsubmit',
                       'tabindex' => $tabindex->() }) . "&nbsp;\n";
         }
 
@@ -1927,17 +1934,23 @@ PREVIEW
 
             if (!$opts->{'disabled_save'}) {
                 $out .= LJ::html_submit('action:save', BML::ml('entryform.save'),
-                                        { 'onclick' => $onclick, 'disabled' => $opts->{'disabled_save'},
+                                        { 'onclick' => $onclick, 
+                                          'disabled' => $opts->{'disabled_save'},
+                                          'class' => 'xpost_submit',
                                           'tabindex' => $tabindex->() }) . "&nbsp;\n";
             } elsif ( $opts->{maintainer_mode} ) {
                 $out .= LJ::html_submit('action:savemaintainer', BML::ml('entryform.save.maintainer'),
-                                        { 'onclick' => $onclick, 'disabled' => !$opts->{'maintainer_mode'},
+                                        { 'onclick' => $onclick, 
+                                          'disabled' => !$opts->{'maintainer_mode'},
+                                          'class' => 'xpost_submit',
                                           'tabindex' => $tabindex->() }) . "&nbsp;\n";
             }
 
             if (!$opts->{'disabled_save'} && $opts->{suspended} && !$opts->{unsuspend_supportid}) {
                 $out .= LJ::html_submit('action:saveunsuspend', BML::ml('entryform.saveandrequestunsuspend2'),
-                                        { 'onclick' => $onclick, 'disabled' => $opts->{'disabled_save'},
+                                        { 'onclick' => $onclick, 
+                                          'disabled' => $opts->{'disabled_save'},
+                                          'class' => 'xpost_submit',
                                           'tabindex' => $tabindex->() }) . "&nbsp;\n";
             }
 
@@ -1946,12 +1959,14 @@ PREVIEW
             my $delete_onclick = "return XPostAccount.confirmDelete('" . LJ::ejs(BML::ml('entryform.delete.confirm')) . "', '" . LJ::ejs(BML::ml('entryform.delete.xposts.confirm')) . "')";
             $out .= LJ::html_submit('action:delete', BML::ml('entryform.delete'), {
                 'disabled' => $opts->{'disabled_delete'},
+                'class' => 'xpost_submit',
                 'tabindex' => $tabindex->(),
                 'onclick' => $delete_onclick }) . "&nbsp;\n";
 
             if (!$opts->{'disabled_spamdelete'}) {
                 $out .= LJ::html_submit('action:deletespam', BML::ml('entryform.deletespam'), {
                     'onclick' => "return confirm('" . LJ::ejs(BML::ml('entryform.deletespam.confirm')) . "')",
+                    'class' => 'xpost_submit',
                     'tabindex' => $tabindex->() }) . "\n";
             }
         }
diff -r 4cd29aaf2434 -r 6d97226eea40 htdocs/editjournal.bml
--- a/htdocs/editjournal.bml	Thu Jul 01 15:55:26 2010 +0800
+++ b/htdocs/editjournal.bml	Thu Jul 01 18:58:17 2010 +0800
@@ -189,6 +189,12 @@ body<=
             ###
             ### SAVE EDITS
             ###
+
+            # add in this value in case we had to submit the form using
+            # javascript
+            if ( $POST{'submit_value'} ) {
+                $POST{$POST{'submit_value'}} = 1;
+            }
 
             # are we spellchecking before we post?
             my $spellcheck_html;
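Review bot: The added `$POST{$POST{'submit_value'}} = 1;` uses a request-supplied string as a hash key with no check, so one form field can set or overwrite any entry in `%POST`, not only the `action:*` button names this commit is meant to emulate. The client already controls the rest of the POST body, so this is mainly about keeping the handler's inputs predictable, but constraining the key is cheap: `if ( $POST{'submit_value'} && $POST{'submit_value'} =~ /\Aaction:\w+\z/ ) {`. That pattern covers every button name visible in the cgi-bin/weblib.pl hunks. The enclosing save-edits block starts and ends outside this hunk, so whether any key read later is expected to be server-set cannot be confirmed from here.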
diff -r 4cd29aaf2434 -r 6d97226eea40 htdocs/js/xpost.js
--- a/htdocs/js/xpost.js	Thu Jul 01 15:55:26 2010 +0800
+++ b/htdocs/js/xpost.js	Thu Jul 01 18:58:17 2010 +0800
@@ -42,6 +42,16 @@ XPostAccount = new Class(Object, {
       }
     },
 
+    /**
+     * does an ajax call for challenge/response, so if we have an xpost account
+     * where we're not saving the password, we can avoid sending the password
+     * in plaintext.  also checks to see if a required password is not filled
+     * in.
+     *
+     * returns true if this account requires a password and some work has
+     * to be done, false if this account doesn't need a password to be
+     * provided in the form.
+     */
     doChallengeResponse: function () {
       var xpost_button = $("prop_xpost_check");
 
@@ -55,7 +65,7 @@ XPostAccount = new Class(Object, {
           this.setError(xpostPwRequired);
           this.failed = true;
           this.locked = false;
-          return;
+          return true;
         }
         this.setMessage(xpostCheckingMessage + "<input type='button' onclick='XPostAccount.cancelSubmit()' value='" + xpostCancelLabel + "'/>");
 
@@ -67,7 +77,10 @@ XPostAccount = new Class(Object, {
           "onData": this.gotInfo.bind(this)
         };
         window.parent.HTTPReq.getJSON(opts);
+
+        return true;
       }
+      return false;
     },
 
     gotError: function (err) {
@@ -203,9 +216,23 @@ XPostAccount.setUpXpostForm = function (
   if ( ! updateForm ) return;
 
   DOM.addEventListener(updateForm, "submit", XPostAccount.xpostFormSubmitted.bindEventListener(updateForm));
+
+  var domObjects = document.getElementsByTagName("input");
+  var submitButtons = DOM.filterElementsByClassName(domObjects, "xpost_submit") || [];
+  for (var i = 0; i < submitButtons.length; i++) {
+    DOM.addEventListener(submitButtons[i], "click", XPostAccount.saveSubmitValue.bindEventListener(submitButtons[i]));
+  }
+
   XPostAccount.loadAccounts();
   XPostAccount.xpostAcctUpdated();
   XPostAccount.updateXpostFromJournal(xpostUser);
+}
+
+/**
+ *  Saves the value for the submit button selected.
+ */
+XPostAccount.saveSubmitValue = function () {
+  XPostAccount.submitName = this.name;
 }
 
 // When the form is submitted, compute the challenge response and clear out the plaintext password field
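Review bot: `XPostAccount.saveSubmitValue` records the clicked button's name on every click and nothing in the visible hunks clears it, so the value can outlive the click that set it. The delete button in cgi-bin/weblib.pl carries both the `xpost_submit` class and a confirm `onclick`; if the user declines the confirmation, `submitName` may still be left as `action:delete` and would be copied into `submit_value` by a later `doFormSubmit` that was not preceded by a fresh click. Whether such a path exists depends on code outside this diff, so a reset is the cheap guard: add `XPostAccount.submitName = null;` in `XPostAccount.doCancel` and once the value has been copied into the hidden field.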
@@ -217,14 +244,18 @@ XPostAccount.xpostFormSubmitted = functi
 
   if (! XPostAccount.skipChecks) {
 
-    $('formsubmit').disabled=true;
-    evt.preventDefault();
-
+    var preventDefault = false;
     for (var i = 0; i < XPostAccount.accounts.length; i++) {
-      XPostAccount.accounts[i].doChallengeResponse();
+      if (XPostAccount.accounts[i].doChallengeResponse()) {
+        preventDefault = true;
+      }
     }
 
-    XPostAccount.checkComplete();
+    if (preventDefault) {
+      XPostAccount.setSubmitDisabled(true);
+      evt.stop();
+      XPostAccount.checkComplete();
+    }
   }
 }
 
@@ -265,7 +296,7 @@ XPostAccount.doCancel = function() {
   for (var i = 0; i < XPostAccount.accounts.length; i++) {
     XPostAccount.accounts[i].clearSettings();
   }
-  $('formsubmit').disabled=false;
+  XPostAccount.setSubmitDisabled(false);
 }
 
 XPostAccount.doSpellcheck = function() {
@@ -281,9 +312,21 @@ XPostAccount.doFormSubmit = function() {
   for (var i = 0; i < XPostAccount.accounts.length; i++) {
     XPostAccount.accounts[i].clearPassword();
   }
+  // we can't properly emulate pressing the submit button, so instead include
+  // the value here.
+  updateForm['submit_value'].value = XPostAccount.submitName;
   updateForm.submit();
 
   return false;
 }
 
+// sets the disabled status of all xpost_submit buttons.
+XPostAccount.setSubmitDisabled = function(value) {
+  var domObjects = document.getElementsByTagName("input");
+  var submitButtons = DOM.filterElementsByClassName(domObjects, "xpost_submit") || [];
+  for (var i = 0; i < submitButtons.length; i++) {
+    submitButtons[i].disabled=value;
+  }
+}
+
 LiveJournal.register_hook("page_load", XPostAccount.setUpXpostForm);
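Review bot: `updateForm['submit_value'].value = XPostAccount.submitName;` writes the string "undefined" into the hidden field when no `xpost_submit` button was clicked before the scripted submit, because `submitName` is only assigned in the click listener. The handler in htdocs/editjournal.bml would then set a `%POST` key of that name and no `action:*` key; what it does without one is not visible here. A fallback keeps the field empty in that case: `updateForm['submit_value'].value = XPostAccount.submitName || "";`. Separately, `setSubmitDisabled` repeats the `getElementsByTagName`/`filterElementsByClassName` lookup from `setUpXpostForm`, and a small shared helper would keep the two in step.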
--------------------------------------------------------------------------------