Trusted Site Hack
This hack adds a configuration setting to wakka.config.php. When turned on, it looks up the domain name of any visitor who is not logged in and, if that name does not match one of the domains on the whitelist, prevents them from editing (unless they log in), even when the ACL is set to allow all visitors to edit. Ideally I would also change the message people see when they can't edit so that it explains why, but that has not been done yet.
You could of course simply set the default write ACL to require login, but in this case we have more flexibility - people in the trusted domains can still edit without logging in.
So far I've found one flaw. If the web server is behind a caching proxy, every connection will seem to come from within the domain. This completely obliterates the whole "trusted sites" concept. To alleviate that would require excluding the proxy; I'm not sure that can be done reliably, although it may still be worth a try. (In the situation where I came across it, only connections coming from outside the domain were proxied, so excluding the proxy would only affect people outside the trusted domain. This may not be true for other servers.)
In wakka.config.php, added:
<?php
"trusted_write_acl" => "1",
"trusted_whitelist" => "rutgers.edu",
?>
The "trusted_whitelist" can be a comma-separated list of domains. Setting "trusted_write_acl" to "0" should turn off the feature, but I haven't tested it. ;-)
In wakka.php, added just after the function HasAccess() section:
<?php
// TrustedSites hack to alleviate spamming
// returns true if the visitor's reverse-DNS hostname is in the trusted whitelist
function IsTrusted() {
    $truststring = $this->config["trusted_whitelist"];
    // split the comma-separated list and strip surrounding whitespace from every entry
    // (a plain foreach over a copy of each item would leave the array unchanged)
    $trustarray = array_map('trim', explode(",", $truststring));
    // reverse-DNS lookup of the connecting address; gethostbyaddr() returns the
    // address itself when no PTR record exists and false on malformed input
    $userhost = gethostbyaddr($_SERVER["REMOTE_ADDR"]);
    if ($userhost !== false) {
        foreach ($trustarray as $trusted) {
            if ($trusted === "") {
                continue; // ignore empty entries left by trailing commas
            }
            // case-insensitive substring match of the whitelisted domain in the hostname
            if (stristr($userhost, $trusted) !== false) {
                return true;
            }
        } // end of for loop
    } // end if $userhost has a value
    return false;
}
?>
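The stristr() test above accepts any hostname that merely contains the whitelisted string, and it takes the PTR name at face value. The following is an added example, not code from the hack or from Wakka, showing the two checks a defender would normally want instead: a match on a label boundary (exact domain or a subdomain of it) and forward-confirmed reverse DNS, where the PTR name only counts if it resolves back to the connecting address. The function names hostInDomain() and trustedClient(), the injected resolver callbacks, and all addresses and hostnames (192.0.2.x is the documentation range) are constructed for the demonstration.

```php
<?php
// Added example (not part of the Trusted Site Hack): stricter trust check.
// All function names, sample hosts and resolver callbacks are constructed.

/**
 * True if $host equals $domain or is a subdomain of it, matched on a label
 * boundary. stristr("rutgers.edu.example.net", "rutgers.edu") would match;
 * this function rejects it.
 */
function hostInDomain($host, $domain) {
    $host   = strtolower(rtrim($host, '.'));
    $domain = strtolower(trim($domain, " .\t"));
    if ($domain === '') {
        return false;                 // empty entries (trailing commas) never match
    }
    if ($host === $domain) {
        return true;
    }
    $suffix = '.' . $domain;
    return strlen($host) > strlen($suffix)
        && substr($host, -strlen($suffix)) === $suffix;
}

/**
 * Forward-confirmed reverse DNS against a comma-separated whitelist.
 * $reverse and $forward are injected so the logic runs offline here; in a
 * live server you would pass 'gethostbyaddr' and 'gethostbynamel'.
 */
function trustedClient($ip, $whitelist, $reverse, $forward) {
    $host = $reverse($ip);
    // gethostbyaddr() hands back the address itself when there is no PTR record
    if ($host === false || $host === $ip) {
        return false;
    }
    $addrs = $forward($host);
    if (!is_array($addrs) || !in_array($ip, $addrs, true)) {
        return false;                 // PTR name not confirmed by the forward lookup
    }
    foreach (explode(',', $whitelist) as $domain) {
        if (hostInDomain($host, $domain)) {
            return true;
        }
    }
    return false;
}

// --- constructed sample DNS data standing in for real lookups ---
$ptr = array(
    '192.0.2.10' => 'lab1.cs.rutgers.edu',      // genuine campus host
    '192.0.2.20' => 'rutgers.edu.example.net',  // substring would match, suffix does not
    '192.0.2.30' => 'lab2.cs.rutgers.edu',      // PTR claims campus, forward lookup disagrees
    '192.0.2.40' => '192.0.2.40',               // no PTR record at all
);
$fwd = array(
    'lab1.cs.rutgers.edu'     => array('192.0.2.10'),
    'rutgers.edu.example.net' => array('192.0.2.20'),
    'lab2.cs.rutgers.edu'     => array('198.51.100.5'),
);
$reverse = function ($ip) use ($ptr) { return isset($ptr[$ip]) ? $ptr[$ip] : $ip; };
$forward = function ($h)  use ($fwd) { return isset($fwd[$h]) ? $fwd[$h] : false; };

$whitelist = 'rutgers.edu, example.org,';   // note the spaces and trailing comma
foreach (array_keys($ptr) as $ip) {
    printf("%-12s %s\n", $ip, trustedClient($ip, $whitelist, $reverse, $forward) ? 'trusted' : 'denied');
}
// only 192.0.2.10 is reported as trusted; the other three are denied
```

Forward confirmation matters because the PTR record for an address is published by whoever controls the reverse zone for that address, so a name alone proves nothing about which domain the client belongs to. Neither check helps with the proxy problem described above: if every request arrives from the proxy's address, the proxy is what gets resolved.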
Also in wakka.php, changed the function HasAccess() to include the following, replacing the existing case "*":
<?php
            // everyone
            case "*":
                // first check if editing is restricted to "trusted" domains
                if ($this->config["trusted_write_acl"] === "1" && $privilege === "write") {
                    // It matters where you are from. You must be from a trusted domain or registered
                    if ($this->IsTrusted()) {
                        return !$negate;
                    } else {
                        return false;
                    }
                } else {
                    // we don't care where you are from! Go ahead, edit if the acl permits!
                    return !$negate;
                }
?>
Finally, some code to correctly write the configuration file in new installations, also in wakka.php, in the default configuration values section:
<?php
// default configuration values
// figure out the current domain, this will be "trusted" by default
$domainPieces = explode(".", $_SERVER["HTTP_HOST"]);
$numPieces = count($domainPieces);
// too simple - what happens if this host has more than 3 items in the name
// the following may be too broad for non-US sites that may look like www.yyy.co.zz - we would want the trustedDomain to be "yyy.co.zz"
if ($numPieces >= 2) {
    $trustedDomain = $domainPieces[$numPieces-2] . "." . $domainPieces[$numPieces-1];
} else {
    // single-label host such as "localhost": use it as-is instead of indexing before the start of the array
    $trustedDomain = $_SERVER["HTTP_HOST"];
}
$wakkaDefaultConfig = array(
    "mysql_host"           => "mysql.rci.rutgers.edu",
    "mysql_database"       => "username_wakka",
    "mysql_user"           => "",
    "table_prefix"         => "wakka_",
    "root_page"            => "HomePage",
    "wakka_name"           => "MyWakkaSite",
    "base_url"             => "http://" . $_SERVER["SERVER_NAME"]
                              . ($_SERVER["SERVER_PORT"] != 80 ? ":" . $_SERVER["SERVER_PORT"] : "")
                              . $_SERVER["REQUEST_URI"]
                              . (preg_match("/" . preg_quote("wakka.php") . "$/", $_SERVER["REQUEST_URI"]) ? "?wakka=" : ""),
    "rewrite_mode"         => (preg_match("/" . preg_quote("wakka.php") . "$/", $_SERVER["REQUEST_URI"]) ? "0" : "1"),
    "action_path"          => "actions",
    "handler_path"         => "handlers",
    "header_action"        => "header",
    "footer_action"        => "footer",
    "navigation_links"     => "PageIndex :: RecentChanges :: RecentlyCommented :: UserSettings",
    "referrers_purge_time" => 1,
    "pages_purge_time"     => 0,
    "hide_comments"        => 0,
    "default_write_acl"    => "*",
    "default_read_acl"     => "*",
    "default_comment_acl"  => "*",
    "trusted_write_acl"    => "1",
    "trusted_whitelist"    => $trustedDomain,
    "admin_users"          => "");
?>
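The two-label rule above breaks on more inputs than the co.zz case the comment mentions: HTTP_HOST carries whatever the request's Host header said, which may include a port ("wiki.example.edu:8080" would yield "example.edu:8080"), may be a bare IP address, or may be a single label such as "localhost". The following added example, not code from the hack or from Wakka, shows a derivation that copes with those inputs while keeping the author's two-label assumption (so the co.zz limitation stays as stated). The function name defaultTrustedDomain() and the sample Host values are constructed for the demonstration.

```php
<?php
// Added example (not part of the Trusted Site Hack): derive the install-time
// default for "trusted_whitelist" from a Host header value. The function name
// and the sample inputs below are constructed.

/**
 * Returns the domain to trust by default for a given Host header value.
 * Keeps the hack's "last two labels" rule for ordinary hostnames.
 */
function defaultTrustedDomain($httpHost) {
    $host = strtolower(trim($httpHost));

    // bracketed IPv6 literal, optionally with a port: "[2001:db8::1]:8080"
    if (preg_match('/^\[([^\]]+)\](?::\d+)?$/', $host, $m)) {
        return $m[1];
    }
    // drop an explicit port and a trailing dot
    $host = preg_replace('/:\d+$/', '', rtrim($host, '.'));

    // an IPv4 literal has no registrable domain; trust just that address
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        return $host;
    }
    $pieces = explode('.', $host);
    if (count($pieces) < 2) {
        return $host;                 // "localhost" and other single-label names
    }
    // the hack's rule: last two labels (still too broad for names like www.yyy.co.zz)
    return implode('.', array_slice($pieces, -2));
}

// constructed Host header values and what the derivation yields for each
$samples = array(
    'wiki.cs.rutgers.edu',        // rutgers.edu
    'wiki.example.edu:8080',      // example.edu   (port removed)
    'WIKI.Example.EDU.',          // example.edu   (case and trailing dot normalised)
    '192.0.2.50:8080',            // 192.0.2.50
    '[2001:db8::1]:8080',         // 2001:db8::1
    'localhost',                  // localhost
    'www.yyy.co.zz',              // co.zz         (the limitation the hack's comment describes)
);
foreach ($samples as $h) {
    printf("%-24s -> %s\n", $h, defaultTrustedDomain($h));
}
```

Because this default is taken from a request header during installation, it is worth reading the generated wakka.config.php afterwards and confirming that "trusted_whitelist" holds the domain you actually intend, rather than whatever name the install request happened to be addressed to.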
And one additional change, added in November 2007 to stop people who had created a method to register multiple times: this will stop anyone outside of the trusted sites' networks from registering, and it is overkill. What is really needed is a challenge/response registration system that emails a link which must be clicked to complete the registration.
In action/usersettings.php:
<?php
else // otherwise, proceed to registration
{
    // added by jpd - restrict registration to trusted sites, using TrustedSites hack
    if ($this->IsTrusted()) {
    // (only addition is the if clause, which encases the entire block -- the closing bracket must be added too but is not shown here)
?>