Allow site config to be overridden by trusted users

edg2s · edg2s · commit d44b45693cf9 · 2021-12-07T14:23:26.000Z
Fixes #19
diff --git a/config.default.php b/config.default.php
@@ -14,7 +14,14 @@
 		'key' => null,
 		'secret' => null,
 		// OAuth admins can delete any wiki
-		'admins' => []
+		'admins' => [],
+		// These users can override site configs. This is the same level of trust as V+2,
+		// as those users can also execute arbitrary code.
+		'configurers' => [],
+		// Same as above, but regexes e.g. / \(WMF\)$/
+		'configurersMatch' => [],
+		// Instructions to request 'configurers' user status, e.g. "File a request <a href=...>here</a>."
+		'configurersRequestHtml' => '',
 	],
 	// Conduit API key for bot cross-posting to Phabricator
 	'conduitApiKey' => null,
diff --git a/css/common.css b/css/common.css
@@ -156,6 +156,14 @@ summary > .oo-ui-labelElement-label:not( .oo-ui-inline-help ) {
 	padding-left: 2px;
 }
 
+.form-siteConfig .oo-ui-inputWidget-input {
+	font-family: monospace, monospace;
+}
+
+.form-siteConfig-message {
+	font-style: italic;
+}
+
 @media ( min-width: 721px ) {
 	.enableNotifications {
 		margin-left: 40%;
diff --git a/includes.php b/includes.php
@@ -14,6 +14,7 @@
 include 'config.default.php';
 if ( file_exists( 'config.php' ) ) {
 	include 'config.php';
+	// TODO: Make this recursive
 	$config = array_merge( $config, $localConfig );
 }
 
@@ -406,6 +407,27 @@ function can_delete( string $creator = null ): bool {
 	return ( $username && $username === $creator ) || can_admin();
 }
 
+function can_configure(): bool {
+	global $config, $user, $useOAuth;
+	if ( !$useOAuth ) {
+		// Unauthenticated site
+		return true;
+	}
+	$username = $user ? $user->username : null;
+	$admins = $config[ 'oauth' ][ 'admins' ];
+	$configurers = $config[ 'oauth' ][ 'configurers' ];
+	if ( $username && in_array( $username, $admins, true ) ) {
+		return true;
+	}
+	$configurersMatch = $config[ 'oauth' ][ 'configurersMatch' ];
+	foreach ( $configurersMatch as $pattern ) {
+		if ( preg_match( $pattern, $username ) ) {
+			return true;
+		}
+	}
+	return false;
+}
+
 function can_admin(): bool {
 	global $config, $user, $useOAuth;
 	if ( !$useOAuth ) {
diff --git a/index.php b/index.php
@@ -139,6 +139,25 @@
 							'align' => 'left',
 						]
 					),
+					new OOUI\FieldLayout(
+						can_configure() ?
+							new OOUI\MultilineTextInputWidget( [
+								'classes' => [ 'form-siteConfig' ],
+								'name' => 'siteConfig',
+								'placeholder' => "e.g. \$wgSitename = 'Test wiki';",
+								'rows' => 3,
+							] ) :
+							new OOUI\LabelWidget( [
+								'classes' => [ 'form-siteConfig-message' ],
+								'label' => new OOUI\HtmlSnippet( 'Only approved users can modify site config. ' . $config['oauth']['configurersRequestHtml'] ),
+							] ),
+						[
+							'label' => 'Site config:',
+							'help' => new OOUI\HtmlSnippet( 'This config will be <strong>public</strong> on the wiki\'s main page.' ),
+							'helpInline' => true,
+							'align' => 'left',
+						]
+					),
 					new DetailsFieldLayout(
 						new OOUI\CheckboxMultiselectInputWidget( [
 							'classes' => [ 'form-repos' ],
diff --git a/new.php b/new.php
@@ -23,6 +23,7 @@
 $patches = trim( $_POST['patches'] );
 $announce = !empty( $_POST['announce'] );
 $language = trim( $_POST['language'] );
+$siteConfig = can_configure() ? trim( $_POST['siteConfig'] ) : '';
 
 $namePath = substr( md5( $branch . $patches . time() ), 0, 10 );
 $server = detectProtocol() . '://' . $_SERVER['HTTP_HOST'];
@@ -303,6 +304,17 @@ function set_progress( float $pc, string $label ) {
 	$allowedRepos[] = 'mediawiki/extensions/MobileFrontendContentProvider';
 }
 
+if ( $siteConfig ) {
+	$mainPage .= "\n;Extra config\n";
+	$tag = 'pre';
+	$attrs = '';
+	if ( in_array( 'mediawiki/extensions/SyntaxHighlight_GeSHi', $allowedRepos ) ) {
+		$tag = 'syntaxhighlight';
+		$attrs = ' lang="php"';
+	}
+	$mainPage .= "<$tag$attrs style=\"margin-left: 1.6em\">\n$siteConfig\n</$tag>";
+}
+
 foreach ( array_keys( $repos ) as $repo ) {
 	// Unchecked the checkbox
 	if ( $repo !== 'mediawiki/core' && !in_array( $repo, $allowedRepos ) ) {
@@ -416,6 +428,7 @@ static function ( string $repo ) use ( $repos ): bool {
 		'SERVERPATH' => $serverPath,
 		'LANGUAGE' => $language,
 		'REPOSITORIES' => $reposString,
+		'SITECONFIG' => $siteConfig,
 	]
 );
 if ( $error ) {
diff --git a/new/install.sh b/new/install.sh
@@ -30,6 +30,9 @@ while IFS=' ' read -r repo dir; do
 	fi
 done <<< "$REPOSITORIES"
 
+# apply settings from install form
+echo "$SITECONFIG" >> $PATCHDEMO/wikis/$NAME/w/LocalSettings.php
+
 # create htaccess
 echo "RewriteEngine On
 # main rewrite rule
