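#!/usr/bin/perl -w

# Webedit - a CGI website editor
# Copyright Jonathan Riddell (jr@jriddell.org) 2001
# May be copied under the terms of the GNU GPL only
#
# NOTE(review): the HTML markup of this listing was lost when the page was
# extracted (tags inside strings and heredocs were stripped). The markup
# below is rebuilt around the parameter names the code reads (username,
# password, file, filetext, saveas, newfile); button labels, textarea size
# and the wrapping tags are reconstructed, not original. The target of the
# "(Help!)" link is not recoverable, so it is rendered as plain text.

use strict;
use CGI qw(:standard);

# TODO: improve session management, maybe with cookies

# Hopefully this script will be portable to other sites by changing these
# variables.  %passwords is obvious.  $rootdir is where the webserver
# points to - don't follow it with a slash.  $this_script is the URL of
# this script.  @forbidden is a list of file or directory names that are not
# allowed to be edited - any path containing one of these (as a literal
# substring) cannot be edited.

# Needs to be run with Apache's suexec (see man suexec)

# NOTE(review): credentials are stored in plaintext in the script and are
# submitted with every request; $this_script is an http:// URL, so they
# travel unencrypted unless the site is served over HTTPS.
my %passwords = (
    foo => 'bar',
);
my $rootdir     = "/www/vhtdocs/foo";
my $this_script = "http://www.example.com/cgi-bin/webedit";
my @forbidden   = qw(template cgi-bin);
# NOTE(review): the log lives inside $rootdir and "webedit-log" is not in
# @forbidden, so it is presumably web-readable and editable through this
# tool - confirm, and consider moving it outside the document root.
my $logfile = $rootdir . "/webedit-log";

########

# Three-argument open: the mode can never be taken from the file name.
open(my $log_fh, '>>', $logfile) or die "Failed to open log file: $!";
my $logmessage    = "";
my $authenticated = 0;

print header(-type => 'text/html');

# POST keeps the username/password out of URLs and access logs.
my $form_action = html_escape($this_script);
print <<FIN;
<html>
<head><title>Website Editor for u19s</title></head>
<body>
<h1>Website Editor for u19s (Help!)</h1>
<form method="post" action="$form_action">
FIN

if (checkpassword()) {
    $authenticated = 1;
}
else {
    print "<p>Please enter username and password and file to open</p>\n";
}

# NOTE(review): the stripped markup appears to have carried the credentials
# forward in the form so that open/save/new keep working without a session;
# that is kept here, which means the password is embedded in every page.
print "<p>\n",
    'username: ',
    '<input type="text" name="username" value="',
    html_escape(scalar param('username')), '">', " \n",
    'password: ',
    '<input type="password" name="password" value="',
    html_escape(scalar param('password')), '">', " \n</p>\n";

# scalar() stops a repeated "file" parameter from expanding into several
# arguments when it is passed to savefile()/readfile().
my $requested = scalar param('file');
if (param('newfile') && $authenticated) {
    newfile();
}
elsif (param('saveas') && $authenticated) {
    savefile($requested);
}
elsif ($requested && $authenticated) {
    readfile($requested);
}
elsif (!$requested) {
    param(-name => 'file', -value => '/filename.html');
}

print "<p>\n",
    'file: ',
    '<input type="text" name="file" value="',
    html_escape(scalar param('file')), '">', " \n",
    '<input type="submit" value="Open">', " \n";
if (param('file')) {
    print '<input type="submit" name="saveas" value="Save">', " \n";
}
print '<input type="submit" name="newfile" value="New File">', "</p>\n";
print "</form>\n</body>\n</html>\n";

logmessage($logmessage);

# And now some subroutines

# Escapes the five HTML-significant characters so that request parameters,
# file contents and paths cannot inject markup into the page.  Returns the
# empty string for an undefined argument.
sub html_escape {
    my $text = shift;
    return '' unless defined $text;
    $text =~ s/&/&amp;/g;
    $text =~ s/</&lt;/g;
    $text =~ s/>/&gt;/g;
    $text =~ s/"/&quot;/g;
    $text =~ s/'/&#39;/g;
    return $text;
}

# Maps a requested site-relative name onto a path below $rootdir.
# Returns ($path, $allowed).  $allowed is false when the request contains a
# NUL byte or a ".." path segment (which would step outside $rootdir), or
# when the resulting path contains one of the @forbidden names.
# NOTE(review): symbolic links below $rootdir are not resolved here.
sub resolve_path {
    my $requested_name = shift;
    $requested_name = '' unless defined $requested_name;
    if (substr($requested_name, 0, 1) ne '/') {
        $requested_name = '/' . $requested_name;
    }
    my $path = $rootdir . $requested_name;

    return ($path, 0) if $requested_name =~ /\0/;
    return ($path, 0) if grep { $_ eq '..' } split m{/}, $requested_name;
    foreach my $name (@forbidden) {
        # Literal substring test: the entries are names, not patterns.
        return ($path, 0) if index($path, $name) >= 0;
    }
    return ($path, 1);
}

# Returns true if password and username match, else prints a message and
# returns false.
# NOTE(review): the two failure messages differ, which tells a caller
# whether a username exists.
sub checkpassword {
    my $username = scalar param('username');
    my $password = scalar param('password');
    return 0 unless $username;

    my $expected = $passwords{$username};
    if (!$expected) {
        $logmessage .= "Incorrect username: " . $username . " ";
        print "<p>Incorrect username</p>\n";
        return 0;
    }
    if ($password && $expected eq $password) {
        $logmessage .= "User: " . $username . " ";
        return 1;
    }
    $logmessage .= "Incorrect password from " . $username . " ";
    print "<p>Incorrect password</p>\n";
    return 0;
}

# Opens the file and prints it inside the edit box, if that is allowed.
# Returns 0 when nothing was read, 1 otherwise.
sub readfile {
    my ($file, $allowed) = resolve_path(shift);
    if (!$allowed) {
        print "<p>You are not allowed to access that file or directory</p>\n";
        $logmessage .= "Attempt to read forbidden file: $file ";
        return 0;
    }
    if (!-e $file) {
        print "<p>That file does not exist - creating a new one</p>\n";
        $logmessage .= "New file: $file ";
        newfile();
        return 0;
    }
    $file .= "/index.html" if -d $file;
    if (!-r $file) {
        print "<p>That file is not readable</p>\n";
        $logmessage .= "Non readable file: $file ";
        return 0;
    }

    # Explicit read mode: characters such as "|" or ">" in the name are
    # treated as part of the file name, never as an open() mode.
    open(my $in_fh, '<', $file) or die("Could not open: $!");
    my $content = do { local $/; <$in_fh> };
    close $in_fh;

    # Escaped so that a file containing "</textarea>" cannot break out of
    # the edit box.
    print '<textarea name="filetext" rows="25" cols="80">',
        html_escape($content), '</textarea>', "\n";
    $logmessage .= "File opened: $file ";
    return 1;
} # readfile()

# Prints out the edit box for a new file.
sub newfile {
    print <<FIN;
<textarea name="filetext" rows="25" cols="80">New File</textarea>
FIN
    $logmessage .= "New file ";
} # newfile()

# Saves the submitted text to the file, then shows it again in the edit box.
# Returns 0 when the save was refused, 1 otherwise.
sub savefile {
    my ($file, $allowed) = resolve_path(shift);
    if (!$allowed) {
        print "<p>You are not allowed to access that file or directory</p>\n";
        $logmessage .= "Attempt to save to forbidden file: $file ";
        return 0;
    }
    if (!-e $file) {
        print "<p>That file does not exist - saving to new file</p>\n";
        $logmessage .= "Saving to new file new file ";
    }
    $file .= "/index.html" if -d $file;
    if (-e $file && !-w $file) {
        print "<p>You do not have permition to write to that file</p>\n";
        $logmessage .= "No permitions to save to file: $file ";
        return 0;
    }

    my $text = scalar param('filetext');
    $text = '' unless defined $text;

    open(my $out_fh, '>', $file) or die("Could not open: $!");
    print {$out_fh} $text;
    close($out_fh) or die("Could not write: $!");

    # Parenthesised: "chmod 0664, $file || print ..." bound the || to $file,
    # so a chmod failure was never reported.
    chmod(0664, $file)
        or print "<p>Could not change permitions on file</p>\n";

    $logmessage .= "Save to file: $file ";
    print "<p>Saved to ", html_escape($file), "</p>\n";
    print '<textarea name="filetext" rows="25" cols="80">',
        html_escape($text), '</textarea>', "\n";
    return 1;
} # savefile()

# Appends one line to the log: timestamp, client host or address, message.
sub logmessage {
    my $message = shift;
    $message = '' unless defined $message;

    # localtime() months are 0-based and years are offset from 1900.
    my ($sec, $min, $hour, $mday, $mon, $year) = localtime(time());
    my $time = $mday . '/' . ($mon + 1) . '/' . ($year + 1900) . ' '
        . $hour . ':' . $min . '.' . $sec;

    my $remote_address =
        $ENV{'REMOTE_HOST'} ? $ENV{'REMOTE_HOST'} : $ENV{'REMOTE_ADDR'};
    $remote_address = 'unknown' unless defined $remote_address;

    # Usernames, file names and the reverse-DNS host name come from the
    # client; control characters are replaced so a request cannot add
    # extra lines to the log.
    my $entry = $time . ' ' . $remote_address . ' ' . $message;
    $entry =~ s/[\x00-\x1f\x7f]/ /g;
    print {$log_fh} $entry, "\n";
} # logmessage()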