From 747e753466abdb15aff337424f0c6ae8fb470502 Mon Sep 17 00:00:00 2001
From: Deon George
Date: Tue, 21 Jul 2020 21:56:57 +1000
Subject: [PATCH] Editor security implemented, showing invalid routes to non existing *0x functions
---
 ctrl/videotex.ini | 2 +
 load/defs.js | 1 +
 load/funcs.js | 103 +++++++++++++++++++++++++------------
 main.js | 126 +++++++++++++++++++++++++++++++++++++---------
 4 files changed, 175 insertions(+), 57 deletions(-)
diff --git a/ctrl/videotex.ini b/ctrl/videotex.ini
index 0759615..7d3a1c9 100644
--- a/ctrl/videotex.ini
+++ b/ctrl/videotex.ini
@@ -14,8 +14,10 @@ logo=AWgBUkEBR04BQlMBWUkBbgE3AWt0ZXgBbg==
 [prefix:9]
 key=0@videotex
 logo=AWgBUkEBR04BQlMBWUkBbgE3AWt0ZXgBbg==
+user=1
 ; Ansitex Help Pages
 [prefix:516]
 key=516@videotex
 logo=AWgBUkEBR04BQlMBWUkBbgE3AWt0ZXgBbg==
+user=1
diff --git a/load/defs.js b/load/defs.js
index 9453bf2..24270ca 100644
--- a/load/defs.js
+++ b/load/defs.js
@@ -10,6 +10,7 @@ var ACTION_NEXT =4; /* Goto next frame */
 var ACTION_TERMINATE =5; /* Terminate the session */
 var ACTION_SUBMITRF =6; /* Submit form contents */
 var ACTION_STAR =7; /* Star command entry */
+var ACTION_EDIT =8; /* Edit a frame */
 var MODE_BL =1; /* Typing * command on baseline */
 var MODE_FIELD =2; /* Field Input */
diff --git a/load/funcs.js b/load/funcs.js
index fe3bc93..a9534c5 100644
--- a/load/funcs.js
+++ b/load/funcs.js
@@ -94,6 +94,37 @@ function getArg(key,error,abort) {
 }
 }
+function getPageOwners() {
+ // Load the owner configuration into memory
+ if (! pageowners.length) {
+ var f = new File(file_cfgname(system.mods_dir,'ansitex/ctrl/videotex.ini'));
+
+ if (f.open("r")) {
+ var logo = f.iniGetValue('prefix','logo');
+ var users = f.iniGetValue('prefix','user');
+ log(LOG_DEBUG,'+ pageOwner: users='+JSON.stringify(users));
+ pageowners.push({prefix: 0,logo: logo,user:users});
+
+ f.iniGetSections('prefix:').forEach(function (prefix) {
+ var p = parseInt(prefix.substr(7));
+ var logo = f.iniGetValue(prefix,'logo','');
+ var users = f.iniGetValue(prefix,'user','');
+ log(LOG_DEBUG,'+ pageOwner: users='+JSON.stringify(users));
+ pageowners.push({prefix: p,logo: logo,user: users});
+ });
+ }
+
+ f.close();
+
+ // Sort the pageowners ascending
+ pageowners.sort(compare);
+
+ log(LOG_DEBUG,'+ pageOwner: pageowners='+JSON.stringify(pageowners));
+ }
+
+ return pageowners;
+}
+
 function loadOptions() {
 ini = new File(file_cfgname(system.mods_dir,'ansitex/ctrl/videotex.ini'));
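Review bot: The editor lists read in `getPageOwners` are cached in `pageowners` for as long as that array stays populated, so removing a user from a `user=` line in videotex.ini is not picked up until the array is rebuilt; `pageowners` is declared outside the hunk, so how long that is cannot be confirmed from here. If revocation has to apply promptly, the cache needs a reload trigger, or at least a comment such as `// NOTE: editor lists are cached; changes to videotex.ini need a reload`. Separately, `parseInt(prefix.substr(7))` has no radix and a malformed section name yields `NaN`, which is then pushed as a prefix; `parseInt(prefix.substr(7), 10)` with an `isNaN(p)` skip would keep bad sections out of the permission table.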
@@ -143,44 +174,16 @@ function pageStr(page) {
 * @returns {undefined}
 */
 function pageOwner(page) {
- // Load the owner configuration into memory
- if (! pageowners.length) {
- var f = new File(file_cfgname(system.mods_dir,'ansitex/ctrl/videotex.ini'));
-
- if (f.open("r")) {
- var logo = f.iniGetValue('prefix','logo');
- pageowners.push({prefix: 0,logo: logo});
-
- f.iniGetSections('prefix:').forEach(function (prefix) {
- var p = parseInt(prefix.substr(7));
- var logo = f.iniGetValue(prefix,'logo','');
- pageowners.push({prefix: p,logo: logo});
- });
- }
-
- f.close();
-
- // Sort the pageowners ascending
- pageowners.sort(compare);
-
- log(LOG_DEBUG,'+ pageOwner: pageowners='+JSON.stringify(pageowners));
- }
-
 var BreakException = {};
- var pageowner = o = null;
+ var o = null;
 try {
- pageowners.forEach(function(owner) {
+ getPageOwners().forEach(function(owner) {
 var p = owner.prefix.toString();
 o = owner;
- //log(LOG_DEBUG,'- pageOwner: p='+p+'('+p.length+') ,o: '+o);
- match = '';
-
 var re = new RegExp('^' + p, 'g');
- if (page.toString().match(re) && (p.length > match.length)) {
- match = p;
- pageowner = o;
+ if (page.toString().match(re)) {
 //log(LOG_DEBUG,'= pageOwner: p='+p+',o: '+o);
 throw BreakException;
 }
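Review bot: The loop in `pageOwner` stops at the first prefix whose `^prefix` pattern matches, so when prefixes nest (say a `5` section and a `516` section) the owner a page gets depends entirely on the order produced by `compare`, which is outside this hunk. Because `o = owner` is assigned before the match test, a page that matches no prefix is returned with the last owner iterated rather than `null`. A comment stating the intent would help, e.g. `// first matching prefix wins; falls back to the last owner when nothing matches`. The docblock's `@returns {undefined}` does not describe the owner object that is returned.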
@@ -190,9 +193,43 @@ function pageOwner(page) {
 if (e !== BreakException) throw e;
 }
- //log(LOG_DEBUG,'+ pageOwner: page='+page+', owner: '+JSON.stringify(pageowner ? pageowner : o));
+ //log(LOG_DEBUG,'+ pageOwner: page='+page+', owner: '+JSON.stringify(o));
+ return o;
+}
- return pageowner ? pageowner : o;
+/**
+ * Can the user edit the frame
+ *
+ * @param page
+ * @param user
+ */
+function pageEditor(page) {
+ //log(LOG_DEBUG,'+ pageEditor: page='+page+', user #'+user.number);
+
+ var BreakException = {};
+ var pageditor = false;
+
+ try {
+ getPageOwners().forEach(function(owner) {
+ var p = owner.prefix.toString();
+ //log(LOG_DEBUG,' - pageEditor: '+JSON.stringify(owner));
+ frameusers = owner.user ? owner.user.toString().split(',') : [1];
+
+ log(LOG_DEBUG,' - pageEditor: p='+p+'('+p.length+') user ['+JSON.stringify(frameusers)+'] - :'+frameusers.indexOf(user.number.toString()));
+
+ var re = new RegExp('^' + p, 'g');
+ if (page.toString().match(re) && (frameusers.indexOf(user.number.toString()) == 1)) {
+ pageditor = true;
+ throw BreakException;
+ }
+ });
+
+ } catch (e) {
+ if (e !== BreakException) throw e;
+ }
+
+ //log(LOG_DEBUG,'+ pageEditor: page='+page+', editor: '+JSON.stringify(pageditor));
+ return pageditor;
 }
 function compare(a,b) {
diff --git a/main.js b/main.js
index d2577b2..9b072d0 100644
--- a/main.js
+++ b/main.js
@@ -29,6 +29,7 @@ while(bbs.online) {
 var inkey_timeout = 60000; // Timeout waiting for input
 var fo = null; // Current Frame
 var fn = null; // Current Field Number for an Input Frame
+ var fe = null; // Frame to edit
 var history = []; // Page history
 var cf = null; // Current Input Field
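Review bot: The membership test in `pageEditor` (load/funcs.js) compares `frameusers.indexOf(user.number.toString())` with `1`, which is true only when the user is the second entry of the list; with the `user=1` lines this commit adds to videotex.ini, user 1 sits at index 0 and is refused, while a list such as `3,7` would admit only user 7. The test should be `frameusers.indexOf(user.number.toString()) !== -1`. The fallback `[1]` holds a number, so the string lookup never matches it either; `['1']` keeps the intended default. `frameusers` is assigned without `var` and becomes a global, and the docblock lists `@param user` although the function reads the global `user`. Any matching prefix that lists the user grants edit, so a short prefix confers rights on every longer prefix beneath it; that deserves a comment if it is intended.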
@@ -166,52 +167,92 @@ while(bbs.online) {
 break;
 }
- // Edit specific frame
- if (cmd.match(/^04/) && read.match(/[a-z]/)) {
- // @todo
+ // Invalid system pages.
+ if (cmd.match(/^0[2367]/)) {
+ cursorOff();
+ sendBaseline(ERR_ROUTE, false);
 mode = action = false;
 cmd = '';
- cursorOff();
- sendBaseline(ERR_NOT_IMPLEMENTED,false);
+ }
+
+ // Edit specific frame
+ if (cmd.match(/^04/) && read.match(/[a-z]/)) {
+ var page = cmd.substr(2,cmd.length-1);
+
+ // If we are not a user
+ if (! user.number) {
+ cursorOff();
+ sendBaseline(ERR_ROUTE,false);
+ action = false;
+
+ } else {
+ fe = { frame: page, index: read };
+ cursorOff();
+ action = ACTION_EDIT;
+
+ log(LOG_DEBUG,'- MODE_BL: EDIT ['+JSON.stringify(fe)+']');
+ }
+
+ mode = false;
+ cmd = '';
+
 break;
 }
 // Bookmark frame
 if (cmd == '05') {
- // @todo
- mode = action = false;
- cmd = '';
- cursorOff();
- sendBaseline(ERR_NOT_IMPLEMENTED,false);
+ if (! user.number) {
+ cursorOff();
+ sendBaseline(ERR_ROUTE, false);
+ mode = action = false;
+ cmd = '';
+
+ } else {
+ // @todo
+ cursorOff();
+ sendBaseline(ERR_NOT_IMPLEMENTED,false);
+ mode = action = false;
+ cmd = '';
+ }
+
 break;
 }
 // Report Problem
 if (cmd == '08') {
- // @todo
- mode = action = false;
- cmd = '';
- cursorOff();
- sendBaseline(ERR_NOT_IMPLEMENTED,false);
+ if (! user.number) {
+ cursorOff();
+ sendBaseline(ERR_ROUTE, false);
+ mode = action = false;
+ cmd = '';
+
+ } else {
+ // @todo
+ cursorOff();
+ sendBaseline(ERR_NOT_IMPLEMENTED,false);
+ mode = action = false;
+ cmd = '';
+ }
+
 break;
 }
 // Reload frame
 if (cmd == '09') {
- // @todo
+ cursorOff();
 action = ACTION_GOTO;
 cmd = '';
- cursorOff();
 next_page = { frame: fo.frame, index: fo.index};
+
 break;
 }
 // Another star aborts the command
 if (read == '*') {
- mode = action = false;
 sendBaseline('',false);
- cmd = '';
 cursorOff();
+ mode = action = false;
+ cmd = '';
 if (cf) { // If there is a control for this field,
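Review bot: The new "Invalid system pages" branch (`cmd.match(/^0[2367]/)`) clears `mode`, `action` and `cmd` but, unlike every other branch in this hunk, has no `break;`, so execution continues into the checks below with an empty `cmd`; the code after the `if (read == '*')` block is outside the hunk, so the effect of that fall-through cannot be confirmed from here. Adding `break;` before the closing brace would make it match its siblings. In the `04` branch, `cmd.substr(2,cmd.length-1)` asks for more characters than remain, and `cmd.substr(2)` says the same thing more plainly. The `! user.number` test only separates guests from logged-in users; the per-frame permission is decided later in `ACTION_EDIT`, which is worth a one-line comment at this point.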
@@ -232,8 +273,6 @@ while(bbs.online) {
 // Nothing typed between * and # // *# means go back
 if (cmd == '') {
- mode = false;
- cursorOff();
 sendBaseline('',false);
 action = ACTION_BACKUP;
@@ -243,10 +282,14 @@ while(bbs.online) {
 // Edit frame
 } else if (cmd == '04') {
- mode = action = false;
+ // If we are not a user
+ if (! user.number) {
+ sendBaseline(ERR_ROUTE,false);
+ action = false;
- require('ansitex/load/edit.js','CONTROL_EDIT');
- control.push(new edit(fo));
+ } else {
+ action = ACTION_EDIT;
+ }
 } else {
 next_page = { frame: cmd };
@@ -634,6 +677,41 @@ while(bbs.online) {
 break;
 }
+ // Edit a frame
+ case ACTION_EDIT:
+ log(LOG_DEBUG,'- ACTION_EDIT: ['+JSON.stringify(fe)+']');
+
+ if (! pageEditor(fe ? fe.frame : fo.frame)) {
+ cursorOff();
+ sendBaseline(ACCESS_DENIED,false);
+ action = false;
+ break;
+ }
+
+ require('ansitex/load/edit.js','CONTROL_EDIT');
+
+ // @todo validate that the user is authorised to edit it.
+ // If we are editing a specific frame, attempt to load it
+ if (fe) {
+ current = fo;
+ fo = new TexFrame();
+ fo.load(pageStr(fe));
+
+ if (fo.page == null) {
+ fo = current;
+ // sendbaseline ERR_PAGE
+ sendBaseline(ERR_ROUTE,false);
+ mode = action = false;
+ break;
+ }
+ }
+
+ control.push(new edit(fo));
+
+ mode = false;
+ action = false;
+ break;
+
 // Goto specific page
 case ACTION_GOTO:
 log(LOG_DEBUG,'- ACTION_GOTO: ['+(next_page ? pageStr(next_page) : '')+']');
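Review bot: The `*04#` branch (`} else if (cmd == '04')`) sets `action = ACTION_EDIT` without clearing `fe`, while the `ACTION_EDIT` handler picks `fe ? fe.frame : fo.frame` and does not reset `fe` in the lines shown. After an earlier `*04<page><letter>` command, "edit the current frame" would therefore be checked against, and open, the earlier page instead of the one on screen. Unless `fe` is reset somewhere outside these hunks, add `fe = null;` before `action = ACTION_EDIT;` in this branch.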
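Review bot: The refusal path in `case ACTION_EDIT` sends `ACCESS_DENIED`, a name that does not follow the `ERR_*` constants used elsewhere in this file and is not among the definitions this commit adds to load/defs.js; if it is not defined elsewhere, the denial raises a ReferenceError instead of showing a message. Confirm the constant exists or use the project's `ERR_` equivalent. `current = fo;` is assigned without `var` and becomes a global. The comment `// @todo validate that the user is authorised to edit it.` is out of date now that `pageEditor()` runs above it; reword it, for instance `// permission already checked by pageEditor() above`.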