From ab1bba9daba5500e1b154579518369974cc6041a Mon Sep 17 00:00:00 2001
From: Joey Hess <joeyh@joeyh.name>
Date: Thu, 14 May 2015 11:37:47 -0400
Subject: cloak user PII when making commits etc, and let cloaked PII be used
 in banned_users

This was needed due to emailauth, but I've also wrapped all IP address
exposure in cloak(), although the function doesn't yet cloak IP addresses.

(One IP address I didn't cloak is the one that appears on the password
reset email template. That is expected to be the user's own IP address,
so ok to show it to them.)

Thanks to smcv for the pointer to
http://xmlns.com/foaf/spec/#term_mbox_sha1sum
---
 IkiWiki/CGI.pm | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

(limited to 'IkiWiki/CGI.pm')

diff --git a/IkiWiki/CGI.pm b/IkiWiki/CGI.pm
index d801c72a0..1763828a4 100644
--- a/IkiWiki/CGI.pm
+++ b/IkiWiki/CGI.pm
@@ -336,16 +336,19 @@ sub check_banned ($$) {
 
 	my $banned=0;
 	my $name=$session->param("name");
+	my $cloak=cloak($name) if defined $name;
 	if (defined $name && 
-	    grep { $name eq $_ } @{$config{banned_users}}) {
+	    grep { $name eq $_ || $cloak eq $_ } @{$config{banned_users}}) {
 		$banned=1;
 	}
 
 	foreach my $b (@{$config{banned_users}}) {
 		if (pagespec_match("", $b,
 			ip => $session->remote_addr(),
-			name => defined $name ? $name : "",
-		)) {
+			name => defined $name ? $name : "")
+		   || pagespec_match("", $b,
+		   	ip => cloak($session->remote_addr()),
+			name => defined $cloak ? $cloak : "")) {
 			$banned=1;
 			last;
 		}
-- 
cgit v1.2.3