Category lists and WikiReferences restrict to current Web.

Fix one sanitization test.

app/controllers/revision_sweeper.rb

@@ -22,7 +22,7 @@ class RevisionSweeper < ActionController::Caching::Sweeper
   
   def expire_caches(page)
     expire_cached_summary_pages(page.web)
-    pages_to_expire = ([page.name] + WikiReference.pages_that_reference(page.name)).uniq
+    pages_to_expire = ([page.name] + WikiReference.pages_that_reference(page.web, page.name)).uniq
     pages_to_expire.each { |page_name| expire_cached_page(page.web, page_name) }
   end
 

app/controllers/wiki_controller.rb

@@ -348,11 +348,11 @@ class WikiController < ApplicationController
   end
 
   def parse_category
-    @categories = WikiReference.list_categories.sort
+    @categories = WikiReference.list_categories(@web).sort
     @category = params['category']
     if @category
       @set_name = "category '#{@category}'"
-      pages = WikiReference.pages_in_category(@category).sort.map { |page_name| @web.page(page_name) }
+      pages = WikiReference.pages_in_category(@web, @category).sort.map { |page_name| @web.page(page_name) }
       @pages_in_category = PageSet.new(@web, pages)
     else
       # no category specified, return all pages of the web

app/models/page_set.rb

@@ -31,17 +31,17 @@ class PageSet < Array
   end
   
   def pages_that_reference(page_name)
-    all_referring_pages = WikiReference.pages_that_reference(page_name)
+    all_referring_pages = WikiReference.pages_that_reference(@web, page_name)
     self.select { |page| all_referring_pages.include?(page.name) }
   end
   
   def pages_that_link_to(page_name)
-    all_linking_pages = WikiReference.pages_that_link_to(page_name)
+    all_linking_pages = WikiReference.pages_that_link_to(@web, page_name)
     self.select { |page| all_linking_pages.include?(page.name) }
   end
 
   def pages_that_include(page_name)
-    all_including_pages = WikiReference.pages_that_include(page_name)
+    all_including_pages = WikiReference.pages_that_include(@web, page_name)
     self.select { |page| all_including_pages.include?(page.name) }
   end
 
@@ -85,7 +85,7 @@ class PageSet < Array
 
   def wiki_words
     self.inject([]) { |wiki_words, page|
-      wiki_words + page.wiki_words
+        wiki_words + page.wiki_words
     }.flatten.uniq.sort
   end
 

app/models/wiki_reference.rb

@@ -11,43 +11,53 @@ class WikiReference < ActiveRecord::Base
   belongs_to :page
   validates_inclusion_of :link_type, :in => [LINKED_PAGE, WANTED_PAGE, INCLUDED_PAGE, CATEGORY, AUTHOR, FILE, WANTED_FILE]
 
-  # FIXME all finders below MUST restrict their results to pages belonging to a particular web
-
   def self.link_type(web, page_name)
     web.has_page?(page_name) ? LINKED_PAGE : WANTED_PAGE
   end
 
-  def self.pages_that_reference(page_name)
-    query = 'SELECT name FROM pages JOIN wiki_references ON pages.id = wiki_references.page_id ' +
-        'WHERE wiki_references.referenced_name = ?' +
-        "AND wiki_references.link_type in ('#{LINKED_PAGE}', '#{WANTED_PAGE}', '#{INCLUDED_PAGE}')"
+  def self.pages_that_reference(web, page_name)
+    query = 'SELECT name FROM pages JOIN wiki_references ' +
+      'ON pages.id = wiki_references.page_id ' +
+      'WHERE wiki_references.referenced_name = ? ' +
+      "AND wiki_references.link_type in ('#{LINKED_PAGE}', '#{WANTED_PAGE}', '#{INCLUDED_PAGE}') " +
+      "AND pages.web_id = '#{web.id}'"
     names = connection.select_all(sanitize_sql([query, page_name])).map { |row| row['name'] }
   end
 
-  def self.pages_that_link_to(page_name)
-    query = 'SELECT name FROM pages JOIN wiki_references ON pages.id = wiki_references.page_id ' +
-        'WHERE wiki_references.referenced_name = ? ' +
-        "AND wiki_references.link_type in ('#{LINKED_PAGE}', '#{WANTED_PAGE}')"
+  def self.pages_that_link_to(web, page_name)
+    query = 'SELECT name FROM pages JOIN wiki_references ' +
+      'ON pages.id = wiki_references.page_id ' +
+      'WHERE wiki_references.referenced_name = ? ' +
+      "AND wiki_references.link_type in ('#{LINKED_PAGE}','#{WANTED_PAGE}') " +
+      "AND pages.web_id = '#{web.id}'"
+    names = connection.select_all(sanitize_sql([query, page_name])).map { |row| row['name'] }
+  end
+  
+  def self.pages_that_include(web, page_name)
+    query = 'SELECT name FROM pages JOIN wiki_references ' +
+      'ON pages.id = wiki_references.page_id ' +
+      'WHERE wiki_references.referenced_name = ? ' +
+      "AND wiki_references.link_type = '#{INCLUDED_PAGE}' " +
+      "AND pages.web_id = '#{web.id}'"
     names = connection.select_all(sanitize_sql([query, page_name])).map { |row| row['name'] }
   end
 
-  def self.pages_that_include(page_name)
-    query = 'SELECT name FROM pages JOIN wiki_references ON pages.id = wiki_references.page_id ' +
-        'WHERE wiki_references.referenced_name = ? ' +
-        "AND wiki_references.link_type = '#{INCLUDED_PAGE}'"
-    names = connection.select_all(sanitize_sql([query, page_name])).map { |row| row['name'] }
-  end
-
-  def self.pages_in_category(category)
+  def self.pages_in_category(web, category)
     query = 
-        'SELECT name FROM pages JOIN wiki_references ON pages.id = wiki_references.page_id ' +
-        'WHERE wiki_references.referenced_name = ? ' +
-        "AND wiki_references.link_type = '#{CATEGORY}'"
+      "SELECT name FROM pages JOIN wiki_references " +
+      "ON pages.id = wiki_references.page_id " +
+      "WHERE wiki_references.referenced_name = ? " +
+      "AND wiki_references.link_type = '#{CATEGORY}' " +
+      "AND pages.web_id = '#{web.id}'"
     names = connection.select_all(sanitize_sql([query, category])).map { |row| row['name'] }
   end
   
-  def self.list_categories
-    query = "SELECT DISTINCT referenced_name FROM wiki_references WHERE link_type = '#{CATEGORY}'"
+  def self.list_categories(web)
+    query = "SELECT DISTINCT wiki_references.referenced_name " +
+      "FROM wiki_references LEFT OUTER JOIN pages " +
+      "ON wiki_references.page_id = pages.id " +
+      "WHERE wiki_references.link_type = '#{CATEGORY}' " +
+      "AND pages.web_id = '#{web.id}'"
     connection.select_all(query).map { |row| row['referenced_name'] }
   end
 

test/unit/chunks/nowiki_test.rb

@@ -14,7 +14,7 @@ class NoWikiTest < Test::Unit::TestCase
 
   def test_sanitized_nowiki
        match(NoWiki, 'This sentence contains <nowiki><span>a b</span> <script>alert("XSS!");</script></nowiki>. Do not touch!',
-               :plain_text => '<span>a b</span> &lt;script&gt;alert("XSS!");&lt;/script&gt;'
+               :plain_text => '<span>a b</span> &lt;script>alert("XSS!");&lt;/script>'
        )
   end