authorAndreas Gohr <andi@splitbrain.org>2021-01-05 11:21:09 +0100
committerAndreas Gohr <andi@splitbrain.org>2021-01-05 11:21:09 +0100
commit052e1c84e6f3886785d70726f2b7cd528976d231 (patch)
tree47052f4833685a13cc12e2c6ddd3e0e80df78e01
parentf066a39776aab1b798ad7678f49bfb4228e89d11 (diff)
downloaddokuwiki-052e1c84e6f3886785d70726f2b7cd528976d231.tar.gz
dokuwiki-052e1c84e6f3886785d70726f2b7cd528976d231.zip
do not repeat successful security checks. fixes #3363
This avoids creating lots of 403 errors for properly secured data directories. Once a check has succeeded, it is not repeated for the rest of the browser session.
-rw-r--r--inc/Ui/Admin.php11
-rw-r--r--lib/scripts/behaviour.js30
2 files changed, 36 insertions, 5 deletions
diff --git a/inc/Ui/Admin.php b/inc/Ui/Admin.php
index 07146e598..27a57225c 100644
--- a/inc/Ui/Admin.php
+++ b/inc/Ui/Admin.php
@@ -28,9 +28,10 @@ class Admin extends Ui {
$this->menu = $this->getPluginList();
echo '<div class="ui-admin">';
echo p_locale_xhtml('admin');
- $this->showSecurityCheck();
+
$this->showMenu('admin');
$this->showMenu('manager');
+ $this->showSecurityCheck();
$this->showVersion();
$this->showMenu('other');
echo '</div>';
@@ -75,16 +76,16 @@ class Admin extends Ui {
* it verifies either:
* 'savedir' has been moved elsewhere, or
* has protection to prevent the webserver serving files from it
+ *
+ * The actual check is carried out via JavaScript. See behaviour.js
*/
protected function showSecurityCheck() {
global $conf;
if(substr($conf['savedir'], 0, 2) !== './') return;
$img = DOKU_URL . $conf['savedir'] .
'/dont-panic-if-you-see-this-in-your-logs-it-means-your-directory-permissions-are-correct.png';
- echo '<a style="border:none; float:right;"
- href="http://www.dokuwiki.org/security#web_access_security">
- <img src="' . $img . '" alt="Your data directory seems to be protected properly."
- onerror="this.parentNode.style.display=\'none\'" /></a>';
+ echo '<a style="border:none; float:right;" id="security__check"
+ href="http://www.dokuwiki.org/security#web_access_security" data-src="' . $img . '">⚠</a>';
}
/**
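Review bot: On the new `echo` line in showSecurityCheck, `$img` is concatenated into the `data-src` attribute without escaping, so a `savedir` value containing `"` or `&` would break the attribute; the old `src` attribute had the same issue, but since the line is being rewritten this is the moment to use `data-src="' . hsc($img) . '"`. `savedir` comes from admin configuration rather than request input, so the exposure is low, but escaping at output keeps the rule uniform. Dropping the inline `onerror` handler in favour of behaviour.js is a welcome side effect, since it removes an inline script attribute from the admin page; the `href` could also move to `https://www.dokuwiki.org/security#web_access_security` while it is being touched.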
diff --git a/lib/scripts/behaviour.js b/lib/scripts/behaviour.js
index 70b60ef9a..009081f80 100644
--- a/lib/scripts/behaviour.js
+++ b/lib/scripts/behaviour.js
@@ -56,6 +56,7 @@ var dw_behaviour = {
dw_behaviour.checkWindowsShares();
dw_behaviour.subscription();
dw_behaviour.pageRestoreConfirm();
+ dw_behaviour.securityCheck();
dw_behaviour.revisionBoxHandler();
jQuery(document).on('click','#page__revisions input[type=checkbox]',
@@ -204,6 +205,35 @@ var dw_behaviour = {
}
});
}
+ },
+
+ /**
+ * Check that access to the data directory is properly secured
+ *
+ * A successful check (a 403 error was returned when loading the image) is saved
+ * to session storage and not repeated again until the next browser session. This
+ * avoids overeager security bans (see #3363)
+ */
+ securityCheck: function () {
+ var $checkA = jQuery('#security__check');
+ if (!$checkA.length) return;
+ if (sessionStorage.getItem('security-check')) {
+ // check was already executed successfully
+ $checkA.remove();
+ return;
+ }
+
+ var img = new Image(347, 63);
+ img.onerror = function () {
+ // successful check will not be repeated during session
+ $checkA.remove();
+ sessionStorage.setItem('security-check', true);
+ }
+ img.onload = function () {
+ // check failed, display the image
+ $checkA.html(img);
+ }
+ img.src = $checkA.data('src');
}
};