[dokuwiki] ACL Enhancements: Rules by IP/Network/Host, and new auth_aclcheck function.
- From: Max Khitrov <maximkh@xxxxxxxxx>
- To: dokuwiki@xxxxxxxxxxxxx
- Date: Sun, 28 Aug 2005 16:10:18 -0700 (PDT)
Hello everyone,
First time posting to this list, though I've been using dokuwiki for a
while now. A few weeks back I wrote a mod that allows me to
specify ACL rules based on the IP and network of the client (see here:
http://wiki.splitbrain.org/wiki:tips:ipacl). I sent Andi a message
about it, since I thought it might be useful to others as well. He
asked me to post about it here, but because I've had very little time to
make some additional changes that I wanted, I didn't get around to it
till now. Sorry :)
Anyway, basically what this mod does is allow the ACL entries to be
not just by user and group, but also by the IP, network, or hostname
(new addition). It currently doesn't integrate with the ACL admin, so
any rules of those 3 types will currently show up as being user-based.
The way it works is pretty simple. Here are a few examples:
# Gives the client with IP of 192.168.1.2 read access to the home page.
home %192.168.1.2 1
# Gives anyone on the 192.168.2.0/24 network read access to the wiki namespace.
wiki:* %192.168.2.0/24 1
# Gives the hostname delta.mxserve.net edit access to wiki:somepage
wiki:somepage &delta.mxserve.net 2
Besides this extra functionality, there are also 2 other changes that
I've made.
First one is a minor one, but allows the comments within auth.acl.php
to appear anywhere in the file, not just on the first column. This can
be used to add some more descriptions to the ACL entries (like name of
the person this rule applies to, etc.)
The second one is a much bigger change. When writing this mod I noticed
that the default auth_aclcheck has some problems... no offence :) Not
in terms of the actual security, but in the way that it operates, and
also in its flexibility. I took a few hours to write my own, and would
really appreciate some feedback on what you guys think about it.
Three major reasons for this change:
1. The function that I've written is much easier to extend (as in
adding new ACL rule types).
2. It allows the user to easily change the precedence of the rules.
3. Minor one, but by removing some stuff from the AUTH_ACL array early
on, reformatting it, and only running through the array once when
checking the rules, the code should run a little faster (though I
haven't timed it).
If you're interested in testing this mod out, you can get the
instructions to install it here:
http://mxserve.com/files/IPACL.txt
Would highly recommend that you download that file and open in
something where you can change the tab size, otherwise it doesn't look
too good. I've tried to comment things as much as possible, but if you
have any questions on how something works or why I did it that way,
feel free to post to the list or e-mail me directly.
It's fairly easy to install, but it does require you to remove the
default auth_aclcheck function, so I wouldn't recommend using it on a
live site just yet. Ever since the first version I've done a bit of
testing on my own, and so far it seems to work rather well, but it
still needs some more people to go through it and check.
Let me know what you guys think about this.
- Max
--
DokuWiki mailing list - more info at
http://wiki.splitbrain.org/wiki:mailinglist
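The rule syntax described in the post (% for an IP or network, & for a hostname, comments anywhere on a line), as an added example that is not the code from IPACL.txt or from DokuWiki. The function names, the IPv4-only matching, the "highest matching permission wins" precedence and the forward-confirmed reverse DNS lookup are assumptions of this sketch; the post does not say how the mod resolves hostnames or orders rules.

```php
<?php
// Added sketch, not IPACL.txt's code. Assumed: IPv4 only, highest match wins.
// Parse ACL text; '#' starts a comment anywhere on a line.
function parse_acl(string $text): array {
    $rules = [];
    foreach (preg_split('/\R/', $text) as $line) {
        $f = preg_split('/\s+/', trim(preg_replace('/#.*$/', '', $line)));
        if (count($f) !== 3 || !ctype_digit($f[2])) continue; // blank or malformed
        $rules[] = ['scope' => $f[0], 'who' => $f[1], 'perm' => (int)$f[2]];
    }
    return $rules;
}

// True if $ip is "a.b.c.d" itself or inside "a.b.c.d/len"; bad input never matches.
function ip_matches(string $ip, string $spec): bool {
    [$net, $len] = array_pad(explode('/', $spec, 2), 2, '32');
    $ipL = ip2long($ip); $netL = ip2long($net);
    if ($ipL === false || $netL === false || !ctype_digit($len) || (int)$len > 32) return false;
    $mask = -1 << (32 - (int)$len);
    return ($ipL & $mask) === ($netL & $mask);
}

// Forward-confirmed reverse DNS: the PTR name counts only if it resolves back
// to $ip, since whoever controls the reverse zone chooses the PTR value.
function confirmed_host(string $ip): ?string {
    $name = gethostbyaddr($ip);
    if ($name === false || $name === $ip) return null;
    $addrs = gethostbynamel($name);
    return ($addrs !== false && in_array($ip, $addrs, true)) ? strtolower($name) : null;
}

// Highest permission among rules matching this page id, client IP and host.
function acl_check(array $rules, string $id, string $ip, ?string $host): int {
    $perm = 0;
    foreach ($rules as $r) {
        $s = $r['scope'];
        $inScope = $s === '*' || $s === $id
            || (substr($s, -2) === ':*' && strpos($id, substr($s, 0, -1)) === 0);
        [$kind, $val] = [$r['who'][0], substr($r['who'], 1)];
        $hit = ($kind === '%' && ip_matches($ip, $val))
            || ($kind === '&' && $host !== null && strcasecmp($host, $val) === 0);
        if ($inScope && $hit) $perm = max($perm, $r['perm']);
    }
    return $perm;
}

// Constructed sample (host passed directly to stay offline; use confirmed_host($ip) live).
$rules = parse_acl("home %192.168.1.2 1 # one client\nwiki:* %192.168.2.0/24 1\nwiki:somepage &delta.mxserve.net 2\n");
var_dump(acl_check($rules, 'wiki:somepage', '192.168.2.77', null));
var_dump(acl_check($rules, 'wiki:somepage', '10.0.0.5', 'delta.mxserve.net'));
```

Behind a reverse proxy the address the web server reports is the proxy's, so IP and network rules only mean something when the client address comes from a source the server itself trusts.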