[dokuwiki] Turn superuser or manager into lists (patch)

One more before the feature freeze.

Attached is a patch which allows the superuser or manager setting to
be a list instead of a single value. So for example, you can use:

  $conf['superuser'] = 'john,@root,doe';

and have users john and doe, and group 'root' be superusers (admin
level access) of your wiki. This helps in situations where grouping
users in a dedicated group is a simple but impractical solution. It
works the same way for managers (through $conf['manager']).

The auth_aclcheck testcase is also updated and a new testcase for
auth_ismanager is provided.

Comments and criticism are welcome.

-- 
  bug

New patches:

[List of superuser/manager
Guy Brand <gb@xxxxxxxxxxxxxxxxx>**20080222231548] {
hunk ./_test/cases/inc/auth_aclcheck.test.php 133
+
+    function test_multiadmin_restricted(){
+        global $conf;
+        global $AUTH_ACL;
+        $conf['superuser'] = 'john,@admin,doe,@roots';
+        $conf['useacl']    = 1;
+
+        $AUTH_ACL = array(
+            '*           @ALL           0',
+            '*           @user          8',
+        );
+
+        // anonymous user
+        $this->assertEqual(auth_aclcheck('page',          '',array()), 
AUTH_NONE);
+        $this->assertEqual(auth_aclcheck('namespace:page','',array()), 
AUTH_NONE);
+        $this->assertEqual(auth_aclcheck('namespace:*',   '',array()), 
AUTH_NONE);
+
+        // user with no matching group
+        $this->assertEqual(auth_aclcheck('page',          
'jill',array('foo')), AUTH_NONE);
+        
$this->assertEqual(auth_aclcheck('namespace:page','jill',array('foo')), 
AUTH_NONE);
+        $this->assertEqual(auth_aclcheck('namespace:*',   
'jill',array('foo')), AUTH_NONE);
+
+        // user with matching group
+        $this->assertEqual(auth_aclcheck('page',          
'jill',array('foo','user')), AUTH_UPLOAD);
+        
$this->assertEqual(auth_aclcheck('namespace:page','jill',array('foo','user')), 
AUTH_UPLOAD);
+        $this->assertEqual(auth_aclcheck('namespace:*',   
'jill',array('foo','user')), AUTH_UPLOAD);
+
+        // super user john
+        $this->assertEqual(auth_aclcheck('page',          
'john',array('foo')), AUTH_ADMIN);
+        
$this->assertEqual(auth_aclcheck('namespace:page','john',array('foo')), 
AUTH_ADMIN);
+        $this->assertEqual(auth_aclcheck('namespace:*',   
'john',array('foo')), AUTH_ADMIN);
+
+        // super user doe
+        $this->assertEqual(auth_aclcheck('page',          'doe',array('foo')), 
AUTH_ADMIN);
+        $this->assertEqual(auth_aclcheck('namespace:page','doe',array('foo')), 
AUTH_ADMIN);
+        $this->assertEqual(auth_aclcheck('namespace:*',   'doe',array('foo')), 
AUTH_ADMIN);
+
+        // user with matching admin group
+        $this->assertEqual(auth_aclcheck('page',          
'jill',array('foo','admin')), AUTH_ADMIN);
+        
$this->assertEqual(auth_aclcheck('namespace:page','jill',array('foo','admin')), 
AUTH_ADMIN);
+        $this->assertEqual(auth_aclcheck('namespace:*',   
'jill',array('foo','admin')), AUTH_ADMIN);
+
+        // user with matching another admin group
+        $this->assertEqual(auth_aclcheck('page',          
'jill',array('foo','roots')), AUTH_ADMIN);
+        
$this->assertEqual(auth_aclcheck('namespace:page','jill',array('foo','roots')), 
AUTH_ADMIN);
+        $this->assertEqual(auth_aclcheck('namespace:*',   
'jill',array('foo','roots')), AUTH_ADMIN);
+    }
+
+    function test_multiadmin_restricted_ropage(){
+        global $conf;
+        global $AUTH_ACL;
+        $conf['superuser'] = 'john,@admin,doe,@roots';
+        $conf['useacl']    = 1;
+
+        $AUTH_ACL = array(
+            '*                  @ALL           0',
+            '*                  @user          8',
+            'namespace:page     @user          1',
+        );
+
+        // anonymous user
+        $this->assertEqual(auth_aclcheck('page',          '',array()), 
AUTH_NONE);
+        $this->assertEqual(auth_aclcheck('namespace:page','',array()), 
AUTH_NONE);
+        $this->assertEqual(auth_aclcheck('namespace:*',   '',array()), 
AUTH_NONE);
+
+        // user with no matching group
+        $this->assertEqual(auth_aclcheck('page',          
'jill',array('foo')), AUTH_NONE);
+        
$this->assertEqual(auth_aclcheck('namespace:page','jill',array('foo')), 
AUTH_NONE);
+        $this->assertEqual(auth_aclcheck('namespace:*',   
'jill',array('foo')), AUTH_NONE);
+
+        // user with matching group
+        $this->assertEqual(auth_aclcheck('page',          
'jill',array('foo','user')), AUTH_UPLOAD);
+        
$this->assertEqual(auth_aclcheck('namespace:page','jill',array('foo','user')), 
AUTH_READ);
+        $this->assertEqual(auth_aclcheck('namespace:*',   
'jill',array('foo','user')), AUTH_UPLOAD);
+
+        // super user john
+        $this->assertEqual(auth_aclcheck('page',          
'john',array('foo')), AUTH_ADMIN);
+        
$this->assertEqual(auth_aclcheck('namespace:page','john',array('foo')), 
AUTH_ADMIN);
+        $this->assertEqual(auth_aclcheck('namespace:*',   
'john',array('foo')), AUTH_ADMIN);
+
+        // super user doe
+        $this->assertEqual(auth_aclcheck('page',          'doe',array('foo')), 
AUTH_ADMIN);
+        $this->assertEqual(auth_aclcheck('namespace:page','doe',array('foo')), 
AUTH_ADMIN);
+        $this->assertEqual(auth_aclcheck('namespace:*',   'doe',array('foo')), 
AUTH_ADMIN);
+
+        // user with matching admin group
+        $this->assertEqual(auth_aclcheck('page',          
'jill',array('foo','admin')), AUTH_ADMIN);
+        
$this->assertEqual(auth_aclcheck('namespace:page','jill',array('foo','admin')), 
AUTH_ADMIN);
+        $this->assertEqual(auth_aclcheck('namespace:*',   
'jill',array('foo','admin')), AUTH_ADMIN);
+
+        // user with matching another admin group
+        $this->assertEqual(auth_aclcheck('page',          
'jill',array('foo','roots')), AUTH_ADMIN);
+        
$this->assertEqual(auth_aclcheck('namespace:page','jill',array('foo','roots')), 
AUTH_ADMIN);
+        $this->assertEqual(auth_aclcheck('namespace:*',   
'jill',array('foo','roots')), AUTH_ADMIN);
+    }
+
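Review bot: Both new tests assert only the positive matches for 'john,@admin,doe,@roots'; nothing checks that user names and group names stay in separate namespaces. Add negative cases, for example user 'admin' with array('foo') and user 'jill' with array('john'), both expecting AUTH_NONE, plus a setting with spaces or a trailing comma such as 'john, @admin,' so the list parsing itself is exercised. test_multiadmin_restricted_ropage repeats the first test except for one ACL line and one AUTH_READ assertion; a shared helper would make that difference visible.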
addfile ./_test/cases/inc/auth_admincheck.test.php
hunk ./_test/cases/inc/auth_admincheck.test.php 1
+<?php
+
+require_once DOKU_INC.'inc/init.php';
+require_once DOKU_INC.'inc/auth.php';
+
+class auth_admin_test extends UnitTestCase {
+
+    function teardown() {
+        global $conf;
+        global $AUTH_ACL;
+        unset($conf);
+        unset($AUTH_ACL);
+
+    }
+
+    function test_ismanager(){
+        global $conf;
+        $conf['superuser'] = 'john,@admin';
+        $conf['manager'] = 'john,@managers,doe';
+
+        // anonymous user
+        $this->assertEqual(auth_ismanager('jill', '',false), false);
+
+        // admin or manager users
+        $this->assertEqual(auth_ismanager('john', '',false), true);
+        $this->assertEqual(auth_ismanager('doe',  '',false), true);
+
+        // admin or manager groups
+        $this->assertEqual(auth_ismanager('jill', array('admin'),false), true);
+        $this->assertEqual(auth_ismanager('jill', array('managers'),false), 
true);
+    }
+
+    function test_isadmin(){
+        global $conf;
+        $conf['superuser'] = 'john,@admin,doe,@roots';
+
+        // anonymous user
+        $this->assertEqual(auth_ismanager('jill', '',true), false);
+
+        // admin user
+        $this->assertEqual(auth_ismanager('john', '',true), true);
+        $this->assertEqual(auth_ismanager('doe',  '',true), true);
+
+        // admin groups
+        $this->assertEqual(auth_ismanager('jill', array('admin'),true), true);
+        $this->assertEqual(auth_ismanager('jill', array('roots'),true), true);
+        $this->assertEqual(auth_ismanager('john', array('admin'),true), true);
+        $this->assertEqual(auth_ismanager('doe',  array('admin'),true), true);
+    }
+
+}
+
+//Setup VIM: ex: et ts=4 enc=utf-8 :
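Review bot: test_ismanager never asserts the privilege boundary between the two lists: 'doe' appears only in $conf['manager'], yet there is no check that auth_ismanager('doe', '', true) returns false (assuming the third argument restricts the check to superusers, as test_isadmin's use of true suggests). Two smaller points: the "// anonymous user" cases pass 'jill' and '' for the groups where the group cases pass an array, so an actual anonymous call with '' as user and array() as groups is not covered; and in teardown(), unset($conf) after "global $conf;" removes only the local reference, so settings such as $conf['manager'] leak from test_ismanager into test_isadmin.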
hunk ./inc/auth.php 275
-  // check username against superuser and manager
-  if(auth_nameencode($conf['superuser']) == $user) return true;
+  // check username against superuser and manager arrays
+  $superusers = explode(',', $conf['superuser']);
+  $superusers = array_unique($superusers);
+  $superusers = array_map('trim',$superusers);
+  $superusers = array_map('auth_nameencode',$superusers);
+  if(in_array($user, $superusers)) return true;
+
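Review bot: explode(',', $conf['superuser']) keeps empty entries, so an empty setting or a trailing comma ('john,') leaves an empty string in $superusers, and in_array($user, $superusers) will match it if $user can be '' at this point (the tests pass '' for the anonymous user). Drop empty entries after trimming, and run array_map('trim', ...) before array_unique() so that 'john' and ' john' collapse to one entry. The user check also compares $user against the '@'-prefixed group entries in the same list; splitting the list into user entries and group entries once would keep the two namespaces apart.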
hunk ./inc/auth.php 283
-    if(auth_nameencode($conf['manager']) == $user) return true;
+    $managers = explode(',', $conf['manager']);
+    $managers = array_unique($managers);
+    $managers = array_map('trim',$managers);
+    $managers = array_map('auth_nameencode',$managers);
+    if(in_array($user, $managers)) return true;
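Review bot: These four lines duplicate the superuser parsing from the hunk at line 275, so the two privilege lists can drift apart when one copy is changed later; move the explode/trim/unique/encode sequence into one helper that takes the setting string and returns the array. in_array($user, $managers) also compares loosely by default, so numeric-looking names such as '007' and '7' are treated as equal; pass true as the third argument here and in the superuser check.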
hunk ./inc/auth.php 296
-      $groups[$i] = '@'.auth_nameencode($groups[$i]);
+      $groups[$i] = auth_nameencode('@' . $groups[$i]);
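Review bot: Moving the '@' inside the call makes the group match depend on how the one-argument form of auth_nameencode() treats a leading '@', whereas the removed code at line 299 passed true as a second argument for the group comparison. Add a comment stating that the configured '@group' entries and the user's groups are now encoded by the same call, and a test with a group name containing a character that gets encoded, so a mismatch between the two sides cannot silently drop or grant access.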
hunk ./inc/auth.php 299
-    // check groups against superuser and manager
-    if(in_array(auth_nameencode($conf['superuser'],true), $groups)) return 
true;
+    // check groups against superuser and manager arrays
+    foreach($superusers as $supu)
+      if(in_array($supu, $groups)) return true;
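Review bot: The foreach has no braces and tests every list entry, including plain user names, against $groups with a loose in_array(). A single "if(array_intersect($superusers, $groups)) return true;" expresses the same check and compares entries as strings; if the loop stays, add braces and pass true as the third argument to in_array().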
hunk ./inc/auth.php 303
-      if(in_array(auth_nameencode($conf['manager'],true), $groups)) return 
true;
+      foreach($managers as $mana)
+        if(in_array($mana, $groups)) return true;
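Review bot: $managers is assigned only inside the indented block changed at line 283, so this loop is safe only if it sits under the same condition; otherwise foreach runs over an undefined variable. Initialise $managers = array() before the first conditional, or build both lists up front, and apply the same braces and strict-comparison changes as for the superuser loop.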
}

Context:

[popularity plugin: record PCRE infos
Andreas Gohr <andi@xxxxxxxxxxxxxx>**20080220213222] 
[updated year in copyright notice
Andreas Gohr <andi@xxxxxxxxxxxxxx>**20080220201711] 
[add gidnumber to LDAP auth userdata FS#1338
Andreas Gohr <andi@xxxxxxxxxxxxxx>**20080219165659] 
[popularity plugin added
Andreas Gohr <andi@xxxxxxxxxxxxxx>**20080219165223
 
 This new default plugin allows to send feedback to the DokuWiki developers. An
 introduction is available at
 http://www.splitbrain.org/blog/2008-02/17-gathering_dokuwiki_usage_data
] 
[Finnish language update
Andreas Gohr <andi@xxxxxxxxxxxxxx>**20080217172914] 
[fix for plugin manager breaking multibyte chars
Andreas Gohr <andi@xxxxxxxxxxxxxx>**20080215214857] 
[do case insensitive search word highlighting in page FS#1297
Andreas Gohr <andi@xxxxxxxxxxxxxx>**20080215180239] 
[fix highlighting of search engine referer keywords for recent highlight change
Andreas Gohr <andi@xxxxxxxxxxxxxx>**20080215175816] 
[better highlighting for phrase searches FS#1193
Andreas Gohr <andi@xxxxxxxxxxxxxx>**20080215174653
 
 This patch makes the highlighting of phrases in search snippets and on
 the pages itself much better.
 
 Now a regexp gets passed to the ?s= parameter. I ask everybody to test
 this feature thoroughly especially for the handling of malicious inputs
 and the use of non-latin characters.
] 
[Use auth backend to verify password on profile update FS#1328
Andreas Gohr <andi@xxxxxxxxxxxxxx>**20080215154316] 
[fix for resetting timelimit in fetch.php FS#1243
Andreas Gohr <andi@xxxxxxxxxxxxxx>**20080215152132] 
[Make session reference file check overridable for auth backends
Andreas Gohr <andi@xxxxxxxxxxxxxx>**20080215121716] 
[invalidate all user session cache when userdatabase is changed FS#1085
Andreas Gohr <andi@xxxxxxxxxxxxxx>**20080215114923
 
 A reference file is now stored in data/cache/sessionpurge and is used to
 check if user sessions are still valid.
 
 To accommodate for slow auth backends DokuWiki caches user info for
 a certain time in the user session.
] 
[redirect to root namespace in mediamanager when namespace was deleted FS#1286
Andreas Gohr <andi@xxxxxxxxxxxxxx>**20080215105251] 
[correctly encode namespace in mediapopup URL FS#1319
Andreas Gohr <andi@xxxxxxxxxxxxxx>**20080215094453] 
[fix line endings for meta data editing in media manager FS#1324
Andreas Gohr <andi@xxxxxxxxxxxxxx>**20080215091527] 
[add title attribute on page title FS#1330
Andreas Gohr <andi@xxxxxxxxxxxxxx>**20080215090454] 
[LDAP backend: try to rebind with current user for getUserData() FS#1053
Andreas Gohr <andi@xxxxxxxxxxxxxx>**20080215085556] 
[fix for earlier phpok & htmlok path
Chris Smith <chris@xxxxxxxxxxxxx>**20080214113350] 
[French strings update
Guy Brand <gb@xxxxxxxxxxxxxxxxx>**20080213214113] 
[make sure not supported profile fields are not accepted FS#1329
Andreas Gohr <andi@xxxxxxxxxxxxxx>**20080213214505] 
[check modMail capability correctly FS#1329
Andreas Gohr <andi@xxxxxxxxxxxxxx>**20080213213322] 
[Hungarian update
Andreas Gohr <andi@xxxxxxxxxxxxxx>**20080213204325] 
[filter usernames case-insensitive in user manager
Gabriel Birke <Gabriel.Birke@xxxxxxxxx>**20080213194342] 
[Importoldchangelog: Added metadata support
'Simon Coffey <spc03@xxxxxxxxxxxx>'**20080213145734
 Added function savePerPageMetadata() to populate creator and contributor fields
 of metadata array from old-style changes.log.
] 
[Rationalise Parser PHP & HTML syntax mode handling to renderer only.
Chris Smith <chris@xxxxxxxxxxxxx>**20080213024941
 This patch corrects the problems with the previously (reversed) patch 
 "remove htmlok and phpok tests from Doku_Handler".
 
 The handler will now write php, phpblock, html & htmlblock instructions
 and let the renderer decide how these instructions should be processed.
 
 The xhtml renderer will follow the "phpok" and "htmlok" config settings.
 If these settings are turned off then any instructions will be rendered as 
 code with php or html syntax highlighting (as appropriate).
 
] 
[Have aclcheck use auth_isadmin
Guy Brand <gb@xxxxxxxxxxxxxxxxx>**20080212213222] 
[Hungarian update
Andreas Gohr <andi@xxxxxxxxxxxxxx>**20080209092859] 
[make sure $ID is set correct when rendering metadata
Andreas Gohr <andi@xxxxxxxxxxxxxx>**20080208212733] 
[removed security token requirement for login
Andreas Gohr <andi@xxxxxxxxxxxxxx>**20080208200733
 This was discussed a while ago on the mailing list. We want cross-site
 logins to keep working.
] 
[TAG develsnap 2008-02-01
Andreas Gohr <andi@xxxxxxxxxxxxxx>**20080201000001] 
Patch bundle hash:
ed73325ffdd87c0a76495fb01de286945ca08e79
