Andreas Gohr wrote: Hi, > This shouldn't be possible. Groups returned from getUserInfo have to be > returned unencoded and without a leading @ in the grps array of > $USERINFO. As already discussed on IRC, all trouble came from a over-simplified replacement of auth_nameencode. Following your fix of yesterday, I managed to put together a new patch. It's attached to this mail. Test cases are also in the patch. I haven't modified the config manager plugin to reflect the changes. -- bug
New patches: [Superuser and manager now can be comma separated lists Guy Brand <gb@xxxxxxxxxxxxxxxxx>**20080227142515 This patch allows $conf['superuser'] and $conf['manager'] to be lists of values instead of only a single value. So one can put: $conf['superuser'] = 'joe,user,@admin,root'; in the wiki config and have users joe, user and root be superusers and also any user of group @admin. Some additional test cases related to the change are also provided. ] { hunk ./_test/cases/inc/auth_aclcheck.test.php 133 + + function test_multiadmin_restricted(){ + global $conf; + global $AUTH_ACL; + $conf['superuser'] = 'john,@admin,doe,@roots'; + $conf['useacl'] = 1; + + $AUTH_ACL = array( + '* @ALL 0', + '* @user 8', + ); + + // anonymous user + $this->assertEqual(auth_aclcheck('page', '',array()), AUTH_NONE); + $this->assertEqual(auth_aclcheck('namespace:page','',array()), AUTH_NONE); + $this->assertEqual(auth_aclcheck('namespace:*', '',array()), AUTH_NONE); + + // user with no matching group + $this->assertEqual(auth_aclcheck('page', 'jill',array('foo')), AUTH_NONE); + $this->assertEqual(auth_aclcheck('namespace:page','jill',array('foo')), AUTH_NONE); + $this->assertEqual(auth_aclcheck('namespace:*', 'jill',array('foo')), AUTH_NONE); + + // user with matching group + $this->assertEqual(auth_aclcheck('page', 'jill',array('foo','user')), AUTH_UPLOAD); + $this->assertEqual(auth_aclcheck('namespace:page','jill',array('foo','user')), AUTH_UPLOAD); + $this->assertEqual(auth_aclcheck('namespace:*', 'jill',array('foo','user')), AUTH_UPLOAD); + + // super user john + $this->assertEqual(auth_aclcheck('page', 'john',array('foo')), AUTH_ADMIN); + $this->assertEqual(auth_aclcheck('namespace:page','john',array('foo')), AUTH_ADMIN); + $this->assertEqual(auth_aclcheck('namespace:*', 'john',array('foo')), AUTH_ADMIN); + + // super user doe + $this->assertEqual(auth_aclcheck('page', 'doe',array('foo')), AUTH_ADMIN); + $this->assertEqual(auth_aclcheck('namespace:page','doe',array('foo')), AUTH_ADMIN); + $this->assertEqual(auth_aclcheck('namespace:*', 'doe',array('foo')), AUTH_ADMIN); + + // user with matching admin group + $this->assertEqual(auth_aclcheck('page', 'jill',array('foo','admin')), AUTH_ADMIN); + $this->assertEqual(auth_aclcheck('namespace:page','jill',array('foo','admin')), AUTH_ADMIN); + $this->assertEqual(auth_aclcheck('namespace:*', 'jill',array('foo','admin')), AUTH_ADMIN); + + // user with matching another admin group + $this->assertEqual(auth_aclcheck('page', 'jill',array('foo','roots')), AUTH_ADMIN); + $this->assertEqual(auth_aclcheck('namespace:page','jill',array('foo','roots')), AUTH_ADMIN); + $this->assertEqual(auth_aclcheck('namespace:*', 'jill',array('foo','roots')), AUTH_ADMIN); + } + + function test_multiadmin_restricted_ropage(){ + global $conf; + global $AUTH_ACL; + $conf['superuser'] = 'john,@admin,doe,@roots'; + $conf['useacl'] = 1; + + $AUTH_ACL = array( + '* @ALL 0', + '* @user 8', + 'namespace:page @user 1', + ); + + // anonymous user + $this->assertEqual(auth_aclcheck('page', '',array()), AUTH_NONE); + $this->assertEqual(auth_aclcheck('namespace:page','',array()), AUTH_NONE); + $this->assertEqual(auth_aclcheck('namespace:*', '',array()), AUTH_NONE); + + // user with no matching group + $this->assertEqual(auth_aclcheck('page', 'jill',array('foo')), AUTH_NONE); + $this->assertEqual(auth_aclcheck('namespace:page','jill',array('foo')), AUTH_NONE); + $this->assertEqual(auth_aclcheck('namespace:*', 'jill',array('foo')), AUTH_NONE); + + // user with matching group + $this->assertEqual(auth_aclcheck('page', 'jill',array('foo','user')), AUTH_UPLOAD); + $this->assertEqual(auth_aclcheck('namespace:page','jill',array('foo','user')), AUTH_READ); + $this->assertEqual(auth_aclcheck('namespace:*', 'jill',array('foo','user')), AUTH_UPLOAD); + + // super user john + $this->assertEqual(auth_aclcheck('page', 'john',array('foo')), AUTH_ADMIN); + $this->assertEqual(auth_aclcheck('namespace:page','john',array('foo')), AUTH_ADMIN); + $this->assertEqual(auth_aclcheck('namespace:*', 'john',array('foo')), AUTH_ADMIN); + + // super user doe + $this->assertEqual(auth_aclcheck('page', 'doe',array('foo')), AUTH_ADMIN); + $this->assertEqual(auth_aclcheck('namespace:page','doe',array('foo')), AUTH_ADMIN); + $this->assertEqual(auth_aclcheck('namespace:*', 'doe',array('foo')), AUTH_ADMIN); + + // user with matching admin group + $this->assertEqual(auth_aclcheck('page', 'jill',array('foo','admin')), AUTH_ADMIN); + $this->assertEqual(auth_aclcheck('namespace:page','jill',array('foo','admin')), AUTH_ADMIN); + $this->assertEqual(auth_aclcheck('namespace:*', 'jill',array('foo','admin')), AUTH_ADMIN); + + // user with matching another admin group + $this->assertEqual(auth_aclcheck('page', 'jill',array('foo','roots')), AUTH_ADMIN); + $this->assertEqual(auth_aclcheck('namespace:page','jill',array('foo','roots')), AUTH_ADMIN); + $this->assertEqual(auth_aclcheck('namespace:*', 'jill',array('foo','roots')), AUTH_ADMIN); + } + addfile ./_test/cases/inc/auth_admincheck.test.php hunk ./_test/cases/inc/auth_admincheck.test.php 1 +<?php + +require_once DOKU_INC.'inc/init.php'; +require_once DOKU_INC.'inc/auth.php'; + +class auth_admin_test extends UnitTestCase { + + function teardown() { + global $conf; + global $AUTH_ACL; + unset($conf); + unset($AUTH_ACL); + + } + + function test_ismanager(){ + global $conf; + $conf['superuser'] = 'john,@admin'; + $conf['manager'] = 'john,@managers,doe'; + + // anonymous user + $this->assertEqual(auth_ismanager('jill', '',false), false); + + // admin or manager users + $this->assertEqual(auth_ismanager('john', '',false), true); + $this->assertEqual(auth_ismanager('doe', '',false), true); + + // admin or manager groups + $this->assertEqual(auth_ismanager('jill', array('admin'),false), true); + $this->assertEqual(auth_ismanager('jill', array('managers'),false), true); + } + + function test_isadmin(){ + global $conf; + $conf['superuser'] = 'john,@admin,doe,@roots'; + + // anonymous user + $this->assertEqual(auth_ismanager('jill', '',true), false); + + // admin user + $this->assertEqual(auth_ismanager('john', '',true), true); + $this->assertEqual(auth_ismanager('doe', '',true), true); + + // admin groups + $this->assertEqual(auth_ismanager('jill', array('admin'),true), true); + $this->assertEqual(auth_ismanager('jill', array('roots'),true), true); + $this->assertEqual(auth_ismanager('john', array('admin'),true), true); + $this->assertEqual(auth_ismanager('doe', array('admin'),true), true); + } + +} + +//Setup VIM: ex: et ts=4 enc=utf-8 : hunk ./conf/dokuwiki.php 66 -$conf['superuser'] = '!!not set!!'; //The admin can be user or @group -$conf['manager'] = '!!not set!!'; //The manager can be user or @group +$conf['superuser'] = '!!not set!!'; //The admin can be user or @group or comma separated list user1,@group1,user2 +$conf['manager'] = '!!not set!!'; //The manager can be user or @group or comma separated list user1,@group1,user2 hunk ./inc/auth.php 276 - if(auth_nameencode($conf['superuser']) == $user) return true; + $superusers = explode(',', $conf['superuser']); + $superusers = array_unique($superusers); + $superusers = array_map('trim', $superusers); + // prepare an array containing only true values for array_map call + $alltrue = array_fill(0, count($superusers), true); + $superusers = array_map('auth_nameencode', $superusers, $alltrue); + if(in_array($user, $superusers)) return true; + hunk ./inc/auth.php 285 - if(auth_nameencode($conf['manager']) == $user) return true; + $managers = explode(',', $conf['manager']); + $managers = array_unique($managers); + $managers = array_map('trim', $managers); + // prepare an array containing only true values for array_map call + $alltrue = array_fill(0, count($managers), true); + $managers = array_map('auth_nameencode', $managers, $alltrue); + if(in_array($user, $managers)) return true; hunk ./inc/auth.php 304 - if(in_array(auth_nameencode($conf['superuser'],true), $groups)) return true; + foreach($superusers as $supu) + if(in_array($supu, $groups)) return true; hunk ./inc/auth.php 307 - if(in_array(auth_nameencode($conf['manager'],true), $groups)) return true; + foreach($managers as $mana) + if(in_array($mana, $groups)) return true; } Context: [Update php & html tests in preformatted test file to reflect changes in parser Chris Smith <chris@xxxxxxxxxxxxx>**20080223063145 This test file examines the handler. The decisions on htmlok & phpok settings have been moved from the handler to the renderer changing the nature of the test that can be carried out on these syntax modes in this file. Refer other patch adding xhtml renderer tests for 'phpok' & 'htmlok' and their associated syntax modes in parser_preformatted.test.php ] [Test cases for 'phpok' & 'htmlok' config settings Chris Smith <chris@xxxxxxxxxxxxx>**20080223062428] [Fix for FS#1334, see also FS#1090 Chris Smith <chris@xxxxxxxxxxxxx>**20080223025539 FS#1090 ensured DW would never rebuild instructions in the same run by forcing subsequent instruction requests to use the version cached on the first request. That introduced problems when the caching of the instructions failed (FS#1334). This patch allows subsequent rebuilds when cache storage failed. ] [fix usage of is_admin in auth_aclcheck Andreas Gohr <andi@xxxxxxxxxxxxxx>**20080226172257 There were a few problems with name encoding for groups and users introduced in the recent aclcheck change ] [Don't depend on plugin for Zip/TarLib Tom N Harris <tnharris@xxxxxxxxxxxxx>**20080226005222] [INDEXER_TASKS_RUN event for index-time hooks Tom N Harris <tnharris@xxxxxxxxxxxxx>**20080226011940 The event INDEXER_TASKS_RUN is fired by lib/exe/indexer.php when a page is viewed. Plugins should only hook BEFORE the event if it is important for the task to be run as often as possible. Otherwise, hook AFTER the even to be run only when other tasks have completed. Plugin authors must call stopPropagation() and preventDefault() if any work is done. If your plugin does nothing, then you must allow the event to continue. Not following these rules may cause DokuWiki to exceed the PHP execution time limit. ] [use fulltext index to search for used media files FS#1336 FS#1275 Andreas Gohr <andi@xxxxxxxxxxxxxx>**20080223205254 This changes how DokuWiki looks for reference toa media file which is about to deleted. Instead of doing a full grep through all pages it now uses the fulltext index first, then does an exact match on the found pages. This speeds up the search significantly on larger wikis. However the fulltext search limits now apply: images with names shorter than 3 charcters may not be found. This needs extensive testing! ] [Table Row And Col Classes Pierre Spring <pierre.spring@xxxxxxx>**20080223175808 This patch adds classes to the table rows and cells (td and th). This can be of usage when templating and within syntax plugins. ] [cope with non-RFC-conform webservers in HTTPClient FS#1340 Andreas Gohr <andi@xxxxxxxxxxxxxx>**20080223183639 This fixes problems in the HTTP client for web servers which separate their response headers with Unix linfeeds only (instead of CRLFs as stated in RFC 2616). ] [Check memory settings on ?do=check Andreas Gohr <andi@xxxxxxxxxxxxxx>**20080223180701 This should help with diagnosing memory related problems ] [correct diff display when dealing with deleted or newly created pages Andreas Gohr <andi@xxxxxxxxxxxxxx>**20080223143711] [wl(): don't include empty id parameter FS#1138 Andreas Gohr <andi@xxxxxxxxxxxxxx>**20080223133200] [mysql auth backend: check DB query result correctly FS#1039 Andreas Gohr <andi@xxxxxxxxxxxxxx>**20080223130827] [alway initialize an empty toolbar first FS#1337 Andreas Gohr <andi@xxxxxxxxxxxxxx>**20080223125855] [use strftime() instead of date() FS#1335 :!: Andreas Gohr <andi@xxxxxxxxxxxxxx>**20080223124045 This patch replaces the use of the date() function with the strftime() function. The latter will respect a set locale and will use localized strings for things like month names. Because the format options for strftime differ from the ones used in date, DokuWiki will rest the value of $conf['dformat'] if it contains an old date format string (detected by missing % characters). Plugins or templates using the $conf['dformat'] need to be updated. ] [renamed justlink option to linkonly Andreas Gohr <andi@xxxxxxxxxxxxxx>**20080223101426] [media_justlink Pierre Spring <pierre.spring@xxxxxxx>**20080221160833] [popularity plugin: record PCRE infos Andreas Gohr <andi@xxxxxxxxxxxxxx>**20080220213222] [updated year in copyright notice Andreas Gohr <andi@xxxxxxxxxxxxxx>**20080220201711] [add gidnumber to LDAP auth userdata FS#1338 Andreas Gohr <andi@xxxxxxxxxxxxxx>**20080219165659] [popularity plugin added Andreas Gohr <andi@xxxxxxxxxxxxxx>**20080219165223 This new default plugin allows to send feedback to the DokuWiki developers. An introduction is available at http://www.splitbrain.org/blog/2008-02/17-gathering_dokuwiki_usage_data ] [Finnish language update Andreas Gohr <andi@xxxxxxxxxxxxxx>**20080217172914] [fix for plugin manager breaking multibyte chars Andreas Gohr <andi@xxxxxxxxxxxxxx>**20080215214857] [do case insensitive search word highlighting in page FS#1297 Andreas Gohr <andi@xxxxxxxxxxxxxx>**20080215180239] [fix highlighting of search engine referer keywords for recent highlight change Andreas Gohr <andi@xxxxxxxxxxxxxx>**20080215175816] [better highlighting for phrase searches FS#1193 Andreas Gohr <andi@xxxxxxxxxxxxxx>**20080215174653 This patch makes the highlighting of phrases in search snippets and on the pages itself much better. Now a regexp gets passed to the ?s= parameter. I ask everybody to test this feature throughly especially for the handling of malicious inputs and the use of non-latin characters. ] [Use auth backend to verify password on profile update FS#1328 Andreas Gohr <andi@xxxxxxxxxxxxxx>**20080215154316] [fix for resetting timelimit in fetch.php FS#1243 Andreas Gohr <andi@xxxxxxxxxxxxxx>**20080215152132] [Make session reference file check overridable for auth backends Andreas Gohr <andi@xxxxxxxxxxxxxx>**20080215121716] [invalidate all user session cache when userdatabase is changed FS#1085 Andreas Gohr <andi@xxxxxxxxxxxxxx>**20080215114923 A reference file is now stored in data/cache/sessionpurge and is used to check if user sessions are still valid. To accomondate for slow auth backends DokuWiki caches user info for a certain time in the user session. ] [redirect to root namespace in mediamanager when namespace was deleted FS#1286 Andreas Gohr <andi@xxxxxxxxxxxxxx>**20080215105251] [correctly encode namespace in mediapopup URL FS#1319 Andreas Gohr <andi@xxxxxxxxxxxxxx>**20080215094453] [fix line endings for meta data editing in media manager FS#1324 Andreas Gohr <andi@xxxxxxxxxxxxxx>**20080215091527] [add title attribute on page title FS#1330 Andreas Gohr <andi@xxxxxxxxxxxxxx>**20080215090454] [LDAP backend: try to rebind with current user for getUserData() FS#1053 Andreas Gohr <andi@xxxxxxxxxxxxxx>**20080215085556] [fix for earlier phpok & htmlok path Chris Smith <chris@xxxxxxxxxxxxx>**20080214113350] [French strings update Guy Brand <gb@xxxxxxxxxxxxxxxxx>**20080213214113] [make sure not supported profile fields are not accepted FS#1329 Andreas Gohr <andi@xxxxxxxxxxxxxx>**20080213214505] [check modMail capability correctly FS#1329 Andreas Gohr <andi@xxxxxxxxxxxxxx>**20080213213322] [Hungarian update Andreas Gohr <andi@xxxxxxxxxxxxxx>**20080213204325] [filter usernames case-insensitive in user manager Gabriel Birke <Gabriel.Birke@xxxxxxxxx>**20080213194342] [Importoldchangelog: Added metadata support 'Simon Coffey <spc03@xxxxxxxxxxxx>'**20080213145734 Added function savePerPageMetadata() to populate creator and contributor fields of metadata array from old-style changes.log. ] [Rationalise Parser PHP & HTML syntax mode handling to renderer only. Chris Smith <chris@xxxxxxxxxxxxx>**20080213024941 This patch corrects the problems with the previously (reversed) patch "remove htmlok and phpok tests from Doku_Handler". The handler will now write php, phpblock, html & htmlblock instructions and let the renderer decide how these instructions should be processed. The xhtml renderer will follow the "phpok" and "htmlok" config settings. If these settings are turned off the any instructions will be rendered as code with php or html syntax highlighting (as appropriate). ] [Have aclcheck use auth_isadmin Guy Brand <gb@xxxxxxxxxxxxxxxxx>**20080212213222] [Hungarian update Andreas Gohr <andi@xxxxxxxxxxxxxx>**20080209092859] [make sure $ID is set correct when rendering metadata Andreas Gohr <andi@xxxxxxxxxxxxxx>**20080208212733] [removed security token requirement for login Andreas Gohr <andi@xxxxxxxxxxxxxx>**20080208200733 This was discussed a while ago on the mailing list. We want to work cross-site logins keep working. ] [TAG develsnap 2008-02-01 Andreas Gohr <andi@xxxxxxxxxxxxxx>**20080201000001] Patch bundle hash: 0046edeb074a5be826124d89dab4f3c166806dae