[dokuwiki] Re: Turn superuser or manager into lists (patch)
- From: Guy Brand <gb@xxxxxxxxxxxxxxxxx>
- To: dokuwiki@xxxxxxxxxxxxx
- Date: Wed, 27 Feb 2008 18:06:48 +0100
Andreas Gohr wrote:
Hi,
> This shouldn't be possible. Groups returned from getUserInfo have to be
> returned unencoded and without a leading @ in the grps array of
> $USERINFO.
As already discussed on IRC, all trouble came from a over-simplified
replacement of auth_nameencode. Following your fix of yesterday, I
managed to put together a new patch. It's attached to this mail. Test
cases are also in the patch. I haven't modified the config manager
plugin to reflect the changes.
--
bug
New patches:
[Superuser and manager now can be comma separated lists
Guy Brand <gb@xxxxxxxxxxxxxxxxx>**20080227142515
This patch allows $conf['superuser'] and $conf['manager'] to be lists
of values instead of only a single value. So one can put:
$conf['superuser'] = 'joe,user,@admin,root';
in the wiki config and have users joe, user and root be superusers and
also any user of group @admin.
Some additional test cases related to the change are also provided.
] {
hunk ./_test/cases/inc/auth_aclcheck.test.php 133
+
+ function test_multiadmin_restricted(){
+ global $conf;
+ global $AUTH_ACL;
+ $conf['superuser'] = 'john,@admin,doe,@roots';
+ $conf['useacl'] = 1;
+
+ $AUTH_ACL = array(
+ '* @ALL 0',
+ '* @user 8',
+ );
+
+ // anonymous user
+ $this->assertEqual(auth_aclcheck('page', '',array()),
AUTH_NONE);
+ $this->assertEqual(auth_aclcheck('namespace:page','',array()),
AUTH_NONE);
+ $this->assertEqual(auth_aclcheck('namespace:*', '',array()),
AUTH_NONE);
+
+ // user with no matching group
+ $this->assertEqual(auth_aclcheck('page',
'jill',array('foo')), AUTH_NONE);
+
$this->assertEqual(auth_aclcheck('namespace:page','jill',array('foo')),
AUTH_NONE);
+ $this->assertEqual(auth_aclcheck('namespace:*',
'jill',array('foo')), AUTH_NONE);
+
+ // user with matching group
+ $this->assertEqual(auth_aclcheck('page',
'jill',array('foo','user')), AUTH_UPLOAD);
+
$this->assertEqual(auth_aclcheck('namespace:page','jill',array('foo','user')),
AUTH_UPLOAD);
+ $this->assertEqual(auth_aclcheck('namespace:*',
'jill',array('foo','user')), AUTH_UPLOAD);
+
+ // super user john
+ $this->assertEqual(auth_aclcheck('page',
'john',array('foo')), AUTH_ADMIN);
+
$this->assertEqual(auth_aclcheck('namespace:page','john',array('foo')),
AUTH_ADMIN);
+ $this->assertEqual(auth_aclcheck('namespace:*',
'john',array('foo')), AUTH_ADMIN);
+
+ // super user doe
+ $this->assertEqual(auth_aclcheck('page', 'doe',array('foo')),
AUTH_ADMIN);
+ $this->assertEqual(auth_aclcheck('namespace:page','doe',array('foo')),
AUTH_ADMIN);
+ $this->assertEqual(auth_aclcheck('namespace:*', 'doe',array('foo')),
AUTH_ADMIN);
+
+ // user with matching admin group
+ $this->assertEqual(auth_aclcheck('page',
'jill',array('foo','admin')), AUTH_ADMIN);
+
$this->assertEqual(auth_aclcheck('namespace:page','jill',array('foo','admin')),
AUTH_ADMIN);
+ $this->assertEqual(auth_aclcheck('namespace:*',
'jill',array('foo','admin')), AUTH_ADMIN);
+
+ // user with matching another admin group
+ $this->assertEqual(auth_aclcheck('page',
'jill',array('foo','roots')), AUTH_ADMIN);
+
$this->assertEqual(auth_aclcheck('namespace:page','jill',array('foo','roots')),
AUTH_ADMIN);
+ $this->assertEqual(auth_aclcheck('namespace:*',
'jill',array('foo','roots')), AUTH_ADMIN);
+ }
+
+ function test_multiadmin_restricted_ropage(){
+ global $conf;
+ global $AUTH_ACL;
+ $conf['superuser'] = 'john,@admin,doe,@roots';
+ $conf['useacl'] = 1;
+
+ $AUTH_ACL = array(
+ '* @ALL 0',
+ '* @user 8',
+ 'namespace:page @user 1',
+ );
+
+ // anonymous user
+ $this->assertEqual(auth_aclcheck('page', '',array()),
AUTH_NONE);
+ $this->assertEqual(auth_aclcheck('namespace:page','',array()),
AUTH_NONE);
+ $this->assertEqual(auth_aclcheck('namespace:*', '',array()),
AUTH_NONE);
+
+ // user with no matching group
+ $this->assertEqual(auth_aclcheck('page',
'jill',array('foo')), AUTH_NONE);
+
$this->assertEqual(auth_aclcheck('namespace:page','jill',array('foo')),
AUTH_NONE);
+ $this->assertEqual(auth_aclcheck('namespace:*',
'jill',array('foo')), AUTH_NONE);
+
+ // user with matching group
+ $this->assertEqual(auth_aclcheck('page',
'jill',array('foo','user')), AUTH_UPLOAD);
+
$this->assertEqual(auth_aclcheck('namespace:page','jill',array('foo','user')),
AUTH_READ);
+ $this->assertEqual(auth_aclcheck('namespace:*',
'jill',array('foo','user')), AUTH_UPLOAD);
+
+ // super user john
+ $this->assertEqual(auth_aclcheck('page',
'john',array('foo')), AUTH_ADMIN);
+
$this->assertEqual(auth_aclcheck('namespace:page','john',array('foo')),
AUTH_ADMIN);
+ $this->assertEqual(auth_aclcheck('namespace:*',
'john',array('foo')), AUTH_ADMIN);
+
+ // super user doe
+ $this->assertEqual(auth_aclcheck('page', 'doe',array('foo')),
AUTH_ADMIN);
+ $this->assertEqual(auth_aclcheck('namespace:page','doe',array('foo')),
AUTH_ADMIN);
+ $this->assertEqual(auth_aclcheck('namespace:*', 'doe',array('foo')),
AUTH_ADMIN);
+
+ // user with matching admin group
+ $this->assertEqual(auth_aclcheck('page',
'jill',array('foo','admin')), AUTH_ADMIN);
+
$this->assertEqual(auth_aclcheck('namespace:page','jill',array('foo','admin')),
AUTH_ADMIN);
+ $this->assertEqual(auth_aclcheck('namespace:*',
'jill',array('foo','admin')), AUTH_ADMIN);
+
+ // user with matching another admin group
+ $this->assertEqual(auth_aclcheck('page',
'jill',array('foo','roots')), AUTH_ADMIN);
+
$this->assertEqual(auth_aclcheck('namespace:page','jill',array('foo','roots')),
AUTH_ADMIN);
+ $this->assertEqual(auth_aclcheck('namespace:*',
'jill',array('foo','roots')), AUTH_ADMIN);
+ }
+
addfile ./_test/cases/inc/auth_admincheck.test.php
hunk ./_test/cases/inc/auth_admincheck.test.php 1
+<?php
+
+require_once DOKU_INC.'inc/init.php';
+require_once DOKU_INC.'inc/auth.php';
+
+class auth_admin_test extends UnitTestCase {
+
+ function teardown() {
+ global $conf;
+ global $AUTH_ACL;
+ unset($conf);
+ unset($AUTH_ACL);
+
+ }
+
+ function test_ismanager(){
+ global $conf;
+ $conf['superuser'] = 'john,@admin';
+ $conf['manager'] = 'john,@managers,doe';
+
+ // anonymous user
+ $this->assertEqual(auth_ismanager('jill', '',false), false);
+
+ // admin or manager users
+ $this->assertEqual(auth_ismanager('john', '',false), true);
+ $this->assertEqual(auth_ismanager('doe', '',false), true);
+
+ // admin or manager groups
+ $this->assertEqual(auth_ismanager('jill', array('admin'),false), true);
+ $this->assertEqual(auth_ismanager('jill', array('managers'),false),
true);
+ }
+
+ function test_isadmin(){
+ global $conf;
+ $conf['superuser'] = 'john,@admin,doe,@roots';
+
+ // anonymous user
+ $this->assertEqual(auth_ismanager('jill', '',true), false);
+
+ // admin user
+ $this->assertEqual(auth_ismanager('john', '',true), true);
+ $this->assertEqual(auth_ismanager('doe', '',true), true);
+
+ // admin groups
+ $this->assertEqual(auth_ismanager('jill', array('admin'),true), true);
+ $this->assertEqual(auth_ismanager('jill', array('roots'),true), true);
+ $this->assertEqual(auth_ismanager('john', array('admin'),true), true);
+ $this->assertEqual(auth_ismanager('doe', array('admin'),true), true);
+ }
+
+}
+
+//Setup VIM: ex: et ts=4 enc=utf-8 :
hunk ./conf/dokuwiki.php 66
-$conf['superuser'] = '!!not set!!'; //The admin can be user or @group
-$conf['manager'] = '!!not set!!'; //The manager can be user or @group
+$conf['superuser'] = '!!not set!!'; //The admin can be user or @group or
comma separated list user1,@group1,user2
+$conf['manager'] = '!!not set!!'; //The manager can be user or @group
or comma separated list user1,@group1,user2
hunk ./inc/auth.php 276
- if(auth_nameencode($conf['superuser']) == $user) return true;
+ $superusers = explode(',', $conf['superuser']);
+ $superusers = array_unique($superusers);
+ $superusers = array_map('trim', $superusers);
+ // prepare an array containing only true values for array_map call
+ $alltrue = array_fill(0, count($superusers), true);
+ $superusers = array_map('auth_nameencode', $superusers, $alltrue);
+ if(in_array($user, $superusers)) return true;
+
hunk ./inc/auth.php 285
- if(auth_nameencode($conf['manager']) == $user) return true;
+ $managers = explode(',', $conf['manager']);
+ $managers = array_unique($managers);
+ $managers = array_map('trim', $managers);
+ // prepare an array containing only true values for array_map call
+ $alltrue = array_fill(0, count($managers), true);
+ $managers = array_map('auth_nameencode', $managers, $alltrue);
+ if(in_array($user, $managers)) return true;
hunk ./inc/auth.php 304
- if(in_array(auth_nameencode($conf['superuser'],true), $groups)) return
true;
+ foreach($superusers as $supu)
+ if(in_array($supu, $groups)) return true;
hunk ./inc/auth.php 307
- if(in_array(auth_nameencode($conf['manager'],true), $groups)) return
true;
+ foreach($managers as $mana)
+ if(in_array($mana, $groups)) return true;
}
Context:
[Update php & html tests in preformatted test file to reflect changes in parser
Chris Smith <chris@xxxxxxxxxxxxx>**20080223063145
This test file examines the handler. The decisions on htmlok & phpok settings
have been
moved from the handler to the renderer changing the nature of the test that
can be
carried out on these syntax modes in this file.
Refer other patch adding xhtml renderer tests for 'phpok' & 'htmlok' and their
associated syntax modes in parser_preformatted.test.php
]
[Test cases for 'phpok' & 'htmlok' config settings
Chris Smith <chris@xxxxxxxxxxxxx>**20080223062428]
[Fix for FS#1334, see also FS#1090
Chris Smith <chris@xxxxxxxxxxxxx>**20080223025539
FS#1090 ensured DW would never rebuild instructions in the same run by forcing
subsequent
instruction requests to use the version cached on the first request. That
introduced problems
when the caching of the instructions failed (FS#1334). This patch allows
subsequent rebuilds
when cache storage failed.
]
[fix usage of is_admin in auth_aclcheck
Andreas Gohr <andi@xxxxxxxxxxxxxx>**20080226172257
There were a few problems with name encoding for groups and users
introduced in the recent aclcheck change
]
[Don't depend on plugin for Zip/TarLib
Tom N Harris <tnharris@xxxxxxxxxxxxx>**20080226005222]
[INDEXER_TASKS_RUN event for index-time hooks
Tom N Harris <tnharris@xxxxxxxxxxxxx>**20080226011940
The event INDEXER_TASKS_RUN is fired by lib/exe/indexer.php when a page is
viewed. Plugins should only hook BEFORE the event if it is important for the
task to be run as often as possible. Otherwise, hook AFTER the even to be run
only when other tasks have completed.
Plugin authors must call stopPropagation() and preventDefault() if any work is
done. If your plugin does nothing, then you must allow the event to continue.
Not following these rules may cause DokuWiki to exceed the PHP execution time
limit.
]
[use fulltext index to search for used media files FS#1336 FS#1275
Andreas Gohr <andi@xxxxxxxxxxxxxx>**20080223205254
This changes how DokuWiki looks for reference toa media file which is
about to deleted. Instead of doing a full grep through all pages it now
uses the fulltext index first, then does an exact match on the found
pages.
This speeds up the search significantly on larger wikis. However the
fulltext search limits now apply: images with names shorter than 3 charcters
may not be found.
This needs extensive testing!
]
[Table Row And Col Classes
Pierre Spring <pierre.spring@xxxxxxx>**20080223175808
This patch adds classes to the table rows and cells (td and th). This can be
of usage when templating and within syntax plugins.
]
[cope with non-RFC-conform webservers in HTTPClient FS#1340
Andreas Gohr <andi@xxxxxxxxxxxxxx>**20080223183639
This fixes problems in the HTTP client for web servers which separate their
response headers with Unix linfeeds only (instead of CRLFs as stated in RFC
2616).
]
[Check memory settings on ?do=check
Andreas Gohr <andi@xxxxxxxxxxxxxx>**20080223180701
This should help with diagnosing memory related problems
]
[correct diff display when dealing with deleted or newly created pages
Andreas Gohr <andi@xxxxxxxxxxxxxx>**20080223143711]
[wl(): don't include empty id parameter FS#1138
Andreas Gohr <andi@xxxxxxxxxxxxxx>**20080223133200]
[mysql auth backend: check DB query result correctly FS#1039
Andreas Gohr <andi@xxxxxxxxxxxxxx>**20080223130827]
[alway initialize an empty toolbar first FS#1337
Andreas Gohr <andi@xxxxxxxxxxxxxx>**20080223125855]
[use strftime() instead of date() FS#1335 :!:
Andreas Gohr <andi@xxxxxxxxxxxxxx>**20080223124045
This patch replaces the use of the date() function with the strftime()
function. The latter will respect a set locale and will use localized
strings for things like month names.
Because the format options for strftime differ from the ones used in date,
DokuWiki will rest the value of $conf['dformat'] if it contains an old
date format string (detected by missing % characters).
Plugins or templates using the $conf['dformat'] need to be updated.
]
[renamed justlink option to linkonly
Andreas Gohr <andi@xxxxxxxxxxxxxx>**20080223101426]
[media_justlink
Pierre Spring <pierre.spring@xxxxxxx>**20080221160833]
[popularity plugin: record PCRE infos
Andreas Gohr <andi@xxxxxxxxxxxxxx>**20080220213222]
[updated year in copyright notice
Andreas Gohr <andi@xxxxxxxxxxxxxx>**20080220201711]
[add gidnumber to LDAP auth userdata FS#1338
Andreas Gohr <andi@xxxxxxxxxxxxxx>**20080219165659]
[popularity plugin added
Andreas Gohr <andi@xxxxxxxxxxxxxx>**20080219165223
This new default plugin allows to send feedback to the DokuWiki developers. An
introduction is available at
http://www.splitbrain.org/blog/2008-02/17-gathering_dokuwiki_usage_data
]
[Finnish language update
Andreas Gohr <andi@xxxxxxxxxxxxxx>**20080217172914]
[fix for plugin manager breaking multibyte chars
Andreas Gohr <andi@xxxxxxxxxxxxxx>**20080215214857]
[do case insensitive search word highlighting in page FS#1297
Andreas Gohr <andi@xxxxxxxxxxxxxx>**20080215180239]
[fix highlighting of search engine referer keywords for recent highlight change
Andreas Gohr <andi@xxxxxxxxxxxxxx>**20080215175816]
[better highlighting for phrase searches FS#1193
Andreas Gohr <andi@xxxxxxxxxxxxxx>**20080215174653
This patch makes the highlighting of phrases in search snippets and on
the pages itself much better.
Now a regexp gets passed to the ?s= parameter. I ask everybody to test
this feature throughly especially for the handling of malicious inputs
and the use of non-latin characters.
]
[Use auth backend to verify password on profile update FS#1328
Andreas Gohr <andi@xxxxxxxxxxxxxx>**20080215154316]
[fix for resetting timelimit in fetch.php FS#1243
Andreas Gohr <andi@xxxxxxxxxxxxxx>**20080215152132]
[Make session reference file check overridable for auth backends
Andreas Gohr <andi@xxxxxxxxxxxxxx>**20080215121716]
[invalidate all user session cache when userdatabase is changed FS#1085
Andreas Gohr <andi@xxxxxxxxxxxxxx>**20080215114923
A reference file is now stored in data/cache/sessionpurge and is used to
check if user sessions are still valid.
To accomondate for slow auth backends DokuWiki caches user info for
a certain time in the user session.
]
[redirect to root namespace in mediamanager when namespace was deleted FS#1286
Andreas Gohr <andi@xxxxxxxxxxxxxx>**20080215105251]
[correctly encode namespace in mediapopup URL FS#1319
Andreas Gohr <andi@xxxxxxxxxxxxxx>**20080215094453]
[fix line endings for meta data editing in media manager FS#1324
Andreas Gohr <andi@xxxxxxxxxxxxxx>**20080215091527]
[add title attribute on page title FS#1330
Andreas Gohr <andi@xxxxxxxxxxxxxx>**20080215090454]
[LDAP backend: try to rebind with current user for getUserData() FS#1053
Andreas Gohr <andi@xxxxxxxxxxxxxx>**20080215085556]
[fix for earlier phpok & htmlok path
Chris Smith <chris@xxxxxxxxxxxxx>**20080214113350]
[French strings update
Guy Brand <gb@xxxxxxxxxxxxxxxxx>**20080213214113]
[make sure not supported profile fields are not accepted FS#1329
Andreas Gohr <andi@xxxxxxxxxxxxxx>**20080213214505]
[check modMail capability correctly FS#1329
Andreas Gohr <andi@xxxxxxxxxxxxxx>**20080213213322]
[Hungarian update
Andreas Gohr <andi@xxxxxxxxxxxxxx>**20080213204325]
[filter usernames case-insensitive in user manager
Gabriel Birke <Gabriel.Birke@xxxxxxxxx>**20080213194342]
[Importoldchangelog: Added metadata support
'Simon Coffey <spc03@xxxxxxxxxxxx>'**20080213145734
Added function savePerPageMetadata() to populate creator and contributor fields
of metadata array from old-style changes.log.
]
[Rationalise Parser PHP & HTML syntax mode handling to renderer only.
Chris Smith <chris@xxxxxxxxxxxxx>**20080213024941
This patch corrects the problems with the previously (reversed) patch
"remove htmlok and phpok tests from Doku_Handler".
The handler will now write php, phpblock, html & htmlblock instructions
and let the renderer decide how these instructions should be processed.
The xhtml renderer will follow the "phpok" and "htmlok" config settings.
If these settings are turned off the any instructions will be rendered as
code with php or html syntax highlighting (as appropriate).
]
[Have aclcheck use auth_isadmin
Guy Brand <gb@xxxxxxxxxxxxxxxxx>**20080212213222]
[Hungarian update
Andreas Gohr <andi@xxxxxxxxxxxxxx>**20080209092859]
[make sure $ID is set correct when rendering metadata
Andreas Gohr <andi@xxxxxxxxxxxxxx>**20080208212733]
[removed security token requirement for login
Andreas Gohr <andi@xxxxxxxxxxxxxx>**20080208200733
This was discussed a while ago on the mailing list. We want to work cross-site
logins keep working.
]
[TAG develsnap 2008-02-01
Andreas Gohr <andi@xxxxxxxxxxxxxx>**20080201000001]
Patch bundle hash:
0046edeb074a5be826124d89dab4f3c166806dae
Other related posts:
