authorDominik Eckelmann <deckelmann@gmail.com>2012-11-25 15:00:01 -0800
committerDominik Eckelmann <deckelmann@gmail.com>2012-11-25 15:00:01 -0800
commite4a8ea5320c3baa946f9efb4b11d76f931aab7dc (patch)
treed56fb1a469918b76d8e4e2462d5db3ca75c616b1
parentb7183bb542c52e0826a76346fd9005da965a9ac5 (diff)
parenteb3ce0d55290dd4a60193e680aa50b46571350bd (diff)
downloadrpg-e4a8ea5320c3baa946f9efb4b11d76f931aab7dc.tar.gz
rpg-e4a8ea5320c3baa946f9efb4b11d76f931aab7dc.tar.bz2
Merge pull request #147 from kazmiya/2012_11_AclCaseSensitiveFix2
Fix case-insensitive match in ACL checking
-rw-r--r--_test/tests/inc/auth_aclcheck_caseinsensitive.test.php131
-rw-r--r--inc/auth.php17
2 files changed, 143 insertions, 5 deletions
diff --git a/_test/tests/inc/auth_aclcheck_caseinsensitive.test.php b/_test/tests/inc/auth_aclcheck_caseinsensitive.test.php
new file mode 100644
index 000000000..9f1fb6aa0
--- /dev/null
+++ b/_test/tests/inc/auth_aclcheck_caseinsensitive.test.php
@@ -0,0 +1,131 @@
+<?php
+
+class auth_acl_caseinsensitive_auth extends auth_basic {
+ function isCaseSensitive() {
+ return false;
+ }
+}
+
+class auth_acl_caseinsensitive_test extends DokuWikiTest {
+ protected $oldConf;
+ protected $oldAuth;
+ protected $oldAuthAcl;
+
+ function setup() {
+ global $conf;
+ global $auth;
+ global $AUTH_ACL;
+
+ $this->oldConf = $conf;
+ $this->oldAuth = $auth;
+ $this->oldAuthAcl = $AUTH_ACL;
+
+ $auth = new auth_acl_caseinsensitive_auth();
+ }
+
+ function teardown() {
+ global $conf;
+ global $AUTH_ACL;
+ global $auth;
+
+ $conf = $this->oldConf;
+ $auth = $this->oldAuth;
+ $AUTH_ACL = $this->oldAuthAcl;
+ }
+
+ function test_multiadmin_restricted_ropage() {
+ global $conf;
+ global $AUTH_ACL;
+
+ $conf['superuser'] = 'John,doe,@Admin1,@admin2';
+ $conf['useacl'] = 1;
+
+ $AUTH_ACL = array(
+ '* @ALL 0',
+ '* @Group1 8',
+ '* @group2 8',
+ 'namespace:page @Group1 1',
+ 'namespace:page @group2 1',
+ );
+
+ // anonymous user
+ $this->assertEquals(auth_aclcheck('page', '', array()), AUTH_NONE);
+ $this->assertEquals(auth_aclcheck('namespace:page', '', array()), AUTH_NONE);
+ $this->assertEquals(auth_aclcheck('namespace:*', '', array()), AUTH_NONE);
+
+ // user with no matching group
+ $this->assertEquals(auth_aclcheck('page', 'jill', array('foo')), AUTH_NONE);
+ $this->assertEquals(auth_aclcheck('namespace:page', 'jill', array('foo')), AUTH_NONE);
+ $this->assertEquals(auth_aclcheck('namespace:*', 'jill', array('foo')), AUTH_NONE);
+
+ // user with matching group 1
+ $this->assertEquals(auth_aclcheck('page', 'jill', array('foo', 'group1')), AUTH_UPLOAD);
+ $this->assertEquals(auth_aclcheck('namespace:page', 'jill', array('foo', 'group1')), AUTH_READ);
+ $this->assertEquals(auth_aclcheck('namespace:*', 'jill', array('foo', 'group1')), AUTH_UPLOAD);
+
+ // user with matching group 2
+ $this->assertEquals(auth_aclcheck('page', 'jill', array('foo', 'Group2')), AUTH_UPLOAD);
+ $this->assertEquals(auth_aclcheck('namespace:page', 'jill', array('foo', 'Group2')), AUTH_READ);
+ $this->assertEquals(auth_aclcheck('namespace:*', 'jill', array('foo', 'Group2')), AUTH_UPLOAD);
+
+ // super user John
+ $this->assertEquals(auth_aclcheck('page', 'john', array('foo')), AUTH_ADMIN);
+ $this->assertEquals(auth_aclcheck('namespace:page', 'john', array('foo')), AUTH_ADMIN);
+ $this->assertEquals(auth_aclcheck('namespace:*', 'john', array('foo')), AUTH_ADMIN);
+
+ // super user doe
+ $this->assertEquals(auth_aclcheck('page', 'Doe', array('foo')), AUTH_ADMIN);
+ $this->assertEquals(auth_aclcheck('namespace:page', 'Doe', array('foo')), AUTH_ADMIN);
+ $this->assertEquals(auth_aclcheck('namespace:*', 'Doe', array('foo')), AUTH_ADMIN);
+
+ // user with matching admin group 1
+ $this->assertEquals(auth_aclcheck('page', 'jill', array('foo', 'admin1')), AUTH_ADMIN);
+ $this->assertEquals(auth_aclcheck('namespace:page', 'jill', array('foo', 'admin1')), AUTH_ADMIN);
+ $this->assertEquals(auth_aclcheck('namespace:*', 'jill', array('foo', 'admin1')), AUTH_ADMIN);
+
+ // user with matching admin group 2
+ $this->assertEquals(auth_aclcheck('page', 'jill', array('foo', 'Admin2')), AUTH_ADMIN);
+ $this->assertEquals(auth_aclcheck('namespace:page', 'jill', array('foo', 'Admin2')), AUTH_ADMIN);
+ $this->assertEquals(auth_aclcheck('namespace:*', 'jill', array('foo', 'Admin2')), AUTH_ADMIN);
+ }
+
+ /*
+ * Test aclcheck on @ALL group
+ *
+ * The default permission for @ALL group is AUTH_NONE. So we use an
+ * ACL entry which grants @ALL group an AUTH_READ permission to see
+ * whether ACL matching is properly done or not.
+ */
+ function test_restricted_allread() {
+ global $conf;
+ global $AUTH_ACL;
+
+ $conf['superuser'] = 'john';
+ $conf['useacl'] = 1;
+
+ $AUTH_ACL = array(
+ '* @ALL 1',
+ '* @group1 8',
+ );
+
+ // anonymous user
+ $this->assertEquals(auth_aclcheck('page', '', array()), AUTH_READ);
+ $this->assertEquals(auth_aclcheck('namespace:page', '', array()), AUTH_READ);
+ $this->assertEquals(auth_aclcheck('namespace:*', '', array()), AUTH_READ);
+
+ // user with no matching group
+ $this->assertEquals(auth_aclcheck('page', 'jill', array('foo')), AUTH_READ);
+ $this->assertEquals(auth_aclcheck('namespace:page', 'jill', array('foo')), AUTH_READ);
+ $this->assertEquals(auth_aclcheck('namespace:*', 'jill', array('foo')), AUTH_READ);
+
+ // user with matching group
+ $this->assertEquals(auth_aclcheck('page', 'jill', array('foo', 'Group1')), AUTH_UPLOAD);
+ $this->assertEquals(auth_aclcheck('namespace:page', 'jill', array('foo', 'Group1')), AUTH_UPLOAD);
+ $this->assertEquals(auth_aclcheck('namespace:*', 'jill', array('foo', 'Group1')), AUTH_UPLOAD);
+
+ // super user
+ $this->assertEquals(auth_aclcheck('page', 'John', array('foo')), AUTH_ADMIN);
+ $this->assertEquals(auth_aclcheck('namespace:page', 'John', array('foo')), AUTH_ADMIN);
+ $this->assertEquals(auth_aclcheck('namespace:*', 'John', array('foo')), AUTH_ADMIN);
+ }
+}
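Review bot: Both tests run only against the stub whose `isCaseSensitive()` returns false, so nothing pins the opposite behaviour: with a case-sensitive backend, a user in `Group1` must not pick up the permissions of an `@group1` entry. A second stub returning true, run against the same ACL with the expectations inverted for the differently-cased names, would guard against the case fold leaking into case-sensitive backends. The ACL fixtures also contain only group entries, so the added lower-casing of user-name entries is not exercised. The `assertEquals` calls pass the actual value first; PHPUnit expects `assertEquals(AUTH_NONE, auth_aclcheck('page', '', array()))`, otherwise a failure message swaps expected and actual.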
diff --git a/inc/auth.php b/inc/auth.php
index 1c8a8f5f5..9c458338d 100644
--- a/inc/auth.php
+++ b/inc/auth.php
@@ -535,9 +535,10 @@ function auth_aclcheck($id, $user, $groups) {
return AUTH_ADMIN;
}
- $ci = '';
- if(!$auth->isCaseSensitive()) $ci = 'ui';
-
+ if(!$auth->isCaseSensitive()) {
+ $user = utf8_strtolower($user);
+ $groups = array_map('utf8_strtolower', $groups);
+ }
$user = $auth->cleanUser($user);
$groups = array_map(array($auth, 'cleanGroup'), (array) $groups);
$user = auth_nameencode($user);
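Review bot: The added `array_map('utf8_strtolower', $groups)` runs before the `(array) $groups` cast two lines further down, so a caller that passes null or a single string for `$groups` now reaches `array_map` with a non-array. Older PHP versions warn and return null there, and the ACL check then runs without the caller's groups. Cast at the first use instead: `$groups = array_map('utf8_strtolower', (array) $groups);`. A comment such as `// fold case before cleanUser()/cleanGroup() so the backend sees the same form it will compare` would record why the fold has to come first. The function body starts and ends outside this hunk.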
@@ -561,11 +562,14 @@ function auth_aclcheck($id, $user, $groups) {
}
//check exact match first
- $matches = preg_grep('/^'.preg_quote($id, '/').'\s+(\S+)\s+/'.$ci, $AUTH_ACL);
+ $matches = preg_grep('/^'.preg_quote($id, '/').'\s+(\S+)\s+/u', $AUTH_ACL);
if(count($matches)) {
foreach($matches as $match) {
$match = preg_replace('/#.*$/', '', $match); //ignore comments
$acl = preg_split('/\s+/', $match);
+ if(!$auth->isCaseSensitive() && $acl[1] !== '@ALL') {
+ $acl[1] = utf8_strtolower($acl[1]);
+ }
if(!in_array($acl[1], $groups)) {
continue;
}
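Review bot: `utf8_strtolower($acl[1])` folds the ACL entry in its stored form, whereas the requesting user and groups are folded before `auth_nameencode()` is applied earlier in this function. If entries in `$AUTH_ACL` are stored in that encoded form (the encode step suggests it, but this hunk does not show it), an upper-case non-ASCII letter in an entry stays as escaped bytes and never equals the folded-then-encoded name, so the entry is skipped and a more specific restriction for that group would not take effect. Consider decoding before the fold and re-encoding afterwards, or document the limitation and add a test with a non-ASCII group name. The same three added lines appear in the namespace loop of the next hunk, and `$auth->isCaseSensitive()` could be read once into a local before both loops. The function starts and ends outside this hunk.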
@@ -588,11 +592,14 @@ function auth_aclcheck($id, $user, $groups) {
}
do {
- $matches = preg_grep('/^'.preg_quote($path, '/').'\s+(\S+)\s+/'.$ci, $AUTH_ACL);
+ $matches = preg_grep('/^'.preg_quote($path, '/').'\s+(\S+)\s+/u', $AUTH_ACL);
if(count($matches)) {
foreach($matches as $match) {
$match = preg_replace('/#.*$/', '', $match); //ignore comments
$acl = preg_split('/\s+/', $match);
+ if(!$auth->isCaseSensitive() && $acl[1] !== '@ALL') {
+ $acl[1] = utf8_strtolower($acl[1]);
+ }
if(!in_array($acl[1], $groups)) {
continue;
}
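Review bot: The folded entry is tested with `in_array($acl[1], $groups)`, which compares loosely, so the decision does not rest on byte-exact string equality; numeric-looking names are compared by value rather than by spelling. Assuming every element of `$groups` is a string after `cleanGroup()` and `auth_nameencode()`, the strict form is a safe tightening: `in_array($acl[1], $groups, true)`. The exact-match loop in the previous hunk has the same call. The do-loop continues outside this hunk.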