authorGuy Brand <gb@isis.u-strasbg.fr>2008-02-27 15:25:15 +0100
committerGuy Brand <gb@isis.u-strasbg.fr>2008-02-27 15:25:15 +0100
commit7651d633d828ae1f70ca70634c5ebfe0686db25a (patch)
treed4d1aadeff14bdd43a83af4fc6daa7bae59e5b45
parent52b0dd6759c3a1c726ae81acf5ab430b1ee6f308 (diff)
Superuser and manager now can be comma separated lists
This patch allows $conf['superuser'] and $conf['manager'] to be lists of values instead of only a single value. So one can put: $conf['superuser'] darcs-hash:20080227142515-19e2d-c160914589f71531583e7ddaab1fc6a81996efa1.gz
-rw-r--r--_test/cases/inc/auth_aclcheck.test.php96
-rw-r--r--_test/cases/inc/auth_admincheck.test.php53
-rw-r--r--conf/dokuwiki.php4
-rw-r--r--inc/auth.php23
4 files changed, 170 insertions, 6 deletions
diff --git a/_test/cases/inc/auth_aclcheck.test.php b/_test/cases/inc/auth_aclcheck.test.php
index 18242fd16..d8a8f285a 100644
--- a/_test/cases/inc/auth_aclcheck.test.php
+++ b/_test/cases/inc/auth_aclcheck.test.php
@@ -130,6 +130,102 @@ class auth_acl_test extends UnitTestCase {
$this->assertEqual(auth_aclcheck('devel:marketing', 'jane' ,array('devel')) , AUTH_UPLOAD);
}
+
+ function test_multiadmin_restricted(){
+ global $conf;
+ global $AUTH_ACL;
+ $conf['superuser'] = 'john,@admin,doe,@roots';
+ $conf['useacl'] = 1;
+
+ $AUTH_ACL = array(
+ '* @ALL 0',
+ '* @user 8',
+ );
+
+ // anonymous user
+ $this->assertEqual(auth_aclcheck('page', '',array()), AUTH_NONE);
+ $this->assertEqual(auth_aclcheck('namespace:page','',array()), AUTH_NONE);
+ $this->assertEqual(auth_aclcheck('namespace:*', '',array()), AUTH_NONE);
+
+ // user with no matching group
+ $this->assertEqual(auth_aclcheck('page', 'jill',array('foo')), AUTH_NONE);
+ $this->assertEqual(auth_aclcheck('namespace:page','jill',array('foo')), AUTH_NONE);
+ $this->assertEqual(auth_aclcheck('namespace:*', 'jill',array('foo')), AUTH_NONE);
+
+ // user with matching group
+ $this->assertEqual(auth_aclcheck('page', 'jill',array('foo','user')), AUTH_UPLOAD);
+ $this->assertEqual(auth_aclcheck('namespace:page','jill',array('foo','user')), AUTH_UPLOAD);
+ $this->assertEqual(auth_aclcheck('namespace:*', 'jill',array('foo','user')), AUTH_UPLOAD);
+
+ // super user john
+ $this->assertEqual(auth_aclcheck('page', 'john',array('foo')), AUTH_ADMIN);
+ $this->assertEqual(auth_aclcheck('namespace:page','john',array('foo')), AUTH_ADMIN);
+ $this->assertEqual(auth_aclcheck('namespace:*', 'john',array('foo')), AUTH_ADMIN);
+
+ // super user doe
+ $this->assertEqual(auth_aclcheck('page', 'doe',array('foo')), AUTH_ADMIN);
+ $this->assertEqual(auth_aclcheck('namespace:page','doe',array('foo')), AUTH_ADMIN);
+ $this->assertEqual(auth_aclcheck('namespace:*', 'doe',array('foo')), AUTH_ADMIN);
+
+ // user with matching admin group
+ $this->assertEqual(auth_aclcheck('page', 'jill',array('foo','admin')), AUTH_ADMIN);
+ $this->assertEqual(auth_aclcheck('namespace:page','jill',array('foo','admin')), AUTH_ADMIN);
+ $this->assertEqual(auth_aclcheck('namespace:*', 'jill',array('foo','admin')), AUTH_ADMIN);
+
+ // user with matching another admin group
+ $this->assertEqual(auth_aclcheck('page', 'jill',array('foo','roots')), AUTH_ADMIN);
+ $this->assertEqual(auth_aclcheck('namespace:page','jill',array('foo','roots')), AUTH_ADMIN);
+ $this->assertEqual(auth_aclcheck('namespace:*', 'jill',array('foo','roots')), AUTH_ADMIN);
+ }
+
+ function test_multiadmin_restricted_ropage(){
+ global $conf;
+ global $AUTH_ACL;
+ $conf['superuser'] = 'john,@admin,doe,@roots';
+ $conf['useacl'] = 1;
+
+ $AUTH_ACL = array(
+ '* @ALL 0',
+ '* @user 8',
+ 'namespace:page @user 1',
+ );
+
+ // anonymous user
+ $this->assertEqual(auth_aclcheck('page', '',array()), AUTH_NONE);
+ $this->assertEqual(auth_aclcheck('namespace:page','',array()), AUTH_NONE);
+ $this->assertEqual(auth_aclcheck('namespace:*', '',array()), AUTH_NONE);
+
+ // user with no matching group
+ $this->assertEqual(auth_aclcheck('page', 'jill',array('foo')), AUTH_NONE);
+ $this->assertEqual(auth_aclcheck('namespace:page','jill',array('foo')), AUTH_NONE);
+ $this->assertEqual(auth_aclcheck('namespace:*', 'jill',array('foo')), AUTH_NONE);
+
+ // user with matching group
+ $this->assertEqual(auth_aclcheck('page', 'jill',array('foo','user')), AUTH_UPLOAD);
+ $this->assertEqual(auth_aclcheck('namespace:page','jill',array('foo','user')), AUTH_READ);
+ $this->assertEqual(auth_aclcheck('namespace:*', 'jill',array('foo','user')), AUTH_UPLOAD);
+
+ // super user john
+ $this->assertEqual(auth_aclcheck('page', 'john',array('foo')), AUTH_ADMIN);
+ $this->assertEqual(auth_aclcheck('namespace:page','john',array('foo')), AUTH_ADMIN);
+ $this->assertEqual(auth_aclcheck('namespace:*', 'john',array('foo')), AUTH_ADMIN);
+
+ // super user doe
+ $this->assertEqual(auth_aclcheck('page', 'doe',array('foo')), AUTH_ADMIN);
+ $this->assertEqual(auth_aclcheck('namespace:page','doe',array('foo')), AUTH_ADMIN);
+ $this->assertEqual(auth_aclcheck('namespace:*', 'doe',array('foo')), AUTH_ADMIN);
+
+ // user with matching admin group
+ $this->assertEqual(auth_aclcheck('page', 'jill',array('foo','admin')), AUTH_ADMIN);
+ $this->assertEqual(auth_aclcheck('namespace:page','jill',array('foo','admin')), AUTH_ADMIN);
+ $this->assertEqual(auth_aclcheck('namespace:*', 'jill',array('foo','admin')), AUTH_ADMIN);
+
+ // user with matching another admin group
+ $this->assertEqual(auth_aclcheck('page', 'jill',array('foo','roots')), AUTH_ADMIN);
+ $this->assertEqual(auth_aclcheck('namespace:page','jill',array('foo','roots')), AUTH_ADMIN);
+ $this->assertEqual(auth_aclcheck('namespace:*', 'jill',array('foo','roots')), AUTH_ADMIN);
+ }
+
}
//Setup VIM: ex: et ts=4 enc=utf-8 :
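Review bot: Both new tests use only a well-formed list (`'john,@admin,doe,@roots'`), so nothing pins how the list parser treats spaces, a trailing comma or an empty element. These entries decide who gets AUTH_ADMIN, so I would add a case such as `$conf['superuser'] = 'john, @admin ,';` followed by `$this->assertEqual(auth_aclcheck('page', '', array()), AUTH_NONE);` to show that a sloppy list never grants admin to the anonymous user. A negative check that user `admin` without the group `admin` stays below AUTH_ADMIN would also pin the user/`@group` distinction.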
diff --git a/_test/cases/inc/auth_admincheck.test.php b/_test/cases/inc/auth_admincheck.test.php
new file mode 100644
index 000000000..c00271a26
--- /dev/null
+++ b/_test/cases/inc/auth_admincheck.test.php
@@ -0,0 +1,53 @@
+<?php
+
+require_once DOKU_INC.'inc/init.php';
+require_once DOKU_INC.'inc/auth.php';
+
+class auth_admin_test extends UnitTestCase {
+
+ function teardown() {
+ global $conf;
+ global $AUTH_ACL;
+ unset($conf);
+ unset($AUTH_ACL);
+
+ }
+
+ function test_ismanager(){
+ global $conf;
+ $conf['superuser'] = 'john,@admin';
+ $conf['manager'] = 'john,@managers,doe';
+
+ // anonymous user
+ $this->assertEqual(auth_ismanager('jill', '',false), false);
+
+ // admin or manager users
+ $this->assertEqual(auth_ismanager('john', '',false), true);
+ $this->assertEqual(auth_ismanager('doe', '',false), true);
+
+ // admin or manager groups
+ $this->assertEqual(auth_ismanager('jill', array('admin'),false), true);
+ $this->assertEqual(auth_ismanager('jill', array('managers'),false), true);
+ }
+
+ function test_isadmin(){
+ global $conf;
+ $conf['superuser'] = 'john,@admin,doe,@roots';
+
+ // anonymous user
+ $this->assertEqual(auth_ismanager('jill', '',true), false);
+
+ // admin user
+ $this->assertEqual(auth_ismanager('john', '',true), true);
+ $this->assertEqual(auth_ismanager('doe', '',true), true);
+
+ // admin groups
+ $this->assertEqual(auth_ismanager('jill', array('admin'),true), true);
+ $this->assertEqual(auth_ismanager('jill', array('roots'),true), true);
+ $this->assertEqual(auth_ismanager('john', array('admin'),true), true);
+ $this->assertEqual(auth_ismanager('doe', array('admin'),true), true);
+ }
+
+}
+
+//Setup VIM: ex: et ts=4 enc=utf-8 :
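Review bot: `teardown()` does not clear the globals: after `global $conf;` the call `unset($conf)` only drops the function-local reference, so `$conf['manager']` set in `test_ismanager` is still in place when `test_isadmin` runs. If clearing is intended, `unset($GLOBALS['conf'], $GLOBALS['AUTH_ACL']);` does it; saving the values in `setup()` and restoring them here would be gentler on other test cases. `test_isadmin` also lacks a negative case: with `doe` listed only in `$conf['manager']`, `auth_ismanager('doe', '', true)` should be asserted `false`, so that a manager entry can never satisfy the admin-only check.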
diff --git a/conf/dokuwiki.php b/conf/dokuwiki.php
index 0229a5af3..723d44de7 100644
--- a/conf/dokuwiki.php
+++ b/conf/dokuwiki.php
@@ -63,8 +63,8 @@ $conf['autopasswd'] = 1; //autogenerate passwords and email them
$conf['authtype'] = 'plain'; //which authentication backend should be used
$conf['passcrypt'] = 'smd5'; //Used crypt method (smd5,md5,sha1,ssha,crypt,mysql,my411)
$conf['defaultgroup']= 'user'; //Default groups new Users are added to
-$conf['superuser'] = '!!not set!!'; //The admin can be user or @group
-$conf['manager'] = '!!not set!!'; //The manager can be user or @group
+$conf['superuser'] = '!!not set!!'; //The admin can be user or @group or comma separated list user1,@group1,user2
+$conf['manager'] = '!!not set!!'; //The manager can be user or @group or comma separated list user1,@group1,user2
$conf['profileconfirm'] = '1'; //Require current password to confirm changes to user profile
$conf['disableactions'] = ''; //comma separated list of actions to disable
$conf['sneaky_index'] = 0; //check for namespace read permission in index view (0|1) (1 might cause unexpected behavior)
diff --git a/inc/auth.php b/inc/auth.php
index 85576b680..5316ca382 100644
--- a/inc/auth.php
+++ b/inc/auth.php
@@ -273,9 +273,22 @@ function auth_ismanager($user=null,$groups=null,$adminonly=false){
$user = auth_nameencode($user);
// check username against superuser and manager
- if(auth_nameencode($conf['superuser']) == $user) return true;
+ $superusers = explode(',', $conf['superuser']);
+ $superusers = array_unique($superusers);
+ $superusers = array_map('trim', $superusers);
+ // prepare an array containing only true values for array_map call
+ $alltrue = array_fill(0, count($superusers), true);
+ $superusers = array_map('auth_nameencode', $superusers, $alltrue);
+ if(in_array($user, $superusers)) return true;
+
if(!$adminonly){
- if(auth_nameencode($conf['manager']) == $user) return true;
+ $managers = explode(',', $conf['manager']);
+ $managers = array_unique($managers);
+ $managers = array_map('trim', $managers);
+ // prepare an array containing only true values for array_map call
+ $alltrue = array_fill(0, count($managers), true);
+ $managers = array_map('auth_nameencode', $managers, $alltrue);
+ if(in_array($user, $managers)) return true;
}
// check user's groups against superuser and manager
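Review bot: An empty element in the list ends up in `$superusers`/`$managers`: a value like `'john,'` or `'john, ,doe'` yields `''` after `trim`, and `in_array($user, $superusers)` then returns true for an empty user name. The start of `auth_ismanager` is outside this hunk, so I cannot see whether an empty `$user` is rejected earlier; the new tests do pass `''` as the user to `auth_aclcheck`. I would drop empty entries and compare strictly: `$superusers = array_filter(array_map('trim', $superusers), 'strlen');` and `if(in_array($user, $superusers, true)) return true;`, likewise for `$managers`. Strict comparison also stops PHP from treating numeric-looking names such as `1e3` and `1000` as equal.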
@@ -288,9 +301,11 @@ function auth_ismanager($user=null,$groups=null,$adminonly=false){
}
// check groups against superuser and manager
- if(in_array(auth_nameencode($conf['superuser'],true), $groups)) return true;
+ foreach($superusers as $supu)
+ if(in_array($supu, $groups)) return true;
if(!$adminonly){
- if(in_array(auth_nameencode($conf['manager'],true), $groups)) return true;
+ foreach($managers as $mana)
+ if(in_array($mana, $groups)) return true;
}
}
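Review bot: The brace-less `foreach` with a nested `if`, sitting directly above the braced `if(!$adminonly){`, is easy to misread and easy to break when a line is added later. `if(array_intersect($superusers, $groups)) return true;` expresses the same check in one line and compares entries as strings rather than with the loose `==` that `in_array` uses by default. The loop also scans plain user entries against the group list, which is harmless only if `$groups` are `@`-prefixed in the lines between the two hunks, which are not visible here; a comment such as `// user entries never match: groups carry an @ prefix` would make that assumption explicit. The enclosing `if` and the function body continue outside the hunk.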