-rw-r--r-- | _test/cases/inc/remote.test.php | 52 | ||||
-rw-r--r-- | inc/remote.php | 15 |
2 files changed, 63 insertions, 4 deletions
diff --git a/_test/cases/inc/remote.test.php b/_test/cases/inc/remote.test.php index b6a683f45..07ca9d0e8 100644 --- a/_test/cases/inc/remote.test.php +++ b/_test/cases/inc/remote.test.php @@ -54,7 +54,13 @@ class RemoteAPICoreTest { 'return' => 'string', 'doc' => 'Test method', 'name' => 'twoArgWithDefaultArg', - ), + ), 'wiki.publicCall' => array( + 'args' => array(), + 'return' => 'boolean', + 'doc' => 'testing for public access', + 'name' => 'publicCall', + 'public' => 1 + ) ); } function stringTestMethod() { return 'success'; } @@ -66,6 +72,7 @@ class RemoteAPICoreTest { function oneStringArgMethod($arg) {return $arg; } function twoArgMethod($string, $int) { return array($string, $int); } function twoArgWithDefaultArg($string1, $string2 = 'default') { return array($string1, $string2); } + function publicCall() {return true;} } @@ -86,6 +93,12 @@ class remote_plugin_testplugin extends DokuWiki_Remote_Plugin { 'args' => array('string', 'int', 'bool'), 'return' => 'array', 'name' => 'method2', + ), 'publicCall' => array( + 'args' => array(), + 'return' => 'boolean', + 'doc' => 'testing for public access', + 'name' => 'publicCall', + 'public' => 1 ) ); } @@ -93,6 +106,8 @@ class remote_plugin_testplugin extends DokuWiki_Remote_Plugin { function method1() { return null; } function methodString() { return 'success'; } function method2($str, $int, $bool = false) { return array($str, $int, $bool); } + function publicCall() {return true;} + } @@ -134,7 +149,7 @@ class remote_test extends UnitTestCase { $methods = $this->remote->getPluginMethods(); $actual = array_keys($methods); sort($actual); - $expect = array('plugin.testplugin.method1', 'plugin.testplugin.method2', 'plugin.testplugin.methodString', 'plugin.testplugin.method2ext'); + $expect = array('plugin.testplugin.method1', 'plugin.testplugin.method2', 'plugin.testplugin.methodString', 'plugin.testplugin.method2ext', 'plugin.testplugin.publicCall'); sort($expect); $this->assertEqual($expect,$actual); } 
@@ -253,4 +268,37 @@ class remote_test extends UnitTestCase { $this->expectException('RemoteException'); $remoteApi->call('dose not exist'); } + + function test_publicCallCore() { + global $conf; + $conf['useacl'] = 1; + $remoteApi = new RemoteApi(); + $remoteApi->getCoreMethods(new RemoteAPICoreTest()); + $this->assertTrue($remoteApi->call('wiki.publicCall')); + } + + function test_publicCallPlugin() { + global $conf; + $conf['useacl'] = 1; + $remoteApi = new RemoteApi(); + $this->assertTrue($remoteApi->call('plugin.testplugin.publicCall')); + } + + function test_publicCallCoreDeny() { + global $conf; + $conf['useacl'] = 1; + $remoteApi = new RemoteApi(); + $remoteApi->getCoreMethods(new RemoteAPICoreTest()); + $this->expectException('RemoteAccessDenied'); + $remoteApi->call('wiki.stringTestMethod'); + } + + function test_publicCallPluginDeny() { + global $conf; + $conf['useacl'] = 1; + $remoteApi = new RemoteApi(); + $this->expectException('RemoteAccessDenied'); + $remoteApi->call('plugin.testplugin.methodString'); + } + } diff --git a/inc/remote.php b/inc/remote.php index 94d428e8c..15d2308f8 100644 --- a/inc/remote.php +++ b/inc/remote.php @@ -82,7 +82,6 @@ class RemoteAPI { * @return mixed result of method call, must be a primitive type. */ public function call($method, $args = array()) { - $this->forceAccess(); list($type, $pluginName, $call) = explode('.', $method, 3); if ($type === 'plugin') { $plugin = plugin_load('remote', $pluginName); @@ -90,10 +89,12 @@ class RemoteAPI { if (!$plugin) { throw new RemoteException('Method dose not exists'); } + $this->checkAccess($methods[$method]); $name = $this->getMethodName($methods, $method); return call_user_func_array(array($plugin, $name), $args); } else { $coreMethods = $this->getCoreMethods(); + $this->checkAccess($coreMethods[$method]); if (!isset($coreMethods[$method])) { throw new RemoteException('Method dose not exists'); } 
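Review bot: The two deny tests (`test_publicCallCoreDeny`, `test_publicCallPluginDeny`) only exercise methods whose metadata has no `public` key, so the explicit `'public' => 0` branch of the new access check, and any non-integer value a plugin might supply, is never asserted. A fixture entry with `'public' => 0` and one with `'public' => ''`, each paired with `$this->expectException('RemoteAccessDenied');`, would pin the fail-closed behaviour. The tests also write `$conf['useacl']` through `global $conf` without restoring it and rely on no user being logged in without setting that up; whether a setUp outside this hunk covers either is not visible here.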
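Review bot: With `$this->forceAccess();` removed from the top of `call()`, the plugin branch runs `plugin_load('remote', $pluginName)` on a caller-supplied name and can throw 'Method dose not exists' before any access check. An unauthenticated caller can therefore tell installed remote plugins from missing ones, while the core branch checks access first and gives nothing away. Making the missing-plugin path fail closed as well keeps the two branches consistent: `if (!$plugin) { $this->forceAccess(); throw new RemoteException('Method dose not exists'); }`. Both `checkAccess($methods[$method])` and `checkAccess($coreMethods[$method])` also index a key that may be absent; the resulting null does end in `forceAccess()`, but only after an undefined-index notice, so `isset($coreMethods[$method]) ? $coreMethods[$method] : null` states the intent. The line that assigns `$methods` sits between the two hunks and the rest of `call()` continues outside them.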
@@ -102,6 +103,16 @@ class RemoteAPI { } } + private function checkAccess($methodMeta) { + if (!isset($methodMeta['public'])) { + $this->forceAccess(); + } else{ + if ($methodMeta['public'] == '0') { + $this->forceAccess(); + } + } + } + private function checkArgumentLength($method, $args) { if (count($method['args']) < count($args)) { throw new RemoteException('Method dose not exists - wrong parameter count.'); @@ -141,7 +152,7 @@ class RemoteAPI { */ public function forceAccess() { if (!$this->hasAccess()) { - throw new RemoteException('Access denied'); + throw new RemoteAccessDenied(); } } |
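Review bot: `checkAccess()` fails open, because the only value that triggers `forceAccess()` is one loosely equal to `'0'`. A plugin that declares `'public' => ''`, `'public' => 'false'` or `'public' => array()` has its method exposed without authentication. Since this flag comes from plugin-supplied metadata, an allow-list is safer: `$isPublic = isset($methodMeta['public']) && ($methodMeta['public'] === 1 || $methodMeta['public'] === true || $methodMeta['public'] === '1');` followed by `if (!$isPublic) { $this->forceAccess(); }`. The method also has no docblock; it should state that `public` is the only switch that bypasses the ACL check and which values are accepted.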
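Review bot: `throw new RemoteAccessDenied();` drops the 'Access denied' message and changes the thrown type, and the class is not defined anywhere in this diff. If `RemoteAccessDenied` does not extend `RemoteException`, existing callers that catch `RemoteException` around `call()` or `forceAccess()` would stop handling denied requests; this is worth confirming against the class definition. Keeping the message, `throw new RemoteAccessDenied('Access denied');`, assuming the constructor accepts one, preserves what logs and clients saw before.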