From ad3d68d738ab9057164c5d13a1836bd2791ab2f7 Mon Sep 17 00:00:00 2001
From: Christopher Smith
Date: Sat, 3 Aug 2013 14:04:06 +0200
Subject: Fix a couple of bugs in ACL substitution mechanism - %GROUP% & %USER% can now both be used in the same rule, e.g. %GROUP%:%USER% 2 - rules with tokens will be skipped when the user is not logged in previously %USER% was attempted
---
inc/auth.php | 14 +++++++++++---
1 file changed, 11 insertions(+), 3 deletions(-)
diff --git a/inc/auth.php b/inc/auth.php
index be6b7ebbe..1c0bf5b4f 100644
--- a/inc/auth.php
+++ b/inc/auth.php
@@ -136,22 +136,30 @@ function auth_loadACL() {
 $acl = file($config_cascade['acl']['default']);
- //support user wildcard
 $out = array();
 foreach($acl as $line) {
 $line = trim($line);
 if($line{0} == '#') continue;
 list($id,$rest) = preg_split('/\s+/',$line,2);
+ // substitue user wildcard first (its 1:1)
+ if(strstr($line, '%USER%')){
+ // if user is not logged in, this ACL line is meaningless - skip it
+ if (!isset($_SERVER['REMOTE_USER'])) continue;
+
+ $id = str_replace('%USER%',cleanID($_SERVER['REMOTE_USER']),$id);
+ $rest = str_replace('%USER%',auth_nameencode($_SERVER['REMOTE_USER']),$rest);
+ }
+
+ // substitute group wildcard (its 1:m)
 if(strstr($line, '%GROUP%')){
+ // if user is not logged in, grps is empty, no output will be added (i.e. skipped)
 foreach((array) $USERINFO['grps'] as $grp){
 $nid = str_replace('%GROUP%',cleanID($grp),$id);
 $nrest = str_replace('%GROUP%','@'.auth_nameencode($grp),$rest);
 $out[] = "$nid\t$nrest";
 }
 } else {
- $id = str_replace('%USER%',cleanID($_SERVER['REMOTE_USER']),$id);
- $rest = str_replace('%USER%',auth_nameencode($_SERVER['REMOTE_USER']),$rest);
 $out[] = "$id\t$rest";
 }
 }
-- cgit v1.2.3
From 041a602de97e0bb0e06b7a5a92564e6aadbfa81a Mon Sep 17 00:00:00 2001
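Review bot: The new guard `if (!isset($_SERVER['REMOTE_USER'])) continue;` skips a %USER% rule only when the variable is absent; if it is set but empty, both `str_replace` calls substitute an empty string and the line is still appended to `$out` with a blank subject. Suggest `if (!isset($_SERVER['REMOTE_USER']) || $_SERVER['REMOTE_USER'] === '') continue;`. The %GROUP% branch instead relies on `$USERINFO['grps']` being empty for anonymous requests, so the two wildcards take "logged in" from different sources; a one-line comment stating that assumption would help the next reader. How an emitted line is matched later is not visible here, and auth_loadACL() starts and ends outside this hunk.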
From: Christopher Smith
Date: Sat, 3 Aug 2013 14:27:05 +0200
Subject: fix a bug in acl manager where it attempted to correct too high page permission levels using the wrong var
---
lib/plugins/acl/admin.php | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/plugins/acl/admin.php b/lib/plugins/acl/admin.php
index 0d9cd742a..50377da81 100644
--- a/lib/plugins/acl/admin.php
+++ b/lib/plugins/acl/admin.php
@@ -724,7 +724,7 @@ class admin_plugin_acl extends DokuWiki_Admin_Plugin {
 static $label = 0; //number labels
 $ret = '';
- if($ispage && $setperm > AUTH_EDIT) $perm = AUTH_EDIT;
+ if($ispage && $setperm > AUTH_EDIT) $setperm = AUTH_EDIT;
 foreach(array(AUTH_NONE,AUTH_READ,AUTH_EDIT,AUTH_CREATE,AUTH_UPLOAD,AUTH_DELETE) as $perm){
 $label += 1;
-- cgit v1.2.3
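Review bot: The corrected clamp `if($ispage && $setperm > AUTH_EDIT) $setperm = AUTH_EDIT;` has no comment saying why pages are capped, and the old bug went unnoticed because the `foreach` immediately reassigns `$perm`. A line such as `// pages cannot hold create/upload/delete: cap the level at AUTH_EDIT` above it would make the intent explicit. This block appears to build form output (`$ret`, `$label`), so the clamp probably governs only what is displayed. Whether the code that stores a rule applies the same cap is not visible here and is worth confirming. The enclosing method starts and ends outside the hunk.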