From d7554c0bb25241c1299af28785878d31ad02dbad Mon Sep 17 00:00:00 2001 From: Andreas Gohr Date: Sun, 17 Jan 2010 10:52:59 +0100 Subject: Added CRSF security token checks in ACL plugin --- lib/plugins/acl/admin.php | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) (limited to 'lib/plugins/acl/admin.php') diff --git a/lib/plugins/acl/admin.php b/lib/plugins/acl/admin.php index 59671a0cb..a3fb4636d 100644 --- a/lib/plugins/acl/admin.php +++ b/lib/plugins/acl/admin.php @@ -31,7 +31,7 @@ class admin_plugin_acl extends DokuWiki_Admin_Plugin { return array( 'author' => 'Andreas Gohr', 'email' => 'andi@splitbrain.org', - 'date' => '2009-08-07', + 'date' => '2010-01-17', 'name' => 'ACL Manager', 'desc' => 'Manage Page Access Control Lists', 'url' => 'http://dokuwiki.org/plugin:acl', @@ -67,6 +67,7 @@ class admin_plugin_acl extends DokuWiki_Admin_Plugin { // fresh 1:1 copy without replacements $AUTH_ACL = file(DOKU_CONF.'acl.auth.php'); + // namespace given? if($_REQUEST['ns'] == '*'){ $this->ns = '*'; @@ -89,7 +90,8 @@ class admin_plugin_acl extends DokuWiki_Admin_Plugin { } // handle modifications - if(isset($_REQUEST['cmd'])){ + if(isset($_REQUEST['cmd']) && checkSecurityToken()){ + // scope for modifications if($this->ns){ if($this->ns == '*'){ @@ -310,6 +312,7 @@ class admin_plugin_acl extends DokuWiki_Admin_Plugin { echo ''.NL; echo ''.NL; echo ''.NL; + echo ''.NL; echo ''.NL; } @@ -480,11 +483,11 @@ class admin_plugin_acl extends DokuWiki_Admin_Plugin { $alt = '+'; } $ret .= ''.$alt.''; - $ret .= ''; + $ret .= ''; $ret .= $base; $ret .= ''; }else{ - $ret .= ''; + $ret .= ''; $ret .= noNS($item['id']); $ret .= ''; } @@ -562,6 +565,7 @@ class admin_plugin_acl extends DokuWiki_Admin_Plugin { echo ''.NL; echo ''.NL; echo ''.NL; + echo ''.NL; echo ''; echo ''; echo ''; -- cgit v1.2.3 From 4db7791517d8ffb7c863e0ca5bb455dad32877f8 Mon Sep 17 00:00:00 2001 
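Review bot: The modification branch in the `@@ -89,7 +90,8 @@` hunk still keys off `$_REQUEST['cmd']`, so a state-changing ACL rewrite is accepted on a GET request (and from cookie-sourced parameters) whenever the token matches; requiring `$_SERVER['REQUEST_METHOD'] == 'POST'` next to `checkSecurityToken()` would keep the write path off plain links and out of Referer headers. `checkSecurityToken()` is called with no argument, so it presumably reads the token from the request itself — confirm that the hidden field the two form hunks add (their markup is not preserved on this page) carries the name it expects. When the token does not match, the branch is skipped silently here; whether the administrator sees a message depends on what `checkSecurityToken()` does on failure. The enclosing method begins and ends outside the hunk.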
From: Christian Marg Date: Thu, 21 Jan 2010 22:12:17 +0100 Subject: Apply group/user cleaning on saving ACLs FS#1859 --- lib/plugins/acl/admin.php | 7 +++++++ 1 file changed, 7 insertions(+) (limited to 'lib/plugins/acl/admin.php') diff --git a/lib/plugins/acl/admin.php b/lib/plugins/acl/admin.php index a3fb4636d..a7037047a 100644 --- a/lib/plugins/acl/admin.php +++ b/lib/plugins/acl/admin.php @@ -130,6 +130,13 @@ class admin_plugin_acl extends DokuWiki_Admin_Plugin { // re-add all rules foreach((array) $_REQUEST['acl'] as $where => $opt){ foreach($opt as $who => $perm){ + if ($who[0]=='@') { + if ($who!='@ALL') { + $who = '@'.ltrim($auth->cleanGroup($who),'@'); + } + } else { + $who = $auth->cleanUser($who); + } $who = auth_nameencode($who,true); $lines[] = "$where\t$who\t$perm\n"; } -- cgit v1.2.3 From c2a6d81662045023bdf1617b6b49f71c274d55ca Mon Sep 17 00:00:00 2001 From: Andreas Gohr Date: Mon, 1 Feb 2010 16:10:25 +0100 Subject: plugin related autoloading This patch moved the place where DOKU_PLUGIN is defined. It no longer can be set from a normal config (only via preload) --- lib/plugins/acl/admin.php | 4 ---- 1 file changed, 4 deletions(-) (limited to 'lib/plugins/acl/admin.php') diff --git a/lib/plugins/acl/admin.php b/lib/plugins/acl/admin.php index a7037047a..b38d2ac6e 100644 --- a/lib/plugins/acl/admin.php +++ b/lib/plugins/acl/admin.php @@ -10,9 +10,6 @@ // must be run within Dokuwiki if(!defined('DOKU_INC')) die(); -if(!defined('DOKU_PLUGIN')) define('DOKU_PLUGIN',DOKU_INC.'lib/plugins/'); -require_once(DOKU_PLUGIN.'admin.php'); - /** * All DokuWiki plugins to extend the admin function * need to inherit from this class @@ -216,7 +213,6 @@ class admin_plugin_acl extends DokuWiki_Admin_Plugin { * @author Andreas Gohr */ function _html_explorer(){ - require_once(DOKU_INC.'inc/search.php'); global $conf; global $ID; global $lang; -- cgit v1.2.3 From d74913c6df41b27eb1ea8388a47d94e66f97c652 Mon Sep 17 00:00:00 2001 
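Review bot: In the `@@ -130,6 +130,13 @@` hunk only `$who` is cleaned; `$where` and `$perm`, the other two values taken from `$_REQUEST['acl']`, still reach `$lines[] = "$where\t$who\t$perm\n";` as received, and the ACL file is tab- and newline-delimited, so a level value containing either separator would yield a malformed or extra rule unless the method validates them before this loop (its start lies outside the hunk). Casting the level, `$perm = (int) $perm;`, before the line is built would make the rewrite independent of that. Note also that PHP stores numeric-string array keys as integers, so `$who[0]` on such a key is `null`, the group branch is skipped and `cleanUser()` receives an int rather than a string.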
From: Michael Hamann Date: Sat, 3 Apr 2010 14:40:32 +0200 Subject: Fixed sorting in the acl manager treeview Previously the content of expanded namespaces was displayed below all other pages, now it is placed below it's parent namespace. The new comparison function is quite complex. Please have a look at it if it can done easier or if there are cases I haven't considered where the function produces incorrect results. --- lib/plugins/acl/admin.php | 39 ++++++++++++++++++++++++++++++++------- 1 file changed, 32 insertions(+), 7 deletions(-) (limited to 'lib/plugins/acl/admin.php') diff --git a/lib/plugins/acl/admin.php b/lib/plugins/acl/admin.php index b38d2ac6e..dcd72b611 100644 --- a/lib/plugins/acl/admin.php +++ b/lib/plugins/acl/admin.php @@ -267,8 +267,7 @@ class admin_plugin_acl extends DokuWiki_Admin_Plugin { usort($data,array($this,'_tree_sort')); $count = count($data); if($count>0) for($i=1; $i<$count; $i++){ - if($data[$i]['type'] == 'f') break; // namespaces come first, we're done - if($data[$i-1]['id'] == $data[$i]['id']) unset($data[$i]); + if($data[$i-1]['id'] == $data[$i]['id'] && $data[$i-1]['type'] == $data[$i]['type']) unset($data[$i]); } return $data; } 
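Review bot: The new dedupe condition in the `@@ -267,8 +267,7 @@` hunk is evaluated against `$data[$i-1]` after that slot may itself have been `unset()` on the previous iteration, so the comparison is then against `null` rather than the last surviving entry, and the returned `$data` has gaps in its keys. With only the page and media trees merged, duplicates presumably come in pairs and the null comparison does not bite, but any caller indexing `$data` numerically would see the gaps; `return array_values($data);` closes them. A short comment on why duplicates exist at all — presumably the same namespace appearing in both trees — would explain the loop to the next reader. The enclosing method begins outside the hunk.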
@@ -279,13 +278,39 @@ class admin_plugin_acl extends DokuWiki_Admin_Plugin {
 * Sorts the combined trees of media and page files
 */
 function _tree_sort($a,$b){
- if($a['type'] == 'd' && $b['type'] == 'f'){
+ // handle the trivial cases first
+ if ($a['id'] == '') return -1;
+ if ($b['id'] == '') return 1;
+ // split up the id into parts
+ $a_ids = explode(':', $a['id']);
+ $b_ids = explode(':', $b['id']);
+ // now loop through the parts
+ while (count($a_ids) && count($b_ids)) {
+ // compare each level from upper to lower
+ // until a non-equal component is found
+ $cur_result = strcmp(array_shift($a_ids), array_shift($b_ids));
+ if ($cur_result) {
+ // if one of the components is the last component and is a file
+ // and the other one is either of a deeper level or a directory,
+ // the file has to come after the deeper level or directory
+ if (empty($a_ids) && $a['type'] == 'f' && (count($b_ids) || $b['type'] == 'd')) return 1;
+ if (empty($b_ids) && $b['type'] == 'f' && (count($a_ids) || $a['type'] == 'd')) return -1;
+ return $cur_result;
+ }
+ }
+ // The two ids seem to be equal. One of them might however refer
+ // to a page, one to a namespace, the namespace needs to be first.
+ if (empty($a_ids) && empty($b_ids)) {
+ if ($a['type'] == $b['type']) return 0;
+ if ($a['type'] == 'f') return 1;
 return -1;
- }elseif($a['type'] == 'f' && $b['type'] == 'd'){
- return 1;
- }else{
- return strcmp($a['id'],$b['id']);
 }
+ // Now the empty part is either a page in the parent namespace
+ // that obviously needs to be after the namespace
+ // Or it is the namespace that contains the other part and should be
+ // before that other part.
+ if (empty($a_ids)) return ($a['type'] == 'd') ? -1 : 1;
+ if (empty($b_ids)) return ($b['type'] == 'd') ? 1 : -1;
 }
 
 /**
-- cgit v1.2.3
From 40307ce67e9cb6cc8f00ddcddf1677f41b42fb83 Mon Sep 17 00:00:00 2001
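Review bot: `if ($a['id'] == '') return -1;` fires before `$b` is examined, so two entries that both carry the empty id (presumably the root namespace, if both the page and the media tree contribute one) compare as -1 in either order, which makes the comparator inconsistent for exactly the pair the dedupe loop in the previous hunk expects `usort()` to place side by side; `if ($a['id'] == '' && $b['id'] == '') return 0;` ahead of the two trivial cases closes that. The docblock above the function, whose last line is hunk context, still reads only `Sorts the combined trees of media and page files`, while the body now implements a three-rule order — a namespace before a page with the same id, entries below an expanded namespace before the pages of the parent namespace, otherwise component-wise `strcmp()` — and that contract, together with `@return int`, belongs in the docblock rather than only in the inline comments. The literal `''` id is also worth a one-word comment on the first trivial case, since nothing in the function says what it denotes.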
From: Michael Hamann Date: Sat, 3 Apr 2010 16:57:58 +0200 Subject: Preserve selected item in the acl manager during ajax requests There are two new parameters submitted that contain the currently selected namespace and page id so it can be selected again indenpendently from the opened namespace. --- lib/plugins/acl/admin.php | 25 ++++++++++++++++++++++--- 1 file changed, 22 insertions(+), 3 deletions(-) (limited to 'lib/plugins/acl/admin.php') diff --git a/lib/plugins/acl/admin.php b/lib/plugins/acl/admin.php index dcd72b611..1f666660c 100644 --- a/lib/plugins/acl/admin.php +++ b/lib/plugins/acl/admin.php @@ -17,6 +17,15 @@ if(!defined('DOKU_INC')) die(); class admin_plugin_acl extends DokuWiki_Admin_Plugin { var $acl = null; var $ns = null; + /** + * The currently selected item, associative array with id and type. + * Populated from (in this order): + * $_REQUEST['current_ns'] + * $_REQUEST['current_id'] + * $ns + * $ID + */ + var $current_item = null; var $who = ''; var $usersgroups = array(); var $specials = array(); @@ -72,6 +81,16 @@ class admin_plugin_acl extends DokuWiki_Admin_Plugin { $this->ns = cleanID($_REQUEST['ns']); } + if ($_REQUEST['current_ns']) { + $this->current_item = array('id' => cleanID($_REQUEST['current_ns']), 'type' => 'd'); + } elseif ($_REQUEST['current_id']) { + $this->current_item = array('id' => cleanID($_REQUEST['current_id']), 'type' => 'f'); + } elseif ($this->ns) { + $this->current_item = array('id' => $this->ns, 'type' => 'd'); + } else { + $this->current_item = array('id' => $ID, 'type' => 'f'); + } + // user or group choosen? $who = trim($_REQUEST['acl_w']); if($_REQUEST['acl_t'] == '__g__' && $who){ @@ -167,7 +186,7 @@ class admin_plugin_acl extends DokuWiki_Admin_Plugin { echo '
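Review bot: The `@@ -72,6 +81,16 @@` hunk tests `$_REQUEST['current_ns']` and `$_REQUEST['current_id']` by truthiness, so a namespace or page whose id is the string `'0'` falls through to the `$this->ns`/`$ID` defaults, and an absent parameter raises an undefined-index notice before the test. `isset($_REQUEST['current_ns']) && $_REQUEST['current_ns'] !== ''` (and the same for `current_id`) selects on presence instead while keeping the `cleanID()` calls as they are. The enclosing method starts and ends outside the hunk.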
'.NL; echo '
'.NL; - $this->_html_explorer($_REQUEST['ns']); + $this->_html_explorer(); echo '
'.NL; echo '
'.NL; @@ -498,8 +517,8 @@ class admin_plugin_acl extends DokuWiki_Admin_Plugin { } // highlight? - if( ($item['type']=='d' && $item['id'] == $this->ns) || - ($item['type']!='d' && $item['id'] == $ID)) $cl = ' cur'; + if( ($item['type']== $this->current_item['type'] && $item['id'] == $this->current_item['id'])) + $cl = ' cur'; // namespace or page? if($item['type']=='d'){ -- cgit v1.2.3 From 80601d26897c5dced80645aaf904085aa08b7bb9 Mon Sep 17 00:00:00 2001 From: Andreas Gohr Date: Sat, 26 Jun 2010 11:20:25 +0200 Subject: fixed wildcard handling in ACL manager FS#1955 This patch also removes legacy support for @USER@. Only %USER% is valid now. --- lib/plugins/acl/admin.php | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) (limited to 'lib/plugins/acl/admin.php') diff --git a/lib/plugins/acl/admin.php b/lib/plugins/acl/admin.php index 1f666660c..673ffbc96 100644 --- a/lib/plugins/acl/admin.php +++ b/lib/plugins/acl/admin.php @@ -96,7 +96,10 @@ class admin_plugin_acl extends DokuWiki_Admin_Plugin { if($_REQUEST['acl_t'] == '__g__' && $who){ $this->who = '@'.ltrim($auth->cleanGroup($who),'@'); }elseif($_REQUEST['acl_t'] == '__u__' && $who){ - $this->who = ltrim($auth->cleanUser($who),'@'); + $this->who = ltrim($who,'@'); + if($this->who != '%USER%'){ #keep wildcard as is + $this->who = $auth->cleanUser($this->who); + } }elseif($_REQUEST['acl_t'] && $_REQUEST['acl_t'] != '__u__' && $_REQUEST['acl_t'] != '__g__'){ @@ -150,7 +153,7 @@ class admin_plugin_acl extends DokuWiki_Admin_Plugin { if ($who!='@ALL') { $who = '@'.ltrim($auth->cleanGroup($who),'@'); } - } else { + } elseif ($who != '%USER%'){ #keep wildcard as is $who = $auth->cleanUser($who); } $who = auth_nameencode($who,true); -- cgit v1.2.3 From c8f80b4e70ee1b73ecc08cac583d021979af9359 Mon Sep 17 00:00:00 2001 
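Review bot: The new highlight test in the `@@ -498,8 +517,8 @@` hunk compares with `==` and is wrapped in a redundant pair of parentheses; both operands appear to be plain strings, so `if($item['type'] === $this->current_item['type'] && $item['id'] === $this->current_item['id']) $cl = ' cur';` says the same without loose-comparison surprises. The test also assumes `$this->current_item` has already been filled by the request handler; a one-line comment `// set from current_ns/current_id in the request handler` would make that ordering dependency visible. The enclosing method begins and ends outside the hunk.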
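Review bot: The `'%USER%'` wildcard literal is now compared in two places, in the `@@ -96,7 +96,10 @@` hunk and again in the `@@ -150,7 +153,7 @@` save loop, and the commit message says the old `@USER@` spelling is gone; a class constant such as `const USER_WILDCARD = '%USER%';` referenced from both checks would keep them in step. In the first hunk the user branch strips a leading `@` and then skips `cleanUser()` only for the exact string `%USER%`, so a differently cased `%user%` would be handed to `cleanUser()` and presumably normalised into something that is no longer recognised as the wildcard; if that is intended, the `#keep wildcard as is` comment should say the match is case-sensitive. Both hunks lie inside a method whose start and end are outside them.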
From: Andreas Gohr Date: Sun, 27 Jun 2010 14:43:56 +0200 Subject: Use config_cascade for ACLs and plain auth users FS#1677 --- lib/plugins/acl/admin.php | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) (limited to 'lib/plugins/acl/admin.php') diff --git a/lib/plugins/acl/admin.php b/lib/plugins/acl/admin.php index 673ffbc96..84932f7ac 100644 --- a/lib/plugins/acl/admin.php +++ b/lib/plugins/acl/admin.php @@ -69,6 +69,7 @@ class admin_plugin_acl extends DokuWiki_Admin_Plugin { global $AUTH_ACL; global $ID; global $auth; + global $config_cascade; // fresh 1:1 copy without replacements $AUTH_ACL = file(DOKU_CONF.'acl.auth.php'); @@ -161,11 +162,11 @@ class admin_plugin_acl extends DokuWiki_Admin_Plugin { } } // save it - io_saveFile(DOKU_CONF.'acl.auth.php', join('',$lines)); + io_saveFile($config_cascade['acl']['default'], join('',$lines)); } // reload ACL config - $AUTH_ACL = file(DOKU_CONF.'acl.auth.php'); + $AUTH_ACL = file($config_cascade['acl']['default']); } // initialize ACL array @@ -696,7 +697,8 @@ class admin_plugin_acl extends DokuWiki_Admin_Plugin { * @author Frank Schubert */ function _acl_add($acl_scope, $acl_user, $acl_level){ - $acl_config = file_get_contents(DOKU_CONF.'acl.auth.php'); + global $config_cascade; + $acl_config = file_get_contents($config_cascade['acl']['default']); $acl_user = auth_nameencode($acl_user,true); // max level for pagenames is edit @@ -718,7 +720,8 @@ class admin_plugin_acl extends DokuWiki_Admin_Plugin { * @author Frank Schubert */ function _acl_del($acl_scope, $acl_user){ - $acl_config = file(DOKU_CONF.'acl.auth.php'); + global $config_cascade; + $acl_config = file($config_cascade['acl']['default']); $acl_user = auth_nameencode($acl_user,true); $acl_pattern = '^'.preg_quote($acl_scope,'/').'\s+'.$acl_user.'\s+[0-8].*$'; -- cgit v1.2.3
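Review bot: `$config_cascade['acl']['default']` is now looked up in five places across the `@@ -69`, `@@ -161`, `@@ -696` and `@@ -718` hunks, none of which checks that the key is set or that `file()`/`file_get_contents()` succeeded, so a missing cascade entry would leave `$AUTH_ACL` as `false` rather than an empty array. A private accessor, `function _acl_file(){ global $config_cascade; return $config_cascade['acl']['default']; }`, would give the path one home and one place to validate it. In `_acl_del` the context line after the new `file()` call interpolates `$acl_user` into the pattern without `preg_quote()`; that presumably works because `auth_nameencode()` has already encoded metacharacters, but the reliance deserves a comment such as `// $acl_user is name-encoded, so it contains no regex metacharacters`. The `@@ -69` and `@@ -161` hunks belong to a method that starts and ends outside them.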
'.$this->getLang('where').'