From 59bc3b48fdffb76ee65a4b630be3ffa1f6c20c80 Mon Sep 17 00:00:00 2001
From: Gerrit Uitslag
Date: Mon, 29 Sep 2014 21:45:27 +0200
Subject: more scrutinizer issue improvements
---
 lib/plugins/acl/remote.php | 2 ++
 1 file changed, 2 insertions(+)
(limited to 'lib/plugins/acl/remote.php')
diff --git a/lib/plugins/acl/remote.php b/lib/plugins/acl/remote.php
index 6d5201cf6..2fdc697db 100644
--- a/lib/plugins/acl/remote.php
+++ b/lib/plugins/acl/remote.php
@@ -18,11 +18,13 @@ class remote_plugin_acl extends DokuWiki_Remote_Plugin {
 }
 function addAcl($scope, $user, $level){
+ /** @var admin_plugin_acl $apa */
 $apa = plugin_load('admin', 'acl');
 return $apa->_acl_add($scope, $user, $level);
 }
 function delAcl($scope, $user){
+ /** @var admin_plugin_acl $apa */
 $apa = plugin_load('admin', 'acl');
 return $apa->_acl_del($scope, $user);
 }
-- cgit v1.2.3
From 42ea7f447f39fbc2f79eaaec31f8c10ede59c5d0 Mon Sep 17 00:00:00 2001
From: Gerrit Uitslag
Date: Wed, 1 Oct 2014 11:30:27 +0200
Subject: Many PHPDocs, some unused and dyn declared vars many PHPDocs some unused variables some dynamically declared variables declared
---
 lib/plugins/acl/remote.php | 30 +++++++++++++++++++++++++++---
 1 file changed, 27 insertions(+), 3 deletions(-)
(limited to 'lib/plugins/acl/remote.php')
diff --git a/lib/plugins/acl/remote.php b/lib/plugins/acl/remote.php
index 2fdc697db..b10c544ee 100644
--- a/lib/plugins/acl/remote.php
+++ b/lib/plugins/acl/remote.php
@@ -1,7 +1,16 @@ array( 'args' => array('string','string','int'), 
@@ -17,13 +26,28 @@ class remote_plugin_acl extends DokuWiki_Remote_Plugin {
 );
 }
- function addAcl($scope, $user, $level){
+ /**
+ * Add a new entry to ACL config
+ *
+ * @param string $scope
+ * @param string $user
+ * @param int $level see also inc/auth.php
+ * @return bool
+ */
+ public function addAcl($scope, $user, $level){
 /** @var admin_plugin_acl $apa */
 $apa = plugin_load('admin', 'acl');
 return $apa->_acl_add($scope, $user, $level);
 }
- function delAcl($scope, $user){
+ /**
+ * Remove an entry from ACL config
+ *
+ * @param string $scope
+ * @param string $user
+ * @return bool
+ */
+ public function delAcl($scope, $user){
 /** @var admin_plugin_acl $apa */
 $apa = plugin_load('admin', 'acl');
 return $apa->_acl_del($scope, $user);
-- cgit v1.2.3
From 9cbf80e627322dee19852b953ef242b4e0ad514a Mon Sep 17 00:00:00 2001
From: Andreas Gohr
Date: Tue, 24 Feb 2015 19:45:03 +0100
Subject: check permissions in ACL plugin's RPC API component. #1056
Security Fix
Severity: Medium
Type: Remote Priviledge Escalation
Remote: yes
Vulnerability Details: This fixes a security hole in the ACL plugins remote API component. The plugin failed to check for superuser permissions before executing ACL addition or deletion. This means everybody with permissions to call the XMLRPC API also had permissions to set up their own ACL rules and thus circumventing any existing rules.
Risk Assessment: The XMLRPC API in DokuWiki is marked experimental and off by default. It also implements an additional safeguard by giving access to a configured circle of users and groups only. So only a minor number of DokuWiki installations will be affected at all. For affected installations the risk is high if users with access to the API are not to be trusted. Thus the overall severity of medium.
Resolution: Installations applying this commit are safe. A hotfix is about to be released. Meanwhile users are advised to disable the XMLRPC API in the config manager.
---
 lib/plugins/acl/remote.php | 10 ++++++++++
 1 file changed, 10 insertions(+)
(limited to 'lib/plugins/acl/remote.php')
diff --git a/lib/plugins/acl/remote.php b/lib/plugins/acl/remote.php
index b10c544ee..42449428f 100644
--- a/lib/plugins/acl/remote.php
+++ b/lib/plugins/acl/remote.php
@@ -32,9 +32,14 @@ class remote_plugin_acl extends DokuWiki_Remote_Plugin {
 * @param string $scope
 * @param string $user
 * @param int $level see also inc/auth.php
+ * @throws RemoteAccessDeniedException
 * @return bool
 */
 public function addAcl($scope, $user, $level){
+ if(!auth_isadmin()) {
+ throw new RemoteAccessDeniedException('You are not allowed to access ACLs, superuser permission is required', 114);
+ }
+
 /** @var admin_plugin_acl $apa */
 $apa = plugin_load('admin', 'acl');
 return $apa->_acl_add($scope, $user, $level);
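Review bot: The superuser guard is the right fix, but the line after it, `$apa = plugin_load('admin', 'acl');`, is still dereferenced unconditionally on the next line, and plugin_load may return null (for instance when the ACL admin plugin is disabled), which would turn an authorized RPC call into a fatal error instead of a clean API error; the delAcl hunk below has the same shape. A one-line guard such as `if(!$apa) throw new RemoteException('ACL admin plugin is not available');` after the load would keep the failure inside the remote API's error handling. The `auth_isadmin()` check, its message and the code 114 are now duplicated verbatim in addAcl and delAcl; a private helper, e.g. `private function requireSuperuser(){ if(!auth_isadmin()) throw new RemoteAccessDeniedException('You are not allowed to access ACLs, superuser permission is required', 114); }`, called first in both methods keeps the two checks from drifting apart. Note that auth_isadmin() presumably reads the user state established by the remote API's login handling before dispatch — worth confirming that every call path into these methods goes through that authentication step. addAcl's closing brace lies outside the hunk.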
@@ -45,9 +50,14 @@ class remote_plugin_acl extends DokuWiki_Remote_Plugin {
 *
 * @param string $scope
 * @param string $user
+ * @throws RemoteAccessDeniedException
 * @return bool
 */
 public function delAcl($scope, $user){
+ if(!auth_isadmin()) {
+ throw new RemoteAccessDeniedException('You are not allowed to access ACLs, superuser permission is required', 114);
+ }
+
 /** @var admin_plugin_acl $apa */
 $apa = plugin_load('admin', 'acl');
 return $apa->_acl_del($scope, $user);
-- cgit v1.2.3
From 67b479b256ae7436b507860d32ee7e0b29b1657a Mon Sep 17 00:00:00 2001
From: Gerrit Uitslag
Date: Tue, 30 Jun 2015 22:41:51 +0200
Subject: PHPDocs for remote and action
---
 lib/plugins/acl/remote.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'lib/plugins/acl/remote.php')
diff --git a/lib/plugins/acl/remote.php b/lib/plugins/acl/remote.php
index 42449428f..031686f95 100644
--- a/lib/plugins/acl/remote.php
+++ b/lib/plugins/acl/remote.php
@@ -8,7 +8,7 @@ class remote_plugin_acl extends DokuWiki_Remote_Plugin {
 /**
 * Returns details about the remote plugin methods
 *
- * @return array
+ * @return array Information about all provided methods. {@see RemoteAPI}
 */
 public function _getMethods() {
 return array(
-- cgit v1.2.3