From 67a31a83dd6c8a3ff9e87da0c2070a2783aec44e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michael=20Gro=C3=9Fe?=
Date: Thu, 12 Mar 2015 13:09:08 +0100
Subject: Create and use ad search for user, name and email

---
 lib/plugins/usermanager/admin.php | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

(limited to 'lib/plugins/usermanager')

diff --git a/lib/plugins/usermanager/admin.php b/lib/plugins/usermanager/admin.php
index 86562f1dd..b1f5c4023 100644
--- a/lib/plugins/usermanager/admin.php
+++ b/lib/plugins/usermanager/admin.php
@@ -81,6 +81,20 @@ class admin_plugin_usermanager extends DokuWiki_Admin_Plugin {
 return 2;
 }
 
+ /**
+ * @return int current start value for pageination
+ */
+ public function getStart() {
+ return $this->_start;
+ }
+
+ /**
+ * @return int number of users per page
+ */
+ public function getPagesize() {
+ return $this->_pagesize;
+ }
+
 /**
 * Handle user request
 *
-- cgit v1.2.3

From 462e9e37f38d6de9ec19ad1476b64bac3b851fc1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michael=20Gro=C3=9Fe?=
Date: Thu, 12 Mar 2015 15:06:26 +0100
Subject: Disable the ``last`` button when filtering groups

Since we cannot effectively filter for groups and have to work with incremental prefetching, the ``last`` button is mostly broken/buggy. Hence it is disabled in this usecase.
---
 lib/plugins/usermanager/admin.php | 12 ++++++++++++
 1 file changed, 12 insertions(+)

(limited to 'lib/plugins/usermanager')

diff --git a/lib/plugins/usermanager/admin.php b/lib/plugins/usermanager/admin.php
index b1f5c4023..cc4c4ae47 100644
--- a/lib/plugins/usermanager/admin.php
+++ b/lib/plugins/usermanager/admin.php
@@ -31,6 +31,7 @@ class admin_plugin_usermanager extends DokuWiki_Admin_Plugin {
 protected $_edit_userdata = array();
 protected $_disabled = ''; // if disabled set to explanatory string
 protected $_import_failures = array();
+ protected $_lastdisabled = false; // set to true if last user is unknown and last button is hence buggy
 
 /**
 * Constructor
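Review bot: The docblock on the new getStart() misspells "pagination"; it should read `* @return int current start value for pagination`. Beyond the typo, both getters merely expose $_start and $_pagesize, so the documented `@return int` is only as true as the code that assigns those properties (presumably from the request, not visible in this hunk); a cast such as `return (int) $this->_start;` would make the documented type hold regardless of the caller. The subject line mentions a search feature, but with the diff limited to lib/plugins/usermanager only these two accessors are visible, so the rest of the change cannot be reviewed from this page.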
@@ -95,6 +96,13 @@ class admin_plugin_usermanager extends DokuWiki_Admin_Plugin { return $this->_pagesize; } + /** + * @param boolean $lastdisabled + */ + public function setLastdisabled($lastdisabled) { + $this->_lastdisabled = $lastdisabled; + } + /** * Handle user request * @@ -850,6 +858,10 @@ class admin_plugin_usermanager extends DokuWiki_Admin_Plugin { $buttons['last'] = $buttons['next'] = (($this->_start + $this->_pagesize) >= $this->_user_total) ? $disabled : ''; } + if ($this->_lastdisabled) { + $buttons['last'] = $disabled; + } + return $buttons; } -- cgit v1.2.3 From f23f95941a400702f525923973f3612df6da82cb Mon Sep 17 00:00:00 2001 From: Andreas Gohr Date: Wed, 18 Mar 2015 22:16:34 +0100 Subject: SECURITY escape user properties in user manager #1081 The user properties (login, real name, etc) where not properly escaped in the user manager's edit form. This allowed a XSS attack on the superuser by registered users. Thanks to Filippo Cavallarin from www.segment.technology for discovering this bug. --- lib/plugins/usermanager/admin.php | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) (limited to 'lib/plugins/usermanager') diff --git a/lib/plugins/usermanager/admin.php b/lib/plugins/usermanager/admin.php index cc4c4ae47..9cb9b0c40 100644 --- a/lib/plugins/usermanager/admin.php +++ b/lib/plugins/usermanager/admin.php @@ -222,9 +222,9 @@ class admin_plugin_usermanager extends DokuWiki_Admin_Plugin { */ $groups = join(', ',$grps); ptln(" "); - ptln(" "); + ptln(" "); if ($editable) { - ptln(" 1, + ptln(" 1, 'do' => 'admin', 'page' => 'usermanager', 'sectok' => getSecurityToken())). @@ -356,7 +356,7 @@ class admin_plugin_usermanager extends DokuWiki_Admin_Plugin { // save current $user, we need this to access details if the name is changed if ($user) - ptln(" ",$indent); + ptln(" ",$indent); $this->_htmlFilterSettings($indent+10); 
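Review bot: setLastdisabled() stores its argument unchanged even though the docblock declares `@param boolean $lastdisabled`, and the only consumer visible in this commit, `if ($this->_lastdisabled)` in the hunk at line 858, tests truthiness; a caller passing a string such as 'false' would therefore disable the button while reading as a boolean false to anyone trusting the docblock. Casting on assignment, `$this->_lastdisabled = (bool) $lastdisabled;`, pins the stored type to what the property's default `false` and the docblock promise. The setter is complete within the hunk.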
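Review bot: The substance of this SECURITY fix is not reviewable from this page: in the hunk at line 222 the removed and added ptln() lines both render as `ptln(" ");` and `ptln(" 1,`, and in the hunk at line 356 as `ptln(" ",$indent);`, because the HTML inside the string literals was stripped when the page was rendered, so whether the login is now escaped on every emission path has to be confirmed against the repository rather than here. What the surviving context does show is that the second changed line at 222 continues into a URL parameter array (`'do' => 'admin', 'page' => 'usermanager', 'sectok' => getSecurityToken()`), i.e. that line emits the login into a link rather than plain markup; if the fix there is an hsc() call on the login inside that array, it is worth checking that the URL builder does not also encode the already HTML-escaped value, since a login containing `&`, `"` or `'` would then arrive at the handler as a key that matches no user. The function enclosing both hunks starts and ends outside them.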
@@ -401,6 +401,7 @@ class admin_plugin_usermanager extends DokuWiki_Admin_Plugin {
 $fieldtype = 'text';
 $autocomp = '';
 }
+ $value = hsc($value);
 
 echo "";
 echo "";
-- cgit v1.2.3
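Review bot: `$value = hsc($value);` overwrites the variable instead of escaping at the output site, so every later use of $value in this function (its body continues past the hunk; only two echo lines of the new side are visible, and their markup was stripped in rendering) now sees the HTML-escaped string rather than the stored user property. Escaping inline where the value is interpolated into the attribute, e.g. `hsc($value)` inside the echo that renders the input, keeps the raw value available and ties the escaping visibly to the HTML context; if the rewrite is kept, a comment such as `// escaped for the HTML attribute below; do not reuse $value as data` would at least flag the changed meaning. The enclosing function starts outside the hunk.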