From c2a2396e45a7ec8a14d573c89719463e765b1074 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=C3=81lvaro=20Iradier?= Date: Fri, 13 Feb 2015 16:01:39 +0100 Subject: translation update --- lib/plugins/extension/lang/es/lang.php | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'lib/plugins') diff --git a/lib/plugins/extension/lang/es/lang.php b/lib/plugins/extension/lang/es/lang.php index 63742c3b3..a835cb630 100644 --- a/lib/plugins/extension/lang/es/lang.php +++ b/lib/plugins/extension/lang/es/lang.php @@ -6,6 +6,7 @@ * @author Antonio Bueno * @author Antonio Castilla * @author Jonathan Hernández + * @author Álvaro Iradier */ $lang['menu'] = 'Administrador de Extensiones '; $lang['tab_plugins'] = 'Plugins instalados'; @@ -64,6 +65,7 @@ $lang['status_bundled'] = 'agrupado'; $lang['msg_enabled'] = 'Plugin %s activado'; $lang['msg_disabled'] = 'Plugin %s desactivado'; $lang['msg_delete_success'] = 'Extensión desinstalada'; +$lang['msg_delete_failed'] = 'La desinstalación de la extensión %s ha fallado'; $lang['msg_template_install_success'] = 'Plantilla %s instalada con éxito'; $lang['msg_template_update_success'] = 'Plantilla %s actualizada con éxito'; $lang['msg_plugin_install_success'] = 'Plugin %s instalado con éxito'; @@ -78,6 +80,9 @@ $lang['url_change'] = 'URL actualizada: El Download $lang['error_badurl'] = 'URLs deberían empezar con http o https'; $lang['error_dircreate'] = 'No es posible de crear un directorio temporero para poder recibir el download'; $lang['error_download'] = 'No es posible descargar el documento: %s'; +$lang['error_decompress'] = 'No se pudo descomprimir el fichero descargado. Puede ser a causa de una descarga incorrecta, en cuyo caso puedes intentarlo de nuevo; o puede que el formato de compresión sea desconocido, en cuyo caso necesitarás descargar e instalar manualmente.'; +$lang['noperms'] = 'El directorio de extensiones no tiene permiso de escritura.'; +$lang['notplperms'] = 'El directorio de plantillas no tiene permiso de escritura.'; $lang['git'] = 'Esta extensión fue instalada a través de git, quizás usted no quiera actualizarla aquí mismo.'; $lang['install_url'] = 'Instalar desde URL:'; $lang['install_upload'] = 'Subir Extensión:'; -- cgit v1.2.3 From 9cbf80e627322dee19852b953ef242b4e0ad514a Mon Sep 17 00:00:00 2001 From: Andreas Gohr Date: Tue, 24 Feb 2015 19:45:03 +0100 Subject: check permissions in ACL plugin's RPC API component. #1056 Security Fix Severity: Medium Type: Remote Priviledge Escalation Remote: yes Vulnerability Details: This fixes a security hole in the ACL plugins remote API component. The plugin failed to check for superuser permissions before executing ACL addition or deletion. This means everybody with permissions to call the XMLRPC API also had permissions to set up their own ACL rules and thus circumventing any existing rules. Risk Assessment: The XMLRPC API in DokuWiki is marked experimental and off by default. It also implements an additional safeguard by giving access to a configured circle of users and groups only. So only a minor number of DokuWiki installations will be affected at all. For affected installations the risk is high if users with access to the API are not to be trusted. Thus the overall severity of medium. Resolution: Installations applying this commit are safe. A hotfix is about to be released. Meanwhile users are advised to disable the XMLRPC API in the config manager. --- lib/plugins/acl/remote.php | 10 ++++++++++ 1 file changed, 10 insertions(+) (limited to 'lib/plugins') diff --git a/lib/plugins/acl/remote.php b/lib/plugins/acl/remote.php index b10c544ee..42449428f 100644 --- a/lib/plugins/acl/remote.php +++ b/lib/plugins/acl/remote.php @@ -32,9 +32,14 @@ class remote_plugin_acl extends DokuWiki_Remote_Plugin { * @param string $scope * @param string $user * @param int $level see also inc/auth.php + * @throws RemoteAccessDeniedException * @return bool */ public function addAcl($scope, $user, $level){ + if(!auth_isadmin()) { + throw new RemoteAccessDeniedException('You are not allowed to access ACLs, superuser permission is required', 114); + } + /** @var admin_plugin_acl $apa */ $apa = plugin_load('admin', 'acl'); return $apa->_acl_add($scope, $user, $level); @@ -45,9 +50,14 @@ class remote_plugin_acl extends DokuWiki_Remote_Plugin { * * @param string $scope * @param string $user + * @throws RemoteAccessDeniedException * @return bool */ public function delAcl($scope, $user){ + if(!auth_isadmin()) { + throw new RemoteAccessDeniedException('You are not allowed to access ACLs, superuser permission is required', 114); + } + /** @var admin_plugin_acl $apa */ $apa = plugin_load('admin', 'acl'); return $apa->_acl_del($scope, $user); -- cgit v1.2.3 From 6401de3d8cba9f2c76724a2c2c68c7d3fc97d2e4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Schplurtz=20le=20D=C3=A9boulonn=C3=A9?= Date: Tue, 24 Feb 2015 22:16:02 +0100 Subject: translation update --- lib/plugins/authldap/lang/fr/settings.php | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'lib/plugins') diff --git a/lib/plugins/authldap/lang/fr/settings.php b/lib/plugins/authldap/lang/fr/settings.php index dc475071e..aa75105cf 100644 --- a/lib/plugins/authldap/lang/fr/settings.php +++ b/lib/plugins/authldap/lang/fr/settings.php @@ -5,6 +5,7 @@ * * @author Bruno Veilleux * @author schplurtz + * @author Schplurtz le Déboulonné */ $lang['server'] = 'Votre serveur LDAP. Soit le nom d\'hôte (localhost) ou l\'URL complète (ldap://serveur.dom:389)'; $lang['port'] = 'Port du serveur LDAP si l\'URL complète n\'a pas été indiquée ci-dessus'; @@ -26,3 +27,6 @@ $lang['deref_o_0'] = 'LDAP_DEREF_NEVER'; $lang['deref_o_1'] = 'LDAP_DEREF_SEARCHING'; $lang['deref_o_2'] = 'LDAP_DEREF_FINDING'; $lang['deref_o_3'] = 'LDAP_DEREF_ALWAYS'; +$lang['referrals_o_-1'] = 'comportement par défaut'; +$lang['referrals_o_0'] = 'ne pas suivre les références'; +$lang['referrals_o_1'] = 'suivre les références'; -- cgit v1.2.3 From 6619ddf4b04390e1d1273dd79bd16bfb9eb6cf89 Mon Sep 17 00:00:00 2001 From: Sascha Klopp Date: Tue, 3 Mar 2015 11:09:21 +0100 Subject: Two new authldap config options: 'userkey' denotes the LDAP attribute holding the username, 'modPass' allows to disable password changing by the user. --- lib/plugins/authldap/auth.php | 5 +++-- lib/plugins/authldap/conf/default.php | 4 +++- lib/plugins/authldap/conf/metadata.php | 4 +++- lib/plugins/authldap/lang/de/settings.php | 1 + 4 files changed, 10 insertions(+), 4 deletions(-) (limited to 'lib/plugins') diff --git a/lib/plugins/authldap/auth.php b/lib/plugins/authldap/auth.php index 50735882f..9d031c049 100644 --- a/lib/plugins/authldap/auth.php +++ b/lib/plugins/authldap/auth.php @@ -37,7 +37,7 @@ class auth_plugin_authldap extends DokuWiki_Auth_Plugin { } // Add the capabilities to change the password - $this->cando['modPass'] = true; + $this->cando['modPass'] = $this->getConf('modPass'); } /** @@ -360,8 +360,9 @@ class auth_plugin_authldap extends DokuWiki_Auth_Plugin { $sr = ldap_search($this->con, $this->getConf('usertree'), $all_filter); $entries = ldap_get_entries($this->con, $sr); $users_array = array(); + $userkey = $this->getConf('userkey'); for($i = 0; $i < $entries["count"]; $i++) { - array_push($users_array, $entries[$i]["uid"][0]); + array_push($users_array, $entries[$i][$userkey][0]); } asort($users_array); $result = $users_array; diff --git a/lib/plugins/authldap/conf/default.php b/lib/plugins/authldap/conf/default.php index c2e462c5c..116cb9d3f 100644 --- a/lib/plugins/authldap/conf/default.php +++ b/lib/plugins/authldap/conf/default.php @@ -16,5 +16,7 @@ $conf['bindpw'] = ''; //$conf['mapping']['grps'] unsupported in config manager $conf['userscope'] = 'sub'; $conf['groupscope'] = 'sub'; +$conf['userkey'] = 'uid'; $conf['groupkey'] = 'cn'; -$conf['debug'] = 0; \ No newline at end of file +$conf['debug'] = 0; +$conf['modPass'] = 1; diff --git a/lib/plugins/authldap/conf/metadata.php b/lib/plugins/authldap/conf/metadata.php index 4649ba5bf..a67b11ca6 100644 --- a/lib/plugins/authldap/conf/metadata.php +++ b/lib/plugins/authldap/conf/metadata.php @@ -15,5 +15,7 @@ $meta['bindpw'] = array('password','_caution' => 'danger'); //$meta['mapping']['grps'] unsupported in config manager $meta['userscope'] = array('multichoice','_choices' => array('sub','one','base'),'_caution' => 'danger'); $meta['groupscope'] = array('multichoice','_choices' => array('sub','one','base'),'_caution' => 'danger'); +$meta['userkey'] = array('string','_caution' => 'danger'); $meta['groupkey'] = array('string','_caution' => 'danger'); -$meta['debug'] = array('onoff','_caution' => 'security'); \ No newline at end of file +$meta['debug'] = array('onoff','_caution' => 'security'); +$meta['modPass'] = array('onoff'); diff --git a/lib/plugins/authldap/lang/de/settings.php b/lib/plugins/authldap/lang/de/settings.php index d788da876..ecb407820 100644 --- a/lib/plugins/authldap/lang/de/settings.php +++ b/lib/plugins/authldap/lang/de/settings.php @@ -20,6 +20,7 @@ $lang['binddn'] = 'DN eines optionalen Benutzers, wenn der anonym $lang['bindpw'] = 'Passwort des angegebenen Benutzers.'; $lang['userscope'] = 'Die Suchweite nach Benutzeraccounts.'; $lang['groupscope'] = 'Die Suchweite nach Benutzergruppen.'; +$lang['userkey'] = 'Attribut, das den Benutzernamen enthält; muss konsistent zum userfilter sein.'; $lang['groupkey'] = 'Gruppieren der Benutzeraccounts anhand eines beliebigen Benutzerattributes z. B. Telefonnummer oder Abteilung, anstelle der Standard-Gruppen).'; $lang['debug'] = 'Debug-Informationen beim Auftreten von Fehlern anzeigen?'; $lang['deref_o_0'] = 'LDAP_DEREF_NEVER'; -- cgit v1.2.3 From 25f80763dd71190679289de2b8d29f28021aedb1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Michael=20Gro=C3=9Fe?= Date: Wed, 11 Mar 2015 19:49:14 +0100 Subject: Get total number of users in ad, needed for paging --- lib/plugins/authad/auth.php | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) (limited to 'lib/plugins') diff --git a/lib/plugins/authad/auth.php b/lib/plugins/authad/auth.php index 88b56046c..a0a1143db 100644 --- a/lib/plugins/authad/auth.php +++ b/lib/plugins/authad/auth.php @@ -116,6 +116,7 @@ class auth_plugin_authad extends DokuWiki_Auth_Plugin { // other can do's are changed in $this->_loadServerConfig() base on domain setup $this->cando['modName'] = true; $this->cando['modMail'] = true; + $this->cando['getUserCount'] = true; } /** @@ -325,6 +326,26 @@ class auth_plugin_authad extends DokuWiki_Auth_Plugin { return false; } + /** + * @param array $filter + * @return int + */ + public function getUserCount($filter = array()) { + + $adldap = $this->_adldap(null); + if(!$adldap) { + dbglog("authad/auth.php: _adldap not set."); + return -1; + } + + $result = $adldap->user()->all(); + if (!$result) { + dbglog("authad/auth.php: getting all users failed."); + return -1; + } + return count($result); + } + /** * Bulk retrieval of user data * -- cgit v1.2.3 From 67a31a83dd6c8a3ff9e87da0c2070a2783aec44e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Michael=20Gro=C3=9Fe?= Date: Thu, 12 Mar 2015 13:09:08 +0100 Subject: Create and use ad search for user, name and email --- lib/plugins/authad/auth.php | 68 ++++++++++++++++++++++++++++++++------- lib/plugins/usermanager/admin.php | 14 ++++++++ 2 files changed, 71 insertions(+), 11 deletions(-) (limited to 'lib/plugins') diff --git a/lib/plugins/authad/auth.php b/lib/plugins/authad/auth.php index a0a1143db..f1f34245e 100644 --- a/lib/plugins/authad/auth.php +++ b/lib/plugins/authad/auth.php @@ -326,19 +326,63 @@ class auth_plugin_authad extends DokuWiki_Auth_Plugin { return false; } + protected function _constructSearchString($filter){ + if (!$filter){ + return '*'; + } + $result = '*'; + if (isset($filter['name'])) { + $result .= ')(displayname=*' . $filter['name'] . '*'; + unset($filter['name']); + } + if (isset($filter['user'])) { + $result .= ')(samAccountName=*' . $filter['user'] . '*'; + unset($filter['user']); + } + + if (isset($filter['mail'])) { + $result .= ')(mail=*' . $filter['mail'] . '*'; + unset($filter['mail']); + } + dbglog($result); + return $result; + } + /** * @param array $filter * @return int */ public function getUserCount($filter = array()) { + if ($filter == array()) { + $adldap = $this->_adldap(null); + if(!$adldap) { + dbglog("authad/auth.php getUserCount(): _adldap not set."); + return -1; + } + $result = $adldap->user()->all(); + $start = 0; + } else {/* + dbglog('_startcache: ' . $this->_startcache); + $usermanager = plugin_load("admin", "usermanager", false); + if ($this->_startcache < $usermanager->getStart()) { + $start = $usermanager->getStart(); + $this->_startcache = $start; + } else { + $start = $this->_startcache; + } + $pagesize = $usermanager->getPagesize(); + $result = $this->retrieveUsers($start, 3*$pagesize,$filter,false);*/ + $adldap = $this->_adldap(null); + if(!$adldap) { + dbglog("authad/auth.php getUserCount(): _adldap not set."); + return -1; + } + dbglog($filter); + $searchString = $this->_constructSearchString($filter); + $result = $adldap->user()->all(false, $searchString); - $adldap = $this->_adldap(null); - if(!$adldap) { - dbglog("authad/auth.php: _adldap not set."); - return -1; } - $result = $adldap->user()->all(); if (!$result) { dbglog("authad/auth.php: getting all users failed."); return -1; @@ -351,18 +395,20 @@ class auth_plugin_authad extends DokuWiki_Auth_Plugin { * * @author Dominik Eckelmann * - * @param int $start index of first user to be returned - * @param int $limit max number of users to be returned - * @param array $filter array of field/pattern pairs, null for no filter - * @return array userinfo (refer getUserData for internal userinfo details) + * @param int $start index of first user to be returned + * @param int $limit max number of users to be returned + * @param array $filter array of field/pattern pairs, null for no filter + * @param bool $setStart + * @return array userinfo (refer getUserData for internal userinfo details) */ - public function retrieveUsers($start = 0, $limit = 0, $filter = array()) { + public function retrieveUsers($start = 0, $limit = 0, $filter = array(), $setStart = true) { + dbglog("start: " . $start . "; limit: " . $limit); $adldap = $this->_adldap(null); if(!$adldap) return false; if(!$this->users) { //get info for given user - $result = $adldap->user()->all(); + $result = $adldap->user()->all(false, $this->_constructSearchString($filter)); if (!$result) return array(); $this->users = array_fill_keys($result, false); } diff --git a/lib/plugins/usermanager/admin.php b/lib/plugins/usermanager/admin.php index 86562f1dd..b1f5c4023 100644 --- a/lib/plugins/usermanager/admin.php +++ b/lib/plugins/usermanager/admin.php @@ -81,6 +81,20 @@ class admin_plugin_usermanager extends DokuWiki_Admin_Plugin { return 2; } + /** + * @return int current start value for pageination + */ + public function getStart() { + return $this->_start; + } + + /** + * @return int number of users per page + */ + public function getPagesize() { + return $this->_pagesize; + } + /** * Handle user request * -- cgit v1.2.3 From c52f6cd2bf68bccfbc665f376f68c93861a99837 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Michael=20Gro=C3=9Fe?= Date: Thu, 12 Mar 2015 14:50:23 +0100 Subject: When filtering for group implement prefetching --- lib/plugins/authad/auth.php | 82 ++++++++++++++++++++++++++++++++++++++++----- 1 file changed, 74 insertions(+), 8 deletions(-) (limited to 'lib/plugins') diff --git a/lib/plugins/authad/auth.php b/lib/plugins/authad/auth.php index f1f34245e..2710d6a17 100644 --- a/lib/plugins/authad/auth.php +++ b/lib/plugins/authad/auth.php @@ -67,6 +67,10 @@ class auth_plugin_authad extends DokuWiki_Auth_Plugin { */ protected $_pattern = array(); + protected $_actualstart = 0; + + protected $_grpsusers = array(); + /** * Constructor */ @@ -380,6 +384,16 @@ class auth_plugin_authad extends DokuWiki_Auth_Plugin { dbglog($filter); $searchString = $this->_constructSearchString($filter); $result = $adldap->user()->all(false, $searchString); + if (isset($filter['grps'])) { + $this->users = array_fill_keys($result, false); + $usermanager = plugin_load("admin", "usermanager", false); + if (!isset($this->_grpsusers[$this->_filterToString($filter)])){ + $this->_fillGroupUserArray($filter,$usermanager->getStart() + 3*$usermanager->getPagesize()); + } elseif (count($this->_grpsusers[$this->_filterToString($filter)]) < getStart() + 3*$usermanager->getPagesize()) { + $this->_fillGroupUserArray($filter,$usermanager->getStart() + 3*$usermanager->getPagesize() - count($this->_grpsusers[$this->_filterToString($filter)])); + } + $result = $this->_grpsusers[$this->_filterToString($filter)]; + } } @@ -390,6 +404,44 @@ class auth_plugin_authad extends DokuWiki_Auth_Plugin { return count($result); } + protected function _filterToString ($filter) { + $result = ''; + if (isset($filter['user'])) { + $result .= 'user-' . $filter['user']; + } + if (isset($filter['name'])) { + $result .= 'name-' . $filter['name']; + } + if (isset($filter['mail'])) { + $result .= 'mail-' . $filter['mail']; + } + if (isset($filter['grps'])) { + $result .= 'grps-' . $filter['grps']; + } + return $result; + } + + protected function _fillGroupUserArray($filter, $numberOfAdds){ + $this->_grpsusers[$this->_filterToString($filter)]; + $i = 0; + $count = 0; + $this->_constructPattern($filter); + foreach ($this->users as $user => &$info) { + if($i++ < $this->_actualstart) { + continue; + } + if($info === false) { + $info = $this->getUserData($user); + } + if($this->_filter($user, $info)) { + $this->_grpsusers[$this->_filterToString($filter)][$user] = $info; + if(($numberOfAdds > 0) && (++$count >= $numberOfAdds)) break; + } + } + $this->_actualstart = $i; + return $count; + } + /** * Bulk retrieval of user data * @@ -398,10 +450,9 @@ class auth_plugin_authad extends DokuWiki_Auth_Plugin { * @param int $start index of first user to be returned * @param int $limit max number of users to be returned * @param array $filter array of field/pattern pairs, null for no filter - * @param bool $setStart * @return array userinfo (refer getUserData for internal userinfo details) */ - public function retrieveUsers($start = 0, $limit = 0, $filter = array(), $setStart = true) { + public function retrieveUsers($start = 0, $limit = 0, $filter = array()) { dbglog("start: " . $start . "; limit: " . $limit); $adldap = $this->_adldap(null); if(!$adldap) return false; @@ -418,17 +469,32 @@ class auth_plugin_authad extends DokuWiki_Auth_Plugin { $this->_constructPattern($filter); $result = array(); - foreach($this->users as $user => &$info) { - if($i++ < $start) { - continue; + if (!isset($filter['grps'])) { + foreach($this->users as $user => &$info) { + if($i++ < $start) { + continue; + } + if($info === false) { + $info = $this->getUserData($user); + } + if($this->_filter($user, $info)) { + $result[$user] = $info; + if(($limit > 0) && (++$count >= $limit)) break; + } } - if($info === false) { - $info = $this->getUserData($user); + } else { + if (!isset($this->_grpsusers[$this->_filterToString($filter)]) || count($this->_grpsusers[$this->_filterToString($filter)]) < ($start+$limit)) { + $this->_fillGroupUserArray($filter,$start+$limit - count($this->_grpsusers[$this->_filterToString($filter)]) +1); } - if($this->_filter($user, $info)) { + foreach($this->_grpsusers[$this->_filterToString($filter)] as $user => &$info) { + dbglog($this->_grpsusers[$this->_filterToString($filter)]); + if($i++ < $start) { + continue; + } $result[$user] = $info; if(($limit > 0) && (++$count >= $limit)) break; } + } return $result; } -- cgit v1.2.3 From 462e9e37f38d6de9ec19ad1476b64bac3b851fc1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Michael=20Gro=C3=9Fe?= Date: Thu, 12 Mar 2015 15:06:26 +0100 Subject: Disable the ``last`` button when filtering groups Since we cannot effectively filter for groups and have to work with incremental prefetching, the ``last`` button is mostly broken/buggy. Hence it is disabled in this usecase. --- lib/plugins/authad/auth.php | 8 ++++++++ lib/plugins/usermanager/admin.php | 12 ++++++++++++ 2 files changed, 20 insertions(+) (limited to 'lib/plugins') diff --git a/lib/plugins/authad/auth.php b/lib/plugins/authad/auth.php index 2710d6a17..4022cd68f 100644 --- a/lib/plugins/authad/auth.php +++ b/lib/plugins/authad/auth.php @@ -387,12 +387,16 @@ class auth_plugin_authad extends DokuWiki_Auth_Plugin { if (isset($filter['grps'])) { $this->users = array_fill_keys($result, false); $usermanager = plugin_load("admin", "usermanager", false); + $usermanager->setLastdisabled(true); if (!isset($this->_grpsusers[$this->_filterToString($filter)])){ $this->_fillGroupUserArray($filter,$usermanager->getStart() + 3*$usermanager->getPagesize()); } elseif (count($this->_grpsusers[$this->_filterToString($filter)]) < getStart() + 3*$usermanager->getPagesize()) { $this->_fillGroupUserArray($filter,$usermanager->getStart() + 3*$usermanager->getPagesize() - count($this->_grpsusers[$this->_filterToString($filter)])); } $result = $this->_grpsusers[$this->_filterToString($filter)]; + } else { + $usermanager = plugin_load("admin", "usermanager", false); + $usermanager->setLastdisabled(false); } } @@ -470,6 +474,8 @@ class auth_plugin_authad extends DokuWiki_Auth_Plugin { $result = array(); if (!isset($filter['grps'])) { + $usermanager = plugin_load("admin", "usermanager", false); + $usermanager->setLastdisabled(false); foreach($this->users as $user => &$info) { if($i++ < $start) { continue; @@ -483,6 +489,8 @@ class auth_plugin_authad extends DokuWiki_Auth_Plugin { } } } else { + $usermanager = plugin_load("admin", "usermanager", false); + $usermanager->setLastdisabled(true); if (!isset($this->_grpsusers[$this->_filterToString($filter)]) || count($this->_grpsusers[$this->_filterToString($filter)]) < ($start+$limit)) { $this->_fillGroupUserArray($filter,$start+$limit - count($this->_grpsusers[$this->_filterToString($filter)]) +1); } diff --git a/lib/plugins/usermanager/admin.php b/lib/plugins/usermanager/admin.php index b1f5c4023..cc4c4ae47 100644 --- a/lib/plugins/usermanager/admin.php +++ b/lib/plugins/usermanager/admin.php @@ -31,6 +31,7 @@ class admin_plugin_usermanager extends DokuWiki_Admin_Plugin { protected $_edit_userdata = array(); protected $_disabled = ''; // if disabled set to explanatory string protected $_import_failures = array(); + protected $_lastdisabled = false; // set to true if last user is unknown and last button is hence buggy /** * Constructor @@ -95,6 +96,13 @@ class admin_plugin_usermanager extends DokuWiki_Admin_Plugin { return $this->_pagesize; } + /** + * @param boolean $lastdisabled + */ + public function setLastdisabled($lastdisabled) { + $this->_lastdisabled = $lastdisabled; + } + /** * Handle user request * @@ -850,6 +858,10 @@ class admin_plugin_usermanager extends DokuWiki_Admin_Plugin { $buttons['last'] = $buttons['next'] = (($this->_start + $this->_pagesize) >= $this->_user_total) ? $disabled : ''; } + if ($this->_lastdisabled) { + $buttons['last'] = $disabled; + } + return $buttons; } -- cgit v1.2.3 From 6fcf992c3420a8904add8169cfd672407a7c38d8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Michael=20Gro=C3=9Fe?= Date: Thu, 12 Mar 2015 16:00:26 +0100 Subject: Clean up code, add phpdoc comments, some refactoring, etc. --- lib/plugins/authad/auth.php | 62 ++++++++++++++++++++------------------------- 1 file changed, 28 insertions(+), 34 deletions(-) (limited to 'lib/plugins') diff --git a/lib/plugins/authad/auth.php b/lib/plugins/authad/auth.php index 4022cd68f..bcf01ff21 100644 --- a/lib/plugins/authad/auth.php +++ b/lib/plugins/authad/auth.php @@ -330,6 +330,10 @@ class auth_plugin_authad extends DokuWiki_Auth_Plugin { return false; } + /** + * @param array $filter + * @return string + */ protected function _constructSearchString($filter){ if (!$filter){ return '*'; @@ -348,7 +352,6 @@ class auth_plugin_authad extends DokuWiki_Auth_Plugin { $result .= ')(mail=*' . $filter['mail'] . '*'; unset($filter['mail']); } - dbglog($result); return $result; } @@ -357,31 +360,14 @@ class auth_plugin_authad extends DokuWiki_Auth_Plugin { * @return int */ public function getUserCount($filter = array()) { + $adldap = $this->_adldap(null); + if(!$adldap) { + dbglog("authad/auth.php getUserCount(): _adldap not set."); + return -1; + } if ($filter == array()) { - $adldap = $this->_adldap(null); - if(!$adldap) { - dbglog("authad/auth.php getUserCount(): _adldap not set."); - return -1; - } $result = $adldap->user()->all(); - $start = 0; - } else {/* - dbglog('_startcache: ' . $this->_startcache); - $usermanager = plugin_load("admin", "usermanager", false); - if ($this->_startcache < $usermanager->getStart()) { - $start = $usermanager->getStart(); - $this->_startcache = $start; - } else { - $start = $this->_startcache; - } - $pagesize = $usermanager->getPagesize(); - $result = $this->retrieveUsers($start, 3*$pagesize,$filter,false);*/ - $adldap = $this->_adldap(null); - if(!$adldap) { - dbglog("authad/auth.php getUserCount(): _adldap not set."); - return -1; - } - dbglog($filter); + } else { $searchString = $this->_constructSearchString($filter); $result = $adldap->user()->all(false, $searchString); if (isset($filter['grps'])) { @@ -390,7 +376,7 @@ class auth_plugin_authad extends DokuWiki_Auth_Plugin { $usermanager->setLastdisabled(true); if (!isset($this->_grpsusers[$this->_filterToString($filter)])){ $this->_fillGroupUserArray($filter,$usermanager->getStart() + 3*$usermanager->getPagesize()); - } elseif (count($this->_grpsusers[$this->_filterToString($filter)]) < getStart() + 3*$usermanager->getPagesize()) { + } elseif (count($this->_grpsusers[$this->_filterToString($filter)]) < $usermanager->getStart() + 3*$usermanager->getPagesize()) { $this->_fillGroupUserArray($filter,$usermanager->getStart() + 3*$usermanager->getPagesize() - count($this->_grpsusers[$this->_filterToString($filter)])); } $result = $this->_grpsusers[$this->_filterToString($filter)]; @@ -402,12 +388,18 @@ class auth_plugin_authad extends DokuWiki_Auth_Plugin { } if (!$result) { - dbglog("authad/auth.php: getting all users failed."); - return -1; + return 0; } return count($result); } + /** + * + * create a unique string for each filter used with a group + * + * @param array $filter + * @return string + */ protected function _filterToString ($filter) { $result = ''; if (isset($filter['user'])) { @@ -425,6 +417,11 @@ class auth_plugin_authad extends DokuWiki_Auth_Plugin { return $result; } + /** + * @param array $filter + * @param int $numberOfAdds additional number of users requested + * @return int number of Users actually add to Array + */ protected function _fillGroupUserArray($filter, $numberOfAdds){ $this->_grpsusers[$this->_filterToString($filter)]; $i = 0; @@ -457,7 +454,6 @@ class auth_plugin_authad extends DokuWiki_Auth_Plugin { * @return array userinfo (refer getUserData for internal userinfo details) */ public function retrieveUsers($start = 0, $limit = 0, $filter = array()) { - dbglog("start: " . $start . "; limit: " . $limit); $adldap = $this->_adldap(null); if(!$adldap) return false; @@ -470,12 +466,12 @@ class auth_plugin_authad extends DokuWiki_Auth_Plugin { $i = 0; $count = 0; - $this->_constructPattern($filter); $result = array(); if (!isset($filter['grps'])) { $usermanager = plugin_load("admin", "usermanager", false); $usermanager->setLastdisabled(false); + $this->_constructPattern($filter); foreach($this->users as $user => &$info) { if($i++ < $start) { continue; @@ -483,10 +479,8 @@ class auth_plugin_authad extends DokuWiki_Auth_Plugin { if($info === false) { $info = $this->getUserData($user); } - if($this->_filter($user, $info)) { - $result[$user] = $info; - if(($limit > 0) && (++$count >= $limit)) break; - } + $result[$user] = $info; + if(($limit > 0) && (++$count >= $limit)) break; } } else { $usermanager = plugin_load("admin", "usermanager", false); @@ -494,8 +488,8 @@ class auth_plugin_authad extends DokuWiki_Auth_Plugin { if (!isset($this->_grpsusers[$this->_filterToString($filter)]) || count($this->_grpsusers[$this->_filterToString($filter)]) < ($start+$limit)) { $this->_fillGroupUserArray($filter,$start+$limit - count($this->_grpsusers[$this->_filterToString($filter)]) +1); } + if (!$this->_grpsusers[$this->_filterToString($filter)]) return false; foreach($this->_grpsusers[$this->_filterToString($filter)] as $user => &$info) { - dbglog($this->_grpsusers[$this->_filterToString($filter)]); if($i++ < $start) { continue; } -- cgit v1.2.3 From 7910cbbbce7fd803f3ee4f458d5426eac51bfd89 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Michael=20Gro=C3=9Fe?= Date: Thu, 12 Mar 2015 16:34:45 +0100 Subject: Explain functions in docstrings --- lib/plugins/authad/auth.php | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) (limited to 'lib/plugins') diff --git a/lib/plugins/authad/auth.php b/lib/plugins/authad/auth.php index bcf01ff21..321a60f24 100644 --- a/lib/plugins/authad/auth.php +++ b/lib/plugins/authad/auth.php @@ -331,6 +331,8 @@ class auth_plugin_authad extends DokuWiki_Auth_Plugin { } /** + * Create a Search-String useable by adLDAPUsers::all($includeDescription = false, $search = "*", $sorted = true) + * * @param array $filter * @return string */ @@ -343,6 +345,7 @@ class auth_plugin_authad extends DokuWiki_Auth_Plugin { $result .= ')(displayname=*' . $filter['name'] . '*'; unset($filter['name']); } + if (isset($filter['user'])) { $result .= ')(samAccountName=*' . $filter['user'] . '*'; unset($filter['user']); @@ -356,8 +359,10 @@ class auth_plugin_authad extends DokuWiki_Auth_Plugin { } /** - * @param array $filter - * @return int + * Return a count of the number of user which meet $filter criteria + * + * @param array $filter $filter array of field/pattern pairs, empty array for no filter + * @return int number of users */ public function getUserCount($filter = array()) { $adldap = $this->_adldap(null); @@ -418,6 +423,10 @@ class auth_plugin_authad extends DokuWiki_Auth_Plugin { } /** + * Create an array of $numberOfAdds users passing a certain $filter, including belonging + * to a certain group and save them to a object-wide array. If the array + * already exists try to add $numberOfAdds further users to it. + * * @param array $filter * @param int $numberOfAdds additional number of users requested * @return int number of Users actually add to Array -- cgit v1.2.3 From 07aec0297354ce1a2bb273def8173ff0a524f852 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Michael=20Gro=C3=9Fe?= Date: Thu, 12 Mar 2015 16:57:13 +0100 Subject: Escape user strings given to adLDAP --- lib/plugins/authad/auth.php | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) (limited to 'lib/plugins') diff --git a/lib/plugins/authad/auth.php b/lib/plugins/authad/auth.php index 321a60f24..400a5efee 100644 --- a/lib/plugins/authad/auth.php +++ b/lib/plugins/authad/auth.php @@ -3,6 +3,7 @@ if(!defined('DOKU_INC')) die(); require_once(DOKU_PLUGIN.'authad/adLDAP/adLDAP.php'); +require_once(DOKU_PLUGIN.'authad/adLDAP/classes/adLDAPUtils.php'); /** * Active Directory authentication backend for DokuWiki @@ -340,19 +341,20 @@ class auth_plugin_authad extends DokuWiki_Auth_Plugin { if (!$filter){ return '*'; } + $adldapUtils = new adLDAPUtils($this->_adldap(null)); $result = '*'; if (isset($filter['name'])) { - $result .= ')(displayname=*' . $filter['name'] . '*'; + $result .= ')(displayname=*' . $adldapUtils->ldapSlashes($filter['name']) . '*'; unset($filter['name']); } if (isset($filter['user'])) { - $result .= ')(samAccountName=*' . $filter['user'] . '*'; + $result .= ')(samAccountName=*' . $adldapUtils->ldapSlashes($filter['user']) . '*'; unset($filter['user']); } if (isset($filter['mail'])) { - $result .= ')(mail=*' . $filter['mail'] . '*'; + $result .= ')(mail=*' . $adldapUtils->ldapSlashes($filter['mail']) . '*'; unset($filter['mail']); } return $result; -- cgit v1.2.3 From 1014a348a1826737c9df8a9edaed3f756d0058f2 Mon Sep 17 00:00:00 2001 From: Sascha Klopp Date: Fri, 13 Mar 2015 12:01:51 +0100 Subject: Add description for modPass-Option --- lib/plugins/authldap/lang/de/settings.php | 1 + 1 file changed, 1 insertion(+) (limited to 'lib/plugins') diff --git a/lib/plugins/authldap/lang/de/settings.php b/lib/plugins/authldap/lang/de/settings.php index ecb407820..933189c40 100644 --- a/lib/plugins/authldap/lang/de/settings.php +++ b/lib/plugins/authldap/lang/de/settings.php @@ -22,6 +22,7 @@ $lang['userscope'] = 'Die Suchweite nach Benutzeraccounts.'; $lang['groupscope'] = 'Die Suchweite nach Benutzergruppen.'; $lang['userkey'] = 'Attribut, das den Benutzernamen enthält; muss konsistent zum userfilter sein.'; $lang['groupkey'] = 'Gruppieren der Benutzeraccounts anhand eines beliebigen Benutzerattributes z. B. Telefonnummer oder Abteilung, anstelle der Standard-Gruppen).'; +$lang['modPass'] = 'Darf über Dokuwiki das LDAP-Passwort geändert werden?'; $lang['debug'] = 'Debug-Informationen beim Auftreten von Fehlern anzeigen?'; $lang['deref_o_0'] = 'LDAP_DEREF_NEVER'; $lang['deref_o_1'] = 'LDAP_DEREF_SEARCHING'; -- cgit v1.2.3 From 84f66e9f97ebf4d78ffaaad7a0b44f5c0180bfc9 Mon Sep 17 00:00:00 2001 From: Sascha Klopp Date: Mon, 16 Mar 2015 16:50:38 +0100 Subject: Add english description for new authldap options --- lib/plugins/authldap/lang/en/settings.php | 2 ++ 1 file changed, 2 insertions(+) (limited to 'lib/plugins') diff --git a/lib/plugins/authldap/lang/en/settings.php b/lib/plugins/authldap/lang/en/settings.php index 951901ccc..a4194b00a 100644 --- a/lib/plugins/authldap/lang/en/settings.php +++ b/lib/plugins/authldap/lang/en/settings.php @@ -13,7 +13,9 @@ $lang['binddn'] = 'DN of an optional bind user if anonymous bind is not suf $lang['bindpw'] = 'Password of above user'; $lang['userscope'] = 'Limit search scope for user search'; $lang['groupscope'] = 'Limit search scope for group search'; +$lang['userkey'] = 'Attribute denoting the username; must be consistent to userfilter.'; $lang['groupkey'] = 'Group membership from any user attribute (instead of standard AD groups) e.g. group from department or telephone number'; +$lang['modPass'] = 'Can the LDAP password be changed via dokuwiki?'; $lang['debug'] = 'Display additional debug information on errors'; -- cgit v1.2.3 From abb2621b95a47515d8223fcc52b5d62ca61b3e07 Mon Sep 17 00:00:00 2001 From: Jacob Palm Date: Tue, 17 Mar 2015 15:01:44 +0100 Subject: translation update --- lib/plugins/authad/lang/da/lang.php | 8 ++++ lib/plugins/authldap/lang/da/settings.php | 5 ++ lib/plugins/authmysql/lang/da/settings.php | 4 ++ lib/plugins/extension/lang/da/intro_install.txt | 1 + lib/plugins/extension/lang/da/intro_plugins.txt | 1 + lib/plugins/extension/lang/da/intro_templates.txt | 1 + lib/plugins/extension/lang/da/lang.php | 56 +++++++++++++++++++++++ 7 files changed, 76 insertions(+) create mode 100644 lib/plugins/authad/lang/da/lang.php create mode 100644 lib/plugins/extension/lang/da/intro_install.txt create mode 100644 lib/plugins/extension/lang/da/intro_plugins.txt create mode 100644 lib/plugins/extension/lang/da/intro_templates.txt (limited to 'lib/plugins') diff --git a/lib/plugins/authad/lang/da/lang.php b/lib/plugins/authad/lang/da/lang.php new file mode 100644 index 000000000..8fc7db775 --- /dev/null +++ b/lib/plugins/authad/lang/da/lang.php @@ -0,0 +1,8 @@ + + */ +$lang['domain'] = 'Logondomæne'; diff --git a/lib/plugins/authldap/lang/da/settings.php b/lib/plugins/authldap/lang/da/settings.php index b736504a5..a9fce3a8c 100644 --- a/lib/plugins/authldap/lang/da/settings.php +++ b/lib/plugins/authldap/lang/da/settings.php @@ -5,11 +5,16 @@ * * @author Jens Hyllegaard * @author soer9648 + * @author Jacob Palm */ $lang['server'] = 'Din LDAP server. Enten værtsnavn (localhost) eller fuld kvalificeret URL (ldap://server.tld:389)'; $lang['port'] = 'LDAP server port, hvis der ikke er angivet en komplet URL ovenfor.'; $lang['usertree'] = 'Hvor findes brugerkonti. F.eks. ou=Personer, dc=server, dc=tld'; $lang['grouptree'] = 'Hvor findes brugergrupper. F.eks. ou=Grupper, dc=server, dc=tld'; +$lang['userfilter'] = 'LDAP filter der benyttes til at søge efter brugerkonti. F.eks. (&(uid=%{user})(objectClass=posixAccount))'; +$lang['groupfilter'] = 'LDAP filter tder benyttes til at søge efter grupper. F.eks. (&(objectClass=posixGroup)(|(gidNumber=%{gid})(memberUID=%{user})))'; +$lang['version'] = 'Protokol version der skal benyttes. Det er muligvis nødvendigt at sætte denne til 3'; $lang['starttls'] = 'Benyt TLS forbindelser?'; $lang['bindpw'] = 'Kodeord til ovenstående bruger'; +$lang['modPass'] = 'Kan LDAP adgangskoden skiftes via DokuWiki?'; $lang['debug'] = 'Vis yderligere debug output ved fejl'; diff --git a/lib/plugins/authmysql/lang/da/settings.php b/lib/plugins/authmysql/lang/da/settings.php index ed21201fb..5fd66dbad 100644 --- a/lib/plugins/authmysql/lang/da/settings.php +++ b/lib/plugins/authmysql/lang/da/settings.php @@ -5,6 +5,7 @@ * * @author Jens Hyllegaard * @author soer9648 + * @author Jacob Palm */ $lang['server'] = 'Din MySQL server'; $lang['user'] = 'MySQL brugernavn'; @@ -12,8 +13,11 @@ $lang['password'] = 'Kodeord til ovenstående bruger'; $lang['database'] = 'Database der skal benyttes'; $lang['charset'] = 'Tegnsæt benyttet i database'; $lang['debug'] = 'Vis yderligere debug output'; +$lang['forwardClearPass'] = 'Videregiv bruger adgangskoder i klar tekst til nedenstående SQL statement, i stedet for at benytte passcrypt'; +$lang['TablesToLock'] = 'Kommasepareret liste over tabeller der skal låses under skrivning'; $lang['checkPass'] = 'SQL-sætning til at kontrollere kodeord'; $lang['getUserInfo'] = 'SQL-sætning til at hente brugerinformation'; +$lang['getGroups'] = 'SQL statement til at bestemme en brugers medlemskab af grupper'; $lang['getUsers'] = 'SQL-sætning til at liste alle brugere'; $lang['addUser'] = 'SQL-sætning til at tilføje en ny bruger'; $lang['addGroup'] = 'SQL-sætning til at tilføje en ny gruppe'; diff --git a/lib/plugins/extension/lang/da/intro_install.txt b/lib/plugins/extension/lang/da/intro_install.txt new file mode 100644 index 000000000..e5657f218 --- /dev/null +++ b/lib/plugins/extension/lang/da/intro_install.txt @@ -0,0 +1 @@ +Her kan du installerer plugins eller templates manuelt, ved enten at uploade dem eller angive en direkte URL til download. \ No newline at end of file diff --git a/lib/plugins/extension/lang/da/intro_plugins.txt b/lib/plugins/extension/lang/da/intro_plugins.txt new file mode 100644 index 000000000..5d9deaf1e --- /dev/null +++ b/lib/plugins/extension/lang/da/intro_plugins.txt @@ -0,0 +1 @@ +Dette er de plugins du aktuelt har installeret i din DokuWiki. Du kan aktivere, deaktiver eller fjerne plugins fra denne side. Opdateringer til plugins vises også her - husk at læse dokumentationen til et plugin inden du opdaterer det. \ No newline at end of file diff --git a/lib/plugins/extension/lang/da/intro_templates.txt b/lib/plugins/extension/lang/da/intro_templates.txt new file mode 100644 index 000000000..1914500b1 --- /dev/null +++ b/lib/plugins/extension/lang/da/intro_templates.txt @@ -0,0 +1 @@ +Dette er de templates du aktuelt har installeret i din DokuWiki. Du kan vælge det template du vil benytte under [[?do=admin&page=config|Opsætningsstyring]]. \ No newline at end of file diff --git a/lib/plugins/extension/lang/da/lang.php b/lib/plugins/extension/lang/da/lang.php index c341bc5f9..17cb3b57c 100644 --- a/lib/plugins/extension/lang/da/lang.php +++ b/lib/plugins/extension/lang/da/lang.php @@ -4,7 +4,62 @@ * @license GPL 2 (http://www.gnu.org/licenses/gpl.html) * * @author Søren Birk + * @author Jacob Palm */ +$lang['tab_plugins'] = 'Installerede plugins'; +$lang['tab_templates'] = 'Installerede templates'; +$lang['tab_search'] = 'Søg og installer'; +$lang['tab_install'] = 'Manuel installation'; +$lang['notimplemented'] = 'Denne funktion er ikke implementeret endnu'; +$lang['unknownauthor'] = 'Ukendt udgiver'; +$lang['unknownversion'] = 'Ukendt version'; +$lang['btn_info'] = 'Vis mere information'; +$lang['btn_update'] = 'Opdater'; +$lang['btn_uninstall'] = 'Afinstaller'; +$lang['btn_enable'] = 'Aktiver'; +$lang['btn_disable'] = 'Deaktiver'; +$lang['btn_install'] = 'Installer'; +$lang['btn_reinstall'] = 'Geninstaller'; +$lang['js']['reallydel'] = 'Er du sikker på at du vil afinstallere denne udvidelse?'; +$lang['search_for'] = 'Søg efter udvidelse:'; +$lang['search'] = 'Søg'; +$lang['extensionby'] = '%s af %s'; +$lang['screenshot'] = 'Skærmbillede af %s'; +$lang['popularity'] = 'Popularitet: %s%%'; +$lang['homepage_link'] = 'Dokumenter'; +$lang['bugs_features'] = 'Fejl'; +$lang['tags'] = 'Tags:'; +$lang['author_hint'] = 'Søg efter udvidelse af denne udgiver'; +$lang['installed'] = 'Installeret:'; +$lang['downloadurl'] = 'Download URL:'; +$lang['unknown'] = 'ukendt'; +$lang['installed_version'] = 'Installeret version:'; +$lang['install_date'] = 'Din sidste opdatering:'; +$lang['available_version'] = 'Tilgængelig version:'; +$lang['compatible'] = 'Kompatibel med:'; +$lang['depends'] = 'Afhængig af:'; +$lang['similar'] = 'Ligner:'; +$lang['donate'] = 'Synes du om denne?'; +$lang['donate_action'] = 'Køb en kop kaffe til udvikleren!'; +$lang['repo_retry'] = 'Førsøg igen'; +$lang['status'] = 'Status:'; +$lang['status_installed'] = 'installeret'; +$lang['status_not_installed'] = 'ikke installeret'; +$lang['status_protected'] = 'beskyttet'; +$lang['status_enabled'] = 'aktiveret'; +$lang['status_disabled'] = 'deaktiveret'; +$lang['status_unmodifiable'] = 'låst for ændringer'; +$lang['status_plugin'] = 'plugin'; +$lang['status_template'] = 'template'; +$lang['msg_enabled'] = 'Plugin %s aktiveret'; +$lang['msg_disabled'] = 'Plugin %s deaktiveret'; +$lang['msg_delete_success'] = 'Udvidelse %s afinstalleret'; +$lang['msg_delete_failed'] = 'Kunne ikke afinstallere udvidelsen %s'; +$lang['msg_template_install_success'] = 'Template %s blev installeret'; +$lang['msg_template_update_success'] = 'Template %s blev opdateret'; +$lang['msg_plugin_install_success'] = 'Plugin %s blev installeret'; +$lang['msg_plugin_update_success'] = 'Plugin %s blev opdateret'; +$lang['msg_upload_failed'] = 'Kunne ikke uploade filen'; $lang['update_available'] = 'Opdatering: Ny version %s er tilgængelig.'; $lang['wrong_folder'] = 'Plugin ikke installeret korrekt: Omdøb plugin-mappe "%s" til "%s".'; $lang['url_change'] = 'URL ændret: Download-URL er blevet ændret siden sidste download. Kontrollér om den nye URL er valid, inden udvidelsen opdateres.
Ny: %s
Gammel: %s'; @@ -22,3 +77,4 @@ $lang['auth'] = 'Auth-plugin er ikke aktiveret i konfiguratione $lang['install_url'] = 'Installér fra URL:'; $lang['install_upload'] = 'Upload Udvidelse:'; $lang['repo_error'] = 'Plugin-arkivet kunne ikke kontaktes. Kontrollér at din server kan kontakte www.dokuwiki.org kontrollér dine proxy-indstillinger.'; +$lang['nossl'] = 'Din PHP lader til at mangle understøttelse for SSL. Mange DokuWiki udvidelser vil ikke kunne downloades.'; -- cgit v1.2.3 From f23f95941a400702f525923973f3612df6da82cb Mon Sep 17 00:00:00 2001 From: Andreas Gohr Date: Wed, 18 Mar 2015 22:16:34 +0100 Subject: SECURITY escape user properties in user manager #1081 The user properties (login, real name, etc) where not properly escaped in the user manager's edit form. This allowed a XSS attack on the superuser by registered users. Thanks to Filippo Cavallarin from www.segment.technology for discovering this bug. --- lib/plugins/usermanager/admin.php | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) (limited to 'lib/plugins') diff --git a/lib/plugins/usermanager/admin.php b/lib/plugins/usermanager/admin.php index cc4c4ae47..9cb9b0c40 100644 --- a/lib/plugins/usermanager/admin.php +++ b/lib/plugins/usermanager/admin.php @@ -222,9 +222,9 @@ class admin_plugin_usermanager extends DokuWiki_Admin_Plugin { */ $groups = join(', ',$grps); ptln(" "); - ptln(" "); + ptln(" "); if ($editable) { - ptln(" 1, + ptln(" 1, 'do' => 'admin', 'page' => 'usermanager', 'sectok' => getSecurityToken())). @@ -356,7 +356,7 @@ class admin_plugin_usermanager extends DokuWiki_Admin_Plugin { // save current $user, we need this to access details if the name is changed if ($user) - ptln(" ",$indent); + ptln(" ",$indent); $this->_htmlFilterSettings($indent+10); @@ -401,6 +401,7 @@ class admin_plugin_usermanager extends DokuWiki_Admin_Plugin { $fieldtype = 'text'; $autocomp = ''; } + $value = hsc($value); echo ""; echo ""; -- cgit v1.2.3