This is a static dump of issues in the old "Flyspray" bugtracker for DokuWiki. Bugs and feature requests
are now tracked at the issue tracker at GitHub.
Closed
Fixed
FS#1415 The ACL plugin doesn't report correct rights for groups, it defaults to @ALL.
ACL & Authentication
2008-05-26 grin
The ACL plugin doesn't report correct rights for groups, it defaults to @ALL because:
The function _html_explain in lib/plugins/acl/admin.php contains the following code:
    // prepare who to check
    if($who{0} == '@'){
        $user = '';
        $groups = array(ltrim($who,'@'));
    }else{
        $user = auth_nameencode($who);
        $info = $auth->getUserData($user);
        if($info === false){
            $groups = array();
        }else{
            $groups = $info['groups'];
        }
    }
    // check the permissions
    $perm = auth_aclcheck($check,$user,$groups);
This results in an empty $user variable when for example checking for permissions for the group @ICT.
Then in auth_aclcheck in inc/auth.php:
    if($user){
        //add ALL group
        $groups[] = '@ALL';
        //add User
        $groups[] = $user;
        //build regexp
        $regexp = join('|',$groups);
    }else{
        $regexp = '@ALL';
    }
Because $user is empty this defaults to @ALL and the function ends up returning the rights for the @ALL group in the given $ID.
I don't have a suggestion for fixing this with respect to other uses of these functions and other DokuWiki internals.
Thanks in advance for a solution.
(I set severity to medium since this could probably result in wrong permissions on pages/namespaces although I think those would always be less than intended.)
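
The behaviour described in this report, reduced to a stand-alone PHP model (an added example, not DokuWiki's code and not the fix that was applied). The ACL rows, the scope name and all function names are constructed for illustration, group names are assumed to arrive already prefixed with '@', and subjects_with_groups() is one hypothetical way to keep the supplied groups when $user is empty.

```php
<?php
// Constructed sample ACL rows: [scope, subject, permission level].
const ACL = [
    ['secret:*', '@ALL', 0],
    ['secret:*', '@ICT', 8],
];

// Mirrors the branch quoted from auth_aclcheck: the supplied groups are
// only used when $user is non-empty, otherwise only @ALL is matched.
function subjects_as_reported(string $user, array $groups): array {
    if ($user) {
        $groups[] = '@ALL';
        $groups[] = $user;
        return $groups;
    }
    return ['@ALL'];
}

// Hypothetical alternative: always keep the supplied groups and @ALL,
// and add the user name only when there is one.
function subjects_with_groups(string $user, array $groups): array {
    $groups[] = '@ALL';
    if ($user !== '') {
        $groups[] = $user;
    }
    return $groups;
}

// Simplified lookup: highest level among rows whose scope and subject match.
function check(string $scope, array $subjects): int {
    $perm = 0; // assumption of this model: no matching row means no access
    foreach (ACL as [$rowScope, $subject, $level]) {
        if ($rowScope === $scope && in_array($subject, $subjects, true)) {
            $perm = max($perm, $level);
        }
    }
    return $perm;
}

// Explaining rights for the group @ICT: $user is empty, as in _html_explain.
// With the reported logic the @ICT row is never consulted.
$who = ['@ICT'];
printf("as reported:  %d\n", check('secret:*', subjects_as_reported('', $who)));
printf("groups kept:  %d\n", check('secret:*', subjects_with_groups('', $who)));
```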