-
2009-09-06
Naitsabes
Assume a user U which is in two groups A and B.
Further assume there is a namespace N.
The permissions for the namespace N regarding the groups A and B are the following:
group A has r access only
group B has r+w access
As user U is in both groups, permissions conflict.
Within the reported version, the user gets read access only to the namespace,
which is counterintuitive.
Regards,
Sebastian
-
2009-11-18
jerry
Your problem seems to be the same as mine. If you have a look at the function auth_aclcheck in inc/auth.php you will see that the comment to this function
"Returns the maximum rights a user has for the given ID or its namespace" is definitely not right.
It returns the maximum rights of the first match found and skips any inherited higher rights from upper namespaces. The access-control page (admin) makes the check the other way round (when checking for each group), so you may end up in this situation.
I'm currently testing a modified auth_aclcheck function not returning any value until it is checking root namespace. Maybe that's faster and easier to maintain than a huge $AUTH_ACL list where you need practically a decl for each group and namespace and one for each page with special conditions.
-jerry
-
2009-11-19
jerry
Now I found the bug? feature? in inc/auth.php:
the first match of group/user and namespace is returned in function auth_aclcheck
dokuwiki-latest inc/auth.php, line 526.
patch:
comment out line 526 and add some lines:
*** 523,531 ****
}
}
//we had a match - return it
return $perm;
}
-
//get next higher namespace
$ns = getNS($ns);
--- 523,534 ----
}
}
//we had a match - return it
+ //return $perm;
+ }
+ if($perm > -1){
+ //we had a match - return it
return $perm;
}
//get next higher namespace
$ns = getNS($ns);
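Review bot: the new `if($perm > -1)` block still returns before `$ns = getNS($ns)` is reached, so from these lines alone the walk stops at the first namespace level where `$perm` was set, much as the old `return $perm;` did; whether behaviour changes depends on where `$perm` is initialised, which is outside this hunk and should be spelled out in the patch description. Delete the old return rather than leaving `//return $perm;`, because the "we had a match - return it" comment now appears twice and the first copy sits above dead code. Since the change is meant to alter which ACL level wins, it also needs a test showing that a restrictive entry on a sub-namespace is not widened by a broader entry higher up.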
-
2009-11-28
andi
I can't reproduce the initial bug report
test:* @groupa 1
test:* @groupb 2
will return edit permissions (2), for a user who is in both groups.
Jerry, what you seem to tackle is not a bug, but a misunderstanding in how ACLs are designed in DokuWiki. Permissions are only inherited when no explicit settings are found for the current user/group in the tested page/namespace. The ACL manager does reflect that correctly. E.g. for the above ACL setup it will correctly report (group-inherited) Edit permissions for a user in both groups.
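The resolution rule discussed in this thread, as an added example that is not part of the thread and is not DokuWiki's own auth_aclcheck: a simplified Python model in which the most specific level with an explicit entry wins and the highest permission among the user's matching entries at that level is returned. The sample ACL, the `docs` namespace, the user name and the function names are constructed for illustration, and treating "current user/group" as any of the user's groups is an assumption of the model.

```python
# Simplified model of the rule described in the thread (constructed example,
# not DokuWiki code). Permission values follow the thread: 1 = read, 2 = edit.
SAMPLE_ACL = """
*        @groupb 2    # root: groupb may edit everywhere
test:*   @groupa 1
test:*   @groupb 2
docs:*   @groupa 1    # only groupa has an explicit entry here
"""

def parse_acl(text):
    """Parse 'scope subject perm' lines into (scope, subject, perm) tuples."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        scope, subject, perm = line.split()
        rules.append((scope, subject, int(perm)))
    return rules

def scopes_for(page_id):
    """Yield scopes from most to least specific: page, ns:*, parent:*, ..., *"""
    yield page_id
    parts = page_id.split(":")[:-1]
    while parts:
        yield ":".join(parts) + ":*"
        parts.pop()
    yield "*"

def acl_check(rules, page_id, user, groups):
    """Return the permission for user on page_id under the modelled rule."""
    subjects = {user} | {"@" + g for g in groups}
    for scope in scopes_for(page_id):
        perms = [p for s, subj, p in rules if s == scope and subj in subjects]
        if perms:
            # Explicit entry at this level: take the highest one and stop.
            # Nothing from higher namespaces is inherited past this point.
            return max(perms)
    return 0  # no entry anywhere: no access

RULES = parse_acl(SAMPLE_ACL)

if __name__ == "__main__":
    for page, groups in [("test:start", ["groupa", "groupb"]),
                         ("docs:start", ["groupa", "groupb"]),
                         ("docs:start", ["groupb"])]:
        print(page, groups, "->", acl_check(RULES, page, "u", groups))
```

In this model a user in both groups gets edit (2) under `test:*`, but only read (1) under `docs:*`, because the explicit groupa entry there stops the walk before the root entry for groupb is considered.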