FS#1859 Problems with name sanitation in auth (uppercase groups/users in ACLs)

ACL & Authentication

• 

  2010-01-19 einhirn

  Since "lemming" auth_acl_check() sanitizes user/group names prior to checking the Access level in the ACL file.
  
  This leads to problems because the existing entries in the ACL file might be unsanitized, thus not matching. The user has a hard time finding this problem, because the "plain" auth class saves and displays user and group names unsanitized - it looks like the ACL rule should match, since the right value is displayed...
  
  I have a patch to the ACL editor so it at least rewrites the rules sanitized when the "update" button is pressed:
  
  --- dokuwiki/lib/plugins/acl/admin.php.orig     2010-01-19 16:38:28.000000000 +0100
  +++ dokuwiki/lib/plugins/acl/admin.php  2010-01-19 18:19:17.000000000 +0100
  @@ -130,6 +130,11 @@
                  // re-add all rules
                  foreach((array) $_REQUEST['acl'] as $where => $opt){
                      foreach($opt as $who => $perm){
  +                       if ($who[0]=='@') {
  +                               $who = '@'.ltrim($auth->cleanGroup($who),'@');
  +                       } else {
  +                               $who = $auth->cleanUser($who);
  +                       }
                          $who = auth_nameencode($who,true);
                          $lines[] = "$where\t$who\t$perm\n";
                      }
  
  I will add a patch that applies user/group name sanitation to the user manager plugin.
• 

  2010-01-19 einhirn

  Patch incorrect - sanitizes "@ALL", not good. Here is corrected:
  --- dokuwiki/lib/plugins/acl/admin.php.orig     2010-01-19 16:38:28.000000000 +0100
  +++ dokuwiki/lib/plugins/acl/admin.php  2010-01-19 18:49:52.000000000 +0100
  @@ -130,6 +130,13 @@
                  // re-add all rules
                  foreach((array) $_REQUEST['acl'] as $where => $opt){
                      foreach($opt as $who => $perm){
  +                       if ($who[0]=='@') {
  +                               if ($who!='@ALL') {
  +                                       $who = '@'.ltrim($auth->cleanGroup($who),'@');
  +                               }
  +                       } else {
  +                               $who = $auth->cleanUser($who);
  +                       }
                          $who = auth_nameencode($who,true);
                          $lines[] = "$where\t$who\t$perm\n";
                      }
  
• 

  2010-01-21 andi

  Patch applied, looking forward to the second patch for the user manager.
• 

  2010-10-02 andi

  Hey Christian, did you ever come around to write that second patch?
• 

  2011-02-06 andi

  missing cleaning was added in 7441e340