2005-01-23
Hi,
Due to the code in getNS() (which gives back the UPPER namespace, e.g. for members:bobpage it gives back members), ACL cannot work right on multi-level namespaces. Example:
we have user bob with upload rights to his page, which is members:bobpage
user bob, however, has no rights on the namespace members
- user bob logs in and edits his page (members:bobpage)
- user bob now feels like uploading; he clicks the add image/file button, which checks ACL on namespace "members" instead of "members:bobpage", because of the bug I spoke of above.
- user bob will not be granted upload rights, because he has no rights on the namespace members
Quick fix, tested it, works-for-me:
Change the getNS() function in inc/common.php to return the full namespace:

    function getNS($id){
      //kang: return the full id (including the page part) once it contains a namespace separator
      if(strpos($id,':')!==false){
        return $id;
      }
      return false;
    }
Change the pageinfo() function in inc/auth.php:

    //get next higher namespace
    // kang $ns = getNS($ns);
    $ns = substr($ns,0,strrpos($ns,':'));

(it actually does what getNS did previously, that is, taking the upper namespace)
Obviously this changes the whole logic of getNS, but I found nowhere where my new code actually bugs. To have flexible ACLs, one *needs* to know the full namespace where code is being executed. I think my solution is then just a quick fix, but I don't know the whole doku code, I just flew over it to find where the flaw was.
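To make the resolution order concrete, here is a small Python model of the namespace walk the report describes (exact page entry first, then the nearest enclosing "ns:*" entry, up to the root "*"), with the original getNS() beside the proposed one. This is an added illustration, not DokuWiki's code; the ACL table, the user and the media-manager decision in may_upload() are constructed assumptions.

```python
# Simplified model of DokuWiki-style ACL resolution (not DokuWiki's own code).
# Permission levels as DokuWiki numbers them: 0 none, 1 read, 2 edit, 4 create, 8 upload.
AUTH_NONE, AUTH_READ, AUTH_EDIT, AUTH_CREATE, AUTH_UPLOAD = 0, 1, 2, 4, 8

# Constructed ACL table in the shape of acl.auth.php lines: (scope, subject, permission).
# A scope ending in ':*' (or the bare '*') covers a namespace; any other scope is one page id.
ACL = [
    ("*",               "@ALL", AUTH_READ),    # everyone may read everything ...
    ("members:*",       "@ALL", AUTH_NONE),    # ... except the members namespace
    ("members:bobpage", "bob",  AUTH_UPLOAD),  # bob gets upload rights on his own page only
]

def get_ns_original(page_id):
    """getNS() as the report describes it: the parent namespace, or False at the root."""
    pos = page_id.rfind(":")
    return page_id[:pos] if pos != -1 else False

def get_ns_patched(page_id):
    """The quick fix from the report: the full id, once it contains a separator."""
    return page_id if ":" in page_id else False

def acl_check(target, user, groups=("ALL",)):
    """Resolve the permission for `target`: exact entry first, then walk the
    enclosing namespace wildcards (ns:*) upwards until the root entry '*'."""
    subjects = {user} | {"@" + g for g in groups}

    def lookup(scope):
        perms = [p for s, who, p in ACL if s == scope and who in subjects]
        return max(perms) if perms else None

    perm = lookup(target)
    if perm is not None:
        return perm
    ns = get_ns_original(target)
    while True:
        perm = lookup(ns + ":*" if ns else "*")
        if perm is not None:
            return perm
        if not ns:
            return AUTH_NONE          # no root entry at all: deny
        ns = get_ns_original(ns)

def may_upload(page_id, user, get_ns):
    """The media-manager decision: the ACL check runs on whatever get_ns() returns,
    so with the original getNS() the page-level grant is never consulted."""
    target = get_ns(page_id)
    return acl_check(target if target else "*", user) >= AUTH_UPLOAD
```

Note that a page-level entry still does not cover a sub-namespace such as members:bobpage:pics; the walk only finds "members:*" there, so the quick fix helps exactly when the checked id equals the page id.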
Please fix it :)
(kang A_T insecure dO_ooT ws)