
Commit fd02095

committed
Rework plugin to use auth_aclcheck()
This replaces the code for checking the ACL rules with calls to the existing auth_aclcheck() function. This avoids duplicating the ACL evaluation logic and allows this plugin to be used with ACL extension plugins like aclregex or aclplusregex. The new logic goes through all the users and groups that are contained in the ACL rules and checks the permissions for these subjects. If the permissions for a subject exceed those of the 'ALL' group, the subject is added to the list. Signed-off-by: Frieder Schrempf <[email protected]>
1 parent fa3a27c commit fd02095


1 file changed

+41
-56
lines changed


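--- a/syntax.php
+++ b/syntax.php
@@ -2,6 +2,7 @@
 /**
 * @license GPL 2 (http://www.gnu.org/licenses/gpl.html)
 * @author Andreas Gohr <[email protected]>
+* @author Frieder Schrempf <[email protected]>
 */
 // must be run within Dokuwiki
 if(!defined('DOKU_INC')) die();
@@ -58,6 +59,8 @@ function handle($match, $state, $pos, Doku_Handler $handler){
 */
 function render($format, Doku_Renderer $R, $data) {
 global $INFO;
+global $AUTH_ACL;
+
 if($format != 'xhtml') return false;
 
 if(!$data[0]) {
@@ -66,71 +69,53 @@ function render($format, Doku_Renderer $R, $data) {
 $page = $data[0];
 }
 
-$perms = $this->_aclcheck($page);
+$subjects = array();
+
+/*
+* Get the permissions for @ALL in the beginning, we will use it
+* to compare and filter other permissions that are lower.
+*/
+$allperm = auth_aclcheck($page, '', array('ALL'));
+
 $R->listu_open();
-foreach((array)$perms as $who => $p){
+
+/*
+* Go through each entry of the ACL rules.
+*/
+foreach($AUTH_ACL as $rule){
+$rule = preg_replace('/#.*$/', '', $rule); // Ignore comments
+$subject = preg_split('/[ \t]+/', $rule)[1];
+$subject = urldecode($subject);
+$groups = array();
+$user = '';
+
+// Skip if we already checked this user/group
+if(in_array($subject, $subjects))
+continue;
+
+$subjects[] = $subject;
+
+// Check if this entry is about a user or a group (starting with '@')
+if(substr($subject, 0, 1) === '@')
+$groups[] = substr($subject, 1);
+else
+$user = $subject;
+
+$perm = auth_aclcheck($page, $user, $groups);
+
+// Skip permissions of 0 or if lower than @ALL
+if($perm == AUTH_NONE || ($subject != '@ALL' && $perm <= $allperm))
+continue;
+
 $R->listitem_open(1);
 $R->listcontent_open();
-$R->cdata(sprintf($this->getLang('perm'.$p), urldecode($who)));
+$R->cdata(sprintf($this->getLang('perm'.$perm), $subject));
 $R->listcontent_close();
 $R->listitem_close();
 }
 $R->listu_close();
 return true;
 }
-
-function _aclcheck($id){
-global $conf;
-global $AUTH_ACL;
-
-$id = cleanID($id);
-$ns = getNS($id);
-$perms = array();
-
-//check exact match first
-$matches = preg_grep('/^'.preg_quote($id,'/').'\s+/',$AUTH_ACL);
-if(count($matches)){
-foreach($matches as $match){
-$match = preg_replace('/#.*$/','',$match); //ignore comments
-$acl = preg_split('/\s+/',$match);
-if($acl[2] > AUTH_DELETE) $acl[2] = AUTH_DELETE; //no admins in the ACL!
-if(!isset($perms[$acl[1]])) $perms[$acl[1]] = $acl[2];
-}
-}
-
-//still here? do the namespace checks
-if($ns){
-$path = $ns.':\*';
-}else{
-$path = '\*'; //root document
-}
-
-do{
-$matches = preg_grep('/^'.$path.'\s+/',$AUTH_ACL);
-if(count($matches)){
-foreach($matches as $match){
-$match = preg_replace('/#.*$/','',$match); //ignore comments
-$acl = preg_split('/\s+/',$match);
-if($acl[2] > AUTH_DELETE) $acl[2] = AUTH_DELETE; //no admins in the ACL!
-if(!isset($perms[$acl[1]])) $perms[$acl[1]] = $acl[2];
-}
-}
-
-//get next higher namespace
-$ns = getNS($ns);
-
-if($path != '\*'){
-$path = $ns.':\*';
-if($path == ':\*') $path = '\*';
-}else{
-//we did this already
-//break here
-break;
-}
-}while(1); //this should never loop endless
-
-return $perms;
-}
 }
 
 //Setup VIM: ex: et ts=4 enc=utf-8 :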
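Review bot: In the new `foreach($AUTH_ACL as $rule)` loop the subject is passed through `urldecode()` before the leading-`@` test, so a user entry whose encoded name starts with `%40` would be treated as a group and then checked and listed under the wrong identity; this assumes user names are stored URL-encoded while group entries keep a literal `@`, which the decode call suggests. Test the raw field first, e.g. `$isGroup = substr($raw, 0, 1) === '@';`, and decode only afterwards. The same statement indexes `preg_split(...)[1]` without checking that the field exists, so a blank or comment-only entry in `$AUTH_ACL` would raise an undefined offset; a guard such as `if(!isset($fields[1])) continue;` covers it. The removed `_aclcheck()` capped values at `AUTH_DELETE`, whereas the result of `auth_aclcheck()` now goes straight into `'perm'.$perm`, so it is worth confirming that a language string exists for every value that function can return. `render()` begins before the third hunk, so the lines between the hunks were not reviewed.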
