-
Notifications
You must be signed in to change notification settings - Fork 1
/
action.php
262 lines (223 loc) · 9.92 KB
/
action.php
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
<?php
/**
* Allow regular expressions in ACL entry objects
*
* Original idea raised in https://github.com/splitbrain/dokuwiki/issues/1957
*
* @license GPL 2 (http://www.gnu.org/licenses/gpl.html)
* @author Iain Hallam <iain@nineworlds.net>
*/
if (!defined('DOKU_INC')) die();
class action_plugin_aclregex extends DokuWiki_Action_Plugin
{
/**
* Register handlers with DokuWiki's event system
*
* @param Doku_Event_Handler $controller DokuWiki's event controller object
*
* @return not required
*/
public function register(Doku_Event_Handler $controller)
{
$controller->register_hook('AUTH_ACL_CHECK', 'BEFORE', $this, 'handleACLRegexCheck');
}
/**
* Event handler run before AUTH_ACL_CHECK
*
* Modelled on DokuWiki's own auth_aclcheck_cb() in inc/auth.php
*
* @param Doku_Event $event Event object by reference
* @param mixed $param The parameters passed to register_hook
*
* @return int AUTH_<X>
*/
public function handleACLRegexCheck(Doku_Event $event, $param)
{
// Prevent default event to do our own auth check
$event->preventDefault();
// Access event data
$id = $event->data['id']; // @var string $id
//dbg('Raw id: ' . $id);
$user = $event->data['user']; // @var string $user
//dbg('Raw user: ' . $user);
$groups = $event->data['groups']; // @var string[] $groups
//dbg('Raw groups: ' . implode(', ', $groups));
// Access global variables
global $conf; // @var string[] $conf The global configuration dictionary
global $AUTH_ACL; // @var string[] $AUTH_ACL Strings matching <object>\t<subject>[ \t]+<permission>
//dbg('Raw ACLs:' . NL . implode(NL, $AUTH_ACL));
global $auth; // @var DokuWiki_Auth_Plugin $auth The global authentication handler
// If no ACL is used always return upload rights
if (! $conf['useacl']) {
//dbg('Not configured for ACLs');
$event->result = AUTH_UPLOAD;
return AUTH_UPLOAD;
}
// If no auth is loaded return no rights
if (! $auth) {
//dbg('No auth backend loaded');
$event->result = AUTH_NONE;
return AUTH_NONE;
}
// If no ACLs exist return no rights
if (! count($AUTH_ACL)) {
msg('No ACL setup yet! Denying access to everyone.');
$event->result = AUTH_NONE;
return AUTH_NONE;
}
// Make sure $groups is an array
if (! is_array($groups)) $groups = array();
// If user is superuser or in superuser group return admin rights
if (auth_isadmin($user, $groups)) {
//dbg('Admin user');
$event->result = AUTH_ADMIN;
return AUTH_ADMIN;
}
// Clean up user name (and encode any special characters) and groups
if (! $auth->isCaseSensitive()) {
$user = utf8_strtolower($user);
$groups = array_map('utf8_strtolower', $groups);
}
$user = auth_nameencode($auth->cleanUser($user));
$groups = array_map(array($auth, 'cleanGroup'), (array) $groups);
// Make sure groups start with @ and encode any special characters
foreach ($groups as &$group) {
$group = '@' . auth_nameencode($group);
}
// Add @ALL group
$groups[] = '@ALL';
// Add user to match against
if ($user) $groups[] = $user;
//dbg('processed user and groups: ' . implode(', ', $groups));
// Set initial search variables
$highest_permission = -1;
// Build ACL parts structure
$acl_parts_list = array();
foreach ($AUTH_ACL as $acl) {
// Ignore comments
$acl = preg_replace('/#.*$/', '', $acl);
//dbg('Processing ACL: ' . $acl);
// Access ACL parts
list($acl_object, $acl_subject, $acl_permission, $acl_rest) = preg_split('/[ \t]+/', $acl, 4);
//dbg('Object: ' . $acl_object);
//dbg('Subject: ' . $acl_subject);
//dbg('Permission: ' . $acl_permission);
//dbg('Rest: ' . $acl_rest);
// Quote ACL object parts that aren't in a regex to treat them literally
$acl_object_parts = explode('/', $acl_object); // Split on delimiters
$acl_object = ''; // Rebuild $acl_object from scratch
foreach ($acl_object_parts as $key => $part) {
if ($key % 2 == 0) {
// Only for even keys counting from 0, i.e., 1st, 3rd, 5th,
// etc., which should be the parts outside / delimiters
$part = preg_quote($part); // Quote any PCRE special characters
}
$acl_object .= $part; // Add back to $acl_object
}
$acl_object = '|^' . $acl_object . '$|'; // Add PCRE delimiters to resulting $acl_object
//dbg('Quoted object: ' . $acl_object);
// Assign into the ACL parts structure
$acl_parts_list[] = array(
'object' => $acl_object,
'subject' => $acl_subject,
'permission' => $acl_permission,
'rest' => $acl_rest
);
}
// Check for exact object matches
foreach ($acl_parts_list as $acl_parts) {
if (preg_match($acl_parts['object'], $id)) {
//dbg('Matched ID ' . $id . ' with search string ' . $acl_parts['object']);
$line_permission = $this->checkPermission($groups, $acl_parts['subject'], $acl_parts['permission']);
//dbg('Line permission returned: ' . $line_permission);
// The highest permission found is what gets returned
if ($line_permission > $highest_permission) {
//dbg('New highest permission: ' . $line_permission);
$highest_permission = $line_permission;
}
}
}
// If we had a match return it
if ($highest_permission > -1) {
//dbg('Permission: ' . $highest_permission);
$event->result = $highest_permission;
return $highest_permission;
}
// There wasn't an exact match, so check up the tree for namespace matches
//dbg('No permissions from exact matches - trying namespaces');
// Set path match string using namespace
$ns = getNS($id);
$path = $ns . ':*';
if ($path == ':*') {
$path = '*'; // $id is in the root namespace
}
//dbg('Path: ' . $path);
// Loop to work our way up the tree if there's no match first time round
do {
foreach ($acl_parts_list as $acl_parts) {
if (preg_match($acl_parts['object'], $path)) {
//dbg('Matched namespace path ' . $path . ' with search string ' . $acl_parts['object']);
$line_permission = $this->checkPermission($groups, $acl_parts['subject'], $acl_parts['permission']);
//dbg('Line permission returned: ' . $line_permission);
// The highest permission found is what gets returned
if ($line_permission > $highest_permission) {
//dbg('New highest permission: ' . $line_permission);
$highest_permission = $line_permission;
}
}
}
// If we had a match return it
if ($highest_permission > -1) {
//dbg('Permission: ' . $highest_permission);
$event->result = $highest_permission;
return $highest_permission;
}
// If we're not already at the root, get the next higher namespace
if ($path != '*') {
$ns = getNS($ns);
$path = $ns . ':*';
if ($path == ':*') {
$path = '*';
}
//dbg('Next path: ' . $path);
} else {
// We were at the root already but didn't get a match; move on to the next ACL
msg('No ACL setup yet! Denying access to everyone.');
break;
}
} while (true); // This shouldn't be endless as there are exit conditions in the loop
// No matches = no permission
//dbg('Permission: ' . AUTH_NONE);
$event->result = AUTH_NONE;
return AUTH_NONE;
}
/**
* Check the resulting permission for user's groups and username
*
* @param string[] $groups A list of groups (including the username) to check
* @param string $acl_subject The subject (user or group) assigned in the ACL
* @param int $acl_permission The permission assigned in the ACL
*/
private function checkPermission($groups, $acl_subject, $acl_permission)
{
// Access global variables
global $auth; // @var DokuWiki_Auth_Plugin $auth The global authentication handler
//dbg('checkPermission $groups: ' . $groups);
//dbg('checkPermission $acl_subject: ' . $acl_subject);
//dbg('checkPermission $acl_permission: ' . $acl_permission);
// Lowercase acl_subject except @ALL if we can
if (! $auth->isCaseSensitive() && $acl_subject !== '@ALL') {
$acl_subject = utf8_strtolower($acl_subject);
}
// If $acl_subject doesn't contain one of the user's groups or their user name, move on
// This would be where to change the plugin to support regexes in subjects
if (! in_array($acl_subject, $groups)) {
return -1;
}
// Don't allow admin permissions from ACLs!
if ($acl_permission > AUTH_DELETE) {
$acl_permission = AUTH_DELETE;
}
return $acl_permission;
}
}