1<?php
2
3use dokuwiki\test\mock\AuthPlugin;
4
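/**
 * Tests for auth_aclcheck(): turning a list of ACL rule lines into a
 * permission level for a page id, a user name and that user's groups.
 *
 * Each rule line used here has the form "<scope> <subject> <level>", where a
 * subject starting with "@" is a group. The numeric levels that appear in the
 * rules map to these constants in the expectations below:
 * 0 = AUTH_NONE, 1 = AUTH_READ, 2 = AUTH_EDIT, 4 = AUTH_CREATE,
 * 8 = AUTH_UPLOAD, 16 = AUTH_DELETE.
 *
 * NOTE(review): assertEquals() compares loosely, so a null or false return
 * would also satisfy an AUTH_NONE (0) expectation. If auth_aclcheck() is
 * guaranteed to return an int, assertSame() would pin the deny cases more
 * tightly - confirm against the implementation before switching.
 */
class auth_acl_test extends DokuWikiTest
{
    /** @var mixed value of the global $AUTH_ACL before the test ran */
    protected $oldAuthAcl;

    /** @var mixed value of the global $auth before it was replaced by the mock */
    protected $oldAuth;

    /**
     * Remember the global ACL and auth backend, then install the mock backend.
     */
    public function setUp(): void
    {
        parent::setUp();
        global $AUTH_ACL;
        global $auth;

        $this->oldAuthAcl = $AUTH_ACL;
        // Kept so tearDown() can put the real backend back; otherwise the mock
        // would stay in place for whatever test class runs next.
        $this->oldAuth = $auth;
        $auth = new AuthPlugin();
    }

    /**
     * Restore the globals replaced in setUp() and by the individual tests.
     */
    public function tearDown(): void
    {
        global $AUTH_ACL;
        global $auth;

        $AUTH_ACL = $this->oldAuthAcl;
        $auth     = $this->oldAuth;

        parent::tearDown();
    }

    /**
     * Closed wiki: @ALL gets nothing, members of @user get upload rights and
     * the configured superuser gets admin regardless of groups.
     */
    public function test_restricted(): void
    {
        global $conf;
        global $AUTH_ACL;
        $conf['superuser'] = 'john';
        $conf['useacl']    = 1;

        $AUTH_ACL = [
            '*           @ALL           0',
            '*           @user          8',
        ];

        // anonymous user
        $this->assertEquals(AUTH_NONE, auth_aclcheck('page', '', []));
        $this->assertEquals(AUTH_NONE, auth_aclcheck('namespace:page', '', []));
        $this->assertEquals(AUTH_NONE, auth_aclcheck('namespace:*', '', []));

        // user with no matching group
        $this->assertEquals(AUTH_NONE, auth_aclcheck('page', 'jill', ['foo']));
        $this->assertEquals(AUTH_NONE, auth_aclcheck('namespace:page', 'jill', ['foo']));
        $this->assertEquals(AUTH_NONE, auth_aclcheck('namespace:*', 'jill', ['foo']));

        // user with matching group
        $this->assertEquals(AUTH_UPLOAD, auth_aclcheck('page', 'jill', ['foo', 'user']));
        $this->assertEquals(AUTH_UPLOAD, auth_aclcheck('namespace:page', 'jill', ['foo', 'user']));
        $this->assertEquals(AUTH_UPLOAD, auth_aclcheck('namespace:*', 'jill', ['foo', 'user']));

        // super user: no ACL line grants john anything, the superuser setting does
        $this->assertEquals(AUTH_ADMIN, auth_aclcheck('page', 'john', ['foo']));
        $this->assertEquals(AUTH_ADMIN, auth_aclcheck('namespace:page', 'john', ['foo']));
        $this->assertEquals(AUTH_ADMIN, auth_aclcheck('namespace:*', 'john', ['foo']));
    }

    /**
     * Same closed wiki, plus a page-level rule that lowers @user to read-only
     * on one page while the rest of the namespace keeps the wider grant.
     */
    public function test_restricted_ropage(): void
    {
        global $conf;
        global $AUTH_ACL;
        $conf['superuser'] = 'john';
        $conf['useacl']    = 1;

        $AUTH_ACL = [
            '*                  @ALL           0',
            '*                  @user          8',
            'namespace:page     @user          1',
        ];

        // anonymous user
        $this->assertEquals(AUTH_NONE, auth_aclcheck('page', '', []));
        $this->assertEquals(AUTH_NONE, auth_aclcheck('namespace:page', '', []));
        $this->assertEquals(AUTH_NONE, auth_aclcheck('namespace:*', '', []));

        // user with no matching group
        $this->assertEquals(AUTH_NONE, auth_aclcheck('page', 'jill', ['foo']));
        $this->assertEquals(AUTH_NONE, auth_aclcheck('namespace:page', 'jill', ['foo']));
        $this->assertEquals(AUTH_NONE, auth_aclcheck('namespace:*', 'jill', ['foo']));

        // user with matching group: the page rule (1) must win over the global rule (8)
        $this->assertEquals(AUTH_UPLOAD, auth_aclcheck('page', 'jill', ['foo', 'user']));
        $this->assertEquals(AUTH_READ, auth_aclcheck('namespace:page', 'jill', ['foo', 'user']));
        $this->assertEquals(AUTH_UPLOAD, auth_aclcheck('namespace:*', 'jill', ['foo', 'user']));

        // super user
        $this->assertEquals(AUTH_ADMIN, auth_aclcheck('page', 'john', ['foo']));
        $this->assertEquals(AUTH_ADMIN, auth_aclcheck('namespace:page', 'john', ['foo']));
        $this->assertEquals(AUTH_ADMIN, auth_aclcheck('namespace:*', 'john', ['foo']));
    }

    /**
     * A mixed rule set with user rules, group rules and namespace overrides,
     * checked for four identities: anonymous, bigboss, a marketing member and
     * a devel member.
     */
    public function test_aclexample(): void
    {
        global $conf;
        global $AUTH_ACL;
        $conf['superuser'] = 'john';
        $conf['useacl']    = 1;

        $AUTH_ACL = [
            '*                     @ALL        4',
            '*                     bigboss    16',
            'start                 @ALL        1',
            'marketing:*           @marketing  8',
            'devel:*               @ALL        0',
            'devel:*               @devel      8',
            'devel:*               bigboss    16',
            'devel:funstuff        bigboss     0',
            'devel:*               @marketing  1',
            'devel:marketing       @marketing  2',
        ];

        // only the two global rules apply
        $this->assertEquals(AUTH_CREATE, auth_aclcheck('page', '', []));
        $this->assertEquals(AUTH_DELETE, auth_aclcheck('page', 'bigboss', ['foo']));
        $this->assertEquals(AUTH_CREATE, auth_aclcheck('page', 'jill', ['marketing']));
        $this->assertEquals(AUTH_CREATE, auth_aclcheck('page', 'jane', ['devel']));

        // the page rule for 'start' caps everyone at read, bigboss included
        $this->assertEquals(AUTH_READ, auth_aclcheck('start', '', []));
        $this->assertEquals(AUTH_READ, auth_aclcheck('start', 'bigboss', ['foo']));
        $this->assertEquals(AUTH_READ, auth_aclcheck('start', 'jill', ['marketing']));
        $this->assertEquals(AUTH_READ, auth_aclcheck('start', 'jane', ['devel']));

        // marketing namespace: only @marketing has a rule there, the rest fall back to the global rules
        $this->assertEquals(AUTH_CREATE, auth_aclcheck('marketing:page', '', []));
        $this->assertEquals(AUTH_DELETE, auth_aclcheck('marketing:page', 'bigboss', ['foo']));
        $this->assertEquals(AUTH_UPLOAD, auth_aclcheck('marketing:page', 'jill', ['marketing']));
        $this->assertEquals(AUTH_CREATE, auth_aclcheck('marketing:page', 'jane', ['devel']));

        // devel namespace: closed to @ALL, opened again per group and for bigboss
        $this->assertEquals(AUTH_NONE, auth_aclcheck('devel:page', '', []));
        $this->assertEquals(AUTH_DELETE, auth_aclcheck('devel:page', 'bigboss', ['foo']));
        $this->assertEquals(AUTH_READ, auth_aclcheck('devel:page', 'jill', ['marketing']));
        $this->assertEquals(AUTH_UPLOAD, auth_aclcheck('devel:page', 'jane', ['devel']));

        // explicit page-level deny for bigboss overrides his namespace grant
        $this->assertEquals(AUTH_NONE, auth_aclcheck('devel:funstuff', '', []));
        $this->assertEquals(AUTH_NONE, auth_aclcheck('devel:funstuff', 'bigboss', ['foo']));
        $this->assertEquals(AUTH_READ, auth_aclcheck('devel:funstuff', 'jill', ['marketing']));
        $this->assertEquals(AUTH_UPLOAD, auth_aclcheck('devel:funstuff', 'jane', ['devel']));

        // page-level rule raises @marketing from read to edit on this one page
        $this->assertEquals(AUTH_NONE, auth_aclcheck('devel:marketing', '', []));
        $this->assertEquals(AUTH_DELETE, auth_aclcheck('devel:marketing', 'bigboss', ['foo']));
        $this->assertEquals(AUTH_EDIT, auth_aclcheck('devel:marketing', 'jill', ['marketing']));
        $this->assertEquals(AUTH_UPLOAD, auth_aclcheck('devel:marketing', 'jane', ['devel']));
    }

    /**
     * Closed wiki with a superuser setting that lists two users and two
     * groups: each of them must resolve to admin, nobody else may.
     */
    public function test_multiadmin_restricted(): void
    {
        global $conf;
        global $AUTH_ACL;
        $conf['superuser'] = 'john,@admin,doe,@roots';
        $conf['useacl']    = 1;

        $AUTH_ACL = [
            '*           @ALL           0',
            '*           @user          8',
        ];

        // anonymous user
        $this->assertEquals(AUTH_NONE, auth_aclcheck('page', '', []));
        $this->assertEquals(AUTH_NONE, auth_aclcheck('namespace:page', '', []));
        $this->assertEquals(AUTH_NONE, auth_aclcheck('namespace:*', '', []));

        // user with no matching group
        $this->assertEquals(AUTH_NONE, auth_aclcheck('page', 'jill', ['foo']));
        $this->assertEquals(AUTH_NONE, auth_aclcheck('namespace:page', 'jill', ['foo']));
        $this->assertEquals(AUTH_NONE, auth_aclcheck('namespace:*', 'jill', ['foo']));

        // user with matching group
        $this->assertEquals(AUTH_UPLOAD, auth_aclcheck('page', 'jill', ['foo', 'user']));
        $this->assertEquals(AUTH_UPLOAD, auth_aclcheck('namespace:page', 'jill', ['foo', 'user']));
        $this->assertEquals(AUTH_UPLOAD, auth_aclcheck('namespace:*', 'jill', ['foo', 'user']));

        // super user john
        $this->assertEquals(AUTH_ADMIN, auth_aclcheck('page', 'john', ['foo']));
        $this->assertEquals(AUTH_ADMIN, auth_aclcheck('namespace:page', 'john', ['foo']));
        $this->assertEquals(AUTH_ADMIN, auth_aclcheck('namespace:*', 'john', ['foo']));

        // super user doe
        $this->assertEquals(AUTH_ADMIN, auth_aclcheck('page', 'doe', ['foo']));
        $this->assertEquals(AUTH_ADMIN, auth_aclcheck('namespace:page', 'doe', ['foo']));
        $this->assertEquals(AUTH_ADMIN, auth_aclcheck('namespace:*', 'doe', ['foo']));

        // user with matching admin group
        $this->assertEquals(AUTH_ADMIN, auth_aclcheck('page', 'jill', ['foo', 'admin']));
        $this->assertEquals(AUTH_ADMIN, auth_aclcheck('namespace:page', 'jill', ['foo', 'admin']));
        $this->assertEquals(AUTH_ADMIN, auth_aclcheck('namespace:*', 'jill', ['foo', 'admin']));

        // user with matching another admin group
        $this->assertEquals(AUTH_ADMIN, auth_aclcheck('page', 'jill', ['foo', 'roots']));
        $this->assertEquals(AUTH_ADMIN, auth_aclcheck('namespace:page', 'jill', ['foo', 'roots']));
        $this->assertEquals(AUTH_ADMIN, auth_aclcheck('namespace:*', 'jill', ['foo', 'roots']));
    }

    /**
     * Multi-entry superuser setting combined with the read-only page rule:
     * admins bypass the page restriction, ordinary @user members do not.
     */
    public function test_multiadmin_restricted_ropage(): void
    {
        global $conf;
        global $AUTH_ACL;
        $conf['superuser'] = 'john,@admin,doe,@roots';
        $conf['useacl']    = 1;

        $AUTH_ACL = [
            '*                  @ALL           0',
            '*                  @user          8',
            'namespace:page     @user          1',
        ];

        // anonymous user
        $this->assertEquals(AUTH_NONE, auth_aclcheck('page', '', []));
        $this->assertEquals(AUTH_NONE, auth_aclcheck('namespace:page', '', []));
        $this->assertEquals(AUTH_NONE, auth_aclcheck('namespace:*', '', []));

        // user with no matching group
        $this->assertEquals(AUTH_NONE, auth_aclcheck('page', 'jill', ['foo']));
        $this->assertEquals(AUTH_NONE, auth_aclcheck('namespace:page', 'jill', ['foo']));
        $this->assertEquals(AUTH_NONE, auth_aclcheck('namespace:*', 'jill', ['foo']));

        // user with matching group
        $this->assertEquals(AUTH_UPLOAD, auth_aclcheck('page', 'jill', ['foo', 'user']));
        $this->assertEquals(AUTH_READ, auth_aclcheck('namespace:page', 'jill', ['foo', 'user']));
        $this->assertEquals(AUTH_UPLOAD, auth_aclcheck('namespace:*', 'jill', ['foo', 'user']));

        // super user john
        $this->assertEquals(AUTH_ADMIN, auth_aclcheck('page', 'john', ['foo']));
        $this->assertEquals(AUTH_ADMIN, auth_aclcheck('namespace:page', 'john', ['foo']));
        $this->assertEquals(AUTH_ADMIN, auth_aclcheck('namespace:*', 'john', ['foo']));

        // super user doe
        $this->assertEquals(AUTH_ADMIN, auth_aclcheck('page', 'doe', ['foo']));
        $this->assertEquals(AUTH_ADMIN, auth_aclcheck('namespace:page', 'doe', ['foo']));
        $this->assertEquals(AUTH_ADMIN, auth_aclcheck('namespace:*', 'doe', ['foo']));

        // user with matching admin group
        $this->assertEquals(AUTH_ADMIN, auth_aclcheck('page', 'jill', ['foo', 'admin']));
        $this->assertEquals(AUTH_ADMIN, auth_aclcheck('namespace:page', 'jill', ['foo', 'admin']));
        $this->assertEquals(AUTH_ADMIN, auth_aclcheck('namespace:*', 'jill', ['foo', 'admin']));

        // user with matching another admin group
        $this->assertEquals(AUTH_ADMIN, auth_aclcheck('page', 'jill', ['foo', 'roots']));
        $this->assertEquals(AUTH_ADMIN, auth_aclcheck('namespace:page', 'jill', ['foo', 'roots']));
        $this->assertEquals(AUTH_ADMIN, auth_aclcheck('namespace:*', 'jill', ['foo', 'roots']));
    }

    /**
     * Per-user and per-group namespaces from the ACL returned by
     * auth_loadACL(): the owner gets delete rights, an unrelated user only
     * read. The group names 'töst' and 'foo bar' are looked up under the ids
     * 'toest' and 'foo_bar'.
     */
    public function test_wildcards(): void
    {
        global $conf;
        global $AUTH_ACL;
        global $USERINFO;

        // Remember the identity globals so this test does not leave a
        // logged-in 'john' behind for later tests.
        // NOTE(review): the base class may already reset these - confirm.
        $hadRemoteUser = array_key_exists('REMOTE_USER', $_SERVER);
        $oldRemoteUser = $hadRemoteUser ? $_SERVER['REMOTE_USER'] : null;
        $oldUserInfo   = $USERINFO;

        $conf['useacl'] = 1;

        try {
            // presumably auth_loadACL() reads these two globals to expand the
            // user/group placeholders of the ACL file - verify
            $_SERVER['REMOTE_USER'] = 'john';
            $USERINFO['grps']       = ['test', 'töst', 'foo bar'];
            $AUTH_ACL = auth_loadACL(); // default test file

            $user   = $_SERVER['REMOTE_USER'];
            $groups = $USERINFO['grps'];

            // default setting
            $this->assertEquals(AUTH_UPLOAD, auth_aclcheck('page', $user, $groups));

            // user namespace
            $this->assertEquals(AUTH_DELETE, auth_aclcheck('users:john:foo', $user, $groups));
            $this->assertEquals(AUTH_READ, auth_aclcheck('users:john:foo', 'schmock', []));

            // group namespace
            $this->assertEquals(AUTH_DELETE, auth_aclcheck('groups:test:foo', $user, $groups));
            $this->assertEquals(AUTH_READ, auth_aclcheck('groups:test:foo', 'schmock', []));
            $this->assertEquals(AUTH_DELETE, auth_aclcheck('groups:toest:foo', $user, $groups));
            $this->assertEquals(AUTH_READ, auth_aclcheck('groups:toest:foo', 'schmock', []));
            $this->assertEquals(AUTH_DELETE, auth_aclcheck('groups:foo_bar:foo', $user, $groups));
            $this->assertEquals(AUTH_READ, auth_aclcheck('groups:foo_bar:foo', 'schmock', []));
        } finally {
            if ($hadRemoteUser) {
                $_SERVER['REMOTE_USER'] = $oldRemoteUser;
            } else {
                unset($_SERVER['REMOTE_USER']);
            }
            $USERINFO = $oldUserInfo;
        }
    }
}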
264
265//Setup VIM: ex: et ts=4 :
266