1<?php 2/** 3 * ACL administration functions 4 * 5 * @license GPL 2 (http://www.gnu.org/licenses/gpl.html) 6 * @author Andreas Gohr <andi@splitbrain.org> 7 * @author Anika Henke <a.c.henke@arcor.de> (concepts) 8 * @author Frank Schubert <frank@schokilade.de> (old version) 9 */ 10// must be run within Dokuwiki 11if(!defined('DOKU_INC')) die(); 12 13if(!defined('DOKU_PLUGIN')) define('DOKU_PLUGIN',DOKU_INC.'lib/plugins/'); 14require_once(DOKU_PLUGIN.'admin.php'); 15 16/** 17 * All DokuWiki plugins to extend the admin function 18 * need to inherit from this class 19 */ 20class admin_plugin_acl extends DokuWiki_Admin_Plugin { 21 var $acl = null; 22 var $ns = null; 23 var $who = ''; 24 var $usersgroups = array(); 25 26 27 /** 28 * return some info 29 */ 30 function getInfo(){ 31 return array( 32 'author' => 'Andreas Gohr', 33 'email' => 'andi@splitbrain.org', 34 'date' => '2007-11-17', 35 'name' => 'ACL', 36 'desc' => 'Manage Page Access Control Lists', 37 'url' => 'http://wiki.splitbrain.org/wiki:acl', 38 ); 39 } 40 41 /** 42 * return prompt for admin menu 43 */ 44 function getMenuText($language) { 45 return $this->getLang('admin_acl'); 46 } 47 48 /** 49 * return sort order for position in admin menu 50 */ 51 function getMenuSort() { 52 return 1; 53 } 54 55 /** 56 * handle user request 57 * 58 * Initializes internal vars and handles modifications 59 * 60 * @author Andreas Gohr <andi@splitbrain.org> 61 */ 62 function handle() { 63 global $AUTH_ACL; 64 global $ID; 65 66 // namespace given? 67 if($_REQUEST['ns'] == '*'){ 68 $this->ns = '*'; 69 }else{ 70 $this->ns = cleanID($_REQUEST['ns']); 71 } 72 73 // user or group choosen? 74 $who = trim($_REQUEST['acl_w']); 75 if($_REQUEST['acl_t'] == '__g__' && $who){ 76 $this->who = '@'.ltrim($who,'@'); 77 }elseif($_REQUEST['acl_t'] == '__u__' && $who){ 78 $this->who = ltrim($who,'@'); 79 }elseif($_REQUEST['acl_t'] && 80 $_REQUEST['acl_t'] != '__u__' && 81 $_REQUEST['acl_t'] != '__g__'){ 82 $this->who = $_REQUEST['acl_t']; 83 }elseif($who){ 84 $this->who = $who; 85 } 86 87 // handle modifications 88 if(isset($_REQUEST['cmd'])){ 89 // scope for modifications 90 if($this->ns){ 91 if($this->ns == '*'){ 92 $scope = '*'; 93 }else{ 94 $scope = $this->ns.':*'; 95 } 96 }else{ 97 $scope = $ID; 98 } 99 100 if(isset($_REQUEST['cmd']['save']) && $scope && $this->who && isset($_REQUEST['acl'])){ 101 // handle additions or single modifications 102 $this->_acl_del($scope, $this->who); 103 $this->_acl_add($scope, $this->who, (int) $_REQUEST['acl']); 104 }elseif(isset($_REQUEST['cmd']['del']) && $scope && $this->who){ 105 // handle single deletions 106 $this->_acl_del($scope, $this->who); 107 }elseif(isset($_REQUEST['cmd']['update'])){ 108 // handle update of the whole file 109 foreach((array) $_REQUEST['del'] as $where => $who){ 110 // remove all rules marked for deletion 111 unset($_REQUEST['acl'][$where][$who]); 112 } 113 // prepare lines 114 $lines = array(); 115 // keep header 116 foreach($AUTH_ACL as $line){ 117 if($line{0} == '#'){ 118 $lines[] = $line; 119 }else{ 120 break; 121 } 122 } 123 // re-add all rules 124 foreach((array) $_REQUEST['acl'] as $where => $opt){ 125 foreach($opt as $who => $perm){ 126 $who = auth_nameencode($who,true); 127 $lines[] = "$where\t$who\t$perm\n"; 128 } 129 } 130 // save it 131 io_saveFile(DOKU_CONF.'acl.auth.php', join('',$lines)); 132 } 133 134 // reload ACL config 135 $AUTH_ACL = file(DOKU_CONF.'acl.auth.php'); 136 } 137 138 // initialize ACL array 139 $this->_init_acl_config(); 140 } 141 142 /** 143 * ACL Output function 144 * 145 * print a table with all significant permissions for the 146 * current id 147 * 148 * @author Frank Schubert <frank@schokilade.de> 149 * @author Andreas Gohr <andi@splitbrain.org> 150 */ 151 function html() { 152 global $ID; 153 154 echo '<div id="acl_manager">'.NL; 155 echo '<h1>'.$this->getLang('admin_acl').'</h1>'.NL; 156 echo '<div class="level1">'.NL; 157 158 echo '<div id="acl__tree">'.NL; 159 $this->_html_explorer($_REQUEST['ns']); 160 echo '</div>'.NL; 161 162 echo '<div id="acl__detail">'.NL; 163 $this->_html_detail(); 164 echo '</div>'.NL; 165 echo '</div>'.NL; 166 167 echo '<div class="clearer"></div>'; 168 echo '<h2>'.$this->getLang('current').'</h2>'.NL; 169 echo '<div class="level2">'.NL; 170 $this->_html_table(); 171 echo '</div>'.NL; 172 173 echo '</div>'.NL; 174 } 175 176 /** 177 * returns array with set options for building links 178 * 179 * @author Andreas Gohr <andi@splitbrain.org> 180 */ 181 function _get_opts($addopts=null){ 182 global $ID; 183 $opts = array( 184 'do'=>'admin', 185 'page'=>'acl', 186 ); 187 if($this->ns) $opts['ns'] = $this->ns; 188 if($this->who) $opts['acl_w'] = $this->who; 189 190 if(is_null($addopts)) return $opts; 191 return array_merge($opts, $addopts); 192 } 193 194 /** 195 * Display a tree menu to select a page or namespace 196 * 197 * @author Andreas Gohr <andi@splitbrain.org> 198 */ 199 function _html_explorer(){ 200 require_once(DOKU_INC.'inc/search.php'); 201 global $conf; 202 global $ID; 203 global $lang; 204 205 $dir = $conf['datadir']; 206 $ns = $this->ns; 207 if(empty($ns)){ 208 $ns = dirname(str_replace(':','/',$ID)); 209 if($ns == '.') $ns =''; 210 }elseif($ns == '*'){ 211 $ns =''; 212 } 213 $ns = utf8_encodeFN(str_replace(':','/',$ns)); 214 215 216 $data = array(); 217 search($data,$conf['datadir'],'search_index',array('ns' => $ns)); 218 219 220 // wrap a list with the root level around the other namespaces 221 $item = array( 'level' => 0, 'id' => '*', 'type' => 'd', 222 'open' =>'true', 'label' => '['.$lang['mediaroot'].']'); 223 224 echo '<ul class="acltree">'; 225 echo $this->_html_li_acl($item); 226 echo '<div class="li">'; 227 echo $this->_html_list_acl($item); 228 echo '</div>'; 229 echo html_buildlist($data,'acl', 230 array($this,'_html_list_acl'), 231 array($this,'_html_li_acl')); 232 echo '</li>'; 233 echo '</ul>'; 234 235 } 236 237 /** 238 * Display the current ACL for selected where/who combination with 239 * selectors and modification form 240 * 241 * @author Andreas Gohr <andi@splitbrain.org> 242 */ 243 function _html_detail(){ 244 global $conf; 245 global $ID; 246 247 echo '<form action="'.wl().'" method="post" accept-charset="utf-8">'.NL; 248 249 echo '<div id="acl__user">'; 250 echo $this->getLang('acl_perms').' '; 251 $inl = $this->_html_select(); 252 echo '<input type="text" name="acl_w" class="edit" value="'.(($inl)?'':hsc(ltrim($this->who,'@'))).'" />'.NL; 253 echo '<input type="submit" value="Select" class="button" />'.NL; 254 echo '</div>'.NL; 255 256 echo '<div id="acl__info">'; 257 $this->_html_info(); 258 echo '</div>'; 259 260 echo '<input type="hidden" name="ns" value="'.hsc($this->ns).'" />'.NL; 261 echo '<input type="hidden" name="id" value="'.hsc($ID).'" />'.NL; 262 echo '<input type="hidden" name="do" value="admin" />'.NL; 263 echo '<input type="hidden" name="page" value="acl" />'.NL; 264 echo '</form>'.NL; 265 } 266 267 /** 268 * Print infos and editor 269 */ 270 function _html_info(){ 271 global $ID; 272 273 if($this->who){ 274 $current = $this->_get_exact_perm(); 275 276 // explain current permissions 277 $this->_html_explain($current); 278 // load editor 279 $this->_html_acleditor($current); 280 }else{ 281 echo '<p>'; 282 if($this->ns){ 283 printf($this->getLang('p_choose_ns'),hsc($this->ns)); 284 }else{ 285 printf($this->getLang('p_choose_id'),hsc($ID)); 286 } 287 echo '</p>'; 288 289 echo $this->locale_xhtml('help'); 290 } 291 } 292 293 /** 294 * Display the ACL editor 295 * 296 * @author Andreas Gohr <andi@splitbrain.org> 297 */ 298 function _html_acleditor($current){ 299 global $lang; 300 301 echo '<fieldset>'; 302 if(is_null($current)){ 303 echo '<legend>'.$this->getLang('acl_new').'</legend>'; 304 }else{ 305 echo '<legend>'.$this->getLang('acl_mod').'</legend>'; 306 } 307 308 309 echo $this->_html_checkboxes($current,empty($this->ns),'acl'); 310 311 if(is_null($current)){ 312 echo '<input type="submit" name="cmd[save]" class="button" value="'.$lang['btn_save'].'" />'.NL; 313 }else{ 314 echo '<input type="submit" name="cmd[save]" class="button" value="'.$lang['btn_update'].'" />'.NL; 315 echo '<input type="submit" name="cmd[del]" class="button" value="'.$lang['btn_delete'].'" />'.NL; 316 } 317 318 echo '</fieldset>'; 319 } 320 321 /** 322 * Explain the currently set permissions in plain english/$lang 323 * 324 * @author Andreas Gohr <andi@splitbrain.org> 325 */ 326 function _html_explain($current){ 327 global $ID; 328 global $auth; 329 330 $who = $this->who; 331 $ns = $this->ns; 332 333 // prepare where to check 334 if($ns){ 335 if($ns == '*'){ 336 $check='*'; 337 }else{ 338 $check=$ns.':*'; 339 } 340 }else{ 341 $check = $ID; 342 } 343 344 // prepare who to check 345 if($who{0} == '@'){ 346 $user = ''; 347 $groups = array(ltrim($who,'@')); 348 }else{ 349 $user = auth_nameencode($who); 350 $info = $auth->getUserData($user); 351 $groups = $info['groups']; 352 } 353 354 // check the permissions 355 $perm = auth_aclcheck($check,$user,$groups); 356 357 // build array of named permissions 358 $names = array(); 359 if($perm){ 360 if($ns){ 361 if($perm >= AUTH_DELETE) $names[] = $this->getLang('acl_perm16'); 362 if($perm >= AUTH_UPLOAD) $names[] = $this->getLang('acl_perm8'); 363 if($perm >= AUTH_CREATE) $names[] = $this->getLang('acl_perm4'); 364 } 365 if($perm >= AUTH_EDIT) $names[] = $this->getLang('acl_perm2'); 366 if($perm >= AUTH_READ) $names[] = $this->getLang('acl_perm1'); 367 $names = array_reverse($names); 368 }else{ 369 $names[] = $this->getLang('acl_perm0'); 370 } 371 372 // print permission explanation 373 echo '<p>'; 374 if($user){ 375 if($ns){ 376 printf($this->getLang('p_user_ns'),hsc($who),hsc($ns),join(', ',$names)); 377 }else{ 378 printf($this->getLang('p_user_id'),hsc($who),hsc($ID),join(', ',$names)); 379 } 380 }else{ 381 if($ns){ 382 printf($this->getLang('p_group_ns'),hsc(ltrim($who,'@')),hsc($ns),join(', ',$names)); 383 }else{ 384 printf($this->getLang('p_group_id'),hsc(ltrim($who,'@')),hsc($ID),join(', ',$names)); 385 } 386 } 387 echo '</p>'; 388 389 // add note if admin 390 if($perm == AUTH_ADMIN){ 391 echo '<p>'.$this->getLang('p_isadmin').'</p>'; 392 }elseif(is_null($current)){ 393 echo '<p>'.$this->getLang('p_inherited').'</p>'; 394 } 395 } 396 397 398 /** 399 * Item formatter for the tree view 400 * 401 * User function for html_buildlist() 402 * 403 * @author Andreas Gohr <andi@splitbrain.org> 404 */ 405 function _html_list_acl($item){ 406 global $ID; 407 $ret = ''; 408 // what to display 409 if($item['label']){ 410 $base = $item['label']; 411 }else{ 412 $base = ':'.$item['id']; 413 $base = substr($base,strrpos($base,':')+1); 414 } 415 416 // highlight? 417 if(($item['type']=='d' && 418 $item['id'] == $this->ns) || 419 $item['id'] == $ID) $cl = ' cur'; 420 421 // namespace or page? 422 if($item['type']=='d'){ 423 if($item['open']){ 424 $img = DOKU_BASE.'lib/images/minus.gif'; 425 $alt = '−'; 426 }else{ 427 $img = DOKU_BASE.'lib/images/plus.gif'; 428 $alt = '+'; 429 } 430 $ret .= '<img src="'.$img.'" alt="'.$alt.'" />'; 431 $ret .= '<a href="'.wl('',$this->_get_opts(array('ns'=>$item['id']))).'" class="idx_dir'.$cl.'">'; 432 $ret .= $base; 433 $ret .= '</a>'; 434 }else{ 435 $ret .= '<a href="'.wl('',$this->_get_opts(array('id'=>$item['id'],'ns'=>''))).'" class="wikilink1'.$cl.'">'; 436 $ret .= noNS($item['id']); 437 $ret .= '</a>'; 438 } 439 return $ret; 440 } 441 442 443 function _html_li_acl($item){ 444 return '<li class="level'.$item['level'].'">'; 445 } 446 447 448 /** 449 * Get current ACL settings as multidim array 450 * 451 * @author Andreas Gohr <andi@splitbrain.org> 452 */ 453 function _init_acl_config(){ 454 global $AUTH_ACL; 455 global $conf; 456 $acl_config=array(); 457 $usersgroups = array(); 458 459 foreach($AUTH_ACL as $line){ 460 $line = trim(preg_replace('/#.*$/','',$line)); //ignore comments 461 if(!$line) continue; 462 463 $acl = preg_split('/\s+/',$line); 464 //0 is pagename, 1 is user, 2 is acl 465 466 $acl[1] = rawurldecode($acl[1]); 467 $acl_config[$acl[0]][$acl[1]] = $acl[2]; 468 469 // store non-special users and groups for later selection dialog 470 $ug = $acl[1]; 471 if($ug == '@ALL') continue; 472 if($ug == $conf['superuser']) continue; 473 if($ug == $conf['manager']) continue; 474 $usersgroups[] = $ug; 475 } 476 477 $usersgroups = array_unique($usersgroups); 478 sort($usersgroups); 479 uksort($acl_config,array($this,'_sort_names')); 480 481 $this->acl = $acl_config; 482 $this->usersgroups = $usersgroups; 483 } 484 485 /** 486 * Custom function to sort the ACLs by namespace names 487 * 488 * @todo This maybe could be improved to resemble the real tree structure? 489 */ 490 function _sort_names($a,$b){ 491 $ca = substr_count($a,':'); 492 $cb = substr_count($b,':'); 493 if($ca < $cb){ 494 return -1; 495 }elseif($ca > $cb){ 496 return 1; 497 }else{ 498 return strcmp($a,$b); 499 } 500 } 501 502 /** 503 * Display all currently set permissions in a table 504 * 505 * @author Andreas Gohr <andi@splitbrain.org> 506 */ 507 function _html_table(){ 508 global $lang; 509 global $ID; 510 511 echo '<form action="'.wl().'" method="post" accept-charset="utf-8">'.NL; 512 if($this->ns){ 513 echo '<input type="hidden" name="ns" value="'.hsc($this->ns).'" />'.NL; 514 }else{ 515 echo '<input type="hidden" name="id" value="'.hsc($ID).'" />'.NL; 516 } 517 echo '<input type="hidden" name="acl_w" value="'.hsc($this->who).'" />'.NL; 518 echo '<input type="hidden" name="do" value="admin" />'.NL; 519 echo '<input type="hidden" name="page" value="acl" />'.NL; 520 echo '<table class="inline">'; 521 echo '<tr>'; 522 echo '<th>'.$this->getLang('where').'</th>'; 523 echo '<th>'.$this->getLang('who').'</th>'; 524 echo '<th>'.$this->getLang('perm').'</th>'; 525 echo '<th>'.$lang['btn_delete'].'</th>'; 526 echo '</tr>'; 527 foreach($this->acl as $where => $set){ 528 foreach($set as $who => $perm){ 529 echo '<tr>'; 530 echo '<td>'; 531 if(substr($where,-1) == '*'){ 532 echo '<span class="aclns">'.hsc($where).'</span>'; 533 $ispage = false; 534 }else{ 535 echo '<span class="aclpage">'.hsc($where).'</span>'; 536 $ispage = true; 537 } 538 echo '</td>'; 539 540 echo '<td>'; 541 if($who{0} == '@'){ 542 echo '<span class="aclgroup">'.hsc($who).'</span>'; 543 }else{ 544 echo '<span class="acluser">'.hsc($who).'</span>'; 545 } 546 echo '</td>'; 547 548 echo '<td>'; 549 echo $this->_html_checkboxes($perm,$ispage,'acl['.hsc($where).']['.hsc($who).']'); 550 echo '</td>'; 551 552 echo '<td align="center">'; 553 echo '<input type="checkbox" name="del['.hsc($where).']" value="'.hsc($who).'" class="edit" />'; 554 echo '</td>'; 555 echo '</tr>'; 556 } 557 } 558 559 echo '<tr>'; 560 echo '<th align="right" colspan="4">'; 561 echo '<input type="submit" value="'.$lang['btn_update'].'" name="cmd[update]" class="button" />'; 562 echo '</th>'; 563 echo '</tr>'; 564 echo '</table>'; 565 echo '</form>'.NL; 566 } 567 568 569 /** 570 * Returns the permission which were set for exactly the given user/group 571 * and page/namespace. Returns null if no exact match is available 572 * 573 * @author Andreas Gohr <andi@splitbrain.org> 574 */ 575 function _get_exact_perm(){ 576 global $ID; 577 if($this->ns){ 578 if($this->ns == '*'){ 579 $check = '*'; 580 }else{ 581 $check = $this->ns.':*'; 582 } 583 }else{ 584 $check = $ID; 585 } 586 587 if(isset($this->acl[$check][auth_nameencode($this->who,true)])){ 588 return $this->acl[$check][auth_nameencode($this->who,true)]; 589 }else{ 590 return null; 591 } 592 } 593 594 /** 595 * adds new acl-entry to conf/acl.auth.php 596 * 597 * @author Frank Schubert <frank@schokilade.de> 598 */ 599 function _acl_add($acl_scope, $acl_user, $acl_level){ 600 $acl_config = file_get_contents(DOKU_CONF.'acl.auth.php'); 601 $acl_user = auth_nameencode($acl_user,true); 602 603 // max level for pagenames is edit 604 if(strpos($acl_scope,'*') === false) { 605 if($acl_level > AUTH_EDIT) $acl_level = AUTH_EDIT; 606 } 607 608 609 $new_acl = "$acl_scope\t$acl_user\t$acl_level\n"; 610 611 $new_config = $acl_config.$new_acl; 612 613 return io_saveFile(DOKU_CONF.'acl.auth.php', $new_config); 614 } 615 616 /** 617 * remove acl-entry from conf/acl.auth.php 618 * 619 * @author Frank Schubert <frank@schokilade.de> 620 */ 621 function _acl_del($acl_scope, $acl_user){ 622 $acl_config = file(DOKU_CONF.'acl.auth.php'); 623 $acl_user = auth_nameencode($acl_user,true); 624 625 $acl_pattern = '^'.preg_quote($acl_scope,'/').'\s+'.$acl_user.'\s+[0-8].*$'; 626 627 // save all non!-matching 628 $new_config = preg_grep("/$acl_pattern/", $acl_config, PREG_GREP_INVERT); 629 630 return io_saveFile(DOKU_CONF.'acl.auth.php', join('',$new_config)); 631 } 632 633 /** 634 * print the permission radio boxes 635 * 636 * @author Frank Schubert <frank@schokilade.de> 637 * @author Andreas Gohr <andi@splitbrain.org> 638 */ 639 function _html_checkboxes($setperm,$ispage,$name){ 640 global $lang; 641 642 static $label = 0; //number labels 643 $ret = ''; 644 645 if($ispage && $setperm > AUTH_EDIT) $perm = AUTH_EDIT; 646 647 foreach(array(AUTH_NONE,AUTH_READ,AUTH_EDIT,AUTH_CREATE,AUTH_UPLOAD,AUTH_DELETE) as $perm){ 648 $label += 1; 649 650 //general checkbox attributes 651 $atts = array( 'type' => 'radio', 652 'id' => 'pbox'.$label, 653 'name' => $name, 654 'value' => $perm ); 655 //dynamic attributes 656 if(!is_null($setperm) && $setperm == $perm) $atts['checked'] = 'checked'; 657 if($ispage && $perm > AUTH_EDIT){ 658 $atts['disabled'] = 'disabled'; 659 $class = ' class="disabled"'; 660 }else{ 661 $class = ''; 662 } 663 664 //build code 665 $ret .= '<label for="pbox'.$label.'" title="'.$this->getLang('acl_perm'.$perm).'"'.$class.'>'; 666 $ret .= '<input '.html_attbuild($atts).' /> '; 667 $ret .= $this->getLang('acl_perm'.$perm); 668 $ret .= '</label>'.NL; 669 } 670 return $ret; 671 } 672 673 /** 674 * Print a user/group selector (reusing already used users and groups) 675 * 676 * @author Andreas Gohr <andi@splitbrain.org> 677 */ 678 function _html_select(){ 679 global $conf; 680 $inlist = false; 681 682 $specials = array('@ALL','@'.$conf['defaultgroup']); 683 if($conf['manager'] && $conf['manager'] != '!!not set!!') $specials[] = $conf['manager']; 684 685 686 if($this->who && 687 !in_array($this->who,$this->usersgroups) && 688 !in_array($this->who,$specials)){ 689 690 if($this->who{0} == '@'){ 691 $gsel = ' selected="selected"'; 692 }else{ 693 $usel = ' selected="selected"'; 694 } 695 }else{ 696 $usel = ''; 697 $gsel = ''; 698 $inlist = true; 699 } 700 701 702 echo '<select name="acl_t" class="edit">'.NL; 703 echo ' <option value="__g__" class="aclgroup"'.$gsel.'>'.$this->getLang('acl_group').':</option>'.NL; 704 echo ' <option value="__u__" class="acluser"'.$usel.'>'.$this->getLang('acl_user').':</option>'.NL; 705 echo ' <optgroup label=" ">'.NL; 706 foreach($specials as $ug){ 707 if($ug == $this->who){ 708 $sel = ' selected="selected"'; 709 $inlist = true; 710 }else{ 711 $sel = ''; 712 } 713 714 if($ug{0} == '@'){ 715 echo ' <option value="'.hsc($ug).'" class="aclgroup"'.$sel.'>'.hsc($ug).'</option>'.NL; 716 }else{ 717 echo ' <option value="'.hsc($ug).'" class="acluser"'.$sel.'>'.hsc($ug).'</option>'.NL; 718 } 719 } 720 echo ' </optgroup>'.NL; 721 echo ' <optgroup label=" ">'.NL; 722 foreach($this->usersgroups as $ug){ 723 if($ug == $this->who){ 724 $sel = ' selected="selected"'; 725 $inlist = true; 726 }else{ 727 $sel = ''; 728 } 729 730 if($ug{0} == '@'){ 731 echo ' <option value="'.hsc($ug).'" class="aclgroup"'.$sel.'>'.hsc($ug).'</option>'.NL; 732 }else{ 733 echo ' <option value="'.hsc($ug).'" class="acluser"'.$sel.'>'.hsc($ug).'</option>'.NL; 734 } 735 } 736 echo ' </optgroup>'.NL; 737 echo '</select>'.NL; 738 return $inlist; 739 } 740} 741
