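/**
 * Render the "real" ACL list fragment that is loaded using AJAX.
 *
 * Loads one page of security descriptor (SD) titles matching the type and
 * name filters, groups one row per SD by protected-element type, computes
 * the previous/next page links and renders everything through
 * templates/HACL_ACLListContents.tpl.php.
 *
 * @param mixed $t      Type filter; passed unchanged to getSDPages() and into the paging URL
 * @param mixed $n      Name filter; passed unchanged to getSDPages() and into the paging URL
 * @param int   $offset Index of the first row of the page (negative values are treated as 0)
 * @param int   $limit  Page size
 * @return string HTML produced by the template
 */
static function haclAcllist($t, $n, $offset = 0, $limit = 10)
{
    // The template below is require'd inside this function, so it sees every
    // global and local declared here. The template is not visible from this
    // code, so all variable names are kept exactly as they were.
    global $wgScript, $wgTitle, $haclgHaloScriptPath, $haclgContLang, $wgUser;
    haclCheckScriptPath();

    // Paging values presumably arrive from the AJAX request: force them to
    // integers before they reach the storage layer and the arithmetic below,
    // and never page backwards past the first row.
    $offset = max(0, intval($offset));
    $limit = intval($limit);

    // Load data
    $spec = SpecialPage::getTitleFor('IntraACL');
    // $total is not assigned before this call; presumably getSDPages() fills
    // it by reference with the unpaged row count (confirm against IACLStorage).
    $titles = IACLStorage::get('SD')->getSDPages($t, $n, NULL, $offset, $limit, $total);
    $defs = IACLDefinition::newFromTitles($titles);

    // Build SD data for template
    // NOTE(review): row values are raw title text and message output; HTML
    // escaping is left to the template (confirm it escapes them).
    $lists = array();
    foreach ($titles as $k => $sd) {
        $d = array(
            'name' => $sd->getText(),
            'real' => $sd->getText(),
            'editlink' => $spec->getLocalUrl(array('action' => 'acl', 'sd' => $sd->getText())),
            'viewlink' => $sd->getLocalUrl(),
            'single' => NULL,
        );
        // nameOfPE() yields (type, name) of the protected element behind the SD
        $pe = IACLDefinition::nameOfPE($sd);
        $d['type'] = IACL::$typeToName[$pe[0]];
        $d['real'] = $pe[1];
        // Single SD inclusion
        if (isset($defs[$k]) && !empty($defs[$k]['single_child'])) {
            $s = $defs[$k]['single_child'];
            $name = IACLDefinition::peNameForID($s[0], $s[1]);
            $d['single'] = Title::newFromText(IACLDefinition::nameOfSD($s[0], $name));
            $d['singletype'] = IACL::$typeToName[$s[0]];
            $d['singlename'] = $name;
            $d['singlelink'] = $d['single']->getLocalUrl();
            $d['singletip'] = wfMsg('hacl_acllist_hint_single', $d['real'], $d['single']->getPrefixedText());
        }
        $lists[$d['type']][] = $d;
    }

    // Next and previous page links
    $pageurl = Title::makeTitleSafe(NS_SPECIAL, 'IntraACL')->getLocalUrl(array('types' => $t, 'filter' => $n, 'limit' => $limit));
    $nextpage = $prevpage = false;
    if ($total > $limit + $offset) {
        $nextpage = $pageurl . '&offset=' . intval($offset + $limit);
    }
    if ($offset >= $limit) {
        $prevpage = $pageurl . '&offset=' . intval($offset - $limit);
    }

    // Run template, capturing its output instead of sending it to the client
    ob_start();
    require dirname(__FILE__) . '/../templates/HACL_ACLListContents.tpl.php';
    $html = ob_get_clean();
    return $html;
}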
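/**
 * Build the extra content tab that links an ACL page with the page or
 * category it protects, in either direction.
 *
 * - On a page in the ACL namespace: a link to the protected article or
 *   category, when the ACL protects one of those two element types.
 * - On an existing page outside it: a link to that page's (or category's)
 *   security descriptor, marked 'new' when the descriptor does not exist yet.
 *
 * Anonymous users never get a tab.
 *
 * @return array|null Array with 'class', 'text' and 'href', or NULL when no tab applies
 */
static function getContentAction()
{
    global $wgTitle, $haclgContLang, $haclgDisableACLTab, $wgUser;
    if ($wgUser->isAnon()) {
        return NULL;
    }
    if ($wgTitle->getNamespace() == HACL_NS_ACL) {
        // Display the link to article or category
        list($peType, $peName) = IACLDefinition::nameOfPE($wgTitle->getText());
        if ($peType == IACL::PE_PAGE || $peType == IACL::PE_CATEGORY) {
            $title = $peType == IACL::PE_PAGE
                ? Title::newFromText($peName)
                : Title::makeTitleSafe(NS_CATEGORY, $peName);
            if (!$title) {
                // Both Title factories return NULL for a name that is not a
                // valid title; show no tab instead of calling a method on NULL.
                return NULL;
            }
            return array(
                'class' => false,
                'text' => wfMsg("hacl_tab_" . IACL::$typeToName[$peType]),
                'href' => $title->getLocalUrl(),
            );
        }
    } elseif ($wgTitle->exists()) {
        // Display the link to category or page SD
        if ($wgTitle->getNamespace() == NS_CATEGORY) {
            $sd = IACLDefinition::nameOfSD(IACL::PE_CATEGORY, $wgTitle);
        } else {
            $sd = IACLDefinition::nameOfSD(IACL::PE_PAGE, $wgTitle);
        }
        // The title patch is switched off only while the SD title is built
        $etc = haclfDisableTitlePatch();
        $sd = Title::newFromText($sd, HACL_NS_ACL);
        haclfRestoreTitlePatch($etc);
        // Hide ACL tab if SD does not exist and $haclgDisableACLTab is true,
        // unless the user enabled the 'showacltab' option. The parentheses
        // only spell out the precedence the expression already had.
        if (!$sd || (!empty($haclgDisableACLTab) && !$sd->exists() && !$wgUser->getOption('showacltab'))) {
            return NULL;
        }
        return array(
            'class' => $sd->exists() ? false : 'new',
            'text' => wfMsg('hacl_tab_acl'),
            'href' => $sd->getLocalUrl(),
        );
    }
    return NULL;
}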
/**
 * Decide whether a user may create/modify an article in the ACL namespace.
 *
 * Should not be used outside of IACLEvaluator, because it performs no
 * additional access checks of its own.
 *
 * @param Title $t        Title of the ACL page
 * @param User  $user     User requesting the action
 * @param int   $actionID Action ID
 * @return int 1 when the action is allowed, 0 when it is denied, -1 when the
 *             title does not resolve to a protected element (the caller
 *             presumably treats this as "no opinion"; confirm in IACLEvaluator)
 */
protected static function checkACLManager(Title $t, User $user, $actionID)
{
    global $haclgSuperGroups;

    $userID = $user->getId();
    if (!$userID) {
        // Anonymous users get no access to ACL pages
        return 0;
    }

    if ($actionID == IACL::ACTION_READ) {
        // Every registered user may read ACL pages
        // FIXME if not OpenWikiAccess, then return false for users who can't read the article
        return 1;
    }

    $peId = IACLDefinition::nameOfPE($t);
    if (!$peId) {
        // Invalid titles are not this method's concern
        return -1;
    }

    // Resolve the protected element's name into its numeric ID
    $peType = $peId[0];
    $peNumericId = IACLDefinition::peIDforName($peType, $peId[1]);

    if (IACLDefinition::userCan($userID, $peType, $peNumericId, IACL::ACTION_MANAGE)) {
        // MANAGE was granted explicitly
        return 1;
    }

    // Known weakness: the inherited "protect page" right is a hole.
    //  1) user A has read+edit access to article X
    //  2) A adds a [[Category:HisOwnCategory]] marker to article X
    //  3) ACL:Category/HisOwnCategory grants PROTECT_PAGES to A
    //  4) A thereby gets the right to change ACL:Page/X
    //  5) A removes all other users from ACL:Page/X, so no one else can see the article
    //  6) the per-namespace "protect page" right is a hole in the same way
    //  7) so is the "move page" right combined with namespace rights
    //  8) and a user who can edit the article can always remove all categories from it
    // In short: "move page" is a hole, and category rights are a hole because
    // any editor can change them.

    // Check for ACTION_PROTECT_PAGES inherited from namespaces and categories
    $inheritedProtect = $peType == IACL::PE_PAGE
        && self::checkProtectPageRight($peNumericId, $userID);

    return $inheritedProtect ? 1 : 0;
}