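/**
 * Render the page-permission view when the permission action is requested.
 *
 * Writes the page owner and the owner's user groups as wikitext, then links to
 * the existing "ACL Page Permission" page (if any) and to the FormEdit special
 * page for editing or creating it.
 *
 * @param OutputPage $output
 * @param Article $article
 * @param Title $title
 * @param User $user
 * @param WebRequest $request
 * @param MediaWiki $wiki
 * @return bool true when the request is not for self::$ACTION (let MediaWiki carry on),
 *              false once the view has been written to $output
 */
static function displayACLForm($output, $article, $title, $user, $request, $wiki) {
    if ($request->getVal('action') != self::$ACTION) {
        return true;
    }

    // NOTE(review): assumes pageOwner() returns a User for every existing page — confirm;
    // a null return would fatal on getName() below.
    $owner = MWUtil::pageOwner($title, true);
    $text = "Page owner is '''" . $owner->getName() . "'''.";

    ACL::loadUserGroups();
    $ownergroups = ACL::getUserGroups($owner);
    if ($ownergroups) {
        $ogroups = " Owner belongs to these user groups:";
        foreach ($ownergroups as $g) {
            $ogroups .= $g['name'] . ",";
        }
    } else {
        $ogroups = " Owner does not belong to any user group";
    }
    $text .= $ogroups . "\n\n";

    $permissionpage = ACL_ACL . ":" . $article->getID();
    // newFromText() returns null for an unparsable title; treat that like "no permission page".
    $permissiontitle = Title::newFromText($permissionpage);

    // getNSText() is "" for the main namespace; the form expects an explicit name.
    $ns = $title->getNSText();
    if (!$ns) {
        $ns = "Main";
    }

    // Build the FormEdit query with proper percent-encoding: the page name and
    // namespace come from the title and may contain characters ('&', '#', quotes)
    // that would otherwise break the query string or the href attribute below.
    $query = http_build_query(array(
        'form' => self::$FORM,
        'target' => $permissionpage,
        'ACL Page Permission' => array(
            'PageId' => $article->getID(),
            'PageName' => $title->getDBkey(),
            'Namespace' => $ns,
        ),
    ));
    $sp = SpecialPage::getPage("FormEdit");
    // The special page comes from an optional extension; without it there is no form to link to.
    $href = null;
    if ($sp !== null) {
        $sp_url = $sp->getTitle()->getLocalURL($query);
        // Escape for the single-quoted attribute context of the anchor below.
        $href = htmlspecialchars($sp_url, ENT_QUOTES, 'UTF-8');
    }

    if ($permissiontitle !== null && $permissiontitle->exists()) {
        $text .= "[[{$permissionpage}|View Page Permission]]\n\n----\n";
        $output->addWikiText($text);
        if ($href !== null) {
            $output->addHTML("<a href='{$href}'>Edit permission for this page</a>");
        }
    } else {
        $text .= "No page specific Permission is set.";
        $output->addWikiText($text);
        if ($href !== null) {
            $output->addHTML("<a href='{$href}'>Set permission for this page</a>");
        }
    }
    return false;
}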
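/**
 * Go through all the levels of ACL to check whether a user has $permission on a
 * particular content page.
 *
 * Evaluation order (first applicable rule wins):
 *   1.1   page owner property on the page grants everything
 *   1.1.1 user/group rules embedded in the page content (the "all users" rule is deferred)
 *   1.2   user/group rules from the page-specific permission page
 *         then the deferred "all users" rule from 1.1.1
 *   1.3   delegate to the logical parent page, if the page declares one
 *   2     rules of the groups the owner belongs to (or the page's own group property),
 *         then the predefined group ACL when the user shares a group with the owner
 *   3     the predefined default ACL, unless it was already consulted in step 2
 *
 * @param User $user
 * @param Title $title
 * @param String $permission required permission.
 * @param Boolean $fromchild whether this method is invoked from a logic child page.
 *        The child page delegates the parent page to check the permission for itself.
 *        Kept for callers; the current implementation does not branch on it.
 * @param array $visited prefixed DB keys already on the parent chain; used internally to
 *        stop on a cyclic parent property (a page whose parent chain leads back to itself).
 * @return mixed
 *   true if the user can access.
 *   false if the user can not access.
 *   -1 if no rule applies (callers fall back to MediaWiki's own decision).
 */
public static function checkUserPermissionForContentPage($user, $title, $permission, $fromchild = false, $visited = array()) {
    if (!$title->exists()) {
        // Let the wiki decide who can create pages.
        return -1;
    }
    self::loadUserGroups();
    $username = $user->getName();

    /*
     * Step 1.1
     * If the page has a logic page owner, this page owner has all permission with this page.
     */
    $pageprops = SMWUtil::loadSemanticProperties($title->getDBkey(), $title->getNamespace(), false);
    if (!is_array($pageprops)) {
        $pageprops = array();
    }
    if (self::isContentPageOwner($pageprops, $username)) {
        return true;
    }

    /*
     * Step 1.1.1
     * Check the ACL rules embedded in the page content. A rule for the "all users"
     * group is deferred so that the page-specific permission page can override it.
     */
    $allgrouppermission = null;
    $pps = self::loadPageSpecificPermissions($title, true);
    if ($pps != null) {
        $ret = self::evaluateUserRules(self::rulesOf($pps, self::$PAGE_USER), $username, $permission);
        if (is_bool($ret)) {
            return $ret;
        }
        $grouprules = self::rulesOf($pps, self::$PAGE_GROUP);
        $ret = self::evaluateGroupRules($grouprules, $username, $permission, true);
        if (is_bool($ret)) {
            return $ret;
        }
        $allgrouppermission = self::lastAllUserRule($grouprules);
    }

    /*
     * Step 1.2
     * Page-specific permission. Each page can have user-specific or group-specific ACL.
     * If the current user is one of the users, or belongs to one of the groups, the
     * corresponding permission is checked. Here the "all users" rule applies in place.
     */
    $pps = self::loadPageSpecificPermissions($title);
    if ($pps != null) {
        $ret = self::evaluateUserRules(self::rulesOf($pps, self::$PAGE_USER), $username, $permission);
        if (is_bool($ret)) {
            return $ret;
        }
        $ret = self::evaluateGroupRules(self::rulesOf($pps, self::$PAGE_GROUP), $username, $permission, false);
        if (is_bool($ret)) {
            return $ret;
        }
    }

    // Now the deferred "all users" rule from the page content.
    if ($allgrouppermission != null) {
        $ret = self::decisionIfPermissionListed($allgrouppermission, $permission);
        if (is_bool($ret)) {
            return $ret;
        }
    }

    /*
     * Step 1.3
     * If the page has a logic ACL parent page, delegate the permission check to that page.
     * An unparsable parent, or a parent chain that loops back to a page already visited,
     * is treated as "no parent" so that a page edit cannot send this check into
     * unbounded recursion.
     */
    $pageparent = isset($pageprops[self::$CONTENT_PAGE_PARENT]) ? $pageprops[self::$CONTENT_PAGE_PARENT] : null;
    if ($pageparent) {
        // NOTE(review): a multi-valued parent property would arrive as an array here and
        // newFromURL() would not parse it — confirm the property is single-valued.
        $visited[] = $title->getPrefixedDBkey();
        $parenttitle = Title::newFromURL($pageparent);
        if ($parenttitle !== null && !in_array($parenttitle->getPrefixedDBkey(), $visited, true)) {
            return self::checkUserPermissionForContentPage($user, $parenttitle, $permission, true, $visited);
        }
    }

    /*
     * Step 2. group permission.
     * Each page has an owner. For example, the owner belongs to both sale and R&D groups.
     * If the current user belongs to one of the groups, the group ACL is checked. We grant
     * access if the user has permission.
     *
     * Afterwards, for a user sharing a group with the owner, the predefined group ACL is
     * checked. Otherwise we go to the next step.
     */
    $owner = MWUtil::pageOwner($title, true);
    if (array_key_exists(self::$CONTENT_PAGE_Group, $pageprops)) {
        // The page names its own group(s); the property holds group names, which are
        // resolved against the loaded group definitions in the loop below.
        $ogrps = $pageprops[self::$CONTENT_PAGE_Group];
        $ownerGroups = is_array($ogrps) ? $ogrps : array($ogrps);
    } else {
        // Otherwise use the groups of the page owner.
        $ownerGroups = self::getUserGroups($owner);
    }

    $inownergroup = false;
    $checkDefaultACL = false;
    foreach ($ownerGroups as $ownerGroup) {
        $ownerGroup = self::resolveGroupDefinition($ownerGroup);
        if ($ownerGroup === null) {
            continue;
        }
        if (!in_array($username, self::groupMembers($ownerGroup), true)) {
            continue;
        }
        $inownergroup = true;
        if (isset($ownerGroup['name']) && $ownerGroup['name'] === self::$DefaultACL) {
            $checkDefaultACL = true;
        }
        $ret = self::checkGroupRule($permission, $ownerGroup);
        if (is_bool($ret)) {
            return $ret;
        }
    }

    // Predefined group ACL, only for users sharing a group with the owner.
    if ($inownergroup) {
        $ret = self::checkGroupRule($permission, self::getPredefinedGroupACLGroup());
        if (is_bool($ret)) {
            return $ret;
        }
    }

    /*
     * Step 3 Global rule. Check the 'Users' access control rule, unless the default
     * ACL group was already one of the owner groups evaluated above.
     */
    if (!$checkDefaultACL) {
        $ret = self::checkGroupRule($permission, self::getPredefinedDefaultACLGroup());
        if (is_bool($ret)) {
            return $ret;
        }
    }

    /*
     * Step 4. No rule is defined for this user; report "does not apply" and let the
     * caller fall back to the wiki's own decision.
     */
    return -1;
}

/**
 * Whether $username is named by the page-owner property in $pageprops.
 *
 * @param array $pageprops semantic properties of the page
 * @param String $username canonical user name
 * @return Boolean
 */
private static function isContentPageOwner($pageprops, $username) {
    if (!array_key_exists(self::$CONTENT_PAGE_OWNER, $pageprops)) {
        return false;
    }
    $pageowner = $pageprops[self::$CONTENT_PAGE_OWNER];
    if (is_array($pageowner)) {
        // NOTE(review): the multi-valued branch normalises with _myupper() while the
        // single-valued branch uses ucfirst() — confirm both are meant to match.
        return in_array($username, array_map("_myupper", $pageowner), true);
    }
    return ucfirst($pageowner) === $username;
}

/**
 * Return the rule list stored under $key in a permission set, or an empty array
 * when the set has no such list.
 *
 * @param array $pps permission set as returned by loadPageSpecificPermissions()
 * @param String $key self::$PAGE_USER or self::$PAGE_GROUP
 * @return array
 */
private static function rulesOf($pps, $key) {
    if (isset($pps[$key]) && is_array($pps[$key])) {
        return $pps[$key];
    }
    return array();
}

/**
 * Map one rule to a decision for $permission.
 *
 * @param array $rule a user or group rule carrying self::$PERMISSIONS and self::$GRANT
 * @param String $permission
 * @return mixed true/false when the rule lists $permission, null when it does not apply.
 *         A rule that lists the permission but carries no grant value denies.
 */
private static function decisionIfPermissionListed($rule, $permission) {
    $perms = array();
    if (isset($rule[self::$PERMISSIONS]) && is_array($rule[self::$PERMISSIONS])) {
        $perms = $rule[self::$PERMISSIONS];
    }
    // strict: loose in_array() treats numeric-looking strings ("10", "1e1") as equal.
    if (!in_array($permission, $perms, true)) {
        return null;
    }
    if (!isset($rule[self::$GRANT])) {
        return false;
    }
    // Grant values may be read back from page content as strings; keep the loose comparison.
    return $rule[self::$GRANT] == self::$GRANT_ACCESS_ALLOW;
}

/**
 * Evaluate user rules in order; the first rule naming $username and listing $permission decides.
 *
 * @param array $rules list of user rules
 * @param String $username
 * @param String $permission
 * @return mixed true/false on a decision, null when no rule applies
 */
private static function evaluateUserRules($rules, $username, $permission) {
    foreach ($rules as $ups) {
        if (!isset($ups[self::$PAGE_USER_USER]) || $ups[self::$PAGE_USER_USER] !== $username) {
            continue;
        }
        $ret = self::decisionIfPermissionListed($ups, $permission);
        if (is_bool($ret)) {
            return $ret;
        }
    }
    return null;
}

/**
 * Evaluate group rules in order; the first rule whose group contains $username and
 * which lists $permission decides. Rules for a group that no longer exists are skipped.
 *
 * @param array $rules list of group rules
 * @param String $username
 * @param String $permission
 * @param Boolean $deferAllUser when true, rules for self::$AllUser are skipped here
 *        (the caller applies the last of them later via lastAllUserRule())
 * @return mixed true/false on a decision, null when no rule applies
 */
private static function evaluateGroupRules($rules, $username, $permission, $deferAllUser) {
    foreach ($rules as $gps) {
        $groupname = isset($gps[self::$PAGE_GROUP_GROUP]) ? $gps[self::$PAGE_GROUP_GROUP] : null;
        if ($groupname === self::$AllUser) {
            if ($deferAllUser) {
                continue;
            }
            $ret = self::decisionIfPermissionListed($gps, $permission);
            if (is_bool($ret)) {
                return $ret;
            }
            continue;
        }
        $groupDefinition = self::resolveGroupDefinition($groupname);
        if ($groupDefinition === null) {
            // Group was deleted after the rule was written.
            continue;
        }
        if (!in_array($username, self::groupMembers($groupDefinition), true)) {
            continue;
        }
        $ret = self::decisionIfPermissionListed($gps, $permission);
        if (is_bool($ret)) {
            return $ret;
        }
    }
    return null;
}

/**
 * The last rule in $rules that targets self::$AllUser, or null.
 *
 * @param array $rules list of group rules
 * @return mixed
 */
private static function lastAllUserRule($rules) {
    $found = null;
    foreach ($rules as $gps) {
        if (isset($gps[self::$PAGE_GROUP_GROUP]) && $gps[self::$PAGE_GROUP_GROUP] === self::$AllUser) {
            $found = $gps;
        }
    }
    return $found;
}

/**
 * Resolve a group reference to its definition: an array is returned as-is, a group
 * name is looked up in self::$allGroups. Null for unknown or empty groups.
 *
 * @param mixed $group group definition array or group name
 * @return mixed array or null
 */
private static function resolveGroupDefinition($group) {
    if (is_array($group)) {
        return $group;
    }
    if (is_string($group) && isset(self::$allGroups[$group]) && self::$allGroups[$group]) {
        return self::$allGroups[$group];
    }
    return null;
}

/**
 * The member list of a group definition, or an empty array when it has none.
 *
 * @param array $groupDefinition
 * @return array
 */
private static function groupMembers($groupDefinition) {
    if (isset($groupDefinition[self::$USERGROUP_USERS]) && is_array($groupDefinition[self::$USERGROUP_USERS])) {
        return $groupDefinition[self::$USERGROUP_USERS];
    }
    return array();
}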