/** * Returns the maximum rights a user has for * the given ID or its namespace * * @author Andreas Gohr <*****@*****.**> * * @param string $id page ID * @param string $user Username * @param array $groups Array of groups the user is in * @return int permission level */ function auth_aclcheck($id, $user, $groups, $_auth = 1) { global $AUTH_ACL; $AUTH_ACL = auth_loadACL($AUTH_ACL); if ($_auth == 255) { return 255; } elseif (isset($_SESSION['dwfck_acl']) && $_SESSION['dwfck_acl'] == 255) { return 255; } //make sure groups is an array if (!is_array($groups)) { $groups = array(); } //if user is superuser or in superusergroup return 255 (acl_admin) // if(auth_isadmin($user,$groups)) { return AUTH_ADMIN; } $ci = ''; if (!auth_isCaseSensitive()) { $ci = 'ui'; } $user = auth_nameencode($user); //prepend groups with @ and nameencode $cnt = count($groups); for ($i = 0; $i < $cnt; $i++) { $groups[$i] = '@' . auth_nameencode($groups[$i]); } $ns = getNS($id); $perm = -1; if ($user || count($groups)) { //add ALL group $groups[] = '@ALL'; //add User if ($user) { $groups[] = $user; } //build regexp $regexp = join('|', $groups); } else { $regexp = '@ALL'; } //check exact match first $matches = preg_grep('/^' . preg_quote($id, '/') . '\\s+(' . $regexp . ')\\s+/' . $ci, $AUTH_ACL); if (count($matches)) { foreach ($matches as $match) { $match = preg_replace('/#.*$/', '', $match); //ignore comments $acl = preg_split('/\\s+/', $match); if ($acl[2] > AUTH_DELETE) { $acl[2] = AUTH_DELETE; } //no admins in the ACL! if ($acl[2] > $perm) { $perm = $acl[2]; } } if ($perm > -1) { //we had a match - return it return $perm; } } //still here? do the namespace checks if ($ns) { $path = $ns . ':\\*'; } else { $path = '\\*'; //root document } do { $matches = preg_grep('/^' . $path . '\\s+(' . $regexp . ')\\s+/' . $ci, $AUTH_ACL); if (count($matches)) { foreach ($matches as $match) { $match = preg_replace('/#.*$/', '', $match); //ignore comments $acl = preg_split('/\\s+/', $match); if ($acl[2] > AUTH_DELETE) { $acl[2] = AUTH_DELETE; } //no admins in the ACL! if ($acl[2] > $perm) { $perm = $acl[2]; // checkacl_write_debug("$match;;$perm"); } } //we had a match - return it return $perm; } //get next higher namespace $ns = getNS($ns); if ($path != '\\*') { $path = $ns . ':\\*'; if ($path == ':\\*') { $path = '\\*'; } } else { //we did this already //looks like there is something wrong with the ACL //break here // msg('No ACL setup yet! Denying access to everyone.'); return AUTH_NONE; } } while (1); //this should never loop endless //still here? return no permissions return AUTH_NONE; }
/** * Returns the maximum rights a user has for * the given ID or its namespace * * @author Andreas Gohr <*****@*****.**> * * @param string $id page ID * @param string $user Username * @param array $groups Array of groups the user is in * @return int permission level */ function auth_aclcheck($id, $user, $groups, $_auth = 1) { //checkacl_write_debug("$id,$user"); global $AUTH_ACL; $AUTH_ACL = auth_loadACL($AUTH_ACL); if ($_auth == 255) { return 255; } elseif (isset($_SESSION['dwfck_acl']) && $_SESSION['dwfck_acl'] == 255) { return 255; } //make sure groups is an array if (!is_array($groups)) { $groups = array(); } if (!auth_isCaseSensitive()) { $user = utf8_strtolower($user); $groups = array_map('utf8_strtolower', $groups); } $user = auth_cleanUser($user); $groups = array_map('auth_cleanGroup', (array) $groups); $user = auth_nameencode($user); //prepend groups with @ and nameencode $cnt = count($groups); for ($i = 0; $i < $cnt; $i++) { $groups[$i] = '@' . auth_nameencode($groups[$i]); } $ns = getNS($id); $perm = -1; if ($user || count($groups)) { //add ALL group $groups[] = '@ALL'; //add User if ($user) { $groups[] = $user; } } else { $groups[] = '@ALL'; } //check exact match first $matches = preg_grep('/^' . preg_quote($id, '/') . '[ \\t]+([^ \\t]+)[ \\t]+/', $AUTH_ACL); if (count($matches)) { foreach ($matches as $match) { $match = preg_replace('/#.*$/', '', $match); //ignore comments $acl = preg_split('/[ \\t]+/', $match); if (!auth_isCaseSensitive() && $acl[1] !== '@ALL') { $acl[1] = utf8_strtolower($acl[1]); } if (!in_array($acl[1], $groups)) { continue; } if ($acl[2] > AUTH_DELETE) { $acl[2] = AUTH_DELETE; } //no admins in the ACL! if ($acl[2] > $perm) { $perm = $acl[2]; } } if ($perm > -1) { //we had a match - return it return (int) $perm; } } //still here? do the namespace checks if ($ns) { $path = $ns . ':*'; } else { $path = '*'; //root document } do { $matches = preg_grep('/^' . preg_quote($path, '/') . '[ \\t]+([^ \\t]+)[ \\t]+/', $AUTH_ACL); if (count($matches)) { foreach ($matches as $match) { $match = preg_replace('/#.*$/', '', $match); //ignore comments $acl = preg_split('/[ \\t]+/', $match); if (!auth_isCaseSensitive() && $acl[1] !== '@ALL') { $acl[1] = utf8_strtolower($acl[1]); } if (!in_array($acl[1], $groups)) { continue; } if ($acl[2] > AUTH_DELETE) { $acl[2] = AUTH_DELETE; } //no admins in the ACL! if ($acl[2] > $perm) { $perm = $acl[2]; } } //we had a match - return it if ($perm != -1) { return (int) $perm; } } //get next higher namespace $ns = getNS($ns); if ($path != '*') { $path = $ns . ':*'; if ($path == ':*') { $path = '*'; } } else { //we did this already //looks like there is something wrong with the ACL //break here return AUTH_NONE; } } while (1); //this should never loop endless return AUTH_NONE; }