/**
* "Real" ACL list, loaded using AJAX
*/
static function haclAcllist($t, $n, $offset = 0, $limit = 10)
{
global $wgScript, $wgTitle, $haclgHaloScriptPath, $haclgContLang, $wgUser;
haclCheckScriptPath();
// Load data
$spec = SpecialPage::getTitleFor('IntraACL');
$titles = IACLStorage::get('SD')->getSDPages($t, $n, NULL, $offset, $limit, $total);
$defs = IACLDefinition::newFromTitles($titles);
// Build SD data for template
$lists = array();
foreach ($titles as $k => $sd) {
$d = array('name' => $sd->getText(), 'real' => $sd->getText(), 'editlink' => $spec->getLocalUrl(array('action' => 'acl', 'sd' => $sd->getText())), 'viewlink' => $sd->getLocalUrl(), 'single' => NULL);
$pe = IACLDefinition::nameOfPE($sd);
$d['type'] = IACL::$typeToName[$pe[0]];
$d['real'] = $pe[1];
// Single SD inclusion
if (isset($defs[$k]) && !empty($defs[$k]['single_child'])) {
$s = $defs[$k]['single_child'];
$name = IACLDefinition::peNameForID($s[0], $s[1]);
$d['single'] = Title::newFromText(IACLDefinition::nameOfSD($s[0], $name));
$d['singletype'] = IACL::$typeToName[$s[0]];
$d['singlename'] = $name;
$d['singlelink'] = $d['single']->getLocalUrl();
$d['singletip'] = wfMsg('hacl_acllist_hint_single', $d['real'], $d['single']->getPrefixedText());
}
$lists[$d['type']][] = $d;
}
// Next and previous page links
$pageurl = Title::makeTitleSafe(NS_SPECIAL, 'IntraACL')->getLocalUrl(array('types' => $t, 'filter' => $n, 'limit' => $limit));
$nextpage = $prevpage = false;
if ($total > $limit + $offset) {
$nextpage = $pageurl . '&offset=' . intval($offset + $limit);
}
if ($offset >= $limit) {
$prevpage = $pageurl . '&offset=' . intval($offset - $limit);
}
// Run template
ob_start();
require dirname(__FILE__) . '/../templates/HACL_ACLListContents.tpl.php';
$html = ob_get_contents();
ob_end_clean();
return $html;
}
static function getContentAction()
{
global $wgTitle, $haclgContLang, $haclgDisableACLTab, $wgUser;
if ($wgUser->isAnon()) {
return NULL;
}
if ($wgTitle->getNamespace() == HACL_NS_ACL) {
// Display the link to article or category
list($peType, $peName) = IACLDefinition::nameOfPE($wgTitle->getText());
if ($peType == IACL::PE_PAGE || $peType == IACL::PE_CATEGORY) {
$title = $peType == IACL::PE_PAGE ? Title::newFromText($peName) : Title::makeTitleSafe(NS_CATEGORY, $peName);
return array('class' => false, 'text' => wfMsg("hacl_tab_" . IACL::$typeToName[$peType]), 'href' => $title->getLocalUrl());
}
} elseif ($wgTitle->exists()) {
// Display the link to category or page SD
if ($wgTitle->getNamespace() == NS_CATEGORY) {
$sd = IACLDefinition::nameOfSD(IACL::PE_CATEGORY, $wgTitle);
} else {
$sd = IACLDefinition::nameOfSD(IACL::PE_PAGE, $wgTitle);
}
$etc = haclfDisableTitlePatch();
$sd = Title::newFromText($sd, HACL_NS_ACL);
haclfRestoreTitlePatch($etc);
// Hide ACL tab if SD does not exist and $haclgDisableACLTab is true
if (!$sd || !empty($haclgDisableACLTab) && !$sd->exists() && !$wgUser->getOption('showacltab')) {
return NULL;
}
return array('class' => $sd->exists() ? false : 'new', 'text' => wfMsg('hacl_tab_acl'), 'href' => $sd->getLocalUrl());
}
return NULL;
}
/**
* This method checks if a user wants to create/modify an article in the ACL namespace.
* Should not be used outside of IACLEvaluator because doesn't do any additional access checks.
*
* @param Title $t
* @param User $user
* @param int $actionID Action ID
* @return bool Whether the user has the right to perform the action
*/
protected static function checkACLManager(Title $t, User $user, $actionID)
{
global $haclgSuperGroups;
$userID = $user->getId();
if (!$userID) {
// No access for anonymous users to ACL pages
return 0;
}
if ($actionID == IACL::ACTION_READ) {
// Read access for all registered users
// FIXME if not OpenWikiAccess, then return false for users who can't read the article
return 1;
}
$peId = IACLDefinition::nameOfPE($t);
if (!$peId) {
// Don't care about invalid titles
return -1;
}
$peId[1] = IACLDefinition::peIDforName($peId[0], $peId[1]);
if (IACLDefinition::userCan($userID, $peId[0], $peId[1], IACL::ACTION_MANAGE)) {
// Explicitly granted
return 1;
}
// "protect page" right is a hole
// 1) user A has read+edit access to article X
// 2) he adds [[Category:HisOwnCategory]] marker to article X
// 3) ACL:Category/HisOwnCategory grants PROTECT_PAGES to him
// 4) he gets the right to change ACL:Page/X
// 5) he removes all other users from ACL:Page/X => no one more can see the article :-(
// 6) okay, but per-namespace "protect page" right is also a hole
// 7) and "move page" right with namespace rights is also a hole
// 8) and user who can edit the article always can remove all categories from it
// 9) soooooooooo...
// "move page" right is a hole
// category rights are a hole - any editor can change them
// Check for ACTION_PROTECT_PAGES inherited from namespaces and categories
if ($peId[0] == IACL::PE_PAGE && self::checkProtectPageRight($peId[1], $userID)) {
return 1;
}
return 0;
}
