/**
  * Handles the request when the permission action is clicked.
  * @param OutputPage $output
  * @param Article $article
  * @param Title $title
  * @param User $user
  * @param WebRequest $request
  * @param MediaWiki $wiki
  */
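 static function displayACLForm($output, $article, $title, $user, $request, $wiki)
 {
     // Renders the page-permission summary (owner and owner groups) plus a link to
     // the FormEdit special page when the request's action equals self::$ACTION.
     // Returns true without writing anything for any other action, and false
     // once the summary and link have been added to $output.
     if ($request->getVal('action') != self::$ACTION) {
         return true;
     }
     $text = "";
     $owner = MWUtil::pageOwner($title, true);
     $text .= "Page owner is '''" . $owner->getName() . "'''.";
     ACL::loadUserGroups();
     $ownergroups = ACL::getUserGroups($owner);
     $ogroups = " Owner belongs to these user groups:";
     if ($ownergroups) {
         foreach ($ownergroups as $g) {
             $ogroups .= $g['name'] . ",";
         }
     } else {
         $ogroups = " Owner does not belong to any user group";
     }
     $text .= $ogroups . "\n\n";
     $pageid = $article->getID();
     $permissionpage = ACL_ACL . ":" . $pageid;
     $permissiontitle = Title::newFromText($permissionpage);
     $ns = $title->getNSText();
     if (!$ns) {
         $ns = "Main";
     }
     $sp = SpecialPage::getPage("FormEdit");
     // NOTE(review): appending "?" assumes getLocalURL() returns a URL that has no
     // query string yet - confirm for wikis that do not use path-style URLs.
     $sp_url = $sp->getTitle()->getLocalURL();
     // The page name and namespace are page-controlled text. Percent-encode every
     // query value so "&", "#" or "=" inside a title cannot add or truncate
     // parameters. The parameter names are kept exactly as the form expects them.
     $sp_url .= "?form=" . urlencode(self::$FORM)
         . "&target=" . urlencode($permissionpage)
         . "&ACL Page Permission[PageId]=" . urlencode($pageid)
         . "&ACL Page Permission[PageName]=" . urlencode($title->getDBkey())
         . "&ACL Page Permission[Namespace]=" . urlencode($ns);
     // addHTML() emits its argument as-is, and the href below is single-quoted:
     // escape the URL for the attribute context, quotes included.
     $href = htmlspecialchars($sp_url, ENT_QUOTES);
     if ($permissiontitle->exists()) {
         $text .= "[[{$permissionpage}|View Page Permission]]\n\n----\n";
         $output->addWikiText($text);
         $output->addHTML("<a href='{$href}'>Edit permission for this page</a>");
     } else {
         $text .= "No page specific Permission is set.";
         $output->addWikiText($text);
         $output->addHTML("<a href='{$href}'>Set permission for this page</a>");
     }
     return false;
 }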
 /**
  *
  * Go through all the levels of ACL to check whether a user has the $permission on the
  * particular article.
  * @param User $user
  * @param Title $title
  * @param String $permission required permission.
  * @param Boolean $fromchild whether this method is invoked from a logical child page.
  * The child page delegates to the parent page to check the permission for itself.
  * @return
  * 	true if the user can access.
  * 	false if the user cannot access.
  *  -1 if this rule does not apply
  */
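 public static function checkUserPermissionForContentPage($user, $title, $permission, $fromchild = false)
 {
     // Evaluation is first-match-wins, in this order: logical page owner, rules
     // embedded in the page content, rules of the page-specific ACL, the delayed
     // "all users" rule from the page content, the logical parent page, the
     // owner-group rules, then the predefined default rule. Moving a step changes
     // who is granted or denied, so the order below must be kept.
     // $fromchild is accepted from callers but is not read in this method.
     //
     // Titles whose parent delegation is currently being evaluated, keyed by
     // "<namespace>:<dbkey>". Only used to stop a parent cycle from recursing forever.
     static $delegating = array();

     if (!$title->exists()) {
         //let wiki to decide who can create page.
         return -1;
     }
     $titlekey = $title->getNamespace() . ":" . $title->getDBkey();
     if (isset($delegating[$titlekey])) {
         // The parent chain leads back to a page that is already being checked.
         // Unbounded recursion would abort the request; deny instead (fail closed).
         return false;
     }
     self::loadUserGroups();
     $username = $user->getName();
     /*
      * Step 1.1
      * If the page has a logic page owner, this page owner has all permission with this page.
      */
     $pageprops = SMWUtil::loadSemanticProperties($title->getDBkey(), $title->getNamespace(), false);
     if (array_key_exists(self::$CONTENT_PAGE_OWNER, $pageprops)) {
         $pageowner = $pageprops[self::$CONTENT_PAGE_OWNER];
         if (is_array($pageowner)) {
             $pageowner = array_map("_myupper", $pageowner);
             // Strict membership test: loose comparison treats numeric-looking names
             // such as "1000" and "1e3" as the same user. Assumes stored names are
             // strings, as the === comparisons in this method already do.
             if (in_array($username, $pageowner, true)) {
                 return true;
             }
         } else {
             $pageowner = ucfirst($pageowner);
             if ($pageowner === $username) {
                 return true;
             }
         }
     }
     /*
      * Step 1.1.1
      * check the ACL rule embedded  in page content.
      */
     $allgrouppermission = null;
     $pps = self::loadPageSpecificPermissions($title, true);
     //1.1.1.1: check ACL rule for user in page content.
     if ($pps != null) {
         foreach ($pps[self::$PAGE_USER] as $ups) {
             //An ACL for this user.
             if ($ups[self::$PAGE_USER_USER] === $username) {
                 if (in_array($permission, $ups[self::$PERMISSIONS])) {
                     // anything other than an explicit allow is a deny
                     if ($ups[self::$GRANT] == self::$GRANT_ACCESS_ALLOW) {
                         return true;
                     } else {
                         return false;
                     }
                 }
             }
         }
         //1.1.1.2: check ACL rule for group in page content.
         foreach ($pps[self::$PAGE_GROUP] as $gps) {
             $groupname = $gps[self::$PAGE_GROUP_GROUP];
             if ($groupname === self::$AllUser) {
                 //delay all groups permission setting so that permission in ACL page can be effective.
                 $allgrouppermission = $gps;
                 continue;
             }
             // isset() avoids an undefined-index notice when the group no longer exists
             $groupDefinition = isset(self::$allGroups[$groupname]) ? self::$allGroups[$groupname] : null;
             if (!$groupDefinition) {
                 //group is deleted.
                 continue;
             }
             //if the user in the group (strict, see Step 1.1).
             if (in_array($username, $groupDefinition[self::$USERGROUP_USERS], true)) {
                 if (in_array($permission, $gps[self::$PERMISSIONS])) {
                     if ($gps[self::$GRANT] == self::$GRANT_ACCESS_ALLOW) {
                         return true;
                     } else {
                         return false;
                     }
                 }
             }
         }
     }
     /*
      *  Step 1.2
      *  Page-specific permission. Each page can have user-specific or
      *  group-specific ACL. If the current user is one of the user, or belongs
      *  to one of groups. The corresponding permission is checked.
      */
     //check page-specific user rule.
     $pps = self::loadPageSpecificPermissions($title);
     if ($pps != null) {
         foreach ($pps[self::$PAGE_USER] as $ups) {
             //An ACL for this user.
             if ($ups[self::$PAGE_USER_USER] === $username) {
                 if (in_array($permission, $ups[self::$PERMISSIONS])) {
                     if ($ups[self::$GRANT] == self::$GRANT_ACCESS_ALLOW) {
                         return true;
                     } else {
                         return false;
                     }
                 }
             }
         }
         //check page-specific group rule
         foreach ($pps[self::$PAGE_GROUP] as $gps) {
             $groupname = $gps[self::$PAGE_GROUP_GROUP];
             if ($groupname === self::$AllUser) {
                 if (in_array($permission, $gps[self::$PERMISSIONS])) {
                     if ($gps[self::$GRANT] == self::$GRANT_ACCESS_ALLOW) {
                         return true;
                     } else {
                         return false;
                     }
                 }
                 continue;
             }
             $groupDefinition = isset(self::$allGroups[$groupname]) ? self::$allGroups[$groupname] : null;
             if (!$groupDefinition) {
                 //group is deleted.
                 continue;
             }
             //if the user in the group (strict, see Step 1.1).
             if (in_array($username, $groupDefinition[self::$USERGROUP_USERS], true)) {
                 if (in_array($permission, $gps[self::$PERMISSIONS])) {
                     if ($gps[self::$GRANT] == self::$GRANT_ACCESS_ALLOW) {
                         return true;
                     } else {
                         return false;
                     }
                 }
             }
         }
     }
     //check the all group permission in the content page.
     if ($allgrouppermission != null) {
         if (in_array($permission, $allgrouppermission[self::$PERMISSIONS])) {
             if ($allgrouppermission[self::$GRANT] == self::$GRANT_ACCESS_ALLOW) {
                 return true;
             } else {
                 return false;
             }
         }
     }
     /*
      * Step 1.3
      * If the page has a logic ACl page parent, we delegates permission check to that page.
      */
     $pageparent = null;
     if (array_key_exists(self::$CONTENT_PAGE_PARENT, $pageprops)) {
         $pageparent = $pageprops[self::$CONTENT_PAGE_PARENT];
     }
     if ($pageparent) {
         $parenttitle = Title::newFromURL($pageparent);
         if (!$parenttitle) {
             // The parent name could not be turned into a title. Calling exists() on
             // it used to end the request with a fatal error; deny instead.
             return false;
         }
         // Mark this page for the duration of the delegated check so that a parent
         // loop is caught by the guard at the top. If the nested call throws, the
         // mark stays set and later checks of this title in the same request are denied.
         $delegating[$titlekey] = true;
         $ret = self::checkUserPermissionForContentPage($user, $parenttitle, $permission, true);
         unset($delegating[$titlekey]);
         return $ret;
     }
     /*
      * Step 2. group permission.
      * Each page has an owner. For example, the owner belongs to  both sale and R&D groups.
      *  If the current user belongs to one of the group, the group ACL is checked.  We grant
      *   access if the user has permission.
      *
      * Otherwise, we check the pre-defined default group ACL, if the user has
      * necessary permission, we grant access. Otherwise, we go to next step.
      */
     $owner = MWUtil::pageOwner($title, true);
     if (array_key_exists(self::$CONTENT_PAGE_Group, $pageprops)) {
         //if the page has specified its own group we use it.
         // NOTE(review): these are the raw property value(s), yet the loop below
         // indexes every entry like a group record ('name', users list) - confirm
         // the property stores records, or resolve names through self::$allGroups.
         $ogrps = $pageprops[self::$CONTENT_PAGE_Group];
         if (is_array($ogrps)) {
             $ownerGroups = $ogrps;
         } else {
             $ownerGroups = array($ogrps);
         }
     } else {
         //otherwise, we retrieve the create group
         $ownerGroups = self::getUserGroups($owner);
     }
     $inownergroup = false;
     $checkDefaultACL = false;
     //check the permission in owner group
     foreach ($ownerGroups as $ownerGroup) {
         if (!in_array($username, $ownerGroup[self::$USERGROUP_USERS], true)) {
             continue;
         }
         $inownergroup = true;
         if ($ownerGroup['name'] == self::$DefaultACL) {
             $checkDefaultACL = true;
         }
         $ret = self::checkGroupRule($permission, $ownerGroup);
         // only a boolean result is a decision; anything else means "keep looking"
         if (is_bool($ret)) {
             return $ret;
         }
     }
     //check the permission in default group
     if ($inownergroup) {
         $ret = self::checkGroupRule($permission, self::getPredefinedGroupACLGroup());
         if (is_bool($ret)) {
             return $ret;
         }
     }
     /*
      *Step 3 Global rule.  Check 'Users' access control rule.
      */
     if (!$checkDefaultACL) {
         $ret = self::checkGroupRule($permission, self::getPredefinedDefaultACLGroup());
         if (is_bool($ret)) {
             return $ret;
         }
     }
     /*
      *  Step 4. If we comes to this step, there is no rule defined for this user.
      *   -1 ("rule does not apply") is returned, not false.
      *   NOTE(review): whether that ends in a denial depends on how the caller
      *   treats -1 - confirm that the caller denies by default.
      */
     return -1;
 }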