diff --git a/_test/cases/inc/auth_aclcheck.test.php b/_test/cases/inc/auth_aclcheck.test.php
index 18242fd16a1a5018b5cb12f6a966268ec1cf3d89..d8a8f285aaaa1e8d2e36a9983cfd9651bc0cf3f2 100644
--- a/_test/cases/inc/auth_aclcheck.test.php
+++ b/_test/cases/inc/auth_aclcheck.test.php
@@ -130,6 +130,102 @@ class auth_acl_test extends UnitTestCase { $this->assertEqual(auth_aclcheck('devel:marketing', 'jane' ,array('devel')) , AUTH_UPLOAD); } + + function test_multiadmin_restricted(){ + global $conf; + global $AUTH_ACL; + $conf['superuser'] = 'john,@admin,doe,@roots'; + $conf['useacl'] = 1; + + $AUTH_ACL = array( + '* @ALL 0', + '* @user 8', + ); + + // anonymous user + $this->assertEqual(auth_aclcheck('page', '',array()), AUTH_NONE); + $this->assertEqual(auth_aclcheck('namespace:page','',array()), AUTH_NONE); + $this->assertEqual(auth_aclcheck('namespace:*', '',array()), AUTH_NONE); + + // user with no matching group + $this->assertEqual(auth_aclcheck('page', 'jill',array('foo')), AUTH_NONE); + $this->assertEqual(auth_aclcheck('namespace:page','jill',array('foo')), AUTH_NONE); + $this->assertEqual(auth_aclcheck('namespace:*', 'jill',array('foo')), AUTH_NONE); + + // user with matching group + $this->assertEqual(auth_aclcheck('page', 'jill',array('foo','user')), AUTH_UPLOAD); + $this->assertEqual(auth_aclcheck('namespace:page','jill',array('foo','user')), AUTH_UPLOAD); + $this->assertEqual(auth_aclcheck('namespace:*', 'jill',array('foo','user')), AUTH_UPLOAD); + + // super user john + $this->assertEqual(auth_aclcheck('page', 'john',array('foo')), AUTH_ADMIN); + $this->assertEqual(auth_aclcheck('namespace:page','john',array('foo')), AUTH_ADMIN); + $this->assertEqual(auth_aclcheck('namespace:*', 'john',array('foo')), AUTH_ADMIN); + + // super user doe + $this->assertEqual(auth_aclcheck('page', 'doe',array('foo')), AUTH_ADMIN); + $this->assertEqual(auth_aclcheck('namespace:page','doe',array('foo')), AUTH_ADMIN); + $this->assertEqual(auth_aclcheck('namespace:*', 'doe',array('foo')), AUTH_ADMIN); + + // user with matching admin group + $this->assertEqual(auth_aclcheck('page', 'jill',array('foo','admin')), AUTH_ADMIN); + $this->assertEqual(auth_aclcheck('namespace:page','jill',array('foo','admin')), AUTH_ADMIN); + 
$this->assertEqual(auth_aclcheck('namespace:*', 'jill',array('foo','admin')), AUTH_ADMIN); + + // user with matching another admin group + $this->assertEqual(auth_aclcheck('page', 'jill',array('foo','roots')), AUTH_ADMIN); + $this->assertEqual(auth_aclcheck('namespace:page','jill',array('foo','roots')), AUTH_ADMIN); + $this->assertEqual(auth_aclcheck('namespace:*', 'jill',array('foo','roots')), AUTH_ADMIN); + } + + function test_multiadmin_restricted_ropage(){ + global $conf; + global $AUTH_ACL; + $conf['superuser'] = 'john,@admin,doe,@roots'; + $conf['useacl'] = 1; + + $AUTH_ACL = array( + '* @ALL 0', + '* @user 8', + 'namespace:page @user 1', + ); + + // anonymous user + $this->assertEqual(auth_aclcheck('page', '',array()), AUTH_NONE); + $this->assertEqual(auth_aclcheck('namespace:page','',array()), AUTH_NONE); + $this->assertEqual(auth_aclcheck('namespace:*', '',array()), AUTH_NONE); + + // user with no matching group + $this->assertEqual(auth_aclcheck('page', 'jill',array('foo')), AUTH_NONE); + $this->assertEqual(auth_aclcheck('namespace:page','jill',array('foo')), AUTH_NONE); + $this->assertEqual(auth_aclcheck('namespace:*', 'jill',array('foo')), AUTH_NONE); + + // user with matching group + $this->assertEqual(auth_aclcheck('page', 'jill',array('foo','user')), AUTH_UPLOAD); + $this->assertEqual(auth_aclcheck('namespace:page','jill',array('foo','user')), AUTH_READ); + $this->assertEqual(auth_aclcheck('namespace:*', 'jill',array('foo','user')), AUTH_UPLOAD); + + // super user john + $this->assertEqual(auth_aclcheck('page', 'john',array('foo')), AUTH_ADMIN); + $this->assertEqual(auth_aclcheck('namespace:page','john',array('foo')), AUTH_ADMIN); + $this->assertEqual(auth_aclcheck('namespace:*', 'john',array('foo')), AUTH_ADMIN); + + // super user doe + $this->assertEqual(auth_aclcheck('page', 'doe',array('foo')), AUTH_ADMIN); + $this->assertEqual(auth_aclcheck('namespace:page','doe',array('foo')), AUTH_ADMIN); + $this->assertEqual(auth_aclcheck('namespace:*', 
'doe',array('foo')), AUTH_ADMIN); + + // user with matching admin group + $this->assertEqual(auth_aclcheck('page', 'jill',array('foo','admin')), AUTH_ADMIN); + $this->assertEqual(auth_aclcheck('namespace:page','jill',array('foo','admin')), AUTH_ADMIN); + $this->assertEqual(auth_aclcheck('namespace:*', 'jill',array('foo','admin')), AUTH_ADMIN); + + // user with matching another admin group + $this->assertEqual(auth_aclcheck('page', 'jill',array('foo','roots')), AUTH_ADMIN); + $this->assertEqual(auth_aclcheck('namespace:page','jill',array('foo','roots')), AUTH_ADMIN); + $this->assertEqual(auth_aclcheck('namespace:*', 'jill',array('foo','roots')), AUTH_ADMIN); + } + } //Setup VIM: ex: et ts=4 enc=utf-8 : diff --git a/_test/cases/inc/auth_admincheck.test.php b/_test/cases/inc/auth_admincheck.test.php new file mode 100644 index 0000000000000000000000000000000000000000..c00271a263d04dc98265dac2a8613840e7831ed6 --- /dev/null +++ b/_test/cases/inc/auth_admincheck.test.php 
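Review bot: Both new tests only exercise names that are meant to match, so nothing here checks that a user entry and a group entry in `$conf['superuser']` cannot be confused with each other. With the list `john,@admin,doe,@roots`, I would add negative cases to `test_multiadmin_restricted()`, for example `$this->assertEqual(auth_aclcheck('page', 'admin',array('foo')), AUTH_NONE);` and `$this->assertEqual(auth_aclcheck('page', 'jill',array('john')), AUTH_NONE);`. A list written with spaces or a trailing comma (`'john, @admin,'`) also deserves one case, since the parsing added in inc/auth.php trims entries but does not drop empty ones.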
@@ -0,0 +1,53 @@
+<?php
+
+require_once DOKU_INC.'inc/init.php';
+require_once DOKU_INC.'inc/auth.php';
+
+class auth_admin_test extends UnitTestCase {
+
+ function teardown() {
+ global $conf;
+ global $AUTH_ACL;
+ unset($conf);
+ unset($AUTH_ACL);
+
+ }
+
+ function test_ismanager(){
+ global $conf;
+ $conf['superuser'] = 'john,@admin';
+ $conf['manager'] = 'john,@managers,doe';
+
+ // anonymous user
+ $this->assertEqual(auth_ismanager('jill', '',false), false);
+
+ // admin or manager users
+ $this->assertEqual(auth_ismanager('john', '',false), true);
+ $this->assertEqual(auth_ismanager('doe', '',false), true);
+
+ // admin or manager groups
+ $this->assertEqual(auth_ismanager('jill', array('admin'),false), true);
+ $this->assertEqual(auth_ismanager('jill', array('managers'),false), true);
+ }
+
+ function test_isadmin(){
+ global $conf;
+ $conf['superuser'] = 'john,@admin,doe,@roots';
+
+ // anonymous user
+ $this->assertEqual(auth_ismanager('jill', '',true), false);
+
+ // admin user
+ $this->assertEqual(auth_ismanager('john', '',true), true);
+ $this->assertEqual(auth_ismanager('doe', '',true), true);
+
+ // admin groups
+ $this->assertEqual(auth_ismanager('jill', array('admin'),true), true);
+ $this->assertEqual(auth_ismanager('jill', array('roots'),true), true);
+ $this->assertEqual(auth_ismanager('john', array('admin'),true), true);
+ $this->assertEqual(auth_ismanager('doe', array('admin'),true), true);
+ }
+
+}
+
+//Setup VIM: ex: et ts=4 enc=utf-8 :
diff --git a/conf/dokuwiki.php b/conf/dokuwiki.php
index 0229a5af3030ae3dda80b526dea483e51082e336..723d44de7d51179a68c1a0bfa31b7ae234f0c890 100644
--- a/conf/dokuwiki.php
+++ b/conf/dokuwiki.php
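Review bot: `teardown()` does not reset anything, because `unset()` on a variable imported with `global` only removes the local alias; the `$conf['superuser']` and `$conf['manager']` values set by one test stay in place for the next test and for later test files. Clearing the globals themselves with `unset($GLOBALS['conf'], $GLOBALS['AUTH_ACL']);`, or restoring values saved beforehand, would make the cases independent. The `// anonymous user` cases pass `'jill'` as the user, so an empty user name is never checked; `$this->assertEqual(auth_ismanager('', array(),true), false);` would cover it.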
@@ -63,8 +63,8 @@ $conf['autopasswd'] = 1; //autogenerate passwords and email them
 $conf['authtype'] = 'plain'; //which authentication backend should be used
 $conf['passcrypt'] = 'smd5'; //Used crypt method (smd5,md5,sha1,ssha,crypt,mysql,my411)
 $conf['defaultgroup']= 'user'; //Default groups new Users are added to
-$conf['superuser'] = '!!not set!!'; //The admin can be user or @group
-$conf['manager'] = '!!not set!!'; //The manager can be user or @group
+$conf['superuser'] = '!!not set!!'; //The admin can be user or @group or comma separated list user1,@group1,user2
+$conf['manager'] = '!!not set!!'; //The manager can be user or @group or comma separated list user1,@group1,user2
 $conf['profileconfirm'] = '1'; //Require current password to confirm changes to user profile
 $conf['disableactions'] = ''; //comma separated list of actions to disable
 $conf['sneaky_index'] = 0; //check for namespace read permission in index view (0|1) (1 might cause unexpected behavior)
diff --git a/inc/auth.php b/inc/auth.php
index 85576b680a570fb1aff6d3950dfc972d56f50736..5316ca38261aec2a92f159cbb360354c2a5419e3 100644
--- a/inc/auth.php
+++ b/inc/auth.php
@@ -273,9 +273,22 @@ function auth_ismanager($user=null,$groups=null,$adminonly=false){ $user = auth_nameencode($user); // check username against superuser and manager - if(auth_nameencode($conf['superuser']) == $user) return true; + $superusers = explode(',', $conf['superuser']); + $superusers = array_unique($superusers); + $superusers = array_map('trim', $superusers); + // prepare an array containing only true values for array_map call + $alltrue = array_fill(0, count($superusers), true); + $superusers = array_map('auth_nameencode', $superusers, $alltrue); + if(in_array($user, $superusers)) return true; + if(!$adminonly){ - if(auth_nameencode($conf['manager']) == $user) return true; + $managers = explode(',', $conf['manager']); + $managers = array_unique($managers); + $managers = array_map('trim', $managers); + // prepare an array containing only true values for array_map call + $alltrue = array_fill(0, count($managers), true); + $managers = array_map('auth_nameencode', $managers, $alltrue); + if(in_array($user, $managers)) return true; } // check user's groups against superuser and manager @@ -288,9 +301,11 @@ function auth_ismanager($user=null,$groups=null,$adminonly=false){ } // check groups against superuser and manager - if(in_array(auth_nameencode($conf['superuser'],true), $groups)) return true; + foreach($superusers as $supu) + if(in_array($supu, $groups)) return true; if(!$adminonly){ - if(in_array(auth_nameencode($conf['manager'],true), $groups)) return true; + foreach($managers as $mana) + if(in_array($mana, $groups)) return true; } }
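Review bot: An empty entry survives the new parsing in the first hunk: `explode()` keeps empty fields, so a trailing or doubled comma (or an empty setting) leaves `''` in `$superusers`/`$managers`, and `in_array($user, $superusers)` is then true for an empty `$user`. How `$user` is filled for a visitor who is not logged in is outside this hunk, so that needs confirming, but dropping empties is one call: `$superusers = array_filter(array_map('trim', explode(',', $conf['superuser'])), 'strlen');`. Both `in_array()` calls here should also pass `true` as the third argument, because the default loose comparison treats numeric-looking names such as `1e3` and `1000` as equal; the same applies to the group loops in the next hunk. The seven parsing lines are repeated verbatim for `$managers`, so a small helper taking the setting string would keep the two lists parsed identically.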
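Review bot: The loops in the second hunk test every list entry, plain user names included, against `$groups`, so they are only correct while each element of `$groups` carries the `@` prefix; that prefixing presumably happens in the lines between the two hunks, which are not shown. A comment such as `// $groups are '@'-prefixed above, so user entries in the list never match a group` would record the dependency. Each brace-less `foreach`/`if` pair could be written as `if(array_intersect($superusers, $groups)) return true;` (and likewise for `$managers`), which compares the entries as strings.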