From 80601d26897c5dced80645aaf904085aa08b7bb9 Mon Sep 17 00:00:00 2001
From: Andreas Gohr <andi@splitbrain.org>
Date: Sat, 26 Jun 2010 11:20:25 +0200
Subject: [PATCH] fixed wildcard handling in ACL manager FS#1955

This patch also removes legacy support for @USER@. Only %USER% is valid
now.
---
 inc/auth.php              | 4 +++-
 lib/plugins/acl/admin.php | 7 +++++--
 2 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/inc/auth.php b/inc/auth.php
index 70514316c..6a4108a7c 100644
--- a/inc/auth.php
+++ b/inc/auth.php
@@ -107,7 +107,6 @@ function auth_setup(){
         //support user wildcard
         if(isset($_SERVER['REMOTE_USER'])){
             $AUTH_ACL = str_replace('%USER%',$_SERVER['REMOTE_USER'],$AUTH_ACL);
-            $AUTH_ACL = str_replace('@USER@',$_SERVER['REMOTE_USER'],$AUTH_ACL); //legacy
         }
     }
 }
@@ -569,6 +568,9 @@ function auth_nameencode($name,$skip_group=false){
     $cache =& $cache_authname;
     $name  = (string) $name;
 
+    // never encode wildcard FS#1955
+    if($name == '%USER%') return $name;
+
     if (!isset($cache[$name][$skip_group])) {
         if($skip_group && $name{0} =='@'){
             $cache[$name][$skip_group] = '@'.preg_replace('/([\x00-\x2f\x3a-\x40\x5b-\x60\x7b-\x7f])/e',
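Review bot: The new guard `if($name == '%USER%') return $name;` uses a loose comparison; because `$name` was cast to string on the line just above it behaves like `===` here, but a strict comparison states the intent and keeps working if that cast is ever removed: `if($name === '%USER%') return $name;`. The same literal is compared the same loose way in both lib/plugins/acl/admin.php hunks of this patch, so a single shared constant for the wildcard marker would keep the three sites from drifting apart. The early return also bypasses the `$cache` lookup, which is harmless since the value is returned unchanged, but the comment could say so: `// never encode wildcard FS#1955 (returned verbatim, not cached)`. auth_nameencode continues past the end of this hunk.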
diff --git a/lib/plugins/acl/admin.php b/lib/plugins/acl/admin.php
index 1f666660c..673ffbc96 100644
--- a/lib/plugins/acl/admin.php
+++ b/lib/plugins/acl/admin.php
@@ -96,7 +96,10 @@ class admin_plugin_acl extends DokuWiki_Admin_Plugin {
         if($_REQUEST['acl_t'] == '__g__' && $who){
             $this->who = '@'.ltrim($auth->cleanGroup($who),'@');
         }elseif($_REQUEST['acl_t'] == '__u__' && $who){
-            $this->who = ltrim($auth->cleanUser($who),'@');
+            $this->who = ltrim($who,'@');
+            if($this->who != '%USER%'){ #keep wildcard as is
+                $this->who = $auth->cleanUser($this->who);
+            }
         }elseif($_REQUEST['acl_t'] &&
                 $_REQUEST['acl_t'] != '__u__' &&
                 $_REQUEST['acl_t'] != '__g__'){
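Review bot: The wildcard is recognised only after `ltrim($who,'@')` on the new line, so both `%USER%` and `@%USER%` submitted through the form end up as the wildcard user while anything else still goes through `cleanUser()`; that is reasonable, but the inline `#keep wildcard as is` comment should state which spellings are accepted and why the cleaner is skipped, e.g. `// keep the %USER% wildcard literal (leading '@' already stripped); cleanUser() would mangle it`. The comparison `$this->who != '%USER%'` could be strict (`!==`) for consistency with the string-typed value it tests. The enclosing method begins before this hunk.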
@@ -150,7 +153,7 @@ class admin_plugin_acl extends DokuWiki_Admin_Plugin {
                             if ($who!='@ALL') {
                                 $who = '@'.ltrim($auth->cleanGroup($who),'@');
                             }
-                        } else {
+                        } elseif ($who != '%USER%'){ #keep wildcard as is
                             $who = $auth->cleanUser($who);
                         }
                         $who = auth_nameencode($who,true);
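Review bot: When `$who` is `%USER%` the new `elseif` skips `cleanUser()`, and the literal then reaches `auth_nameencode($who,true)` on the last hunk line; it only survives that call because the inc/auth.php change in this same patch returns `%USER%` unencoded, so the two sites are coupled and the comment should record it: `// keep %USER% wildcard verbatim; auth_nameencode() also passes it through unchanged`. Unlike the earlier hunk in this file, no `ltrim($who,'@')` is visible before this comparison, so `@%USER%` would presumably still fall into `cleanUser()` here — confirm whether code outside the hunk normalises the leading `@` first. The enclosing method starts and ends outside this hunk.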
-- 
GitLab