Fix a couple of bugs in ACL substitution mechanism

- %GROUP% & %USER% can now both be used in the same rule, e.g. %GROUP%:%USER% 2 - rules with tokens will be skipped when the user is not logged in previously %USER% was attempted

Fix a couple of bugs in ACL substitution mechanism
- %GROUP% & %USER% can now both be used in the same rule, e.g. %GROUP%:%USER% 2 - rules with tokens will be skipped when the user is not logged in previously %USER% was attempted
ad3d68d7 · Christopher Smith · 354c39ff · ad3d68d7
Commit ad3d68d7 authored 11 years ago by Christopher Smith
--- a/inc/auth.php
+++ b/inc/auth.php
@@ -136,22 +136,30 @@ function auth_loadACL() {
    $acl = file($config_cascade['acl']['default']);
-    //support user wildcard
    $out = array();
    foreach($acl as $line) {
        $line = trim($line);
        if($line{0} == '#') continue;
        list($id,$rest) = preg_split('/\s+/',$line,2);
+        // substitue user wildcard first (its 1:1)
+        if(strstr($line, '%USER%')){
+            // if user is not logged in, this ACL line is meaningless - skip it
+            if (!isset($_SERVER['REMOTE_USER'])) continue;
+            $id   = str_replace('%USER%',cleanID($_SERVER['REMOTE_USER']),$id);
+            $rest = str_replace('%USER%',auth_nameencode($_SERVER['REMOTE_USER']),$rest);
+        }
+        // substitute group wildcard (its 1:m)
        if(strstr($line, '%GROUP%')){
+            // if user is not logged in, grps is empty, no output will be added (i.e. skipped)
            foreach((array) $USERINFO['grps'] as $grp){
                $nid   = str_replace('%GROUP%',cleanID($grp),$id);
                $nrest = str_replace('%GROUP%','@'.auth_nameencode($grp),$rest);
                $out[] = "$nid\t$nrest";
            }
        } else {
-            $id   = str_replace('%USER%',cleanID($_SERVER['REMOTE_USER']),$id);
-            $rest = str_replace('%USER%',auth_nameencode($_SERVER['REMOTE_USER']),$rest);
            $out[] = "$id\t$rest";
        }
    }