From cc5294682913a4fdb87184d3b5bfdd8e28678ed2 Mon Sep 17 00:00:00 2001
From: Michael Hamann <michael@content-space.de>
Date: Mon, 12 Oct 2015 20:01:23 +0200
Subject: [PATCH] Add an ACL check in page_findnearest, fix #1369
This means that templates that use this function will no longer display
pages like sidebars that can't be accessed by the current user.
---
.../tests/inc/pageutils_findnearest.test.php | 49 +++++++++++++++++++
inc/pageutils.php | 12 +++--
2 files changed, 56 insertions(+), 5 deletions(-)
diff --git a/_test/tests/inc/pageutils_findnearest.test.php b/_test/tests/inc/pageutils_findnearest.test.php
index e129b5e58..170962650 100644
--- a/_test/tests/inc/pageutils_findnearest.test.php
+++ b/_test/tests/inc/pageutils_findnearest.test.php
@@ -1,6 +1,33 @@
<?php
class pageutils_findnearest_test extends DokuWikiTest {
+
+ var $oldAuthAcl;
+
+ function setUp() {
+ parent::setUp();
+ global $AUTH_ACL;
+ global $auth;
+ global $conf;
+ $conf['superuser'] = 'john';
+ $conf['useacl'] = 1;
+
+ $this->oldAuthAcl = $AUTH_ACL;
+ $auth = new DokuWiki_Auth_Plugin();
+
+ $AUTH_ACL = array(
+ '* @ALL 1',
+ 'internal:* @ALL 0',
+ 'internal:* max 1',
+ '* @user 8',
+ );
+ }
+
+ function tearDown() {
+ global $AUTH_ACL;
+ $AUTH_ACL = $this->oldAuthAcl;
+ }
+
function testNoSidebar() {
global $ID;
@@ -37,4 +64,26 @@ class pageutils_findnearest_test extends DokuWikiTest {
$this->assertEquals('sidebar', $sidebar);
}
+ function testACLWithSidebar() {
+ global $ID;
+ global $INPUT;
+
+ $INPUT->server->set('REMOTE_USER', 'foo');
+
+ saveWikiText('sidebar', 'top sidebar', '');
+ saveWikiText('internal:sidebar', 'internal sidebar', '');
+
+ $ID = 'internal:foo:bar';
+
+ $sidebar = page_findnearest('sidebar');
+ $this->assertEquals('sidebar', $sidebar);
+
+ $sidebar = page_findnearest('sidebar', true);
+ $this->assertEquals('internal:sidebar', $sidebar);
+
+ $INPUT->server->set('REMOTE_USER', 'max');
+
+ $sidebar = page_findnearest('sidebar');
+ $this->assertEquals('internal:sidebar', $sidebar);
+ }
}
diff --git a/inc/pageutils.php b/inc/pageutils.php
index a5bf039d5..2c1f997ca 100644
--- a/inc/pageutils.php
+++ b/inc/pageutils.php
@@ -738,24 +738,26 @@ function utf8_decodeFN($file){
/**
* Find a page in the current namespace (determined from $ID) or any
- * higher namespace
+ * higher namespace that can be accessed by the current user,
+ * this condition can be overriden by an optional parameter.
*
* Used for sidebars, but can be used other stuff as well
*
* @todo add event hook
*
* @param string $page the pagename you're looking for
- * @return string|false the full page id of the found page, false if any
+ * @param bool $ignoreacl If pages that can't be accessed by the current user shall be returend
+ * @return false|string the full page id of the found page, false if any
*/
-function page_findnearest($page){
+function page_findnearest($page, $ignoreacl = false){
if (!$page) return false;
global $ID;
$ns = $ID;
do {
$ns = getNS($ns);
- $pageid = ltrim("$ns:$page",':');
- if(page_exists($pageid)){
+ $pageid = cleanID("$ns:$page");
+ if(page_exists($pageid) && ($ignoreacl || auth_quickaclcheck($pageid) > 0)){
return $pageid;
}
} while($ns);
--
GitLab