Made some improvements to ACL system including: warning on setting Deny for Everyone on the entire site, added ACL_ALWAYS_ALLOW_ADMIN_EDIT_ACL, and changed behavior as noted in the docs so that Deny for Everyone is no longer able to be overridden
authorDan
Wed, 26 Mar 2008 20:20:22 -0400
changeset 511 f88c8c79d784
parent 510 290fa071842a
child 512 13532b0a223f
Made some improvements to ACL system including: warning on setting Deny for Everyone on the entire site, added ACL_ALWAYS_ALLOW_ADMIN_EDIT_ACL, and changed behavior as noted in the docs so that Deny for Everyone is no longer able to be overridden
includes/clientside/static/acl.js
includes/constants.php
includes/pageprocess.php
includes/pageutils.php
includes/sessions.php
includes/template.php
language/english/admin.json
plugins/SpecialAdmin.php
--- a/includes/clientside/static/acl.js	Wed Mar 26 16:51:42 2008 -0400
+++ b/includes/clientside/static/acl.js	Wed Mar 26 20:20:22 2008 -0400
@@ -729,9 +729,20 @@
       var form = document.forms[aclManagerID + '_formobj'];
       selections = new Object();
       var dbg = '';
+      var warned_everyone = false;
       for(var i in aclPermList)
       {
         selections[aclPermList[i]] = getRadioState(form, aclPermList[i], [1, 2, 3, 4]);
+        // If we're editing permissions for everyone on the entire site and the
+        // admin selected to deny privileges, give a stern warning about it.
+        if ( selections[aclPermList[i]] == 1 && aclDataCache.target_type == 1 /* ACL_TYPE_GROUP */ && aclDataCache.target_id == 1 && !warned_everyone )
+        {
+          warned_everyone = true;
+          if ( !confirm($lang.get('acl_msg_deny_everyone_confirm')) )
+          {
+            return false;
+          }
+        }
         dbg += aclPermList[i] + ': ' + selections[aclPermList[i]] + "\n";
         if(!selections[aclPermList[i]])
         {
--- a/includes/constants.php	Wed Mar 26 16:51:42 2008 -0400
+++ b/includes/constants.php	Wed Mar 26 20:20:22 2008 -0400
@@ -29,6 +29,11 @@
 define('ACL_TYPE_USER', 2);
 define('ACL_TYPE_PRESET', 3);
 
+// ACL switch
+// If this is defined, administrators can edit ACLs regardless of current
+// permissions. This is enabled by default.
+define('ACL_ALWAYS_ALLOW_ADMIN_EDIT_ACL', 1);
+
 // System groups
 define('GROUP_ID_ADMIN', 2);
 define('GROUP_ID_MOD', 3);
@@ -39,7 +44,7 @@
 define('PAGE_GRP_NORMAL', 3);
 define('PAGE_GRP_REGEX', 4);
 
-// Identifier for the default meta-language
+// Identifier for the default pseudo-language
 define('LANG_DEFAULT', 0);
 
 //
--- a/includes/pageprocess.php	Wed Mar 26 16:51:42 2008 -0400
+++ b/includes/pageprocess.php	Wed Mar 26 20:20:22 2008 -0400
@@ -176,9 +176,19 @@
     
     if ( !$this->perms->get_permissions('read') )
     {
-      $this->err_access_denied();
-      profiler_log("PageProcessor [{$this->namespace}:{$this->page_id}]: Finished send process");
-      return false;
+      // Permission denied to read page. Is this one of our core pages that must always be allowed?
+      // NOTE: Not even the administration panel will work if ACLs deny access to it.
+      if ( $this->namespace == 'Special' && in_array($this->page_id, array('Login', 'Logout', 'LangExportJSON', 'CSS')) )
+      {
+        // Do nothing; allow execution to continue
+      }
+      else
+      {
+        // Page isn't whitelisted, behave as normal
+        $this->err_access_denied();
+        profiler_log("PageProcessor [{$this->namespace}:{$this->page_id}]: Finished send process");
+        return false;
+      }
     }
     $pathskey = $paths->nslist[ $this->namespace ] . $this->page_id;
     $strict_no_headers = false;
--- a/includes/pageutils.php	Wed Mar 26 16:51:42 2008 -0400
+++ b/includes/pageutils.php	Wed Mar 26 20:20:22 2008 -0400
@@ -1589,7 +1589,7 @@
     global $db, $session, $paths, $template, $plugins; // Common objects
     global $lang;
     
-    if(!$session->get_permissions('edit_acl') && $session->user_level < USER_LEVEL_ADMIN)
+    if(!$session->get_permissions('edit_acl') && ( $session->user_level < USER_LEVEL_ADMIN || !defined('ACL_ALWAYS_ALLOW_ADMIN_EDIT_ACL')) )
     {
       return Array(
         'mode' => 'error',
--- a/includes/sessions.php	Wed Mar 26 16:51:42 2008 -0400
+++ b/includes/sessions.php	Wed Mar 26 20:20:22 2008 -0400
@@ -2696,21 +2696,31 @@
         // Decide precedence
         if ( isset($this->acl_defaults_used[$i]) )
         {
-          //echo "$i: default in use, overriding to: {$perm[$i]}<br />";
+          // echo "$i: default in use, overriding to: {$perm[$i]}<br />";
           // Defaults are in use, override
-          $this->perms[$i] = $perm[$i];
-          $this->acl_defaults_used[$i] = ( $is_everyone );
+          
+          // CHANGED - 1.1.4:
+          // For some time this has been intentionally relaxed so that the following
+          // exception is available to Deny permissions:
+          //   If the rule applies to the group "Everyone" on the entire site,
+          //   Deny settings could be overriden.
+          // This is documented at: http://docs.enanocms.org/Help:4.2
+          if ( $this->perms[$i] != AUTH_DENY )
+          {
+            $this->perms[$i] = $perm[$i];
+            $this->acl_defaults_used[$i] = ( $is_everyone );
+          }
         }
         else
         {
-          //echo "$i: default NOT in use";
+          // echo "$i: default NOT in use";
           // Defaults are not in use, merge as normal
           if ( $this->perms[$i] != AUTH_DENY )
           {
-            //echo ", but overriding";
+            // echo ", but overriding";
             $this->perms[$i] = $perm[$i];
           }
-          //echo "<br />";
+          // echo "<br />";
         }
       }
     }
--- a/includes/template.php	Wed Mar 26 16:51:42 2008 -0400
+++ b/includes/template.php	Wed Mar 26 20:20:22 2008 -0400
@@ -782,7 +782,7 @@
     }
     
     // Manage ACLs button
-    if ( !$paths->anonymous_page && ( $session->get_permissions('edit_acl') || $session->user_level >= USER_LEVEL_ADMIN ) )
+    if ( !$paths->anonymous_page && ( $session->get_permissions('edit_acl') || ( defined('ACL_ALWAYS_ALLOW_ADMIN_EDIT_ACL') &&  $session->user_level >= USER_LEVEL_ADMIN ) ) )
     {
       $menubtn->assign_vars(array(
           'FLAGS' => 'onclick="if ( !KILL_SWITCH ) { return ajaxOpenACLManager(); }" title="' . $lang->get('onpage_tip_aclmanager') . '" accesskey="m"',
--- a/language/english/admin.json	Wed Mar 26 16:51:42 2008 -0400
+++ b/language/english/admin.json	Wed Mar 26 20:20:22 2008 -0400
@@ -134,6 +134,7 @@
       msg_guest_howto: 'To edit permissions for guests, select "a specific user", and enter Anonymous as the username.',
       msg_deleterule_confirm: 'Do you really want to delete this rule?',
       msg_closeacl_confirm: 'Do you really want to close the ACL manager?',
+      msg_deny_everyone_confirm: 'CAUTION: You are setting a Deny ruling for everyone on this site. This will block the selected actions from being performed at all. Do you really want to do this?\n\nPlease also note that the following core pages will not be blocked from being accessed: Special:Login, Special:Logout, and Special:LangExportJSON.',
       
       btn_success_dismiss: 'dismiss',
       btn_success_close: 'close manager',
--- a/plugins/SpecialAdmin.php	Wed Mar 26 16:51:42 2008 -0400
+++ b/plugins/SpecialAdmin.php	Wed Mar 26 20:20:22 2008 -0400
@@ -312,7 +312,7 @@
     
     if ( is_dir(ENANO_ROOT . '/' . $_POST['avatar_directory']) )
     {
-      if ( preg_match('/^([A-z0-9_-]+)(\/([A-z0-9_-]+))*$/', $_POST['avatar_directory']) )
+      if ( preg_match('/^([A-z0-9_-]+)(\/([A-z0-9_-]+))*\/?$/', $_POST['avatar_directory']) )
       {
         setConfig('avatar_directory', $_POST['avatar_directory']);
       }