Made some improvements to ACL system including: warning on setting Deny for Everyone on the entire site, added ACL_ALWAYS_ALLOW_ADMIN_EDIT_ACL, and changed behavior as noted in the docs so that Deny for Everyone is no longer able to be overridden
--- a/includes/clientside/static/acl.js Wed Mar 26 16:51:42 2008 -0400
+++ b/includes/clientside/static/acl.js Wed Mar 26 20:20:22 2008 -0400
@@ -729,9 +729,20 @@
var form = document.forms[aclManagerID + '_formobj'];
selections = new Object();
var dbg = '';
+ var warned_everyone = false;
for(var i in aclPermList)
{
selections[aclPermList[i]] = getRadioState(form, aclPermList[i], [1, 2, 3, 4]);
+ // If we're editing permissions for everyone on the entire site and the
+ // admin selected to deny privileges, give a stern warning about it.
+ if ( selections[aclPermList[i]] == 1 && aclDataCache.target_type == 1 /* ACL_TYPE_GROUP */ && aclDataCache.target_id == 1 && !warned_everyone )
+ {
+ warned_everyone = true;
+ if ( !confirm($lang.get('acl_msg_deny_everyone_confirm')) )
+ {
+ return false;
+ }
+ }
dbg += aclPermList[i] + ': ' + selections[aclPermList[i]] + "\n";
if(!selections[aclPermList[i]])
{
--- a/includes/constants.php Wed Mar 26 16:51:42 2008 -0400
+++ b/includes/constants.php Wed Mar 26 20:20:22 2008 -0400
@@ -29,6 +29,11 @@
define('ACL_TYPE_USER', 2);
define('ACL_TYPE_PRESET', 3);
+// ACL switch
+// If this is defined, administrators can edit ACLs regardless of current
+// permissions. This is enabled by default.
+define('ACL_ALWAYS_ALLOW_ADMIN_EDIT_ACL', 1);
+
// System groups
define('GROUP_ID_ADMIN', 2);
define('GROUP_ID_MOD', 3);
@@ -39,7 +44,7 @@
define('PAGE_GRP_NORMAL', 3);
define('PAGE_GRP_REGEX', 4);
-// Identifier for the default meta-language
+// Identifier for the default pseudo-language
define('LANG_DEFAULT', 0);
//
--- a/includes/pageprocess.php Wed Mar 26 16:51:42 2008 -0400
+++ b/includes/pageprocess.php Wed Mar 26 20:20:22 2008 -0400
@@ -176,9 +176,19 @@
if ( !$this->perms->get_permissions('read') )
{
- $this->err_access_denied();
- profiler_log("PageProcessor [{$this->namespace}:{$this->page_id}]: Finished send process");
- return false;
+ // Permission denied to read page. Is this one of our core pages that must always be allowed?
+ // NOTE: Not even the administration panel will work if ACLs deny access to it.
+ if ( $this->namespace == 'Special' && in_array($this->page_id, array('Login', 'Logout', 'LangExportJSON', 'CSS')) )
+ {
+ // Do nothing; allow execution to continue
+ }
+ else
+ {
+ // Page isn't whitelisted, behave as normal
+ $this->err_access_denied();
+ profiler_log("PageProcessor [{$this->namespace}:{$this->page_id}]: Finished send process");
+ return false;
+ }
}
$pathskey = $paths->nslist[ $this->namespace ] . $this->page_id;
$strict_no_headers = false;
--- a/includes/pageutils.php Wed Mar 26 16:51:42 2008 -0400
+++ b/includes/pageutils.php Wed Mar 26 20:20:22 2008 -0400
@@ -1589,7 +1589,7 @@
global $db, $session, $paths, $template, $plugins; // Common objects
global $lang;
- if(!$session->get_permissions('edit_acl') && $session->user_level < USER_LEVEL_ADMIN)
+ if(!$session->get_permissions('edit_acl') && ( $session->user_level < USER_LEVEL_ADMIN || !defined('ACL_ALWAYS_ALLOW_ADMIN_EDIT_ACL')) )
{
return Array(
'mode' => 'error',
--- a/includes/sessions.php Wed Mar 26 16:51:42 2008 -0400
+++ b/includes/sessions.php Wed Mar 26 20:20:22 2008 -0400
@@ -2696,21 +2696,31 @@
// Decide precedence
if ( isset($this->acl_defaults_used[$i]) )
{
- //echo "$i: default in use, overriding to: {$perm[$i]}<br />";
+ // echo "$i: default in use, overriding to: {$perm[$i]}<br />";
// Defaults are in use, override
- $this->perms[$i] = $perm[$i];
- $this->acl_defaults_used[$i] = ( $is_everyone );
+
+ // CHANGED - 1.1.4:
+ // For some time this has been intentionally relaxed so that the following
+ // exception is available to Deny permissions:
+ // If the rule applies to the group "Everyone" on the entire site,
+ // Deny settings could be overriden.
+ // This is documented at: http://docs.enanocms.org/Help:4.2
+ if ( $this->perms[$i] != AUTH_DENY )
+ {
+ $this->perms[$i] = $perm[$i];
+ $this->acl_defaults_used[$i] = ( $is_everyone );
+ }
}
else
{
- //echo "$i: default NOT in use";
+ // echo "$i: default NOT in use";
// Defaults are not in use, merge as normal
if ( $this->perms[$i] != AUTH_DENY )
{
- //echo ", but overriding";
+ // echo ", but overriding";
$this->perms[$i] = $perm[$i];
}
- //echo "<br />";
+ // echo "<br />";
}
}
}
--- a/includes/template.php Wed Mar 26 16:51:42 2008 -0400
+++ b/includes/template.php Wed Mar 26 20:20:22 2008 -0400
@@ -782,7 +782,7 @@
}
// Manage ACLs button
- if ( !$paths->anonymous_page && ( $session->get_permissions('edit_acl') || $session->user_level >= USER_LEVEL_ADMIN ) )
+ if ( !$paths->anonymous_page && ( $session->get_permissions('edit_acl') || ( defined('ACL_ALWAYS_ALLOW_ADMIN_EDIT_ACL') && $session->user_level >= USER_LEVEL_ADMIN ) ) )
{
$menubtn->assign_vars(array(
'FLAGS' => 'onclick="if ( !KILL_SWITCH ) { return ajaxOpenACLManager(); }" title="' . $lang->get('onpage_tip_aclmanager') . '" accesskey="m"',
--- a/language/english/admin.json Wed Mar 26 16:51:42 2008 -0400
+++ b/language/english/admin.json Wed Mar 26 20:20:22 2008 -0400
@@ -134,6 +134,7 @@
msg_guest_howto: 'To edit permissions for guests, select "a specific user", and enter Anonymous as the username.',
msg_deleterule_confirm: 'Do you really want to delete this rule?',
msg_closeacl_confirm: 'Do you really want to close the ACL manager?',
+ msg_deny_everyone_confirm: 'CAUTION: You are setting a Deny ruling for everyone on this site. This will block the selected actions from being performed at all. Do you really want to do this?\n\nPlease also note that the following core pages will not be blocked from being accessed: Special:Login, Special:Logout, and Special:LangExportJSON.',
btn_success_dismiss: 'dismiss',
btn_success_close: 'close manager',
--- a/plugins/SpecialAdmin.php Wed Mar 26 16:51:42 2008 -0400
+++ b/plugins/SpecialAdmin.php Wed Mar 26 20:20:22 2008 -0400
@@ -312,7 +312,7 @@
if ( is_dir(ENANO_ROOT . '/' . $_POST['avatar_directory']) )
{
- if ( preg_match('/^([A-z0-9_-]+)(\/([A-z0-9_-]+))*$/', $_POST['avatar_directory']) )
+ if ( preg_match('/^([A-z0-9_-]+)(\/([A-z0-9_-]+))*\/?$/', $_POST['avatar_directory']) )
{
setConfig('avatar_directory', $_POST['avatar_directory']);
}