Managing User Groups through ACLs
Working for 1.1.5.3 (according to author) to 1.3.6 (latest)
There is already a proposal for this at GroupManagement. However this code doesn't seem to work anymore.
My solution
I thought about a simpler way to deal with User Groups - my concept is: Give the power to the users and Keep it simple.
- The idea is that any user could define a new group by creating a dedicated WikiPage: something like MyProjectGroup.
- Then he would write in this page all the user logins he wants to be part of the group (embedded inside plus signs to avoid confusion: +UserLogin1+UserLogin2+).
- He would decide through the ACLs of this page who can manage the group list.
- Then he may use this page name in the ACLs of any page in order to manage the access authorizations.
- The only code change needed is in the HasAccess() function, which has to be modified to check whether the user is part of the group.
Dependency
None that I can figure out. I have it working with 1.1.5.3 version.
The code
In wikka.php add the isGroupMember() function (after TrimACLs() function for example):
(for version 1.1.6.2, the required file has been moved and renamed to ...../libs/Wakka.class.php )
// returns true if $who is member of $group
function isGroupMember($who, $group)
{
    $thegroup = $this->LoadPage($group);
    if ($thegroup) {
        // on group list pages, participants' logins have to be embedded inside '+' signs
        $search = "+".$who."+";
        return (boolean)(substr_count($thegroup["body"], $search));
    }
    else return false;
}
Then change HasAccess() function:
from:
// aha! a user entry.
default:
    if ($line == $user)
    {
        return !$negate;
    }
to:
// aha! a user entry.
default:
    if ($line == $user)
    {
        return !$negate;
    }
    // this may be a UserGroup so we check if $user is part of the group
    else if (($this->isGroupMember($user, $line)))
    {
        return !$negate;
    }
How to use it?
Create a WikiPage to manage a particular user group: a name like UserGroupWikkaCrew makes sense (it exists ;-) ), it could be nice to link to a CategoryUserGroup.
Write in all the user logins that have to be part of this group inside "+" signs: +UserLogin1+UserLogin2+ is valid as would be:
- +UserLogin2+.
Use the UserGroupPage in any ACLs; it can be negated using the "!" character as usual.
To Do
My code probably needs to be reviewed by an expert coder as I am not at all a developer (I just rely on the above user group). Any ideas and comments more than welcome.
This does not allow to manage Groups of Groups (don't think about using the {{include}} action!)
- This doesn't really make sense, because you can add it as a subgroup using his page/groupname, no?
- Correct. I'm using this to control access on my intranet and I've got multiple layers of groups (many that cross over) that allow me to manage groups of groups. Here's how I'm using it:
- Group 1 (UGMetro) has several names: +Reporter1+ +Reporter2+ +Reporter3+ +MetroEditors+
- Group 2 (UGSports) has others: +Reporter4+ +Reporter5+ +Reporter6+ +SportsEditors+
- And the master group (UGNewsroom) looks like this: +UGMetro+ +UGSports+
- Works just fine for me. :) --MovieLady
- Could not get it working with master groups as described by MovieLady, so I changed the IsGroupMember function to recursively go through all sub groups:
-
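// returns true if $who is member of $group
function isGroupMember($who, $group)
{
    $thegroup = $this->LoadPage($group);
    if ($thegroup) {
        // collect every name written between '+' signs; the lookahead leaves the
        // closing '+' unconsumed so that "+A+B+" yields both A and B
        preg_match_all("/\+(\V*?)(?=\+)/", $thegroup["body"], $group_members);
        foreach ($group_members[1] as $group_member) {
            if ($who == $group_member) { return true; }
            // not a direct match: treat the entry as a possible sub-group
            if ($this->isGroupMember($who, $group_member)) { return true; }
        }
    }
    // page not found, or $who is not listed in it or in any sub-group
    return false;
}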
- Does anybody have an idea why the setup described by MovieLady should work? In my setup members of the Group UGMetro or UGSports did not have access to pages where the read/write ACLs were set to UGNewsroom
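The nested-group lookup discussed in the comments above, as an added example that is not part of the original page or of Wikka's code: it matches whole names rather than substrings and stops when group pages reference each other in a loop. The `$loadPage` callable (standing in for `$this->LoadPage()`), the `groupMembers()` helper, the `$seen` parameter and the sample pages are assumptions made for the example.

```php
<?php
// Added example, not Wikka code (PHP 7.4+). $loadPage stands in for $this->LoadPage().

// Extract member names from a group page body. Accepts "+A+B+" and "+A+ +B+".
function groupMembers(string $body): array
{
    // The lookahead leaves the closing '+' in place so it can open the next name.
    preg_match_all('/\+([^+\s]+)(?=\+)/', $body, $m);
    return array_unique($m[1]);
}

// True if $who is listed in $group or in any group nested inside it.
function isGroupMember(string $who, string $group, callable $loadPage, array &$seen = []): bool
{
    if (isset($seen[$group])) {
        return false;               // already visited: breaks A -> B -> A loops
    }
    $seen[$group] = true;
    $page = $loadPage($group);
    if (!$page) {
        return false;               // no such page, so not a group
    }
    $members = groupMembers($page['body']);
    if (in_array($who, $members, true)) {
        return true;                // direct member: no further page loads needed
    }
    foreach ($members as $member) {
        if (isGroupMember($who, $member, $loadPage, $seen)) {
            return true;
        }
    }
    return false;
}

// Constructed sample pages: group names from the comments above, with a loop added.
$pages = [
    'UGMetro'    => ['body' => '+Reporter1+Reporter2+Reporter3+MetroEditors+'],
    'UGSports'   => ['body' => '+Reporter4+ +Reporter5+ +UGNewsroom+'],
    'UGNewsroom' => ['body' => '+UGMetro+ +UGSports+'],
];
$loadPage = fn(string $tag) => $pages[$tag] ?? null;

foreach (['Reporter2', 'Reporter5', 'Outsider'] as $user) {
    printf("%-10s %s\n", $user, isGroupMember($user, 'UGNewsroom', $loadPage) ? 'allowed' : 'denied');
}
```

Because `$seen` is shared across the whole walk, each group page is loaded at most once per access check, even when several parent groups include it.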
Security Risks
A hacker may be able to get unauthorized access if they create a new user account with the same name as a groupname. For example, in the above scenario, the hacker may gain unauthorized access if (s)he creates a user with "UserGroupWikkaCrew" as the login name. The easiest way to prevent this from happening is to disallow new users to pick a name which is equal to an existing page.
- This check is already in place as of version 1.1.6.0. --JavaWoman
CategoryUserContributions