Wiki source for ACLsWithUserGroups

====Managing User Groups through ACLs====
>>Works with 1.1.5.3 (according to the author) through 1.3.6 (latest)>>There is already a proposal for this at GroupManagement. However, that code does not seem to work anymore.

===My solution===
I thought about a simpler way to deal with user groups. My concept is: give the power to the users and keep it simple.

- The idea is that any user can define a new group by creating a dedicated WikiPage, for example ""MyProjectGroup"".
- In this page he lists all the user logins that should be part of the group, each embedded between plus signs to avoid confusion: +UserLogin1+UserLogin2+.
- Through the ACLs of this page he decides who can manage the group list.
- He can then use this page name in the ACLs of any other page to manage its access authorizations.
- The only code needed is a change to the ""HasAccess()"" function so that it checks whether the user is part of the group.

===Dependency===
None that I can figure out. I have it working with version 1.1.5.3.

===The code===
In wikka.php add the ""isGroupMember()"" function (after the ""TrimACLs()"" function, for example):

(for version 1.1.6.2, the required file has been moved and renamed to ...../libs/Wakka.class.php)

%%(php)
// returns true if $who is a member of $group
function isGroupMember($who, $group)
{
    $thegroup = $this->LoadPage($group);
    if ($thegroup) {
        // In the group list pages the participants' logins have to be embedded inside '+' signs,
        // so searching for "+login+" matches only a whole login, never part of a longer one
        $search = "+".$who."+";
        return (boolean)(substr_count($thegroup["body"], $search));
    }
    else return false;
}
%%

Then change ""HasAccess()"" function:

from:

%%(php)
// aha! a user entry.
default:
    if ($line == $user)
    {
        return !$negate;
    }
%%

to:

%%(php)
// aha! a user entry.
default:
    if ($line == $user)
    {
        return !$negate;
    }
    // this may be a UserGroup, so we check whether $user is part of the group
    else if ($this->isGroupMember($user, $line))
    {
        return !$negate;
    }
%%

===How to use it?===
Create a WikiPage to manage a particular user group: a name like UserGroupWikkaCrew makes sense (it exists ;-)), and it could be nice to link it to a CategoryUserGroup.
Write in it all the user logins that have to be part of this group, inside "+" signs: +UserLogin1+UserLogin2+ is valid, as would be:
- +UserLogin1+
- +UserLogin2+
Modify the ACLs of this ""UserGroupPage"" to reflect who is allowed to manage the group. Keep in mind that whoever can write the group page can add any login to it, so the write ACL of the group page is in effect the access control of every page that references the group.
Use the ""UserGroupPage"" in any ACLs; group entries can be negated with the "!" character as usual.

===To Do===
My code probably needs to be reviewed by an expert coder, as I am not a developer at all (I just rely on the user group above).
Any ideas and comments are welcome.
This does not allow managing groups of groups (don't think about using the ""{{include}}"" action!)
~& This doesn't really make sense, because you can add it as a subgroup using its page/group name, no?
~~& Correct. I'm using this to control access on my intranet and I've got multiple layers of groups (many that cross over) that allow me to manage groups of groups. Here's how I'm using it:
~~& Group 1 (""UGMetro"") has several names: ""+Reporter1+"" ""+Reporter2+"" ""+Reporter3+"" ""+MetroEditors+""
~~& Group 2 (""UGSports"") has others: ""+Reporter4+"" ""+Reporter5+"" ""+Reporter6+"" ""+SportsEditors+""
~~& And the master group (""UGNewsroom"") looks like this: ""+UGMetro+"" ""+UGSports+""
~~& Works just fine for me. :) --MovieLady
~~~& Could not get it working with master groups as described by MovieLady, so I changed the ""IsGroupMember"" function to recursively go through all sub groups:
~~~&%%(php)
// returns true if $who is a member of $group, searching sub groups recursively
function isGroupMember($who, $group, $seen = array())
{
    // a group that lists itself, directly or through another group, would otherwise recurse forever
    if (in_array($group, $seen)) { return false; }
    $seen[] = $group;
    $thegroup = $this->LoadPage($group);
    if ($thegroup) {
        // the lookahead leaves the closing '+' in place, so "+A+B+" yields both A and B
        preg_match_all("/\+([^+\s]+)(?=\+)/", $thegroup["body"], $group_members);
        foreach ($group_members[1] as $group_member) {
            if ($who == $group_member) { return true; }
            if ($this->isGroupMember($who, $group_member, $seen)) { return true; }
        }
    }
    return false;
}%%
~~~& Does anybody have an idea why the setup described by MovieLady should work? In my setup, members of the group ""UGMetro"" or ""UGSports"" did not have access to pages where the read/write ACLs were set to ""UGNewsroom"".
===Security Risks===

An attacker may be able to get unauthorized access by creating a new user account with the same name as a group page. For example, in the scenario above, the attacker could gain unauthorized access by registering a user with "UserGroupWikkaCrew" as the login name: ""HasAccess()"" compares the ACL entry against the login before it ever looks at the group page, so the entry matches the attacker directly. The easiest way to prevent this is to refuse registration of a login name that is equal to an existing page name. The reverse case deserves the same care: a group page created with the name of an existing user makes that login and that page indistinguishable in every ACL that names it.
~&This check is already in place as of version 1.1.6.0. --JavaWoman
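To make the whole procedure concrete, here is a stand-alone Python model of the scheme described under ""How to use it?"" and of the name collision discussed in this section. It is an added example, not WikkaWiki code or the author's patch: a dictionary of page bodies stands in for ""LoadPage()"", a set of logins stands in for the users table, the ACL evaluator handles only "*", "!" and named entries, and the group names, logins and the case-insensitive registration check are assumptions made for the illustration.

```python
"""Stand-alone model of the "+Login+" user-group ACL scheme.

Added illustration, not WikkaWiki code: a dict of page bodies replaces
LoadPage() and a set of logins replaces the users table. Group names and
logins below are constructed for the example.
"""
import re

# Constructed sample wiki: page name -> page body. Both layouts accepted by
# the page ("+A+B+" and one "+A+" per line) appear, plus nested groups and a
# deliberate mutual include (UGLoop <-> UGLoop2) to exercise the cycle guard.
PAGES = {
    "UGMetro": "+Reporter1+Reporter2+\n+MetroEditors+",
    "UGSports": "+Reporter4+ +Reporter5+ +SportsEditors+",
    "UGNewsroom": "+UGMetro+ +UGSports+",
    "UGLoop": "+UGLoop2+",
    "UGLoop2": "+UGLoop+",
}

# Constructed registered logins (stands in for the users table).
USERS = {"Reporter1", "Reporter2", "Reporter4", "Reporter5", "MetroEditors", "Outsider"}

# A member is whatever sits between two '+' signs. The lookahead leaves the
# closing '+' unconsumed, so "+A+B+" yields both A and B; a pattern that
# consumes both delimiters would only ever see A.
MEMBER_RE = re.compile(r"\+([^+\s]+)(?=\+)")


def group_members(body):
    """Return the logins or group names listed in a group page body."""
    return MEMBER_RE.findall(body)


def is_group_member(who, group, pages=PAGES, _seen=None):
    """Recursive membership test with a visited set as cycle guard."""
    seen = set() if _seen is None else _seen
    if group in seen or group not in pages:
        return False
    seen.add(group)
    for member in group_members(pages[group]):
        if member == who or is_group_member(who, member, pages, seen):
            return True
    return False


def has_access(user, acl, pages=PAGES):
    """Evaluate an ACL the way the patched HasAccess() does: one entry per
    line, "*" matches everyone, "!" negates, and any other entry is compared
    to the login first and then tried as a group page name. The first
    matching line decides; no match means no access. ("+" for any registered
    user is left out of this model.)"""
    for raw in acl.splitlines():
        line = raw.strip()
        if not line:
            continue
        negate = line.startswith("!")
        if negate:
            line = line[1:]
        if line == "*":
            return not negate
        if line == user or is_group_member(user, line, pages):
            return not negate
    return False


def can_register(login, pages=PAGES, users=USERS):
    """Registration-time check from the Security Risks section: refuse a
    login equal to an existing page name (it would shadow a group page in
    every ACL naming it) or to an existing login. Comparing case-insensitively
    is an extra assumption made here."""
    taken = {p.lower() for p in pages} | {u.lower() for u in users}
    return login.lower() not in taken


if __name__ == "__main__":
    # Nested groups resolve through UGNewsroom -> UGSports.
    print(has_access("Reporter5", "UGNewsroom"))           # True
    # Negation works for groups as for users: sports staff kept out.
    print(has_access("Reporter5", "!UGSports\n*"))          # False
    print(has_access("Reporter1", "!UGSports\n*"))          # True
    # The mutual include terminates instead of recursing forever.
    print(is_group_member("Outsider", "UGLoop"))            # False
    # The collision: a login named like the group page matches the ACL
    # entry directly, before the group page is even consulted...
    print(has_access("UGNewsroom", "UGNewsroom"))           # True
    # ...which is why registration has to reject such a login.
    print(can_register("UGNewsroom"), can_register("NewReporter"))  # False True
```

The visited set is what the recursive variant in the thread above lacks: a group page that lists itself, or two group pages that list each other, would otherwise recurse until the interpreter gives up, and the page would become unreadable for everyone. The registration check only closes the door for new accounts; existing logins that already coincide with page names have to be found and renamed by hand.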

----
CategoryUserContributions