View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0008249 | mantisbt | plug-ins | public | 2007-08-10 01:06 | 2018-01-19 17:32 |
Reporter | jci000 | Assigned To | |||
Priority | normal | Severity | minor | Reproducibility | always |
Status | new | Resolution | open | ||
Product Version | 1.1.0a4 | ||||
Summary | 0008249: DokuWiki user rights | ||||
Description | When using multiple projects where some users haven't rights to see all projects the entire Wiki will be public. This means that a project for customer A will be visible for customer B, and the Wiki isn't usable. The user right seems to come from the general Mantis rights and NOT the user rights assigned on projects, so a Mantis reporter which is assigned to a project as viewer, will still be a reporter in the Wiki, and that seems to be wrong. | ||||
Tags | No tags attached. | ||||
Attached Files | mantis.class.php (1,972 bytes)

```php
<?php
/**
 * Mantis auth backend
 *
 * Uses external Trust mechanism to check against Mantis'
 * user cookie.
 *
 * @author Victor Boctor (http://www.futureware.biz)
 */
require_once( MANTIS_ROOT . 'core.php' );

#dbg($GLOBALS);

class auth_mantis extends auth_basic {
    /**
     * Constructor.
     *
     * Sets additional capabilities and config strings
     */
    function auth_mantis(){
        $this->cando['external'] = true;
    }

    /**
     * Authenticates the user using Mantis APIs.
     */
    function trustExternal($user,$pass,$sticky=false){
        global $USERINFO;
        global $conf;

        if ( auth_is_user_authenticated() ) {
            // okay we're logged in - set the globals
            $USERINFO['pass'] = current_user_get_field( 'password' );
            $USERINFO['name'] = current_user_get_field( 'username' );
            $USERINFO['mail'] = current_user_get_field( 'email' );

            // $t_project_name = getNS( getID() );
            // $t_project_id = project_get_id_by_name( $t_project_name );
            $t_project_name = explode( ':', getNS( getID() ) );
            $t_project_id = project_get_id_by_name( $t_project_name[1] );
            $t_access_level = access_get_project_level( $t_project_id );
            $t_access_level_string = strtoupper( get_enum_to_string( config_get( 'access_levels_enum_string' ), $t_access_level ) );
            $t_access_level_string_ex = strtoupper( $t_project_name[1] ) . '_' . $t_access_level_string;

            // $USERINFO['grps'] = array( $t_access_level_string );
            $USERINFO['grps'] = array( $t_access_level_string, $t_access_level_string_ex );

            $_SERVER['REMOTE_USER'] = $USERINFO['name'];
            $_SESSION[$conf['title']]['auth']['user'] = $USERINFO['name'];
            $_SESSION[$conf['title']]['auth']['info'] = $USERINFO;

            return true;
        }

        // to be sure
        auth_logoff();

        return false;
    }

    /**
     * Logout from Mantis
     */
    function logOff(){
        auth_logout();
    }
}
?>
```

updated_mantis.class.php (1,995 bytes)

```php
<?php
/**
 * Mantis auth backend
 *
 * Uses external Trust mechanism to check against Mantis'
 * user cookie.
 *
 * @author Victor Boctor (http://www.futureware.biz)
 */
require_once( MANTIS_ROOT . 'core.php' );

#dbg($GLOBALS);

class auth_mantis extends auth_basic {
    /**
     * Constructor.
     *
     * Sets additional capabilities and config strings
     */
    function auth_mantis(){
        $this->cando['external'] = true;
    }

    /**
     * Authenticates the user using Mantis APIs.
     */
    function trustExternal($user,$pass,$sticky=false){
        global $USERINFO;
        global $conf;

        if ( auth_is_user_authenticated() ) {
            // okay we're logged in - set the globals
            $USERINFO['pass'] = current_user_get_field( 'password' );
            $USERINFO['name'] = current_user_get_field( 'username' );
            $USERINFO['mail'] = current_user_get_field( 'email' );

            // $t_project_name = getNS( getID() );
            // $t_project_id = project_get_id_by_name( $t_project_name );
            $t_project_name = explode( ':', getNS( getID() ) );
            $t_project_id = project_get_id_by_name( str_replace('_',' ',$t_project_name[1]) );
            $t_access_level = access_get_project_level( $t_project_id );
            $t_access_level_string = strtoupper( get_enum_to_string( config_get( 'access_levels_enum_string' ), $t_access_level ) );
            $t_access_level_string_ex = strtoupper( $t_project_name[1] ) . '_' . $t_access_level_string;

            // $USERINFO['grps'] = array( $t_access_level_string );
            $USERINFO['grps'] = array( $t_access_level_string, $t_access_level_string_ex );

            $_SERVER['REMOTE_USER'] = $USERINFO['name'];
            $_SESSION[$conf['title']]['auth']['user'] = $USERINFO['name'];
            $_SESSION[$conf['title']]['auth']['info'] = $USERINFO;

            return true;
        }

        // to be sure
        auth_logoff();

        return false;
    }

    /**
     * Logout from Mantis
     */
    function logOff(){
        auth_logout();
    }
}
?>
```
Could a possible solution be to transfer the Mantis project access level as the access level to DokuWiki and the project name as a DokuWiki group? Then it should be possible to use the standard DokuWiki 'Access Restrictions' setup for projects. |
|
The Dokuwiki auth module does already use access_get_project_level() to determine access privileges. So, the only thing I think that needs to be done, is for you to customize the dokuwiki/conf/acl.auth.php file to revoke read privileges from viewers, or perhaps even reporters, depending on what your specific installation has for base users. Once you do that, then when you add users to a specific project, make them the lowest level that has read permissions, and then they should be able to only read the stuff for their project. I haven't specifically tried this myself, but since the Dokuwiki auth module for mantis retrieves the project id and project access level, it should work. |
|
I've patched the mantis.class.php file, so it adds an extra group. It will now create USER,PROJECT_USER like VIEWER,PROJECTA_VIEWER. Then the standard files still work but the acl.auth.php file can be changed so some projects can be restricted like `my_namespace:my_project: @ALL 0`. I know that some extra work must be done in DokuWiki when creating projects, but I can't find a better solution right now :-) Setting everything up is a bit tricky so a better guide would help. I've attached the code and also made a comment at |
|
Thanks jci000. I was looking for exactly this. Would be nice to not show the wiki link at all for users who do not have access. |
|
jci000, |
|
Hi mlo. I don't remember, but if you say so it's probably right. I'm not part of the group developing Mantis, but just a user that modifies stuff to get the setup I need. I have no idea how to correct this, but why use _ at all? |
|
The original patch does not properly function. The code attempts to match the namespace with a project ID, but neglects to remove the underscores which are used in lieu of spaces within DokuWiki. As a result, mantis always returns a project ID of '0', which allows the user to view any page, even if the user does not have correct permissions for the project/namespace in question. Fix: Replace '_' with ' ' prior to the project lookup step. See attached updated class file. |
|
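The lookup failure described in the last note, modelled stand-alone as an added example (not code from the attachments or from the MantisBT project). The project table, the user's assignments and the functions `lookup_project_id` and `wiki_groups` are constructed stand-ins for the Mantis lookups; returning no groups when the lookup yields 0 is an added hardening assumption that the attached updated file does not include.

```php
<?php
// Added example, not part of the attached files. Project names, ids and the
// user's assignments below are constructed sample data.
const PROJECTS   = ['Customer A' => 1, 'Customer B' => 2]; // name => project id
const USER_LEVEL = [1 => 'VIEWER'];  // this user is assigned to project 1 only

// Hypothetical stand-in for the Mantis name lookup: returns 0 when no
// project matches, which is the case the last note describes.
function lookup_project_id(string $name): int {
    foreach (PROJECTS as $project => $id) {
        if (strcasecmp($project, $name) === 0) {
            return $id;
        }
    }
    return 0;
}

// Derive the wiki groups for a page namespace such as "mantis:customer_a".
// $normalize = false reproduces the lookup of the first attachment.
function wiki_groups(string $namespace, bool $normalize = true): array {
    $parts   = explode(':', $namespace);
    $segment = $parts[1] ?? '';
    $name    = $normalize ? str_replace('_', ' ', $segment) : $segment;
    $id      = lookup_project_id($name);
    if ($id === 0 || !array_key_exists($id, USER_LEVEL)) {
        return []; // fail closed: unknown project or no assignment, no groups
    }
    $level = USER_LEVEL[$id];
    return [$level, strtoupper($segment) . '_' . $level];
}

// Show, per namespace, the id found without and with underscore replacement
// and the groups the user ends up with.
foreach (['mantis:customer_a', 'mantis:customer_b', 'mantis:typo_name'] as $ns) {
    $segment = explode(':', $ns)[1];
    printf("%-20s raw id=%d  normalized id=%d  groups=[%s]\n",
        $ns,
        lookup_project_id($segment),
        lookup_project_id(str_replace('_', ' ', $segment)),
        implode(', ', wiki_groups($ns)));
}
```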