View Issue Details

ID: 0008249
Project: mantisbt
Category: plug-ins
View Status: public
Last Update: 2018-01-19 17:32
Reporter: jci000
Assigned To: (unassigned)
Priority: normal
Severity: minor
Reproducibility: always
Status: new
Resolution: open
Product Version: 1.1.0a4
Summary: 0008249: DokuWiki user rights
Description

When using multiple projects where some users don't have rights to see all projects, the entire Wiki will be public. This means that a project for customer A will be visible to customer B, and then the Wiki isn't usable.

The user right seems to come from the general Mantis rights and NOT the user rights assigned on projects, so a Mantis reporter who is assigned to a project as viewer will still be a reporter in the Wiki, and that seems to be wrong.

Tags: No tags attached.
Attached Files
mantis.class.php (1,972 bytes)   
<?php
/**
 * Mantis auth backend
 *
 * Uses external Trust mechanism to check against Mantis'
 * user cookie.
 *
 * @author    Victor Boctor (http://www.futureware.biz)
 */
 
require_once( MANTIS_ROOT . 'core.php' );
 
#dbg($GLOBALS);
 
class auth_mantis extends auth_basic {
  /**
   * Constructor.
   *
   * Sets additional capabilities and config strings
   */
  function auth_mantis(){
    $this->cando['external'] = true;
  }
 
  /**
   * Authenticates the user using Mantis APIs.
   */
  function trustExternal($user,$pass,$sticky=false){
    global $USERINFO;
    global $conf;
 
    if ( auth_is_user_authenticated() ) {
      // okay we're logged in - set the globals
      $USERINFO['pass'] = current_user_get_field( 'password' );
      $USERINFO['name'] = current_user_get_field( 'username' );
      $USERINFO['mail'] = current_user_get_field( 'email' );
 
//      $t_project_name = getNS( getID() );
//      $t_project_id = project_get_id_by_name( $t_project_name );
      $t_project_name = explode( ':', getNS( getID() ) );
      $t_project_id = project_get_id_by_name( $t_project_name[1] );
      $t_access_level = access_get_project_level( $t_project_id );
      $t_access_level_string = strtoupper( get_enum_to_string( config_get( 'access_levels_enum_string' ),  $t_access_level ) );

      $t_access_level_string_ex = strtoupper( $t_project_name[1] ) . '_' . $t_access_level_string;

//      $USERINFO['grps'] = array( $t_access_level_string );
      $USERINFO['grps'] = array( $t_access_level_string, $t_access_level_string_ex );
 
      $_SERVER['REMOTE_USER'] = $USERINFO['name'];

      $_SESSION[$conf['title']]['auth']['user'] = $USERINFO['name'];
      $_SESSION[$conf['title']]['auth']['info'] = $USERINFO;
 
      return true;
    }
 
    // to be sure
    auth_logoff();
 
    return false;
  }
 
  /**
   * Logout from Mantis
   */
  function logOff(){
    auth_logout();
  }
}
?>
updated_mantis.class.php (1,995 bytes)   
<?php
/**
 * Mantis auth backend
 *
 * Uses external Trust mechanism to check against Mantis'
 * user cookie.
 *
 * @author    Victor Boctor (http://www.futureware.biz)
 */
 
require_once( MANTIS_ROOT . 'core.php' );
 
#dbg($GLOBALS);
 
class auth_mantis extends auth_basic {
  /**
   * Constructor.
   *
   * Sets additional capabilities and config strings
   */
  function auth_mantis(){
    $this->cando['external'] = true;
  }
 
  /**
   * Authenticates the user using Mantis APIs.
   */
  function trustExternal($user,$pass,$sticky=false){
    global $USERINFO;
    global $conf;
 
    if ( auth_is_user_authenticated() ) {
      // okay we're logged in - set the globals
      $USERINFO['pass'] = current_user_get_field( 'password' );
      $USERINFO['name'] = current_user_get_field( 'username' );
      $USERINFO['mail'] = current_user_get_field( 'email' );
 
//      $t_project_name = getNS( getID() );
//      $t_project_id = project_get_id_by_name( $t_project_name );
      $t_project_name = explode( ':', getNS( getID() ) );
      // DokuWiki namespaces carry '_' where the Mantis project name has a space,
      // so restore the spaces before looking the project up by name
      $t_project_id = project_get_id_by_name( str_replace( '_', ' ', $t_project_name[1] ) );

      $t_access_level = access_get_project_level( $t_project_id );
      $t_access_level_string = strtoupper( get_enum_to_string( config_get( 'access_levels_enum_string' ),  $t_access_level ) );

      $t_access_level_string_ex = strtoupper( $t_project_name[1] ) . '_' . $t_access_level_string;

//      $USERINFO['grps'] = array( $t_access_level_string );
      $USERINFO['grps'] = array( $t_access_level_string, $t_access_level_string_ex );
 
      $_SERVER['REMOTE_USER'] = $USERINFO['name'];

      $_SESSION[$conf['title']]['auth']['user'] = $USERINFO['name'];
      $_SESSION[$conf['title']]['auth']['info'] = $USERINFO;
 
      return true;
    }
 
    // to be sure
    auth_logoff();
 
    return false;
  }
 
  /**
   * Logout from Mantis
   */
  function logOff(){
    auth_logout();
  }
}
?>

Relationships

has duplicate 0007753 (closed, dregad): Wiki rights

Activities

jci000 (reporter) 2007-08-10 01:35 ~0015393

Could a possible solution be to transfer the Mantis project access level as the access level to DokuWiki and the project name as a DokuWiki group? Then it should be possible to use the standard DokuWiki 'Access Restrictions' setup for projects.

jreese (reporter) 2007-08-10 09:45 ~0015400 (last edited 2007-08-10 09:46)

The Dokuwiki auth module does already use access_get_project_level() to determine access privileges. So, the only thing I think that needs to be done, is for you to customize the dokuwiki/conf/acl.auth.php file to revoke read privileges from viewers, or perhaps even reporters, depending on what your specific installation has for base users. Once you do that, then when you add users to a specific project, make them the lowest level that has read permissions, and then they should be able to only read the stuff for their project. I haven't specifically tried this myself, but since the Dokuwiki auth module for mantis retrieves the project id and project access level, it should work.

jci000 (reporter) 2007-08-13 07:50 ~0015431

I've patched the mantis.class.php file, so it adds an extra group. It will now create USER,PROJECT_USER like VIEWER,PROJECTA_VIEWER.

Then the standard files still work but the acl.auth.php file can be changed so some projects can be restricted like

my_namespace:my_project:*  @ALL  0
my_namespace:my_project:*  @MYPROJECT_VIEWER  1

I know that some extra work must be done in DokuWiki when creating projects, but I can't find a better solution right now :-)

Setting everything up is a bit tricky so a better guide would help.

I've attached the code and also made a comment at

http://www.mantisbt.org/forums/viewtopic.php?t=3623

nurikabe (reporter) 2008-03-07 10:53 ~0017284

Thanks jci000. I was looking for exactly this.

Would be nice to not show the wiki link at all for users who do not have access.

mlo (reporter) 2008-04-09 12:41 ~0017580

jci000,
I've tried your patch, but it only seems to work if no underline is used in group names.
Can you confirm this?
Else, what could be the problem?

jci000 (reporter) 2008-04-11 09:22 ~0017588

Hi mlo. I don't remember, but if you say so it's probably right. I'm not part of the group developing Mantis, but just a user who modifies stuff to get the setup I need. I have no idea how to correct this, but why use _ at all?

williamg (reporter) 2009-08-10 15:46 ~0022712

The original patch does not properly function. The code attempts to match the namespace with a project ID, but neglects to remove the underscores which are used in lieu of spaces within DokuWiki.

As a result, mantis always returns a project ID of '0', which allows the user to view any page, even if the user does not have correct permissions for the project/namespace in question.

Fix: Replace '_' with ' ' prior to the project lookup step.

See attached updated class file.
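jci000's group scheme (VIEWER plus PROJECTA_VIEWER, restricted through acl.auth.php) and williamg's underscore finding, played through in one added example that is not part of the attached class files or of MantisBT/DokuWiki: it replaces project_get_id_by_name(), access_get_project_level() and DokuWiki's ACL resolution with constructed stand-ins (the project table, the per-user access map and the simplified most-specific-scope ACL check are all assumptions) and shows why a failed lookup, which yields project id 0, lets any wiki user into a restricted namespace.

```php
<?php
// Constructed stand-in for Mantis' project table; project_get_id_by_name() yields 0 on no match.
// Assumption: the lookup is case-insensitive (as on a MySQL backend), since DokuWiki lowercases ids.
$projects = ['Project A' => 1, 'Project B' => 2];
function lookup_project_id(array $projects, string $name): int {
    foreach ($projects as $pname => $id) {
        if (strcasecmp($pname, $name) === 0) return $id;
    }
    return 0;
}

// Groups the auth backend derives for a namespace such as my_namespace:project_a.
// $access maps project id => the user's Mantis level (constructed): index 0 is the
// global level, and a non-member of a (private) project gets ANYBODY, as in Mantis.
function wiki_groups(array $projects, array $access, string $ns, bool $fix_underscores): array {
    $parts = explode(':', $ns);
    $project_ns = $parts[1] ?? '';
    $name = $fix_underscores ? str_replace('_', ' ', $project_ns) : $project_ns;
    $project_id = lookup_project_id($projects, $name);
    $level = $access[$project_id] ?? 'ANYBODY';
    return [$level, strtoupper($project_ns) . '_' . $level];
}

// Simplified model of DokuWiki ACL resolution: rules for the page's own namespace take
// precedence over the global '*' rule, and within a scope the highest permission among
// matching subjects (@ALL or one of the user's groups) wins. 0 = none, 1 = read.
function acl_check(array $acl, string $ns, array $groups): int {
    foreach ([$ns . ':*', '*'] as $scope) {
        $perm = null;
        foreach ($acl as [$path, $subject, $level]) {
            if ($path === $scope && ($subject === '@ALL' || in_array(substr($subject, 1), $groups, true))) {
                $perm = max($perm ?? 0, $level);
            }
        }
        if ($perm !== null) return $perm;
    }
    return 0;
}

// The acl.auth.php rules from the thread, plus a global read rule for the unrestricted namespaces.
$acl = [
    ['my_namespace:project_a:*', '@ALL', 0],
    ['my_namespace:project_a:*', '@PROJECT_A_VIEWER', 1],
    ['*', '@ALL', 1],
];
// Customer B holds VIEWER globally and in Project B only, yet requests a Project A page.
$customer_b = [0 => 'VIEWER', 2 => 'VIEWER'];
foreach (['original' => false, 'fixed' => true] as $label => $fix) {
    $groups = wiki_groups($projects, $customer_b, 'my_namespace:project_a', $fix);
    printf("%-8s groups=%-26s read=%d\n", $label, implode(',', $groups), acl_check($acl, 'my_namespace:project_a', $groups));
}
```

With the original lookup the namespace name never matches, so the backend falls back to the user's global level and still stamps the PROJECT_A_ prefix on it, which satisfies the @PROJECT_A_VIEWER rule for every viewer; with the spaces restored the lookup succeeds and a non-member only ends up in PROJECT_A_ANYBODY.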