Item14463: Verification for {FeatureAccess}{Configure} in configure fails to handle login names (cont.)

Priority: Normal
Current State: Closed
Released In: 2.1.5
Target Release: patch
Applies To: Extension
Component:
Branches: Release02x01 master
Reported By: StefanH
Waiting For:
Last Change By: MichaelDaum
Unfortunately Item14169 did not solve the problem. I still get a false positive when logged in with 'unixuser'=='WikiUser' which is included in AdminGroup.

gac410 made the following patch suggestion:

diff --git a/core/lib/Foswiki/Configure/Checkers/FeatureAccess/Configure.pm b/core/lib/Foswiki/Configure/Checkers/FeatureAccess/Configure.pm
index b91e743..ce32012 100644
--- a/core/lib/Foswiki/Configure/Checkers/FeatureAccess/Configure.pm
+++ b/core/lib/Foswiki/Configure/Checkers/FeatureAccess/Configure.pm
@@ -62,6 +62,14 @@ $Foswiki::cfg{AdminUserWikiName} ($Foswiki::cfg{AdminUserLogin}) cannot be used.
     my $cUID    = Foswiki::Func::getCanonicalUserID();
     my $curuser = Foswiki::Func::getWikiName($cUID);
 
+    if ( scalar @admins && ! scalar @Authorized ) {
+        foreach my $user (@admins) {
+            if ( $user eq $curuser ) {
+                $passed = 1;
+            }
+        }
+    }
+
     if ( scalar @Authorized ) {
         foreach my $user (@Authorized) {
             if ( $user eq $curuser ) {
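
Review bot: In the added foreach over @admins, the test "$user eq $curuser" compares each group entry with the wiki name only, and nothing in the hunk converts the entries to that form, so it matches only when @admins already holds wiki names. The debugging reported below the patch (@admins holding 'BaseUserMapping_333' and 'unixuser' while $curuser is 'WikiUser') is exactly that case. Either map each entry to a wiki name before comparing, or ask the core whether $cUID is an admin instead of comparing strings. A "last" after "$passed = 1;" would also stop the loop once a match is found.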

But it didn't help. Further debugging of the code above showed:

  • @admins contains 'BaseUserMapping_333', 'unixuser'
  • $curuser == 'WikiUser'
  • $cUID == 'WikiUser'

So it seems like the wrong values are compared.

I think that this is a better fix. It uses the core API to determine if the current user is an admin. That's cleaner than parsing the group.
diff --git a/core/lib/Foswiki/Configure/Checkers/FeatureAccess/Configure.pm b/core/lib/Foswiki/Configure/Checkers/FeatureAccess/Configure.pm
index b91e743..65e5d4e 100644
--- a/core/lib/Foswiki/Configure/Checkers/FeatureAccess/Configure.pm
+++ b/core/lib/Foswiki/Configure/Checkers/FeatureAccess/Configure.pm
@@ -56,15 +56,22 @@ $Foswiki::cfg{AdminUserWikiName} ($Foswiki::cfg{AdminUserLogin}) cannot be used.
         && !$Foswiki::cfg{Password}
         && !$Foswiki::cfg{FeatureAccess}{Configure} );
 
+    $reporter->NOTE(
+        "Current members of AdminGroup are: " . join( ' ', @admins ) );
+
     my @Authorized = split( /[,\s]/, $Foswiki::cfg{FeatureAccess}{Configure} );
     my $passed = '';   # Set to true if current user is allowed to use configure
 
     my $cUID    = Foswiki::Func::getCanonicalUserID();
     my $curuser = Foswiki::Func::getWikiName($cUID);
 
+    unless ( scalar @Authorized ) {
+        $passed = $Foswiki::Plugins::SESSION->{users}->isAdmin($cUID);
+    }
+
     if ( scalar @Authorized ) {
         foreach my $user (@Authorized) {
-            if ( $user eq $curuser ) {
+            if ( $user eq $curuser || $user eq $cUID ) {
                 $passed = 1;
             }
             if ( $user =~ m/Group$/ ) {
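
Review bot: On the changed line "if ( $user eq $curuser || $user eq $cUID ) {", an entry in {FeatureAccess}{Configure} that is written as a login name still will not match when the login differs from the canonical ID, as in the debugging above where the login is 'unixuser' and both $cUID and $curuser are 'WikiUser'. If login names are meant to be accepted there, compare against the current user's login name as well. In the added unless block, the call reaches into $Foswiki::Plugins::SESSION->{users} directly while the surrounding lines use Foswiki::Func; Foswiki::Func::isAnAdmin would keep the checker on the published API. The "unless ( scalar @Authorized )" block followed by "if ( scalar @Authorized )" tests the same condition twice and would read more clearly as one if/else.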

-- GeorgeClark - 01 Sep 2017

I tested this successfully and it works fine. Thanks!

-- TestUser333 - 01 Sep 2017

I have a revised fix that does a bit more checking and reporting. Please test the version at https://github.com/foswiki/distro/blob/54b6d8e090caed231a301a1202d227b437dc06d7/core/lib/Foswiki/Configure/Checkers/FeatureAccess/Configure.pm when you get a chance. Thanks

-- GeorgeClark - 06 Sep 2017

I just tested the new file and it works fine. It shows the following output:

Members of AdminGroup have access to configure: AdminUser(BaseUserMapping_333), WikiUser1, WikiUser2(unixuser2), ...

(WikiUserX are members of my AdminGroup, WikiUser1 has not yet been migrated and is therefore not existent). I do have to restart httpd before changes in {FeatureAccess}{Configure} lead to a changed output here, but that's as it should be I guess.

-- TestUser333 - 11 Sep 2017
 

ItemTemplate

Summary Verification for {FeatureAccess}{Configure} in configure fails to handle login names (cont.)
ReportedBy StefanH
Codebase 2.1.4
SVN Range
AppliesTo Extension
Component
Priority Normal
CurrentState Closed
WaitingFor
Checkins distro:54b6d8e090ca
TargetRelease patch
ReleasedIn 2.1.5
CheckinsOnBranches Release02x01 master
trunkCheckins
masterCheckins distro:54b6d8e090ca
ItemBranchCheckins
Release02x01Checkins distro:54b6d8e090ca
Release02x00Checkins
Release01x01Checkins
Topic revision: r9 - 01 Oct 2018, MichaelDaum