Priority: Normal
Current State: Closed
Released In: 2.1.5
Target Release: patch
Applies To: Extension
Component:
Branches: Release02x01 master
Unfortunately, Item14169 did not solve the problem. I still get a false positive when logged in with 'unixuser'=='WikiUser', which is included in AdminGroup.
gac410 made the following patch suggestion:
diff --git a/core/lib/Foswiki/Configure/Checkers/FeatureAccess/Configure.pm b/core/lib/Foswiki/Configure/Checkers/FeatureAccess/Configure.pm
index b91e743..ce32012 100644
--- a/core/lib/Foswiki/Configure/Checkers/FeatureAccess/Configure.pm
+++ b/core/lib/Foswiki/Configure/Checkers/FeatureAccess/Configure.pm
@@ -62,6 +62,14 @@ $Foswiki::cfg{AdminUserWikiName} ($Foswiki::cfg{AdminUserLogin}) cannot be used.
my $cUID = Foswiki::Func::getCanonicalUserID();
my $curuser = Foswiki::Func::getWikiName($cUID);
+ if ( scalar @admins && ! scalar @Authorized ) {
+ foreach my $user (@admins) {
+ if ( $user eq $curuser ) {
+ $passed = 1;
+ }
+ }
+ }
+
if ( scalar @Authorized ) {
foreach my $user (@Authorized) {
if ( $user eq $curuser ) {
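Review bot: the added loop over @admins tests only `$user eq $curuser`, and $curuser is the wiki name returned by Foswiki::Func::getWikiName($cUID). If @admins holds canonical user ids or login names rather than wiki names, this comparison never matches and $passed stays false for a legitimate admin. Either compare each entry against $cUID as well, or normalise the @admins entries to wiki names before the loop. The loop can also stop with `last` once $passed is set.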
But it didn't help. Further debugging of the code above showed:
- @admins contains 'BaseUserMapping_333', 'unixuser'
- $curuser == 'WikiUser'
- $cUID == 'WikiUser'
So it seems like the wrong values are compared.
I think that this is a better fix. It uses the core API to determine if the current user is an admin. That's cleaner than parsing the group.
diff --git a/core/lib/Foswiki/Configure/Checkers/FeatureAccess/Configure.pm b/core/lib/Foswiki/Configure/Checkers/FeatureAccess/Configure.pm
index b91e743..65e5d4e 100644
--- a/core/lib/Foswiki/Configure/Checkers/FeatureAccess/Configure.pm
+++ b/core/lib/Foswiki/Configure/Checkers/FeatureAccess/Configure.pm
@@ -56,15 +56,22 @@ $Foswiki::cfg{AdminUserWikiName} ($Foswiki::cfg{AdminUserLogin}) cannot be used.
&& !$Foswiki::cfg{Password}
&& !$Foswiki::cfg{FeatureAccess}{Configure} );
+ $reporter->NOTE(
+ "Current members of AdminGroup are: " . join( ' ', @admins ) );
+
my @Authorized = split( /[,\s]/, $Foswiki::cfg{FeatureAccess}{Configure} );
my $passed = ''; # Set to true if current user is allowed to use configure
my $cUID = Foswiki::Func::getCanonicalUserID();
my $curuser = Foswiki::Func::getWikiName($cUID);
+ unless ( scalar @Authorized ) {
+ $passed = $Foswiki::Plugins::SESSION->{users}->isAdmin($cUID);
+ }
+
if ( scalar @Authorized ) {
foreach my $user (@Authorized) {
- if ( $user eq $curuser ) {
+ if ( $user eq $curuser || $user eq $cUID ) {
$passed = 1;
}
if ( $user =~ m/Group$/ ) {
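Review bot: the new `unless ( scalar @Authorized )` block reaches into `$Foswiki::Plugins::SESSION->{users}` to call isAdmin($cUID), while the surrounding lines go through Foswiki::Func for getCanonicalUserID and getWikiName. Using the published Foswiki::Func::isAnAdmin call here would keep the checker off the session object's internals. The `unless` block is immediately followed by `if ( scalar @Authorized )` on the same condition, so the two read more clearly as one if/else. The added NOTE prints the AdminGroup members unconditionally, including when {FeatureAccess}{Configure} is set and the group is not what grants access; consider emitting it only in the branch where group membership decides the result.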
--
GeorgeClark - 01 Sep 2017
I tested this successfully and it works fine. Thanks!
--
TestUser333 - 01 Sep 2017
I have a revised fix that does a bit more checking and reporting. Please test the version at
https://github.com/foswiki/distro/blob/54b6d8e090caed231a301a1202d227b437dc06d7/core/lib/Foswiki/Configure/Checkers/FeatureAccess/Configure.pm when you get a chance. Thanks
--
GeorgeClark - 06 Sep 2017
I just tested the new file and it works fine. It shows the following output:
Members of AdminGroup have access to configure: AdminUser(BaseUserMapping_333), WikiUser1, WikiUser2(unixuser2), ...
(WikiUserX are members of my AdminGroup, WikiUser1 has not yet been migrated and is therefore not existent). I do have to restart httpd before changes in {FeatureAccess}{Configure} lead to a changed output here, but that's as it should be I guess.
--
TestUser333 - 11 Sep 2017