
tips:clean_acl

Clean up Access Control Lists

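When pages, namespaces and users are deleted, the permission settings for them are left in the access control list (ACL). This can create a potential security risk when pages or users are created again, because the re-created page or user silently inherits the stale permissions. The following script (to be placed in the bin folder of your DokuWiki installation) cleans up the ACL. You must create the folder conf/backup first; the old ACL file will be backed up there. Depending on the usage patterns in your wiki, you can run it as a daily, weekly or monthly cron job. Note that the script checks users only against conf/users.auth.php, so on a wiki that authenticates against a different backend, review the reported removals (and keep the backup) before relying on it.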

#!/usr/bin/php
<?php
#------------------------------------------------------------------------------
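// Refuse to run through a web server: this script rewrites conf/acl.auth.php,
// so it must only ever be started from the command line (a shell or cron).
if(php_sapi_name() !== 'cli') die('This script can only be run from the command line.');

// NOSESSION is defined before DokuWiki's init is loaded; a command line run
// has no browser session to resume.
if(!defined('NOSESSION')) define('NOSESSION', true);
// DokuWiki root: the parent of the directory that holds this script (bin/).
if(!defined('DOKU_INC')) define('DOKU_INC',realpath(dirname(__FILE__).'/../').'/');
require_once DOKU_INC.'inc/init.php';
require_once DOKU_INC.'inc/common.php';
require_once DOKU_INC.'inc/cliopts.php';

// handle options
$short_opts = 'hq';
$long_opts  = array('help', 'quiet');
$OPTS = Doku_Cli_Opts::getOptions(__FILE__,$short_opts,$long_opts);
if ( $OPTS->isError() ) {
    // Unknown or malformed option: report it on STDERR and exit non-zero so
    // that a cron wrapper notices the failure.
    fwrite( STDERR, $OPTS->getMessage() . "\n");
    _usage();
    exit(1);
}

// $QUIET is read by _quietecho() to suppress the progress messages.
$QUIET = false;
foreach ($OPTS->options as $key => $val) {
    switch ($key) {
        case 'h':
        case 'help':
            _usage();
            exit;
        case 'q':
        case 'quiet':
            $QUIET = true;
            break;
    }
}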
 
#------------------------------------------------------------------------------

// Print the command line help text to standard output.
function _usage() {
    // Nowdoc keeps the help text verbatim; the empty line before the closing
    // marker supplies the trailing newline.
    $help = <<<'HELP'
Usage: clean_acl.php <options>
 
  Removes entries from acl.auth.php referencing page ids that 
  don't exist anymore.
 
    OPTIONS
        -h, --help     show this help and exit
        -q, --quiet    don't produce any output

HELP;
    echo $help;
}
 
#------------------------------------------------------------------------------
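/**
 * Rewrite conf/acl.auth.php without the rules whose page, namespace or user
 * no longer exists.
 *
 * Blank lines and comment lines (starting with '#') are copied unchanged.
 * Every other line is kept only when both id_exists() and user_exists()
 * accept it; each dropped line is reported through _quietecho().
 *
 * The cleaned list is written to conf/acl.auth.new.php first. Only when at
 * least one rule was dropped is the live file copied to
 * conf/backup/acl.auth.<timestamp>.php (the folder must already exist) and
 * then replaced by the new file. The live file is copied, not moved, so the
 * wiki is never left without an ACL file if the replacement step fails.
 * On any error the live ACL file is left untouched.
 *
 * Rules added through the wiki between the read and the final rename are
 * not merged in; schedule the job for a quiet period.
 */
function clean_acl()
{
  $acls_name = DOKU_CONF.'/acl.auth.php';
  $new_name  = DOKU_CONF.'/acl.auth.new.php';
  $msg = "Removed: '%s' (%s).\n";

  $acls = @file($acls_name);
  if($acls === false)
  {
    _quietecho("Could not read acl file.\n");
    return;
  }
  $new_acls = @fopen($new_name, 'w');
  if($new_acls === false)
  {
    _quietecho("Could not create new acl file.\n");
    return;
  }

  $was_changed = false;
  $write_ok = true;
  foreach($acls as $line)
  {
    // Only real rules are checked; blank lines and comments pass through.
    $is_rule = trim($line) && !preg_match('/^#/', $line);
    if($is_rule && !id_exists($line))
    {
      _quietecho(sprintf($msg, trim($line), 'page does not exist'));
      $was_changed = true;
      continue;
    }
    if($is_rule && !user_exists($line))
    {
      _quietecho(sprintf($msg, trim($line), 'user does not exist'));
      $was_changed = true;
      continue;
    }
    // A short or failed write (e.g. disk full) would truncate the rule set,
    // so it aborts the whole run instead of installing a partial file.
    if(fwrite($new_acls, $line) !== strlen($line))
    {
      $write_ok = false;
      break;
    }
  }
  fclose($new_acls);

  if(!$write_ok)
  {
    _quietecho("Could not write new acl file, acl left unchanged.\n");
    @unlink($new_name);
    return;
  }
  if(!$was_changed)
  {
    @unlink($new_name);
    return;
  }

  $backup_name = DOKU_CONF.'/backup/acl.auth.'.date('Y-m-d_His').'.php';
  if(!@copy($acls_name, $backup_name))
  {
    _quietecho("Could not back up old acl file.\n");
    @unlink($new_name);
    return;
  }

  // The new file was created with this process's umask; give it the same
  // permission bits as the file it replaces. Ownership cannot be carried
  // over this way, so run the job as the account that owns the wiki files.
  $perms = @fileperms($acls_name);
  if($perms !== false)
    @chmod($new_name, $perms & 0777);

  if(!@rename($new_name, $acls_name))
  {
    _quietecho("Could not replace acl file.\n");
    @unlink($new_name);
  }
}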
 
#------------------------------------------------------------------------------
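/**
 * Tell whether the target (first field) of an ACL line still exists.
 *
 * The line is trimmed and split on runs of whitespace, so leading blanks and
 * space-separated fields are handled like tab-separated ones.
 *
 * Returns true, meaning "keep the rule", when the target is
 *   - "*" (the rule for the whole wiki),
 *   - an id containing the %USER% or %GROUP% placeholder, which only
 *     resolves at request time and cannot be checked against the disk,
 *   - a namespace ("ns:*") whose directory exists under pages or media,
 *   - a page whose text file exists, or a media file of that id.
 *
 * @param string $acl_line one raw line of acl.auth.php
 * @return bool false only when nothing matching the target was found
 */
function id_exists($acl_line)
{
  $access = preg_split('/\s+/', trim($acl_line));
  $id = $access[0];

  // "All"
  if($id === '*')
  {
    return true;
  }

  // Placeholder rules must never be dropped just because no literal
  // "%USER%" page exists.
  if(strpos($id, '%USER%') !== false || strpos($id, '%GROUP%') !== false)
  {
    return true;
  }

  // Namespace
  if(preg_match('/(.*):\*$/', $id, $matches))
  {
    $ns = $matches[1];
    $fn = wikiFN($ns);
    // wikiFN() yields a page file name; drop only the trailing ".txt" to get
    // the directory, leaving any ".txt" elsewhere in the path alone.
    if(substr($fn, -4) === '.txt')
      $fn = substr($fn, 0, -4);
    if(file_exists($fn))
      return true;
    // A namespace may hold media only; its rules are still in use.
    return function_exists('mediaFN') && is_dir(mediaFN($ns));
  }

  // Page
  if(file_exists(wikiFN($id)))
  {
    return true;
  }
  // Rule written for a single media file.
  return function_exists('mediaFN') && is_file(mediaFN($id));
}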
 
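/**
 * Tell whether the subject (second field) of an ACL line still exists.
 *
 * Group subjects ("@group") and the %USER% placeholder are always accepted.
 * User names are URL-decoded and looked up in conf/users.auth.php, which is
 * read once and cached for the rest of the run.
 *
 * The function fails safe: when the user file cannot be read (for example
 * because the wiki authenticates against another backend) or the line has no
 * subject field, it returns true so that the rule is kept rather than
 * deleted on incomplete information.
 *
 * @param string $line one raw line of acl.auth.php
 * @return bool false only when the named user is missing from the user file
 */
function user_exists($line)
{
  // null = not loaded yet, false = user file unreadable, array = known names
  static $usernames = null;
  if(is_null($usernames))
  {
    $userlines = @file(DOKU_CONF.'/users.auth.php');
    if($userlines === false)
    {
      $usernames = false;
      if(defined('STDERR'))
        fwrite(STDERR, "Could not read users.auth.php, user rules are kept unchecked.\n");
    }
    else
    {
      $usernames = array();
      foreach($userlines as $userline)
      {
        if($userline[0] == '#')
          continue;
        $line_arr = explode(':', $userline);
        if(trim($line_arr[0]))
          $usernames[] = trim($line_arr[0]);
      }
    }
  }

  // Split on any whitespace, like id_exists() does, so that space-separated
  // rules are not mistaken for rules without a subject.
  $fields = preg_split('/\s+/', trim($line));
  if(count($fields) < 2 || $fields[1] === '')
    return true;
  $user = $fields[1];

  if($user[0] == '@')
    return true;
  if($user === '%USER%')
    return true;
  if($usernames === false)
    return true;
  // Strict comparison: with loose comparison numeric-looking names such as
  // "007" and "7" would match each other and keep a stale rule alive.
  return in_array(rawurldecode($user), $usernames, true);
}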
 
// Print $msg to standard output unless quiet mode (-q/--quiet) set $QUIET.
function _quietecho($msg)
{
  global $QUIET;
  if($QUIET)
  {
    return;
  }
  print $msg;
}
 
// Entry point: run the cleanup once per invocation.
clean_acl();
?>

Manage folder tree in ACL management page

The ACL management page shows the folder tree that you should use to manage ACLs on directories.
DokuWiki builds this tree by reading not only the pages folder but also the media folder.
That is why the tree can differ from what a file explorer shows under pages: DokuWiki also reads the media folder and matches it against the pages folder.

tips/clean_acl.txt · Last modified: 2012-05-07 15:48 by 82.185.100.94
