
tips:clean_acl

Differences

This shows you the differences between two versions of the page.

wiki:tips:clean_acl [2008-08-05 12:51] – created gbirkewiki:tips:clean_acl [2008-08-05 12:55] – mention cron gbirke
Line 1: Line 1:
 +====== Clean up Access Control Lists ======
  
 +When pages, namespaces and users are deleted, the permission settings for them are left in the access control list (ACL). This can create a potential security risk when pages or users are created again. The following script (to be placed in the ''bin'' folder of your DokuWiki installation) cleans up the ACL. You must create the folder ''conf/backup'' first, the old ACL file will be backed up there. Depending on the usage patterns in your wiki, you can run it as as daily, weekly or monthly cron job.
 +
 +<code php>
 +#!/usr/bin/php
 +<?php
 +#------------------------------------------------------------------------------
 +if(!defined('NOSESSION')) define('NOSESSION', true);
 +if(!defined('DOKU_INC')) define('DOKU_INC',realpath(dirname(__FILE__).'/../').'/');
 +require_once DOKU_INC.'inc/init.php';
 +require_once DOKU_INC.'inc/common.php';
 +require_once DOKU_INC.'inc/cliopts.php';
 +
 +// handle options
 +$short_opts = 'hq';
 +$long_opts  = array('help', 'quiet');
 +$OPTS = Doku_Cli_Opts::getOptions(__FILE__,$short_opts,$long_opts);
 +if ( $OPTS->isError() ) {
 +    fwrite( STDERR, $OPTS->getMessage() . "\n");
 +    _usage();
 +    exit(1);
 +}
 +
 +$QUIET = false;
 +foreach ($OPTS->options as $key => $val) {
 +    switch ($key) {
 +        case 'h':
 +        case 'help':
 +            _usage();
 +            exit;
 +    case 'q':
 +        case 'quiet':
 +      $QUIET = true;
 +      break;
 +    }
 +}
 +
 +#------------------------------------------------------------------------------
 +
 +function _usage() {
 +    print "Usage: clean_acl.php <options>
 +    
 +  Removes entries from acl.auth.php referencing page ids that 
 +  don't exist anymore.
 +    
 +    OPTIONS
 +        -h, --help     show this help and exit
 +        -q, --quiet    don't produce any output
 +";
 +}
 +
 +#------------------------------------------------------------------------------
 +function clean_acl()
 +{
 +  $acls_name = DOKU_CONF.'/acl.auth.php';
 +  $acls = file($acls_name);
 +  $new_acls = fopen(DOKU_CONF.'/acl.auth.new.php', 'w');
 +  $msg = "Removed: '%s' (%s).\n";
 +  $was_changed = false;
 +  foreach($acls as $line)
 +  {
 +    if(trim($line) && !preg_match('/^#/', $line))
 +    {
 +      if(id_exists($line))
 +      {
 +        if(user_exists($line))
 +        {
 +          fwrite($new_acls, $line);
 +        }
 +        else
 +        {
 +          _quietecho(sprintf($msg, trim($line), 'user does not exist'));
 +          $was_changed = true;
 +        }
 +      }
 +      else
 +      {
 +        _quietecho(sprintf($msg, trim($line), 'page does not exist'));
 +         $was_changed = true;
 +      }
 +    }
 +    else
 +    {
 +      fwrite($new_acls, $line);
 +    }
 +  }
 +  fclose($new_acls);
 +  //die();
 +  if($was_changed)
 +  {
 +    $ok = @rename(DOKU_CONF.'/acl.auth.php', DOKU_CONF.'/backup/acl.auth.'.date('Y-m-d_His').'.php');
 +    if($ok)
 +      $ok = @rename(DOKU_CONF.'/acl.auth.new.php',  DOKU_CONF.'/acl.auth.php');
 +    else
 +      _quietecho('Could not rename old acl file.');
 +  }
 +  else
 +  {
 +    @unlink(DOKU_CONF.'/acl.auth.new.php');
 +  }
 +  
 +}
 +
 +#------------------------------------------------------------------------------
 +function id_exists($acl_line)
 +{
 +  $access = preg_split("/\s/", $acl_line);
 +  // "All"
 +  if($access[0]=="*")
 +  {
 +    return true;
 +  }
 +  // Namespace
 +  elseif(preg_match('/(.*):\*$/', $access[0], $matches))
 +  {
 +    $fn = str_replace(".txt", "", wikiFN($matches[1]));
 +  }
 +  // Page
 +  else
 +  {
 +    $fn = wikiFN($access[0]);
 +  }
 +  return file_exists($fn);
 +}
 +
 +function user_exists($line)
 +{
 +  static $usernames = null;
 +  if(is_null($usernames))
 +  {
 +    $usernames = array();
 +    foreach(file(DOKU_CONF.'/users.auth.php') as $userline)
 +    {
 +      if($userline[0] == '#')
 +        continue;
 +      $line_arr = explode(':', $userline);
 +      if(trim($line_arr[0]))
 +        $usernames[] = trim($line_arr[0]);
 +    }
 +  }
 +  list(,$user) = explode("\t", $line);
 +  if($user[0] == '@')
 +    return true;
 +  return in_array(rawurldecode($user), $usernames);
 +}
 +
 +function _quietecho($msg)
 +{
 +  global $QUIET;
 +  if(!$QUIET)
 +    echo $msg;
 +}
 +
 +clean_acl();
 +?>
 +</code>
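Review bot: The swap at the end of clean_acl() can leave the wiki with no acl.auth.php at all, because the live file is first renamed into conf/backup and the result of the second rename() is assigned to $ok but never checked. The fopen() of acl.auth.new.php is also unchecked, and a failed backup rename leaves the temporary file behind in conf. Copying the live file to the backup and then doing a single checked rename() of the new file over it keeps a valid ACL in place at every step, as sketched below. Separately, user_exists() splits on a literal tab while id_exists() splits on any whitespace, so a space-separated rule would be reported as "user does not exist" and dropped; `list(,$user) = preg_split('/\s+/', trim($line));` would make the two agree.

```php
  $new_acls = fopen(DOKU_CONF.'/acl.auth.new.php', 'w');
  if($new_acls === false)
  {
    fwrite(STDERR, "Could not create temporary acl file; nothing changed.\n");
    exit(1);
  }
  // … unchanged: loop that writes the kept lines to acl.auth.new.php, fclose() …
  if($was_changed)
  {
    $backup = DOKU_CONF.'/backup/acl.auth.'.date('Y-m-d_His').'.php';
    // Copy rather than rename, so acl.auth.php never disappears.
    if(!copy($acls_name, $backup))
    {
      @unlink(DOKU_CONF.'/acl.auth.new.php');
      fwrite(STDERR, "Could not back up old acl file; leaving it unchanged.\n");
      exit(1);
    }
    // One rename swaps the cleaned file in over the live one.
    if(!rename(DOKU_CONF.'/acl.auth.new.php', $acls_name))
    {
      fwrite(STDERR, "Could not install cleaned acl file; old file is still in place.\n");
      exit(1);
    }
  }
  // … unchanged: else branch that unlinks acl.auth.new.php …
```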
tips/clean_acl.txt · Last modified: 2012-05-07 15:48 by 82.185.100.94

Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International