
tips:clean_acl

Differences

wiki:tips:clean_acl [2008-08-05 12:51] – created gbirketips:clean_acl [2012-05-07 15:48] (current) 82.185.100.94
Line 1: Line 1:
 +====== Clean up Access Control Lists ======
  
 +When pages, namespaces and users are deleted, the permission settings for them are left in the access control list (ACL). This can create a potential security risk when pages or users are created again. The following script (to be placed in the ''bin'' folder of your DokuWiki installation) cleans up the ACL. You must create the folder ''conf/backup'' first, the old ACL file will be backed up there. Depending on the usage patterns in your wiki, you can run it as as daily, weekly or monthly cron job.
 +
 +<code php>
 +#!/usr/bin/php
 +<?php
 +#------------------------------------------------------------------------------
 +if(!defined('NOSESSION')) define('NOSESSION', true);
 +if(!defined('DOKU_INC')) define('DOKU_INC',realpath(dirname(__FILE__).'/../').'/');
 +require_once DOKU_INC.'inc/init.php';
 +require_once DOKU_INC.'inc/common.php';
 +require_once DOKU_INC.'inc/cliopts.php';
 +
 +// handle options
 +$short_opts = 'hq';
 +$long_opts  = array('help', 'quiet');
 +$OPTS = Doku_Cli_Opts::getOptions(__FILE__,$short_opts,$long_opts);
 +if ( $OPTS->isError() ) {
 +    fwrite( STDERR, $OPTS->getMessage() . "\n");
 +    _usage();
 +    exit(1);
 +}
 +
 +$QUIET = false;
 +foreach ($OPTS->options as $key => $val) {
 +    switch ($key) {
 +        case 'h':
 +        case 'help':
 +            _usage();
 +            exit;
 +    case 'q':
 +        case 'quiet':
 +      $QUIET = true;
 +      break;
 +    }
 +}
 +
 +#------------------------------------------------------------------------------
 +
 +function _usage() {
 +    print "Usage: clean_acl.php <options>
 +    
 +  Removes entries from acl.auth.php referencing page ids that 
 +  don't exist anymore.
 +    
 +    OPTIONS
 +        -h, --help     show this help and exit
 +        -q, --quiet    don't produce any output
 +";
 +}
 +
 +#------------------------------------------------------------------------------
 +function clean_acl()
 +{
 +  $acls_name = DOKU_CONF.'/acl.auth.php';
 +  $acls = file($acls_name);
 +  $new_acls = fopen(DOKU_CONF.'/acl.auth.new.php', 'w');
 +  $msg = "Removed: '%s' (%s).\n";
 +  $was_changed = false;
 +  foreach($acls as $line)
 +  {
 +    if(trim($line) && !preg_match('/^#/', $line))
 +    {
 +      if(id_exists($line))
 +      {
 +        if(user_exists($line))
 +        {
 +          fwrite($new_acls, $line);
 +        }
 +        else
 +        {
 +          _quietecho(sprintf($msg, trim($line), 'user does not exist'));
 +          $was_changed = true;
 +        }
 +      }
 +      else
 +      {
 +        _quietecho(sprintf($msg, trim($line), 'page does not exist'));
 +         $was_changed = true;
 +      }
 +    }
 +    else
 +    {
 +      fwrite($new_acls, $line);
 +    }
 +  }
 +  fclose($new_acls);
 +  //die();
 +  if($was_changed)
 +  {
 +    $ok = @rename(DOKU_CONF.'/acl.auth.php', DOKU_CONF.'/backup/acl.auth.'.date('Y-m-d_His').'.php');
 +    if($ok)
 +      $ok = @rename(DOKU_CONF.'/acl.auth.new.php',  DOKU_CONF.'/acl.auth.php');
 +    else
 +      _quietecho('Could not rename old acl file.');
 +  }
 +  else
 +  {
 +    @unlink(DOKU_CONF.'/acl.auth.new.php');
 +  }
 +  
 +}
 +
 +#------------------------------------------------------------------------------
 +function id_exists($acl_line)
 +{
 +  $access = preg_split("/\s/", $acl_line);
 +  // "All"
 +  if($access[0]=="*")
 +  {
 +    return true;
 +  }
 +  // Namespace
 +  elseif(preg_match('/(.*):\*$/', $access[0], $matches))
 +  {
 +    $fn = str_replace(".txt", "", wikiFN($matches[1]));
 +  }
 +  // Page
 +  else
 +  {
 +    $fn = wikiFN($access[0]);
 +  }
 +  return file_exists($fn);
 +}
 +
 +function user_exists($line)
 +{
 +  static $usernames = null;
 +  if(is_null($usernames))
 +  {
 +    $usernames = array();
 +    foreach(file(DOKU_CONF.'/users.auth.php') as $userline)
 +    {
 +      if($userline[0] == '#')
 +        continue;
 +      $line_arr = explode(':', $userline);
 +      if(trim($line_arr[0]))
 +        $usernames[] = trim($line_arr[0]);
 +    }
 +  }
 +  list(,$user) = explode("\t", $line);
 +  if($user[0] == '@')
 +    return true;
 +  return in_array(rawurldecode($user), $usernames);
 +}
 +
 +function _quietecho($msg)
 +{
 +  global $QUIET;
 +  if(!$QUIET)
 +    echo $msg;
 +}
 +
 +clean_acl();
 +?>
 +</code>
 +
 +====== Manage folder tree in ACL management page ======
 +In the ACL management page you see the folder tree you should use to manage ACL on directories.
 +\\
 +This tree is created by Dokuwiki, respectively, reading not only the folder ''pages'' but also the folder ''media''.
 +\\
 +So the reason you see a different tree from what you see in ''pages'' from a file explorer is because Dokuwiki also reads the other folder (''media'') and match them.
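Review bot: `user_exists()` splits the ACL line on a tab only (`explode("\t", $line)`) while `id_exists()` splits on any whitespace, so a rule written with spaces yields no user field, is reported as "user does not exist" and is dropped from the new file. Dropping a rule changes who can read or edit a page, so both functions should split the same way, and a line whose user field cannot be parsed should be kept. In `clean_acl()` the live `acl.auth.php` is renamed away before the replacement is known to be good: the `fopen()` result and the second `rename()` are never checked, so a failed write leaves the wiki with no ACL file at all. Copying the old file to `conf/backup` and then renaming the new file over the live one, as sketched below, keeps an ACL file in place at every step. The user list is read from `users.auth.php` only, so with a different authentication backend every per-user rule would presumably be removed; the page text should say so.

```php
function clean_acl()
{
  // … unchanged: $acls_name, reading the current ACL lines …
  $new_acls = fopen(DOKU_CONF.'/acl.auth.new.php', 'w');
  if($new_acls === false)
  {
    fwrite(STDERR, "Could not create acl.auth.new.php, acl.auth.php left unchanged.\n");
    exit(1);
  }
  // … unchanged: filtering loop, fclose …
  if($was_changed)
  {
    $backup = DOKU_CONF.'/backup/acl.auth.'.date('Y-m-d_His').'.php';
    // copy, not rename: the live file stays in place until the new one replaces it
    if(!copy($acls_name, $backup) || !rename(DOKU_CONF.'/acl.auth.new.php', $acls_name))
    {
      fwrite(STDERR, "ACL clean-up failed, acl.auth.php left unchanged.\n");
      exit(1);
    }
  }
  // … unchanged: else branch removing acl.auth.new.php …
}

function user_exists($line)
{
  // … unchanged: loading $usernames from users.auth.php …
  $fields = preg_split('/\s+/', trim($line));
  if(!isset($fields[1]) || $fields[1] === '')
    return true; // cannot tell who the rule is for: keep it rather than drop it
  $user = $fields[1];
  // … unchanged: group check and in_array lookup …
}
```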
