
Separate Admin Login

This tip lets you separate the roles of yourself as someone using the wiki, and yourself as the wiki administrator. This is very useful when you do not have control over the authentication database (e.g. you are using LDAP). It helps prevent you from accidentally 1) accessing material in your wiki that you have no (organisational) authority to access, while still letting you administer the wiki.

Basically, you either log in as your username, in which case you are a normal user, or as admin-username, in which case you have no read permission on any page, but can access the Administrative functions.

--- dokuwiki-2009-02-14/inc/auth.php	2009-02-14 12:13:25.000000000 +0000
+++ dokuwiki-2009-02-14-admin/inc/auth.php	2009-02-20 14:23:13.000000000 +0000
@@ -136,10 +136,16 @@
 
   if(!empty($user)){
     //usual login
+    $try_admin = false;
+    $prefix = $conf['superuserprefix'];
+    if($prefix && substr($user, 0, strlen($prefix)) == $prefix) { 
+        $user = substr($user, strlen($prefix));
+        $try_admin = true;
+    }
     if ($auth->checkPass($user,$pass)){
       // make logininfo globally available
       $_SERVER['REMOTE_USER'] = $user;
-      auth_setCookie($user,PMA_blowfish_encrypt($pass,auth_cookiesalt()),$sticky);
+      auth_setCookie($user,PMA_blowfish_encrypt($pass,auth_cookiesalt()),$sticky,$try_admin);
       return true;
     }else{
       //invalid credentials - log off
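Review bot: The prefix strip in `if($prefix && substr($user, 0, strlen($prefix)) == $prefix)` runs before any credential check, so an account whose real login name begins with the configured prefix can no longer authenticate under its own name. That constraint should be documented next to the setting, or the unstripped name should be tried when the stripped one fails. The test itself is safer as `if($prefix && strncmp($user, $prefix, strlen($prefix)) === 0) {`, which avoids loose `==` juggling between numeric-looking strings. The login function starts and ends outside the hunk.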
@@ -287,6 +293,8 @@
     unset($_SESSION[DOKU_COOKIE]['auth']['info']);
   if(!$keepbc && isset($_SESSION[DOKU_COOKIE]['bc']))
     unset($_SESSION[DOKU_COOKIE]['bc']);
+  if(isset($_SESSION[DOKU_COOKIE]['auth']['admin']))
+    unset($_SESSION[DOKU_COOKIE]['auth']['admin']);
   if(isset($_SERVER['REMOTE_USER']))
     unset($_SERVER['REMOTE_USER']);
   $USERINFO=null; //FIXME
@@ -319,11 +327,13 @@
 function auth_ismanager($user=null,$groups=null,$adminonly=false){
   global $conf;
   global $USERINFO;
+  global $_SESSION;
 
   if(!$conf['useacl']) return false;
   if(is_null($user))   $user   = $_SERVER['REMOTE_USER'];
   if(is_null($groups)) $groups = (array) $USERINFO['grps'];
   $user   = auth_nameencode($user);
+  if($_SESSION[DOKU_COOKIE]['auth']['admin'] == true) { return true; }
 
   // check username against superuser and manager
   $superusers = explode(',', $conf['superuser']);
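Review bot: The added `if($_SESSION[DOKU_COOKIE]['auth']['admin'] == true) { return true; }` in `auth_ismanager` returns true whatever `$user` and `$groups` the caller passed, so a question about another account is answered with the current session's privilege. Limiting it to the implicit current-user case, placed before `$user` is defaulted, keeps the function's contract and avoids reading an unset index: `if(is_null($user) && !empty($_SESSION[DOKU_COOKIE]['auth']['admin'])) return true;`. `global $_SESSION;` can be dropped because `$_SESSION` is a superglobal. The unchanged lines below still compare the name with `$conf['superuser']`, so the separation this page describes presumably holds only while that setting does not list the same accounts; the function continues outside the hunk.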
@@ -415,11 +425,16 @@
   // if no ACL is used always return upload rights
   if(!$conf['useacl']) return AUTH_UPLOAD;
 
+  // if admin, do not provide EDIT, etc
+  global $_SESSION;
+  $max = AUTH_ADMIN;
+  if($_SESSION[DOKU_COOKIE]['auth']['admin'] == true) { $max =  AUTH_READ; }
+
   //make sure groups is an array
   if(!is_array($groups)) $groups = array();
 
   //if user is superuser or in superusergroup return 255 (acl_admin)
-  if(auth_isadmin($user,$groups)) { return AUTH_ADMIN; }
+  //if(auth_isadmin($user,$groups)) { return AUTH_ADMIN; }
 
   $user = auth_nameencode($user);
 
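Review bot: The cap `$max = AUTH_READ` still lets an admin session read every page the account's ACL grants, whereas the page text says the admin login has no read permission on any page; if that is the intent the line should be `if(!empty($_SESSION[DOKU_COOKIE]['auth']['admin'])) { $max = AUTH_NONE; }`. The cap reaches callers only through the two `return min($perm,$max)` sites in the later hunks, so any return path outside those hunks would need it too. It is also read from the session whatever `$user` was passed, so checks made on behalf of another user are capped while an admin session is active. The commented-out `auth_isadmin` line is better deleted, and the function starts and ends outside the hunk.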
@@ -456,7 +471,7 @@
     }
     if($perm > -1){
       //we had a match - return it
-      return $perm;
+      return min($perm,$max);
     }
   }
 
@@ -479,7 +494,7 @@
         }
       }
       //we had a match - return it
-      return $perm;
+      return min($perm,$max);
     }
 
     //get next higher namespace
@@ -983,7 +998,7 @@
  * @param string  $pass       encrypted password
  * @param bool    $sticky     whether or not the cookie will last beyond the session
  */
-function auth_setCookie($user,$pass,$sticky) {
+function auth_setCookie($user,$pass,$sticky,$try_admin=false) {
     global $conf;
     global $auth;
     global $USERINFO;
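Review bot: The docblock above `auth_setCookie` is not updated for the new fourth parameter. Add `@param bool $try_admin whether the login used the superuser prefix and an admin session should be attempted` after the `$sticky` line. The function body continues outside the hunk.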
@@ -1004,6 +1019,15 @@
       $_SESSION[DOKU_COOKIE]['auth']['buid'] = auth_browseruid();
       $_SESSION[DOKU_COOKIE]['auth']['info'] = $USERINFO;
       $_SESSION[DOKU_COOKIE]['auth']['time'] = time();
+      $_SESSION[DOKU_COOKIE]['auth']['admin'] = false;
+
+      if($try_admin) {
+          if(in_array($conf['superuserprefixgroup'], $USERINFO['grps'])) {
+              $_SESSION[DOKU_COOKIE]['auth']['admin'] = true;
+          }
+          #if($user == 'jarrod') { $_SESSION[DOKU_COOKIE]['auth']['admin'] = true; }
+          #if($user == 'david') { $_SESSION[DOKU_COOKIE]['auth']['admin'] = true; }
+      }
 }
 
 //Setup VIM: ex: et ts=2 enc=utf-8 :
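Review bot: The group test `in_array($conf['superuserprefixgroup'], $USERINFO['grps'])` uses loose comparison and assumes `$USERINFO['grps']` is an array and the setting is non-empty; `if($conf['superuserprefixgroup'] !== '' && in_array($conf['superuserprefixgroup'], (array) $USERINFO['grps'], true)) {` makes the elevation decision exact. A login that used the prefix but is not in the group is silently accepted as a normal session, so neither the user nor an auditor sees that elevation was refused; a message or log entry at that point would help. The two commented-out `#if($user == ...)` lines naming individual accounts should be dropped from the patch. The function starts outside the hunk.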
--- dokuwiki-2009-02-14/inc/actions.php	2009-02-14 12:13:25.000000000 +0000
+++ dokuwiki-2009-02-14-admin/inc/actions.php	2009-02-20 13:35:21.000000000 +0000
@@ -240,6 +240,7 @@
   }else{
     $permneed = AUTH_READ;
   }
+  if($permneed == $AUTH_ADMIN && auth_isadmin()) { return $act; }
   if($INFO['perm'] >= $permneed) return $act;
 
   return 'denied';
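Review bot: In the added line `if($permneed == $AUTH_ADMIN && auth_isadmin())`, `$AUTH_ADMIN` is an undefined variable rather than the `AUTH_ADMIN` constant used on the other lines of this patch, so it evaluates to null and the loose comparison is true only when `$permneed` is zero-like, a case the next line already allows. The intended bypass for actions that need admin rights therefore never fires here. It should read `if($permneed == AUTH_ADMIN && auth_isadmin()) { return $act; }`. The function starts outside the hunk.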
--- dokuwiki-2009-02-14/inc/common.php	2009-02-14 12:13:25.000000000 +0000
+++ dokuwiki-2009-02-14-admin/inc/common.php	2009-02-20 13:32:10.000000000 +0000
@@ -119,7 +119,8 @@
     // set info about manager/admin status
     $info['isadmin']   = false;
     $info['ismanager'] = false;
-    if($info['perm'] == AUTH_ADMIN){
+    //if($info['perm'] == AUTH_ADMIN){
+    if(auth_isadmin()) {
       $info['isadmin']   = true;
       $info['ismanager'] = true;
     }elseif(auth_ismanager()){
--- dokuwiki-2009-02-14/inc/template.php	2009-02-14 12:13:25.000000000 +0000
+++ dokuwiki-2009-02-14-admin/inc/template.php	2009-02-20 14:23:17.000000000 +0000
@@ -911,6 +911,7 @@
   global $INFO;
   if($_SERVER['REMOTE_USER']){
     print $lang['loggedinas'].': '.$INFO['userinfo']['name'].' ('.$_SERVER['REMOTE_USER'].')';
+    if(auth_isadmin()) { print " [ADMIN]"; }
     return true;
   }
   return false;
--- dokuwiki-2009-02-14/conf/dokuwiki.php	2009-02-14 12:13:24.000000000 +0000
+++ dokuwiki-2009-02-14-admin/conf/dokuwiki.php	2009-02-20 14:23:38.000000000 +0000
@@ -71,6 +71,8 @@
 $conf['defaultgroup']= 'user';           //Default groups new Users are added to
 $conf['superuser']   = '!!not set!!';    //The admin can be user or @group or comma separated list user1,@group1,user2
 $conf['manager']     = '!!not set!!';    //The manager can be user or @group or comma separated list user1,@group1,user2
+$conf['superuserprefix'] = 'admin-';
+$conf['superuserprefixgroup'] = 'wikiadmin';
 $conf['profileconfirm'] = 1;             //Require current password to confirm changes to user profile
 $conf['disableactions'] = '';            //comma separated list of actions to disable
 $conf['sneaky_index']   = 0;             //check for namespace read permission in index view (0|1) (1 might cause unexpected behavior)
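Review bot: Both new settings ship with live defaults (`'admin-'` and `'wikiadmin'`), so the prefix login is active on every install that takes this file, and membership of a backend group that happens to be called `wikiadmin` is enough to obtain an admin session. With an external directory such as the LDAP case this tip targets, that membership is managed outside the wiki. Defaulting to disabled and commenting the lines like their neighbours is safer: `$conf['superuserprefix'] = '';  //login-name prefix that requests an admin session (empty disables it)`. The `$prefix &&` guard in inc/auth.php already treats an empty prefix as off.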
--- dokuwiki-2009-02-14/lib/plugins/acl/admin.php	2009-02-14 12:13:25.000000000 +0000
+++ dokuwiki-2009-02-14-admin/lib/plugins/acl/admin.php	2009-02-20 13:36:38.000000000 +0000
@@ -400,7 +400,7 @@
         echo '</p>';
 
         // add note if admin
-        if($perm == AUTH_ADMIN){
+        if(auth_isadmin()) {
             echo '<p>'.$this->getLang('p_isadmin').'</p>';
         }elseif(is_null($current)){
             echo '<p>'.$this->getLang('p_inherited').'</p>';
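Review bot: `auth_isadmin()` is called here without arguments, so it evaluates the logged-in viewer rather than, apparently, the user or group whose permission `$perm` held on the removed line. Since the ACL manager is presumably only reachable by admins, the `p_isadmin` note would then be shown for every inspected entry and the `elseif` branches never reached. Passing the inspected name and groups to `auth_isadmin()` would keep the original meaning, provided the session shortcut in `auth_ismanager` does not override explicit arguments. The method starts and ends outside the hunk.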
--- dokuwiki-2009-02-14/lib/plugins/config/settings/config.metadata.php	2009-02-14 12:13:25.000000000 +0000
+++ dokuwiki-2009-02-14-admin/lib/plugins/config/settings/config.metadata.php	2009-02-20 14:24:19.000000000 +0000
@@ -123,6 +123,8 @@
 $meta['defaultgroup']= array('string');
 $meta['superuser']   = array('string');
 $meta['manager']     = array('string');
+$meta['superuserprefix'] = array('string');
+$meta['superuserprefixgroup'] = array('string');
 $meta['profileconfirm'] = array('onoff');
 $meta['rememberme'] = array('onoff');
 $meta['registernotify'] = array('email');
--- dokuwiki-2009-02-14/lib/plugins/config/lang/en/lang.php	2009-02-14 12:13:25.000000000 +0000
+++ dokuwiki-2009-02-14-admin/lib/plugins/config/lang/en/lang.php	2009-02-20 14:24:49.000000000 +0000
@@ -93,6 +93,8 @@
 $lang['defaultgroup']= 'Default group';
 $lang['superuser']   = 'Superuser - group, user or comma separated list user1,@group1,user2 with full access to all pages and functions regardless of the ACL settings';
 $lang['manager']     = 'Manager - group, user or comma separated list user1,@group1,user2 with access to certain management functions';
+$lang['superuserprefix'] = 'Prefix to username that indicates they wish to log in as admin';
+$lang['superuserprefixgroup'] = 'Group of users that may log in as admin using the prefix';
 $lang['profileconfirm'] = 'Confirm profile changes with password';
 $lang['disableactions'] = 'Disable DokuWiki actions';
 $lang['disableactions_check'] = 'Check';
1)
You can still just change permissions on the pages to grant yourself access
tips/separate_admin_login.txt · Last modified: 2013-06-02 14:46 by Klap-in