From 624b85ed41943abddbaadc0d9a891cef1890f052 Mon Sep 17 00:00:00 2001
From: Chris MacMackin
Date: Sat, 2 Dec 2023 09:56:55 +0000
Subject: [PATCH 1/5] Add option to restrict users/groups that can autocomplete usernames

By default this is set to @ALL, so the behaviour is backwards-compatible. Tests of this new feature have been added.
---
 _test/types/UserTest.php | 29 ++++++++++++++++++++++++++++-
 conf/default.php | 1 +
 conf/metadata.php | 1 +
 lang/en/settings.php | 1 +
 types/User.php | 12 ++++++++++++
 5 files changed, 43 insertions(+), 1 deletion(-)

diff --git a/_test/types/UserTest.php b/_test/types/UserTest.php
index fe072905..a5848541 100644
--- a/_test/types/UserTest.php
+++ b/_test/types/UserTest.php
@@ -35,7 +35,19 @@ public function test_validate_success()
 public function test_ajax()
 {
- global $INPUT;
+ global $INFO, $INPUT, $USERINFO;
+ include(__DIR__ . '/../../conf/default.php');
+ $default_allow_autocomplete = $conf['allow_username_autocomplete'];
+ unset($conf);
+
+ global $conf;
+ $conf['plugin']['struct']['allow_username_autocomplete'] = $default_allow_autocomplete;
+ $_SERVER['REMOTE_USER'] = 'john';
+ $USERINFO['name'] = 'John Smith';
+ $USERINFO['mail'] = 'john.smith@example.com';
+ $USERINFO['grps'] = ['user', 'test'];
+ //update info array
+ $INFO['userinfo'] = $USERINFO;
 $user = new User(
 [
@@ -56,6 +68,21 @@ public function test_ajax()
 $INPUT->set('search', 'd'); // under mininput
 $this->assertEquals([], $user->handleAjax());
+ // Check restrictions on who can access username data are respected
+ $conf['plugin']['struct']['allow_username_autocomplete'] = 'john';
+ $INPUT->set('search', 'dent');
+ $this->assertEquals([['label' => 'Arthur Dent [testuser]', 'value' => 'testuser']], $user->handleAjax());
+
+ $conf['plugin']['struct']['allow_username_autocomplete'] = '@user';
+ $INPUT->set('search', 'dent');
+ $this->assertEquals([['label' => 'Arthur Dent [testuser]', 'value' => 'testuser']], $user->handleAjax());
+
+ $conf['plugin']['struct']['allow_username_autocomplete'] = '@not_in_group,not_this_user';
+ $INPUT->set('search', 'dent');
+ $this->assertEquals([], $user->handleAjax());
+
+ $conf['plugin']['struct']['allow_username_autocomplete'] = $default_allow_autocomplete;
+
 $user = new User(
 [
 'autocomplete' => [
diff --git a/conf/default.php b/conf/default.php
index e41ca5ca..70b365b2 100644
--- a/conf/default.php
+++ b/conf/default.php
@@ -4,3 +4,4 @@
 $conf['topoutput'] = 0;
 $conf['disableDeleteSerial'] = 0;
 $conf['show_not_found'] = 1;
+$conf['allow_username_autocomplete'] = '@ALL';
diff --git a/conf/metadata.php b/conf/metadata.php
index 5a131dfa..cccebccf 100644
--- a/conf/metadata.php
+++ b/conf/metadata.php
@@ -4,3 +4,4 @@
 $meta['topoutput'] = ['onoff'];
 $meta['disableDeleteSerial'] = ['onoff'];
 $meta['show_not_found'] = ['onoff'];
+$meta['allow_username_autocomplete'] = ['string'];
diff --git a/lang/en/settings.php b/lang/en/settings.php
index eae3f50b..fe9bfff9 100644
--- a/lang/en/settings.php
+++ b/lang/en/settings.php
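Review bot: None of the new assertions exercises a request with no logged-in user, which is exactly the path where handleAjax reads `$_SERVER['REMOTE_USER']` and `$USERINFO['grps']` and both are unset; with the config still at `'john'`, add `unset($_SERVER['REMOTE_USER']); $USERINFO = [];` followed by `$this->assertEquals([], $user->handleAjax());` so the deny behaviour for anonymous callers is pinned rather than assumed. The `'@user'` case passes only because the earlier hunk of this file puts the test user in the `user` group, which is worth a one-line comment next to that assertion. That earlier hunk also sets `$_SERVER['REMOTE_USER']` and `$USERINFO` process-wide and nothing in this hunk restores them, so later tests in the suite may inherit the 'john' session unless a tearDown handles it (the end of test_ajax lies outside this hunk).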
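Review bot: The new default `'@ALL'` carries no comment explaining its reach, and in DokuWiki's auth_isMember() `@ALL` matches before the user name is compared, so an unauthenticated request still passes the new check until an administrator tightens the setting; the commit message says this is the intended backwards-compatible behaviour, so state it where the value lives: `$conf['allow_username_autocomplete'] = '@ALL'; // @ALL matches every request, including anonymous ones; use e.g. '@user' to require a login`. The lang/en/settings.php description added later in this patch would benefit from the same sentence, since that is the text administrators actually see.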
@@ -4,3 +4,4 @@
 $lang['topoutput'] = 'Display data at the top of the page';
 $lang['disableDeleteSerial'] = 'Disable delete button for serial data';
 $lang['show_not_found'] = 'Show the default text when no results are returned for struct value syntax';
+$lang['allow_username_autocomplete'] = 'Group, user or comma separated list user1,@group1,user2 to offer autocomplete suggestions for username data';
diff --git a/types/User.php b/types/User.php
index 93aa2c08..da8950e6 100644
--- a/types/User.php
+++ b/types/User.php
@@ -66,12 +66,24 @@ public function handleAjax()
 {
 /** @var AuthPlugin $auth */
 global $auth;
+ global $conf;
 global $INPUT;
+ global $_SERVER;
+ global $USERINFO;
 if (!$auth->canDo('getUsers')) {
 return [];
 }
+ if (
+ !auth_isMember(
+ $conf['plugin']['struct']['allow_username_autocomplete'],
+ $_SERVER['REMOTE_USER'],
+ (array) $USERINFO['grps'])
+ ) {
+ return [];
+ }
+
 // check minimum length
 $lookup = trim($INPUT->str('search'));
 if (PhpString::strlen($lookup) < $this->config['autocomplete']['mininput']) return [];

From 2571beb15f31e39ecebaca7a4cb0cf6113cbfb55 Mon Sep 17 00:00:00 2001
From: Chris MacMackin
Date: Sat, 2 Dec 2023 10:02:28 +0000
Subject: [PATCH 2/5] Removed todo that has been addressed

---
 types/User.php | 1 -
 1 file changed, 1 deletion(-)

diff --git a/types/User.php b/types/User.php
index da8950e6..feafad65 100644
--- a/types/User.php
+++ b/types/User.php
@@ -60,7 +60,6 @@ public function renderValue($value, \Doku_Renderer $R, $mode)
 * Autocompletion for user names
 *
 * @return array
- * @todo should we have any security mechanism? Currently everybody can look up users
 */
 public function handleAjax()
 {

From dc172402d991f6418f8c122f33aebfe73b247b11 Mon Sep 17 00:00:00 2001
From: Chris MacMackin
Date: Sat, 2 Dec 2023 10:06:13 +0000
Subject: [PATCH 3/5] Code formatting

---
 types/User.php | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/types/User.php b/types/User.php
index feafad65..57789cdf 100644
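Review bot: The new membership check reads `$_SERVER['REMOTE_USER']` and `$USERINFO['grps']` directly, and for an unauthenticated request neither key exists, so the call emits undefined-index warnings and passes a null user name into auth_isMember() before reaching the (correct) deny; `global $_SERVER;` is also redundant because `$_SERVER` is a superglobal. Use the Input wrapper already in scope and a null-coalesce on the groups: `$INPUT->server->str('REMOTE_USER'),` and `(array) ($USERINFO['grps'] ?? [])`, and drop the `global $_SERVER;` line. The later patches in this series reformat the call and move the config read to `$this->getConf()` but keep the direct `$_SERVER`/`$USERINFO` access, so the same change applies to their final form. A short comment above the `if (` stating that a failed membership check returns an empty list rather than an error, and that `@ALL` (the shipped default) admits anonymous callers, would document the contract for the AJAX endpoint; handleAjax continues past the end of this hunk.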
--- a/types/User.php
+++ b/types/User.php
@@ -76,9 +76,10 @@ public function handleAjax()
 if (
 !auth_isMember(
- $conf['plugin']['struct']['allow_username_autocomplete'],
- $_SERVER['REMOTE_USER'],
- (array) $USERINFO['grps'])
+ $conf['plugin']['struct']['allow_username_autocomplete'],
+ $_SERVER['REMOTE_USER'],
+ (array) $USERINFO['grps']
+ )
 ) {
 return [];
 }

From d2ce449e0dd218f3d6bfbacdf5d367b0c812af3d Mon Sep 17 00:00:00 2001
From: Chris MacMackin
Date: Sat, 2 Dec 2023 10:07:19 +0000
Subject: [PATCH 4/5] More code formatting

---
 types/User.php | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/types/User.php b/types/User.php
index 57789cdf..e66790d9 100644
--- a/types/User.php
+++ b/types/User.php
@@ -76,9 +76,9 @@ public function handleAjax()
 if (
 !auth_isMember(
- $conf['plugin']['struct']['allow_username_autocomplete'],
- $_SERVER['REMOTE_USER'],
- (array) $USERINFO['grps']
+ $conf['plugin']['struct']['allow_username_autocomplete'],
+ $_SERVER['REMOTE_USER'],
+ (array) $USERINFO['grps']
 )
 ) {
 return [];

From 78f02c81bd097f781d4777257d0807444a694785 Mon Sep 17 00:00:00 2001
From: Chris MacMackin
Date: Mon, 11 Dec 2023 23:02:10 +0000
Subject: [PATCH 5/5] Avoid accessing the $conf global directly

This can cause errors if the configurations haven't been initialised yet. On the suggestion of annda, I've added a getConf() method which will load the configurations if they haven't been already.
---
 types/AbstractBaseType.php | 12 ++++++++++++
 types/User.php | 3 +--
 2 files changed, 13 insertions(+), 2 deletions(-)

diff --git a/types/AbstractBaseType.php b/types/AbstractBaseType.php
index 973599da..fcd7c993 100644
--- a/types/AbstractBaseType.php
+++ b/types/AbstractBaseType.php
@@ -545,6 +545,18 @@ public function getLang($string)
 return $this->hlp->getLang($string);
 }
+ /**
+ * Convenience method to access plugin configurations
+ *
+ * @param string $string
+ * @return string
+ */
+ public function getConf($string)
+ {
+ if (is_null($this->hlp)) $this->hlp = plugin_load('helper', 'struct');
+ return $this->hlp->getConf($string);
+ }
+
 /**
 * With what comparator should dynamic filters filter this type?
 *
diff --git a/types/User.php b/types/User.php
index e66790d9..db929f0f 100644
--- a/types/User.php
+++ b/types/User.php
@@ -65,7 +65,6 @@ public function handleAjax()
 {
 /** @var AuthPlugin $auth */
 global $auth;
- global $conf;
 global $INPUT;
 global $_SERVER;
 global $USERINFO;
@@ -76,7 +75,7 @@ public function handleAjax()
 if (
 !auth_isMember(
- $conf['plugin']['struct']['allow_username_autocomplete'],
+ $this->getConf('allow_username_autocomplete'),
 $_SERVER['REMOTE_USER'],
 (array) $USERINFO['grps']
 )
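Review bot: The docblock on the new getConf() declares `@return string`, but the helper's getConf() hands back whatever the setting holds (the `onoff` settings declared in this plugin's conf/metadata.php are ints, and DokuWiki's helper returns `false` for a key that is not set), so `@return mixed` is the accurate annotation and keeps static analysis from trusting a string that may not be one; the `@param` line would also be more useful as `@param string $string name of the setting in conf/default.php` than as a restatement of the type. The lazy-load line can be written without the `is_null` call if the project's minimum PHP is 7.4 or later: `$this->hlp ??= plugin_load('helper', 'struct');`. plugin_load() can return null when the helper is unavailable, and the next line dereferences it unchecked; that mirrors getLang() above it, so if it is acceptable there a one-line comment saying so would stop the next reader from reopening the question.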