01201: Excluding members from AuthUser groups doesn't work
Description: The AuthUser documentation states the following:
Group password memberships are maintained by editing the SiteAdmin.AuthUser page. To specify a password group that allows access to anyone who is authenticated, you can specify:
@wholeoffice: *
If you need to keep "Fred" out of this password group :
@wholeoffice: *,-Fred
The first form works, but the second one does nothing: Fred is not excluded from the @wholeoffice group.
To fix this, the following patch is required:
Index: authuser.php
===================================================================
--- authuser.php (revision 2560)
+++ authuser.php (working copy)
@@ -79,12 +79,12 @@
$authlist[$g] = 1;
foreach(preg_grep('/^@/', (array)@$auth['*']) as $g)
$authlist[$g] = 1;
- foreach(preg_grep('/^@/', array_keys($auth)) as $g)
- if (in_array($authid, $auth[$g])) $authlist[$g] = 1;
if ($auth['htgroup']) {
foreach(AuthUserHtGroup($pagename, $id, $pw, $auth['htgroup']) as $g)
$authlist["@$g"] = 1;
}
+ foreach(preg_grep('/^@/', (array)@$auth["-$authid"]) as $g)
+ unset($authlist[$g]);
SessionAuth($pagename, array('authid' => $authid, 'authlist' => $authlist));
}
The loop foreach(preg_grep('/^@/', array_keys($auth)) as $g) may be removed as it's useless: $auth cannot have keys starting with '@'.
The current bug will be fixed for 2.2.20. The feature request about adding user subgroups was moved to PITS:01232 (AuthUser: groups included in other groups). --Petko November 10, 2010, at 05:46 PM