Summary: Excluding members from AuthUser groups doesn't work
Created: 2010-06-07 09:55
Status: Closed - fixed for 2.2.20
Category: Bug
Priority: 5
Version: 2.2.x

Description: The AuthUser documentation states the following:

Group password memberships are maintained by editing the SiteAdmin.AuthUser page. To specify a password group that allows access to anyone who is authenticated, you can specify:

    @wholeoffice: *

If you need to keep "Fred" out of this password group :

    @wholeoffice: *,-Fred

The first form works, but the second one does nothing: Fred is not excluded from the @wholeoffice group.

To fix this, the following patch is required:

Index: authuser.php
--- authuser.php	(revision 2560)
+++ authuser.php	(working copy)
@@ -79,12 +79,12 @@
     $authlist[$g] = 1;
   foreach(preg_grep('/^@/', (array)@$auth['*']) as $g) 
     $authlist[$g] = 1;
-  foreach(preg_grep('/^@/', array_keys($auth)) as $g) 
-    if (in_array($authid, $auth[$g])) $authlist[$g] = 1;
   if ($auth['htgroup']) {
     foreach(AuthUserHtGroup($pagename, $id, $pw, $auth['htgroup']) as $g)
       $authlist["@$g"] = 1;
+  foreach(preg_grep('/^@/', (array)@$auth["-$authid"]) as $g) 
+    unset($authlist[$g]);
   SessionAuth($pagename, array('authid' => $authid, 'authlist' => $authlist));

The loop foreach(preg_grep('/^@/', array_keys($auth)) as $g) may be removed as it's useless: $auth cannot have keys starting with '@'.

The current bug will be fixed for 2.2.20. The feature request about adding user subgroups was moved to PITS:01232 (AuthUser: groups included in other groups). --Petko November 10, 2010, at 05:46 PM