01164: (:if auth xyz :) not checking against $HandleAuth but $DefaultPasswords

Summary: (:if auth xyz :) not checking against $HandleAuth but $DefaultPasswords
Created: 2010-01-10 14:30
Status: Closed - fixed for 2.2.15
Category: Bug
From: Maddes
Priority: 4
Version: 2.2.8
OS: Debian, Apache, PHP 5.2.6

Checking a user's permission with (:if auth xyz :) seems to check against $DefaultPasswords not $HandleAuth.

The following example doesn't work:
1) config.php
$HandleAuth['diff'] = 'edit';

2) Site.SiteBar
(:if auth diff :)

If I understood the documentation correctly, authorizations should be set via $HandleAuth and not $DefaultPasswords.

The current behaviour prevents using a general Site.SiteBar for all wikis, some very restrictive, some totally open.

Not tested, but what about $HandleAuth['edit'] = 'admin';?

I can confirm that if the $DefaultPasswords['diff'] is not set, the markup (:if auth diff:) is always false, regardless of $HandleAuth and $AuthCascade. Demo below; I'm not sure how to deal with this at the moment -- $HandleAuth['diff'] is only used when opening ?action=diff. A workaround would be to set $DefaultPasswords['diff'] in config.php. --Petko January 12, 2010, at 02:58 PM

(:if auth read:)
* you canread
(:if auth browse:)
* you can browse
(:if auth print:)
* you can print
(:if auth edit:)
* you can edit
(:if auth source:)
* you can see the source
(:if auth upload:)
* you can upload
(:if auth diff:)
* you can see diffs
(:if auth attr:)
* you can open ?action=attr form
(:if auth postattr:)
* you can change passwords
(:if auth  admin:)
* you are admin
(:if auth  logout:)
* you can logout
(:if auth petko334:)
* you have permissions for petko334 (which doesn't exist)
  • you canread
  • you can browse
  • you can print
  • you can edit
  • you can see the source
  • you can upload
  • you can see diffs
  • you can open ?action=attr form
  • you can change passwords
  • you can logout

Can not find any documentation about $AuthCascade, so without knowing what it is:
The auth check should first check $HandleAuth[<action>] for what permissions are needed, then check against the corresponding $DefaultPasswords entry. Assuming $HandleAuth[<action>] can not be empty, then this would be $DefaultPasswords[$HandleAuth[<action>]]. --Maddes January 15, 2010, at 11:00 AM

This was mostly fixed, if $HandleAuth['diff'] is defined in a config file. Otherwise you should use (:if auth read:) as default diff permissions equal read permissions. --Petko February 27, 2010, at 06:26 AM

My (:if auth diff :) works great with 2.2.16 --Maddes May 15, 2010, at 12:22 PM