====== Separate Admin Login ====== This tip lets you separate the roles of yourself as someone using the wiki, and yourself as the wiki administrator. This is very useful when you do not have control over the authentication database (i.e. you are using LDAP, etc). It will help prevent you from //accidentally//((You can still just change permissions on the pages to grant yourself access)) accessing material in your wiki which you do not have (organisational) authority to do so, but still be able to administer the wiki. Basically, you either log in as your //username//, in which case you are a normal user, or as ''admin-//username//'', in which case you have no read permission on any page, but can access the Administrative functions. --- dokuwiki-2009-02-14/inc/auth.php 2009-02-14 12:13:25.000000000 +0000 +++ dokuwiki-2009-02-14-admin/inc/auth.php 2009-02-20 14:23:13.000000000 +0000 @@ -136,10 +136,16 @@ if(!empty($user)){ //usual login + $try_admin = false; + $prefix = $conf['superuserprefix']; + if($prefix && substr($user, 0, strlen($prefix)) == $prefix) { + $user = substr($user, strlen($prefix)); + $try_admin = true; + } if ($auth->checkPass($user,$pass)){ // make logininfo globally available $_SERVER['REMOTE_USER'] = $user; - auth_setCookie($user,PMA_blowfish_encrypt($pass,auth_cookiesalt()),$sticky); + auth_setCookie($user,PMA_blowfish_encrypt($pass,auth_cookiesalt()),$sticky,$try_admin); return true; }else{ //invalid credentials - log off @@ -287,6 +293,8 @@ unset($_SESSION[DOKU_COOKIE]['auth']['info']); if(!$keepbc && isset($_SESSION[DOKU_COOKIE]['bc'])) unset($_SESSION[DOKU_COOKIE]['bc']); + if(isset($_SESSION[DOKU_COOKIE]['auth']['admin'])) + unset($_SESSION[DOKU_COOKIE]['auth']['admin']); if(isset($_SERVER['REMOTE_USER'])) unset($_SERVER['REMOTE_USER']); $USERINFO=null; //FIXME 
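Review bot: The prefix is stripped unconditionally before `checkPass`, so an account whose real name happens to start with the configured prefix can no longer authenticate, and a username equal to the bare prefix is reduced to the empty string before it reaches the backend. The comparison is also loose; tighten it and require something to remain after the prefix: `if($prefix !== '' && strlen($user) > strlen($prefix) && substr($user, 0, strlen($prefix)) === $prefix) {`. The limitation on real accounts named like the prefix should at least be stated in the tip text. The enclosing login function begins and ends outside the hunk.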
@@ -319,11 +327,13 @@ function auth_ismanager($user=null,$groups=null,$adminonly=false){ global $conf; global $USERINFO; + global $_SESSION; if(!$conf['useacl']) return false; if(is_null($user)) $user = $_SERVER['REMOTE_USER']; if(is_null($groups)) $groups = (array) $USERINFO['grps']; $user = auth_nameencode($user); + if($_SESSION[DOKU_COOKIE]['auth']['admin'] == true) { return true; } // check username against superuser and manager $superusers = explode(',', $conf['superuser']); @@ -415,11 +425,16 @@ // if no ACL is used always return upload rights if(!$conf['useacl']) return AUTH_UPLOAD; + // if admin, do not provide EDIT, etc + global $_SESSION; + $max = AUTH_ADMIN; + if($_SESSION[DOKU_COOKIE]['auth']['admin'] == true) { $max = AUTH_READ; } + //make sure groups is an array if(!is_array($groups)) $groups = array(); //if user is superuser or in superusergroup return 255 (acl_admin) - if(auth_isadmin($user,$groups)) { return AUTH_ADMIN; } + //if(auth_isadmin($user,$groups)) { return AUTH_ADMIN; } $user = auth_nameencode($user); @@ -456,7 +471,7 @@ } if($perm > -1){ //we had a match - return it - return $perm; + return min($perm,$max); } } @@ -479,7 +494,7 @@ } } //we had a match - return it - return $perm; + return min($perm,$max); } //get next higher namespace @@ -983,7 +998,7 @@ * @param string $pass encrypted password * @param bool $sticky whether or not the cookie will last beyond the session */ -function auth_setCookie($user,$pass,$sticky) { +function auth_setCookie($user,$pass,$sticky,$try_admin=false) { global $conf; global $auth; global $USERINFO; 
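Review bot: `$_SESSION[DOKU_COOKIE]['auth']['admin'] == true` is evaluated before `$conf['superuser']` is consulted and before `$user` is used, so for an admin session the function answers true for whatever `$user` a caller passes in, and on a request with no session it reads an undefined index. The same loose test appears in the auth_aclcheck hunk (@@ -415). A strict, isset-safe form is `if(!empty($_SESSION[DOKU_COOKIE]['auth']['admin'])) { return true; }`, and the added `global $_SESSION;` lines in both hunks are unnecessary because superglobals are already in scope inside every function. auth_ismanager continues past the end of this hunk.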
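Review bot: Commenting out the `auth_isadmin($user,$groups)` shortcut removes the ACL bypass for everyone listed in `$conf['superuser']`, not only for prefix-based admin sessions, so a configured superuser now receives only what acl.auth.php explicitly grants. If that is intended, the `$lang['superuser']` description in the lang.php hunk ("full access to all pages and functions regardless of the ACL settings") no longer holds and should be updated with it; if not, keep the shortcut but apply the cap, `if(auth_isadmin($user,$groups)) { return min(AUTH_ADMIN,$max); }`. auth_aclcheck's body continues beyond this hunk and the two `return min($perm,$max);` hunks that follow.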
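Review bot: The new `$try_admin=false` parameter is not described in the docblock whose tail the hunk shows (`@param bool $sticky ...`); add ` * @param bool $try_admin whether the login used the superuser prefix, in which case admin status is stored in the session if the user belongs to $conf['superuserprefixgroup']` so the session side effect is discoverable from the signature. The function body is in the following hunk.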
@@ -1004,6 +1019,15 @@ $_SESSION[DOKU_COOKIE]['auth']['buid'] = auth_browseruid(); $_SESSION[DOKU_COOKIE]['auth']['info'] = $USERINFO; $_SESSION[DOKU_COOKIE]['auth']['time'] = time(); + $_SESSION[DOKU_COOKIE]['auth']['admin'] = false; + + if($try_admin) { + if(in_array($conf['superuserprefixgroup'], $USERINFO['grps'])) { + $_SESSION[DOKU_COOKIE]['auth']['admin'] = true; + } + #if($user == 'jarrod') { $_SESSION[DOKU_COOKIE]['auth']['admin'] = true; } + #if($user == 'david') { $_SESSION[DOKU_COOKIE]['auth']['admin'] = true; } + } } //Setup VIM: ex: et ts=2 enc=utf-8 : --- dokuwiki-2009-02-14/inc/actions.php 2009-02-14 12:13:25.000000000 +0000 +++ dokuwiki-2009-02-14-admin/inc/actions.php 2009-02-20 13:35:21.000000000 +0000 @@ -240,6 +240,7 @@ }else{ $permneed = AUTH_READ; } + if($permneed == $AUTH_ADMIN && auth_isadmin()) { return $act; } if($INFO['perm'] >= $permneed) return $act; return 'denied'; --- dokuwiki-2009-02-14/inc/common.php 2009-02-14 12:13:25.000000000 +0000 +++ dokuwiki-2009-02-14-admin/inc/common.php 2009-02-20 13:32:10.000000000 +0000 @@ -119,7 +119,8 @@ // set info about manager/admin status $info['isadmin'] = false; $info['ismanager'] = false; - if($info['perm'] == AUTH_ADMIN){ + //if($info['perm'] == AUTH_ADMIN){ + if(auth_isadmin()) { $info['isadmin'] = true; $info['ismanager'] = true; }elseif(auth_ismanager()){ --- dokuwiki-2009-02-14/inc/template.php 2009-02-14 12:13:25.000000000 +0000 +++ dokuwiki-2009-02-14-admin/inc/template.php 2009-02-20 14:23:17.000000000 +0000 @@ -911,6 +911,7 @@ global $INFO; if($_SERVER['REMOTE_USER']){ print $lang['loggedinas'].': '.$INFO['userinfo']['name'].' ('.$_SERVER['REMOTE_USER'].')'; + if(auth_isadmin()) { print " [ADMIN]"; } return true; } return false; --- dokuwiki-2009-02-14/conf/dokuwiki.php 2009-02-14 12:13:24.000000000 +0000 +++ dokuwiki-2009-02-14-admin/conf/dokuwiki.php 2009-02-20 14:23:38.000000000 +0000 
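Review bot: `in_array($conf['superuserprefixgroup'], $USERINFO['grps'])` uses a loose comparison and assumes the backend populates `grps`; for a backend that reports no groups the second argument is null and the call emits a warning instead of a clean false. Use `in_array($conf['superuserprefixgroup'], (array) $USERINFO['grps'], true)`. The two `#if($user == ...)` lines hard-coding usernames are leftover debugging and should be removed before this is published, since anyone applying the patch may uncomment them. When `$try_admin` is set but the group check fails, the user is silently logged in as an ordinary user under the stripped name; a `msg()` hint would make the refused elevation visible.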
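Review bot: `$permneed == $AUTH_ADMIN` compares against an undefined variable rather than the `AUTH_ADMIN` constant, so the added shortcut never fires for an admin-level action and instead matches whenever `$permneed` is `AUTH_NONE` (`0 == null` is true in PHP). It should read `if($permneed == AUTH_ADMIN && auth_isadmin()) { return $act; }`. The cap in the auth_aclcheck hunk leaves an admin session with `$INFO['perm']` of at most `AUTH_READ`, which is presumably why this bypass was added; act_permcheck begins and ends outside the hunk.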
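Review bot: `$info['isadmin']` is now true for a session whose `$info['perm']` is capped at `AUTH_READ`, so any remaining code that infers admin status from `$info['perm'] == AUTH_ADMIN` (the acl/admin.php hunk converts one such check) will disagree with this flag, and the other occurrences should be audited. The commented-out `//if($info['perm'] == AUTH_ADMIN){` line is dead code and can be dropped. The enclosing function extends beyond the hunk.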
@@ -71,6 +71,8 @@ $conf['defaultgroup']= 'user'; //Default groups new Users are added to $conf['superuser'] = '!!not set!!'; //The admin can be user or @group or comma separated list user1,@group1,user2 $conf['manager'] = '!!not set!!'; //The manager can be user or @group or comma separated list user1,@group1,user2 +$conf['superuserprefix'] = 'admin-'; +$conf['superuserprefixgroup'] = 'wikiadmin'; $conf['profileconfirm'] = 1; //Require current password to confirm changes to user profile $conf['disableactions'] = ''; //comma separated list of actions to disable $conf['sneaky_index'] = 0; //check for namespace read permission in index view (0|1) (1 might cause unexpected behavior) --- dokuwiki-2009-02-14/lib/plugins/acl/admin.php 2009-02-14 12:13:25.000000000 +0000 +++ dokuwiki-2009-02-14-admin/lib/plugins/acl/admin.php 2009-02-20 13:36:38.000000000 +0000 @@ -400,7 +400,7 @@ echo '
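Review bot: The two new settings lack the trailing `//` descriptions that every neighbouring `$conf[...]` line carries, so an administrator editing this file gets no indication of what `superuserprefix` does or that `superuserprefixgroup` must be a group the authentication backend actually reports. Suggested: `$conf['superuserprefix'] = 'admin-'; //username prefix that requests an admin session (stripped before authentication)` and `$conf['superuserprefixgroup'] = 'wikiadmin'; //group whose members may use the prefix to obtain admin status`.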

'; // add note if admin - if($perm == AUTH_ADMIN){ + if(auth_isadmin()) { echo '

'.$this->getLang('p_isadmin').'

'; }elseif(is_null($current)){ echo '

'.$this->getLang('p_inherited').'

'; --- dokuwiki-2009-02-14/lib/plugins/config/settings/config.metadata.php 2009-02-14 12:13:25.000000000 +0000 +++ dokuwiki-2009-02-14-admin/lib/plugins/config/settings/config.metadata.php 2009-02-20 14:24:19.000000000 +0000 @@ -123,6 +123,8 @@ $meta['defaultgroup']= array('string'); $meta['superuser'] = array('string'); $meta['manager'] = array('string'); +$meta['superuserprefix'] = array('string'); +$meta['superuserprefixgroup'] = array('string'); $meta['profileconfirm'] = array('onoff'); $meta['rememberme'] = array('onoff'); $meta['registernotify'] = array('email'); --- dokuwiki-2009-02-14/lib/plugins/config/lang/en/lang.php 2009-02-14 12:13:25.000000000 +0000 +++ dokuwiki-2009-02-14-admin/lib/plugins/config/lang/en/lang.php 2009-02-20 14:24:49.000000000 +0000 @@ -93,6 +93,8 @@ $lang['defaultgroup']= 'Default group'; $lang['superuser'] = 'Superuser - group, user or comma separated list user1,@group1,user2 with full access to all pages and functions regardless of the ACL settings'; $lang['manager'] = 'Manager - group, user or comma separated list user1,@group1,user2 with access to certain management functions'; +$lang['superuserprefix'] = 'Prefix to username that indicates they wish to log in as admin'; +$lang['superuserprefixgroup'] = 'Group of users that may log in as admin using the prefix'; $lang['profileconfirm'] = 'Confirm profile changes with password'; $lang['disableactions'] = 'Disable DokuWiki actions'; $lang['disableactions_check'] = 'Check';