# HG changeset patch # User Dan # Date 1206577222 14400 # Node ID f88c8c79d784c6175624adef23913904c94fa12f # Parent 290fa071842abc36310e05713562d04c1d5e78ad Made some improvements to ACL system including: warning on setting Deny for Everyone on the entire site, added ACL_ALWAYS_ALLOW_ADMIN_EDIT_ACL, and changed behavior as noted in the docs so that Deny for Everyone is no longer able to be overridden diff -r 290fa071842a -r f88c8c79d784 includes/clientside/static/acl.js --- a/includes/clientside/static/acl.js Wed Mar 26 16:51:42 2008 -0400 +++ b/includes/clientside/static/acl.js Wed Mar 26 20:20:22 2008 -0400 @@ -729,9 +729,20 @@ var form = document.forms[aclManagerID + '_formobj']; selections = new Object(); var dbg = ''; + var warned_everyone = false; for(var i in aclPermList) { selections[aclPermList[i]] = getRadioState(form, aclPermList[i], [1, 2, 3, 4]); + // If we're editing permissions for everyone on the entire site and the + // admin selected to deny privileges, give a stern warning about it. + if ( selections[aclPermList[i]] == 1 && aclDataCache.target_type == 1 /* ACL_TYPE_GROUP */ && aclDataCache.target_id == 1 && !warned_everyone ) + { + warned_everyone = true; + if ( !confirm($lang.get('acl_msg_deny_everyone_confirm')) ) + { + return false; + } + } dbg += aclPermList[i] + ': ' + selections[aclPermList[i]] + "\n"; if(!selections[aclPermList[i]]) { diff -r 290fa071842a -r f88c8c79d784 includes/constants.php --- a/includes/constants.php Wed Mar 26 16:51:42 2008 -0400 +++ b/includes/constants.php Wed Mar 26 20:20:22 2008 -0400 @@ -29,6 +29,11 @@ define('ACL_TYPE_USER', 2); define('ACL_TYPE_PRESET', 3); +// ACL switch +// If this is defined, administrators can edit ACLs regardless of current +// permissions. This is enabled by default. +define('ACL_ALWAYS_ALLOW_ADMIN_EDIT_ACL', 1); + // System groups define('GROUP_ID_ADMIN', 2); define('GROUP_ID_MOD', 3); 
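Review bot: The added condition in front of `confirm(...)` tests only `aclDataCache.target_type == 1` and `aclDataCache.target_id == 1`, so as far as this hunk shows it never checks that the rule is scoped to the whole site, although the comment and the message both say "entire site". If aclDataCache also carries the page scope, that should be part of the condition; otherwise the comment should say the warning fires for any Deny on the Everyone group. The prompt is also advisory only, since nothing in this changeset adds a matching server-side check, and a comment such as `// Advisory only: the server does not require this confirmation.` would make that explicit. The enclosing function starts and ends outside the hunk.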
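Review bot: The comment above `define('ACL_ALWAYS_ALLOW_ADMIN_EDIT_ACL', 1);` should say that the value is ignored, because both call sites in this changeset (includes/pageutils.php and includes/template.php) test `defined('ACL_ALWAYS_ALLOW_ADMIN_EDIT_ACL')`, so changing the `1` to `0` leaves the administrator bypass switched on. I would add `// To disable, remove or comment out this define; its value is not read.` It is also worth noting there that, with Deny for Everyone now final in includes/sessions.php, removing the switch presumably means a site-wide Deny on `edit_acl` locks administrators out of the ACL editor as well.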
@@ -39,7 +44,7 @@ define('PAGE_GRP_NORMAL', 3); define('PAGE_GRP_REGEX', 4); -// Identifier for the default meta-language +// Identifier for the default pseudo-language define('LANG_DEFAULT', 0); // diff -r 290fa071842a -r f88c8c79d784 includes/pageprocess.php --- a/includes/pageprocess.php Wed Mar 26 16:51:42 2008 -0400 +++ b/includes/pageprocess.php Wed Mar 26 20:20:22 2008 -0400 @@ -176,9 +176,19 @@ if ( !$this->perms->get_permissions('read') ) { - $this->err_access_denied(); - profiler_log("PageProcessor [{$this->namespace}:{$this->page_id}]: Finished send process"); - return false; + // Permission denied to read page. Is this one of our core pages that must always be allowed? + // NOTE: Not even the administration panel will work if ACLs deny access to it. + if ( $this->namespace == 'Special' && in_array($this->page_id, array('Login', 'Logout', 'LangExportJSON', 'CSS')) ) + { + // Do nothing; allow execution to continue + } + else + { + // Page isn't whitelisted, behave as normal + $this->err_access_denied(); + profiler_log("PageProcessor [{$this->namespace}:{$this->page_id}]: Finished send process"); + return false; + } } $pathskey = $paths->nslist[ $this->namespace ] . $this->page_id; $strict_no_headers = false; diff -r 290fa071842a -r f88c8c79d784 includes/pageutils.php --- a/includes/pageutils.php Wed Mar 26 16:51:42 2008 -0400 +++ b/includes/pageutils.php Wed Mar 26 20:20:22 2008 -0400 @@ -1589,7 +1589,7 @@ global $db, $session, $paths, $template, $plugins; // Common objects global $lang; - if(!$session->get_permissions('edit_acl') && $session->user_level < USER_LEVEL_ADMIN) + if(!$session->get_permissions('edit_acl') && ( $session->user_level < USER_LEVEL_ADMIN || !defined('ACL_ALWAYS_ALLOW_ADMIN_EDIT_ACL')) ) { return Array( 'mode' => 'error', diff -r 290fa071842a -r f88c8c79d784 includes/sessions.php --- a/includes/sessions.php Wed Mar 26 16:51:42 2008 -0400 +++ b/includes/sessions.php Wed Mar 26 20:20:22 2008 -0400 
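Review bot: The read-permission exemption is written as an empty `if` branch with the page list inline, which makes the one place that skips `err_access_denied()` easy to misread and easy to extend by accident. I would invert the test so that only the deny path has a body, and make the lookup strict so a non-string `page_id` can never loosely match an entry: `if ( !( $this->namespace == 'Special' && in_array($this->page_id, array('Login', 'Logout', 'LangExportJSON', 'CSS'), true) ) )`. The list here includes `CSS`, while the `msg_deny_everyone_confirm` string added in language/english/admin.json names only Login, Logout and LangExportJSON, so the warning text and the exemption should be brought into line. The enclosing method starts and ends outside the hunk.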
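Review bot: The rule for who may edit ACLs is now spelled out twice, here as the denial test `!get_permissions('edit_acl') && ( user_level < USER_LEVEL_ADMIN || !defined(...) )` and in includes/template.php as its negation for the Manage ACLs button, and the two have to stay exact complements for the button and the server-side check to agree. This hunk appears to be the check that actually refuses the request, so I would mark it as such, for example `// Authoritative check; the menu button in template.php only mirrors it.` A small shared helper returning the boolean would remove the need to keep the two expressions in step by hand. The enclosing function starts and ends outside the hunk.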
@@ -2696,21 +2696,31 @@ // Decide precedence if ( isset($this->acl_defaults_used[$i]) ) { - //echo "$i: default in use, overriding to: {$perm[$i]}
"; + // echo "$i: default in use, overriding to: {$perm[$i]}
"; // Defaults are in use, override - $this->perms[$i] = $perm[$i]; - $this->acl_defaults_used[$i] = ( $is_everyone ); + + // CHANGED - 1.1.4: + // For some time this has been intentionally relaxed so that the following + // exception is available to Deny permissions: + // If the rule applies to the group "Everyone" on the entire site, + // Deny settings could be overriden. + // This is documented at: http://docs.enanocms.org/Help:4.2 + if ( $this->perms[$i] != AUTH_DENY ) + { + $this->perms[$i] = $perm[$i]; + $this->acl_defaults_used[$i] = ( $is_everyone ); + } } else { - //echo "$i: default NOT in use"; + // echo "$i: default NOT in use"; // Defaults are not in use, merge as normal if ( $this->perms[$i] != AUTH_DENY ) { - //echo ", but overriding"; + // echo ", but overriding"; $this->perms[$i] = $perm[$i]; } - //echo "
"; + // echo "
"; } } } diff -r 290fa071842a -r f88c8c79d784 includes/template.php --- a/includes/template.php Wed Mar 26 16:51:42 2008 -0400 +++ b/includes/template.php Wed Mar 26 20:20:22 2008 -0400 @@ -782,7 +782,7 @@ } // Manage ACLs button - if ( !$paths->anonymous_page && ( $session->get_permissions('edit_acl') || $session->user_level >= USER_LEVEL_ADMIN ) ) + if ( !$paths->anonymous_page && ( $session->get_permissions('edit_acl') || ( defined('ACL_ALWAYS_ALLOW_ADMIN_EDIT_ACL') && $session->user_level >= USER_LEVEL_ADMIN ) ) ) { $menubtn->assign_vars(array( 'FLAGS' => 'onclick="if ( !KILL_SWITCH ) { return ajaxOpenACLManager(); }" title="' . $lang->get('onpage_tip_aclmanager') . '" accesskey="m"', diff -r 290fa071842a -r f88c8c79d784 language/english/admin.json --- a/language/english/admin.json Wed Mar 26 16:51:42 2008 -0400 +++ b/language/english/admin.json Wed Mar 26 20:20:22 2008 -0400 @@ -134,6 +134,7 @@ msg_guest_howto: 'To edit permissions for guests, select "a specific user", and enter Anonymous as the username.', msg_deleterule_confirm: 'Do you really want to delete this rule?', msg_closeacl_confirm: 'Do you really want to close the ACL manager?', + msg_deny_everyone_confirm: 'CAUTION: You are setting a Deny ruling for everyone on this site. This will block the selected actions from being performed at all. Do you really want to do this?\n\nPlease also note that the following core pages will not be blocked from being accessed: Special:Login, Special:Logout, and Special:LangExportJSON.', btn_success_dismiss: 'dismiss', btn_success_close: 'close manager', diff -r 290fa071842a -r f88c8c79d784 plugins/SpecialAdmin.php --- a/plugins/SpecialAdmin.php Wed Mar 26 16:51:42 2008 -0400 +++ b/plugins/SpecialAdmin.php Wed Mar 26 20:20:22 2008 -0400 
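Review bot: The new `CHANGED - 1.1.4` comment describes the old relaxed behaviour in the present tense and never says what the code does now, so a reader can take it to mean the Everyone exception still applies. I would reword it along the lines of `// As of 1.1.4 a Deny is final: it is kept even when it came from the site-wide "Everyone" default, which more specific rules could previously override.` With the added guard both branches apply the same `$this->perms[$i] != AUTH_DENY` test, and the only remaining difference is the `acl_defaults_used[$i]` update, which is worth stating in the comment as well. The enclosing loop and method start outside the hunk.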
@@ -312,7 +312,7 @@ if ( is_dir(ENANO_ROOT . '/' . $_POST['avatar_directory']) ) { - if ( preg_match('/^([A-z0-9_-]+)(\/([A-z0-9_-]+))*$/', $_POST['avatar_directory']) ) + if ( preg_match('/^([A-z0-9_-]+)(\/([A-z0-9_-]+))*\/?$/', $_POST['avatar_directory']) ) { setConfig('avatar_directory', $_POST['avatar_directory']); }
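Review bot: The character class `[A-z]` in the avatar directory pattern also spans the ASCII characters between `Z` and `a`, which include the backslash, `[`, `]`, `^` and the backtick, and `$` without the `D` modifier accepts a value that ends in a line feed. Since this value comes from `$_POST` and is stored as a directory path, I would tighten the new line to `preg_match('/^[A-Za-z0-9_-]+(?:\/[A-Za-z0-9_-]+)*\/?$/D', $_POST['avatar_directory'])`. The `is_dir()` call on the context line above also touches the filesystem with the raw value before it is validated, so the pattern check would be better placed first. The enclosing block starts and ends outside the hunk.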