Item13847: Users::isInUserList: does not work with cUID entries

ACL checks go through, eventually, Foswiki::Users::isInUserList. This works by iterating over the list, converting each entry to a cUID, and comparing that against the target user's cUID.

This is all perfect if the list does not contain any cUIDs, but if it does, the conversion can fail (the cUID is not a valid WikiName or login name and its cUID-ness is not checked) and then the entry resolves to UnknownUser. So, cUIDs can end up not working in ACLs.

There are two straightforward ways to change this:

• Do an extra comparison against the raw list entry (which will succeed if the entry is a cUID or happens to be identical to the user's WikiName or login name)
• Change the cUID conversion to use Foswiki::Func::getCanonicalUserID instead of $this->getCanonicalUserID because the former includes a check to allow for a cUID as input.

Patch 1:

--- a/lib/Foswiki/Users.pm        2015-11-11 11:49:30.745086162 +0100
+++ b/lib/Foswiki/Users.pm        2015-11-11 11:31:50.311639693 +0100
@@ -650,6 +650,7 @@
         if ( $ident eq '*' ) {
             return 1;
         }
+        return 1 if ( $ident eq $cUID );
 
         my $identCUID = $this->getCanonicalUserID($ident);
 

Patch 2:

--- a/lib/Foswiki/Users.pm        2015-11-11 11:49:30.745086162 +0100
+++ b/lib/Foswiki/Users.pm        2015-11-11 16:43:00.980076136 +0100
@@ -651,7 +651,7 @@
             return 1;
         }
 
-        my $identCUID = $this->getCanonicalUserID($ident);
+        my $identCUID = Foswiki::Func::getCanonicalUserID($ident);
 
         if ( defined $identCUID ) {
             return 1 if ( $identCUID eq $cUID );

-- JanKrueger - 11 Nov 2015

Confirming.

-- GeorgeClark - 02 Dec 2016

Commenting is disabled while not logged in