Item11410: Implement USERINFOisTooRestrictive fix

USERINFO macro can reveal Wikiname, and also whether or not the user is a group. git-svn-id: http://svn.foswiki.org/trunk@13561 0b4bb1d4-4e5a-0410-9cc4-b2b747904278
foswiki · Jan 8, 2012 · 8fac51b · 8fac51b
1 parent 2ea1c25
commit 8fac51b
Show file tree

Hide file tree

Showing 2 changed files with 68 additions and 5 deletions.
diff --git a/UnitTestContrib/test/unit/Fn_USERINFO.pm b/UnitTestContrib/test/unit/Fn_USERINFO.pm
@@ -98,6 +98,58 @@ HERE
     return;
 }
 
+sub test_antispam {
+    my $this = shift;
+    my $testformat =
+'W$wikiusernameU$wikinameN$usernameE$emailsG$groupsA$adminIA$isadminIG$isgroupE$bogustoken nop$nopnop $percent $quot $comma$n$n()ewline $lt $gt $amp $dollar';
+
+    $Foswiki::cfg{AntiSpam}{HideUserDetails} = 1;
+
+# ScumBag should only see his own information
+    $this->createNewFoswikiSession( "ScumBag" );
+    my $ui = $this->{test_topicObject}->expandMacros(<<"HERE");
+%USERINFO{"ScumBag" format="$testformat"}%
+HERE
+    $this->assert_str_equals( <<"HERE", $ui );
+W$Foswiki::cfg{UsersWebName}.ScumBagUScumBagNscumEscumbag\@example.comGFriendsOfFriendsOfGropeGroup, FriendsOfGropeGroup, GropeGroupAfalseIAfalseIGfalseE\$bogustoken nopnop % " ,
+
+ewline < > & \$
+HERE
+
+    my $guest_ui = $this->{test_topicObject}->expandMacros(<<"HERE");
+%USERINFO{"WikiGuest" format="$testformat"}%
+HERE
+
+#'W$wikiusernameU$wikinameN$usernameE$emailsG$groupsA$adminIA$isadminIG$isgroupE$bogustoken nop$nopnop $percent $quot $comma$n$n()ewline $lt $gt $amp $dollar';
+    $this->assert_str_equals( <<"HERE", $guest_ui );
+W$Foswiki::cfg{UsersWebName}.WikiGuestUWikiGuestNEGAIAIGfalseE\$bogustoken nopnop % " ,
+
+ewline < > & \$
+HERE
+
+# Admin user should see everything
+    $this->createNewFoswikiSession( $Foswiki::cfg{AdminUserLogin} );
+    $ui = $this->{test_topicObject}->expandMacros(<<"HERE");
+%USERINFO{"ScumBag" format="$testformat"}%
+HERE
+    $this->assert_str_equals( <<"HERE", $ui );
+W$Foswiki::cfg{UsersWebName}.ScumBagUScumBagNscumEscumbag\@example.comGFriendsOfFriendsOfGropeGroup, FriendsOfGropeGroup, GropeGroupAfalseIAfalseIGfalseE\$bogustoken nopnop % " ,
+
+ewline < > & \$
+HERE
+
+    $guest_ui = $this->{test_topicObject}->expandMacros(<<"HERE");
+%USERINFO{"WikiGuest" format="$testformat"}%
+HERE
+    $this->assert_str_equals( <<"HERE", $guest_ui );
+W$Foswiki::cfg{UsersWebName}.WikiGuestUWikiGuestNguestEGBaseGroup, FriendsOfFriendsOfGropeGroup, FriendsOfGropeGroup, GropeGroupAfalseIAfalseIGfalseE\$bogustoken nopnop % " ,
+
+ewline < > & \$
+HERE
+
+    return;
+}
+
 sub test_isgroup {
     my $this = shift;
     my $testformat =

diff --git a/core/lib/Foswiki/Macros/USERINFO.pm b/core/lib/Foswiki/Macros/USERINFO.pm
@@ -5,11 +5,15 @@ use strict;
 use warnings;
 use Assert;
 
+# Set to true if user details should be cloaked.   Selected tokens will return an empty string.
+my $USERINFO_cloak = 0;
+
 my %USERINFO_tokens = (
     username => sub {
         my ( $this, $user ) = @_;
-        my $username = $this->{users}->getLoginName($user);
+        return '' if ($USERINFO_cloak);
 
+        my $username = $this->{users}->getLoginName($user);
         $username = 'unknown' unless defined $username;
 
         return $username;
@@ -19,6 +23,7 @@ my %USERINFO_tokens = (
     cUID => sub {
         my ( $this, $user ) = @_;
 
+        return '' if ($USERINFO_cloak);
         return $user;
     },
     wikiname => sub {
@@ -41,11 +46,14 @@ my %USERINFO_tokens = (
     emails => sub {
         my ( $this, $user ) = @_;
 
+        return '' if ($USERINFO_cloak);
         return join( ', ', $this->{users}->getEmails($user) );
     },
     groups => sub {
         my ( $this, $user ) = @_;
         my @groupNames;
+        return '' if ($USERINFO_cloak);
+
         my $it = $this->{users}->eachMembership($user);
 
         while ( $it->hasNext() ) {
@@ -60,13 +68,15 @@ my %USERINFO_tokens = (
     admin => sub {
         my ( $this, $user ) = @_;
 
+        return '' if ($USERINFO_cloak);
         return $this->{users}->isAdmin($user) ? 'true' : 'false';
     },
 
     # Item2466: $isadmin & $isgroup added November 2011
     isadmin => sub {
         my ( $this, $user ) = @_;
 
+        return '' if ($USERINFO_cloak);
         return $this->{users}->isAdmin($user) ? 'true' : 'false';
     },
     isgroup => sub {
@@ -100,10 +110,11 @@ sub USERINFO {
             $user = $cuid;
         }
         return '' unless $user;
-        return ''
-          if ( $Foswiki::cfg{AntiSpam}{HideUserDetails}
-            && !$this->{users}->isAdmin( $this->{user} )
-            && $user ne $this->{user} );
+
+        $USERINFO_cloak =
+          (      $Foswiki::cfg{AntiSpam}{HideUserDetails}
+              && !$this->{users}->isAdmin( $this->{user} )
+              && $user ne $this->{user} );
     }
 
     return '' unless $user;