Merge pull request #261 from splitbrain/acl_tokensubstitution_fixes

Acl tokensubstitution fixes

inc/auth.php

@@ -136,22 +136,30 @@ function auth_loadACL() {
 
     $acl = file($config_cascade['acl']['default']);
 
-    //support user wildcard
     $out = array();
     foreach($acl as $line) {
         $line = trim($line);
         if($line{0} == '#') continue;
         list($id,$rest) = preg_split('/\s+/',$line,2);
 
+        // substitue user wildcard first (its 1:1)
+        if(strstr($line, '%USER%')){
+            // if user is not logged in, this ACL line is meaningless - skip it
+            if (!isset($_SERVER['REMOTE_USER'])) continue;
+
+            $id   = str_replace('%USER%',cleanID($_SERVER['REMOTE_USER']),$id);
+            $rest = str_replace('%USER%',auth_nameencode($_SERVER['REMOTE_USER']),$rest);
+        }
+
+        // substitute group wildcard (its 1:m)
         if(strstr($line, '%GROUP%')){
+            // if user is not logged in, grps is empty, no output will be added (i.e. skipped)
             foreach((array) $USERINFO['grps'] as $grp){
                 $nid   = str_replace('%GROUP%',cleanID($grp),$id);
                 $nrest = str_replace('%GROUP%','@'.auth_nameencode($grp),$rest);
                 $out[] = "$nid\t$nrest";
             }
         } else {
-            $id   = str_replace('%USER%',cleanID($_SERVER['REMOTE_USER']),$id);
-            $rest = str_replace('%USER%',auth_nameencode($_SERVER['REMOTE_USER']),$rest);
             $out[] = "$id\t$rest";
         }
     }

lib/plugins/acl/admin.php

@@ -724,7 +724,7 @@ function _html_checkboxes($setperm,$ispage,$name){
         static $label = 0; //number labels
         $ret = '';
 
-        if($ispage && $setperm > AUTH_EDIT) $perm = AUTH_EDIT;
+        if($ispage && $setperm > AUTH_EDIT) $setperm = AUTH_EDIT;
 
         foreach(array(AUTH_NONE,AUTH_READ,AUTH_EDIT,AUTH_CREATE,AUTH_UPLOAD,AUTH_DELETE) as $perm){
             $label += 1;