[pmwiki-users] hide links for certain groups

Vince Administration vadmin at math.uconn.edu
Thu Mar 31 17:57:01 CDT 2011


On Mar 31, 2011, at 6:05 PM, Randy Brown wrote:

> If you are simply trying to hide a link that won't work anyway for a user, a conditional test is fine. But if your goal is security, you need to set the page's permissions appropriately.
> 
> If a page has read permission authorized for all, all users will be able to read it even if they don't see the link in your sidebar. For example if UnauthorizedUser guesses the page name, or does a search for pages and it appears in the list, or looks at the All Recent Changes page and sees the link, he or she will find and read the page whose sidebar link you are hiding. 
> 
> Similarly, if you make content on a page display only for authorized users via a conditional like (:if authgroup xxx:), users who have permission for action=source will be able to extract the lines you are trying to hide. To repeat: the only secure way to block read access to a page is through setting the page's read permission appropriately. 
> 
> Randy
> 
> On Mar 31, 2011, at 3:01 PM, Robert Matthews wrote:
> 
>> Yes, this is basically what I want to do... can you show me a line of
>> code that I can insert into config.php to check which AD group a user
>> belongs to?
> 
IIUC, what RM wants is how to detect AD groups in config.php.  This will depend on his setup.  For us, in config.php we have:
 if (TestGroupMembership($user,"colloquium"))
        { $AuthList["@Colloquium"]=1;
          $Colloquium=1;
        }
for example for the colloquium group.

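The PHP function TestGroupMembership looks like:
function TestGroupMembership($username,$group)
{
  $debug=0;
  // escapeshellarg() quotes each value so the shell hands it to dseditgroup
  // as one literal argument, whatever characters it contains.
  $command="dseditgroup -o checkmember -m ".escapeshellarg($username)." ".escapeshellarg($group)."|cut -d\  -f 1";
  // exec() returns the last line of the command's output.
  $status=exec($command);
  if( $debug) echo "Status = $status\n";

  // A first word of "yes" is treated as membership.
  $membership=$status=="yes";
  if($debug)echo $membership;
  return ($membership);
}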

The dseditgroup seems to be an LDAP command, but somehow you have to read the OD information.
Good Luck.
   Vince



