I currently have a wiki set up with the Vector template, which supports "Closed Wiki." The benefit of that is that the links I have in the sidebar that point to pages protected with ACLs don't even show up in the sidebar until someone logs in.
I'm trying to recreate something similar with the sidebar and the bootstrap3 template and it appears that the sidebar isn't being checked against ACLs. My goal is to only show the sidebar when someone is logged in. For the purpose of showing my issue I have kept it very simple.
Config:
config»sidebar = :internal:sidebar
tpl»bootstrap3»sidebarPosition = left
ACL:
Namespace *. @ALL. Permission: Read. This allows users that aren't logged in to see everything in the root namespace.
Namespace internal:*. @ALL. Permission: None. This should lock everyone out of anything in the internal namespace, which is where my sidebar is configured at.
Expected behavior: If I browse to the site and I'm not logged in I should see the main page but no sidebar.
Actual behavior: Browsing to the main page allows me to see the sidebar even though I'm not logged in. Browsing manually to http://mywiki.com/internal/sidebar does give me permission denied, so the ACL itself is working.
I have never done anything with DokuWiki's underlying code or plugin/template creation, but I know PHP. I did a quick dig through the bootstrap3 template source and found tpl_functions.php and the following switch case:
case 'showSidebar':
    if ($ACT !== 'show') return false;
    if (bootstrap3_conf('showLandingPage')) return false;
    return page_findnearest($conf['sidebar'], bootstrap3_conf('useACL'));
That seems to indicate that it is loading the sidebar with ACL rules, but I could be looking in the completely wrong place since I haven't looked into any of the development docs. This seems like a security issue/bug, but I wanted to post and see if anyone has any ideas. Thanks.
Brent
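
An added example, not part of the original post and not DokuWiki or bootstrap3 code: a self-contained model of the two ACL rules above and of a sidebar lookup whose ACL check is switched by a boolean, as the second argument in the quoted snippet appears to do. The helper names, the page list and the most-specific-rule-wins matching are assumptions made for illustration.

```php
<?php
// Simplified stand-in for the ACL table: [scope, group, permission].
// The two rules from the post; 0 = none, 1 = read.
const ACL_RULES = [
    ['*',          '@ALL', 1],
    ['internal:*', '@ALL', 0],
];

// Constructed list of pages that exist in this model wiki.
const PAGES = ['start', 'internal:sidebar'];

// Hypothetical helper: the longest matching namespace scope decides.
function acl_level(string $id, array $groups): int
{
    $best = 0;
    $bestLen = -1;
    foreach (ACL_RULES as [$scope, $group, $perm]) {
        if (!in_array($group, $groups, true)) {
            continue;
        }
        $prefix = rtrim($scope, '*');   // '' for the root rule, 'internal:' otherwise
        if (strncmp($id, $prefix, strlen($prefix)) !== 0) {
            continue;
        }
        if (strlen($prefix) > $bestLen) {
            $bestLen = strlen($prefix);
            $best = $perm;
        }
    }
    return $best;
}

// Hypothetical model of the lookup: returns the page id to render, or false.
// $useAcl plays the role of the flag passed as the second argument.
function find_sidebar(string $page, bool $useAcl, array $groups)
{
    $id = ltrim($page, ':');
    if (!in_array($id, PAGES, true)) {
        return false;                   // page does not exist
    }
    if ($useAcl && acl_level($id, $groups) < 1) {
        return false;                   // reader lacks read permission
    }
    return $id;
}

$anonymous = ['@ALL'];
var_dump(find_sidebar(':internal:sidebar', false, $anonymous)); // ACL check skipped
var_dump(find_sidebar(':internal:sidebar', true, $anonymous));  // ACL check enforced
```

With the flag off, the model resolves the sidebar page for an anonymous reader even though direct access to the same page is denied, which matches the behaviour described in the post; checking the value that bootstrap3_conf('useACL') returns on the affected wiki is the corresponding test.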