From 32a152689037a7de3e94e120e4163d56cfd5cc61 Mon Sep 17 00:00:00 2001 From: jengo Date: Tue, 4 Sep 2001 04:26:51 +0000 Subject: [PATCH] - Groups and accounts now fully check ACL rights for each section - Admins can only grant as much access as they already have - Removed Header() calls and replaced them with direct ui calls --- admin/inc/class.boaccounts.inc.php | 129 ++++++++++++--------------- admin/inc/class.uiaccounts.inc.php | 107 ++++++++++++++++++---- admin/inc/class.uiaclmanager.inc.php | 60 +++++++------ admin/inc/hook_acl_manager.inc.php | 2 +- admin/templates/default/groups.tpl | 6 +- 5 files changed, 184 insertions(+), 120 deletions(-) diff --git a/admin/inc/class.boaccounts.inc.php b/admin/inc/class.boaccounts.inc.php index 5422de1780..bdfb1338ce 100755 --- a/admin/inc/class.boaccounts.inc.php +++ b/admin/inc/class.boaccounts.inc.php @@ -13,6 +13,8 @@ class boaccounts { + var $ui; + var $so; var $public_functions = array( 'add_group' => True, 'add_user' => True, @@ -22,11 +24,16 @@ 'edit_user' => True ); - var $so; - - function boaccounts() + function boaccounts($dont_load_ui = False) { $this->so = createobject('admin.soaccounts'); + + // This is to prevent an infinite loop which ends up segfaulting PHP and will drive + // you crazy for hours tring to track it down. (jengo) + if (! $dont_load_ui) + { + $this->ui = createobject('admin.uiaccounts'); + } } function account_total($account_type,$query='') 
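Review bot: `$this->ui` is assigned only when `$dont_load_ui` is false, yet every denied-ACL branch added later in this patch (delete_group, delete_user, add_group, add_user, edit_group, edit_user) dereferences `$this->ui`, so a boaccounts instance that uiaccounts builds with `True` would fail on a missing object if one of those methods were ever reached through it. The constructor comment should spell out that contract, e.g. `// $this->ui stays unset when $dont_load_ui is True; bo methods that fall back to $this->ui->list_*() must only run on an instance built without that flag.` (and "tring" reads "trying"). Since `public_functions` presumably exposes these bo methods directly via menuaction, the ACL checks placed in them, not the uiaccounts ones, are the enforcement point, which is worth stating in the same comment.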
@@ -36,10 +43,10 @@ function delete_group() { - if (!@isset($GLOBALS['HTTP_POST_VARS']['account_id']) || !@$GLOBALS['HTTP_POST_VARS']['account_id']) + if (!@isset($GLOBALS['HTTP_POST_VARS']['account_id']) || !@$GLOBALS['HTTP_POST_VARS']['account_id'] || $GLOBALS['phpgw']->acl->check('group_access',32,'admin')) { - Header('Location: ' . $GLOBALS['phpgw']->link('/index.php','menuaction=admin.uiaccounts.list_groups')); - $GLOBALS['phpgw']->common->phpgw_exit(); + $this->ui->list_groups(); + return False; } $account_id = intval($GLOBALS['HTTP_POST_VARS']['account_id']); @@ -74,23 +81,17 @@ $GLOBALS['phpgw']->db->unlock(); - Header('Location: ' . $GLOBALS['phpgw']->link('/index.php', - Array( - 'menuaction' => 'admin.uiaccounts.list_groups', - 'cd' => $cd - ) - ) - ); - $GLOBALS['phpgw']->common->phpgw_exit(); + $this->ui->list_accounts(); + return False; + } function delete_user() { - if(isset($GLOBALS['HTTP_POST_VARS']['cancel'])) + if (isset($GLOBALS['HTTP_POST_VARS']['cancel']) || $GLOBALS['phpgw']->acl->check('account_access',32,'admin')) { - Header('Location: '.$GLOBALS['phpgw']->link('/index.php','menuaction=admin.uiaccounts.list_users')); - $GLOBALS['phpgw']->common->phpgw_exit(); - + $this->ui->list_users(); + return False; } elseif($GLOBALS['HTTP_POST_VARS']['delete_account']) { @@ -127,19 +128,19 @@ $cd = 29; } - Header('Location: ' . $GLOBALS['phpgw']->link('/index.php', - Array( - 'menuaction' => 'admin.uiaccounts.list_users', - 'cd' => $cd - ) - ) - ); - $GLOBALS['phpgw']->common->phpgw_exit(); + $this->ui->list_users(); + return False; } } function add_group() { + if ($GLOBALS['phpgw']->acl->check('group_access',4,'admin')) + { + $this->ui->list_groups(); + return False; + } + $temp_users = ($GLOBALS['HTTP_POST_VARS']['account_user']?$GLOBALS['HTTP_POST_VARS']['account_user']:Array()); $account_user = Array(); @reset($temp_users); 
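Review bot: The ACL bit numbers (`32` in this guard, `4`, `16` in the other hunks of this file and `1`, `2`, `8` in uiaccounts) are undocumented, and a truthy `acl->check()` result is treated as *denied*, the inverse of what a reader expects, as the `! check(...)` → `$can_edit = True` pattern in uiaccounts::list_groups shows. Add a comment at this first use, e.g. `// admin ACL bits are deny flags: 1 list, 2 search, 4 add, 8 view, 16 edit, 32 delete; check() is true when the bit is set for this admin`, after confirming the mapping against hook_acl_manager.inc.php, which this commit changes but which is not shown here; better still, give the bits names with `define()`. The same note applies to the add_group, add_user, edit_group and edit_user guards in this file and to list_groups, list_users, add_group, delete_group and edit_group in uiaccounts.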
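Review bot: `$this->ui->list_accounts()` replaces a redirect to `admin.uiaccounts.list_groups`, but no `list_accounts` method appears among the uiaccounts methods in this patch (only `list_groups` and `list_users`), so the post-delete path of delete_group most likely calls a method that does not exist; it should read `$this->ui->list_groups();`. The same replacement drops the `'cd' => $cd` status code although `$cd` is still computed and `list_users($param_cd='')` accepts it, so the result message shown to the user is lost; in delete_user pass it, `$this->ui->list_users($cd);`, and likewise in the add_user, edit_group and edit_user hunks that remove `'cd' => $cd`. As visible here `list_groups()` takes no parameter and reads `$GLOBALS['cd']` from the request instead, so carrying `$cd` into it needs an equivalent.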
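Review bot: Replacing the `Header('Location: …')` plus `phpgw_exit()` pair with `$this->ui->list_users(); return False;` renders the listing inside the POST response, so a browser refresh on that page re-submits the delete (the redirect-after-post behaviour is gone), and the request no longer terminates but relies on the menuaction dispatcher doing nothing after `return False`. Whether the dispatcher continues cannot be verified from this patch; if it does, state-changing handlers such as delete_user should still end with `$GLOBALS['phpgw']->common->phpgw_exit();`. The same pattern is used by every Header() replacement in this file and by uiaccounts::delete_group.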
@@ -250,18 +251,18 @@ $GLOBALS['phpgw']->db->unlock(); - Header('Location: ' . $GLOBALS['phpgw']->link('/index.php', - Array( - 'menuaction' => 'admin.uiaccounts.list_groups', - 'cd' => $cd - ) - ) - ); - $GLOBALS['phpgw']->common->phpgw_exit(); + $this->ui->list_groups(); + return False; } function add_user() { + if ($GLOBALS['phpgw']->acl->check('account_access',4,'admin')) + { + $this->ui->list_users(); + return False; + } + if ($GLOBALS['HTTP_POST_VARS']['submit']) { $userData = array( @@ -386,14 +387,8 @@ $GLOBALS['phpgw']->common->hook_single('add_user_data', $value); } */ - Header('Location: ' . $GLOBALS['phpgw']->link('/index.php', - Array( - 'menuaction' => 'admin.uiaccounts.list_users', - 'cd' => $cd - ) - ) - ); - $GLOBALS['phpgw']->common->phpgw_exit(); + $this->ui->list_users(); + return False; } else { @@ -403,13 +398,19 @@ } else { - Header('Location: '.$GLOBALS['phpgw']->link('/index.php','menuaction=admin.uiaccounts.list_users')); - $GLOBALS['phpgw']->common->phpgw_exit(); + $this->ui->list_users(); + return False; } } function edit_group() { + if ($GLOBALS['phpgw']->acl->check('group_access',16,'admin')) + { + $this->ui->list_groups(); + return False; + } + $temp_users = ($GLOBALS['HTTP_POST_VARS']['account_user']?$GLOBALS['HTTP_POST_VARS']['account_user']:Array()); $account_user = Array(); @reset($temp_users); @@ -566,18 +567,18 @@ $GLOBALS['phpgw']->db->unlock(); - Header('Location: ' . $GLOBALS['phpgw']->link('/index.php', - Array( - 'menuaction' => 'admin.uiaccounts.list_groups', - 'cd' => $cd - ) - ) - ); - $GLOBALS['phpgw']->common->phpgw_exit(); + $this->ui->list_groups(); + return False; } function edit_user() { + if ($GLOBALS['phpgw']->acl->check('account_access',16,'admin')) + { + $this->ui->list_users(); + return False; + } + if ($GLOBALS['HTTP_POST_VARS']['submit']) { $userData = array( 
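Review bot: The `account_access` add guard (bit 4) lands in the bo entry point, but the uiaccounts side of this patch adds guards only to add_group, delete_group and edit_group; no hunk for uiaccounts::add_user, edit_user or delete_user is visible, so the user forms may still be displayed to a denied admin and only the submit is rejected here. If those ui methods exist without a guard, mirror this one there, `if ($GLOBALS['phpgw']->acl->check('account_access',4,'admin')) { $this->list_users(); return False; }`, so that what the UI offers and what the bo enforces agree; the same applies to the edit_user guard in the @@ -566 hunk. The diffstat lists 107 additions to uiaccounts, so some of this may simply fall outside the shown hunks.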
@@ -608,31 +609,19 @@ $menuClass = CreateObject('admin.uimenuclass'); if (!$menuClass->createHTMLCode('edit_user')) { - Header('Location: ' . $GLOBALS['phpgw']->link('/index.php', - Array( - 'menuaction' => 'admin.uiaccounts.list_users', - 'cd' => $cd - ) - ) - ); - $GLOBALS['phpgw']->common->phpgw_exit(); + $this->ui->list_users(); + return False; } else { - $linkdata = Array( - 'menuaction' => 'admin.uiaccounts.edit_user', - 'cd' => $cd, - 'account_id' => $GLOBALS['HTTP_GET_VARS']['account_id'] - ); - Header('Location: ' . $GLOBALS['phpgw']->link('/index.php', $linkdata)); - - $GLOBALS['phpgw']->common->phpgw_exit(); + $this->ui->edit_user($GLOBALS['HTTP_GET_VARS']['account_id']); + return False; } } else { - $ui = createobject('admin.uiaccounts'); - $ui->create_edit_user($userData['account_id'],$userData,$errors); +// $ui = createobject('admin.uiaccounts'); + $this->ui->create_edit_user($userData['account_id'],$userData,$errors); } } } diff --git a/admin/inc/class.uiaccounts.inc.php b/admin/inc/class.uiaccounts.inc.php index e042242990..5e80f9d8b0 100755 --- a/admin/inc/class.uiaccounts.inc.php +++ b/admin/inc/class.uiaccounts.inc.php @@ -31,7 +31,7 @@ function uiaccounts() { - $this->bo = createobject('admin.boaccounts'); + $this->bo = createobject('admin.boaccounts',True); $this->nextmatchs = createobject('phpgwapi.nextmatchs'); } @@ -45,6 +45,10 @@ function list_groups() { + if ($GLOBALS['phpgw']->acl->check('group_access',1,'admin')) + { + $GLOBALS['phpgw']->redirect($GLOBALS['phpgw']->link('/admin/index.php')); + } $GLOBALS['cd'] = ($GLOBALS['HTTP_GET_VARS']['cd']?$GLOBALS['HTTP_GET_VARS']['cd']:0); 
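Review bot: `$this->ui->edit_user($GLOBALS['HTTP_GET_VARS']['account_id'])` passes the account id as the first argument, while the sibling `uiaccounts::edit_group($cd='',$account_id='')` shown later in this patch takes the status code first; if edit_user has the same parameter order, the id lands in `$cd` and the method only works because it falls back to `HTTP_GET_VARS['account_id']` itself. Call it with both positions explicit, `$this->ui->edit_user($cd, $GLOBALS['HTTP_GET_VARS']['account_id']);`, or confirm edit_user's signature. The commented-out `// $ui = createobject('admin.uiaccounts');` line should be deleted rather than kept. edit_user's body begins before this hunk.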
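Review bot: After `$GLOBALS['phpgw']->redirect(...)` on a denied `group_access` bit 1, list_groups continues into building the listing unless redirect() itself ends the request, which this patch does not show; the bo counterparts all follow their fallback with an explicit `return False;`. Add the same here so the group list is never assembled for a denied admin: `$GLOBALS['phpgw']->redirect($GLOBALS['phpgw']->link('/admin/index.php')); return False;`. list_groups continues past this hunk.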
@@ -62,7 +66,16 @@ $p->set_block('groups','row','row'); $p->set_block('groups','row_empty','row_empty'); - $total = $this->bo->account_total('g',$query); + if ($GLOBALS['phpgw']->acl->check('group_access',2,'admin')) + { + $total = $this->bo->account_total('g'); + $account_info = $GLOBALS['phpgw']->accounts->get_list('groups',$start,$sort, $order, '', $total); + } + else + { + $total = $this->bo->account_total('g',$query); + $account_info = $GLOBALS['phpgw']->accounts->get_list('groups',$start,$sort, $order, $query, $total); + } $url = $GLOBALS['phpgw']->link('/index.php'); @@ -76,8 +89,6 @@ 'header_delete' => lang('Delete') ); $p->set_var($var); - - $account_info = $GLOBALS['phpgw']->accounts->get_list('groups',$start,$sort, $order, $query, $total); if (!count($account_info)) { 
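Review bot: The two branches differ only in whether `$query` is forwarded, so the `account_total` and `get_list` calls are duplicated; compute the effective query once and make a single call: `$q = $GLOBALS['phpgw']->acl->check('group_access',2,'admin') ? '' : $query;` then `$total = $this->bo->account_total('g',$q);` and `$account_info = $GLOBALS['phpgw']->accounts->get_list('groups',$start,$sort,$order,$q,$total);`. The same shape is repeated in the list_users hunk at @@ -137. Note that a denied admin silently gets the unfiltered list with no indication the term was ignored; list_users at least replaces `input_search`, and list_groups does the same further down, so the behaviour is consistent but worth a one-line comment at this point.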
@@ -86,28 +97,70 @@ } else { + if (! $GLOBALS['phpgw']->acl->check('group_access',8,'admin')) + { + $can_view = True; + } + + if (! $GLOBALS['phpgw']->acl->check('group_access',16,'admin')) + { + $can_edit = True; + } + + if (! $GLOBALS['phpgw']->acl->check('group_access',32,'admin')) + { + $can_delete = True; + } + while (list($null,$account) = each($account_info)) { $tr_color = $this->nextmatchs->alternate_row_color($tr_color); $var = Array( 'tr_color' => $tr_color, 'group_name' => (!$account['account_lid']?' ':$account['account_lid']), - 'edit_link' => $this->row_action('edit','group',$account['account_id']), 'delete_link' => $this->row_action('delete','group',$account['account_id']) ); $p->set_var($var); - $p->parse('rows','row',True); + + if ($can_edit) + { + $p->set_var('edit_link',$this->row_action('edit','group',$account['account_id'])); + } + else + { + $p->set_var('edit_link',' '); + } + + if ($can_delete) + { + $p->set_var('delete_link',$this->row_action('delete','group',$account['account_id'])); + } + else + { + $p->set_var('delete_link',' '); + } + + $p->fp('rows','row',True); } } $var = Array( 'new_action' => $GLOBALS['phpgw']->link('/index.php','menuaction=admin.uiaccounts.add_group'), - 'lang_add' => lang('add'), 'search_action' => $GLOBALS['phpgw']->link('/index.php','menuaction=admin.uiaccounts.list_groups'), - 'lang_search' => lang('search') ); $p->set_var($var); - $p->pparse('out','list'); + + if (! $GLOBALS['phpgw']->acl->check('group_access',4,'admin')) + { + $p->set_var('input_add',''); + } + + if (! $GLOBALS['phpgw']->acl->check('group_access',2,'admin')) + { + $p->set_var('input_search',lang('Search') . ' '); + } + + $p->pfp('out','list'); } function list_users($param_cd='') 
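Review bot: `$can_view`, `$can_edit` and `$can_delete` are only ever set to True, so in the denied case `if ($can_edit)` and `if ($can_delete)` read an uninitialized variable, which works by accident and raises a notice under E_NOTICE; `$can_view` is also computed but never used in this hunk. Initialize them before the checks, `$can_view = $can_edit = $can_delete = False;`, and either use `$can_view` or drop it. The `'delete_link' => $this->row_action('delete','group',$account['account_id'])` entry in the `$var` array is computed for every row and then overwritten by the `$can_delete` branch, so it should be removed the way `edit_link` was. Hiding the links is presentation only; the enforcing checks are the ones added in boaccounts::delete_group and edit_group.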
@@ -137,7 +190,16 @@ $p->set_block('accounts','row','row'); $p->set_block('accounts','row_empty','row_empty'); - $total = $this->bo->account_total('u',$query); + if ($GLOBALS['phpgw']->acl->check('account_access',2,'admin')) + { + $total = $this->bo->account_total('u'); + $account_info = $GLOBALS['phpgw']->accounts->get_list('accounts',$start,$sort,$order,''); + } + else + { + $total = $this->bo->account_total('u',$query); + $account_info = $GLOBALS['phpgw']->accounts->get_list('accounts',$start,$sort,$order,$query); + } $url = $GLOBALS['phpgw']->link('/index.php'); @@ -169,8 +231,6 @@ $p->set_var('input_search',lang('Search') . ' '); } - $account_info = $GLOBALS['phpgw']->accounts->get_list('accounts',$start,$sort,$order,$query); - if (! count($account_info)) { $p->set_var('message',lang('No matchs found')); @@ -238,6 +298,12 @@ function add_group() { + if ($GLOBALS['phpgw']->acl->check('group_access',4,'admin')) + { + $this->list_groups(); + return False; + } + $group_info = Array( 'account_id' => $GLOBALS['HTTP_GET_VARS']['account_id'], 'account_name' => '', @@ -261,9 +327,10 @@ function delete_group() { - if (!@isset($GLOBALS['HTTP_GET_VARS']['account_id']) || !@$GLOBALS['HTTP_GET_VARS']['account_id']) + if (!@isset($GLOBALS['HTTP_GET_VARS']['account_id']) || !@$GLOBALS['HTTP_GET_VARS']['account_id'] || $GLOBALS['phpgw']->acl->check('group_access',32,'admin')) { - Header('Location: ' . $GLOBALS['phpgw']->link('/index.php','menuaction=admin.uiaccounts.list_groups')); + $this->list_groups(); + return False; } unset($GLOBALS['phpgw_info']['flags']['noheader']); @@ -377,6 +444,12 @@ function edit_group($cd='',$account_id='') { + if ($GLOBALS['phpgw']->acl->check('group_access',16,'admin')) + { + $this->list_groups(); + return False; + } + $cdid = $cd; settype($cd,'integer'); $cd = ($GLOBALS['HTTP_GET_VARS']['cd']?$GLOBALS['HTTP_GET_VARS']['cd']:intval($cdid)); 
@@ -386,10 +459,10 @@ $account_id = ($GLOBALS['HTTP_GET_VARS']['account_id']?$GLOBALS['HTTP_GET_VARS']['account_id']:intval($accountid)); // todo - // not needed if i use the same file for new users too - if (!$account_id) + // not needed if i use the same file for new groups too + if (! $account_id) { - Header('Location: ' . $GLOBALS['phpgw']->link('/index.php','menuaction=admin.uiaccounts.list_groups')); + $this->list_groups(); } else { diff --git a/admin/inc/class.uiaclmanager.inc.php b/admin/inc/class.uiaclmanager.inc.php index 7e078a8a83..ede189d98f 100644 --- a/admin/inc/class.uiaclmanager.inc.php +++ b/admin/inc/class.uiaclmanager.inc.php @@ -51,7 +51,6 @@ while (is_array($GLOBALS['acl_manager']) && list($app,$locations) = each($GLOBALS['acl_manager'])) { - $icon = $GLOBALS['phpgw']->common->image($app,array('navbar.gif',$app.'.gif')); $this->template->set_var('icon_backcolor',$GLOBALS['phpgw_info']['theme']['row_off']); $this->template->set_var('link_backcolor',$GLOBALS['phpgw_info']['theme']['row_off']); 
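Review bot: Removing the `$icon` assignment leaves any later read of `$icon` in the loop undefined; the `app_row_noicon` branch visible in the next hunk suggests a sibling branch that renders an icon, and if that branch still sets a template variable from `$icon` it now renders empty. Confirm the variable is unused in the rest of the loop body, which continues past this hunk, before dropping it, or keep the assignment.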
@@ -68,32 +67,29 @@ $this->template->fp('rows','app_row_noicon',True); } - if (is_array($locations['deny'])) - { - $link_values = array( - 'menuaction' => 'admin.uiaclmanager.access_form', - 'location' => urlencode(base64_encode('deny')), - 'acl_app' => $app, - 'account_id' => $GLOBALS['account_id'] - ); - - $this->template->set_var('link_location',$GLOBALS['phpgw']->link('/index.php',$link_values)); - $this->template->set_var('lang_location',lang('Deny access')); - $this->template->fp('rows','link_row',True); - } - while (is_array($locations) && list($loc,$value) = each($locations)) { - $link_values = array( - 'menuaction' => 'admin.uiaclmanager.access_form', - 'location' => urlencode(base64_encode($loc)), - 'acl_app' => $app, - 'account_id' => $GLOBALS['account_id'] - ); + $total_rights = 0; + while (list($k,$v) = each($value['rights'])) + { + $total_rights += $v; + } + reset($value['rights']); - $this->template->set_var('link_location',$GLOBALS['phpgw']->link('/index.php',$link_values)); - $this->template->set_var('lang_location',lang($value['name'])); - $this->template->fp('rows','link_row',True); + // If all of there rights are denied, then they shouldn't even see the option + if ($total_rights != $GLOBALS['phpgw']->acl->get_rights($loc,$app)) + { + $link_values = array( + 'menuaction' => 'admin.uiaclmanager.access_form', + 'location' => urlencode(base64_encode($loc)), + 'acl_app' => $app, + 'account_id' => $GLOBALS['account_id'] + ); + + $this->template->set_var('link_location',$GLOBALS['phpgw']->link('/index.php',$link_values)); + $this->template->set_var('lang_location',lang($value['name'])); + $this->template->fp('rows','link_row',True); + } } $this->template->parse('rows','spacer_row',True); 
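Review bot: `$total_rights` is the arithmetic sum of the rights values and is compared with `!=` against the admin's own mask from `acl->get_rights($loc,$app)`, so the "all rights denied" test only holds when every entry in `$value['rights']` is a distinct bit and the mask carries no other bits; a duplicated value or an extra bit makes a fully denied admin see the option again. Build the mask with `$total_rights |= $v;` in the loop, then test containment with `$mine = $GLOBALS['phpgw']->acl->get_rights($loc,$app);` and `if (($mine & $total_rights) != $total_rights)` as the condition. The comment should read `// If all of their rights are denied, they shouldn't even see the option`. Dropping the separate "Deny access" link block changes what this page lets an admin reach, so confirm that location is now served by the generic loop.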
@@ -124,23 +120,29 @@ ); $acl = createobject('phpgwapi.acl',$GLOBALS['account_id']); + $acl->read_repository(); $this->template->set_var('form_action',$GLOBALS['phpgw']->link('/index.php',$link_values)); $this->template->set_var('lang_title',lang('ACL Manager')); + $total = 0; while (list($name,$value) = each($acl_manager['rights'])) { $grants = $acl->get_rights($location,$GLOBALS['acl_app']); - $s .= '