author | Simon Rettberg | 2020-05-18 18:40:59 +0200 |
---|---|---|
committer | Simon Rettberg | 2020-05-18 18:40:59 +0200 |
commit | 125fc3e928d3f18ce531a61d505c050d1e2a099b (patch) | |
tree | 97be54b7bf8b6606fa46c96e2c6f463450e9389f /modules-available | |
parent | [default.css] Make labels with disabled class gray (diff) | |
[remoteaccess] Add permissions, add "delete group" functionality
Diffstat (limited to 'modules-available')
7 files changed, 132 insertions, 30 deletions
diff --git a/modules-available/remoteaccess/lang/de/messages.json b/modules-available/remoteaccess/lang/de/messages.json
index fbdefd8f..a7b26240 100644
--- a/modules-available/remoteaccess/lang/de/messages.json
+++ b/modules-available/remoteaccess/lang/de/messages.json
@@ -1,6 +1,8 @@
 {
 "group-added": "Gruppe hinzugef\u00fcgt",
+ "group-deleted": "Gruppe {{0}} gel\u00f6scht",
 "group-not-found": "Gruppe {{0}} existiert nicht",
 "group-updated": "Gruppe {{0}} wurde aktualisiert",
+ "locations-not-allowed": "Gruppe {{0}} hat Orte zugewiesen, f\u00fcr die Sie keine Berechtigung haben",
 "settings-saved": "Einstellungen gespeichert"
 }
\ No newline at end of file
diff --git a/modules-available/remoteaccess/lang/de/permissions.json b/modules-available/remoteaccess/lang/de/permissions.json
new file mode 100644
index 00000000..ef402eed
--- /dev/null
+++ b/modules-available/remoteaccess/lang/de/permissions.json
@@ -0,0 +1,7 @@
+{
+ "group.add": "Neue Gruppe anlegen",
+ "group.edit": "Einstellungen einer Gruppe bearbeiten, Gruppe l\u00f6schen",
+ "group.locations": "Zugewiesene R\u00e4ume einer Gruppe \u00e4ndern",
+ "set-proxy-ip": "F\u00fcr Zugriff freigegebene IP-Adresse\/Bereich \u00e4ndern",
+ "view": "Seite sehen"
+}
\ No newline at end of file
diff --git a/modules-available/remoteaccess/lang/de/template-tags.json b/modules-available/remoteaccess/lang/de/template-tags.json
index b44849d6..a5d9ef07 100644
--- a/modules-available/remoteaccess/lang/de/template-tags.json
+++ b/modules-available/remoteaccess/lang/de/template-tags.json
@@ -3,13 +3,14 @@
 "lang_allowAccessText": "IP-Adresse oder Netz in CIDR Notation, welches auf den VNC-Port des Clients zugreifen darf. (I.d.R. nur der Guacamole-Server)",
 "lang_allowedAccessToVncPort": "Erlaubte Quelle f\u00fcr VNC-Zugriff",
 "lang_assignLocations": "R\u00e4ume zuweisen",
+ "lang_general": "Allgemein",
 "lang_group": "Gruppe",
 "lang_groupListText": "Liste verf\u00fcgbarer Gruppen (\"virtuelle R\u00e4ume\")",
+ "lang_groups": "Gruppen",
 "lang_keepAvailableWol": "WoL#",
 "lang_locationSelectionText": "Ausgew\u00e4hlte Orte werden in den Remote-Modus geschaltet (beim n\u00e4chsten Boot des Clients) und sind damit im Pool f\u00fcr den Fernzugriff.",
 "lang_numLocs": "R\u00e4ume",
- "lang_numberOfAvailableClients": "Anzahl bereit zu haltender Rechner",
- "lang_numberOfAvailableText": "Wir hier eine Zahl > 0 angegeben, wird versucht mittels WOL mindestens diese Anzahl an Rechnern am Loginbildschirm bereit zu halten, um sofortigen Zugriff zu gew\u00e4hrleisten. Diese Einstellung deaktiviert keine eventuell gesetzten Reboot\/Shutdown Timeouts oder Zeitpl\u00e4ne, diese sollten also ggf. f\u00fcr die unten ausgew\u00e4hlten R\u00e4ume angepasst werden.",
+ "lang_reallyDelete": "Wirklich l\u00f6schen?",
 "lang_remoteAccessSettings": "Einstellungen f\u00fcr den Fernzugriff",
 "lang_tryVirtualizerHandover": "Versuche, VNC-Server des Virtualisierers zu verwenden",
 "lang_tryVirtualizerText": "Wenn aktiviert wird versucht, nach dem Start einer VM die Verbindung auf den VNC-Server des Virtualisierers umzubuchen. Zumindest f\u00fcr VMware haben wir hier allerdings eher eine Verschlechterung der Performance beobachten k\u00f6nnen; au\u00dferdem bricht die Verbindung beim Handover manchmal ab -> Nur experimentell!"
diff --git a/modules-available/remoteaccess/page.inc.php b/modules-available/remoteaccess/page.inc.php
index 2877fc9d..27b7ca6b 100644
--- a/modules-available/remoteaccess/page.inc.php
+++ b/modules-available/remoteaccess/page.inc.php
@@ -16,15 +16,20 @@ class Page_RemoteAccess extends Page Message::addError('main.no-permission'); Util::redirect('?do=Main'); } + User::assertPermission('view'); $action = Request::post('action', false, 'string'); // Add group adds a DB row and then falls through to regular saving if ($action === 'add-group') { + User::assertPermission('group.add'); Database::exec("INSERT INTO remoteaccess_group (groupname, wolcount, passwd, active) VALUES ('.new', 0, '', 0)"); - $action = 'save-settings'; Message::addSuccess('group-added'); + if (User::hasPermission('group.edit')) { + $action = 'save-groups'; + } } - if ($action === 'save-settings') { + if ($action === 'save-groups') { + User::assertPermission('group.edit'); $groups = Request::post('group', [], 'array'); foreach ($groups as $id => $group) { Database::exec("UPDATE remoteaccess_group SET groupname = :name, wolcount = :wol, 
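Review bot: The `save-groups` branch is gated only by `User::assertPermission('group.edit')`, which this commit declares as not location-aware, so an account scoped to some locations can still rename or deactivate a group whose assigned locations lie outside that scope. The `delete-group` branch added in the next hunk does run `checkGroupLocations()` first. If the same scoping is meant to apply to edits, the loop could begin with `if (!$this->checkGroupLocations((int)$id)) { Message::addError('locations-not-allowed', $id); continue; }`. The `foreach` body continues outside this hunk, so the full set of columns written is not visible here.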
@@ -36,18 +41,30 @@ class Page_RemoteAccess extends Page 'active' => isset($group['active']) && $group['active'] ? 1 : 0, ]); } + Message::addSuccess('settings-saved'); + } elseif ($action === 'save-settings') { + User::assertPermission('set-proxy-ip'); Property::set(RemoteAccess::PROP_ALLOWED_VNC_NET, Request::post('allowed-source', '', 'string')); Property::set(RemoteAccess::PROP_TRY_VIRT_HANDOVER, Request::post('virt-handover', false, 'int')); Message::addSuccess('settings-saved'); - } elseif ($action === 'set-locations') { + } elseif ($action === 'delete-group') { + User::assertPermission('group.edit'); $groupid = Request::post('groupid', Request::REQUIRED, 'int'); - $group = Database::queryFirst("SELECT groupname FROM remoteaccess_group WHERE groupid = :id", - ['id' => $groupid]); - if ($group === false) { - Message::addError('group-not-found', $groupid); - Util::redirect('?do=remoteaccess'); + $group = $this->groupNameOrFail($groupid); + if (!$this->checkGroupLocations($groupid)) { + Message::addError('locations-not-allowed', $group); + } else { + Database::exec("DELETE FROM remoteaccess_group WHERE groupid = :id", ['id' => $groupid]); + Message::addSuccess('group-deleted', $group); } + } elseif ($action === 'set-locations') { + User::assertPermission('group.locations'); + $groupid = Request::post('groupid', Request::REQUIRED, 'int'); + $group = $this->groupNameOrFail($groupid); $locations = array_values(Request::post('location', [], 'array')); + // Merge what's already set where we don't have permission + $locations = Permission::mergeWithDisallowed($locations, 'group.locations', + "SELECT locationid FROM remoteaccess_x_location WHERE groupid = :id", ['id' => $groupid]); if (empty($locations)) { Database::exec("DELETE FROM remoteaccess_x_location WHERE groupid = :id", ['id' => $groupid]); } else { 
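Review bot: In the `set-locations` branch the submitted `location[]` values are passed straight to `Permission::mergeWithDisallowed()`, and the inline comment only says that already-assigned locations outside the user's scope are kept. Whether the helper also discards submitted ids for which the user lacks `group.locations` is not visible in this diff, and the `disabled` checkboxes in the template do not enforce it. I would state the contract at the call site, e.g. `// mergeWithDisallowed() keeps existing disallowed ids and must discard submitted ids outside the allowed set`, and confirm the helper behaves that way. The `if`/`elseif` chain starts and ends outside this hunk.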
@@ -56,13 +73,24 @@ class Page_RemoteAccess extends Page Database::exec("DELETE FROM remoteaccess_x_location WHERE groupid = :id AND locationid NOT IN (:locations)", ['id' => $groupid, 'locations' => $locations]); } - Message::addSuccess('group-updated', $group['groupname']); + Message::addSuccess('group-updated', $group); } if (Request::isPost()) { Util::redirect('?do=remoteaccess'); } } + private function groupNameOrFail($groupid) + { + $group = Database::queryFirst("SELECT groupname FROM remoteaccess_group WHERE groupid = :id", + ['id' => $groupid]); + if ($group === false) { + Message::addError('group-not-found', $groupid); + Util::redirect('?do=remoteaccess'); + } + return $group['groupname']; + } + protected function doRender() { $groupid = Request::get('groupid', false, 'int'); 
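Review bot: `groupNameOrFail()` has no docblock, and it reaches `return $group['groupname'];` with `$group === false` unless `Util::redirect()` ends the request, which this diff does not show. Its callers in `delete-group` and `set-locations` go on to write to the database, so the non-returning behaviour should be stated. I would add a docblock with `@param int $groupid`, `@return string group name`, and a sentence saying the method redirects and does not return when the group is missing. If `Util::redirect()` can return, follow it with `exit;`.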
@@ -78,24 +106,48 @@ class Page_RemoteAccess extends Page 'virt-handover_checked' => Property::get(RemoteAccess::PROP_TRY_VIRT_HANDOVER) ? 'checked' : '', 'groups' => $groups, ]; + Permission::addGlobalTags($data['perms'], null, ['group.locations', 'group.add', 'group.edit', 'set-proxy-ip']); Render::addTemplate('edit-settings', $data); } else { // Edit locations for group - $group = Database::queryFirst("SELECT groupid, groupname FROM remoteaccess_group WHERE groupid = :id", - ['id' => $groupid]); - if ($group === false) { - Message::addError('group-not-found', $groupid); - return; - } + $group = $this->groupNameOrFail($groupid); $locationList = Location::getLocationsAssoc(); $enabled = RemoteAccess::getEnabledLocations($groupid); + $allowed = User::getAllowedLocations('group.locations'); foreach ($enabled as $lid) { if (isset($locationList[$lid])) { $locationList[$lid]['checked'] = 'checked'; } } - Render::addTemplate('edit-group', $group + ['locations' => array_values($locationList)]); + foreach ($locationList as $lid => &$loc) { + if (!in_array($lid, $allowed)) { + $loc['disabled'] = 'disabled'; + } + } + $data = [ + 'groupid' => $groupid, + 'groupname' => $group, + 'locations' => array_values($locationList), + 'disabled' => empty($allowed) ? 'disabled' : '', + ]; + Permission::addGlobalTags($data['perms'], null, ['group.locations', 'group.edit']); + Render::addTemplate('edit-group', $data); } } + /** + * @param int $groupid group to check + * @return bool if we have permission for all the locations assigned to group + */ + private function checkGroupLocations($groupid) + { + $allowed = User::getAllowedLocations('group.locations'); + if (in_array(0, $allowed)) + return true; + $hasLocs = Database::queryColumnArray("SELECT locationid FROM remoteaccess_x_location WHERE groupid = :id", + ['id' => $groupid]); + $diff = array_diff($hasLocs, $allowed); + return empty($diff); + } + } 
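Review bot: `checkGroupLocations()` answers an authorization question with a loose `in_array(0, $allowed)`, and before PHP 8 `0 ==` any non-numeric string is true, so an unexpected element in `$allowed` would be read as "all locations allowed". If `User::getAllowedLocations()` returns integers, use `if (in_array(0, $allowed, true)) {`; the element type is not visible here, so confirm it before switching. The same applies to `in_array($lid, $allowed)` in `doRender()`, where the by-reference `foreach ($locationList as $lid => &$loc)` should also be followed by `unset($loc);`.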
diff --git a/modules-available/remoteaccess/permissions/permissions.json b/modules-available/remoteaccess/permissions/permissions.json
new file mode 100644
index 00000000..c91ce7ae
--- /dev/null
+++ b/modules-available/remoteaccess/permissions/permissions.json
@@ -0,0 +1,17 @@
+{
+ "view": {
+ "location-aware": false
+ },
+ "group.locations": {
+ "location-aware": true
+ },
+ "group.add": {
+ "location-aware": false
+ },
+ "group.edit": {
+ "location-aware": false
+ },
+ "set-proxy-ip": {
+ "location-aware": false
+ }
+}
\ No newline at end of file diff --git a/modules-available/remoteaccess/templates/edit-group.html b/modules-available/remoteaccess/templates/edit-group.html index 2c207ca5..0f09f071 100644 --- a/modules-available/remoteaccess/templates/edit-group.html +++ b/modules-available/remoteaccess/templates/edit-group.html @@ -6,7 +6,12 @@ <input type="hidden" name="groupid" value="{{groupid}}"> <div class="buttonbar pull-right"> - <button type="submit" class="btn btn-primary" name="action" value="set-locations"> + <button type="submit" class="btn btn-danger" name="action" value="delete-group" data-confirm="{{lang_reallyDelete}}" + {{perms.group.locations.disabled}} {{perms.group.edit.disabled}}> + <span class="glyphicon glyphicon-remove"></span> + {{lang_delete}} + </button> + <button type="submit" class="btn btn-primary" name="action" value="set-locations" {{perms.group.locations.disabled}}> <span class="glyphicon glyphicon-floppy-disk"></span> {{lang_save}} </button> @@ -21,20 +26,20 @@ <td class="slx-smallcol"> <div class="checkbox checkbox-inline"> <input type="checkbox" name="location[]" value="{{locationid}}" id="loc-check-{{locationid}}" - {{checked}}> + {{checked}} {{disabled}}> <label></label> </div> </td> <td class="text-nowrap"> <div style="display:inline-block;width:{{depth}}em"></div> - <label for="loc-check-{{locationid}}">{{locationname}}</label> + <label for="loc-check-{{locationid}}" class="{{disabled}}">{{locationname}}</label> </td> </tr> {{/locations}} </table> </div> <div class="buttonbar pull-right"> - <button type="submit" class="btn btn-primary" name="action" value="set-locations"> + <button type="submit" class="btn btn-primary" name="action" value="set-locations" {{perms.group.locations.disabled}}> <span class="glyphicon glyphicon-floppy-disk"></span> {{lang_save}} </button> diff --git a/modules-available/remoteaccess/templates/edit-settings.html b/modules-available/remoteaccess/templates/edit-settings.html index 2712cf04..3c890b91 100644 
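Review bot: The new delete button is disabled when either `perms.group.locations` or `perms.group.edit` is missing, while the `delete-group` branch in page.inc.php asserts only `group.edit` and then compares the group's assigned locations with the allowed set. The two rules give different answers for a group with no assigned locations. Because the `disabled` attribute is presentation only, the server-side rule is the one that takes effect. Either use one rule in both places or add a template comment saying the button state is a hint and the decision is made in page.inc.php.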
--- a/modules-available/remoteaccess/templates/edit-settings.html +++ b/modules-available/remoteaccess/templates/edit-settings.html @@ -1,23 +1,38 @@ <h2>{{lang_remoteAccessSettings}}</h2> +<h3>{{lang_general}}</h3> + <form method="post" action="?do=remoteaccess"> <input type="hidden" name="token" value="{{token}}"> <div class="form-group"> <label> {{lang_allowedAccessToVncPort}} - <input type="text" class="form-control" name="allowed-source" value="{{allowed-source}}" required> + <input type="text" class="form-control" name="allowed-source" value="{{allowed-source}}" + required {{perms.set-proxy-ip.disabled}}> </label> <p>{{lang_allowAccessText}}</p> </div> <div class="form-group"> <div class="checkbox"> <input type="checkbox" name="virt-handover" value="1" - id="virt-handover" {{virt-handover_checked}}> + id="virt-handover" {{virt-handover_checked}} {{perms.set-proxy-ip.disabled}}> <label for="virt-handover">{{lang_tryVirtualizerHandover}}</label> </div> <p>{{lang_tryVirtualizerText}}</p> </div> + <div class="buttonbar pull-right"> + <button type="submit" class="btn btn-primary" name="action" value="save-settings" {{perms.set-proxy-ip.disabled}}> + <span class="glyphicon glyphicon-floppy-disk"></span> + {{lang_save}} + </button> + </div> + <div class="clearfix"></div> +</form> + +<h3>{{lang_groups}}</h3> +<form method="post" action="?do=remoteaccess"> + <input type="hidden" name="token" value="{{token}}"> <div class="form-group"> <p>{{lang_groupListText}}</p> <table class="table table-condensed table-hover"> 
@@ -35,12 +50,13 @@ <td class="slx-smallcol"> <div class="checkbox checkbox-inline"> <input type="checkbox" name="group[{{groupid}}][active]" value="1" id="group-check-{{groupid}}" - {{checked}}> + {{checked}} {{perms.group.edit.disabled}}> <label for="group-check-{{groupid}}"></label> </div> </td> <td class="text-nowrap"> - <input type="text" class="form-control" name="group[{{groupid}}][groupname]" value="{{groupname}}"> + <input type="text" class="form-control" name="group[{{groupid}}][groupname]" value="{{groupname}}" + {{perms.group.edit.disabled}}> </td> <td class="text-right text-nowrap"> <span class="badge">{{locs}}</span> @@ -49,21 +65,23 @@ </a> </td> <td> - <input type="number" class="form-control" name="group[{{groupid}}][wolcount]" value="{{wolcount}}"> + <input type="number" class="form-control" name="group[{{groupid}}][wolcount]" value="{{wolcount}}" + {{perms.group.edit.disabled}}> </td> <td> - <input type="text" class="form-control" name="group[{{groupid}}][passwd]" value="{{passwd}}"> + <input type="text" class="form-control" name="group[{{groupid}}][passwd]" value="{{passwd}}" + {{perms.group.edit.disabled}}> </td> </tr> {{/groups}} </table> </div> <div class="buttonbar pull-right"> - <button type="submit" class="btn btn-success" name="action" value="add-group"> + <button type="submit" class="btn btn-success" name="action" value="add-group" {{perms.group.add.disabled}}> <span class="glyphicon glyphicon-plus"></span> {{lang_add}} </button> - <button type="submit" class="btn btn-primary" name="action" value="save-settings"> + <button type="submit" class="btn btn-primary" name="action" value="save-groups" {{perms.group.edit.disabled}}> <span class="glyphicon glyphicon-floppy-disk"></span> {{lang_save}} </button> |
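Review bot: The `passwd` input keeps `value="{{passwd}}"` and only gains `{{perms.group.edit.disabled}}`, so with the new `view` permission an account that can open the page but not edit groups still receives each group's `passwd` value in the HTML. Disabling the field does not hide its contents. Where `$groups` is assembled for this template (outside the diff), the value could be blanked unless `User::hasPermission('group.edit')` holds. The field would also be better rendered as `type="password"` or treated as write-only.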