Diffstat (limited to 'modules-available/remoteaccess/page.inc.php')
-rw-r--r--modules-available/remoteaccess/page.inc.php84
1 files changed, 68 insertions, 16 deletions
diff --git a/modules-available/remoteaccess/page.inc.php b/modules-available/remoteaccess/page.inc.php
index 2877fc9d..27b7ca6b 100644
--- a/modules-available/remoteaccess/page.inc.php
+++ b/modules-available/remoteaccess/page.inc.php
@@ -16,15 +16,20 @@ class Page_RemoteAccess extends Page
Message::addError('main.no-permission');
Util::redirect('?do=Main');
}
+ User::assertPermission('view');
$action = Request::post('action', false, 'string');
// Add group adds a DB row and then falls through to regular saving
if ($action === 'add-group') {
+ User::assertPermission('group.add');
Database::exec("INSERT INTO remoteaccess_group (groupname, wolcount, passwd, active)
VALUES ('.new', 0, '', 0)");
- $action = 'save-settings';
Message::addSuccess('group-added');
+ if (User::hasPermission('group.edit')) {
+ $action = 'save-groups';
+ }
}
- if ($action === 'save-settings') {
+ if ($action === 'save-groups') {
+ User::assertPermission('group.edit');
$groups = Request::post('group', [], 'array');
foreach ($groups as $id => $group) {
Database::exec("UPDATE remoteaccess_group SET groupname = :name, wolcount = :wol,
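Review bot: The `save-groups` branch checks only the global `group.edit` permission before updating every id posted in `group`, whereas the `delete-group` branch added by the same commit also requires `checkGroupLocations($groupid)`. If `group.locations` is meant to limit which groups a user may affect, a user without rights for a group's locations can still rewrite its name, WOL count and `active` flag here (and presumably the password, though the statement is cut off). Consider `if (!$this->checkGroupLocations($id)) continue;` at the top of the loop, or a comment stating that editing is intentionally not location-scoped. The `foreach` body continues past the end of this hunk.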
@@ -36,18 +41,30 @@ class Page_RemoteAccess extends Page
'active' => isset($group['active']) && $group['active'] ? 1 : 0,
]);
}
+ Message::addSuccess('settings-saved');
+ } elseif ($action === 'save-settings') {
+ User::assertPermission('set-proxy-ip');
Property::set(RemoteAccess::PROP_ALLOWED_VNC_NET, Request::post('allowed-source', '', 'string'));
Property::set(RemoteAccess::PROP_TRY_VIRT_HANDOVER, Request::post('virt-handover', false, 'int'));
Message::addSuccess('settings-saved');
- } elseif ($action === 'set-locations') {
+ } elseif ($action === 'delete-group') {
+ User::assertPermission('group.edit');
$groupid = Request::post('groupid', Request::REQUIRED, 'int');
- $group = Database::queryFirst("SELECT groupname FROM remoteaccess_group WHERE groupid = :id",
- ['id' => $groupid]);
- if ($group === false) {
- Message::addError('group-not-found', $groupid);
- Util::redirect('?do=remoteaccess');
+ $group = $this->groupNameOrFail($groupid);
+ if (!$this->checkGroupLocations($groupid)) {
+ Message::addError('locations-not-allowed', $group);
+ } else {
+ Database::exec("DELETE FROM remoteaccess_group WHERE groupid = :id", ['id' => $groupid]);
+ Message::addSuccess('group-deleted', $group);
}
+ } elseif ($action === 'set-locations') {
+ User::assertPermission('group.locations');
+ $groupid = Request::post('groupid', Request::REQUIRED, 'int');
+ $group = $this->groupNameOrFail($groupid);
$locations = array_values(Request::post('location', [], 'array'));
+ // Merge what's already set where we don't have permission
+ $locations = Permission::mergeWithDisallowed($locations, 'group.locations',
+ "SELECT locationid FROM remoteaccess_x_location WHERE groupid = :id", ['id' => $groupid]);
if (empty($locations)) {
Database::exec("DELETE FROM remoteaccess_x_location WHERE groupid = :id", ['id' => $groupid]);
} else {
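Review bot: In the `set-locations` branch, the comment above `Permission::mergeWithDisallowed()` documents only half of what the authorization depends on: it says existing assignments the user may not touch are kept, but not that submitted location ids outside the user's `group.locations` scope are discarded. The helper is not part of this diff, so that filtering should be confirmed, since the disabled checkboxes in the template do not stop a crafted POST. If it does filter, say so in the comment, e.g. `// Drop submitted locations we lack 'group.locations' for; keep already-assigned ones we may not change`. Separately, the `save-settings` branch stores `allowed-source` as a free-form string; validating it as an address or network before `Property::set()` would stop a typo from silently changing who may connect.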
@@ -56,13 +73,24 @@ class Page_RemoteAccess extends Page
Database::exec("DELETE FROM remoteaccess_x_location WHERE groupid = :id AND locationid NOT IN (:locations)",
['id' => $groupid, 'locations' => $locations]);
}
- Message::addSuccess('group-updated', $group['groupname']);
+ Message::addSuccess('group-updated', $group);
}
if (Request::isPost()) {
Util::redirect('?do=remoteaccess');
}
}
+ private function groupNameOrFail($groupid)
+ {
+ $group = Database::queryFirst("SELECT groupname FROM remoteaccess_group WHERE groupid = :id",
+ ['id' => $groupid]);
+ if ($group === false) {
+ Message::addError('group-not-found', $groupid);
+ Util::redirect('?do=remoteaccess');
+ }
+ return $group['groupname'];
+ }
+
protected function doRender()
{
$groupid = Request::get('groupid', false, 'int');
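Review bot: `groupNameOrFail()` falls through to `return $group['groupname'];` after the `$group === false` branch, so it is only correct if `Util::redirect()` never returns. That is not visible in this diff. The method should carry a docblock stating the contract, for example `/** @param int $groupid @return string group name; on unknown id adds 'group-not-found' and redirects, never returning */`. The helper is also called from `doRender()`, whose body continues outside this hunk, so an unknown `groupid` in a GET request now redirects where the old code returned with an error message.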
@@ -78,24 +106,48 @@ class Page_RemoteAccess extends Page
'virt-handover_checked' => Property::get(RemoteAccess::PROP_TRY_VIRT_HANDOVER) ? 'checked' : '',
'groups' => $groups,
];
+ Permission::addGlobalTags($data['perms'], null, ['group.locations', 'group.add', 'group.edit', 'set-proxy-ip']);
Render::addTemplate('edit-settings', $data);
} else {
// Edit locations for group
- $group = Database::queryFirst("SELECT groupid, groupname FROM remoteaccess_group WHERE groupid = :id",
- ['id' => $groupid]);
- if ($group === false) {
- Message::addError('group-not-found', $groupid);
- return;
- }
+ $group = $this->groupNameOrFail($groupid);
$locationList = Location::getLocationsAssoc();
$enabled = RemoteAccess::getEnabledLocations($groupid);
+ $allowed = User::getAllowedLocations('group.locations');
foreach ($enabled as $lid) {
if (isset($locationList[$lid])) {
$locationList[$lid]['checked'] = 'checked';
}
}
- Render::addTemplate('edit-group', $group + ['locations' => array_values($locationList)]);
+ foreach ($locationList as $lid => &$loc) {
+ if (!in_array($lid, $allowed)) {
+ $loc['disabled'] = 'disabled';
+ }
+ }
+ $data = [
+ 'groupid' => $groupid,
+ 'groupname' => $group,
+ 'locations' => array_values($locationList),
+ 'disabled' => empty($allowed) ? 'disabled' : '',
+ ];
+ Permission::addGlobalTags($data['perms'], null, ['group.locations', 'group.edit']);
+ Render::addTemplate('edit-group', $data);
}
}
+ /**
+ * @param int $groupid group to check
+ * @return bool if we have permission for all the locations assigned to group
+ */
+ private function checkGroupLocations($groupid)
+ {
+ $allowed = User::getAllowedLocations('group.locations');
+ if (in_array(0, $allowed))
+ return true;
+ $hasLocs = Database::queryColumnArray("SELECT locationid FROM remoteaccess_x_location WHERE groupid = :id",
+ ['id' => $groupid]);
+ $diff = array_diff($hasLocs, $allowed);
+ return empty($diff);
+ }
+
}
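Review bot: The new loop `foreach ($locationList as $lid => &$loc)` in `doRender()` leaves `$loc` bound by reference to the last element of `$locationList`. Nothing reuses `$loc` today, but any later use of that name in this method would silently overwrite the last location, so add `unset($loc);` directly after the loop. The same loop also treats `$allowed` differently from `checkGroupLocations()`, which reads `in_array(0, $allowed)` as "all locations permitted". If `User::getAllowedLocations()` can return only `0` for a global grant (not verifiable from this diff), every checkbox would render as disabled for a fully privileged user. A comment on which form the list takes would settle this.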