From 463aadce87ab207c7477b580295d6fce2b351b67 Mon Sep 17 00:00:00 2001
From: Simon Rettberg
Date: Mon, 18 May 2020 18:40:59 +0200
Subject: [remoteaccess] Add permissions, add "delete group" functionality
---
 .../remoteaccess/lang/de/messages.json | 2 +
 .../remoteaccess/lang/de/permissions.json | 7 ++
 .../remoteaccess/lang/de/template-tags.json | 5 +-
 modules-available/remoteaccess/page.inc.php | 84 +++++++++++++++++-----
 .../remoteaccess/permissions/permissions.json | 17 +++++
 .../remoteaccess/templates/edit-group.html | 13 ++--
 .../remoteaccess/templates/edit-settings.html | 34 ++++++---
 7 files changed, 132 insertions(+), 30 deletions(-)
 create mode 100644 modules-available/remoteaccess/lang/de/permissions.json
 create mode 100644 modules-available/remoteaccess/permissions/permissions.json
diff --git a/modules-available/remoteaccess/lang/de/messages.json b/modules-available/remoteaccess/lang/de/messages.json
index fbdefd8f..a7b26240 100644
--- a/modules-available/remoteaccess/lang/de/messages.json
+++ b/modules-available/remoteaccess/lang/de/messages.json
@@ -1,6 +1,8 @@
 {
 "group-added": "Gruppe hinzugef\u00fcgt",
+ "group-deleted": "Gruppe {{0}} gel\u00f6scht",
 "group-not-found": "Gruppe {{0}} existiert nicht",
 "group-updated": "Gruppe {{0}} wurde aktualisiert",
+ "locations-not-allowed": "Gruppe {{0}} hat Orte zugewiesen, f\u00fcr die Sie keine Berechtigung haben",
 "settings-saved": "Einstellungen gespeichert"
 }
\ No newline at end of file
diff --git a/modules-available/remoteaccess/lang/de/permissions.json b/modules-available/remoteaccess/lang/de/permissions.json
new file mode 100644
index 00000000..ef402eed
--- /dev/null
+++ b/modules-available/remoteaccess/lang/de/permissions.json
@@ -0,0 +1,7 @@
+{
+ "group.add": "Neue Gruppe anlegen",
+ "group.edit": "Einstellungen einer Gruppe bearbeiten, Gruppe l\u00f6schen",
+ "group.locations": "Zugewiesene R\u00e4ume einer Gruppe \u00e4ndern",
+ "set-proxy-ip": "F\u00fcr Zugriff freigegebene IP-Adresse\/Bereich \u00e4ndern",
+ "view": "Seite sehen"
+}
\ No newline at end of file
diff --git a/modules-available/remoteaccess/lang/de/template-tags.json b/modules-available/remoteaccess/lang/de/template-tags.json
index b44849d6..a5d9ef07 100644
--- a/modules-available/remoteaccess/lang/de/template-tags.json
+++ b/modules-available/remoteaccess/lang/de/template-tags.json
@@ -3,13 +3,14 @@
 "lang_allowAccessText": "IP-Adresse oder Netz in CIDR Notation, welches auf den VNC-Port des Clients zugreifen darf. (I.d.R. nur der Guacamole-Server)",
 "lang_allowedAccessToVncPort": "Erlaubte Quelle f\u00fcr VNC-Zugriff",
 "lang_assignLocations": "R\u00e4ume zuweisen",
+ "lang_general": "Allgemein",
 "lang_group": "Gruppe",
 "lang_groupListText": "Liste verf\u00fcgbarer Gruppen (\"virtuelle R\u00e4ume\")",
+ "lang_groups": "Gruppen",
 "lang_keepAvailableWol": "WoL#",
 "lang_locationSelectionText": "Ausgew\u00e4hlte Orte werden in den Remote-Modus geschaltet (beim n\u00e4chsten Boot des Clients) und sind damit im Pool f\u00fcr den Fernzugriff.",
 "lang_numLocs": "R\u00e4ume",
- "lang_numberOfAvailableClients": "Anzahl bereit zu haltender Rechner",
- "lang_numberOfAvailableText": "Wir hier eine Zahl > 0 angegeben, wird versucht mittels WOL mindestens diese Anzahl an Rechnern am Loginbildschirm bereit zu halten, um sofortigen Zugriff zu gew\u00e4hrleisten. Diese Einstellung deaktiviert keine eventuell gesetzten Reboot\/Shutdown Timeouts oder Zeitpl\u00e4ne, diese sollten also ggf. f\u00fcr die unten ausgew\u00e4hlten R\u00e4ume angepasst werden.",
+ "lang_reallyDelete": "Wirklich l\u00f6schen?",
 "lang_remoteAccessSettings": "Einstellungen f\u00fcr den Fernzugriff",
 "lang_tryVirtualizerHandover": "Versuche, VNC-Server des Virtualisierers zu verwenden",
 "lang_tryVirtualizerText": "Wenn aktiviert wird versucht, nach dem Start einer VM die Verbindung auf den VNC-Server des Virtualisierers umzubuchen. Zumindest f\u00fcr VMware haben wir hier allerdings eher eine Verschlechterung der Performance beobachten k\u00f6nnen; au\u00dferdem bricht die Verbindung beim Handover manchmal ab -> Nur experimentell!"
diff --git a/modules-available/remoteaccess/page.inc.php b/modules-available/remoteaccess/page.inc.php
index 2877fc9d..27b7ca6b 100644
--- a/modules-available/remoteaccess/page.inc.php
+++ b/modules-available/remoteaccess/page.inc.php
@@ -16,15 +16,20 @@ class Page_RemoteAccess extends Page
 Message::addError('main.no-permission');
 Util::redirect('?do=Main');
 }
+ User::assertPermission('view');
 $action = Request::post('action', false, 'string');
 // Add group adds a DB row and then falls through to regular saving
 if ($action === 'add-group') {
+ User::assertPermission('group.add');
 Database::exec("INSERT INTO remoteaccess_group (groupname, wolcount, passwd, active) VALUES ('.new', 0, '', 0)");
- $action = 'save-settings';
 Message::addSuccess('group-added');
+ if (User::hasPermission('group.edit')) {
+ $action = 'save-groups';
+ }
 }
- if ($action === 'save-settings') {
+ if ($action === 'save-groups') {
+ User::assertPermission('group.edit');
 $groups = Request::post('group', [], 'array');
 foreach ($groups as $id => $group) {
 Database::exec("UPDATE remoteaccess_group SET groupname = :name, wolcount = :wol,
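Review bot: The context comment `// Add group adds a DB row and then falls through to regular saving` no longer describes the add-group branch, which now only switches `$action` to `'save-groups'` when the caller also holds group.edit; a reader would otherwise expect the group list to be saved on every add. Suggest `// Add group inserts a DB row, then falls through to saving the group list if the user may edit groups`. It is also worth a one-line comment that a caller with group.add but without group.edit is left with a freshly inserted '.new' row that the rest of this request does not touch, since that outcome is easy to misread as a bug. The enclosing method starts before this hunk and the save-groups loop continues past its end.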
@@ -36,18 +41,30 @@ class Page_RemoteAccess extends Page
 'active' => isset($group['active']) && $group['active'] ? 1 : 0,
 ]);
 }
+ Message::addSuccess('settings-saved');
+ } elseif ($action === 'save-settings') {
+ User::assertPermission('set-proxy-ip');
 Property::set(RemoteAccess::PROP_ALLOWED_VNC_NET, Request::post('allowed-source', '', 'string'));
 Property::set(RemoteAccess::PROP_TRY_VIRT_HANDOVER, Request::post('virt-handover', false, 'int'));
 Message::addSuccess('settings-saved');
- } elseif ($action === 'set-locations') {
+ } elseif ($action === 'delete-group') {
+ User::assertPermission('group.edit');
 $groupid = Request::post('groupid', Request::REQUIRED, 'int');
- $group = Database::queryFirst("SELECT groupname FROM remoteaccess_group WHERE groupid = :id",
- ['id' => $groupid]);
- if ($group === false) {
- Message::addError('group-not-found', $groupid);
- Util::redirect('?do=remoteaccess');
+ $group = $this->groupNameOrFail($groupid);
+ if (!$this->checkGroupLocations($groupid)) {
+ Message::addError('locations-not-allowed', $group);
+ } else {
+ Database::exec("DELETE FROM remoteaccess_group WHERE groupid = :id", ['id' => $groupid]);
+ Message::addSuccess('group-deleted', $group);
 }
+ } elseif ($action === 'set-locations') {
+ User::assertPermission('group.locations');
+ $groupid = Request::post('groupid', Request::REQUIRED, 'int');
+ $group = $this->groupNameOrFail($groupid);
 $locations = array_values(Request::post('location', [], 'array'));
+ // Merge what's already set where we don't have permission
+ $locations = Permission::mergeWithDisallowed($locations, 'group.locations',
+ "SELECT locationid FROM remoteaccess_x_location WHERE groupid = :id", ['id' => $groupid]);
 if (empty($locations)) {
 Database::exec("DELETE FROM remoteaccess_x_location WHERE groupid = :id", ['id' => $groupid]);
 } else {
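Review bot: The delete-group branch removes only the `remoteaccess_group` row, so the group's assignments in `remoteaccess_x_location` are left behind unless the schema declares an ON DELETE CASCADE on that table, which is not visible in this diff. Since the set-locations branch right below maintains that table by hand, I would not rely on a cascade: add `Database::exec("DELETE FROM remoteaccess_x_location WHERE groupid = :id", ['id' => $groupid]);` immediately before the group delete, inside the same else branch, so the checkGroupLocations() guard still runs first. Otherwise a stale mapping can survive the group and may be picked up by any reader of that table that does not join remoteaccess_group. The enclosing method starts before this hunk and continues past its end.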
@@ -56,13 +73,24 @@ class Page_RemoteAccess extends Page
 Database::exec("DELETE FROM remoteaccess_x_location WHERE groupid = :id AND locationid NOT IN (:locations)",
 ['id' => $groupid, 'locations' => $locations]);
 }
- Message::addSuccess('group-updated', $group['groupname']);
+ Message::addSuccess('group-updated', $group);
 }
 if (Request::isPost()) {
 Util::redirect('?do=remoteaccess');
 }
 }
+ private function groupNameOrFail($groupid)
+ {
+ $group = Database::queryFirst("SELECT groupname FROM remoteaccess_group WHERE groupid = :id",
+ ['id' => $groupid]);
+ if ($group === false) {
+ Message::addError('group-not-found', $groupid);
+ Util::redirect('?do=remoteaccess');
+ }
+ return $group['groupname'];
+ }
+
 protected function doRender()
 {
 $groupid = Request::get('groupid', false, 'int');
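Review bot: groupNameOrFail() has no docblock, and its contract — returning the name on success and never returning on a missing group — rests entirely on `Util::redirect()` terminating the request; if that helper ever returned, `$group['groupname']` would index `false`. Suggest a docblock with `@param int $groupid`, `@return string the group's name`, and a sentence stating that on an unknown group it adds the `group-not-found` error and redirects to `?do=remoteaccess` without returning. That makes the non-returning path explicit for the doRender() caller, where the pre-change code used a plain `return;` after the error message.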
@@ -78,24 +106,48 @@ class Page_RemoteAccess extends Page
 'virt-handover_checked' => Property::get(RemoteAccess::PROP_TRY_VIRT_HANDOVER) ? 'checked' : '',
 'groups' => $groups,
 ];
+ Permission::addGlobalTags($data['perms'], null, ['group.locations', 'group.add', 'group.edit', 'set-proxy-ip']);
 Render::addTemplate('edit-settings', $data);
 } else {
 // Edit locations for group
- $group = Database::queryFirst("SELECT groupid, groupname FROM remoteaccess_group WHERE groupid = :id",
- ['id' => $groupid]);
- if ($group === false) {
- Message::addError('group-not-found', $groupid);
- return;
- }
+ $group = $this->groupNameOrFail($groupid);
 $locationList = Location::getLocationsAssoc();
 $enabled = RemoteAccess::getEnabledLocations($groupid);
+ $allowed = User::getAllowedLocations('group.locations');
 foreach ($enabled as $lid) {
 if (isset($locationList[$lid])) {
 $locationList[$lid]['checked'] = 'checked';
 }
 }
- Render::addTemplate('edit-group', $group + ['locations' => array_values($locationList)]);
+ foreach ($locationList as $lid => &$loc) {
+ if (!in_array($lid, $allowed)) {
+ $loc['disabled'] = 'disabled';
+ }
+ }
+ $data = [
+ 'groupid' => $groupid,
+ 'groupname' => $group,
+ 'locations' => array_values($locationList),
+ 'disabled' => empty($allowed) ? 'disabled' : '',
+ ];
+ Permission::addGlobalTags($data['perms'], null, ['group.locations', 'group.edit']);
+ Render::addTemplate('edit-group', $data);
 }
 }
+ /**
+ * @param int $groupid group to check
+ * @return bool if we have permission for all the locations assigned to group
+ */
+ private function checkGroupLocations($groupid)
+ {
+ $allowed = User::getAllowedLocations('group.locations');
+ if (in_array(0, $allowed))
+ return true;
+ $hasLocs = Database::queryColumnArray("SELECT locationid FROM remoteaccess_x_location WHERE groupid = :id",
+ ['id' => $groupid]);
+ $diff = array_diff($hasLocs, $allowed);
+ return empty($diff);
+ }
+
 }
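Review bot: The `foreach ($locationList as $lid => &$loc)` loop in doRender() leaves `$loc` bound by reference to the last list entry after the loop ends, and the later `array_values($locationList)` carries that reference along; add `unset($loc);` on the line after the loop's closing brace. In the same hunk, `in_array($lid, $allowed)` and the authorization shortcut `in_array(0, $allowed)` in checkGroupLocations() both compare loosely, which on PHP 7 lets a non-numeric string in `$allowed` compare equal to `0` (which here apparently stands for "all locations"); pass `true` as the third argument, `if (!in_array($lid, $allowed, true)) {` and `if (in_array(0, $allowed, true))`. If `User::getAllowedLocations()` returns numeric strings rather than ints (not visible here), cast the ids consistently before switching to strict comparison, since `array_diff()` below already compares as strings and would be unaffected.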
diff --git a/modules-available/remoteaccess/permissions/permissions.json b/modules-available/remoteaccess/permissions/permissions.json
new file mode 100644
index 00000000..c91ce7ae
--- /dev/null
+++ b/modules-available/remoteaccess/permissions/permissions.json
@@ -0,0 +1,17 @@
+{
+ "view": {
+ "location-aware": false
+ },
+ "group.locations": {
+ "location-aware": true
+ },
+ "group.add": {
+ "location-aware": false
+ },
+ "group.edit": {
+ "location-aware": false
+ },
+ "set-proxy-ip": {
+ "location-aware": false
+ }
+}
\ No newline at end of file
diff --git a/modules-available/remoteaccess/templates/edit-group.html b/modules-available/remoteaccess/templates/edit-group.html
index 2c207ca5..0f09f071 100644
--- a/modules-available/remoteaccess/templates/edit-group.html
+++ b/modules-available/remoteaccess/templates/edit-group.html
@@ -6,7 +6,12 @@
- + @@ -21,20 +26,20 @@
+ {{checked}} {{disabled}}>
- + {{/locations}}
- diff --git a/modules-available/remoteaccess/templates/edit-settings.html b/modules-available/remoteaccess/templates/edit-settings.html index 2712cf04..3c890b91 100644 --- a/modules-available/remoteaccess/templates/edit-settings.html +++ b/modules-available/remoteaccess/templates/edit-settings.html @@ -1,23 +1,38 @@

{{lang_remoteAccessSettings}}

+

{{lang_general}}

+

{{lang_allowAccessText}}

+ id="virt-handover" {{virt-handover_checked}} {{perms.set-proxy-ip.disabled}}>

{{lang_tryVirtualizerText}}

+
+ +
+
+
+ +

{{lang_groups}}

+
+

{{lang_groupListText}}

@@ -35,12 +50,13 @@ {{/groups}}
+ {{checked}} {{perms.group.edit.disabled}}>
- + {{locs}} @@ -49,21 +65,23 @@ - + - +
- - -- cgit v1.2.3-55-g7522