From 5014f09a5aa30b1c3aa1e35e67a183086a212052 Mon Sep 17 00:00:00 2001
From: Simon Rettberg
Date: Fri, 13 Apr 2018 12:30:43 +0200
Subject: [permissionmanager] Add role description field; install some default rules
Closes #3356
---
 .../inc/getpermissiondata.inc.php | 4 +-
 .../inc/permissiondbupdate.inc.php | 31 ++++---
 .../permissionmanager/install.inc.php | 103 +++++++++++++++++++++
 .../permissionmanager/lang/de/template-tags.json | 5 +-
 .../permissionmanager/lang/en/template-tags.json | 5 +-
 modules-available/permissionmanager/page.inc.php | 29 +++---
 .../permissionmanager/templates/roleeditor.html | 8 +-
 .../permissionmanager/templates/rolestable.html | 6 +-
 8 files changed, 156 insertions(+), 35 deletions(-)
diff --git a/modules-available/permissionmanager/inc/getpermissiondata.inc.php b/modules-available/permissionmanager/inc/getpermissiondata.inc.php
index fc18de99..660c94ae 100644
--- a/modules-available/permissionmanager/inc/getpermissiondata.inc.php
+++ b/modules-available/permissionmanager/inc/getpermissiondata.inc.php
@@ -84,7 +84,7 @@ class GetPermissionData
 if (!empty($joins)) {
 $joins .= ' GROUP BY r.roleid';
 }
- return Database::queryAll("SELECT r.roleid, r.rolename $cols FROM role r
+ return Database::queryAll("SELECT r.roleid, r.rolename, r.roledescription $cols FROM role r
 $joins ORDER BY rolename ASC");
 }
@@ -97,7 +97,7 @@ class GetPermissionData
 */
 public static function getRoleData($roleid)
 {
- $query = "SELECT roleid, rolename FROM role WHERE roleid = :roleid";
+ $query = "SELECT roleid, rolename, roledescription FROM role WHERE roleid = :roleid";
 $data = Database::queryFirst($query, array("roleid" => $roleid));
 $query = "SELECT roleid, locationid FROM role_x_location WHERE roleid = :roleid";
 $res = Database::simpleQuery($query, array("roleid" => $roleid));
diff --git a/modules-available/permissionmanager/inc/permissiondbupdate.inc.php b/modules-available/permissionmanager/inc/permissiondbupdate.inc.php
index 1d6367af..0cd89b3a 100644
--- a/modules-available/permissionmanager/inc/permissiondbupdate.inc.php
+++ b/modules-available/permissionmanager/inc/permissiondbupdate.inc.php
@@ -54,7 +54,7 @@ class PermissionDbUpdate
 /**
 * Delete role from the role table.
 *
- * @param string $roleid roleid
+ * @param int $roleid roleid
 */
 public static function deleteRole($roleid)
 {
@@ -64,41 +64,42 @@ class PermissionDbUpdate
 /**
 * Save changes to a role or create a new one.
 *
- * @param string $rolename rolename
+ * @param string $roleName rolename
 * @param int[] $locations array of locations
 * @param string[] $permissions array of permissions
- * @param string|null $roleid roleid or null if the role does not exist yet
+ * @param int|null $roleId roleid or null if the role does not exist yet
 */
- public static function saveRole($rolename, $locations, $permissions, $roleid = null)
+ public static function saveRole($roleName, $roleDescription, $locations, $permissions, $roleId = null)
 {
 foreach ($permissions as &$permission) {
 $permission = strtolower($permission);
 }
 unset($permission);
- if ($roleid) {
- Database::exec("UPDATE role SET rolename = :rolename WHERE roleid = :roleid",
- array("rolename" => $rolename, "roleid" => $roleid));
+ if ($roleId) {
+ Database::exec("UPDATE role SET rolename = :rolename, roledescription = :roledescription WHERE roleid = :roleid",
+ array("rolename" => $roleName, "roledescription" => $roleDescription, "roleid" => $roleId));
 Database::exec("DELETE FROM role_x_location WHERE roleid = :roleid AND (locationid NOT IN (:locations) OR locationid IS NULL)",
- array("roleid" => $roleid, 'locations' => $locations));
+ array("roleid" => $roleId, 'locations' => $locations));
 Database::exec("DELETE FROM role_x_permission WHERE roleid = :roleid AND permissionid NOT IN (:permissions)",
- array("roleid" => $roleid, 'permissions' => $permissions));
+ array("roleid" => $roleId, 'permissions' => $permissions));
 } else {
- Database::exec("INSERT INTO role (rolename) VALUES (:rolename)", array("rolename" => $rolename));
- $roleid = Database::lastInsertId();
+ Database::exec("INSERT INTO role (rolename, roledescription) VALUES (:rolename, :roledescription)",
+ array("rolename" => $roleName, "roledescription" => $roleDescription));
+ $roleId = Database::lastInsertId();
 }
 if (!empty($locations)) {
- $arg = array_map(function ($loc) use ($roleid) {
- return compact('roleid', 'loc');
+ $arg = array_map(function ($loc) use ($roleId) {
+ return compact('roleId', 'loc');
 }, $locations);
 Database::exec("INSERT IGNORE INTO role_x_location (roleid, locationid) VALUES :arg", ['arg' => $arg]);
 }
 if (!empty($permissions)) {
- $arg = array_map(function ($perm) use ($roleid) {
- return compact('roleid', 'perm');
+ $arg = array_map(function ($perm) use ($roleId) {
+ return compact('roleId', 'perm');
 }, $permissions);
 Database::exec("INSERT IGNORE INTO role_x_permission (roleid, permissionid) VALUES :arg", ['arg' => $arg]);
 }
diff --git a/modules-available/permissionmanager/install.inc.php b/modules-available/permissionmanager/install.inc.php
index afa5dd7e..480460db 100644
--- a/modules-available/permissionmanager/install.inc.php
+++ b/modules-available/permissionmanager/install.inc.php
@@ -5,6 +5,7 @@ $res = array();
 $res[] = tableCreate('role', "
 roleid int(10) unsigned NOT NULL AUTO_INCREMENT,
 rolename varchar(200) NOT NULL,
+ roledescription TEXT,
 PRIMARY KEY (roleid)
 ");
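Review bot: The docblock of `saveRole` in permissiondbupdate.inc.php is updated for `$roleName` and `$roleId` but has no entry for the new `$roleDescription` parameter; add `* @param string $roleDescription free-text description of the role` after the `$roleName` line. Because the parameter was inserted in second position, a caller still passing `($name, $locations, $permissions, $id)` would silently shift every argument by one; the only call site visible in this commit (page.inc.php) is updated, any others should be checked. The closures now return `compact('roleId', 'loc')` and `compact('roleId', 'perm')`, so the row keys change from `roleid` to `roleId`; whether `Database::exec` expands `VALUES :arg` by position or by key is not visible here and is worth confirming. The function's closing brace lies outside the hunk.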
@@ -100,6 +101,108 @@ if (!tableExists('user') || !tableExists('location')) {
 $res[] = UPDATE_DONE;
 }
 }
+
+// 2018-04-13 role description field; add a couple default roles
+if (!tableHasColumn('role', 'roledescription')) {
+ $alter = Database::exec("ALTER TABLE role ADD roledescription TEXT");
+ if ($alter === false)
+ finalResponse(UPDATE_FAILED, 'Cannot add roledescription field to table role: ' . Database::lastError());
+ $res[] = UPDATE_DONE;
+}
+
+if (!tableHasColumn('role', 'roledescription')) {
+ finalResponse(UPDATE_RETRY, 'Try again later');
+}
+
+if (Database::exec("INSERT INTO `role` VALUES
+ (1,'Super-Admin', 'Hat keinerlei Zugriffsbeschränkungen'),
+ (2,'Admin', 'Alles bis auf Rechte-/Nutzerverwaltung'),
+ (3,'Prüfungsadmin', 'Kann E-Prüfungen verwalten, Prüfungsmodus einschalten, etc.'),
+ (4,'Lesezugriff', 'Kann auf die meisten Seiten zugreifen, jedoch keine Änderungen vornehmen')") !== false) {
+ // Success, there probably were no roles before, keep going
+ // Assign roles to location (all)
+ Database::exec("INSERT INTO `role_x_location` VALUES (1,NULL),(2,NULL),(3,NULL),(4,NULL)");
+ // Assign permissions to roles
+ Database::exec("INSERT INTO `role_x_permission` VALUES
+ (3,'exams.exams.*'),
+ (3,'rebootcontrol.action.*'),
+ (3,'statistics.hardware.projectors.view'),
+ (3,'statistics.machine.note.*'),
+ (3,'statistics.machine.view-details'),
+ (3,'statistics.view.*'),
+ (3,'syslog.view'),
+
+ (1,'*'),
+
+ (4,'adduser.user.view-list'),
+ (4,'backup.create'),
+ (4,'baseconfig.view'),
+ (4,'dnbd3.access-page'),
+ (4,'dnbd3.refresh'),
+ (4,'dnbd3.view.details'),
+ (4,'dozmod.actionlog.view'),
+ (4,'dozmod.users.view'),
+ (4,'eventlog.view'),
+ (4,'exams.exams.view'),
+ (4,'locationinfo.backend.check'),
+ (4,'locationinfo.panel.list'),
+ (4,'locations.location.view'),
+ (4,'minilinux.view'),
+ (4,'news.*'),
+ (4,'permissionmanager.locations.view'),
+ (4,'permissionmanager.roles.view'),
+ (4,'permissionmanager.users.view'),
+ (4,'runmode.list-all'),
+ (4,'serversetup.access-page'),
+ (4,'serversetup.download'),
+ (4,'statistics.hardware.projectors.view'),
+ (4,'statistics.machine.note.view'),
+ (4,'statistics.machine.view-details'),
+ (4,'statistics.view.*'),
+ (4,'statistics_reporting.reporting.download'),
+ (4,'statistics_reporting.table.export'),
+ (4,'statistics_reporting.table.view.*'),
+ (4,'sysconfig.config.view-list'),
+ (4,'sysconfig.module.download'),
+ (4,'sysconfig.module.view-list'),
+ (4,'syslog.view'),
+ (4,'systemstatus.show.overview.*'),
+ (4,'systemstatus.tab.*'),
+ (4,'webinterface.access-page'),
+
+ (2,'adduser.user.view-list'),
+ (2,'backup.*'),
+ (2,'baseconfig.*'),
+ (2,'dnbd3.*'),
+ (2,'dozmod.*'),
+ (2,'eventlog.view'),
+ (2,'exams.exams.*'),
+ (2,'locationinfo.*'),
+ (2,'locations.*'),
+ (2,'minilinux.*'),
+ (2,'news.*'),
+ (2,'permissionmanager.locations.view'),
+ (2,'permissionmanager.roles.view'),
+ (2,'permissionmanager.users.view'),
+ (2,'rebootcontrol.*'),
+ (2,'roomplanner.edit'),
+ (2,'runmode.list-all'),
+ (2,'serversetup.*'),
+ (2,'statistics.*'),
+ (2,'statistics_reporting.*'),
+ (2,'sysconfig.*'),
+ (2,'syslog.*'),
+ (2,'systemstatus.*'),
+ (2,'vmstore.edit'),
+ (2,'webinterface.*')");
+ // Asign the first user to the superadmin role
+ Database::exec("INSERT INTO `role_x_user` VALUES (1,1)");
+ $res[] = UPDATE_DONE;
+}
+
+//
+//
+
 if (in_array(UPDATE_DONE, $res)) {
 finalResponse(UPDATE_DONE, 'Tables created successfully');
 }
diff --git a/modules-available/permissionmanager/lang/de/template-tags.json b/modules-available/permissionmanager/lang/de/template-tags.json
index a4fc990b..504ef6d2 100644
--- a/modules-available/permissionmanager/lang/de/template-tags.json
+++ b/modules-available/permissionmanager/lang/de/template-tags.json
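Review bot: In install.inc.php the default-role block takes a successful `INSERT INTO role VALUES (1,…),(2,…),(3,…),(4,…)` as proof that no roles existed and then binds role 1, which carries `*`, to whichever account has user id 1. If this script runs again on later updates (the surrounding UPDATE_* flow suggests it does), an installation where ids 1–4 are merely free, for example after those roles were deleted, would get the defaults and that Super-Admin assignment back. An explicit emptiness check before seeding states the intent, e.g. `if (Database::queryFirst('SELECT roleid FROM role LIMIT 1') === false) {`, assuming `queryFirst` returns false when there is no row, which is not visible here. The three follow-up `Database::exec` calls are unchecked, so a failed `role_x_permission` insert leaves roles without permissions and is never retried, because the role insert then fails on the existing primary keys. Naming the columns, as in `INSERT INTO role (roleid, rolename, roledescription) VALUES …`, would also stop the statements depending on column order.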
@@ -1,6 +1,7 @@
 {
 "lang_addRole": "Rollen erteilen",
 "lang_addRoleHeading": "Neue Rolle hinzuf\u00fcgen",
+ "lang_description": "Beschreibung",
 "lang_editRoleHeading": "Rolle bearbeiten",
 "lang_locationAwareDesc": "Berechtigungen mit diesem Symbol k\u00f6nnen auf bestimmte R\u00e4ume\/Orte beschr\u00e4nkt werden. Alle anderen Berechtigungen sind unabh\u00e4ngig von den f\u00fcr diese Rolle ausgew\u00e4hlten Orten.",
 "lang_locations": "R\u00e4ume",
@@ -8,9 +9,9 @@
 "lang_name": "Name",
 "lang_newRole": "Rolle anlegen",
 "lang_numAssignedUsers": "Benutzer mit dieser Rolle",
+ "lang_permission": "Berechtigung",
 "lang_permissionDeniedBody": "Ihnen fehlt eine oder mehrere Berechtigungen, um auf diese Seite oder Funktion zuzugreifen.",
 "lang_permissionDeniedHeader": "Zugriff verweigert",
- "lang_permission": "Berechtigung",
 "lang_permissions": "Rechte",
 "lang_removeRole": "Rollen entziehen",
 "lang_roleDeleteConfirm": "Sind Sie sich sicher, dass Sie diese Rolle l\u00f6schen m\u00f6chten? Benutzer, denen diese Rolle zugewiesen ist, werden die entsprechenden Berechtigungen verlieren.",
@@ -20,4 +21,4 @@
 "lang_selectizePlaceholder": "Nach Rollen filtern...",
 "lang_users": "Nutzer",
 "lang_view": "Anzeigen"
-}
+}
\ No newline at end of file
diff --git a/modules-available/permissionmanager/lang/en/template-tags.json b/modules-available/permissionmanager/lang/en/template-tags.json
index 92c3ac26..6f1fa614 100644
--- a/modules-available/permissionmanager/lang/en/template-tags.json
+++ b/modules-available/permissionmanager/lang/en/template-tags.json
@@ -1,6 +1,7 @@
 {
 "lang_addRole": "Grant Roles",
 "lang_addRoleHeading": "Add new role",
+ "lang_description": "Description",
 "lang_editRoleHeading": "Edit role",
 "lang_locationAwareDesc": "Permissions with this symbol can be restricted to certain locations. All other permissions are independent of the locations selected for this role.",
 "lang_locations": "Locations",
@@ -8,9 +9,9 @@
 "lang_name": "Name",
 "lang_newRole": "New Role",
 "lang_numAssignedUsers": "Users with this role",
+ "lang_permission": "Permission",
 "lang_permissionDeniedBody": "You are missing one or more permissions to access this page or functionality.",
 "lang_permissionDeniedHeader": "Access denied",
- "lang_permission": "Permission",
 "lang_permissions": "Permissions",
 "lang_removeRole": "Revoke Roles",
 "lang_roleDeleteConfirm": "Are you sure you want to delete this role? Users currently assigned to this role will lose the according permissions.",
@@ -20,4 +21,4 @@
 "lang_selectizePlaceholder": "Filter for roles...",
 "lang_users": "Users",
 "lang_view": "View"
-}
+}
\ No newline at end of file
diff --git a/modules-available/permissionmanager/page.inc.php b/modules-available/permissionmanager/page.inc.php
index 11b5b028..462d3163 100644
--- a/modules-available/permissionmanager/page.inc.php
+++ b/modules-available/permissionmanager/page.inc.php
@@ -28,15 +28,24 @@ class Page_PermissionManager extends Page
 PermissionDbUpdate::removeRoleFromUser($users, $roles);
 } elseif ($action === 'deleteRole') {
 User::assertPermission('roles.edit');
- $id = Request::post('deleteId', false, 'string');
+ $id = Request::post('deleteId', false, 'int');
 PermissionDbUpdate::deleteRole($id);
 } elseif ($action === 'saveRole') {
 User::assertPermission('roles.edit');
- $roleID = Request::post("roleid", false);
- $rolename = Request::post("rolename");
- $locations = self::processLocations(Request::post("locations"));
+ $roleID = Request::post("roleid", false, 'int');
+ if ($roleID === false) {
+ Message::addError('main.parameter-missing', 'roleid');
+ Util::redirect('?do=permissionmanager');
+ }
+ $roleName = Request::post("rolename", '', 'string');
+ if (empty($roleName)) {
+ Message::addError('main.parameter-empty', 'rolename');
+ Util::redirect('?do=permissionmanager');
+ }
+ $roleDescription = Request::post('roledescription', '', 'string');
+ $locations = self::processLocations(Request::post("locations", [], 'array'));
 $permissions = self::processPermissions(Request::post("permissions"));
- PermissionDbUpdate::saveRole($rolename, $locations, $permissions, $roleID);
+ PermissionDbUpdate::saveRole($roleName, $roleDescription, $locations, $permissions, $roleID);
 }
 if (Request::isPost()) {
 Util::redirect('?do=permissionmanager&show=' . Request::get("show", "roles"));
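Review bot: In the `saveRole` branch of page.inc.php, `permissions` is still read as `Request::post("permissions")` with no default or type, while `roleid`, `rolename`, `roledescription` and `locations` were all tightened. The field that decides what a role may do deserves the same treatment: `$permissions = self::processPermissions(Request::post("permissions", [], 'array'));`. The two new validation branches only reject the request if `Util::redirect` ends it, which is not visible in this hunk; if it returns, `PermissionDbUpdate::saveRole` still runs with the rejected input. In the `deleteRole` branch the `false` default of `deleteId` is passed to `PermissionDbUpdate::deleteRole` without the `=== false` check that `roleid` now gets. The enclosing method starts and ends outside the hunk.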
@@ -100,18 +109,16 @@ class Page_PermissionManager extends Page
 Render::addTemplate('locationstable', $data);
 } elseif ($show === "roleEditor") {
 User::assertPermission('roles.*');
- $data = array("cancelShow" => Request::get("cancel", "roles"));
+ $data = array("cancelShow" => Request::get("cancel", "roles", 'string'));
 Permission::addGlobalTags($data['perms'], null, ['roles.edit']);
 $selectedPermissions = array();
 $selectedLocations = array();
 $roleid = Request::get("roleid", false, 'int');
 if ($roleid !== false) {
- $roleData = GetPermissionData::getRoleData($roleid);
- $data["roleid"] = $roleid;
- $data["rolename"] = $roleData["rolename"];
- $selectedPermissions = $roleData["permissions"];
- $selectedLocations = $roleData["locations"];
+ $data += GetPermissionData::getRoleData($roleid);
+ $selectedPermissions = $data["permissions"];
+ $selectedLocations = $data["locations"];
 }
 $data["permissionHTML"] = self::generatePermissionHTML(PermissionUtil::getPermissions(), $selectedPermissions,
diff --git a/modules-available/permissionmanager/templates/roleeditor.html b/modules-available/permissionmanager/templates/roleeditor.html
index 38493d5d..c464c1fc 100644
--- a/modules-available/permissionmanager/templates/roleeditor.html
+++ b/modules-available/permissionmanager/templates/roleeditor.html
@@ -13,11 +13,17 @@
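Review bot: In the `roleEditor` branch of page.inc.php, the result of `GetPermissionData::getRoleData($roleid)` is merged straight into `$data`, and `$data["permissions"]` and `$data["locations"]` are read without checking that the role exists. Only the start of `getRoleData` is visible in this commit, so what it returns for an unknown id is an assumption; a missing row would at best render an editor with no `roleid` and at worst fail on the `+=` with a non-array. Fetching into a local and bailing out keeps that explicit: `$roleData = GetPermissionData::getRoleData($roleid);` followed by `if (empty($roleData['roleid'])) { Message::addError('main.parameter-missing', 'roleid'); Util::redirect('?do=permissionmanager'); }`. Also, `+=` keeps keys already present in `$data` (`cancelShow`, `perms`), so a returned key of the same name would be dropped silently. The enclosing method continues outside the hunk.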
- +
+
+ + + + +

diff --git a/modules-available/permissionmanager/templates/rolestable.html b/modules-available/permissionmanager/templates/rolestable.html index 9ba8d85c..d520db33 100644 --- a/modules-available/permissionmanager/templates/rolestable.html +++ b/modules-available/permissionmanager/templates/rolestable.html @@ -11,6 +11,7 @@ {{lang_roles}} + {{lang_description}} {{#perms.roles.edit.disabled}} {{lang_view}} @@ -27,8 +28,9 @@ {{#roles}} {{rolename}} +
{{roledescription}}
- +