From c23b6957d841d273cf8b0838481ea461a88a8eb4 Mon Sep 17 00:00:00 2001
From: Simon Rettberg
Date: Thu, 8 Feb 2018 15:17:30 +0100
Subject: [inc/User] Add locationid 0 to allowed locations in fallback mode
---
inc/user.inc.php | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
(limited to 'inc/user.inc.php')
diff --git a/inc/user.inc.php b/inc/user.inc.php
index 81091e1b..b5a364ee 100644
--- a/inc/user.inc.php
+++ b/inc/user.inc.php
@@ -47,8 +47,11 @@ class User
$permission = $module ? $module->getIdentifier().".".$permission : $permission;
return PermissionUtil::getAllowedLocations(self::$user['userid'], $permission);
}
- if (self::$user['permissions'] & Permission::get('superadmin'))
- return array_keys(Location::getLocationsAssoc());
+ if (self::$user['permissions'] & Permission::get('superadmin')) {
+ $a = array_keys(Location::getLocationsAssoc());
+ $a[] = 0;
+ return $a;
+ }
return array();
}
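Review bot: The literal `0` appended in the superadmin branch is a magic location id that nothing in getAllowedLocations() explains, and `$a` says nothing about what the array holds. Because callers presumably use this list to decide which locations a user may act on, the rule should be stated where it is applied, for example `// Fallback mode (no permissionmanager): superadmin is also allowed on location id 0` above `$a[] = 0;`, with `$a` renamed to `$locations`. What location id 0 stands for is not visible in this hunk, so the comment should spell that out as well.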
--
cgit v1.2.3-55-g7522
From cfa60bc6dc68699efb74342ead37865c074bc66a Mon Sep 17 00:00:00 2001
From: Simon Rettberg
Date: Fri, 9 Feb 2018 16:13:17 +0100
Subject: Permissions: Introduce helper functions for common tasks
assertPermission ensures the user has a given permission and
halts execution otherwise.
addGlobalTags is a helper to fill an array for the rendering
process with tags associated with (missing) permissions.
---
inc/permission.inc.php | 20 ++++++++++++++++++++
inc/user.inc.php | 29 +++++++++++++++++++++++++++--
2 files changed, 47 insertions(+), 2 deletions(-)
(limited to 'inc/user.inc.php')
diff --git a/inc/permission.inc.php b/inc/permission.inc.php
index d04e3c3b..defa9f4d 100644
--- a/inc/permission.inc.php
+++ b/inc/permission.inc.php
@@ -15,5 +15,25 @@ class Permission
return self::$permissions[$permission];
}
+
+ public static function addGlobalTags(&$array, $locationid, $disabled)
+ {
+ if (!Module::isAvailable('permissionmanager'))
+ return;
+ foreach ($disabled as $perm) {
+ if (User::hasPermission($perm, $locationid))
+ continue;
+ if (strpos($perm, '.') === false) {
+ $array[$perm]['disabled'] = 'disabled';
+ continue;
+ }
+ $temp =& $array;
+ foreach (explode('.', $perm) as $sub) {
+ $temp =& $temp[$sub];
+ }
+ $temp['disabled'] = 'disabled';
+ }
+ }
+
}
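Review bot: addGlobalTags() is added without a docblock, and the missing documentation matters here because the function only marks template tags as `disabled` for rendering; it does not enforce anything. The docblock should describe `$array` (passed by reference and modified in place), `$locationid` and `$disabled` (the list of permission names to test), and state that request handlers still need their own User::hasPermission() or assertPermission() check, since a disabled control in the page does not stop a hand-crafted request. Inside the loop, `$temp =& $temp[$sub];` silently creates every missing nested key and will fail if an intermediate entry already holds a scalar, so a short comment saying the nested keys are created on purpose would help.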
diff --git a/inc/user.inc.php b/inc/user.inc.php
index b5a364ee..eee4f883 100644
--- a/inc/user.inc.php
+++ b/inc/user.inc.php
@@ -31,8 +31,12 @@ class User
if (!self::isLoggedIn())
return false;
if (Module::isAvailable("permissionmanager")) {
- $module = Page::getModule();
- $permission = $module ? $module->getIdentifier().".".$permission : $permission;
+ if ($permission{0} === '.') {
+ $permission = substr($permission, 1);
+ } else {
+ $module = Page::getModule();
+ $permission = $module ? $module->getIdentifier() . "." . $permission : $permission;
+ }
return PermissionUtil::userHasPermission(self::$user['userid'], $permission, $locationid);
}
if (self::$user['permissions'] & Permission::get('superadmin'))
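Review bot: `$permission{0}` in the new branch reads offset 0 without checking that the string is non-empty, so an empty permission name raises an uninitialized-offset notice; the curly-brace offset syntax is also deprecated as of PHP 7.4 and removed in PHP 8.0. `if (substr($permission, 0, 1) === '.') {` avoids both. The same expression is added in the getAllowedLocations() hunk of the 15 Feb commit and in the assertPermission() hunk of the 29 Mar commit. A comment such as `// Leading '.' = fully qualified permission name, do not prefix with the current module` would document the convention at the point where authorization names are resolved. The body of hasPermission() starts outside this hunk.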
@@ -40,8 +44,29 @@ class User
return (self::$user['permissions'] & Permission::get($permission)) != 0;
}
+ /**
+ * Confirm current user has the given permission, stop execution and show error message
+ * otherwise.
+ * @param string $permission Permission to check for
+ * @param null|int $locationid location this permission has to apply to, NULL if any location is sufficient
+ * @param null|string $redirect page to redirect to if permission is not given, NULL defaults to main page
+ */
+ public static function assertPermission($permission, $locationid = NULL, $redirect = NULL)
+ {
+ if (User::hasPermission($permission, $locationid))
+ return;
+ Message::addError('main.no-permission');
+ if (is_null($redirect)) {
+ Util::redirect('?do=main');
+ } else {
+ Util::redirect($redirect);
+ }
+ }
+
public static function getAllowedLocations($permission)
{
+ if (!self::isLoggedIn())
+ return [];
if (Module::isAvailable("permissionmanager")) {
$module = Page::getModule();
$permission = $module ? $module->getIdentifier().".".$permission : $permission;
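Review bot: assertPermission() only stops the request if Util::redirect() itself terminates, which is not visible in this hunk; should it ever return, the caller carries on as though the check had passed. Since the docblock promises that execution stops, the function should fail closed with an explicit `exit;` after the if/else. `$redirect` is handed to Util::redirect() unchanged, so the docblock should also say that callers must pass only fixed, application-internal targets and never a value taken from the request. The body of getAllowedLocations() continues past the end of the hunk.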
--
cgit v1.2.3-55-g7522
From 092b99fb7964ba15d7f20119ef7bd51ca1f2675f Mon Sep 17 00:00:00 2001
From: Simon Rettberg
Date: Thu, 15 Feb 2018 13:23:57 +0100
Subject: [inc/User] getAllowedLocations(): Support cross-module checking
---
inc/user.inc.php | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
(limited to 'inc/user.inc.php')
diff --git a/inc/user.inc.php b/inc/user.inc.php
index eee4f883..79facffc 100644
--- a/inc/user.inc.php
+++ b/inc/user.inc.php
@@ -68,8 +68,12 @@ class User
if (!self::isLoggedIn())
return [];
if (Module::isAvailable("permissionmanager")) {
- $module = Page::getModule();
- $permission = $module ? $module->getIdentifier().".".$permission : $permission;
+ if ($permission{0} === '.') {
+ $permission = substr($permission, 1);
+ } else {
+ $module = Page::getModule();
+ $permission = $module ? $module->getIdentifier() . "." . $permission : $permission;
+ }
return PermissionUtil::getAllowedLocations(self::$user['userid'], $permission);
}
if (self::$user['permissions'] & Permission::get('superadmin')) {
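Review bot: The leading-dot resolution added here is a copy of the block that the previous commit put into hasPermission(), so the rule that turns a short name into a fully qualified permission now lives in two places. In authorization code such copies tend to drift; the later assertPermission() change already has a third variant that tests `$module !== false` instead of truthiness. A private helper shared by both methods keeps the name that is checked and the name that is listed identical. The helper name below is a suggestion, and the enclosing function extends beyond the hunk on both sides.

```php
/**
 * Turn a permission name into its fully qualified form.
 * A leading '.' marks an already qualified name; otherwise the
 * identifier of the current module is used as prefix.
 */
private static function resolvePermissionName($permission)
{
	if (substr($permission, 0, 1) === '.')
		return substr($permission, 1);
	$module = Page::getModule();
	return $module ? $module->getIdentifier() . '.' . $permission : $permission;
}

// … unchanged: isLoggedIn() guard …
if (Module::isAvailable("permissionmanager")) {
	$permission = self::resolvePermissionName($permission);
	return PermissionUtil::getAllowedLocations(self::$user['userid'], $permission);
}
```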
--
cgit v1.2.3-55-g7522
From 276675039e3a596bbf88ff95203e5c1a30723204 Mon Sep 17 00:00:00 2001
From: Simon Rettberg
Date: Fri, 16 Feb 2018 13:10:16 +0100
Subject: [inc/User] assertPermission(): Don't redirect if it's an ajax call
---
inc/user.inc.php | 4 ++++
1 file changed, 4 insertions(+)
(limited to 'inc/user.inc.php')
diff --git a/inc/user.inc.php b/inc/user.inc.php
index 79facffc..2ba1bad2 100644
--- a/inc/user.inc.php
+++ b/inc/user.inc.php
@@ -56,6 +56,10 @@ class User
if (User::hasPermission($permission, $locationid))
return;
Message::addError('main.no-permission');
+ if (AJAX) {
+ Message::renderList();
+ exit;
+ }
if (is_null($redirect)) {
Util::redirect('?do=main');
} else {
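Review bot: The AJAX branch ends the request with whatever status was already set, so unless Message::renderList() sets one itself (not visible here) a denied call comes back as a normal 200 response. Client code and access logs then cannot tell a refusal from a success; adding `http_response_code(403);` before `Message::renderList();` makes the denial explicit. A short comment such as `// AJAX: no redirect, render the error in place and stop` would also explain why this path differs from the redirect below. assertPermission() starts and ends outside the hunk.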
--
cgit v1.2.3-55-g7522
From 24cfbb62c144c1ffecd2be8be3bfb04705d801dd Mon Sep 17 00:00:00 2001
From: Simon Rettberg
Date: Thu, 29 Mar 2018 12:58:01 +0200
Subject: [inc/User] Make userid type int to fix string compares
---
inc/user.inc.php | 1 +
1 file changed, 1 insertion(+)
(limited to 'inc/user.inc.php')
diff --git a/inc/user.inc.php b/inc/user.inc.php
index 2ba1bad2..27a907c3 100644
--- a/inc/user.inc.php
+++ b/inc/user.inc.php
@@ -99,6 +99,7 @@ class User
self::$user = Database::queryFirst('SELECT * FROM user WHERE userid = :uid LIMIT 1', array(':uid' => $uid));
if (self::$user === false)
self::logout();
+ settype(self::$user['userid'], 'int');
return true;
}
return false;
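Review bot: The added `settype(self::$user['userid'], 'int');` also runs on the path where the lookup returned `false`, and it is only safe there if self::logout() never returns, which this hunk does not show. If logout() does return, PHP auto-vivifies the `false` into an array, the session ends up with a user record whose userid is 0, and the function returns true. Making the failure path explicit removes the dependency: `if (self::$user === false) { self::logout(); return false; }`. The enclosing function starts before the hunk.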
--
cgit v1.2.3-55-g7522
From 18f378c9bd232822577258fe68afe78df3f7e7f4 Mon Sep 17 00:00:00 2001
From: Simon Rettberg
Date: Thu, 29 Mar 2018 18:41:37 +0200
Subject: [permissionmanager] Introduce dedicated "permission denied" page
Closes #3350
---
inc/user.inc.php | 17 +++++++++++++----
.../permissionmanager/lang/de/template-tags.json | 5 ++++-
.../permissionmanager/lang/en/template-tags.json | 5 ++++-
modules-available/permissionmanager/page.inc.php | 9 +++++++++
modules-available/permissionmanager/style.css | 7 ++++++-
.../templates/page-permission-denied.html | 21 +++++++++++++++++++++
6 files changed, 57 insertions(+), 7 deletions(-)
create mode 100644 modules-available/permissionmanager/templates/page-permission-denied.html
(limited to 'inc/user.inc.php')
diff --git a/inc/user.inc.php b/inc/user.inc.php
index 27a907c3..f12cc39f 100644
--- a/inc/user.inc.php
+++ b/inc/user.inc.php
@@ -55,15 +55,24 @@ class User
{
if (User::hasPermission($permission, $locationid))
return;
- Message::addError('main.no-permission');
if (AJAX) {
Message::renderList();
exit;
}
- if (is_null($redirect)) {
- Util::redirect('?do=main');
- } else {
+ if (!is_null($redirect)) {
+ Message::addError('main.no-permission');
Util::redirect($redirect);
+ } elseif (Module::isAvailable('permissionmanager')) {
+ if ($permission{0} !== '.') {
+ $module = Page::getModule();
+ if ($module !== false) {
+ $permission = '.' . $module->getIdentifier() . '.' . $permission;
+ }
+ }
+ Util::redirect('?do=permissionmanager&show=denied&permission=' . urlencode($permission));
+ } else {
+ Message::addError('main.no-permission');
+ Util::redirect('?do=main');
}
}
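Review bot: After this change the AJAX branch calls `Message::renderList();` without any error having been queued, because the `Message::addError('main.no-permission');` that used to precede it was moved into the two redirect branches. Unless some other message happens to be pending, an AJAX caller that is denied now receives an empty list and no indication of why. Adding `Message::addError('main.no-permission');` as the first line inside `if (AJAX) {` restores the earlier behaviour. The new `$permission{0} !== '.'` test shares the empty-string and PHP 8 problem of the identical expressions in hasPermission() and getAllowedLocations().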
diff --git a/modules-available/permissionmanager/lang/de/template-tags.json b/modules-available/permissionmanager/lang/de/template-tags.json
index 52073dee..a4fc990b 100644
--- a/modules-available/permissionmanager/lang/de/template-tags.json
+++ b/modules-available/permissionmanager/lang/de/template-tags.json
@@ -8,6 +8,9 @@
"lang_name": "Name",
"lang_newRole": "Rolle anlegen",
"lang_numAssignedUsers": "Benutzer mit dieser Rolle",
+ "lang_permissionDeniedBody": "Ihnen fehlt eine oder mehrere Berechtigungen, um auf diese Seite oder Funktion zuzugreifen.",
+ "lang_permissionDeniedHeader": "Zugriff verweigert",
+ "lang_permission": "Berechtigung",
"lang_permissions": "Rechte",
"lang_removeRole": "Rollen entziehen",
"lang_roleDeleteConfirm": "Sind Sie sich sicher, dass Sie diese Rolle l\u00f6schen m\u00f6chten? Benutzer, denen diese Rolle zugewiesen ist, werden die entsprechenden Berechtigungen verlieren.",
@@ -17,4 +20,4 @@
"lang_selectizePlaceholder": "Nach Rollen filtern...",
"lang_users": "Nutzer",
"lang_view": "Anzeigen"
-}
\ No newline at end of file
+}
diff --git a/modules-available/permissionmanager/lang/en/template-tags.json b/modules-available/permissionmanager/lang/en/template-tags.json
index b7a1d77a..92c3ac26 100644
--- a/modules-available/permissionmanager/lang/en/template-tags.json
+++ b/modules-available/permissionmanager/lang/en/template-tags.json
@@ -8,6 +8,9 @@
"lang_name": "Name",
"lang_newRole": "New Role",
"lang_numAssignedUsers": "Users with this role",
+ "lang_permissionDeniedBody": "You are missing one or more permissions to access this page or functionality.",
+ "lang_permissionDeniedHeader": "Access denied",
+ "lang_permission": "Permission",
"lang_permissions": "Permissions",
"lang_removeRole": "Revoke Roles",
"lang_roleDeleteConfirm": "Are you sure you want to delete this role? Users currently assigned to this role will lose the according permissions.",
@@ -17,4 +20,4 @@
"lang_selectizePlaceholder": "Filter for roles...",
"lang_users": "Users",
"lang_view": "View"
-}
\ No newline at end of file
+}
diff --git a/modules-available/permissionmanager/page.inc.php b/modules-available/permissionmanager/page.inc.php
index d326bb94..828891ab 100644
--- a/modules-available/permissionmanager/page.inc.php
+++ b/modules-available/permissionmanager/page.inc.php
@@ -50,6 +50,15 @@ class Page_PermissionManager extends Page
{
$show = Request::get("show", false, 'string');
+ // "Public" page -- nice "permission denied" message
+ if ($show === 'denied') {
+ Render::addTemplate('page-permission-denied', [
+ 'name' => User::getName(),
+ 'permission' => Request::get('permission', false, 'string'),
+ ]);
+ return;
+ }
+
if ($show === false) {
foreach (['roles', 'users', 'locations'] as $show) {
if (User::hasPermission($show . '.*'))
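Review bot: The new `denied` branch passes the `permission` request parameter straight into the template, so anything placed in the URL is shown back to whoever opens the link. That is only safe if page-permission-denied.html prints it with the escaping `{{permission}}` form and never the raw triple-brace form; the template is not fully visible here, so this should be confirmed. Since the branch is reached before any permission check (the comment calls it a "Public" page), it would also be worth checking the value against the expected character set of permission names before rendering and otherwise dropping it. Request::get() is called with `false` as default, so the template has to cope with a missing value as well. The enclosing method starts and ends outside the hunk.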
diff --git a/modules-available/permissionmanager/style.css b/modules-available/permissionmanager/style.css
index 6169b26f..dca38eeb 100644
--- a/modules-available/permissionmanager/style.css
+++ b/modules-available/permissionmanager/style.css
@@ -58,4 +58,9 @@ td > .label {
.btn-group-muted > button {
color: #aaa;
-}
\ No newline at end of file
+}
+
+h1 span.glyphicon {
+ top: 9px;
+}
+
diff --git a/modules-available/permissionmanager/templates/page-permission-denied.html b/modules-available/permissionmanager/templates/page-permission-denied.html
new file mode 100644
index 00000000..cc357a0b
--- /dev/null
+++ b/modules-available/permissionmanager/templates/page-permission-denied.html
@@ -0,0 +1,21 @@
+
+
+ {{lang_permissionDeniedBody}} +
+ {{#permission}} +