From 206d0b94f4010e8a5cbce74c5afbae46adf03d74 Mon Sep 17 00:00:00 2001
From: Simon Rettberg
Date: Thu, 9 Jan 2020 13:22:29 +0100
Subject: [permissionmanager] Make default roles "builtin" i.e. not modifiable
---
 .../permissionmanager/install.inc.php | 32 ++++++++++++++--------
 1 file changed, 21 insertions(+), 11 deletions(-)
(limited to 'modules-available/permissionmanager/install.inc.php')
diff --git a/modules-available/permissionmanager/install.inc.php b/modules-available/permissionmanager/install.inc.php
index 68f01899..5d1f60da 100644
--- a/modules-available/permissionmanager/install.inc.php
+++ b/modules-available/permissionmanager/install.inc.php
@@ -5,6 +5,7 @@ $res = array();
 $res[] = tableCreate('role', "
 roleid int(10) unsigned NOT NULL AUTO_INCREMENT,
 rolename varchar(200) NOT NULL,
+ builtin bool NOT NULL DEFAULT '0',
 roledescription TEXT,
 PRIMARY KEY (roleid)
 ");
@@ -100,20 +101,27 @@ if (!tableHasColumn('role', 'roledescription')) { $res[] = UPDATE_DONE; } -if (!tableHasColumn('role', 'roledescription')) { - finalResponse(UPDATE_RETRY, 'Try again later'); +// 2020-01-09 flag for builtin roles that can't be edited +if (!tableHasColumn('role', 'builtin')) { + $alter = Database::exec("ALTER TABLE role ADD builtin bool NOT NULL DEFAULT '0' AFTER rolename"); + if ($alter === false) + finalResponse(UPDATE_FAILED, 'Cannot add builtin field to table role: ' . Database::lastError()); + $res[] = UPDATE_DONE; } -if (Database::exec("INSERT INTO `role` VALUES - (1,'Super-Admin', 'Hat keinerlei Zugriffsbeschränkungen'), - (2,'Admin', 'Alles bis auf Rechte-/Nutzerverwaltung'), - (3,'Prüfungsadmin', 'Kann E-Prüfungen verwalten, Prüfungsmodus einschalten, etc.'), - (4,'Lesezugriff', 'Kann auf die meisten Seiten zugreifen, jedoch keine Änderungen vornehmen')") !== false) { - // Success, there probably were no roles before, keep going +if (Database::exec("INSERT INTO `role` (roleid, rolename, builtin, roledescription) VALUES + (1,'Super-Admin', 1, 'Hat keinerlei Zugriffsbeschränkungen'), + (2,'Admin', 1, 'Alles bis auf Rechte-/Nutzerverwaltung'), + (3,'Prüfungsadmin', 1, 'Kann E-Prüfungen verwalten, Prüfungsmodus einschalten, etc.'), + (4,'Lesezugriff', 1, 'Kann auf die meisten Seiten zugreifen, jedoch keine Änderungen vornehmen') + ON DUPLICATE KEY UPDATE rolename = VALUES(rolename), builtin = 1, roledescription = VALUES(roledescription)") !== false) { + // Old ruleset accidentally gave write permissions to the read-only role + Database::exec("DELETE FROM role_x_permission WHERE roleid = 4 AND permissionid = 'news.*'"); // Assign roles to location (all) + Database::exec("DELETE FROM role_x_location WHERE roleid IN (1,2,3,4)"); Database::exec("INSERT INTO `role_x_location` VALUES (1,NULL),(2,NULL),(3,NULL),(4,NULL)"); // Assign permissions to roles - Database::exec("INSERT INTO `role_x_permission` VALUES + Database::exec("INSERT IGNORE INTO 
`role_x_permission` VALUES (3,'exams.exams.*'), (3,'rebootcontrol.action.*'), (3,'statistics.hardware.projectors.view'), @@ -138,7 +146,7 @@ if (Database::exec("INSERT INTO `role` VALUES (4,'locationinfo.panel.list'), (4,'locations.location.view'), (4,'minilinux.view'), - (4,'news.*'), + (4,'news.access-page'), (4,'permissionmanager.locations.view'), (4,'permissionmanager.roles.view'), (4,'permissionmanager.users.view'), @@ -159,6 +167,8 @@ if (Database::exec("INSERT INTO `role` VALUES (4,'systemstatus.show.overview.*'), (4,'systemstatus.tab.*'), (4,'webinterface.access-page'), + (4,'rebootcontrol.subnet.view'), + (4,'rebootcontrol.jumphost.view'), (2,'adduser.user.view-list'), (2,'backup.*'), @@ -186,7 +196,7 @@ if (Database::exec("INSERT INTO `role` VALUES (2,'vmstore.edit'), (2,'webinterface.*')"); // Assign the first user to the superadmin role (if one exists) - Database::exec("INSERT INTO `role_x_user` VALUES (1,1)"); + Database::exec("INSERT IGNORE INTO `role_x_user` VALUES (1,1)"); $res[] = UPDATE_DONE; } -- cgit v1.2.3-55-g7522
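Review bot: The `INSERT IGNORE INTO role_x_permission` that follows the role upsert restores the shipped grants for the builtin roles but never removes grants they already carry, so a permission an administrator added to the read-only role before this change (anything other than `news.*`, which the new DELETE handles) survives and is now frozen into a role that can no longer be edited. The same hunk already resets locations with `DELETE FROM role_x_location WHERE roleid IN (1,2,3,4)` before re-inserting; the permission table deserves the same treatment, `Database::exec("DELETE FROM role_x_permission WHERE roleid IN (1,2,3,4)");` directly before the INSERT IGNORE, assuming the INSERT lists every grant the builtin roles are meant to have, after which the `news.*` special case is redundant. Note also that with `ON DUPLICATE KEY UPDATE` the role INSERT now succeeds on every run, so this whole block executes on every install and upgrade rather than only on a fresh database, and `$res[] = UPDATE_DONE` is pushed each time; a comment such as `// Runs on every update: builtin roles are re-synced to the shipped definition` would make that intentional. The if block opens in this hunk but its body continues past it.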
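Review bot: `INSERT IGNORE INTO role_x_user VALUES (1,1)` now runs on every install and upgrade, not only on a fresh database, because the role INSERT it is nested under uses `ON DUPLICATE KEY UPDATE` and no longer fails when the roles already exist. IGNORE only suppresses the duplicate-key error; if user 1 was deliberately removed from the super-admin role, the next upgrade silently re-grants it, which is a privilege change no administrator asked for. Guard the grant so it only fires when the super-admin role has no member at all, e.g. `Database::exec("INSERT IGNORE INTO `role_x_user` SELECT 1, 1 FROM DUAL WHERE NOT EXISTS (SELECT 1 FROM role_x_user WHERE roleid = 1)");`, or move it into a branch that runs only on first install. The enclosing if block starts in an earlier hunk.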