From a8b0095b335780ae0bb950bc44021215d43a6b2d Mon Sep 17 00:00:00 2001
From: Simon Rettberg
Date: Mon, 12 Feb 2018 14:17:07 +0100
Subject: [permissionmanager] Introduce "location-aware" flag for permissions

This flag tells wether the permission can be restricted to certain
locations in a meaningful way. This flag has to be set in the
permissions.json of the according module.
For example, the permission to reboot the server cannot be limited
to certain locations in a meaningful way, while the view of the
client log can be filtered to only show log entries for clients
in specific locations.
---
 modules-available/permissionmanager/page.inc.php | 21 ++++++++++++---------
 1 file changed, 12 insertions(+), 9 deletions(-)

(limited to 'modules-available/permissionmanager/page.inc.php')

diff --git a/modules-available/permissionmanager/page.inc.php b/modules-available/permissionmanager/page.inc.php
index 13d81c6a..bb8482af 100644
--- a/modules-available/permissionmanager/page.inc.php
+++ b/modules-available/permissionmanager/page.inc.php
@@ -100,18 +100,21 @@ class Page_PermissionManager extends Page
 		$toplevel = $permString == "";
 		if ($toplevel && in_array("*", $selectedPermissions)) $selectAll = true;
 		foreach ($permissions as $k => $v) {
-			$leaf = !is_array($v);
+			$leaf = isset($v['isLeaf']) && $v['isLeaf'];
 			$nextPermString = $permString ? $permString.".".$k : $k;
 			$id = $leaf ? $nextPermString : $nextPermString.".*";
 			$selected = $selectAll || in_array($id, $selectedPermissions);
-			$res .= Render::parse("treenode",
-				array("id" =>  $id,
-						"name" => $toplevel ? Module::get($k)->getDisplayName() : $k,
-						"toplevel" => $toplevel,
-						"checkboxname" => "permissions",
-						"selected" => $selected,
-						"HTML" => $leaf ? "" : self::generatePermissionHTML($v, $selectedPermissions, $selected, $nextPermString),
-						"description" => $leaf ? $v : ""));
+			$data = array("id" =>  $id,
+				"name" => $toplevel ? Module::get($k)->getDisplayName() : $k,
+				"toplevel" => $toplevel,
+				"checkboxname" => "permissions",
+				"selected" => $selected,
+				"HTML" => $leaf ? "" : self::generatePermissionHTML($v, $selectedPermissions, $selected, $nextPermString),
+			);
+			if ($leaf) {
+				$data += $v;
+			}
+			$res .= Render::parse("treenode", $data);
 		}
 		if ($toplevel) {
 			$res = Render::parse("treepanel",
-- 
cgit v1.2.3-55-g7522


From af5c4258439341fd2153a951fb871269bd754e58 Mon Sep 17 00:00:00 2001
From: Simon Rettberg
Date: Mon, 12 Feb 2018 17:18:45 +0100
Subject: [permissionmanager] Tweak style, fix role filtering (and make it
 AND), minor cleanups

---
 .../permissionmanager/clientscript.js              | 45 ++++----------
 modules-available/permissionmanager/config.json    |  2 +-
 .../permissionmanager/lang/de/template-tags.json   | 30 ++++------
 .../permissionmanager/lang/en/template-tags.json   | 28 ++++-----
 modules-available/permissionmanager/page.inc.php   | 49 ++++++++-------
 modules-available/permissionmanager/style.css      | 54 +++--------------
 .../permissionmanager/templates/_page.html         | 29 ---------
 .../permissionmanager/templates/header-menu.html   | 25 ++++++++
 .../templates/locationstable.html                  | 56 +++++++----------
 .../templates/role-filter-selectize.html           |  6 ++
 .../permissionmanager/templates/roleeditor.html    | 70 ++++++++++++----------
 .../permissionmanager/templates/rolestable.html    | 20 +++----
 .../permissionmanager/templates/treenode.html      |  4 +-
 .../permissionmanager/templates/treepanel.html     |  2 +-
 .../permissionmanager/templates/userstable.html    | 40 +++++--------
 15 files changed, 184 insertions(+), 276 deletions(-)
 delete mode 100644 modules-available/permissionmanager/templates/_page.html
 create mode 100644 modules-available/permissionmanager/templates/header-menu.html
 create mode 100644 modules-available/permissionmanager/templates/role-filter-selectize.html

(limited to 'modules-available/permissionmanager/page.inc.php')

diff --git a/modules-available/permissionmanager/clientscript.js b/modules-available/permissionmanager/clientscript.js
index 4770fa6a..90d66688 100644
--- a/modules-available/permissionmanager/clientscript.js
+++ b/modules-available/permissionmanager/clientscript.js
@@ -10,36 +10,21 @@ document.addEventListener("DOMContentLoaded", function() {
 			plugins: ["remove_button"]
 		})[0].selectize;
 
-		// If Site gets refreshed, all data-selectizeCounts will be reset to 0, so delete the filters from the selectize
-		selectize.clear();
-
-		selectize.on("item_add", function (value, $item) {
-			// When first item gets added the filter isn't empty anymore, so hide all rows
-			if (selectize.items.length === 1) {
-				$(".dataTable tbody").find("tr").hide();
-			}
-			// Find all rows which shall be shown and increase their counter by 1
-			$(".roleid-" + value).closest("tr").each(function () {
-				$(this).data("selectizeCount", $(this).data("selectizeCount") + 1);
-				$(this).show();
-			});
-		});
-
-		selectize.on("item_remove", function (value, $item) {
-			// When no items in the filter, show all rows again
-			if (selectize.items.length === 0) {
-				$(".dataTable tbody").find("tr").show();
+		var $body = $(".dataTable tbody");
+		var filterFunc = function(value) {
+			var selected = selectize.getValue();
+			if (!selected || !selected.length) {
+				$body.find("tr").show();
 			} else {
-				// Find all rows which have the delete role, decrease their counter by 1
-				$(".roleid-" + value).closest("tr").each(function () {
-					$(this).data("selectizeCount", $(this).data("selectizeCount") - 1);
-					// If counter is 0, hide the row (no filter given to show the row anymore)
-					if ($(this).data("selectizeCount") === 0) {
-						$(this).closest("tr").hide();
-					}
-				});
+				$body.find("tr").hide();
+				var str = 'tr.roleid-' + selected.join('.roleid-');
+				$body.find(str).show();
 			}
-		});
+		};
+
+		selectize.on("item_add", filterFunc);
+
+		selectize.on("item_remove",filterFunc);
 	}
 
 	$("tr").on("click", function(e) {
@@ -47,8 +32,4 @@ document.addEventListener("DOMContentLoaded", function() {
 			$(this).find("input[type=checkbox]").trigger("click");
 		}
 	});
-
-	$("form input").keydown(function(e) {
-		if (e.keyCode === 13) e.preventDefault();
-	});
 });
\ No newline at end of file
diff --git a/modules-available/permissionmanager/config.json b/modules-available/permissionmanager/config.json
index c92e917a..d2071984 100644
--- a/modules-available/permissionmanager/config.json
+++ b/modules-available/permissionmanager/config.json
@@ -1,4 +1,4 @@
 {
 	"category":"main.content",
-	"dependencies": [ "locations", "js_stupidtable", "bootstrap_switch", "js_selectize" ]
+	"dependencies": [ "locations", "js_stupidtable", "js_selectize" ]
 }
diff --git a/modules-available/permissionmanager/lang/de/template-tags.json b/modules-available/permissionmanager/lang/de/template-tags.json
index 71bd4075..2ec25b37 100644
--- a/modules-available/permissionmanager/lang/de/template-tags.json
+++ b/modules-available/permissionmanager/lang/de/template-tags.json
@@ -1,24 +1,18 @@
 {
-    "lang_roles": "Rollen",
-    "lang_users": "Nutzer",
-    "lang_locations": "Räume",
     "lang_addRole": "Rollen erteilen",
-    "lang_removeRole": "Rollen entziehen",
-    "lang_newRole": "Rolle anlegen",
-    "lang_selected": "Ausgewählt",
-    "lang_edit": "Bearbeiten",
-    "lang_delete": "Löschen",
-    "lang_removeCheck": "Sind Sie sich sicher, dass Sie diese Rolle entfernen wollen?",
-    "lang_deleteCheck": "Sind Sie sich sicher, dass Sie diese Rolle löschen wollen?",
-    "lang_emptyNameWarning": "Der Name der Rolle darf nicht leer sein!",
+    "lang_addRoleHeading": "Neue Rolle hinzuf\u00fcgen",
+    "lang_deleteCheck": "Sind Sie sich sicher, dass Sie diese Rolle l\u00f6schen wollen?",
+    "lang_editRoleHeading": "Rolle bearbeiten",
+    "lang_locationAwareDesc": "Berechtigungen mit diesem Symbol k\u00f6nnen auf bestimmte R\u00e4ume\/Orte beschr\u00e4nkt werden. Alle anderen Berechtigungen sind unabh\u00e4ngig von den f\u00fcr diese Rolle ausgew\u00e4hlten Orten.",
+    "lang_locations": "R\u00e4ume",
+    "lang_moduleName": "Rechtemanager",
     "lang_name": "Name",
-    "lang_cancel": "Abbrechen",
-    "lang_save": "Speichern",
-    "lang_all": "alle",
-    "lang_selected": "ausgewählte",
+    "lang_newRole": "Rolle anlegen",
     "lang_permissions": "Rechte",
-    "lang_selectizePlaceholder": "Nach Rollen filtern...",
+    "lang_removeRole": "Rollen entziehen",
+    "lang_roles": "Rollen",
     "lang_searchPlaceholder": "Nach Rollen suchen...",
-    "lang_moduleName": "Rechtemanager",
-    "lang_roleEditor": "Rollen Editor"
+    "lang_selected": "ausgew\u00e4hlte",
+    "lang_selectizePlaceholder": "Nach Rollen filtern...",
+    "lang_users": "Nutzer"
 }
\ No newline at end of file
diff --git a/modules-available/permissionmanager/lang/en/template-tags.json b/modules-available/permissionmanager/lang/en/template-tags.json
index 2d31b294..cef23422 100644
--- a/modules-available/permissionmanager/lang/en/template-tags.json
+++ b/modules-available/permissionmanager/lang/en/template-tags.json
@@ -1,24 +1,18 @@
 {
-    "lang_roles": "Roles",
-    "lang_users": "Users",
-    "lang_locations": "Locations",
     "lang_addRole": "Grant Roles",
-    "lang_removeRole": "Revoke Roles",
-    "lang_newRole": "New Role",
-    "lang_selected": "Selected",
-    "lang_edit": "Edit",
-    "lang_delete": "Delete",
-    "lang_removeCheck": "Are you sure you want to remove this role?",
+    "lang_addRoleHeading": "Add new role",
     "lang_deleteCheck": "Are you sure you want to delete this role?",
-    "lang_emptyNameWarning": "Role name can not be empty!",
+    "lang_editRoleHeading": "Edit role",
+    "lang_locationAwareDesc": "Permissions with this symbol can be restricted to certain locations. All other permissions are independent of the locations selected for this role.",
+    "lang_locations": "Locations",
+    "lang_moduleName": "Permission Manager",
     "lang_name": "Name",
-    "lang_cancel": "Cancel",
-    "lang_save": "Save",
-    "lang_all": "all",
-    "lang_selected": "selected",
+    "lang_newRole": "New Role",
     "lang_permissions": "Permissions",
-    "lang_selectizePlaceholder": "Filter for roles...",
+    "lang_removeRole": "Revoke Roles",
+    "lang_roles": "Roles",
     "lang_searchPlaceholder": "Search for roles...",
-    "lang_moduleName": "Permission Manager",
-    "lang_roleEditor": "Role Editor"
+    "lang_selected": "selected",
+    "lang_selectizePlaceholder": "Filter for roles...",
+    "lang_users": "Users"
 }
\ No newline at end of file
diff --git a/modules-available/permissionmanager/page.inc.php b/modules-available/permissionmanager/page.inc.php
index bb8482af..4b961632 100644
--- a/modules-available/permissionmanager/page.inc.php
+++ b/modules-available/permissionmanager/page.inc.php
@@ -34,6 +34,9 @@ class Page_PermissionManager extends Page
 			$permissions = self::processPermissions(Request::post("permissions"));
 			PermissionDbUpdate::saveRole($rolename, $locations, $permissions, $roleID);
 		}
+		if (Request::isPost()) {
+			Util::redirect('?do=permissionmanager&show=' . Request::get("show", "roles"));
+		}
 	}
 
 	/**
@@ -44,32 +47,35 @@ class Page_PermissionManager extends Page
 		$show = Request::get("show", "roles");
 
 		// switch between tables, but always show menu to switch tables
-		if ( $show === 'roles' || $show === 'users' || $show === 'locations' ) {
-			// get menu button colors
-			$buttonColors = array();
-			$buttonColors['rolesButtonClass'] = $show === 'roles' ? 'active' : '';
-			$buttonColors['usersButtonClass'] = $show === 'users' ? 'active' : '';
-			$buttonColors['locationsButtonClass'] = $show === 'locations' ? 'active' : '';
-
-			Render::addtemplate('_page', $buttonColors);
-
-			if ($show === "roles") {
-				$data = array("roles" => GetPermissionData::getRoles());
-				Render::addTemplate('rolestable', $data);
-			} elseif ($show === "users") {
-				$data = array("user" => GetPermissionData::getUserData(), "roles" => GetPermissionData::getRoles());
-				Render::addTemplate('userstable', $data);
-			} elseif ($show === "locations") {
-				$data = array("location" => GetPermissionData::getLocationData(), "allroles" => GetPermissionData::getRoles());
-				Render::addTemplate('locationstable', $data);
-			}
+		// get menu button colors
+		$buttonColors = array();
+		if ($show === "roleEditor") {
+			$buttonColors['groupClass'] = 'slx-fade';
+			$buttonColors['rolesButtonClass'] = 'active';
+		} else {
+			$buttonColors[$show . 'ButtonClass'] = 'active';
+		}
+
+		Render::addtemplate('header-menu', $buttonColors);
+
+		if ($show === "roles") {
+			$data = array("roles" => GetPermissionData::getRoles());
+			Render::addTemplate('rolestable', $data);
+		} elseif ($show === "users") {
+			$data = array("user" => GetPermissionData::getUserData(), "allroles" => GetPermissionData::getRoles());
+			Render::addTemplate('role-filter-selectize', $data);
+			Render::addTemplate('userstable', $data);
+		} elseif ($show === "locations") {
+			$data = array("location" => GetPermissionData::getLocationData(), "allroles" => GetPermissionData::getRoles());
+			Render::addTemplate('role-filter-selectize', $data);
+			Render::addTemplate('locationstable', $data);
 		} elseif ($show === "roleEditor") {
 			$data = array("cancelShow" => Request::get("cancel", "roles"));
 
 			$selectedPermissions = array();
 			$selectedLocations = array();
-			$roleid = Request::get("roleid", false);
-			if ($roleid) {
+			$roleid = Request::get("roleid", false, 'int');
+			if ($roleid !== false) {
 				$roleData = GetPermissionData::getRoleData($roleid);
 				$data["roleid"] = $roleid;
 				$data["rolename"] = $roleData["rolename"];
@@ -81,7 +87,6 @@ class Page_PermissionManager extends Page
 			$data["locationHTML"] = self::generateLocationHTML(Location::getTree(), $selectedLocations);
 
 			Render::addTemplate('roleeditor', $data);
-
 		}
 	}
 
diff --git a/modules-available/permissionmanager/style.css b/modules-available/permissionmanager/style.css
index 9c39af64..8285fdd2 100644
--- a/modules-available/permissionmanager/style.css
+++ b/modules-available/permissionmanager/style.css
@@ -1,58 +1,21 @@
-#switchForm {
-    text-align: center;
-    margin-bottom: 50px;
-}
-
-#saveButton {
-    margin-left: 10px;
-}
-
-#rolename {
-    width: 200px;
-    display: inline-block;
-    margin-left: 10px;
-}
-
-.missingInput {
-    border-color: rgba(255, 0, 0, 0.8);
-    box-shadow: 0 1px 1px rgba(255, 0, 0, 0.075) inset, 0 0 8px rgba(255, 0, 0, 0.6);
-}
-
 .table {
     margin-top: 20px;
 }
 
-.table > tbody > tr > td {
-    vertical-align: middle;
-    height: 50px;
-}
-
 .scrollingTable {
     height: 500px;
     overflow: auto;
 }
 
-.customSpanMargin {
+/* vcenter .label in table cell */
+td > .label {
     display: inline-block;
-    margin-top: 2px;
-    margin-bottom: 2px;
+    margin: 2px 0;
 }
 
-.panel-primary > .panel-heading {
-    background-image: none;
-}
-
-.panel{
-    margin-bottom: 20px;
-}
-
-.selectize-input {
-    overflow: visible;
-}
-
-
-.tree-container .selected {
-    background-color: rgba(0, 182, 41, 0.23);
+/* lists in tree view: hide bullet points, first entry bold, ... */
+.tree-container ul {
+    list-style-type: none;
 }
 
 .tree-container > ul {
@@ -65,6 +28,7 @@
     font-weight: bold;
 }
 
+/* number of columns in tree view depending on screen size */
 .tree-container {
     -moz-column-gap: 20px;
     -webkit-column-gap: 20px;
@@ -91,7 +55,3 @@
         column-count: 3;
     }
 }
-
-ul {
-    list-style-type: none;
-}
\ No newline at end of file
diff --git a/modules-available/permissionmanager/templates/_page.html b/modules-available/permissionmanager/templates/_page.html
deleted file mode 100644
index 4140ce78..00000000
--- a/modules-available/permissionmanager/templates/_page.html
+++ /dev/null
@@ -1,29 +0,0 @@
-<div class="row">
-	<div class="col-md-12" style="margin-bottom: 0;">
-		<div class='page-header'>
-			<div class='pull-right'>
-				<form id="switchForm" method="GET" action="?do=permissionmanager">
-					<input type="hidden" name="do" value="permissionmanager">
-
-					<div class="btn-group">
-						<button class="btn btn-default {{rolesButtonClass}}" type="submit" name="show" value="roles">
-							<span class="glyphicon glyphicon-education"></span>
-							{{lang_roles}}
-						</button>
-
-						<button class="btn btn-default {{usersButtonClass}}" type="submit" name="show" value="users">
-							<span class="glyphicon glyphicon-user"></span>
-							{{lang_users}}
-						</button>
-
-						<button class="btn btn-default {{locationsButtonClass}}" type="submit" name="show" value="locations">
-							<span class="glyphicon glyphicon-home"></span>
-							{{lang_locations}}
-						</button>
-					</div>
-				</form>
-			</div>
-			<h1>{{lang_moduleName}}</h1>
-		</div>
-	</div>
-</div>
\ No newline at end of file
diff --git a/modules-available/permissionmanager/templates/header-menu.html b/modules-available/permissionmanager/templates/header-menu.html
new file mode 100644
index 00000000..ce31d237
--- /dev/null
+++ b/modules-available/permissionmanager/templates/header-menu.html
@@ -0,0 +1,25 @@
+<div class='page-header'>
+	<div class='pull-right'>
+		<form method="GET">
+			<input type="hidden" name="do" value="permissionmanager">
+
+			<div class="btn-group {{groupClass}}">
+				<button class="btn btn-default {{rolesButtonClass}}" type="submit" name="show" value="roles">
+					<span class="glyphicon glyphicon-education"></span>
+					{{lang_roles}}
+				</button>
+
+				<button class="btn btn-default {{usersButtonClass}}" type="submit" name="show" value="users">
+					<span class="glyphicon glyphicon-user"></span>
+					{{lang_users}}
+				</button>
+
+				<button class="btn btn-default {{locationsButtonClass}}" type="submit" name="show" value="locations">
+					<span class="glyphicon glyphicon-home"></span>
+					{{lang_locations}}
+				</button>
+			</div>
+		</form>
+	</div>
+	<h1>{{lang_moduleName}}</h1>
+</div>
\ No newline at end of file
diff --git a/modules-available/permissionmanager/templates/locationstable.html b/modules-available/permissionmanager/templates/locationstable.html
index 153258fe..35058387 100644
--- a/modules-available/permissionmanager/templates/locationstable.html
+++ b/modules-available/permissionmanager/templates/locationstable.html
@@ -1,37 +1,21 @@
-<div class="row">
-	<div class="col-md-4"></div>
-	<div class="col-md-4">
-		<select multiple name="roles[]" id="select-role">
-			<option value>{{lang_selectizePlaceholder}}</option>
-			{{#allroles}}
-			<option value="{{roleid}}">{{rolename}}</option>
-			{{/allroles}}
-		</select>
-	</div>
-</div>
+<table id="locationsTable" class="table table-condensed table-hover dataTable">
+	<thead>
+		<tr>
+			<th>{{lang_locations}}</th>
+			<th class="slx-smallcol">{{lang_roles}}</th>
+		</tr>
+	</thead>
 
-<div class="row">
-	<div class="col-md-12">
-		<table id="locationsTable" class="table table-condensed table-hover stupidtable dataTable">
-			<thead>
-				<tr>
-					<th data-sort="string">{{lang_locations}}</th>
-					<th>{{lang_roles}}</th>
-				</tr>
-			</thead>
-
-			<tbody>
-			{{#location}}
-				<tr data-selectizeCount='0'>
-					<td>{{locationpad}} {{locationname}}</td>
-					<td>
-						{{#roles}}
-						<a href="?do=permissionmanager&show=roleEditor&cancel=locations&roleid={{roleid}}" class="label label-default customSpanMargin roleid-{{roleid}}">{{rolename}}</a>
-						{{/roles}}
-					</td>
-				</tr>
-			{{/location}}
-			</tbody>
-		</table>
-	</div>
-</div>
\ No newline at end of file
+	<tbody>
+	{{#location}}
+		<tr class="{{#roles}}roleid-{{roleid}} {{/roles}}">
+			<td>{{locationpad}} {{locationname}}</td>
+			<td class="slx-smallcol">
+				{{#roles}}
+				<a href="?do=permissionmanager&show=roleEditor&cancel=locations&roleid={{roleid}}" class="label label-default customSpanMargin">{{rolename}}</a>
+				{{/roles}}
+			</td>
+		</tr>
+	{{/location}}
+	</tbody>
+</table>
\ No newline at end of file
diff --git a/modules-available/permissionmanager/templates/role-filter-selectize.html b/modules-available/permissionmanager/templates/role-filter-selectize.html
new file mode 100644
index 00000000..ceadec75
--- /dev/null
+++ b/modules-available/permissionmanager/templates/role-filter-selectize.html
@@ -0,0 +1,6 @@
+<select multiple id="select-role">
+	<option value>{{lang_selectizePlaceholder}}</option>
+	{{#allroles}}
+		<option value="{{roleid}}">{{rolename}}</option>
+	{{/allroles}}
+</select>
\ No newline at end of file
diff --git a/modules-available/permissionmanager/templates/roleeditor.html b/modules-available/permissionmanager/templates/roleeditor.html
index eadce027..d50f2145 100644
--- a/modules-available/permissionmanager/templates/roleeditor.html
+++ b/modules-available/permissionmanager/templates/roleeditor.html
@@ -1,24 +1,42 @@
-<h1>{{lang_roleEditor}}</h1>
+<h2>
+	{{#roleid}}
+		{{lang_editRoleHeading}}
+	{{/roleid}}
+	{{^roleid}}
+		{{lang_addRoleHeading}}
+	{{/roleid}}
+</h2>
+
 <form method="post" action="?do=permissionmanager">
 	<input type="hidden" name="action" value="saveRole">
 	<input type="hidden" name="token" value="{{token}}">
 	<input type="hidden" name="roleid" value="{{roleid}}">
 
+	<div class="input-group">
+	<span class="input-group-addon">
+		<label for="rolename">{{lang_name}}</label>
+	</span>
+		<input id="rolename" name="rolename" value="{{rolename}}" type="text" class="form-control" required>
+	</div>
+	<br>
+
+	<div class="pull-right">
+		<a href="?do=permissionmanager&amp;show={{cancelShow}}" class="btn btn-default">{{lang_cancel}}</a>
+		<button type="submit" class="btn btn-primary"><span class="glyphicon glyphicon-floppy-disk"></span> {{lang_save}}</button>
+	</div>
 	<ul class="nav nav-tabs text-center" role="tablist">
 		<li role="presentation" class="active"><a href="#permissions" role="tab" data-toggle="tab">{{lang_permissions}}</a></li>
 		<li role="presentation"><a href="#locations" role="tab" data-toggle="tab">{{lang_locations}}</a></li>
-		<li style="float: none; display: inline-block">
-			<label for="rolename">{{lang_name}}:</label>
-			<input id="rolename" name="rolename" value="{{rolename}}" type="text" class="form-control">
-		</li>
-		<li style="float: right;">
-			<span><a href="?do=permissionmanager&show={{cancelShow}}" id="cancelButton" class="btn btn-default">{{lang_cancel}}</a></span>
-			<button type="submit" id="saveButton" class="btn btn-primary"><span class="glyphicon glyphicon-floppy-disk"></span> {{lang_save}}</button>
-		</li>
 	</ul>
 	<div class="tab-content">
 		<div role="tabpanel" class="tab-pane active" id="permissions">
 			{{{permissionHTML}}}
+			<div class="panel panel-default">
+				<div class="panel-body">
+					<span class="glyphicon glyphicon-home text-muted"></span>&emsp;
+					{{lang_locationAwareDesc}}
+				</div>
+			</div>
 		</div>
 		<div role="tabpanel" class="tab-pane" id="locations">
 			{{{locationHTML}}}
@@ -31,31 +49,17 @@
 
 	document.addEventListener("DOMContentLoaded", function () {
 
-		$(".tree-panel input[type=checkbox]").change(function () {
-			var checked = $(this).prop("checked");
-			var parent = $(this).parent().parent();
-			if (parent.hasClass("panel-heading")) parent = parent.parent();
-
-			var checkboxes = parent.find("input[type=checkbox]");
-			if (checked) {
-				checkboxes.prop("checked", true);
-			} else {
-				checkboxes.prop("checked", false);
-				while (!parent.hasClass("tree-panel")) {
-					parent = parent.parent().parent();
-					if (parent.hasClass("tree-container")) parent = parent.parent().parent();
-					parent.find("input[type=checkbox]:first").prop("checked", false);
-				}
-			}
+		$(".tree-container input[type=checkbox]").change(function () {
+			// (Un)Mark all sub-elements when changing a checkbox in the panel body
+			var $this = $(this);
+			var checked = $this.prop("checked");
+			$this.closest('li').find("input[type=checkbox]").prop("checked", checked);
 		});
-
-		$('form').submit(function () {
-			var input = $("#rolename");
-			var name = $.trim(input.val());
-			if (!name) {
-				input.addClass("missingInput");
-				return false;
-			}
+		$("input.master-checkbox").change(function () {
+			// (Un)Mark everything within the panel when the master checkbox on top is clicked
+			var $this = $(this);
+			var checked = $this.prop("checked");
+			$this.closest('.tree-panel').find("input[type=checkbox]").prop("checked", checked);
 		});
 
 		$('[data-toggle="tooltip"]').tooltip({
diff --git a/modules-available/permissionmanager/templates/rolestable.html b/modules-available/permissionmanager/templates/rolestable.html
index b121a9e0..944ab3ae 100644
--- a/modules-available/permissionmanager/templates/rolestable.html
+++ b/modules-available/permissionmanager/templates/rolestable.html
@@ -1,15 +1,8 @@
 <form method="post" action="?do=permissionmanager">
 	<input type="hidden" name="token" value="{{token}}">
 
-	<div class="row">
-		<div class="col-md-4">
-		</div>
-		<div class="col-md-4">
-			<input type="text" class="form-control" id="roleNameSearchField" onkeyup="searchFieldFunction()" placeholder="{{lang_searchPlaceholder}}">
-		</div>
-		<div class="col-md-4 text-right">
-			<a href="?do=permissionmanager&show=roleEditor" class="btn btn-success"><span class="glyphicon glyphicon-plus"></span> {{lang_newRole}}</a>
-		</div>
+	<div>
+		<input type="text" class="form-control" id="roleNameSearchField" onkeyup="searchFieldFunction()" placeholder="{{lang_searchPlaceholder}}">
 	</div>
 
 	<div class="row">
@@ -18,8 +11,8 @@
 				<thead>
 					<tr>
 						<th data-sort="string">{{lang_roles}}</th>
-						<th class="text-center">{{lang_edit}}</th>
-						<th class="text-center">{{lang_delete}}</th>
+						<th class="text-center slx-smallcol">{{lang_edit}}</th>
+						<th class="text-center slx-smallcol">{{lang_delete}}</th>
 					</tr>
 				</thead>
 
@@ -40,7 +33,6 @@
 		</div>
 	</div>
 
-
 	<!-- Modals -->
 	<div class ="modal fade" id="deleteModal" tabindex="-1" role="dialog" aria-labelledby="myModalLabel">
 		<div class="modal-dialog" role="document">
@@ -63,6 +55,10 @@
 
 </form>
 
+<div class="text-right">
+	<a href="?do=permissionmanager&show=roleEditor" class="btn btn-success"><span class="glyphicon glyphicon-plus"></span> {{lang_newRole}}</a>
+</div>
+
 <script>
 	function deleteRole($roleid) {
 		$(".modal-footer #deleteId").val($roleid);
diff --git a/modules-available/permissionmanager/templates/treenode.html b/modules-available/permissionmanager/templates/treenode.html
index 43509237..a4a3d7b5 100644
--- a/modules-available/permissionmanager/templates/treenode.html
+++ b/modules-available/permissionmanager/templates/treenode.html
@@ -1,7 +1,7 @@
 {{#toplevel}}<ul>{{/toplevel}}
-<li title="{{description}}" data-toggle="tooltip" data-placement="left">
+<li {{#description}}title="{{description}}" data-toggle="tooltip" data-placement="left"{{/description}}>
 	<div class='checkbox'>
-		<input id="{{id}}" name="{{checkboxname}}[]" value="{{id}}" type="checkbox" class="form-control" {{#selected}}checked{{/selected}}>
+		<input id="{{id}}" name="{{checkboxname}}[]" value="{{id}}" type="checkbox" {{#selected}}checked{{/selected}}>
 		<label for="{{id}}">
 			{{name}}
 			{{#location-aware}}<span class="glyphicon glyphicon-home text-muted"></span>{{/location-aware}}
diff --git a/modules-available/permissionmanager/templates/treepanel.html b/modules-available/permissionmanager/templates/treepanel.html
index 8b510407..cda848a0 100644
--- a/modules-available/permissionmanager/templates/treepanel.html
+++ b/modules-available/permissionmanager/templates/treepanel.html
@@ -1,7 +1,7 @@
 <div class="panel panel-primary tree-panel">
 	<div class="panel-heading">
 		<div class="checkbox">
-			<input id="{{id}}" name="{{checkboxname}}[]" value="{{id}}" type="checkbox" class="form-control" {{#selected}}checked{{/selected}}>
+			<input id="{{id}}" name="{{checkboxname}}[]" value="{{id}}" type="checkbox" class="master-checkbox" {{#selected}}checked{{/selected}}>
 			<label for="{{id}}">{{name}}</label>
 		</div>
 	</div>
diff --git a/modules-available/permissionmanager/templates/userstable.html b/modules-available/permissionmanager/templates/userstable.html
index bb0e228e..4cda2b1b 100644
--- a/modules-available/permissionmanager/templates/userstable.html
+++ b/modules-available/permissionmanager/templates/userstable.html
@@ -1,41 +1,24 @@
 <form method="post" action="?do=permissionmanager&show=users">
 	<input type="hidden" name="token" value="{{token}}">
 
-	<div class="row">
-		<div class="col-md-4">
-		</div>
-		<div class="col-md-4">
-			<select multiple name="roles[]" id="select-role">
-				<option value>{{lang_selectizePlaceholder}}</option>
-				{{#roles}}
-				<option value="{{roleid}}">{{rolename}}</option>
-				{{/roles}}
-			</select>
-		</div>
-		<div class="col-md-4 text-right">
-			<button class="roleButtons btn btn-success" type="button" data-toggle="modal" data-target="#addRoleToUserModal" disabled><span class="glyphicon glyphicon-share-alt"></span> {{lang_addRole}}</button>
-			<button class="roleButtons btn btn-danger" type="button" data-toggle="modal" data-target="#removeRoleFromUserModal" disabled><span class="glyphicon glyphicon-remove-circle"></span> {{lang_removeRole}}</button>
-		</div>
-	</div>
-
 	<div class="row">
 		<div class="col-md-12">
 			<table id="usersTable" class="table table-condensed table-hover stupidtable dataTable">
 				<thead>
 					<tr>
 						<th data-sort="string">{{lang_users}}</th>
-						<th>{{lang_roles}}</th>
-						<th data-sort="int" data-sort-default="desc">{{lang_selected}}</th>
+						<th class="slx-smallcol">{{lang_roles}}</th>
+						<th class="slx-smallcol" data-sort="int" data-sort-default="desc">{{lang_selected}}</th>
 					</tr>
 				</thead>
 
 				<tbody>
 				{{#user}}
-					<tr data-selectizeCount='0'>
+					<tr class="{{#roles}}roleid-{{roleid}} {{/roles}}">
 						<td>{{username}}</td>
-						<td>
+						<td class="slx-smallcol">
 							{{#roles}}
-							<a href="?do=permissionmanager&show=roleEditor&cancel=users&roleid={{roleid}}" class="label label-default customSpanMargin roleid-{{roleid}}">{{rolename}}</a>
+							<a href="?do=permissionmanager&show=roleEditor&cancel=users&roleid={{roleid}}" class="label label-default customSpanMargin">{{rolename}}</a>
 							{{/roles}}
 						</td>
 						<td data-sort-value="0">
@@ -71,7 +54,7 @@
 								</thead>
 
 								<tbody>
-								{{#roles}}
+								{{#allroles}}
 									<tr>
 										<td>{{rolename}}</td>
 										<td data-sort-value="0">
@@ -81,7 +64,7 @@
 											</div>
 										</td>
 									</tr>
-								{{/roles}}
+								{{/allroles}}
 								</tbody>
 							</table>
 						</div>
@@ -114,7 +97,7 @@
 								</thead>
 
 								<tbody>
-								{{#roles}}
+								{{#allroles}}
 									<tr>
 										<td>{{rolename}}</td>
 										<td data-sort-value="0">
@@ -124,7 +107,7 @@
 											</div>
 										</td>
 									</tr>
-								{{/roles}}
+								{{/allroles}}
 								</tbody>
 							</table>
 						</div>
@@ -139,6 +122,11 @@
 	</div>
 </form>
 
+<div class="text-right">
+	<button class="roleButtons btn btn-success" type="button" data-toggle="modal" data-target="#addRoleToUserModal" disabled><span class="glyphicon glyphicon-share-alt"></span> {{lang_addRole}}</button>
+	<button class="roleButtons btn btn-danger" type="button" data-toggle="modal" data-target="#removeRoleFromUserModal" disabled><span class="glyphicon glyphicon-remove-circle"></span> {{lang_removeRole}}</button>
+</div>
+
 <script>
 	selectedUsersCounter = 0;
 	selectedAddRolesCounter = 0;
-- 
cgit v1.2.3-55-g7522


From 56e6f8698c49099f0c78d77e1d99b9eec2f13df9 Mon Sep 17 00:00:00 2001
From: Simon Rettberg
Date: Tue, 13 Feb 2018 16:29:55 +0100
Subject: [permissionmanager] Slightly more efficient queries, wildcard
 support, debug mode, comments

---
 .../permissionmanager/inc/permissionutil.inc.php   | 148 ++++++++++++++++-----
 modules-available/permissionmanager/page.inc.php   |  32 ++++-
 2 files changed, 142 insertions(+), 38 deletions(-)

(limited to 'modules-available/permissionmanager/page.inc.php')

diff --git a/modules-available/permissionmanager/inc/permissionutil.inc.php b/modules-available/permissionmanager/inc/permissionutil.inc.php
index 51aaa6fb..6d83ef92 100644
--- a/modules-available/permissionmanager/inc/permissionutil.inc.php
+++ b/modules-available/permissionmanager/inc/permissionutil.inc.php
@@ -2,6 +2,44 @@
 
 class PermissionUtil
 {
+
+	/**
+	 * Generate all possible variants to match against, eg. $permissionid = a.b.c then we get:
+	 * [ *, a.*, a.b.*, a.b.c ]
+	 * In case $permissionid ends with an asterisk, also set $wildcard and $wclen, e.g.
+	 * $permissionid = a.b.* --> $wildcard = a.b. and $wclen = 4
+	 *
+	 * @param $permission string|string[] permission to mangle
+	 * @param string[] $compare all the generated variants
+	 * @param string|false $wildcard if $permission is a wildcard string this returns the matching variant
+	 * @param int|false $wclen if $permission is a wildcard string, this is the length of the matching variant
+	 */
+	private static function makeComparisonVariants($permission, &$compare, &$wildcard, &$wclen)
+	{
+		if (!is_array($permission)) {
+			$permission = explode('.', $permission);
+		}
+		$partCount = count($permission);
+		$compare = [];
+		for ($i = 0; $i < $partCount; ++$i) {
+			$compare[] = $permission[0];
+		}
+		for ($i = 1; $i < $partCount; ++$i) {
+			$compare[$i-1] .= '.*';
+			for ($j = $i; $j < $partCount; ++$j) {
+				$compare[$j] .= '.' . $permission[$i];
+			}
+		}
+		$compare[] = '*';
+
+		if ($permission[$partCount-1] === '*') {
+			$wildcard = substr($compare[$partCount-1], 0, -1);
+			$wclen = strlen($wildcard);
+		} else {
+			$wclen = $wildcard = false;
+		}
+	}
+
 	/**
 	 * Check if the user has the given permission (for the given location).
 	 *
@@ -11,25 +49,37 @@ class PermissionUtil
 	 * @return bool true if user has permission, false if not
 	 */
 	public static function userHasPermission($userid, $permissionid, $locationid) {
-		$locations = array();
-		if (!is_null($locationid)) {
+		self::validatePermission($permissionid);
+		$parts = explode('.', $permissionid);
+		// Limit query to first part of permissionid, which is always the module id
+		$prefix = $parts[0] . '.%';
+		if (is_null($locationid)) {
+			$res = Database::simpleQuery("SELECT permissionid FROM role_x_permission
+					INNER JOIN user_x_role USING (roleid)
+					WHERE user_x_role.userid = :userid AND (permissionid LIKE :prefix OR permissionid LIKE '*')",
+				compact('userid', 'prefix'));
+		} else {
 			$locations = Location::getLocationRootChain($locationid);
-			if (count($locations) == 0) return false;
-			else $locations[] = 0;
+			if (count($locations) == 0)
+				return false;
+			$res = Database::simpleQuery("SELECT permissionid FROM role_x_permission
+					INNER JOIN user_x_role USING (roleid)
+					INNER JOIN role_x_location USING (roleid)
+					WHERE user_x_role.userid = :userid AND (permissionid LIKE :prefix OR permissionid LIKE '*')
+						AND (locationid IN (:locations) OR locationid IS NULL)",
+				compact('userid', 'prefix', 'locations'));
 		}
+		// Quick bailout - no results
+		if ($res->rowCount() === 0)
+			return false;
 
-		$res = Database::simpleQuery("SELECT permissionid, locationid FROM user_x_role
-												INNER JOIN role_x_permission ON user_x_role.roleid = role_x_permission.roleid
-												LEFT JOIN (SELECT roleid, COALESCE(locationid, 0) AS locationid FROM role_x_location) t1
-													ON role_x_permission.roleid = t1.roleid
-												WHERE user_x_role.userid = :userid", array("userid" => $userid));
-
+		// Compare to database result
+		self::makeComparisonVariants($parts, $compare, $wildcard, $wclen);
 		while ($row = $res->fetch(PDO::FETCH_ASSOC)) {
-			$userPermission = rtrim($row["permissionid"], ".*").".";
-			if ((is_null($locationid) || (!is_null($row["locationid"]) && in_array($row["locationid"], $locations))) &&
-				(substr($permissionid.".", 0, strlen($userPermission)) === $userPermission || $userPermission === ".")) {
+			if (in_array($row['permissionid'], $compare, true))
+				return true;
+			if ($wildcard !== false && strncmp($row['permissionid'], $wildcard, $wclen) === 0)
 				return true;
-			}
 		}
 		return false;
 	}
@@ -42,25 +92,32 @@ class PermissionUtil
 	 * @return array array of locationids where the user has the given permission
 	 */
 	public static function getAllowedLocations($userid, $permissionid) {
+		self::validatePermission($permissionid);
+		$parts = explode('.', $permissionid);
+		// Limit query to first part of permissionid, which is always the module id
+		$prefix = $parts[0] . '.%';
+		$res = Database::simpleQuery("SELECT permissionid, locationid FROM role_x_permission
+					INNER JOIN user_x_role USING (roleid)
+					INNER JOIN role_x_location USING (roleid)
+					WHERE user_x_role.userid = :userid AND (permissionid LIKE :prefix OR permissionid LIKE '*')",
+			compact('userid', 'prefix'));
 
-		$res = Database::simpleQuery("SELECT permissionid, COALESCE(locationid, 0) AS locationid FROM user_x_role
-												INNER JOIN role_x_permission ON user_x_role.roleid = role_x_permission.roleid
-												INNER JOIN role_x_location ON role_x_permission.roleid = role_x_location.roleid
-												WHERE user_x_role.userid = :userid", array("userid" => $userid));
-
+		// Gather locationid from relevant rows
+		self::makeComparisonVariants($parts, $compare, $wildcard, $wclen);
 		$allowedLocations = array();
 		while ($row = $res->fetch(PDO::FETCH_ASSOC)) {
-			$userPermission = rtrim($row["permissionid"], ".*").".";
-			if (substr($permissionid.".", 0, strlen($userPermission)) === $userPermission || $userPermission === ".") {
-				$allowedLocations[$row["locationid"]] = 1;
+			if (in_array($row['permissionid'], $compare, true)
+					|| ($wildcard !== false && strncmp($row['permissionid'], $wildcard, $wclen) === 0)) {
+				$allowedLocations[(int)$row['locationid']] = true;
 			}
 		}
-		$allowedLocations = array_keys($allowedLocations);
 		$locations = Location::getTree();
-		if (in_array("0", $allowedLocations)) {
-			$allowedLocations = array_map("intval", Location::extractIds($locations));
-			$allowedLocations[] = 0;
+		if (isset($allowedLocations[0])) {
+			// Trivial case - have permission for all locations, so populate list with all valid locationds
+			$allowedLocations = Location::extractIds($locations);
+			$allowedLocations[] = 0; // .. plus 0 to show that we have global perms
 		} else {
+			// We have a specific list of locationds - add any sublocations to list
 			$allowedLocations = self::getSublocations($locations, $allowedLocations);
 		}
 		return $allowedLocations;
@@ -70,23 +127,52 @@ class PermissionUtil
 	 * Extend an array of locations by adding all sublocations.
 	 *
 	 * @param array $tree tree of all locations (structured like Location::getTree())
-	 * @param array $locations the array of locationids to extend
+	 * @param array $allowedLocations the array of locationids to extend
 	 * @return array extended array of locationids
 	 */
-	public static function getSublocations($tree, $locations) {
-		$result = array_flip($locations);
+	public static function getSublocations($tree, $allowedLocations) {
+		$result = $allowedLocations;
 		foreach ($tree as $location) {
 			if (array_key_exists("children", $location)) {
-				if (in_array($location["locationid"], $locations)) {
+				if (isset($allowedLocations[$location["locationid"]])) {
 					$result += array_flip(Location::extractIds($location["children"]));
 				} else {
-					$result += array_flip(self::getSublocations($location["children"], $locations));
+					$result += array_flip(self::getSublocations($location["children"], $allowedLocations));
 				}
 			}
 		}
 		return array_keys($result);
 	}
 
+	/**
+	 * If in debug mode, validate that the checked permission is actually defined
+	 * in the according permissions.json and complain if that's not the case.
+	 * This is supposed to catch misspelled permission checks.
+	 *
+	 * @param string $permissionId permission to check
+	 */
+	private static function validatePermission($permissionId)
+	{
+		if (!CONFIG_DEBUG || $permissionId === '*')
+			return;
+		$split = explode('.', $permissionId, 2);
+		if (count($split) !== 2) {
+			trigger_error('[skip:3]Cannot check malformed permission "' . $permissionId . '"', E_USER_WARNING);
+			return;
+		}
+		$data = json_decode(file_get_contents('modules/' . $split[0] . '/permissions/permissions.json'), true);
+		if (substr($split[1], -2) === '.*') {
+			$len = strlen($split[1]) - 1;
+			foreach ($data as $perm => $v) {
+				if (strncmp($split[1], $perm, $len) === 0)
+					return;
+			}
+			trigger_error('[skip:3]Permission "' . $permissionId . '" does not match anything defined for module', E_USER_WARNING);
+		} elseif (!is_array($data) || !array_key_exists($split[1], $data)) {
+			trigger_error('[skip:3]Permission "' . $permissionId . '" not defined for module', E_USER_WARNING);
+		}
+	}
+
 	/**
 	 * Get all permissions of all active modules that have permissions in their permissions/permissions.json file.
 	 *
diff --git a/modules-available/permissionmanager/page.inc.php b/modules-available/permissionmanager/page.inc.php
index 4b961632..89c72842 100644
--- a/modules-available/permissionmanager/page.inc.php
+++ b/modules-available/permissionmanager/page.inc.php
@@ -103,14 +103,32 @@ class Page_PermissionManager extends Page
 	{
 		$res = "";
 		$toplevel = $permString == "";
-		if ($toplevel && in_array("*", $selectedPermissions)) $selectAll = true;
+		if ($toplevel && in_array("*", $selectedPermissions)) {
+			$selectAll = true;
+		}
 		foreach ($permissions as $k => $v) {
-			$leaf = isset($v['isLeaf']) && $v['isLeaf'];
-			$nextPermString = $permString ? $permString.".".$k : $k;
-			$id = $leaf ? $nextPermString : $nextPermString.".*";
-			$selected = $selectAll || in_array($id, $selectedPermissions);
-			$data = array("id" =>  $id,
-				"name" => $toplevel ? Module::get($k)->getDisplayName() : $k,
+			$selected = $selectAll;
+			$nextPermString = $permString ? $permString . "." . $k : $k;
+			if ($toplevel) {
+				$displayName = Module::get($k)->getDisplayName();
+			} else {
+				$displayName = $k;
+			}
+			do {
+				$leaf = isset($v['isLeaf']) && $v['isLeaf'];
+				$id = $leaf ? $nextPermString : $nextPermString . ".*";
+				$selected = $selected || in_array($id, $selectedPermissions);
+				if ($leaf || count($v) !== 1)
+					break;
+				reset($v);
+				$k = key($v);
+				$v = $v[$k];
+				$nextPermString .= '.' . $k;
+				$displayName .= '.' . $k;
+			} while (true);
+			$data = array(
+				"id" => $id,
+				"name" => $displayName,
 				"toplevel" => $toplevel,
 				"checkboxname" => "permissions",
 				"selected" => $selected,
-- 
cgit v1.2.3-55-g7522


From e39bc13cee5db3d4905498e0fe3ac89fd3ccbfe7 Mon Sep 17 00:00:00 2001
From: Simon Rettberg
Date: Wed, 14 Feb 2018 13:54:45 +0100
Subject: [permissionmanager] Apply formatting

---
 modules-available/permissionmanager/api.inc.php    |  7 ---
 .../inc/permissiondbupdate.inc.php                 | 37 +++++++++-------
 .../permissionmanager/inc/permissionutil.inc.php   | 17 +++++---
 modules-available/permissionmanager/page.inc.php   | 51 ++++++++++++----------
 4 files changed, 60 insertions(+), 52 deletions(-)
 delete mode 100644 modules-available/permissionmanager/api.inc.php

(limited to 'modules-available/permissionmanager/page.inc.php')

diff --git a/modules-available/permissionmanager/api.inc.php b/modules-available/permissionmanager/api.inc.php
deleted file mode 100644
index 0d84ebce..00000000
--- a/modules-available/permissionmanager/api.inc.php
+++ /dev/null
@@ -1,7 +0,0 @@
-<?php
-
-echo json_encode(array(
-	'key' => 'value',
-	'number' => 123,
-	'list' => array(1,2,3,4,5,6,'foo')
-));
diff --git a/modules-available/permissionmanager/inc/permissiondbupdate.inc.php b/modules-available/permissionmanager/inc/permissiondbupdate.inc.php
index 0f37a053..f2e7a366 100644
--- a/modules-available/permissionmanager/inc/permissiondbupdate.inc.php
+++ b/modules-available/permissionmanager/inc/permissiondbupdate.inc.php
@@ -1,6 +1,7 @@
 <?php
 
-class PermissionDbUpdate {
+class PermissionDbUpdate
+{
 
 	/**
 	 * Insert all user/role combinations into the user_x_role table.
@@ -8,9 +9,10 @@ class PermissionDbUpdate {
 	 * @param array $users userids
 	 * @param array $roles roleids
 	 */
-	public static function addRoleToUser($users, $roles) {
+	public static function addRoleToUser($users, $roles)
+	{
 		$arg = array();
-		foreach($users AS $userid) {
+		foreach ($users AS $userid) {
 			foreach ($roles AS $roleid) {
 				$arg[] = compact('userid', 'roleid');
 			}
@@ -25,7 +27,8 @@ class PermissionDbUpdate {
 	 * @param array $users userids
 	 * @param array $roles roleids
 	 */
-	public static function removeRoleFromUser($users, $roles) {
+	public static function removeRoleFromUser($users, $roles)
+	{
 		$query = "DELETE FROM user_x_role WHERE userid IN (:users) AND roleid IN (:roles)";
 		Database::exec($query, array("users" => $users, "roles" => $roles));
 	}
@@ -35,7 +38,8 @@ class PermissionDbUpdate {
 	 *
 	 * @param string $roleid roleid
 	 */
-	public static function deleteRole($roleid) {
+	public static function deleteRole($roleid)
+	{
 		Database::exec("DELETE FROM role WHERE roleid = :roleid", array("roleid" => $roleid));
 	}
 
@@ -47,28 +51,31 @@ class PermissionDbUpdate {
 	 * @param array $permissions array of permissions
 	 * @param string|null $roleid roleid or null if the role does not exist yet
 	 */
-	public static function saveRole($rolename, $locations, $permissions, $roleid = NULL) {
+	public static function saveRole($rolename, $locations, $permissions, $roleid = null)
+	{
 		if ($roleid) {
 			Database::exec("UPDATE role SET rolename = :rolename WHERE roleid = :roleid",
-									array("rolename" => $rolename, "roleid" => $roleid));
+				array("rolename" => $rolename, "roleid" => $roleid));
 			Database::exec("DELETE FROM role_x_location
-					WHERE roleid = :roleid AND locationid NOT IN (:locations)", array("roleid" => $roleid, 'locations' => $locations));
+					WHERE roleid = :roleid AND locationid NOT IN (:locations)",
+				array("roleid" => $roleid, 'locations' => $locations));
 			Database::exec("DELETE FROM role_x_permission
-					WHERE roleid = :roleid AND permissionid NOT IN (:permissions)", array("roleid" => $roleid, 'permissions' => $permissions));
+					WHERE roleid = :roleid AND permissionid NOT IN (:permissions)",
+				array("roleid" => $roleid, 'permissions' => $permissions));
 		} else {
 			Database::exec("INSERT INTO role (rolename) VALUES (:rolename)", array("rolename" => $rolename));
 			$roleid = Database::lastInsertId();
 		}
-		$arg = array_map(function($loc) use ($roleid) {
+
+		$arg = array_map(function ($loc) use ($roleid) {
 			return compact('roleid', 'loc');
 		}, $locations);
-		Database::exec("INSERT IGNORE INTO role_x_location (roleid, locationid) VALUES :arg",
-				['arg' => $arg]);
-		$arg = array_map(function($perm) use ($roleid) {
+		Database::exec("INSERT IGNORE INTO role_x_location (roleid, locationid) VALUES :arg", ['arg' => $arg]);
+
+		$arg = array_map(function ($perm) use ($roleid) {
 			return compact('roleid', 'perm');
 		}, $permissions);
-		Database::exec("INSERT IGNORE INTO role_x_permission (roleid, permissionid) VALUES :arg",
-			['arg' => $arg]);
+		Database::exec("INSERT IGNORE INTO role_x_permission (roleid, permissionid) VALUES :arg", ['arg' => $arg]);
 	}
 
 }
diff --git a/modules-available/permissionmanager/inc/permissionutil.inc.php b/modules-available/permissionmanager/inc/permissionutil.inc.php
index 6d83ef92..d3948ebd 100644
--- a/modules-available/permissionmanager/inc/permissionutil.inc.php
+++ b/modules-available/permissionmanager/inc/permissionutil.inc.php
@@ -25,15 +25,15 @@ class PermissionUtil
 			$compare[] = $permission[0];
 		}
 		for ($i = 1; $i < $partCount; ++$i) {
-			$compare[$i-1] .= '.*';
+			$compare[$i - 1] .= '.*';
 			for ($j = $i; $j < $partCount; ++$j) {
 				$compare[$j] .= '.' . $permission[$i];
 			}
 		}
 		$compare[] = '*';
 
-		if ($permission[$partCount-1] === '*') {
-			$wildcard = substr($compare[$partCount-1], 0, -1);
+		if ($permission[$partCount - 1] === '*') {
+			$wildcard = substr($compare[$partCount - 1], 0, -1);
 			$wclen = strlen($wildcard);
 		} else {
 			$wclen = $wildcard = false;
@@ -48,7 +48,8 @@ class PermissionUtil
 	 * @param int|null $locationid locationid to check or null if the location should be disregarded
 	 * @return bool true if user has permission, false if not
 	 */
-	public static function userHasPermission($userid, $permissionid, $locationid) {
+	public static function userHasPermission($userid, $permissionid, $locationid)
+	{
 		self::validatePermission($permissionid);
 		$parts = explode('.', $permissionid);
 		// Limit query to first part of permissionid, which is always the module id
@@ -91,7 +92,8 @@ class PermissionUtil
 	 * @param string $permissionid permissionid to check
 	 * @return array array of locationids where the user has the given permission
 	 */
-	public static function getAllowedLocations($userid, $permissionid) {
+	public static function getAllowedLocations($userid, $permissionid)
+	{
 		self::validatePermission($permissionid);
 		$parts = explode('.', $permissionid);
 		// Limit query to first part of permissionid, which is always the module id
@@ -130,7 +132,8 @@ class PermissionUtil
 	 * @param array $allowedLocations the array of locationids to extend
 	 * @return array extended array of locationids
 	 */
-	public static function getSublocations($tree, $allowedLocations) {
+	public static function getSublocations($tree, $allowedLocations)
+	{
 		$result = $allowedLocations;
 		foreach ($tree as $location) {
 			if (array_key_exists("children", $location)) {
@@ -189,7 +192,7 @@ class PermissionUtil
 			$moduleId = $out[1];
 			if (Module::get($moduleId) === false)
 				continue;
-			foreach($data as $perm => $permissionFlags) {
+			foreach ($data as $perm => $permissionFlags) {
 				$description = Dictionary::translateFileModule($moduleId, "permissions", $perm);
 				self::putInPermissionTree($moduleId . "." . $perm, $permissionFlags['location-aware'], $description, $permissions);
 			}
diff --git a/modules-available/permissionmanager/page.inc.php b/modules-available/permissionmanager/page.inc.php
index 89c72842..1c2d56bf 100644
--- a/modules-available/permissionmanager/page.inc.php
+++ b/modules-available/permissionmanager/page.inc.php
@@ -95,8 +95,8 @@ class Page_PermissionManager extends Page
 	 *
 	 * @param array $permissions the permission tree
 	 * @param array $selectedPermissions permissions that should be preselected
-	 * @param array $selectAll true if all pemrissions should be preselected, false if only those in $selectedPermissions
-	 * @param array $permString the prefix permission string with which all permissions in the permission tree should start
+	 * @param bool $selectAll true if all permissions should be preselected, false if only those in $selectedPermissions
+	 * @param string $permString the prefix permission string with which all permissions in the permission tree should start
 	 * @return string generated html code
 	 */
 	private static function generatePermissionHTML($permissions, $selectedPermissions = array(), $selectAll = false, $permString = "")
@@ -142,10 +142,10 @@ class Page_PermissionManager extends Page
 		if ($toplevel) {
 			$res = Render::parse("treepanel",
 				array("id" => "*",
-						"name" => Dictionary::translateFile("template-tags", "lang_permissions"),
-						"checkboxname" => "permissions",
-						"selected" => $selectAll,
-						"HTML" => $res));
+					"name" => Dictionary::translateFile("template-tags", "lang_permissions"),
+					"checkboxname" => "permissions",
+					"selected" => $selectAll,
+					"HTML" => $res));
 		}
 		return $res;
 	}
@@ -162,25 +162,27 @@ class Page_PermissionManager extends Page
 	private static function generateLocationHTML($locations, $selectedLocations = array(), $selectAll = false, $toplevel = true)
 	{
 		$res = "";
-		if ($toplevel && in_array(0, $selectedLocations)) $selectAll = true;
+		if ($toplevel && in_array(0, $selectedLocations)) {
+			$selectAll = true;
+		}
 		foreach ($locations as $location) {
 			$selected = $selectAll || in_array($location["locationid"], $selectedLocations);
 			$res .= Render::parse("treenode",
-				array("id" =>  $location["locationid"],
-						"name" => $location["locationname"],
-						"toplevel" => $toplevel,
-						"checkboxname" => "locations",
-						"selected" => $selected,
-						"HTML" => array_key_exists("children", $location) ?
-							self::generateLocationHTML($location["children"], $selectedLocations, $selected, false) : ""));
+				array("id" => $location["locationid"],
+					"name" => $location["locationname"],
+					"toplevel" => $toplevel,
+					"checkboxname" => "locations",
+					"selected" => $selected,
+					"HTML" => array_key_exists("children", $location) ?
+						self::generateLocationHTML($location["children"], $selectedLocations, $selected, false) : ""));
 		}
 		if ($toplevel) {
 			$res = Render::parse("treepanel",
 				array("id" => 0,
-						"name" => Dictionary::translateFile("template-tags", "lang_locations"),
-						"checkboxname" => "locations",
-						"selected" => $selectAll,
-						"HTML" => $res));
+					"name" => Dictionary::translateFile("template-tags", "lang_locations"),
+					"checkboxname" => "locations",
+					"selected" => $selectAll,
+					"HTML" => $res));
 		}
 		return $res;
 	}
@@ -193,12 +195,14 @@ class Page_PermissionManager extends Page
 	 */
 	private static function processLocations($locations)
 	{
-		if (in_array(0, $locations)) return array(NULL);
+		if (in_array(0, $locations))
+			return array(null);
 		$result = array();
 		foreach ($locations as $location) {
 			$rootchain = array_reverse(Location::getLocationRootChain($location));
 			foreach ($rootchain as $l) {
-				if (in_array($l, $result)) break;
+				if (in_array($l, $result))
+					break;
 				if (in_array($l, $locations)) {
 					$result[] = $l;
 					break;
@@ -216,7 +220,8 @@ class Page_PermissionManager extends Page
 	 */
 	private static function processPermissions($permissions)
 	{
-		if (in_array("*", $permissions)) return array("*");
+		if (in_array("*", $permissions))
+			return array("*");
 		$result = array();
 		foreach ($permissions as $permission) {
 			$x =& $result;
@@ -239,10 +244,10 @@ class Page_PermissionManager extends Page
 		foreach ($permissions as $permission => $a) {
 			if (is_array($a)) {
 				if (array_key_exists("*", $a)) {
-					$result[] = $permission.".*";
+					$result[] = $permission . ".*";
 				} else {
 					foreach (self::extractPermissions($a) as $subPermission) {
-						$result[] = $permission.".".$subPermission;
+						$result[] = $permission . "." . $subPermission;
 					}
 				}
 			} else {
-- 
cgit v1.2.3-55-g7522


From 7afe5a3ffee64ff5c1ee7692a2ac4c83d46d6a78 Mon Sep 17 00:00:00 2001
From: Simon Rettberg
Date: Mon, 19 Feb 2018 13:36:35 +0100
Subject: [permissionmanager] Implement permissions:

Permissinmanager is now protected by permissions.
In order to prevent complete lockout, the user with
userid == 1 will always be able to edit and assign permissions.
(TODO: Communicate this somehow)
---
 inc/permission.inc.php                             |  2 +-
 .../inc/getpermissiondata.inc.php                  | 22 +++++++-
 .../permissionmanager/inc/permissionutil.inc.php   | 34 ++++++++-----
 .../permissionmanager/lang/de/permissions.json     |  7 +++
 .../permissionmanager/lang/de/template-tags.json   |  6 ++-
 .../permissionmanager/lang/en/permissions.json     |  7 +++
 .../permissionmanager/lang/en/template-tags.json   |  6 ++-
 modules-available/permissionmanager/page.inc.php   | 59 +++++++++++++++-------
 .../permissionmanager/permissions/permissions.json | 17 +++++++
 modules-available/permissionmanager/style.css      |  4 ++
 .../permissionmanager/templates/header-menu.html   |  6 +--
 .../permissionmanager/templates/roleeditor.html    |  5 +-
 .../permissionmanager/templates/rolestable.html    | 25 ++++++---
 .../permissionmanager/templates/treenode.html      |  2 +-
 .../permissionmanager/templates/treepanel.html     |  2 +-
 .../roomplanner/permissions/permissions.json       | 10 ++++
 16 files changed, 164 insertions(+), 50 deletions(-)
 create mode 100644 modules-available/permissionmanager/lang/de/permissions.json
 create mode 100644 modules-available/permissionmanager/lang/en/permissions.json
 create mode 100644 modules-available/permissionmanager/permissions/permissions.json
 create mode 100644 modules-available/roomplanner/permissions/permissions.json

(limited to 'modules-available/permissionmanager/page.inc.php')

diff --git a/inc/permission.inc.php b/inc/permission.inc.php
index e61c7423..aaef6ba6 100644
--- a/inc/permission.inc.php
+++ b/inc/permission.inc.php
@@ -33,7 +33,7 @@ class Permission
 			}
 			$temp =& $array;
 			foreach (explode('.', $perm) as $sub) {
-				if (empty($sub))
+				if (empty($sub) || $sub === '*')
 					continue;
 				$temp =& $temp[$sub];
 			}
diff --git a/modules-available/permissionmanager/inc/getpermissiondata.inc.php b/modules-available/permissionmanager/inc/getpermissiondata.inc.php
index dd100d42..496c8224 100644
--- a/modules-available/permissionmanager/inc/getpermissiondata.inc.php
+++ b/modules-available/permissionmanager/inc/getpermissiondata.inc.php
@@ -3,6 +3,9 @@
 class GetPermissionData
 {
 
+	const WITH_USER_COUNT = 1;
+	const WITH_LOCATION_COUNT = 2;
+
 	/**
 	 * Get data for all users.
 	 *
@@ -64,11 +67,26 @@ class GetPermissionData
 	/**
 	 * Get all roles.
 	 *
+	 * @param int $flags Bitmask specifying additional data to fetch (WITH_* constants of this class)
 	 * @return array array roles (each with roleid and rolename)
 	 */
-	public static function getRoles()
+	public static function getRoles($flags = 0)
 	{
-		return Database::queryAll("SELECT roleid, rolename FROM role ORDER BY rolename ASC");
+		$cols = $joins = '';
+		if ($flags & self::WITH_USER_COUNT) {
+			$cols .= ', Count(DISTINCT rxu.userid) AS users';
+			$joins .= ' LEFT JOIN user_x_role rxu ON (r.roleid = rxu.roleid)';
+		}
+		if ($flags & self::WITH_LOCATION_COUNT) {
+			$cols .= ', Count(DISTINCT rxl.locationid) AS locations';
+			$joins .= ' LEFT JOIN role_x_location rxl ON (r.roleid = rxl.roleid)';
+		}
+		if (!empty($joins)) {
+			$joins .= ' GROUP BY r.roleid';
+		}
+		return Database::queryAll("SELECT r.roleid, r.rolename $cols FROM role r
+			$joins
+			ORDER BY rolename ASC");
 	}
 
 	/**
diff --git a/modules-available/permissionmanager/inc/permissionutil.inc.php b/modules-available/permissionmanager/inc/permissionutil.inc.php
index b4d54055..bc42c5a0 100644
--- a/modules-available/permissionmanager/inc/permissionutil.inc.php
+++ b/modules-available/permissionmanager/inc/permissionutil.inc.php
@@ -53,6 +53,9 @@ class PermissionUtil
 		$permissionid = strtolower($permissionid);
 		self::validatePermission($permissionid);
 		$parts = explode('.', $permissionid);
+		// Special case: To prevent lockout, userid === 1 always has permissionmanager.*
+		if ($parts[0] === 'permissionmanager' && User::getId() === 1)
+			return true;
 		// Limit query to first part of permissionid, which is always the module id
 		$prefix = $parts[0] . '.%';
 		if (is_null($locationid)) {
@@ -103,21 +106,26 @@ class PermissionUtil
 		$permissionid = strtolower($permissionid);
 		self::validatePermission($permissionid);
 		$parts = explode('.', $permissionid);
-		// Limit query to first part of permissionid, which is always the module id
-		$prefix = $parts[0] . '.%';
-		$res = Database::simpleQuery("SELECT permissionid, locationid FROM role_x_permission
-					INNER JOIN user_x_role USING (roleid)
-					INNER JOIN role_x_location USING (roleid)
-					WHERE user_x_role.userid = :userid AND (permissionid LIKE :prefix OR permissionid LIKE '*')",
-			compact('userid', 'prefix'));
+		// Special case: To prevent lockout, userid === 1 always has permissionmanager.*
+		if ($parts[0] === 'permissionmanager' && User::getId() === 1) {
+			$allowedLocations = [true];
+		} else {
+			// Limit query to first part of permissionid, which is always the module id
+			$prefix = $parts[0] . '.%';
+			$res = Database::simpleQuery("SELECT permissionid, locationid FROM role_x_permission
+						INNER JOIN user_x_role USING (roleid)
+						INNER JOIN role_x_location USING (roleid)
+						WHERE user_x_role.userid = :userid AND (permissionid LIKE :prefix OR permissionid LIKE '*')",
+				compact('userid', 'prefix'));
 
-		// Gather locationid from relevant rows
-		self::makeComparisonVariants($parts, $compare, $wildcard, $wclen);
-		$allowedLocations = array();
-		while ($row = $res->fetch(PDO::FETCH_ASSOC)) {
-			if (in_array($row['permissionid'], $compare, true)
+			// Gather locationid from relevant rows
+			self::makeComparisonVariants($parts, $compare, $wildcard, $wclen);
+			$allowedLocations = array();
+			while ($row = $res->fetch(PDO::FETCH_ASSOC)) {
+				if (in_array($row['permissionid'], $compare, true)
 					|| ($wildcard !== false && strncmp($row['permissionid'], $wildcard, $wclen) === 0)) {
-				$allowedLocations[(int)$row['locationid']] = true;
+					$allowedLocations[(int)$row['locationid']] = true;
+				}
 			}
 		}
 		$locations = Location::getTree();
diff --git a/modules-available/permissionmanager/lang/de/permissions.json b/modules-available/permissionmanager/lang/de/permissions.json
new file mode 100644
index 00000000..444c1e8c
--- /dev/null
+++ b/modules-available/permissionmanager/lang/de/permissions.json
@@ -0,0 +1,7 @@
+{
+    "locations.view": "Orte mit zugewiesenen Rollen sehen.",
+    "roles.edit": "Rollen bearbeiten.",
+    "roles.view": "Rollen sehen.",
+    "users.edit-roles": "Benutzern Rollen zuweisen oder entziehen.",
+    "users.view": "Benutzer mit zugewiesenen Rolen sehen."
+}
\ No newline at end of file
diff --git a/modules-available/permissionmanager/lang/de/template-tags.json b/modules-available/permissionmanager/lang/de/template-tags.json
index 2ec25b37..52073dee 100644
--- a/modules-available/permissionmanager/lang/de/template-tags.json
+++ b/modules-available/permissionmanager/lang/de/template-tags.json
@@ -1,18 +1,20 @@
 {
     "lang_addRole": "Rollen erteilen",
     "lang_addRoleHeading": "Neue Rolle hinzuf\u00fcgen",
-    "lang_deleteCheck": "Sind Sie sich sicher, dass Sie diese Rolle l\u00f6schen wollen?",
     "lang_editRoleHeading": "Rolle bearbeiten",
     "lang_locationAwareDesc": "Berechtigungen mit diesem Symbol k\u00f6nnen auf bestimmte R\u00e4ume\/Orte beschr\u00e4nkt werden. Alle anderen Berechtigungen sind unabh\u00e4ngig von den f\u00fcr diese Rolle ausgew\u00e4hlten Orten.",
     "lang_locations": "R\u00e4ume",
     "lang_moduleName": "Rechtemanager",
     "lang_name": "Name",
     "lang_newRole": "Rolle anlegen",
+    "lang_numAssignedUsers": "Benutzer mit dieser Rolle",
     "lang_permissions": "Rechte",
     "lang_removeRole": "Rollen entziehen",
+    "lang_roleDeleteConfirm": "Sind Sie sich sicher, dass Sie diese Rolle l\u00f6schen m\u00f6chten? Benutzer, denen diese Rolle zugewiesen ist, werden die entsprechenden Berechtigungen verlieren.",
     "lang_roles": "Rollen",
     "lang_searchPlaceholder": "Nach Rollen suchen...",
     "lang_selected": "ausgew\u00e4hlte",
     "lang_selectizePlaceholder": "Nach Rollen filtern...",
-    "lang_users": "Nutzer"
+    "lang_users": "Nutzer",
+    "lang_view": "Anzeigen"
 }
\ No newline at end of file
diff --git a/modules-available/permissionmanager/lang/en/permissions.json b/modules-available/permissionmanager/lang/en/permissions.json
new file mode 100644
index 00000000..9f7263db
--- /dev/null
+++ b/modules-available/permissionmanager/lang/en/permissions.json
@@ -0,0 +1,7 @@
+{
+    "locations.view": "See locations with assigned roles.",
+    "roles.edit": "Edit roles.",
+    "roles.view": "Show roles.",
+    "users.edit-roles": "Assign or remove roles from users.",
+    "users.view": "See users with assigned roles."
+}
\ No newline at end of file
diff --git a/modules-available/permissionmanager/lang/en/template-tags.json b/modules-available/permissionmanager/lang/en/template-tags.json
index cef23422..b7a1d77a 100644
--- a/modules-available/permissionmanager/lang/en/template-tags.json
+++ b/modules-available/permissionmanager/lang/en/template-tags.json
@@ -1,18 +1,20 @@
 {
     "lang_addRole": "Grant Roles",
     "lang_addRoleHeading": "Add new role",
-    "lang_deleteCheck": "Are you sure you want to delete this role?",
     "lang_editRoleHeading": "Edit role",
     "lang_locationAwareDesc": "Permissions with this symbol can be restricted to certain locations. All other permissions are independent of the locations selected for this role.",
     "lang_locations": "Locations",
     "lang_moduleName": "Permission Manager",
     "lang_name": "Name",
     "lang_newRole": "New Role",
+    "lang_numAssignedUsers": "Users with this role",
     "lang_permissions": "Permissions",
     "lang_removeRole": "Revoke Roles",
+    "lang_roleDeleteConfirm": "Are you sure you want to delete this role? Users currently assigned to this role will lose the according permissions.",
     "lang_roles": "Roles",
     "lang_searchPlaceholder": "Search for roles...",
     "lang_selected": "selected",
     "lang_selectizePlaceholder": "Filter for roles...",
-    "lang_users": "Users"
+    "lang_users": "Users",
+    "lang_view": "View"
 }
\ No newline at end of file
diff --git a/modules-available/permissionmanager/page.inc.php b/modules-available/permissionmanager/page.inc.php
index 1c2d56bf..a78f935f 100644
--- a/modules-available/permissionmanager/page.inc.php
+++ b/modules-available/permissionmanager/page.inc.php
@@ -17,17 +17,21 @@ class Page_PermissionManager extends Page
 
 		$action = Request::any('action', 'show', 'string');
 		if ($action === 'addRoleToUser') {
+			User::assertPermission('users.edit-roles');
 			$users = Request::post('users', '');
 			$roles = Request::post('roles', '');
 			PermissionDbUpdate::addRoleToUser($users, $roles);
 		} elseif ($action === 'removeRoleFromUser') {
+			User::assertPermission('users.edit-roles');
 			$users = Request::post('users', '');
 			$roles = Request::post('roles', '');
 			PermissionDbUpdate::removeRoleFromUser($users, $roles);
 		} elseif ($action === 'deleteRole') {
+			User::assertPermission('roles.edit');
 			$id = Request::post('deleteId', false, 'string');
 			PermissionDbUpdate::deleteRole($id);
 		} elseif ($action === 'saveRole') {
+			User::assertPermission('roles.edit');
 			$roleID = Request::post("roleid", false);
 			$rolename = Request::post("rolename");
 			$locations = self::processLocations(Request::post("locations"));
@@ -44,33 +48,51 @@ class Page_PermissionManager extends Page
 	 */
 	protected function doRender()
 	{
-		$show = Request::get("show", "roles");
+		$show = Request::get("show", false, 'string');
+
+		if ($show === false) {
+			foreach (['roles', 'users', 'locations'] as $show) {
+				if (User::hasPermission($show . '.*'))
+					break;
+			}
+		}
 
 		// switch between tables, but always show menu to switch tables
 		// get menu button colors
-		$buttonColors = array();
+		$data = array();
 		if ($show === "roleEditor") {
-			$buttonColors['groupClass'] = 'slx-fade';
-			$buttonColors['rolesButtonClass'] = 'active';
+			$data['groupClass'] = 'btn-group-muted';
+			$data['rolesButtonClass'] = 'active';
 		} else {
-			$buttonColors[$show . 'ButtonClass'] = 'active';
+			$data[$show . 'ButtonClass'] = 'active';
 		}
+		Permission::addGlobalTags($data['perms'], null, ['roles.*', 'users.*', 'locations.*']);
 
-		Render::addtemplate('header-menu', $buttonColors);
+		Render::addtemplate('header-menu', $data);
 
 		if ($show === "roles") {
-			$data = array("roles" => GetPermissionData::getRoles());
+			User::assertPermission('roles.*');
+			$data = array("roles" => GetPermissionData::getRoles(GetPermissionData::WITH_USER_COUNT));
+			Permission::addGlobalTags($data['perms'], null, ['roles.edit']);
 			Render::addTemplate('rolestable', $data);
 		} elseif ($show === "users") {
-			$data = array("user" => GetPermissionData::getUserData(), "allroles" => GetPermissionData::getRoles());
+			User::assertPermission('users.*');
+			$data = array("user" => GetPermissionData::getUserData());
+			if (User::hasPermission('users.edit-roles')) {
+				$data['allroles'] = GetPermissionData::getRoles();
+			}
+			Permission::addGlobalTags($data['perms'], null, ['users.edit-roles']);
 			Render::addTemplate('role-filter-selectize', $data);
 			Render::addTemplate('userstable', $data);
 		} elseif ($show === "locations") {
+			User::assertPermission('locations.*');
 			$data = array("location" => GetPermissionData::getLocationData(), "allroles" => GetPermissionData::getRoles());
 			Render::addTemplate('role-filter-selectize', $data);
 			Render::addTemplate('locationstable', $data);
 		} elseif ($show === "roleEditor") {
+			User::assertPermission('roles.*');
 			$data = array("cancelShow" => Request::get("cancel", "roles"));
+			Permission::addGlobalTags($data['perms'], null, ['roles.edit']);
 
 			$selectedPermissions = array();
 			$selectedLocations = array();
@@ -83,8 +105,10 @@ class Page_PermissionManager extends Page
 				$selectedLocations = $roleData["locations"];
 			}
 
-			$data["permissionHTML"] = self::generatePermissionHTML(PermissionUtil::getPermissions(), $selectedPermissions);
-			$data["locationHTML"] = self::generateLocationHTML(Location::getTree(), $selectedLocations);
+			$data["permissionHTML"] = self::generatePermissionHTML(PermissionUtil::getPermissions(), $selectedPermissions,
+				false, '', ['perms' => $data['perms']]);
+			$data["locationHTML"] = self::generateLocationHTML(Location::getTree(), $selectedLocations,
+				false, '', ['perms' => $data['perms']]);
 
 			Render::addTemplate('roleeditor', $data);
 		}
@@ -99,7 +123,7 @@ class Page_PermissionManager extends Page
 	 * @param string $permString the prefix permission string with which all permissions in the permission tree should start
 	 * @return string generated html code
 	 */
-	private static function generatePermissionHTML($permissions, $selectedPermissions = array(), $selectAll = false, $permString = "")
+	private static function generatePermissionHTML($permissions, $selectedPermissions = array(), $selectAll = false, $permString = "", $tags = [])
 	{
 		$res = "";
 		$toplevel = $permString == "";
@@ -132,12 +156,12 @@ class Page_PermissionManager extends Page
 				"toplevel" => $toplevel,
 				"checkboxname" => "permissions",
 				"selected" => $selected,
-				"HTML" => $leaf ? "" : self::generatePermissionHTML($v, $selectedPermissions, $selected, $nextPermString),
+				"HTML" => $leaf ? "" : self::generatePermissionHTML($v, $selectedPermissions, $selected, $nextPermString, $tags),
 			);
 			if ($leaf) {
 				$data += $v;
 			}
-			$res .= Render::parse("treenode", $data);
+			$res .= Render::parse("treenode", $data + $tags);
 		}
 		if ($toplevel) {
 			$res = Render::parse("treepanel",
@@ -145,7 +169,7 @@ class Page_PermissionManager extends Page
 					"name" => Dictionary::translateFile("template-tags", "lang_permissions"),
 					"checkboxname" => "permissions",
 					"selected" => $selectAll,
-					"HTML" => $res));
+					"HTML" => $res) + $tags);
 		}
 		return $res;
 	}
@@ -159,7 +183,7 @@ class Page_PermissionManager extends Page
 	 * @param array $toplevel true if the location tree are the children of the root location, false if not
 	 * @return string generated html code
 	 */
-	private static function generateLocationHTML($locations, $selectedLocations = array(), $selectAll = false, $toplevel = true)
+	private static function generateLocationHTML($locations, $selectedLocations = array(), $selectAll = false, $toplevel = true, $tags = [])
 	{
 		$res = "";
 		if ($toplevel && in_array(0, $selectedLocations)) {
@@ -174,7 +198,8 @@ class Page_PermissionManager extends Page
 					"checkboxname" => "locations",
 					"selected" => $selected,
 					"HTML" => array_key_exists("children", $location) ?
-						self::generateLocationHTML($location["children"], $selectedLocations, $selected, false) : ""));
+						self::generateLocationHTML($location["children"], $selectedLocations, $selected, false, $tags) : "")
+				+ $tags);
 		}
 		if ($toplevel) {
 			$res = Render::parse("treepanel",
@@ -182,7 +207,7 @@ class Page_PermissionManager extends Page
 					"name" => Dictionary::translateFile("template-tags", "lang_locations"),
 					"checkboxname" => "locations",
 					"selected" => $selectAll,
-					"HTML" => $res));
+					"HTML" => $res) + $tags);
 		}
 		return $res;
 	}
diff --git a/modules-available/permissionmanager/permissions/permissions.json b/modules-available/permissionmanager/permissions/permissions.json
new file mode 100644
index 00000000..3981a2c3
--- /dev/null
+++ b/modules-available/permissionmanager/permissions/permissions.json
@@ -0,0 +1,17 @@
+{
+	"roles.view": {
+		"location-aware": false
+	},
+	"roles.edit": {
+		"location-aware": false
+	},
+	"users.view": {
+		"location-aware": false
+	},
+	"users.edit-roles": {
+		"location-aware": false
+	},
+	"locations.view": {
+		"location-aware": false
+	}
+}
\ No newline at end of file
diff --git a/modules-available/permissionmanager/style.css b/modules-available/permissionmanager/style.css
index 8285fdd2..6169b26f 100644
--- a/modules-available/permissionmanager/style.css
+++ b/modules-available/permissionmanager/style.css
@@ -55,3 +55,7 @@ td > .label {
         column-count: 3;
     }
 }
+
+.btn-group-muted > button {
+    color: #aaa;
+}
\ No newline at end of file
diff --git a/modules-available/permissionmanager/templates/header-menu.html b/modules-available/permissionmanager/templates/header-menu.html
index ce31d237..91bfa3af 100644
--- a/modules-available/permissionmanager/templates/header-menu.html
+++ b/modules-available/permissionmanager/templates/header-menu.html
@@ -4,17 +4,17 @@
 			<input type="hidden" name="do" value="permissionmanager">
 
 			<div class="btn-group {{groupClass}}">
-				<button class="btn btn-default {{rolesButtonClass}}" type="submit" name="show" value="roles">
+				<button class="btn btn-default {{rolesButtonClass}}" type="submit" name="show" value="roles" {{perms.roles.disabled}}>
 					<span class="glyphicon glyphicon-education"></span>
 					{{lang_roles}}
 				</button>
 
-				<button class="btn btn-default {{usersButtonClass}}" type="submit" name="show" value="users">
+				<button class="btn btn-default {{usersButtonClass}}" type="submit" name="show" value="users" {{perms.users.disabled}}>
 					<span class="glyphicon glyphicon-user"></span>
 					{{lang_users}}
 				</button>
 
-				<button class="btn btn-default {{locationsButtonClass}}" type="submit" name="show" value="locations">
+				<button class="btn btn-default {{locationsButtonClass}}" type="submit" name="show" value="locations" {{perms.locations.disabled}}>
 					<span class="glyphicon glyphicon-home"></span>
 					{{lang_locations}}
 				</button>
diff --git a/modules-available/permissionmanager/templates/roleeditor.html b/modules-available/permissionmanager/templates/roleeditor.html
index d50f2145..8524427b 100644
--- a/modules-available/permissionmanager/templates/roleeditor.html
+++ b/modules-available/permissionmanager/templates/roleeditor.html
@@ -22,7 +22,10 @@
 
 	<div class="pull-right">
 		<a href="?do=permissionmanager&amp;show={{cancelShow}}" class="btn btn-default">{{lang_cancel}}</a>
-		<button type="submit" class="btn btn-primary"><span class="glyphicon glyphicon-floppy-disk"></span> {{lang_save}}</button>
+		<button type="submit" class="btn btn-primary" {{perms.roles.edit.disabled}}>
+			<span class="glyphicon glyphicon-floppy-disk"></span>
+			{{lang_save}}
+		</button>
 	</div>
 	<ul class="nav nav-tabs text-center" role="tablist">
 		<li role="presentation" class="active"><a href="#permissions" role="tab" data-toggle="tab">{{lang_permissions}}</a></li>
diff --git a/modules-available/permissionmanager/templates/rolestable.html b/modules-available/permissionmanager/templates/rolestable.html
index 944ab3ae..9ba8d85c 100644
--- a/modules-available/permissionmanager/templates/rolestable.html
+++ b/modules-available/permissionmanager/templates/rolestable.html
@@ -11,7 +11,14 @@
 				<thead>
 					<tr>
 						<th data-sort="string">{{lang_roles}}</th>
-						<th class="text-center slx-smallcol">{{lang_edit}}</th>
+						<th class="text-center slx-smallcol">
+							{{#perms.roles.edit.disabled}}
+							{{lang_view}}
+							{{/perms.roles.edit.disabled}}
+							{{^perms.roles.edit.disabled}}
+							{{lang_edit}}
+							{{/perms.roles.edit.disabled}}
+						</th>
 						<th class="text-center slx-smallcol">{{lang_delete}}</th>
 					</tr>
 				</thead>
@@ -24,7 +31,9 @@
 							<a class="btn btn-xs btn-primary" href="?do=permissionmanager&show=roleEditor&roleid={{roleid}}"><span class="glyphicon glyphicon-edit"></span></a>
 						</td>
 						<td class="text-center">
-							<a class="btn btn-xs btn-danger" href="#deleteModal" data-toggle="modal" data-target="#deleteModal" onclick="deleteRole('{{roleid}}')"><span class="glyphicon glyphicon-trash"></span></a>
+							<button type="button" class="btn btn-xs btn-danger" data-toggle="modal" data-target="#deleteModal" onclick="deleteRole('{{roleid}}', '{{users}}')" {{perms.roles.edit.disabled}}>
+								<span class="glyphicon glyphicon-trash"></span>
+							</button>
 						</td>
 					</tr>
 				{{/roles}}
@@ -42,10 +51,11 @@
 					<h4 class="modal-title" id="myModalLabel">{{lang_delete}}</h4>
 				</div>
 				<div class="modal-body">
-					{{lang_deleteCheck}}
+					<p>{{lang_roleDeleteConfirm}}</p>
+					{{lang_numAssignedUsers}}: <span id="delete-role-users"></span>
 				</div>
 				<div class="modal-footer">
-					<input type="hidden" id="deleteId" name="deleteId" value=""/>
+					<input type="hidden" id="delete-role-id" name="deleteId" value="">
 					<button type="button" class="btn btn-default" data-dismiss="modal">{{lang_cancel}}</button>
 					<button type="submit" name="action" value="deleteRole" class="btn btn-danger"><span class="glyphicon glyphicon-trash"></span> {{lang_delete}}</button>
 				</div>
@@ -56,12 +66,13 @@
 </form>
 
 <div class="text-right">
-	<a href="?do=permissionmanager&show=roleEditor" class="btn btn-success"><span class="glyphicon glyphicon-plus"></span> {{lang_newRole}}</a>
+	<a href="?do=permissionmanager&show=roleEditor" class="btn btn-success {{perms.roles.edit.disabled}}"><span class="glyphicon glyphicon-plus"></span> {{lang_newRole}}</a>
 </div>
 
 <script>
-	function deleteRole($roleid) {
-		$(".modal-footer #deleteId").val($roleid);
+	function deleteRole(roleid, users) {
+		$("#delete-role-id").val(roleid);
+		$("#delete-role-users").text(users);
 	}
 
 	function searchFieldFunction() {
diff --git a/modules-available/permissionmanager/templates/treenode.html b/modules-available/permissionmanager/templates/treenode.html
index a4a3d7b5..f8ee3df5 100644
--- a/modules-available/permissionmanager/templates/treenode.html
+++ b/modules-available/permissionmanager/templates/treenode.html
@@ -1,7 +1,7 @@
 {{#toplevel}}<ul>{{/toplevel}}
 <li {{#description}}title="{{description}}" data-toggle="tooltip" data-placement="left"{{/description}}>
 	<div class='checkbox'>
-		<input id="{{id}}" name="{{checkboxname}}[]" value="{{id}}" type="checkbox" {{#selected}}checked{{/selected}}>
+		<input id="{{id}}" name="{{checkboxname}}[]" value="{{id}}" type="checkbox" {{#selected}}checked{{/selected}} {{edit_disabled}} {{perms.roles.edit.disabled}}>
 		<label for="{{id}}">
 			{{name}}
 			{{#location-aware}}<span class="glyphicon glyphicon-home text-muted"></span>{{/location-aware}}
diff --git a/modules-available/permissionmanager/templates/treepanel.html b/modules-available/permissionmanager/templates/treepanel.html
index cda848a0..eccecb58 100644
--- a/modules-available/permissionmanager/templates/treepanel.html
+++ b/modules-available/permissionmanager/templates/treepanel.html
@@ -1,7 +1,7 @@
 <div class="panel panel-primary tree-panel">
 	<div class="panel-heading">
 		<div class="checkbox">
-			<input id="{{id}}" name="{{checkboxname}}[]" value="{{id}}" type="checkbox" class="master-checkbox" {{#selected}}checked{{/selected}}>
+			<input id="{{id}}" name="{{checkboxname}}[]" value="{{id}}" type="checkbox" class="master-checkbox" {{#selected}}checked{{/selected}} {{perms.roles.edit.disabled}}>
 			<label for="{{id}}">{{name}}</label>
 		</div>
 	</div>
diff --git a/modules-available/roomplanner/permissions/permissions.json b/modules-available/roomplanner/permissions/permissions.json
new file mode 100644
index 00000000..f7bc3479
--- /dev/null
+++ b/modules-available/roomplanner/permissions/permissions.json
@@ -0,0 +1,10 @@
+{
+	"compilerOptions": {
+		"module": "commonjs",
+		"target": "es5",
+		"sourceMap": true
+	},
+	"exclude": [
+		"node_modules"
+	]
+}
\ No newline at end of file
-- 
cgit v1.2.3-55-g7522


From 2fbede5024e11f50036a14471bc72c805cc6539b Mon Sep 17 00:00:00 2001
From: Simon Rettberg
Date: Tue, 20 Feb 2018 15:19:52 +0100
Subject: [permissionmanager] Fix location table display

---
 modules-available/permissionmanager/page.inc.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'modules-available/permissionmanager/page.inc.php')

diff --git a/modules-available/permissionmanager/page.inc.php b/modules-available/permissionmanager/page.inc.php
index a78f935f..d326bb94 100644
--- a/modules-available/permissionmanager/page.inc.php
+++ b/modules-available/permissionmanager/page.inc.php
@@ -108,7 +108,7 @@ class Page_PermissionManager extends Page
 			$data["permissionHTML"] = self::generatePermissionHTML(PermissionUtil::getPermissions(), $selectedPermissions,
 				false, '', ['perms' => $data['perms']]);
 			$data["locationHTML"] = self::generateLocationHTML(Location::getTree(), $selectedLocations,
-				false, '', ['perms' => $data['perms']]);
+				false, true, ['perms' => $data['perms']]);
 
 			Render::addTemplate('roleeditor', $data);
 		}
-- 
cgit v1.2.3-55-g7522


From 18f378c9bd232822577258fe68afe78df3f7e7f4 Mon Sep 17 00:00:00 2001
From: Simon Rettberg
Date: Thu, 29 Mar 2018 18:41:37 +0200
Subject: [permissionmanager] Introduce dedicated "permission denied" page

Closes #3350
---
 inc/user.inc.php                                    | 17 +++++++++++++----
 .../permissionmanager/lang/de/template-tags.json    |  5 ++++-
 .../permissionmanager/lang/en/template-tags.json    |  5 ++++-
 modules-available/permissionmanager/page.inc.php    |  9 +++++++++
 modules-available/permissionmanager/style.css       |  7 ++++++-
 .../templates/page-permission-denied.html           | 21 +++++++++++++++++++++
 6 files changed, 57 insertions(+), 7 deletions(-)
 create mode 100644 modules-available/permissionmanager/templates/page-permission-denied.html

(limited to 'modules-available/permissionmanager/page.inc.php')

diff --git a/inc/user.inc.php b/inc/user.inc.php
index 27a907c3..f12cc39f 100644
--- a/inc/user.inc.php
+++ b/inc/user.inc.php
@@ -55,15 +55,24 @@ class User
 	{
 		if (User::hasPermission($permission, $locationid))
 			return;
-		Message::addError('main.no-permission');
 		if (AJAX) {
 			Message::renderList();
 			exit;
 		}
-		if (is_null($redirect)) {
-			Util::redirect('?do=main');
-		} else {
+		if (!is_null($redirect)) {
+			Message::addError('main.no-permission');
 			Util::redirect($redirect);
+		} elseif (Module::isAvailable('permissionmanager')) {
+			if ($permission{0} !== '.') {
+				$module = Page::getModule();
+				if ($module !== false) {
+					$permission = '.' . $module->getIdentifier() . '.' . $permission;
+				}
+			}
+			Util::redirect('?do=permissionmanager&show=denied&permission=' . urlencode($permission));
+		} else {
+			Message::addError('main.no-permission');
+			Util::redirect('?do=main');
 		}
 	}
 
diff --git a/modules-available/permissionmanager/lang/de/template-tags.json b/modules-available/permissionmanager/lang/de/template-tags.json
index 52073dee..a4fc990b 100644
--- a/modules-available/permissionmanager/lang/de/template-tags.json
+++ b/modules-available/permissionmanager/lang/de/template-tags.json
@@ -8,6 +8,9 @@
     "lang_name": "Name",
     "lang_newRole": "Rolle anlegen",
     "lang_numAssignedUsers": "Benutzer mit dieser Rolle",
+    "lang_permissionDeniedBody": "Ihnen fehlt eine oder mehrere Berechtigungen, um auf diese Seite oder Funktion zuzugreifen.",
+    "lang_permissionDeniedHeader": "Zugriff verweigert",
+    "lang_permission": "Berechtigung",
     "lang_permissions": "Rechte",
     "lang_removeRole": "Rollen entziehen",
     "lang_roleDeleteConfirm": "Sind Sie sich sicher, dass Sie diese Rolle l\u00f6schen m\u00f6chten? Benutzer, denen diese Rolle zugewiesen ist, werden die entsprechenden Berechtigungen verlieren.",
@@ -17,4 +20,4 @@
     "lang_selectizePlaceholder": "Nach Rollen filtern...",
     "lang_users": "Nutzer",
     "lang_view": "Anzeigen"
-}
\ No newline at end of file
+}
diff --git a/modules-available/permissionmanager/lang/en/template-tags.json b/modules-available/permissionmanager/lang/en/template-tags.json
index b7a1d77a..92c3ac26 100644
--- a/modules-available/permissionmanager/lang/en/template-tags.json
+++ b/modules-available/permissionmanager/lang/en/template-tags.json
@@ -8,6 +8,9 @@
     "lang_name": "Name",
     "lang_newRole": "New Role",
     "lang_numAssignedUsers": "Users with this role",
+    "lang_permissionDeniedBody": "You are missing one or more permissions to access this page or functionality.",
+    "lang_permissionDeniedHeader": "Access denied",
+    "lang_permission": "Permission",
     "lang_permissions": "Permissions",
     "lang_removeRole": "Revoke Roles",
     "lang_roleDeleteConfirm": "Are you sure you want to delete this role? Users currently assigned to this role will lose the according permissions.",
@@ -17,4 +20,4 @@
     "lang_selectizePlaceholder": "Filter for roles...",
     "lang_users": "Users",
     "lang_view": "View"
-}
\ No newline at end of file
+}
diff --git a/modules-available/permissionmanager/page.inc.php b/modules-available/permissionmanager/page.inc.php
index d326bb94..828891ab 100644
--- a/modules-available/permissionmanager/page.inc.php
+++ b/modules-available/permissionmanager/page.inc.php
@@ -50,6 +50,15 @@ class Page_PermissionManager extends Page
 	{
 		$show = Request::get("show", false, 'string');
 
+		// "Public" page -- nice "permission denied" message
+		if ($show === 'denied') {
+			Render::addTemplate('page-permission-denied', [
+				'name' => User::getName(),
+				'permission' => Request::get('permission', false, 'string'),
+			]);
+			return;
+		}
+
 		if ($show === false) {
 			foreach (['roles', 'users', 'locations'] as $show) {
 				if (User::hasPermission($show . '.*'))
diff --git a/modules-available/permissionmanager/style.css b/modules-available/permissionmanager/style.css
index 6169b26f..dca38eeb 100644
--- a/modules-available/permissionmanager/style.css
+++ b/modules-available/permissionmanager/style.css
@@ -58,4 +58,9 @@ td > .label {
 
 .btn-group-muted > button {
     color: #aaa;
-}
\ No newline at end of file
+}
+
+h1 span.glyphicon {
+    top: 9px;
+}
+
diff --git a/modules-available/permissionmanager/templates/page-permission-denied.html b/modules-available/permissionmanager/templates/page-permission-denied.html
new file mode 100644
index 00000000..cc357a0b
--- /dev/null
+++ b/modules-available/permissionmanager/templates/page-permission-denied.html
@@ -0,0 +1,21 @@
+<br><br>
+<div class="jumbotron">
+	<h1>
+		<span class="text-danger">
+			<span class="glyphicon glyphicon-ban-circle"></span>
+			{{lang_permissionDeniedHeader}}
+		</span>
+	</h1>
+	<br><br>
+	<p>
+		{{lang_permissionDeniedBody}}
+	</p>
+	{{#permission}}
+	<div>
+		{{lang_permission}}: <b>{{permission}}</b>
+	</div>
+	{{/permission}}
+	<div>
+		{{lang_user}}: <b>{{name}}</b>
+	</div>
+</div>
-- 
cgit v1.2.3-55-g7522


From 0a0c8374827a3b26e806237888eb79c22dcbaf5d Mon Sep 17 00:00:00 2001
From: Simon Rettberg
Date: Fri, 13 Apr 2018 11:33:40 +0200
Subject: [permissionmanager] Preselect all locations when adding new role

---
 modules-available/permissionmanager/page.inc.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'modules-available/permissionmanager/page.inc.php')

diff --git a/modules-available/permissionmanager/page.inc.php b/modules-available/permissionmanager/page.inc.php
index 828891ab..11b5b028 100644
--- a/modules-available/permissionmanager/page.inc.php
+++ b/modules-available/permissionmanager/page.inc.php
@@ -117,7 +117,7 @@ class Page_PermissionManager extends Page
 			$data["permissionHTML"] = self::generatePermissionHTML(PermissionUtil::getPermissions(), $selectedPermissions,
 				false, '', ['perms' => $data['perms']]);
 			$data["locationHTML"] = self::generateLocationHTML(Location::getTree(), $selectedLocations,
-				false, true, ['perms' => $data['perms']]);
+				$roleid === false, true, ['perms' => $data['perms']]);
 
 			Render::addTemplate('roleeditor', $data);
 		}
-- 
cgit v1.2.3-55-g7522


From 5014f09a5aa30b1c3aa1e35e67a183086a212052 Mon Sep 17 00:00:00 2001
From: Simon Rettberg
Date: Fri, 13 Apr 2018 12:30:43 +0200
Subject: [permissionmanager] Add role description field; install some default
 rules

Closes #3356
---
 .../inc/getpermissiondata.inc.php                  |   4 +-
 .../inc/permissiondbupdate.inc.php                 |  31 ++++---
 .../permissionmanager/install.inc.php              | 103 +++++++++++++++++++++
 .../permissionmanager/lang/de/template-tags.json   |   5 +-
 .../permissionmanager/lang/en/template-tags.json   |   5 +-
 modules-available/permissionmanager/page.inc.php   |  29 +++---
 .../permissionmanager/templates/roleeditor.html    |   8 +-
 .../permissionmanager/templates/rolestable.html    |   6 +-
 8 files changed, 156 insertions(+), 35 deletions(-)

(limited to 'modules-available/permissionmanager/page.inc.php')

diff --git a/modules-available/permissionmanager/inc/getpermissiondata.inc.php b/modules-available/permissionmanager/inc/getpermissiondata.inc.php
index fc18de99..660c94ae 100644
--- a/modules-available/permissionmanager/inc/getpermissiondata.inc.php
+++ b/modules-available/permissionmanager/inc/getpermissiondata.inc.php
@@ -84,7 +84,7 @@ class GetPermissionData
 		if (!empty($joins)) {
 			$joins .= ' GROUP BY r.roleid';
 		}
-		return Database::queryAll("SELECT r.roleid, r.rolename $cols FROM role r
+		return Database::queryAll("SELECT r.roleid, r.rolename, r.roledescription $cols FROM role r
 			$joins
 			ORDER BY rolename ASC");
 	}
@@ -97,7 +97,7 @@ class GetPermissionData
 	 */
 	public static function getRoleData($roleid)
 	{
-		$query = "SELECT roleid, rolename FROM role WHERE roleid = :roleid";
+		$query = "SELECT roleid, rolename, roledescription FROM role WHERE roleid = :roleid";
 		$data = Database::queryFirst($query, array("roleid" => $roleid));
 		$query = "SELECT roleid, locationid FROM role_x_location WHERE roleid = :roleid";
 		$res = Database::simpleQuery($query, array("roleid" => $roleid));
diff --git a/modules-available/permissionmanager/inc/permissiondbupdate.inc.php b/modules-available/permissionmanager/inc/permissiondbupdate.inc.php
index 1d6367af..0cd89b3a 100644
--- a/modules-available/permissionmanager/inc/permissiondbupdate.inc.php
+++ b/modules-available/permissionmanager/inc/permissiondbupdate.inc.php
@@ -54,7 +54,7 @@ class PermissionDbUpdate
 	/**
 	 * Delete role from the role table.
 	 *
-	 * @param string $roleid roleid
+	 * @param int $roleid roleid
 	 */
 	public static function deleteRole($roleid)
 	{
@@ -64,41 +64,42 @@ class PermissionDbUpdate
 	/**
 	 * Save changes to a role or create a new one.
 	 *
-	 * @param string $rolename rolename
+	 * @param string $roleName rolename
 	 * @param int[] $locations array of locations
 	 * @param string[] $permissions array of permissions
-	 * @param string|null $roleid roleid or null if the role does not exist yet
+	 * @param int|null $roleId roleid or null if the role does not exist yet
 	 */
-	public static function saveRole($rolename, $locations, $permissions, $roleid = null)
+	public static function saveRole($roleName, $roleDescription, $locations, $permissions, $roleId = null)
 	{
 		foreach ($permissions as &$permission) {
 			$permission = strtolower($permission);
 		}
 		unset($permission);
-		if ($roleid) {
-			Database::exec("UPDATE role SET rolename = :rolename WHERE roleid = :roleid",
-				array("rolename" => $rolename, "roleid" => $roleid));
+		if ($roleId) {
+			Database::exec("UPDATE role SET rolename = :rolename, roledescription = :roledescription WHERE roleid = :roleid",
+				array("rolename" => $roleName, "roledescription" => $roleDescription, "roleid" => $roleId));
 			Database::exec("DELETE FROM role_x_location
 					WHERE roleid = :roleid AND (locationid NOT IN (:locations) OR locationid IS NULL)",
-				array("roleid" => $roleid, 'locations' => $locations));
+				array("roleid" => $roleId, 'locations' => $locations));
 			Database::exec("DELETE FROM role_x_permission
 					WHERE roleid = :roleid AND permissionid NOT IN (:permissions)",
-				array("roleid" => $roleid, 'permissions' => $permissions));
+				array("roleid" => $roleId, 'permissions' => $permissions));
 		} else {
-			Database::exec("INSERT INTO role (rolename) VALUES (:rolename)", array("rolename" => $rolename));
-			$roleid = Database::lastInsertId();
+			Database::exec("INSERT INTO role (rolename, roledescription) VALUES (:rolename, :roledescription)",
+				array("rolename" => $roleName, "roledescription" => $roleDescription));
+			$roleId = Database::lastInsertId();
 		}
 
 		if (!empty($locations)) {
-			$arg = array_map(function ($loc) use ($roleid) {
-				return compact('roleid', 'loc');
+			$arg = array_map(function ($loc) use ($roleId) {
+				return compact('roleId', 'loc');
 			}, $locations);
 			Database::exec("INSERT IGNORE INTO role_x_location (roleid, locationid) VALUES :arg", ['arg' => $arg]);
 		}
 
 		if (!empty($permissions)) {
-			$arg = array_map(function ($perm) use ($roleid) {
-				return compact('roleid', 'perm');
+			$arg = array_map(function ($perm) use ($roleId) {
+				return compact('roleId', 'perm');
 			}, $permissions);
 			Database::exec("INSERT IGNORE INTO role_x_permission (roleid, permissionid) VALUES :arg", ['arg' => $arg]);
 		}
diff --git a/modules-available/permissionmanager/install.inc.php b/modules-available/permissionmanager/install.inc.php
index afa5dd7e..480460db 100644
--- a/modules-available/permissionmanager/install.inc.php
+++ b/modules-available/permissionmanager/install.inc.php
@@ -5,6 +5,7 @@ $res = array();
 $res[] = tableCreate('role', "
 	roleid int(10) unsigned NOT NULL AUTO_INCREMENT,
 	rolename varchar(200) NOT NULL,
+	roledescription TEXT,
 	PRIMARY KEY (roleid)
 ");
 
@@ -100,6 +101,108 @@ if (!tableExists('user') || !tableExists('location')) {
 		$res[] = UPDATE_DONE;
 	}
 }
+
+// 2018-04-13 role description field; add a couple default roles
+if (!tableHasColumn('role', 'roledescription')) {
+	$alter = Database::exec("ALTER TABLE role ADD roledescription TEXT");
+	if ($alter === false)
+		finalResponse(UPDATE_FAILED, 'Cannot add roledescription field to table role: ' . Database::lastError());
+	$res[] = UPDATE_DONE;
+}
+
+if (!tableHasColumn('role', 'roledescription')) {
+	finalResponse(UPDATE_RETRY, 'Try again later');
+}
+
+if (Database::exec("INSERT INTO `role` VALUES
+			(1,'Super-Admin', 'Hat keinerlei Zugriffsbeschränkungen'),
+			(2,'Admin', 'Alles bis auf Rechte-/Nutzerverwaltung'),
+			(3,'Prüfungsadmin', 'Kann E-Prüfungen verwalten, Prüfungsmodus einschalten, etc.'),
+			(4,'Lesezugriff', 'Kann auf die meisten Seiten zugreifen, jedoch keine Änderungen vornehmen')") !== false) {
+	// Success, there probably were no roles before, keep going
+	// Assign roles to location (all)
+	Database::exec("INSERT INTO `role_x_location` VALUES (1,NULL),(2,NULL),(3,NULL),(4,NULL)");
+	// Assign permissions to roles
+	Database::exec("INSERT INTO `role_x_permission` VALUES
+			(3,'exams.exams.*'),
+			(3,'rebootcontrol.action.*'),
+			(3,'statistics.hardware.projectors.view'),
+			(3,'statistics.machine.note.*'),
+			(3,'statistics.machine.view-details'),
+			(3,'statistics.view.*'),
+			(3,'syslog.view'),
+			
+			(1,'*'),
+			
+			(4,'adduser.user.view-list'),
+			(4,'backup.create'),
+			(4,'baseconfig.view'),
+			(4,'dnbd3.access-page'),
+			(4,'dnbd3.refresh'),
+			(4,'dnbd3.view.details'),
+			(4,'dozmod.actionlog.view'),
+			(4,'dozmod.users.view'),
+			(4,'eventlog.view'),
+			(4,'exams.exams.view'),
+			(4,'locationinfo.backend.check'),
+			(4,'locationinfo.panel.list'),
+			(4,'locations.location.view'),
+			(4,'minilinux.view'),
+			(4,'news.*'),
+			(4,'permissionmanager.locations.view'),
+			(4,'permissionmanager.roles.view'),
+			(4,'permissionmanager.users.view'),
+			(4,'runmode.list-all'),
+			(4,'serversetup.access-page'),
+			(4,'serversetup.download'),
+			(4,'statistics.hardware.projectors.view'),
+			(4,'statistics.machine.note.view'),
+			(4,'statistics.machine.view-details'),
+			(4,'statistics.view.*'),
+			(4,'statistics_reporting.reporting.download'),
+			(4,'statistics_reporting.table.export'),
+			(4,'statistics_reporting.table.view.*'),
+			(4,'sysconfig.config.view-list'),
+			(4,'sysconfig.module.download'),
+			(4,'sysconfig.module.view-list'),
+			(4,'syslog.view'),
+			(4,'systemstatus.show.overview.*'),
+			(4,'systemstatus.tab.*'),
+			(4,'webinterface.access-page'),
+			
+			(2,'adduser.user.view-list'),
+			(2,'backup.*'),
+			(2,'baseconfig.*'),
+			(2,'dnbd3.*'),
+			(2,'dozmod.*'),
+			(2,'eventlog.view'),
+			(2,'exams.exams.*'),
+			(2,'locationinfo.*'),
+			(2,'locations.*'),
+			(2,'minilinux.*'),
+			(2,'news.*'),
+			(2,'permissionmanager.locations.view'),
+			(2,'permissionmanager.roles.view'),
+			(2,'permissionmanager.users.view'),
+			(2,'rebootcontrol.*'),
+			(2,'roomplanner.edit'),
+			(2,'runmode.list-all'),
+			(2,'serversetup.*'),
+			(2,'statistics.*'),
+			(2,'statistics_reporting.*'),
+			(2,'sysconfig.*'),
+			(2,'syslog.*'),
+			(2,'systemstatus.*'),
+			(2,'vmstore.edit'),
+			(2,'webinterface.*')");
+	// Asign the first user to the superadmin role
+	Database::exec("INSERT INTO `role_x_user` VALUES (1,1)");
+	$res[] = UPDATE_DONE;
+}
+
+//
+//
+
 if (in_array(UPDATE_DONE, $res)) {
 	finalResponse(UPDATE_DONE, 'Tables created successfully');
 }
diff --git a/modules-available/permissionmanager/lang/de/template-tags.json b/modules-available/permissionmanager/lang/de/template-tags.json
index a4fc990b..504ef6d2 100644
--- a/modules-available/permissionmanager/lang/de/template-tags.json
+++ b/modules-available/permissionmanager/lang/de/template-tags.json
@@ -1,6 +1,7 @@
 {
     "lang_addRole": "Rollen erteilen",
     "lang_addRoleHeading": "Neue Rolle hinzuf\u00fcgen",
+    "lang_description": "Beschreibung",
     "lang_editRoleHeading": "Rolle bearbeiten",
     "lang_locationAwareDesc": "Berechtigungen mit diesem Symbol k\u00f6nnen auf bestimmte R\u00e4ume\/Orte beschr\u00e4nkt werden. Alle anderen Berechtigungen sind unabh\u00e4ngig von den f\u00fcr diese Rolle ausgew\u00e4hlten Orten.",
     "lang_locations": "R\u00e4ume",
@@ -8,9 +9,9 @@
     "lang_name": "Name",
     "lang_newRole": "Rolle anlegen",
     "lang_numAssignedUsers": "Benutzer mit dieser Rolle",
+    "lang_permission": "Berechtigung",
     "lang_permissionDeniedBody": "Ihnen fehlt eine oder mehrere Berechtigungen, um auf diese Seite oder Funktion zuzugreifen.",
     "lang_permissionDeniedHeader": "Zugriff verweigert",
-    "lang_permission": "Berechtigung",
     "lang_permissions": "Rechte",
     "lang_removeRole": "Rollen entziehen",
     "lang_roleDeleteConfirm": "Sind Sie sich sicher, dass Sie diese Rolle l\u00f6schen m\u00f6chten? Benutzer, denen diese Rolle zugewiesen ist, werden die entsprechenden Berechtigungen verlieren.",
@@ -20,4 +21,4 @@
     "lang_selectizePlaceholder": "Nach Rollen filtern...",
     "lang_users": "Nutzer",
     "lang_view": "Anzeigen"
-}
+}
\ No newline at end of file
diff --git a/modules-available/permissionmanager/lang/en/template-tags.json b/modules-available/permissionmanager/lang/en/template-tags.json
index 92c3ac26..6f1fa614 100644
--- a/modules-available/permissionmanager/lang/en/template-tags.json
+++ b/modules-available/permissionmanager/lang/en/template-tags.json
@@ -1,6 +1,7 @@
 {
     "lang_addRole": "Grant Roles",
     "lang_addRoleHeading": "Add new role",
+    "lang_description": "Description",
     "lang_editRoleHeading": "Edit role",
     "lang_locationAwareDesc": "Permissions with this symbol can be restricted to certain locations. All other permissions are independent of the locations selected for this role.",
     "lang_locations": "Locations",
@@ -8,9 +9,9 @@
     "lang_name": "Name",
     "lang_newRole": "New Role",
     "lang_numAssignedUsers": "Users with this role",
+    "lang_permission": "Permission",
     "lang_permissionDeniedBody": "You are missing one or more permissions to access this page or functionality.",
     "lang_permissionDeniedHeader": "Access denied",
-    "lang_permission": "Permission",
     "lang_permissions": "Permissions",
     "lang_removeRole": "Revoke Roles",
     "lang_roleDeleteConfirm": "Are you sure you want to delete this role? Users currently assigned to this role will lose the according permissions.",
@@ -20,4 +21,4 @@
     "lang_selectizePlaceholder": "Filter for roles...",
     "lang_users": "Users",
     "lang_view": "View"
-}
+}
\ No newline at end of file
diff --git a/modules-available/permissionmanager/page.inc.php b/modules-available/permissionmanager/page.inc.php
index 11b5b028..462d3163 100644
--- a/modules-available/permissionmanager/page.inc.php
+++ b/modules-available/permissionmanager/page.inc.php
@@ -28,15 +28,24 @@ class Page_PermissionManager extends Page
 			PermissionDbUpdate::removeRoleFromUser($users, $roles);
 		} elseif ($action === 'deleteRole') {
 			User::assertPermission('roles.edit');
-			$id = Request::post('deleteId', false, 'string');
+			$id = Request::post('deleteId', false, 'int');
 			PermissionDbUpdate::deleteRole($id);
 		} elseif ($action === 'saveRole') {
 			User::assertPermission('roles.edit');
-			$roleID = Request::post("roleid", false);
-			$rolename = Request::post("rolename");
-			$locations = self::processLocations(Request::post("locations"));
+			$roleID = Request::post("roleid", false, 'int');
+			if ($roleID === false) {
+				Message::addError('main.parameter-missing', 'roleid');
+				Util::redirect('?do=permissionmanager');
+			}
+			$roleName = Request::post("rolename", '', 'string');
+			if (empty($roleName)) {
+				Message::addError('main.parameter-empty', 'rolename');
+				Util::redirect('?do=permissionmanager');
+			}
+			$roleDescription = Request::post('roledescription', '', 'string');
+			$locations = self::processLocations(Request::post("locations", [], 'array'));
 			$permissions = self::processPermissions(Request::post("permissions"));
-			PermissionDbUpdate::saveRole($rolename, $locations, $permissions, $roleID);
+			PermissionDbUpdate::saveRole($roleName, $roleDescription, $locations, $permissions, $roleID);
 		}
 		if (Request::isPost()) {
 			Util::redirect('?do=permissionmanager&show=' . Request::get("show", "roles"));
@@ -100,18 +109,16 @@ class Page_PermissionManager extends Page
 			Render::addTemplate('locationstable', $data);
 		} elseif ($show === "roleEditor") {
 			User::assertPermission('roles.*');
-			$data = array("cancelShow" => Request::get("cancel", "roles"));
+			$data = array("cancelShow" => Request::get("cancel", "roles", 'string'));
 			Permission::addGlobalTags($data['perms'], null, ['roles.edit']);
 
 			$selectedPermissions = array();
 			$selectedLocations = array();
 			$roleid = Request::get("roleid", false, 'int');
 			if ($roleid !== false) {
-				$roleData = GetPermissionData::getRoleData($roleid);
-				$data["roleid"] = $roleid;
-				$data["rolename"] = $roleData["rolename"];
-				$selectedPermissions = $roleData["permissions"];
-				$selectedLocations = $roleData["locations"];
+				$data += GetPermissionData::getRoleData($roleid);
+				$selectedPermissions = $data["permissions"];
+				$selectedLocations = $data["locations"];
 			}
 
 			$data["permissionHTML"] = self::generatePermissionHTML(PermissionUtil::getPermissions(), $selectedPermissions,
diff --git a/modules-available/permissionmanager/templates/roleeditor.html b/modules-available/permissionmanager/templates/roleeditor.html
index 38493d5d..c464c1fc 100644
--- a/modules-available/permissionmanager/templates/roleeditor.html
+++ b/modules-available/permissionmanager/templates/roleeditor.html
@@ -13,11 +13,17 @@
 	<input type="hidden" name="roleid" value="{{roleid}}">
 
 	<div class="input-group">
-	<span class="input-group-addon">
+	<span class="input-group-addon slx-ga">
 		<label for="rolename">{{lang_name}}</label>
 	</span>
 		<input id="rolename" name="rolename" value="{{rolename}}" type="text" class="form-control" required>
 	</div>
+	<div class="input-group">
+		<span class="input-group-addon slx-ga">
+			<label for="roledescription">{{lang_description}}</label>
+		</span>
+		<input id="roledescription" name="roledescription" value="{{roledescription}}" type="text" class="form-control">
+	</div>
 	<br>
 
 	<div class="pull-right">
diff --git a/modules-available/permissionmanager/templates/rolestable.html b/modules-available/permissionmanager/templates/rolestable.html
index 9ba8d85c..d520db33 100644
--- a/modules-available/permissionmanager/templates/rolestable.html
+++ b/modules-available/permissionmanager/templates/rolestable.html
@@ -11,6 +11,7 @@
 				<thead>
 					<tr>
 						<th data-sort="string">{{lang_roles}}</th>
+						<th data-sort="string">{{lang_description}}</th>
 						<th class="text-center slx-smallcol">
 							{{#perms.roles.edit.disabled}}
 							{{lang_view}}
@@ -27,8 +28,9 @@
 				{{#roles}}
 					<tr>
 						<td class="rolename">{{rolename}}</td>
+						<td class="text-muted"><table class="slx-ellipsis"><tr><td>{{roledescription}}</td></tr></table></td>
 						<td class="text-center">
-							<a class="btn btn-xs btn-primary" href="?do=permissionmanager&show=roleEditor&roleid={{roleid}}"><span class="glyphicon glyphicon-edit"></span></a>
+							<a class="btn btn-xs btn-primary" href="?do=permissionmanager&amp;show=roleEditor&amp;roleid={{roleid}}"><span class="glyphicon glyphicon-edit"></span></a>
 						</td>
 						<td class="text-center">
 							<button type="button" class="btn btn-xs btn-danger" data-toggle="modal" data-target="#deleteModal" onclick="deleteRole('{{roleid}}', '{{users}}')" {{perms.roles.edit.disabled}}>
@@ -66,7 +68,7 @@
 </form>
 
 <div class="text-right">
-	<a href="?do=permissionmanager&show=roleEditor" class="btn btn-success {{perms.roles.edit.disabled}}"><span class="glyphicon glyphicon-plus"></span> {{lang_newRole}}</a>
+	<a href="?do=permissionmanager&amp;show=roleEditor" class="btn btn-success {{perms.roles.edit.disabled}}"><span class="glyphicon glyphicon-plus"></span> {{lang_newRole}}</a>
 </div>
 
 <script>
-- 
cgit v1.2.3-55-g7522