From 4c9aba92942c4b9341c46a50aeaa31bea24a8b60 Mon Sep 17 00:00:00 2001 From: Christian Hofmaier Date: Tue, 9 Jan 2018 17:38:21 +0100 Subject: [exams] implemented permission system --- modules-available/rebootcontrol/page.inc.php | 66 ++++++++++++++++++++++++---- 1 file changed, 57 insertions(+), 9 deletions(-) (limited to 'modules-available/rebootcontrol/page.inc.php') diff --git a/modules-available/rebootcontrol/page.inc.php b/modules-available/rebootcontrol/page.inc.php index fc3ded8f..fa34a05a 100644 --- a/modules-available/rebootcontrol/page.inc.php +++ b/modules-available/rebootcontrol/page.inc.php @@ -4,6 +4,9 @@ class Page_RebootControl extends Page { private $action = false; + private $allowedShutdownLocs = []; + private $allowedRebootLocs = []; + private $allowedLocs = []; /** * Called before any page rendering happens - early hook to check parameters etc. 
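Review bot: The three new properties `$allowedShutdownLocs`, `$allowedRebootLocs` and `$allowedLocs` hold the authorization state for the whole page but carry no doc comment. Each deserves a short docblock, for example `/** @var array location ids the user may shut down, as returned by User::getAllowedLocations("shutdown") */`, plus one stating that `$allowedLocs` is the union of the other two. They default to `[]`, so an `in_array` check made before they are filled denies access; that fail-closed default is worth stating in the comment so nobody changes it later.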
@@ -17,21 +20,40 @@ class Page_RebootControl extends Page Util::redirect('?do=Main'); // does not return } + $this->allowedShutdownLocs = User::getAllowedLocations("shutdown"); + $this->allowedRebootLocs = User::getAllowedLocations("reboot"); + $this->allowedLocs = array_unique(array_merge($this->allowedShutdownLocs, $this->allowedRebootLocs)); + $this->action = Request::any('action', 'show', 'string'); if ($this->action === 'startReboot' || $this->action === 'startShutdown') { - $clients = Request::post('clients'); - if (!is_array($clients) || empty($clients)) { - Message::addError('no-clients-selected'); - Util::redirect(); - } + $locationId = Request::post('locationId', false, 'int'); if ($locationId === false) { Message::addError('locations.invalid-location-id', $locationId); Util::redirect(); } + $shutdown = $this->action === "startShutdown"; + // Check user permission (if user has no permission, the getAllowed-list will be empty and the check will fail) + if ($shutdown) { + if (!in_array($locationId, $this->allowedShutdownLocs)) { + Message::addError('main.no-permission'); + Util::redirect(); + } + } else { + if (!in_array($locationId, $this->allowedRebootLocs)) { + Message::addError('main.no-permission'); + Util::redirect(); + } + } + + $clients = Request::post('clients'); + if (!is_array($clients) || empty($clients)) { + Message::addError('no-clients-selected'); + Util::redirect(); + } $minutes = Request::post('minutes', 0, 'int'); $list = RebootQueries::getMachinesByUuid($clients); 
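Review bot: The permission check covers only the posted `locationId`; the posted `clients` UUIDs then go to `RebootQueries::getMachinesByUuid($clients)`, and nothing in this hunk ties those machines to that location. Unless the code after the hunk (not visible here) filters `$list`, a user allowed for one location could submit that id together with UUIDs of machines that belong elsewhere. I would derive the authorization from the machines themselves: after loading `$list`, reject or drop every row whose location is not in the list for the requested action (`$this->allowedShutdownLocs` or `$this->allowedRebootLocs`). The two near-identical branches can also collapse to `$allowed = $shutdown ? $this->allowedShutdownLocs : $this->allowedRebootLocs;` followed by a single `in_array` check.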
@@ -72,12 +94,34 @@ class Page_RebootControl extends Page //location you want to see, default are "not assigned" clients $requestedLocation = Request::get('location', 0, 'int'); - $data['data'] = RebootQueries::getMachineTable($requestedLocation); - $data['locations'] = Location::getLocations($requestedLocation, 0, true); + // only fill table if user has at least one permission for the location + if (in_array($requestedLocation, $this->allowedLocs)) { + $data['data'] = RebootQueries::getMachineTable($requestedLocation); + $data['allowedToSelect'] = True; + } + $data['locations'] = Location::getLocations($requestedLocation, 0, true); + // Always show public key (it's public, isn't it?) $data['pubKey'] = SSHKey::getPublicKey(); + // disable each location user has no permission for + foreach ($data['locations'] as &$loc) { + if (!in_array($loc["locationid"], $this->allowedLocs)) { + $loc["disabled"] = "disabled"; + } + } + + // Only enable shutdown/reboot-button if user has permission for the location + if (in_array($requestedLocation, $this->allowedShutdownLocs)) { + $data['allowedToShutdown'] = True; + } + if (in_array($requestedLocation, $this->allowedRebootLocs)) { + $data['allowedToReboot'] = True; + } + $data['allowedToGenerateKey'] = User::hasPermission("newkeypair"); + Render::addTemplate('_page', $data); + } } } @@ -86,8 +130,12 @@ class Page_RebootControl extends Page { $this->action = Request::post('action', false, 'string'); if ($this->action === 'generateNewKeypair') { - Property::set("rebootcontrol-private-key", false); - echo SSHKey::getPublicKey(); + if (User::hasPermission("newkeypair")) { + Property::set("rebootcontrol-private-key", false); + echo SSHKey::getPublicKey(); + } else { + echo 'No permission.'; + } } else { echo 'Invalid action.'; } -- cgit v1.2.3-55-g7522
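Review bot: The added `foreach ($data['locations'] as &$loc)` loop leaves `$loc` bound by reference to the last location after it ends; add `unset($loc);` directly after the loop so a later assignment to `$loc` cannot rewrite that entry. The `in_array` calls here compare loosely and `$requestedLocation` defaults to `0`; if `User::getAllowedLocations()` returns integers, passing `true` as the third argument would make the match exact (the return type is not visible in this diff, so confirm first). The `disabled` flag and the `allowedTo…` values only steer the template, so enforcement has to stay with the server-side checks in the POST handler.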
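Review bot: The denied branch of `generateNewKeypair` answers with the plain text `No permission.` and, as far as this hunk shows, the default status code, so a calling script or someone reading access logs cannot tell a refusal from a success by status. Send an explicit status before the message, `http_response_code(403);`, and consider recording the refused attempt, since the permitted branch resets the stored `rebootcontrol-private-key`. The method's signature and any request-forgery token check lie outside the hunk, so whether this POST is otherwise protected cannot be judged from here.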