From 5309badac125114399ec2cf39b095e0d9efcd09f Mon Sep 17 00:00:00 2001
From: Simon Rettberg
Date: Thu, 15 Feb 2018 13:18:56 +0100
Subject: [rebootcontrol] Rewrite permission handling, simplify html/javascript

---
 modules-available/rebootcontrol/page.inc.php | 107 ++++++++++++---------------
 1 file changed, 47 insertions(+), 60 deletions(-)

(limited to 'modules-available/rebootcontrol/page.inc.php')

diff --git a/modules-available/rebootcontrol/page.inc.php b/modules-available/rebootcontrol/page.inc.php
index fa34a05a..fa7688d8 100644
--- a/modules-available/rebootcontrol/page.inc.php
+++ b/modules-available/rebootcontrol/page.inc.php
@@ -4,9 +4,6 @@ class Page_RebootControl extends Page
 {
 
 	private $action = false;
-	private $allowedShutdownLocs = [];
-	private $allowedRebootLocs = [];
-	private $allowedLocs = [];
 
 	/**
 	 * Called before any page rendering happens - early hook to check parameters etc.
@@ -20,54 +17,40 @@ class Page_RebootControl extends Page
 			Util::redirect('?do=Main'); // does not return
 		}
 
-		$this->allowedShutdownLocs = User::getAllowedLocations("shutdown");
-		$this->allowedRebootLocs = User::getAllowedLocations("reboot");
-		$this->allowedLocs = array_unique(array_merge($this->allowedShutdownLocs, $this->allowedRebootLocs));
-
 		$this->action = Request::any('action', 'show', 'string');
 
 
-		if ($this->action === 'startReboot' || $this->action === 'startShutdown') {
-
-			$locationId = Request::post('locationId', false, 'int');
-			if ($locationId === false) {
-				Message::addError('locations.invalid-location-id', $locationId);
-				Util::redirect();
-			}
-
-			$shutdown = $this->action === "startShutdown";
-			// Check user permission (if user has no permission, the getAllowed-list will be empty and the check will fail)
-			if ($shutdown) {
-				if (!in_array($locationId, $this->allowedShutdownLocs)) {
-					Message::addError('main.no-permission');
-					Util::redirect();
-				}
-			} else {
-				if (!in_array($locationId, $this->allowedRebootLocs)) {
-					Message::addError('main.no-permission');
-					Util::redirect();
-				}
-			}
+		if ($this->action === 'reboot' || $this->action === 'shutdown') {
 
-			$clients = Request::post('clients');
-			if (!is_array($clients) || empty($clients)) {
+			$requestedClients = Request::post('clients', false, 'array');
+			if (!is_array($requestedClients) || empty($requestedClients)) {
 				Message::addError('no-clients-selected');
 				Util::redirect();
 			}
 			$minutes = Request::post('minutes', 0, 'int');
 
-			$list = RebootQueries::getMachinesByUuid($clients);
-			if (count($list) !== count($clients)) {
+			$actualClients = RebootQueries::getMachinesByUuid($requestedClients);
+			if (count($actualClients) !== count($requestedClients)) {
 				// We could go ahead an see which ones were not found in DB but this should not happen anyways unless the
 				// user manipulated the request
 				Message::addWarning('some-machine-not-found');
 			}
-			// TODO: Iterate over list and check if a locationid is not in permissions
-			// TODO: we could also check if the locationid is equal or a sublocation of the $locationId from above
-			// (this would be more of a sanity check though, or does the UI allow selecting machines from different locations)
-
-			$task = RebootControl::execute($list, $shutdown, $minutes, $locationId);
+			// Filter ones with no permission
+			foreach (array_keys($actualClients) as $idx) {
+				if (!User::hasPermission('action.' . $this->action, $actualClients[$idx]['locationid'])) {
+					Message::addWarning('main.location-no-permission', $actualClients[$idx]['locationid']);
+					unset($actualClients[$idx]);
+				} else {
+					$locationId = $actualClients[$idx]['locationid'];
+				}
+			}
+			// See if anything is left
+			if (!is_array($actualClients) || empty($actualClients)) {
+				Message::addError('no-clients-selected');
+				Util::redirect();
+			}
 
+			$task = RebootControl::execute($actualClients, $this->action === 'shutdown', $minutes, $locationId);
 			Util::redirect("?do=rebootcontrol&taskid=".$task["id"]);
 		}
 
@@ -81,6 +64,7 @@ class Page_RebootControl extends Page
 	{
 		if ($this->action === 'show') {
 
+			$data = [];
 			$taskId = Request::get("taskid");
 
 			if ($taskId && Taskmanager::isTask($taskId)) {
@@ -91,36 +75,42 @@ class Page_RebootControl extends Page
 				$data['clients'] = $task['data']['clients'];
 				Render::addTemplate('status', $data);
 			} else {
-				//location you want to see, default are "not  assigned" clients
-				$requestedLocation = Request::get('location', 0, 'int');
 
-				// only fill table if user has at least one permission for the location
-				if (in_array($requestedLocation, $this->allowedLocs)) {
-					$data['data'] = RebootQueries::getMachineTable($requestedLocation);
-					$data['allowedToSelect'] = True;
+				//location you want to see, default are "not  assigned" clients
+				$requestedLocation = Request::get('location', false, 'int');
+				$allowedLocs = User::getAllowedLocations("action.*");
+
+				if ($requestedLocation === false) {
+					if (in_array(0, $allowedLocs)) {
+						$requestedLocation = 0;
+					} elseif (!empty($allowedLocs)) {
+						$requestedLocation = reset($allowedLocs);
+					}
 				}
 
 				$data['locations'] = Location::getLocations($requestedLocation, 0, true);
-				// Always show public key (it's public, isn't it?)
-				$data['pubKey'] = SSHKey::getPublicKey();
 
 				// disable each location user has no permission for
 				foreach ($data['locations'] as &$loc) {
-					if (!in_array($loc["locationid"], $this->allowedLocs)) {
+					if (!in_array($loc["locationid"], $allowedLocs)) {
 						$loc["disabled"] = "disabled";
 					}
 				}
+				// Always show public key (it's public, isn't it?)
+				$data['pubKey'] = SSHKey::getPublicKey();
 
 				// Only enable shutdown/reboot-button if user has permission for the location
-				if (in_array($requestedLocation, $this->allowedShutdownLocs)) {
-					$data['allowedToShutdown'] = True;
-				}
-				if (in_array($requestedLocation, $this->allowedRebootLocs)) {
-					$data['allowedToReboot'] = True;
-				}
-				$data['allowedToGenerateKey'] = User::hasPermission("newkeypair");
+				Permission::addGlobalTags($data['perms'], $requestedLocation, ['newkeypair', 'action.shutdown', 'action.reboot']);
+
+				Render::addTemplate('header', $data);
 
-				Render::addTemplate('_page', $data);
+				// only fill table if user has at least one permission for the location
+				if ($requestedLocation === false) {
+					Message::addError('main.no-permission');
+				} else {
+					$data['data'] = RebootQueries::getMachineTable($requestedLocation);
+					Render::addTemplate('_page', $data);
+				}
 
 			}
 		}
@@ -130,12 +120,9 @@ class Page_RebootControl extends Page
 	{
 		$this->action = Request::post('action', false, 'string');
 		if ($this->action === 'generateNewKeypair') {
-			if (User::hasPermission("newkeypair")) {
-				Property::set("rebootcontrol-private-key", false);
-				echo SSHKey::getPublicKey();
-			} else {
-				echo 'No permission.';
-			}
+			User::assertPermission("newkeypair");
+			Property::set("rebootcontrol-private-key", false);
+			echo SSHKey::getPublicKey();
 		} else {
 			echo 'Invalid action.';
 		}
-- 
cgit v1.2.3-55-g7522