From 463aadce87ab207c7477b580295d6fce2b351b67 Mon Sep 17 00:00:00 2001
From: Simon Rettberg
Date: Mon, 18 May 2020 18:40:59 +0200
Subject: [remoteaccess] Add permissions, add "delete group" functionality

---
 modules-available/remoteaccess/page.inc.php | 84 +++++++++++++++++++++++------
 1 file changed, 68 insertions(+), 16 deletions(-)

(limited to 'modules-available/remoteaccess/page.inc.php')

diff --git a/modules-available/remoteaccess/page.inc.php b/modules-available/remoteaccess/page.inc.php
index 2877fc9d..27b7ca6b 100644
--- a/modules-available/remoteaccess/page.inc.php
+++ b/modules-available/remoteaccess/page.inc.php
@@ -16,15 +20,20 @@ class Page_RemoteAccess extends Page
 			Message::addError('main.no-permission');
 			Util::redirect('?do=Main');
 		}
+		User::assertPermission('view');
 		$action = Request::post('action', false, 'string');
 		// Add group adds a DB row and then falls through to regular saving
 		if ($action === 'add-group') {
+			User::assertPermission('group.add');
 			Database::exec("INSERT INTO remoteaccess_group (groupname, wolcount, passwd, active) VALUES ('.new', 0, '', 0)");
-			$action = 'save-settings';
 			Message::addSuccess('group-added');
+			if (User::hasPermission('group.edit')) {
+				$action = 'save-groups';
+			}
 		}
-		if ($action === 'save-settings') {
+		if ($action === 'save-groups') {
+			User::assertPermission('group.edit');
 			$groups = Request::post('group', [], 'array');
 			foreach ($groups as $id => $group) {
 				Database::exec("UPDATE remoteaccess_group SET groupname = :name, wolcount = :wol,
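Review bot: The new `save-groups` branch updates every group id found in the posted `group` array with only a global `group.edit` check, whereas `delete-group` in the same commit additionally requires `checkGroupLocations()` to pass; a user who holds `group.edit` for a subset of locations can therefore still rename, re-activate or change the password of a group assigned to locations they may not manage. If `group.edit` is intended to be global that is fine, but if it is location-scoped like `group.locations`, the loop should skip groups the caller is not allowed to touch, e.g. `if (!$this->checkGroupLocations($id)) { continue; }` as the first statement of the `foreach`. Note also that `add-group` inserts the `.new` placeholder row before testing `group.edit`, so a caller with `group.add` but not `group.edit` leaves an inactive, unnamed group behind on every click; if that is acceptable it deserves a one-line comment. The `foreach` body and the enclosing method continue outside this hunk.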
@@ -36,18 +41,30 @@ class Page_RemoteAccess extends Page
 					'active' => isset($group['active']) && $group['active'] ? 1 : 0,
 				]);
 			}
+			Message::addSuccess('settings-saved');
+		} elseif ($action === 'save-settings') {
+			User::assertPermission('set-proxy-ip');
 			Property::set(RemoteAccess::PROP_ALLOWED_VNC_NET, Request::post('allowed-source', '', 'string'));
 			Property::set(RemoteAccess::PROP_TRY_VIRT_HANDOVER, Request::post('virt-handover', false, 'int'));
 			Message::addSuccess('settings-saved');
-		} elseif ($action === 'set-locations') {
+		} elseif ($action === 'delete-group') {
+			User::assertPermission('group.edit');
 			$groupid = Request::post('groupid', Request::REQUIRED, 'int');
-			$group = Database::queryFirst("SELECT groupname FROM remoteaccess_group WHERE groupid = :id",
-				['id' => $groupid]);
-			if ($group === false) {
-				Message::addError('group-not-found', $groupid);
-				Util::redirect('?do=remoteaccess');
+			$group = $this->groupNameOrFail($groupid);
+			if (!$this->checkGroupLocations($groupid)) {
+				Message::addError('locations-not-allowed', $group);
+			} else {
+				Database::exec("DELETE FROM remoteaccess_group WHERE groupid = :id", ['id' => $groupid]);
+				Message::addSuccess('group-deleted', $group);
 			}
+		} elseif ($action === 'set-locations') {
+			User::assertPermission('group.locations');
+			$groupid = Request::post('groupid', Request::REQUIRED, 'int');
+			$group = $this->groupNameOrFail($groupid);
 			$locations = array_values(Request::post('location', [], 'array'));
+			// Merge what's already set where we don't have permission
+			$locations = Permission::mergeWithDisallowed($locations, 'group.locations',
+				"SELECT locationid FROM remoteaccess_x_location WHERE groupid = :id", ['id' => $groupid]);
 			if (empty($locations)) {
 				Database::exec("DELETE FROM remoteaccess_x_location WHERE groupid = :id", ['id' => $groupid]);
 			} else {
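Review bot: The `delete-group` branch removes only the `remoteaccess_group` row; the `remoteaccess_x_location` rows keyed by `groupid`, which the `set-locations` branch of this same hunk writes, are left in place, so unless the schema declares `ON DELETE CASCADE` (not visible here) every deleted group leaves orphaned location assignments behind. Deleting them in the same branch is one line before the group delete: `Database::exec("DELETE FROM remoteaccess_x_location WHERE groupid = :id", ['id' => $groupid]);`. Since `checkGroupLocations()` has already confirmed the caller may manage all of those locations, removing them here is consistent with the permission model. The enclosing method continues outside this hunk.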
@@ -56,13 +73,24 @@ class Page_RemoteAccess extends Page
 				Database::exec("DELETE FROM remoteaccess_x_location WHERE groupid = :id AND locationid NOT IN (:locations)",
 					['id' => $groupid, 'locations' => $locations]);
 			}
-			Message::addSuccess('group-updated', $group['groupname']);
+			Message::addSuccess('group-updated', $group);
 		}
 		if (Request::isPost()) {
 			Util::redirect('?do=remoteaccess');
 		}
 	}
+	private function groupNameOrFail($groupid)
+	{
+		$group = Database::queryFirst("SELECT groupname FROM remoteaccess_group WHERE groupid = :id",
+			['id' => $groupid]);
+		if ($group === false) {
+			Message::addError('group-not-found', $groupid);
+			Util::redirect('?do=remoteaccess');
+		}
+		return $group['groupname'];
+	}
+
 	protected function doRender()
 	{
 		$groupid = Request::get('groupid', false, 'int');
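Review bot: The new `groupNameOrFail()` helper has no docblock, and its correctness depends on `Util::redirect()` never returning — if it did, `return $group['groupname']` would index `false`. The removed code in this file used the same redirect-then-continue pattern, so this is presumably an established project convention, but it is worth stating: `/** Look up the name of a remote-access group; on an unknown id, adds a 'group-not-found' error and redirects to the overview (Util::redirect() is assumed not to return). @param int $groupid @return string */`. If `Util::redirect()` can return in some configuration, an explicit `return '';` after the redirect call would make the failure mode harmless rather than a PHP notice.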
@@ -78,24 +106,48 @@ class Page_RemoteAccess extends Page
 				'virt-handover_checked' => Property::get(RemoteAccess::PROP_TRY_VIRT_HANDOVER) ? 'checked' : '',
 				'groups' => $groups,
 			];
+			Permission::addGlobalTags($data['perms'], null, ['group.locations', 'group.add', 'group.edit', 'set-proxy-ip']);
 			Render::addTemplate('edit-settings', $data);
 		} else {
 			// Edit locations for group
-			$group = Database::queryFirst("SELECT groupid, groupname FROM remoteaccess_group WHERE groupid = :id",
-				['id' => $groupid]);
-			if ($group === false) {
-				Message::addError('group-not-found', $groupid);
-				return;
-			}
+			$group = $this->groupNameOrFail($groupid);
 			$locationList = Location::getLocationsAssoc();
 			$enabled = RemoteAccess::getEnabledLocations($groupid);
+			$allowed = User::getAllowedLocations('group.locations');
 			foreach ($enabled as $lid) {
 				if (isset($locationList[$lid])) {
 					$locationList[$lid]['checked'] = 'checked';
 				}
 			}
-			Render::addTemplate('edit-group', $group + ['locations' => array_values($locationList)]);
+			foreach ($locationList as $lid => &$loc) {
+				if (!in_array($lid, $allowed)) {
+					$loc['disabled'] = 'disabled';
+				}
+			}
+			$data = [
+				'groupid' => $groupid,
+				'groupname' => $group,
+				'locations' => array_values($locationList),
+				'disabled' => empty($allowed) ? 'disabled' : '',
+			];
+			Permission::addGlobalTags($data['perms'], null, ['group.locations', 'group.edit']);
+			Render::addTemplate('edit-group', $data);
 		}
 	}
+	/**
+	 * @param int $groupid group to check
+	 * @return bool if we have permission for all the locations assigned to group
+	 */
+	private function checkGroupLocations($groupid)
+	{
+		$allowed = User::getAllowedLocations('group.locations');
+		if (in_array(0, $allowed))
+			return true;
+		$hasLocs = Database::queryColumnArray("SELECT locationid FROM remoteaccess_x_location WHERE groupid = :id",
+			['id' => $groupid]);
+		$diff = array_diff($hasLocs, $allowed);
+		return empty($diff);
+	}
+
 }
-- 
cgit v1.2.3-55-g7522
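Review bot: The new `foreach ($locationList as $lid => &$loc)` in `doRender()` leaves `$loc` bound by reference to the last element after the loop ends, which is the classic PHP dangling-reference footgun; nothing in this hunk reuses `$loc` afterwards, but `$locationList` is then passed through `array_values()` into the template data with that reference still live, so add `unset($loc);` immediately after the loop's closing brace. In `checkGroupLocations()`, `in_array(0, $allowed)` and the `in_array($lid, $allowed)` above use loose comparison; that is harmless while `User::getAllowedLocations()` returns integer ids (not visible here), but passing `true` as the third argument would make the intent explicit and guard against string-typed ids. The docblock could also say what the `0` sentinel means, e.g. `* Location id 0 in the allowed list is treated as "all locations" and short-circuits the check.`, since that convention is otherwise only implied.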