From 734c493dc1e416ee188ad121033b7856e8259816 Mon Sep 17 00:00:00 2001
From: Udo Walter
Date: Thu, 18 Jan 2018 17:54:13 +0100
Subject: [statistics] added permissions to view client logs; removed unused
 query arguments from Paginate::exec (caused an error if query arguments that
 are actually used in the query are passed to Paginate::exec)

---
 modules-available/syslog/page.inc.php | 26 +++++++++++++++++++++++---
 1 file changed, 23 insertions(+), 3 deletions(-)

(limited to 'modules-available/syslog/page.inc.php')

diff --git a/modules-available/syslog/page.inc.php b/modules-available/syslog/page.inc.php
index c679877a..a34ceb53 100644
--- a/modules-available/syslog/page.inc.php
+++ b/modules-available/syslog/page.inc.php
@@ -15,6 +15,13 @@ class Page_SysLog extends Page
 
 	protected function doRender()
 	{
+		Render::addTemplate("heading");
+
+		if (!User::hasPermission("view")) {
+			Message::addError('main.no-permission');
+			return;
+		}
+
 		$cutoff = strtotime('-1 month');
 		$res = Database::simpleQuery("SELECT logtypeid, Count(*) AS counter FROM clientlog WHERE dateline > $cutoff GROUP BY logtypeid ORDER BY counter ASC");
 		$types = array();
@@ -55,11 +62,24 @@ class Page_SysLog extends Page
 			else
 				$whereClause .= ' AND ';
 
-				$whereClause .= "machineuuid='" . preg_replace('/[^0-9a-zA-Z\-]/', '', Request::get('machineuuid', '', 'string')) . "'";
+			$whereClause .= "machineuuid='" . preg_replace('/[^0-9a-zA-Z\-]/', '', Request::get('machineuuid', '', 'string')) . "'";
+		}
+
+		$allowedLocations = User::getAllowedLocations("view");
+		$joinClause = "";
+		if (!in_array(0, $allowedLocations)) {
+			$joinClause = "INNER JOIN machine ON machine.machineuuid = clientlog.machineuuid";
+			if (empty($whereClause))
+				$whereClause .= ' WHERE ';
+			else
+				$whereClause .= ' AND ';
+
+			$whereClause .= 'locationid IN (:allowedLocations)';
 		}
+
 		$lines = array();
-		$paginate = new Paginate("SELECT logid, dateline, logtypeid, clientip, description, extra FROM clientlog $whereClause ORDER BY logid DESC", 50);
-		$res = $paginate->exec();
+		$paginate = new Paginate("SELECT logid, dateline, logtypeid, clientlog.clientip as clientip, description, extra FROM clientlog $joinClause $whereClause ORDER BY logid DESC", 50);
+		$res = $paginate->exec(array("allowedLocations" => $allowedLocations));
 		while ($row = $res->fetch(PDO::FETCH_ASSOC)) {
 			$row['date'] = Util::prettyTime($row['dateline']);
 			$row['icon'] = $this->eventToIconName($row['logtypeid']);
-- 
cgit v1.2.3-55-g7522


From 798ff78db897fa44fa5d22847f6fec51069871ad Mon Sep 17 00:00:00 2001
From: Simon Rettberg
Date: Thu, 8 Feb 2018 12:16:55 +0100
Subject: [syslog] Add option to anonymize log entries after X days

Closes #3301
---
 modules-available/syslog/hooks/cron.inc.php        | 21 +++++++++++++++++
 modules-available/syslog/page.inc.php              | 13 +++++++++++
 .../syslog/templates/page-syslog.html              | 26 ++++++++++++++++++++++
 3 files changed, 60 insertions(+)

(limited to 'modules-available/syslog/page.inc.php')

diff --git a/modules-available/syslog/hooks/cron.inc.php b/modules-available/syslog/hooks/cron.inc.php
index bae882a9..62516648 100644
--- a/modules-available/syslog/hooks/cron.inc.php
+++ b/modules-available/syslog/hooks/cron.inc.php
@@ -1,7 +1,28 @@
 <?php
 
 if (mt_rand(1, 10) === 1) {
+	// Prune old entries
 	Database::exec("DELETE FROM clientlog WHERE (UNIX_TIMESTAMP() - 86400 * 190) > dateline");
+	// Anonymize if requested
+	$days = Property::get('syslog.anon-days', 0);
+	if ($days > 0) {
+		$cutoff = time() - ($days * 86400);
+		Database::exec("UPDATE clientlog SET description = '[root] User logged in'
+				WHERE $cutoff > dateline AND logtypeid = 'session-open' AND description NOT LIKE '[root] User %'");
+		Database::exec("UPDATE clientlog SET description = '[root] User logged out'
+				WHERE $cutoff > dateline AND logtypeid = 'session-close' AND description NOT LIKE '[root] User %'");
+		Database::exec("UPDATE clientlog SET description = '-', extra = ''
+				WHERE $cutoff > dateline AND description NOT LIKE '-'
+				AND logtypeid NOT IN ('session-open', 'session-close', 'idleaction-busy', 'partition-temp',
+					'partition-swap', 'smartctl-realloc', 'vmware-netifup', 'vmware-insmod', 'firewall-script-apply',
+					'mount-vm-tmp-fail')");
+		if (Module::get('statistics') !== false) {
+			Database::exec("UPDATE statistic SET username = 'anonymous'
+					WHERE $cutoff > dateline AND username NOT LIKE 'anonymous' AND username NOT LIKE ''");
+			Database::exec("UPDATE machine SET currentuser = NULL
+					WHERE $cutoff > lastseen AND currentuser IS NOT NULL");
+		}
+	}
 	if (mt_rand(1, 100) === 1) {
 		Database::exec("OPTIMIZE TABLE clientlog");
 	}
diff --git a/modules-available/syslog/page.inc.php b/modules-available/syslog/page.inc.php
index 153b591f..e63ada85 100644
--- a/modules-available/syslog/page.inc.php
+++ b/modules-available/syslog/page.inc.php
@@ -3,6 +3,9 @@
 class Page_SysLog extends Page
 {
 
+	const PROP_ANON_DAYS = 'syslog.anon-days'; // Copy in cronjob
+
+
 	protected function doPreprocess()
 	{
 		User::load();
@@ -11,6 +14,15 @@ class Page_SysLog extends Page
 			Message::addError('main.no-permission');
 			Util::redirect('?do=Main');
 		}
+		if (($days = Request::post('anondays', false, 'int')) !== false) {
+			if ($days < 0 || $days > 180) {
+				Message::addError('anon-days-out-of-range', $days);
+			} else {
+				Property::set(self::PROP_ANON_DAYS, $days);
+				Message::addSuccess('anon-days-saved');
+			}
+			Util::redirect('?do=syslog');
+		}
 	}
 
 	protected function doRender()
@@ -72,6 +84,7 @@ class Page_SysLog extends Page
 			'list'     => $lines,
 			'types'    => json_encode(array_values($types)),
 			'machineuuid' => Request::get('machineuuid'),
+			'anondays' => Property::get(self::PROP_ANON_DAYS, 0),
 		));
 	}
 
diff --git a/modules-available/syslog/templates/page-syslog.html b/modules-available/syslog/templates/page-syslog.html
index d4709456..585aa310 100644
--- a/modules-available/syslog/templates/page-syslog.html
+++ b/modules-available/syslog/templates/page-syslog.html
@@ -1,3 +1,6 @@
+<button type="button" class="btn btn-default pull-right" data-toggle="modal" data-target="#modal-settings">
+	<span class="glyphicon glyphicon-cog"></span> {{lang_settings}}
+</button>
 <h1>{{lang_clientLog}}</h1>
 <style type="text/css">
 	.selectize-dropdown {
@@ -74,6 +77,29 @@
 	</div>
 </div>
 
+<div id="modal-settings" class="modal fade" role="dialog">
+	<div class="modal-dialog">
+		<div class="modal-content">
+			<form method="post" action="?do=syslog">
+				<input type="hidden" name="token" value="{{token}}">
+				<div class="modal-header">
+					<button type="button" class="close" data-dismiss="modal">&times;</button>
+					<h4 class="modal-title"><b>{{lang_settings}}</b></h4>
+				</div>
+				<div class="modal-body">
+					<p>{{lang_anonDaysDescription}}</p>
+					<input type="number" name="anondays" value="{{anondays}}" min="0" max="180">
+				</div>
+				<div class="modal-footer">
+					<button type="button" class="btn btn-default" data-dismiss="modal">{{lang_cancel}}</button>
+					<button type="submit" class="btn btn-primary">{{lang_save}}</button>
+				</div>
+			</form>
+		</div>
+
+	</div>
+</div>
+
 <script type="application/javascript"><!--
 document.addEventListener('DOMContentLoaded', function () {
 
-- 
cgit v1.2.3-55-g7522


From 2a8858e17ef441a22526e8aedf5262e7e065d8d6 Mon Sep 17 00:00:00 2001
From: Simon Rettberg
Date: Tue, 13 Feb 2018 16:30:49 +0100
Subject: [syslog] Permission checks when saving anonymization days

---
 modules-available/syslog/lang/de/permissions.json  |  3 +-
 modules-available/syslog/lang/en/permissions.json  |  3 +-
 modules-available/syslog/page.inc.php              |  7 +++--
 .../syslog/permissions/permissions.json            |  3 ++
 modules-available/syslog/templates/heading.html    | 36 +++++++++++++++++++++-
 .../syslog/templates/page-syslog.html              | 26 ----------------
 6 files changed, 47 insertions(+), 31 deletions(-)

(limited to 'modules-available/syslog/page.inc.php')

diff --git a/modules-available/syslog/lang/de/permissions.json b/modules-available/syslog/lang/de/permissions.json
index 0cd05451..dcd96ae1 100644
--- a/modules-available/syslog/lang/de/permissions.json
+++ b/modules-available/syslog/lang/de/permissions.json
@@ -1,3 +1,4 @@
 {
-	"view": "Client Log anschauen."
+    "configure-anonymization": "Einstellen, nach wie vielen Tagen die Nutzernamen in den Logs entfernt werden.",
+    "view": "Client Log anschauen."
 }
\ No newline at end of file
diff --git a/modules-available/syslog/lang/en/permissions.json b/modules-available/syslog/lang/en/permissions.json
index 497e199e..26ea4448 100644
--- a/modules-available/syslog/lang/en/permissions.json
+++ b/modules-available/syslog/lang/en/permissions.json
@@ -1,3 +1,4 @@
 {
-	"view": "View client log."
+    "configure-anonymization": "Configure after how many days any usernames will be removed from log files.",
+    "view": "View client log."
 }
\ No newline at end of file
diff --git a/modules-available/syslog/page.inc.php b/modules-available/syslog/page.inc.php
index a26ed9be..3a7513b5 100644
--- a/modules-available/syslog/page.inc.php
+++ b/modules-available/syslog/page.inc.php
@@ -14,7 +14,9 @@ class Page_SysLog extends Page
 			Message::addError('main.no-permission');
 			Util::redirect('?do=Main');
 		}
+
 		if (($days = Request::post('anondays', false, 'int')) !== false) {
+			User::assertPermission('configure-anonymization', NULL,'?do=syslog');
 			if ($days < 0 || $days > 180) {
 				Message::addError('anon-days-out-of-range', $days);
 			} else {
@@ -27,7 +29,9 @@ class Page_SysLog extends Page
 
 	protected function doRender()
 	{
-		Render::addTemplate("heading");
+		$data = ['anondays' => Property::get(self::PROP_ANON_DAYS, 0)];
+		Permission::addGlobalTags($data['perms'], NULL, ['configure-anonymization']);
+		Render::addTemplate("heading", $data);
 
 		if (!User::hasPermission("view")) {
 			Message::addError('main.no-permission');
@@ -104,7 +108,6 @@ class Page_SysLog extends Page
 			'list'     => $lines,
 			'types'    => json_encode(array_values($types)),
 			'machineuuid' => Request::get('machineuuid'),
-			'anondays' => Property::get(self::PROP_ANON_DAYS, 0),
 		));
 	}
 
diff --git a/modules-available/syslog/permissions/permissions.json b/modules-available/syslog/permissions/permissions.json
index fcf530c5..cabf82f9 100644
--- a/modules-available/syslog/permissions/permissions.json
+++ b/modules-available/syslog/permissions/permissions.json
@@ -1,5 +1,8 @@
 {
     "view": {
         "location-aware": true
+    },
+    "configure-anonymization": {
+        "location-aware": false
     }
 }
\ No newline at end of file
diff --git a/modules-available/syslog/templates/heading.html b/modules-available/syslog/templates/heading.html
index d6790a21..2ab1a848 100644
--- a/modules-available/syslog/templates/heading.html
+++ b/modules-available/syslog/templates/heading.html
@@ -1 +1,35 @@
-<h1>{{lang_clientLog}}</h1>
\ No newline at end of file
+<div class="page-header">
+	<button type="button" class="btn btn-default pull-right" data-toggle="modal" data-target="#modal-settings">
+		<span class="glyphicon glyphicon-cog"></span> {{lang_settings}}
+	</button>
+
+	<div id="modal-settings" class="modal fade" role="dialog">
+		<div class="modal-dialog">
+			<div class="modal-content">
+				<form method="post" action="?do=syslog">
+					<input type="hidden" name="token" value="{{token}}">
+					<div class="modal-header">
+						<button type="button" class="close" data-dismiss="modal">&times;</button>
+						<h4 class="modal-title"><b>{{lang_settings}}</b></h4>
+					</div>
+					<div class="modal-body">
+						<p>{{lang_anonDaysDescription}}</p>
+						<input {{perms.configure-anonymization.disabled}} class="form-control" type="number" name="anondays"
+								value="{{anondays}}" min="0" max="180">
+					</div>
+					<div class="modal-footer">
+						<button type="button" class="btn btn-default" data-dismiss="modal">{{lang_cancel}}</button>
+						<button {{perms.configure-anonymization.disabled}} type="submit"
+								class="btn btn-primary">
+							<span class="glyphicon glyphicon-floppy-disk"></span>
+							{{lang_save}}
+						</button>
+					</div>
+				</form>
+			</div>
+
+		</div>
+	</div>
+
+	<h1>{{lang_clientLog}}</h1>
+</div>
\ No newline at end of file
diff --git a/modules-available/syslog/templates/page-syslog.html b/modules-available/syslog/templates/page-syslog.html
index 7ab81067..9d05d434 100644
--- a/modules-available/syslog/templates/page-syslog.html
+++ b/modules-available/syslog/templates/page-syslog.html
@@ -1,6 +1,3 @@
-<button type="button" class="btn btn-default pull-right" data-toggle="modal" data-target="#modal-settings">
-	<span class="glyphicon glyphicon-cog"></span> {{lang_settings}}
-</button>
 <style type="text/css">
 	.selectize-dropdown {
 		max-width: 500px;
@@ -76,29 +73,6 @@
 	</div>
 </div>
 
-<div id="modal-settings" class="modal fade" role="dialog">
-	<div class="modal-dialog">
-		<div class="modal-content">
-			<form method="post" action="?do=syslog">
-				<input type="hidden" name="token" value="{{token}}">
-				<div class="modal-header">
-					<button type="button" class="close" data-dismiss="modal">&times;</button>
-					<h4 class="modal-title"><b>{{lang_settings}}</b></h4>
-				</div>
-				<div class="modal-body">
-					<p>{{lang_anonDaysDescription}}</p>
-					<input type="number" name="anondays" value="{{anondays}}" min="0" max="180">
-				</div>
-				<div class="modal-footer">
-					<button type="button" class="btn btn-default" data-dismiss="modal">{{lang_cancel}}</button>
-					<button type="submit" class="btn btn-primary">{{lang_save}}</button>
-				</div>
-			</form>
-		</div>
-
-	</div>
-</div>
-
 <script type="application/javascript"><!--
 document.addEventListener('DOMContentLoaded', function () {
 
-- 
cgit v1.2.3-55-g7522


From 24815e16087b4b1b64e9f380d45d411af32daf42 Mon Sep 17 00:00:00 2001
From: Simon Rettberg
Date: Mon, 9 Apr 2018 16:56:04 +0200
Subject: Permissions: Consistency: Make all pages require at least one
 permission to be accessible

Closes #3340
---
 modules-available/backup/page.inc.php                 |  1 +
 modules-available/exams/page.inc.php                  |  9 +--------
 modules-available/locations/page.inc.php              | 19 +++++++++++++++----
 modules-available/news/page.inc.php                   | 10 ++--------
 modules-available/news/permissions/permissions.json   |  3 +++
 modules-available/rebootcontrol/page.inc.php          |  9 ++++++---
 modules-available/serversetup-bwlp/page.inc.php       |  6 ++++++
 .../serversetup-bwlp/permissions/permissions.json     |  3 +++
 modules-available/statistics_reporting/page.inc.php   |  1 +
 modules-available/sysconfig/page.inc.php              |  2 +-
 modules-available/syslog/page.inc.php                 |  1 +
 modules-available/systemstatus/page.inc.php           |  1 +
 modules-available/webinterface/page.inc.php           |  4 ++++
 .../webinterface/permissions/permissions.json         |  3 +++
 14 files changed, 48 insertions(+), 24 deletions(-)

(limited to 'modules-available/syslog/page.inc.php')

diff --git a/modules-available/backup/page.inc.php b/modules-available/backup/page.inc.php
index 14522734..985f39ee 100644
--- a/modules-available/backup/page.inc.php
+++ b/modules-available/backup/page.inc.php
@@ -23,6 +23,7 @@ class Page_Backup extends Page
 			User::assertPermission("restore");
 			$this->restore();
 		}
+		User::assertPermission('*');
 	}
 
 	protected function doRender()
diff --git a/modules-available/exams/page.inc.php b/modules-available/exams/page.inc.php
index 51975052..15640a73 100644
--- a/modules-available/exams/page.inc.php
+++ b/modules-available/exams/page.inc.php
@@ -441,16 +441,9 @@ class Page_Exams extends Page
 
 	protected function doRender()
 	{
-		if (Request::isPost()) {
-			$examid = Request::post('examid', 0, 'int');
-		} else if (Request::isGet()) {
-			$examid = Request::get('examid', 0, 'int');
-		} else {
-			die('Neither Post nor Get Request send.');
-		}
-
 		if ($this->action === "show") {
 
+			User::assertPermission('exams.view');
 			// General title and description
 			Render::addTemplate('page-main-heading');
 			// List of defined exam periods
diff --git a/modules-available/locations/page.inc.php b/modules-available/locations/page.inc.php
index 80a8076b..4d5c6628 100644
--- a/modules-available/locations/page.inc.php
+++ b/modules-available/locations/page.inc.php
@@ -24,6 +24,9 @@ class Page_Locations extends Page
 		} elseif ($this->action === 'updatesubnets') {
 			$this->updateSubnets();
 		}
+		if (Request::isPost()) {
+			Util::redirect('?do=locations');
+		}
 	}
 
 	private function updateSubnets()
@@ -306,10 +309,16 @@ class Page_Locations extends Page
 
 	protected function doRender()
 	{
-		$getAction = Request::get('action');
-		if (empty($getAction)) {
-			// Until we have a main landing page?
-			Util::redirect('?do=Locations&action=showlocations');
+		$getAction = Request::get('action', false, 'string');
+		if ($getAction === false) {
+			if (User::hasPermission('location.view')) {
+				Util::redirect('?do=locations&action=showlocations');
+			} elseif (User::hasPermission('subnets.edit')) {
+				Util::redirect('?do=locations&action=showsubnets');
+			} else {
+				// Trigger permission denied by asserting non-existent permission
+				User::assertPermission('location.view');
+			}
 		}
 		if ($getAction === 'showsubnets') {
 			User::assertPermission('subnets.edit', NULL, '?do=locations');
@@ -324,6 +333,8 @@ class Page_Locations extends Page
 			Render::addTemplate('subnets', array('list' => $rows));
 		} elseif ($getAction === 'showlocations') {
 			$this->showLocationList();
+		} else {
+			Util::redirect('?do=locations');
 		}
 	}
 
diff --git a/modules-available/news/page.inc.php b/modules-available/news/page.inc.php
index e7b70c0f..1e2e3eef 100644
--- a/modules-available/news/page.inc.php
+++ b/modules-available/news/page.inc.php
@@ -46,14 +46,8 @@ class Page_News extends Page
 
 		// check which action we need to do
 		$action = Request::any('action', 'show');
-		if ($action === 'clear') {
-			// clear news input fields
-			// TODO: is this the right way?
-			$this->newsId = false;
-			$this->newsTitle = false;
-			$this->newsContent = false;
-			$this->newsDate = false;
-		} elseif ($action === 'show') {
+		if ($action === 'show') {
+			User::assertPermission('access-page');
 			/* load latest things */
 			$this->loadLatest('help');
 			$this->loadLatest('news');
diff --git a/modules-available/news/permissions/permissions.json b/modules-available/news/permissions/permissions.json
index 0d9435d7..953599df 100644
--- a/modules-available/news/permissions/permissions.json
+++ b/modules-available/news/permissions/permissions.json
@@ -1,4 +1,7 @@
 {
+    "access-page": {
+        "location-aware": false
+    },
     "help.delete": {
         "location-aware": false
     },
diff --git a/modules-available/rebootcontrol/page.inc.php b/modules-available/rebootcontrol/page.inc.php
index abbdb2c3..041ae74f 100644
--- a/modules-available/rebootcontrol/page.inc.php
+++ b/modules-available/rebootcontrol/page.inc.php
@@ -79,11 +79,14 @@ class Page_RebootControl extends Page
 				//location you want to see, default are "not  assigned" clients
 				$requestedLocation = Request::get('location', false, 'int');
 				$allowedLocs = User::getAllowedLocations("action.*");
+				if (empty($allowedLocs)) {
+					User::assertPermission('action.*');
+				}
 
 				if ($requestedLocation === false) {
 					if (in_array(0, $allowedLocs)) {
 						$requestedLocation = 0;
-					} elseif (!empty($allowedLocs)) {
+					} else {
 						$requestedLocation = reset($allowedLocs);
 					}
 				}
@@ -105,8 +108,8 @@ class Page_RebootControl extends Page
 				Render::addTemplate('header', $data);
 
 				// only fill table if user has at least one permission for the location
-				if ($requestedLocation === false) {
-					Message::addError('main.no-permission');
+				if (!in_array($requestedLocation, $allowedLocs)) {
+					Message::addError('locations.no-permission-location', $requestedLocation);
 				} else {
 					$data['data'] = RebootQueries::getMachineTable($requestedLocation);
 					Render::addTemplate('_page', $data);
diff --git a/modules-available/serversetup-bwlp/page.inc.php b/modules-available/serversetup-bwlp/page.inc.php
index ae709da7..78096d7b 100644
--- a/modules-available/serversetup-bwlp/page.inc.php
+++ b/modules-available/serversetup-bwlp/page.inc.php
@@ -43,6 +43,12 @@ class Page_ServerSetup extends Page
 			// iPXE stuff changes
 			$this->updatePxeMenu();
 		}
+
+		if (Request::isPost()) {
+			Util::redirect('?do=serversetup');
+		}
+
+		User::assertPermission('access-page');
 	}
 
 	protected function doRender()
diff --git a/modules-available/serversetup-bwlp/permissions/permissions.json b/modules-available/serversetup-bwlp/permissions/permissions.json
index 6bae5422..44927506 100644
--- a/modules-available/serversetup-bwlp/permissions/permissions.json
+++ b/modules-available/serversetup-bwlp/permissions/permissions.json
@@ -1,4 +1,7 @@
 {
+    "access-page": {
+        "location-aware": false
+    },
     "download": {
         "location-aware": false
     },
diff --git a/modules-available/statistics_reporting/page.inc.php b/modules-available/statistics_reporting/page.inc.php
index af4b2b12..cc03e4d8 100644
--- a/modules-available/statistics_reporting/page.inc.php
+++ b/modules-available/statistics_reporting/page.inc.php
@@ -84,6 +84,7 @@ class Page_Statistics_Reporting extends Page
 				die(json_encode($report));
 			}
 		}
+		User::assertPermission('*');
 	}
 
 	/**
diff --git a/modules-available/sysconfig/page.inc.php b/modules-available/sysconfig/page.inc.php
index 7bb3e599..8d1799af 100644
--- a/modules-available/sysconfig/page.inc.php
+++ b/modules-available/sysconfig/page.inc.php
@@ -160,7 +160,7 @@ class Page_SysConfig extends Page
 			$pMods = User::hasPermission('module.view-list');
 			$pConfs = User::hasPermission('config.view-list');
 			if (!($pMods || $pConfs)) {
-				Message::addError('main.no-permission');
+				User::assertPermission('config.view-list');
 			}
 			Render::openTag('div', array('class' => 'row'));
 			if ($pConfs) {
diff --git a/modules-available/syslog/page.inc.php b/modules-available/syslog/page.inc.php
index 3a7513b5..00c55a3f 100644
--- a/modules-available/syslog/page.inc.php
+++ b/modules-available/syslog/page.inc.php
@@ -25,6 +25,7 @@ class Page_SysLog extends Page
 			}
 			Util::redirect('?do=syslog');
 		}
+		User::assertPermission('*');
 	}
 
 	protected function doRender()
diff --git a/modules-available/systemstatus/page.inc.php b/modules-available/systemstatus/page.inc.php
index 816caa05..66b30bcf 100644
--- a/modules-available/systemstatus/page.inc.php
+++ b/modules-available/systemstatus/page.inc.php
@@ -18,6 +18,7 @@ class Page_SystemStatus extends Page
 			User::assertPermission("serverreboot");
 			$this->rebootTask = Taskmanager::submit('Reboot');
 		}
+		User::assertPermission('*');
 	}
 
 	protected function doRender()
diff --git a/modules-available/webinterface/page.inc.php b/modules-available/webinterface/page.inc.php
index 806ffd59..ca52c2ab 100644
--- a/modules-available/webinterface/page.inc.php
+++ b/modules-available/webinterface/page.inc.php
@@ -28,6 +28,10 @@ class Page_WebInterface extends Page
 				$this->actionCustomization();
 				break;
 		}
+		if (Request::isPost()) {
+			Util::redirect('?do=webinterface');
+		}
+		User::assertPermission('access-page');
 	}
 
 	private function actionConfigureHttps()
diff --git a/modules-available/webinterface/permissions/permissions.json b/modules-available/webinterface/permissions/permissions.json
index fa6f493f..ed81602a 100644
--- a/modules-available/webinterface/permissions/permissions.json
+++ b/modules-available/webinterface/permissions/permissions.json
@@ -1,4 +1,7 @@
 {
+    "access-page": {
+        "location-aware": false
+    },
     "edit.design": {
         "location-aware": false
     },
-- 
cgit v1.2.3-55-g7522


From f37c95a560f0d2bac96e4b0e650d12691181b876 Mon Sep 17 00:00:00 2001
From: Simon Rettberg
Date: Tue, 7 Aug 2018 16:48:13 +0200
Subject: [syslog] Add user export feature

This will export all rows from tables that log user related content,
data, events, helping administrators to conform to DSGVO information requests.

Closes #3401
---
 modules-available/syslog/api.inc.php               | 39 ++++++++++++++++++++++
 .../syslog/lang/de/template-tags.json              |  4 +++
 .../syslog/lang/en/template-tags.json              |  4 +++
 modules-available/syslog/page.inc.php              |  2 +-
 .../syslog/permissions/permissions.json            |  3 ++
 modules-available/syslog/templates/heading.html    | 39 ++++++++++++++++++++--
 6 files changed, 87 insertions(+), 4 deletions(-)

(limited to 'modules-available/syslog/page.inc.php')

diff --git a/modules-available/syslog/api.inc.php b/modules-available/syslog/api.inc.php
index 18c42c31..945f9d09 100644
--- a/modules-available/syslog/api.inc.php
+++ b/modules-available/syslog/api.inc.php
@@ -1,5 +1,44 @@
 <?php
 
+// Check for user data export
+if (($user = Request::post('export-user', false, 'string')) !== false) {
+	User::load();
+	User::assertPermission('export-user-data', null, '?do=syslog');
+	if (!Util::verifyToken()) {
+		die('Invalid Token');
+	}
+	$puser = preg_quote($user);
+	$exp = "$puser logged|^\[$puser\]";
+	Header('Content-Type: text/plain; charset=utf-8');
+	Header('Content-Disposition: attachment; filename=bwlehrpool-export-' .Util::sanitizeFilename($user) . '-' . date('Y-m-d') . '.txt');
+	$srcs = [];
+	$srcs[] = ['res' => Database::simpleQuery("SELECT dateline, logtypeid AS typeid, clientip, description FROM clientlog
+		WHERE description REGEXP :exp
+		ORDER BY dateline ASC", ['exp' => $exp])];
+	if (Module::get('statistics') !== false) {
+		$srcs[] = ['res' => Database::simpleQuery("SELECT dateline, typeid, clientip, data AS description FROM statistic
+			WHERE username = :user
+			ORDER BY dateline ASC", ['user' => $user])];
+	}
+	echo "# Begin log\n";
+	for (;;) {
+		unset($best);
+		foreach ($srcs as &$src) {
+			if (!isset($src['row'])) {
+				$src['row'] = $src['res']->fetch(PDO::FETCH_ASSOC);
+			}
+			if ($src['row'] !== false && (!isset($best) || $src['row']['dateline'] < $best['dateline'])) {
+				$best =& $src['row'];
+			}
+		}
+		if (!isset($best))
+			break;
+		echo date('Y-m-d H:i:s', $best['dateline']), "\t", $best['typeid'], "\t", $best['clientip'], "\t", $best['description'], "\n";
+		$best = null; // so we repopulate on next iteration
+	}
+	die("# End log\n");
+}
+
 if (empty($_POST['type'])) die('Missing options.');
 $type = mb_strtolower($_POST['type']);
 
diff --git a/modules-available/syslog/lang/de/template-tags.json b/modules-available/syslog/lang/de/template-tags.json
index b5c6f8c7..c00d619a 100644
--- a/modules-available/syslog/lang/de/template-tags.json
+++ b/modules-available/syslog/lang/de/template-tags.json
@@ -5,8 +5,12 @@
     "lang_clientLog": "Client Log",
     "lang_details": "Details",
     "lang_event": "Ereignis",
+    "lang_export": "Exportieren",
+    "lang_exportUserDesc": "Mit dieser Funktion k\u00f6nnen Sie alle in der Datenbank vorhandenen Datens\u00e4tze zu einem bestimmten Benutzer exportieren. Bitte geben Sie den Benutzernamen genau so ein, wie ihn der Nutzer beim Login am Client angeben muss.",
     "lang_filter": "Filter",
     "lang_not": "not",
     "lang_settings": "Einstellungen",
+    "lang_userExport": "Nutzer-Export",
+    "lang_userLogin": "Benutzer-Login",
     "lang_when": "Wann"
 }
\ No newline at end of file
diff --git a/modules-available/syslog/lang/en/template-tags.json b/modules-available/syslog/lang/en/template-tags.json
index 1aae1fe9..24e9aaa1 100644
--- a/modules-available/syslog/lang/en/template-tags.json
+++ b/modules-available/syslog/lang/en/template-tags.json
@@ -5,8 +5,12 @@
     "lang_clientLog": "Client Log",
     "lang_details": "Details",
     "lang_event": "Event",
+    "lang_export": "Export",
+    "lang_exportUserDesc": "This exports all data from the database relating to the given user login. Please specify the user name exactly the way they would provide it when logging in on a client.",
     "lang_filter": "Filter",
     "lang_not": "not",
     "lang_settings": "Settings",
+    "lang_userExport": "User export",
+    "lang_userLogin": "User login",
     "lang_when": "When"
 }
\ No newline at end of file
diff --git a/modules-available/syslog/page.inc.php b/modules-available/syslog/page.inc.php
index 00c55a3f..6c1a0a16 100644
--- a/modules-available/syslog/page.inc.php
+++ b/modules-available/syslog/page.inc.php
@@ -31,7 +31,7 @@ class Page_SysLog extends Page
 	protected function doRender()
 	{
 		$data = ['anondays' => Property::get(self::PROP_ANON_DAYS, 0)];
-		Permission::addGlobalTags($data['perms'], NULL, ['configure-anonymization']);
+		Permission::addGlobalTags($data['perms'], NULL, ['configure-anonymization', 'export-user-data']);
 		Render::addTemplate("heading", $data);
 
 		if (!User::hasPermission("view")) {
diff --git a/modules-available/syslog/permissions/permissions.json b/modules-available/syslog/permissions/permissions.json
index cabf82f9..1f2373d4 100644
--- a/modules-available/syslog/permissions/permissions.json
+++ b/modules-available/syslog/permissions/permissions.json
@@ -4,5 +4,8 @@
     },
     "configure-anonymization": {
         "location-aware": false
+    },
+    "export-user-data": {
+        "location-aware": false
     }
 }
\ No newline at end of file
diff --git a/modules-available/syslog/templates/heading.html b/modules-available/syslog/templates/heading.html
index 2ab1a848..8dd3d440 100644
--- a/modules-available/syslog/templates/heading.html
+++ b/modules-available/syslog/templates/heading.html
@@ -1,7 +1,13 @@
 <div class="page-header">
-	<button type="button" class="btn btn-default pull-right" data-toggle="modal" data-target="#modal-settings">
-		<span class="glyphicon glyphicon-cog"></span> {{lang_settings}}
-	</button>
+	<span class="buttonbar pull-right">
+		<button type="button" class="btn btn-default" data-toggle="modal" data-target="#modal-export" {{perms.export-user-data.disabled}}>
+			<span class="glyphicon glyphicon-export"></span>
+			{{lang_userExport}}
+		</button>
+		<button type="button" class="btn btn-default" data-toggle="modal" data-target="#modal-settings">
+			<span class="glyphicon glyphicon-cog"></span> {{lang_settings}}
+		</button>
+	</span>
 
 	<div id="modal-settings" class="modal fade" role="dialog">
 		<div class="modal-dialog">
@@ -31,5 +37,32 @@
 		</div>
 	</div>
 
+	<div id="modal-export" class="modal fade" role="dialog">
+		<div class="modal-dialog">
+			<div class="modal-content">
+				<form method="post" action="api.php?do=syslog">
+					<input type="hidden" name="token" value="{{token}}">
+					<div class="modal-header">
+						<button type="button" class="close" data-dismiss="modal">&times;</button>
+						<h4 class="modal-title"><b>{{lang_userExport}}</b></h4>
+					</div>
+					<div class="modal-body">
+						<p>{{lang_exportUserDesc}}</p>
+						<label for="export-user-name">{{lang_userLogin}}</label>
+						<input id="export-user-name" type="text" name="export-user" class="form-control" style="width:100%">
+					</div>
+					<div class="modal-footer">
+						<button type="button" class="btn btn-default" data-dismiss="modal">{{lang_cancel}}</button>
+						<button type="submit" class="btn btn-primary">
+							<span class="glyphicon glyphicon-export"></span>
+							{{lang_export}}
+						</button>
+					</div>
+				</form>
+			</div>
+
+		</div>
+	</div>
+
 	<h1>{{lang_clientLog}}</h1>
 </div>
\ No newline at end of file
-- 
cgit v1.2.3-55-g7522