From bac67141633eddcc8980467cd107f5e0a6b231f6 Mon Sep 17 00:00:00 2001
From: Christian Hofmaier
Date: Fri, 26 Jan 2018 19:56:42 +0100
Subject: [systemstatus] implemented permission-system. alot of show-permissions to view things. and a server-reboot permission.
---
 modules-available/systemstatus/permissions/permissions.json | 13 +++++++++++++
 1 file changed, 13 insertions(+)
 create mode 100644 modules-available/systemstatus/permissions/permissions.json
(limited to 'modules-available/systemstatus/permissions')
diff --git a/modules-available/systemstatus/permissions/permissions.json b/modules-available/systemstatus/permissions/permissions.json
new file mode 100644
index 00000000..0333564b
--- /dev/null
+++ b/modules-available/systemstatus/permissions/permissions.json
@@ -0,0 +1,13 @@
+[
+ "show.overview.diskstat",
+ "show.overview.services",
+ "show.overview.adresses",
+ "show.overview.systeminfo",
+ "show.overview.dmsdusers",
+ "show.logs.bwlpserver",
+ "show.logs.netstat",
+ "show.logs.pslist",
+ "show.logs.ldapad",
+ "show.logs.lighttpd",
+ "serverreboot"
+]
\ No newline at end of file
--
cgit v1.2.3-55-g7522
From a8b0095b335780ae0bb950bc44021215d43a6b2d Mon Sep 17 00:00:00 2001
From: Simon Rettberg Date: Mon, 12 Feb 2018 14:17:07 +0100 Subject: [permissionmanager] Introduce "location-aware" flag for permissions This flag tells wether the permission can be restricted to certain locations in a meaningful way. This flag has to be set in the permissions.json of the according module. For example, the permission to reboot the server cannot be limited to certain locations in a meaningful way, while the view of the client log can be filtered to only show log entries for clients in specific locations. --- .../backup/permissions/permissions.json | 12 +++-- .../permissions/permissions.json | 24 +++++++--- .../dozmod/permissions/permissions.json | 52 ++++++++++++++++------ .../eventlog/permissions/permissions.json | 8 ++-- .../exams/permissions/permissions.json | 13 +++--- .../internetaccess/permissions/permissions.json | 8 ++-- .../locations/permissions/permissions.json | 32 +++++++++---- .../minilinux/permissions/permissions.json | 12 +++-- .../news/permissions/permissions.json | 20 ++++++--- .../permissionmanager/inc/permissionutil.inc.php | 9 ++-- modules-available/permissionmanager/page.inc.php | 21 +++++---- modules-available/permissionmanager/style.css | 28 ++++++------ .../permissionmanager/templates/roleeditor.html | 42 +++++++---------- .../permissionmanager/templates/treenode.html | 23 +++++----- .../permissionmanager/templates/treepanel.html | 2 +- .../rebootcontrol/permissions/permissions.json | 16 ++++--- .../serversetup-bwlp/permissions/permissions.json | 16 ++++--- .../statistics/permissions/permissions.json | 16 ++++--- .../permissions/permissions.json | 36 ++++++++++----- .../syslog/permissions/permissions.json | 8 ++-- .../systemstatus/permissions/permissions.json | 48 ++++++++++++++------ .../vmstore/permissions/permissions.json | 16 ++++--- .../webinterface/permissions/permissions.json | 16 ++++--- 23 files changed, 309 insertions(+), 169 deletions(-) (limited to 'modules-available/systemstatus/permissions') 
diff --git a/modules-available/backup/permissions/permissions.json b/modules-available/backup/permissions/permissions.json
index feeffe33..1f778ab6 100644
--- a/modules-available/backup/permissions/permissions.json
+++ b/modules-available/backup/permissions/permissions.json
@@ -1,4 +1,8 @@
-[
- "create",
- "restore"
-]
\ No newline at end of file
+{
+ "create": {
+ "location-aware": false
+ },
+ "restore": {
+ "location-aware": false
+ }
+}
\ No newline at end of file
diff --git a/modules-available/baseconfig_partitions_cdn/permissions/permissions.json b/modules-available/baseconfig_partitions_cdn/permissions/permissions.json
index 286a975b..3acd5230 100644
--- a/modules-available/baseconfig_partitions_cdn/permissions/permissions.json
+++ b/modules-available/baseconfig_partitions_cdn/permissions/permissions.json
@@ -1,7 +1,17 @@
-[
- "show",
- "partitions.add",
- "partitions.delete",
- "partitions.edit",
- "partitions.reset"
-]
\ No newline at end of file
+{
+ "partitions.add": {
+ "location-aware": false
+ },
+ "partitions.delete": {
+ "location-aware": false
+ },
+ "partitions.edit": {
+ "location-aware": false
+ },
+ "partitions.reset": {
+ "location-aware": false
+ },
+ "show": {
+ "location-aware": false
+ }
+}
\ No newline at end of file
diff --git a/modules-available/dozmod/permissions/permissions.json b/modules-available/dozmod/permissions/permissions.json
index e8dfb558..b4ff034b 100644
--- a/modules-available/dozmod/permissions/permissions.json
+++ b/modules-available/dozmod/permissions/permissions.json
@@ -1,14 +1,38 @@
-[
- "images.delete",
- "mail.save",
- "mail.testmail",
- "runtimeconfig.save",
- "templates.save",
- "templates.reset",
- "users.setmail",
- "users.setlogin",
- "users.setsu",
- "users.orglogin",
- "log.showuser",
- "log.showtarget"
-]
\ No newline at end of file
+{
+ "images.delete": {
+ "location-aware": false
+ },
+ "log.showtarget": {
+ "location-aware": false
+ },
+ "log.showuser": {
+ "location-aware": false
+ },
+ "mail.save": {
+ "location-aware": false
+ },
+ "mail.testmail": {
+ "location-aware": false
+ },
+ "runtimeconfig.save": {
+ "location-aware": false
+ },
+ "templates.reset": {
+ "location-aware": false
+ },
+ "templates.save": {
+ "location-aware": false
+ },
+ "users.orglogin": {
+ "location-aware": false
+ },
+ "users.setlogin": {
+ "location-aware": false
+ },
+ "users.setmail": {
+ "location-aware": false
+ },
+ "users.setsu": {
+ "location-aware": false
+ }
+}
\ No newline at end of file
diff --git a/modules-available/eventlog/permissions/permissions.json b/modules-available/eventlog/permissions/permissions.json
index f04ea714..a1748957 100644
--- a/modules-available/eventlog/permissions/permissions.json
+++ b/modules-available/eventlog/permissions/permissions.json
@@ -1,3 +1,5 @@
-[
- "view"
-]
\ No newline at end of file
+{
+ "view": {
+ "location-aware": false
+ }
+}
\ No newline at end of file
diff --git a/modules-available/exams/permissions/permissions.json b/modules-available/exams/permissions/permissions.json
index 215b3399..e44974b6 100644
--- a/modules-available/exams/permissions/permissions.json
+++ b/modules-available/exams/permissions/permissions.json
@@ -1,5 +1,8 @@
-[
- "exams.add",
- "exams.delete",
- "exams.edit"
-]
\ No newline at end of file
+{
+ "exams.edit": {
+ "location-aware": true
+ },
+ "exams.view": {
+ "location-aware": true
+ }
+}
\ No newline at end of file
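Review bot: The exams hunk drops `exams.add` and `exams.delete` and introduces `exams.view`, which goes beyond adding the `location-aware` flag the commit message describes; any stored role grants or `hasPermission` checks that still use the removed ids would silently stop matching, and nobody would hold `exams.view` until it is granted. If the rename is intentional, the commit message should say so and the exams module's checks should be updated in the same change; otherwise keep the original ids alongside the new flag. I cannot see the exams module code or the role store from here, so this is inferred from the ids alone.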
diff --git a/modules-available/internetaccess/permissions/permissions.json b/modules-available/internetaccess/permissions/permissions.json
index 67998da7..09652e51 100644
--- a/modules-available/internetaccess/permissions/permissions.json
+++ b/modules-available/internetaccess/permissions/permissions.json
@@ -1,3 +1,5 @@
-[
- "configuration.safe"
-]
\ No newline at end of file
+{
+ "configuration.safe": {
+ "location-aware": false
+ }
+}
\ No newline at end of file
diff --git a/modules-available/locations/permissions/permissions.json b/modules-available/locations/permissions/permissions.json
index 609a673a..06b01d2c 100644
--- a/modules-available/locations/permissions/permissions.json
+++ b/modules-available/locations/permissions/permissions.json
@@ -1,9 +1,23 @@
-[
- "location.view",
- "location.edit",
- "location.add",
- "location.delete",
- "subnet.edit",
- "subnet.add",
- "subnet.delete"
-]
\ No newline at end of file
+{
+ "location.add": {
+ "location-aware": false
+ },
+ "location.delete": {
+ "location-aware": false
+ },
+ "location.edit": {
+ "location-aware": false
+ },
+ "location.view": {
+ "location-aware": false
+ },
+ "subnet.add": {
+ "location-aware": false
+ },
+ "subnet.delete": {
+ "location-aware": false
+ },
+ "subnet.edit": {
+ "location-aware": false
+ }
+}
\ No newline at end of file
diff --git a/modules-available/minilinux/permissions/permissions.json b/modules-available/minilinux/permissions/permissions.json
index 457d9810..650f7e71 100644
--- a/modules-available/minilinux/permissions/permissions.json
+++ b/modules-available/minilinux/permissions/permissions.json
@@ -1,4 +1,8 @@
-[
- "show",
- "update"
-]
\ No newline at end of file
+{
+ "show": {
+ "location-aware": false
+ },
+ "update": {
+ "location-aware": false
+ }
+}
\ No newline at end of file
diff --git a/modules-available/news/permissions/permissions.json b/modules-available/news/permissions/permissions.json
index 321e73ea..0d9435d7 100644
--- a/modules-available/news/permissions/permissions.json
+++ b/modules-available/news/permissions/permissions.json
@@ -1,6 +1,14 @@
-[
- "news.save",
- "news.delete",
- "help.save",
- "help.delete"
-]
\ No newline at end of file
+{
+ "help.delete": {
+ "location-aware": false
+ },
+ "help.save": {
+ "location-aware": false
+ },
+ "news.delete": {
+ "location-aware": false
+ },
+ "news.save": {
+ "location-aware": false
+ }
+}
\ No newline at end of file
diff --git a/modules-available/permissionmanager/inc/permissionutil.inc.php b/modules-available/permissionmanager/inc/permissionutil.inc.php
index 5ff41046..3daf422e 100644
--- a/modules-available/permissionmanager/inc/permissionutil.inc.php
+++ b/modules-available/permissionmanager/inc/permissionutil.inc.php
@@ -100,9 +100,9 @@ class PermissionUtil
 if (!is_array($data)) continue;
 preg_match('#^modules/([^/]+)/#', $file, $out);
- foreach( $data as $p ) {
+ foreach( $data as $p => $data) {
 $description = Dictionary::translateFileModule($out[1], "permissions", $p);
- self::putInPermissionTree($out[1].".".$p, $description, $permissions);
+ self::putInPermissionTree($out[1].".".$p, $data['location-aware'], $description, $permissions);
 }
 }
 ksort($permissions);
@@ -120,10 +120,11 @@ class PermissionUtil
 * Place a permission into the given permission tree.
 *
 * @param string $permission the permission to place in the tree
+ * @param bool $locationAware whether this permissions can be restricted to specific locations only
 * @param string $description the description of the permission
 * @param array $tree the permission tree to modify
 */
- private static function putInPermissionTree($permission, $description, &$tree)
+ private static function putInPermissionTree($permission, $locationAware, $description, &$tree)
 {
 $subPermissions = explode('.', $permission);
 foreach ($subPermissions as $subPermission) {
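Review bot: `foreach( $data as $p => $data)` reuses `$data` as both the array being iterated and the per-element value, so after the loop `$data` no longer holds the decoded file and a reader cannot tell which `$data` the call on the next added line refers to; rename the element, e.g. `foreach ($data as $p => $info) {` and pass `$info['location-aware']`. The new `$data['location-aware']` access also has no fallback, so a permissions.json entry that omits the flag raises an undefined-index notice and passes null, which then silently reads as "not location-aware"; `!empty($info['location-aware'])` makes that default explicit and avoids the notice. The enclosing method starts before the hunk.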
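Review bot: The added docblock line has a grammar slip and a misplaced qualifier: `whether this permissions can be restricted to specific locations only` should read `@param bool $locationAware whether this permission can be restricted to specific locations`. Since the value comes straight out of a module's JSON file with no validation on the new signature, it is worth stating in the same docblock that callers are expected to pass a real bool.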
@@ -134,6 +135,6 @@ class PermissionUtil
 $tree =& $tree[$subPermission];
 }
 }
- $tree = $description;
+ $tree = array('description' => $description, 'location-aware' => $locationAware, 'isLeaf' => true);
 }
 }
\ No newline at end of file
diff --git a/modules-available/permissionmanager/page.inc.php b/modules-available/permissionmanager/page.inc.php
index 13d81c6a..bb8482af 100644
--- a/modules-available/permissionmanager/page.inc.php
+++ b/modules-available/permissionmanager/page.inc.php
@@ -100,18 +100,21 @@ class Page_PermissionManager extends Page
 $toplevel = $permString == "";
 if ($toplevel && in_array("*", $selectedPermissions)) $selectAll = true;
 foreach ($permissions as $k => $v) {
- $leaf = !is_array($v);
+ $leaf = isset($v['isLeaf']) && $v['isLeaf'];
 $nextPermString = $permString ? $permString.".".$k : $k;
 $id = $leaf ? $nextPermString : $nextPermString.".*";
 $selected = $selectAll || in_array($id, $selectedPermissions);
- $res .= Render::parse("treenode",
- array("id" => $id,
- "name" => $toplevel ? Module::get($k)->getDisplayName() : $k,
- "toplevel" => $toplevel,
- "checkboxname" => "permissions",
- "selected" => $selected,
- "HTML" => $leaf ? "" : self::generatePermissionHTML($v, $selectedPermissions, $selected, $nextPermString),
- "description" => $leaf ? $v : ""));
+ $data = array("id" => $id,
+ "name" => $toplevel ? Module::get($k)->getDisplayName() : $k,
+ "toplevel" => $toplevel,
+ "checkboxname" => "permissions",
+ "selected" => $selected,
+ "HTML" => $leaf ? "" : self::generatePermissionHTML($v, $selectedPermissions, $selected, $nextPermString),
+ );
+ if ($leaf) {
+ $data += $v;
+ }
+ $res .= Render::parse("treenode", $data);
 }
 if ($toplevel) {
 $res = Render::parse("treepanel",
diff --git a/modules-available/permissionmanager/style.css b/modules-available/permissionmanager/style.css
index 49d631a8..9c39af64 100644
--- a/modules-available/permissionmanager/style.css
+++ b/modules-available/permissionmanager/style.css
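Review bot: The leaf written by `$tree = array('description' => $description, 'location-aware' => $locationAware, 'isLeaf' => true);` shares its key namespace with permission segments, because intermediate nodes of the same `$tree` are keyed by segment name; a module that declares a permission whose last segment is `isLeaf`, `description` or `location-aware` would overwrite or be mistaken for metadata, and the page.inc.php hunk's new `$leaf = isset($v['isLeaf']) && $v['isLeaf'];` would then misclassify that node. Rejecting those three reserved names when the tree is built, or keeping children under a single dedicated key so metadata and segments never mix, closes the gap. None of the permissions.json files visible here use such a segment, so this is an edge case rather than a live bug. The enclosing methods start before their hunks.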
@@ -55,28 +55,28 @@ background-color: rgba(0, 182, 41, 0.23); } -.tree-container { - -moz-column-gap: 20px; - -webkit-column-gap: 20px; - column-gap: 20px; -} - - .tree-container > ul { display: inline-block; width: 100%; padding: 0; } -@media (max-width: 767px) { - .tree-container { - -moz-column-count: 1; - -webkit-column-count: 1; - column-count: 1; - } +.tree-container > ul > li > div > label { + font-weight: bold; +} + +.tree-container { + -moz-column-gap: 20px; + -webkit-column-gap: 20px; + column-gap: 20px; + -moz-column-count: 1; + -webkit-column-count: 1; + column-count: 1; + padding-left: 20px; + padding-right: 20px; } -@media (min-width: 768px) and (max-width: 991px) { +@media (min-width: 768px) { .tree-container { -moz-column-count: 2; -webkit-column-count: 2; diff --git a/modules-available/permissionmanager/templates/roleeditor.html b/modules-available/permissionmanager/templates/roleeditor.html index 871fd0cc..eadce027 100644 --- a/modules-available/permissionmanager/templates/roleeditor.html +++ b/modules-available/permissionmanager/templates/roleeditor.html @@ -4,32 +4,24 @@ -
', htmlspecialchars(substr($data, $start), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'), ''; + } + if (strlen($data) < 5990) { + $start = 0; } else { - echo "No permission to view this section."; + $start = strpos($data, "\n") + 1; } + echo '
', htmlspecialchars(substr($data, $start), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'), ''; } protected function ajaxLighttpdLog() { - if (User::hasPermission("show.logs.lighttpd")) { - $fh = @fopen('/var/log/lighttpd/error.log', 'r'); + User::assertPermission("tab.lighttpdlog"); + $fh = @fopen('/var/log/lighttpd/error.log', 'r'); + if ($fh === false) { + echo 'Error opening log file'; + return; + } + fseek($fh, -6000, SEEK_END); + $data = fread($fh, 6000); + @fclose($fh); + if ($data === false) { + echo 'Error reading from log file'; + return; + } + // If we could read less, try the .1 file too + $amount = 6000 - strlen($data); + if ($amount > 100) { + $fh = @fopen('/var/log/lighttpd/error.log.1', 'r'); + if ($fh !== false) { + fseek($fh, -$amount, SEEK_END); + $data = fread($fh, $amount) . $data; + @fclose($fh); + } + } + if (strlen($data) < 5990) { + $start = 0; + } else { + $start = strpos($data, "\n") + 1; + } + echo '
', htmlspecialchars(substr($data, $start), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'), ''; + } + + protected function ajaxLdadpLog() + { + User::assertPermission("tab.ldadplog"); + $haveSysconfig = Module::isAvailable('sysconfig'); + $files = glob('/var/log/ldadp/*.log', GLOB_NOSORT); + if ($files === false || empty($files)) echo('No logs found'); + $now = time(); + foreach ($files as $file) { + $mod = filemtime($file); + if ($now - $mod > 86400) continue; + // New enough - handle + preg_match(',/(\d+)\.log,', $file, $out); + $module = $haveSysconfig ? ConfigModule::get($out[1]) : false; + if ($module === false) { + echo '
Error opening log file'; + continue; } - fseek($fh, -6000, SEEK_END); - $data = fread($fh, 6000); + fseek($fh, -5000, SEEK_END); + $data = fread($fh, 5000); @fclose($fh); if ($data === false) { - echo 'Error reading from log file'; - return; - } - // If we could read less, try the .1 file too - $amount = 6000 - strlen($data); - if ($amount > 100) { - $fh = @fopen('/var/log/lighttpd/error.log.1', 'r'); - if ($fh !== false) { - fseek($fh, -$amount, SEEK_END); - $data = fread($fh, $amount) . $data; - @fclose($fh); - } + echo '
Error reading from log file'; + continue; } - if (strlen($data) < 5990) { + if (strlen($data) < 4990) { $start = 0; } else { $start = strpos($data, "\n") + 1; } echo '
', htmlspecialchars(substr($data, $start), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'), ''; - } else { - echo "No permission to view this section."; - } - - } - - protected function ajaxLdadpLog() - { - if (User::hasPermission("show.logs.ldapad")) { - $haveSysconfig = Module::isAvailable('sysconfig'); - $files = glob('/var/log/ldadp/*.log', GLOB_NOSORT); - if ($files === false || empty($files)) echo('No logs found'); - $now = time(); - foreach ($files as $file) { - $mod = filemtime($file); - if ($now - $mod > 86400) continue; - // New enough - handle - preg_match(',/(\d+)\.log,', $file, $out); - $module = $haveSysconfig ? ConfigModule::get($out[1]) : false; - if ($module === false) { - echo '
Error opening log file'; - continue; - } - fseek($fh, -5000, SEEK_END); - $data = fread($fh, 5000); - @fclose($fh); - if ($data === false) { - echo '
Error reading from log file'; - continue; - } - if (strlen($data) < 4990) { - $start = 0; - } else { - $start = strpos($data, "\n") + 1; - } - echo '
', htmlspecialchars(substr($data, $start), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'), ''; - } - } else { - echo "No permission to view this section."; } } protected function ajaxNetstat() { - if(User::hasPermission("show.logs.netstat")) { - $taskId = Taskmanager::submit('Netstat'); - if ($taskId === false) - return; - $status = Taskmanager::waitComplete($taskId, 3500); + User::assertPermission("tab.netstat"); + $taskId = Taskmanager::submit('Netstat'); + if ($taskId === false) + return; + $status = Taskmanager::waitComplete($taskId, 3500); - if (isset($status['data']['messages'])) - $data = $status['data']['messages']; - else - $data = 'Taskmanager error'; - - echo '
', htmlspecialchars($data, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'), ''; - } else { - echo "No permission to view this section."; - } + if (isset($status['data']['messages'])) + $data = $status['data']['messages']; + else + $data = 'Taskmanager error'; + echo '
', htmlspecialchars($data, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'), ''; } protected function ajaxPsList() { - if (User::hasPermission("show.logs.pslist")) { - $taskId = Taskmanager::submit('PsList'); - if ($taskId === false) - return; - $status = Taskmanager::waitComplete($taskId, 3500); - - if (isset($status['data']['messages'])) - $data = $status['data']['messages']; - else - $data = 'Taskmanager error'; + User::assertPermission("tab.pslist"); + $taskId = Taskmanager::submit('PsList'); + if ($taskId === false) + return; + $status = Taskmanager::waitComplete($taskId, 3500); - echo '
', htmlspecialchars($data, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'), ''; - } else { - echo "No permission to view this section."; - } + if (isset($status['data']['messages'])) + $data = $status['data']['messages']; + else + $data = 'Taskmanager error'; + echo '
', htmlspecialchars($data, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'), ''; } private function usageColor($percent)
diff --git a/modules-available/systemstatus/permissions/permissions.json b/modules-available/systemstatus/permissions/permissions.json
index 8324f708..29e26b5e 100644
--- a/modules-available/systemstatus/permissions/permissions.json
+++ b/modules-available/systemstatus/permissions/permissions.json
@@ -2,22 +2,22 @@
 "serverreboot": {
 "location-aware": false
 },
- "show.logs.bwlpserver": {
+ "tab.dmsdlog": {
 "location-aware": false
 },
- "show.logs.ldapad": {
+ "tab.netstat": {
 "location-aware": false
 },
- "show.logs.lighttpd": {
+ "tab.pslist": {
 "location-aware": false
 },
- "show.logs.netstat": {
+ "tab.ldadplog": {
 "location-aware": false
 },
- "show.logs.pslist": {
+ "tab.lighttpdlog": {
 "location-aware": false
 },
- "show.overview.adresses": {
+ "show.overview.addresses": {
 "location-aware": false
 },
 "show.overview.diskstat": {
diff --git a/modules-available/systemstatus/templates/_page.html b/modules-available/systemstatus/templates/_page.html
index 715fd233..59fffa3a 100644
--- a/modules-available/systemstatus/templates/_page.html
+++ b/modules-available/systemstatus/templates/_page.html
@@ -11,11 +11,20 @@
 {{#tabs}}
+ {{^enabled}}
+
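Review bot: Renaming the `show.logs.*` keys to `tab.*` (and `show.overview.adresses` to `show.overview.addresses`) changes the identifiers that roles are granted against, and nothing in this hunk migrates existing grants, so a role that holds `show.logs.netstat` would no longer confer access to `tab.netstat` while the stale id lingers in the role store. If the permission manager persists ids as strings, an update step that rewrites the old ids to the new ones, or at least a note in the commit message that administrators must re-grant them, would keep the rename from silently revoking access. The role storage is not visible here, so this is inferred from the ids alone.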