Changeset 29074


Timestamp:
Jul 25, 2014, 11:10:49 AM (10 years ago)
Author:
plg
Message:

bug 3104: fewer rights for admins (compared to webmaster). Now an admin can't:

  • delete a webmaster
  • give webmaster/admin status to any user
  • change status of a webmaster/admin
Location:
trunk
Files:
3 edited

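--- a/trunk/admin/themes/default/template/user_list.tpl
+++ b/trunk/admin/themes/default/template/user_list.tpl
@@ -34,4 +34,10 @@
   'true':"{'Yes'|translate}",
   'false':"{'No'|translate}",
+};
+
+var statusLabels = {
+{foreach from=$label_of_status key=status item=label}
+  '{$status}' : '{$label|escape:javascript}',
+{/foreach}
 };
 {/footer_script}
@@ -261,9 +267,5 @@
           user.email = user.email || '';
          
-          jQuery("#action select[name=status] option").each(function() {
-            if (user.status == jQuery(this).val()) {
-              user.statusLabel = jQuery(this).html();
-            }
-          });
+          user.statusLabel = statusLabels[user.status];
          
                      /* Render the underscore template */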
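Review bot: `user.statusLabel = statusLabels[user.status];` yields `undefined` whenever the status returned for a user is not a key of `statusLabels`, and that value then reaches the underscore template as the literal text "undefined", whereas the removed `option` loop simply left the field unset in that case. A fallback in the style of the `user.email` line just above, `user.statusLabel = statusLabels[user.status] || '';`, keeps the rendering well-defined. In the new `statusLabels` literal the value goes through `escape:javascript` but the key `'{$status}'` does not; the keys appear to come from the `status` enum of USER_INFOS_TABLE (see user_list.php in this changeset), so this is harmless today, but escaping the key the same way costs nothing. Whether the template HTML-escapes `statusLabel` on output is not visible here.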
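--- a/trunk/admin/user_list.php
+++ b/trunk/admin/user_list.php
@@ -100,4 +100,16 @@
   );
 
+// an admin can't delete other admin/webmaster
+if ('admin' == $user['status'])
+{
+  $query = '
+SELECT
+    user_id
+  FROM '.USER_INFOS_TABLE.'
+  WHERE status IN (\'webmaster\', \'admin\')
+;';
+  $protected_users = array_merge($protected_users, query2array($query, null, 'user_id'));
+}
+
 $template->assign(
   array(
@@ -118,10 +130,17 @@
 foreach (get_enums(USER_INFOS_TABLE, 'status') as $status)
 {
-  // Only status <= can be assign
-  if (is_autorize_status(get_access_type_status($status)))
-  {
-    $pref_status_options[$status] = l10n('user_status_'.$status);
-  }
+  $label_of_status[$status] = l10n('user_status_'.$status);
 }
+
+$pref_status_options = $label_of_status;
+
+// a simple "admin" can set/remove statuses webmaster/admin
+if ('admin' == $user['status'])
+{
+  unset($pref_status_options['webmaster']);
+  unset($pref_status_options['admin']);
+}
+
+$template->assign('label_of_status', $label_of_status);
 $template->assign('pref_status_options', $pref_status_options);
 $template->assign('pref_status_selected', 'normal');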
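Review bot: The comment `// a simple "admin" can set/remove statuses webmaster/admin` added at new line 137 states the opposite of what the two `unset()` calls below it do; it should read `// a simple "admin" can't set/remove statuses webmaster/admin`. The `SELECT user_id FROM USER_INFOS_TABLE WHERE status IN ('webmaster', 'admin')` block added at new lines 105-111 is repeated verbatim twice more in pwg.users.php in this changeset (the delete hunk and the status-change hunk); a small helper in admin/include/functions.php returning those ids would keep the three copies from drifting when the privileged set changes. Removing entries from `$pref_status_options` only shapes the select list shown to the admin; the check that actually enforces the rule is the one in the web service, which this changeset adds separately, so the two should stay in step.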
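--- a/trunk/include/ws_functions/pwg.users.php
+++ b/trunk/include/ws_functions/pwg.users.php
@@ -326,23 +326,37 @@
   include_once(PHPWG_ROOT_PATH.'admin/include/functions.php');
 
+  $protected_users = array(
+    $user['id'],
+    $conf['guest_id'],
+    $conf['default_user_id'],
+    $conf['webmaster_id'],
+    );
+
+  // an admin can't delete other admin/webmaster
+  if ('admin' == $user['status'])
+  {
+    $query = '
+SELECT
+    user_id
+  FROM '.USER_INFOS_TABLE.'
+  WHERE status IN (\'webmaster\', \'admin\')
+;';
+    $protected_users = array_merge($protected_users, query2array($query, null, 'user_id'));
+  }
+ 
   // protect some users
-  $params['user_id'] = array_diff(
-    $params['user_id'],
-    array(
-      $user['id'],
-      $conf['guest_id'],
-      $conf['default_user_id'],
-      $conf['webmaster_id'],
-      )
-    );
-
+  $params['user_id'] = array_diff($params['user_id'], $protected_users);
+
+  $counter = 0;
+ 
   foreach ($params['user_id'] as $user_id)
   {
     delete_user($user_id);
+    $counter++;
   }
 
   return l10n_dec(
     '%d user deleted', '%d users deleted',
-    count($params['user_id'])
+    $counter
     );
 }
@@ -419,23 +433,35 @@
   if (!empty($params['status']))
   {
-    if ( $params['status'] == 'webmaster' and !is_webmaster() )
-    {
-      return new PwgError(403, 'Only webmasters can grant "webmaster" status');
-    }
+    if (in_array($params['status'], array('webmaster', 'admin')) and !is_webmaster() )
+    {
+      return new PwgError(403, 'Only webmasters can grant "webmaster/admin" status');
+    }
+   
     if ( !in_array($params['status'], array('guest','generic','normal','admin','webmaster')) )
     {
       return new PwgError(WS_ERR_INVALID_PARAM, 'Invalid status');
+    }
+
+    $protected_users = array(
+      $user['id'],
+      $conf['guest_id'],
+      $conf['webmaster_id'],
+      );
+
+    // an admin can't change status of other admin/webmaster
+    if ('admin' == $user['status'])
+    {
+      $query = '
+SELECT
+    user_id
+  FROM '.USER_INFOS_TABLE.'
+  WHERE status IN (\'webmaster\', \'admin\')
+;';
+      $protected_users = array_merge($protected_users, query2array($query, null, 'user_id'));
     }
 
     // status update query is separated from the rest as not applying to the same
     // set of users (current, guest and webmaster can't be changed)
-    $params['user_id_for_status'] = array_diff(
-      $params['user_id'],
-      array(
-        $user['id'],
-        $conf['guest_id'],
-        $conf['webmaster_id'],
-        )
-      );
+    $params['user_id_for_status'] = array_diff($params['user_id'], $protected_users);
 
     $update_status = $params['status'];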
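Review bot: The new grant check `in_array($params['status'], array('webmaster', 'admin'))` at new line 435 is a loose comparison; under the PHP 5/7 rules in force for this code a non-string `$params['status']` (boolean `true`, for instance) compares equal to those strings, and the same applies to the unchanged validity check on the following lines, so the third argument should be set: `in_array($params['status'], array('webmaster', 'admin'), true)`. Whether the web service layer already coerces `status` to a string before this function runs is not visible here. The context comment `// set of users (current, guest and webmaster can't be changed)` directly above the new `array_diff` no longer describes `$protected_users`, which for an admin caller also holds every admin/webmaster id; `// set of users (current, guest, webmaster and, for a non-webmaster caller, every admin/webmaster can't be changed)` keeps it accurate. The enclosing function starts before this hunk and continues after it.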