added new security model
This commit is contained in:
parent
4bb25a5c17
commit
4808d138fd
@ -3,6 +3,7 @@
|
|||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
@ -41,7 +42,22 @@ Account modules can now have icons. See <span style="font-weight: bold;">baseMod
|
|||
|
||||
<br>
|
||||
<h3>Constructors</h3>
|
||||
LAM now uses the PHP5 syntax for constructors: <span style="font-weight: bold;">__construct()</span><br>
|
||||
LAM now uses the PHP5 syntax for constructors: <span style="font-weight: bold;">__construct()<br>
|
||||
<br>
|
||||
</span>
|
||||
<h3>Extended security model</h3>
|
||||
Each server profile now defines an access level.<br>
|
||||
<br>
|
||||
Currently these are:<br>
|
||||
<ul>
|
||||
<li>write access</li>
|
||||
<li>password changes</li>
|
||||
<li>read access<br>
|
||||
</li>
|
||||
</ul>
|
||||
<span style="font-weight: bold;"></span> Please check your code and prohibit any actions which do not fit the current access level.<br>
|
||||
There are two new functions in <span style="font-style: italic;">security.inc</span>: <span style="font-weight: bold;">checkIfWriteAccessIsAllowed()</span> and <span style="font-weight: bold;">checkIfPasswordChangeIsAllowed()</span><br>
|
||||
Only LAM Pro allows to change the access level from <span style="font-style: italic;">write access</span> to a smaller level.<br>
|
||||
<br>
|
||||
<br>
|
||||
|
||||
|
|
|
@ -162,6 +162,10 @@ function metaRefresh($page) {
|
|||
* @package configuration
|
||||
*/
|
||||
class LAMConfig {
|
||||
|
||||
const ACCESS_ALL = 100;
|
||||
const ACCESS_PASSWORD_CHANGE = 20;
|
||||
const ACCESS_READ_ONLY = 0;
|
||||
|
||||
/** Server address (e.g. ldap://127.0.0.1:389) */
|
||||
private $ServerURL;
|
||||
|
@ -213,11 +217,13 @@ class LAMConfig {
|
|||
|
||||
/** Name of configuration file */
|
||||
private $file;
|
||||
|
||||
private $accessLevel = 100;
|
||||
|
||||
/** List of all settings in config file */
|
||||
private $settings = array("ServerURL", "Passwd", "Admins", "treesuffix",
|
||||
"defaultLanguage", "scriptPath", "scriptServer", "scriptRights", "cachetimeout",
|
||||
"modules", "activeTypes", "types");
|
||||
"modules", "activeTypes", "types", "accessLevel");
|
||||
|
||||
|
||||
/**
|
||||
|
@ -360,6 +366,7 @@ class LAMConfig {
|
|||
if (!in_array("scriptRights", $saved)) array_push($file_array, "\n\n# Access rights for home directories\n" . "scriptRights: " . $this->scriptRights . "\n");
|
||||
if (!in_array("cachetimeout", $saved)) array_push($file_array, "\n\n# Number of minutes LAM caches LDAP searches.\n" . "cacheTimeout: " . $this->cachetimeout . "\n");
|
||||
if (!in_array("activeTypes", $saved)) array_push($file_array, "\n\n# List of active account types.\n" . "activeTypes: " . $this->activeTypes . "\n");
|
||||
if (!in_array("accessLevel", $saved)) array_push($file_array, "\n\n# Access level for this profile.\n" . "accessLevel: " . $this->accessLevel . "\n");
|
||||
// check if all module settings were added
|
||||
$m_settings = array_keys($this->moduleSettings);
|
||||
for ($i = 0; $i < sizeof($m_settings); $i++) {
|
||||
|
@ -846,6 +853,24 @@ class LAMConfig {
|
|||
return $this->typeSettings;
|
||||
}
|
||||
|
||||
/**
|
||||
* Returns the access level for this profile.
|
||||
*
|
||||
* @return int level
|
||||
*/
|
||||
public function getAccessLevel() {
|
||||
return $this->accessLevel;
|
||||
}
|
||||
|
||||
/**
|
||||
* Sets the access level for this profile.
|
||||
*
|
||||
* @param int $level level
|
||||
*/
|
||||
public function setAccessLevel($level) {
|
||||
$this->accessLevel = $level;
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
|
||||
|
@ -1010,7 +1035,7 @@ class LAMCfgMain {
|
|||
private function hashPassword($password, $salt) {
|
||||
return "{SSHA}" . base64_encode(hex2bin(sha1($password . $salt))) . " " . base64_encode($salt);
|
||||
}
|
||||
|
||||
|
||||
}
|
||||
|
||||
?>
|
||||
|
|
|
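Review bot: setAccessLevel() at the end of the LAMConfig hunk stores whatever it is given, so the value that later decides write access can be a non-numeric string or an undefined level, and nothing in this class reports that; since the sibling setters such as set_cacheTimeout() return false on bad input, this one should validate against the three constants and return a boolean the same way (callers that ignore the return value keep working). Whether the config-file loader assigns `accessLevel` through this setter or writes the property directly is not visible here, so the security.inc checks should not rely on this validation alone. Two smaller points: `private $accessLevel = 100;` should read `private $accessLevel = self::ACCESS_ALL;` so the default cannot drift from the constant, and the three constants and the property have no docblock — a one-liner such as `/** Full write access to LDAP (default) */` on each would make the ordering (100 > 20 > 0) intentional rather than accidental.
```php
/**
 * Sets the access level for this profile.
 *
 * @param int $level one of ACCESS_ALL, ACCESS_PASSWORD_CHANGE, ACCESS_READ_ONLY
 * @return boolean true if the level was valid and stored, false otherwise (value unchanged)
 */
public function setAccessLevel($level) {
	$allowed = array(self::ACCESS_ALL, self::ACCESS_PASSWORD_CHANGE, self::ACCESS_READ_ONLY);
	// reject anything that is not exactly one of the defined levels; keep the current value
	if (!is_numeric($level) || !in_array((int) $level, $allowed, true)) {
		return false;
	}
	$this->accessLevel = (int) $level;
	return true;
}
```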
@ -179,4 +179,34 @@ function logNewMessage($level, $message) {
|
|||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Checks if write access to LDAP is allowed.
|
||||
*
|
||||
* @return boolean true, if allowed
|
||||
*/
|
||||
function checkIfWriteAccessIsAllowed() {
|
||||
if (!isset($_SESSION['config'])) {
|
||||
return false;
|
||||
}
|
||||
if ($_SESSION['config']->getAccessLevel() >= LAMConfig::ACCESS_ALL) {
|
||||
return true;
|
||||
}
|
||||
return false;
|
||||
}
|
||||
|
||||
/**
|
||||
* Checks if passwords may be changed.
|
||||
*
|
||||
* @return boolean true, if allowed
|
||||
*/
|
||||
function checkIfPasswordChangeIsAllowed() {
|
||||
if (!isset($_SESSION['config'])) {
|
||||
return false;
|
||||
}
|
||||
if ($_SESSION['config']->getAccessLevel() >= LAMConfig::ACCESS_PASSWORD_CHANGE) {
|
||||
return true;
|
||||
}
|
||||
return false;
|
||||
}
|
||||
|
||||
?>
|
|
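Review bot: Both checks compare getAccessLevel() with `>=` against an int, but the level comes from the config file (a string) or from an unvalidated setter, so the result depends on PHP's loose int/string comparison — on PHP 8 a non-numeric string compares as a string and is greater than "100", which would grant write access to a profile with a garbled `accessLevel:` entry, whereas older PHP treated it as 0. Cast before comparing so that anything unparseable falls to read-only: `if ((int) $_SESSION['config']->getAccessLevel() >= LAMConfig::ACCESS_ALL) {` and likewise `if ((int) $_SESSION['config']->getAccessLevel() >= LAMConfig::ACCESS_PASSWORD_CHANGE) {`. The fail-closed return when `$_SESSION['config']` is unset is right; it is worth stating in the docblocks, e.g. `* Returns false when no server profile is loaded in the session (fail closed).`, since the ordering ACCESS_ALL > ACCESS_PASSWORD_CHANGE > ACCESS_READ_ONLY is what makes the two thresholds meaningful and is not obvious from this file.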
@ -190,6 +190,42 @@ echo "<img src=\"../../graphics/help.png\" alt=\"" . _('Help') . "\" title=\"" .
|
|||
echo "</a>\n";
|
||||
echo "</td></tr>\n";
|
||||
|
||||
// access level is only visible in Pro version
|
||||
if (isLAMProVersion()) {
|
||||
// new line
|
||||
echo ("<tr><td colspan=3> </td></tr>");
|
||||
|
||||
// access level
|
||||
echo ("<tr><td align=\"right\"><b>".
|
||||
_("Access level") . ": </b></td>".
|
||||
"<td><select tabindex=\"$tabindex\" name=\"accessLevel\">\n");
|
||||
if ($conf->getAccessLevel() == LAMConfig::ACCESS_ALL) {
|
||||
echo("<option selected value=" . LAMConfig::ACCESS_ALL . ">" . _('Write access') . "</option>\n");
|
||||
}
|
||||
else {
|
||||
echo("<option value=" . LAMConfig::ACCESS_ALL . ">" . _('Write access') . "</option>\n");
|
||||
}
|
||||
if ($conf->getAccessLevel() == LAMConfig::ACCESS_PASSWORD_CHANGE) {
|
||||
echo("<option selected value=" . LAMConfig::ACCESS_PASSWORD_CHANGE . ">" . _('Change passwords') . "</option>\n");
|
||||
}
|
||||
else {
|
||||
echo("<option value=" . LAMConfig::ACCESS_PASSWORD_CHANGE . ">" . _('Change passwords') . "</option>\n");
|
||||
}
|
||||
if ($conf->getAccessLevel() == LAMConfig::ACCESS_READ_ONLY) {
|
||||
echo("<option selected value=" . LAMConfig::ACCESS_READ_ONLY . ">" . _('Read only') . "</option>\n");
|
||||
}
|
||||
else {
|
||||
echo("<option value=" . LAMConfig::ACCESS_READ_ONLY . ">" . _('Read only') . "</option>\n");
|
||||
}
|
||||
echo ("</select></td>\n");
|
||||
$tabindex++;
|
||||
echo "<td>";
|
||||
echo "<a href=\"../help.php?HelpNumber=214\" target=\"lamhelp\">";
|
||||
echo "<img src=\"../../graphics/help.png\" alt=\"" . _('Help') . "\" title=\"" . _('Help') . "\">";
|
||||
echo "</a>\n";
|
||||
echo "</td></tr>\n";
|
||||
}
|
||||
|
||||
echo ("</table>");
|
||||
echo ("</fieldset>");
|
||||
|
||||
|
@ -460,6 +496,9 @@ function saveSettings() {
|
|||
if (!$conf->set_cacheTimeout($_POST['cachetimeout'])) {
|
||||
$errors[] = array("ERROR", _("Cache timeout is invalid!"));
|
||||
}
|
||||
if (isLAMProVersion()) {
|
||||
$conf->setAccessLevel($_POST['accessLevel']);
|
||||
}
|
||||
$adminText = $_POST['admins'];
|
||||
$adminText = explode("\n", $adminText);
|
||||
$adminTextNew = array();
|
||||
|
|
|
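Review bot: In saveSettings(), `$conf->setAccessLevel($_POST['accessLevel']);` passes the raw request value straight into the profile that is then written to disk, without checking that the field is present or that it is one of the three defined levels, and unlike the cache-timeout line just above it no error is reported on bad input. The select only offers 100/20/0, but a crafted POST can store any string, and that string later drives checkIfWriteAccessIsAllowed(); validate it here and add an error entry like the neighbouring ones (the new message string would need a translation entry, which this commit cannot show). saveSettings() begins outside the hunk, so `$errors` is assumed to be the array used by the surrounding checks.
```php
if (isLAMProVersion()) {
	$validLevels = array(LAMConfig::ACCESS_ALL, LAMConfig::ACCESS_PASSWORD_CHANGE, LAMConfig::ACCESS_READ_ONLY);
	// only the three defined levels are acceptable; anything else is rejected, not stored
	if (!isset($_POST['accessLevel']) || !ctype_digit((string) $_POST['accessLevel'])
			|| !in_array((int) $_POST['accessLevel'], $validLevels, true)) {
		$errors[] = array("ERROR", _("Access level is invalid!"));
	}
	else {
		$conf->setAccessLevel((int) $_POST['accessLevel']);
	}
}
```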
@ -50,47 +50,53 @@ echo "<body>\n";
|
|||
|
||||
// list of tools and descriptions
|
||||
$tools = array();
|
||||
|
||||
// profile editor
|
||||
$tools[] = array(
|
||||
"name" => _("Profile editor"),
|
||||
"description" => _("Here you can manage your account profiles."),
|
||||
"link" => "profedit/profilemain.php"
|
||||
);
|
||||
$pEditor = new LAMTool();
|
||||
$pEditor->name = _("Profile editor");
|
||||
$pEditor->description = _("Here you can manage your account profiles.");
|
||||
$pEditor->link = "profedit/profilemain.php";
|
||||
$pEditor->requiresWriteAccess = true;
|
||||
$tools[] = $pEditor;
|
||||
|
||||
// file upload
|
||||
$tools[] = array(
|
||||
"name" => _("File upload"),
|
||||
"description" => _("Creates accounts by uploading a CSV formated file."),
|
||||
"link" => "masscreate.php"
|
||||
);
|
||||
$fUpload = new LAMTool();
|
||||
$fUpload->name = _("File upload");
|
||||
$fUpload->description = _("Creates accounts by uploading a CSV formated file.");
|
||||
$fUpload->link = "masscreate.php";
|
||||
$fUpload->requiresWriteAccess = true;
|
||||
$tools[] = $fUpload;
|
||||
|
||||
// OU editor
|
||||
$tools[] = array(
|
||||
"name" => _("OU editor"),
|
||||
"description" => _("Manages OU objects in your LDAP tree."),
|
||||
"link" => "ou_edit.php"
|
||||
);
|
||||
$ouEditor = new LAMTool();
|
||||
$ouEditor->name = _("OU editor");
|
||||
$ouEditor->description = _("Manages OU objects in your LDAP tree.");
|
||||
$ouEditor->link = "ou_edit.php";
|
||||
$ouEditor->requiresWriteAccess = true;
|
||||
$tools[] = $ouEditor;
|
||||
|
||||
// PDF editor
|
||||
$tools[] = array(
|
||||
"name" => _("PDF editor"),
|
||||
"description" => _("This tool allows you to customize the PDF pages."),
|
||||
"link" => "pdfedit/pdfmain.php"
|
||||
);
|
||||
$pdfEditor = new LAMTool();
|
||||
$pdfEditor->name = _("PDF editor");
|
||||
$pdfEditor->description = _("This tool allows you to customize the PDF pages.");
|
||||
$pdfEditor->link = "pdfedit/pdfmain.php";
|
||||
$pdfEditor->requiresWriteAccess = true;
|
||||
$tools[] = $pdfEditor;
|
||||
|
||||
// schema browser
|
||||
$tools[] = array(
|
||||
"name" => _("Schema browser"),
|
||||
"description" => _("Here you can browse LDAP object classes and attributes."),
|
||||
"link" => "schema/schema.php"
|
||||
);
|
||||
$sBrowser = new LAMTool();
|
||||
$sBrowser->name = _("Schema browser");
|
||||
$sBrowser->description = _("Here you can browse LDAP object classes and attributes.");
|
||||
$sBrowser->link = "schema/schema.php";
|
||||
$tools[] = $sBrowser;
|
||||
|
||||
// tests
|
||||
$tools[] = array(
|
||||
"name" => _("Tests"),
|
||||
"description" => _("Here you can test if certain LAM features work on your installation."),
|
||||
"link" => "tests/index.php"
|
||||
);
|
||||
$tests = new LAMTool();
|
||||
$tests->name = _("Tests");
|
||||
$tests->description = _("Here you can test if certain LAM features work on your installation.");
|
||||
$tests->link = "tests/index.php";
|
||||
$tests->requiresWriteAccess = true;
|
||||
$tools[] = $tests;
|
||||
|
||||
echo "<p> </p>\n";
|
||||
|
||||
|
@ -98,14 +104,22 @@ echo "<p> </p>\n";
|
|||
echo "<table class=\"userlist\" rules=\"none\">\n";
|
||||
|
||||
for ($i = 0; $i < sizeof($tools); $i++) {
|
||||
// check access level
|
||||
if ($tools[$i]->requiresWriteAccess && !checkIfWriteAccessIsAllowed()) {
|
||||
continue;
|
||||
}
|
||||
if ($tools[$i]->requiresPasswordChanges && !checkIfPasswordChangeIsAllowed()) {
|
||||
continue;
|
||||
}
|
||||
// print tool
|
||||
echo "<tr class=\"userlist\">\n";
|
||||
echo "<td> </td>\n";
|
||||
echo "<td><br>";
|
||||
echo "<a href=\"" . $tools[$i]['link'] . "\" target=\"mainpart\"><b>" . $tools[$i]['name'] . "</b></a>";
|
||||
echo "<a href=\"" . $tools[$i]->link . "\" target=\"mainpart\"><b>" . $tools[$i]->name . "</b></a>";
|
||||
echo "<br><br></td>\n";
|
||||
echo "<td> </td>\n";
|
||||
echo "<td>";
|
||||
echo $tools[$i]['description'];
|
||||
echo $tools[$i]->description;
|
||||
echo "</td>\n";
|
||||
echo "<td> </td>\n";
|
||||
echo "</tr>\n";
|
||||
|
@ -117,4 +131,29 @@ echo "</table>\n";
|
|||
echo "</body>\n";
|
||||
echo "</html>\n";
|
||||
|
||||
/**
|
||||
* Represents a tool.
|
||||
*
|
||||
* @author Roland Gruber
|
||||
* @package tools
|
||||
*/
|
||||
class LAMTool {
|
||||
|
||||
/** name of the tool */
|
||||
public $name;
|
||||
|
||||
/** description text */
|
||||
public $description;
|
||||
|
||||
/** link to tool page (relative to templates/) */
|
||||
public $link;
|
||||
|
||||
/** tool requires write access to LDAP */
|
||||
public $requiresWriteAccess = false;
|
||||
|
||||
/** tool requires password change rights */
|
||||
public $requiresPasswordChanges = false;
|
||||
|
||||
}
|
||||
|
||||
?>
|
||||
|
|
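Review bot: The `requiresWriteAccess` filter in the listing loop only hides the link; the target pages (profedit/profilemain.php, masscreate.php, ou_edit.php, pdfedit/pdfmain.php, tests/index.php) remain reachable by typing the URL unless each of them calls checkIfWriteAccessIsAllowed() itself, and this commit does not show such checks — the new developer note in the HTML file also leaves that to every module author. A comment on the loop should make the limitation explicit so nobody reads this as enforcement: `// NOTE: this only hides the menu entry; each tool page must itself call checkIfWriteAccessIsAllowed()`. On the LAMTool class, the two flags would benefit from saying what they gate, e.g. `/** tool is hidden from the listing unless the profile grants LAMConfig::ACCESS_ALL; the page must enforce this itself */`. Also, `requiresPasswordChanges` is declared and checked but no tool in this file sets it, which is fine for now but worth a `@see checkIfPasswordChangeIsAllowed()` so its threshold (ACCESS_PASSWORD_CHANGE) is discoverable.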