From 4808d138fd35eab4b18d7304fa9cf8ddb3567394 Mon Sep 17 00:00:00 2001
From: Roland Gruber
Date: Sun, 30 Dec 2007 12:32:48 +0000
Subject: [PATCH] added new security model

---
 lam/docs/devel/upgrade.htm | 18 +++++-
 lam/lib/config.inc | 29 ++++++++-
 lam/lib/security.inc | 30 +++++++++
 lam/templates/config/confmain.php | 39 +++++++++++
 lam/templates/tools.php | 103 ++++++++++++++++++++----------
 5 files changed, 184 insertions(+), 35 deletions(-)

diff --git a/lam/docs/devel/upgrade.htm b/lam/docs/devel/upgrade.htm
index 6daff78f..00a7ee3e 100644
--- a/lam/docs/devel/upgrade.htm
+++ b/lam/docs/devel/upgrade.htm
@@ -3,6 +3,7 @@
+
@@ -41,7 +42,22 @@ Account modules can now have icons. See baseMod

Constructors

-LAM now uses the PHP5 syntax for constructors: __construct()
+LAM now uses the PHP5 syntax for constructors: __construct()
+
+
+

Extended security model

+Each server profile now defines an access level.
+
+Currently these are:
+ + Please check your code and prohibit any actions which do not fit the current access level.
+There are two new functions in security.inc: checkIfWriteAccessIsAllowed() and checkIfPasswordChangeIsAllowed()
+Only LAM Pro allows to change the access level from write access to a smaller level.


diff --git a/lam/lib/config.inc b/lam/lib/config.inc
index 41027b71..d36c841c 100644
--- a/lam/lib/config.inc
+++ b/lam/lib/config.inc
@@ -162,6 +162,10 @@ function metaRefresh($page) {
 * @package configuration
 */
 class LAMConfig {
+
+ const ACCESS_ALL = 100;
+ const ACCESS_PASSWORD_CHANGE = 20;
+ const ACCESS_READ_ONLY = 0;
 /** Server address (e.g. ldap://127.0.0.1:389) */
 private $ServerURL;
@@ -213,11 +217,13 @@ class LAMConfig {
 /** Name of configuration file */
 private $file;
+
+ private $accessLevel = 100;
 /** List of all settings in config file */
 private $settings = array("ServerURL", "Passwd", "Admins", "treesuffix", "defaultLanguage", "scriptPath", "scriptServer", "scriptRights", "cachetimeout",
- "modules", "activeTypes", "types");
+ "modules", "activeTypes", "types", "accessLevel");
 /**
@@ -360,6 +366,7 @@ class LAMConfig {
 if (!in_array("scriptRights", $saved)) array_push($file_array, "\n\n# Access rights for home directories\n" . "scriptRights: " . $this->scriptRights . "\n");
 if (!in_array("cachetimeout", $saved)) array_push($file_array, "\n\n# Number of minutes LAM caches LDAP searches.\n" . "cacheTimeout: " . $this->cachetimeout . "\n");
 if (!in_array("activeTypes", $saved)) array_push($file_array, "\n\n# List of active account types.\n" . "activeTypes: " . $this->activeTypes . "\n");
+ if (!in_array("accessLevel", $saved)) array_push($file_array, "\n\n# Access level for this profile.\n" . "accessLevel: " . $this->accessLevel . "\n");
 // check if all module settings were added
 $m_settings = array_keys($this->moduleSettings);
 for ($i = 0; $i < sizeof($m_settings); $i++) {
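Review bot: `private $accessLevel = 100;` in the hunk at -213 is the only property in this class without a `/** */` comment and it repeats the literal that the hunk at -162 just named `ACCESS_ALL`. Suggest `/** Access level of this profile, one of the ACCESS_* constants; defaults to full access so profiles saved before this setting existed keep their previous rights */ private $accessLevel = self::ACCESS_ALL;`. The three `ACCESS_*` constants also carry no comment stating that a higher value includes the rights of the lower ones, which is what the `>=` checks added to security.inc in this commit assume. Whether an older profile file really falls back to this default depends on the loader, which is not in the hunk.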
@@ -846,6 +853,24 @@ class LAMConfig {
 return $this->typeSettings;
 }
+ /**
+ * Returns the access level for this profile.
+ *
+ * @return int level
+ */
+ public function getAccessLevel() {
+ return $this->accessLevel;
+ }
+
+ /**
+ * Sets the access level for this profile.
+ *
+ * @param int $level level
+ */
+ public function setAccessLevel($level) {
+ $this->accessLevel = $level;
+ }
+
 }
@@ -1010,7 +1035,7 @@ class LAMCfgMain {
 private function hashPassword($password, $salt) {
 return "{SSHA}" . base64_encode(hex2bin(sha1($password . $salt))) . " " . base64_encode($salt);
 }
-
+
 }
 ?>
diff --git a/lam/lib/security.inc b/lam/lib/security.inc
index 68ba51cd..c3e56290 100644
--- a/lam/lib/security.inc
+++ b/lam/lib/security.inc
@@ -179,4 +179,34 @@ function logNewMessage($level, $message) {
 }
 }
+/**
+ * Checks if write access to LDAP is allowed.
+ *
+ * @return boolean true, if allowed
+ */
+function checkIfWriteAccessIsAllowed() {
+ if (!isset($_SESSION['config'])) {
+ return false;
+ }
+ if ($_SESSION['config']->getAccessLevel() >= LAMConfig::ACCESS_ALL) {
+ return true;
+ }
+ return false;
+}
+
+/**
+ * Checks if passwords may be changed.
+ *
+ * @return boolean true, if allowed
+ */
+function checkIfPasswordChangeIsAllowed() {
+ if (!isset($_SESSION['config'])) {
+ return false;
+ }
+ if ($_SESSION['config']->getAccessLevel() >= LAMConfig::ACCESS_PASSWORD_CHANGE) {
+ return true;
+ }
+ return false;
+}
+
 ?>
\ No newline at end of file
diff --git a/lam/templates/config/confmain.php b/lam/templates/config/confmain.php
index b4f9a9df..cf526004 100644
--- a/lam/templates/config/confmain.php
+++ b/lam/templates/config/confmain.php
@@ -190,6 +190,42 @@ echo "\""\n";
 echo "\n";
+// access level is only visible in Pro version
+if (isLAMProVersion()) {
+ // new line
+ echo (" ");
+
+ // access level
+ echo ("".
+ _("Access level") . ": ".
+ "\n");
+ $tabindex++;
+ echo "";
+ echo "";
+ echo "\""";
+ echo "\n";
+ echo "\n";
+}
+
 echo ("");
 echo ("");
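Review bot: `setAccessLevel($level)` stores its argument without checking it against the three `ACCESS_*` constants declared on this class, and unlike `set_cacheTimeout()` (compare its caller in the saveSettings() hunk of confmain.php) it gives the caller no way to learn that a value was rejected. The level is the only input to the write and password checks in security.inc, and the save path in the hunk at -360 writes whatever is stored into the profile file, so a value such as `"abc"` or `150` would be persisted as-is. The setter is the natural place to reject anything but a known level; if the profile loader (not in the hunk) assigns the property directly, the same check belongs there too. Proposed replacement, keeping the signature and returning a boolean like the other setters:
```php
	/**
	 * Sets the access level for this profile.
	 *
	 * @param int $level one of LAMConfig::ACCESS_ALL, ACCESS_PASSWORD_CHANGE, ACCESS_READ_ONLY
	 * @return boolean true if the level was accepted, false if it was rejected and left unchanged
	 */
	public function setAccessLevel($level) {
		$allowed = array(self::ACCESS_ALL, self::ACCESS_PASSWORD_CHANGE, self::ACCESS_READ_ONLY);
		// the value may arrive as a string (form field, profile file); compare as int, but only accept known levels
		if (!is_numeric($level) || !in_array((int) $level, $allowed, true)) {
			return false;
		}
		$this->accessLevel = (int) $level;
		return true;
	}
```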
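Review bot: Both new functions compare `getAccessLevel()` with an int constant using `>=`, but the level is written to the profile file as text by config.inc's save path and `setAccessLevel()` stores whatever it receives, so at runtime the comparison is presumably string-versus-int and relies on PHP's loose comparison rules, whose handling of non-numeric strings changed in later PHP releases. Making the cast explicit removes that dependency and shortens each function to a single statement: `return isset($_SESSION['config']) && ((int) $_SESSION['config']->getAccessLevel() >= LAMConfig::ACCESS_ALL);`, with `ACCESS_PASSWORD_CHANGE` as the threshold in checkIfPasswordChangeIsAllowed(). The two functions differ only in that threshold, so a shared helper taking the required level would avoid the duplication. These functions only answer the question; as the upgrade notes in this commit say, every page that writes to LDAP still has to call them.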
@@ -460,6 +496,9 @@ function saveSettings() {
 if (!$conf->set_cacheTimeout($_POST['cachetimeout'])) {
 $errors[] = array("ERROR", _("Cache timeout is invalid!"));
 }
+ if (isLAMProVersion()) {
+ $conf->setAccessLevel($_POST['accessLevel']);
+ }
 $adminText = $_POST['admins'];
 $adminText = explode("\n", $adminText);
 $adminTextNew = array();
diff --git a/lam/templates/tools.php b/lam/templates/tools.php
index 1d52c0fc..57218058 100644
--- a/lam/templates/tools.php
+++ b/lam/templates/tools.php
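Review bot: `$conf->setAccessLevel($_POST['accessLevel']);` passes the raw form value straight through, while the `set_cacheTimeout()` call two lines above validates its input and reports an error; an absent or arbitrary value is accepted here and ends up in the profile file. Since this value decides the profile's write rights, it should be checked against the three `LAMConfig::ACCESS_*` constants before it is stored and rejected the same way the cache timeout is. saveSettings() continues outside the hunk.
```php
	if (isLAMProVersion()) {
		$allowedLevels = array(LAMConfig::ACCESS_ALL, LAMConfig::ACCESS_PASSWORD_CHANGE, LAMConfig::ACCESS_READ_ONLY);
		// the form field arrives as a string; accept exactly one of the known levels
		if (!isset($_POST['accessLevel']) || !ctype_digit($_POST['accessLevel'])
			|| !in_array((int) $_POST['accessLevel'], $allowedLevels, true)) {
			$errors[] = array("ERROR", _("Access level is invalid!"));
		}
		else {
			$conf->setAccessLevel((int) $_POST['accessLevel']);
		}
	}
```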
@@ -50,47 +50,53 @@ echo "\n";
 // list of tools and descriptions
 $tools = array();
+
 // profile editor
-$tools[] = array(
- "name" => _("Profile editor"),
- "description" => _("Here you can manage your account profiles."),
- "link" => "profedit/profilemain.php"
- );
+$pEditor = new LAMTool();
+$pEditor->name = _("Profile editor");
+$pEditor->description = _("Here you can manage your account profiles.");
+$pEditor->link = "profedit/profilemain.php";
+$pEditor->requiresWriteAccess = true;
+$tools[] = $pEditor;
 // file upload
-$tools[] = array(
- "name" => _("File upload"),
- "description" => _("Creates accounts by uploading a CSV formated file."),
- "link" => "masscreate.php"
- );
+$fUpload = new LAMTool();
+$fUpload->name = _("File upload");
+$fUpload->description = _("Creates accounts by uploading a CSV formated file.");
+$fUpload->link = "masscreate.php";
+$fUpload->requiresWriteAccess = true;
+$tools[] = $fUpload;
 // OU editor
-$tools[] = array(
- "name" => _("OU editor"),
- "description" => _("Manages OU objects in your LDAP tree."),
- "link" => "ou_edit.php"
- );
+$ouEditor = new LAMTool();
+$ouEditor->name = _("OU editor");
+$ouEditor->description = _("Manages OU objects in your LDAP tree.");
+$ouEditor->link = "ou_edit.php";
+$ouEditor->requiresWriteAccess = true;
+$tools[] = $ouEditor;
 // PDF editor
-$tools[] = array(
- "name" => _("PDF editor"),
- "description" => _("This tool allows you to customize the PDF pages."),
- "link" => "pdfedit/pdfmain.php"
- );
+$pdfEditor = new LAMTool();
+$pdfEditor->name = _("PDF editor");
+$pdfEditor->description = _("This tool allows you to customize the PDF pages.");
+$pdfEditor->link = "pdfedit/pdfmain.php";
+$pdfEditor->requiresWriteAccess = true;
+$tools[] = $pdfEditor;
 // schema browser
-$tools[] = array(
- "name" => _("Schema browser"),
- "description" => _("Here you can browse LDAP object classes and attributes."),
- "link" => "schema/schema.php"
- );
+$sBrowser = new LAMTool();
+$sBrowser->name = _("Schema 
browser");
+$sBrowser->description = _("Here you can browse LDAP object classes and attributes.");
+$sBrowser->link = "schema/schema.php";
+$tools[] = $sBrowser;
 // tests
-$tools[] = array(
- "name" => _("Tests"),
- "description" => _("Here you can test if certain LAM features work on your installation."),
- "link" => "tests/index.php"
- );
+$tests = new LAMTool();
+$tests->name = _("Tests");
+$tests->description = _("Here you can test if certain LAM features work on your installation.");
+$tests->link = "tests/index.php";
+$tests->requiresWriteAccess = true;
+$tools[] = $tests;
 echo "

 

\n";
@@ -98,14 +104,22 @@ echo "
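Review bot: The `requiresWriteAccess = true` assignments are where each tool's access-control decision is made, and the schema browser is the only tool left at the class default, so a reader cannot tell whether that omission is deliberate. A one-line comment on that block, `// read-only tool: listed at every access level`, would record the intent. The same question arises for `$tests->requiresWriteAccess = true;`, which hides the self-tests from read-only profiles although nothing in the hunk shows them writing to LDAP; a short comment giving the reason would help there as well.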

 

\n";
 echo "\n";
 for ($i = 0; $i < sizeof($tools); $i++) {
+ // check access level
+ if ($tools[$i]->requiresWriteAccess && !checkIfWriteAccessIsAllowed()) {
+ continue;
+ }
+ if ($tools[$i]->requiresPasswordChanges && !checkIfPasswordChangeIsAllowed()) {
+ continue;
+ }
+ // print tool
 echo "\n";
 echo "\n";
 echo "\n";
 echo "\n";
 echo "\n";
 echo "\n";
 echo "\n";
@@ -117,4 +131,29 @@ echo "
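Review bot: The two `continue` statements only drop a link from the tools list; the pages behind `$tools[$i]->link` stay reachable by URL, so this loop is presentation rather than enforcement, and each linked page must call `checkIfWriteAccessIsAllowed()` / `checkIfPasswordChangeIsAllowed()` itself, as the upgrade notes in this commit require. A comment at the check would keep later readers from mistaking it for the protection, e.g. `// hides the link only; the tool page itself must re-check the access level`. As a point of style, `foreach ($tools as $tool)` would replace the repeated `$tools[$i]` lookups, but that is cosmetic.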
   
";
- echo "" . $tools[$i]['name'] . "";
+ echo "link . "\" target=\"mainpart\">" . $tools[$i]->name . "";
 echo "

     ";
- echo $tools[$i]['description'];
+ echo $tools[$i]->description;
 echo "   
\n";
 echo "\n";
 echo "\n";
+/**
+ * Represents a tool.
+ *
+ * @author Roland Gruber
+ * @package tools
+ */
+class LAMTool {
+
+ /** name of the tool */
+ public $name;
+
+ /** description text */
+ public $description;
+
+ /** link to tool page (relative to templates/) */
+ public $link;
+
+ /** tool requires write access to LDAP */
+ public $requiresWriteAccess = false;
+
+ /** tool requires password change rights */
+ public $requiresPasswordChanges = false;
+
+}
+
 ?>
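Review bot: `LAMTool` exposes five public fields and no constructor, so an instance with no name or link is valid, and the hunk at -50 above fills every instance field by field across six lines each; a constructor taking the three mandatory fields, with the two access flags defaulting to `false`, would make each tool a single statement and the access decision explicit at the call site. The class is also declared at the end of a template that has already produced output and is instantiated near the top of the same file before this declaration — that works for an unconditional class declaration, but the type belongs in a library file under lam/lib/ rather than in a page. Proposed constructor; the field declarations stay as they are.
```php
class LAMTool {
	// … unchanged: field declarations …

	/**
	 * Constructor.
	 *
	 * @param string $name name of the tool
	 * @param string $description description text
	 * @param string $link link to tool page (relative to templates/)
	 * @param boolean $requiresWriteAccess tool requires write access to LDAP
	 * @param boolean $requiresPasswordChanges tool requires password change rights
	 */
	public function __construct($name, $description, $link, $requiresWriteAccess = false, $requiresPasswordChanges = false) {
		$this->name = $name;
		$this->description = $description;
		$this->link = $link;
		$this->requiresWriteAccess = $requiresWriteAccess;
		$this->requiresPasswordChanges = $requiresPasswordChanges;
	}

}
```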