added new security model
This commit is contained in:
parent
4bb25a5c17
commit
4808d138fd
|
@ -11,6 +11,7 @@
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
<link rel="stylesheet" type="text/css" href="style/layout.css"></head><body>
|
<link rel="stylesheet" type="text/css" href="style/layout.css"></head><body>
|
||||||
<div style="text-align: center;">
|
<div style="text-align: center;">
|
||||||
<h1>Upgrade notes</h1></div>
|
<h1>Upgrade notes</h1></div>
|
||||||
|
@ -41,7 +42,22 @@ Account modules can now have icons. See <span style="font-weight: bold;">baseMod
|
||||||
|
|
||||||
<br>
|
<br>
|
||||||
<h3>Constructors</h3>
|
<h3>Constructors</h3>
|
||||||
LAM now uses the PHP5 syntax for constructors: <span style="font-weight: bold;">__construct()</span><br>
|
LAM now uses the PHP5 syntax for constructors: <span style="font-weight: bold;">__construct()<br>
|
||||||
|
<br>
|
||||||
|
</span>
|
||||||
|
<h3>Extended security model</h3>
|
||||||
|
Each server profile now defines an access level.<br>
|
||||||
|
<br>
|
||||||
|
Currently these are:<br>
|
||||||
|
<ul>
|
||||||
|
<li>write access</li>
|
||||||
|
<li>password changes</li>
|
||||||
|
<li>read access<br>
|
||||||
|
</li>
|
||||||
|
</ul>
|
||||||
|
<span style="font-weight: bold;"></span> Please check your code and prohibit any actions which do not fit the current access level.<br>
|
||||||
|
There are two new functions in <span style="font-style: italic;">security.inc</span>: <span style="font-weight: bold;">checkIfWriteAccessIsAllowed()</span> and <span style="font-weight: bold;">checkIfPasswordChangeIsAllowed()</span><br>
|
||||||
|
Only LAM Pro allows to change the access level from <span style="font-style: italic;">write access</span> to a smaller level.<br>
|
||||||
<br>
|
<br>
|
||||||
<br>
|
<br>
|
||||||
|
|
||||||
|
|
|
@ -163,6 +163,10 @@ function metaRefresh($page) {
|
||||||
*/
|
*/
|
||||||
class LAMConfig {
|
class LAMConfig {
|
||||||
|
|
||||||
|
const ACCESS_ALL = 100;
|
||||||
|
const ACCESS_PASSWORD_CHANGE = 20;
|
||||||
|
const ACCESS_READ_ONLY = 0;
|
||||||
|
|
||||||
/** Server address (e.g. ldap://127.0.0.1:389) */
|
/** Server address (e.g. ldap://127.0.0.1:389) */
|
||||||
private $ServerURL;
|
private $ServerURL;
|
||||||
|
|
||||||
|
@ -214,10 +218,12 @@ class LAMConfig {
|
||||||
/** Name of configuration file */
|
/** Name of configuration file */
|
||||||
private $file;
|
private $file;
|
||||||
|
|
||||||
|
private $accessLevel = 100;
|
||||||
|
|
||||||
/** List of all settings in config file */
|
/** List of all settings in config file */
|
||||||
private $settings = array("ServerURL", "Passwd", "Admins", "treesuffix",
|
private $settings = array("ServerURL", "Passwd", "Admins", "treesuffix",
|
||||||
"defaultLanguage", "scriptPath", "scriptServer", "scriptRights", "cachetimeout",
|
"defaultLanguage", "scriptPath", "scriptServer", "scriptRights", "cachetimeout",
|
||||||
"modules", "activeTypes", "types");
|
"modules", "activeTypes", "types", "accessLevel");
|
||||||
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
@ -360,6 +366,7 @@ class LAMConfig {
|
||||||
if (!in_array("scriptRights", $saved)) array_push($file_array, "\n\n# Access rights for home directories\n" . "scriptRights: " . $this->scriptRights . "\n");
|
if (!in_array("scriptRights", $saved)) array_push($file_array, "\n\n# Access rights for home directories\n" . "scriptRights: " . $this->scriptRights . "\n");
|
||||||
if (!in_array("cachetimeout", $saved)) array_push($file_array, "\n\n# Number of minutes LAM caches LDAP searches.\n" . "cacheTimeout: " . $this->cachetimeout . "\n");
|
if (!in_array("cachetimeout", $saved)) array_push($file_array, "\n\n# Number of minutes LAM caches LDAP searches.\n" . "cacheTimeout: " . $this->cachetimeout . "\n");
|
||||||
if (!in_array("activeTypes", $saved)) array_push($file_array, "\n\n# List of active account types.\n" . "activeTypes: " . $this->activeTypes . "\n");
|
if (!in_array("activeTypes", $saved)) array_push($file_array, "\n\n# List of active account types.\n" . "activeTypes: " . $this->activeTypes . "\n");
|
||||||
|
if (!in_array("accessLevel", $saved)) array_push($file_array, "\n\n# Access level for this profile.\n" . "accessLevel: " . $this->accessLevel . "\n");
|
||||||
// check if all module settings were added
|
// check if all module settings were added
|
||||||
$m_settings = array_keys($this->moduleSettings);
|
$m_settings = array_keys($this->moduleSettings);
|
||||||
for ($i = 0; $i < sizeof($m_settings); $i++) {
|
for ($i = 0; $i < sizeof($m_settings); $i++) {
|
||||||
|
@ -846,6 +853,24 @@ class LAMConfig {
|
||||||
return $this->typeSettings;
|
return $this->typeSettings;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Returns the access level for this profile.
|
||||||
|
*
|
||||||
|
* @return int level
|
||||||
|
*/
|
||||||
|
public function getAccessLevel() {
|
||||||
|
return $this->accessLevel;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Sets the access level for this profile.
|
||||||
|
*
|
||||||
|
* @param int $level level
|
||||||
|
*/
|
||||||
|
public function setAccessLevel($level) {
|
||||||
|
$this->accessLevel = $level;
|
||||||
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|
|
@ -179,4 +179,34 @@ function logNewMessage($level, $message) {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Checks if write access to LDAP is allowed.
|
||||||
|
*
|
||||||
|
* @return boolean true, if allowed
|
||||||
|
*/
|
||||||
|
function checkIfWriteAccessIsAllowed() {
|
||||||
|
if (!isset($_SESSION['config'])) {
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
if ($_SESSION['config']->getAccessLevel() >= LAMConfig::ACCESS_ALL) {
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Checks if passwords may be changed.
|
||||||
|
*
|
||||||
|
* @return boolean true, if allowed
|
||||||
|
*/
|
||||||
|
function checkIfPasswordChangeIsAllowed() {
|
||||||
|
if (!isset($_SESSION['config'])) {
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
if ($_SESSION['config']->getAccessLevel() >= LAMConfig::ACCESS_PASSWORD_CHANGE) {
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
?>
|
?>
|
|
@ -190,6 +190,42 @@ echo "<img src=\"../../graphics/help.png\" alt=\"" . _('Help') . "\" title=\"" .
|
||||||
echo "</a>\n";
|
echo "</a>\n";
|
||||||
echo "</td></tr>\n";
|
echo "</td></tr>\n";
|
||||||
|
|
||||||
|
// access level is only visible in Pro version
|
||||||
|
if (isLAMProVersion()) {
|
||||||
|
// new line
|
||||||
|
echo ("<tr><td colspan=3> </td></tr>");
|
||||||
|
|
||||||
|
// access level
|
||||||
|
echo ("<tr><td align=\"right\"><b>".
|
||||||
|
_("Access level") . ": </b></td>".
|
||||||
|
"<td><select tabindex=\"$tabindex\" name=\"accessLevel\">\n");
|
||||||
|
if ($conf->getAccessLevel() == LAMConfig::ACCESS_ALL) {
|
||||||
|
echo("<option selected value=" . LAMConfig::ACCESS_ALL . ">" . _('Write access') . "</option>\n");
|
||||||
|
}
|
||||||
|
else {
|
||||||
|
echo("<option value=" . LAMConfig::ACCESS_ALL . ">" . _('Write access') . "</option>\n");
|
||||||
|
}
|
||||||
|
if ($conf->getAccessLevel() == LAMConfig::ACCESS_PASSWORD_CHANGE) {
|
||||||
|
echo("<option selected value=" . LAMConfig::ACCESS_PASSWORD_CHANGE . ">" . _('Change passwords') . "</option>\n");
|
||||||
|
}
|
||||||
|
else {
|
||||||
|
echo("<option value=" . LAMConfig::ACCESS_PASSWORD_CHANGE . ">" . _('Change passwords') . "</option>\n");
|
||||||
|
}
|
||||||
|
if ($conf->getAccessLevel() == LAMConfig::ACCESS_READ_ONLY) {
|
||||||
|
echo("<option selected value=" . LAMConfig::ACCESS_READ_ONLY . ">" . _('Read only') . "</option>\n");
|
||||||
|
}
|
||||||
|
else {
|
||||||
|
echo("<option value=" . LAMConfig::ACCESS_READ_ONLY . ">" . _('Read only') . "</option>\n");
|
||||||
|
}
|
||||||
|
echo ("</select></td>\n");
|
||||||
|
$tabindex++;
|
||||||
|
echo "<td>";
|
||||||
|
echo "<a href=\"../help.php?HelpNumber=214\" target=\"lamhelp\">";
|
||||||
|
echo "<img src=\"../../graphics/help.png\" alt=\"" . _('Help') . "\" title=\"" . _('Help') . "\">";
|
||||||
|
echo "</a>\n";
|
||||||
|
echo "</td></tr>\n";
|
||||||
|
}
|
||||||
|
|
||||||
echo ("</table>");
|
echo ("</table>");
|
||||||
echo ("</fieldset>");
|
echo ("</fieldset>");
|
||||||
|
|
||||||
|
@ -460,6 +496,9 @@ function saveSettings() {
|
||||||
if (!$conf->set_cacheTimeout($_POST['cachetimeout'])) {
|
if (!$conf->set_cacheTimeout($_POST['cachetimeout'])) {
|
||||||
$errors[] = array("ERROR", _("Cache timeout is invalid!"));
|
$errors[] = array("ERROR", _("Cache timeout is invalid!"));
|
||||||
}
|
}
|
||||||
|
if (isLAMProVersion()) {
|
||||||
|
$conf->setAccessLevel($_POST['accessLevel']);
|
||||||
|
}
|
||||||
$adminText = $_POST['admins'];
|
$adminText = $_POST['admins'];
|
||||||
$adminText = explode("\n", $adminText);
|
$adminText = explode("\n", $adminText);
|
||||||
$adminTextNew = array();
|
$adminTextNew = array();
|
||||||
|
|
|
@ -50,47 +50,53 @@ echo "<body>\n";
|
||||||
|
|
||||||
// list of tools and descriptions
|
// list of tools and descriptions
|
||||||
$tools = array();
|
$tools = array();
|
||||||
|
|
||||||
// profile editor
|
// profile editor
|
||||||
$tools[] = array(
|
$pEditor = new LAMTool();
|
||||||
"name" => _("Profile editor"),
|
$pEditor->name = _("Profile editor");
|
||||||
"description" => _("Here you can manage your account profiles."),
|
$pEditor->description = _("Here you can manage your account profiles.");
|
||||||
"link" => "profedit/profilemain.php"
|
$pEditor->link = "profedit/profilemain.php";
|
||||||
);
|
$pEditor->requiresWriteAccess = true;
|
||||||
|
$tools[] = $pEditor;
|
||||||
|
|
||||||
// file upload
|
// file upload
|
||||||
$tools[] = array(
|
$fUpload = new LAMTool();
|
||||||
"name" => _("File upload"),
|
$fUpload->name = _("File upload");
|
||||||
"description" => _("Creates accounts by uploading a CSV formated file."),
|
$fUpload->description = _("Creates accounts by uploading a CSV formated file.");
|
||||||
"link" => "masscreate.php"
|
$fUpload->link = "masscreate.php";
|
||||||
);
|
$fUpload->requiresWriteAccess = true;
|
||||||
|
$tools[] = $fUpload;
|
||||||
|
|
||||||
// OU editor
|
// OU editor
|
||||||
$tools[] = array(
|
$ouEditor = new LAMTool();
|
||||||
"name" => _("OU editor"),
|
$ouEditor->name = _("OU editor");
|
||||||
"description" => _("Manages OU objects in your LDAP tree."),
|
$ouEditor->description = _("Manages OU objects in your LDAP tree.");
|
||||||
"link" => "ou_edit.php"
|
$ouEditor->link = "ou_edit.php";
|
||||||
);
|
$ouEditor->requiresWriteAccess = true;
|
||||||
|
$tools[] = $ouEditor;
|
||||||
|
|
||||||
// PDF editor
|
// PDF editor
|
||||||
$tools[] = array(
|
$pdfEditor = new LAMTool();
|
||||||
"name" => _("PDF editor"),
|
$pdfEditor->name = _("PDF editor");
|
||||||
"description" => _("This tool allows you to customize the PDF pages."),
|
$pdfEditor->description = _("This tool allows you to customize the PDF pages.");
|
||||||
"link" => "pdfedit/pdfmain.php"
|
$pdfEditor->link = "pdfedit/pdfmain.php";
|
||||||
);
|
$pdfEditor->requiresWriteAccess = true;
|
||||||
|
$tools[] = $pdfEditor;
|
||||||
|
|
||||||
// schema browser
|
// schema browser
|
||||||
$tools[] = array(
|
$sBrowser = new LAMTool();
|
||||||
"name" => _("Schema browser"),
|
$sBrowser->name = _("Schema browser");
|
||||||
"description" => _("Here you can browse LDAP object classes and attributes."),
|
$sBrowser->description = _("Here you can browse LDAP object classes and attributes.");
|
||||||
"link" => "schema/schema.php"
|
$sBrowser->link = "schema/schema.php";
|
||||||
);
|
$tools[] = $sBrowser;
|
||||||
|
|
||||||
// tests
|
// tests
|
||||||
$tools[] = array(
|
$tests = new LAMTool();
|
||||||
"name" => _("Tests"),
|
$tests->name = _("Tests");
|
||||||
"description" => _("Here you can test if certain LAM features work on your installation."),
|
$tests->description = _("Here you can test if certain LAM features work on your installation.");
|
||||||
"link" => "tests/index.php"
|
$tests->link = "tests/index.php";
|
||||||
);
|
$tests->requiresWriteAccess = true;
|
||||||
|
$tools[] = $tests;
|
||||||
|
|
||||||
echo "<p> </p>\n";
|
echo "<p> </p>\n";
|
||||||
|
|
||||||
|
@ -98,14 +104,22 @@ echo "<p> </p>\n";
|
||||||
echo "<table class=\"userlist\" rules=\"none\">\n";
|
echo "<table class=\"userlist\" rules=\"none\">\n";
|
||||||
|
|
||||||
for ($i = 0; $i < sizeof($tools); $i++) {
|
for ($i = 0; $i < sizeof($tools); $i++) {
|
||||||
|
// check access level
|
||||||
|
if ($tools[$i]->requiresWriteAccess && !checkIfWriteAccessIsAllowed()) {
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
if ($tools[$i]->requiresPasswordChanges && !checkIfPasswordChangeIsAllowed()) {
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
// print tool
|
||||||
echo "<tr class=\"userlist\">\n";
|
echo "<tr class=\"userlist\">\n";
|
||||||
echo "<td> </td>\n";
|
echo "<td> </td>\n";
|
||||||
echo "<td><br>";
|
echo "<td><br>";
|
||||||
echo "<a href=\"" . $tools[$i]['link'] . "\" target=\"mainpart\"><b>" . $tools[$i]['name'] . "</b></a>";
|
echo "<a href=\"" . $tools[$i]->link . "\" target=\"mainpart\"><b>" . $tools[$i]->name . "</b></a>";
|
||||||
echo "<br><br></td>\n";
|
echo "<br><br></td>\n";
|
||||||
echo "<td> </td>\n";
|
echo "<td> </td>\n";
|
||||||
echo "<td>";
|
echo "<td>";
|
||||||
echo $tools[$i]['description'];
|
echo $tools[$i]->description;
|
||||||
echo "</td>\n";
|
echo "</td>\n";
|
||||||
echo "<td> </td>\n";
|
echo "<td> </td>\n";
|
||||||
echo "</tr>\n";
|
echo "</tr>\n";
|
||||||
|
@ -117,4 +131,29 @@ echo "</table>\n";
|
||||||
echo "</body>\n";
|
echo "</body>\n";
|
||||||
echo "</html>\n";
|
echo "</html>\n";
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Represents a tool.
|
||||||
|
*
|
||||||
|
* @author Roland Gruber
|
||||||
|
* @package tools
|
||||||
|
*/
|
||||||
|
class LAMTool {
|
||||||
|
|
||||||
|
/** name of the tool */
|
||||||
|
public $name;
|
||||||
|
|
||||||
|
/** description text */
|
||||||
|
public $description;
|
||||||
|
|
||||||
|
/** link to tool page (relative to templates/) */
|
||||||
|
public $link;
|
||||||
|
|
||||||
|
/** tool requires write access to LDAP */
|
||||||
|
public $requiresWriteAccess = false;
|
||||||
|
|
||||||
|
/** tool requires password change rights */
|
||||||
|
public $requiresPasswordChanges = false;
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
?>
|
?>
|
||||||
|
|
Loading…
Reference in New Issue