added new security model

lam/docs/devel/upgrade.htm

@@ -11,6 +11,7 @@
 
   
   
+  
   <link rel="stylesheet" type="text/css" href="style/layout.css"></head><body>
 <div style="text-align: center;">
 <h1>Upgrade notes</h1></div>
@@ -41,7 +42,22 @@ Account modules can now have icons. See <span style="font-weight: bold;">baseMod
 
 <br>
 <h3>Constructors</h3>
-LAM now uses the PHP5 syntax for constructors: <span style="font-weight: bold;">__construct()</span><br>
+LAM now uses the PHP5 syntax for constructors: <span style="font-weight: bold;">__construct()<br>
+<br>
+</span>
+<h3>Extended security model</h3>
+Each server profile now defines an access level.<br>
+<br>
+Currently these are:<br>
+<ul>
+  <li>write access</li>
+  <li>password changes</li>
+  <li>read access<br>
+  </li>
+</ul>
+<span style="font-weight: bold;"></span> Please check your code and prohibit any actions which do not fit the current access level.<br>
+There are two new functions in <span style="font-style: italic;">security.inc</span>: <span style="font-weight: bold;">checkIfWriteAccessIsAllowed()</span> and <span style="font-weight: bold;">checkIfPasswordChangeIsAllowed()</span><br>
+Only LAM Pro allows to change the access level from <span style="font-style: italic;">write access</span> to a smaller level.<br>
 <br>
 <br>
 

lam/lib/config.inc

@@ -163,6 +163,10 @@ function metaRefresh($page) {
 */
 class LAMConfig {
 	
+	const ACCESS_ALL = 100;
+	const ACCESS_PASSWORD_CHANGE = 20;
+	const ACCESS_READ_ONLY = 0;
+
 	/** Server address (e.g. ldap://127.0.0.1:389) */
 	private $ServerURL;
 
@@ -214,10 +218,12 @@ class LAMConfig {
 	/** Name of configuration file */
 	private $file;
 	
+	private $accessLevel = 100;
+
 	/** List of all settings in config file */
 	private $settings = array("ServerURL", "Passwd", "Admins", "treesuffix",
 		"defaultLanguage", "scriptPath", "scriptServer", "scriptRights", "cachetimeout",
-		"modules", "activeTypes", "types");
+		"modules", "activeTypes", "types", "accessLevel");
 
 
 	/**
@@ -360,6 +366,7 @@ class LAMConfig {
 			if (!in_array("scriptRights", $saved)) array_push($file_array, "\n\n# Access rights for home directories\n" . "scriptRights: " . $this->scriptRights . "\n");
 			if (!in_array("cachetimeout", $saved)) array_push($file_array, "\n\n# Number of minutes LAM caches LDAP searches.\n" . "cacheTimeout: " . $this->cachetimeout . "\n");
 			if (!in_array("activeTypes", $saved)) array_push($file_array, "\n\n# List of active account types.\n" . "activeTypes: " . $this->activeTypes . "\n");
+			if (!in_array("accessLevel", $saved)) array_push($file_array, "\n\n# Access level for this profile.\n" . "accessLevel: " . $this->accessLevel . "\n");
 			// check if all module settings were added
 			$m_settings = array_keys($this->moduleSettings);
 			for ($i = 0; $i < sizeof($m_settings); $i++) {
@@ -846,6 +853,24 @@ class LAMConfig {
 		return $this->typeSettings;
 	}
 
+	/**
+	 * Returns the access level for this profile.
+	 *
+	 * @return int level
+	 */
+	public function getAccessLevel() {
+		return $this->accessLevel;
+	}
+	
+	/**
+	 * Sets the access level for this profile.
+	 *
+	 * @param int $level level
+	 */
+	public function setAccessLevel($level) {
+		$this->accessLevel = $level;
+	}
+
 }
 
 

lam/lib/security.inc

@@ -179,4 +179,34 @@ function logNewMessage($level, $message) {
 	}
 }
 
+/**
+ * Checks if write access to LDAP is allowed.
+ *
+ * @return boolean true, if allowed
+ */
+function checkIfWriteAccessIsAllowed() {
+	if (!isset($_SESSION['config'])) {
+		return false;
+	}
+	if ($_SESSION['config']->getAccessLevel() >= LAMConfig::ACCESS_ALL) {
+		return true;
+	}
+	return false;
+}
+
+/**
+ * Checks if passwords may be changed.
+ *
+ * @return boolean true, if allowed
+ */
+function checkIfPasswordChangeIsAllowed() {
+	if (!isset($_SESSION['config'])) {
+		return false;
+	}
+	if ($_SESSION['config']->getAccessLevel() >= LAMConfig::ACCESS_PASSWORD_CHANGE) {
+		return true;
+	}
+	return false;
+}
+
 ?>

lam/templates/config/confmain.php

@@ -190,6 +190,42 @@ echo "<img src=\"../../graphics/help.png\" alt=\"" . _('Help') . "\" title=\"" .
 echo "</a>\n";
 echo "</td></tr>\n";
 
+// access level is only visible in Pro version
+if (isLAMProVersion()) {
+	// new line
+	echo ("<tr><td colspan=3>&nbsp</td></tr>");
+	
+	// access level
+	echo ("<tr><td align=\"right\"><b>".
+		_("Access level") . ": </b></td>".
+		"<td><select tabindex=\"$tabindex\" name=\"accessLevel\">\n");
+	if ($conf->getAccessLevel() == LAMConfig::ACCESS_ALL) {
+		echo("<option selected value=" . LAMConfig::ACCESS_ALL . ">" . _('Write access') . "</option>\n");
+	}
+	else {
+		echo("<option value=" . LAMConfig::ACCESS_ALL . ">" . _('Write access') . "</option>\n");
+	}
+	if ($conf->getAccessLevel() == LAMConfig::ACCESS_PASSWORD_CHANGE) {
+		echo("<option selected value=" . LAMConfig::ACCESS_PASSWORD_CHANGE . ">" . _('Change passwords') . "</option>\n");
+	}
+	else {
+		echo("<option value=" . LAMConfig::ACCESS_PASSWORD_CHANGE . ">" . _('Change passwords') . "</option>\n");
+	}
+	if ($conf->getAccessLevel() == LAMConfig::ACCESS_READ_ONLY) {
+		echo("<option selected value=" . LAMConfig::ACCESS_READ_ONLY . ">" . _('Read only') . "</option>\n");
+	}
+	else {
+		echo("<option value=" . LAMConfig::ACCESS_READ_ONLY . ">" . _('Read only') . "</option>\n");
+	}
+	echo ("</select></td>\n");
+	$tabindex++;
+	echo "<td>";
+	echo "<a href=\"../help.php?HelpNumber=214\" target=\"lamhelp\">";
+	echo "<img src=\"../../graphics/help.png\" alt=\"" . _('Help') . "\" title=\"" . _('Help') . "\">";
+	echo "</a>\n";
+	echo "</td></tr>\n";
+}
+
 echo ("</table>");
 echo ("</fieldset>");
 
@@ -460,6 +496,9 @@ function saveSettings() {
 	if (!$conf->set_cacheTimeout($_POST['cachetimeout'])) {
 		$errors[] = array("ERROR", _("Cache timeout is invalid!"));
 	}
+	if (isLAMProVersion()) {
+		$conf->setAccessLevel($_POST['accessLevel']);
+	}
 	$adminText = $_POST['admins'];
 	$adminText = explode("\n", $adminText);
 	$adminTextNew = array();

lam/templates/tools.php

@@ -50,47 +50,53 @@ echo "<body>\n";
 
 // list of tools and descriptions
 $tools = array();
+
 // profile editor
-$tools[] = array(
-		"name" => _("Profile editor"),
-		"description" => _("Here you can manage your account profiles."),
-		"link" => "profedit/profilemain.php"
-	);
+$pEditor = new LAMTool();
+$pEditor->name = _("Profile editor");
+$pEditor->description = _("Here you can manage your account profiles.");
+$pEditor->link = "profedit/profilemain.php";
+$pEditor->requiresWriteAccess = true;
+$tools[] = $pEditor;
 
 // file upload
-$tools[] = array(
-		"name" => _("File upload"),
-		"description" => _("Creates accounts by uploading a CSV formated file."),
-		"link" => "masscreate.php"
-	);
+$fUpload = new LAMTool();
+$fUpload->name = _("File upload");
+$fUpload->description = _("Creates accounts by uploading a CSV formated file.");
+$fUpload->link = "masscreate.php";
+$fUpload->requiresWriteAccess = true;
+$tools[] = $fUpload;
 
 // OU editor
-$tools[] = array(
-		"name" => _("OU editor"),
-		"description" => _("Manages OU objects in your LDAP tree."),
-		"link" => "ou_edit.php"
-	);
+$ouEditor = new LAMTool();
+$ouEditor->name = _("OU editor");
+$ouEditor->description = _("Manages OU objects in your LDAP tree.");
+$ouEditor->link = "ou_edit.php";
+$ouEditor->requiresWriteAccess = true;
+$tools[] = $ouEditor;
 
 // PDF editor
-$tools[] = array(
-		"name" => _("PDF editor"),
-		"description" => _("This tool allows you to customize the PDF pages."),
-		"link" => "pdfedit/pdfmain.php"
-	);
+$pdfEditor = new LAMTool();
+$pdfEditor->name = _("PDF editor");
+$pdfEditor->description = _("This tool allows you to customize the PDF pages.");
+$pdfEditor->link = "pdfedit/pdfmain.php";
+$pdfEditor->requiresWriteAccess = true;
+$tools[] = $pdfEditor;
 
 // schema browser
-$tools[] = array(
-		"name" => _("Schema browser"),
-		"description" => _("Here you can browse LDAP object classes and attributes."),
-		"link" => "schema/schema.php"
-	);
+$sBrowser = new LAMTool();
+$sBrowser->name = _("Schema browser");
+$sBrowser->description = _("Here you can browse LDAP object classes and attributes.");
+$sBrowser->link = "schema/schema.php";
+$tools[] = $sBrowser;
 
 // tests
-$tools[] = array(
-		"name" => _("Tests"),
-		"description" => _("Here you can test if certain LAM features work on your installation."),
-		"link" => "tests/index.php"
-	);
+$tests = new LAMTool();
+$tests->name = _("Tests");
+$tests->description = _("Here you can test if certain LAM features work on your installation.");
+$tests->link = "tests/index.php";
+$tests->requiresWriteAccess = true;
+$tools[] = $tests;
 
 echo "<p>&nbsp;</p>\n";
 
@@ -98,14 +104,22 @@ echo "<p>&nbsp;</p>\n";
 echo "<table class=\"userlist\" rules=\"none\">\n";
 
 for ($i = 0; $i < sizeof($tools); $i++) {
+	// check access level
+	if ($tools[$i]->requiresWriteAccess && !checkIfWriteAccessIsAllowed()) {
+		continue;
+	}
+	if ($tools[$i]->requiresPasswordChanges && !checkIfPasswordChangeIsAllowed()) {
+		continue;
+	}
+	// print tool
 	echo "<tr class=\"userlist\">\n";
 		echo "<td>&nbsp;&nbsp;&nbsp;</td>\n";
 		echo "<td><br>";
-			echo "<a href=\"" . $tools[$i]['link'] . "\" target=\"mainpart\"><b>" . $tools[$i]['name'] . "</b></a>";
+			echo "<a href=\"" . $tools[$i]->link . "\" target=\"mainpart\"><b>" . $tools[$i]->name . "</b></a>";
 		echo "<br><br></td>\n";
 		echo "<td>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</td>\n";
 		echo "<td>";
-			echo $tools[$i]['description'];
+			echo $tools[$i]->description;
 		echo "</td>\n";
 		echo "<td>&nbsp;&nbsp;&nbsp;</td>\n";
 	echo "</tr>\n";
@@ -117,4 +131,29 @@ echo "</table>\n";
 echo "</body>\n";
 echo "</html>\n";
 
+/**
+ * Represents a tool.
+ *
+ * @author Roland Gruber
+ * @package tools
+ */
+class LAMTool {
+	
+	/** name of the tool */
+	public $name;
+	
+	/** description text */
+	public $description;
+	
+	/** link to tool page (relative to templates/) */
+	public $link;
+	
+	/** tool requires write access to LDAP */
+	public $requiresWriteAccess = false;
+	
+	/** tool requires password change rights */
+	public $requiresPasswordChanges = false;
+	
+}
+
 ?>