added new security model

This commit is contained in:
Roland Gruber 2007-12-30 12:32:48 +00:00
parent 4bb25a5c17
commit 4808d138fd
5 changed files with 184 additions and 35 deletions


@ -3,6 +3,7 @@
@ -41,7 +42,22 @@ Account modules can now have icons. See <span style="font-weight: bold;">baseMod
<br>
<h3>Constructors</h3>
LAM now uses the PHP5 syntax for constructors: <span style="font-weight: bold;">__construct()</span><br>
LAM now uses the PHP5 syntax for constructors: <span style="font-weight: bold;">__construct()<br>
<br>
</span>
<h3>Extended security model</h3>
Each server profile now defines an access level.<br>
<br>
Currently these are:<br>
<ul>
<li>write access</li>
<li>password changes</li>
<li>read access<br>
</li>
</ul>
<span style="font-weight: bold;"></span> Please check your code and prohibit any actions which do not fit the current access level.<br>
There are two new functions in <span style="font-style: italic;">security.inc</span>: <span style="font-weight: bold;">checkIfWriteAccessIsAllowed()</span> and <span style="font-weight: bold;">checkIfPasswordChangeIsAllowed()</span><br>
Only LAM Pro allows to change the access level from <span style="font-style: italic;">write access</span> to a smaller level.<br>
<br>
<br>


@ -162,6 +162,10 @@ function metaRefresh($page) {
* @package configuration
*/
class LAMConfig {
const ACCESS_ALL = 100;
const ACCESS_PASSWORD_CHANGE = 20;
const ACCESS_READ_ONLY = 0;
/** Server address (e.g. ldap://127.0.0.1:389) */
private $ServerURL;
@ -213,11 +217,13 @@ class LAMConfig {
/** Name of configuration file */
private $file;
private $accessLevel = 100;
/** List of all settings in config file */
private $settings = array("ServerURL", "Passwd", "Admins", "treesuffix",
"defaultLanguage", "scriptPath", "scriptServer", "scriptRights", "cachetimeout",
"modules", "activeTypes", "types");
"modules", "activeTypes", "types", "accessLevel");
/**
@ -360,6 +366,7 @@ class LAMConfig {
if (!in_array("scriptRights", $saved)) array_push($file_array, "\n\n# Access rights for home directories\n" . "scriptRights: " . $this->scriptRights . "\n");
if (!in_array("cachetimeout", $saved)) array_push($file_array, "\n\n# Number of minutes LAM caches LDAP searches.\n" . "cacheTimeout: " . $this->cachetimeout . "\n");
if (!in_array("activeTypes", $saved)) array_push($file_array, "\n\n# List of active account types.\n" . "activeTypes: " . $this->activeTypes . "\n");
if (!in_array("accessLevel", $saved)) array_push($file_array, "\n\n# Access level for this profile.\n" . "accessLevel: " . $this->accessLevel . "\n");
// check if all module settings were added
$m_settings = array_keys($this->moduleSettings);
for ($i = 0; $i < sizeof($m_settings); $i++) {
@ -846,6 +853,24 @@ class LAMConfig {
return $this->typeSettings;
}
/**
* Returns the access level for this profile.
*
* @return int level
*/
public function getAccessLevel() {
return $this->accessLevel;
}
/**
* Sets the access level for this profile.
*
* @param int $level level
*/
public function setAccessLevel($level) {
$this->accessLevel = $level;
}
}
@ -1010,7 +1035,7 @@ class LAMCfgMain {
private function hashPassword($password, $salt) {
return "{SSHA}" . base64_encode(hex2bin(sha1($password . $salt))) . " " . base64_encode($salt);
}
}
?>
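Review bot: setAccessLevel() at the end of the getAccessLevel/setAccessLevel hunk stores whatever `$level` it receives, whereas the neighbouring setters (for example set_cacheTimeout, which conf/confmain.php's saveSettings hunk checks for a false return) validate their input and return a bool; the saveSettings hunk in this commit passes `$_POST['accessLevel']` straight into this setter, so an out-of-range or non-numeric value would be written to the profile file and later compared with `>=` in the security.inc checks. I would validate against the three ACCESS_* constants and return false on anything else, so that saveSettings can report it with an error entry the same way it reports an invalid cache timeout. The new `private $accessLevel = 100;` property also lacks the doc comment its neighbours have and repeats the magic number; `/** Access level of this profile (one of the ACCESS_* constants) */ private $accessLevel = self::ACCESS_ALL;` would say the same thing once.
```php
/**
 * Sets the access level for this profile.
 *
 * @param int $level one of ACCESS_ALL, ACCESS_PASSWORD_CHANGE, ACCESS_READ_ONLY
 * @return boolean true if the level is valid and was set
 */
public function setAccessLevel($level) {
    $level = intval($level);
    if (!in_array($level, array(self::ACCESS_ALL, self::ACCESS_PASSWORD_CHANGE, self::ACCESS_READ_ONLY), true)) {
        return false;
    }
    $this->accessLevel = $level;
    return true;
}
```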


@ -179,4 +179,34 @@ function logNewMessage($level, $message) {
}
}
/**
* Checks if write access to LDAP is allowed.
*
* @return boolean true, if allowed
*/
function checkIfWriteAccessIsAllowed() {
if (!isset($_SESSION['config'])) {
return false;
}
if ($_SESSION['config']->getAccessLevel() >= LAMConfig::ACCESS_ALL) {
return true;
}
return false;
}
/**
* Checks if passwords may be changed.
*
* @return boolean true, if allowed
*/
function checkIfPasswordChangeIsAllowed() {
if (!isset($_SESSION['config'])) {
return false;
}
if ($_SESSION['config']->getAccessLevel() >= LAMConfig::ACCESS_PASSWORD_CHANGE) {
return true;
}
return false;
}
?>
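Review bot: The docblocks of checkIfWriteAccessIsAllowed() and checkIfPasswordChangeIsAllowed() do not state the two properties a caller relies on: both fail closed (return false) when no config object is in the session, and the password-change check is also satisfied by a profile with write access because it compares with `>=`. I would add to the first one `Returns false if no server profile is loaded in the session.` and to the second one `Returns true for the password-change level and for write access; false if no server profile is loaded.`. As a matter of style, each `if (...) { return true; } return false;` tail can be the single line `return ($_SESSION['config']->getAccessLevel() >= LAMConfig::ACCESS_ALL);` (and the corresponding ACCESS_PASSWORD_CHANGE form), which reads as the predicate it is.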


@ -190,6 +190,42 @@ echo "<img src=\"../../graphics/help.png\" alt=\"" . _('Help') . "\" title=\"" .
echo "</a>\n";
echo "</td></tr>\n";
// access level is only visible in Pro version
if (isLAMProVersion()) {
// new line
echo ("<tr><td colspan=3>&nbsp</td></tr>");
// access level
echo ("<tr><td align=\"right\"><b>".
_("Access level") . ": </b></td>".
"<td><select tabindex=\"$tabindex\" name=\"accessLevel\">\n");
if ($conf->getAccessLevel() == LAMConfig::ACCESS_ALL) {
echo("<option selected value=" . LAMConfig::ACCESS_ALL . ">" . _('Write access') . "</option>\n");
}
else {
echo("<option value=" . LAMConfig::ACCESS_ALL . ">" . _('Write access') . "</option>\n");
}
if ($conf->getAccessLevel() == LAMConfig::ACCESS_PASSWORD_CHANGE) {
echo("<option selected value=" . LAMConfig::ACCESS_PASSWORD_CHANGE . ">" . _('Change passwords') . "</option>\n");
}
else {
echo("<option value=" . LAMConfig::ACCESS_PASSWORD_CHANGE . ">" . _('Change passwords') . "</option>\n");
}
if ($conf->getAccessLevel() == LAMConfig::ACCESS_READ_ONLY) {
echo("<option selected value=" . LAMConfig::ACCESS_READ_ONLY . ">" . _('Read only') . "</option>\n");
}
else {
echo("<option value=" . LAMConfig::ACCESS_READ_ONLY . ">" . _('Read only') . "</option>\n");
}
echo ("</select></td>\n");
$tabindex++;
echo "<td>";
echo "<a href=\"../help.php?HelpNumber=214\" target=\"lamhelp\">";
echo "<img src=\"../../graphics/help.png\" alt=\"" . _('Help') . "\" title=\"" . _('Help') . "\">";
echo "</a>\n";
echo "</td></tr>\n";
}
echo ("</table>");
echo ("</fieldset>");
@ -460,6 +496,9 @@ function saveSettings() {
if (!$conf->set_cacheTimeout($_POST['cachetimeout'])) {
$errors[] = array("ERROR", _("Cache timeout is invalid!"));
}
if (isLAMProVersion()) {
$conf->setAccessLevel($_POST['accessLevel']);
}
$adminText = $_POST['admins'];
$adminText = explode("\n", $adminText);
$adminTextNew = array();
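Review bot: The spacer row added at the start of the access-level block writes `&nbsp` without the closing semicolon (`echo ("<tr><td colspan=3>&nbsp</td></tr>");`), so the entity is malformed; it should be `&nbsp;`, and the `value=` attributes on the three `<option>` tags are unquoted unlike the other attributes in this file. The three if/else pairs that follow differ only in the constant and the label, which invites drift when a level is added; a level-to-label map with one loop produces the same markup. The surrounding code of this hunk starts and ends outside it.
```php
$levels = array(
    LAMConfig::ACCESS_ALL => _('Write access'),
    LAMConfig::ACCESS_PASSWORD_CHANGE => _('Change passwords'),
    LAMConfig::ACCESS_READ_ONLY => _('Read only')
);
foreach ($levels as $level => $label) {
    $selected = ($conf->getAccessLevel() == $level) ? ' selected' : '';
    echo("<option" . $selected . " value=\"" . $level . "\">" . $label . "</option>\n");
}
// … unchanged: closing </select>, tabindex increment and help link …
```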


@ -50,47 +50,53 @@ echo "<body>\n";
// list of tools and descriptions
$tools = array();
// profile editor
$tools[] = array(
"name" => _("Profile editor"),
"description" => _("Here you can manage your account profiles."),
"link" => "profedit/profilemain.php"
);
$pEditor = new LAMTool();
$pEditor->name = _("Profile editor");
$pEditor->description = _("Here you can manage your account profiles.");
$pEditor->link = "profedit/profilemain.php";
$pEditor->requiresWriteAccess = true;
$tools[] = $pEditor;
// file upload
$tools[] = array(
"name" => _("File upload"),
"description" => _("Creates accounts by uploading a CSV formated file."),
"link" => "masscreate.php"
);
$fUpload = new LAMTool();
$fUpload->name = _("File upload");
$fUpload->description = _("Creates accounts by uploading a CSV formated file.");
$fUpload->link = "masscreate.php";
$fUpload->requiresWriteAccess = true;
$tools[] = $fUpload;
// OU editor
$tools[] = array(
"name" => _("OU editor"),
"description" => _("Manages OU objects in your LDAP tree."),
"link" => "ou_edit.php"
);
$ouEditor = new LAMTool();
$ouEditor->name = _("OU editor");
$ouEditor->description = _("Manages OU objects in your LDAP tree.");
$ouEditor->link = "ou_edit.php";
$ouEditor->requiresWriteAccess = true;
$tools[] = $ouEditor;
// PDF editor
$tools[] = array(
"name" => _("PDF editor"),
"description" => _("This tool allows you to customize the PDF pages."),
"link" => "pdfedit/pdfmain.php"
);
$pdfEditor = new LAMTool();
$pdfEditor->name = _("PDF editor");
$pdfEditor->description = _("This tool allows you to customize the PDF pages.");
$pdfEditor->link = "pdfedit/pdfmain.php";
$pdfEditor->requiresWriteAccess = true;
$tools[] = $pdfEditor;
// schema browser
$tools[] = array(
"name" => _("Schema browser"),
"description" => _("Here you can browse LDAP object classes and attributes."),
"link" => "schema/schema.php"
);
$sBrowser = new LAMTool();
$sBrowser->name = _("Schema browser");
$sBrowser->description = _("Here you can browse LDAP object classes and attributes.");
$sBrowser->link = "schema/schema.php";
$tools[] = $sBrowser;
// tests
$tools[] = array(
"name" => _("Tests"),
"description" => _("Here you can test if certain LAM features work on your installation."),
"link" => "tests/index.php"
);
$tests = new LAMTool();
$tests->name = _("Tests");
$tests->description = _("Here you can test if certain LAM features work on your installation.");
$tests->link = "tests/index.php";
$tests->requiresWriteAccess = true;
$tools[] = $tests;
echo "<p>&nbsp;</p>\n";
@ -98,14 +104,22 @@ echo "<p>&nbsp;</p>\n";
echo "<table class=\"userlist\" rules=\"none\">\n";
for ($i = 0; $i < sizeof($tools); $i++) {
// check access level
if ($tools[$i]->requiresWriteAccess && !checkIfWriteAccessIsAllowed()) {
continue;
}
if ($tools[$i]->requiresPasswordChanges && !checkIfPasswordChangeIsAllowed()) {
continue;
}
// print tool
echo "<tr class=\"userlist\">\n";
echo "<td>&nbsp;&nbsp;&nbsp;</td>\n";
echo "<td><br>";
echo "<a href=\"" . $tools[$i]['link'] . "\" target=\"mainpart\"><b>" . $tools[$i]['name'] . "</b></a>";
echo "<a href=\"" . $tools[$i]->link . "\" target=\"mainpart\"><b>" . $tools[$i]->name . "</b></a>";
echo "<br><br></td>\n";
echo "<td>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</td>\n";
echo "<td>";
echo $tools[$i]['description'];
echo $tools[$i]->description;
echo "</td>\n";
echo "<td>&nbsp;&nbsp;&nbsp;</td>\n";
echo "</tr>\n";
@ -117,4 +131,29 @@ echo "</table>\n";
echo "</body>\n";
echo "</html>\n";
/**
* Represents a tool.
*
* @author Roland Gruber
* @package tools
*/
class LAMTool {
/** name of the tool */
public $name;
/** description text */
public $description;
/** link to tool page (relative to templates/) */
public $link;
/** tool requires write access to LDAP */
public $requiresWriteAccess = false;
/** tool requires password change rights */
public $requiresPasswordChanges = false;
}
?>
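Review bot: The `requiresWriteAccess`/`requiresPasswordChanges` checks in the listing loop only decide whether a link is printed; the target pages (masscreate.php, ou_edit.php, the profile and PDF editors) are still reachable by URL, so unless each of them calls checkIfWriteAccessIsAllowed() itself — which I cannot see from this hunk — the new flags are a display preference rather than an access control, and a comment such as `// hides the link only; the tool page must enforce the access level itself` above the loop would keep that visible to the next maintainer. The LAMTool class is declared at the bottom of the file but instantiated near the top; PHP accepts this for an unconditional top-level class without a parent, but it breaks silently as soon as the class gains an `extends` or is wrapped in a condition, so moving the declaration above its first use (or into a shared include) is safer. A constructor taking name, description, link and the two flags would also replace the six repeated assignment blocks with one line per tool.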