diff --git a/lam/HISTORY b/lam/HISTORY index c74f9313..09d4baa7 100644 --- a/lam/HISTORY +++ b/lam/HISTORY @@ -2,6 +2,7 @@ June 2013 4.2 - Samba 4 support: users, groups, hosts - Unix: allow to change format for suggested user name - LAM Pro: + -> allow to hide buttons to create/delete entries for each account type -> Password self reset: support new identification methods: user, email, user or email, employee number -> Custom fields: support PDF, profiles and multi-value text fields -> Personal: support password mail sending in file upload diff --git a/lam/help/help.inc b/lam/help/help.inc index 9f7bb7c8..9c40f27b 100644 --- a/lam/help/help.inc +++ b/lam/help/help.inc @@ -155,6 +155,10 @@ $helpArray = array ( . ' ' . _('By default LAM will show all accounts that match the selected account modules.')), "261" => array ("Headline" => _("Hidden"), "Text" => _('Hidden account types will not show up in LAM. This is useful if you want to display e.g. only groups but still need to manage their members.')), + "262" => array ("Headline" => _("No new entries"), + "Text" => _('If checked then the user will not be able to create new entries of this account type.')), + "263" => array ("Headline" => _("Disallow delete"), + "Text" => _('If checked then the user will not be able to delete entries of this account type.')), // 300 - 399 // profile editor, file upload "301" => array ("Headline" => _("RDN identifier"), diff --git a/lam/lib/lists.inc b/lam/lib/lists.inc index 557a8b27..36ed70f8 100644 --- a/lam/lib/lists.inc +++ b/lam/lib/lists.inc @@ -486,7 +486,7 @@ class lamList { $group->addElement($editLink); $toolCount++; // delete link - if (checkIfWriteAccessIsAllowed()) { + if (checkIfWriteAccessIsAllowed() && checkIfDeleteEntriesIsAllowed($this->type)) { $deleteLink = new htmlLink('', "deletelink.php?type=" . $this->type . "&DN='" . rawurlencode($account['dn']) . "'", '../../graphics/delete.png'); $deleteLink->setTitle(_("Delete")); $group->addElement($deleteLink); 
@@ -543,12 +543,12 @@ class lamList {
 die();
 }
 // add new account
- if (isset($_POST['new'])){
+ if (isset($_POST['new']) && checkIfNewEntriesAreAllowed($this->type)){
 metaRefresh("../account/edit.php?type=" . $this->type . "&suffix=" . $this->suffix);
 exit;
 }
 // delete account(s)
- elseif (isset($_POST['del'])){
+ elseif (isset($_POST['del']) && checkIfDeleteEntriesIsAllowed($this->type)){
 // search for checkboxes
 $accounts = array_keys($_POST, "on");
 // build DN list
@@ -562,7 +562,7 @@ class lamList {
 }
 }
 // file upload
- elseif (isset($_POST['fileUpload'])){
+ elseif (isset($_POST['fileUpload']) && checkIfNewEntriesAreAllowed($this->type)){
 metaRefresh("../masscreate.php?type=" . $this->type);
 exit;
 }
@@ -749,11 +749,14 @@ class lamList {
 // button part
 $left->alignment = htmlElement::ALIGN_LEFT;
 if (checkIfWriteAccessIsAllowed()) {
- // add/delete buttons
- $newButton = new htmlButton('new', $this->labels['newEntry']);
- $newButton->setIconClass('createButton');
- $left->addElement($newButton);
- if (!$createOnly) {
+ // add button
+ if (checkIfNewEntriesAreAllowed($this->type)) {
+ $newButton = new htmlButton('new', $this->labels['newEntry']);
+ $newButton->setIconClass('createButton');
+ $left->addElement($newButton);
+ }
+ // delete button
+ if (!$createOnly && checkIfDeleteEntriesIsAllowed($this->type)) {
 $left->addElement(new htmlSpacer('1px', null));
 $delButton = new htmlButton('del', $this->labels['deleteEntry']);
 $delButton->setIconClass('deleteButton');
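Review bot: When `checkIfNewEntriesAreAllowed()` or `checkIfDeleteEntriesIsAllowed()` returns false, the new conditions on the `$_POST['new']`, `$_POST['del']` and `$_POST['fileUpload']` branches make the request fall through silently to the next `elseif`, whereas edit.php and delete.php log the attempt and stop. A forged POST against a type with "No new entries" or "Disallow delete" set therefore leaves no trace in the LAM log, even though the target pages still enforce the restriction, so this is about auditability rather than a bypass. Consider a dedicated branch ahead of the existing chain, e.g. `elseif (isset($_POST['new']) || isset($_POST['del']) || isset($_POST['fileUpload'])) { logNewMessage(LOG_ERR, 'User tried to create/delete entries of forbidden type ' . $this->type); }`, so the three forbidden cases are recorded in one place. The enclosing methods start and end outside these hunks.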
@@ -761,7 +764,8 @@ class lamList { } $type = new $this->type(); $toolSettings = $_SESSION['config']->getToolSettings(); - if ($type->supportsFileUpload() && !(isset($toolSettings['tool_hide_toolFileUpload']) && ($toolSettings['tool_hide_toolFileUpload'] == 'true'))) { + if ($type->supportsFileUpload() && checkIfNewEntriesAreAllowed($this->type) + && !(isset($toolSettings['tool_hide_toolFileUpload']) && ($toolSettings['tool_hide_toolFileUpload'] == 'true'))) { $left->addElement(new htmlSpacer('20px', null)); $uploadButton = new htmlButton('fileUpload', _('File upload')); $uploadButton->setIconClass('upButton'); diff --git a/lam/lib/modules.inc b/lam/lib/modules.inc index 4872b037..221f62ca 100644 --- a/lam/lib/modules.inc +++ b/lam/lib/modules.inc @@ -1291,10 +1291,12 @@ class accountContainer { $type = new $this->type(); $buttonGroup = new htmlGroup(); - $createButton = new htmlButton('accountContainerCreateAgain', $type->LABEL_CREATE_ANOTHER_ACCOUNT); - $createButton->setIconClass('createButton'); - $buttonGroup->addElement($createButton); - $buttonGroup->addElement(new htmlSpacer('10px', null)); + if (checkIfNewEntriesAreAllowed($this->type)) { + $createButton = new htmlButton('accountContainerCreateAgain', $type->LABEL_CREATE_ANOTHER_ACCOUNT); + $createButton->setIconClass('createButton'); + $buttonGroup->addElement($createButton); + $buttonGroup->addElement(new htmlSpacer('10px', null)); + } $pdfButton = new htmlButton('accountContainerCreatePDF', _('Create PDF file')); $pdfButton->setIconClass('pdfButton'); $buttonGroup->addElement($pdfButton); diff --git a/lam/lib/security.inc b/lam/lib/security.inc index 9cd8cc2c..340c3f73 100644 --- a/lam/lib/security.inc +++ b/lam/lib/security.inc 
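Review bot: Hiding the "create another" button in accountContainer only changes the rendered form; the handler that reacts to `$_POST['accountContainerCreateAgain']` lies outside this hunk and, as far as the diff shows, is not guarded by `checkIfNewEntriesAreAllowed($this->type)`, so a crafted POST would presumably still start a fresh account of a forbidden type without passing the new edit.php check. The other places in this commit pair each hidden button with a server-side check (lists.inc, delete.php, the mass* templates), and this one should too: `if (isset($_POST['accountContainerCreateAgain']) && !checkIfNewEntriesAreAllowed($this->type)) { logNewMessage(LOG_ERR, 'User tried to create entry of forbidden account type: ' . $this->type); die(); }` where that button is processed. The lists.inc hunk on the same line (file-upload button) is consistent with the rest and needs no change. Both enclosing methods start and end outside the hunks.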
@@ -243,6 +243,47 @@ function checkIfPasswordChangeIsAllowed() { return false; } +/** + * Checks if it is allowed to create new LDAP entries of the given type. + * This also checks if general write access is enabled. + * + * @param String $scope account type (e.g. 'user') + * @return boolean true, if new entries are allowed + */ +function checkIfNewEntriesAreAllowed($scope) { + if (!isLAMProVersion()) { + return true; + } + if (!isset($_SESSION['config']) || empty($scope)) { + return false; + } + $typeSettings = $_SESSION['config']->get_typeSettings(); + if (isset($typeSettings['hideNewButton_' . $scope]) && $typeSettings['hideNewButton_' . $scope]) { + return false; + } + return checkIfWriteAccessIsAllowed(); +} + +/** + * Checks if it is allowed to delete LDAP entries of the given type. + * + * @param String $scope account type (e.g. 'user') + * @return boolean true, if entries may be deleted + */ +function checkIfDeleteEntriesIsAllowed($scope) { + if (!isLAMProVersion()) { + return true; + } + if (!isset($_SESSION['config']) || empty($scope)) { + return false; + } + $typeSettings = $_SESSION['config']->get_typeSettings(); + if (isset($typeSettings['hideDeleteButton_' . $scope]) && $typeSettings['hideDeleteButton_' . $scope]) { + return false; + } + return checkIfWriteAccessIsAllowed(); +} + /** * Checks if the password fulfills the password policies. * diff --git a/lam/templates/account/edit.php b/lam/templates/account/edit.php index 19d970ff..673ec47e 100644 --- a/lam/templates/account/edit.php +++ b/lam/templates/account/edit.php @@ -4,7 +4,7 @@ $Id$ This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/) Copyright (C) 2003 - 2006 Tilo Lutz - 2005 - 2012 Roland Gruber + 2005 - 2013 Roland Gruber This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by 
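Review bot: The docblock of `checkIfNewEntriesAreAllowed()` says it "also checks if general write access is enabled", but the first statement `if (!isLAMProVersion()) { return true; }` returns before `checkIfWriteAccessIsAllowed()` is reached, so on a non-Pro installation both helpers report true regardless of the profile's access level; `checkIfDeleteEntriesIsAllowed()` behaves the same way and its docblock is silent about write access altogether. The new callers in edit.php, delete.php, massBuildAccounts.php and massDoUpload.php use these helpers as their only guard (whether those templates check write access elsewhere is not visible here), so the contract the docblock promises is what they rely on. Put the access check first in both functions: `if (!checkIfWriteAccessIsAllowed()) { return false; }` and only then `if (!isLAMProVersion()) { return true; }`, and add the same "This also checks if general write access is enabled." sentence to the delete helper's docblock. The `isset(...) && $typeSettings[...]` test itself is fine, since conftypes.php stores these keys as booleans. The copyright hunk of edit.php on this line needs no review.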
@@ -86,6 +86,10 @@ else if (count($_POST)==0) {
 logNewMessage(LOG_ERR, 'User tried to access hidden account type: ' . $type);
 die();
 }
+ elseif (!checkIfNewEntriesAreAllowed($type)) {
+ logNewMessage(LOG_ERR, 'User tried to create entry of forbidden account type: ' . $type);
+ die();
+ }
 $_SESSION['account'] = new accountContainer($type, 'account');
 $_SESSION['account']->new_account();
 }
diff --git a/lam/templates/config/conftypes.php b/lam/templates/config/conftypes.php
index e37d7d49..263297eb 100644
--- a/lam/templates/config/conftypes.php
+++ b/lam/templates/config/conftypes.php
@@ -234,7 +234,7 @@ if (sizeof($activeTypes) > 0) {
 for ($i = 0; $i < sizeof($activeTypes); $i++) {
 // title
 $titleGroup = new htmlGroup();
- $titleGroup->colspan = 10;
+ $titleGroup->colspan = 6;
 $titleGroup->addElement(new htmlImage('../../graphics/' . $activeTypes[$i] . '.png'));
 $titleText = new htmlOutputText(getTypeAlias($activeTypes[$i]));
 $titleText->setIsBold(true);
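Review bot: The new `elseif` guards only the `count($_POST)==0` entry path that creates `$_SESSION['account']` and calls `new_account()`; the later form POSTs that actually write the entry reuse that session container (their branch starts outside this hunk) and are not re-checked, so a container created before an administrator ticked "No new entries" can presumably still be saved until the session ends. If that window matters, repeat `checkIfNewEntriesAreAllowed($type)` where the new entry is saved; otherwise make the scope explicit with a comment above the `elseif`, e.g. `// only the creation of the account container is guarded; save requests reuse $_SESSION['account']`. The log message echoes `$type` verbatim, which is consistent with the hidden-type message right above it and relies on `$type` having been validated earlier in the file (not visible here). The conftypes.php hunk on the same line is a layout change and needs no review.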
@@ -244,21 +244,15 @@ if (sizeof($activeTypes) > 0) {
 $activeContainer->addElement($titleGroup);
 // delete button
 $delButton = new htmlButton('rem_'. $activeTypes[$i], 'del.png', true);
- $delButton->colspan = 3;
 $delButton->alignment = htmlElement::ALIGN_RIGHT;
 $delButton->setTitle(_("Remove this account type"));
 $activeContainer->addElement($delButton, true); //del.png
 $activeContainer->addElement(new htmlSpacer(null, '5px'), true);
 // LDAP suffix
- $suffixText = new htmlOutputText(_("LDAP suffix"));
- $suffixText->colspan = 2;
- $activeContainer->addElement($suffixText);
- $activeContainer->addElement(new htmlSpacer('10px', null));
- $suffixInput = new htmlInputField('suffix_' . $activeTypes[$i], $typeSettings['suffix_' . $activeTypes[$i]]);
+ $suffixInput = new htmlTableExtendedInputField(_("LDAP suffix"), 'suffix_' . $activeTypes[$i], $typeSettings['suffix_' . $activeTypes[$i]], '202');
 $suffixInput->setFieldSize(40);
 $activeContainer->addElement($suffixInput);
- $activeContainer->addElement(new htmlHelpLink('202'));
- $activeContainer->addElement(new htmlSpacer('10px', null));
+ $activeContainer->addElement(new htmlSpacer('20px', null));
 // list attributes
 if (isset($typeSettings['attr_' . $activeTypes[$i]])) {
 $attributes = $typeSettings['attr_' . $activeTypes[$i]];
@@ -266,14 +260,9 @@ if (sizeof($activeTypes) > 0) {
 else {
 $attributes = getDefaultListAttributes($activeTypes[$i]);
 }
- $attrsText = new htmlOutputText(_("List attributes"));
- $attrsText->colspan = 2;
- $activeContainer->addElement($attrsText);
- $activeContainer->addElement(new htmlSpacer('10px', null));
- $attrsInput = new htmlInputField('attr_' . $activeTypes[$i], $attributes);
+ $attrsInput = new htmlTableExtendedInputField(_("List attributes"), 'attr_' . $activeTypes[$i], $attributes, '206');
 $attrsInput->setFieldSize(40);
 $activeContainer->addElement($attrsInput);
- $activeContainer->addElement(new htmlHelpLink('206'));
 $activeContainer->addNewLine();
 // advanced options
 $advancedOptionsContent = new htmlTable();
@@ -282,27 +271,31 @@ if (sizeof($activeTypes) > 0) {
 if (isset($typeSettings['filter_' . $activeTypes[$i]])) {
 $filter = $typeSettings['filter_' . $activeTypes[$i]];
 }
- $filterText = new htmlOutputText(_("Additional LDAP filter"));
- $filterText->colspan = 2;
- $advancedOptionsContent->addElement($filterText);
- $advancedOptionsContent->addElement(new htmlSpacer('10px', null));
- $filterInput = new htmlInputField('filter_' . $activeTypes[$i], $filter);
+ $filterInput = new htmlTableExtendedInputField(_("Additional LDAP filter"), 'filter_' . $activeTypes[$i], $filter, '260');
 $filterInput->setFieldSize(40);
 $advancedOptionsContent->addElement($filterInput);
- $advancedOptionsContent->addElement(new htmlHelpLink('260'));
- $advancedOptionsContent->addElement(new htmlSpacer('10px', null));
+ $advancedOptionsContent->addElement(new htmlSpacer('20px', null));
 // hidden type
 $hidden = false;
 if (isset($typeSettings['hidden_' . $activeTypes[$i]])) {
 $hidden = $typeSettings['hidden_' . $activeTypes[$i]];
 }
- $hiddenText = new htmlOutputText(_('Hidden'));
- $hiddenText->colspan = 2;
- $advancedOptionsContent->addElement($hiddenText);
- $advancedOptionsContent->addElement(new htmlSpacer('10px', null));
- $advancedOptionsContent->addElement(new htmlInputCheckbox('hidden_' . $activeTypes[$i], $hidden));
- $advancedOptionsContent->addElement(new htmlHelpLink('261'));
- $advancedOptionsContent->addNewLine();
+ $advancedOptionsContent->addElement(new htmlTableExtendedInputCheckbox('hidden_' . $activeTypes[$i], $hidden, _('Hidden'), '261'), true);
+ if (isLAMProVersion() && ($conf->getAccessLevel() == LAMConfig::ACCESS_ALL)) {
+ // hide button to create new accounts
+ $hideNewButton = false;
+ if (isset($typeSettings['hideNewButton_' . $activeTypes[$i]])) {
+ $hideNewButton = $typeSettings['hideNewButton_' . $activeTypes[$i]];
+ }
+ $advancedOptionsContent->addElement(new htmlTableExtendedInputCheckbox('hideNewButton_' . $activeTypes[$i], $hideNewButton, _('No new entries'), '262'));
+ $advancedOptionsContent->addElement(new htmlSpacer('20px', null));
+ // hide button to delete accounts
+ $hideDeleteButton = false;
+ if (isset($typeSettings['hideDeleteButton_' . $activeTypes[$i]])) {
+ $hideDeleteButton = $typeSettings['hideDeleteButton_' . $activeTypes[$i]];
+ }
+ $advancedOptionsContent->addElement(new htmlTableExtendedInputCheckbox('hideDeleteButton_' . $activeTypes[$i], $hideDeleteButton, _('Disallow delete'), '263'), true);
+ }
 // build advanced options box
 $advancedOptions = new htmlAccordion('advancedOptions_' . $activeTypes[$i], array(_('Advanced options') => $advancedOptionsContent), false);
 $advancedOptions->colspan = 15;
@@ -386,14 +379,17 @@ function checkInput() {
 $typeSettings[$key] = $_POST[$key];
 }
 }
- // set hidden
 for ($i = 0; $i < sizeof($accountTypes); $i++) {
+ // set hidden
 $key = "hidden_" . $accountTypes[$i];
- if (isset($_POST[$key]) && ($_POST[$key] == 'on')) {
- $typeSettings[$key] = true;
- }
- else {
- $typeSettings[$key] = false;
+ $typeSettings[$key] = (isset($_POST[$key]) && ($_POST[$key] == 'on'));
+ if (isLAMProVersion() && ($conf->getAccessLevel() == LAMConfig::ACCESS_ALL)) {
+ // set if new entries are allowed
+ $key = "hideNewButton_" . $accountTypes[$i];
+ $typeSettings[$key] = (isset($_POST[$key]) && ($_POST[$key] == 'on'));
+ // set if deletion of entries is allowed
+ $key = "hideDeleteButton_" . $accountTypes[$i];
+ $typeSettings[$key] = (isset($_POST[$key]) && ($_POST[$key] == 'on'));
 }
 }
 // save input
diff --git a/lam/templates/delete.php b/lam/templates/delete.php
index 3d936577..a34c6a5a 100644
--- a/lam/templates/delete.php
+++ b/lam/templates/delete.php
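Review bot: In checkInput() the `hideNewButton_*` and `hideDeleteButton_*` keys are only rewritten when `isLAMProVersion()` holds and the profile has `LAMConfig::ACCESS_ALL`; in every other case a value saved earlier stays in `$typeSettings` untouched, so a flag set while the profile had full access silently comes back into force if the access level is later raised again, and the checkboxes that would reveal it are hidden by the display hunk under the same condition. If that carry-over is intended, say so with a comment above the `if`, e.g. `// flags are only meaningful with full write access; keep stored values otherwise`; if not, reset both keys to `false` in an `else` branch so the saved profile matches what the form showed. The access-level condition is now duplicated between the display code and checkInput(); a tiny helper would keep the two from drifting apart. `$_POST[$key] == 'on'` is the existing loose comparison and works, but `=== 'on'` would be the strict form. checkInput() continues outside the hunk.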
@@ -72,6 +72,10 @@ if (isset($_GET['type']) && isset($_SESSION['delete_dn'])) { logNewMessage(LOG_ERR, 'Invalid type: ' . $_GET['type']); die(); } + if (!checkIfDeleteEntriesIsAllowed($_GET['type'])) { + logNewMessage(LOG_ERR, 'User tried to delete entries of forbidden type '. $_GET['type']); + die(); + } // Create account list foreach ($_SESSION['delete_dn'] as $dn) { $start = strpos ($dn, "=")+1; @@ -138,6 +142,10 @@ elseif (isset($_POST['cancelAllOk'])) { } if (isset($_POST['delete'])) { + if (!checkIfDeleteEntriesIsAllowed($_POST['type'])) { + logNewMessage(LOG_ERR, 'User tried to delete entries of forbidden type '. $_POST['type']); + die(); + } // Show HTML Page include 'main_header.php'; echo "
\n"; diff --git a/lam/templates/massBuildAccounts.php b/lam/templates/massBuildAccounts.php index 0ef6e525..73fdee67 100644 --- a/lam/templates/massBuildAccounts.php +++ b/lam/templates/massBuildAccounts.php @@ -97,6 +97,10 @@ if (isAccountTypeHidden($scope)) { logNewMessage(LOG_ERR, 'User tried to access hidden upload: ' . $scope); die(); } +if (!checkIfNewEntriesAreAllowed($scope)) { + logNewMessage(LOG_ERR, 'User tried to access forbidden upload: ' . $scope); + die(); +} echo ''; echo '
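Review bot: In the `$_POST['delete']` branch the new guard hands `$_POST['type']` straight to `checkIfDeleteEntriesIsAllowed()` without the `isset` and "Invalid type" validation that the GET branch above applies to `$_GET['type']`, and on a non-Pro installation the helper returns true before it even looks at `$scope`, so a missing or unknown type value passes this check and is then written verbatim into the log. Validate the POST value the same way the GET branch does before calling the helper, for example `if (!isset($_POST['type']) || !in_array($_POST['type'], $_SESSION['config']->get_ActiveTypes())) { logNewMessage(LOG_ERR, 'Invalid type'); die(); }` (the exact validation used by the GET branch is outside the hunk; mirror it). Placing the check before `include 'main_header.php'` is right, since `die()` then produces no partial page. The code that performs the LDAP deletions follows outside this hunk, so the guard is the only thing standing between the form and the delete.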
'; diff --git a/lam/templates/massDoUpload.php b/lam/templates/massDoUpload.php index a3711c57..caa45732 100644 --- a/lam/templates/massDoUpload.php +++ b/lam/templates/massDoUpload.php @@ -3,7 +3,7 @@ $Id$ This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/) - Copyright (C) 2004 - 2012 Roland Gruber + Copyright (C) 2004 - 2013 Roland Gruber This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -68,6 +68,10 @@ if (isAccountTypeHidden($scope)) { logNewMessage(LOG_ERR, 'User tried to access hidden upload: ' . $scope); die(); } +if (!checkIfNewEntriesAreAllowed($scope)) { + logNewMessage(LOG_ERR, 'User tried to access forbidden upload: ' . $scope); + die(); +} echo '
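Review bot: The same four-line guard `if (!checkIfNewEntriesAreAllowed($scope)) { logNewMessage(LOG_ERR, 'User tried to access forbidden upload: ' . $scope); die(); }` now appears verbatim in massBuildAccounts.php and massDoUpload.php, and with a different message in edit.php, each directly under the matching `isAccountTypeHidden()` guard. A single helper in security.inc that performs the check, logs and calls `die()` would keep the call sites identical when the check is tightened (for instance to include the write-access fix). The ordering here is good: the check runs before the first `echo`, so the refusal leaves no partial output. The copyright hunk of massDoUpload.php on this line needs no review.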
'; diff --git a/lam/templates/masscreate.php b/lam/templates/masscreate.php index 1352f598..a3aac9a9 100644 --- a/lam/templates/masscreate.php +++ b/lam/templates/masscreate.php @@ -78,9 +78,10 @@ include 'main_header.php'; // get possible types and remove those which do not support file upload $types = $_SESSION['config']->get_ActiveTypes(); -for ($i = 0; $i < sizeof($types); $i++) { +$count = sizeof($types); +for ($i = 0; $i < $count; $i++) { $myType = new $types[$i](); - if (!$myType->supportsFileUpload() || isAccountTypeHidden($types[$i])) { + if (!$myType->supportsFileUpload() || isAccountTypeHidden($types[$i]) || !checkIfNewEntriesAreAllowed($types[$i])) { unset($types[$i]); } }