diff --git a/lam/help/help.inc b/lam/help/help.inc index c3820012..5956015f 100644 --- a/lam/help/help.inc +++ b/lam/help/help.inc @@ -149,6 +149,11 @@ $helpArray = array ( "Text" => _("Here you can specify minimum requirements for passwords. The character classes are: lowercase, uppercase, numeric and symbols.")), "250" => array ("Headline" => _("Filter"), "Text" => _("Here you can input simple filter expressions (e.g. 'value' or 'v*'). The filter is case-sensitive.")), + "260" => array ("Headline" => _("Additional LDAP filter"), + "Text" => _('Use this to enter an additional LDAP filter (e.g. "(cn!=admin)") to reduce the number of visible elements for this account type.') + . ' ' . _('By default LAM will show all accounts that match the selected account modules.')), + "261" => array ("Headline" => _("Hidden"), + "Text" => _('Hidden account types will not show up in LAM. This is useful if you want to display e.g. only groups but still need to manage their members.')), // 300 - 399 // profile editor, file upload "301" => array ("Headline" => _("RDN identifier"), diff --git a/lam/lib/config.inc b/lam/lib/config.inc index 3bcc8ff9..90b91cc8 100644 --- a/lam/lib/config.inc +++ b/lam/lib/config.inc @@ -200,6 +200,16 @@ function metaRefresh($page) { echo "\n"; } +/** + * Checks if the given account type is hidden. + * + * @param String $type account type (e.g. user) + * @return boolean is hidden + */ +function isAccountTypeHidden($type) { + $typeSettings = $_SESSION['config']->get_typeSettings(); + return isset($typeSettings['hidden_' . $type]) && ($typeSettings['hidden_' . $type] == true); +} /** * This class manages .conf files. diff --git a/lam/lib/modules.inc b/lam/lib/modules.inc index 4acbfccf..860142c6 100644 --- a/lam/lib/modules.inc +++ b/lam/lib/modules.inc 
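Review bot: The example filter in help entry 260, `(cn!=admin)`, is not valid LDAP filter syntax: the string form of LDAP filters has no `!=` operator, and negation is written `(!(cn=admin))`. An administrator who copies the example into the new field ends up with a filter that is ANDed into every search for that account type and that the server will presumably reject. I would change the example in the help text to `(!(cn=admin))`.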
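Review bot: isAccountTypeHidden() returns false for any string that has no `hidden_` key, so it also returns false for a value that is not a configured account type at all. The callers in this commit that use it as a gate on a request parameter (account/edit.php, lists/list.php) therefore still pass an arbitrary `type` on to `new accountContainer($type, 'account')` or `getListClassName($type)`. Consider pairing it at those call sites with an allow-list test such as `in_array($type, $_SESSION['config']->get_ActiveTypes())`. If the setting is always stored as a boolean, `=== true` would be the safer comparison here; how the value is persisted and read back is not visible in this diff.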
@@ -104,6 +104,11 @@ function get_ldap_filter($scope) { } // add built OR filter to AND filters if ($orFilter != '') $filters['and'][] = $orFilter; + // add type filter + $typeSettings = $_SESSION['config']->get_typeSettings(); + if (isset($typeSettings['filter_' . $scope]) && ($typeSettings['filter_' . $scope] != '')) { + $filters['and'][] = $typeSettings['filter_' . $scope]; + } // collapse AND filters if (sizeof($filters['and']) < 2) return $filters['and'][0]; else return "(&" . implode("", $filters['and']) . ")"; diff --git a/lam/lib/types/group.inc b/lam/lib/types/group.inc index 085d32c3..57665abe 100644 --- a/lam/lib/types/group.inc +++ b/lam/lib/types/group.inc @@ -262,7 +262,10 @@ class lamGroupList extends lamList { // make a link for each member of the group for ($d = 0; $d < sizeof($attr); $d++) { $user = $attr[$d]; // user name - if (isset($primaryvals[$user])) { + if (isAccountTypeHidden('user')) { + $linklist[$d] = $user; + } + elseif (isset($primaryvals[$user])) { $linklist[$d] = "" . $user . ""; } else { @@ -274,7 +277,12 @@ class lamGroupList extends lamList { // make a link for each member of the group for ($d = 0; $d < sizeof($entry[$attribute]); $d++) { $user = $entry[$attribute][$d]; // user name - $linklist[$d] = "" . $user . ""; + if (!isAccountTypeHidden('user')) { + $linklist[$d] = "" . $user . ""; + } + else { + $linklist[$d] = $user; + } } } echo implode("; ", $linklist); diff --git a/lam/lib/upgrade.inc b/lam/lib/upgrade.inc index cb03f84f..9336f10b 100644 --- a/lam/lib/upgrade.inc +++ b/lam/lib/upgrade.inc 
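Review bot: The `filter_<scope>` value appended to `$filters['and']` in get_ldap_filter() is used exactly as stored, and the `filter_` branch added to checkInput() in templates/config/conftypes.php saves `$_POST[$key]` without any validation, unlike the suffix and attribute branches beside it. A value without enclosing parentheses, or with unbalanced ones, produces a malformed `(&...)` expression, or one grouped differently from what the administrator intended, for every list of that type. I would reject such input when saving, for example by requiring the value to start with `(`, end with `)` and have balanced parentheses, and report it through `$errors[]` in the same style as the other branches. get_ldap_filter() starts above this hunk.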
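Review bot: In both lamGroupList hunks the new hidden-type branch sets `$linklist[$d] = $user;` and the list is then printed with `echo implode("; ", $linklist);`, so the member name read from the directory entry reaches the page without HTML escaping. Unless the values are escaped before they get here, which is not visible in the hunk, I would write `$linklist[$d] = htmlspecialchars($user);` in both places. The link markup of the other branches is not visible on this page, so I cannot tell whether they have the same problem. `isAccountTypeHidden('user')` is also loop-invariant and could be evaluated once before each `for`.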
@@ -168,7 +168,7 @@ function recursiveCopy($src, $dst, $profiles, $fileFilter = null, $overwrite = t StatusMessage('ERROR', 'Upgrade failed.', 'The directory \'' . $dst . '\' could not be created.'); } } - while (false !== ($file = readdir($dir))) { + while (false !== ($file = @readdir($dir))) { if ($file != '.' && $file != '..' && !in_array($file, $profiles)) { if (is_dir($src . '/' . $file) && ($file == 'logos')) { recursiveCopy($src . '/' . $file, $dst . '/' . $file, $profiles, $fileFilter, $overwrite); diff --git a/lam/templates/account/edit.php b/lam/templates/account/edit.php index 657c8e8f..19d970ff 100644 --- a/lam/templates/account/edit.php +++ b/lam/templates/account/edit.php @@ -4,6 +4,7 @@ $Id$ This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/) Copyright (C) 2003 - 2006 Tilo Lutz + 2005 - 2012 Roland Gruber This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -28,6 +29,7 @@ $Id$ * * @package modules * @author Tilo Lutz +* @author Roland Gruber */ /** security functions */ @@ -60,6 +62,10 @@ if (isset($_GET['DN'])) { $DN = str_replace("\\'", '', $_GET['DN']); $type = str_replace("\\'", '', $_GET['type']); if ($_GET['type'] == $type) $type = str_replace("'", '',$_GET['type']); + if (isAccountTypeHidden($type)) { + logNewMessage(LOG_ERR, 'User tried to access hidden account type: ' . $type); + die(); + } if ($_GET['DN'] == $DN) $DN = str_replace("'", '',$_GET['DN']); $_SESSION['account'] = new accountContainer($type, 'account'); $result = $_SESSION['account']->load_account($DN); 
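Review bot: The `@` added in front of `readdir($dir)` in recursiveCopy() silences the diagnostic instead of handling whatever causes it. If the warning comes from `$dir` not being a valid handle after a failed open, I would test the handle before the loop and report it with `StatusMessage('ERROR', 'Upgrade failed.', ...)` as the directory-creation failure just above does. The call that opens `$dir` is outside the hunk, so the cause is inferred. At minimum a comment should say which warning is being suppressed and why that is safe.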
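Review bot: The rejected `$type` is concatenated into the log message as received from the request; only quote characters have been stripped at this point, so line breaks or control characters in the parameter end up in the log entry unless logNewMessage() cleans its argument. The same pattern is in the second edit.php hunk and in lists/list.php, massBuildAccounts.php, pdfedit/pdfpage.php, profedit/profilemain.php and profedit/profilepage.php. I would log a cleaned value, e.g. `logNewMessage(LOG_ERR, 'User tried to access hidden account type: ' . preg_replace('/[^a-zA-Z0-9_]/', '', $type));`. pdfpage.php and profilepage.php also read `$_GET['type']` without an `isset()` check.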
@@ -76,6 +82,10 @@ if (isset($_GET['DN'])) { else if (count($_POST)==0) { $type = str_replace("\\'", '', $_GET['type']); if ($_GET['type'] == $type) $type = str_replace("'", '',$_GET['type']); + if (isAccountTypeHidden($type)) { + logNewMessage(LOG_ERR, 'User tried to access hidden account type: ' . $type); + die(); + } $_SESSION['account'] = new accountContainer($type, 'account'); $_SESSION['account']->new_account(); } diff --git a/lam/templates/config/conftypes.php b/lam/templates/config/conftypes.php index 7b54a1bb..222ee925 100644 --- a/lam/templates/config/conftypes.php +++ b/lam/templates/config/conftypes.php @@ -247,7 +247,18 @@ if (sizeof($activeTypes) > 0) { $suffixInput = new htmlInputField('suffix_' . $activeTypes[$i], $typeSettings['suffix_' . $activeTypes[$i]]); $suffixInput->setFieldSize(40); $activeContainer->addElement($suffixInput); - $activeContainer->addElement(new htmlHelpLink('202'), true); + $activeContainer->addElement(new htmlHelpLink('202')); + $activeContainer->addElement(new htmlSpacer('10px', null)); + // LDAP filter + $filterText = new htmlOutputText(_("Additional LDAP filter")); + $filterText->colspan = 2; + $activeContainer->addElement($filterText); + $activeContainer->addElement(new htmlSpacer('10px', null)); + $filterInput = new htmlInputField('filter_' . $activeTypes[$i], $typeSettings['filter_' . $activeTypes[$i]]); + $filterInput->setFieldSize(40); + $activeContainer->addElement($filterInput); + $activeContainer->addElement(new htmlHelpLink('260')); + $activeContainer->addNewLine(); // list attributes if (isset($typeSettings['attr_' . $activeTypes[$i]])) { $attributes = $typeSettings['attr_' . $activeTypes[$i]]; 
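Review bot: `$typeSettings['filter_' . $activeTypes[$i]]` is read without an `isset()` guard, although the list-attributes code directly below tests `isset($typeSettings['attr_' . $activeTypes[$i]])` first. A configuration saved before this change presumably has no `filter_` key, so the page would raise an undefined-index notice; the `hidden_` read passed to `htmlInputCheckbox` in the next conftypes.php hunk has the same issue. I would default both, e.g. `$filter = isset($typeSettings['filter_' . $activeTypes[$i]]) ? $typeSettings['filter_' . $activeTypes[$i]] : '';` and pass `$filter` to the input field.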
@@ -262,7 +273,16 @@ if (sizeof($activeTypes) > 0) { $attrsInput = new htmlInputField('attr_' . $activeTypes[$i], $attributes); $attrsInput->setFieldSize(40); $activeContainer->addElement($attrsInput); - $activeContainer->addElement(new htmlHelpLink('206'), true); + $activeContainer->addElement(new htmlHelpLink('206')); + $activeContainer->addElement(new htmlSpacer('10px', null)); + // hidden type + $hiddenText = new htmlOutputText(_('Hidden')); + $hiddenText->colspan = 2; + $activeContainer->addElement($hiddenText); + $activeContainer->addElement(new htmlSpacer('10px', null)); + $activeContainer->addElement(new htmlInputCheckbox('hidden_' . $activeTypes[$i], $typeSettings['hidden_' . $activeTypes[$i]])); + $activeContainer->addElement(new htmlHelpLink('261')); + $activeContainer->addNewLine(); // delete button $delButton = new htmlButton('rem_'. $activeTypes[$i], _("Remove this account type")); $delButton->colspan = 5; @@ -334,6 +354,7 @@ function checkInput() { $errors[] = array("ERROR", _("LDAP Suffix is invalid!"), getTypeAlias($type)); } } + // set attributes elseif (substr($key, 0, 5) == "attr_") { $typeSettings[$key] = $_POST[$key]; $type = substr($postKeys[$i], 5); @@ -341,6 +362,14 @@ function checkInput() { $errors[] = array("ERROR", _("List attributes are invalid!"), getTypeAlias($type)); } } + // set filter + elseif (substr($key, 0, 7) == "filter_") { + $typeSettings[$key] = $_POST[$key]; + } + // set hidden + elseif (substr($key, 0, 7) == "hidden_") { + $typeSettings[$key] = ($_POST[$key] == 'on'); + } } // save input $conf->set_typeSettings($typeSettings); diff --git a/lam/templates/lists/list.php b/lam/templates/lists/list.php index 20c70c77..3644778c 100644 --- a/lam/templates/lists/list.php +++ b/lam/templates/lists/list.php 
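Review bot: The `hidden_` branch in checkInput() runs only for keys present in `$_POST`, and browsers do not submit an unchecked checkbox, so unticking "Hidden" never reaches `$typeSettings[$key] = ($_POST[$key] == 'on');`. If `$typeSettings` is seeded from the stored configuration (its initialisation is outside the hunk), a type that was hidden once stays hidden. I would reset the flag to false for every active type before the loop over the posted keys and let this branch only set it to true. checkInput() starts and ends outside this hunk.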
@@ -3,7 +3,7 @@ $Id$ This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/) - Copyright (C) 2003 - 2006 Roland Gruber + Copyright (C) 2003 - 2012 Roland Gruber This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -41,9 +41,15 @@ startSecureSession(); setlanguage(); +$type = $_GET['type']; + +// check if list is hidden +if (isAccountTypeHidden($type)) { + logNewMessage(LOG_ERR, 'User tried to access hidden account list: ' . $type); + die(); +} // create list object if needed -$type = $_GET['type']; $listClass = getListClassName($type); if (!isset($_SESSION['list_' . $type])) { $list = new $listClass($type); diff --git a/lam/templates/main.php b/lam/templates/main.php index d02b2c1f..fdbfb07d 100644 --- a/lam/templates/main.php +++ b/lam/templates/main.php @@ -3,7 +3,7 @@ $Id$ This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/) - Copyright (C) 2003 - 2011 Roland Gruber + Copyright (C) 2003 - 2012 Roland Gruber This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -57,7 +57,13 @@ if ((sizeof($new_suffs) > 0) && checkIfWriteAccessIsAllowed()) { } else { if (sizeof($types) > 0) { - metaRefresh("lists/list.php?type=" . $types[0]); + for ($i = 0; $i < sizeof($types); $i++) { + if (isAccountTypeHidden($types[$i])) { + continue; + } + metaRefresh("lists/list.php?type=" . $types[$i]); + break; + } } else { metaRefresh("tree/treeViewContainer.php"); diff --git a/lam/templates/main_header.php b/lam/templates/main_header.php index 3a4cb53e..55ba8d79 100644 --- a/lam/templates/main_header.php +++ b/lam/templates/main_header.php 
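Review bot: When every entry in `$types` is hidden, the new loop in main.php finishes without calling metaRefresh(), and the `else` branch with the tree view is skipped because `sizeof($types) > 0`, so the page sends no redirect at all. I would record whether a redirect was issued (`$redirected = true;` before the `break`) and fall back after the loop with `if (!$redirected) metaRefresh("tree/treeViewContainer.php");`.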
@@ -3,7 +3,7 @@ $Id$ This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/) - Copyright (C) 2003 - 2011 Roland Gruber + Copyright (C) 2003 - 2012 Roland Gruber This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -200,6 +200,9 @@ jQuery(document).ready(function() { ' . '' . $types[$i] . ' ' . diff --git a/lam/templates/massBuildAccounts.php b/lam/templates/massBuildAccounts.php index b49316c5..df1bdd29 100644 --- a/lam/templates/massBuildAccounts.php +++ b/lam/templates/massBuildAccounts.php @@ -91,6 +91,13 @@ if (isset($_GET['showldif'])) { include 'main_header.php'; $scope = htmlspecialchars($_POST['scope']); + +// check if account type is ok +if (isAccountTypeHidden($scope)) { + logNewMessage(LOG_ERR, 'User tried to access hidden upload: ' . $scope); + die(); +} + echo '
'; $selectedModules = explode(',', $_POST['selectedModules']); diff --git a/lam/templates/massDoUpload.php b/lam/templates/massDoUpload.php index e296a1cf..c466525c 100644 --- a/lam/templates/massDoUpload.php +++ b/lam/templates/massDoUpload.php @@ -62,6 +62,13 @@ setlanguage(); include 'main_header.php'; $scope = htmlspecialchars($_SESSION['mass_scope']); + +// check if account type is ok +if (isAccountTypeHidden($scope)) { + logNewMessage(LOG_ERR, 'User tried to access hidden upload: ' . $scope); + die(); +} + echo '
'; // create accounts diff --git a/lam/templates/masscreate.php b/lam/templates/masscreate.php index fb0a0305..4837cc23 100644 --- a/lam/templates/masscreate.php +++ b/lam/templates/masscreate.php @@ -80,7 +80,7 @@ include 'main_header.php'; $types = $_SESSION['config']->get_ActiveTypes(); for ($i = 0; $i < sizeof($types); $i++) { $myType = new $types[$i](); - if (!$myType->supportsFileUpload()) { + if (!$myType->supportsFileUpload() || isAccountTypeHidden($types[$i])) { unset($types[$i]); } } diff --git a/lam/templates/ou_edit.php b/lam/templates/ou_edit.php index 68cbe564..593a7a28 100644 --- a/lam/templates/ou_edit.php +++ b/lam/templates/ou_edit.php @@ -3,7 +3,7 @@ $Id$ This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/) - Copyright (C) 2003 - 2010 Roland Gruber + Copyright (C) 2003 - 2012 Roland Gruber This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -164,6 +164,9 @@ function display_main($message, $error) { $types = array(); $typeList = $_SESSION['config']->get_ActiveTypes(); for ($i = 0; $i < sizeof($typeList); $i++) { + if (isAccountTypeHidden($typeList[$i])) { + continue; + } $types[$typeList[$i]] = getTypeAlias($typeList[$i]); } natcasesort($types); diff --git a/lam/templates/pdfedit/pdfmain.php b/lam/templates/pdfedit/pdfmain.php index 817352f6..b69ee52b 100644 --- a/lam/templates/pdfedit/pdfmain.php +++ b/lam/templates/pdfedit/pdfmain.php @@ -73,6 +73,9 @@ if(isset($_POST['createNewTemplate'])) { $scopes = $_SESSION['config']->get_ActiveTypes(); $sortedScopes = array(); for ($i = 0; $i < sizeof($scopes); $i++) { + if (isAccountTypeHidden($scopes[$i])) { + continue; + } $sortedScopes[$scopes[$i]] = getTypeAlias($scopes[$i]); } natcasesort($sortedScopes); diff --git a/lam/templates/pdfedit/pdfpage.php b/lam/templates/pdfedit/pdfpage.php index 7c337704..e8ec8526 100644 --- a/lam/templates/pdfedit/pdfpage.php 
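Review bot: The loop in masscreate.php re-evaluates `sizeof($types)` after each `unset($types[$i])`, so every removal shortens the range and the last entries are never examined. With the added `isAccountTypeHidden($types[$i])` test, a hidden type near the end of the list can stay in the upload selection whenever an earlier type was removed. Taking the count once fixes it: `$typeCount = sizeof($types);` followed by `for ($i = 0; $i < $typeCount; $i++) {`. massBuildAccounts.php repeats the hidden check on submit, so this affects what is offered rather than what is accepted.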
+++ b/lam/templates/pdfedit/pdfpage.php @@ -4,7 +4,7 @@ $Id$ This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/) Copyright (C) 2003 - 2006 Michael Duergner - 2007 - 2010 Roland Gruber + 2007 - 2012 Roland Gruber This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -69,6 +69,11 @@ if(isset($_POST['type'])) { } } +if (isAccountTypeHidden($_GET['type'])) { + logNewMessage(LOG_ERR, 'User tried to access hidden PDF structure: ' . $_GET['type']); + die(); +} + // Abort and go back to main pdf structure page if(isset($_GET['abort'])) { diff --git a/lam/templates/profedit/profilemain.php b/lam/templates/profedit/profilemain.php index c377a7dd..6d60c0d5 100644 --- a/lam/templates/profedit/profilemain.php +++ b/lam/templates/profedit/profilemain.php @@ -51,6 +51,9 @@ $types = $_SESSION['config']->get_ActiveTypes(); $profileClasses = array(); $profileClassesTemp = array(); for ($i = 0; $i < sizeof($types); $i++) { + if (isAccountTypeHidden($types[$i])) { + continue; + } $profileClassesTemp[getTypeAlias($types[$i])] = array( 'scope' => $types[$i], 'title' => getTypeAlias($types[$i]), @@ -97,6 +100,10 @@ $container = new htmlTable(); $container->addElement(new htmlTitle(_("Profile editor")), true); if (isset($_POST['deleteProfile']) && ($_POST['deleteProfile'] == 'true')) { + if (isAccountTypeHidden($_POST['profileDeleteType'])) { + logNewMessage(LOG_ERR, 'User tried to delete hidden account type profile: ' . $_POST['profileDeleteType']); + die(); + } // delete profile if (delAccountProfile($_POST['profileDeleteName'], $_POST['profileDeleteType'])) { $message = new htmlStatusMessage('INFO', _('Deleted profile.'), getTypeAlias($_POST['profileDeleteType']) . ': ' . htmlspecialchars($_POST['profileDeleteName'])); diff --git a/lam/templates/profedit/profilepage.php b/lam/templates/profedit/profilepage.php index 819b9538..0a4209ae 100644 
--- a/lam/templates/profedit/profilepage.php +++ b/lam/templates/profedit/profilepage.php @@ -3,7 +3,7 @@ $Id$ This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/) - Copyright (C) 2003 - 2010 Roland Gruber + Copyright (C) 2003 - 2012 Roland Gruber This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -61,6 +61,11 @@ if (!$_SESSION['ldap'] || !$_SESSION['ldap']->server()) { if (isset($_POST['profname'])) $_GET['edit'] = $_POST['profname']; if (isset($_POST['accounttype'])) $_GET['type'] = $_POST['accounttype']; +if (isAccountTypeHidden($_GET['type'])) { + logNewMessage(LOG_ERR, 'User tried to access hidden account type profile: ' . $_GET['type']); + die(); +} + // abort button was pressed // back to profile editor if (isset($_POST['abort'])) {