From 93d4c1417e80977145f032c4dbab0ff3f59d4b9c Mon Sep 17 00:00:00 2001 From: Roland Gruber Date: Sun, 30 Dec 2007 16:08:54 +0000 Subject: [PATCH] added new security model --- lam/lib/lists.inc | 23 +++++++---- lam/lib/modules.inc | 70 +++++++++++++++++++------------- lam/lib/modules/posixAccount.inc | 3 ++ lam/lib/types/user.inc | 2 +- lam/templates/delete.php | 4 ++ lam/templates/initsuff.php | 4 ++ lam/templates/main.php | 5 ++- 7 files changed, 71 insertions(+), 40 deletions(-) diff --git a/lam/lib/lists.inc b/lam/lib/lists.inc index d3b30161..5720179c 100644 --- a/lam/lib/lists.inc +++ b/lam/lib/lists.inc @@ -462,9 +462,11 @@ class lamList { echo "\"""; echo "\n "; // delete image - echo "type . "&DN='" . $account['dn'] . "'\">"; - echo "\"""; - echo "\n "; + if (checkIfWriteAccessIsAllowed()) { + echo "type . "&DN='" . $account['dn'] . "'\">"; + echo "\"""; + echo "\n "; + } // pdf image echo "\n "; // additional tools @@ -504,6 +506,9 @@ class lamList { private function listDoPost() { // check if button was pressed and if we have to add/delete an account if (isset($_POST['new']) || isset($_POST['del'])){ + if (!checkIfWriteAccessIsAllowed()) { + die(); + } // add new account if (isset($_POST['new'])){ metaRefresh("../account/edit.php?type=" . $this->type . "&suffix=" . $this->suffix); @@ -703,12 +708,14 @@ class lamList { echo "\n"; echo "\n"; echo "\n"; echo "
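Review bot: `checkIfWriteAccessIsAllowed()` is called here and in the other hunks of this patch, but none of the seven files in the diffstat adds its definition, so lists.inc will fail with an undefined-function error unless the helper already landed in a shared include earlier; name that commit or include the definition here. Hiding the delete link is presentation only and the real gate is the die() this patch adds to delete.php, which is the correct place — a comment on the new if-line, `// UI hint only; delete.php re-checks write access before deleting`, records that so nobody later removes the server-side check as redundant. The re-added link also still inserts `$account['dn']` unescaped into what appears to be an href attribute (the markup is garbled in this rendering); since the line is being touched, wrapping the DN in urlencode() and htmlspecialchars() would close that off. The enclosing method starts and ends outside the hunk.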
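Review bot: The `die()` added to listDoPost ends the request with an empty body and no log entry, so a read-only user who posts `new` or `del` (for example from a stale page) gets a blank screen and the refused write is invisible to an administrator. Print a status message explaining the refusal before exiting, so the outcome is visible to the user and can be traced. The same bare die() pattern appears in modules.inc save_account(), posixAccount.inc doUploadPostActions(), delete.php and initsuff.php later in this patch and should be handled the same way. listDoPost continues past the end of the hunk.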
\n"; - // add/delete buttons - echo ("type . "\" type=\"submit\" name=\"new\" value=\"" . $this->labels['newEntry'] . "\">\n"); - if (!$createOnly) { - echo ("type . "\" type=\"submit\" name=\"del\" value=\"" . $this->labels['deleteEntry'] . "\">\n"); + if (checkIfWriteAccessIsAllowed()) { + // add/delete buttons + echo ("type . "\" type=\"submit\" name=\"new\" value=\"" . $this->labels['newEntry'] . "\">\n"); + if (!$createOnly) { + echo ("type . "\" type=\"submit\" name=\"del\" value=\"" . $this->labels['deleteEntry'] . "\">\n"); + } + echo "   "; } - echo "   "; $this->listShowOUSelection(); echo "\n"; diff --git a/lam/lib/modules.inc b/lam/lib/modules.inc index 794fe6b3..1ef80329 100644 --- a/lam/lib/modules.inc +++ b/lam/lib/modules.inc @@ -961,6 +961,43 @@ class accountContainer { return; } } + if (checkIfWriteAccessIsAllowed()) { + $this->printCommonControls(); + } + echo "
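Review bot: The spacer echo that followed the buttons has moved inside the new write-access block (the old copy below the reused `}` is removed), so for read-only sessions listShowOUSelection() now renders without the gap that separated it from the buttons — harmless, but a layout change the commit message does not mention; if unintended, keep that echo outside the block. A one-line comment on the outer if, `// buttons are hidden for read-only sessions; listDoPost() re-checks on POST`, would document why the UI check and the POST check both exist. The enclosing method starts outside the hunk.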
\n"; + // create module menu + echo "type."list\" border=0 width=\"100%\" style=\"border-collapse: collapse;\">\n"; + echo "type."list\" valign=\"top\">\n"; + // content header + echo "type . "list\">\n"; + echo "\n"; + echo "\n"; + echo "type . "list\">\n"; + // content area + echo "
"; + // tab menu + $this->printModuleTabs(); + echo "
\n"; + $this->printContentHeader(); + echo "
"; + // display html-code from modules + $return = array(); + + $return = call_user_func(array($this->module[$this->order[$this->current_page]], 'display_html_'.$this->subpage)); + + $y = 5000; + $z = 10000; + parseHtml($this->order[$this->current_page], $return, array(), false, $y, $z, $this->type); + // Display rest of html-page + echo "
*" . _('required'); + echo "
\n"; + $this->printPageFooter(); + } + + /** + * Prints common controls like the save button and the ou selection. + */ + private function printCommonControls() { echo "type."list\" style=\"border-width:0px;\" width=\"100%\">"; echo ""; - echo "
"; // save button @@ -990,35 +1027,7 @@ class accountContainer { echo "\n"; } echo "
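Review bot: In the block moved into this method, `$return = array();` is immediately overwritten by the `call_user_func(...)` assignment two lines below, so the first assignment is dead and should be dropped. `$y = 5000; $z = 10000;` are unexplained constants handed to parseHtml() — presumably tab-index counters, confirm against parseHtml() — and a comment naming what they are would save the next reader a lookup. Gating printCommonControls() on checkIfWriteAccessIsAllowed() only hides the save button; the enforcing check is the one added to save_account() later in this patch, which is the right layering. The new printCommonControls() body and the enclosing display method both continue beyond this hunk.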
"; - echo "
\n"; - // create module menu - echo "type."list\" border=0 width=\"100%\" style=\"border-collapse: collapse;\">\n"; - echo "type."list\" valign=\"top\">\n"; - // content header - echo "type . "list\">\n"; - echo "\n"; - echo "\n"; - echo "type . "list\">\n"; - // content area - echo "
"; - // tab menu - $this->printModuleTabs(); - echo "
\n"; - $this->printContentHeader(); - echo "
"; - // display html-code from modules - $return = array(); - - $return = call_user_func(array($this->module[$this->order[$this->current_page]], 'display_html_'.$this->subpage)); - - $y = 5000; - $z = 10000; - parseHtml($this->order[$this->current_page], $return, array(), false, $y, $z, $this->type); - // Display rest of html-page - echo "
*" . _('required'); - echo "
\n"; - $this->printPageFooter(); + echo "
"; } /** @@ -1439,6 +1448,9 @@ class accountContainer { * @return array list of status messages if any errors occured */ function save_account() { + if (!checkIfWriteAccessIsAllowed()) { + die(); + } $finalDN = $this->dn; $errors = array(); $ldapUser = $_SESSION['ldap']->decrypt_login(); diff --git a/lam/lib/modules/posixAccount.inc b/lam/lib/modules/posixAccount.inc index d02b6c2b..4bf43e24 100644 --- a/lam/lib/modules/posixAccount.inc +++ b/lam/lib/modules/posixAccount.inc @@ -1521,6 +1521,9 @@ class posixAccount extends baseModule { *
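Review bot: save_account() is documented immediately above as returning an array of status messages, but the new guard calls `die()`, so the caller never receives a message it can render and the account page simply goes blank. Return the refusal through the existing `$errors` array, in the same shape as the other error entries this function builds, which keeps the documented contract and lets the page show why nothing was saved. The function body continues below the hunk.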
) */ function doUploadPostActions($data, $ids, $failed, &$temp) { + if (!checkIfWriteAccessIsAllowed()) { + die(); + } // on first call generate list of ldap operations if (!isset($temp['counter'])) { $temp['groups'] = array(); diff --git a/lam/lib/types/user.inc b/lam/lib/types/user.inc index 1717b909..ae9790ba 100644 --- a/lam/lib/types/user.inc +++ b/lam/lib/types/user.inc @@ -225,7 +225,7 @@ class lamUserList extends lamList { if (!isLAMProVersion()) { return array(); } - else { + elseif (checkIfPasswordChangeIsAllowed()) { $passwordTool = new lamListTool(_('Change password'), 'key.png', 'changePassword.php'); return array($passwordTool); } diff --git a/lam/templates/delete.php b/lam/templates/delete.php index 58973eb6..4d617fa0 100644 --- a/lam/templates/delete.php +++ b/lam/templates/delete.php @@ -49,6 +49,10 @@ include_once('../lib/modules.inc'); // Start session startSecureSession(); +if (!checkIfWriteAccessIsAllowed()) { + die(); +} + // Redirect to startpage if user is not loged in if (!isset($_SESSION['loggedIn'])) { metaRefresh("login.php"); diff --git a/lam/templates/initsuff.php b/lam/templates/initsuff.php index a44037f9..8b221ee6 100644 --- a/lam/templates/initsuff.php +++ b/lam/templates/initsuff.php @@ -40,6 +40,10 @@ include_once("../lib/status.inc"); // start session startSecureSession(); +if (!checkIfWriteAccessIsAllowed()) { + die(); +} + setlanguage(); // check if user already pressed button diff --git a/lam/templates/main.php b/lam/templates/main.php index 820808b9..682a34a3 100644 --- a/lam/templates/main.php +++ b/lam/templates/main.php @@ -71,8 +71,9 @@ echo ("\n"); echo ("\n"); echo ("\n"); // display page to add suffixes, if needed -if (sizeof($new_suffs) > 0) echo ("\n"); +if ((sizeof($new_suffs) > 0) && checkIfWriteAccessIsAllowed()) { + echo ("\n"); +} else { if (sizeof($types) > 0) { echo ("\n");
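Review bot: doUploadPostActions() appears to run after the uploaded accounts have already been written (the name and the `$temp['counter']` state suggest repeated calls once the upload is under way), so a `die()` here cannot undo anything and only aborts the remaining post-actions with a blank page, leaving the upload half-applied. The write-access check belongs at the upload entry point before the first LDAP write; if a check is still wanted here, return an error entry in this method's documented result array instead of dying. The method continues past the hunk.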
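Review bot: Changing `else` to `elseif (checkIfPasswordChangeIsAllowed())` leaves no branch for the Pro-version-without-permission case, so the method now falls off the end and returns null where every other path returns an array; any caller iterating or merging the result will break. Add `return array();` after the elseif block, or collapse to `if (isLAMProVersion() && checkIfPasswordChangeIsAllowed()) { ... }` with a single trailing `return array();`. Hiding the tool is also only a UI measure; changePassword.php is not in this patch and needs its own checkIfPasswordChangeIsAllowed() guard to actually enforce the new permission. The method's closing brace is outside the hunk.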
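Review bot: The write-access guard is placed before the `loggedIn` check, so an unauthenticated request is evaluated by checkIfWriteAccessIsAllowed() on a session that holds no login data; depending on what the helper returns in that state the visitor either gets a blank die() instead of the login redirect, or the guard is effectively skipped for that request. Move the three new lines below the `metaRefresh("login.php")` block so authentication is decided first and authorization second. The initsuff.php hunk in this patch adds the same guard directly after startSecureSession() and should follow the same order relative to whatever login check that file has.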
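Review bot: The comment above the new condition still reads `// display page to add suffixes, if needed` while the condition now also requires write access; update it to `// display page to add suffixes, if needed and the session has write access` so the read-only fallthrough is documented. A read-only user with missing suffixes now lands on the main page with no hint that the tree is incomplete; a status message in the else branch would make that visible. `sizeof()` is an alias of `count()`; prefer `count()` for consistency with current PHP style.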