diff --git a/lam/HISTORY b/lam/HISTORY index 4a26def9..5891c619 100644 --- a/lam/HISTORY +++ b/lam/HISTORY @@ -3,6 +3,7 @@ March 2014 4.5 - Personal: allow to set fields read-only - Added option to server profile if referrals should be followed (fixes problems with Samba 4 and AD) - LAM Pro: + -> Allow to set single account types read-only -> Separate IP restriction list for self service diff --git a/lam/README b/lam/README index 45f89438..790dff75 100644 --- a/lam/README +++ b/lam/README @@ -15,7 +15,7 @@ LAM - Readme https://www.ldap-account-manager.org/ - Copyright (C) 2003 - 2013 Roland Gruber + Copyright (C) 2003 - 2014 Roland Gruber Installation and documentation: Please see the LAM manual in docs/manual/index.html. diff --git a/lam/copyright b/lam/copyright index 9af51abd..4d6e970e 100644 --- a/lam/copyright +++ b/lam/copyright @@ -1,4 +1,4 @@ -This software is copyright (c) 2003 - 2013 by Roland Gruber +This software is copyright (c) 2003 - 2014 by Roland Gruber If you purchased a copy of LDAP Account Manager Pro then the following files are licensed under the conditions which you accepted at purchase diff --git a/lam/docs/manual-sources/howto.xml b/lam/docs/manual-sources/howto.xml index 5411e565..f12934b9 100644 --- a/lam/docs/manual-sources/howto.xml +++ b/lam/docs/manual-sources/howto.xml @@ -19,7 +19,7 @@ https://www.ldap-account-manager.org/ - Copyright (C) 2003 - 2013 Roland Gruber + Copyright (C) 2003 - 2014 Roland Gruber <post@rolandgruber.de> Key features: @@ -1388,6 +1388,15 @@ Have fun! users. + + Read-only (LAM Pro only): + This allows to set a single account type to read-only mode. + Please note that this is a restriction on functional level (e.g. + group memberships can be changed on user page even if groups are + read-only) and is no replacement for setting up proper ACLs on + your LDAP server. + + Custom label: Here you can set a custom label for the account types. Use this if the 
diff --git a/lam/docs/manual-sources/images/configTypes2.png b/lam/docs/manual-sources/images/configTypes2.png index 69735f24..3e7bbb85 100644 Binary files a/lam/docs/manual-sources/images/configTypes2.png and b/lam/docs/manual-sources/images/configTypes2.png differ diff --git a/lam/help/help.inc b/lam/help/help.inc index a96d14d9..ac3eb8bc 100644 --- a/lam/help/help.inc +++ b/lam/help/help.inc @@ -4,7 +4,7 @@ $Id$ This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/) Copyright (C) 2003 - 2006 Michael Duergner - 2003 - 2013 Roland Gruber + 2003 - 2014 Roland Gruber This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -171,6 +171,8 @@ $helpArray = array ( "Text" => _('If checked then the user will not be able to delete entries of this account type.')), "264" => array ("Headline" => _('Custom label'), "Text" => _('Here you can overwrite the display name for this account type.')), + "265" => array ("Headline" => _('Read-only'), + "Text" => _('Sets this account type to read-only.')), // 300 - 399 // profile editor, file upload "301" => array ("Headline" => _("RDN identifier"), diff --git a/lam/lib/html.inc b/lam/lib/html.inc index 5a86b089..3691554f 100644 --- a/lam/lib/html.inc +++ b/lam/lib/html.inc @@ -1728,6 +1728,10 @@ class htmlInputCheckbox extends htmlElement { protected $tableRowsToShow = array(); /** indicates that this field should not automatically be saved in the self service or server profile */ private $transient = false; + /** list of input elements to enable when checked */ + protected $elementsToEnable = array(); + /** list of input elements to disable when checked */ + protected $elementsToDisable = array(); /** 
@@ -1776,7 +1780,6 @@ class htmlInputCheckbox extends htmlElement { $script = ''; if ((sizeof($this->tableRowsToShow) > 0) || (sizeof($this->tableRowsToHide) > 0)) { // build onChange listener - $onChange = ' onChange="'; $onChange .= 'if (jQuery(\'#' . $this->name . ':checked\').val() !== undefined) {'; for ($i = 0; $i < sizeof($this->tableRowsToShow); $i++) { $onChange .= 'jQuery(\'#' . $this->tableRowsToShow[$i] . '\').closest(\'tr\').removeClass(\'hidden\');'; @@ -1793,7 +1796,6 @@ class htmlInputCheckbox extends htmlElement { $onChange .= 'jQuery(\'#' . $this->tableRowsToHide[$i] . '\').closest(\'tr\').removeClass(\'hidden\');'; } $onChange .= '};'; - $onChange .= '"'; // build script to set initial state $script = ''; } + // build Java script to enable/disable elements + if ((sizeof($this->elementsToEnable) > 0) || (sizeof($this->elementsToDisable) > 0)) { + // build onChange listener + $onChange .= 'if (jQuery(\'#' . $this->name . ':checked\').val() !== undefined) {'; + for ($i = 0; $i < sizeof($this->elementsToEnable); $i++) { + $onChange .= 'jQuery(\'#' . $this->elementsToEnable[$i] . '\').prop(\'disabled\', false);'; + } + for ($i = 0; $i < sizeof($this->elementsToDisable); $i++) { + $onChange .= 'jQuery(\'#' . $this->elementsToDisable[$i] . '\').prop(\'disabled\', true);'; + } + $onChange .= '}'; + $onChange .= 'else {'; + for ($i = 0; $i < sizeof($this->elementsToEnable); $i++) { + $onChange .= 'jQuery(\'#' . $this->elementsToEnable[$i] . '\').prop(\'disabled\', true);'; + } + for ($i = 0; $i < sizeof($this->elementsToDisable); $i++) { + $onChange .= 'jQuery(\'#' . $this->elementsToDisable[$i] . '\').prop(\'disabled\', false);'; + } + $onChange .= '};'; + // build script to set initial state + $script = ''; + } + if (!empty($onChange)) { + $onChange = ' onChange="' . $onChange . '"'; + } echo ''; echo $script; if ($this->transient) { 
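Review bot: With `$onChange = ' onChange="';` removed, the listener code in the first hunk now begins with `$onChange .= ...`, so unless `$onChange` is initialised above these hunks the first append operates on an undefined variable and the final `if (!empty($onChange))` depends on that accident; reset it alongside the existing line, `$script = ''; $onChange = '';`. Separately, the IDs from `tableRowsToShow`, `tableRowsToHide`, `elementsToEnable` and `elementsToDisable` are concatenated into a double-quoted `onChange` attribute and into single-quoted jQuery selectors without any escaping; today they come from code rather than request input, but a quote in an ID would break out of the attribute, so passing them through `htmlspecialchars($id, ENT_QUOTES)` (or rejecting IDs outside `[A-Za-z0-9_-]` in the setters) would make the helper safe to reuse. The enclosing print method starts before and continues after these hunks.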
@@ -1868,6 +1910,26 @@ class htmlInputCheckbox extends htmlElement { $this->transient = $transient; } + /** + * This will disable the given input elements when the checkbox is checked. + * The given IDs can be of any input element (e.g. select, checkbox, ...). + * + * @param array $elements IDs of elements to disable + */ + public function setElementsToDisable($elements) { + $this->elementsToDisable = $elements; + } + + /** + * This will enable the given input elements when the checkbox is checked. + * The given IDs can be of any input element (e.g. select, checkbox, ...). + * + * @param array $elements IDs of elements to enable + */ + public function setElementsToEnable($elements) { + $this->elementsToEnable = $elements; + } + } /** diff --git a/lam/lib/lists.inc b/lam/lib/lists.inc index 06ab87f0..34328810 100644 --- a/lam/lib/lists.inc +++ b/lam/lib/lists.inc @@ -486,7 +486,7 @@ class lamList { $group->addElement($editLink); $toolCount++; // delete link - if (checkIfWriteAccessIsAllowed() && checkIfDeleteEntriesIsAllowed($this->type)) { + if (checkIfWriteAccessIsAllowed($this->type) && checkIfDeleteEntriesIsAllowed($this->type)) { $deleteLink = new htmlLink('', "deletelink.php?type=" . $this->type . "&DN='" . rawurlencode($account['dn']) . "'", '../../graphics/delete.png'); $deleteLink->setTitle(_("Delete")); $group->addElement($deleteLink); @@ -539,7 +539,7 @@ class lamList { protected function listDoPost() { // check if button was pressed and if we have to add/delete an account or call file upload if (isset($_POST['new']) || isset($_POST['del']) || isset($_POST['fileUpload'])){ - if (!checkIfWriteAccessIsAllowed()) { + if (!checkIfWriteAccessIsAllowed($this->type)) { die(); } // add new account 
@@ -748,7 +748,7 @@ class lamList { $left = new htmlGroup(); // button part $left->alignment = htmlElement::ALIGN_LEFT; - if (checkIfWriteAccessIsAllowed()) { + if (checkIfWriteAccessIsAllowed($this->type)) { // add button if (checkIfNewEntriesAreAllowed($this->type)) { $newButton = new htmlButton('new', $this->labels['newEntry']); diff --git a/lam/lib/modules.inc b/lam/lib/modules.inc index 3100875a..cdcbe809 100644 --- a/lam/lib/modules.inc +++ b/lam/lib/modules.inc @@ -843,7 +843,7 @@ class accountContainer { exit; } // module actions - if ((sizeof($_POST) > 0) && checkIfWriteAccessIsAllowed()) { + if ((sizeof($_POST) > 0) && checkIfWriteAccessIsAllowed($this->type)) { $result = call_user_func(array(&$this->module[$this->order[$this->current_page]], 'process_'.$this->subpage)); if (is_array($result)) { // messages were returned, check for errors for ($i = 0; $i < sizeof($result); $i++) { @@ -965,7 +965,7 @@ class accountContainer { } echo '
'; echo "type."-bright\" border=0 width=\"100%\" style=\"border-collapse: collapse;\">\n"; - if (checkIfWriteAccessIsAllowed()) { + if (checkIfWriteAccessIsAllowed($this->type)) { echo "type."-bright\">\n"; @@ -1673,7 +1673,7 @@ class accountContainer { * @return array list of status messages */ function save_account() { - if (!checkIfWriteAccessIsAllowed()) { + if (!checkIfWriteAccessIsAllowed($this->type)) { die(); } $this->finalDN = $this->dn_orig; diff --git a/lam/lib/modules/imapAccess.inc b/lam/lib/modules/imapAccess.inc index 6b7f871a..1f58fef5 100644 --- a/lam/lib/modules/imapAccess.inc +++ b/lam/lib/modules/imapAccess.inc @@ -4,7 +4,7 @@ $Id$ This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/) Copyright (C) 2010 - 2011 Pavel Pozdniak - 2010 - 2013 Roland Gruber + 2010 - 2014 Roland Gruber This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -188,7 +188,7 @@ class imapAccess extends baseModule { */ function display_html_attributes() { $return = new htmlTable(); - if (!checkIfWriteAccessIsAllowed()) { + if (!checkIfWriteAccessIsAllowed($this->get_scope())) { return $return; } $prefix = $this->getMailboxPrefix(); @@ -335,7 +335,7 @@ class imapAccess extends baseModule { */ function process_attributes() { $errors = array(); - if (!checkIfWriteAccessIsAllowed()) { + if (!checkIfWriteAccessIsAllowed($this->get_scope())) { return $errors; } $prefix = $this->getMailboxPrefix(); diff --git a/lam/lib/modules/inetOrgPerson.inc b/lam/lib/modules/inetOrgPerson.inc index 02b0be0c..7eb1a5e0 100644 --- a/lam/lib/modules/inetOrgPerson.inc +++ b/lam/lib/modules/inetOrgPerson.inc 
@@ -4,7 +4,7 @@ $Id$ This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/) Copyright (C) 2003 - 2006 Tilo Lutz - 2005 - 2013 Roland Gruber + 2005 - 2014 Roland Gruber This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -1672,7 +1672,7 @@ class inetOrgPerson extends baseModule implements passwordService { } } // password buttons - if (!in_array('posixAccount', $modules) && checkIfWriteAccessIsAllowed() && isset($this->attributes['userPassword'][0]) && !$this->isAdminReadOnly('userPassword')) { + if (!in_array('posixAccount', $modules) && checkIfWriteAccessIsAllowed($this->get_scope()) && isset($this->attributes['userPassword'][0]) && !$this->isAdminReadOnly('userPassword')) { $fieldContainer->addElement(new htmlSubTitle(_('Password')), true); $pwdContainer = new htmlTable(); if (pwd_is_enabled($this->attributes['userPassword'][0])) { @@ -2516,7 +2516,7 @@ class inetOrgPerson extends baseModule implements passwordService { *
) */ function doUploadPostActions(&$data, $ids, $failed, &$temp, &$accounts) { - if (!checkIfWriteAccessIsAllowed()) { + if (!checkIfWriteAccessIsAllowed($this->get_scope())) { die(); } // mail sending is LAM Pro only diff --git a/lam/lib/modules/posixAccount.inc b/lam/lib/modules/posixAccount.inc index de6fc757..762739d4 100644 --- a/lam/lib/modules/posixAccount.inc +++ b/lam/lib/modules/posixAccount.inc @@ -1429,7 +1429,7 @@ class posixAccount extends baseModule implements passwordService { $return->addElement(new htmlTableExtendedSelect('loginShell', $shelllist, $selectedShell, _('Login shell'), 'loginShell'), true); } // password buttons - if (checkIfWriteAccessIsAllowed() && isset($this->attributes[$this->getPasswordAttrName()][0])) { + if (checkIfWriteAccessIsAllowed($this->get_scope()) && isset($this->attributes[$this->getPasswordAttrName()][0])) { $return->addElement(new htmlOutputText(_('Password'))); $pwdContainer = new htmlTable(); if (pwd_is_enabled($this->attributes[$this->getPasswordAttrName()][0])) { @@ -2172,7 +2172,7 @@ class posixAccount extends baseModule implements passwordService { *
) */ function doUploadPostActions(&$data, $ids, $failed, &$temp, &$accounts) { - if (!checkIfWriteAccessIsAllowed()) { + if (!checkIfWriteAccessIsAllowed($this->get_scope())) { die(); } // on first call generate list of ldap operations diff --git a/lam/lib/modules/posixGroup.inc b/lam/lib/modules/posixGroup.inc index d7fa1637..4c0d6a27 100644 --- a/lam/lib/modules/posixGroup.inc +++ b/lam/lib/modules/posixGroup.inc @@ -4,7 +4,7 @@ $Id$ This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/) Copyright (C) 2003 - 2006 Tilo Lutz - 2007 - 2013 Roland Gruber + 2007 - 2014 Roland Gruber This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -201,7 +201,7 @@ class posixGroup extends baseModule implements passwordService { $return->addElement(new htmlTableExtendedInputField(_('Description'), 'description', $description, 'description'), true); } // password buttons - if (checkIfWriteAccessIsAllowed() && isset($this->attributes[$this->passwordAttrName][0])) { + if (checkIfWriteAccessIsAllowed($this->get_scope()) && isset($this->attributes[$this->passwordAttrName][0])) { $return->addElement(new htmlOutputText(_('Password'))); $pwdContainer = new htmlTable(); if (pwd_is_enabled($this->attributes[$this->passwordAttrName][0])) { diff --git a/lam/lib/modules/windowsUser.inc b/lam/lib/modules/windowsUser.inc index ebb2a160..a9e539d7 100644 --- a/lam/lib/modules/windowsUser.inc +++ b/lam/lib/modules/windowsUser.inc @@ -3,7 +3,7 @@ $Id$ This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/) - Copyright (C) 2013 Roland Gruber + Copyright (C) 2013 - 2014 Roland Gruber This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -1427,7 +1427,7 @@ class windowsUser extends baseModule implements passwordService { *
) */ function doUploadPostActions(&$data, $ids, $failed, &$temp, &$accounts) { - if (!checkIfWriteAccessIsAllowed()) { + if (!checkIfWriteAccessIsAllowed($this->get_scope())) { die(); } // on first call generate list of ldap operations diff --git a/lam/lib/security.inc b/lam/lib/security.inc index 8ee5ea5e..904db586 100644 --- a/lam/lib/security.inc +++ b/lam/lib/security.inc @@ -236,14 +236,22 @@ function logNewMessage($level, $message) { /** * Checks if write access to LDAP is allowed. * + * @param String $scope account type (e.g. user) * @return boolean true, if allowed */ -function checkIfWriteAccessIsAllowed() { +function checkIfWriteAccessIsAllowed($scope = null) { if (!isset($_SESSION['config'])) { return false; } if ($_SESSION['config']->getAccessLevel() >= LAMConfig::ACCESS_ALL) { - return true; + $typeSettings = $_SESSION['config']->get_typeSettings(); + if ($scope == null) { + return true; + } + elseif (!isset($typeSettings['readOnly_' . $scope]) || !$typeSettings['readOnly_' . $scope]) { + // check if write for this type is allowed + return true; + } } return false; } diff --git a/lam/lib/types/dhcp.inc b/lam/lib/types/dhcp.inc index ac807d05..c3f30ad1 100644 --- a/lam/lib/types/dhcp.inc +++ b/lam/lib/types/dhcp.inc @@ -4,7 +4,7 @@ $Id$ This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/) Copyright (C) 2008 Thomas Manninger - 2009 - 2013 Roland Gruber + 2009 - 2014 Roland Gruber This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by 
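Review bot: `checkIfWriteAccessIsAllowed()` now fails open: the `$scope = null` default returns true for every ACCESS_ALL session, so any call site not updated to pass the account type silently ignores the new read-only flag, and a caller that forwards an unset request variable (which arrives as null) gets the same answer. This function is the only server-side enforcement of the setting, which the manual text in this commit itself says is not a substitute for LDAP ACLs, so the null case deserves to be explicit and visible in the logs. I would also use `===` and read the type settings only when a scope is given:
```php
function checkIfWriteAccessIsAllowed($scope = null) {
	if (!isset($_SESSION['config'])) {
		return false;
	}
	if ($_SESSION['config']->getAccessLevel() < LAMConfig::ACCESS_ALL) {
		return false;
	}
	if ($scope === null) {
		// legacy call without account type: the per-type read-only flag cannot be applied here
		logNewMessage(LOG_DEBUG, 'checkIfWriteAccessIsAllowed() called without account type');
		return true;
	}
	$typeSettings = $_SESSION['config']->get_typeSettings();
	// an unset or false readOnly_<type> means writable, as in the original check
	return empty($typeSettings['readOnly_' . $scope]);
}
```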
@@ -244,7 +244,7 @@ class lamDHCPList extends lamList { * @param htmlGroup $right right part */ protected function addExtraInputElementsToTopArea(&$left, &$right) { - if (checkIfWriteAccessIsAllowed()) { + if (checkIfWriteAccessIsAllowed($this->type)) { $left->addElement(new htmlSpacer('20px', null)); $dhcpButton = new htmlButton('dhcpDefaults', $this->labels['dhcpDefaults']); $dhcpButton->setIconClass('settingsButton'); diff --git a/lam/lib/types/user.inc b/lam/lib/types/user.inc index f291e53a..29d6f382 100644 --- a/lam/lib/types/user.inc +++ b/lam/lib/types/user.inc @@ -3,7 +3,7 @@ $Id$ This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/) - Copyright (C) 2005 - 2013 Roland Gruber + Copyright (C) 2005 - 2014 Roland Gruber This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -293,13 +293,13 @@ class user extends baseType { } $statusTable .= '
\n"; $this->printCommonControls($tabindex); echo "
'; $tipContent = $statusTable; - if (checkIfWriteAccessIsAllowed()) { + if (checkIfWriteAccessIsAllowed('user')) { $tipContent .= '
"hint" '; $tipContent .= _('Please click to lock/unlock this account.'); } $dialogDiv = $this->buildAccountStatusDialogDiv($unixAvailable, $unixLocked, $sambaAvailable, $sambaLocked, $ppolicyAvailable, $ppolicyLocked, $windowsAvailable, $windowsLocked); $onClick = ''; - if (checkIfWriteAccessIsAllowed()) { + if (checkIfWriteAccessIsAllowed('user')) { $onClick = 'onclick="showConfirmationDialog(\'' . _('Change account status') . '\', \'' . _('Ok') . '\', \'' . _('Cancel') . '\', \'lam_accountStatusDialog\', \'inputForm\', \'lam_accountStatusResult\');"'; } return $dialogDiv . 'status   '; @@ -664,7 +664,7 @@ class lamUserList extends lamList { * @return lamListTool[] tools */ protected function getAdditionalTools() { - if (isLAMProVersion() && checkIfPasswordChangeIsAllowed()) { + if (isLAMProVersion() && checkIfPasswordChangeIsAllowed() && checkIfWriteAccessIsAllowed('user')) { $passwordTool = new lamListTool(_('Change password'), 'key.png', 'changePassword.php'); return array($passwordTool); } diff --git a/lam/templates/config/conftypes.php b/lam/templates/config/conftypes.php index 1d0a321b..ea10b7b9 100644 --- a/lam/templates/config/conftypes.php +++ b/lam/templates/config/conftypes.php @@ -3,7 +3,7 @@ $Id$ This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/) - Copyright (C) 2004 - 2013 Roland Gruber + Copyright (C) 2004 - 2014 Roland Gruber This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by 
@@ -280,7 +280,18 @@ if (sizeof($activeTypes) > 0) { if (isset($typeSettings['hidden_' . $activeTypes[$i]])) { $hidden = $typeSettings['hidden_' . $activeTypes[$i]]; } - $advancedOptionsContent->addElement(new htmlTableExtendedInputCheckbox('hidden_' . $activeTypes[$i], $hidden, _('Hidden'), '261'), true); + $advancedOptionsContent->addElement(new htmlTableExtendedInputCheckbox('hidden_' . $activeTypes[$i], $hidden, _('Hidden'), '261')); + if (isLAMProVersion() && ($conf->getAccessLevel() == LAMConfig::ACCESS_ALL)) { + $advancedOptionsContent->addElement(new htmlSpacer('20px', null)); + $isReadOnly = false; + if (isset($typeSettings['readOnly_' . $activeTypes[$i]])) { + $isReadOnly = $typeSettings['readOnly_' . $activeTypes[$i]]; + } + $readOnly = new htmlTableExtendedInputCheckbox('readOnly_' . $activeTypes[$i], $isReadOnly, _('Read-only'), '265'); + $readOnly->setElementsToDisable(array('hideNewButton_' . $activeTypes[$i], 'hideDeleteButton_' . $activeTypes[$i])); + $advancedOptionsContent->addElement($readOnly); + } + $advancedOptionsContent->addNewLine(); // custom label $customLabel = ''; if (isset($typeSettings['customLabel_' . $activeTypes[$i]])) { @@ -403,6 +414,9 @@ function checkInput() { // set if deletion of entries is allowed $key = "hideDeleteButton_" . $accountTypes[$i]; $typeSettings[$key] = (isset($_POST[$key]) && ($_POST[$key] == 'on')); + // set if account type is read-only + $key = "readOnly_" . $accountTypes[$i]; + $typeSettings[$key] = (isset($_POST[$key]) && ($_POST[$key] == 'on')); } } // save input diff --git a/lam/templates/delete.php b/lam/templates/delete.php index 19944979..0018a41e 100644 --- a/lam/templates/delete.php +++ b/lam/templates/delete.php 
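Review bot: `checkInput()` derives `hideNewButton_*` and `hideDeleteButton_*` from `isset($_POST[$key])`, but the new read-only checkbox disables exactly those two controls on the client via `setElementsToDisable()`, and disabled form controls are not submitted. Saving the profile with read-only checked therefore stores both flags as false, and once an administrator clears read-only again, creating and deleting entries of that type is permitted even if it had been forbidden before. Compute the read-only flag before the other two and, when it is set, leave the previously stored values alone (assuming `$typeSettings` is seeded from the saved profile), e.g. `if (!$typeSettings['readOnly_' . $accountTypes[$i]]) { /* update hideNewButton_/hideDeleteButton_ from POST */ }`; alternatively disable the controls only visually and carry their values in hidden inputs. The `isLAMProVersion() && ACCESS_ALL` gate on rendering the checkbox is not mirrored in `checkInput()`, which is acceptable since an absent field just writes false.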
@@ -72,7 +72,7 @@ if (isset($_GET['type']) && isset($_SESSION['delete_dn'])) { logNewMessage(LOG_ERR, 'Invalid type: ' . $_GET['type']); die(); } - if (!checkIfDeleteEntriesIsAllowed($_GET['type'])) { + if (!checkIfDeleteEntriesIsAllowed($_GET['type']) || !checkIfWriteAccessIsAllowed($_GET['type'])) { logNewMessage(LOG_ERR, 'User tried to delete entries of forbidden type '. $_GET['type']); die(); } @@ -142,7 +142,7 @@ elseif (isset($_POST['cancelAllOk'])) { } if (isset($_POST['delete'])) { - if (!checkIfDeleteEntriesIsAllowed($_POST['type'])) { + if (!checkIfDeleteEntriesIsAllowed($_POST['type']) || !checkIfWriteAccessIsAllowed($_GET['type'])) { logNewMessage(LOG_ERR, 'User tried to delete entries of forbidden type '. $_POST['type']); die(); } diff --git a/lam/templates/massBuildAccounts.php b/lam/templates/massBuildAccounts.php index 7f1e5ee8..7474be3d 100644 --- a/lam/templates/massBuildAccounts.php +++ b/lam/templates/massBuildAccounts.php @@ -97,7 +97,7 @@ if (isAccountTypeHidden($scope)) { logNewMessage(LOG_ERR, 'User tried to access hidden upload: ' . $scope); die(); } -if (!checkIfNewEntriesAreAllowed($scope)) { +if (!checkIfNewEntriesAreAllowed($scope) || !checkIfWriteAccessIsAllowed($scope)) { logNewMessage(LOG_ERR, 'User tried to access forbidden upload: ' . $scope); die(); } diff --git a/lam/templates/massDoUpload.php b/lam/templates/massDoUpload.php index b398165e..89f1477e 100644 --- a/lam/templates/massDoUpload.php +++ b/lam/templates/massDoUpload.php @@ -68,7 +68,7 @@ if (isAccountTypeHidden($scope)) { logNewMessage(LOG_ERR, 'User tried to access hidden upload: ' . $scope); die(); } -if (!checkIfNewEntriesAreAllowed($scope)) { +if (!checkIfNewEntriesAreAllowed($scope) || !checkIfWriteAccessIsAllowed($scope)) { logNewMessage(LOG_ERR, 'User tried to access forbidden upload: ' . $scope); die(); } diff --git a/lam/templates/masscreate.php b/lam/templates/masscreate.php index c674b6ea..fd0c575e 100644 --- a/lam/templates/masscreate.php 
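Review bot: The POST branch of delete.php calls `checkIfWriteAccessIsAllowed($_GET['type'])` while the surrounding code uses `$_POST['type']`; on the submission that actually performs the deletion `$_GET['type']` is normally absent (unless the form action carries it in the query string, which is not visible here), so PHP passes null with a notice and the `$scope = null` default of `checkIfWriteAccessIsAllowed()` returns true for any ACCESS_ALL session. The read-only flag is then enforced only on the confirmation page from the first hunk, not on the delete itself. Change it to `if (!checkIfDeleteEntriesIsAllowed($_POST['type']) || !checkIfWriteAccessIsAllowed($_POST['type'])) {`. The unchanged `'forbidden type'` log text now also covers the read-only case; a distinct message would let an audit trail show which restriction fired.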
+++ b/lam/templates/masscreate.php @@ -81,7 +81,8 @@ $types = $_SESSION['config']->get_ActiveTypes(); $count = sizeof($types); for ($i = 0; $i < $count; $i++) { $myType = new $types[$i](); - if (!$myType->supportsFileUpload() || isAccountTypeHidden($types[$i]) || !checkIfNewEntriesAreAllowed($types[$i])) { + if (!$myType->supportsFileUpload() || isAccountTypeHidden($types[$i]) + || !checkIfNewEntriesAreAllowed($types[$i]) || !checkIfWriteAccessIsAllowed($types[$i])) { unset($types[$i]); } } @@ -145,7 +146,7 @@ $selectedType = array(); if (isset($_REQUEST['type'])) { $selectedType[] = $_REQUEST['type']; } -else { +elseif (!empty($types)) { $selectedType[] = $types[0]; } $typeSelect = new htmlTableExtendedSelect('type', $typeList, $selectedType, _("Account type")); @@ -206,7 +207,9 @@ $table->addElement($moduleGroup, true); // ok button $table->addElement(new htmlSpacer(null, '20px'), true); -$table->addElement(new htmlButton('submit', _('Ok')), true); +if (!empty($types)) { + $table->addElement(new htmlButton('submit', _('Ok')), true); +} parseHtml(null, $table, array(), false, $tabindex, 'user'); ?> diff --git a/lam/templates/ou_edit.php b/lam/templates/ou_edit.php index 5a23ca6a..a973c1d5 100644 --- a/lam/templates/ou_edit.php +++ b/lam/templates/ou_edit.php @@ -164,7 +164,7 @@ function display_main($message, $error) { $types = array(); $typeList = $_SESSION['config']->get_ActiveTypes(); for ($i = 0; $i < sizeof($typeList); $i++) { - if (isAccountTypeHidden($typeList[$i])) { + if (isAccountTypeHidden($typeList[$i]) || !checkIfWriteAccessIsAllowed($typeList[$i])) { continue; } $types[$typeList[$i]] = getTypeAlias($typeList[$i]); 
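Review bot: `elseif (!empty($types)) { $selectedType[] = $types[0]; }` is not safe, because the loop above removes entries with `unset($types[$i])`, which leaves holes; if the first active type was filtered out, `$types[0]` is undefined while `$types` is non-empty, yielding a notice and a null selection. Reindex after the loop, `$types = array_values($types);`, or use `reset($types)`. In addition, `$selectedType[] = $_REQUEST['type'];` still preselects whatever the request names without checking it against the filtered list; restrict it with `if (isset($_REQUEST['type']) && in_array($_REQUEST['type'], $types, true)) {`. massBuildAccounts.php re-checks the scope in this commit, so this is a consistency issue rather than a bypass, assuming no other path trusts the selection.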
@@ -179,31 +179,34 @@ function display_main($message, $error) { } $options[$title] = $elements; } - // new OU - $container->addElement(new htmlOutputText(_("New organisational unit"))); - $parentOUSelect = new htmlSelect('parentOU', $options, array()); - $parentOUSelect->setContainsOptgroups(true); - $parentOUSelect->setHasDescriptiveElements(true); - $parentOUSelect->setRightToLeftTextDirection(true); - $parentOUSelect->setSortElements(false); - $container->addElement($parentOUSelect); - $container->addElement(new htmlInputField('newOU')); - $container->addElement(new htmlButton('createOU', _("Ok"))); - $container->addElement(new htmlHelpLink('601'), true); - $container->addElement(new htmlSpacer(null, '10px'), true); - - // delete OU - $container->addElement(new htmlOutputText(_("Delete organisational unit"))); - $deleteableOUSelect = new htmlSelect('deleteableOU', $options, array()); - $deleteableOUSelect->setContainsOptgroups(true); - $deleteableOUSelect->setHasDescriptiveElements(true); - $deleteableOUSelect->setRightToLeftTextDirection(true); - $deleteableOUSelect->setSortElements(false); - $container->addElement($deleteableOUSelect); - $container->addElement(new htmlOutputText('')); - $container->addElement(new htmlButton('deleteOU', _("Ok"))); - $container->addElement(new htmlHelpLink('602'), true); + if (!empty($options)) { + // new OU + $container->addElement(new htmlOutputText(_("New organisational unit"))); + $parentOUSelect = new htmlSelect('parentOU', $options, array()); + $parentOUSelect->setContainsOptgroups(true); + $parentOUSelect->setHasDescriptiveElements(true); + $parentOUSelect->setRightToLeftTextDirection(true); + $parentOUSelect->setSortElements(false); + $container->addElement($parentOUSelect); + $container->addElement(new htmlInputField('newOU')); + $container->addElement(new htmlButton('createOU', _("Ok"))); + $container->addElement(new htmlHelpLink('601'), true); + + $container->addElement(new htmlSpacer(null, '10px'), true); + + // 
delete OU + $container->addElement(new htmlOutputText(_("Delete organisational unit"))); + $deleteableOUSelect = new htmlSelect('deleteableOU', $options, array()); + $deleteableOUSelect->setContainsOptgroups(true); + $deleteableOUSelect->setHasDescriptiveElements(true); + $deleteableOUSelect->setRightToLeftTextDirection(true); + $deleteableOUSelect->setSortElements(false); + $container->addElement($deleteableOUSelect); + $container->addElement(new htmlOutputText('')); + $container->addElement(new htmlButton('deleteOU', _("Ok"))); + $container->addElement(new htmlHelpLink('602'), true); + } parseHtml(null, $container, array(), false, $tabindex, 'user'); echo ("\n"); diff --git a/lam/templates/pdfedit/pdfmain.php b/lam/templates/pdfedit/pdfmain.php index 924ef8b1..ee9084f7 100644 --- a/lam/templates/pdfedit/pdfmain.php +++ b/lam/templates/pdfedit/pdfmain.php @@ -4,7 +4,7 @@ $Id$ This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/) Copyright (C) 2003 - 2006 Michael Duergner - 2005 - 2013 Roland Gruber + 2005 - 2014 Roland Gruber This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -73,7 +73,7 @@ if(isset($_POST['createNewTemplate'])) { $scopes = $_SESSION['config']->get_ActiveTypes(); $sortedScopes = array(); for ($i = 0; $i < sizeof($scopes); $i++) { - if (isAccountTypeHidden($scopes[$i])) { + if (isAccountTypeHidden($scopes[$i]) || !checkIfWriteAccessIsAllowed($scopes[$i])) { continue; } $sortedScopes[$scopes[$i]] = getTypeAlias($scopes[$i]); 
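Review bot: Filtering `$types` with `checkIfWriteAccessIsAllowed()` only removes read-only types from the parent/delete OU selects; the `createOU`/`deleteOU` handlers that act on the submitted `parentOU`/`deleteableOU` values are outside this diff, and if they accept any DN they receive, the read-only restriction for OUs is client-side only. Apply the same filter where the POST is processed and reject a DN that is not under a suffix of a writable type, logging it with `logNewMessage(LOG_ERR, ...)` as delete.php does. `display_main()` starts before this hunk.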
@@ -171,16 +171,18 @@ include '../main_header.php'; } // new template - $container->addElement(new htmlSubTitle(_('Create a new PDF structure')), true); - $newPDFContainer = new htmlTable(); - $newScopeSelect = new htmlSelect('scope', $availableScopes); - $newScopeSelect->setHasDescriptiveElements(true); - $newScopeSelect->setWidth('15em'); - $newPDFContainer->addElement($newScopeSelect); - $newPDFContainer->addElement(new htmlSpacer('10px', null)); - $newPDFContainer->addElement(new htmlButton('createNewTemplate', _('Create'))); - $container->addElement($newPDFContainer, true); - $container->addElement(new htmlSpacer(null, '10px'), true); + if (!empty($availableScopes)) { + $container->addElement(new htmlSubTitle(_('Create a new PDF structure')), true); + $newPDFContainer = new htmlTable(); + $newScopeSelect = new htmlSelect('scope', $availableScopes); + $newScopeSelect->setHasDescriptiveElements(true); + $newScopeSelect->setWidth('15em'); + $newPDFContainer->addElement($newScopeSelect); + $newPDFContainer->addElement(new htmlSpacer('10px', null)); + $newPDFContainer->addElement(new htmlButton('createNewTemplate', _('Create'))); + $container->addElement($newPDFContainer, true); + $container->addElement(new htmlSpacer(null, '10px'), true); + } // existing templates $configProfiles = getConfigProfiles(); diff --git a/lam/templates/pdfedit/pdfpage.php b/lam/templates/pdfedit/pdfpage.php index eaf77423..4f6f0a92 100644 --- a/lam/templates/pdfedit/pdfpage.php +++ b/lam/templates/pdfedit/pdfpage.php @@ -4,7 +4,7 @@ $Id$ This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/) Copyright (C) 2003 - 2006 Michael Duergner - 2007 - 2013 Roland Gruber + 2007 - 2014 Roland Gruber This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by 
@@ -69,7 +69,7 @@ if(isset($_POST['type'])) { } } -if (isAccountTypeHidden($_GET['type'])) { +if (isAccountTypeHidden($_GET['type']) || !checkIfWriteAccessIsAllowed($_GET['type'])) { logNewMessage(LOG_ERR, 'User tried to access hidden PDF structure: ' . $_GET['type']); die(); } diff --git a/lam/templates/profedit/profilemain.php b/lam/templates/profedit/profilemain.php index a0141a5c4..a1f06fe9 100644 --- a/lam/templates/profedit/profilemain.php +++ b/lam/templates/profedit/profilemain.php @@ -3,7 +3,7 @@ $Id$ This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/) - Copyright (C) 2003 - 2012 Roland Gruber + Copyright (C) 2003 - 2014 Roland Gruber This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -51,7 +51,7 @@ $types = $_SESSION['config']->get_ActiveTypes(); $profileClasses = array(); $profileClassesTemp = array(); for ($i = 0; $i < sizeof($types); $i++) { - if (isAccountTypeHidden($types[$i])) { + if (isAccountTypeHidden($types[$i]) || !checkIfWriteAccessIsAllowed($types[$i])) { continue; } $profileClassesTemp[getTypeAlias($types[$i])] = array( 
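Review bot: The rejection in pdfpage.php now fires for read-only types as well, but the log line still reads `'User tried to access hidden PDF structure: '`, so an audit trail cannot distinguish a hidden type from a read-only one (the profilepage.php hunk in this commit has the same conflation with 'hidden account type profile'). Split the condition or generalise the message, e.g. `logNewMessage(LOG_ERR, 'User tried to access PDF structure of hidden or read-only type: ' . $_GET['type']);`. Note also that an unset `$_GET['type']` reaches `checkIfWriteAccessIsAllowed(null)`, which returns true for ACCESS_ALL sessions, so in that case the decision rests on `isAccountTypeHidden()` alone; the missing-parameter handling is pre-existing but worth an explicit `isset()` check now that the branch guards more than visibility.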
@@ -152,20 +152,22 @@ if (isset($_GET['savedSuccessfully'])) { } // new profile -$container->addElement(new htmlSubTitle(_('Create a new profile')), true); -$sortedTypes = array(); -for ($i = 0; $i < sizeof($profileClasses); $i++) { - $sortedTypes[$profileClasses[$i]['title']] = $profileClasses[$i]['scope']; +if (!empty($profileClasses)) { + $container->addElement(new htmlSubTitle(_('Create a new profile')), true); + $sortedTypes = array(); + for ($i = 0; $i < sizeof($profileClasses); $i++) { + $sortedTypes[$profileClasses[$i]['title']] = $profileClasses[$i]['scope']; + } + natcasesort($sortedTypes); + $newContainer = new htmlTable(); + $newProfileSelect = new htmlSelect('createProfile', $sortedTypes); + $newProfileSelect->setHasDescriptiveElements(true); + $newProfileSelect->setWidth('15em'); + $newContainer->addElement($newProfileSelect); + $newContainer->addElement(new htmlSpacer('10px', null)); + $newContainer->addElement(new htmlButton('createProfileButton', _('Create')), true); + $container->addElement($newContainer, true); } -natcasesort($sortedTypes); -$newContainer = new htmlTable(); -$newProfileSelect = new htmlSelect('createProfile', $sortedTypes); -$newProfileSelect->setHasDescriptiveElements(true); -$newProfileSelect->setWidth('15em'); -$newContainer->addElement($newProfileSelect); -$newContainer->addElement(new htmlSpacer('10px', null)); -$newContainer->addElement(new htmlButton('createProfileButton', _('Create')), true); -$container->addElement($newContainer, true); $container->addElement(new htmlSpacer(null, '10px'), true); diff --git a/lam/templates/profedit/profilepage.php b/lam/templates/profedit/profilepage.php index f9d1bfd3..e039a010 100644 --- a/lam/templates/profedit/profilepage.php +++ b/lam/templates/profedit/profilepage.php 
@@ -3,7 +3,7 @@ $Id$ This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/) - Copyright (C) 2003 - 2012 Roland Gruber + Copyright (C) 2003 - 2014 Roland Gruber This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -61,7 +61,7 @@ if (!$_SESSION['ldap'] || !$_SESSION['ldap']->server()) { if (isset($_POST['profname'])) $_GET['edit'] = $_POST['profname']; if (isset($_POST['accounttype'])) $_GET['type'] = $_POST['accounttype']; -if (isAccountTypeHidden($_GET['type'])) { +if (isAccountTypeHidden($_GET['type']) || !checkIfWriteAccessIsAllowed($_GET['type'])) { logNewMessage(LOG_ERR, 'User tried to access hidden account type profile: ' . $_GET['type']); die(); }