WMDE
/
LDAPAccountManager
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

allow to set single account types read-only

This commit is contained in:
Roland Gruber 2014-01-15 20:48:52 +00:00
parent 4b9c4bf535
commit a7d3773493
27 changed files with 203 additions and 97 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
lam/HISTORY
View File

@ -3,6 +3,7 @@ March 2014 4.5
- Personal: allow to set fields read-only - Personal: allow to set fields read-only
- Added option to server profile if referrals should be followed (fixes problems with Samba 4 and AD) - Added option to server profile if referrals should be followed (fixes problems with Samba 4 and AD)
- LAM Pro: - LAM Pro:
-> Allow to set single account types read-only
-> Separate IP restriction list for self service -> Separate IP restriction list for self service

2
lam/README
View File

@ -15,7 +15,7 @@ LAM - Readme
https://www.ldap-account-manager.org/ https://www.ldap-account-manager.org/
Copyright (C) 2003 - 2013 Roland Gruber <post@rolandgruber.de> Copyright (C) 2003 - 2014 Roland Gruber <post@rolandgruber.de>
Installation and documentation: Installation and documentation:
Please see the LAM manual in docs/manual/index.html. Please see the LAM manual in docs/manual/index.html.

2
lam/copyright
View File

@ -1,4 +1,4 @@
This software is copyright (c) 2003 - 2013 by Roland Gruber This software is copyright (c) 2003 - 2014 by Roland Gruber
If you purchased a copy of LDAP Account Manager Pro then the following If you purchased a copy of LDAP Account Manager Pro then the following
files are licensed under the conditions which you accepted at purchase files are licensed under the conditions which you accepted at purchase

11
lam/docs/manual-sources/howto.xml
View File

@ -19,7 +19,7 @@
<para><ulink <para><ulink
url="https://www.ldap-account-manager.org/">https://www.ldap-account-manager.org/</ulink></para> url="https://www.ldap-account-manager.org/">https://www.ldap-account-manager.org/</ulink></para>
<para>Copyright (C) 2003 - 2013 Roland Gruber <para>Copyright (C) 2003 - 2014 Roland Gruber
&lt;post@rolandgruber.de&gt;</para> &lt;post@rolandgruber.de&gt;</para>
<para><emphasis role="bold">Key features:</emphasis></para> <para><emphasis role="bold">Key features:</emphasis></para>
@ -1388,6 +1388,15 @@ Have fun!
users.</para> users.</para>
</listitem> </listitem>
<listitem>
<para><emphasis role="bold">Read-only (LAM Pro only):</emphasis>
This allows to set a single account type to read-only mode.
Please note that this is a restriction on functional level (e.g.
group memberships can be changed on user page even if groups are
read-only) and is no replacement for setting up proper ACLs on
your LDAP server.</para>
</listitem>
<listitem> <listitem>
<para><emphasis role="bold">Custom label:</emphasis> Here you <para><emphasis role="bold">Custom label:</emphasis> Here you
can set a custom label for the account types. Use this if the can set a custom label for the account types. Use this if the

BIN
lam/docs/manual-sources/images/configTypes2.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 40 KiB

After

Width:  |  Height:  |  Size: 43 KiB

4
lam/help/help.inc
View File

@ -4,7 +4,7 @@ $Id$
This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/) This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
Copyright (C) 2003 - 2006 Michael Duergner Copyright (C) 2003 - 2006 Michael Duergner
2003 - 2013 Roland Gruber 2003 - 2014 Roland Gruber
This program is free software; you can redistribute it and/or modify This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by it under the terms of the GNU General Public License as published by
@ -171,6 +171,8 @@ $helpArray = array (
"Text" => _('If checked then the user will not be able to delete entries of this account type.')), "Text" => _('If checked then the user will not be able to delete entries of this account type.')),
"264" => array ("Headline" => _('Custom label'), "264" => array ("Headline" => _('Custom label'),
"Text" => _('Here you can overwrite the display name for this account type.')), "Text" => _('Here you can overwrite the display name for this account type.')),
"265" => array ("Headline" => _('Read-only'),
"Text" => _('Sets this account type to read-only.')),
// 300 - 399 // 300 - 399
// profile editor, file upload // profile editor, file upload
"301" => array ("Headline" => _("RDN identifier"), "301" => array ("Headline" => _("RDN identifier"),

66
lam/lib/html.inc
View File

@ -1728,6 +1728,10 @@ class htmlInputCheckbox extends htmlElement {
protected $tableRowsToShow = array(); protected $tableRowsToShow = array();
/** indicates that this field should not automatically be saved in the self service or server profile */ /** indicates that this field should not automatically be saved in the self service or server profile */
private $transient = false; private $transient = false;
/** list of input elements to enable when checked */
protected $elementsToEnable = array();
/** list of input elements to disable when checked */
protected $elementsToDisable = array();
/** /**
@ -1776,7 +1780,6 @@ class htmlInputCheckbox extends htmlElement {
$script = ''; $script = '';
if ((sizeof($this->tableRowsToShow) > 0) || (sizeof($this->tableRowsToHide) > 0)) { if ((sizeof($this->tableRowsToShow) > 0) || (sizeof($this->tableRowsToHide) > 0)) {
// build onChange listener // build onChange listener
$onChange = ' onChange="';
$onChange .= 'if (jQuery(\'#' . $this->name . ':checked\').val() !== undefined) {'; $onChange .= 'if (jQuery(\'#' . $this->name . ':checked\').val() !== undefined) {';
for ($i = 0; $i < sizeof($this->tableRowsToShow); $i++) { for ($i = 0; $i < sizeof($this->tableRowsToShow); $i++) {
$onChange .= 'jQuery(\'#' . $this->tableRowsToShow[$i] . '\').closest(\'tr\').removeClass(\'hidden\');'; $onChange .= 'jQuery(\'#' . $this->tableRowsToShow[$i] . '\').closest(\'tr\').removeClass(\'hidden\');';
@ -1793,7 +1796,6 @@ class htmlInputCheckbox extends htmlElement {
$onChange .= 'jQuery(\'#' . $this->tableRowsToHide[$i] . '\').closest(\'tr\').removeClass(\'hidden\');'; $onChange .= 'jQuery(\'#' . $this->tableRowsToHide[$i] . '\').closest(\'tr\').removeClass(\'hidden\');';
} }
$onChange .= '};'; $onChange .= '};';
$onChange .= '"';
// build script to set initial state // build script to set initial state
$script = '<script type="text/javascript">jQuery(document).ready(function() {'; $script = '<script type="text/javascript">jQuery(document).ready(function() {';
for ($i = 0; $i < sizeof($this->tableRowsToShow); $i++) { for ($i = 0; $i < sizeof($this->tableRowsToShow); $i++) {
@ -1812,6 +1814,46 @@ class htmlInputCheckbox extends htmlElement {
} }
$script .= '});</script>'; $script .= '});</script>';
} }
// build Java script to enable/disable elements
if ((sizeof($this->elementsToEnable) > 0) || (sizeof($this->elementsToDisable) > 0)) {
// build onChange listener
$onChange .= 'if (jQuery(\'#' . $this->name . ':checked\').val() !== undefined) {';
for ($i = 0; $i < sizeof($this->elementsToEnable); $i++) {
$onChange .= 'jQuery(\'#' . $this->elementsToEnable[$i] . '\').prop(\'disabled\', false);';
}
for ($i = 0; $i < sizeof($this->elementsToDisable); $i++) {
$onChange .= 'jQuery(\'#' . $this->elementsToDisable[$i] . '\').prop(\'disabled\', true);';
}
$onChange .= '}';
$onChange .= 'else {';
for ($i = 0; $i < sizeof($this->elementsToEnable); $i++) {
$onChange .= 'jQuery(\'#' . $this->elementsToEnable[$i] . '\').prop(\'disabled\', true);';
}
for ($i = 0; $i < sizeof($this->elementsToDisable); $i++) {
$onChange .= 'jQuery(\'#' . $this->elementsToDisable[$i] . '\').prop(\'disabled\', false);';
}
$onChange .= '};';
// build script to set initial state
$script = '<script type="text/javascript">jQuery(document).ready(function() {';
for ($i = 0; $i < sizeof($this->elementsToEnable); $i++) {
$classType = 'true';
if ($this->checked) {
$classType = 'false';
}
$script .= 'jQuery(\'#' . $this->elementsToEnable[$i] . '\').prop(\'disabled\', ' . $classType . ');';
}
for ($i = 0; $i < sizeof($this->elementsToDisable); $i++) {
$classType = 'false';
if ($this->checked) {
$classType = 'true';
}
$script .= 'jQuery(\'#' . $this->elementsToDisable[$i] . '\').prop(\'disabled\', ' . $classType . ');';
}
$script .= '});</script>';
}
if (!empty($onChange)) {
$onChange = ' onChange="' . $onChange . '"';
}
echo '<input type="checkbox" id="' . $this->name . '" name="' . $this->name . '"' . $tabindexValue . $onChange . $checked . $disabled . '>'; echo '<input type="checkbox" id="' . $this->name . '" name="' . $this->name . '"' . $tabindexValue . $onChange . $checked . $disabled . '>';
echo $script; echo $script;
if ($this->transient) { if ($this->transient) {
@ -1868,6 +1910,26 @@ class htmlInputCheckbox extends htmlElement {
$this->transient = $transient; $this->transient = $transient;
} }
/**
* This will disable the given input elements when the checkbox is checked.
* The given IDs can be of any input element (e.g. select, checkbox, ...).
*
* @param array $elements IDs of elements to disable
*/
public function setElementsToDisable($elements) {
$this->elementsToDisable = $elements;
}
/**
* This will enable the given input elements when the checkbox is checked.
* The given IDs can be of any input element (e.g. select, checkbox, ...).
*
* @param array $elements IDs of elements to enable
*/
public function setElementsToEnable($elements) {
$this->elementsToEnable = $elements;
}
} }
/** /**

6
lam/lib/lists.inc
View File

@ -486,7 +486,7 @@ class lamList {
$group->addElement($editLink); $group->addElement($editLink);
$toolCount++; $toolCount++;
// delete link // delete link
if (checkIfWriteAccessIsAllowed() && checkIfDeleteEntriesIsAllowed($this->type)) { if (checkIfWriteAccessIsAllowed($this->type) && checkIfDeleteEntriesIsAllowed($this->type)) {
$deleteLink = new htmlLink('', "deletelink.php?type=" . $this->type . "&DN='" . rawurlencode($account['dn']) . "'", '../../graphics/delete.png'); $deleteLink = new htmlLink('', "deletelink.php?type=" . $this->type . "&DN='" . rawurlencode($account['dn']) . "'", '../../graphics/delete.png');
$deleteLink->setTitle(_("Delete")); $deleteLink->setTitle(_("Delete"));
$group->addElement($deleteLink); $group->addElement($deleteLink);
@ -539,7 +539,7 @@ class lamList {
protected function listDoPost() { protected function listDoPost() {
// check if button was pressed and if we have to add/delete an account or call file upload // check if button was pressed and if we have to add/delete an account or call file upload
if (isset($_POST['new']) || isset($_POST['del']) || isset($_POST['fileUpload'])){ if (isset($_POST['new']) || isset($_POST['del']) || isset($_POST['fileUpload'])){
if (!checkIfWriteAccessIsAllowed()) { if (!checkIfWriteAccessIsAllowed($this->type)) {
die(); die();
} }
// add new account // add new account
@ -748,7 +748,7 @@ class lamList {
$left = new htmlGroup(); $left = new htmlGroup();
// button part // button part
$left->alignment = htmlElement::ALIGN_LEFT; $left->alignment = htmlElement::ALIGN_LEFT;
if (checkIfWriteAccessIsAllowed()) { if (checkIfWriteAccessIsAllowed($this->type)) {
// add button // add button
if (checkIfNewEntriesAreAllowed($this->type)) { if (checkIfNewEntriesAreAllowed($this->type)) {
$newButton = new htmlButton('new', $this->labels['newEntry']); $newButton = new htmlButton('new', $this->labels['newEntry']);

6
lam/lib/modules.inc
View File

@ -843,7 +843,7 @@ class accountContainer {
exit; exit;
} }
// module actions // module actions
if ((sizeof($_POST) > 0) && checkIfWriteAccessIsAllowed()) { if ((sizeof($_POST) > 0) && checkIfWriteAccessIsAllowed($this->type)) {
$result = call_user_func(array(&$this->module[$this->order[$this->current_page]], 'process_'.$this->subpage)); $result = call_user_func(array(&$this->module[$this->order[$this->current_page]], 'process_'.$this->subpage));
if (is_array($result)) { // messages were returned, check for errors if (is_array($result)) { // messages were returned, check for errors
for ($i = 0; $i < sizeof($result); $i++) { for ($i = 0; $i < sizeof($result); $i++) {
@ -965,7 +965,7 @@ class accountContainer {
} }
echo '<div id="passwordMessageArea"></div>'; echo '<div id="passwordMessageArea"></div>';
echo "<table class=\"".$this->type."-bright\" border=0 width=\"100%\" style=\"border-collapse: collapse;\">\n"; echo "<table class=\"".$this->type."-bright\" border=0 width=\"100%\" style=\"border-collapse: collapse;\">\n";
if (checkIfWriteAccessIsAllowed()) { if (checkIfWriteAccessIsAllowed($this->type)) {
echo "<tr class=\"".$this->type."-bright\"><td style=\"padding: 15px 15px 0px 15px;\">\n"; echo "<tr class=\"".$this->type."-bright\"><td style=\"padding: 15px 15px 0px 15px;\">\n";
$this->printCommonControls($tabindex); $this->printCommonControls($tabindex);
echo "</td></tr>\n"; echo "</td></tr>\n";
@ -1673,7 +1673,7 @@ class accountContainer {
* @return array list of status messages * @return array list of status messages
*/ */
function save_account() { function save_account() {
if (!checkIfWriteAccessIsAllowed()) { if (!checkIfWriteAccessIsAllowed($this->type)) {
die(); die();
} }
$this->finalDN = $this->dn_orig; $this->finalDN = $this->dn_orig;

6
lam/lib/modules/imapAccess.inc
View File

@ -4,7 +4,7 @@ $Id$
This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/) This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
Copyright (C) 2010 - 2011 Pavel Pozdniak Copyright (C) 2010 - 2011 Pavel Pozdniak
2010 - 2013 Roland Gruber 2010 - 2014 Roland Gruber
This program is free software; you can redistribute it and/or modify This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by it under the terms of the GNU General Public License as published by
@ -188,7 +188,7 @@ class imapAccess extends baseModule {
*/ */
function display_html_attributes() { function display_html_attributes() {
$return = new htmlTable(); $return = new htmlTable();
if (!checkIfWriteAccessIsAllowed()) { if (!checkIfWriteAccessIsAllowed($this->get_scope())) {
return $return; return $return;
} }
$prefix = $this->getMailboxPrefix(); $prefix = $this->getMailboxPrefix();
@ -335,7 +335,7 @@ class imapAccess extends baseModule {
*/ */
function process_attributes() { function process_attributes() {
$errors = array(); $errors = array();
if (!checkIfWriteAccessIsAllowed()) { if (!checkIfWriteAccessIsAllowed($this->get_scope())) {
return $errors; return $errors;
} }
$prefix = $this->getMailboxPrefix(); $prefix = $this->getMailboxPrefix();

6
lam/lib/modules/inetOrgPerson.inc
View File

@ -4,7 +4,7 @@ $Id$
This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/) This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
Copyright (C) 2003 - 2006 Tilo Lutz Copyright (C) 2003 - 2006 Tilo Lutz
2005 - 2013 Roland Gruber 2005 - 2014 Roland Gruber
This program is free software; you can redistribute it and/or modify This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by it under the terms of the GNU General Public License as published by
@ -1672,7 +1672,7 @@ class inetOrgPerson extends baseModule implements passwordService {
} }
} }
// password buttons // password buttons
if (!in_array('posixAccount', $modules) && checkIfWriteAccessIsAllowed() && isset($this->attributes['userPassword'][0]) && !$this->isAdminReadOnly('userPassword')) { if (!in_array('posixAccount', $modules) && checkIfWriteAccessIsAllowed($this->get_scope()) && isset($this->attributes['userPassword'][0]) && !$this->isAdminReadOnly('userPassword')) {
$fieldContainer->addElement(new htmlSubTitle(_('Password')), true); $fieldContainer->addElement(new htmlSubTitle(_('Password')), true);
$pwdContainer = new htmlTable(); $pwdContainer = new htmlTable();
if (pwd_is_enabled($this->attributes['userPassword'][0])) { if (pwd_is_enabled($this->attributes['userPassword'][0])) {
@ -2516,7 +2516,7 @@ class inetOrgPerson extends baseModule implements passwordService {
* <br> ) * <br> )
*/ */
function doUploadPostActions(&$data, $ids, $failed, &$temp, &$accounts) { function doUploadPostActions(&$data, $ids, $failed, &$temp, &$accounts) {
if (!checkIfWriteAccessIsAllowed()) { if (!checkIfWriteAccessIsAllowed($this->get_scope())) {
die(); die();
} }
// mail sending is LAM Pro only // mail sending is LAM Pro only

4
lam/lib/modules/posixAccount.inc
View File

@ -1429,7 +1429,7 @@ class posixAccount extends baseModule implements passwordService {
$return->addElement(new htmlTableExtendedSelect('loginShell', $shelllist, $selectedShell, _('Login shell'), 'loginShell'), true); $return->addElement(new htmlTableExtendedSelect('loginShell', $shelllist, $selectedShell, _('Login shell'), 'loginShell'), true);
} }
// password buttons // password buttons
if (checkIfWriteAccessIsAllowed() && isset($this->attributes[$this->getPasswordAttrName()][0])) { if (checkIfWriteAccessIsAllowed($this->get_scope()) && isset($this->attributes[$this->getPasswordAttrName()][0])) {
$return->addElement(new htmlOutputText(_('Password'))); $return->addElement(new htmlOutputText(_('Password')));
$pwdContainer = new htmlTable(); $pwdContainer = new htmlTable();
if (pwd_is_enabled($this->attributes[$this->getPasswordAttrName()][0])) { if (pwd_is_enabled($this->attributes[$this->getPasswordAttrName()][0])) {
@ -2172,7 +2172,7 @@ class posixAccount extends baseModule implements passwordService {
* <br> ) * <br> )
*/ */
function doUploadPostActions(&$data, $ids, $failed, &$temp, &$accounts) { function doUploadPostActions(&$data, $ids, $failed, &$temp, &$accounts) {
if (!checkIfWriteAccessIsAllowed()) { if (!checkIfWriteAccessIsAllowed($this->get_scope())) {
die(); die();
} }
// on first call generate list of ldap operations // on first call generate list of ldap operations

4
lam/lib/modules/posixGroup.inc
View File

@ -4,7 +4,7 @@ $Id$
This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/) This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
Copyright (C) 2003 - 2006 Tilo Lutz Copyright (C) 2003 - 2006 Tilo Lutz
2007 - 2013 Roland Gruber 2007 - 2014 Roland Gruber
This program is free software; you can redistribute it and/or modify This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by it under the terms of the GNU General Public License as published by
@ -201,7 +201,7 @@ class posixGroup extends baseModule implements passwordService {
$return->addElement(new htmlTableExtendedInputField(_('Description'), 'description', $description, 'description'), true); $return->addElement(new htmlTableExtendedInputField(_('Description'), 'description', $description, 'description'), true);
} }
// password buttons // password buttons
if (checkIfWriteAccessIsAllowed() && isset($this->attributes[$this->passwordAttrName][0])) { if (checkIfWriteAccessIsAllowed($this->get_scope()) && isset($this->attributes[$this->passwordAttrName][0])) {
$return->addElement(new htmlOutputText(_('Password'))); $return->addElement(new htmlOutputText(_('Password')));
$pwdContainer = new htmlTable(); $pwdContainer = new htmlTable();
if (pwd_is_enabled($this->attributes[$this->passwordAttrName][0])) { if (pwd_is_enabled($this->attributes[$this->passwordAttrName][0])) {

4
lam/lib/modules/windowsUser.inc
View File

@ -3,7 +3,7 @@
$Id$ $Id$
This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/) This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
Copyright (C) 2013 Roland Gruber Copyright (C) 2013 - 2014 Roland Gruber
This program is free software; you can redistribute it and/or modify This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by it under the terms of the GNU General Public License as published by
@ -1427,7 +1427,7 @@ class windowsUser extends baseModule implements passwordService {
* <br> ) * <br> )
*/ */
function doUploadPostActions(&$data, $ids, $failed, &$temp, &$accounts) { function doUploadPostActions(&$data, $ids, $failed, &$temp, &$accounts) {
if (!checkIfWriteAccessIsAllowed()) { if (!checkIfWriteAccessIsAllowed($this->get_scope())) {
die(); die();
} }
// on first call generate list of ldap operations // on first call generate list of ldap operations

10
lam/lib/security.inc
View File

@ -236,15 +236,23 @@ function logNewMessage($level, $message) {
/** /**
* Checks if write access to LDAP is allowed. * Checks if write access to LDAP is allowed.
* *
* @param String $scope account type (e.g. user)
* @return boolean true, if allowed * @return boolean true, if allowed
*/ */
function checkIfWriteAccessIsAllowed() { function checkIfWriteAccessIsAllowed($scope = null) {
if (!isset($_SESSION['config'])) { if (!isset($_SESSION['config'])) {
return false; return false;
} }
if ($_SESSION['config']->getAccessLevel() >= LAMConfig::ACCESS_ALL) { if ($_SESSION['config']->getAccessLevel() >= LAMConfig::ACCESS_ALL) {
$typeSettings = $_SESSION['config']->get_typeSettings();
if ($scope == null) {
return true; return true;
} }
elseif (!isset($typeSettings['readOnly_' . $scope]) || !$typeSettings['readOnly_' . $scope]) {
// check if write for this type is allowed
return true;
}
}
return false; return false;
} }

4
lam/lib/types/dhcp.inc
View File

@ -4,7 +4,7 @@ $Id$
This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/) This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
Copyright (C) 2008 Thomas Manninger Copyright (C) 2008 Thomas Manninger
2009 - 2013 Roland Gruber 2009 - 2014 Roland Gruber
This program is free software; you can redistribute it and/or modify This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by it under the terms of the GNU General Public License as published by
@ -244,7 +244,7 @@ class lamDHCPList extends lamList {
* @param htmlGroup $right right part * @param htmlGroup $right right part
*/ */
protected function addExtraInputElementsToTopArea(&$left, &$right) { protected function addExtraInputElementsToTopArea(&$left, &$right) {
if (checkIfWriteAccessIsAllowed()) { if (checkIfWriteAccessIsAllowed($this->type)) {
$left->addElement(new htmlSpacer('20px', null)); $left->addElement(new htmlSpacer('20px', null));
$dhcpButton = new htmlButton('dhcpDefaults', $this->labels['dhcpDefaults']); $dhcpButton = new htmlButton('dhcpDefaults', $this->labels['dhcpDefaults']);
$dhcpButton->setIconClass('settingsButton'); $dhcpButton->setIconClass('settingsButton');

8
lam/lib/types/user.inc
View File

@ -3,7 +3,7 @@
$Id$ $Id$
This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/) This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
Copyright (C) 2005 - 2013 Roland Gruber Copyright (C) 2005 - 2014 Roland Gruber
This program is free software; you can redistribute it and/or modify This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by it under the terms of the GNU General Public License as published by
@ -293,13 +293,13 @@ class user extends baseType {
} }
$statusTable .= '</table>'; $statusTable .= '</table>';
$tipContent = $statusTable; $tipContent = $statusTable;
if (checkIfWriteAccessIsAllowed()) { if (checkIfWriteAccessIsAllowed('user')) {
$tipContent .= '<br><img alt=&quot;hint&quot; src=&quot;../../graphics/light.png&quot;> '; $tipContent .= '<br><img alt=&quot;hint&quot; src=&quot;../../graphics/light.png&quot;> ';
$tipContent .= _('Please click to lock/unlock this account.'); $tipContent .= _('Please click to lock/unlock this account.');
} }
$dialogDiv = $this->buildAccountStatusDialogDiv($unixAvailable, $unixLocked, $sambaAvailable, $sambaLocked, $ppolicyAvailable, $ppolicyLocked, $windowsAvailable, $windowsLocked); $dialogDiv = $this->buildAccountStatusDialogDiv($unixAvailable, $unixLocked, $sambaAvailable, $sambaLocked, $ppolicyAvailable, $ppolicyLocked, $windowsAvailable, $windowsLocked);
$onClick = ''; $onClick = '';
if (checkIfWriteAccessIsAllowed()) { if (checkIfWriteAccessIsAllowed('user')) {
$onClick = 'onclick="showConfirmationDialog(\'' . _('Change account status') . '\', \'' . _('Ok') . '\', \'' . _('Cancel') . '\', \'lam_accountStatusDialog\', \'inputForm\', \'lam_accountStatusResult\');"'; $onClick = 'onclick="showConfirmationDialog(\'' . _('Change account status') . '\', \'' . _('Ok') . '\', \'' . _('Cancel') . '\', \'lam_accountStatusDialog\', \'inputForm\', \'lam_accountStatusResult\');"';
} }
return $dialogDiv . '<a href="#"><img id="lam_accountStatus" alt="status" ' . $onClick . ' helptitle="' . _('Account status') . '" helpdata="' . $tipContent . '" height=16 width=16 src="../../graphics/' . $icon . '"></a>&nbsp;&nbsp;&nbsp;'; return $dialogDiv . '<a href="#"><img id="lam_accountStatus" alt="status" ' . $onClick . ' helptitle="' . _('Account status') . '" helpdata="' . $tipContent . '" height=16 width=16 src="../../graphics/' . $icon . '"></a>&nbsp;&nbsp;&nbsp;';
@ -664,7 +664,7 @@ class lamUserList extends lamList {
* @return lamListTool[] tools * @return lamListTool[] tools
*/ */
protected function getAdditionalTools() { protected function getAdditionalTools() {
if (isLAMProVersion() && checkIfPasswordChangeIsAllowed()) { if (isLAMProVersion() && checkIfPasswordChangeIsAllowed() && checkIfWriteAccessIsAllowed('user')) {
$passwordTool = new lamListTool(_('Change password'), 'key.png', 'changePassword.php'); $passwordTool = new lamListTool(_('Change password'), 'key.png', 'changePassword.php');
return array($passwordTool); return array($passwordTool);
} }

18
lam/templates/config/conftypes.php
View File

@ -3,7 +3,7 @@
$Id$ $Id$
This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/) This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
Copyright (C) 2004 - 2013 Roland Gruber Copyright (C) 2004 - 2014 Roland Gruber
This program is free software; you can redistribute it and/or modify This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by it under the terms of the GNU General Public License as published by
@ -280,7 +280,18 @@ if (sizeof($activeTypes) > 0) {
if (isset($typeSettings['hidden_' . $activeTypes[$i]])) { if (isset($typeSettings['hidden_' . $activeTypes[$i]])) {
$hidden = $typeSettings['hidden_' . $activeTypes[$i]]; $hidden = $typeSettings['hidden_' . $activeTypes[$i]];
} }
$advancedOptionsContent->addElement(new htmlTableExtendedInputCheckbox('hidden_' . $activeTypes[$i], $hidden, _('Hidden'), '261'), true); $advancedOptionsContent->addElement(new htmlTableExtendedInputCheckbox('hidden_' . $activeTypes[$i], $hidden, _('Hidden'), '261'));
if (isLAMProVersion() && ($conf->getAccessLevel() == LAMConfig::ACCESS_ALL)) {
$advancedOptionsContent->addElement(new htmlSpacer('20px', null));
$isReadOnly = false;
if (isset($typeSettings['readOnly_' . $activeTypes[$i]])) {
$isReadOnly = $typeSettings['readOnly_' . $activeTypes[$i]];
}
$readOnly = new htmlTableExtendedInputCheckbox('readOnly_' . $activeTypes[$i], $isReadOnly, _('Read-only'), '265');
$readOnly->setElementsToDisable(array('hideNewButton_' . $activeTypes[$i], 'hideDeleteButton_' . $activeTypes[$i]));
$advancedOptionsContent->addElement($readOnly);
}
$advancedOptionsContent->addNewLine();
// custom label // custom label
$customLabel = ''; $customLabel = '';
if (isset($typeSettings['customLabel_' . $activeTypes[$i]])) { if (isset($typeSettings['customLabel_' . $activeTypes[$i]])) {
@ -403,6 +414,9 @@ function checkInput() {
// set if deletion of entries is allowed // set if deletion of entries is allowed
$key = "hideDeleteButton_" . $accountTypes[$i]; $key = "hideDeleteButton_" . $accountTypes[$i];
$typeSettings[$key] = (isset($_POST[$key]) && ($_POST[$key] == 'on')); $typeSettings[$key] = (isset($_POST[$key]) && ($_POST[$key] == 'on'));
// set if account type is read-only
$key = "readOnly_" . $accountTypes[$i];
$typeSettings[$key] = (isset($_POST[$key]) && ($_POST[$key] == 'on'));
} }
} }
// save input // save input

4
lam/templates/delete.php
View File

@ -72,7 +72,7 @@ if (isset($_GET['type']) && isset($_SESSION['delete_dn'])) {
logNewMessage(LOG_ERR, 'Invalid type: ' . $_GET['type']); logNewMessage(LOG_ERR, 'Invalid type: ' . $_GET['type']);
die(); die();
} }
if (!checkIfDeleteEntriesIsAllowed($_GET['type'])) { if (!checkIfDeleteEntriesIsAllowed($_GET['type']) || !checkIfWriteAccessIsAllowed($_GET['type'])) {
logNewMessage(LOG_ERR, 'User tried to delete entries of forbidden type '. $_GET['type']); logNewMessage(LOG_ERR, 'User tried to delete entries of forbidden type '. $_GET['type']);
die(); die();
} }
@ -142,7 +142,7 @@ elseif (isset($_POST['cancelAllOk'])) {
} }
if (isset($_POST['delete'])) { if (isset($_POST['delete'])) {
if (!checkIfDeleteEntriesIsAllowed($_POST['type'])) { if (!checkIfDeleteEntriesIsAllowed($_POST['type']) || !checkIfWriteAccessIsAllowed($_GET['type'])) {
logNewMessage(LOG_ERR, 'User tried to delete entries of forbidden type '. $_POST['type']); logNewMessage(LOG_ERR, 'User tried to delete entries of forbidden type '. $_POST['type']);
die(); die();
} }

2
lam/templates/massBuildAccounts.php
View File

@ -97,7 +97,7 @@ if (isAccountTypeHidden($scope)) {
logNewMessage(LOG_ERR, 'User tried to access hidden upload: ' . $scope); logNewMessage(LOG_ERR, 'User tried to access hidden upload: ' . $scope);
die(); die();
} }
if (!checkIfNewEntriesAreAllowed($scope)) { if (!checkIfNewEntriesAreAllowed($scope) || !checkIfWriteAccessIsAllowed($scope)) {
logNewMessage(LOG_ERR, 'User tried to access forbidden upload: ' . $scope); logNewMessage(LOG_ERR, 'User tried to access forbidden upload: ' . $scope);
die(); die();
} }

2
lam/templates/massDoUpload.php
View File

@ -68,7 +68,7 @@ if (isAccountTypeHidden($scope)) {
logNewMessage(LOG_ERR, 'User tried to access hidden upload: ' . $scope); logNewMessage(LOG_ERR, 'User tried to access hidden upload: ' . $scope);
die(); die();
} }
if (!checkIfNewEntriesAreAllowed($scope)) { if (!checkIfNewEntriesAreAllowed($scope) || !checkIfWriteAccessIsAllowed($scope)) {
logNewMessage(LOG_ERR, 'User tried to access forbidden upload: ' . $scope); logNewMessage(LOG_ERR, 'User tried to access forbidden upload: ' . $scope);
die(); die();
} }

9
lam/templates/masscreate.php
View File

@ -81,7 +81,8 @@ $types = $_SESSION['config']->get_ActiveTypes();
$count = sizeof($types); $count = sizeof($types);
for ($i = 0; $i < $count; $i++) { for ($i = 0; $i < $count; $i++) {
$myType = new $types[$i](); $myType = new $types[$i]();
if (!$myType->supportsFileUpload() || isAccountTypeHidden($types[$i]) || !checkIfNewEntriesAreAllowed($types[$i])) { if (!$myType->supportsFileUpload() || isAccountTypeHidden($types[$i])
|| !checkIfNewEntriesAreAllowed($types[$i]) || !checkIfWriteAccessIsAllowed($types[$i])) {
unset($types[$i]); unset($types[$i]);
} }
} }
@ -145,7 +146,7 @@ $selectedType = array();
if (isset($_REQUEST['type'])) { if (isset($_REQUEST['type'])) {
$selectedType[] = $_REQUEST['type']; $selectedType[] = $_REQUEST['type'];
} }
else { elseif (!empty($types)) {
$selectedType[] = $types[0]; $selectedType[] = $types[0];
} }
$typeSelect = new htmlTableExtendedSelect('type', $typeList, $selectedType, _("Account type")); $typeSelect = new htmlTableExtendedSelect('type', $typeList, $selectedType, _("Account type"));
@ -206,7 +207,9 @@ $table->addElement($moduleGroup, true);
// ok button // ok button
$table->addElement(new htmlSpacer(null, '20px'), true); $table->addElement(new htmlSpacer(null, '20px'), true);
$table->addElement(new htmlButton('submit', _('Ok')), true); if (!empty($types)) {
$table->addElement(new htmlButton('submit', _('Ok')), true);
}
parseHtml(null, $table, array(), false, $tabindex, 'user'); parseHtml(null, $table, array(), false, $tabindex, 'user');
?> ?>

5
lam/templates/ou_edit.php
View File

@ -164,7 +164,7 @@ function display_main($message, $error) {
$types = array(); $types = array();
$typeList = $_SESSION['config']->get_ActiveTypes(); $typeList = $_SESSION['config']->get_ActiveTypes();
for ($i = 0; $i < sizeof($typeList); $i++) { for ($i = 0; $i < sizeof($typeList); $i++) {
if (isAccountTypeHidden($typeList[$i])) { if (isAccountTypeHidden($typeList[$i]) || !checkIfWriteAccessIsAllowed($typeList[$i])) {
continue; continue;
} }
$types[$typeList[$i]] = getTypeAlias($typeList[$i]); $types[$typeList[$i]] = getTypeAlias($typeList[$i]);
@ -179,6 +179,8 @@ function display_main($message, $error) {
} }
$options[$title] = $elements; $options[$title] = $elements;
} }
if (!empty($options)) {
// new OU // new OU
$container->addElement(new htmlOutputText(_("New organisational unit"))); $container->addElement(new htmlOutputText(_("New organisational unit")));
$parentOUSelect = new htmlSelect('parentOU', $options, array()); $parentOUSelect = new htmlSelect('parentOU', $options, array());
@ -204,6 +206,7 @@ function display_main($message, $error) {
$container->addElement(new htmlOutputText('')); $container->addElement(new htmlOutputText(''));
$container->addElement(new htmlButton('deleteOU', _("Ok"))); $container->addElement(new htmlButton('deleteOU', _("Ok")));
$container->addElement(new htmlHelpLink('602'), true); $container->addElement(new htmlHelpLink('602'), true);
}
parseHtml(null, $container, array(), false, $tabindex, 'user'); parseHtml(null, $container, array(), false, $tabindex, 'user');
echo ("</form>\n"); echo ("</form>\n");

6
lam/templates/pdfedit/pdfmain.php
View File

@ -4,7 +4,7 @@ $Id$
This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/) This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
Copyright (C) 2003 - 2006 Michael Duergner Copyright (C) 2003 - 2006 Michael Duergner
2005 - 2013 Roland Gruber 2005 - 2014 Roland Gruber
This program is free software; you can redistribute it and/or modify This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by it under the terms of the GNU General Public License as published by
@ -73,7 +73,7 @@ if(isset($_POST['createNewTemplate'])) {
$scopes = $_SESSION['config']->get_ActiveTypes(); $scopes = $_SESSION['config']->get_ActiveTypes();
$sortedScopes = array(); $sortedScopes = array();
for ($i = 0; $i < sizeof($scopes); $i++) { for ($i = 0; $i < sizeof($scopes); $i++) {
if (isAccountTypeHidden($scopes[$i])) { if (isAccountTypeHidden($scopes[$i]) || !checkIfWriteAccessIsAllowed($scopes[$i])) {
continue; continue;
} }
$sortedScopes[$scopes[$i]] = getTypeAlias($scopes[$i]); $sortedScopes[$scopes[$i]] = getTypeAlias($scopes[$i]);
@ -171,6 +171,7 @@ include '../main_header.php';
} }
// new template // new template
if (!empty($availableScopes)) {
$container->addElement(new htmlSubTitle(_('Create a new PDF structure')), true); $container->addElement(new htmlSubTitle(_('Create a new PDF structure')), true);
$newPDFContainer = new htmlTable(); $newPDFContainer = new htmlTable();
$newScopeSelect = new htmlSelect('scope', $availableScopes); $newScopeSelect = new htmlSelect('scope', $availableScopes);
@ -181,6 +182,7 @@ include '../main_header.php';
$newPDFContainer->addElement(new htmlButton('createNewTemplate', _('Create'))); $newPDFContainer->addElement(new htmlButton('createNewTemplate', _('Create')));
$container->addElement($newPDFContainer, true); $container->addElement($newPDFContainer, true);
$container->addElement(new htmlSpacer(null, '10px'), true); $container->addElement(new htmlSpacer(null, '10px'), true);
}
// existing templates // existing templates
$configProfiles = getConfigProfiles(); $configProfiles = getConfigProfiles();

4
lam/templates/pdfedit/pdfpage.php
View File

@ -4,7 +4,7 @@ $Id$
This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/) This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
Copyright (C) 2003 - 2006 Michael Duergner Copyright (C) 2003 - 2006 Michael Duergner
2007 - 2013 Roland Gruber 2007 - 2014 Roland Gruber
This program is free software; you can redistribute it and/or modify This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by it under the terms of the GNU General Public License as published by
@ -69,7 +69,7 @@ if(isset($_POST['type'])) {
} }
} }
if (isAccountTypeHidden($_GET['type'])) { if (isAccountTypeHidden($_GET['type']) || !checkIfWriteAccessIsAllowed($_GET['type'])) {
logNewMessage(LOG_ERR, 'User tried to access hidden PDF structure: ' . $_GET['type']); logNewMessage(LOG_ERR, 'User tried to access hidden PDF structure: ' . $_GET['type']);
die(); die();
} }

30
lam/templates/profedit/profilemain.php
View File

@ -3,7 +3,7 @@
$Id$ $Id$
This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/) This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
Copyright (C) 2003 - 2012 Roland Gruber Copyright (C) 2003 - 2014 Roland Gruber
This program is free software; you can redistribute it and/or modify This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by it under the terms of the GNU General Public License as published by
@ -51,7 +51,7 @@ $types = $_SESSION['config']->get_ActiveTypes();
$profileClasses = array(); $profileClasses = array();
$profileClassesTemp = array(); $profileClassesTemp = array();
for ($i = 0; $i < sizeof($types); $i++) { for ($i = 0; $i < sizeof($types); $i++) {
if (isAccountTypeHidden($types[$i])) { if (isAccountTypeHidden($types[$i]) || !checkIfWriteAccessIsAllowed($types[$i])) {
continue; continue;
} }
$profileClassesTemp[getTypeAlias($types[$i])] = array( $profileClassesTemp[getTypeAlias($types[$i])] = array(
@ -152,20 +152,22 @@ if (isset($_GET['savedSuccessfully'])) {
} }
// new profile // new profile
$container->addElement(new htmlSubTitle(_('Create a new profile')), true); if (!empty($profileClasses)) {
$sortedTypes = array(); $container->addElement(new htmlSubTitle(_('Create a new profile')), true);
for ($i = 0; $i < sizeof($profileClasses); $i++) { $sortedTypes = array();
for ($i = 0; $i < sizeof($profileClasses); $i++) {
$sortedTypes[$profileClasses[$i]['title']] = $profileClasses[$i]['scope']; $sortedTypes[$profileClasses[$i]['title']] = $profileClasses[$i]['scope'];
}
natcasesort($sortedTypes);
$newContainer = new htmlTable();
$newProfileSelect = new htmlSelect('createProfile', $sortedTypes);
$newProfileSelect->setHasDescriptiveElements(true);
$newProfileSelect->setWidth('15em');
$newContainer->addElement($newProfileSelect);
$newContainer->addElement(new htmlSpacer('10px', null));
$newContainer->addElement(new htmlButton('createProfileButton', _('Create')), true);
$container->addElement($newContainer, true);
} }
natcasesort($sortedTypes);
$newContainer = new htmlTable();
$newProfileSelect = new htmlSelect('createProfile', $sortedTypes);
$newProfileSelect->setHasDescriptiveElements(true);
$newProfileSelect->setWidth('15em');
$newContainer->addElement($newProfileSelect);
$newContainer->addElement(new htmlSpacer('10px', null));
$newContainer->addElement(new htmlButton('createProfileButton', _('Create')), true);
$container->addElement($newContainer, true);
$container->addElement(new htmlSpacer(null, '10px'), true); $container->addElement(new htmlSpacer(null, '10px'), true);

4
lam/templates/profedit/profilepage.php
View File

@ -3,7 +3,7 @@
$Id$ $Id$
This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/) This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
Copyright (C) 2003 - 2012 Roland Gruber Copyright (C) 2003 - 2014 Roland Gruber
This program is free software; you can redistribute it and/or modify This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by it under the terms of the GNU General Public License as published by
@ -61,7 +61,7 @@ if (!$_SESSION['ldap'] || !$_SESSION['ldap']->server()) {
if (isset($_POST['profname'])) $_GET['edit'] = $_POST['profname']; if (isset($_POST['profname'])) $_GET['edit'] = $_POST['profname'];
if (isset($_POST['accounttype'])) $_GET['type'] = $_POST['accounttype']; if (isset($_POST['accounttype'])) $_GET['type'] = $_POST['accounttype'];
if (isAccountTypeHidden($_GET['type'])) { if (isAccountTypeHidden($_GET['type']) || !checkIfWriteAccessIsAllowed($_GET['type'])) {
logNewMessage(LOG_ERR, 'User tried to access hidden account type profile: ' . $_GET['type']); logNewMessage(LOG_ERR, 'User tried to access hidden account type profile: ' . $_GET['type']);
die(); die();
} }