allow to set single account types read-only

lam/HISTORY

@@ -3,6 +3,7 @@ March 2014 4.5
   - Personal: allow to set fields read-only
   - Added option to server profile if referrals should be followed (fixes problems with Samba 4 and AD)
   - LAM Pro:
+   -> Allow to set single account types read-only
    -> Separate IP restriction list for self service
 
 

lam/README

@@ -15,7 +15,7 @@ LAM - Readme
 
   https://www.ldap-account-manager.org/
 
-    Copyright (C) 2003 - 2013 Roland Gruber <post@rolandgruber.de>
+    Copyright (C) 2003 - 2014 Roland Gruber <post@rolandgruber.de>
 
   Installation and documentation:
     Please see the LAM manual in docs/manual/index.html.

lam/copyright

@@ -1,4 +1,4 @@
-This software is copyright (c) 2003 - 2013 by Roland Gruber
+This software is copyright (c) 2003 - 2014 by Roland Gruber
 
 If you purchased a copy of LDAP Account Manager Pro then the following
 files are licensed under the conditions which you accepted at purchase

lam/docs/manual-sources/howto.xml

@@ -19,7 +19,7 @@
     <para><ulink
     url="https://www.ldap-account-manager.org/">https://www.ldap-account-manager.org/</ulink></para>
 
-    <para>Copyright (C) 2003 - 2013 Roland Gruber
+    <para>Copyright (C) 2003 - 2014 Roland Gruber
     &lt;post@rolandgruber.de&gt;</para>
 
     <para><emphasis role="bold">Key features:</emphasis></para>
@@ -1388,6 +1388,15 @@ Have fun!
               users.</para>
             </listitem>
 
+            <listitem>
+              <para><emphasis role="bold">Read-only (LAM Pro only):</emphasis>
+              This allows to set a single account type to read-only mode.
+              Please note that this is a restriction on functional level (e.g.
+              group memberships can be changed on user page even if groups are
+              read-only) and is no replacement for setting up proper ACLs on
+              your LDAP server.</para>
+            </listitem>
+
             <listitem>
               <para><emphasis role="bold">Custom label:</emphasis> Here you
               can set a custom label for the account types. Use this if the

lam/help/help.inc

@@ -4,7 +4,7 @@ $Id$
 
   This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
   Copyright (C) 2003 - 2006 Michael Duergner
-                2003 - 2013 Roland Gruber
+                2003 - 2014 Roland Gruber
 
   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -171,6 +171,8 @@ $helpArray = array (
 					"Text" => _('If checked then the user will not be able to delete entries of this account type.')),
 				"264" => array ("Headline" => _('Custom label'),
 					"Text" => _('Here you can overwrite the display name for this account type.')),
+				"265" => array ("Headline" => _('Read-only'),
+					"Text" => _('Sets this account type to read-only.')),
 				// 300 - 399
 				// profile editor, file upload
 				"301" => array ("Headline" => _("RDN identifier"),

lam/lib/html.inc

@@ -1728,6 +1728,10 @@ class htmlInputCheckbox extends htmlElement {
 	protected $tableRowsToShow = array();
 	/** indicates that this field should not automatically be saved in the self service or server profile */
 	private $transient = false;
+	/** list of input elements to enable when checked */
+	protected $elementsToEnable = array();
+	/** list of input elements to disable when checked */
+	protected $elementsToDisable = array();
 	
 	
 	/**
@@ -1776,7 +1780,6 @@ class htmlInputCheckbox extends htmlElement {
 		$script = '';
 		if ((sizeof($this->tableRowsToShow) > 0) || (sizeof($this->tableRowsToHide) > 0)) {
 			// build onChange listener
-			$onChange = ' onChange="';
 			$onChange .= 'if (jQuery(\'#' . $this->name . ':checked\').val() !== undefined) {';
 			for ($i = 0; $i < sizeof($this->tableRowsToShow); $i++) {
 				$onChange .= 'jQuery(\'#' . $this->tableRowsToShow[$i] . '\').closest(\'tr\').removeClass(\'hidden\');';
@@ -1793,7 +1796,6 @@ class htmlInputCheckbox extends htmlElement {
 				$onChange .= 'jQuery(\'#' . $this->tableRowsToHide[$i] . '\').closest(\'tr\').removeClass(\'hidden\');';
 			}
 			$onChange .= '};';
-			$onChange .= '"';
 			// build script to set initial state
 			$script = '<script type="text/javascript">jQuery(document).ready(function() {';
 			for ($i = 0; $i < sizeof($this->tableRowsToShow); $i++) {
@@ -1812,6 +1814,46 @@ class htmlInputCheckbox extends htmlElement {
 			}
 			$script .= '});</script>';
 		}
+		// build Java script to enable/disable elements
+		if ((sizeof($this->elementsToEnable) > 0) || (sizeof($this->elementsToDisable) > 0)) {
+			// build onChange listener
+			$onChange .= 'if (jQuery(\'#' . $this->name . ':checked\').val() !== undefined) {';
+			for ($i = 0; $i < sizeof($this->elementsToEnable); $i++) {
+				$onChange .= 'jQuery(\'#' . $this->elementsToEnable[$i] . '\').prop(\'disabled\', false);';
+			}
+			for ($i = 0; $i < sizeof($this->elementsToDisable); $i++) {
+				$onChange .= 'jQuery(\'#' . $this->elementsToDisable[$i] . '\').prop(\'disabled\', true);';
+			}
+			$onChange .= '}';
+			$onChange .= 'else {';
+			for ($i = 0; $i < sizeof($this->elementsToEnable); $i++) {
+				$onChange .= 'jQuery(\'#' . $this->elementsToEnable[$i] . '\').prop(\'disabled\', true);';
+			}
+			for ($i = 0; $i < sizeof($this->elementsToDisable); $i++) {
+				$onChange .= 'jQuery(\'#' . $this->elementsToDisable[$i] . '\').prop(\'disabled\', false);';
+			}
+			$onChange .= '};';
+			// build script to set initial state
+			$script = '<script type="text/javascript">jQuery(document).ready(function() {';
+			for ($i = 0; $i < sizeof($this->elementsToEnable); $i++) {
+				$classType = 'true';
+				if ($this->checked) {
+					$classType = 'false';
+				}
+				$script .= 'jQuery(\'#' . $this->elementsToEnable[$i] . '\').prop(\'disabled\', ' . $classType . ');';
+			}
+			for ($i = 0; $i < sizeof($this->elementsToDisable); $i++) {
+				$classType = 'false';
+				if ($this->checked) {
+					$classType = 'true';
+				}
+				$script .= 'jQuery(\'#' . $this->elementsToDisable[$i] . '\').prop(\'disabled\', ' . $classType . ');';
+			}
+			$script .= '});</script>';
+		}
+		if (!empty($onChange)) {
+			$onChange = ' onChange="' . $onChange . '"';
+		}
 		echo '<input type="checkbox" id="' . $this->name . '" name="' . $this->name . '"' . $tabindexValue . $onChange . $checked . $disabled . '>';
 		echo $script;
 		if ($this->transient) {
@@ -1868,6 +1910,26 @@ class htmlInputCheckbox extends htmlElement {
 		$this->transient = $transient;
 	}
 
+	/**
+	 * This will disable the given input elements when the checkbox is checked.
+	 * The given IDs can be of any input element (e.g. select, checkbox, ...).
+	 * 
+	 * @param array $elements IDs of elements to disable
+	 */
+	public function setElementsToDisable($elements) {
+		$this->elementsToDisable = $elements;
+	}
+	
+	/**
+	 * This will enable the given input elements when the checkbox is checked.
+	 * The given IDs can be of any input element (e.g. select, checkbox, ...).
+	 * 
+	 * @param array $elements IDs of elements to enable
+	 */
+	public function setElementsToEnable($elements) {
+		$this->elementsToEnable = $elements;
+	}
+
 }
 
 /**

lam/lib/lists.inc

@@ -486,7 +486,7 @@ class lamList {
 		$group->addElement($editLink);
 		$toolCount++;
 		// delete link
-		if (checkIfWriteAccessIsAllowed() && checkIfDeleteEntriesIsAllowed($this->type)) {
+		if (checkIfWriteAccessIsAllowed($this->type) && checkIfDeleteEntriesIsAllowed($this->type)) {
 			$deleteLink = new htmlLink('', "deletelink.php?type=" . $this->type . "&DN='" . rawurlencode($account['dn']) . "'", '../../graphics/delete.png');
 			$deleteLink->setTitle(_("Delete"));
 			$group->addElement($deleteLink);
@@ -539,7 +539,7 @@ class lamList {
 	protected function listDoPost() {
 		// check if button was pressed and if we have to add/delete an account or call file upload
 		if (isset($_POST['new']) || isset($_POST['del']) || isset($_POST['fileUpload'])){
-			if (!checkIfWriteAccessIsAllowed()) {
+			if (!checkIfWriteAccessIsAllowed($this->type)) {
 				die();
 			}
 			// add new account
@@ -748,7 +748,7 @@ class lamList {
 		$left = new htmlGroup();
 		// button part
 		$left->alignment = htmlElement::ALIGN_LEFT;
-		if (checkIfWriteAccessIsAllowed()) {
+		if (checkIfWriteAccessIsAllowed($this->type)) {
 			// add button
 			if (checkIfNewEntriesAreAllowed($this->type)) {
 				$newButton = new htmlButton('new', $this->labels['newEntry']);

lam/lib/modules.inc

@@ -843,7 +843,7 @@ class accountContainer {
 				exit;
 			}
 			// module actions
-			if ((sizeof($_POST) > 0) && checkIfWriteAccessIsAllowed()) {
+			if ((sizeof($_POST) > 0) && checkIfWriteAccessIsAllowed($this->type)) {
 				$result = call_user_func(array(&$this->module[$this->order[$this->current_page]], 'process_'.$this->subpage));
 				if (is_array($result)) {  // messages were returned, check for errors
 					for ($i = 0; $i < sizeof($result); $i++) {
@@ -965,7 +965,7 @@ class accountContainer {
 		}
 		echo '<div id="passwordMessageArea"></div>';
 		echo "<table class=\"".$this->type."-bright\" border=0 width=\"100%\" style=\"border-collapse: collapse;\">\n";
-		if (checkIfWriteAccessIsAllowed()) {
+		if (checkIfWriteAccessIsAllowed($this->type)) {
 			echo "<tr class=\"".$this->type."-bright\"><td style=\"padding: 15px 15px 0px 15px;\">\n";
 			$this->printCommonControls($tabindex);
 			echo "</td></tr>\n";
@@ -1673,7 +1673,7 @@ class accountContainer {
 	* @return array list of status messages
 	*/
 	function save_account() {
-		if (!checkIfWriteAccessIsAllowed()) {
+		if (!checkIfWriteAccessIsAllowed($this->type)) {
 			die();
 		}
 		$this->finalDN = $this->dn_orig;

lam/lib/modules/imapAccess.inc

@@ -4,7 +4,7 @@ $Id$
 
   This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
   Copyright (C) 2010 - 2011  Pavel Pozdniak
-                2010 - 2013  Roland Gruber
+                2010 - 2014  Roland Gruber
 
   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -188,7 +188,7 @@ class imapAccess extends baseModule {
 	 */
 	function display_html_attributes() {
 		$return = new htmlTable();
-		if (!checkIfWriteAccessIsAllowed()) {
+		if (!checkIfWriteAccessIsAllowed($this->get_scope())) {
 			return $return;
 		}
 		$prefix = $this->getMailboxPrefix();
@@ -335,7 +335,7 @@ class imapAccess extends baseModule {
 	 */
 	function process_attributes() {
 		$errors = array();
-		if (!checkIfWriteAccessIsAllowed()) {
+		if (!checkIfWriteAccessIsAllowed($this->get_scope())) {
 			return $errors;
 		}
 		$prefix = $this->getMailboxPrefix();

lam/lib/modules/inetOrgPerson.inc

@@ -4,7 +4,7 @@ $Id$
 
   This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
   Copyright (C) 2003 - 2006  Tilo Lutz
-                2005 - 2013  Roland Gruber
+                2005 - 2014  Roland Gruber
 
   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -1672,7 +1672,7 @@ class inetOrgPerson extends baseModule implements passwordService {
 			}
 		}
 		// password buttons
-		if (!in_array('posixAccount', $modules) && checkIfWriteAccessIsAllowed() && isset($this->attributes['userPassword'][0]) && !$this->isAdminReadOnly('userPassword')) {
+		if (!in_array('posixAccount', $modules) && checkIfWriteAccessIsAllowed($this->get_scope()) && isset($this->attributes['userPassword'][0]) && !$this->isAdminReadOnly('userPassword')) {
 			$fieldContainer->addElement(new htmlSubTitle(_('Password')), true);
 			$pwdContainer = new htmlTable();
 			if (pwd_is_enabled($this->attributes['userPassword'][0])) {
@@ -2516,7 +2516,7 @@ class inetOrgPerson extends baseModule implements passwordService {
 	* <br> )
 	*/
 	function doUploadPostActions(&$data, $ids, $failed, &$temp, &$accounts) {
-		if (!checkIfWriteAccessIsAllowed()) {
+		if (!checkIfWriteAccessIsAllowed($this->get_scope())) {
 			die();
 		}
 		// mail sending is LAM Pro only

lam/lib/modules/posixAccount.inc

@@ -1429,7 +1429,7 @@ class posixAccount extends baseModule implements passwordService {
 				$return->addElement(new htmlTableExtendedSelect('loginShell', $shelllist, $selectedShell, _('Login shell'), 'loginShell'), true);
 			}
 			// password buttons
-			if (checkIfWriteAccessIsAllowed() && isset($this->attributes[$this->getPasswordAttrName()][0])) {
+			if (checkIfWriteAccessIsAllowed($this->get_scope()) && isset($this->attributes[$this->getPasswordAttrName()][0])) {
 				$return->addElement(new htmlOutputText(_('Password')));
 				$pwdContainer = new htmlTable();
 				if (pwd_is_enabled($this->attributes[$this->getPasswordAttrName()][0])) {
@@ -2172,7 +2172,7 @@ class posixAccount extends baseModule implements passwordService {
 	* <br> )
 	*/
 	function doUploadPostActions(&$data, $ids, $failed, &$temp, &$accounts) {
-		if (!checkIfWriteAccessIsAllowed()) {
+		if (!checkIfWriteAccessIsAllowed($this->get_scope())) {
 			die();
 		}
 		// on first call generate list of ldap operations

lam/lib/modules/posixGroup.inc

@@ -4,7 +4,7 @@ $Id$
 
 This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
 Copyright (C) 2003 - 2006  Tilo Lutz
-              2007 - 2013  Roland Gruber
+              2007 - 2014  Roland Gruber
 
 This program is free software; you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by
@@ -201,7 +201,7 @@ class posixGroup extends baseModule implements passwordService {
 				$return->addElement(new htmlTableExtendedInputField(_('Description'), 'description', $description, 'description'), true);
 			}
 			// password buttons
-			if (checkIfWriteAccessIsAllowed() && isset($this->attributes[$this->passwordAttrName][0])) {
+			if (checkIfWriteAccessIsAllowed($this->get_scope()) && isset($this->attributes[$this->passwordAttrName][0])) {
 				$return->addElement(new htmlOutputText(_('Password')));
 				$pwdContainer = new htmlTable();
 				if (pwd_is_enabled($this->attributes[$this->passwordAttrName][0])) {

lam/lib/modules/windowsUser.inc

@@ -3,7 +3,7 @@
 $Id$
 
   This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
-  Copyright (C) 2013  Roland Gruber
+  Copyright (C) 2013 - 2014  Roland Gruber
 
   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -1427,7 +1427,7 @@ class windowsUser extends baseModule implements passwordService {
 	* <br> )
 	*/
 	function doUploadPostActions(&$data, $ids, $failed, &$temp, &$accounts) {
-		if (!checkIfWriteAccessIsAllowed()) {
+		if (!checkIfWriteAccessIsAllowed($this->get_scope())) {
 			die();
 		}
 		// on first call generate list of ldap operations

lam/lib/security.inc

@@ -236,14 +236,22 @@ function logNewMessage($level, $message) {
 /**
  * Checks if write access to LDAP is allowed.
  *
+ * @param String $scope account type (e.g. user)
  * @return boolean true, if allowed
  */
-function checkIfWriteAccessIsAllowed() {
+function checkIfWriteAccessIsAllowed($scope = null) {
 	if (!isset($_SESSION['config'])) {
 		return false;
 	}
 	if ($_SESSION['config']->getAccessLevel() >= LAMConfig::ACCESS_ALL) {
-		return true;
+		$typeSettings = $_SESSION['config']->get_typeSettings();
+		if ($scope == null) {
+			return true;
+		}
+		elseif (!isset($typeSettings['readOnly_' . $scope]) || !$typeSettings['readOnly_' . $scope]) {
+			// check if write for this type is allowed
+			return true;
+		}
 	}
 	return false;
 }

lam/lib/types/dhcp.inc

@@ -4,7 +4,7 @@ $Id$
 
   This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
   Copyright (C) 2008         Thomas Manninger
-                2009 - 2013  Roland Gruber
+                2009 - 2014  Roland Gruber
 
   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -244,7 +244,7 @@ class lamDHCPList extends lamList {
 	 * @param htmlGroup $right right part
 	 */
 	protected function addExtraInputElementsToTopArea(&$left, &$right) {
-		if (checkIfWriteAccessIsAllowed()) {
+		if (checkIfWriteAccessIsAllowed($this->type)) {
 			$left->addElement(new htmlSpacer('20px', null));
 			$dhcpButton = new htmlButton('dhcpDefaults', $this->labels['dhcpDefaults']);
 			$dhcpButton->setIconClass('settingsButton');

lam/lib/types/user.inc

@@ -3,7 +3,7 @@
 $Id$
 
   This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
-  Copyright (C) 2005 - 2013  Roland Gruber
+  Copyright (C) 2005 - 2014  Roland Gruber
 
   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -293,13 +293,13 @@ class user extends baseType {
 		}
 		$statusTable .= '</table>';
 		$tipContent = $statusTable;
-		if (checkIfWriteAccessIsAllowed()) {
+		if (checkIfWriteAccessIsAllowed('user')) {
 			$tipContent .= '<br><img alt=&quot;hint&quot; src=&quot;../../graphics/light.png&quot;> ';
 			$tipContent .= _('Please click to lock/unlock this account.');
 		}
 		$dialogDiv = $this->buildAccountStatusDialogDiv($unixAvailable, $unixLocked, $sambaAvailable, $sambaLocked, $ppolicyAvailable, $ppolicyLocked, $windowsAvailable, $windowsLocked);
 		$onClick = '';
-		if (checkIfWriteAccessIsAllowed()) {
+		if (checkIfWriteAccessIsAllowed('user')) {
 			$onClick = 'onclick="showConfirmationDialog(\'' . _('Change account status') . '\', \'' . _('Ok') . '\', \'' . _('Cancel') . '\', \'lam_accountStatusDialog\', \'inputForm\', \'lam_accountStatusResult\');"';
 		}
 		return $dialogDiv . '<a href="#"><img id="lam_accountStatus" alt="status" ' . $onClick . ' helptitle="' . _('Account status') . '" helpdata="' . $tipContent . '" height=16 width=16 src="../../graphics/' . $icon . '"></a>&nbsp;&nbsp;&nbsp;';
@@ -664,7 +664,7 @@ class lamUserList extends lamList {
 	 * @return lamListTool[] tools
 	 */
 	protected function getAdditionalTools() {
-		if (isLAMProVersion() && checkIfPasswordChangeIsAllowed()) {
+		if (isLAMProVersion() && checkIfPasswordChangeIsAllowed() && checkIfWriteAccessIsAllowed('user')) {
 			$passwordTool = new lamListTool(_('Change password'), 'key.png', 'changePassword.php');
 			return array($passwordTool);
 		}

lam/templates/config/conftypes.php

@@ -3,7 +3,7 @@
 $Id$
 
   This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
-  Copyright (C) 2004 - 2013  Roland Gruber
+  Copyright (C) 2004 - 2014  Roland Gruber
 
   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -280,7 +280,18 @@ if (sizeof($activeTypes) > 0) {
 		if (isset($typeSettings['hidden_' . $activeTypes[$i]])) {
 			$hidden = $typeSettings['hidden_' . $activeTypes[$i]];
 		}
-		$advancedOptionsContent->addElement(new htmlTableExtendedInputCheckbox('hidden_' . $activeTypes[$i], $hidden, _('Hidden'), '261'), true);
+		$advancedOptionsContent->addElement(new htmlTableExtendedInputCheckbox('hidden_' . $activeTypes[$i], $hidden, _('Hidden'), '261'));
+		if (isLAMProVersion() && ($conf->getAccessLevel() == LAMConfig::ACCESS_ALL)) {
+			$advancedOptionsContent->addElement(new htmlSpacer('20px', null));
+			$isReadOnly = false;
+			if (isset($typeSettings['readOnly_' . $activeTypes[$i]])) {
+				$isReadOnly = $typeSettings['readOnly_' . $activeTypes[$i]];
+			}
+			$readOnly = new htmlTableExtendedInputCheckbox('readOnly_' . $activeTypes[$i], $isReadOnly, _('Read-only'), '265');
+			$readOnly->setElementsToDisable(array('hideNewButton_' . $activeTypes[$i], 'hideDeleteButton_' . $activeTypes[$i]));
+			$advancedOptionsContent->addElement($readOnly);
+		}
+		$advancedOptionsContent->addNewLine();
 		// custom label
 		$customLabel = '';
 		if (isset($typeSettings['customLabel_' . $activeTypes[$i]])) {
@@ -403,6 +414,9 @@ function checkInput() {
 			// set if deletion of entries is allowed
 			$key = "hideDeleteButton_" . $accountTypes[$i];
 			$typeSettings[$key] = (isset($_POST[$key]) && ($_POST[$key] == 'on'));
+			// set if account type is read-only
+			$key = "readOnly_" . $accountTypes[$i];
+			$typeSettings[$key] = (isset($_POST[$key]) && ($_POST[$key] == 'on'));
 		}
 	}
 	// save input

lam/templates/delete.php

@@ -72,7 +72,7 @@ if (isset($_GET['type']) && isset($_SESSION['delete_dn'])) {
 		logNewMessage(LOG_ERR, 'Invalid type: ' . $_GET['type']);
 		die();
 	}
-	if (!checkIfDeleteEntriesIsAllowed($_GET['type'])) {
+	if (!checkIfDeleteEntriesIsAllowed($_GET['type']) || !checkIfWriteAccessIsAllowed($_GET['type'])) {
 		logNewMessage(LOG_ERR, 'User tried to delete entries of forbidden type '. $_GET['type']);
 		die();
 	}
@@ -142,7 +142,7 @@ elseif (isset($_POST['cancelAllOk'])) {
 }
 
 if (isset($_POST['delete'])) {
-	if (!checkIfDeleteEntriesIsAllowed($_POST['type'])) {
+	if (!checkIfDeleteEntriesIsAllowed($_POST['type']) || !checkIfWriteAccessIsAllowed($_GET['type'])) {
 		logNewMessage(LOG_ERR, 'User tried to delete entries of forbidden type '. $_POST['type']);
 		die();
 	}

lam/templates/massBuildAccounts.php

@@ -97,7 +97,7 @@ if (isAccountTypeHidden($scope)) {
 	logNewMessage(LOG_ERR, 'User tried to access hidden upload: ' . $scope);
 	die();
 }
-if (!checkIfNewEntriesAreAllowed($scope)) {
+if (!checkIfNewEntriesAreAllowed($scope) || !checkIfWriteAccessIsAllowed($scope)) {
 	logNewMessage(LOG_ERR, 'User tried to access forbidden upload: ' . $scope);
 	die();
 }

lam/templates/massDoUpload.php

@@ -68,7 +68,7 @@ if (isAccountTypeHidden($scope)) {
 	logNewMessage(LOG_ERR, 'User tried to access hidden upload: ' . $scope);
 	die();
 }
-if (!checkIfNewEntriesAreAllowed($scope)) {
+if (!checkIfNewEntriesAreAllowed($scope) || !checkIfWriteAccessIsAllowed($scope)) {
 	logNewMessage(LOG_ERR, 'User tried to access forbidden upload: ' . $scope);
 	die();
 }

lam/templates/masscreate.php

@@ -81,7 +81,8 @@ $types = $_SESSION['config']->get_ActiveTypes();
 $count = sizeof($types);
 for ($i = 0; $i < $count; $i++) {
 	$myType = new $types[$i]();
-	if (!$myType->supportsFileUpload() || isAccountTypeHidden($types[$i]) || !checkIfNewEntriesAreAllowed($types[$i])) {
+	if (!$myType->supportsFileUpload() || isAccountTypeHidden($types[$i])
+			|| !checkIfNewEntriesAreAllowed($types[$i]) || !checkIfWriteAccessIsAllowed($types[$i])) {
 		unset($types[$i]);
 	}
 }
@@ -145,7 +146,7 @@ $selectedType = array();
 if (isset($_REQUEST['type'])) {
 	$selectedType[] = $_REQUEST['type'];
 }
-else {
+elseif (!empty($types)) {
 	$selectedType[] = $types[0];
 }
 $typeSelect = new htmlTableExtendedSelect('type', $typeList, $selectedType, _("Account type"));
@@ -206,7 +207,9 @@ $table->addElement($moduleGroup, true);
 
 // ok button
 $table->addElement(new htmlSpacer(null, '20px'), true);
-$table->addElement(new htmlButton('submit', _('Ok')), true);
+if (!empty($types)) {
+	$table->addElement(new htmlButton('submit', _('Ok')), true);
+}
 
 parseHtml(null, $table, array(), false, $tabindex, 'user');
 ?>

lam/templates/ou_edit.php

@@ -164,7 +164,7 @@ function display_main($message, $error) {
 	$types = array();
 	$typeList = $_SESSION['config']->get_ActiveTypes();
 	for ($i = 0; $i < sizeof($typeList); $i++) {
-		if (isAccountTypeHidden($typeList[$i])) {
+		if (isAccountTypeHidden($typeList[$i]) || !checkIfWriteAccessIsAllowed($typeList[$i])) {
 			continue;
 		}
 		$types[$typeList[$i]] = getTypeAlias($typeList[$i]);
@@ -179,31 +179,34 @@ function display_main($message, $error) {
 		}
 		$options[$title] = $elements;
 	}
-	// new OU
-	$container->addElement(new htmlOutputText(_("New organisational unit")));
-	$parentOUSelect = new htmlSelect('parentOU', $options, array());
-	$parentOUSelect->setContainsOptgroups(true);
-	$parentOUSelect->setHasDescriptiveElements(true);
-	$parentOUSelect->setRightToLeftTextDirection(true);
-	$parentOUSelect->setSortElements(false);
-	$container->addElement($parentOUSelect);
-	$container->addElement(new htmlInputField('newOU'));
-	$container->addElement(new htmlButton('createOU', _("Ok")));
-	$container->addElement(new htmlHelpLink('601'), true);
 	
-	$container->addElement(new htmlSpacer(null, '10px'), true);
+	if (!empty($options)) {
-
+		// new OU
-	// delete OU
+		$container->addElement(new htmlOutputText(_("New organisational unit")));
-	$container->addElement(new htmlOutputText(_("Delete organisational unit")));
+		$parentOUSelect = new htmlSelect('parentOU', $options, array());
-	$deleteableOUSelect = new htmlSelect('deleteableOU', $options, array());
+		$parentOUSelect->setContainsOptgroups(true);
-	$deleteableOUSelect->setContainsOptgroups(true);
+		$parentOUSelect->setHasDescriptiveElements(true);
-	$deleteableOUSelect->setHasDescriptiveElements(true);
+		$parentOUSelect->setRightToLeftTextDirection(true);
-	$deleteableOUSelect->setRightToLeftTextDirection(true);
+		$parentOUSelect->setSortElements(false);
-	$deleteableOUSelect->setSortElements(false);
+		$container->addElement($parentOUSelect);
-	$container->addElement($deleteableOUSelect);
+		$container->addElement(new htmlInputField('newOU'));
-	$container->addElement(new htmlOutputText(''));
+		$container->addElement(new htmlButton('createOU', _("Ok")));
-	$container->addElement(new htmlButton('deleteOU', _("Ok")));
+		$container->addElement(new htmlHelpLink('601'), true);
-	$container->addElement(new htmlHelpLink('602'), true);
+		
+		$container->addElement(new htmlSpacer(null, '10px'), true);
+	
+		// delete OU
+		$container->addElement(new htmlOutputText(_("Delete organisational unit")));
+		$deleteableOUSelect = new htmlSelect('deleteableOU', $options, array());
+		$deleteableOUSelect->setContainsOptgroups(true);
+		$deleteableOUSelect->setHasDescriptiveElements(true);
+		$deleteableOUSelect->setRightToLeftTextDirection(true);
+		$deleteableOUSelect->setSortElements(false);
+		$container->addElement($deleteableOUSelect);
+		$container->addElement(new htmlOutputText(''));
+		$container->addElement(new htmlButton('deleteOU', _("Ok")));
+		$container->addElement(new htmlHelpLink('602'), true);
+	}
 	
 	parseHtml(null, $container, array(), false, $tabindex, 'user');
 	echo ("</form>\n");

lam/templates/pdfedit/pdfmain.php

@@ -4,7 +4,7 @@ $Id$
 
   This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
   Copyright (C) 2003 - 2006  Michael Duergner
-                2005 - 2013  Roland Gruber
+                2005 - 2014  Roland Gruber
 
   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -73,7 +73,7 @@ if(isset($_POST['createNewTemplate'])) {
 $scopes = $_SESSION['config']->get_ActiveTypes();
 $sortedScopes = array();
 for ($i = 0; $i < sizeof($scopes); $i++) {
-	if (isAccountTypeHidden($scopes[$i])) {
+	if (isAccountTypeHidden($scopes[$i]) || !checkIfWriteAccessIsAllowed($scopes[$i])) {
 		continue;
 	}
 	$sortedScopes[$scopes[$i]] = getTypeAlias($scopes[$i]);
@@ -171,16 +171,18 @@ include '../main_header.php';
 		}
 
 		// new template
-		$container->addElement(new htmlSubTitle(_('Create a new PDF structure')), true);
+		if (!empty($availableScopes)) {
-		$newPDFContainer = new htmlTable();
+			$container->addElement(new htmlSubTitle(_('Create a new PDF structure')), true);
-		$newScopeSelect = new htmlSelect('scope', $availableScopes);
+			$newPDFContainer = new htmlTable();
-		$newScopeSelect->setHasDescriptiveElements(true);
+			$newScopeSelect = new htmlSelect('scope', $availableScopes);
-		$newScopeSelect->setWidth('15em');
+			$newScopeSelect->setHasDescriptiveElements(true);
-		$newPDFContainer->addElement($newScopeSelect);
+			$newScopeSelect->setWidth('15em');
-		$newPDFContainer->addElement(new htmlSpacer('10px', null));
+			$newPDFContainer->addElement($newScopeSelect);
-		$newPDFContainer->addElement(new htmlButton('createNewTemplate', _('Create')));
+			$newPDFContainer->addElement(new htmlSpacer('10px', null));
-		$container->addElement($newPDFContainer, true);
+			$newPDFContainer->addElement(new htmlButton('createNewTemplate', _('Create')));
-		$container->addElement(new htmlSpacer(null, '10px'), true);
+			$container->addElement($newPDFContainer, true);
+			$container->addElement(new htmlSpacer(null, '10px'), true);
+		}
 
 		// existing templates
 		$configProfiles = getConfigProfiles();

lam/templates/pdfedit/pdfpage.php

@@ -4,7 +4,7 @@ $Id$
 
   This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
   Copyright (C) 2003 - 2006  Michael Duergner
-                2007 - 2013  Roland Gruber
+                2007 - 2014  Roland Gruber
 
   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -69,7 +69,7 @@ if(isset($_POST['type'])) {
 	}
 }
 
-if (isAccountTypeHidden($_GET['type'])) {
+if (isAccountTypeHidden($_GET['type']) || !checkIfWriteAccessIsAllowed($_GET['type'])) {
 	logNewMessage(LOG_ERR, 'User tried to access hidden PDF structure: ' . $_GET['type']);
 	die();
 }

lam/templates/profedit/profilemain.php

@@ -3,7 +3,7 @@
 $Id$
 
   This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
-  Copyright (C) 2003 - 2012  Roland Gruber
+  Copyright (C) 2003 - 2014  Roland Gruber
 
   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -51,7 +51,7 @@ $types = $_SESSION['config']->get_ActiveTypes();
 $profileClasses = array();
 $profileClassesTemp = array();
 for ($i = 0; $i < sizeof($types); $i++) {
-	if (isAccountTypeHidden($types[$i])) {
+	if (isAccountTypeHidden($types[$i]) || !checkIfWriteAccessIsAllowed($types[$i])) {
 		continue;
 	}
 	$profileClassesTemp[getTypeAlias($types[$i])] = array(
@@ -152,20 +152,22 @@ if (isset($_GET['savedSuccessfully'])) {
 }
 
 // new profile
-$container->addElement(new htmlSubTitle(_('Create a new profile')), true);
+if (!empty($profileClasses)) {
-$sortedTypes = array();
+	$container->addElement(new htmlSubTitle(_('Create a new profile')), true);
-for ($i = 0; $i < sizeof($profileClasses); $i++) {
+	$sortedTypes = array();
-	$sortedTypes[$profileClasses[$i]['title']] = $profileClasses[$i]['scope'];
+	for ($i = 0; $i < sizeof($profileClasses); $i++) {
+		$sortedTypes[$profileClasses[$i]['title']] = $profileClasses[$i]['scope'];
+	}
+	natcasesort($sortedTypes);
+	$newContainer = new htmlTable();
+	$newProfileSelect = new htmlSelect('createProfile', $sortedTypes);
+	$newProfileSelect->setHasDescriptiveElements(true);
+	$newProfileSelect->setWidth('15em');
+	$newContainer->addElement($newProfileSelect);
+	$newContainer->addElement(new htmlSpacer('10px', null));
+	$newContainer->addElement(new htmlButton('createProfileButton', _('Create')), true);
+	$container->addElement($newContainer, true);
 }
-natcasesort($sortedTypes);
-$newContainer = new htmlTable();
-$newProfileSelect = new htmlSelect('createProfile', $sortedTypes);
-$newProfileSelect->setHasDescriptiveElements(true);
-$newProfileSelect->setWidth('15em');
-$newContainer->addElement($newProfileSelect);
-$newContainer->addElement(new htmlSpacer('10px', null));
-$newContainer->addElement(new htmlButton('createProfileButton', _('Create')), true);
-$container->addElement($newContainer, true);
 
 $container->addElement(new htmlSpacer(null, '10px'), true);
 

lam/templates/profedit/profilepage.php

@@ -3,7 +3,7 @@
 $Id$
 
   This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
-  Copyright (C) 2003 - 2012  Roland Gruber
+  Copyright (C) 2003 - 2014  Roland Gruber
 
   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -61,7 +61,7 @@ if (!$_SESSION['ldap'] || !$_SESSION['ldap']->server()) {
 if (isset($_POST['profname'])) $_GET['edit'] = $_POST['profname'];
 if (isset($_POST['accounttype'])) $_GET['type'] = $_POST['accounttype'];
 
-if (isAccountTypeHidden($_GET['type'])) {
+if (isAccountTypeHidden($_GET['type']) || !checkIfWriteAccessIsAllowed($_GET['type'])) {
 	logNewMessage(LOG_ERR, 'User tried to access hidden account type profile: ' . $_GET['type']);
 	die();
 }