bug 3104: fewer rights for admins (compared to webmaster). Now an admin can't:
* delete a webmaster * give webmaster/admin status to any user * change status of a webmaster/admin git-svn-id: http://piwigo.org/svn/trunk@29074 68402e56-0260-453c-a942-63ccdbb3a9ee
This commit is contained in:
parent
30fa11fb9a
commit
bf58209d7d
3 changed files with 77 additions and 30 deletions
|
@ -34,6 +34,12 @@ var truefalse = {
|
|||
'true':"{'Yes'|translate}",
|
||||
'false':"{'No'|translate}",
|
||||
};
|
||||
|
||||
var statusLabels = {
|
||||
{foreach from=$label_of_status key=status item=label}
|
||||
'{$status}' : '{$label|escape:javascript}',
|
||||
{/foreach}
|
||||
};
|
||||
{/footer_script}
|
||||
|
||||
{footer_script}{literal}
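Review bot: In the added `statusLabels` literal the value is escaped with `|escape:javascript` but the key `'{$status}'` is not. The keys of `$label_of_status` come from `get_enums(USER_INFOS_TABLE, 'status')` (see the user_list.php hunk), so today they are fixed enum names, but escaping the key the same way, `'{$status|escape:javascript}' : '{$label|escape:javascript}',`, keeps the literal well-formed if that set ever includes a quote or backslash.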
|
||||
|
@ -260,11 +266,7 @@ jQuery(document).ready(function() {
|
|||
|
||||
user.email = user.email || '';
|
||||
|
||||
jQuery("#action select[name=status] option").each(function() {
|
||||
if (user.status == jQuery(this).val()) {
|
||||
user.statusLabel = jQuery(this).html();
|
||||
}
|
||||
});
|
||||
user.statusLabel = statusLabels[user.status];
|
||||
|
||||
/* Render the underscore template */
|
||||
_.templateSettings.variable = "user";
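Review bot: `user.statusLabel = statusLabels[user.status];` evaluates to `undefined` for any status missing from `statusLabels`, whereas the line above defaults `user.email` to `''`. Since `statusLabels` is built from `$label_of_status`, which covers every status enum value, this should only matter for unexpected data, but mirroring the email default, `user.statusLabel = statusLabels[user.status] || user.status;`, keeps the rendered row readable in that case. The enclosing function starts and ends outside the hunk.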
|
||||
|
|
|
@ -99,6 +99,18 @@ $protected_users = array(
|
|||
$conf['webmaster_id'],
|
||||
);
|
||||
|
||||
// an admin can't delete other admin/webmaster
|
||||
if ('admin' == $user['status'])
|
||||
{
|
||||
$query = '
|
||||
SELECT
|
||||
user_id
|
||||
FROM '.USER_INFOS_TABLE.'
|
||||
WHERE status IN (\'webmaster\', \'admin\')
|
||||
;';
|
||||
$protected_users = array_merge($protected_users, query2array($query, null, 'user_id'));
|
||||
}
|
||||
|
||||
$template->assign(
|
||||
array(
|
||||
'PWG_TOKEN' => get_pwg_token(),
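Review bot: The new rule is keyed on `if ('admin' == $user['status'])`, so the extra protection applies only to callers whose status is exactly 'admin'; any other status that reaches this code gets the unrestricted webmaster behaviour, whereas `!is_webmaster()` (already used for the grant check in ws_users_setInfo) would fail closed. The same condition and the same `SELECT user_id FROM USER_INFOS_TABLE WHERE status IN ('webmaster','admin')` block are copy-pasted into ws_users_delete and ws_users_setInfo; a small shared helper in admin/include/functions.php (which ws_users_delete already includes) would keep the three protected sets in sync and make the `if (!is_webmaster())` switch a one-place change. This page is presumably reachable only by admin/webmaster accounts, so the practical gap is small, but the fail-closed form costs nothing. The `$protected_users = array(` statement begins before the hunk.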
|
||||
|
@ -117,12 +129,19 @@ $template->assign(
|
|||
// Status options
|
||||
foreach (get_enums(USER_INFOS_TABLE, 'status') as $status)
|
||||
{
|
||||
// Only status <= can be assign
|
||||
if (is_autorize_status(get_access_type_status($status)))
|
||||
{
|
||||
$pref_status_options[$status] = l10n('user_status_'.$status);
|
||||
}
|
||||
$label_of_status[$status] = l10n('user_status_'.$status);
|
||||
}
|
||||
|
||||
$pref_status_options = $label_of_status;
|
||||
|
||||
// a simple "admin" can set/remove statuses webmaster/admin
|
||||
if ('admin' == $user['status'])
|
||||
{
|
||||
unset($pref_status_options['webmaster']);
|
||||
unset($pref_status_options['admin']);
|
||||
}
|
||||
|
||||
$template->assign('label_of_status', $label_of_status);
|
||||
$template->assign('pref_status_options', $pref_status_options);
|
||||
$template->assign('pref_status_selected', 'normal');
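Review bot: The comment `// a simple "admin" can set/remove statuses webmaster/admin` says the opposite of the two `unset()` calls beneath it; it should read `// a simple "admin" can't set/remove statuses webmaster/admin`. With the `is_autorize_status()` filter removed, the loop now only builds labels for every status, so the older note "Only status <= can be assign", if it survives as context, no longer describes what follows and should go or move to the admin-specific block. This trimming only affects the options offered in the UI; the server-side refusal lives in ws_users_setInfo, and the two lists (webmaster/admin here, webmaster/admin there) need to stay aligned.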
|
||||
|
||||
|
|
|
@ -325,25 +325,39 @@ function ws_users_delete($params, &$service)
|
|||
|
||||
include_once(PHPWG_ROOT_PATH.'admin/include/functions.php');
|
||||
|
||||
// protect some users
|
||||
$params['user_id'] = array_diff(
|
||||
$params['user_id'],
|
||||
array(
|
||||
$user['id'],
|
||||
$conf['guest_id'],
|
||||
$conf['default_user_id'],
|
||||
$conf['webmaster_id'],
|
||||
)
|
||||
$protected_users = array(
|
||||
$user['id'],
|
||||
$conf['guest_id'],
|
||||
$conf['default_user_id'],
|
||||
$conf['webmaster_id'],
|
||||
);
|
||||
|
||||
// an admin can't delete other admin/webmaster
|
||||
if ('admin' == $user['status'])
|
||||
{
|
||||
$query = '
|
||||
SELECT
|
||||
user_id
|
||||
FROM '.USER_INFOS_TABLE.'
|
||||
WHERE status IN (\'webmaster\', \'admin\')
|
||||
;';
|
||||
$protected_users = array_merge($protected_users, query2array($query, null, 'user_id'));
|
||||
}
|
||||
|
||||
// protect some users
|
||||
$params['user_id'] = array_diff($params['user_id'], $protected_users);
|
||||
|
||||
$counter = 0;
|
||||
|
||||
foreach ($params['user_id'] as $user_id)
|
||||
{
|
||||
delete_user($user_id);
|
||||
$counter++;
|
||||
}
|
||||
|
||||
return l10n_dec(
|
||||
'%d user deleted', '%d users deleted',
|
||||
count($params['user_id'])
|
||||
$counter
|
||||
);
|
||||
}
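Review bot: Protected ids are dropped silently by `$params['user_id'] = array_diff($params['user_id'], $protected_users);`, and with the new admin rule that dropped set is larger, so an admin asking to delete another admin simply receives "0 users deleted" with no indication the request was refused. Recording `count($params['user_id'])` before the `array_diff` and either returning a `PwgError(403, ...)` when it shrank or appending the skipped count to the message would make the refusal visible to API clients. Note also that `$counter` always equals `count($params['user_id'])` after the `array_diff`, so swapping it into the `l10n_dec` call does not change the reported number.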
|
||||
|
||||
|
@ -418,25 +432,37 @@ function ws_users_setInfo($params, &$service)
|
|||
|
||||
if (!empty($params['status']))
|
||||
{
|
||||
if ( $params['status'] == 'webmaster' and !is_webmaster() )
|
||||
if (in_array($params['status'], array('webmaster', 'admin')) and !is_webmaster() )
|
||||
{
|
||||
return new PwgError(403, 'Only webmasters can grant "webmaster" status');
|
||||
return new PwgError(403, 'Only webmasters can grant "webmaster/admin" status');
|
||||
}
|
||||
|
||||
if ( !in_array($params['status'], array('guest','generic','normal','admin','webmaster')) )
|
||||
{
|
||||
return new PwgError(WS_ERR_INVALID_PARAM, 'Invalid status');
|
||||
}
|
||||
|
||||
$protected_users = array(
|
||||
$user['id'],
|
||||
$conf['guest_id'],
|
||||
$conf['webmaster_id'],
|
||||
);
|
||||
|
||||
// an admin can't change status of other admin/webmaster
|
||||
if ('admin' == $user['status'])
|
||||
{
|
||||
$query = '
|
||||
SELECT
|
||||
user_id
|
||||
FROM '.USER_INFOS_TABLE.'
|
||||
WHERE status IN (\'webmaster\', \'admin\')
|
||||
;';
|
||||
$protected_users = array_merge($protected_users, query2array($query, null, 'user_id'));
|
||||
}
|
||||
|
||||
// status update query is separated from the rest as not applying to the same
|
||||
// set of users (current, guest and webmaster can't be changed)
|
||||
$params['user_id_for_status'] = array_diff(
|
||||
$params['user_id'],
|
||||
array(
|
||||
$user['id'],
|
||||
$conf['guest_id'],
|
||||
$conf['webmaster_id'],
|
||||
)
|
||||
);
|
||||
$params['user_id_for_status'] = array_diff($params['user_id'], $protected_users);
|
||||
|
||||
$update_status = $params['status'];
|
||||
}
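Review bot: The retained comment `// set of users (current, guest and webmaster can't be changed)` is now incomplete, because for an admin caller the `$protected_users` merge also excludes every webmaster/admin account; suggest `// set of users (current, guest, webmaster and, for an admin caller, all admins/webmasters can't be changed)`. The new grant check `in_array($params['status'], array('webmaster', 'admin'))` is fine for a string parameter but the conventional strict form is `in_array($params['status'], array('webmaster', 'admin'), true)`. Only the status update is scoped by `user_id_for_status`; if an admin is meant to remain able to edit the other fields of protected accounts, a sentence saying so in that comment would save the next reader from wondering. The enclosing function continues outside the hunk.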
|
||||
|
|