aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorplegall <plg@piwigo.org>2014-07-25 09:10:49 +0000
committerplegall <plg@piwigo.org>2014-07-25 09:10:49 +0000
commitbf58209d7dd6cc0f53c2c4b34115dfec9574cfb8 (patch)
tree4b66991e0ff85300f21e565ea27e80f8d183e9f6
parent30fa11fb9aca3988ca9339dc54902a10eb1254ec (diff)
bug 3104: less rights for admins (compared to webmaster). Now an admin can't:
* delete a webmaster * give webmaster/admin status to any user * change status of a webmaster/admin git-svn-id: http://piwigo.org/svn/trunk@29074 68402e56-0260-453c-a942-63ccdbb3a9ee
Diffstat (limited to '')
-rw-r--r--admin/themes/default/template/user_list.tpl12
-rw-r--r--admin/user_list.php29
-rw-r--r--include/ws_functions/pwg.users.php66
3 files changed, 77 insertions, 30 deletions
diff --git a/admin/themes/default/template/user_list.tpl b/admin/themes/default/template/user_list.tpl
index 2c41cc1a4..66de20e31 100644
--- a/admin/themes/default/template/user_list.tpl
+++ b/admin/themes/default/template/user_list.tpl
@@ -34,6 +34,12 @@ var truefalse = {
'true':"{'Yes'|translate}",
'false':"{'No'|translate}",
};
+
+var statusLabels = {
+{foreach from=$label_of_status key=status item=label}
+ '{$status}' : '{$label|escape:javascript}',
+{/foreach}
+};
{/footer_script}
{footer_script}{literal}
@@ -260,11 +266,7 @@ jQuery(document).ready(function() {
user.email = user.email || '';
- jQuery("#action select[name=status] option").each(function() {
- if (user.status == jQuery(this).val()) {
- user.statusLabel = jQuery(this).html();
- }
- });
+ user.statusLabel = statusLabels[user.status];
/* Render the underscore template */
_.templateSettings.variable = "user";
diff --git a/admin/user_list.php b/admin/user_list.php
index cda20a002..d9f85b6bd 100644
--- a/admin/user_list.php
+++ b/admin/user_list.php
@@ -99,6 +99,18 @@ $protected_users = array(
$conf['webmaster_id'],
);
+// an admin can't delete other admin/webmaster
+if ('admin' == $user['status'])
+{
+ $query = '
+SELECT
+ user_id
+ FROM '.USER_INFOS_TABLE.'
+ WHERE status IN (\'webmaster\', \'admin\')
+;';
+ $protected_users = array_merge($protected_users, query2array($query, null, 'user_id'));
+}
+
$template->assign(
array(
'PWG_TOKEN' => get_pwg_token(),
@@ -117,12 +129,19 @@ $template->assign(
// Status options
foreach (get_enums(USER_INFOS_TABLE, 'status') as $status)
{
- // Only status <= can be assign
- if (is_autorize_status(get_access_type_status($status)))
- {
- $pref_status_options[$status] = l10n('user_status_'.$status);
- }
+ $label_of_status[$status] = l10n('user_status_'.$status);
}
+
+$pref_status_options = $label_of_status;
+
+// a simple "admin" can set/remove statuses webmaster/admin
+if ('admin' == $user['status'])
+{
+ unset($pref_status_options['webmaster']);
+ unset($pref_status_options['admin']);
+}
+
+$template->assign('label_of_status', $label_of_status);
$template->assign('pref_status_options', $pref_status_options);
$template->assign('pref_status_selected', 'normal');
diff --git a/include/ws_functions/pwg.users.php b/include/ws_functions/pwg.users.php
index e007dd111..d0436acb7 100644
--- a/include/ws_functions/pwg.users.php
+++ b/include/ws_functions/pwg.users.php
@@ -325,25 +325,39 @@ function ws_users_delete($params, &$service)
include_once(PHPWG_ROOT_PATH.'admin/include/functions.php');
- // protect some users
- $params['user_id'] = array_diff(
- $params['user_id'],
- array(
- $user['id'],
- $conf['guest_id'],
- $conf['default_user_id'],
- $conf['webmaster_id'],
- )
+ $protected_users = array(
+ $user['id'],
+ $conf['guest_id'],
+ $conf['default_user_id'],
+ $conf['webmaster_id'],
);
+ // an admin can't delete other admin/webmaster
+ if ('admin' == $user['status'])
+ {
+ $query = '
+SELECT
+ user_id
+ FROM '.USER_INFOS_TABLE.'
+ WHERE status IN (\'webmaster\', \'admin\')
+;';
+ $protected_users = array_merge($protected_users, query2array($query, null, 'user_id'));
+ }
+
+ // protect some users
+ $params['user_id'] = array_diff($params['user_id'], $protected_users);
+
+ $counter = 0;
+
foreach ($params['user_id'] as $user_id)
{
delete_user($user_id);
+ $counter++;
}
return l10n_dec(
'%d user deleted', '%d users deleted',
- count($params['user_id'])
+ $counter
);
}
@@ -418,25 +432,37 @@ function ws_users_setInfo($params, &$service)
if (!empty($params['status']))
{
- if ( $params['status'] == 'webmaster' and !is_webmaster() )
+ if (in_array($params['status'], array('webmaster', 'admin')) and !is_webmaster() )
{
- return new PwgError(403, 'Only webmasters can grant "webmaster" status');
+ return new PwgError(403, 'Only webmasters can grant "webmaster/admin" status');
}
+
if ( !in_array($params['status'], array('guest','generic','normal','admin','webmaster')) )
{
return new PwgError(WS_ERR_INVALID_PARAM, 'Invalid status');
}
+ $protected_users = array(
+ $user['id'],
+ $conf['guest_id'],
+ $conf['webmaster_id'],
+ );
+
+ // an admin can't change status of other admin/webmaster
+ if ('admin' == $user['status'])
+ {
+ $query = '
+SELECT
+ user_id
+ FROM '.USER_INFOS_TABLE.'
+ WHERE status IN (\'webmaster\', \'admin\')
+;';
+ $protected_users = array_merge($protected_users, query2array($query, null, 'user_id'));
+ }
+
// status update query is separated from the rest as not applying to the same
// set of users (current, guest and webmaster can't be changed)
- $params['user_id_for_status'] = array_diff(
- $params['user_id'],
- array(
- $user['id'],
- $conf['guest_id'],
- $conf['webmaster_id'],
- )
- );
+ $params['user_id_for_status'] = array_diff($params['user_id'], $protected_users);
$update_status = $params['status'];
}