From bf58209d7dd6cc0f53c2c4b34115dfec9574cfb8 Mon Sep 17 00:00:00 2001
From: plegall
Date: Fri, 25 Jul 2014 09:10:49 +0000
Subject: bug 3104: less rights for admins (compared to webmaster).
Now an admin can't:
* delete a webmaster
* give webmaster/admin status to any user
* change status of a webmaster/admin
git-svn-id: http://piwigo.org/svn/trunk@29074 68402e56-0260-453c-a942-63ccdbb3a9ee
---
 admin/themes/default/template/user_list.tpl | 12 +++---
 admin/user_list.php | 29 ++++++++++---
 include/ws_functions/pwg.users.php | 66 ++++++++++++++++++++---------
 3 files changed, 77 insertions(+), 30 deletions(-)

diff --git a/admin/themes/default/template/user_list.tpl b/admin/themes/default/template/user_list.tpl
index 2c41cc1a4..66de20e31 100644
--- a/admin/themes/default/template/user_list.tpl
+++ b/admin/themes/default/template/user_list.tpl
@@ -34,6 +34,12 @@ var truefalse = {
 'true':"{'Yes'|translate}",
 'false':"{'No'|translate}",
 };
+
+var statusLabels = {
+{foreach from=$label_of_status key=status item=label}
+ '{$status}' : '{$label|escape:javascript}',
+{/foreach}
+};
 {/footer_script}
 {footer_script}{literal}
@@ -260,11 +266,7 @@ jQuery(document).ready(function() {
 user.email = user.email || '';
- jQuery("#action select[name=status] option").each(function() {
- if (user.status == jQuery(this).val()) {
- user.statusLabel = jQuery(this).html();
- }
- });
+ user.statusLabel = statusLabels[user.status];
 /* Render the underscore template */
 _.templateSettings.variable = "user";
diff --git a/admin/user_list.php b/admin/user_list.php
index cda20a002..d9f85b6bd 100644
--- a/admin/user_list.php
+++ b/admin/user_list.php
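Review bot: In the added `statusLabels` literal the label value goes through `escape:javascript` but the key `'{$status}'` is emitted raw; the statuses come from the DB enum via `get_enums()` so they are safe names today, but escaping the key the same way costs nothing and keeps the literal valid if a status name ever contains a quote: `'{$status|escape:javascript}' : '{$label|escape:javascript}',`. The trailing comma after the last generated entry is fine in current browsers but is worth knowing about, as the existing `truefalse` literal right above has the same shape.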
@@ -99,6 +99,18 @@ $protected_users = array(
 $conf['webmaster_id'],
 );
+// an admin can't delete other admin/webmaster
+if ('admin' == $user['status'])
+{
+ $query = '
+SELECT
+ user_id
+ FROM '.USER_INFOS_TABLE.'
+ WHERE status IN (\'webmaster\', \'admin\')
+;';
+ $protected_users = array_merge($protected_users, query2array($query, null, 'user_id'));
+}
+
 $template->assign(
 array(
 'PWG_TOKEN' => get_pwg_token(),
@@ -117,12 +129,19 @@ $template->assign(
 // Status options
 foreach (get_enums(USER_INFOS_TABLE, 'status') as $status)
 {
- // Only status <= can be assign
- if (is_autorize_status(get_access_type_status($status)))
- {
- $pref_status_options[$status] = l10n('user_status_'.$status);
- }
+ $label_of_status[$status] = l10n('user_status_'.$status);
 }
+
+$pref_status_options = $label_of_status;
+
+// a simple "admin" can set/remove statuses webmaster/admin
+if ('admin' == $user['status'])
+{
+ unset($pref_status_options['webmaster']);
+ unset($pref_status_options['admin']);
+}
+
+$template->assign('label_of_status', $label_of_status);
 $template->assign('pref_status_options', $pref_status_options);
 $template->assign('pref_status_selected', 'normal');
diff --git a/include/ws_functions/pwg.users.php b/include/ws_functions/pwg.users.php
index e007dd111..d0436acb7 100644
--- a/include/ws_functions/pwg.users.php
+++ b/include/ws_functions/pwg.users.php
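Review bot: The query that collects the webmaster/admin ids is now written out three times — here, in `ws_users_delete` and in `ws_users_setInfo` — and every copy must stay identical for the restriction to hold everywhere; a single helper in admin/include/functions.php (e.g. `get_protected_user_ids()` returning the merged list) would let this page and both web-service methods share one definition. On this page `$protected_users` presumably only drives what the template offers; the enforcement that matters is the copy in the `pwg.users` web-service methods, which is one more reason not to let the lists drift apart. The `'admin' == $user['status']` test also assumes only admin and webmaster can reach this script, which the hunk does not show.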
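Review bot: The comment above the `unset` calls says the opposite of what the code does; it should read `// a simple "admin" can't set/remove statuses webmaster/admin`. `$label_of_status` is also first assigned inside the `foreach`, so if `get_enums()` returns nothing the following `$pref_status_options = $label_of_status;` reads an undefined variable; initialising `$label_of_status = array();` before the loop avoids that. The removed `is_autorize_status()` check derived the allowed statuses from the caller's own level, whereas the new code hard-codes the two names to hide for 'admin' only, so any future status added to the enum will be offered to admins unless this list is updated.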
@@ -325,25 +325,39 @@ function ws_users_delete($params, &$service)
 include_once(PHPWG_ROOT_PATH.'admin/include/functions.php');
- // protect some users
- $params['user_id'] = array_diff(
- $params['user_id'],
- array(
- $user['id'],
- $conf['guest_id'],
- $conf['default_user_id'],
- $conf['webmaster_id'],
- )
+ $protected_users = array(
+ $user['id'],
+ $conf['guest_id'],
+ $conf['default_user_id'],
+ $conf['webmaster_id'],
 );
+ // an admin can't delete other admin/webmaster
+ if ('admin' == $user['status'])
+ {
+ $query = '
+SELECT
+ user_id
+ FROM '.USER_INFOS_TABLE.'
+ WHERE status IN (\'webmaster\', \'admin\')
+;';
+ $protected_users = array_merge($protected_users, query2array($query, null, 'user_id'));
+ }
+
+ // protect some users
+ $params['user_id'] = array_diff($params['user_id'], $protected_users);
+
+ $counter = 0;
+
 foreach ($params['user_id'] as $user_id)
 {
 delete_user($user_id);
+ $counter++;
 }
 return l10n_dec(
 '%d user deleted', '%d users deleted',
- count($params['user_id'])
+ $counter
 );
 }
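Review bot: Protected ids are silently dropped from `$params['user_id']` before the loop, so a caller that asks to delete a webmaster gets back `'%d users deleted'` with a smaller count and no indication that part of the request was refused; for an access-control decision the refusal should be explicit, e.g. `$refused = array_intersect($params['user_id'], $protected_users);` followed by `return new PwgError(403, ...)` (or listing the skipped ids in the response) when it is non-empty, which also leaves something to audit. The `$counter` that replaces `count($params['user_id'])` yields the same value because nothing is removed inside the loop, so that part is a style change only. The webmaster/admin query is the same one added in `admin/user_list.php` and `ws_users_setInfo` and should live in one shared helper. The start of `ws_users_delete` is outside the hunk.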
@@ -418,25 +432,37 @@ function ws_users_setInfo($params, &$service)
 if (!empty($params['status']))
 {
- if ( $params['status'] == 'webmaster' and !is_webmaster() )
+ if (in_array($params['status'], array('webmaster', 'admin')) and !is_webmaster() )
 {
- return new PwgError(403, 'Only webmasters can grant "webmaster" status');
+ return new PwgError(403, 'Only webmasters can grant "webmaster/admin" status');
 }
+
 if ( !in_array($params['status'], array('guest','generic','normal','admin','webmaster')) )
 {
 return new PwgError(WS_ERR_INVALID_PARAM, 'Invalid status');
 }
+ $protected_users = array(
+ $user['id'],
+ $conf['guest_id'],
+ $conf['webmaster_id'],
+ );
+
+ // an admin can't change status of other admin/webmaster
+ if ('admin' == $user['status'])
+ {
+ $query = '
+SELECT
+ user_id
+ FROM '.USER_INFOS_TABLE.'
+ WHERE status IN (\'webmaster\', \'admin\')
+;';
+ $protected_users = array_merge($protected_users, query2array($query, null, 'user_id'));
+ }
+
 // status update query is separated from the rest as not applying to the same
 // set of users (current, guest and webmaster can't be changed)
- $params['user_id_for_status'] = array_diff(
- $params['user_id'],
- array(
- $user['id'],
- $conf['guest_id'],
- $conf['webmaster_id'],
- )
- );
+ $params['user_id_for_status'] = array_diff($params['user_id'], $protected_users);
 $update_status = $params['status'];
 }
--
cgit v1.2.3
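Review bot: Only the status update is restricted to `$params['user_id_for_status']`; the comment right above says the other updates still apply to the unfiltered `$params['user_id']`, so if those cover fields such as password or email (not visible here) an 'admin' can still modify the credentials of a webmaster or another admin even though it can no longer change their status, which defeats the purpose of the commit — the rest of `ws_users_setInfo`, outside the hunk, should be checked for this and `$protected_users` applied to the whole update (or a `PwgError(403, ...)` returned when the intersection is non-empty). The comment `// set of users (current, guest and webmaster can't be changed)` is now stale and should also mention that for an admin every other admin/webmaster is protected. Both `in_array()` calls should pass `true` as the third argument so that a non-string `status` value is not loosely matched against the status names.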