commit fba79c326f8f4e31bb9a53b4bf10551f65fd5b62
parent 3fe465591ec040fce71fc384f1dd77eb6ea5bb96
Author: Jan Dankert <develop@jandankert.de>
Date: Sat, 6 Mar 2021 02:09:25 +0100
New: Allow permissions for guests only.
Diffstat:
8 files changed, 116 insertions(+), 42 deletions(-)
diff --git a/modules/cms/action/ObjectAction.class.php b/modules/cms/action/ObjectAction.class.php
@@ -14,6 +14,7 @@ use cms\model\Project;
use cms\model\User;
use language\Messages;
use util\ArrayUtils;
+use util\exception\SecurityException;
use util\exception\ValidationException;
use util\Http;
use util\Session;
@@ -70,4 +71,18 @@ class ObjectAction extends BaseAction
return $rootFolder->hasRight(Permission::ACL_PROP);
}
+
+
+ /**
+ * Checks if the current user has sufficient rights.
+ *
+ * If not, an exception is thrown.
+ *
+ * @return bool
+ */
+ protected function checkRight( $permission ) {
+
+ if ( ! $this->baseObject->hasRight($permission ) )
+ throw new SecurityException('User has insufficient permissions ('.$permission.')' );
+ }
}
\ No newline at end of file
diff --git a/modules/cms/action/object/ObjectAclformAction.class.php b/modules/cms/action/object/ObjectAclformAction.class.php
@@ -32,6 +32,8 @@ class ObjectAclformAction extends ObjectAction implements Method {
$this->setTemplateVar('objectid' ,$o->objectid );
$this->setTemplateVar('action' ,$this->request->action);
}
+
+
public function post() {
$permission = new Permission();
@@ -39,17 +41,15 @@ class ObjectAclformAction extends ObjectAction implements Method {
// Nachschauen, ob der Benutzer ueberhaupt berechtigt ist, an
// diesem Objekt die ACLs zu aendern.
- $o = new BaseObject( $permission->objectid );
+ $this->checkRight( Permission::ACL_GRANT );
- if ( !$o->hasRight( Permission::ACL_GRANT ) )
- throw new \util\exception\SecurityException('Not allowed to insert permissions.'); // Scheiss Hacker ;)
-
// Handelt es sich um eine Benutzer- oder Gruppen ACL?
switch( $this->request->getText('type') )
{
case 'user':
$permission->userid = $this->request->getText('userid' );
-
+ $permission->type = Permission::TYPE_USER;
+
if ( $permission->userid <= 0 )
{
$this->addValidationError('type' );
@@ -59,6 +59,7 @@ class ObjectAclformAction extends ObjectAction implements Method {
break;
case 'group':
$permission->groupid = $this->request->getText('groupid');
+ $permission->type = Permission::TYPE_GROUP;
if ( $permission->groupid <= 0 )
{
$this->addValidationError('type' );
@@ -67,6 +68,10 @@ class ObjectAclformAction extends ObjectAction implements Method {
}
break;
case 'all':
+ $permission->type = Permission::TYPE_AUTH;
+ break;
+ case 'guest':
+ $permission->type = Permission::TYPE_GUEST;
break;
default:
$this->addValidationError('type');
@@ -114,6 +119,6 @@ class ObjectAclformAction extends ObjectAction implements Method {
$this->addNoticeFor( $this->baseObject,Messages::ADDED);
- $o->setTimestamp();
+ $this->baseObject->setTimestamp();
}
}
diff --git a/modules/cms/model/BaseObject.class.php b/modules/cms/model/BaseObject.class.php
@@ -280,12 +280,12 @@ class BaseObject extends ModelBase
$sql = Db::sql( <<<SQL
SELECT {{acl}}.* FROM {{acl}}
WHERE objectid={objectid}
- AND {{acl}}.userid IS NULL
- AND {{acl}}.groupid IS NULL
+ AND {{acl}}.type = {guest}
SQL
);
- $sql->setInt ( 'objectid' ,$this->objectid );
+ $sql->setInt ( 'objectid' ,$this->objectid );
+ $sql->setInt ( 'guest' ,Permission::TYPE_GUEST );
foreach($sql->getAll() as $row )
{
@@ -295,38 +295,12 @@ SQL
$this->aclMask |= $permission->getMask();
}
- $guestMask = 0;
- switch( Configuration::Conf()->subset('security')->get('guest-access','read') )
- {
- case 'read':
- case 'readonly':
- $guestMask = Permission::ACL_READ;
- break;
- case 'write':
- $guestMask = Permission::ACL_READ + Permission::ACL_WRITE;
- break;
- default:
- // nothing allowed for guests.
- }
-
- $this->aclMask = $guestMask && $this->aclMask;
}
elseif ( $user->isAdmin )
{
// Administratoren erhalten eine Maske mit allen Rechten
- $this->aclMask = Permission::ACL_READ +
- Permission::ACL_WRITE +
- Permission::ACL_PROP +
- Permission::ACL_DELETE +
- Permission::ACL_RELEASE +
- Permission::ACL_PUBLISH +
- Permission::ACL_CREATE_FOLDER +
- Permission::ACL_CREATE_FILE +
- Permission::ACL_CREATE_LINK +
- Permission::ACL_CREATE_PAGE +
- Permission::ACL_GRANT +
- Permission::ACL_TRANSMIT;
+ $this->aclMask = Permission::ACL_ALL;
}
else
{
@@ -357,7 +331,8 @@ SQL
}
if ( Startup::readonly() )
- // System ist im Nur-Lese-Zustand
+ // System is readonly.
+ // The maximum permission is readonly.
$this->aclMask = Permission::ACL_READ && $this->aclMask;
// Ermittelte Maske auswerten
diff --git a/modules/cms/model/Permission.class.php b/modules/cms/model/Permission.class.php
@@ -53,12 +53,26 @@ class Permission extends ModelBase
const ACL_GRANT = 1024;
const ACL_TRANSMIT = 2048;
+ const ACL_ALL = 4095;
+
+ const TYPE_USER = 1;
+ const TYPE_GROUP = 2;
+ const TYPE_AUTH = 3;
+ const TYPE_GUEST = 4;
+
/**
* eindeutige ID dieser ACL
* @type Integer
*/
public $aclid;
+
+ /**
+ * one of the TYPE_* constants
+ * @var int
+ */
+ public $type;
+
/**
* ID des Objektes, f?r das diese Berechtigung gilt
* @type Integer
@@ -250,7 +264,8 @@ class Permission extends ModelBase
*/
public function setDatabaseRow( $row )
{
- $this->aclid = $row['id'];
+ $this->aclid = $row['id' ];
+ $this->type = $row['type'];
$this->write = ( $row['is_write' ] == '1' );
$this->prop = ( $row['is_prop' ] == '1' );
@@ -471,13 +486,14 @@ SQL
$stmt = Db::sql( <<<SQL
INSERT INTO {{acl}}
- (id,userid,groupid,objectid,is_write,is_prop,is_create_folder,is_create_file,is_create_link,is_create_page,is_delete,is_release,is_publish,is_grant,is_transmit,languageid)
- VALUES( {aclid},{userid},{groupid},{objectid},{write},{prop},{create_folder},{create_file},{create_link},{create_page},{delete},{release},{publish},{grant},{transmit},{languageid} )
+ (id,type,userid,groupid,objectid,is_write,is_prop,is_create_folder,is_create_file,is_create_link,is_create_page,is_delete,is_release,is_publish,is_grant,is_transmit,languageid)
+ VALUES( {aclid},{type},{userid},{groupid},{objectid},{write},{prop},{create_folder},{create_file},{create_link},{create_page},{delete},{release},{publish},{grant},{transmit},{languageid} )
SQL
);
$stmt->setInt('aclid' ,$this->aclid );
-
+ $stmt->setInt('type' ,$this->type );
+
if ( intval($this->userid) == 0 )
$stmt->setNull('userid');
else
diff --git a/modules/cms/ui/themes/default/html/views/object/aclform.php b/modules/cms/ui/themes/default/html/views/object/aclform.php
@@ -17,6 +17,15 @@
<h3 class="<?php echo O::escapeHtml('or-fieldset-label') ?>"><?php echo O::escapeHtml('') ?></h3>
<div class="<?php echo O::escapeHtml('or-fieldset-value') ?>"><?php echo O::escapeHtml('') ?>
<label><?php echo O::escapeHtml('') ?>
+ <input type="<?php echo O::escapeHtml('radio') ?>" name="<?php echo O::escapeHtml('type') ?>" value="<?php echo O::escapeHtml('guest') ?>" <?php if(@$type=='guest'){ ?>checked="<?php echo O::escapeHtml('checked') ?>"<?php } ?> class="<?php echo O::escapeHtml('or-form-radio') ?>" /><?php echo O::escapeHtml('') ?>
+ <span class="<?php echo O::escapeHtml('or-form-label') ?>"><?php echo O::escapeHtml(''.@O::lang('GUEST').'') ?></span>
+ </label>
+ </div>
+ </section>
+ <section class="<?php echo O::escapeHtml('or-fieldset') ?>"><?php echo O::escapeHtml('') ?>
+ <h3 class="<?php echo O::escapeHtml('or-fieldset-label') ?>"><?php echo O::escapeHtml('') ?></h3>
+ <div class="<?php echo O::escapeHtml('or-fieldset-value') ?>"><?php echo O::escapeHtml('') ?>
+ <label><?php echo O::escapeHtml('') ?>
<input type="<?php echo O::escapeHtml('radio') ?>" name="<?php echo O::escapeHtml('type') ?>" value="<?php echo O::escapeHtml('all') ?>" <?php if(@$type=='all'){ ?>checked="<?php echo O::escapeHtml('checked') ?>"<?php } ?> class="<?php echo O::escapeHtml('or-form-radio') ?>" /><?php echo O::escapeHtml('') ?>
<span class="<?php echo O::escapeHtml('or-form-label') ?>"><?php echo O::escapeHtml(''.@O::lang('ALL').'') ?></span>
</label>
diff --git a/modules/cms/ui/themes/default/html/views/object/aclform.tpl.src.xml b/modules/cms/ui/themes/default/html/views/object/aclform.tpl.src.xml
@@ -3,6 +3,10 @@
<form>
<group title="${message:users}">
<fieldset class="line" label="">
+ <radio name="type" value="guest" label="${message:GUEST}"/>
+ </fieldset>
+
+ <fieldset class="line" label="">
<radio name="type" value="all" label="${message:ALL}"/>
</fieldset>
diff --git a/modules/cms/update/Update.class.php b/modules/cms/update/Update.class.php
@@ -12,7 +12,7 @@ use logger\Logger;
class Update
{
// This is the required DB version:
- const SUPPORTED_VERSION = 26;
+ const SUPPORTED_VERSION = 27;
// -----------------------^^-----------------------------
const STATUS_UPDATE_PROGRESS = 0;
diff --git a/modules/cms/update/version/DBVersion000027.class.php b/modules/cms/update/version/DBVersion000027.class.php
@@ -0,0 +1,50 @@
+<?php
+
+namespace cms\update\version;
+
+use database\DbVersion;
+use database\Column;
+use security\Password;
+
+/**
+ * The type of a permission is stored in a new column.
+ *
+ * @author dankert
+ *
+ */
+class DBVersion000027 extends DbVersion
+{
+ /**
+ *
+ */
+ public function update()
+ {
+ $table = $this->table('acl');
+ $table->column('type' )->type(Column::TYPE_INT)->size(1)->defaultValue(3)->add();
+
+ // Initial Value: Copy from element.
+ $tableSqlName = $table->getSqlName();
+
+ $updateStmt = $this->getDb()->sql(<<<SQL
+UPDATE $tableSqlName
+ SET type=3;
+SQL
+ );
+ $updateStmt->query();
+
+ $updateStmt = $this->getDb()->sql(<<<SQL
+UPDATE $tableSqlName
+ SET type=2 where groupid is not null;
+SQL
+ );
+ $updateStmt->query();
+
+ $updateStmt = $this->getDb()->sql(<<<SQL
+UPDATE $tableSqlName
+ SET type=1 where userid is not null;
+SQL
+ );
+ $updateStmt->query();
+ }
+}
+