
commit fba79c326f8f4e31bb9a53b4bf10551f65fd5b62
parent 3fe465591ec040fce71fc384f1dd77eb6ea5bb96
Author: Jan Dankert <develop@jandankert.de>
Date:   Sat,  6 Mar 2021 02:09:25 +0100

New: Allow permissions for guests only.

Diffstat:
Mmodules/cms/action/ObjectAction.class.php | 15+++++++++++++++
Mmodules/cms/action/object/ObjectAclformAction.class.php | 17+++++++++++------
Mmodules/cms/model/BaseObject.class.php | 37++++++-------------------------------
Mmodules/cms/model/Permission.class.php | 24++++++++++++++++++++----
Mmodules/cms/ui/themes/default/html/views/object/aclform.php | 9+++++++++
Mmodules/cms/ui/themes/default/html/views/object/aclform.tpl.src.xml | 4++++
Mmodules/cms/update/Update.class.php | 2+-
Amodules/cms/update/version/DBVersion000027.class.php | 50++++++++++++++++++++++++++++++++++++++++++++++++++
8 files changed, 116 insertions(+), 42 deletions(-)

diff --git a/modules/cms/action/ObjectAction.class.php b/modules/cms/action/ObjectAction.class.php
@@ -14,6 +14,7 @@ use cms\model\Project;
 use cms\model\User;
 use language\Messages;
 use util\ArrayUtils;
+use util\exception\SecurityException;
 use util\exception\ValidationException;
 use util\Http;
 use util\Session;
@@ -70,4 +71,18 @@ class ObjectAction extends BaseAction
         return $rootFolder->hasRight(Permission::ACL_PROP);
     }
+
+
+    /**
+     * Checks if the current user has sufficient rights.
+     *
+     * If not, an exception is thrown.
+     *
+     * @return bool
+     */
+    protected function checkRight( $permission ) {
+
+        if ( ! $this->baseObject->hasRight($permission ) )
+            throw new SecurityException('User has insufficient permissions ('.$permission.')' );
+    }
 }
\ No newline at end of file
diff --git a/modules/cms/action/object/ObjectAclformAction.class.php b/modules/cms/action/object/ObjectAclformAction.class.php
@@ -32,6 +32,8 @@ class ObjectAclformAction extends ObjectAction implements Method {
         $this->setTemplateVar('objectid' ,$o->objectid );
         $this->setTemplateVar('action' ,$this->request->action);
     }
+
+
     public function post() {
         $permission = new Permission();
@@ -39,17 +41,15 @@ class ObjectAclformAction extends ObjectAction implements Method {
         // Nachschauen, ob der Benutzer ueberhaupt berechtigt ist, an
         // diesem Objekt die ACLs zu aendern.
-        $o = new BaseObject( $permission->objectid );
+        $this->checkRight( Permission::ACL_GRANT );
-        if ( !$o->hasRight( Permission::ACL_GRANT ) )
-            throw new \util\exception\SecurityException('Not allowed to insert permissions.'); // Scheiss Hacker ;)
-        // Handelt es sich um eine Benutzer- oder Gruppen ACL?
         switch( $this->request->getText('type') )
         {
             case 'user':
                 $permission->userid = $this->request->getText('userid' );
-
+                $permission->type = Permission::TYPE_USER;
+
                 if ( $permission->userid <= 0 )
                 {
                     $this->addValidationError('type' );
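Review bot: The new `checkRight()` in ObjectAction is documented with `@return bool` but never returns a value; it either throws `SecurityException` or falls through with `null`, so a caller that writes `if ( ! $this->checkRight(...) )` would treat the granted case as a failure and the docblock actively invites that mistake. Replace the tag with `@param int $permission one of the Permission::ACL_* bits`, `@return void` and `@throws SecurityException if the current user lacks the permission on $this->baseObject`, and declare the method `: void` if the project's PHP baseline allows return types, so the engine enforces the contract. The method relies on `$this->baseObject` being populated before it is called; where that happens is outside this hunk, and a short comment on the method saying so would help the next caller.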
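Review bot: `$this->checkRight( Permission::ACL_GRANT )` authorizes against `$this->baseObject`, whereas the removed lines checked the object named by `$permission->objectid`; the assignment of `$permission->objectid` is outside this hunk, so if it is taken from the request rather than from `$this->baseObject`, the ACL row can be written to an object other than the one the grant right was verified on. If the two are meant to be the same object, one line right after the check makes that explicit and keeps it from regressing: `$permission->objectid = $this->baseObject->objectid;`. The removed German comment was the only explanation of why the check sits here; the new line deserves an English one such as `// Only users holding the grant right on this object may add ACL entries to it.`. The `post()` method continues past the end of the hunk.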
@@ -59,6 +59,7 @@ class ObjectAclformAction extends ObjectAction implements Method {
                 break;
             case 'group':
                 $permission->groupid = $this->request->getText('groupid');
+                $permission->type = Permission::TYPE_GROUP;
                 if ( $permission->groupid <= 0 )
                 {
                     $this->addValidationError('type' );
@@ -67,6 +68,10 @@ class ObjectAclformAction extends ObjectAction implements Method {
                 }
                 break;
             case 'all':
+                $permission->type = Permission::TYPE_AUTH;
+                break;
+            case 'guest':
+                $permission->type = Permission::TYPE_GUEST;
                 break;
             default:
                 $this->addValidationError('type');
@@ -114,6 +119,6 @@ class ObjectAclformAction extends ObjectAction implements Method {
         $this->addNoticeFor( $this->baseObject,Messages::ADDED);
-        $o->setTimestamp();
+        $this->baseObject->setTimestamp();
     }
 }
diff --git a/modules/cms/model/BaseObject.class.php b/modules/cms/model/BaseObject.class.php
@@ -280,12 +280,12 @@ class BaseObject extends ModelBase
             $sql = Db::sql( <<<SQL
SELECT {{acl}}.* FROM {{acl}} WHERE objectid={objectid}
-  AND {{acl}}.userid IS NULL
-  AND {{acl}}.groupid IS NULL
+  AND {{acl}}.type = {guest}
SQL
             );
-            $sql->setInt ( 'objectid' ,$this->objectid );
+            $sql->setInt ( 'objectid' ,$this->objectid );
+            $sql->setInt ( 'guest' ,Permission::TYPE_GUEST );
             foreach($sql->getAll() as $row )
             {
@@ -295,38 +295,12 @@ SQL
                 $this->aclMask |= $permission->getMask();
             }
-            $guestMask = 0;
-            switch( Configuration::Conf()->subset('security')->get('guest-access','read') )
-            {
-                case 'read':
-                case 'readonly':
-                    $guestMask = Permission::ACL_READ;
-                    break;
-                case 'write':
-                    $guestMask = Permission::ACL_READ + Permission::ACL_WRITE;
-                    break;
-                default:
-                    // nothing allowed for guests.
-            }
-
-            $this->aclMask = $guestMask && $this->aclMask;
         }
         elseif ( $user->isAdmin )
         {
             // Administratoren erhalten eine Maske mit allen Rechten
-            $this->aclMask = Permission::ACL_READ +
-                Permission::ACL_WRITE +
-                Permission::ACL_PROP +
-                Permission::ACL_DELETE +
-                Permission::ACL_RELEASE +
-                Permission::ACL_PUBLISH +
-                Permission::ACL_CREATE_FOLDER +
-                Permission::ACL_CREATE_FILE +
-                Permission::ACL_CREATE_LINK +
-                Permission::ACL_CREATE_PAGE +
-                Permission::ACL_GRANT +
-                Permission::ACL_TRANSMIT;
+            $this->aclMask = Permission::ACL_ALL;
         }
         else
         {
@@ -357,7 +331,8 @@ SQL
         }
         if ( Startup::readonly() )
-            // System ist im Nur-Lese-Zustand
+            // System is readonly.
+            // The maximum permission is readonly.
             $this->aclMask = Permission::ACL_READ && $this->aclMask;
         // Ermittelte Maske auswerten
diff --git a/modules/cms/model/Permission.class.php b/modules/cms/model/Permission.class.php
@@ -53,12 +53,26 @@ class Permission extends ModelBase
     const ACL_GRANT = 1024;
     const ACL_TRANSMIT = 2048;
+    const ACL_ALL = 4095;
+
+    const TYPE_USER = 1;
+    const TYPE_GROUP = 2;
+    const TYPE_AUTH = 3;
+    const TYPE_GUEST = 4;
+
+    /**
+     * eindeutige ID dieser ACL
+     * @type Integer
+     */
+    public $aclid;
+
+    /**
+     * one of the TYPE_* constants
+     * @var int
+     */
+    public $type;
+
+    /**
+     * ID des Objektes, f?r das diese Berechtigung gilt
+     * @type Integer
@@ -250,7 +264,8 @@ class Permission extends ModelBase
      */
     public function setDatabaseRow( $row )
     {
-        $this->aclid = $row['id'];
+        $this->aclid = $row['id' ];
+        $this->type = $row['type'];
         $this->write = ( $row['is_write' ] == '1' );
         $this->prop = ( $row['is_prop' ] == '1' );
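Review bot: Removing the `guest-access` switch means the `security.guest-access` configuration key (`read`/`readonly`/`write`/anything else) no longer influences the guest mask at all; after this change a guest receives exactly the union of `TYPE_GUEST` ACL rows and nothing in this method caps it. If the key is still shipped in the default configuration or documentation it should be removed or marked obsolete, otherwise an operator who sets it to lock guests out will believe it still works while per-object guest entries apply. The removed `$guestMask && $this->aclMask` used the logical `&&`, which yields a boolean rather than a bit mask; the same construct survives unchanged on the `Permission::ACL_READ && $this->aclMask` line in the `Startup::readonly()` hunk further down in this file, where the commit rewrites only the comment, and `&` is presumably what is meant there. A comment above the guest `foreach`, such as `// Guests get only what explicit TYPE_GUEST entries grant; no configuration-level cap is applied.`, would record the new contract.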
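Review bot: The four `TYPE_*` constants in Permission are introduced without saying what each one selects; that meaning currently has to be pieced together from the form action, where 'all' maps to `TYPE_AUTH` and 'guest' to `TYPE_GUEST`, and from BaseObject, which resolves guests from `TYPE_GUEST` rows only. A one-line comment per constant keeps the contract next to the values, e.g. `const TYPE_AUTH = 3; // presumably every authenticated user (the form's 'all' choice)` and `const TYPE_GUEST = 4; // anonymous visitors only`. The `@var int` on `$type` could likewise read `@var int one of self::TYPE_*` so readers know the property is an enumeration, not an arbitrary integer.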
@@ -471,13 +486,14 @@ SQL
         $stmt = Db::sql( <<<SQL
INSERT INTO {{acl}}
-    (id,userid,groupid,objectid,is_write,is_prop,is_create_folder,is_create_file,is_create_link,is_create_page,is_delete,is_release,is_publish,is_grant,is_transmit,languageid)
-    VALUES( {aclid},{userid},{groupid},{objectid},{write},{prop},{create_folder},{create_file},{create_link},{create_page},{delete},{release},{publish},{grant},{transmit},{languageid} )
+    (id,type,userid,groupid,objectid,is_write,is_prop,is_create_folder,is_create_file,is_create_link,is_create_page,is_delete,is_release,is_publish,is_grant,is_transmit,languageid)
+    VALUES( {aclid},{type},{userid},{groupid},{objectid},{write},{prop},{create_folder},{create_file},{create_link},{create_page},{delete},{release},{publish},{grant},{transmit},{languageid} )
SQL
         );
         $stmt->setInt('aclid' ,$this->aclid );
-
+        $stmt->setInt('type' ,$this->type );
+
         if ( intval($this->userid) == 0 )
             $stmt->setNull('userid');
         else
diff --git a/modules/cms/ui/themes/default/html/views/object/aclform.php b/modules/cms/ui/themes/default/html/views/object/aclform.php
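Review bot: `$stmt->setInt('type' ,$this->type )` binds whatever `$type` holds, and the property is declared earlier in this file as `public $type;` with no default, so any code path that builds a Permission without assigning a type (the aclform action now sets it in every branch; other callers are not visible here) passes `null` to `setInt`, and the migration's column default of 3 never applies because the column is always listed in the INSERT. What the project's `setInt` does with `null` is not visible here, but an ACL row with an unknown type would match neither the guest lookup nor, presumably, the user/group ones, so the value should be validated before the bind, e.g. `if ( ! in_array(intval($this->type), [self::TYPE_USER, self::TYPE_GROUP, self::TYPE_AUTH, self::TYPE_GUEST], true) ) throw new \InvalidArgumentException('Permission type is not set');` — using `intval` because `setDatabaseRow()` assigns the raw row value, which may be a string. Alternatively initialise the property to `self::TYPE_AUTH` if that is the intended fallback. The enclosing method starts before this hunk.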
@@ -17,6 +17,15 @@
 <h3 class="<?php echo O::escapeHtml('or-fieldset-label') ?>"><?php echo O::escapeHtml('') ?></h3>
 <div class="<?php echo O::escapeHtml('or-fieldset-value') ?>"><?php echo O::escapeHtml('') ?>
 <label><?php echo O::escapeHtml('') ?>
+<input type="<?php echo O::escapeHtml('radio') ?>" name="<?php echo O::escapeHtml('type') ?>" value="<?php echo O::escapeHtml('guest') ?>" <?php if(@$type=='guest'){ ?>checked="<?php echo O::escapeHtml('checked') ?>"<?php } ?> class="<?php echo O::escapeHtml('or-form-radio') ?>" /><?php echo O::escapeHtml('') ?>
+<span class="<?php echo O::escapeHtml('or-form-label') ?>"><?php echo O::escapeHtml(''.@O::lang('GUEST').'') ?></span>
+</label>
+</div>
+</section>
+<section class="<?php echo O::escapeHtml('or-fieldset') ?>"><?php echo O::escapeHtml('') ?>
+<h3 class="<?php echo O::escapeHtml('or-fieldset-label') ?>"><?php echo O::escapeHtml('') ?></h3>
+<div class="<?php echo O::escapeHtml('or-fieldset-value') ?>"><?php echo O::escapeHtml('') ?>
+<label><?php echo O::escapeHtml('') ?>
 <input type="<?php echo O::escapeHtml('radio') ?>" name="<?php echo O::escapeHtml('type') ?>" value="<?php echo O::escapeHtml('all') ?>" <?php if(@$type=='all'){ ?>checked="<?php echo O::escapeHtml('checked') ?>"<?php } ?> class="<?php echo O::escapeHtml('or-form-radio') ?>" /><?php echo O::escapeHtml('') ?>
 <span class="<?php echo O::escapeHtml('or-form-label') ?>"><?php echo O::escapeHtml(''.@O::lang('ALL').'') ?></span>
 </label>
diff --git a/modules/cms/ui/themes/default/html/views/object/aclform.tpl.src.xml b/modules/cms/ui/themes/default/html/views/object/aclform.tpl.src.xml
@@ -3,6 +3,10 @@
 <form>
 <group title="${message:users}">
 <fieldset class="line" label="">
+<radio name="type" value="guest" label="${message:GUEST}"/>
+</fieldset>
+
+<fieldset class="line" label="">
 <radio name="type" value="all" label="${message:ALL}"/>
 </fieldset>
diff --git a/modules/cms/update/Update.class.php b/modules/cms/update/Update.class.php
@@ -12,7 +12,7 @@ use logger\Logger;
 class Update
 {
     // This is the required DB version:
-    const SUPPORTED_VERSION = 26;
+    const SUPPORTED_VERSION = 27;
     // -----------------------^^-----------------------------
     const STATUS_UPDATE_PROGRESS = 0;
diff --git a/modules/cms/update/version/DBVersion000027.class.php b/modules/cms/update/version/DBVersion000027.class.php
@@ -0,0 +1,50 @@
+<?php
+
+namespace cms\update\version;
+
+use database\DbVersion;
+use database\Column;
+use security\Password;
+
+/**
+ * The type of a permission is stored in a new column.
+ *
+ * @author dankert
+ *
+ */
+class DBVersion000027 extends DbVersion
+{
+    /**
+     *
+     */
+    public function update()
+    {
+        $table = $this->table('acl');
+        $table->column('type' )->type(Column::TYPE_INT)->size(1)->defaultValue(3)->add();
+
+        // Initial Value: Copy from element.
+        $tableSqlName = $table->getSqlName();
+
+        $updateStmt = $this->getDb()->sql(<<<SQL
+UPDATE $tableSqlName
+  SET type=3;
+SQL
+        );
+        $updateStmt->query();
+
+        $updateStmt = $this->getDb()->sql(<<<SQL
+UPDATE $tableSqlName
+  SET type=2 where groupid is not null;
+SQL
+        );
+        $updateStmt->query();
+
+        $updateStmt = $this->getDb()->sql(<<<SQL
+UPDATE $tableSqlName
+  SET type=1 where userid is not null;
+SQL
+        );
+        $updateStmt->query();
+    }
+}
+
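Review bot: The three UPDATE statements reclassify every existing row that has neither a userid nor a groupid as `type=3`, the value the form action now stores for 'all', and no row ever becomes `4`; since BaseObject's guest lookup now selects only `type = TYPE_GUEST` rows where it previously matched `userid IS NULL AND groupid IS NULL`, anonymous visitors lose whatever access those rows granted before the upgrade until an administrator adds guest entries. Failing closed for guests is the safer direction, but it is a visible behaviour change and belongs in the class docblock, which currently says only that a column is added, while the empty docblock on `update()` and the comment `// Initial Value: Copy from element.` (apparently left over from another migration — nothing is copied from an element here) should instead describe the backfill, e.g. `// Backfill: every row becomes TYPE_AUTH (3), then group rows TYPE_GROUP (2), then user rows TYPE_USER (1); a row carrying both ids ends up as a user entry.` The literals 3/2/1 duplicate the `Permission::TYPE_*` constants added in this commit; if migrations deliberately avoid model classes, a comment naming the constants is the minimum so the two cannot drift apart silently. `use security\Password;` is unused and can be dropped.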