Erlaube subusers, die nur Zugriff auf bestimmte Module haben
bernd

bernd commited on 2010-10-01 10:45:34
Zeige 5 geänderte Dateien mit 57 Einfügungen und 3 Löschungen.


git-svn-id: https://svn.schokokeks.org/repos/tools/webinterface/trunk@1822 87cf0b9e-d624-0410-a070-f6ee81989793
... ...
@@ -6,6 +6,18 @@ require_once('inc/debug.php');
6 6
 function config($key)
7 7
 {
8 8
   global $config;
9
+
10
+  if ($key == 'modules' && isset($_SESSION['restrict_modules']))
11
+  {
12
+    $modules = array();
13
+    foreach ($config['modules'] as $mod)
14
+    {
15
+      if (in_array($mod, $_SESSION['restrict_modules']))
16
+        $modules[] = $mod;
17
+    }
18
+    return $modules;
19
+  }
20
+
9 21
   if (array_key_exists($key, $config))
10 22
     return $config[$key];
11 23
   
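Review bot: The sub-user restriction added to config() only takes effect for callers that ask for `config('modules')`. `$config` is a global, so any code that reads `$config['modules']` directly, or loads a module without consulting this list, is not limited by it. No such caller is visible in this hunk, so it is worth confirming that the module dispatcher itself refuses modules outside `$_SESSION['restrict_modules']`. The loop could be written as `return array_values(array_intersect($config['modules'], $_SESSION['restrict_modules']));`, with a comment such as `// sub-users only see the modules granted to them`. config() continues past the end of the hunk.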
... ...
@@ -114,7 +114,11 @@ $userinfo = '';
114 114
 $role = $_SESSION['role'];
115 115
 if ($role != ROLE_ANONYMOUS) {
116 116
   $userinfo .= '<p class="userinfo">Angemeldet als:<br />';
117
-  if ($role & ROLE_SYSTEMUSER) {
117
+  if ($role & ROLE_SYSTEMUSER && isset($_SESSION['subuser'])) {
118
+    $userinfo .= '<strong>'.$_SESSION['subuser'].'</strong>';
119
+    $userinfo .= '<br />Mitbenutzer von '.$_SESSION['userinfo']['username'];
120
+  }
121
+  elseif ($role & ROLE_SYSTEMUSER) {
118 122
     $userinfo .= '<strong>'.$_SESSION['userinfo']['username'].'</strong>';
119 123
     $userinfo .= '<br />'.$_SESSION['userinfo']['name'];
120 124
     $userinfo .= '<br />(Benutzer'.(($role & ROLE_CUSTOMER) ? ', Kunde' : '').')';
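Review bot: `$_SESSION['subuser']` is concatenated into the HTML on new line 118 without escaping. setup_session fills it from `$useridentity`, presumably the login name supplied at sign-in, so it should be encoded before output: `$userinfo .= '<strong>'.htmlspecialchars($_SESSION['subuser'], ENT_QUOTES).'</strong>';`. The same applies to `$_SESSION['userinfo']['username']` on new line 119. It also applies to the string built under `case ROLE_SYSTEMUSER | ROLE_SUBUSER:` in the next hunk, if that `$role` text is later printed as HTML. The enclosing `if ($role != ROLE_ANONYMOUS)` block continues past the end of the hunk.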
... ...
@@ -27,6 +27,9 @@ case ROLE_MAILACCOUNT:
27 27
 case ROLE_SYSTEMUSER:
28 28
   $role = "{$_SESSION['userinfo']['name']}, angemeldet als Benutzer";
29 29
   break;
30
+case ROLE_SYSTEMUSER | ROLE_SUBUSER:
31
+  $role = "{$_SESSION['subuser']}, Unternutzer von {$_SESSION['userinfo']['username']}";
32
+  break;
30 33
 case ROLE_CUSTOMER:
31 34
   $role = "{$_SESSION['customerinfo']['name']}, angemeldet als Kunde";
32 35
   break;
... ...
@@ -6,9 +6,9 @@ if ($role == ROLE_ANONYMOUS) {
6 6
   $menu["index_login"] = array("label" => "Login", "file" => "index", "weight" => 0);
7 7
   $menu["certlogin"] = array("label" => "Client-Zertifikat", "file" => "certinfo", "weight" => 10);
8 8
 } else {
9
-  if ($role & ROLE_SYSTEMUSER)
9
+  if ($role & ROLE_SYSTEMUSER && ! ($role & ROLE_SUBUSER))
10 10
     $menu["index_cert"] = array("label" => "Client-Zertifikat", "file" => "cert", "weight" => 10, "submenu" => "index_index");
11
-  if ($role & (ROLE_SYSTEMUSER | ROLE_CUSTOMER)) {
11
+  if ($role & (ROLE_SYSTEMUSER | ROLE_CUSTOMER) && ! $role & ROLE_SUBUSER) {
12 12
     $menu["index_chpass"] = array("label" => "Passwort ändern", "file" => "chpass", "weight" => 98);
13 13
   }
14 14
 
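Review bot: The second changed condition, `! $role & ROLE_SUBUSER`, parses as `(!$role) & ROLE_SUBUSER` because `!` binds tighter than `&`. For any non-zero `$role` it evaluates to 0, so the "Passwort ändern" entry is hidden for every logged-in user rather than only for sub-users. Parenthesise it like the condition two lines above: `if ($role & (ROLE_SYSTEMUSER | ROLE_CUSTOMER) && ! ($role & ROLE_SUBUSER)) {`. Hiding a menu entry is not an access check, and the `cert` and `chpass` pages are outside this hunk, so confirm they reject `ROLE_SUBUSER` sessions themselves. The `else` block continues past the end of the hunk.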
... ...
@@ -12,6 +12,7 @@ define('ROLE_VMAIL_ACCOUNT', 2);
12 12
 define('ROLE_SYSTEMUSER', 4);
13 13
 define('ROLE_CUSTOMER', 8);
14 14
 define('ROLE_SYSADMIN', 16);
15
+define('ROLE_SUBUSER', 32);
15 16
 
16 17
 
17 18
 // Gibt die Rolle aus, wenn das Passwort stimmt
... ...
@@ -92,6 +93,15 @@ function find_role($login, $password, $i_am_admin = False)
92 93
   }
93 94
   
94 95
 
96
+  // Sub-User
97
+
98
+  $result = db_query("SELECT uid FROM system.subusers WHERE username='{$login}' AND password=SHA1('{$password}')");
99
+  if (@mysql_num_rows($result) > 0)
100
+  {
101
+    // FIXME: Admin-Su-Anmeldung geht damit nicht
102
+    return ROLE_SUBUSER;
103
+  }
104
+
95 105
 
96 106
   // Nothing?
97 107
   return NULL;
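Review bot: The new sub-user query in find_role interpolates `$login` and `$password` straight into the SQL string, and no escaping is visible in this hunk. find_role begins outside the hunk, so the values may already be escaped above. get_subuser_info in the next hunk is fully visible, though, and puts `$username` into its query without the `mysql_real_escape_string()` call that get_user_info makes on its first line. Add `$username = mysql_real_escape_string($username);` at the top of get_subuser_info, and confirm that `$login` and `$password` are escaped before line 98 here. Separately, `password=SHA1('{$password}')` compares an unsalted SHA-1, which is weak for stored passwords; a salted, slow hash verified in PHP would hold up better if the table leaks.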
... ...
@@ -129,6 +139,21 @@ function get_customer_info($customer)
129 139
 }
130 140
 
131 141
 
142
+function get_subuser_info($username)
143
+{
144
+  $result = db_query("SELECT uid, modules FROM system.subusers WHERE username='{$username}'");
145
+  if (mysql_num_rows($result) < 1)
146
+  {
147
+    logger(LOG_ERR, "session/checkuser", "login", "error reading subuser's data: »{$username}«");
148
+    system_failure('Das Auslesen Ihrer Benutzerdaten ist fehlgeschlagen. Bitte melden Sie dies einem Administrator');
149
+  }
150
+  $data = mysql_fetch_assoc($result);
151
+  $userinfo = get_user_info($data['uid']);
152
+  $userinfo['modules'] = $data['modules'];
153
+  return $userinfo;
154
+}
155
+
156
+
132 157
 function get_user_info($username)
133 158
 {
134 159
   $username = mysql_real_escape_string($username);
... ...
@@ -194,6 +219,16 @@ function setup_session($role, $useridentity)
194 219
 {
195 220
   session_regenerate_id();
196 221
   $_SESSION['role'] = $role;
222
+  if ($role & ROLE_SUBUSER)
223
+  {
224
+    DEBUG("We are a sub-user");
225
+    $info = get_subuser_info($useridentity);
226
+    $_SESSION['userinfo'] = $info;
227
+    $_SESSION['subuser'] = $useridentity;
228
+    $_SESSION['role'] = ROLE_SYSTEMUSER | ROLE_SUBUSER;
229
+    $_SESSION['restrict_modules'] = explode(',', $info['modules']);
230
+    logger(LOG_INFO, "session/start", "login", "logged in user »{$info['username']}«");
231
+  }
197 232
   if ($role & ROLE_SYSTEMUSER)
198 233
   {
199 234
     DEBUG("We are system user");
200 235