From d0e09c1664cb54e21ba3717931ff1f29e0845fb7 Mon Sep 17 00:00:00 2001
From: hickert
Date: Thu, 11 Jan 2007 10:10:49 +0000
Subject: [PATCH] Fixed group acls. - You can't add members without acls. - You can't use copy & paste without all acls. - Delete of group is only possible if delete acl is given - groupMail was updated to use new account toggle - groupApplication too git-svn-id: https://oss.gonicus.de/repositories/gosa/branches/2.5@5532 594d385d-05f5-0310-b6e9-bd551577e9d8
---
plugins/admin/groups/acl_definition.inc | 7 +++-
plugins/admin/groups/class_divListGroup.inc | 37 ++++++++++++-------
.../admin/groups/class_groupApplication.inc | 8 +++-
plugins/admin/groups/class_groupGeneric.inc | 6 +--
plugins/admin/groups/class_groupMail.inc | 10 ++++-
.../admin/groups/class_groupManagement.inc | 23 ++++++++++--
plugins/admin/users/class_userManagement.inc | 8 +++-
7 files changed, 74 insertions(+), 25 deletions(-)
diff --git a/plugins/admin/groups/acl_definition.inc b/plugins/admin/groups/acl_definition.inc
index 651c2dd30..51288bdc3 100644
--- a/plugins/admin/groups/acl_definition.inc
+++ b/plugins/admin/groups/acl_definition.inc
@@ -54,16 +54,19 @@ $ACLD['blocklists']= array("cn", "goFaxBlocklist"); $ACLD['ogroup']= array("ogroup","create","delete","cn", "description", "gosaGroupObjects","base"); $ACLD['group']= array("cn", + "memberUid", "create", "delete", "description", "force_gid", "password", "gidNumber"); -$ACLD['appgroup']= array(); +$ACLD['appgroup']= array("create"); $ACLD['all']= array(); $ACLD['acl']= array('acl'); -$ACLD['mailgroup']= array("default_permission", +$ACLD['mailgroup']= array( + "create", + "default_permission", "imap_perms", "member_permissions", "mail",
diff --git a/plugins/admin/groups/class_divListGroup.inc b/plugins/admin/groups/class_divListGroup.inc
index b2feee42e..505985fa6 100644
--- a/plugins/admin/groups/class_divListGroup.inc
+++ b/plugins/admin/groups/class_divListGroup.inc
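Review bot: In acl_definition.inc the new `create` entries for `appgroup` and `mailgroup` have no counterpart for switching the extension off, and the handlers changed later in this patch require `#all#` for that direction. That asymmetry is not recorded near the definitions; a comment above `$ACLD['appgroup']= array("create");` such as `/* "create" allows enabling the extension; disabling it requires "#all#" */` would keep the ACL list and the checks in class_groupApplication.inc and class_groupMail.inc readable together. Existing ACL assignments that predate `memberUid` presumably do not contain it, so membership editing becomes unavailable to those roles until the attribute is granted; this is worth a changelog line.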
@@ -133,19 +133,6 @@ class divListGroup extends MultiSelectWindow // Space $empty = ""; - /* Create action icons - copy & paste icons */ - $actions = ""; - if($this->parent->CopyPasteHandler){ - $actions.= " "; - $actions.= " "; - } - $actions.= ""; - $actions.= ""; - // User and Template Images $editlink = "%s";
@@ -153,6 +140,30 @@ class divListGroup extends MultiSelectWindow // Test Every Entry and generate divlist Array foreach($groups as $key => $val){ + $acl= get_permissions ($val['dn'], $this->ui->subtreeACL); + $acl= get_module_permission($acl, "user", $val['dn']); + + + + /* Create action icons - copy & paste icons */ + $actions = ""; + if($this->parent->CopyPasteHandler && $acl == "#all#"){ + $actions.= " "; + $actions.= " "; + } + $actions.= ""; + + if(chkacl($acl,"delete") == ""){ + $actions.= ""; + } + + + + $posix=$mail=$samba=$appl=$phone=$enviro=$empty; if(isset($val['objectClass'])){
diff --git a/plugins/admin/groups/class_groupApplication.inc b/plugins/admin/groups/class_groupApplication.inc
index 064b94e6b..f6512315e 100644
--- a/plugins/admin/groups/class_groupApplication.inc
+++ b/plugins/admin/groups/class_groupApplication.inc
@@ -386,7 +386,13 @@ class appgroup extends plugin /* Do we need to flip is_account state? */ if (isset($_POST['modify_state'])){ - $this->is_account= !$this->is_account; + + /* Onyl change account state if allowed */ + if($this->is_account && $this->acl == "#all#"){ + $this->is_account= !$this->is_account; + }elseif(!$this->is_account && chkacl($this->acl,"create") == ""){ + $this->is_account= !$this->is_account; + } } /* Do we represent a valid group? */
diff --git a/plugins/admin/groups/class_groupGeneric.inc b/plugins/admin/groups/class_groupGeneric.inc
index dba7c496a..9f1e5f31f 100644
--- a/plugins/admin/groups/class_groupGeneric.inc
+++ b/plugins/admin/groups/class_groupGeneric.inc
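Review bot: In class_divListGroup.inc (hunk `@@ -153,6 +140,30 @@`) the per-row permission is resolved with `get_module_permission($acl, "user", $val['dn'])`, but the rows are groups and the matching server-side check in class_groupManagement.inc uses the `"group"` module, so the icons can disagree with what the handler allows. The line should read `$acl= get_module_permission($acl, "group", $val['dn']);`. Hiding the copy, cut and delete icons is presentation only; the delete action handler is not part of this patch, so it should be confirmed that it re-checks `chkacl($acl,"delete")` for the posted entry before the group is removed. The foreach body continues outside the hunk.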
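Review bot: In class_groupApplication.inc (hunk `@@ -386,7 +386,13 @@`) a refused `modify_state` request is dropped silently: neither branch matches and the user gets no feedback, unlike the copy & paste path in class_groupManagement.inc, which calls `print_red`. A final `}else{ print_red(_("You are not allowed to execute this method!")); }` would make the denial visible. The same block is duplicated in class_groupMail.inc (hunk `@@ -312,9 +312,15 @@`); both copies carry the typo `Onyl`, and the comment could state the rule itself, e.g. `/* Enabling needs the "create" acl, disabling needs "#all#" */`. Whether the save and remove paths re-check these permissions is not visible here; the enclosing method starts and ends outside the hunk.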
@@ -183,7 +183,7 @@ class group extends plugin } /* Delete user from group */ - if (isset($_POST['del_users']) && isset($_POST['members'])){ + if (isset($_POST['del_users']) && isset($_POST['members']) && chkacl($this->acl,"memberUid") ==""){ foreach ($_POST['members'] as $value){ unset ($this->members["$value"]); $this->removeUser($value);
@@ -192,7 +192,7 @@ class group extends plugin } /* Add objects? */ - if (isset($_POST["edit_membership"])){ + if (isset($_POST["edit_membership"]) && chkacl($this->acl,"memberUid") ==""){ $this->group_dialog= TRUE; $this->dialog= TRUE; }
@@ -731,7 +731,7 @@ class group extends plugin $ui= get_userinfo(); $acl= get_permissions ($ui->dn, $ui->subtreeACL); $acl= get_module_permission($acl, "group", $ui->dn); - if (chkacl($this->acl, "create") != ""){ + if ($this-> dn == "new" && chkacl($this->acl, "create") != ""){ $message[]= _("You have no permissions to create a group on this 'Base'."); }
diff --git a/plugins/admin/groups/class_groupMail.inc b/plugins/admin/groups/class_groupMail.inc
index b4bdc2962..cb0559b8f 100644
--- a/plugins/admin/groups/class_groupMail.inc
+++ b/plugins/admin/groups/class_groupMail.inc
@@ -312,9 +312,15 @@ class mailgroup extends plugin /* Do we need to flip is_account state? */ if (isset($_POST['modify_state'])){ - $this->is_account= !$this->is_account; - } + /* Onyl change account state if allowed */ + if($this->is_account && $this->acl == "#all#"){ + $this->is_account= !$this->is_account; + }elseif(!$this->is_account && chkacl($this->acl,"create") == ""){ + $this->is_account= !$this->is_account; + } + } + /* Do we represent a valid account? */ if (!$this->is_account && $this->parent == NULL){
diff --git a/plugins/admin/groups/class_groupManagement.inc b/plugins/admin/groups/class_groupManagement.inc
index 002cbb788..33fe9dfd6 100644
--- a/plugins/admin/groups/class_groupManagement.inc
+++ b/plugins/admin/groups/class_groupManagement.inc
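Review bot: In class_groupGeneric.inc the `memberUid` check in hunk `@@ -192,7 +192,7 @@` guards only the request that opens the membership dialog (`edit_membership`), not the code that later takes the dialog's selection into `$this->members`, which lies outside the hunks shown. If that branch and the save path do not repeat `chkacl($this->acl,"memberUid") == ""`, the restriction is enforced by the UI flow only; the check belongs on every branch that changes membership. In hunk `@@ -183,7 +183,7 @@` the removal branch is guarded, but `$_POST['members']` is iterated without a type check, so a scalar value raises a warning in `foreach`; adding `&& is_array($_POST['members'])` to the condition covers it.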
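Review bot: In class_groupGeneric.inc (hunk `@@ -731,7 +731,7 @@`) the local `$acl` built two lines above from `$ui->dn` is never used; the condition tests `$this->acl` instead. Either the two assignments should be dropped, or, if the intent is to test the create right on the chosen base, the permission should be resolved for that base and tested. With the added `$this-> dn == "new"` guard an existing group is no longer checked for `create` at all, so if this method also runs when a group is moved to another base (not visible here), the target base goes unchecked. `$this-> dn` should also be written `$this->dn`. The enclosing method starts and ends outside the hunk.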
@@ -126,9 +126,26 @@ class groupManagement extends plugin /* Only perform copy&paste requests if it is enabled */ - if($this->CopyPasteHandler){ - if($str = $this->copyPasteHandling($s_action,$s_entry)){ - return $str; + /* Get 'dn' from posted 'uid' */ + if(in_array_ics($s_action,array("editPaste","cut","copy"))){ + + if(isset($this->grouplist[trim($s_entry)]['dn'])){ + $dn= $this->grouplist[trim($s_entry)]['dn']; + }else{ + $dn = $this->DivListGroup->selectedBase; + } + + $acl= get_permissions ($dn, $this->ui->subtreeACL); + $acl= get_module_permission($acl, "group", $dn); + + if($acl != "#all#"){ + print_red (_("You are not allowed to execute this method!")); + }else{ + /* Display the copy & paste dialog, if it is currently open */ + $ret = $this->copyPasteHandling($s_action,$s_entry); + if($ret){ + return($ret); + } } }
diff --git a/plugins/admin/users/class_userManagement.inc b/plugins/admin/users/class_userManagement.inc
index a7034846f..b1c2c1b2b 100644
--- a/plugins/admin/users/class_userManagement.inc
+++ b/plugins/admin/users/class_userManagement.inc
@@ -112,7 +112,13 @@ class userManagement extends plugin /* Get 'dn' from posted 'uid' */ if(in_array_ics($s_action,array("editPaste","cut","copy"))){ - $dn= $this->list[trim($s_entry)]['dn']; + + if(isset($this->list[trim($s_entry)]['dn'])){ + $dn= $this->list[trim($s_entry)]['dn']; + }else{ + $dn = $this->DivListUsers->selectedBase; + } + $acl= get_permissions ($dn, $this->ui->subtreeACL); $acl= get_module_permission($acl, "user", $dn);
--
2.30.2
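Review bot: In class_groupManagement.inc (hunk `@@ -126,9 +126,26 @@`) a `cut` or `copy` whose `$s_entry` is not in `$this->grouplist` falls back to `selectedBase`, so the `#all#` test runs against the base while `copyPasteHandling` still receives the unresolved entry; the permission is then checked on a different object than the one acted on. Presumably only the paste action legitimately targets the base, so the fallback should be limited to it and unknown entries refused; class_userManagement.inc (hunk `@@ -112,7 +112,13 @@`) has the same fallback. The hunk also drops the `if($this->CopyPasteHandler)` guard while keeping the comment "Only perform copy&paste requests if it is enabled", so the guard or the comment should be brought back in line with the code. The enclosing method starts and ends outside the hunk.

```php
if(in_array_ics($s_action,array("editPaste","cut","copy"))){

  $dn = "";
  if(isset($this->grouplist[trim($s_entry)]['dn'])){
    $dn= $this->grouplist[trim($s_entry)]['dn'];
  }elseif(in_array_ics($s_action,array("editPaste"))){
    /* Only paste may be authorized against the selected base */
    $dn = $this->DivListGroup->selectedBase;
  }

  /* No resolvable target means no permission */
  $acl = "";
  if($dn != ""){
    $acl= get_permissions ($dn, $this->ui->subtreeACL);
    $acl= get_module_permission($acl, "group", $dn);
  }

  if(!$this->CopyPasteHandler || $acl != "#all#"){
    print_red (_("You are not allowed to execute this method!"));
  }else{
    // … unchanged: copyPasteHandling call and return of its result …
```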