From 251616969893b447852aad81a4e68be6853e202e Mon Sep 17 00:00:00 2001 From: Mischa POSLAWSKY Date: Tue, 15 Oct 2019 04:26:15 +0200 Subject: [PATCH] auth: admin permissions per function Replace generic .admin files by lines of right identifiers. Check specific rights for: edit, user, site, news, foto. --- auth.inc.php | 10 ++++++++-- edit/foto/cover/index.php | 2 +- edit/nieuws/tag/index.php | 2 +- edit/page/index.php | 2 +- foto/album.inc.php | 2 +- foto/index.php | 2 +- login/admin/index.php | 2 +- nieuws/index.php | 6 +++--- page.inc.php | 4 ++-- page.php | 2 +- widget/login/edit.php | 4 ++-- widget/login/list.php | 2 +- 12 files changed, 23 insertions(+), 17 deletions(-) diff --git a/auth.inc.php b/auth.inc.php index 4d9b29e..a1ccedf 100644 --- a/auth.inc.php +++ b/auth.inc.php @@ -37,9 +37,15 @@ class User return rtrim(@file_get_contents("{$this->dir}/email.txt")); } - function admin() + function admin($permission = NULL) { - return @file_exists("{$this->dir}/.admin"); + if (isset($permission)) { + return $this->admin && isset($this->admin[$permission]); # check level + } + if (!@file_exists("{$this->dir}/.admin")) { + return FALSE; # not an admin + } + return array_fill_keys(explode("\n", file_get_contents("{$this->dir}/.admin")), TRUE); } function seen() diff --git a/edit/foto/cover/index.php b/edit/foto/cover/index.php index b863f02..3ae5dcf 100644 --- a/edit/foto/cover/index.php +++ b/edit/foto/cover/index.php @@ -1,7 +1,7 @@ admin) { +if (!$User or !$User->admin('foto')) { http_response_code(403); print "Beheerrechten verplicht voor instellen van covers\n"; exit; diff --git a/edit/nieuws/tag/index.php b/edit/nieuws/tag/index.php index 0152be4..01a385c 100644 --- a/edit/nieuws/tag/index.php +++ b/edit/nieuws/tag/index.php @@ -1,7 +1,7 @@ admin) +if (!$User or !$User->admin('news')) abort("geen beheersrechten", '401 unauthorised'); if (!$_POST) diff --git a/edit/page/index.php b/edit/page/index.php index 1daed85..20ebcc5 100644 --- a/edit/page/index.php 
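Review bot: The rights file is split on "\n" without trimming, so a trailing newline, a blank line or CRLF endings in `.admin` yield keys such as `''` or `"edit\r"`: `admin('')` then returns true for every admin while `admin('edit')` can fail, and a legacy empty `.admin` file still makes `admin()` truthy although no specific right is granted. `file_get_contents` is also not `@`-guarded like the `file_exists` before it, so a read that fails between the two calls warns and produces the same `['' => TRUE]` table. Normalising the lines and rejecting an empty right name closes both; the rewritten lines are below. `$this->admin` is read as a property here, which presumably resolves to this method through a magic getter outside the hunk; if that getter does not memoise, every permission check re-reads the file.
```php
        if (isset($permission)) {
            # '' must never match the empty key a blank line would otherwise create
            return $permission !== '' && $this->admin && isset($this->admin[$permission]);
        }
        // … unchanged: .admin existence check …
        $lines = preg_split('/\R/', (string) @file_get_contents("{$this->dir}/.admin"));
        $rights = array_filter(array_map('trim', $lines), 'strlen'); # drop blank lines and CRLF residue
        return array_fill_keys($rights, TRUE);
```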
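Review bot: `abort("geen beheersrechten", '401 unauthorised')` now also fires for a logged-in user who merely lacks the `news` right, and 401 tells the client it is unauthenticated; the matching check in edit/page/index.php uses the same status. 403 is the status for an authenticated but unauthorised request and is what edit/foto/cover/index.php and login/admin/index.php already send, so `abort("geen beheersrechten", '403 forbidden');` keeps the four guards consistent. Keeping 401 only for the `!$User` case would need the combined condition split in two.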
+++ b/edit/page/index.php @@ -1,7 +1,7 @@ admin) +if (!$User or !$User->admin('edit')) abort("geen beheersrechten", '401 unauthorised'); if ($_FILES) { diff --git a/foto/album.inc.php b/foto/album.inc.php index 6d706ca..42061d7 100644 --- a/foto/album.inc.php +++ b/foto/album.inc.php @@ -24,7 +24,7 @@ function openphotoswipe(index) { closeElClasses: [], shareButtons: [ admin) { +if ($User and $User->admin('foto')) { printf("\t\t\t{id:'%s', label:'%s', url:'%s'},\n", 'cover', 'Cover instellen', "/edit/foto/cover$Args?img={{image_url}}" ); diff --git a/foto/index.php b/foto/index.php index 358ef94..550e7a3 100644 --- a/foto/index.php +++ b/foto/index.php @@ -3,7 +3,7 @@ $intro = ob_get_clean(); $rootdir = $Page . $Args; -if ($User and $User->admin) { +if ($User and $User->admin('foto')) { $access = '🔓 Openbaar'; if (isset($PageAccess)) { $access = "🔒 Bewoners"; diff --git a/login/admin/index.php b/login/admin/index.php index 1677b1b..28f513d 100644 --- a/login/admin/index.php +++ b/login/admin/index.php @@ -1,5 +1,5 @@ admin) { +if (!$User or !$User->admin('site')) { ob_clean(); http_response_code(403); ?> diff --git a/nieuws/index.php b/nieuws/index.php index 8b82b61..9e97267 100644 --- a/nieuws/index.php +++ b/nieuws/index.php @@ -2,18 +2,18 @@ $replyform = $Page == 'melding' && !empty($User); @list ($year, $page) = explode('/', trim($Args, '/')); -if ($User and $User->admin) { +if ($User and $User->admin('news')) { print ''."\n"; } if ($page and !is_numeric($page)) { - $edit = $User && $User->admin ? htmlspecialchars(@$_GET['edit']) : NULL; + $edit = $User && $User->admin('news') ? htmlspecialchars(@$_GET['edit']) : NULL; if ($edit) { $Article->title = $edit; } $Place[1] = ' '.$Article->date.''; print preg_replace('{(?<=
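Review bot: The cover-menu entry that the new `admin('foto')` check enables writes `$Args` into a single-quoted JavaScript string through printf's `%s` with no escaping, so a quote or backslash in `$Args` would break out of the literal. Where `$Args` comes from is not visible in this hunk; if it is derived from the request path, emit the entry with `json_encode(['id' => 'cover', 'label' => 'Cover instellen', 'url' => "/edit/foto/cover$Args?img={{image_url}}"])` instead of the hand-built object, which escapes correctly for the JS context. Only users holding the `foto` right reach this branch, so the exposure is limited to them.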

)(.*?)(?=

)}', ($edit ?: '\1').' [[1]]', ob_get_clean()); - if ($User and $User->admin) { + if ($User and $User->admin('news')) { $taglist = []; foreach (glob("$Page/.tags/*") as $tagpath) { $tagname = pathinfo($tagpath, PATHINFO_BASENAME); diff --git a/page.inc.php b/page.inc.php index 8298c6d..c93fcbc 100644 --- a/page.inc.php +++ b/page.inc.php @@ -10,7 +10,7 @@ ob_start(); if ($User) { print '
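Review bot: `$User && $User->admin('news')` is evaluated three times in this hunk, and each call goes back through the `.admin` lookup unless the `admin` property is memoised somewhere outside the patch; compute it once, `$newsadmin = $User && $User->admin('news');`, and use that in the three places. The `$edit` value it gates is HTML-escaped but then used as the preg_replace replacement string, where `\1` and `$1` are still interpreted as back-references; `htmlspecialchars` leaves backslashes and `$` alone, so wrap it as `addcslashes($edit, '\\$')` or move to `preg_replace_callback`. The pattern itself is garbled in this rendering of the patch, so I cannot check what the capture group matches. The `foreach` over `$Page/.tags/*` at the end of the hunk continues past it.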

'; printf('Ingelogd: %s', '/login', $User->login); - if ($User->admin) { + if ($User->admin('edit')) { $editpage = $Page.$Args; if (is_dir($editpage)) { if (file_exists("$editpage/index.html")) { @@ -44,7 +44,7 @@ register_shutdown_function(function () { print "\n"; global $User; - if ($User and $User->admin) { + if ($User and $User->admin('edit')) { $ckesrc = '/lib/ckeditor'; # local install if (!file_exists(DOCROOT . $ckesrc)) { $ckesrc = '//cdn.ckeditor.com/4.7.3/full-all'; # remote fallback diff --git a/page.php b/page.php index 5e52985..c2c4282 100644 --- a/page.php +++ b/page.php @@ -159,7 +159,7 @@ if (file_exists("$Page$Args.html")) { elseif (file_exists("$Page$Args/index.html")) { $staticpage = "$Page$Args/index.html"; } -elseif ($User and $User->admin) { +elseif ($User and $User->admin('edit')) { $staticpage = (file_exists("$Page/template.html") ? "$Page/template.html" : 'template.html'); } diff --git a/widget/login/edit.php b/widget/login/edit.php index d6ee4c9..0d61a4f 100644 --- a/widget/login/edit.php +++ b/widget/login/edit.php @@ -4,7 +4,7 @@ if (empty($user = &$User)) { return; } -if ($User->admin +if ($User->admin('user') and !empty($Place['user']) and $Place['user'] !== $User->login) { $username = strtolower($Place['user']); unset($user); @@ -15,7 +15,7 @@ require_once('edit.inc.php'); foreach ($cols as $col => &$colconf) { if (isset($colconf['visible'])) { - if ($colconf['visible'] == 'admin' and !$User->admin) { + if ($colconf['visible'] == 'admin' and !$User->admin('user')) { $colconf['visible'] = FALSE; continue; } diff --git a/widget/login/list.php b/widget/login/list.php index 698b805..da4acd2 100644 --- a/widget/login/list.php +++ b/widget/login/list.php 
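Review bot: The `edit` right now decides who gets the CKEditor bundle injected by this shutdown function, and the remote fallback on the hunk's last line loads `//cdn.ckeditor.com/4.7.3/full-all` over a protocol-relative URL; the script tag is presumably emitted just below the hunk, and nothing here adds an `integrity` attribute, so a substituted CDN response runs as script in an editor's session. Pin the scheme, `$ckesrc = 'https://cdn.ckeditor.com/4.7.3/full-all'; # remote fallback`, add an SRI hash on the tag, or drop the fallback in favour of the local install. 4.7.3 is a 2017 release; check it against the vendor's advisories before widening who loads it.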
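Review bot: A holder of the `user` right can now open the edit form of any other account, including one holding `site` or `edit`; if that form (edit.inc.php, outside this hunk) can write the target's `.admin` file, `user` is effectively every right, because its holder can grant themselves the rest. Either keep rights editing out of this widget, or gate editing another user's rights on `site`, e.g. `if ($User->admin('site') and !empty($Place['user']) and $Place['user'] !== $User->login)` for that part of the form. `$Place['user']` is lower-cased and then used to locate the other account; whatever restricts it to safe path characters is not visible here.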
@@ -38,7 +38,7 @@ print ">\n"; foreach ($users as $user) { $name = $user->name ?: $user->login; - if ($GLOBALS['User'] and $GLOBALS['User']->admin) { + if ($GLOBALS['User'] and $GLOBALS['User']->admin('user')) { $link = '/login/edit/'.$user->login; $name = sprintf('%s', $link, $name); } -- 2.30.0
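Review bot: `$GLOBALS['User']->admin('user')` runs once per listed user inside the `foreach`, and each call goes through the `.admin` lookup (file_exists plus file_get_contents unless the `admin` property is cached by a getter outside this patch) although the answer cannot change across the loop; compute it once before `foreach ($users as $user) {` with `$canedit = $GLOBALS['User'] && $GLOBALS['User']->admin('user');` (use `&&`, not `and`, so the assignment takes the whole expression) and test `if ($canedit) {`. page.inc.php reaches the same object with `global $User`; pick one form for both files. The `sprintf` line has lost its markup in this rendering, so I cannot tell whether `$name` is escaped for the link text.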