Allow super admins to edit other super admins
authorJean-Michel Vourgère <jvourger@greenpeace.org>
Fri, 10 Mar 2017 15:24:09 +0000 (15:24 +0000)
committerJean-Michel Vourgère <jvourger@greenpeace.org>
Fri, 10 Mar 2017 18:54:58 +0000 (18:54 +0000)
Give full permissions to all super-admins

squasher.sql
templates/admin.tpl
templates/edit_user.tpl
templates/udmin.tpl
webroot/squasher.class.php
webroot/squasher.php

index 3b1754019b59694986e604d336ee87643e0357cc..852a89e7be4e74b1138230ca01b1fe52e477c940 100644 (file)
@@ -72,16 +72,6 @@ CREATE TABLE `user_rights` (
 ) ENGINE=MyISAM DEFAULT CHARSET=utf-8;
 /*!40101 SET character_set_client = @saved_cs_client */;
 
---
--- Dumping data for table `user_rights`
---
-
-LOCK TABLES `user_rights` WRITE;
-/*!40000 ALTER TABLE `user_rights` DISABLE KEYS */;
-INSERT INTO `user_rights` VALUES (0,'/',2);
-/*!40000 ALTER TABLE `user_rights` ENABLE KEYS */;
-UNLOCK TABLES;
-
 --
 -- Table structure for table `users`
 --
index 1fac2b5f0338bff7e88f5205270707deaaf931a0..ee36b7fb63466f1ad59d63d8ea76ceb22ff93f0b 100644 (file)
 {block menu}
 <div class="menu">
        <div class="menuhead">users</div>
-       {foreach item=user key=user_id from=$users}<a {if $user_id eq $edited_user}class="selected"{/if} href="?tools=access&amp;user={$user.id|escape:'url'}">{$user.name|escape}</a>{/foreach}
+       {foreach item=user key=user_id from=$users}
+               {if $user.level<200} {* Don't show Super-admins. They have all the rights anyways. *}
+               <a {if $user_id eq $edited_user}class="selected"{/if} href="?tools=access&amp;user={$user.id|escape:'url'}">{$user.name|escape}</a>
+               {/if}
+       {/foreach}
 </div>
 {/block}
 
index b11f9497dad5eefcde447f881a5846ebb68a6f95..a5db67bdb5c80b94235a771d92cc6259ebca0a25 100644 (file)
@@ -3,11 +3,17 @@
 {block extra_head}
 {literal}
 <script>
-       function check_passwords_match() {
+       function check_form(wasenabled) {
                password1 = document.getElementById("u[user_pass]").value;
                password2 = document.getElementById("user_pass2").value;
+               levelel = document.getElementById("u[user_level]");
+               level = levelel!=null ? levelel.value : null;
                if (password1 != password2)
                        alert("Passwords typo check failed:\r\nYou must enter the same password twice.");
+               else if (!wasenabled && level>0 && !password1)
+                       alert("Account was disabled. A new password is required to enable it.");
+               else if (level==0 && password1)
+                       alert("Disabling the account clears the password. It cannot be set now.");
                else
                        document.usereditform.submit();
        }
@@ -18,8 +24,8 @@
 {block menu}
 <div class="menu">
        <div class="menuhead">users</div>
-       {foreach item=user key=user_id from=$users}
-               <a {if $user_id eq $edited_user}class="selected"{/if} href="?tools=edituser&amp;edited_user={$user.id|escape:'url'}">{$user.name|escape}</a>
+       {foreach item=user key=muser_id from=$users}
+               <a {if $muser_id eq $edited_user}class="selected"{/if} href="?tools=edituser&amp;edited_user={$user.id|escape:'url'}">{$user.name|escape}</a>
        {/foreach}
        <a href="?tools=edituser" class="tool add">New User</a>
 </div>
        <tr>
                <td><label for="user_pass2">Confirm password:</label>
                <td><input type=password name="user_pass2" id="user_pass2">
+       {if $user_level >= 200} {* only super admins see that table row *}
        <tr>
                <td><label for="u[user_level]">Profile:</label>
-               <td>{html_options name="u[user_level]" id="u[user_level]" options=$user_levels selected=$u.level}
+               <td>
+               {if $user_id == $edited_user}
+                       {$disabled = true}
+               {else}
+                       {$disabled = false}
+               {/if}
+               {if $disabled}
+                       {html_options name="u[user_level]" id="u[user_level]" disabled=disabled options=$user_levels selected=$u.level}
+               {else}
+                       {html_options name="u[user_level]" id="u[user_level]" options=$user_levels selected=$u.level}
+               {/if}
+       {/if}
 </table>
 </form>
 <div style='float:left;'>
-       <input type='submit' value='Save' onclick="check_passwords_match();">
+       <input type='submit' value='Save' onclick="check_form({$u.enabled});">
 </div>
 {/block}
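Review bot: `check_form({$u.enabled})` on the Save button renders as `check_form()` both for a new user (`$u` unassigned) and for a disabled one (`false` prints as an empty string), so in check_form `wasenabled` is undefined in both cases and a new account submitted without a password gets the alert "Account was disabled. A new password is required to enable it.", which is wrong for that case; rendering an explicit boolean, `check_form({if $u.enabled}true{else}false{/if});`, and wording the message to cover new accounts too would fix it. In check_form itself (hunk at line 3) `password1`, `password2`, `levelel` and `level` are assigned without `var`, so they become implicit globals; declare them locally. These checks only run from the button, so the server still has to enforce the password/level rules for a form submitted with Enter.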
 
index 32bc83e0de5b3bd6bd191589dc9917a6d78777c1..fcb6d00865a1c98bbd25fe74163a773b2916f351 100644 (file)
@@ -26,7 +26,7 @@
                <th>Login
                <th>Account type
                <th>
-       {foreach item=user key=user_id from=$users}
+       {foreach item=user key=id from=$users}
        <tr>
                <td>{$user.name|escape}
                <td>{if $user.enabled}
                        Disabled
                        {/if}
                <td>
-                       <a href="?tools=edituser&amp;edited_user={$user_id|escape}" class=edit></a>
-                       <a href="javascript:confirm_delete('{$user.name|escape:'javascript'|escape}', {$user_id});" class=deletenotext>delete</a>
+                       <a href="?tools=edituser&amp;edited_user={$id|escape}" class=edit></a>
+                       {if $user_id != $id }
+                       <a href="javascript:confirm_delete('{$user.name|escape:'javascript'|escape}', {$id});" class=deletenotext>delete</a>
+                       {/if}
        {/foreach}
 </table>
 {/block}
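Review bot: `{if $user_id != $id }` only removes the delete link for the logged-in user's own row; the handler behind `confirm_delete` is not in this diff, so it presumably still accepts the caller's own id and should refuse it server-side as well (`edited_user == $_SESSION['creds']['user_id']`). Renaming the loop key to `id` is needed here because `user_id` is now assigned from the session, which is worth a one-line template comment so the two names are not swapped back later.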
index d97e794c57393843664850666732a0048e3b31bb..583a659a70b6515cdfe3fbc82820c85bf1f77337 100644 (file)
@@ -118,7 +118,10 @@ function update_history() {
 }
 
 function get_users($user_level) {
-       $q = "SELECT * FROM users WHERE user_level < ".$user_level." ORDER BY user_name ASC";
+       $q = "SELECT * FROM users";
+       if ($user_level<200) // super user have no restrictions at all
+               $q .= " WHERE user_level < ".$user_level;
+       $q .= " ORDER BY user_name ASC";
        $r = mysql_query($q);
 
        while ($o = mysql_fetch_object($r)) {
@@ -207,7 +210,10 @@ function update_users($u, $user_id) {
        $user_id = (int)$user_id;
        $user_name = @$u['user_name'];
        $user_pass = @$u['user_pass'];
-       $user_level = (int)@$u['user_level'];
+       if (array_key_exists('user_level', $u))
+               $user_level = $u['user_level'];
+       else
+               $user_level = null;
        if ($user_name) {
                $q = "UPDATE users SET user_name = '".mysql_escape_string($user_name)."' WHERE user_id = ".$user_id;
                $r = mysql_query($q);
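Review bot: Dropping the `(int)` cast on `user_level` means the raw POST string is concatenated unescaped into `UPDATE users SET user_level = ".$user_level` in the next hunk (line 213), whereas the old `(int)@$u['user_level']` kept it numeric; keep the null test but restore the cast: `$user_level = array_key_exists('user_level', $u) ? (int)$u['user_level'] : null;`. Separately, update_users still has no idea who is calling it: insert_users receives `$_SESSION['creds']['user_level']` and the squasher.php caller forces level 55 for non-super admins on insert only, so on edit an admin below 200 can post `u[user_level]=255` and the update is applied as-is. Passing the caller's level into update_users and rejecting a requested level that is not one of the known values or that is at or above the caller's own would close that, and the same applies to the edit path in webroot/squasher.php (hunk at -168).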
@@ -216,13 +222,14 @@ function update_users($u, $user_id) {
                $q = "UPDATE users SET user_pass = '".mysql_escape_string(md5($user_pass))."' WHERE user_id = ".$user_id;
                $r = mysql_query($q);
        }
-       if ($user_level) {
-               $q = "UPDATE users SET user_level = ".$user_level." WHERE user_id = ".$user_id;
-               $r = mysql_query($q);
-       }
-       if ($user_level == 0) {
-               $q = "UPDATE users SET user_pass = '' WHERE user_id = ".$user_id;
-               $r = mysql_query($q);
+       if ($user_level !== null) {
+               if ($user_level > 0) {
+                       $q = "UPDATE users SET user_level = ".$user_level." WHERE user_id = ".$user_id;
+                       $r = mysql_query($q);
+               } else {
+                       $q = "UPDATE users SET user_pass = '' WHERE user_id = ".$user_id;
+                       $r = mysql_query($q);
+               }
        }
 }
 
index c50e72995b7ef1c08bccef25078be1a962a3555f..12c6cd78b8b63a7b31ee54563ff0db51983e6b43 100644 (file)
@@ -26,7 +26,7 @@ if (@$_POST['edited_user'] > 0 && @$_POST['formtype'] == 'folderrights')
        $squashweb->update_rights($_POST['edited_user'], $_POST['m'], $_SESSION['creds']['user_level']);
 
 //set folder rights
-if (@$_GET['f']) {
+if (@$_GET['f'] || $_SESSION['creds']['user_level']>200) {
        $squashweb->give_rights(-1); // full access
 } else {
        $squashweb->give_rights($_SESSION['creds']['user_id']);
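Review bot: The super-admin test here is `user_level>200`, while the same role is detected with `> 199` further down in this file, `>= 200` in edit_user.tpl and `<200` (negated) in get_users and admin.tpl; a level of exactly 200 would therefore be a super admin everywhere except this rights check. Using `$_SESSION['creds']['user_level'] >= 200` keeps the files consistent, or better, a single named constant for the threshold. In the last hunk `$user->enabled` becomes `$user['enabled']`, which implies get_users now returns arrays, yet the visible part of get_users still iterates `mysql_fetch_object` — the conversion must sit in the loop body outside that hunk, worth confirming since the template reads `$u.level` and `$u.enabled` from it.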
@@ -152,6 +152,7 @@ if (@$_GET['f']) {
 
        $smarty->assign('user_level', $_SESSION['creds']['user_level']);
        $smarty->assign('user_name', $_SESSION['creds']['user_name']);
+       $smarty->assign('user_id', $_SESSION['creds']['user_id']);
 
        $smarty->assign('users', $squashweb->get_users($_SESSION['creds']['user_level']));
 
@@ -168,7 +169,10 @@ if (@$_GET['f']) {
                if ($edited_user) {
                        $squashweb->update_users($u, $edited_user);
                } else {
-                        $squashweb->insert_users($u, $_SESSION['creds']['user_level']);
+                       // Simple admin don't have the user_level <tr>. Just set the value for them now:
+                       if ($_SESSION['creds']['user_level'] < 200)
+                               $u['user_level'] = 55;
+                       $squashweb->insert_users($u, $_SESSION['creds']['user_level']);
                }
                header('302 done');
                header('Location: ?tools=users');
@@ -176,22 +180,22 @@ if (@$_GET['f']) {
                $smarty = get_smarty();
                $smarty->assign('user_level', $_SESSION['creds']['user_level']);
                $smarty->assign('user_name', $_SESSION['creds']['user_name']);
+               $smarty->assign('user_id', $_SESSION['creds']['user_id']);
 
                $smarty->assign('users', $users);
                $smarty->assign('edited_user', $edited_user);
 
-               if (array_key_exists($edited_user, $users))
-               {
+               if (array_key_exists($edited_user, $users)) {
                        $user = $users[$edited_user];
-                       if (!$user->enabled)
-                               $user-> user_level = 0;
+                       if (!$user['enabled'])
+                               $user['level'] = 0;
                        $smarty->assign('u', $user);
                }
 
                if ($_SESSION['creds']['user_level'] > 199) {
-                       $smarty->assign('user_levels', array(55 => 'user', 155 => 'admin', 0 => 'disabled') );
+                       $smarty->assign('user_levels', array(55 => 'User', 155 => 'Admin', 255 => 'Super admin', 0 => 'Disabled') );
                } else {
-                       $smarty->assign('user_levels', array(55 => 'user', 0 => 'disabled') );
+                       $smarty->assign('user_levels', array(55 => 'User', 0 => 'Disabled') );
                }
 
                $smarty->assign('debug', @$_GET['debug']);