Revision: 1034
          http://mrbs.svn.sourceforge.net/mrbs/?rev=1034&view=rev
Author:   cimorrison
Date:     2009-02-25 12:06:53 +0000 (Wed, 25 Feb 2009)

Log Message:
-----------
Generalised the code for editing users so that it can in the future cope with 
having admin levels higher than 2.     This might be necessary if one wants to 
have greater granularity of admin rights, for example distinguishing between 
booking admins, user admins and system admins.   (A system admin might be 
necessary if, for example, some of the parameters currently in the config file 
are made editable from MRBS).

Modified Paths:
--------------
    mrbs/trunk/web/auth_db.inc
    mrbs/trunk/web/edit_users.php

Modified: mrbs/trunk/web/auth_db.inc
===================================================================
--- mrbs/trunk/web/auth_db.inc  2009-02-25 11:47:35 UTC (rev 1033)
+++ mrbs/trunk/web/auth_db.inc  2009-02-25 12:06:53 UTC (rev 1034)
@@ -19,10 +19,12 @@
     in the logon box, if the value $user_list_link is set. */
 $user_list_link = "edit_users.php";
 
-// The highest level of access (0=none; 1=user; 2=admin).    Used in 
edit_users.php
+// The highest level of access (0=none; 1=user; 2+=admin).    Used in 
edit_users.php
 // In the future we might want a higher level of granularity, eg to 
distinguish between
 // different levels of admin
 $max_level = 2;
+// The lowest level of admin allowed to edit other users
+$min_user_editing_level = 2;
 
 /* authValidateUser($user, $pass)
  * 
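Review bot: The comment on the new `$min_user_editing_level` does not state its valid range, and the rest of the code depends on it: in the rights model described in edit_users.php (0 none, 1 ordinary user, 2+ admin) a value below 2 would let ordinary users add, edit and delete accounts, and a value above `$max_level` would lock every admin out of user editing. Suggest extending the comment to `// The lowest level of admin allowed to edit other users (must be between 2 and $max_level inclusive)`.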

Modified: mrbs/trunk/web/edit_users.php
===================================================================
--- mrbs/trunk/web/edit_users.php       2009-02-25 11:47:35 UTC (rev 1033)
+++ mrbs/trunk/web/edit_users.php       2009-02-25 12:06:53 UTC (rev 1034)
@@ -12,6 +12,22 @@
 *                 modifying the editor code. Only to add the fields in       *
 *                 the database creation code.                                *
 *                                                                            *
+*                 An admin rights model is used where the level (an          *
+*                 integer between 0 and $max_level) denotes rights:          *
+*                      0:  no rights                                         *
+*                      1:  an ordinary user                                  *
+*                      2+: admins, with increasing rights.   Designed to     *
+*                          allow more granularity of admin rights, for       *
+*                          example by having booking admins, user admins     *
+*                          snd system admins.  (System admins might be       *
+*                          necessary in the future if, for example, some     *
+*                          parameters curreently in the config file are      *
+*                          made editable from MRBS)                          *
+*                                                                            *
+*                 Only admins with at least user editing rights (level >=    *
+*                 $min_user_editing_level) can edit other users, and they    *
+*                 cannot edit users with a higher level than themselves      *
+*                                                                            *
 *                 To do:                                                     *
 *                     - Localisability                                       *
 *                                                                            *
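Review bot: The added header comment has two typos: `snd system admins` should read `and system admins`, and `parameters curreently in the config file` should read `parameters currently in the config file`. Since this block is the only place the level semantics are written down, it is worth keeping it clean.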
@@ -223,8 +239,8 @@
           // or admin rights are removed!
           if ($Action == "Edit")
           {
-            $n_admins = sql_query1("select count(*) from $tbl_users where 
level>=2");
-            $editing_last_admin = ($n_admins <= 1) && ($data['level'] == 2);
+            $n_admins = sql_query1("select count(*) from $tbl_users where 
level=$max_level");
+            $editing_last_admin = ($n_admins <= 1) && ($data['level'] == 
$max_level);
           }
           else
           {
@@ -234,7 +250,7 @@
           // Work out whether the level select input should be disabled (NB 
you can't make a <select> readonly)
           // We don't want the user to be able to change the level if (a) it's 
the first user being created or
           // (b) it's the last admin left or (c) they don't have admin rights
-          $disable_select = ($initial_user_creation || $editing_last_admin || 
($level < 2));
+          $disable_select = ($initial_user_creation || $editing_last_admin || 
($level < $min_user_editing_level));
           
           foreach ($fields as $fieldname)
           {
@@ -252,7 +268,10 @@
                 echo "<div>\n";
                 echo "<label for=\"Field_$fieldname\">" . 
get_loc_field_name($fieldname) . ":</label>\n";
                 echo "<select id=\"Field_$fieldname\" 
name=\"Field_$fieldname\"" . ($disable_select ? " disabled=\"disabled\"" : "") 
. ">\n";
-                for ($i=0; $i<=$max_level; $i++)
+                // Only display options up to and including one's own level 
(you can't upgrade yourself).
+                // If you're not some kind of admin then the select will also 
be disabled.
+                // (Note - disabling individual options doesn't work in older 
browsers, eg IE6)     
+                for ($i=0; $i<=$level; $i++)
                 {
                   echo "<option value=\"$i\"";
                   // Work out which option should be selected by default:
@@ -260,7 +279,7 @@
                   //   if we're adding the very first entry, then it should be 
an admin;
                   //   if we're adding a subsequent entry, then it should be 
an ordinary user;
                   if ( (($Action == "Edit")  && ($i == $data[$fieldname])) ||
-                       (($Action == "Add") && $initial_user_creation && ($i == 
2)) ||
+                       (($Action == "Add") && $initial_user_creation && ($i == 
$max_level)) ||
                        (($Action == "Add") && !$initial_user_creation && ($i 
== 1)) )
                   {
                     echo " selected=\"selected\"";
@@ -274,7 +293,7 @@
                 {
                   if ($initial_user_creation)
                   {
-                    $v = 2;
+                    $v = $max_level;
                   }
                   else
                   {
@@ -340,7 +359,8 @@
         </fieldset>
       </form>
       <?php
-      if (($Id >= 0) && ($level >= 2)) /* Administrators get the right to 
delete users */
+      /* Administrators get the right to delete users, but only those at the 
same level as them or lower */
+      if (($Id >= 0) && ($level >= $min_user_editing_level) && ($level >= 
$data['level'])) 
       {
         echo "<form id=\"form_delete_users\" method=\"post\" action=\"" . 
htmlspecialchars(basename($PHP_SELF)) . "\">\n";
         echo "<div>\n";
@@ -586,8 +606,15 @@
 
 if (isset($Action) && ($Action == "Delete"))
 {
-  if ($level < 2)
+  $target_level = sql_query1("SELECT level FROM $tbl_users WHERE id=$Id LIMIT 
1");
+  if ($target_level < 0)
   {
+    fatal_error(TRUE, "Fatal error while deleting a user");
+  }
+  // you can't delete a user if you're not some kind of admin, and then you 
can't
+  // delete someone higher than you
+  if (($level < $min_user_editing_level) || ($level < $target_level))
+  {
     showAccessDenied(0, 0, 0, "", "");
     exit();
   }
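Review bot: The new query `SELECT level FROM $tbl_users WHERE id=$Id LIMIT 1` interpolates `$Id` straight into SQL; unless `$Id` is cast to an integer earlier in the file (outside this hunk), this is an injection point, so cast it before use, `$Id = (int) $Id;`, or run it through the project's escaping helper. The `$target_level < 0` branch also appears to treat "no such user" the same as a database error (sql_query1 presumably returns a negative value for both), so a stale or mistyped id produces a fatal error rather than a denial; if that distinction matters, check for the missing row separately. Note that `$level < $target_level` still permits deleting a peer at the same level, including oneself, and nothing in this hunk prevents removing the last remaining admin; the last-admin guard added in the earlier Edit hunk only disables the level select.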
@@ -624,7 +651,7 @@
 
 print "<h2>" . get_vocab("user_list") . "</h2>\n";
 
-if ($level >= 2) /* Administrators get the right to add new users */
+if ($level >= $min_user_editing_level) /* Administrators get the right to add 
new users */
 {
   print "<form method=\"post\" action=\"" . 
htmlspecialchars(basename($PHP_SELF)) . "\">\n";
   print "  <div>\n";

