#593: Admins can take user rights temporarily

git-svn-id: svn+ssh://murphy/home/svn/platal/trunk@1254 839d8a87-29fc-0310-9880-83ba4fa771e5

diff --git a/ChangeLog b/ChangeLog
index 3b08849..f7d6ab4 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -25,6 +25,9 @@ New:
 
 Bug/Wish:
 
+    * Admin:
+        - #593: Admins can take temporarily user rights                    -FRU
+
     * Core:
         - #558: Propose a valid URL when getting a 404 error               -FRU
 

diff --git a/include/xnet/page.inc.php b/include/xnet/page.inc.php
index 47e011a..b52d7fc 100644 (file)
--- a/include/xnet/page.inc.php
+++ b/include/xnet/page.inc.php
@@ -132,7 +132,13 @@ function list_all_my_groups($params)
                FROM  groupex.asso    AS a
          INNER JOIN  groupex.membres AS m ON m.asso_id = a.id
               WHERE  m.uid={?}", S::v('uid'));
-    $html = '<div>Mes groupes (<a href="exit">déconnexion</a>) :</div>';
+    $links = '<a href="exit">déconnexion</a>';
+    if (S::has('suid')) {
+        $links = '<a href="exit">reprendre les droits d\'admin</a>';
+    } elseif (S::has_perms()) {
+        $links = '<a href="get_rights/user">perdre les droits d\'admin</a>|' . $links;
+    }
+    $html = '<div>Mes groupes (' . $links . ') :</div>';
     while (list($nom, $mini) = $res->next()) {
         $html .= "<span class='gp'>&bull; <a href='login/$mini'>$nom</a></span>";
     }

diff --git a/include/xorg/session.inc.php b/include/xorg/session.inc.php
index e6b838a..c112f40 100644 (file)
--- a/include/xorg/session.inc.php
+++ b/include/xorg/session.inc.php
@@ -25,8 +25,8 @@ class XorgSession
 
     public static function init() {
         S::init();
-       if (!S::has('uid')) {
-           try_cookie();
+    if (!S::has('uid')) {
+        try_cookie();
         }
     }
 
@@ -43,10 +43,10 @@ class XorgSession
 
     public static function doAuth($new_name = false)
     {
-       global $globals;
-       if (S::identified()) { // ok, c'est bon, on n'a rien à faire
-           return true;
-       }
+        global $globals;
+        if (S::identified()) { // ok, c'est bon, on n'a rien à faire
+            return true;
+        }
 
         if (!Env::has('username') || !Env::has('response')
         ||  !S::has('challenge'))
@@ -56,24 +56,29 @@ class XorgSession
 
         // si on vient de recevoir une identification par passwordpromptscreen.tpl
         // ou passwordpromptscreenlogged.tpl
-        $uname = Env::v('username');
-
-        if (Env::v('domain') == "alias") {
-
-            $res = XDB::query(
-                "SELECT redirect
-                   FROM virtual
-             INNER JOIN virtual_redirect USING(vid)
-                  WHERE alias LIKE {?}", $uname."@".$globals->mail->alias_dom);
-            $redirect = $res->fetchOneCell();
-            if ($redirect) {
-                $login = substr($redirect, 0, strpos($redirect, '@'));
+        if (S::has('suid')) {
+            $suid = S::v('suid');
+            $login = $uname = $suid['forlife'];
+            $redirect = false;
+        } else {
+            $uname = Env::v('username');
+
+            if (Env::v('domain') == "alias") {
+                $res = XDB::query(
+                    "SELECT redirect
+                       FROM virtual
+                 INNER JOIN virtual_redirect USING(vid)
+                      WHERE alias LIKE {?}", $uname."@".$globals->mail->alias_dom);
+                $redirect = $res->fetchOneCell();
+                if ($redirect) {
+                    $login = substr($redirect, 0, strpos($redirect, '@'));
+                } else {
+                    $login = "";
+                }
             } else {
-                $login = "";
+                $login = $uname;
+                $redirect = false;
             }
-        } else {
-            $login = $uname;
-            $redirect = false;
         }
 
         $field = (!$redirect && preg_match('/^\d*$/', $uname)) ? 'id' : 'alias';
@@ -85,18 +90,18 @@ class XorgSession
 
         $logger = S::v('log');
         if (list($uid, $password) = $res->fetchOneRow()) {
-                require_once('secure_hash.inc.php');
-                    $expected_response = hash_encrypt("$uname:$password:".S::v('challenge'));
-                    // le password de la base est peut-être encore encodé en md5
-                    if (Env::v('response') != $expected_response) {
-                      $new_password = hash_xor(Env::v('xorpass'), $password);
-                      $expected_response = hash_encrypt("$uname:$new_password:".S::v('challenge'));
-                      if (Env::v('response') == $expected_response) {
-                          XDB::execute("UPDATE auth_user_md5 SET password = {?} WHERE user_id = {?}",
-                                       $new_password, $uid);
-                      }
-                    }
-                    if (Env::v('response') == $expected_response) {
+            require_once('secure_hash.inc.php');
+            $expected_response = hash_encrypt("$uname:$password:".S::v('challenge'));
+            // le password de la base est peut-être encore encodé en md5
+            if (Env::v('response') != $expected_response) {
+                $new_password = hash_xor(Env::v('xorpass'), $password);
+                $expected_response = hash_encrypt("$uname:$new_password:".S::v('challenge'));
+                if (Env::v('response') == $expected_response) {
+                      XDB::execute("UPDATE auth_user_md5 SET password = {?} WHERE user_id = {?}",
+                                   $new_password, $uid);
+                }
+            }
+            if (Env::v('response') == $expected_response) {
                 if (Env::has('domain')) {
                     if (($domain = Env::v('domain', 'login')) == 'alias') {
                         setcookie('ORGdomain', "alias", (time()+25920000), '/', '', 0);
@@ -111,7 +116,7 @@ class XorgSession
                 if ($logger) {
                     $logger->log('auth_ok');
                 }
-                        start_connexion($uid, true);
+                start_connexion($uid, true);
                 if (Env::v('remember', 'false') == 'true') {
                     $cookie = hash_encrypt(S::v('password'));
                     setcookie('ORGaccess',$cookie,(time()+25920000),'/','',0);
@@ -125,8 +130,8 @@ class XorgSession
                         $logger->log("cookie_off");
                     }
                 }
-                        return true;
-                    } elseif ($logger) {
+                return true;
+            } elseif ($logger) {
                 $logger->log('auth_fail','bad password');
             }
         } elseif ($logger) {
@@ -145,16 +150,16 @@ class XorgSession
      */
     public static function doAuthCookie()
     {
-       if (S::logged()) {
-           return true;
+    if (S::logged()) {
+        return true;
         }
 
-       if (Env::has('username') and Env::has('response')) {
-           return XorgSession::doAuth();
+    if (Env::has('username') and Env::has('response')) {
+        return XorgSession::doAuth();
         }
 
-       if ($r = try_cookie()) {
-           return XorgSession::doAuth(($r > 0));
+    if ($r = try_cookie()) {
+        return XorgSession::doAuth(($r > 0));
         }
 
         return false;
@@ -172,7 +177,7 @@ class XorgSession
 function try_cookie()
 {
     if (Cookie::v('ORGaccess') == '' or !Cookie::has('ORGuid')) {
-       return -1;
+    return -1;
     }
 
     $res = @XDB::query(
@@ -181,13 +186,13 @@ function try_cookie()
             Cookie::i('ORGuid'));
 
     if ($res->numRows() != 0) {
-       list($uid, $password) = $res->fetchOneRow();
-       require_once('secure_hash.inc.php');
-       $expected_value       = hash_encrypt($password);
-       if ($expected_value == Cookie::v('ORGaccess')) {
-           start_connexion($uid, false);
-           return 0;
-       } else {
+    list($uid, $password) = $res->fetchOneRow();
+    require_once('secure_hash.inc.php');
+    $expected_value       = hash_encrypt($password);
+    if ($expected_value == Cookie::v('ORGaccess')) {
+        start_connexion($uid, false);
+        return 0;
+    } else {
             return 1;
         }
     }
@@ -206,13 +211,13 @@ function try_cookie()
 function start_connexion ($uid, $identified)
 {
     $res  = XDB::query("
-       SELECT  u.user_id AS uid, prenom, nom, perms, promo, matricule, password, FIND_IN_SET('femme', u.flags) AS femme,
+    SELECT  u.user_id AS uid, prenom, nom, perms, promo, matricule, password, FIND_IN_SET('femme', u.flags) AS femme,
                 UNIX_TIMESTAMP(s.start) AS lastlogin, s.host, a.alias AS forlife, a2.alias AS bestalias,
                 q.core_mail_fmt AS mail_fmt, UNIX_TIMESTAMP(q.banana_last) AS banana_last, q.watch_last, q.core_rss_hash
           FROM  auth_user_md5   AS u
     INNER JOIN  auth_user_quick AS q  USING(user_id)
-    INNER JOIN aliases         AS a  ON (u.user_id = a.id AND a.type='a_vie')
-    INNER JOIN  aliases                AS a2 ON (u.user_id = a2.id AND FIND_IN_SET('bestalias',a2.flags))
+    INNER JOIN  aliases         AS a  ON (u.user_id = a.id AND a.type='a_vie')
+    INNER JOIN  aliases     AS a2 ON (u.user_id = a2.id AND FIND_IN_SET('bestalias',a2.flags))
      LEFT JOIN  logger.sessions AS s  ON (s.uid=u.user_id AND s.suid=0)
          WHERE  u.user_id = {?} AND u.perms IN('admin','user')
       ORDER BY  s.start DESC
@@ -221,9 +226,10 @@ function start_connexion ($uid, $identified)
     $suid = S::v('suid');
 
     if ($suid) {
-       $logger = new CoreLogger($uid, $suid);
-       $logger->log("suid_start", S::v('forlife')." by {$suid['uid']}");
+        $logger = new CoreLogger($uid, $suid);
+        $logger->log("suid_start", S::v('forlife')." by {$suid['uid']}");
         $sess['suid'] = $suid;
+        $sess['perms'] = $_SESSION['perms'];
     } else {
         $logger = S::v('log', new CoreLogger($uid));
         $logger->log("connexion", Env::v('n'));
@@ -243,11 +249,11 @@ function set_skin()
     global $globals;
     if (S::logged() && !S::has('skin')) {
         $uid = S::v('uid');
-       $res = XDB::query("SELECT  skin_tpl
+    $res = XDB::query("SELECT  skin_tpl
                              FROM  auth_user_quick AS a
                        INNER JOIN  skins           AS s ON a.skin = s.id
                             WHERE  user_id = {?} AND skin_tpl != ''", $uid);
-       if ($_SESSION['skin'] = $res->fetchOneCell()) {
+    if ($_SESSION['skin'] = $res->fetchOneCell()) {
             return;
         }
     }

diff --git a/modules/core.php b/modules/core.php
index 84aaccb..78955b1 100644 (file)
--- a/modules/core.php
+++ b/modules/core.php
@@ -27,6 +27,7 @@ class CoreModule extends PLModule
             '403'         => $this->make_hook('403', AUTH_PUBLIC),
             '404'         => $this->make_hook('404', AUTH_PUBLIC),
             'purge_cache' => $this->make_hook('purge_cache', AUTH_COOKIE, 'admin'),
+            'get_rights'  => $this->make_hook('get_rights', AUTH_MDP, 'admin'),
 
             'valid.html'  => $this->make_hook('valid', AUTH_PUBLIC),
             'favicon.ico' => $this->make_hook('favicon', AUTH_PUBLIC),
@@ -70,6 +71,21 @@ class CoreModule extends PLModule
 
         http_redirect(empty($_SERVER['HTTP_REFERER']) ? './' : $_SERVER['HTTP_REFERER']);
     }
+
+    function handler_get_rights(&$page, $level)
+    {
+        if (S::has('suid')) {
+            $page->kill('Déjà en SUID');
+        }
+
+        if (isset($_SESSION['log'])) {
+            $_SESSION['log']->log("suid_start", "login by ".S::v('forlife'));
+        }    
+        $_SESSION['suid'] = $_SESSION;
+        $_SESSION['perms'] = $level;
+
+        pl_redirect('/');
+    }
 }
 
 ?>

diff --git a/modules/platal.php b/modules/platal.php
index d1cf8c6..d8fa628 100644 (file)
--- a/modules/platal.php
+++ b/modules/platal.php
@@ -355,17 +355,13 @@ Mail envoy
     function handler_exit(&$page, $level = null)
     {
         if (S::has('suid')) {
-            if (S::has('suid')) {
-                $a4l  = S::v('forlife');
-                $suid = S::v('suid');
-                $log  = S::v('log');
-                $log->log("suid_stop", S::v('forlife') . " by " . $suid['forlife']);
-                $_SESSION = $suid;
-                S::kill('suid');
-                pl_redirect('admin/utilisateurs.php', 'login='.$a4l);
-            } else {
-                pl_redirect('events');
-            }
+            $a4l  = S::v('forlife');
+            $suid = S::v('suid');
+            $log  = S::v('log');
+            $log->log("suid_stop", S::v('forlife') . " by " . $suid['forlife']);
+            $_SESSION = $suid;
+            S::kill('suid');
+            pl_redirect('admin/user/' . $a4l);
         }
 
         if ($level == 'forget' || $level == 'forgetall') {

diff --git a/modules/xnet.php b/modules/xnet.php
index f46ec86..2116744 100644 (file)
--- a/modules/xnet.php
+++ b/modules/xnet.php
@@ -89,8 +89,15 @@ class XnetModule extends PLModule
 
     function handler_exit(&$page)
     {
-        XnetSession::destroy();
-        $page->changeTpl('xnet/deconnexion.tpl');
+        if (S::has('suid')) {
+            $suid = S::v('suid');
+            $_SESSION['perms'] = $suid['perms'];
+            S::kill('suid');
+        } else {
+            XnetSession::destroy();
+            $page->changeTpl('xnet/deconnexion.tpl');
+        }
+        pl_redirect('/');
     }
 
     function handler_admin(&$page)

diff --git a/templates/skin/common.menu.tpl b/templates/skin/common.menu.tpl
index bc1f2ea..5066cdc 100644 (file)
--- a/templates/skin/common.menu.tpl
+++ b/templates/skin/common.menu.tpl
@@ -78,6 +78,7 @@
 <div class="menu_item"><a href="marketing">Marketing</a></div>
 <div class="menu_item"><a href="admin/">Administration</a></div>
 <div class="menu_item"><a href="purge_cache">Clear cache</a></div>
+<div class="menu_item"><a href="get_rights/user">Quitter les droits d'admin</a></div>
 <div class="menu_item"><a href="http://trackers.polytechnique.org">Trackers</a></div>
 <div class="menu_item"><a href="http://support.polytechnique.org">Support</a></div>