From e74411f79a8d88aac5ffa260daa4dce27dfba37f Mon Sep 17 00:00:00 2001
From: x2003bruneau
Date: Thu, 7 Dec 2006 15:34:11 +0000
Subject: [PATCH] #593: Admins can take user rights temporarily
git-svn-id: svn+ssh://murphy/home/svn/platal/trunk@1254 839d8a87-29fc-0310-9880-83ba4fa771e5
---
 ChangeLog | 3 +
 include/xnet/page.inc.php | 8 ++-
 include/xorg/session.inc.php | 122 +++++++++++++++++++++--------------------
 modules/core.php | 16 ++++++
 modules/platal.php | 18 +++---
 modules/xnet.php | 11 +++-
 templates/skin/common.menu.tpl | 1 +
 7 files changed, 107 insertions(+), 72 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 3b08849..f7d6ab4 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -25,6 +25,9 @@ New:
 Bug/Wish:
+ * Admin:
+ - #593: Admins can take temporarily user rights -FRU
+ * Core: - #558: Propose a valid URL when getting a 404 error -FRU
diff --git a/include/xnet/page.inc.php b/include/xnet/page.inc.php
index 47e011a..b52d7fc 100644
--- a/include/xnet/page.inc.php
+++ b/include/xnet/page.inc.php
@@ -132,7 +132,13 @@ function list_all_my_groups($params)
 FROM groupex.asso AS a INNER JOIN groupex.membres AS m ON m.asso_id = a.id WHERE m.uid={?}", S::v('uid'));
- $html = '
Mes groupes (déconnexion) :
';
+ $links = 'déconnexion';
+ if (S::has('suid')) {
+ $links = 'reprendre les droits d\'admin';
+ } elseif (S::has_perms()) {
+ $links = 'perdre les droits d\'admin|' . $links;
+ }
+ $html = '
Mes groupes (' . $links . ') :
';
 while (list($nom, $mini) = $res->next()) {
 $html .= "$nom";
 }
diff --git a/include/xorg/session.inc.php b/include/xorg/session.inc.php
index e6b838a..c112f40 100644
--- a/include/xorg/session.inc.php
+++ b/include/xorg/session.inc.php
@@ -25,8 +25,8 @@ class XorgSession
 public static function init() {
 S::init();
- if (!S::has('uid')) {
- try_cookie();
+ if (!S::has('uid')) {
+ try_cookie();
 }
 }
@@ -43,10 +43,10 @@ class XorgSession
 public static function doAuth($new_name = false) {
- global $globals;
- if (S::identified()) { // ok, c'est bon, on n'a rien à faire
- return true;
- }
+ global $globals;
+ if (S::identified()) { // ok, c'est bon, on n'a rien à faire
+ return true;
+ }
 if (!Env::has('username') || !Env::has('response') || !S::has('challenge'))
@@ -56,24 +56,29 @@ class XorgSession
 // si on vient de recevoir une identification par passwordpromptscreen.tpl
 // ou passwordpromptscreenlogged.tpl
- $uname = Env::v('username');
-
- if (Env::v('domain') == "alias") {
-
- $res = XDB::query( "SELECT redirect FROM virtual INNER JOIN virtual_redirect USING(vid) WHERE alias LIKE {?}", $uname."@".$globals->mail->alias_dom);
- $redirect = $res->fetchOneCell();
- if ($redirect) {
- $login = substr($redirect, 0, strpos($redirect, '@'));
+ if (S::has('suid')) {
+ $suid = S::v('suid');
+ $login = $uname = $suid['forlife'];
+ $redirect = false;
+ } else {
+ $uname = Env::v('username');
+
+ if (Env::v('domain') == "alias") {
+ $res = XDB::query( "SELECT redirect FROM virtual INNER JOIN virtual_redirect USING(vid) WHERE alias LIKE {?}", $uname."@".$globals->mail->alias_dom);
+ $redirect = $res->fetchOneCell();
+ if ($redirect) {
+ $login = substr($redirect, 0, strpos($redirect, '@'));
+ } else {
+ $login = "";
+ }
 } else {
- $login = "";
+ $login = $uname;
+ $redirect = false;
 }
- } else {
- $login = $uname;
- $redirect = false;
 }
 }
 $field = (!$redirect && preg_match('/^\d*$/', $uname)) ? 'id' : 'alias';
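Review bot: The new `if (S::has('suid'))` branch in doAuth ignores `Env::v('username')` and re-checks the password of the account stored in `$suid['forlife']`, which in the get_rights flow is the admin's own account (handler_get_rights saves the whole current session into `suid`) but in any other suid session is the original identity rather than the one the session currently runs as; the code should say so, e.g. `// en SUID, on vérifie le mot de passe du compte d'origine (sauvé dans suid), jamais celui de la session courante`. `$suid['forlife']` is also read without checking the key exists, so a `suid` entry written by another code path would silently yield an empty `$uname`; guarding with `if (empty($suid['forlife']))` and treating it as a failed authentication would make that explicit. doAuth starts before this hunk and continues after it.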
@@ -85,18 +90,18 @@ class XorgSession
 $logger = S::v('log');
 if (list($uid, $password) = $res->fetchOneRow()) {
- require_once('secure_hash.inc.php');
- $expected_response = hash_encrypt("$uname:$password:".S::v('challenge'));
- // le password de la base est peut-être encore encodé en md5
- if (Env::v('response') != $expected_response) {
- $new_password = hash_xor(Env::v('xorpass'), $password);
- $expected_response = hash_encrypt("$uname:$new_password:".S::v('challenge'));
- if (Env::v('response') == $expected_response) {
- XDB::execute("UPDATE auth_user_md5 SET password = {?} WHERE user_id = {?}",
- $new_password, $uid);
- }
- }
- if (Env::v('response') == $expected_response) {
+ require_once('secure_hash.inc.php');
+ $expected_response = hash_encrypt("$uname:$password:".S::v('challenge'));
+ // le password de la base est peut-être encore encodé en md5
+ if (Env::v('response') != $expected_response) {
+ $new_password = hash_xor(Env::v('xorpass'), $password);
+ $expected_response = hash_encrypt("$uname:$new_password:".S::v('challenge'));
+ if (Env::v('response') == $expected_response) {
+ XDB::execute("UPDATE auth_user_md5 SET password = {?} WHERE user_id = {?}",
+ $new_password, $uid);
+ }
+ }
+ if (Env::v('response') == $expected_response) {
 if (Env::has('domain')) {
 if (($domain = Env::v('domain', 'login')) == 'alias') {
 setcookie('ORGdomain', "alias", (time()+25920000), '/', '', 0);
@@ -111,7 +116,7 @@ class XorgSession
 if ($logger) {
 $logger->log('auth_ok');
 }
- start_connexion($uid, true);
+ start_connexion($uid, true);
 if (Env::v('remember', 'false') == 'true') {
 $cookie = hash_encrypt(S::v('password'));
 setcookie('ORGaccess',$cookie,(time()+25920000),'/','',0);
@@ -125,8 +130,8 @@ class XorgSession
 $logger->log("cookie_off");
 }
 }
- return true;
- } elseif ($logger) {
+ return true;
+ } elseif ($logger) {
 $logger->log('auth_fail','bad password');
 }
 } elseif ($logger) {
@@ -145,16 +150,16 @@ class XorgSession
 */
 public static function doAuthCookie() {
- if (S::logged()) {
- return true;
+ if (S::logged()) {
+ return true;
 }
- if (Env::has('username') and Env::has('response')) {
- return XorgSession::doAuth();
+ if (Env::has('username') and Env::has('response')) {
+ return XorgSession::doAuth();
 }
- if ($r = try_cookie()) {
- return XorgSession::doAuth(($r > 0));
+ if ($r = try_cookie()) {
+ return XorgSession::doAuth(($r > 0));
 }
 return false;
@@ -172,7 +177,7 @@ class XorgSession
 function try_cookie() {
 if (Cookie::v('ORGaccess') == '' or !Cookie::has('ORGuid')) {
- return -1;
+ return -1;
 }
 $res = @XDB::query(
@@ -181,13 +186,13 @@ function try_cookie()
 Cookie::i('ORGuid'));
 if ($res->numRows() != 0) {
- list($uid, $password) = $res->fetchOneRow();
- require_once('secure_hash.inc.php');
- $expected_value = hash_encrypt($password);
- if ($expected_value == Cookie::v('ORGaccess')) {
- start_connexion($uid, false);
- return 0;
- } else {
+ list($uid, $password) = $res->fetchOneRow();
+ require_once('secure_hash.inc.php');
+ $expected_value = hash_encrypt($password);
+ if ($expected_value == Cookie::v('ORGaccess')) {
+ start_connexion($uid, false);
+ return 0;
+ } else {
 return 1;
 }
 }
@@ -206,13 +211,13 @@ function try_cookie()
 function start_connexion ($uid, $identified) {
 $res = XDB::query("
- SELECT u.user_id AS uid, prenom, nom, perms, promo, matricule, password, FIND_IN_SET('femme', u.flags) AS femme,
+ SELECT u.user_id AS uid, prenom, nom, perms, promo, matricule, password, FIND_IN_SET('femme', u.flags) AS femme, UNIX_TIMESTAMP(s.start) AS lastlogin, s.host, a.alias AS forlife, a2.alias AS bestalias, q.core_mail_fmt AS mail_fmt, UNIX_TIMESTAMP(q.banana_last) AS banana_last, q.watch_last, q.core_rss_hash FROM auth_user_md5 AS u INNER JOIN auth_user_quick AS q USING(user_id)
- INNER JOIN aliases AS a ON (u.user_id = a.id AND a.type='a_vie')
- INNER JOIN aliases AS a2 ON (u.user_id = a2.id AND FIND_IN_SET('bestalias',a2.flags))
+ INNER JOIN aliases AS a ON (u.user_id = a.id AND a.type='a_vie')
+ INNER JOIN aliases AS a2 ON (u.user_id = a2.id AND FIND_IN_SET('bestalias',a2.flags)) LEFT JOIN logger.sessions AS s ON (s.uid=u.user_id AND s.suid=0) WHERE u.user_id = {?} AND u.perms IN('admin','user') ORDER BY s.start DESC
@@ -221,9 +226,10 @@ function start_connexion ($uid, $identified)
 $suid = S::v('suid');
 if ($suid) {
- $logger = new CoreLogger($uid, $suid);
- $logger->log("suid_start", S::v('forlife')." by {$suid['uid']}");
+ $logger = new CoreLogger($uid, $suid);
+ $logger->log("suid_start", S::v('forlife')." by {$suid['uid']}");
 $sess['suid'] = $suid;
+ $sess['perms'] = $_SESSION['perms'];
 } else {
 $logger = S::v('log', new CoreLogger($uid));
 $logger->log("connexion", Env::v('n'));
@@ -243,11 +249,11 @@ function set_skin()
 global $globals;
 if (S::logged() && !S::has('skin')) {
 $uid = S::v('uid');
- $res = XDB::query("SELECT skin_tpl
+ $res = XDB::query("SELECT skin_tpl FROM auth_user_quick AS a INNER JOIN skins AS s ON a.skin = s.id WHERE user_id = {?} AND skin_tpl != ''", $uid);
- if ($_SESSION['skin'] = $res->fetchOneCell()) {
+ if ($_SESSION['skin'] = $res->fetchOneCell()) {
 return;
 }
 }
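Review bot: `$sess['perms'] = $_SESSION['perms'];` in start_connexion overrides the `perms` column just fetched from auth_user_md5 with whatever the calling session carries, and it does so for every session that has `suid` set, not only the get_rights one. For get_rights that is the reduced level written by handler_get_rights, which is the intent; but if any other path (the admin-to-user suid flow that platal's handler_exit redirect to `admin/user/` suggests exists) sets `suid` and then calls start_connexion, the impersonated session would now inherit the admin's perms instead of the user's — worth confirming before merging. A comment on that line would make the dependency explicit, e.g. `// en SUID, on garde les droits de la session courante (fixés par get_rights) plutôt que ceux de la base`. start_connexion starts before this hunk.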
diff --git a/modules/core.php b/modules/core.php
index 84aaccb..78955b1 100644
--- a/modules/core.php
+++ b/modules/core.php
@@ -27,6 +27,7 @@ class CoreModule extends PLModule
 '403' => $this->make_hook('403', AUTH_PUBLIC),
 '404' => $this->make_hook('404', AUTH_PUBLIC),
 'purge_cache' => $this->make_hook('purge_cache', AUTH_COOKIE, 'admin'),
+ 'get_rights' => $this->make_hook('get_rights', AUTH_MDP, 'admin'),
 'valid.html' => $this->make_hook('valid', AUTH_PUBLIC),
 'favicon.ico' => $this->make_hook('favicon', AUTH_PUBLIC),
@@ -70,6 +71,21 @@ class CoreModule extends PLModule
 http_redirect(empty($_SERVER['HTTP_REFERER']) ? './' : $_SERVER['HTTP_REFERER']);
 }
+
+ function handler_get_rights(&$page, $level)
+ {
+ if (S::has('suid')) {
+ $page->kill('Déjà en SUID');
+ }
+
+ if (isset($_SESSION['log'])) {
+ $_SESSION['log']->log("suid_start", "login by ".S::v('forlife'));
+ }
+ $_SESSION['suid'] = $_SESSION;
+ $_SESSION['perms'] = $level;
+
+ pl_redirect('/');
+ }
 }
 ?>
diff --git a/modules/platal.php b/modules/platal.php
index d1cf8c6..d8fa628 100644
--- a/modules/platal.php
+++ b/modules/platal.php
@@ -355,17 +355,13 @@ Mail envoy
 function handler_exit(&$page, $level = null) {
 if (S::has('suid')) {
- if (S::has('suid')) {
- $a4l = S::v('forlife');
- $suid = S::v('suid');
- $log = S::v('log');
- $log->log("suid_stop", S::v('forlife') . " by " . $suid['forlife']);
- $_SESSION = $suid;
- S::kill('suid');
- pl_redirect('admin/utilisateurs.php', 'login='.$a4l);
- } else {
- pl_redirect('events');
- }
+ $a4l = S::v('forlife');
+ $suid = S::v('suid');
+ $log = S::v('log');
+ $log->log("suid_stop", S::v('forlife') . " by " . $suid['forlife']);
+ $_SESSION = $suid;
+ S::kill('suid');
+ pl_redirect('admin/user/' . $a4l);
 }
 if ($level == 'forget' || $level == 'forgetall') {
diff --git a/modules/xnet.php b/modules/xnet.php
index f46ec86..2116744 100644
--- a/modules/xnet.php
+++ b/modules/xnet.php
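Review bot: `$_SESSION['perms'] = $level;` in handler_get_rights stores the handler's `$level` argument — presumably the path segment after `get_rights/` — without checking it against the permission values the rest of the code knows (start_connexion's query only accepts `'admin'` and `'user'`), so an empty or misspelt segment leaves the session with an unknown perms value until `exit` restores it. Rejecting anything else first, `if ($level !== 'user') { $page->kill('Niveau de droits inconnu'); }`, keeps the session consistent. The `Déjà en SUID` branch relies on `$page->kill()` ending the request; if it only renders an error, the following lines copy a session that already contains `suid` into itself. `$_SESSION['suid'] = $_SESSION` also snapshots the `password` and `log` entries, which is what platal's handler_exit expects when it restores with `$_SESSION = $suid`, but that coupling deserves a comment on the line.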
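Review bot: `pl_redirect('admin/user/' . $a4l)` in platal's handler_exit sends the admin to the page of `$a4l`, the forlife of the session being discarded; after get_rights that session is the admin's own (doAuth re-authenticates `$suid['forlife']` and start_connexion carries `suid` over), so the admin lands on their own admin/user page instead of where they came from. Distinguishing the two suid cases, e.g. `pl_redirect($a4l == $suid['forlife'] ? '/' : 'admin/user/' . $a4l);`, would cover both the new flow and the pre-existing one. handler_exit continues past the hunk.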
@@ -89,8 +89,15 @@ class XnetModule extends PLModule
 function handler_exit(&$page) {
- XnetSession::destroy();
- $page->changeTpl('xnet/deconnexion.tpl');
+ if (S::has('suid')) {
+ $suid = S::v('suid');
+ $_SESSION['perms'] = $suid['perms'];
+ S::kill('suid');
+ } else {
+ XnetSession::destroy();
+ $page->changeTpl('xnet/deconnexion.tpl');
+ }
+ pl_redirect('/');
 }
 function handler_admin(&$page)
diff --git a/templates/skin/common.menu.tpl b/templates/skin/common.menu.tpl
index bc1f2ea..5066cdc 100644
--- a/templates/skin/common.menu.tpl
+++ b/templates/skin/common.menu.tpl
@@ -78,6 +78,7 @@
+
-- 2.1.4
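Review bot: `pl_redirect('/')` now follows both branches of xnet's handler_exit, so in the logout branch the `$page->changeTpl('xnet/deconnexion.tpl')` set one line earlier is never rendered if pl_redirect ends the request, as its use in core.php's handler_get_rights suggests; either drop the changeTpl or keep the redirect inside the suid branch only. The suid branch also differs from platal's handler_exit in two ways worth aligning or explaining in a comment: it restores only `perms` (`$_SESSION['perms'] = $suid['perms']`) instead of the whole saved session, and it writes no `suid_stop` log entry.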