add two helper account access levels:

- read only - can't subscribe to more feeds, feed updates are skipped
 - disabled - can't login
define used access levels as UserHelper constants and refactor code to
use them instead of hardcoded numbers
This commit is contained in:
Andrew Dolgov 2021-11-10 20:44:51 +03:00
parent 7a52560e4e
commit 9e8d69739f
13 changed files with 105 additions and 28 deletions

View File

@ -86,10 +86,13 @@
1440 => __("Daily"), 1440 => __("Daily"),
10080 => __("Weekly")); 10080 => __("Weekly"));
$access_level_names = array( $access_level_names = [
0 => __("User"), UserHelper::ACCESS_LEVEL_DISABLED => __("Disabled"),
5 => __("Power User"), UserHelper::ACCESS_LEVEL_READONLY => __("Read Only"),
10 => __("Administrator")); UserHelper::ACCESS_LEVEL_USER => __("User"),
UserHelper::ACCESS_LEVEL_POWERUSER => __("Power User"),
UserHelper::ACCESS_LEVEL_ADMIN => __("Administrator")
];
// shortcut syntax for plugin methods (?op=plugin--pmethod&...params) // shortcut syntax for plugin methods (?op=plugin--pmethod&...params)
/* if (strpos($op, PluginHost::PUBLIC_METHOD_DELIMITER) !== false) { /* if (strpos($op, PluginHost::PUBLIC_METHOD_DELIMITER) !== false) {

View File

@ -1027,10 +1027,17 @@ class Feeds extends Handler_Protected {
* 5 - Couldn't download the URL content. * 5 - Couldn't download the URL content.
* 6 - Content is an invalid XML. * 6 - Content is an invalid XML.
* 7 - Error while creating feed database entry. * 7 - Error while creating feed database entry.
* 8 - Permission denied (ACCESS_LEVEL_READONLY).
*/ */
static function _subscribe($url, $cat_id = 0, static function _subscribe($url, $cat_id = 0,
$auth_login = '', $auth_pass = '') : array { $auth_login = '', $auth_pass = '') : array {
$user = ORM::for_table("ttrss_users")->find_one($_SESSION['uid']);
if ($user && $user->access_level == UserHelper::ACCESS_LEVEL_READONLY) {
return ["code" => 8];
}
$pdo = Db::pdo(); $pdo = Db::pdo();
$url = UrlHelper::validate($url); $url = UrlHelper::validate($url);

View File

@ -2,7 +2,7 @@
class Handler_Administrative extends Handler_Protected { class Handler_Administrative extends Handler_Protected {
function before($method) { function before($method) {
if (parent::before($method)) { if (parent::before($method)) {
if (($_SESSION["access_level"] ?? 0) >= 10) { if (($_SESSION["access_level"] ?? 0) >= UserHelper::ACCESS_LEVEL_ADMIN) {
return true; return true;
} }
} }

View File

@ -538,6 +538,8 @@ class Pref_Feeds extends Handler_Protected {
$local_purge_intervals = [ T_nsprintf('%d day', '%d days', $purge_interval, $purge_interval) ]; $local_purge_intervals = [ T_nsprintf('%d day', '%d days', $purge_interval, $purge_interval) ];
} }
$user = ORM::for_table("ttrss_users")->find_one($_SESSION["uid"]);
print json_encode([ print json_encode([
"feed" => $row, "feed" => $row,
"cats" => [ "cats" => [
@ -550,6 +552,9 @@ class Pref_Feeds extends Handler_Protected {
"update" => $local_update_intervals, "update" => $local_update_intervals,
"purge" => $local_purge_intervals, "purge" => $local_purge_intervals,
], ],
"user" => [
"access_level" => $user->access_level
],
"lang" => [ "lang" => [
"enabled" => Config::get(Config::DB_TYPE) == "pgsql", "enabled" => Config::get(Config::DB_TYPE) == "pgsql",
"default" => get_pref(Prefs::DEFAULT_SEARCH_LANGUAGE), "default" => get_pref(Prefs::DEFAULT_SEARCH_LANGUAGE),
@ -1207,6 +1212,13 @@ class Pref_Feeds extends Handler_Protected {
$login = clean($_REQUEST['login']); $login = clean($_REQUEST['login']);
$pass = clean($_REQUEST['pass']); $pass = clean($_REQUEST['pass']);
$user = ORM::for_table('ttrss_users')->find_one($_SESSION["uid"]);
// TODO: we should return some kind of error code to frontend here
if ($user->access_level == UserHelper::ACCESS_LEVEL_READONLY) {
return false;
}
$csth = $this->pdo->prepare("SELECT id FROM ttrss_feeds $csth = $this->pdo->prepare("SELECT id FROM ttrss_feeds
WHERE feed_url = ? AND owner_uid = ?"); WHERE feed_url = ? AND owner_uid = ?");

View File

@ -813,7 +813,7 @@ class Pref_Prefs extends Handler_Protected {
usort($rv, function($a, $b) { return strcmp($a["name"], $b["name"]); }); usort($rv, function($a, $b) { return strcmp($a["name"], $b["name"]); });
print json_encode(['plugins' => $rv, 'is_admin' => $_SESSION['access_level'] >= 10]); print json_encode(['plugins' => $rv, 'is_admin' => $_SESSION['access_level'] >= UserHelper::ACCESS_LEVEL_ADMIN]);
} }
function index_plugins() { function index_plugins() {
@ -890,7 +890,7 @@ class Pref_Prefs extends Handler_Protected {
<?= \Controls\button_tag(\Controls\icon("refresh"), "", ["title" => __("Reload"), "onclick" => "Helpers.Plugins.reload()"]) ?> <?= \Controls\button_tag(\Controls\icon("refresh"), "", ["title" => __("Reload"), "onclick" => "Helpers.Plugins.reload()"]) ?>
<?php if ($_SESSION["access_level"] >= 10) { ?> <?php if ($_SESSION["access_level"] >= UserHelper::ACCESS_LEVEL_ADMIN) { ?>
<?php if (Config::get(Config::CHECK_FOR_UPDATES) && Config::get(Config::CHECK_FOR_PLUGIN_UPDATES)) { ?> <?php if (Config::get(Config::CHECK_FOR_UPDATES) && Config::get(Config::CHECK_FOR_PLUGIN_UPDATES)) { ?>
<button class='alt-warning' dojoType='dijit.form.Button' onclick="Helpers.Plugins.update()"> <button class='alt-warning' dojoType='dijit.form.Button' onclick="Helpers.Plugins.update()">
@ -1152,7 +1152,7 @@ class Pref_Prefs extends Handler_Protected {
} }
function uninstallPlugin() { function uninstallPlugin() {
if ($_SESSION["access_level"] >= 10) { if ($_SESSION["access_level"] >= UserHelper::ACCESS_LEVEL_ADMIN) {
$plugin_name = basename(clean($_REQUEST['plugin'])); $plugin_name = basename(clean($_REQUEST['plugin']));
$status = 0; $status = 0;
@ -1167,7 +1167,7 @@ class Pref_Prefs extends Handler_Protected {
} }
function installPlugin() { function installPlugin() {
if ($_SESSION["access_level"] >= 10 && Config::get(Config::ENABLE_PLUGIN_INSTALLER)) { if ($_SESSION["access_level"] >= UserHelper::ACCESS_LEVEL_ADMIN && Config::get(Config::ENABLE_PLUGIN_INSTALLER)) {
$plugin_name = basename(clean($_REQUEST['plugin'])); $plugin_name = basename(clean($_REQUEST['plugin']));
$all_plugins = $this->_get_available_plugins(); $all_plugins = $this->_get_available_plugins();
$plugin_dir = dirname(dirname(__DIR__)) . "/plugins.local"; $plugin_dir = dirname(dirname(__DIR__)) . "/plugins.local";
@ -1252,18 +1252,18 @@ class Pref_Prefs extends Handler_Protected {
} }
private function _get_available_plugins() { private function _get_available_plugins() {
if ($_SESSION["access_level"] >= 10 && Config::get(Config::ENABLE_PLUGIN_INSTALLER)) { if ($_SESSION["access_level"] >= UserHelper::ACCESS_LEVEL_ADMIN && Config::get(Config::ENABLE_PLUGIN_INSTALLER)) {
return json_decode(UrlHelper::fetch(['url' => 'https://tt-rss.org/plugins.json']), true); return json_decode(UrlHelper::fetch(['url' => 'https://tt-rss.org/plugins.json']), true);
} }
} }
function getAvailablePlugins() { function getAvailablePlugins() {
if ($_SESSION["access_level"] >= 10) { if ($_SESSION["access_level"] >= UserHelper::ACCESS_LEVEL_ADMIN) {
print json_encode($this->_get_available_plugins()); print json_encode($this->_get_available_plugins());
} }
} }
function checkForPluginUpdates() { function checkForPluginUpdates() {
if ($_SESSION["access_level"] >= 10 && Config::get(Config::CHECK_FOR_UPDATES) && Config::get(Config::CHECK_FOR_PLUGIN_UPDATES)) { if ($_SESSION["access_level"] >= UserHelper::ACCESS_LEVEL_ADMIN && Config::get(Config::CHECK_FOR_UPDATES) && Config::get(Config::CHECK_FOR_PLUGIN_UPDATES)) {
$plugin_name = $_REQUEST["name"] ?? ""; $plugin_name = $_REQUEST["name"] ?? "";
$root_dir = dirname(dirname(__DIR__)); # we're in classes/pref/ $root_dir = dirname(dirname(__DIR__)); # we're in classes/pref/
@ -1279,7 +1279,7 @@ class Pref_Prefs extends Handler_Protected {
} }
function updateLocalPlugins() { function updateLocalPlugins() {
if ($_SESSION["access_level"] >= 10) { if ($_SESSION["access_level"] >= UserHelper::ACCESS_LEVEL_ADMIN) {
$plugins = explode(",", $_REQUEST["plugins"] ?? ""); $plugins = explode(",", $_REQUEST["plugins"] ?? "");
# we're in classes/pref/ # we're in classes/pref/

View File

@ -299,7 +299,8 @@ class RPC extends Handler_Protected {
ttrss_feeds f, ttrss_users u LEFT JOIN ttrss_user_prefs2 p ON ttrss_feeds f, ttrss_users u LEFT JOIN ttrss_user_prefs2 p ON
(p.owner_uid = u.id AND profile IS NULL AND pref_name = 'DEFAULT_UPDATE_INTERVAL') (p.owner_uid = u.id AND profile IS NULL AND pref_name = 'DEFAULT_UPDATE_INTERVAL')
WHERE WHERE
f.owner_uid = u.id f.owner_uid = u.id AND
u.access_level NOT IN (".sprintf("%d, %d", UserHelper::ACCESS_LEVEL_DISABLED, UserHelper::ACCESS_LEVEL_READONLY).")
$owner_check_qpart $owner_check_qpart
$update_limit_qpart $update_limit_qpart
$updstart_thresh_qpart $updstart_thresh_qpart
@ -403,7 +404,7 @@ class RPC extends Handler_Protected {
$git_timestamp = $version["timestamp"] ?? false; $git_timestamp = $version["timestamp"] ?? false;
$git_commit = $version["commit"] ?? false; $git_commit = $version["commit"] ?? false;
if (Config::get(Config::CHECK_FOR_UPDATES) && $_SESSION["access_level"] >= 10 && $git_timestamp) { if (Config::get(Config::CHECK_FOR_UPDATES) && $_SESSION["access_level"] >= UserHelper::ACCESS_LEVEL_ADMIN && $git_timestamp) {
$content = @UrlHelper::fetch(["url" => "https://tt-rss.org/version.json"]); $content = @UrlHelper::fetch(["url" => "https://tt-rss.org/version.json"]);
if ($content) { if ($content) {
@ -510,7 +511,7 @@ class RPC extends Handler_Protected {
$data['cdm_expanded'] = get_pref(Prefs::CDM_EXPANDED); $data['cdm_expanded'] = get_pref(Prefs::CDM_EXPANDED);
$data["labels"] = Labels::get_all($_SESSION["uid"]); $data["labels"] = Labels::get_all($_SESSION["uid"]);
if (Config::get(Config::LOG_DESTINATION) == 'sql' && $_SESSION['access_level'] >= 10) { if (Config::get(Config::LOG_DESTINATION) == 'sql' && $_SESSION['access_level'] >= UserHelper::ACCESS_LEVEL_ADMIN) {
if (Config::get(Config::DB_TYPE) == 'pgsql') { if (Config::get(Config::DB_TYPE) == 'pgsql') {
$log_interval = "created_at > NOW() - interval '1 hour'"; $log_interval = "created_at > NOW() - interval '1 hour'";
} else { } else {

View File

@ -123,7 +123,8 @@ class RSSUtils {
ttrss_feeds f, ttrss_users u LEFT JOIN ttrss_user_prefs2 p ON ttrss_feeds f, ttrss_users u LEFT JOIN ttrss_user_prefs2 p ON
(p.owner_uid = u.id AND profile IS NULL AND pref_name = 'DEFAULT_UPDATE_INTERVAL') (p.owner_uid = u.id AND profile IS NULL AND pref_name = 'DEFAULT_UPDATE_INTERVAL')
WHERE WHERE
f.owner_uid = u.id f.owner_uid = u.id AND
u.access_level NOT IN (".sprintf("%d, %d", UserHelper::ACCESS_LEVEL_DISABLED, UserHelper::ACCESS_LEVEL_READONLY).")
$login_thresh_qpart $login_thresh_qpart
$update_limit_qpart $update_limit_qpart
$updstart_thresh_qpart $updstart_thresh_qpart
@ -163,7 +164,8 @@ class RSSUtils {
FROM ttrss_feeds f, ttrss_users u LEFT JOIN ttrss_user_prefs2 p ON FROM ttrss_feeds f, ttrss_users u LEFT JOIN ttrss_user_prefs2 p ON
(p.owner_uid = u.id AND profile IS NULL AND pref_name = 'DEFAULT_UPDATE_INTERVAL') (p.owner_uid = u.id AND profile IS NULL AND pref_name = 'DEFAULT_UPDATE_INTERVAL')
WHERE WHERE
f.owner_uid = u.id f.owner_uid = u.id AND
u.access_level NOT IN (".sprintf("%d, %d", UserHelper::ACCESS_LEVEL_DISABLED, UserHelper::ACCESS_LEVEL_READONLY).")
AND feed_url = :feed AND feed_url = :feed
$login_thresh_qpart $login_thresh_qpart
$update_limit_qpart $update_limit_qpart
@ -352,6 +354,19 @@ class RSSUtils {
if (!$feed_language) $feed_language = mb_strtolower(get_pref(Prefs::DEFAULT_SEARCH_LANGUAGE, $feed_obj->owner_uid)); if (!$feed_language) $feed_language = mb_strtolower(get_pref(Prefs::DEFAULT_SEARCH_LANGUAGE, $feed_obj->owner_uid));
if (!$feed_language) $feed_language = 'simple'; if (!$feed_language) $feed_language = 'simple';
$user = ORM::for_table('ttrss_users')->find_one($feed_obj->owner_uid);
if ($user) {
if ($user->access_level == UserHelper::ACCESS_LEVEL_READONLY) {
Debug::log("error: denied update for $feed: permission denied by owner access level");
return false;
}
} else {
// this would indicate database corruption of some kind
Debug::log("error: owner not found for feed: $feed");
return false;
}
} else { } else {
Debug::log("error: feeds table record not found for feed: $feed"); Debug::log("error: feeds table record not found for feed: $feed");
return false; return false;

View File

@ -17,6 +17,21 @@ class UserHelper {
self::HASH_ALGO_SHA1 self::HASH_ALGO_SHA1
]; ];
/** forbidden to login */
const ACCESS_LEVEL_DISABLED = -2;
/** can't subscribe to new feeds, feeds are not updated */
const ACCESS_LEVEL_READONLY = -1;
/** no restrictions, regular user */
const ACCESS_LEVEL_USER = 0;
/** not used, same as regular user */
const ACCESS_LEVEL_POWERUSER = 5;
/** has administrator permissions */
const ACCESS_LEVEL_ADMIN = 10;
static function authenticate(string $login = null, string $password = null, bool $check_only = false, string $service = null) { static function authenticate(string $login = null, string $password = null, bool $check_only = false, string $service = null) {
if (!Config::get(Config::SINGLE_USER_MODE)) { if (!Config::get(Config::SINGLE_USER_MODE)) {
$user_id = false; $user_id = false;
@ -41,7 +56,7 @@ class UserHelper {
$user = ORM::for_table('ttrss_users')->find_one($user_id); $user = ORM::for_table('ttrss_users')->find_one($user_id);
if ($user) { if ($user && $user->access_level != self::ACCESS_LEVEL_DISABLED) {
$_SESSION["uid"] = $user_id; $_SESSION["uid"] = $user_id;
$_SESSION["auth_module"] = $auth_module; $_SESSION["auth_module"] = $auth_module;
$_SESSION["name"] = $user->login; $_SESSION["name"] = $user->login;
@ -68,7 +83,7 @@ class UserHelper {
$_SESSION["uid"] = 1; $_SESSION["uid"] = 1;
$_SESSION["name"] = "admin"; $_SESSION["name"] = "admin";
$_SESSION["access_level"] = 10; $_SESSION["access_level"] = self::ACCESS_LEVEL_ADMIN;
$_SESSION["hide_hello"] = true; $_SESSION["hide_hello"] = true;
$_SESSION["hide_logout"] = true; $_SESSION["hide_logout"] = true;

View File

@ -1,6 +1,8 @@
<?php <?php
namespace Sessions; namespace Sessions;
use UserHelper;
require_once "autoload.php"; require_once "autoload.php";
require_once "functions.php"; require_once "functions.php";
require_once "errorhandler.php"; require_once "errorhandler.php";
@ -42,6 +44,11 @@
$_SESSION["login_error_msg"] = __("Session failed to validate (password changed)"); $_SESSION["login_error_msg"] = __("Session failed to validate (password changed)");
return false; return false;
} }
if ($user->access_level == UserHelper::ACCESS_LEVEL_DISABLED) {
$_SESSION["login_error_msg"] = __("Session failed to validate (account is disabled)");
return false;
}
} else { } else {
$_SESSION["login_error_msg"] = __("Session failed to validate (user not found)"); $_SESSION["login_error_msg"] = __("Session failed to validate (user not found)");
return false; return false;

View File

@ -17,6 +17,9 @@ const App = {
hotkey_actions: {}, hotkey_actions: {},
is_prefs: false, is_prefs: false,
LABEL_BASE_INDEX: -1024, LABEL_BASE_INDEX: -1024,
UserAccessLevels: {
ACCESS_LEVEL_READONLY: -1
},
_translations: {}, _translations: {},
Hash: { Hash: {
get: function() { get: function() {
@ -76,10 +79,15 @@ const App = {
</select> </select>
` `
}, },
select_hash: function(name, value, values = {}, attributes = {}, id = "") { select_hash: function(name, value, values = {}, attributes = {}, id = "", params = {}) {
let keys = Object.keys(values);
if (params.numeric_sort)
keys = keys.sort((a,b) => a - b);
return ` return `
<select name="${name}" dojoType="fox.form.Select" id="${App.escapeHtml(id)}" ${this.attributes_to_string(attributes)}> <select name="${name}" dojoType="fox.form.Select" id="${App.escapeHtml(id)}" ${this.attributes_to_string(attributes)}>
${Object.keys(values).map((vk) => ${keys.map((vk) =>
`<option ${vk == value ? 'selected="selected"' : ''} value="${App.escapeHtml(vk)}">${App.escapeHtml(values[vk])}</option>` `<option ${vk == value ? 'selected="selected"' : ''} value="${App.escapeHtml(vk)}">${App.escapeHtml(values[vk])}</option>`
).join("")} ).join("")}
</select> </select>

View File

@ -131,6 +131,9 @@ const CommonDialogs = {
console.log(rc); console.log(rc);
switch (parseInt(rc['code'])) { switch (parseInt(rc['code'])) {
case 0:
dialog.show_error(__("You are already subscribed to this feed."));
break;
case 1: case 1:
dialog.hide(); dialog.hide();
Notify.info(__("Subscribed to %s").replace("%s", feed_url)); Notify.info(__("Subscribed to %s").replace("%s", feed_url));
@ -175,8 +178,11 @@ const CommonDialogs = {
case 6: case 6:
dialog.show_error(__("XML validation failed: %s").replace("%s", rc['message'])); dialog.show_error(__("XML validation failed: %s").replace("%s", rc['message']));
break; break;
case 0: case 7:
dialog.show_error(__("You are already subscribed to this feed.")); dialog.show_error(__("Error while creating feed database entry."));
break;
case 8:
dialog.show_error(__("You are not allowed to perform this operation."));
break; break;
} }
@ -451,6 +457,7 @@ const CommonDialogs = {
xhr.json("backend.php", {op: "pref-feeds", method: "editfeed", id: feed_id}, (reply) => { xhr.json("backend.php", {op: "pref-feeds", method: "editfeed", id: feed_id}, (reply) => {
const feed = reply.feed; const feed = reply.feed;
const is_readonly = reply.user.access_level == App.UserAccessLevels.ACCESS_LEVEL_READONLY;
// for unsub prompt // for unsub prompt
dialog.feed_title = feed.title; dialog.feed_title = feed.title;
@ -524,7 +531,9 @@ const CommonDialogs = {
<fieldset> <fieldset>
<label>${__("Update interval:")}</label> <label>${__("Update interval:")}</label>
${App.FormFields.select_hash("update_interval", feed.update_interval, reply.intervals.update)} ${App.FormFields.select_hash("update_interval", is_readonly ? -1 : feed.update_interval,
reply.intervals.update,
{disabled: is_readonly})}
</fieldset> </fieldset>
<fieldset> <fieldset>
<label>${__('Article purging:')}</label> <label>${__('Article purging:')}</label>

View File

@ -75,7 +75,7 @@ const Users = {
<fieldset> <fieldset>
<label>${__('Access level: ')}</label> <label>${__('Access level: ')}</label>
${App.FormFields.select_hash("access_level", ${App.FormFields.select_hash("access_level",
user.access_level, reply.access_level_names, {disabled: admin_disabled.toString()})} user.access_level, reply.access_level_names, {disabled: admin_disabled.toString()}, "", {numeric_sort: true})}
${admin_disabled ? App.FormFields.hidden_tag("access_level", ${admin_disabled ? App.FormFields.hidden_tag("access_level",
user.access_level.toString()) : ''} user.access_level.toString()) : ''}

View File

@ -148,7 +148,7 @@
style="padding : 0px" style="padding : 0px"
href="backend.php?op=pref-labels" href="backend.php?op=pref-labels"
title="<i class='material-icons'>label_outline1</i> <?= __('Labels') ?>"></div> title="<i class='material-icons'>label_outline1</i> <?= __('Labels') ?>"></div>
<?php if ($_SESSION["access_level"] >= 10) { ?> <?php if ($_SESSION["access_level"] >= UserHelper::ACCESS_LEVEL_ADMIN) { ?>
<div id="usersTab" dojoType="dijit.layout.ContentPane" <div id="usersTab" dojoType="dijit.layout.ContentPane"
style="padding : 0px" style="padding : 0px"
href="backend.php?op=pref-users" href="backend.php?op=pref-users"