valvin
/
ttrss
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

add two helper account access levels: 

- read only - can't subscribe to more feeds, feed updates are skipped
 - disabled - can't login
define used access levels as UserHelper constants and refactor code to
use them instead of hardcoded numbers
This commit is contained in:
Andrew Dolgov 2021-11-10 20:44:51 +03:00
parent 7a52560e4e
commit 9e8d69739f
13 changed files with 105 additions and 28 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
backend.php
View File

@ -86,10 +86,13 @@
1440 => __("Daily"), 1440 => __("Daily"),
10080 => __("Weekly")); 10080 => __("Weekly"));
$access_level_names = array( $access_level_names = [
0 => __("User"), UserHelper::ACCESS_LEVEL_DISABLED => __("Disabled"),
5 => __("Power User"), UserHelper::ACCESS_LEVEL_READONLY => __("Read Only"),
10 => __("Administrator")); UserHelper::ACCESS_LEVEL_USER => __("User"),
UserHelper::ACCESS_LEVEL_POWERUSER => __("Power User"),
UserHelper::ACCESS_LEVEL_ADMIN => __("Administrator")
];
// shortcut syntax for plugin methods (?op=plugin--pmethod&...params) // shortcut syntax for plugin methods (?op=plugin--pmethod&...params)
/* if (strpos($op, PluginHost::PUBLIC_METHOD_DELIMITER) !== false) { /* if (strpos($op, PluginHost::PUBLIC_METHOD_DELIMITER) !== false) {

7
classes/feeds.php
View File

@ -1027,10 +1027,17 @@ class Feeds extends Handler_Protected {
* 5 - Couldn't download the URL content. * 5 - Couldn't download the URL content.
* 6 - Content is an invalid XML. * 6 - Content is an invalid XML.
* 7 - Error while creating feed database entry. * 7 - Error while creating feed database entry.
* 8 - Permission denied (ACCESS_LEVEL_READONLY).
*/ */
static function _subscribe($url, $cat_id = 0, static function _subscribe($url, $cat_id = 0,
$auth_login = '', $auth_pass = '') : array { $auth_login = '', $auth_pass = '') : array {
$user = ORM::for_table("ttrss_users")->find_one($_SESSION['uid']);
if ($user && $user->access_level == UserHelper::ACCESS_LEVEL_READONLY) {
return ["code" => 8];
}
$pdo = Db::pdo(); $pdo = Db::pdo();
$url = UrlHelper::validate($url); $url = UrlHelper::validate($url);

2
classes/handler/administrative.php
View File

@ -2,7 +2,7 @@
class Handler_Administrative extends Handler_Protected { class Handler_Administrative extends Handler_Protected {
function before($method) { function before($method) {
if (parent::before($method)) { if (parent::before($method)) {
if (($_SESSION["access_level"] ?? 0) >= 10) { if (($_SESSION["access_level"] ?? 0) >= UserHelper::ACCESS_LEVEL_ADMIN) {
return true; return true;
} }
} }

12
classes/pref/feeds.php
View File

@ -538,6 +538,8 @@ class Pref_Feeds extends Handler_Protected {
$local_purge_intervals = [ T_nsprintf('%d day', '%d days', $purge_interval, $purge_interval) ]; $local_purge_intervals = [ T_nsprintf('%d day', '%d days', $purge_interval, $purge_interval) ];
} }
$user = ORM::for_table("ttrss_users")->find_one($_SESSION["uid"]);
print json_encode([ print json_encode([
"feed" => $row, "feed" => $row,
"cats" => [ "cats" => [
@ -550,6 +552,9 @@ class Pref_Feeds extends Handler_Protected {
"update" => $local_update_intervals, "update" => $local_update_intervals,
"purge" => $local_purge_intervals, "purge" => $local_purge_intervals,
], ],
"user" => [
"access_level" => $user->access_level
],
"lang" => [ "lang" => [
"enabled" => Config::get(Config::DB_TYPE) == "pgsql", "enabled" => Config::get(Config::DB_TYPE) == "pgsql",
"default" => get_pref(Prefs::DEFAULT_SEARCH_LANGUAGE), "default" => get_pref(Prefs::DEFAULT_SEARCH_LANGUAGE),
@ -1207,6 +1212,13 @@ class Pref_Feeds extends Handler_Protected {
$login = clean($_REQUEST['login']); $login = clean($_REQUEST['login']);
$pass = clean($_REQUEST['pass']); $pass = clean($_REQUEST['pass']);
$user = ORM::for_table('ttrss_users')->find_one($_SESSION["uid"]);
// TODO: we should return some kind of error code to frontend here
if ($user->access_level == UserHelper::ACCESS_LEVEL_READONLY) {
return false;
}
$csth = $this->pdo->prepare("SELECT id FROM ttrss_feeds $csth = $this->pdo->prepare("SELECT id FROM ttrss_feeds
WHERE feed_url = ? AND owner_uid = ?"); WHERE feed_url = ? AND owner_uid = ?");

16
classes/pref/prefs.php
View File

@ -813,7 +813,7 @@ class Pref_Prefs extends Handler_Protected {
usort($rv, function($a, $b) { return strcmp($a["name"], $b["name"]); }); usort($rv, function($a, $b) { return strcmp($a["name"], $b["name"]); });
print json_encode(['plugins' => $rv, 'is_admin' => $_SESSION['access_level'] >= 10]); print json_encode(['plugins' => $rv, 'is_admin' => $_SESSION['access_level'] >= UserHelper::ACCESS_LEVEL_ADMIN]);
} }
function index_plugins() { function index_plugins() {
@ -890,7 +890,7 @@ class Pref_Prefs extends Handler_Protected {
<?= \Controls\button_tag(\Controls\icon("refresh"), "", ["title" => __("Reload"), "onclick" => "Helpers.Plugins.reload()"]) ?> <?= \Controls\button_tag(\Controls\icon("refresh"), "", ["title" => __("Reload"), "onclick" => "Helpers.Plugins.reload()"]) ?>
<?php if ($_SESSION["access_level"] >= 10) { ?> <?php if ($_SESSION["access_level"] >= UserHelper::ACCESS_LEVEL_ADMIN) { ?>
<?php if (Config::get(Config::CHECK_FOR_UPDATES) && Config::get(Config::CHECK_FOR_PLUGIN_UPDATES)) { ?> <?php if (Config::get(Config::CHECK_FOR_UPDATES) && Config::get(Config::CHECK_FOR_PLUGIN_UPDATES)) { ?>
<button class='alt-warning' dojoType='dijit.form.Button' onclick="Helpers.Plugins.update()"> <button class='alt-warning' dojoType='dijit.form.Button' onclick="Helpers.Plugins.update()">
@ -1152,7 +1152,7 @@ class Pref_Prefs extends Handler_Protected {
} }
function uninstallPlugin() { function uninstallPlugin() {
if ($_SESSION["access_level"] >= 10) { if ($_SESSION["access_level"] >= UserHelper::ACCESS_LEVEL_ADMIN) {
$plugin_name = basename(clean($_REQUEST['plugin'])); $plugin_name = basename(clean($_REQUEST['plugin']));
$status = 0; $status = 0;
@ -1167,7 +1167,7 @@ class Pref_Prefs extends Handler_Protected {
} }
function installPlugin() { function installPlugin() {
if ($_SESSION["access_level"] >= 10 && Config::get(Config::ENABLE_PLUGIN_INSTALLER)) { if ($_SESSION["access_level"] >= UserHelper::ACCESS_LEVEL_ADMIN && Config::get(Config::ENABLE_PLUGIN_INSTALLER)) {
$plugin_name = basename(clean($_REQUEST['plugin'])); $plugin_name = basename(clean($_REQUEST['plugin']));
$all_plugins = $this->_get_available_plugins(); $all_plugins = $this->_get_available_plugins();
$plugin_dir = dirname(dirname(__DIR__)) . "/plugins.local"; $plugin_dir = dirname(dirname(__DIR__)) . "/plugins.local";
@ -1252,18 +1252,18 @@ class Pref_Prefs extends Handler_Protected {
} }
private function _get_available_plugins() { private function _get_available_plugins() {
if ($_SESSION["access_level"] >= 10 && Config::get(Config::ENABLE_PLUGIN_INSTALLER)) { if ($_SESSION["access_level"] >= UserHelper::ACCESS_LEVEL_ADMIN && Config::get(Config::ENABLE_PLUGIN_INSTALLER)) {
return json_decode(UrlHelper::fetch(['url' => 'https://tt-rss.org/plugins.json']), true); return json_decode(UrlHelper::fetch(['url' => 'https://tt-rss.org/plugins.json']), true);
} }
} }
function getAvailablePlugins() { function getAvailablePlugins() {
if ($_SESSION["access_level"] >= 10) { if ($_SESSION["access_level"] >= UserHelper::ACCESS_LEVEL_ADMIN) {
print json_encode($this->_get_available_plugins()); print json_encode($this->_get_available_plugins());
} }
} }
function checkForPluginUpdates() { function checkForPluginUpdates() {
if ($_SESSION["access_level"] >= 10 && Config::get(Config::CHECK_FOR_UPDATES) && Config::get(Config::CHECK_FOR_PLUGIN_UPDATES)) { if ($_SESSION["access_level"] >= UserHelper::ACCESS_LEVEL_ADMIN && Config::get(Config::CHECK_FOR_UPDATES) && Config::get(Config::CHECK_FOR_PLUGIN_UPDATES)) {
$plugin_name = $_REQUEST["name"] ?? ""; $plugin_name = $_REQUEST["name"] ?? "";
$root_dir = dirname(dirname(__DIR__)); # we're in classes/pref/ $root_dir = dirname(dirname(__DIR__)); # we're in classes/pref/
@ -1279,7 +1279,7 @@ class Pref_Prefs extends Handler_Protected {
} }
function updateLocalPlugins() { function updateLocalPlugins() {
if ($_SESSION["access_level"] >= 10) { if ($_SESSION["access_level"] >= UserHelper::ACCESS_LEVEL_ADMIN) {
$plugins = explode(",", $_REQUEST["plugins"] ?? ""); $plugins = explode(",", $_REQUEST["plugins"] ?? "");
# we're in classes/pref/ # we're in classes/pref/

7
classes/rpc.php
View File

@ -299,7 +299,8 @@ class RPC extends Handler_Protected {
ttrss_feeds f, ttrss_users u LEFT JOIN ttrss_user_prefs2 p ON ttrss_feeds f, ttrss_users u LEFT JOIN ttrss_user_prefs2 p ON
(p.owner_uid = u.id AND profile IS NULL AND pref_name = 'DEFAULT_UPDATE_INTERVAL') (p.owner_uid = u.id AND profile IS NULL AND pref_name = 'DEFAULT_UPDATE_INTERVAL')
WHERE WHERE
f.owner_uid = u.id f.owner_uid = u.id AND
u.access_level NOT IN (".sprintf("%d, %d", UserHelper::ACCESS_LEVEL_DISABLED, UserHelper::ACCESS_LEVEL_READONLY).")
$owner_check_qpart $owner_check_qpart
$update_limit_qpart $update_limit_qpart
$updstart_thresh_qpart $updstart_thresh_qpart
@ -403,7 +404,7 @@ class RPC extends Handler_Protected {
$git_timestamp = $version["timestamp"] ?? false; $git_timestamp = $version["timestamp"] ?? false;
$git_commit = $version["commit"] ?? false; $git_commit = $version["commit"] ?? false;
if (Config::get(Config::CHECK_FOR_UPDATES) && $_SESSION["access_level"] >= 10 && $git_timestamp) { if (Config::get(Config::CHECK_FOR_UPDATES) && $_SESSION["access_level"] >= UserHelper::ACCESS_LEVEL_ADMIN && $git_timestamp) {
$content = @UrlHelper::fetch(["url" => "https://tt-rss.org/version.json"]); $content = @UrlHelper::fetch(["url" => "https://tt-rss.org/version.json"]);
if ($content) { if ($content) {
@ -510,7 +511,7 @@ class RPC extends Handler_Protected {
$data['cdm_expanded'] = get_pref(Prefs::CDM_EXPANDED); $data['cdm_expanded'] = get_pref(Prefs::CDM_EXPANDED);
$data["labels"] = Labels::get_all($_SESSION["uid"]); $data["labels"] = Labels::get_all($_SESSION["uid"]);
if (Config::get(Config::LOG_DESTINATION) == 'sql' && $_SESSION['access_level'] >= 10) { if (Config::get(Config::LOG_DESTINATION) == 'sql' && $_SESSION['access_level'] >= UserHelper::ACCESS_LEVEL_ADMIN) {
if (Config::get(Config::DB_TYPE) == 'pgsql') { if (Config::get(Config::DB_TYPE) == 'pgsql') {
$log_interval = "created_at > NOW() - interval '1 hour'"; $log_interval = "created_at > NOW() - interval '1 hour'";
} else { } else {

19
classes/rssutils.php
View File

@ -123,7 +123,8 @@ class RSSUtils {
ttrss_feeds f, ttrss_users u LEFT JOIN ttrss_user_prefs2 p ON ttrss_feeds f, ttrss_users u LEFT JOIN ttrss_user_prefs2 p ON
(p.owner_uid = u.id AND profile IS NULL AND pref_name = 'DEFAULT_UPDATE_INTERVAL') (p.owner_uid = u.id AND profile IS NULL AND pref_name = 'DEFAULT_UPDATE_INTERVAL')
WHERE WHERE
f.owner_uid = u.id f.owner_uid = u.id AND
u.access_level NOT IN (".sprintf("%d, %d", UserHelper::ACCESS_LEVEL_DISABLED, UserHelper::ACCESS_LEVEL_READONLY).")
$login_thresh_qpart $login_thresh_qpart
$update_limit_qpart $update_limit_qpart
$updstart_thresh_qpart $updstart_thresh_qpart
@ -163,7 +164,8 @@ class RSSUtils {
FROM ttrss_feeds f, ttrss_users u LEFT JOIN ttrss_user_prefs2 p ON FROM ttrss_feeds f, ttrss_users u LEFT JOIN ttrss_user_prefs2 p ON
(p.owner_uid = u.id AND profile IS NULL AND pref_name = 'DEFAULT_UPDATE_INTERVAL') (p.owner_uid = u.id AND profile IS NULL AND pref_name = 'DEFAULT_UPDATE_INTERVAL')
WHERE WHERE
f.owner_uid = u.id f.owner_uid = u.id AND
u.access_level NOT IN (".sprintf("%d, %d", UserHelper::ACCESS_LEVEL_DISABLED, UserHelper::ACCESS_LEVEL_READONLY).")
AND feed_url = :feed AND feed_url = :feed
$login_thresh_qpart $login_thresh_qpart
$update_limit_qpart $update_limit_qpart
@ -352,6 +354,19 @@ class RSSUtils {
if (!$feed_language) $feed_language = mb_strtolower(get_pref(Prefs::DEFAULT_SEARCH_LANGUAGE, $feed_obj->owner_uid)); if (!$feed_language) $feed_language = mb_strtolower(get_pref(Prefs::DEFAULT_SEARCH_LANGUAGE, $feed_obj->owner_uid));
if (!$feed_language) $feed_language = 'simple'; if (!$feed_language) $feed_language = 'simple';
$user = ORM::for_table('ttrss_users')->find_one($feed_obj->owner_uid);
if ($user) {
if ($user->access_level == UserHelper::ACCESS_LEVEL_READONLY) {
Debug::log("error: denied update for $feed: permission denied by owner access level");
return false;
}
} else {
// this would indicate database corruption of some kind
Debug::log("error: owner not found for feed: $feed");
return false;
}
} else { } else {
Debug::log("error: feeds table record not found for feed: $feed"); Debug::log("error: feeds table record not found for feed: $feed");
return false; return false;

19
classes/userhelper.php
View File

@ -17,6 +17,21 @@ class UserHelper {
self::HASH_ALGO_SHA1 self::HASH_ALGO_SHA1
]; ];
/** forbidden to login */
const ACCESS_LEVEL_DISABLED = -2;
/** can't subscribe to new feeds, feeds are not updated */
const ACCESS_LEVEL_READONLY = -1;
/** no restrictions, regular user */
const ACCESS_LEVEL_USER = 0;
/** not used, same as regular user */
const ACCESS_LEVEL_POWERUSER = 5;
/** has administrator permissions */
const ACCESS_LEVEL_ADMIN = 10;
static function authenticate(string $login = null, string $password = null, bool $check_only = false, string $service = null) { static function authenticate(string $login = null, string $password = null, bool $check_only = false, string $service = null) {
if (!Config::get(Config::SINGLE_USER_MODE)) { if (!Config::get(Config::SINGLE_USER_MODE)) {
$user_id = false; $user_id = false;
@ -41,7 +56,7 @@ class UserHelper {
$user = ORM::for_table('ttrss_users')->find_one($user_id); $user = ORM::for_table('ttrss_users')->find_one($user_id);
if ($user) { if ($user && $user->access_level != self::ACCESS_LEVEL_DISABLED) {
$_SESSION["uid"] = $user_id; $_SESSION["uid"] = $user_id;
$_SESSION["auth_module"] = $auth_module; $_SESSION["auth_module"] = $auth_module;
$_SESSION["name"] = $user->login; $_SESSION["name"] = $user->login;
@ -68,7 +83,7 @@ class UserHelper {
$_SESSION["uid"] = 1; $_SESSION["uid"] = 1;
$_SESSION["name"] = "admin"; $_SESSION["name"] = "admin";
$_SESSION["access_level"] = 10; $_SESSION["access_level"] = self::ACCESS_LEVEL_ADMIN;
$_SESSION["hide_hello"] = true; $_SESSION["hide_hello"] = true;
$_SESSION["hide_logout"] = true; $_SESSION["hide_logout"] = true;

9
include/sessions.php
View File

@ -1,7 +1,9 @@
<?php <?php
namespace Sessions; namespace Sessions;
require_once "autoload.php"; use UserHelper;
require_once "autoload.php";
require_once "functions.php"; require_once "functions.php";
require_once "errorhandler.php"; require_once "errorhandler.php";
require_once "lib/gettext/gettext.inc.php"; require_once "lib/gettext/gettext.inc.php";
@ -42,6 +44,11 @@
$_SESSION["login_error_msg"] = __("Session failed to validate (password changed)"); $_SESSION["login_error_msg"] = __("Session failed to validate (password changed)");
return false; return false;
} }
if ($user->access_level == UserHelper::ACCESS_LEVEL_DISABLED) {
$_SESSION["login_error_msg"] = __("Session failed to validate (account is disabled)");
return false;
}
} else { } else {
$_SESSION["login_error_msg"] = __("Session failed to validate (user not found)"); $_SESSION["login_error_msg"] = __("Session failed to validate (user not found)");
return false; return false;

12
js/App.js
View File

@ -17,6 +17,9 @@ const App = {
hotkey_actions: {}, hotkey_actions: {},
is_prefs: false, is_prefs: false,
LABEL_BASE_INDEX: -1024, LABEL_BASE_INDEX: -1024,
UserAccessLevels: {
ACCESS_LEVEL_READONLY: -1
},
_translations: {}, _translations: {},
Hash: { Hash: {
get: function() { get: function() {
@ -76,10 +79,15 @@ const App = {
</select> </select>
` `
}, },
select_hash: function(name, value, values = {}, attributes = {}, id = "") { select_hash: function(name, value, values = {}, attributes = {}, id = "", params = {}) {
let keys = Object.keys(values);
if (params.numeric_sort)
keys = keys.sort((a,b) => a - b);
return ` return `
<select name="${name}" dojoType="fox.form.Select" id="${App.escapeHtml(id)}" ${this.attributes_to_string(attributes)}> <select name="${name}" dojoType="fox.form.Select" id="${App.escapeHtml(id)}" ${this.attributes_to_string(attributes)}>
${Object.keys(values).map((vk) => ${keys.map((vk) =>
`<option ${vk == value ? 'selected="selected"' : ''} value="${App.escapeHtml(vk)}">${App.escapeHtml(values[vk])}</option>` `<option ${vk == value ? 'selected="selected"' : ''} value="${App.escapeHtml(vk)}">${App.escapeHtml(values[vk])}</option>`
).join("")} ).join("")}
</select> </select>

15
js/CommonDialogs.js
View File

@ -131,6 +131,9 @@ const CommonDialogs = {
console.log(rc); console.log(rc);
switch (parseInt(rc['code'])) { switch (parseInt(rc['code'])) {
case 0:
dialog.show_error(__("You are already subscribed to this feed."));
break;
case 1: case 1:
dialog.hide(); dialog.hide();
Notify.info(__("Subscribed to %s").replace("%s", feed_url)); Notify.info(__("Subscribed to %s").replace("%s", feed_url));
@ -175,8 +178,11 @@ const CommonDialogs = {
case 6: case 6:
dialog.show_error(__("XML validation failed: %s").replace("%s", rc['message'])); dialog.show_error(__("XML validation failed: %s").replace("%s", rc['message']));
break; break;
case 0: case 7:
dialog.show_error(__("You are already subscribed to this feed.")); dialog.show_error(__("Error while creating feed database entry."));
break;
case 8:
dialog.show_error(__("You are not allowed to perform this operation."));
break; break;
} }
@ -451,6 +457,7 @@ const CommonDialogs = {
xhr.json("backend.php", {op: "pref-feeds", method: "editfeed", id: feed_id}, (reply) => { xhr.json("backend.php", {op: "pref-feeds", method: "editfeed", id: feed_id}, (reply) => {
const feed = reply.feed; const feed = reply.feed;
const is_readonly = reply.user.access_level == App.UserAccessLevels.ACCESS_LEVEL_READONLY;
// for unsub prompt // for unsub prompt
dialog.feed_title = feed.title; dialog.feed_title = feed.title;
@ -524,7 +531,9 @@ const CommonDialogs = {
<fieldset> <fieldset>
<label>${__("Update interval:")}</label> <label>${__("Update interval:")}</label>
${App.FormFields.select_hash("update_interval", feed.update_interval, reply.intervals.update)} ${App.FormFields.select_hash("update_interval", is_readonly ? -1 : feed.update_interval,
reply.intervals.update,
{disabled: is_readonly})}
</fieldset> </fieldset>
<fieldset> <fieldset>
<label>${__('Article purging:')}</label> <label>${__('Article purging:')}</label>

2
js/PrefUsers.js
View File

@ -75,7 +75,7 @@ const Users = {
<fieldset> <fieldset>
<label>${__('Access level: ')}</label> <label>${__('Access level: ')}</label>
${App.FormFields.select_hash("access_level", ${App.FormFields.select_hash("access_level",
user.access_level, reply.access_level_names, {disabled: admin_disabled.toString()})} user.access_level, reply.access_level_names, {disabled: admin_disabled.toString()}, "", {numeric_sort: true})}
${admin_disabled ? App.FormFields.hidden_tag("access_level", ${admin_disabled ? App.FormFields.hidden_tag("access_level",
user.access_level.toString()) : ''} user.access_level.toString()) : ''}

2
prefs.php
View File

@ -148,7 +148,7 @@
style="padding : 0px" style="padding : 0px"
href="backend.php?op=pref-labels" href="backend.php?op=pref-labels"
title="<i class='material-icons'>label_outline1</i> <?= __('Labels') ?>"></div> title="<i class='material-icons'>label_outline1</i> <?= __('Labels') ?>"></div>
<?php if ($_SESSION["access_level"] >= 10) { ?> <?php if ($_SESSION["access_level"] >= UserHelper::ACCESS_LEVEL_ADMIN) { ?>
<div id="usersTab" dojoType="dijit.layout.ContentPane" <div id="usersTab" dojoType="dijit.layout.ContentPane"
style="padding : 0px" style="padding : 0px"
href="backend.php?op=pref-users" href="backend.php?op=pref-users"