add two helper account access levels:
- read only - can't subscribe to more feeds, feed updates are skipped - disabled - can't login define used access levels as UserHelper constants and refactor code to use them instead of hardcoded numbers
This commit is contained in:
parent
7a52560e4e
commit
9e8d69739f
11
backend.php
11
backend.php
|
@ -86,10 +86,13 @@
|
|||
1440 => __("Daily"),
|
||||
10080 => __("Weekly"));
|
||||
|
||||
$access_level_names = array(
|
||||
0 => __("User"),
|
||||
5 => __("Power User"),
|
||||
10 => __("Administrator"));
|
||||
$access_level_names = [
|
||||
UserHelper::ACCESS_LEVEL_DISABLED => __("Disabled"),
|
||||
UserHelper::ACCESS_LEVEL_READONLY => __("Read Only"),
|
||||
UserHelper::ACCESS_LEVEL_USER => __("User"),
|
||||
UserHelper::ACCESS_LEVEL_POWERUSER => __("Power User"),
|
||||
UserHelper::ACCESS_LEVEL_ADMIN => __("Administrator")
|
||||
];
|
||||
|
||||
// shortcut syntax for plugin methods (?op=plugin--pmethod&...params)
|
||||
/* if (strpos($op, PluginHost::PUBLIC_METHOD_DELIMITER) !== false) {
|
||||
|
|
|
@ -1027,10 +1027,17 @@ class Feeds extends Handler_Protected {
|
|||
* 5 - Couldn't download the URL content.
|
||||
* 6 - Content is an invalid XML.
|
||||
* 7 - Error while creating feed database entry.
|
||||
* 8 - Permission denied (ACCESS_LEVEL_READONLY).
|
||||
*/
|
||||
static function _subscribe($url, $cat_id = 0,
|
||||
$auth_login = '', $auth_pass = '') : array {
|
||||
|
||||
$user = ORM::for_table("ttrss_users")->find_one($_SESSION['uid']);
|
||||
|
||||
if ($user && $user->access_level == UserHelper::ACCESS_LEVEL_READONLY) {
|
||||
return ["code" => 8];
|
||||
}
|
||||
|
||||
$pdo = Db::pdo();
|
||||
|
||||
$url = UrlHelper::validate($url);
|
||||
|
|
|
@ -2,7 +2,7 @@
|
|||
class Handler_Administrative extends Handler_Protected {
|
||||
function before($method) {
|
||||
if (parent::before($method)) {
|
||||
if (($_SESSION["access_level"] ?? 0) >= 10) {
|
||||
if (($_SESSION["access_level"] ?? 0) >= UserHelper::ACCESS_LEVEL_ADMIN) {
|
||||
return true;
|
||||
}
|
||||
}
|
||||
|
|
|
@ -538,6 +538,8 @@ class Pref_Feeds extends Handler_Protected {
|
|||
$local_purge_intervals = [ T_nsprintf('%d day', '%d days', $purge_interval, $purge_interval) ];
|
||||
}
|
||||
|
||||
$user = ORM::for_table("ttrss_users")->find_one($_SESSION["uid"]);
|
||||
|
||||
print json_encode([
|
||||
"feed" => $row,
|
||||
"cats" => [
|
||||
|
@ -550,6 +552,9 @@ class Pref_Feeds extends Handler_Protected {
|
|||
"update" => $local_update_intervals,
|
||||
"purge" => $local_purge_intervals,
|
||||
],
|
||||
"user" => [
|
||||
"access_level" => $user->access_level
|
||||
],
|
||||
"lang" => [
|
||||
"enabled" => Config::get(Config::DB_TYPE) == "pgsql",
|
||||
"default" => get_pref(Prefs::DEFAULT_SEARCH_LANGUAGE),
|
||||
|
@ -1207,6 +1212,13 @@ class Pref_Feeds extends Handler_Protected {
|
|||
$login = clean($_REQUEST['login']);
|
||||
$pass = clean($_REQUEST['pass']);
|
||||
|
||||
$user = ORM::for_table('ttrss_users')->find_one($_SESSION["uid"]);
|
||||
|
||||
// TODO: we should return some kind of error code to frontend here
|
||||
if ($user->access_level == UserHelper::ACCESS_LEVEL_READONLY) {
|
||||
return false;
|
||||
}
|
||||
|
||||
$csth = $this->pdo->prepare("SELECT id FROM ttrss_feeds
|
||||
WHERE feed_url = ? AND owner_uid = ?");
|
||||
|
||||
|
|
|
@ -813,7 +813,7 @@ class Pref_Prefs extends Handler_Protected {
|
|||
|
||||
usort($rv, function($a, $b) { return strcmp($a["name"], $b["name"]); });
|
||||
|
||||
print json_encode(['plugins' => $rv, 'is_admin' => $_SESSION['access_level'] >= 10]);
|
||||
print json_encode(['plugins' => $rv, 'is_admin' => $_SESSION['access_level'] >= UserHelper::ACCESS_LEVEL_ADMIN]);
|
||||
}
|
||||
|
||||
function index_plugins() {
|
||||
|
@ -890,7 +890,7 @@ class Pref_Prefs extends Handler_Protected {
|
|||
|
||||
<?= \Controls\button_tag(\Controls\icon("refresh"), "", ["title" => __("Reload"), "onclick" => "Helpers.Plugins.reload()"]) ?>
|
||||
|
||||
<?php if ($_SESSION["access_level"] >= 10) { ?>
|
||||
<?php if ($_SESSION["access_level"] >= UserHelper::ACCESS_LEVEL_ADMIN) { ?>
|
||||
<?php if (Config::get(Config::CHECK_FOR_UPDATES) && Config::get(Config::CHECK_FOR_PLUGIN_UPDATES)) { ?>
|
||||
|
||||
<button class='alt-warning' dojoType='dijit.form.Button' onclick="Helpers.Plugins.update()">
|
||||
|
@ -1152,7 +1152,7 @@ class Pref_Prefs extends Handler_Protected {
|
|||
}
|
||||
|
||||
function uninstallPlugin() {
|
||||
if ($_SESSION["access_level"] >= 10) {
|
||||
if ($_SESSION["access_level"] >= UserHelper::ACCESS_LEVEL_ADMIN) {
|
||||
$plugin_name = basename(clean($_REQUEST['plugin']));
|
||||
$status = 0;
|
||||
|
||||
|
@ -1167,7 +1167,7 @@ class Pref_Prefs extends Handler_Protected {
|
|||
}
|
||||
|
||||
function installPlugin() {
|
||||
if ($_SESSION["access_level"] >= 10 && Config::get(Config::ENABLE_PLUGIN_INSTALLER)) {
|
||||
if ($_SESSION["access_level"] >= UserHelper::ACCESS_LEVEL_ADMIN && Config::get(Config::ENABLE_PLUGIN_INSTALLER)) {
|
||||
$plugin_name = basename(clean($_REQUEST['plugin']));
|
||||
$all_plugins = $this->_get_available_plugins();
|
||||
$plugin_dir = dirname(dirname(__DIR__)) . "/plugins.local";
|
||||
|
@ -1252,18 +1252,18 @@ class Pref_Prefs extends Handler_Protected {
|
|||
}
|
||||
|
||||
private function _get_available_plugins() {
|
||||
if ($_SESSION["access_level"] >= 10 && Config::get(Config::ENABLE_PLUGIN_INSTALLER)) {
|
||||
if ($_SESSION["access_level"] >= UserHelper::ACCESS_LEVEL_ADMIN && Config::get(Config::ENABLE_PLUGIN_INSTALLER)) {
|
||||
return json_decode(UrlHelper::fetch(['url' => 'https://tt-rss.org/plugins.json']), true);
|
||||
}
|
||||
}
|
||||
function getAvailablePlugins() {
|
||||
if ($_SESSION["access_level"] >= 10) {
|
||||
if ($_SESSION["access_level"] >= UserHelper::ACCESS_LEVEL_ADMIN) {
|
||||
print json_encode($this->_get_available_plugins());
|
||||
}
|
||||
}
|
||||
|
||||
function checkForPluginUpdates() {
|
||||
if ($_SESSION["access_level"] >= 10 && Config::get(Config::CHECK_FOR_UPDATES) && Config::get(Config::CHECK_FOR_PLUGIN_UPDATES)) {
|
||||
if ($_SESSION["access_level"] >= UserHelper::ACCESS_LEVEL_ADMIN && Config::get(Config::CHECK_FOR_UPDATES) && Config::get(Config::CHECK_FOR_PLUGIN_UPDATES)) {
|
||||
$plugin_name = $_REQUEST["name"] ?? "";
|
||||
|
||||
$root_dir = dirname(dirname(__DIR__)); # we're in classes/pref/
|
||||
|
@ -1279,7 +1279,7 @@ class Pref_Prefs extends Handler_Protected {
|
|||
}
|
||||
|
||||
function updateLocalPlugins() {
|
||||
if ($_SESSION["access_level"] >= 10) {
|
||||
if ($_SESSION["access_level"] >= UserHelper::ACCESS_LEVEL_ADMIN) {
|
||||
$plugins = explode(",", $_REQUEST["plugins"] ?? "");
|
||||
|
||||
# we're in classes/pref/
|
||||
|
|
|
@ -299,7 +299,8 @@ class RPC extends Handler_Protected {
|
|||
ttrss_feeds f, ttrss_users u LEFT JOIN ttrss_user_prefs2 p ON
|
||||
(p.owner_uid = u.id AND profile IS NULL AND pref_name = 'DEFAULT_UPDATE_INTERVAL')
|
||||
WHERE
|
||||
f.owner_uid = u.id
|
||||
f.owner_uid = u.id AND
|
||||
u.access_level NOT IN (".sprintf("%d, %d", UserHelper::ACCESS_LEVEL_DISABLED, UserHelper::ACCESS_LEVEL_READONLY).")
|
||||
$owner_check_qpart
|
||||
$update_limit_qpart
|
||||
$updstart_thresh_qpart
|
||||
|
@ -403,7 +404,7 @@ class RPC extends Handler_Protected {
|
|||
$git_timestamp = $version["timestamp"] ?? false;
|
||||
$git_commit = $version["commit"] ?? false;
|
||||
|
||||
if (Config::get(Config::CHECK_FOR_UPDATES) && $_SESSION["access_level"] >= 10 && $git_timestamp) {
|
||||
if (Config::get(Config::CHECK_FOR_UPDATES) && $_SESSION["access_level"] >= UserHelper::ACCESS_LEVEL_ADMIN && $git_timestamp) {
|
||||
$content = @UrlHelper::fetch(["url" => "https://tt-rss.org/version.json"]);
|
||||
|
||||
if ($content) {
|
||||
|
@ -510,7 +511,7 @@ class RPC extends Handler_Protected {
|
|||
$data['cdm_expanded'] = get_pref(Prefs::CDM_EXPANDED);
|
||||
$data["labels"] = Labels::get_all($_SESSION["uid"]);
|
||||
|
||||
if (Config::get(Config::LOG_DESTINATION) == 'sql' && $_SESSION['access_level'] >= 10) {
|
||||
if (Config::get(Config::LOG_DESTINATION) == 'sql' && $_SESSION['access_level'] >= UserHelper::ACCESS_LEVEL_ADMIN) {
|
||||
if (Config::get(Config::DB_TYPE) == 'pgsql') {
|
||||
$log_interval = "created_at > NOW() - interval '1 hour'";
|
||||
} else {
|
||||
|
|
|
@ -123,7 +123,8 @@ class RSSUtils {
|
|||
ttrss_feeds f, ttrss_users u LEFT JOIN ttrss_user_prefs2 p ON
|
||||
(p.owner_uid = u.id AND profile IS NULL AND pref_name = 'DEFAULT_UPDATE_INTERVAL')
|
||||
WHERE
|
||||
f.owner_uid = u.id
|
||||
f.owner_uid = u.id AND
|
||||
u.access_level NOT IN (".sprintf("%d, %d", UserHelper::ACCESS_LEVEL_DISABLED, UserHelper::ACCESS_LEVEL_READONLY).")
|
||||
$login_thresh_qpart
|
||||
$update_limit_qpart
|
||||
$updstart_thresh_qpart
|
||||
|
@ -163,7 +164,8 @@ class RSSUtils {
|
|||
FROM ttrss_feeds f, ttrss_users u LEFT JOIN ttrss_user_prefs2 p ON
|
||||
(p.owner_uid = u.id AND profile IS NULL AND pref_name = 'DEFAULT_UPDATE_INTERVAL')
|
||||
WHERE
|
||||
f.owner_uid = u.id
|
||||
f.owner_uid = u.id AND
|
||||
u.access_level NOT IN (".sprintf("%d, %d", UserHelper::ACCESS_LEVEL_DISABLED, UserHelper::ACCESS_LEVEL_READONLY).")
|
||||
AND feed_url = :feed
|
||||
$login_thresh_qpart
|
||||
$update_limit_qpart
|
||||
|
@ -352,6 +354,19 @@ class RSSUtils {
|
|||
if (!$feed_language) $feed_language = mb_strtolower(get_pref(Prefs::DEFAULT_SEARCH_LANGUAGE, $feed_obj->owner_uid));
|
||||
if (!$feed_language) $feed_language = 'simple';
|
||||
|
||||
$user = ORM::for_table('ttrss_users')->find_one($feed_obj->owner_uid);
|
||||
|
||||
if ($user) {
|
||||
if ($user->access_level == UserHelper::ACCESS_LEVEL_READONLY) {
|
||||
Debug::log("error: denied update for $feed: permission denied by owner access level");
|
||||
return false;
|
||||
}
|
||||
} else {
|
||||
// this would indicate database corruption of some kind
|
||||
Debug::log("error: owner not found for feed: $feed");
|
||||
return false;
|
||||
}
|
||||
|
||||
} else {
|
||||
Debug::log("error: feeds table record not found for feed: $feed");
|
||||
return false;
|
||||
|
|
|
@ -17,6 +17,21 @@ class UserHelper {
|
|||
self::HASH_ALGO_SHA1
|
||||
];
|
||||
|
||||
/** forbidden to login */
|
||||
const ACCESS_LEVEL_DISABLED = -2;
|
||||
|
||||
/** can't subscribe to new feeds, feeds are not updated */
|
||||
const ACCESS_LEVEL_READONLY = -1;
|
||||
|
||||
/** no restrictions, regular user */
|
||||
const ACCESS_LEVEL_USER = 0;
|
||||
|
||||
/** not used, same as regular user */
|
||||
const ACCESS_LEVEL_POWERUSER = 5;
|
||||
|
||||
/** has administrator permissions */
|
||||
const ACCESS_LEVEL_ADMIN = 10;
|
||||
|
||||
static function authenticate(string $login = null, string $password = null, bool $check_only = false, string $service = null) {
|
||||
if (!Config::get(Config::SINGLE_USER_MODE)) {
|
||||
$user_id = false;
|
||||
|
@ -41,7 +56,7 @@ class UserHelper {
|
|||
|
||||
$user = ORM::for_table('ttrss_users')->find_one($user_id);
|
||||
|
||||
if ($user) {
|
||||
if ($user && $user->access_level != self::ACCESS_LEVEL_DISABLED) {
|
||||
$_SESSION["uid"] = $user_id;
|
||||
$_SESSION["auth_module"] = $auth_module;
|
||||
$_SESSION["name"] = $user->login;
|
||||
|
@ -68,7 +83,7 @@ class UserHelper {
|
|||
|
||||
$_SESSION["uid"] = 1;
|
||||
$_SESSION["name"] = "admin";
|
||||
$_SESSION["access_level"] = 10;
|
||||
$_SESSION["access_level"] = self::ACCESS_LEVEL_ADMIN;
|
||||
|
||||
$_SESSION["hide_hello"] = true;
|
||||
$_SESSION["hide_logout"] = true;
|
||||
|
|
|
@ -1,6 +1,8 @@
|
|||
<?php
|
||||
namespace Sessions;
|
||||
|
||||
use UserHelper;
|
||||
|
||||
require_once "autoload.php";
|
||||
require_once "functions.php";
|
||||
require_once "errorhandler.php";
|
||||
|
@ -42,6 +44,11 @@
|
|||
$_SESSION["login_error_msg"] = __("Session failed to validate (password changed)");
|
||||
return false;
|
||||
}
|
||||
|
||||
if ($user->access_level == UserHelper::ACCESS_LEVEL_DISABLED) {
|
||||
$_SESSION["login_error_msg"] = __("Session failed to validate (account is disabled)");
|
||||
return false;
|
||||
}
|
||||
} else {
|
||||
$_SESSION["login_error_msg"] = __("Session failed to validate (user not found)");
|
||||
return false;
|
||||
|
|
12
js/App.js
12
js/App.js
|
@ -17,6 +17,9 @@ const App = {
|
|||
hotkey_actions: {},
|
||||
is_prefs: false,
|
||||
LABEL_BASE_INDEX: -1024,
|
||||
UserAccessLevels: {
|
||||
ACCESS_LEVEL_READONLY: -1
|
||||
},
|
||||
_translations: {},
|
||||
Hash: {
|
||||
get: function() {
|
||||
|
@ -76,10 +79,15 @@ const App = {
|
|||
</select>
|
||||
`
|
||||
},
|
||||
select_hash: function(name, value, values = {}, attributes = {}, id = "") {
|
||||
select_hash: function(name, value, values = {}, attributes = {}, id = "", params = {}) {
|
||||
let keys = Object.keys(values);
|
||||
|
||||
if (params.numeric_sort)
|
||||
keys = keys.sort((a,b) => a - b);
|
||||
|
||||
return `
|
||||
<select name="${name}" dojoType="fox.form.Select" id="${App.escapeHtml(id)}" ${this.attributes_to_string(attributes)}>
|
||||
${Object.keys(values).map((vk) =>
|
||||
${keys.map((vk) =>
|
||||
`<option ${vk == value ? 'selected="selected"' : ''} value="${App.escapeHtml(vk)}">${App.escapeHtml(values[vk])}</option>`
|
||||
).join("")}
|
||||
</select>
|
||||
|
|
|
@ -131,6 +131,9 @@ const CommonDialogs = {
|
|||
console.log(rc);
|
||||
|
||||
switch (parseInt(rc['code'])) {
|
||||
case 0:
|
||||
dialog.show_error(__("You are already subscribed to this feed."));
|
||||
break;
|
||||
case 1:
|
||||
dialog.hide();
|
||||
Notify.info(__("Subscribed to %s").replace("%s", feed_url));
|
||||
|
@ -175,8 +178,11 @@ const CommonDialogs = {
|
|||
case 6:
|
||||
dialog.show_error(__("XML validation failed: %s").replace("%s", rc['message']));
|
||||
break;
|
||||
case 0:
|
||||
dialog.show_error(__("You are already subscribed to this feed."));
|
||||
case 7:
|
||||
dialog.show_error(__("Error while creating feed database entry."));
|
||||
break;
|
||||
case 8:
|
||||
dialog.show_error(__("You are not allowed to perform this operation."));
|
||||
break;
|
||||
}
|
||||
|
||||
|
@ -451,6 +457,7 @@ const CommonDialogs = {
|
|||
|
||||
xhr.json("backend.php", {op: "pref-feeds", method: "editfeed", id: feed_id}, (reply) => {
|
||||
const feed = reply.feed;
|
||||
const is_readonly = reply.user.access_level == App.UserAccessLevels.ACCESS_LEVEL_READONLY;
|
||||
|
||||
// for unsub prompt
|
||||
dialog.feed_title = feed.title;
|
||||
|
@ -524,7 +531,9 @@ const CommonDialogs = {
|
|||
|
||||
<fieldset>
|
||||
<label>${__("Update interval:")}</label>
|
||||
${App.FormFields.select_hash("update_interval", feed.update_interval, reply.intervals.update)}
|
||||
${App.FormFields.select_hash("update_interval", is_readonly ? -1 : feed.update_interval,
|
||||
reply.intervals.update,
|
||||
{disabled: is_readonly})}
|
||||
</fieldset>
|
||||
<fieldset>
|
||||
<label>${__('Article purging:')}</label>
|
||||
|
|
|
@ -75,7 +75,7 @@ const Users = {
|
|||
<fieldset>
|
||||
<label>${__('Access level: ')}</label>
|
||||
${App.FormFields.select_hash("access_level",
|
||||
user.access_level, reply.access_level_names, {disabled: admin_disabled.toString()})}
|
||||
user.access_level, reply.access_level_names, {disabled: admin_disabled.toString()}, "", {numeric_sort: true})}
|
||||
|
||||
${admin_disabled ? App.FormFields.hidden_tag("access_level",
|
||||
user.access_level.toString()) : ''}
|
||||
|
|
|
@ -148,7 +148,7 @@
|
|||
style="padding : 0px"
|
||||
href="backend.php?op=pref-labels"
|
||||
title="<i class='material-icons'>label_outline1</i> <?= __('Labels') ?>"></div>
|
||||
<?php if ($_SESSION["access_level"] >= 10) { ?>
|
||||
<?php if ($_SESSION["access_level"] >= UserHelper::ACCESS_LEVEL_ADMIN) { ?>
|
||||
<div id="usersTab" dojoType="dijit.layout.ContentPane"
|
||||
style="padding : 0px"
|
||||
href="backend.php?op=pref-users"
|
||||
|
|
Loading…
Reference in New Issue