authorLukas Fleischer <archlinux@cryptocrack.de>2014-07-15 20:52:54 +0200
committerLukas Fleischer <archlinux@cryptocrack.de>2014-07-15 22:56:57 +0200
commit03c6304e19d5d3ecd276dd3f42220db301ab511d (patch)
tree25f58ac23290a9e57f6bd93f6b5c8986bd9fcbef /web/html
parent9e6b861b6f40a90363c402b4d26602f33964cf41 (diff)
Rework permission handling
Add a new function has_credential() that checks whether the currently logged in user is allowed to perform a given action. Moving all permission handling to this central place makes adding new user groups and adjusting permissions much more convenient. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
Diffstat (limited to 'web/html')
-rw-r--r--web/html/account.php20
-rw-r--r--web/html/addvote.php7
-rw-r--r--web/html/packages.php7
-rw-r--r--web/html/pkgbase.php31
-rw-r--r--web/html/pkgdel.php8
-rw-r--r--web/html/pkgmerge.php8
-rw-r--r--web/html/pkgreq.php2
-rw-r--r--web/html/tu.php9
-rw-r--r--web/html/voters.php3
9 files changed, 27 insertions, 68 deletions
diff --git a/web/html/account.php b/web/html/account.php
index 47cf6d2..f212eab 100644
--- a/web/html/account.php
+++ b/web/html/account.php
@@ -18,18 +18,14 @@ echo " <h2>".__("Accounts")."</h2>\n";
$action = in_request("Action");
if (isset($_COOKIE["AURSID"])) {
- # visitor is logged in
- #
- $atype = account_from_sid($_COOKIE["AURSID"]);
-
if ($action == "SearchAccounts") {
# security check
#
- if ($atype == "Trusted User" || $atype == "Developer") {
+ if (has_credential(CRED_ACCOUNT_SEARCH)) {
# the user has entered search criteria, find any matching accounts
#
- search_results_page($atype, in_request("O"), in_request("SB"),
+ search_results_page(in_request("O"), in_request("SB"),
in_request("U"), in_request("T"), in_request("S"),
in_request("E"), in_request("R"), in_request("I"),
in_request("K"));
@@ -48,8 +44,8 @@ if (isset($_COOKIE["AURSID"])) {
print __("Could not retrieve information for the specified user.");
} else {
/* Verify user has permission to edit the account */
- if (can_edit_account($atype, $row, uid_from_sid($_COOKIE["AURSID"]))) {
- display_account_form($atype, "UpdateAccount", $row["Username"],
+ if (can_edit_account($row)) {
+ display_account_form("UpdateAccount", $row["Username"],
$row["AccountTypeID"], $row["Suspended"], $row["Email"],
"", "", $row["RealName"], $row["LangPreference"],
$row["IRCNick"], $row["PGPKey"],
@@ -70,22 +66,20 @@ if (isset($_COOKIE["AURSID"])) {
}
} elseif ($action == "UpdateAccount") {
- $uid = uid_from_sid($_COOKIE['AURSID']);
-
/* Details for account being updated */
$acctinfo = account_details(in_request('ID'), in_request('U'));
/* Verify user permissions and that the request is a valid POST */
- if (can_edit_account($atype, $acctinfo, $uid) && check_token()) {
+ if (can_edit_account($acctinfo) && check_token()) {
/* Update the details for the existing account */
- process_account_form($atype, "edit", "UpdateAccount",
+ process_account_form("edit", "UpdateAccount",
in_request("U"), in_request("T"), in_request("S"),
in_request("E"), in_request("P"), in_request("C"),
in_request("R"), in_request("L"), in_request("I"),
in_request("K"), in_request("J"), in_request("ID"));
}
} else {
- if ($atype == "Trusted User" || $atype == "Developer") {
+ if (has_credential(CRED_ACCOUNT_SEARCH)) {
# display the search page if they're a TU/dev
#
print __("Use this form to search existing accounts.")."<br />\n";
diff --git a/web/html/addvote.php b/web/html/addvote.php
index 3ce99c0..0b6b9c6 100644
--- a/web/html/addvote.php
+++ b/web/html/addvote.php
@@ -11,13 +11,10 @@ $title = __("Add Proposal");
html_header($title);
if (isset($_COOKIE["AURSID"])) {
- $atype = account_from_sid($_COOKIE["AURSID"]);
- $uid = uid_from_sid($_COOKIE["AURSID"]);
-} else {
- $atype = "";
+ $uid = uid_from_sid($_COOKIE["AURSID"]);
}
-if ($atype == "Trusted User" || $atype == "Developer") {
+if (has_credential(CRED_TU_ADD_VOTE)) {
if (!empty($_POST['addVote']) && !check_token()) {
$error = __("Invalid token for user action.");
diff --git a/web/html/packages.php b/web/html/packages.php
index 2fb9cbc..645806e 100644
--- a/web/html/packages.php
+++ b/web/html/packages.php
@@ -35,13 +35,6 @@ if (isset($pkgname)) {
$title = __("Packages");
}
-# Retrieve account type
-if (isset($_COOKIE["AURSID"])) {
- $atype = account_from_sid($_COOKIE["AURSID"]);
-} else {
- $atype = "";
-}
-
$details = array();
if (isset($pkgname)) {
$details = pkg_get_details($pkgid);
diff --git a/web/html/pkgbase.php b/web/html/pkgbase.php
index cf2b774..4f35a67 100644
--- a/web/html/pkgbase.php
+++ b/web/html/pkgbase.php
@@ -32,13 +32,6 @@ if (!isset($base_id) || !isset($pkgbase_name)) {
/* Set the title to package base name. */
$title = $pkgbase_name;
-/* Retrieve account type. */
-if (isset($_COOKIE["AURSID"])) {
- $atype = account_from_sid($_COOKIE["AURSID"]);
-} else {
- $atype = "";
-}
-
/* Grab the list of package base IDs to be operated on. */
$ids = array();
if (isset($_POST['IDs'])) {
@@ -55,29 +48,29 @@ $ret = false;
$output = "";
if (check_token()) {
if (current_action("do_Flag")) {
- list($ret, $output) = pkgbase_flag($atype, $ids);
+ list($ret, $output) = pkgbase_flag($ids);
} elseif (current_action("do_UnFlag")) {
- list($ret, $output) = pkgbase_unflag($atype, $ids);
+ list($ret, $output) = pkgbase_unflag($ids);
} elseif (current_action("do_Adopt")) {
- list($ret, $output) = pkgbase_adopt($atype, $ids, true, NULL);
+ list($ret, $output) = pkgbase_adopt($ids, true, NULL);
} elseif (current_action("do_Disown")) {
$via = isset($_POST['via']) ? $_POST['via'] : NULL;
- list($ret, $output) = pkgbase_adopt($atype, $ids, false, $via);
+ list($ret, $output) = pkgbase_adopt($ids, false, $via);
} elseif (current_action("do_Vote")) {
- list($ret, $output) = pkgbase_vote($atype, $ids, true);
+ list($ret, $output) = pkgbase_vote($ids, true);
} elseif (current_action("do_UnVote")) {
- list($ret, $output) = pkgbase_vote($atype, $ids, false);
+ list($ret, $output) = pkgbase_vote($ids, false);
} elseif (current_action("do_Delete")) {
if (isset($_POST['confirm_Delete'])) {
$via = isset($_POST['via']) ? $_POST['via'] : NULL;
if (!isset($_POST['merge_Into']) || empty($_POST['merge_Into'])) {
- list($ret, $output) = pkgbase_delete($atype, $ids, NULL, $via);
+ list($ret, $output) = pkgbase_delete($ids, NULL, $via);
unset($_GET['ID']);
}
else {
$merge_base_id = pkgbase_from_name($_POST['merge_Into']);
if ($merge_base_id) {
- list($ret, $output) = pkgbase_delete($atype, $ids, $merge_base_id, $via);
+ list($ret, $output) = pkgbase_delete($ids, $merge_base_id, $via);
unset($_GET['ID']);
} else {
$output = __("Cannot find package to merge votes and comments into.");
@@ -90,13 +83,13 @@ if (check_token()) {
$ret = false;
}
} elseif (current_action("do_Notify")) {
- list($ret, $output) = pkgbase_notify($atype, $ids);
+ list($ret, $output) = pkgbase_notify($ids);
} elseif (current_action("do_UnNotify")) {
- list($ret, $output) = pkgbase_notify($atype, $ids, false);
+ list($ret, $output) = pkgbase_notify($ids, false);
} elseif (current_action("do_DeleteComment")) {
- list($ret, $output) = pkgbase_delete_comment($atype);
+ list($ret, $output) = pkgbase_delete_comment();
} elseif (current_action("do_ChangeCategory")) {
- list($ret, $output) = pkgbase_change_category($base_id, $atype);
+ list($ret, $output) = pkgbase_change_category($base_id);
} elseif (current_action("do_FileRequest")) {
list($ret, $output) = pkgreq_file($ids, $_POST['type'], $_POST['merge_into'], $_POST['comments']);
} elseif (current_action("do_CloseRequest")) {
diff --git a/web/html/pkgdel.php b/web/html/pkgdel.php
index 621c3c9..41900e4 100644
--- a/web/html/pkgdel.php
+++ b/web/html/pkgdel.php
@@ -10,13 +10,7 @@ check_sid();
html_header(__("Package Deletion"));
-$atype = "";
-
-if (isset($_COOKIE["AURSID"])) {
- $atype = account_from_sid($_COOKIE["AURSID"]);
-}
-
-if ($atype == "Trusted User" || $atype == "Developer"): ?>
+if (has_credential(CRED_PKGBASE_DELETE)): ?>
<div class="box">
<h2><?= __('Delete Package: %s', htmlspecialchars($pkgbase_name)) ?></h2>
<p>
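Review bot: The has_credential(CRED_PKGBASE_DELETE) test at the top of the hunk only decides whether the confirmation form is rendered; the deletion itself is submitted to another script, so this gate is presentational and the handler must repeat the check (presumably inside pkgbase_delete(), which is not visible here). A comment keeps the two from drifting apart: `/* Display-only gate; the handler that performs the deletion must enforce CRED_PKGBASE_DELETE again on submit. */` placed before the `if (...):` line. The `endif` for this block is outside the hunk.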
diff --git a/web/html/pkgmerge.php b/web/html/pkgmerge.php
index ba3f742..6a3b3c5 100644
--- a/web/html/pkgmerge.php
+++ b/web/html/pkgmerge.php
@@ -10,13 +10,7 @@ check_sid();
html_header(__("Package Merging"));
-$atype = "";
-
-if (isset($_COOKIE["AURSID"])) {
- $atype = account_from_sid($_COOKIE["AURSID"]);
-}
-
-if ($atype == "Trusted User" || $atype == "Developer"): ?>
+if (has_credential(CRED_PKGBASE_DELETE)): ?>
<div class="box">
<h2><?= __('Merge Package: %s', htmlspecialchars($pkgbase_name)) ?></h2>
<p>
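Review bot: Merging is gated with CRED_PKGBASE_DELETE rather than a merge-specific credential, which preserves the old TU/Developer rule but is not obvious from the constant's name; record the intent above the check: `/* Merging removes the source package base, so it is gated by the delete credential. */` As in pkgdel.php, the check only controls whether the form is shown, and the handler that performs the merge must enforce the same credential when the form is submitted. The `endif` for this block is outside the hunk.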
diff --git a/web/html/pkgreq.php b/web/html/pkgreq.php
index 9dec1f6..03b31b8 100644
--- a/web/html/pkgreq.php
+++ b/web/html/pkgreq.php
@@ -16,7 +16,7 @@ if (isset($base_id)) {
$pkgbase_name = pkgreq_get_pkgbase_name($pkgreq_id);
include('pkgreq_close_form.php');
} else {
- if (!check_user_privileges()) {
+ if (!has_credential(CRED_PKGREQ_LIST)) {
header('Location: /');
exit();
}
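Review bot: The has_credential(CRED_PKGREQ_LIST) redirect covers only the else branch (the request list); the `isset($base_id)` branch above it, which includes pkgreq_close_form.php, carries no credential check in this hunk, so either the close form is gated elsewhere or it is reachable by anyone who can reach this page. If the gate lives in the submit handler, a comment at the include would save the next reader the search: `/* Authorization to close a request is enforced when the form is submitted, not here. */` — only if that is actually the case. The enclosing if/else starts before the hunk.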
diff --git a/web/html/tu.php b/web/html/tu.php
index 5d4e37d..158632a 100644
--- a/web/html/tu.php
+++ b/web/html/tu.php
@@ -14,12 +14,7 @@ html_header($title);
$pp = 10;
$prev_Len = 75;
-$atype = "";
-if (isset($_COOKIE["AURSID"])) {
- $atype = account_from_sid($_COOKIE["AURSID"]);
-}
-
-if ($atype == "Trusted User" || $atype == "Developer") {
+if (has_credential(CRED_TU_LIST_VOTES)) {
if (isset($_GET['id'])) {
if (is_numeric($_GET['id'])) {
@@ -39,7 +34,7 @@ if ($atype == "Trusted User" || $atype == "Developer") {
if ($isrunning == 0) {
$canvote = 0;
$errorvote = __("Voting is closed for this proposal.");
- } else if ($atype == "Developer") {
+ } else if (!has_credential(CRED_TU_VOTE)) {
$canvote = 0;
$errorvote = __("Only Trusted Users are allowed to vote.");
} else if ($row['User'] == username_from_sid($_COOKIE["AURSID"])) {
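Review bot: The replacement `!has_credential(CRED_TU_VOTE)` is broader than the `$atype == "Developer"` test it replaces: any account lacking the credential is now refused, not only Developers, which is the safer direction but is not what the adjacent "Only Trusted Users" message and the old code suggest. Annotate the branch so the widening is deliberate: `// anyone without the TU voting credential (not just Developers) may not vote`. Separately, the `$row['User'] == username_from_sid(...)` comparison on the next line uses loose equality where `===` is the idiomatic choice for two strings. The enclosing `if (has_credential(CRED_TU_LIST_VOTES))` block starts before the hunk.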
diff --git a/web/html/voters.php b/web/html/voters.php
index bbcf547..8766fa7 100644
--- a/web/html/voters.php
+++ b/web/html/voters.php
@@ -6,11 +6,10 @@ include_once('pkgfuncs.inc.php');
$SID = $_COOKIE['AURSID'];
$pkgname = htmlspecialchars($_GET['N']);
$votes = pkgbase_votes_from_name($pkgname);
-$atype = account_from_sid($SID);
html_header(__("Voters"));
-if ($atype == 'Trusted User' || $atype== 'Developer'):
+if (has_credential(CRED_PKGBASE_LIST_VOTERS)):
?>
<div class="box">