From c3da5ab4e1186d230c1c836a08f0cb68c55ce231 Mon Sep 17 00:00:00 2001 From: Michael Foster Date: Sun, 4 Aug 2013 17:53:09 -0400 Subject: [PATCH] ?/config: Advanced permissions --- inc/config.php | 43 +++++++++++++++++++++++++++++++++++++++---- inc/mod/config-editor.php | 42 ++++++++++++++++++++++++++++++++++++++++-- 2 files changed, 79 insertions(+), 6 deletions(-) diff --git a/inc/config.php b/inc/config.php index 410078d3..1437aa58 100644 --- a/inc/config.php +++ b/inc/config.php @@ -1187,12 +1187,47 @@ $config['mod']['news_custom'] = ADMIN; // Delete news entries $config['mod']['news_delete'] = ADMIN; - - // Edit the current configuration (via web interface) - $config['mod']['edit_config'] = ADMIN; - // Execute un-filtered SQL queries on the database (?/debug/sql) $config['mod']['debug_sql'] = DISABLED; + // Edit the current configuration (via web interface) + $config['mod']['edit_config'] = MOD; + + // Config editor permissions + $config['mod']['config'] = array( + JANITOR => false, + MOD => false, + ADMIN => false, + DISABLED => false, + ); + + // Disable the following configuration variables from being changed via ?/config. The following default + // banned variables are considered somewhat dangerous. + $config['mod']['config'][DISABLED] = array( + 'mod>config', + 'mod>config_editor_php', + 'convert_args', + 'db>password', + ); + + $config['mod']['config'][JANITOR] = array( + '!', // Allow editing ONLY the variables listed (in this case, nothing). + ); + + $config['mod']['config'][MOD] = array( + '!', // Allow editing ONLY the variables listed (plus that in $config['mod']['config'][JANITOR]). + 'global_message', + ); + + // Example: Disallow ADMIN from editing (and viewing) $config['db']['password']. + // $config['mod']['config'][ADMIN] = array( + // 'db>password', + // ); + + // Example: Allow ADMIN to edit anything other than $config['db'] + // (and $config['mod']['config'][DISABLED]). + // $config['mod']['config'][ADMIN] = array( + // 'db', + // ); /* * ==================== diff --git a/inc/mod/config-editor.php b/inc/mod/config-editor.php index caca5a0e..27740378 100644 --- a/inc/mod/config-editor.php +++ b/inc/mod/config-editor.php @@ -1,5 +1,43 @@ ', $disabled_var_name); + if (count($disabled_var_name) == 1) + $disabled_var_name = $disabled_var_name[0]; + if ($varname == $disabled_var_name) + return false; + } + } + + $allow_only = false; + // for ($perm = (int)$mod['type']; $perm >= JANITOR; $perm --) { + for ($perm = JANITOR; $perm <= (int)$mod['type']; $perm ++) { + $allow_only = false; + if (is_array($config['mod']['config'][$perm])) { + foreach ($config['mod']['config'][$perm] as $perm_var_name) { + if ($perm_var_name == '!') { + $allow_only = true; + continue; + } + $perm_var_name = explode('>', $perm_var_name); + if ((count($perm_var_name) == 1 && $varname == $perm_var_name[0]) || + (is_array($varname) && array_slice($varname, 0, count($perm_var_name)) == $perm_var_name)) { + if ($allow_only) + return true; + else + return false; + } + } + } + } + + return !$allow_only; +} + function config_vars() { global $config; @@ -77,8 +115,8 @@ function config_vars() { $already_exists = true; } - if (!$already_exists) - $conf[] = $var; + if (!$already_exists && permission_to_edit_config_var($var['name'])) + $conf[] = $var; } }