Changeset 3726


Timestamp:
09/19/09 15:02:26 (2 years ago)
Author:
ringmaster
Message:

Add permission check to core dash modules so that users without access to moderate comments can't view the comment module on the dashboard. Likewise with the log module.

Prevent users who only have permission to edit their own user account from editing others' user accounts by twiddling the URL.

Add a permission token to grant/deny access for users to add dashboard modules.

Added "My Profile" to main menu under "M" accesskey. Links to user page for the current user. There should possibly be a way to omit this item from the menu if you also have access to the full user management page.

Bumped DB version to get new permission token.

Location:
trunk/htdocs/system
Files:
4 edited

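--- a/trunk/htdocs/system/classes/adminhandler.php
+++ b/trunk/htdocs/system/classes/adminhandler.php
@@ -433,9 +433,11 @@
                 $modules = Modules::get_active();
 
-                // append the 'Add Item' module
-                $modules['nosort'] = 'Add Item';
-
-                // register the 'Add Item' filter
-                Plugins::register( array( $this, 'filter_dash_module_add_item' ), 'filter', 'dash_module_add_item');
+                if(User::identify()->can('manage_dash_modules')) {
+                        // append the 'Add Item' module
+                        $modules['nosort'] = 'Add Item';
+
+                        // register the 'Add Item' filter
+                        Plugins::register( array( $this, 'filter_dash_module_add_item' ), 'filter', 'dash_module_add_item');
+                }
 
                 foreach ( $modules as $id => $module_name ) {
@@ -621,12 +623,25 @@
                 $edit_user = User::identify();
+                $permission = false;
 
                 if ( ($this->handler_vars['user'] == '') || (User::get_by_name($this->handler_vars['user']) == $edit_user) ) {
+                        if($edit_user->can('manage_self') || $edit_user->can('manage_users')) {
+                                $permission = true;
+                        }
                         $who = _t("You");
                         $possessive = _t("Your User Information");
                 }
                 else {
+                        if($edit_user->can('manage_users')) {
+                                $permission = true;
+                        }
                         $edit_user = User::get_by_name($this->handler_vars['user']);
                         $who = $edit_user->username;
                         $possessive = sprintf( _t("%s's User Information"), $who );
+                }
+
+                if(!$permission) {
+                        Session::error(_t('Access to that page has been denied by the administrator.'));
+                        $this->get_blank();
+                        return;
                 }
 
@@ -3086,4 +3101,5 @@
                         'import' => array( 'url' => URL::get( 'admin', 'page=import' ), 'title' => _t( 'Import content from another blog' ), 'text' => _t( 'Import' ), 'hotkey' => 'I', 'access'=>array('manage_import'=>true) ),
                         'users' => array( 'url' => URL::get( 'admin', 'page=users' ), 'title' => _t( 'View and manage users' ), 'text' => _t( 'Users' ), 'hotkey' => 'U', 'access'=>array('manage_users'=>true) ),
+                        'profile' => array( 'url' => URL::get( 'admin', 'page=user' ), 'title' => _t( 'Manage your user profile' ), 'text' => _t( 'My Profile' ), 'hotkey' => 'M', 'access'=>array('manage_self'=>true, 'manage_users'=>true) ),
                         'groups' => array( 'url' => URL::get( 'admin', 'page=groups' ), 'title' => _t( 'View and manage groups' ), 'text' => _t( 'Groups' ), 'hotkey' => 'G', 'access'=>array('manage_groups'=>true) ),
                         'logs' => array( 'url' => URL::get( 'admin', 'page=logs'), 'title' => _t( 'View system log messages' ), 'text' => _t( 'Logs' ), 'hotkey' => 'L', 'access'=>array('manage_logs'=>true) ) ,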
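Review bot: In the second hunk the denial (`if(!$permission)`) runs only after the else branch has already reloaded `$edit_user` from the URL value and read `$edit_user->username`, so for a name that `User::get_by_name()` cannot resolve the method fails on that property access before the denied path is reached, whether or not the caller holds manage_users. Resolving the target first and granting `$permission` only when the caller has manage_users and the lookup actually produced a User closes that ordering gap; the rewrite below does that. The same-user test on the context line above (`User::get_by_name(...) == $edit_user`) compares two objects with `==`, i.e. property-wise; if User exposes an id, comparing ids with `===` would make the manage_self grant unambiguous. The enclosing method starts and ends outside the hunk.
```php
                else {
                        $target = User::get_by_name($this->handler_vars['user']);
                        if($edit_user->can('manage_users') && ($target instanceof User)) {
                                $permission = true;
                                $edit_user = $target;
                                $who = $edit_user->username;
                                $possessive = sprintf( _t("%s's User Information"), $who );
                        }
                }
                // … unchanged: Session::error() / get_blank() / return when !$permission …
```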
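--- a/trunk/htdocs/system/classes/installhandler.php
+++ b/trunk/htdocs/system/classes/installhandler.php
@@ -1449,4 +1449,9 @@
                 ACL::create_token( 'manage_self', _t('Edit own profile'), 'Administration' );
         }
+
+        private function upgrade_db_post_3701()
+        {
+                ACL::create_token( 'manage_dash_modules', _t('Manage dashboard modules'), 'Administration' );
+        }
 
         /**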
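Review bot: `upgrade_db_post_3701()` creates the manage_dash_modules token but nothing in this hunk grants it to any existing group, so unless `ACL::create_token()` itself assigns new tokens to administrators, every upgraded site loses the dashboard 'Add Item' control until someone grants the token by hand; worth confirming against how the method that creates manage_self (closing on the first context line, body outside the hunk) handles the same question. The neighbouring upgrade methods carry docblocks (the `/**` on the last context line), while the new one has none; a one-liner such as `/** Create the 'manage_dash_modules' token that gates adding dashboard modules (DB version 3702). */` would keep the file consistent.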
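--- a/trunk/htdocs/system/classes/version.php
+++ b/trunk/htdocs/system/classes/version.php
@@ -15,5 +15,5 @@
         // DB and API versions are aligned with the SVN revision
         // number in which they last changed.
-        const DB_VERSION = 3699;
+        const DB_VERSION = 3702;
         const API_VERSION = 3124;
 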
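--- a/trunk/htdocs/system/plugins/coredashmodules/coredashmodules.plugin.php
+++ b/trunk/htdocs/system/plugins/coredashmodules/coredashmodules.plugin.php
@@ -44,5 +44,11 @@
         function filter_dash_modules( $modules )
         {
-                array_push( $modules, 'Latest Entries', 'Latest Comments', 'Latest Log Activity' );
+                $modules[] = 'Latest Entries';
+                if(User::identify()->can('manage_all_comments')) {
+                        $modules[] = 'Latest Comments';
+                }
+                if(User::identify()->can('manage_logs')) {
+                        $modules[] = 'Latest Log Activity';
+                }
 
                 $this->add_template( 'dash_logs', dirname( __FILE__ ) . '/dash_logs.php' );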
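Review bot: `User::identify()` is called twice in the new body of `filter_dash_modules`; reading it once into a local, `$user = User::identify();` followed by `if($user->can('manage_all_comments')) {` and `if($user->can('manage_logs')) {`, reads better and avoids resolving the current user a second time. This filter only trims the list of modules offered; whether a 'Latest Comments' or 'Latest Log Activity' module a user had already placed on the dashboard before the upgrade is still rendered is not visible from this hunk and is worth checking, since the commit message's goal is that such users cannot view those modules at all. `filter_dash_modules` continues past the hunk.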