author | Scott Ullrich <sullrich@pfsense.org> | 2007-12-28 02:36:31 +0000 |
---|---|---|
committer | Scott Ullrich <sullrich@pfsense.org> | 2007-12-28 02:36:31 +0000 |
commit | 7e4a4513a330b9731e6c9b1e6e571defc2c4c73b (patch) | |
tree | eb7d66d36aebfc22257680c525e1debe96ff758d | |
parent | 9d265058e7693c830f80be173ab09d3ee850ec00 (diff) | |
Allow multiple groups to be assigned per user.
Work sponsored-by: Centipede Networks
-rw-r--r-- | etc/inc/auth.inc | 21 | ||||
-rw-r--r-- | etc/inc/authgui.inc | 12 | ||||
-rw-r--r-- | usr/local/www/system_usermanager.php | 35 |
3 files changed, 49 insertions, 19 deletions
diff --git a/etc/inc/auth.inc b/etc/inc/auth.inc index 0245a1c..41882bf 100644 --- a/etc/inc/auth.inc +++ b/etc/inc/auth.inc @@ -57,6 +57,27 @@ function logout_session() { $scriptName = $scriptName[$scriptElms-1]; } +function getAllowedGroups($logged_in_user) { + global $g, $config; + + $final_allowed = array(); + + foreach($config['system']['user'] as $username) { + if($username['name'] = $logged_in_user) + $allowed_groups = explode(",", $username['groupname']); + } + + foreach($config['system']['group'] as $group) { + if(in_array($group['name'], $allowed_groups)) { + foreach($group['pages'] as $page) { + $allowed[] = $page; + } + } + } + + return $allowed; +} + function &getSystemAdminNames() { global $config, $g, $userindex; $adminUsers = array(); diff --git a/etc/inc/authgui.inc b/etc/inc/authgui.inc index 92214f7..c3d6f32 100644 --- a/etc/inc/authgui.inc +++ b/etc/inc/authgui.inc @@ -68,11 +68,13 @@ if (isset($_POST['scriptname']) && isSystemAdmin($HTTP_SERVER_VARS['AUTH_USER']) // Once here, the user has authenticated with the web server. // Now, we give them access only to the appropriate pages for their group. if (!(isSystemAdmin($HTTP_SERVER_VARS['AUTH_USER']))) { - $allowed[] = ''; - if (isset($config['system']['group'][$groupindex[$config['system']['user'][$userindex[$HTTP_SERVER_VARS['AUTH_USER']]]['groupname']]]['pages'])) { - $allowed = &$config['system']['group'][$groupindex[$config['system']['user'][$userindex[$HTTP_SERVER_VARS['AUTH_USER']]]['groupname']]]['pages']; - } - $g['privs'] = $allowed; + $g['privs'] = getAllowedGroups($HTTP_SERVER_VARS['AUTH_USER']); + $allowed = $g['privs']; + + $allowed_groups = print_r($g['privs'],true); + $fdny = fopen("/tmp/groups", "w"); + fwrite($fdny, $allowed_groups); + fclose($fdny); $group = $config['system']['user'][$userindex[$HTTP_SERVER_VARS['AUTH_USER']]]['groupname']; /* get the group homepage, to be able to forward 
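Review bot: `if($username['name'] = $logged_in_user)` in the new getAllowedGroups() is an assignment, not a comparison, so it is true for every entry and `$allowed_groups` ends up holding the groups of the last user in `$config['system']['user']` rather than the authenticated one — a non-admin user is then granted whichever pages the last-listed user's groups allow. It should read `if ($username['name'] == $logged_in_user)`, and the loop can `break` once the user is found. `$allowed` and `$allowed_groups` are also never initialised, so a user with no matching group returns null instead of an empty array (and `in_array()` would warn on a null haystack); initialise both with `array()` and drop the unused `$final_allowed`. The function returns page names rather than groups, so a header comment such as `/* Return the pages granted by the user's groups; empty array if none match. */` would save the next reader a misreading of the name.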
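Review bot: The four added lines that `print_r` the user's privilege list into `/tmp/groups` look like leftover debugging and should not ship: `fopen("/tmp/groups", "w")` uses a fixed, predictable path in a shared directory, each login overwrites it, with the web server's default umask the page list is likely readable by any local account, and a symlink pre-planted at that path would redirect the write. Remove the `$allowed_groups = print_r(...)`, `fopen`, `fwrite` and `fclose` lines, or route the trace through the system log if it is still needed. Separately, the removed code guaranteed `$allowed` was an array (`$allowed[] = ''`), whereas getAllowedGroups() as written can hand back null when no group matches, so normalise it here, e.g. `$allowed = is_array($g['privs']) ? $g['privs'] : array();` — what consumes `$g['privs']` further down is outside this hunk.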
diff --git a/usr/local/www/system_usermanager.php b/usr/local/www/system_usermanager.php index b4b7872..73e0a85 100644 --- a/usr/local/www/system_usermanager.php +++ b/usr/local/www/system_usermanager.php @@ -44,9 +44,8 @@ if (isSystemAdmin($HTTP_SERVER_VARS['AUTH_USER'])) { if (isset($_POST['id'])) $id = $_POST['id']; - if (!is_array($config['system']['user'])) { - $config['system']['user'] = array(); - } + if (!is_array($config['system']['user'])) + $config['system']['user'] = array(); admin_users_sort(); $a_user = &$config['system']['user']; @@ -110,9 +109,11 @@ if (isSystemAdmin($HTTP_SERVER_VARS['AUTH_USER'])) { } } - if ($pconfig['utype'] <> "system" && !isset($groupindex[$_POST['groupname']])) { - $input_errors[] = gettext("group does not exist, please define the group before assigning users."); - } + foreach($_POST['groupname'] as $groupname) { + if ($pconfig['utype'] <> "system" && !isset($groupindex[$groupname])) { + $input_errors[] = gettext("group {$groupname} does not exist, please define the group before assigning users."); + } + } if (isset($config['system']['ssh']['sshdkeyonly']) && empty($_POST['authorizedkeys'])) { @@ -130,6 +131,8 @@ if (isSystemAdmin($HTTP_SERVER_VARS['AUTH_USER'])) { if (isset($id) && $a_user[$id]) $userent = $a_user[$id]; + + /* the user did change his username */ if ($_POST['usernamefld'] <> $_POST['oldusername']) { $_SERVER['REMOTE_USER'] = $_POST['usernamefld']; @@ -137,9 +140,10 @@ if (isSystemAdmin($HTTP_SERVER_VARS['AUTH_USER'])) { $userent['name'] = $_POST['usernamefld']; $userent['fullname'] = $_POST['fullname']; - if ($pconfig['utype'] <> "system") { - $userent['groupname'] = $_POST['groupname']; - } + + if ($pconfig['utype'] <> "system") + $userent['groupname'] = implode(",", $_POST['groupname']); + isset($_POST['utype']) ? $userent['scope'] = $_POST['utype'] : $userent['scope'] = "system"; if ($_POST['passwordfld1']) 
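Review bot: The new `foreach($_POST['groupname'] as $groupname)` in the validation hunk assumes the field always arrives as an array; a request that omits it (a disabled select for `utype == "system"` submits nothing) or sends a plain string makes `foreach` emit a warning and skip the existence check entirely, and the later `implode(",", $_POST['groupname'])` in this file carries the same assumption. Guard it once, e.g. `$groupnames = is_array($_POST['groupname']) ? $_POST['groupname'] : array();`, and iterate over that in both places. Also, `gettext("group {$groupname} does not exist, ...")` interpolates the user-supplied name into the msgid, which defeats translation lookup; prefer `sprintf(gettext("group %s does not exist, please define the group before assigning users."), htmlspecialchars($groupname))` — the escaping is a precaution, since whether `$input_errors` is escaped at display time is not visible in this hunk.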
@@ -189,7 +193,7 @@ if (isSystemAdmin($HTTP_SERVER_VARS['AUTH_USER'])) { if (isset($id) && $a_user[$id]) { $pconfig['usernamefld'] = $a_user[$id]['name']; $pconfig['fullname'] = $a_user[$id]['fullname']; - $pconfig['groupname'] = $a_user[$id]['groupname']; + $pconfig['groupname'] = split(",", $a_user[$id]['groupname']); $pconfig['utype'] = $a_user[$id]['scope']; $pconfig['authorizedkeys'] = base64_decode($a_user[$id]['authorizedkeys']); } @@ -307,15 +311,15 @@ if (isSystemAdmin($HTTP_SERVER_VARS['AUTH_USER'])) { <tr> <td width="22%" valign="top" class="vncell"><?=gettext("Group Name");?></td> <td width="78%" class="vtable"> - <select name="groupname" class="formselect" id="groupname" <?php if ($pconfig['utype'] == "system") { echo "disabled=\"disabled\" "; } ?>> + <select size="10" name="groupname[]" class="formselect" id="groupname" <?php if ($pconfig['utype'] == "system") { echo "disabled=\"disabled\" "; } ?> MULTIPLE> <?php foreach ($config['system']['group'] as $group): ?> - <option value="<?=$group['name'];?>" <?php if ($group['name'] == $pconfig['groupname']) { echo "selected"; } ?>> + <option value="<?=$group['name'];?>" <?php if (in_array($group['name'],$pconfig['groupname'])) { echo "selected"; } ?>> <?=htmlspecialchars($group['name']);?> </option> <?php endforeach;?> </select> <br /> - <?=gettext("The admin group to which this user is assigned.");?> + <?=gettext("Hold down CTRL (pc)/COMMAND (mac) key to select multiple items");?> </td> </tr> <tr> @@ -363,7 +367,10 @@ if (isSystemAdmin($HTTP_SERVER_VARS['AUTH_USER'])) { </td> <td class="listr"><?=htmlspecialchars($userent['fullname']);?> </td> <td class="listbg"> - <font color="white"><?=htmlspecialchars($userent['groupname']);?></font> + <?php + $groupname = split(",", $userent['groupname']); + ?> + <font color="white"><?=htmlspecialchars(implode(",",$groupname));?></font> </td> <td valign="middle" nowrap class="list"> <a href="system_usermanager.php?act=edit&id=<?=$i;?>"> |
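Review bot: `split(",", $a_user[$id]['groupname'])` uses the POSIX-regex `split()` where the rest of this change uses the plain string functions (`explode(",", ...)` in getAllowedGroups, `implode(",", ...)` on save); use `explode(",", $a_user[$id]['groupname'])` here so the read is the exact inverse of the write (the regex variant was later deprecated in PHP 5.3). Note that an empty stored groupname yields `array("")` from either function, so the form will look for a group named "" — harmless, but worth a comment: `/* stored as comma-separated group names; an empty string yields array("") */`.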
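Review bot: `in_array($group['name'],$pconfig['groupname'])` on the re-emitted `<option>` line runs for a new user as well, where `$pconfig['groupname']` is only filled in the `$a_user[$id]` edit branch, so PHP warns on every option; guard it with `is_array($pconfig['groupname']) && in_array($group['name'], $pconfig['groupname'], true)`. The same line still prints `value="<?=$group['name'];?>"` raw while the visible text goes through `htmlspecialchars`; a group name containing a quote breaks out of the attribute, so use `value="<?=htmlspecialchars($group['name']);?>"`. The replaced help text no longer says what the field is for; `Groups to which this user is assigned. Hold down CTRL (pc)/COMMAND (mac) key to select multiple items` keeps both.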
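Review bot: The `split(",", $userent['groupname'])` immediately followed by `implode(",", $groupname)` in the list-page hunk is a round trip that reproduces the stored string unchanged, so the three added PHP lines do nothing the removed `htmlspecialchars($userent['groupname'])` did not already do. Either restore the single-line form or, if the intent is a more readable list, render it as such, e.g. `htmlspecialchars(str_replace(",", ", ", $userent['groupname']))`. Keeping `htmlspecialchars` on the output is right either way, since group names come from the editable config.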