authorPhil Davis <phil.davis@inf.org>2017-01-02 17:45:37 +0545
committerPhil Davis <phil.davis@inf.org>2017-01-02 17:45:37 +0545
commit57188e4752b9606c54cd49f4d8f96ec0fc38f8f3 (patch)
treec035bdc261d27847a7dd4667f7a3d83ff8a2fe18 /src/usr/local/www/system_usermanager.php
parent8db81fbcaa33012cb4fa573312a8f72ed3660dd1 (diff)
downloadpfsense-57188e4752b9606c54cd49f4d8f96ec0fc38f8f3.zip
pfsense-57188e4752b9606c54cd49f4d8f96ec0fc38f8f3.tar.gz
Add security notes for privilege assignment pages
Suggested solution for Redmine 2247
Diffstat (limited to 'src/usr/local/www/system_usermanager.php')
-rw-r--r--src/usr/local/www/system_usermanager.php20
1 files changed, 19 insertions, 1 deletions
diff --git a/src/usr/local/www/system_usermanager.php b/src/usr/local/www/system_usermanager.php
index fca8657..c4bca18 100644
--- a/src/usr/local/www/system_usermanager.php
+++ b/src/usr/local/www/system_usermanager.php
@@ -29,6 +29,7 @@
##|*IDENT=page-system-usermanager
##|*NAME=System: User Manager
##|*DESCR=Allow access to the 'System: User Manager' page.
+##|*WARN=standard-warning-root
##|*MATCH=system_usermanager.php*
##|-PRIV
@@ -443,6 +444,7 @@ function build_priv_table() {
$privhtml .= '<tbody>';
$i = 0;
+ $user_has_root_priv = false;
foreach (get_user_privdesc($a_user[$id]) as $priv) {
$group = false;
@@ -453,7 +455,12 @@ function build_priv_table() {
$privhtml .= '<tr>';
$privhtml .= '<td>' . htmlspecialchars($priv['group']) . '</td>';
$privhtml .= '<td>' . htmlspecialchars($priv['name']) . '</td>';
- $privhtml .= '<td>' . htmlspecialchars($priv['descr']) . '</td>';
+ $privhtml .= '<td>' . htmlspecialchars($priv['descr']);
+ if (isset($priv['warn']) && ($priv['warn'] == 'standard-warning-root')) {
+ $privhtml .= ' ' . gettext('(root privilege)');
+ $user_has_root_priv = true;
+ }
+ $privhtml .= '</td>';
$privhtml .= '<td>';
if (!$group) {
$privhtml .= '<a class="fa fa-trash no-confirm icon-pointer" title="' . gettext('Delete Privilege') . '" id="delprivid' . $i . '"></a>';
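Review bot: The "(root privilege)" marker on the description cell depends entirely on `$priv['warn']` matching one hard-coded string, compared with a loose `==`. A privilege whose definition lacks the tag is therefore listed with no marker even if it grants equivalent access; whether every such page has been tagged cannot be seen in this diff. Prefer `if (isset($priv['warn']) && $priv['warn'] === 'standard-warning-root') {` and add a comment such as `// 'warn' is presumably populated from the ##|*WARN tag in the page's privilege header`. The flag is set before the `if (!$group)` check, so group-inherited privileges appear to count as well, which is worth stating in that comment. build_priv_table() begins and ends outside the hunk.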
@@ -467,6 +474,17 @@ function build_priv_table() {
}
}
+ if ($user_has_root_priv) {
+ $privhtml .= '<tr>';
+ $privhtml .= '<td colspan="3">';
+ $privhtml .= '<b>' . gettext('Security notice: This user effectively has root privilege') . '</b>';
+ $privhtml .= '</td>';
+ $privhtml .= '<td>';
+ $privhtml .= '</td>';
+ $privhtml .= '</tr>';
+
+ }
+
$privhtml .= '</tbody>';
$privhtml .= '</table>';
$privhtml .= '</div>';
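Review bot: The security notice is rendered as plain bold text in the last table row, where it is easy to miss below a long privilege list, and no other notice that the account is root-equivalent is visible in this diff. Consider giving the cell a warning style, for example `$privhtml .= '<td colspan="3" class="text-danger">';`, assuming the page's Bootstrap theme provides that class. A comment above the block would help the next maintainer: `// At least one listed privilege is tagged standard-warning-root`. The empty line before the closing `}` of the `if` is stray. build_priv_table() continues outside the hunk.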