authorAleksander Machniak <machniak@kolabsys.com>2014-08-25 18:27:23 (GMT)
committerAleksander Machniak <machniak@kolabsys.com>2014-08-25 18:27:23 (GMT)
commitfbaa3f865eacc5fb78b2fc5149cba4b68e3a5769 (patch)
tree0720ff678747f1d071b51fb260617e23236aa526 /plugins/kolab_auth
parent89f65253bd736a71fbfdd7bde31581c8f6762068 (diff)
downloadroundcubemail-plugins-kolab-fbaa3f865eacc5fb78b2fc5149cba4b68e3a5769.tar.gz
Add option to define list of tasks to which an admin has access (#3444)
E.g. allow admins (using "Login as" feature) to see only user settings.
Diffstat (limited to 'plugins/kolab_auth')
-rw-r--r--plugins/kolab_auth/config.inc.php.dist5
-rw-r--r--plugins/kolab_auth/kolab_auth.php44
2 files changed, 49 insertions, 0 deletions
diff --git a/plugins/kolab_auth/config.inc.php.dist b/plugins/kolab_auth/config.inc.php.dist
index 57ee79c..17c0915 100644
--- a/plugins/kolab_auth/config.inc.php.dist
+++ b/plugins/kolab_auth/config.inc.php.dist
@@ -50,6 +50,11 @@ $config['kolab_auth_role_value'] = '';
// which adds privilege to login as another user.
$config['kolab_auth_group'] = '';
+// List of tasks to which admin has access when logged in as another user.
+// To limit usage to Settings only use: array('settings'). Default: array() - all tasks.
+// When defined all non-authorized requests will be redirected to first task on the list.
+$config['kolab_auth_allowed_tasks'] = array();
+
// Enable plugins on a role-by-role basis. In this example, the 'acl' plugin
// is enabled for people with a 'cn=professional-user,dc=mykolab,dc=ch' role.
//
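Review bot: The comment for `kolab_auth_allowed_tasks` does not spell out that the shipped default `array()` leaves an admin using "Login as" unrestricted, so the limit exists only once a site opts in. It should also say that the value must be an array of task names, and that `login` and `logout` are always reachable because the check in `kolab_auth.php` exempts them. That check compares only the task name, so the comment should not suggest finer-grained control. Suggested addition: `// NOTE: an empty list disables the restriction; 'login' and 'logout' are always allowed.`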
diff --git a/plugins/kolab_auth/kolab_auth.php b/plugins/kolab_auth/kolab_auth.php
index 2b685a7..86f1649 100644
--- a/plugins/kolab_auth/kolab_auth.php
+++ b/plugins/kolab_auth/kolab_auth.php
@@ -83,8 +83,30 @@ class kolab_auth extends rcube_plugin
}
}
+ /**
+ * Startup hook handler
+ */
public function startup($args)
{
+ $rcmail = rcube::get_instance();
+
+ // Check access rights when logged in as another user
+ if (!empty($_SESSION['kolab_auth_admin']) && $rcmail->task != 'login' && $rcmail->task != 'logout') {
+ $tasks = $rcmail->config->get('kolab_auth_allowed_tasks');
+ // access to specified task is forbidden,
+ // redirect to the first task on the list
+ if (!empty($tasks)) {
+ if (!in_array($rcmail->task, (array) $tasks)) {
+ header('Location: ?_task=' . array_shift($tasks));
+ die;
+ }
+
+ // add script that will remove disabled taskbar buttons
+ $this->add_hook('render_page', array($this, 'render_page'));
+ }
+ }
+
+ // load per-user settings
$this->load_user_role_plugins_and_settings();
return $args;
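Review bot: In `startup()` the list is cast with `(array)` for the `in_array()` test but handed uncast to `array_shift()`, which does not accept a string, so a scalar setting such as `'settings'` would pass the membership test for that task and break the redirect for every other one. Normalise once with `$tasks = (array) $rcmail->config->get('kolab_auth_allowed_tasks');` and compare strictly with `in_array($rcmail->task, $tasks, true)`, so the access decision does not depend on loose comparison if a non-string value such as `true` ends up in the list. The redirect target could then be built as `'Location: ?_task=' . urlencode((string) reset($tasks))`. The end of `startup()` lies outside this hunk.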
@@ -634,6 +656,28 @@ class kolab_auth extends rcube_plugin
}
/**
+ * Action executed before the page is rendered to add an onload script
+ * that will remove all taskbar buttons for disabled tasks
+ */
+ public function render_page($args)
+ {
+ $rcmail = rcube::get_instance();
+ $tasks = $rcmail->config->get('kolab_auth_allowed_tasks');
+ $tasks[] = 'logout';
+
+ // disable buttons in taskbar
+ $script = "
+ \$('a').filter(function() {
+ var ev = \$(this).attr('onclick');
+ return ev && ev.match(/'switch-task','([a-z]+)'/)
+ && \$.inArray(RegExp.\$1, " . json_encode($tasks) . ") < 0;
+ }).remove();
+ ";
+
+ $rcmail->output->add_script($script, 'docready');
+ }
+
+ /**
* Initializes LDAP object and connects to LDAP server
*/
public static function ldap()
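Review bot: `render_page()` appends with `$tasks[] = 'logout'` without the `(array)` cast that `startup()` applies, so a scalar config value would raise an error here; use `$tasks = (array) $rcmail->config->get('kolab_auth_allowed_tasks');`. The docblock should state that removing taskbar buttons is a UI convenience and that the server-side check in `startup()` is what enforces the restriction, e.g. `* UI hint only; access is enforced in startup().` The pattern `([a-z]+)` matches lowercase letters only, so a button for a task whose name contains other characters would stay visible, though the request would still be redirected. If `add_script()` emits the script inline, `json_encode($tasks, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT)` would keep list values from being read as markup.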