path: root/www/admin/user/user.php.in
authorGunnar Wrobel <wrobel@pardus.de>2007-02-01 20:34:38 (GMT)
committerGunnar Wrobel <wrobel@pardus.de>2007-02-01 20:34:38 (GMT)
commitcc42eebf84bbf644b8860321baf8c3def4f8a6b0 (patch)
tree3b9ae29e4458b70c1e69cf7baa0cec4d69811289 /www/admin/user/user.php.in
parent1489858f0495db9fb9cf232480eb0b03712c21ff (diff)
downloadkolab-webadmin-cc42eebf84bbf644b8860321baf8c3def4f8a6b0.tar.gz
* www/admin/user/user.php.in (inMaintainerDomain):
New function to support checking if a given user lies in the domains of the current domain-maintainer. Should fix issue 1559 (https://intevation.de/roundup/kolab/issue1559)
Diffstat (limited to 'www/admin/user/user.php.in')
-rw-r--r--www/admin/user/user.php.in50
1 files changed, 46 insertions, 4 deletions
diff --git a/www/admin/user/user.php.in b/www/admin/user/user.php.in
index 0e739ef..a4cdba0 100644
--- a/www/admin/user/user.php.in
+++ b/www/admin/user/user.php.in
@@ -51,6 +51,40 @@ function endsWith( $str, $sub ) {
return ( substr( $str, strlen( $str ) - strlen( $sub ) ) == $sub );
}
+// check if the given dn is maintainable by the current user
+function inMaintainerDomain($dn) {
+
+ global $ldap;
+ global $auth;
+
+ // both groups have full access
+ if ($auth->group() == 'maintainer' || $auth->group() == 'admin') {
+ return true;
+ }
+
+ // user may not maintain anything
+ if ($auth->group() == 'user') {
+ return false;
+ }
+
+ // we have a domain maintainer. Get his domains
+ $domains = $ldap->domainsForMaintainerDn($auth->dn());
+
+ // retrieve the mail for the current dn
+ $mail = $ldap->mailForDn($dn);
+
+ $ok = false;
+
+ // Check if the mail is within that domain
+ foreach( $domains as $domain ) {
+ if( endsWith( $mail, '@'.$domain ) ) {
+ $ok = true;
+ }
+ }
+
+ return true;
+}
+
// Check that a uid is unique
function checkuniquemail( $form, $key, $value ) {
debug("checkuniquemail( $form, $key, $value )");
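Review bot: `inMaintainerDomain` never returns false for a domain-maintainer: the loop sets `$ok` when the mail address ends with one of the maintainer's domains, but the function then ends with `return true;` regardless, so `$ok` is dead and every domain-maintainer passes the new permission check for any DN (the two callers in this commit fail closed only on a false return). The last statement should be `return $ok;`. With that fix the function also correctly denies when `$ldap->mailForDn($dn)` yields nothing, since `endsWith('', '@'.$domain)` is false; whether a DN can carry several mail values that should all be checked cannot be told from this hunk and is worth confirming against `mailForDn`. The loop could `return true` on the first match, and a short header comment stating the contract would help, e.g. `// Returns true when $dn's mail address belongs to one of the current domain-maintainer's domains (admin/maintainer: always true, user: always false).`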
@@ -350,7 +384,9 @@ if (!$errors && $auth->group() != 'maintainer' && $auth->group() != 'admin' &&
!($auth->group() == 'user' && $dn == $auth->dn() )) {
array_push($errors, _("Error: You don't have the required Permissions") );
} else if( $auth->group() == 'domain-maintainer' ) {
- // TODO(steffen): Check that user is in correct domain(s)
+ if (!inMaintainerDomain($dn)) {
+ array_push($errors, _("Error: You don't have the required Permissions") );
+ }
}
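Review bot: The new check passes `$dn` straight into `inMaintainerDomain` without testing that it is set; if this code path is also reached when a domain-maintainer creates a new user (where no DN exists yet), the lookup runs on an empty DN and the domain of the address entered in the form is never checked — I cannot confirm from this hunk whether the create case goes through here, so please verify. If it does, guard with `if (!$dn || !inMaintainerDomain($dn))` or validate the submitted mail's domain against `domainsForMaintainerDn` separately. The enclosing `if` chain begins before this hunk.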
@@ -767,9 +803,15 @@ switch( $action ) {
$content = $form->outputForm();
break;
case 'kill':
- if (!$dn) array_push($errors, _("Error: need DN for delete operation"));
- elseif ($auth->group() != "maintainer" && $auth->group() != "admin")
- array_push($errors, _("Error: you need administrative permissions to delete users"));
+ if (!$dn) {
+ array_push($errors, _("Error: need DN for delete operation"));
+ } elseif ( $auth->group() == 'domain-maintainer' ) {
+ if (!inMaintainerDomain($dn)) {
+ array_push($errors, _("Error: You don't have the required Permissions") );
+ }
+ } elseif ($auth->group() != "maintainer" && $auth->group() != "admin") {
+ array_push($errors, _("Error: you need administrative permissions to delete users"));
+ }
// Check for distribution lists with only this user as member
$ldap->search( $_SESSION['base_dn'],