auth: admin permissions per function

Replace generic .admin files by lines of right identifiers.
Check specific rights for: edit, user, site, news, foto.

diff --git a/auth.inc.php b/auth.inc.php
index 4d9b29e2a297f00e05184cdb954e54c802d1c958..a1ccedf50cf16ea328ac107e4c8ee8fd9326fa15 100644 (file)
--- a/auth.inc.php
+++ b/auth.inc.php
@@ -37,9 +37,15 @@ class User
                return rtrim(@file_get_contents("{$this->dir}/email.txt"));
        }
 
-       function admin()
+       function admin($permission = NULL)
        {
-               return @file_exists("{$this->dir}/.admin");
+               if (isset($permission)) {
+                       return $this->admin && isset($this->admin[$permission]);  # check level
+               }
+               if (!@file_exists("{$this->dir}/.admin")) {
+                       return FALSE;  # not an admin
+               }
+               return array_fill_keys(explode("\n", file_get_contents("{$this->dir}/.admin")), TRUE);
        }
 
        function seen()

diff --git a/edit/foto/cover/index.php b/edit/foto/cover/index.php
index b863f02b0a8bab5bbca8da87abcf1348f2ac6895..3ae5dcf99f6e0d4e251eff101c1b0c20b6b4662a 100644 (file)
--- a/edit/foto/cover/index.php
+++ b/edit/foto/cover/index.php
@@ -1,7 +1,7 @@
 <?php
 ob_clean();
 
-if (!$User or !$User->admin) {
+if (!$User or !$User->admin('foto')) {
        http_response_code(403);
        print "Beheerrechten verplicht voor instellen van covers\n";
        exit;

diff --git a/edit/nieuws/tag/index.php b/edit/nieuws/tag/index.php
index 0152be4786fd0f1003b5a2c7e75b58a1dca408a5..01a385c0c1175b987204b1f7fcb8bb6960824d75 100644 (file)
--- a/edit/nieuws/tag/index.php
+++ b/edit/nieuws/tag/index.php
@@ -1,7 +1,7 @@
 <?php
 ob_clean();
 
-if (!$User or !$User->admin)
+if (!$User or !$User->admin('news'))
        abort("geen beheersrechten", '401 unauthorised');
 
 if (!$_POST)

diff --git a/edit/page/index.php b/edit/page/index.php
index 1daed8542c798f9b64e087c4afd523c7be933b1a..20ebcc5d9aa247636c7e9f6dd82172069f3dde44 100644 (file)
--- a/edit/page/index.php
+++ b/edit/page/index.php
@@ -1,7 +1,7 @@
 <?php
 ob_clean();
 
-if (!$User or !$User->admin)
+if (!$User or !$User->admin('edit'))
        abort("geen beheersrechten", '401 unauthorised');
 
 if ($_FILES) {

diff --git a/foto/album.inc.php b/foto/album.inc.php
index 6d706ca99769bd5c37a3dfc7c46d20c2f55f1cb4..42061d7624f805fa0807df62267d6e27dd652b55 100644 (file)
--- a/foto/album.inc.php
+++ b/foto/album.inc.php
@@ -24,7 +24,7 @@ function openphotoswipe(index) {
                closeElClasses: [], 
                shareButtons: [
 <?php
-if ($User and $User->admin) {
+if ($User and $User->admin('foto')) {
        printf("\t\t\t{id:'%s', label:'%s', url:'%s'},\n",
                'cover', 'Cover instellen', "/edit/foto/cover$Args?img={{image_url}}"
        );

diff --git a/foto/index.php b/foto/index.php
index 358ef942aae9bf492c13358ad22b6cb685fbd4c1..550e7a3e674870ecf7909aba100a53ccc9fadf57 100644 (file)
--- a/foto/index.php
+++ b/foto/index.php
@@ -3,7 +3,7 @@ $intro = ob_get_clean();
 
 $rootdir = $Page . $Args;
 
-if ($User and $User->admin) {
+if ($User and $User->admin('foto')) {
        $access = '🔓 Openbaar';
        if (isset($PageAccess)) {
                $access = "🔒 Bewoners";

diff --git a/login/admin/index.php b/login/admin/index.php
index 1677b1b8b592bb0b994a90b115064af691aeba85..28f513d8a3e506f28af95c4525f9d2d95d83818a 100644 (file)
--- a/login/admin/index.php
+++ b/login/admin/index.php
@@ -1,5 +1,5 @@
 <?php
-if (!$User or !$User->admin) {
+if (!$User or !$User->admin('site')) {
        ob_clean();
        http_response_code(403);
 ?>

diff --git a/nieuws/index.php b/nieuws/index.php
index 8b82b61fb6f4b15a8b25ae9ce6028f295a6eedcf..9e972676ffd8eccc974e8cd41f2ca764b8cd3962 100644 (file)
--- a/nieuws/index.php
+++ b/nieuws/index.php
@@ -2,18 +2,18 @@
 $replyform = $Page == 'melding' && !empty($User);
 @list ($year, $page) = explode('/', trim($Args, '/'));
 
-if ($User and $User->admin) {
+if ($User and $User->admin('news')) {
        print '<script src="/nieuws/edit.js"></script>'."\n";
 }
 
 if ($page and !is_numeric($page)) {
-       $edit = $User && $User->admin ? htmlspecialchars(@$_GET['edit']) : NULL;
+       $edit = $User && $User->admin('news') ? htmlspecialchars(@$_GET['edit']) : NULL;
        if ($edit) {
                $Article->title = $edit;
        }
        $Place[1] = ' <small class="date">'.$Article->date.'</small>';
        print preg_replace('{(?<=<h2>)(.*?)(?=</h2>)}', ($edit ?: '\1').' [[1]]', ob_get_clean());
-       if ($User and $User->admin) {
+       if ($User and $User->admin('news')) {
                $taglist = [];
                foreach (glob("$Page/.tags/*") as $tagpath) {
                        $tagname = pathinfo($tagpath, PATHINFO_BASENAME);

diff --git a/page.inc.php b/page.inc.php
index 8298c6d4482ca806b747380433696f0634334cbf..c93fcbcd9b68898073c569bac9eb6522b0af93ab 100644 (file)
--- a/page.inc.php
+++ b/page.inc.php
@@ -10,7 +10,7 @@ ob_start();
 if ($User) {
        print '<div class="login"><p>';
        printf('<span>Ingelogd: <b><a href="%s">%s</a></b></span>', '/login', $User->login);
-       if ($User->admin) {
+       if ($User->admin('edit')) {
                $editpage = $Page.$Args;
                if (is_dir($editpage)) {
                        if (file_exists("$editpage/index.html")) {
@@ -44,7 +44,7 @@ register_shutdown_function(function () {
        print "</footer>\n";
 
        global $User;
-       if ($User and $User->admin) {
+       if ($User and $User->admin('edit')) {
                $ckesrc = '/lib/ckeditor'; # local install
                if (!file_exists(DOCROOT . $ckesrc)) {
                        $ckesrc = '//cdn.ckeditor.com/4.7.3/full-all'; # remote fallback

diff --git a/page.php b/page.php
index 5e529850e3bca3f51e1e1d59ca3fc173de845a94..c2c4282ab1b38bce9cfc0cfa172d952056acc551 100644 (file)
--- a/page.php
+++ b/page.php
@@ -159,7 +159,7 @@ if (file_exists("$Page$Args.html")) {
 elseif (file_exists("$Page$Args/index.html")) {
        $staticpage = "$Page$Args/index.html";
 }
-elseif ($User and $User->admin) {
+elseif ($User and $User->admin('edit')) {
        $staticpage = (file_exists("$Page/template.html") ? "$Page/template.html" : 'template.html');
 }
 

diff --git a/widget/login/edit.php b/widget/login/edit.php
index d6ee4c905c8dc5663e76a9d0febfcd478c0eb408..0d61a4f2a029e2ffa2a3758da6e09c8f47ee1fe9 100644 (file)
--- a/widget/login/edit.php
+++ b/widget/login/edit.php
@@ -4,7 +4,7 @@ if (empty($user = &$User)) {
        return;
 }
 
-if ($User->admin
+if ($User->admin('user')
 and !empty($Place['user']) and $Place['user'] !== $User->login) {
        $username = strtolower($Place['user']);
        unset($user);
@@ -15,7 +15,7 @@ require_once('edit.inc.php');
 
 foreach ($cols as $col => &$colconf) {
        if (isset($colconf['visible'])) {
-               if ($colconf['visible'] == 'admin' and !$User->admin) {
+               if ($colconf['visible'] == 'admin' and !$User->admin('user')) {
                        $colconf['visible'] = FALSE;
                        continue;
                }

diff --git a/widget/login/list.php b/widget/login/list.php
index 698b805dc30bb9989e4bb780be94d50aa05b0957..da4acd20c4b083fe8e10ebbb6295f39d612100dd 100644 (file)
--- a/widget/login/list.php
+++ b/widget/login/list.php
@@ -38,7 +38,7 @@ print ">\n";
 
 foreach ($users as $user) {
        $name = $user->name ?: $user->login;
-       if ($GLOBALS['User'] and $GLOBALS['User']->admin) {
+       if ($GLOBALS['User'] and $GLOBALS['User']->admin('user')) {
                $link = '/login/edit/'.$user->login;
                $name = sprintf('<a href="%s">%s</a>', $link, $name);
        }