


  1. <?php
  2. /**
  3. *
  4. * This file is part of HESK - PHP Help Desk Software.
  5. *
  6. * (c) Copyright Klemen Stirn. All rights reserved.
  7. * https://www.hesk.com
  8. *
  9. * For the full copyright and license agreement information visit
  10. * https://www.hesk.com/eula.php
  11. *
  12. */
  13. define('IN_SCRIPT', 1);
  14. define('HESK_PATH', '../');
  15. define('VALIDATOR', 1);
  16. define('PAGE_TITLE', 'ADMIN_PERMISSION_TPL');
  17. define('MFH_PAGE_LAYOUT', 'TOP_ONLY');
  18. /* Get all the required files and functions */
  19. require(HESK_PATH . 'hesk_settings.inc.php');
  20. require(HESK_PATH . 'inc/common.inc.php');
  21. require(HESK_PATH . 'inc/admin_functions.inc.php');
  22. require(HESK_PATH . 'inc/mail_functions.inc.php');
  23. hesk_load_database_functions();
  24. hesk_session_start();
  25. hesk_dbConnect();
  26. hesk_isLoggedIn();
  27. /* Check permissions for this feature */
  28. hesk_checkPermission('can_man_permission_tpl');
  29. /* What should we do? */
  30. if ($action = hesk_REQUEST('a')) {
  31. if ($action == 'save') {
  32. save();
  33. } elseif ($action == 'create') {
  34. create();
  35. } elseif ($action == 'delete') {
  36. deleteTemplate();
  37. }
  38. }
  39. /* Print header */
  40. require_once(HESK_PATH . 'inc/headerAdmin.inc.php');
  41. /* Print main manage users page */
  42. require_once(HESK_PATH . 'inc/show_admin_nav.inc.php');
  43. $modsForHesk_settings = mfh_getSettings();
  44. $res = hesk_dbQuery("SELECT * FROM `" . hesk_dbEscape($hesk_settings['db_pfix']) . "permission_templates` ORDER BY `name` ASC");
  45. $templates = array();
  46. while ($row = hesk_dbFetchAssoc($res)) {
  47. $templates[] = $row;
  48. }
  49. $featureArray = hesk_getFeatureArray();
  50. $orderBy = $modsForHesk_settings['category_order_column'];
  51. $res = hesk_dbQuery("SELECT * FROM `" . hesk_dbEscape($hesk_settings['db_pfix']) . "categories` ORDER BY `" . $orderBy . "` ASC");
  52. $categories = array();
  53. while ($row = hesk_dbFetchAssoc($res)) {
  54. $categories[] = $row;
  55. }
  56. ?>
  57. <div class="content-wrapper">
  58. <section class="content">
  59. <?php hesk_handle_messages(); ?>
  60. <div class="box">
  61. <div class="box-header with-border">
  62. <h1 class="box-title">
  63. <?php echo $hesklang['manage_permission_groups']; ?>
  64. <i class="fa fa-question-circle settingsquestionmark" data-toggle="tooltip" data-placement="right"
  65. title="<?php echo $hesklang['manage_permission_groups_help']; ?>"></i>
  66. </h1>
  67. <div class="box-tools pull-right">
  68. <button type="button" class="btn btn-box-tool" data-widget="collapse">
  69. <i class="fa fa-minus"></i>
  70. </button>
  71. </div>
  72. </div>
  73. <div class="box-body">
  74. <div class="text-right">
  75. <a href="#" data-toggle="modal" data-target="#modal-template-new" class="btn btn-success nu-floatRight">
  76. <i class="fa fa-plus-circle"></i> <?php echo $hesklang['create_new']; ?>
  77. </a>
  78. </div>
  79. <table class="table table-striped">
  80. <thead>
  81. <tr>
  82. <th><?php echo $hesklang['name']; ?></th>
  83. <th><?php echo $hesklang['number_of_users']; ?></th>
  84. <th><?php echo $hesklang['actions']; ?></th>
  85. </tr>
  86. </thead>
  87. <tbody>
  88. <?php foreach ($templates as $row): ?>
  89. <tr>
  90. <td><?php echo $row['name']; ?></td>
  91. <td><?php echo getNumberOfUsersWithPermissionGroup($row['id']); ?></td>
  92. <td>
  93. <a href="#" data-toggle="modal" data-target="#modal-template-<?php echo $row['id'] ?>">
  94. <i class="fa fa-fw fa-pencil icon-link orange" data-toggle="tooltip"
  95. title="<?php echo $hesklang['view_permissions_for_this_group'] ?>"></i></a>
  96. <?php
  97. if ($row['id'] != 1 && $row['id'] != 2):
  98. ?>
  99. <a href="manage_permission_groups.php?a=delete&amp;id=<?php echo $row['id']; ?>">
  100. <i class="fa fa-fw fa-times icon-link red" data-toggle="tooltip"
  101. title="<?php echo $hesklang['delete']; ?>"></i></a>
  102. <?php endif; ?>
  103. </td>
  104. </tr>
  105. <?php endforeach; ?>
  106. </tbody>
  107. </table>
  108. </div>
  109. </div>
  110. </section>
  111. </div>
  112. <?php
  113. foreach ($templates as $template) {
  114. createEditModal($template, $featureArray, $categories);
  115. }
  116. buildCreateModal($featureArray, $categories);
  117. require_once(HESK_PATH . 'inc/footer.inc.php');
  118. exit();
  119. /*** START FUNCTIONS ***/
  120. function getNumberOfUsersWithPermissionGroup($templateId)
  121. {
  122. global $hesk_settings;
  123. $res = hesk_dbQuery("SELECT 1 FROM `" . hesk_dbEscape($hesk_settings['db_pfix']) . "users` WHERE `permission_template` = " . intval($templateId));
  124. return hesk_dbNumRows($res);
  125. }
  126. function createEditModal($template, $features, $categories)
  127. {
  128. global $hesklang;
  129. $enabledFeatures = array();
  130. $enabledCategories = array();
  131. if ($template['heskprivileges'] !== 'ALL') {
  132. $enabledFeatures = explode(',', $template['heskprivileges']);
  133. $enabledCategories = explode(',', $template['categories']);
  134. }
  135. ?>
  136. <div class="modal fade" id="modal-template-<?php echo $template['id'] ?>" tabindex="-1" role="dialog"
  137. aria-labelledby="myLargeModalLabel" aria-hidden="true">
  138. <div class="modal-dialog modal-lg">
  139. <div class="modal-content">
  140. <form action="manage_permission_groups.php" role="form" method="post" id="form<?php echo $template['id']; ?>">
  141. <div class="modal-header">
  142. <button type="button" class="close" data-dismiss="modal" aria-label="Close"><span
  143. aria-hidden="true">&times;</span></button>
  144. <h4 class="modal-title"><?php echo sprintf($hesklang['permissions_for_group'], $template['name']); ?></h4>
  145. </div>
  146. <div class="modal-body">
  147. <?php if ($template['id'] == 1): ?>
  148. <div class="alert alert-info">
  149. <i class="fa fa-info-circle"></i>
  150. <?php echo $hesklang['protected_group']; ?>
  151. </div>
  152. <?php endif; ?>
  153. <div class="row">
  154. <div class="form-group">
  155. <div class="col-sm-2">
  156. <label for="name"
  157. class="control-label"><?php echo $hesklang['group_name']; ?></label>
  158. </div>
  159. <div class="col-sm-10">
  160. <input type="text" class="form-control" name="name"
  161. value="<?php echo htmlspecialchars($template['name']); ?>"
  162. placeholder="<?php echo htmlspecialchars($hesklang['group_name']); ?>"
  163. data-error="<?php echo htmlspecialchars($hesklang['this_field_is_required']); ?>"
  164. required>
  165. <div class="help-block with-errors"></div>
  166. </div>
  167. </div>
  168. </div>
  169. <div class="row">
  170. <div class="col-md-6 col-sm-12">
  171. <h4><?php echo $hesklang['menu_cat']; ?></h4>
  172. <div class="footerWithBorder blankSpace"></div>
  173. <div class="form-group">
  174. <?php
  175. foreach ($categories as $category):
  176. $can_man_categories = hesk_checkPermission('can_man_cat', 0);
  177. $checked = '';
  178. $disabled = '';
  179. if (in_array($category['id'], $enabledCategories) ||
  180. $template['categories'] == 'ALL') {
  181. $checked = 'checked ';
  182. }
  183. if ((!hesk_SESSION('isadmin') &&
  184. !in_array($category['id'], $_SESSION['categories']) &&
  185. !$can_man_categories) ||
  186. $template['categories'] === 'ALL') {
  187. $disabled = ' disabled';
  188. }
  189. if ($_SESSION['isadmin'] || $can_man_categories || in_array($category['id'], $_SESSION['categories']) || $checked): ?>
  190. <div class="checkbox">
  191. <label>
  192. <input type="checkbox" name="categories[]"
  193. value="<?php echo $category['id']; ?>" <?php echo $checked . ' ' . $disabled; ?>>
  194. <?php echo $category['name']; ?>
  195. </label>
  196. </div>
  197. <?php
  198. endif;
  199. endforeach; ?>
  200. <div class="help-block with-errors"></div>
  201. </div>
  202. </div>
  203. <div class="col-md-6 col-sm-12">
  204. <h4><?php echo $hesklang['allow_feat']; ?></h4>
  205. <div class="footerWithBorder blankSpace"></div>
  206. <div class="form-group">
  207. <?php
  208. foreach ($features as $feature): ?>
  209. <?php
  210. $checked = '';
  211. $disabled = '';
  212. if (in_array($feature, $enabledFeatures) ||
  213. $template['heskprivileges'] === 'ALL') {
  214. $checked = 'checked ';
  215. }
  216. if ((!hesk_SESSION('isadmin') &&
  217. strpos($_SESSION['heskprivileges'], $feature) === false) ||
  218. $template['heskprivileges'] === 'ALL') {
  219. $disabled = ' disabled';
  220. }
  221. if ($_SESSION['isadmin'] || strpos($_SESSION['heskprivileges'], $feature) !== false || $checked): ?>
  222. <div class="checkbox">
  223. <label>
  224. <input type="checkbox" name="features[]"
  225. value="<?php echo $feature; ?>" <?php echo $checked . $disabled; ?>>
  226. <?php echo $hesklang[$feature]; ?>
  227. </label>
  228. </div>
  229. <?php endif;
  230. endforeach; ?>
  231. <div class="help-block with-errors"></div>
  232. </div>
  233. </div>
  234. </div>
  235. </div>
  236. <div class="modal-footer">
  237. <input type="hidden" name="a" value="save">
  238. <input type="hidden" name="template_id" value="<?php echo $template['id']; ?>">
  239. <div class="btn-group">
  240. <input type="submit" class="btn btn-success"
  241. value="<?php echo $hesklang['save_changes']; ?>">
  242. <button type="button" class="btn btn-default"
  243. data-dismiss="modal"><?php echo $hesklang['close_modal_without_saving']; ?></button>
  244. </div>
  245. </div>
  246. </form>
  247. </div>
  248. </div>
  249. </div>
  250. <?php
  251. }
  252. function buildCreateModal($features, $categories)
  253. {
  254. global $hesklang;
  255. ?>
  256. <div class="modal fade" id="modal-template-new" tabindex="-1" role="dialog" aria-labelledby="myLargeModalLabel"
  257. aria-hidden="true">
  258. <div class="modal-dialog modal-lg">
  259. <div class="modal-content">
  260. <form action="manage_permission_groups.php" role="form" method="post" id="createForm">
  261. <div class="modal-header">
  262. <button type="button" class="close" data-dismiss="modal" aria-label="Close"><span
  263. aria-hidden="true">&times;</span></button>
  264. <h4 class="modal-title"><?php echo $hesklang['create_new_group_title']; ?></h4>
  265. </div>
  266. <div class="modal-body">
  267. <div class="row">
  268. <div class="form-group">
  269. <div class="col-sm-2">
  270. <label for="name"
  271. class="control-label"><?php echo $hesklang['group_name']; ?></label>
  272. </div>
  273. <div class="col-sm-10">
  274. <input type="text" class="form-control" name="name"
  275. placeholder="<?php echo $hesklang['group_name']; ?>" required>
  276. <div class="help-block with-errors"></div>
  277. </div>
  278. </div>
  279. </div>
  280. <div class="row">
  281. <div class="col-md-6 col-sm-12">
  282. <h4><?php echo $hesklang['menu_cat']; ?></h4>
  283. <div class="footerWithBorder blankSpace"></div>
  284. <div class="form-group">
  285. <?php
  286. foreach ($categories as $category):
  287. if (hesk_SESSION('isadmin') || in_array($category['id'], $_SESSION['categories'])): ?>
  288. <div class="checkbox">
  289. <label>
  290. <input type="checkbox" name="categories[]"
  291. data-modal="new-categories"
  292. data-checkbox="categories"
  293. value="<?php echo $category['id']; ?>">
  294. <?php echo $category['name']; ?>
  295. </label>
  296. </div>
  297. <?php endif; endforeach; ?>
  298. <div class="help-block with-errors"></div>
  299. </div>
  300. </div>
  301. <div class="col-md-6 col-sm-12">
  302. <h4><?php echo $hesklang['allow_feat']; ?></h4>
  303. <div class="footerWithBorder blankSpace"></div>
  304. <div class="form-group">
  305. <?php foreach ($features as $feature):
  306. if (strpos($_SESSION['heskprivileges'], $feature) !== false || hesk_SESSION('isadmin')):
  307. ?>
  308. <div class="checkbox">
  309. <label>
  310. <input type="checkbox" name="features[]"
  311. data-modal="new-features"
  312. data-checkbox="features"
  313. value="<?php echo $feature; ?>">
  314. <?php echo $hesklang[$feature]; ?>
  315. </label>
  316. </div>
  317. <?php endif; endforeach; ?>
  318. <div class="help-block with-errors"></div>
  319. </div>
  320. </div>
  321. </div>
  322. </div>
  323. <div class="modal-footer">
  324. <input type="hidden" name="a" value="create">
  325. <div class="btn-group">
  326. <input type="submit" class="btn btn-success"
  327. value="<?php echo $hesklang['save_changes']; ?>">
  328. <button type="button" class="btn btn-default"
  329. data-dismiss="modal"><?php echo $hesklang['close_modal_without_saving']; ?></button>
  330. </div>
  331. </div>
  332. </form>
  333. <script>
  334. buildValidatorForPermissionTemplates('createForm', '<?php echo $hesklang['select_at_least_one_value']; ?>');
  335. </script>
  336. </div>
  337. </div>
  338. </div>
  339. <?php
  340. }
  341. function save()
  342. {
  343. global $hesk_settings, $hesklang;
  344. $templateId = hesk_POST('template_id');
  345. $res = hesk_dbQuery("SELECT `heskprivileges`, `categories` FROM `" . hesk_dbEscape($hesk_settings['db_pfix']) . "permission_templates`
  346. WHERE `id` = " . intval($templateId));
  347. $row = hesk_dbFetchAssoc($res);
  348. // Add 'can ban emails' if 'can unban emails' is set (but not added). Same with 'can ban ips'
  349. $catArray = hesk_POST_array('categories');
  350. $featArray = hesk_POST_array('features');
  351. validate($featArray, $catArray);
  352. if (in_array('can_unban_emails', $featArray) && !in_array('can_ban_emails', $featArray)) {
  353. array_push($catArray, 'can_ban_emails');
  354. }
  355. if (in_array('can_unban_ips', $featArray) && !in_array('can_ban_ips', $featArray)) {
  356. array_push($featArray, 'can_ban_ips');
  357. }
  358. $categories = implode(',', $catArray);
  359. $features = implode(',', $featArray);
  360. $name = hesk_POST('name');
  361. // Only allow users to add what they are allowed to add
  362. // Admins can handle anything
  363. if (!$_SESSION['isadmin']) {
  364. // Update categories based on user visibility
  365. $originalCategories = explode(',', $row['categories']);
  366. $newCategories = array();
  367. foreach ($originalCategories as $innerCategory) {
  368. if (in_array($innerCategory, $catArray) && in_array($innerCategory, $_SESSION['categories'])) {
  369. $newCategories[] = $innerCategory;
  370. } elseif (!in_array($innerCategory, $catArray) && !in_array($innerCategory, $_SESSION['categories'])) {
  371. // The user can't modify this, so keep it in
  372. $newCategories[] = $innerCategory;
  373. }
  374. // If neither, the user removed it.
  375. }
  376. // Update features based on user visibility
  377. $originalFeatures = explode(',', $row['heskprivileges']);
  378. $newFeatures = array();
  379. foreach ($originalFeatures as $innerFeature) {
  380. if (in_array($innerFeature, $featArray) && strpos($_SESSION['heskprivileges'], $innerFeature) !== false) {
  381. $newFeatures[] = $innerFeature;
  382. } elseif (!in_array($innerFeature, $featArray) && strpos($_SESSION['heskprivileges'], $innerFeature) === false) {
  383. // The user can't modify this, so keep it in
  384. $newFeatures[] = $innerFeature;
  385. }
  386. // If neither, the user removed it.
  387. }
  388. $categories = implode(',', $newCategories);
  389. $features = implode(',', $newFeatures);
  390. }
  391. hesk_dbQuery("UPDATE `" . hesk_dbEscape($hesk_settings['db_pfix']) . "permission_templates`
  392. SET `categories` = '" . hesk_dbEscape($categories) . "', `heskprivileges` = '" . hesk_dbEscape($features) . "',
  393. `name` = '" . hesk_dbEscape($name) . "'
  394. WHERE `id` = " . intval($templateId));
  395. if ($row['categories'] != $categories || $row['heskprivileges'] != $features) {
  396. // Any users with this template should have their permissions updated
  397. hesk_dbQuery("UPDATE `" . hesk_dbEscape($hesk_settings['db_pfix']) . "users` SET `heskprivileges` = '" . hesk_dbEscape($features) . "',
  398. `categories` = '" . hesk_dbEscape($categories) . "'
  399. WHERE `permission_template` = " . intval($templateId));
  400. }
  401. hesk_process_messages($hesklang['permission_group_updated'], $_SERVER['PHP_SELF'], 'SUCCESS');
  402. }
  403. function create()
  404. {
  405. global $hesk_settings, $hesklang;
  406. // Add 'can ban emails' if 'can unban emails' is set (but not added). Same with 'can ban ips'
  407. $catArray = hesk_POST_array('categories');
  408. $featArray = hesk_POST_array('features');
  409. $name = hesk_POST('name');
  410. validate($featArray, $catArray, true, $name);
  411. if (in_array('can_unban_emails', $featArray) && !in_array('can_ban_emails', $featArray)) {
  412. array_push($catArray, 'can_ban_emails');
  413. }
  414. if (in_array('can_unban_ips', $featArray) && !in_array('can_ban_ips', $featArray)) {
  415. array_push($featArray, 'can_ban_ips');
  416. }
  417. $categories = implode(',', $catArray);
  418. $features = implode(',', $featArray);
  419. hesk_dbQuery("INSERT INTO `" . hesk_dbEscape($hesk_settings['db_pfix']) . "permission_templates` (`name`, `heskprivileges`, `categories`)
  420. VALUES ('" . hesk_dbEscape($name) . "', '" . hesk_dbEscape($features) . "', '" . hesk_dbEscape($categories) . "')");
  421. hesk_process_messages($hesklang['group_created'], $_SERVER['PHP_SELF'], 'SUCCESS');
  422. }
  423. function validate($features, $categories, $create = false, $name = '')
  424. {
  425. global $hesklang;
  426. $errorMarkup = '<ul>';
  427. $isValid = true;
  428. if ($create && $name == '') {
  429. $errorMarkup .= '<li>' . $hesklang['group_name_required'] . '</li>';
  430. $isValid = false;
  431. }
  432. if (count($features) == 0) {
  433. $errorMarkup .= '<li>' . $hesklang['you_must_select_a_feature'] . '</li>';
  434. $isValid = false;
  435. }
  436. if (count($categories) == 0) {
  437. $errorMarkup .= '<li>' . $hesklang['you_must_select_a_category'] . '</li>';
  438. $isValid = false;
  439. }
  440. $errorMarkup .= '</ul>';
  441. if (!$isValid) {
  442. $error = sprintf($hesklang['permission_group_error'], $errorMarkup);
  443. hesk_process_messages($error, $_SERVER['PHP_SELF']);
  444. }
  445. return true;
  446. }
  447. function deleteTemplate()
  448. {
  449. global $hesk_settings, $hesklang;
  450. $id = hesk_GET('id');
  451. // Admin/Staff templates cannot be deleted!
  452. if ($id == 1 || $id == 2) {
  453. hesk_process_messages($hesklang['cannot_delete_admin_or_staff'], $_SERVER['PHP_SELF']);
  454. }
  455. // Otherwise delete the template
  456. hesk_dbQuery("DELETE FROM `" . hesk_dbEscape($hesk_settings['db_pfix']) . "permission_templates` WHERE `id` = " . intval($id));
  457. if (hesk_dbAffectedRows() != 1) {
  458. hesk_process_messages($hesklang['no_group_were_deleted'], $_SERVER['PHP_SELF']);
  459. }
  460. // Move all users who used to be in this group to "custom"
  461. hesk_dbQuery("UPDATE `" . hesk_dbEscape($hesk_settings['db_pfix']) . "users` SET `permission_template` = NULL
  462. WHERE `permission_template` = " . intval($id));
  463. hesk_process_messages($hesklang['permission_group_deleted'], $_SERVER['PHP_SELF'], 'SUCCESS');
  464. }
  465. ?>