Commit 9edea997 authored by Till Brehm's avatar Till Brehm

- Added warning in the interface when a path for a shelluser is set that is...

- Added warning in the interface when a path for a shelluser is set that is outside of the website docroot.
- Added security settings feature to allow the root user of a server to control most aspects of what the admin user of the controlpanel is allowed to do in system settings. This is especially useful for managed servers where the ispconfig admin user and the root user of the server are different persons.
parent 77edf6ef
......@@ -46,7 +46,7 @@ class auth {
}
public function is_superadmin() {
if($_SESSION['s']['user']['typ'] == 'admin' && $_SESSION['s']['user']['userid'] === 1) {
if($_SESSION['s']['user']['typ'] == 'admin' && $_SESSION['s']['user']['userid'] == 1) {
return true;
} else {
return false;
......@@ -136,6 +136,22 @@ class auth {
exit;
}
}
public function check_security_permissions($permission) {
global $app;
$app->uses('getconf');
$security_config = $app->getconf->get_security_config('permissions');
$security_check = false;
if($security_config[$permission] == 'yes') $security_check = true;
if($security_config[$permission] == 'superadmin' && $app->auth->is_superadmin()) $security_check = true;
if($security_check !== true) {
$app->error($app->lng('security_check1_txt').' '.$permission.' '.$app->lng('security_check2_txt'));
}
}
public function get_random_password($length = 8) {
$base64_alphabet='ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/';
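Review bot: check_security_permissions reads `$security_config[$permission]` with no isset guard, so a permission name that is missing from security_settings.ini raises an undefined-index notice on every call before it fails closed; the fail-closed outcome is right, the notice hides real problems. `$value = isset($security_config[$permission]) ? $security_config[$permission] : 'no';` ahead of the two comparisons keeps the behavior and removes the notice. The method also depends on `$app->error()` never returning, as the `exit` at the top of the hunk does for check_module_permissions; a comment such as `//* $app->error() terminates the request; on failure nothing below may run` makes that contract explicit. In the first hunk the loosened `== 1` in is_superadmin presumably exists because the session userid is a string from the database; a comment saying so would keep a later cleanup from restoring `===` and silently demoting the superadmin.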
......
......@@ -54,6 +54,15 @@ class getconf {
}
return ($section == '') ? $this->config['global'] : $this->config['global'][$section];
}
public function get_security_config($section = '') {
global $app;
$app->uses('ini_parser');
$security_config = $app->ini_parser->parse_ini_string(file_get_contents('/usr/local/ispconfig/security/security_settings.ini'));
return ($section == '') ? $security_config : $security_config[$section];
}
}
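Review bot: get_security_config hands the result of file_get_contents straight to parse_ini_string without checking it, so a missing or unreadable `/usr/local/ispconfig/security/security_settings.ini` produces a warning plus an empty config, and callers then fail closed only via an undefined-index notice instead of an explicit error. A check before the read makes the failure visible: `$file = '/usr/local/ispconfig/security/security_settings.ini'; if(!is_readable($file)) $app->error('Security settings file is not readable.');`. The same applies to `$security_config[$section]` when the requested section is absent. Since this file now gates what the panel admin may do, its intended ownership and mode (root-owned and not writable by the web-server user, which the commit message implies) belongs in a docblock on this method so installers and packagers preserve it.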
......
......@@ -58,7 +58,63 @@ class validate_systemuser {
}
}
/*
Validator function to check if a given dir is ok.
*/
function shelluser_dir($field_name, $field_value, $validator) {
global $app;
if($app->tform->primary_id == 0) {
$errmsg = $validator['errmsg'];
if(isset($app->tform->wordbook[$errmsg])) {
return $app->tform->wordbook[$errmsg]."<br>\r\n";
} else {
return $errmsg."<br>\r\n";
}
}
$shell_data = $app->db->queryOneRecord("SELECT parent_domain_id FROM shell_user WHERE shell_user_id = '".$app->db->quote($app->tform->primary_id)."'");
if(!is_array($shell_data) || $shell_data["parent_domain_id"] < 1) {
$errmsg = $validator['errmsg'];
if(isset($app->tform->wordbook[$errmsg])) {
return $app->tform->wordbook[$errmsg]."<br>\r\n";
} else {
return $errmsg."<br>\r\n";
}
}
$domain_data = $app->db->queryOneRecord("SELECT domain_id, document_root FROM web_domain WHERE domain_id = '".$app->db->quote($shell_data["parent_domain_id"])."'");
if(!is_array($domain_data) || $domain_data["domain_id"] < 1) {
$errmsg = $validator['errmsg'];
if(isset($app->tform->wordbook[$errmsg])) {
return $app->tform->wordbook[$errmsg]."<br>\r\n";
} else {
return $errmsg."<br>\r\n";
}
}
$doc_root = $domain_data["document_root"];
$is_ok = false;
if($doc_root == $field_value) $is_ok = true;
$doc_root .= "/";
if(substr($field_value, 0, strlen($doc_root)) == $doc_root) $is_ok = true;
if(stristr($field_value, '..') or stristr($field_value, './') or stristr($field_value, '/.')) $is_ok = false;
//* Final check if docroot path of website is >= 5 chars
if(strlen($doc_root) < 5) $is_ok = false;
if($is_ok == false) {
$errmsg = $validator['errmsg'];
if(isset($app->tform->wordbook[$errmsg])) {
return $app->tform->wordbook[$errmsg]."<br>\r\n";
} else {
return $errmsg."<br>\r\n";
}
}
}
}
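Review bot: shelluser_dir returns the error whenever `$app->tform->primary_id == 0`, that is on every insert, so if the directory field is submitted when a shell user is created the record can never be saved; the parent domain should be taken from the submitted record in that case, or the validator documented as update-only. The five-line wordbook/errmsg return is repeated five times and belongs in one helper (fence below). The prefix comparison and the `..`/`./`/`/.` filter operate on the literal input, so a symlink inside the docroot pointing elsewhere is not detected; a comment stating that the check is lexical rather than a realpath check would set expectations. Note also that the trailing slash has already been appended when `strlen($doc_root) < 5` runs, so the effective minimum docroot length is four characters.
```php
/*
 Validator function to check if a given dir is ok (lexical check against the website document root).
*/
function shelluser_dir($field_name, $field_value, $validator) {
    global $app;

    if($app->tform->primary_id == 0) {
        return $this->shelluser_dir_error($validator);
    }
    // … unchanged: shell_user and web_domain lookups, each returning $this->shelluser_dir_error($validator) on failure …
    // … unchanged: docroot prefix, traversal and length checks setting $is_ok …
    if($is_ok == false) {
        return $this->shelluser_dir_error($validator);
    }
}

/*
 Returns the validator's error message, translated via the form wordbook when an entry exists.
*/
function shelluser_dir_error($validator) {
    global $app;
    $errmsg = $validator['errmsg'];
    if(isset($app->tform->wordbook[$errmsg])) {
        return $app->tform->wordbook[$errmsg]."<br>\r\n";
    }
    return $errmsg."<br>\r\n";
}
```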
......@@ -147,4 +147,6 @@ $wb['strength_4'] = 'Strong';
$wb['strength_5'] = 'Very Strong';
$wb['weak_password_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length and have a strength of \\"{strength}\\".';
$wb['weak_password_length_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length.';
$wb['security_check1_txt'] = 'Check for security permission:';
$wb['security_check2_txt'] = 'failed.';
?>
......@@ -147,4 +147,6 @@ $wb['strength_4'] = 'Strong';
$wb['strength_5'] = 'Very Strong';
$wb['weak_password_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length and have a strength of \\"{strength}\\".';
$wb['weak_password_length_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length.';
$wb['security_check1_txt'] = 'Check for security permission:';
$wb['security_check2_txt'] = 'failed.';
?>
......@@ -147,4 +147,6 @@ $wb['strength_4'] = 'Strong';
$wb['strength_5'] = 'Very Strong';
$wb['weak_password_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length and have a strength of \\"{strength}\\".';
$wb['weak_password_length_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length.';
$wb['security_check1_txt'] = 'Check for security permission:';
$wb['security_check2_txt'] = 'failed.';
?>
......@@ -147,4 +147,6 @@ $wb['strength_4'] = 'Silná';
$wb['strength_5'] = 'Velmi silná';
$wb['weak_password_txt'] = 'Zvolené heslo neodpovídá požadavkům zásad pro tvorbu hesel. Heslo musí být alespoň {chars} znaků dlouhé a mající sílu \\"{strength}\\".';
$wb['weak_password_length_txt'] = 'Zvolené heslo neodpovídá požadavkům zásad pro tvorbu hesel. Heslo musí být alespoň {chars} znaků dlouhé.';
$wb['security_check1_txt'] = 'Check for security permission:';
$wb['security_check2_txt'] = 'failed.';
?>
......@@ -147,4 +147,6 @@ $wb['strength_4'] = 'Stark';
$wb['strength_5'] = 'Sehr stark';
$wb['weak_password_txt'] = 'Das gewählte Passwort erfüllt die Sicherheitsanforderungen nicht. Es muss mindestens {chars} Zeichen lang sein und die Stärke \\"{strength}\\" besitzen.';
$wb['weak_password_length_txt'] = 'Das gewählte Passwort erfüllt die Sicherheitsanforderungen nicht. Es muss mindestens {chars} Zeichen lang sein.';
$wb['security_check1_txt'] = 'Sicherheitsüberprüfung für:';
$wb['security_check2_txt'] = 'fehlgeschlagen.';
?>
......@@ -147,4 +147,6 @@ $wb['strength_4'] = 'Strong';
$wb['strength_5'] = 'Very Strong';
$wb['weak_password_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length and have a strength of \\"{strength}\\".';
$wb['weak_password_length_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length.';
$wb['security_check1_txt'] = 'Check for security permission:';
$wb['security_check2_txt'] = 'failed.';
?>
......@@ -131,7 +131,6 @@ $wb['datalog_status_d_web_folder'] = 'Delete folder protection';
$wb['datalog_status_i_web_folder_user'] = 'Create folder protection user';
$wb['datalog_status_u_web_folder_user'] = 'Update folder protection user';
$wb['datalog_status_d_web_folder_user'] = 'Delete folder protection user';
$wb['login_as_txt'] = 'Log in as';
$wb["no_domain_perm"] = 'You have no permission for this domain.';
$wb["no_destination_perm"] = 'You have no permission for this destination.';
......@@ -149,5 +148,6 @@ $wb['strength_4'] = 'Strong';
$wb['strength_5'] = 'Very Strong';
$wb['weak_password_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length and have a strength of "{strength}".';
$wb['weak_password_length_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length.';
?>
$wb['security_check1_txt'] = 'Check for security permission:';
$wb['security_check2_txt'] = 'failed.';
?>
\ No newline at end of file
......@@ -147,4 +147,6 @@ $wb['strength_4'] = 'Strong';
$wb['strength_5'] = 'Very Strong';
$wb['weak_password_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length and have a strength of \\"{strength}\\".';
$wb['weak_password_length_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length.';
$wb['security_check1_txt'] = 'Check for security permission:';
$wb['security_check2_txt'] = 'failed.';
?>
......@@ -147,4 +147,6 @@ $wb['strength_4'] = 'Strong';
$wb['strength_5'] = 'Very Strong';
$wb['weak_password_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length and have a strength of \\"{strength}\\".';
$wb['weak_password_length_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length.';
$wb['security_check1_txt'] = 'Check for security permission:';
$wb['security_check2_txt'] = 'failed.';
?>
......@@ -147,4 +147,6 @@ $wb['strength_4'] = 'Strong';
$wb['strength_5'] = 'Very Strong';
$wb['weak_password_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length and have a strength of \\"{strength}\\".';
$wb['weak_password_length_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length.';
$wb['security_check1_txt'] = 'Check for security permission:';
$wb['security_check2_txt'] = 'failed.';
?>
......@@ -147,4 +147,6 @@ $wb['strength_4'] = 'Strong';
$wb['strength_5'] = 'Very Strong';
$wb['weak_password_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length and have a strength of \\"{strength}\\".';
$wb['weak_password_length_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length.';
?>
$wb['security_check1_txt'] = 'Check for security permission:';
$wb['security_check2_txt'] = 'failed.';
?>
\ No newline at end of file
......@@ -147,4 +147,6 @@ $wb['strength_4'] = 'Strong';
$wb['strength_5'] = 'Very Strong';
$wb['weak_password_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length and have a strength of \\"{strength}\\".';
$wb['weak_password_length_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length.';
?>
$wb['security_check1_txt'] = 'Check for security permission:';
$wb['security_check2_txt'] = 'failed.';
?>
\ No newline at end of file
......@@ -147,4 +147,6 @@ $wb['strength_4'] = 'Strong';
$wb['strength_5'] = 'Very Strong';
$wb['weak_password_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length and have a strength of \\"{strength}\\".';
$wb['weak_password_length_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length.';
?>
$wb['security_check1_txt'] = 'Check for security permission:';
$wb['security_check2_txt'] = 'failed.';
?>
\ No newline at end of file
......@@ -147,4 +147,6 @@ $wb['strength_4'] = 'Strong';
$wb['strength_5'] = 'Very Strong';
$wb['weak_password_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length and have a strength of \\"{strength}\\".';
$wb['weak_password_length_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length.';
?>
$wb['security_check1_txt'] = 'Check for security permission:';
$wb['security_check2_txt'] = 'failed.';
?>
\ No newline at end of file
......@@ -147,4 +147,6 @@ $wb['strength_4'] = 'Strong';
$wb['strength_5'] = 'Very Strong';
$wb['weak_password_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length and have a strength of \\"{strength}\\".';
$wb['weak_password_length_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length.';
?>
$wb['security_check1_txt'] = 'Check for security permission:';
$wb['security_check2_txt'] = 'failed.';
?>
\ No newline at end of file
......@@ -147,4 +147,6 @@ $wb['strength_4'] = 'Strong';
$wb['strength_5'] = 'Very Strong';
$wb['weak_password_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length and have a strength of \\"{strength}\\".';
$wb['weak_password_length_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length.';
?>
$wb['security_check1_txt'] = 'Check for security permission:';
$wb['security_check2_txt'] = 'failed.';
?>
\ No newline at end of file
......@@ -147,4 +147,6 @@ $wb['strength_4'] = 'Strong';
$wb['strength_5'] = 'Very Strong';
$wb['weak_password_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length and have a strength of \\"{strength}\\".';
$wb['weak_password_length_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length.';
?>
$wb['security_check1_txt'] = 'Check for security permission:';
$wb['security_check2_txt'] = 'failed.';
?>
\ No newline at end of file
......@@ -147,4 +147,6 @@ $wb['strength_4'] = 'Strong';
$wb['strength_5'] = 'Very Strong';
$wb['weak_password_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length and have a strength of \\"{strength}\\".';
$wb['weak_password_length_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length.';
?>
$wb['security_check1_txt'] = 'Check for security permission:';
$wb['security_check2_txt'] = 'failed.';
?>
\ No newline at end of file
......@@ -147,4 +147,6 @@ $wb['strength_4'] = 'Strong';
$wb['strength_5'] = 'Very Strong';
$wb['weak_password_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length and have a strength of \\"{strength}\\".';
$wb['weak_password_length_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length.';
?>
$wb['security_check1_txt'] = 'Check for security permission:';
$wb['security_check2_txt'] = 'failed.';
?>
\ No newline at end of file
......@@ -147,4 +147,6 @@ $wb['strength_4'] = 'Strong';
$wb['strength_5'] = 'Very Strong';
$wb['weak_password_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length and have a strength of \\"{strength}\\".';
$wb['weak_password_length_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length.';
?>
$wb['security_check1_txt'] = 'Check for security permission:';
$wb['security_check2_txt'] = 'failed.';
?>
\ No newline at end of file
......@@ -147,4 +147,6 @@ $wb['strength_4'] = 'Starkt';
$wb['strength_5'] = 'Väldigt starkt';
$wb['weak_password_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length and have a strength of \"{strength}\".';
$wb['weak_password_length_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length.';
?>
$wb['security_check1_txt'] = 'Check for security permission:';
$wb['security_check2_txt'] = 'failed.';
?>
\ No newline at end of file
......@@ -147,4 +147,6 @@ $wb['strength_4'] = 'Strong';
$wb['strength_5'] = 'Very Strong';
$wb['weak_password_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length and have a strength of \\"{strength}\\".';
$wb['weak_password_length_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length.';
?>
$wb['security_check1_txt'] = 'Check for security permission:';
$wb['security_check2_txt'] = 'failed.';
?>
\ No newline at end of file
......@@ -147,4 +147,6 @@ $wb['strength_4'] = 'Strong';
$wb['strength_5'] = 'Very Strong';
$wb['weak_password_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length and have a strength of \\"{strength}\\".';
$wb['weak_password_length_txt'] = 'The chosen password does not match the security guidelines. It has to be at least {chars} chars in length.';
?>
$wb['security_check1_txt'] = 'Check for security permission:';
$wb['security_check2_txt'] = 'failed.';
?>
\ No newline at end of file
......@@ -44,6 +44,7 @@ require_once '../../lib/app.inc.php';
//* Check permissions for module
$app->auth->check_module_permissions('admin');
$app->auth->check_security_permissions('admin_allow_firewall_config');
$app->uses("tform_actions");
$app->tform_actions->onDelete();
......
......@@ -43,6 +43,7 @@ require_once '../../lib/app.inc.php';
//* Check permissions for module
$app->auth->check_module_permissions('admin');
$app->auth->check_security_permissions('admin_allow_firewall_config');
// Loading classes
$app->uses('tpl,tform,tform_actions');
......
......@@ -44,6 +44,7 @@ require_once '../../lib/app.inc.php';
//* Check permissions for module
$app->auth->check_module_permissions('admin');
$app->auth->check_security_permissions('admin_allow_cpuser_group');
$app->uses("tform_actions");
$app->tform_actions->onDelete();
......
......@@ -43,6 +43,7 @@ require_once '../../lib/app.inc.php';
//* Check permissions for module
$app->auth->check_module_permissions('admin');
$app->auth->check_security_permissions('admin_allow_cpuser_group');
// Loading classes
$app->uses('tpl,tform,tform_actions');
......
<?php
die('unused');
/*
Copyright (c) 2011, Andrew "lathama" Latham, Till Brehm, projektfarm Gmbh
All rights reserved.
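Review bot: Prepending `die('unused');` leaves the whole file, code and licence header included, in the tree and presumably in the web root while making it unreachable; deleting the file and any menu or link entries that point at it is cleaner than keeping a dead script that one removed line would revive. The same applies to the three other files stubbed the same way further down this commit. If they must stay for now, a comment beside the die naming the page that replaces them would help the next maintainer.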
......
<?php
die('unused');
/*
Copyright (c) 2011, Andrew "lathama" Latham, Till Brehm, projektfarm Gmbh
All rights reserved.
......
<?php
die('unused');
/*
Copyright (c) 2011, Andrew "lathama" Latham, Till Brehm, projektfarm Gmbh
All rights reserved.
......
......@@ -32,6 +32,7 @@ require_once '../../lib/app.inc.php';
//* Check permissions for module
$app->auth->check_module_permissions('admin');
$app->auth->check_security_permissions('admin_allow_langedit');
//* This is only allowed for administrators
if(!$app->auth->is_admin()) die('only allowed for administrators.');
......
......@@ -32,6 +32,7 @@ require_once '../../lib/app.inc.php';
//* Check permissions for module
$app->auth->check_module_permissions('admin');
$app->auth->check_security_permissions('admin_allow_langedit');
if($conf['demo_mode'] == true) $app->error('This function is disabled in demo mode.');
//* This is only allowed for administrators
......
......@@ -32,6 +32,7 @@ require_once '../../lib/app.inc.php';
//* Check permissions for module
$app->auth->check_module_permissions('admin');
$app->auth->check_security_permissions('admin_allow_langedit');
//* This is only allowed for administrators
if(!$app->auth->is_admin()) die('only allowed for administrators.');
......
......@@ -32,6 +32,7 @@ require_once '../../lib/app.inc.php';
//* Check permissions for module
$app->auth->check_module_permissions('admin');
$app->auth->check_security_permissions('admin_allow_langedit');
//* This is only allowed for administrators
if(!$app->auth->is_admin()) die('only allowed for administrators.');
......
......@@ -112,6 +112,7 @@ function validate_line($line) {
//* Check permissions for module
$app->auth->check_module_permissions('admin');
$app->auth->check_security_permissions('admin_allow_langedit');
//* This is only allowed for administrators
if(!$app->auth->is_admin()) die('only allowed for administrators.');
......
......@@ -32,6 +32,7 @@ require_once '../../lib/app.inc.php';
//* Check permissions for module
$app->auth->check_module_permissions('admin');
$app->auth->check_security_permissions('admin_allow_osupdate');
//* This is only allowed for administrators
if(!$app->auth->is_admin()) die('only allowed for administrators.');
......
......@@ -44,6 +44,7 @@ require_once '../../lib/app.inc.php';
//* Check permissions for module
$app->auth->check_module_permissions('admin');
$app->auth->check_security_permissions('admin_allow_remote_users');
$app->uses('tpl,tform');
$app->load('tform_actions');
......
......@@ -13,6 +13,9 @@ if(!stristr($_SESSION['s']['user']['modules'], 'admin')) {
die;
}
$app->auth->check_module_permissions('admin');
$app->auth->check_security_permissions('admin_allow_remote_users');
// Disable this function in demo mode
if($conf['demo_mode'] == true) $app->error('This function is disabled in demo mode.');
......
......@@ -44,6 +44,7 @@ require_once '../../lib/app.inc.php';
//* Check permissions for module
$app->auth->check_module_permissions('admin');
$app->auth->check_security_permissions('admin_allow_server_config');
if($conf['demo_mode'] == true) $app->error('This function is disabled in demo mode.');
$app->uses("tform_actions");
......
......@@ -43,6 +43,8 @@ require_once '../../lib/app.inc.php';
//* Check permissions for module
$app->auth->check_module_permissions('admin');
$app->auth->check_security_permissions('admin_allow_server_config');
// Loading classes
$app->uses('tpl,tform,tform_actions');
......
......@@ -44,6 +44,7 @@ require_once '../../lib/app.inc.php';
//* Check permissions for module
$app->auth->check_module_permissions('admin');
$app->auth->check_security_permissions('admin_allow_server_services');
if($conf['demo_mode'] == true) $app->error('This function is disabled in demo mode.');
$app->uses("tform_actions");
......
......@@ -43,6 +43,7 @@ require_once '../../lib/app.inc.php';
//* Check permissions for module
$app->auth->check_module_permissions('admin');
$app->auth->check_security_permissions('admin_allow_server_services');
// Loading classes
$app->uses('tpl,tform,tform_actions');
......
......@@ -44,6 +44,7 @@ require_once '../../lib/app.inc.php';
//* Check permissions for module
$app->auth->check_module_permissions('admin');
$app->auth->check_security_permissions('admin_allow_server_ip');
$app->uses("tform_actions");
$app->tform_actions->onDelete();
......
......@@ -43,6 +43,7 @@ require_once '../../lib/app.inc.php';
//* Check permissions for module
$app->auth->check_module_permissions('admin');
$app->auth->check_security_permissions('admin_allow_server_ip');
// Loading classes
$app->uses('tpl,tform,tform_actions');
......
......@@ -44,6 +44,7 @@ require_once '../../lib/app.inc.php';
//* Check permissions for module
$app->auth->check_module_permissions('admin');
$app->auth->check_security_permissions('admin_allow_server_php');
$app->uses("tform_actions");
$app->tform_actions->onDelete();
......
......@@ -43,6 +43,7 @@ require_once '../../lib/app.inc.php';
//* Check permissions for module
$app->auth->check_module_permissions('admin');
$app->auth->check_security_permissions('admin_allow_server_php');
// Loading classes
$app->uses('tpl,tform,tform_actions');
......
......@@ -33,6 +33,7 @@ require_once '../../lib/app.inc.php';
//* Check permissions for module
$app->auth->check_module_permissions('admin');
$app->auth->check_security_permissions('admin_allow_software_packages');
if($conf['demo_mode'] == true) $app->error('This function is disabled in demo mode.');
$software_update_inst_id = $app->functions->intval($_GET['software_update_inst_id']);
......
......@@ -43,6 +43,7 @@ require_once '../../lib/app.inc.php';
//* Check permissions for module
$app->auth->check_module_permissions('admin');
$app->auth->check_security_permissions('admin_allow_software_packages');
if($conf['demo_mode'] == true) $app->error('This function is disabled in demo mode.');
// Loading classes
......
......@@ -33,6 +33,7 @@ require_once '../../lib/app.inc.php';
//* Check permissions for module
$app->auth->check_module_permissions('admin');
$app->auth->check_security_permissions('admin_allow_software_packages');
//* This is only allowed for administrators
if(!$app->auth->is_admin()) die('only allowed for administrators.');
......
......@@ -44,6 +44,7 @@ require_once '../../lib/app.inc.php';
//* Check permissions for module
$app->auth->check_module_permissions('admin');
$app->auth->check_security_permissions('admin_allow_software_repo');
if($conf['demo_mode'] == true) $app->error('This function is disabled in demo mode.');
$app->uses("tform_actions");
......
......@@ -43,6 +43,7 @@ require_once '../../lib/app.inc.php';
//* Check permissions for module
$app->auth->check_module_permissions('admin');
$app->auth->check_security_permissions('admin_allow_software_repo');
if($conf['demo_mode'] == true) $app->error('This function is disabled in demo mode.');
// Loading classes
......
......@@ -33,6 +33,7 @@ require_once '../../lib/app.inc.php';
//* Check permissions for module
$app->auth->check_module_permissions('admin');
$app->auth->check_security_permissions('admin_allow_software_packages');
//* This is only allowed for administrators
if(!$app->auth->is_admin()) die('only allowed for administrators.');
......
......@@ -43,6 +43,7 @@ require_once '../../lib/app.inc.php';
//* Check permissions for module
$app->auth->check_module_permissions('admin');
$app->auth->check_security_permissions('admin_allow_system_config');
// Loading classes
$app->uses('tpl,tform,tform_actions');
......
<?php
die('unused');
/*
Copyright (c) 2007, Till Brehm, projektfarm Gmbh
All rights reserved.
......
......@@ -44,6 +44,7 @@ require_once '../../lib/app.inc.php';
//* Check permissions for module
$app->auth->check_module_permissions('admin');
$app->auth->check_security_permissions('admin_allow_del_cpuser');
if($conf['demo_mode'] == true && $_REQUEST['id'] <= 3) $app->error('This function is disabled in demo mode.');
$app->uses("tform_actions");
......
......@@ -52,16 +52,29 @@ class page_action extends tform_actions {
function onBeforeInsert() {
global $app, $conf;
//* Security settings check
if(isset($this->dataRecord['typ']) && $this->dataRecord['typ'][0] == 'admin') {
$app->auth->check_security_permissions('admin_allow_new_admin');
}
if(!in_array($this->dataRecord['startmodule'], $this->dataRecord['modules'])) {
$app->tform->errorMessage .= $app->tform->wordbook['startmodule_err'];
}
}
function onBeforeUpdate() {
global $app, $conf;
if($conf['demo_mode'] == true && $_REQUEST['id'] <= 3) $app->error('This function is disabled in demo mode.');
//* Security settings check
if(isset($this->dataRecord['typ']) && $this->dataRecord['typ'][0] == 'admin') {
$app->auth->check_security_permissions('admin_allow_new_admin');
}
if(@is_array($this->dataRecord['modules']) && !in_array($this->dataRecord['startmodule'], $this->dataRecord['modules'])) {
$app->tform->errorMessage .= $app->tform->wordbook['startmodule_err'];
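Review bot: The admin_allow_new_admin gate in onBeforeInsert and onBeforeUpdate keys only on the submitted `typ` value, so an update that modifies an existing admin record — including changing the superadmin's password or posting its `typ` as a non-admin value — is not covered; base the onBeforeUpdate check on the stored record's type or on the target id rather than on the posted field. The `[0]` index also assumes `typ` arrives as an array; if it is ever a plain string, `'admin'[0]` is `'a'` and the check silently never fires, so `in_array('admin', (array)$this->dataRecord['typ'], true)` is safer in both places. The enclosing class page_action continues outside the hunk.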
......
......@@ -6,7 +6,11 @@ require_once '../../lib/app.inc.php';
if($conf['demo_mode'] == true) $app->error('This function is disabled in demo mode.');
$app->load('remoting');
$app->load('remoting,getconf');
$security_config = $app->getconf->get_security_config('permissions');
if($security_config['remote_api_allowed'] != 'yes') die('Remote API is disabled in security settings.');
$server = new SoapServer(null, array('uri' => $_SERVER['REQUEST_URI']));
$server->setClass('remoting');
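Review bot: `remote_api_allowed` is read here, but the security_settings.ini added at the end of this commit defines no such key, so with the shipped file `$security_config['remote_api_allowed']` is undefined, `null != 'yes'` is true, and the remote API is disabled on every fresh install with an undefined-index notice; add `remote_api_allowed=yes` (or `=no`, whichever default is intended) to the `[permissions]` section. Separately, getconf is pulled in with `$app->load('remoting,getconf')` and `$app->getconf->` is dereferenced on the next line, whereas auth.inc.php in this commit obtains it with `$app->uses('getconf')`; confirm `load` instantiates the object rather than only including the class file.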
......
......@@ -237,6 +237,10 @@ if($_SESSION["s"]["user"]["typ"] == 'admin') {
1 => array ( 'type' => 'REGEX',
'regex' => '/^\/[a-zA-Z0-9\ \.\-\_\/]{10,128}$/',
'errmsg'=> 'directory_error_regex'),
2 => array ( 'type' => 'CUSTOM',
'class' => 'validate_systemuser',
'function' => 'shelluser_dir',
'errmsg' => 'directory_error_notinweb'),
),
'default' => '',
'value' => '',
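Review bot: The new CUSTOM validator sits inside the `if($_SESSION["s"]["user"]["typ"] == 'admin')` block named in the hunk header, so the docroot restriction is enforced only on the admin variant of the form; confirm the dir field cannot be set through the non-admin variant, otherwise the check is bypassed by the less privileged path. A one-line comment above entry 2, `//* keeps the shell home inside the website docroot; see validate_systemuser::shelluser_dir`, ties the two pieces together. The form definition continues outside the hunk.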
......
......@@ -32,4 +32,5 @@ $wb['invalid_system_user_or_group_txt'] = 'Invalid system user or group';
$wb['directory_error_regex'] = 'Invalid directory';
$wb['shell_error_regex'] = 'Invalid shell';
$wb['invalid_username_txt'] = 'Invalid Username';
$wb['directory_error_notinweb'] = 'The directory has to be inside the web root.';
?>
......@@ -44,6 +44,10 @@ require_once '../../lib/app.inc.php';
//* Check permissions for module
$app->auth->check_module_permissions('tools');
if($_SESSION['s']['user']['typ'] == 'admin') {
$app->auth->check_security_permissions('admin_allow_new_admin');
}
// Loading classes
$app->uses('tpl,tform,tform_actions');
$app->load('tform_actions');
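Review bot: The new block gates every admin-type session on admin_allow_new_admin, which with the shipped `admin_allow_new_admin=superadmin` means a non-superadmin admin is blocked from this tools page altogether (presumably their own settings), not only from touching the superadmin account. If the intent is to keep an admin from changing the superadmin's credentials, check the record being edited (userid 1) rather than the session's type. If blocking all non-superadmin admins is intended, say so in place, `//* root decides whether a non-superadmin admin may change its own login`, so the next reader does not "fix" it.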
......
[permissions]
allow_shell_user=yes
admin_allow_server_config=superadmin
admin_allow_server_services=superadmin
admin_allow_server_ip=superadmin
admin_allow_remote_users=superadmin
admin_allow_system_config=superadmin
admin_allow_server_php=superadmin
admin_allow_langedit=superadmin
admin_allow_new_admin=superadmin
admin_allow_del_cpuser=superadmin
admin_allow_cpuser_group=superadmin
admin_allow_firewall_config=superadmin
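Review bot: `allow_shell_user=yes` is defined here but no hunk in this commit reads it, so either the consuming check is missing or the key should be dropped until it exists; an unused switch in a security file invites false confidence. Because this file overrides the panel's own admin, a header comment stating the assumption the feature rests on, `; must be owned by root and not writable by the web server user`, documents it for installers and packagers.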