?/config: Advanced permissions

Michael Foster 2013-08-04 17:53:09 -04:00
parent 6e0e5b1e8a
commit c3da5ab4e1
2 changed files with 79 additions and 6 deletions


@ -1187,12 +1187,47 @@
$config['mod']['news_custom'] = ADMIN;
// Delete news entries
$config['mod']['news_delete'] = ADMIN;
// Edit the current configuration (via web interface)
$config['mod']['edit_config'] = ADMIN;
// Execute un-filtered SQL queries on the database (?/debug/sql)
$config['mod']['debug_sql'] = DISABLED;
// Edit the current configuration (via web interface)
$config['mod']['edit_config'] = MOD;
// Config editor permissions
$config['mod']['config'] = array(
JANITOR => false,
MOD => false,
ADMIN => false,
DISABLED => false,
);
// Disable the following configuration variables from being changed via ?/config. The following default
// banned variables are considered somewhat dangerous.
$config['mod']['config'][DISABLED] = array(
'mod>config',
'mod>config_editor_php',
'convert_args',
'db>password',
);
$config['mod']['config'][JANITOR] = array(
'!', // Allow editing ONLY the variables listed (in this case, nothing).
);
$config['mod']['config'][MOD] = array(
'!', // Allow editing ONLY the variables listed (plus that in $config['mod']['config'][JANITOR]).
'global_message',
);
// Example: Disallow ADMIN from editing (and viewing) $config['db']['password'].
// $config['mod']['config'][ADMIN] = array(
// 'db>password',
// );
// Example: Allow ADMIN to edit anything other than $config['db']
// (and $config['mod']['config'][DISABLED]).
// $config['mod']['config'][ADMIN] = array(
// 'db',
// );
/*
* ====================
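Review bot: The comments on the new `$config['mod']['config']` lists do not say how entries are evaluated, and the rules are not guessable. In the accompanying permission_to_edit_config_var the lists are walked from JANITOR up to the user's level, the first matching entry decides, entries before '!' deny while entries after it allow, and unlisted variables are refused only when the user's own level contains '!'. This section also appears to lower `edit_config` from ADMIN to MOD, which would make these lists the only barrier between moderators and the full configuration, so a misread list exposes more than intended. I would add above the JANITOR list: `// Lists are checked from JANITOR up to the user's level; the first matching entry decides.` and `// Entries before '!' are denied, entries after it are allowed; unlisted variables are denied only if the user's own level lists '!'.` The initial array at the top of the block is overwritten for DISABLED, JANITOR and MOD a few lines later and could be reduced to the ADMIN default.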


@ -1,5 +1,43 @@
<?php
function permission_to_edit_config_var($varname) {
global $config, $mod;
if (is_array($config['mod']['config'][DISABLED])) {
foreach ($config['mod']['config'][DISABLED] as $disabled_var_name) {
$disabled_var_name = explode('>', $disabled_var_name);
if (count($disabled_var_name) == 1)
$disabled_var_name = $disabled_var_name[0];
if ($varname == $disabled_var_name)
return false;
}
}
$allow_only = false;
// for ($perm = (int)$mod['type']; $perm >= JANITOR; $perm --) {
for ($perm = JANITOR; $perm <= (int)$mod['type']; $perm ++) {
$allow_only = false;
if (is_array($config['mod']['config'][$perm])) {
foreach ($config['mod']['config'][$perm] as $perm_var_name) {
if ($perm_var_name == '!') {
$allow_only = true;
continue;
}
$perm_var_name = explode('>', $perm_var_name);
if ((count($perm_var_name) == 1 && $varname == $perm_var_name[0]) ||
(is_array($varname) && array_slice($varname, 0, count($perm_var_name)) == $perm_var_name)) {
if ($allow_only)
return true;
else
return false;
}
}
}
}
return !$allow_only;
}
function config_vars() {
global $config;
@ -77,7 +115,7 @@ function config_vars() {
$already_exists = true;
}
if (!$already_exists)
if (!$already_exists && permission_to_edit_config_var($var['name']))
$conf[] = $var;
}
}
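Review bot: The DISABLED check at the top of permission_to_edit_config_var matches by exact equality, while the per-level loop below it matches by prefix with array_slice, so a DISABLED entry such as 'mod>config' or a bare 'db' does not cover keys nested beneath it. If config_vars() can yield deeper paths (its parsing is outside this hunk), those variables stay editable despite the deny list. I would drop the `count(...) == 1` collapse and use the same prefix test: `$disabled_var_name = explode('>', $disabled_var_name);` then `if (array_slice((array)$varname, 0, count($disabled_var_name)) == $disabled_var_name) return false;`. The second hunk only filters what config_vars() returns; the code that writes submitted values is not visible here and should call the same check rather than rely on the filtered listing.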