authorTed Trask <ttrask01@yahoo.com>2008-10-24 15:20:36 +0000
committerTed Trask <ttrask01@yahoo.com>2008-10-24 15:20:36 +0000
commit43915f5de0ae60da41615a3edacca18cd85dd921 (patch)
tree0eb4d66c612feaea5b4d789d3293012447afe07c
parent062423a2cd98a8c1dfd23453853bf73b8db1b180 (diff)
Minor change to roles code and major change to roles. Replaced ALL, CREATE, READ, UPDATE, and DELETE with GUEST, USER, EDITOR, EXPERT, and ADMIN. Changed all roles files and modified some html files to hide options without permissions. Determine default roles from roles files, rather than hard-coded, and added ability to modify default roles by adding permissions.
git-svn-id: svn://svn.alpinelinux.org/acf/core/trunk@1563 ab2d0c66-481e-0410-8bed-d214d4d58bed
-rw-r--r--app/Makefile1
-rw-r--r--app/acf-util/acf-util.roles4
-rw-r--r--app/acf-util/roles-editrole-html.lsp62
-rw-r--r--app/acf-util/roles-model.lua7
-rw-r--r--app/acf-util/roles-viewroles-html.lsp5
-rw-r--r--lib/authenticator.lua2
-rw-r--r--lib/roles.lua69
-rw-r--r--passwd4
-rw-r--r--roles3
9 files changed, 111 insertions, 46 deletions
diff --git a/app/Makefile b/app/Makefile
index b840e75..49f3ec0 100644
--- a/app/Makefile
+++ b/app/Makefile
@@ -1,6 +1,7 @@
include ../config.mk
APP_DIST= \
+ acf-util/acf-util.roles \
acf-util/logon-controller.lua \
acf-util/logon-html.lsp \
acf-util/logon-model.lua \
diff --git a/app/acf-util/acf-util.roles b/app/acf-util/acf-util.roles
new file mode 100644
index 0000000..b31297c
--- /dev/null
+++ b/app/acf-util/acf-util.roles
@@ -0,0 +1,4 @@
+GUEST=logon:logon,logon:logout,logon:status,welcome:read
+USER=password:editme,roles:read
+EXPERT=
+ADMIN=logon:logon,logon:logout,logon:status,password:editme,password:status,password:edituser,password:newuser,password:deleteuser,roles:read,roles:getpermslist,roles:viewuserroles,roles:viewroleperms,roles:viewroles,roles:editrole,roles:deleterole,roles:newrole,welcome:read,password:status,password:edituser,password:newuser,password:deleteuser,roles:getpermslist,roles:viewuserroles,roles:viewroleperms,roles:viewroles,roles:editrole,roles:deleterole,roles:newrole
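Review bot: The ADMIN line lists password:status, password:edituser, password:newuser, password:deleteuser and every roles:* action twice, which makes it harder to audit exactly what ADMIN can do; everything after the first `welcome:read` duplicates what is already on the line and can be dropped without changing the permission set. The commit message introduces an EDITOR role, but this file defines only GUEST, USER, EXPERT and ADMIN, so a user assigned EDITOR inherits nothing beyond GUEST until some roles file defines it — fail-closed, but worth stating in the commit message. `EXPERT=` with no permissions reads like a mistake; since `list_default_roles` only accepts lines starting with `[%w_]+` there is no comment syntax here, so the placeholder intent should be documented in the commit message or a README instead.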
diff --git a/app/acf-util/roles-editrole-html.lsp b/app/acf-util/roles-editrole-html.lsp
index 5f106fc..0a32839 100644
--- a/app/acf-util/roles-editrole-html.lsp
+++ b/app/acf-util/roles-editrole-html.lsp
@@ -7,11 +7,67 @@
<H1><%= form.label %></H1>
<%
- form.action = page_info.script .. page_info.prefix .. page_info.controller .. "/" .. page_info.action
+ displayformstart(form, page_info)
-- If editing existing role, disable role
if page_info.action ~= "newrole" then
form.value.role.contenteditable = false
end
- local order = { "role", "permissions" }
- displayform(form, order)
+ io.write("<DL>\n")
+ displayformitem(form.value.role, "role")
+
+ -- copied this code from viewfunctions so we can disable the default boxes
+ local myitem = form.value.permissions
+ myitem.name = "permissions"
+ io.write("<DT")
+ if myitem.errtxt then
+ myitem.class = "error"
+ io.write(' class="error"')
+ end
+ io.write(">" .. myitem.label .. "</DT>\n")
+ io.write("<DD>")
+ -- FIXME multiple select doesn't work in haserl, so use series of checkboxes
+ myitem.class = nil
+ local tempname = myitem.name
+ local tempval = myitem.value or {}
+ local reversedefault = {}
+ for x,val in ipairs(myitem.default or {}) do
+ reversedefault[val] = x
+ end
+ local reverseval = {}
+ for x,val in ipairs(tempval) do
+ reverseval[val] = x
+ end
+ local reverseopt = {}
+ for x,val in ipairs(myitem.option) do
+ reverseopt[val] = x
+ myitem.value = val
+ myitem.checked = reverseval[val]
+ if reversedefault[val] then myitem.disabled = true else myitem.disabled = nil end
+ myitem.name = tempname .. "." .. x
+ io.write(html.form.checkbox(myitem) .. val .. "<br>\n")
+ end
+ -- Check for values not in options
+ if myitem.errtxt then
+ myitem.class = "error"
+ io.write('<p class="error">\n')
+ end
+ for x,val in ipairs(tempval) do
+ if not reverseopt[val] then
+ myitem.value = val
+ myitem.checked = true
+ io.write(html.form.checkbox(myitem) .. val .. "<br>\n")
+ end
+ end
+ if myitem.errtxt then
+ io.write('</p>\n')
+ end
+ myitem.name = tempname
+ myitem.value = tempval
+
+ if myitem.descr then io.write('<P CLASS="descr">' .. string.gsub(myitem.descr, "\n", "<BR>") .. "</P>\n") end
+ if myitem.errtxt then io.write('<P CLASS="error">' .. string.gsub(myitem.errtxt, "\n", "<BR>") .. "</P>\n") end
+ io.write("</DD>\n")
+
+ io.write("</DL>\n")
+ displayformend(form)
%>
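Review bot: In the "values not in options" loop, `val` is taken from the submitted permissions list (`myitem.value`) and written into the page with `io.write(html.form.checkbox(myitem) .. val .. "<br>\n")` without any escaping, so a rejected permission string containing markup is reflected verbatim into the response; whether `html.form.checkbox` escapes its value attribute I cannot tell from here, but the trailing text node is certainly raw. Escape `val` with the html library's escaping helper before concatenating it, or only echo values that match the `control:action` shape. The same `.. val ..` in the options loop is safe only because `all_perms` is built server-side from the roles files. A comment on the `disabled` branch would also help: a disabled checkbox is not submitted, so default permissions are intentionally absent from the POST and are re-supplied from the roles files by `get_role_perm`, which is presumably why the form does not need to carry them.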
diff --git a/app/acf-util/roles-model.lua b/app/acf-util/roles-model.lua
index bdfe20d..79c1b14 100644
--- a/app/acf-util/roles-model.lua
+++ b/app/acf-util/roles-model.lua
@@ -58,10 +58,13 @@ end
getpermissions = function(self, role)
local my_perms = {}
+ local default_perms = {}
if role then
- tmp, my_perms = roles.get_role_perm(self, role)
+ local tmp
+ tmp, my_perms, default_perms = roles.get_role_perm(self, role)
my_perms = my_perms or {}
+ default_perms = default_perms or {}
else
role = ""
end
@@ -69,7 +72,7 @@ getpermissions = function(self, role)
local tmp, all_perms = get_all_permissions(self)
table.sort(all_perms)
- local permissions_cfe = cfe({ type="multi", value=my_perms, option=all_perms, label="Role permissions" })
+ local permissions_cfe = cfe({ type="multi", value=my_perms, option=all_perms, label="Role permissions", default=default_perms })
local role_cfe = cfe({ value=role, label="Role" })
return cfe({ type="table", value={role=role_cfe, permissions=permissions_cfe} })
diff --git a/app/acf-util/roles-viewroles-html.lsp b/app/acf-util/roles-viewroles-html.lsp
index 8b9a10f..0334499 100644
--- a/app/acf-util/roles-viewroles-html.lsp
+++ b/app/acf-util/roles-viewroles-html.lsp
@@ -18,9 +18,10 @@
<% if view.value.default_roles then %>
<dl>
<% for x,role in pairs(view.value.default_roles.value) do %>
- <dt><img src='/static/tango/16x16/categories/applications-system.png' height='16' width='16'> <%= role %></dt>
+ <dt><img src='/skins/static/tango/16x16/categories/applications-system.png' height='16' width='16'> <%= role %></dt>
<dd>
[<a href='viewroleperms?role=<%= role %>'>View this role</a>]
+ [<a href='editrole?role=<%= role %>&redir=<%= page_info.orig_action %>'>Edit this role</a>]
</dd>
<% end %>
</dl>
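Review bot: The new Edit link interpolates `role` into an href query string and into link text with `<%= %>` and no escaping, which is safe only because role names are restricted to `[%w_]` — by the `[^%w_]` check in `set_role_perm` for user-defined roles and by the `^[%w_]+` match in `list_default_roles` for file-defined ones. That invariant is not stated anywhere near this template, so a later relaxation of the role-name rule (allowing '-' or '.') would silently introduce HTML and URL injection here. Add `<% -- role names are validated to [%w_] in roles.lua, so they can be embedded unescaped %>` above the loop, or escape defensively anyway.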
@@ -29,7 +30,7 @@
<dl>
<% table.sort(view.value.defined_roles.value) %>
<% for x,role in pairs(view.value.defined_roles.value) do %>
- <dt><img src='/static/tango/16x16/apps/system-users.png' height='16' width='16'> <%= role %></dt>
+ <dt><img src='/skins/static/tango/16x16/apps/system-users.png' height='16' width='16'> <%= role %></dt>
<dd>
[<a href='viewroleperms?role=<%= role %>'>View this role</a>]
[<a href='editrole?role=<%= role %>&redir=<%= page_info.orig_action %>'>Edit this role</a>]
diff --git a/lib/authenticator.lua b/lib/authenticator.lua
index 1b55150..941e19f 100644
--- a/lib/authenticator.lua
+++ b/lib/authenticator.lua
@@ -171,7 +171,7 @@ get_userinfo_roles = function(self, userid)
if rol then
local avail_roles = rol.list_all_roles(self)
for x,role in ipairs(avail_roles) do
- if role=="ALL" then
+ if role==rol.guest_role then
table.remove(avail_roles,x)
break
end
diff --git a/lib/roles.lua b/lib/roles.lua
index ecd9798..85f59da 100644
--- a/lib/roles.lua
+++ b/lib/roles.lua
@@ -6,7 +6,7 @@ require ("format")
module (..., package.seeall)
-local default_roles = { "CREATE", "UPDATE", "DELETE", "READ", "ALL" }
+guest_role = "GUEST"
-- returns a table of the *.roles files
-- startdir should be the app dir
@@ -81,16 +81,29 @@ get_controllers_view = function(self,controller_info)
return temp
end
-list_default_roles = function()
- return default_roles
+list_default_roles = function(self)
+ local default_roles = {}
+ local reverseroles = {}
+
+ -- find all of the default roles files and parse them
+ local rolesfiles = get_roles_candidates(self.conf.appdir)
+
+ for x,file in ipairs(rolesfiles) do
+ f = fs.read_file_as_array(file)
+ for y,line in pairs(f) do
+ if not reverseroles[string.match(line,"^[%w_]+")] then
+ default_roles[#default_roles+1] = string.match(line,"^[%w_]+")
+ reverseroles[default_roles[#default_roles]] = #default_roles
+ end
+ end
+ end
+
+ return default_roles, reverseroles
end
list_roles = function(self)
local defined_roles = {}
- local reverseroles = {}
- for x,role in ipairs(default_roles) do
- reverseroles[role] = x
- end
+ local default_roles, reverseroles = list_default_roles(self)
-- Open the roles file and parse for defined roles
local entries = authenticator.auth.read_field(self, authenticator.roletable, "") or {}
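Review bot: `string.match(line,"^[%w_]+")` returns nil for a blank line or any line not starting with a word character, and the loop does not guard against that: the `reverseroles[nil]` read is harmless, `default_roles[#default_roles+1] = nil` is a no-op, but `reverseroles[default_roles[#default_roles]] = #default_roles` then indexes with a nil key when nothing has been collected yet, which raises "table index is nil" and takes every roles lookup down — a trailing newline in the first roles file is enough to trigger it. Match once into a local and skip non-matching lines. `f = fs.read_file_as_array(file)` also assigns a global (a module field, given `module(..., package.seeall)`), so it should be `local f`.
```lua
for x,file in ipairs(rolesfiles) do
	local f = fs.read_file_as_array(file)
	for y,line in pairs(f) do
		-- skip blank or malformed lines rather than indexing with nil
		local name = string.match(line,"^[%w_]+")
		if name and not reverseroles[name] then
			default_roles[#default_roles+1] = name
			reverseroles[name] = #default_roles
		end
	end
end
```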
@@ -111,19 +124,19 @@ list_all_roles = function(self)
return default_roles
end
--- Go through the roles files and determine the permissions for the specified roles
+-- Go through the roles files and determine the permissions for the specified list of roles (including guest)
get_roles_perm = function(self,roles)
permissions = {}
permissions_array = {}
- -- find all of the roles files and add in the master file
- local rolesfiles = get_roles_candidates(self.conf.appdir)
-
local reverseroles = {}
for x,role in ipairs(roles) do
- reverseroles[role] = {}
+ reverseroles[role] = x
end
- reverseroles["ALL"] = {} -- always include ALL role
+ reverseroles[guest_role] = 0 -- always include guest role
+
+ -- find all of the default roles files and parse them
+ local rolesfiles = get_roles_candidates(self.conf.appdir)
for x,file in ipairs(rolesfiles) do
f = fs.read_file_as_array(file)
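Review bot: `f = fs.read_file_as_array(file)` on the last line assigns a global, as do `permissions = {}` and `permissions_array = {}` at the top of the function; with `module(..., package.seeall)` each becomes a field of the roles module that persists across calls and is visible to every importer, so concurrent or re-entrant lookups can observe a half-built table. Declare all three `local` — the function returns the tables explicitly, so nothing relies on the globals. `reverseroles[guest_role] = 0` only works because 0 is truthy in Lua; a short comment, `-- 0 is truthy in Lua, so the guest role is matched like any other`, would spare the next reader a double-take. The enclosing function continues past the end of this hunk.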
@@ -137,7 +150,7 @@ get_roles_perm = function(self,roles)
permissions[control] = {}
end
if action then
- permissions[control][action] = {}
+ permissions[control][action] = {file}
permissions_array[#permissions_array + 1] = control .. ":" .. action
end
end
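Review bot: `permissions_array` is appended unconditionally, so an action granted by more than one matched role, or listed in more than one roles file, appears in the array several times, while `permissions[control][action]` keeps only the last `{file}`. If callers iterate the array as a set this is only noise, but keeping it duplicate-free is cheap: guard the append on the map, `if not permissions[control][action] then permissions_array[#permissions_array + 1] = control .. ":" .. action end`, and then assign `permissions[control][action] = {file}`. Storing the file path as the only value is reasonable provenance, but a comment saying it is informational (nothing downstream visibly reads it) would help. The enclosing function starts and ends outside this hunk.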
@@ -146,6 +159,7 @@ get_roles_perm = function(self,roles)
end
end
+ -- then look in the user-editable roles
local entries = authenticator.auth.read_field(self, authenticator.roletable, "") or {}
for x,entry in ipairs(entries) do
if reverseroles[entry.id] then
@@ -172,8 +186,9 @@ end
get_role_perm = function(self,role)
permissions = {}
permissions_array = {}
+ default_permissions_array = {}
- -- find all of the roles files and add in the master file
+ -- find all of the default roles files and parse them
local rolesfiles = get_roles_candidates(self.conf.appdir)
for x,file in ipairs(rolesfiles) do
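Review bot: `default_permissions_array = {}` is a new accidental global next to the existing `permissions` and `permissions_array`; under `module(..., package.seeall)` it surfaces as `roles.default_permissions_array`, is shared by every caller and keeps the last result alive after the function returns. Since the function returns the array explicitly (`return permissions, permissions_array, default_permissions_array` further down), `local default_permissions_array = {}` is sufficient, and the two existing tables should get the same treatment. The function body continues past this hunk.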
@@ -188,15 +203,17 @@ get_role_perm = function(self,role)
permissions[control] = {}
end
if action then
- permissions[control][action] = {}
+ permissions[control][action] = {file}
permissions_array[#permissions_array + 1] = control .. ":" .. action
+ default_permissions_array[#default_permissions_array + 1] = control .. ":" .. action
end
end
end
end
end
end
-
+
+ -- then look in the user-editable roles
local entry = authenticator.auth.read_entry(self, authenticator.roletable, "", role)
if entry then
temp = format.string_to_table(entry, ",")
@@ -214,17 +231,11 @@ get_role_perm = function(self,role)
end
end
- return permissions, permissions_array
+ return permissions, permissions_array, default_permissions_array
end
-- Delete a role from role file
delete_role = function(self, role)
- for x,ro in ipairs(default_roles) do
- if role==ro then
- return false, "Cannot delete default roles"
- end
- end
-
local result = authenticator.auth.delete_entry(self, authenticator.roletable, "", role)
local cmdresult = "Role entry not found"
if result then cmdresult = "Role deleted" end
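Review bot: With the default-role guard removed, calling `delete_role` on a file-defined role such as USER only removes its entry from the user-editable table via `authenticator.auth.delete_entry`; the permissions from the roles files stay in force and the role is still returned by `list_default_roles`, yet the caller is told "Role deleted". That operation is really a reset of the added permissions, and both the message and any view that offers "delete" for default roles should say so — e.g. compare the role against `list_default_roles(self)` and return `"Default role reset to file permissions"`, or keep rejecting deletion of default roles and rely on `set_role_perm` with an empty list, which the last hunk now permits, for the reset.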
@@ -237,11 +248,6 @@ set_role_perm = function(self, role, permissions, permissions_array)
if role==nil or role=="" then
return false, "Invalid Role"
end
- for x,ro in ipairs(default_roles) do
- if role==ro then
- return false, "Cannot modify default roles"
- end
- end
if string.find(role, '[^%w_]') then
return false, "Role can only contain letters, numbers, and '_'"
end
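Review bot: Removing the "Cannot modify default roles" check makes GUEST editable like any other role, and `get_roles_perm` always merges the guest role into every permission lookup (`reverseroles[guest_role] = 0`), so any permission written here under the name GUEST is granted to unauthenticated sessions. If extending the anonymous permission set is intended, say so in a comment at the top of this function; if not, keep a narrower guard, `if role==guest_role then return false, "Cannot modify guest role" end`. Either way the `[^%w_]` check that follows is what keeps role names safe to embed unescaped in the HTML views, so it should remain the first validation after the empty-role check.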
@@ -253,9 +259,6 @@ set_role_perm = function(self, role, permissions, permissions_array)
end
end
end
- if permissions_array==nil or #permissions_array==0 then
- return false, "No permissions set"
- end
- return authenticator.auth.write_entry(self, authenticator.roletable, "", role, table.concat(permissions_array,","))
+ return authenticator.auth.write_entry(self, authenticator.roletable, "", role, table.concat(permissions_array or {},","))
end
diff --git a/passwd b/passwd
index e0fdf92..16c8b69 100644
--- a/passwd
+++ b/passwd
@@ -1,2 +1,2 @@
-alpine:cc03e747a6afbbcbf8be7668acfebee5:Test Account:CREATE,UPDATE,DELETE,READ
-foo:cc03e747a6afbbcbf8be7668acfebee5:Test Account:CREATE,DELETE
+alpine:cc03e747a6afbbcbf8be7668acfebee5:Test Account:ADMIN
+foo:cc03e747a6afbbcbf8be7668acfebee5:Test Account:USER
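Review bot: The shipped `passwd` now gives `alpine` the ADMIN role while keeping the existing sample hash `cc03e747a6afbbcbf8be7668acfebee5`, which by length looks like an unsalted MD5 digest (I cannot confirm the algorithm from here). If this file is ever installed as a default rather than used purely as test data, the result is a well-known administrative credential on every deployment. Noting in the commit message that these are test fixtures, or moving them out of the tree root, would make the intent clear.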
diff --git a/roles b/roles
index 90e3221..e69de29 100644
--- a/roles
+++ b/roles
@@ -1,3 +0,0 @@
-ALL=welcome:read,logon:logon,logon:logout,logon:status
-CREATE=password:status,password:edituser,password:newuser,password:deleteuser,roles:getpermslist,roles:viewuserroles,roles:viewroleperms,roles:viewroles,roles:editrole,roles:deleterole,roles:newrole
-READ=password:editme,roles:read