Adding the notion of Global admins. Functions added to main_api: api_is_global_platform_admin() api_protect_global_admin_script(); Blocking the access to the NO global admin users in the multiple URLs configuration See CT#1308

16 years ago · ec4a19c4ca
parent 360aaedb28
commit ec4a19c4ca
11 changed files with 123 additions and 47 deletions
--- a/main/admin/access_url_add_courses_to_url.php
+++ b/main/admin/access_url_add_courses_to_url.php
@ -15,7 +15,7 @@ require_once '../inc/global.inc.php';
 $this_section=SECTION_PLATFORM_ADMIN;

 require_once (api_get_path(LIBRARY_PATH).'urlmanager.lib.php');
-api_protect_admin_script();
+api_protect_global_admin_script();
 if (!$_configuration['multiple_access_urls']) {
 	header('Location: index.php');
 	exit;
--- a/main/admin/access_url_add_sessions_to_url.php
+++ b/main/admin/access_url_add_sessions_to_url.php
@ -15,7 +15,7 @@ require_once '../inc/global.inc.php';
 $this_section=SECTION_PLATFORM_ADMIN;

 require_once api_get_path(LIBRARY_PATH).'urlmanager.lib.php';
-api_protect_admin_script();
+api_protect_global_admin_script();
 if (!$_configuration['multiple_access_urls']) {
 	header('Location: index.php');
 	exit;
--- a/main/admin/access_url_add_users_to_url.php
+++ b/main/admin/access_url_add_users_to_url.php
@ -15,7 +15,7 @@ require_once '../inc/global.inc.php';
 $this_section=SECTION_PLATFORM_ADMIN;

 require_once api_get_path(LIBRARY_PATH).'urlmanager.lib.php';
-api_protect_admin_script();
+api_protect_global_admin_script();
 if (!$_configuration['multiple_access_urls']) {
 	header('Location: index.php');
 	exit;
--- a/main/admin/access_url_edit.php
+++ b/main/admin/access_url_edit.php
@ -10,7 +10,8 @@ $cidReset = true;
 require_once '../inc/global.inc.php';
 $this_section = SECTION_PLATFORM_ADMIN;

-api_protect_admin_script();
+//api_protect_admin_script();
+api_protect_global_admin_script();
 if (!$_configuration['multiple_access_urls']) {
 	header('Location: index.php');
 	exit;
--- a/main/admin/access_url_edit_courses_to_url.php
+++ b/main/admin/access_url_edit_courses_to_url.php
@ -24,7 +24,7 @@ $xajax -> registerFunction (array('search_courses', 'Accessurleditcoursestourl',
 $this_section = SECTION_PLATFORM_ADMIN;

 // Access restrictions
-api_protect_admin_script();
+api_protect_global_admin_script();
 if (!$_configuration['multiple_access_urls']) {
 	header('Location: index.php');
 	exit;
--- a/main/admin/access_url_edit_sessions_to_url.php
+++ b/main/admin/access_url_edit_sessions_to_url.php
@ -26,7 +26,7 @@ $xajax -> registerFunction (array('search_sessions', 'Accessurleditsessionstourl
 $this_section = SECTION_PLATFORM_ADMIN;

 // Access restrictions
-api_protect_admin_script();
+api_protect_global_admin_script();
 if (!$_configuration['multiple_access_urls']) {
 	header('Location: index.php');
 	exit;
--- a/main/admin/access_url_edit_users_to_url.php
+++ b/main/admin/access_url_edit_users_to_url.php
@ -25,7 +25,7 @@ $xajax -> registerFunction (array('search_users', 'Accessurledituserstourl', 'se
 $this_section = SECTION_PLATFORM_ADMIN;

 // Access restrictions
-api_protect_admin_script();
+api_protect_global_admin_script();
 if (!$_configuration['multiple_access_urls']) {
 	header('Location: index.php');
 	exit;
--- a/main/admin/access_urls.php
+++ b/main/admin/access_urls.php
@ -12,7 +12,9 @@ require_once '../inc/global.inc.php';
 require_once api_get_path(LIBRARY_PATH).'sortabletable.class.php';
 $this_section = SECTION_PLATFORM_ADMIN;

-api_protect_admin_script();
+//api_protect_admin_script();
+api_protect_global_admin_script();
+
 if (!$_configuration['multiple_access_urls']) {
 	header('Location: index.php');
 	exit;
--- a/main/admin/index.php
+++ b/main/admin/index.php
@ -161,9 +161,10 @@ if(api_is_platform_admin()) {
 	  <li><a href="<?php echo $phpMyAdminPath; ?>" target="_blank"><?php echo get_lang("AdminDatabases"); ?></a><br />(<?php echo get_lang("DBManagementOnlyForServerAdmin"); ?>)</li>
 	  <?php } ?>
 	  <?php
-	  if(!empty($_configuration['multiple_access_urls']))
-	  {
-	    echo '<li><a href="access_urls.php">'.get_lang('ConfigureMultipleAccessURLs').'</a></li>';
+		if(!empty($_configuration['multiple_access_urls'])) {
+			if (api_is_global_platform_admin()) { 
+	    		echo '<li><a href="access_urls.php">'.get_lang('ConfigureMultipleAccessURLs').'</a></li>';
+			}
 	  }

 	  if (api_get_setting('allow_reservation')=='true') {
--- a/main/inc/lib/main_api.lib.php
+++ b/main/inc/lib/main_api.lib.php
@ -4483,3 +4483,43 @@ function api_send_mail($to, $subject, $message, $additional_headers = null, $add
 	$mail->ClearAddresses();
 	return 1;
 }
+
+
+/**
+ * Function used to protect a "global" admin script.
+ * The function blocks access when the user has no global platform admin rights.
+ * Global admins are the admins that are registered in the main.admin table AND the users who have access to the "principal" portal. 
+ * That means that there is a record in the main.access_url_rel_user table with his user id and the access_url_id=1 
+ *
+ * @author Julio Montoya
+ */
+function api_is_global_platform_admin() {
+	if (api_is_platform_admin()) {
+		// This user is subscribed in these sites => $my_url_list
+        $my_url_list = api_get_access_url_from_user(api_get_user_id());
+		if (in_array(1, $my_url_list)) {
+			return true;
+		} else {
+			return false;
+		}
+	}
+	return false;
+}
+
+
+/**
+ * Function used to protect a global admin script.
+ * The function blocks access when the user has no global platform admin rights.
+ * See also the api_is_global_platform_admin() function wich defines who's a "global" admin
+ *
+ * @author Julio Montoya
+ */
+function api_protect_global_admin_script() {
+	if (!api_is_global_platform_admin()) {
+		include api_get_path(INCLUDE_PATH).'header.inc.php';
+		api_not_allowed();
+		return false;
+	}
+	return true;
+}
+
--- a/main/inc/local.inc.php
+++ b/main/inc/local.inc.php
@ -285,12 +285,14 @@ if (!empty($_SESSION['_user']['user_id']) && ! ($login || $logout)) {
 									$my_user_is_admin = true;
 							    }
 							    
+								// This user is subscribed in these sites => $my_url_list
+					            $my_url_list = api_get_access_url_from_user($uData['user_id']);
+					            
+					            //Check the access_url configuration setting if the user is registered in the access_url_rel_user table
+								//Getting the current access_url_id of the platform
+	                			$current_access_url_id = api_get_current_access_url_id();
+					            
 					            if ($my_user_is_admin === false) {									                				
-									//Check the access_url configuration setting if the user is registered in the access_url_rel_user table
-									//Getting the current access_url_id of the platform
-	                				$current_access_url_id = api_get_current_access_url_id();
-	                				// my user is subscribed in these sites => $my_url_list
-	                				$my_url_list = api_get_access_url_from_user($uData['user_id']);
 	
 	                				if (is_array($my_url_list) && count($my_url_list)>0 ){
 	                					// the user have the permissions to enter at this site
@ -310,11 +312,25 @@ if (!empty($_SESSION['_user']['user_id']) && ! ($login || $logout)) {
 										header('Location: '.api_get_path(WEB_PATH).'index.php?loginFailed=1&error=access_url_inactive');
 										exit;
 	                				}
-					            } else {
-					            	//All admins can login in any multiple URL
-				            		$_user['user_id'] = $uData['user_id'];
-									api_session_register('_user');
-									event_login();				            	
+					            } else { //Only admins of the "main" (first) Chamilo portal can login wherever they want
+					            	//var_dump($current_access_url_id, $my_url_list); exit;
+					            	if (in_array(1, $my_url_list)) { //Check if this admin have the access_url_id = 1 which means the principal
+					            		$_user['user_id'] = $uData['user_id'];
+										api_session_register('_user');
+										event_login();				            	
+					            	} else {
+					            		//This means a secondary admin wants to login so we check as he's a normal user
+					            		if (in_array($current_access_url_id, $my_url_list)) {
+	                						$_user['user_id'] = $uData['user_id'];
+											api_session_register('_user');
+											event_login();
+	                					} else {
+		                					$loginFailed = true;
+											api_session_unregister('_uid');
+											header('Location: '.api_get_path(WEB_PATH).'index.php?loginFailed=1&error=access_url_inactive');
+											exit;
+	                					}
+					            	}
 					            }
 	            			} else {
 	            				$_user['user_id'] = $uData['user_id'];
@ -469,6 +485,7 @@ if (!empty($_SESSION['_user']['user_id']) && ! ($login || $logout)) {
 		                        	// check if the expiration date has not been reached
 									if ($uData['expiration_date']>date('Y-m-d H:i:s') OR $uData['expiration_date']=='0000-00-00 00:00:00') {
 		                            	global $_configuration;
+		                            	//If Multiple URL is enabled
 										if ($_configuration['multiple_access_urls'] == true) {
 		                                  	$admin_table = Database::get_main_table(TABLE_MAIN_ADMIN);
 											//Check if user is an admin 
@ -479,14 +496,16 @@ if (!empty($_SESSION['_user']['user_id']) && ! ($login || $logout)) {
 										    if (Database::num_rows($result) > 0) {
 												$my_user_is_admin = true;
 										    }
-								            if ($my_user_is_admin === false) {						            	
-			                                      //check the access_url configuration setting if the user is registered in the access_url_rel_user table
-			                                      //getting the current access_url_id of the platform
-			                                      $current_access_url_id = api_get_current_access_url_id();
-			                                      // my user is subscribed in these sites => $my_url_list
-			                                      $my_url_list = api_get_access_url_from_user($uData['user_id']);
-			
-			                                      if (is_array($my_url_list) && count($my_url_list)>0 ) {
+										    		
+										    //Check the access_url configuration setting if the user is registered in the access_url_rel_user table
+											//Getting the current access_url_id of the platform
+		                                    $current_access_url_id = api_get_current_access_url_id();			                                      
+		                                      					            
+										    // my user is subscribed in these sites => $my_url_list
+			                                $my_url_list = api_get_access_url_from_user($uData['user_id']);
+			                                      
+											if ($my_user_is_admin === false) {
+			                                	if (is_array($my_url_list) && count($my_url_list)>0 ) {
 			                                          if (in_array($current_access_url_id, $my_url_list)) {
 			                                              // the user has permission to enter at this site
 			                                              $_user['user_id'] = $uData['user_id'];
@ -503,21 +522,34 @@ if (!empty($_SESSION['_user']['user_id']) && ! ($login || $logout)) {
 			                                              header('Location: '.api_get_path(WEB_PATH).'index.php?loginFailed=1&error=access_url_inactive');
 			                                              exit;
 			                                          }
-			                                      } else {
+												} else {
 			                                          // there is no URL in the multiple urls list for this user
 			                                          $loginFailed = true;
 			                                          api_session_unregister('_uid');
 			                                          header('Location: '.api_get_path(WEB_PATH).'index.php?loginFailed=1&error=access_url_inactive');
 			                                          exit;
-			                                      }
-								            } else {
-								            	//User is an admin, he can login wherever he wants
-												$_user['user_id'] = $uData['user_id'];
-		                                        api_session_register('_user');
-		                                        event_login();						            	
-								            }
+												}
+											} else { //Only admins of the "main" (first) Chamilo portal can login wherever they want
+										    	if (in_array(1, $my_url_list)) { //Check if this admin have the access_url_id = 1 which means the principal portal
+										        	$_user['user_id'] = $uData['user_id'];
+													api_session_register('_user');
+													event_login();				            	
+										        } else {
+										        	//This means a secondary admin wants to login so we check as a normal user
+										        	if (in_array($current_access_url_id, $my_url_list)) {
+						                				$_user['user_id'] = $uData['user_id'];
+														api_session_register('_user');
+														event_login();
+						                			} else {
+							                			$loginFailed = true;
+														api_session_unregister('_uid');
+														header('Location: '.api_get_path(WEB_PATH).'index.php?loginFailed=1&error=access_url_inactive');
+														exit;
+						                			}
+												}
+											}
 										} else {
-											//Single URL access
+											//Single URL access (Only 1 portal)
 		                                    $_user['user_id'] = $uData['user_id'];
 		                                    api_session_register('_user');
 		                                    event_login();
@ -533,35 +565,35 @@ if (!empty($_SESSION['_user']['user_id']) && ! ($login || $logout)) {
 		                                exit;
 									}
 								} else {
-								    //user not active
+								    //User not active
 								    $loginFailed = true;
 								    api_session_unregister('_uid');
 								    header('Location: '.api_get_path(WEB_PATH).'index.php?loginFailed=1&error=account_inactive');
 								    exit;
 								}
 							} else {
-							  //sha1 of password is wrong
+							  //SHA1 of password is wrong
 							  $loginFailed = true;
 							  api_session_unregister('_uid');
 							  header('Location: '.api_get_path(WEB_PATH).'index.php?loginFailed=1&error=account_inactive');
 							  exit;
 							}
 	                    } else {
-	                        //auth_source is wrong
+	                        //Auth_source is wrong
 	                        $loginFailed = true;
 	                        api_session_unregister('_uid');
 	                        header('Location: '.api_get_path(WEB_PATH).'index.php?loginFailed=1&error=account_inactive');
 	                        exit;
 	                    }
 	                } else {
-	                    //no user by that login
+	                    //No user by that login
 	                    $loginFailed = true;
 	                    api_session_unregister('_uid');
 	                    header('Location: '.api_get_path(WEB_PATH).'index.php?loginFailed=1&error=account_inactive');
 	                    exit;
 	                }
 	            } else {
-	                //request comes from unknown source
+	                //Request comes from unknown source
 	                $loginFailed = true;
 	                api_session_unregister('_uid');
 	                header('Location: '.api_get_path(WEB_PATH).'index.php?loginFailed=1&error=account_inactive');