From e21ef794c4b42b82fb64f02544c8168897b62437 Mon Sep 17 00:00:00 2001
From: Uwe Steinmann
Date: Wed, 23 Jun 2021 08:58:55 +0200
Subject: [PATCH] add access control
---
 op/op.TransferDocument.php | 5 +++++
 op/op.UsrMgr.php | 6 ++++++
 out/out.SendLoginData.php | 2 ++
 views/bootstrap/class.UsrMgr.php | 16 ++++++++++------
 4 files changed, 23 insertions(+), 6 deletions(-)
diff --git a/op/op.TransferDocument.php b/op/op.TransferDocument.php
index b3080a82c..12cd11810 100644
--- a/op/op.TransferDocument.php
+++ b/op/op.TransferDocument.php
@@ -24,12 +24,17 @@ include("../inc/inc.Language.php");
 include("../inc/inc.Init.php");
 include("../inc/inc.Extension.php");
 include("../inc/inc.DBInit.php");
+include("../inc/inc.ClassAccessOperation.php");
 include("../inc/inc.ClassUI.php");
 include("../inc/inc.ClassController.php");
 include("../inc/inc.Authentication.php");
 $tmp = explode('.', basename($_SERVER['SCRIPT_FILENAME']));
 $controller = Controller::factory($tmp[1], array('dms'=>$dms, 'user'=>$user));
+$accessop = new SeedDMS_AccessOperation($dms, null, $user, $settings);
+if (!$accessop->check_controller_access($controller, $_POST)) {
+ UI::exitError(getMLText("document_title", array("documentname" => getMLText("invalid_doc_id"))),getMLText("access_denied"));
+}
 /* Check if the form data comes from a trusted request */
 if(!checkFormKey('transferdocument')) {
diff --git a/op/op.UsrMgr.php b/op/op.UsrMgr.php
index 0982d019d..f5991e74a 100644
--- a/op/op.UsrMgr.php
+++ b/op/op.UsrMgr.php
@@ -26,6 +26,7 @@ include("../inc/inc.Language.php");
 include("../inc/inc.Init.php");
 include("../inc/inc.Extension.php");
 include("../inc/inc.DBInit.php");
+include("../inc/inc.ClassAccessOperation.php");
 include("../inc/inc.ClassUI.php");
 include("../inc/inc.Authentication.php");
 include("../inc/inc.ClassPasswordStrength.php");
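Review bot: `check_controller_access($controller, $_POST)` is handed the Controller object returned by `Controller::factory`, whereas the same commit passes the plain string `'UsrMgr'` in op/op.UsrMgr.php and in the view; unless `SeedDMS_AccessOperation::check_controller_access` accepts both forms (not visible here), one of the call sites will not match any rule, so confirm against inc/inc.ClassAccessOperation.php. The denial branch also reuses the `invalid_doc_id` title for what is an access-denied condition, which sends an administrator debugging a disabled transfer down the wrong path; a title that does not claim an invalid id would make the `access_denied` reason the only message. A one-line comment above the gate, `/* Per-action access rule for this controller; evaluated before the form-key check so a denied request never reaches the transfer logic */`, would record why the block sits between the factory call and `checkFormKey`.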
@@ -34,6 +35,11 @@ if (!$user->isAdmin()) {
 UI::exitError(getMLText("admin_tools"),getMLText("access_denied"));
 }
+$accessop = new SeedDMS_AccessOperation($dms, null, $user, $settings);
+if (!$accessop->check_controller_access('UsrMgr', $_POST)) {
+ UI::exitError(getMLText("admin_tools"),getMLText("access_denied"));
+}
+
 if (isset($_POST["action"])) $action=$_POST["action"];
 else $action=NULL;
diff --git a/out/out.SendLoginData.php b/out/out.SendLoginData.php
index c6a026da9..97db9e237 100644
--- a/out/out.SendLoginData.php
+++ b/out/out.SendLoginData.php
@@ -40,10 +40,12 @@ if (!is_object($newuser)) {
 UI::exitError(getMLText("rm_user"),getMLText("invalid_user_id"));
 }
+$accessop = new SeedDMS_AccessOperation($dms, null, $user, $settings);
 $tmp = explode('.', basename($_SERVER['SCRIPT_FILENAME']));
 $view = UI::factory($theme, $tmp[1], array('dms'=>$dms, 'user'=>$user));
 if($view) {
 $view->setParam('newuser', $newuser);
+ $view->setParam('accessobject', $accessop);
 $view($_GET);
 exit;
 }
diff --git a/views/bootstrap/class.UsrMgr.php b/views/bootstrap/class.UsrMgr.php
index 984bb91e7..fa81cc378 100644
--- a/views/bootstrap/class.UsrMgr.php
+++ b/views/bootstrap/class.UsrMgr.php
@@ -181,6 +181,7 @@ $(document).ready( function() {
 $quota = $this->params['quota'];
 $undeluserids = $this->params['undeluserids'];
 $enableemail = $this->params['enableemail'];
+ $accessobject = $this->params['accessobject'];
 if($seluser) {
 $button = array(
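Review bot: This `check_controller_access('UsrMgr', $_POST)` gate is the server-side enforcement point for the `removeuser`/`removefromprocesses`/`transferobjects`/`sendlogindata` entries that views/bootstrap/class.UsrMgr.php now hides (presumably the forms behind those links post here), and nothing in the hunk records that; a comment above it, `/* Per-action access rules for UsrMgr; the menu filtering in the view is cosmetic, this check is what denies the request */`, would keep a later edit from dropping it as redundant with the `isAdmin()` gate above. Both denials emit the identical `admin_tools`/`access_denied` text, so an admin hitting a disabled action cannot tell it from a privilege problem in the UI or the logs; a distinct reason text for the second exit would help triage. The check keys on the raw `$_POST`, consistent with the `$_POST["action"]` read that follows, but how it treats a request with no `action` is not visible here and decides whether the `$action=NULL` path below is still admitted.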
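Review bot: `$accessop` is constructed only to be handed to the view; out/out.SendLoginData.php itself performs no `check_controller_access('UsrMgr', ['action'=>'sendlogindata'])`, so after this commit the only thing keeping the `sendlogindata` rule in force for this page is the hidden menu entry in views/bootstrap/class.UsrMgr.php, unless the view or the op script that receives the form repeats the check (not visible here). A direct request to the URL is not stopped by a hidden link, so the page should deny on its own right after constructing the object: `if (!$accessop->check_controller_access('UsrMgr', ['action'=>'sendlogindata'])) {` / `UI::exitError(getMLText("rm_user"),getMLText("access_denied"));` / `}`. The diffstat shows no `include("../inc/inc.ClassAccessOperation.php")` being added to this file, unlike the two op scripts, so confirm the class is already loaded earlier in the file or by an autoloader before `new SeedDMS_AccessOperation` runs.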
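Review bot: `$this->params['accessobject']` is read unconditionally, but the page that renders this view, out/out.UsrMgr.php, is not among the four files in this commit; the only `setParam('accessobject', ...)` added here is in out/out.SendLoginData.php. Unless out.UsrMgr.php already sets that parameter, this is an undefined-index read and every `$accessobject->check_controller_access(...)` call in the following hunk fails on null, taking the whole user-management page down rather than merely hiding menu entries. Worth confirming before merge, and a short comment on the new line, `// set by out/out.UsrMgr.php; required by the per-action menu checks below`, would document the coupling. The enclosing method begins before this hunk.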
@@ -188,15 +189,18 @@ $(document).ready( function() {
 'menuitems'=>array(
 )
 );
-if(!in_array($seluser->getID(), $undeluserids)) {
+if(!in_array($seluser->getID(), $undeluserids) && $accessobject->check_controller_access('UsrMgr', ['action'=>'removeuser'])) {
 $button['menuitems'][] = array('label'=>' '.getMLText("rm_user"), 'link'=>'../out/out.RemoveUser.php?userid='.$seluser->getID());
 }
-$button['menuitems'][] = array('label'=>' '.getMLText("rm_user_from_processes"), 'link'=>'../out/out.RemoveUserFromProcesses.php?userid='.$seluser->getID());
-$button['menuitems'][] = array('label'=>' '.getMLText("transfer_objects"), 'link'=>'../out/out.TransferObjects.php?userid='.$seluser->getID());
+if($accessobject->check_controller_access('UsrMgr', ['action'=>'removefromprocesses']))
+ $button['menuitems'][] = array('label'=>' '.getMLText("rm_user_from_processes"), 'link'=>'../out/out.RemoveUserFromProcesses.php?userid='.$seluser->getID());
+if($accessobject->check_controller_access('UsrMgr', ['action'=>'transferobjects']))
+ $button['menuitems'][] = array('label'=>' '.getMLText("transfer_objects"), 'link'=>'../out/out.TransferObjects.php?userid='.$seluser->getID());
 if($user->isAdmin() && $seluser->getID() != $user->getID())
-$button['menuitems'][] = array('label'=>' '.getMLText("substitute_user"), 'link'=>'../op/op.SubstituteUser.php?userid='.$seluser->getID());
-if($enableemail)
-$button['menuitems'][] = array('label'=>' '.getMLText("send_login_data"), 'link'=>'../out/out.SendLoginData.php?userid='.$seluser->getID());
+$button['menuitems'][] = array('label'=>' '.getMLText("substitute_user"), 'link'=>'../op/op.SubstituteUser.php?userid='.$seluser->getID()."&formtoken=".createFormKey('substituteuser'));
+if($accessobject->check_controller_access('UsrMgr', ['action'=>'sendlogindata']))
+ if($enableemail)
+ $button['menuitems'][] = array('label'=>' '.getMLText("send_login_data"), 'link'=>'../out/out.SendLoginData.php?userid='.$seluser->getID());
 self::showButtonwithMenu($button);
 }
 } /* }}} */
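Review bot: The `sendlogindata` gate is written as two nested brace-less `if`s, so the `$button['menuitems'][] = ...` line belongs to the inner one only by indentation, and anyone adding a second statement there will silently move it outside the gate; fold the two tests into one braced condition, `if($enableemail && $accessobject->check_controller_access('UsrMgr', ['action'=>'sendlogindata'])) {`, with the existing assignment and a closing `}` beneath it. The `removefromprocesses` and `transferobjects` entries use the same brace-less pattern and would benefit from the same treatment. Four entries gain a `check_controller_access` gate while `substitute_user` keeps only the `isAdmin()` test; if that asymmetry is deliberate, a one-line comment saying so would stop the next reader from "fixing" it, and if not it needs the same gate. Either way these checks only decide what the menu shows, so the linked pages and op/op.UsrMgr.php remain the places that must deny the action; a comment at the top of the menu block recording that would make the intent explicit.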