Version 0.10.0
- remove depricated PHP function 'split' - restrict access to plugin.php and plugin pages to admin only - add option to allow individual plugin pages to non-admin - remove disallowed plugin pages from link list - fix undefined variables and typos - add hooks to allow plugins to filter various data
This commit is contained in:
parent
6d4c5d65a8
commit
e885a3f28a
@ -3,7 +3,7 @@
|
|||||||
Plugin Name: Authorization Manager
|
Plugin Name: Authorization Manager
|
||||||
Plugin URI: https://github.com/nicwaller/yourls-authmgr-plugin
|
Plugin URI: https://github.com/nicwaller/yourls-authmgr-plugin
|
||||||
Description: Restrict classes of users to specific functions
|
Description: Restrict classes of users to specific functions
|
||||||
Version: 0.9.3
|
Version: 0.10.0
|
||||||
Author: nicwaller
|
Author: nicwaller
|
||||||
Author URI: https://github.com/nicwaller
|
Author URI: https://github.com/nicwaller
|
||||||
*/
|
*/
|
||||||
@ -81,17 +81,37 @@ function authmgr_intercept_admin() {
|
|||||||
'activate' => AuthmgrCapability::ManagePlugins,
|
'activate' => AuthmgrCapability::ManagePlugins,
|
||||||
'deactivate' => AuthmgrCapability::ManagePlugins,
|
'deactivate' => AuthmgrCapability::ManagePlugins,
|
||||||
);
|
);
|
||||||
// allow manipulation of this list
|
// allow manipulation of this list ( be mindfull of extending Authmgr Capability class if needed )
|
||||||
yourls_apply_filter( 'authmgr_action_capability_map', $action_capability_map);
|
yourls_apply_filter( 'authmgr_action_capability_map', $action_capability_map);
|
||||||
|
|
||||||
// intercept requests for plugin management
|
// Intercept requests for plugin management
|
||||||
if ( isset( $_REQUEST['plugin'] ) ) {
|
if( isset( $_SERVER['REQUEST_URI'] ) && preg_match('/\/admin\/plugins\.php.*/', $_SERVER['REQUEST_URI'] ) ) {
|
||||||
|
// Is this a plugin page request?
|
||||||
|
if ( isset( $_REQUEST['page'] ) ) {
|
||||||
|
// Is this an allowed plugin?
|
||||||
|
global $authmgr_allowed_plugin_pages;
|
||||||
|
if ( authmgr_have_capability( AuthmgrCapability::ManagePlugins ) !== true) {
|
||||||
|
$r = $_REQUEST['page'];
|
||||||
|
if(!in_array($r, $authmgr_allowed_plugin_pages ) ) {
|
||||||
|
yourls_redirect( yourls_admin_url( '?access=denied' ), 302 );
|
||||||
|
}
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
// Should this user touch plugins?
|
||||||
|
if ( authmgr_have_capability( AuthmgrCapability::ManagePlugins ) !== true) {
|
||||||
|
yourls_redirect( yourls_admin_url( '?access=denied' ), 302 );
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// intercept requests for global plugin management actions
|
||||||
|
if (isset( $_REQUEST['plugin'] ) ) {
|
||||||
$action_keyword = $_REQUEST['action'];
|
$action_keyword = $_REQUEST['action'];
|
||||||
$cap_needed = $action_capability_map[$action_keyword];
|
$cap_needed = $action_capability_map[$action_keyword];
|
||||||
if ( $cap_needed !== NULL && authmgr_have_capability( $cap_needed ) !== true) {
|
if ( $cap_needed !== NULL && authmgr_have_capability( $cap_needed ) !== true) {
|
||||||
yourls_redirect( yourls_admin_url( '?access=denied' ), 302 );
|
yourls_redirect( yourls_admin_url( '?access=denied' ), 302 );
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
// Key actions like Add/Edit/Delete are AJAX requests
|
// Key actions like Add/Edit/Delete are AJAX requests
|
||||||
if ( yourls_is_Ajax() ) {
|
if ( yourls_is_Ajax() ) {
|
||||||
@ -108,6 +128,23 @@ function authmgr_intercept_admin() {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
/*
|
||||||
|
* This is a cosmetic filter that removes disallowed plugins from link list
|
||||||
|
*/
|
||||||
|
yourls_add_filter( 'admin_sublinks', 'authmgr_admin_sublinks' );
|
||||||
|
function authmgr_admin_sublinks( $links ) {
|
||||||
|
|
||||||
|
global $authmgr_allowed_plugin_pages;
|
||||||
|
|
||||||
|
if ( authmgr_have_capability( AuthmgrCapability::ManagePlugins ) !== true) {
|
||||||
|
foreach( $links['plugins'] as $link => $ar ) {
|
||||||
|
if(!in_array($link, $authmgr_allowed_plugin_pages) )
|
||||||
|
unset($links['plugins'][$link]);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
sort($links['plugins']);
|
||||||
|
return $links;
|
||||||
|
}
|
||||||
|
|
||||||
yourls_add_filter( 'logout_link', 'authmgr_html_append_roles' );
|
yourls_add_filter( 'logout_link', 'authmgr_html_append_roles' );
|
||||||
/**
|
/**
|
||||||
@ -160,7 +197,7 @@ function authmgr_enumerate_current_capabilities() {
|
|||||||
}
|
}
|
||||||
|
|
||||||
function authmgr_enumerate_all_capabilities() {
|
function authmgr_enumerate_all_capabilities() {
|
||||||
return array(
|
$return = array(
|
||||||
AuthmgrCapability::ShowAdmin,
|
AuthmgrCapability::ShowAdmin,
|
||||||
AuthmgrCapability::AddURL,
|
AuthmgrCapability::AddURL,
|
||||||
AuthmgrCapability::DeleteURL,
|
AuthmgrCapability::DeleteURL,
|
||||||
@ -169,6 +206,10 @@ function authmgr_enumerate_all_capabilities() {
|
|||||||
AuthmgrCapability::API,
|
AuthmgrCapability::API,
|
||||||
AuthmgrCapability::ViewStats,
|
AuthmgrCapability::ViewStats,
|
||||||
);
|
);
|
||||||
|
// allow manipulation of this list ( be mindfull of extending the AuthmgrCapability class if needed )
|
||||||
|
yourls_apply_filter( 'authmgr_enumerate_all_capabilities', $return);
|
||||||
|
|
||||||
|
return $return;
|
||||||
}
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
@ -198,7 +239,7 @@ function authmgr_check_anon_capability( $original, $capability ) {
|
|||||||
if ( $original === true ) return true;
|
if ( $original === true ) return true;
|
||||||
|
|
||||||
// Make sure the anon rights list has been setup
|
// Make sure the anon rights list has been setup
|
||||||
authmgr_environment_check();
|
authmgr_env_check();
|
||||||
|
|
||||||
// Check list of capabilities that don't require authentication
|
// Check list of capabilities that don't require authentication
|
||||||
return in_array( $capability, $authmgr_anon_capabilities );
|
return in_array( $capability, $authmgr_anon_capabilities );
|
||||||
@ -215,7 +256,7 @@ function authmgr_check_user_capability( $original, $capability ) {
|
|||||||
if ( $original === true ) return true;
|
if ( $original === true ) return true;
|
||||||
|
|
||||||
// ensure $authmgr_role_capabilities has been set up
|
// ensure $authmgr_role_capabilities has been set up
|
||||||
authmgr_environment_check();
|
authmgr_env_check();
|
||||||
|
|
||||||
// If the user is not authenticated, then give up because only users have roles.
|
// If the user is not authenticated, then give up because only users have roles.
|
||||||
$authenticated = yourls_is_valid_user();
|
$authenticated = yourls_is_valid_user();
|
||||||
@ -250,7 +291,7 @@ function authmgr_check_admin_ipranges( $original, $capability ) {
|
|||||||
if ( $original === true ) return true;
|
if ( $original === true ) return true;
|
||||||
|
|
||||||
// ensure $authmgr_admin_ipranges is setup
|
// ensure $authmgr_admin_ipranges is setup
|
||||||
authmgr_environment_check();
|
authmgr_env_check();
|
||||||
|
|
||||||
foreach ($authmgr_admin_ipranges as $range) {
|
foreach ($authmgr_admin_ipranges as $range) {
|
||||||
if ( authmgr_cidr_match( $_SERVER['REMOTE_ADDR'], $range ) )
|
if ( authmgr_cidr_match( $_SERVER['REMOTE_ADDR'], $range ) )
|
||||||
@ -316,10 +357,12 @@ function authmgr_user_has_role_in_config( $original, $username, $rolename ) {
|
|||||||
|
|
||||||
/********************* VALIDATE CONFIGURATION ************************/
|
/********************* VALIDATE CONFIGURATION ************************/
|
||||||
|
|
||||||
function authmgr_environment_check() {
|
function authmgr_env_check() {
|
||||||
global $authmgr_anon_capabilities;
|
global $authmgr_anon_capabilities;
|
||||||
global $authmgr_role_capabilities;
|
global $authmgr_role_capabilities;
|
||||||
global $authmgr_role_assignment;
|
global $authmgr_role_assignment;
|
||||||
|
global $authmgr_admin_ipranges;
|
||||||
|
global $authmgr_allowed_plugin_pages;
|
||||||
|
|
||||||
if ( !isset( $authmgr_anon_capabilities) ) {
|
if ( !isset( $authmgr_anon_capabilities) ) {
|
||||||
$authmgr_anon_capabilities = array();
|
$authmgr_anon_capabilities = array();
|
||||||
@ -355,12 +398,17 @@ function authmgr_environment_check() {
|
|||||||
$authmgr_role_assignment = array();
|
$authmgr_role_assignment = array();
|
||||||
}
|
}
|
||||||
|
|
||||||
if ( !isset( $authmgr_iprange_roles ) ) {
|
if ( !isset( $authmgr_admin_ipranges ) ) {
|
||||||
$authmgr_admin_ipranges = array(
|
$authmgr_admin_ipranges = array(
|
||||||
'127.0.0.0/8',
|
'127.0.0.0/8',
|
||||||
);
|
);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if ( !isset( $authmgr_allowed_plugin_pages ) ) {
|
||||||
|
$authmgr_allowed_plugin_pages = array(
|
||||||
|
);
|
||||||
|
}
|
||||||
|
|
||||||
// convert role assignment table to lower case if it hasn't been done already
|
// convert role assignment table to lower case if it hasn't been done already
|
||||||
// this makes searches much easier!
|
// this makes searches much easier!
|
||||||
$authmgr_role_assignment_lower = array();
|
$authmgr_role_assignment_lower = array();
|
||||||
@ -372,6 +420,15 @@ function authmgr_environment_check() {
|
|||||||
$authmgr_role_assignment = $authmgr_role_assignment_lower;
|
$authmgr_role_assignment = $authmgr_role_assignment_lower;
|
||||||
unset($authmgr_role_assignment_lower);
|
unset($authmgr_role_assignment_lower);
|
||||||
|
|
||||||
|
// allow manipulation of env by other plugins ( be mindfull of extending AuthmgrCapability and AuthmgrRoles classes if needed )
|
||||||
|
$a = $authmgr_anon_capabilities;
|
||||||
|
$b = $authmgr_role_capabilities;
|
||||||
|
$c = $authmgr_role_assignment;
|
||||||
|
$d = $authmgr_admin_ipranges;
|
||||||
|
$e = $authmgr_allowed_plugin_pages;
|
||||||
|
|
||||||
|
yourls_apply_filter( 'authmgr_env_check', $a, $b, $c, $d, $e );
|
||||||
|
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -382,7 +439,7 @@ function authmgr_environment_check() {
|
|||||||
* http://stackoverflow.com/questions/594112/matching-an-ip-to-a-cidr-mask-in-php5
|
* http://stackoverflow.com/questions/594112/matching-an-ip-to-a-cidr-mask-in-php5
|
||||||
*/
|
*/
|
||||||
function authmgr_cidr_match($ip, $range) {
|
function authmgr_cidr_match($ip, $range) {
|
||||||
list ($subnet, $bits) = split('/', $range);
|
list ($subnet, $bits) = explode('/', $range);
|
||||||
$ip = ip2long($ip);
|
$ip = ip2long($ip);
|
||||||
$subnet = ip2long($subnet);
|
$subnet = ip2long($subnet);
|
||||||
$mask = -1 << (32 - $bits);
|
$mask = -1 << (32 - $bits);
|
||||||
|
Loading…
Reference in New Issue
Block a user