From 130a000cda2baf02e4e56d8435f985145ff24def Mon Sep 17 00:00:00 2001
From: Pepijn Over
Date: Sat, 15 Mar 2014 22:38:17 +0100
Subject: [PATCH] restricting server edit/add/delete to admins only

---
 src/psm/Module/AbstractController.class.php | 59 ++++++++++++++-----
 .../Controller/ServerController.class.php | 25 ++++++++
 src/templates/main.tpl.html | 2 +-
 src/templates/servers.tpl.html | 36 ++++++-----
 4 files changed, 89 insertions(+), 33 deletions(-)

diff --git a/src/psm/Module/AbstractController.class.php b/src/psm/Module/AbstractController.class.php
index 79187456..1bc7a41e 100755
--- a/src/psm/Module/AbstractController.class.php
+++ b/src/psm/Module/AbstractController.class.php
@@ -112,6 +112,13 @@ abstract class AbstractController implements ControllerInterface {
      */
     protected $user_level_required = PSM_USER_USER;
 
+    /**
+     * Required user level for certain actions
+     * @var int $user_level_required_actions
+     * @see setMinUserLevelRequiredForAction()
+     */
+    protected $user_level_required_actions = array();
+
     function __construct(Database $db, Template $tpl) {
         $this->db = $db;
         $this->tpl = $tpl;
@@ -121,22 +128,10 @@ abstract class AbstractController implements ControllerInterface {
      * Initialize the module
      */
     public function initialize() {
-        // yeh baby, "initialize" me..
-        // right, anyway, lets determine the aciton
-        $action = null;
+        $action = psm_GET('action', psm_POST('action', $this->action_default));
 
-        if(isset($_GET['action'])) {
-            $action = $_GET['action'];
-        } elseif(isset($_POST['action'])) {
-            $action = $_POST['action'];
-        }
-        if($action !== null && in_array($action, $this->actions)) {
-            // we have an action
-            $this->initializeAction($action);
-        } elseif($this->action_default !== null) {
+        if(!in_array($action, $this->actions) || !$this->initializeAction($action)) {
             $this->initializeAction($this->action_default);
-        } else {
-            // else what..?
         }
 
         $this->createHTML();
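Review bot: The `@var int $user_level_required_actions` annotation on the new property does not match its value: it is initialized to `array()` and, as `setMinUserLevelRequiredForAction()` later in this patch shows, holds one entry per action name (`action => required level`). The docblock should read `@var array $user_level_required_actions` so readers and static analysis see a map rather than an int.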
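Review bot: A request for an action the current user is not permitted to run now falls through to `action_default` silently, because `initializeAction()` returns `false` both for a missing `execute*` method and for an insufficient user level, and `initialize()` treats the two alike (the same conflation is in the `initializeAction` hunk of this file, so it should be fixed once there). At minimum the denied case should be distinguishable, e.g. by having `initializeAction()` record the reason so `initialize()` can log it or show a message instead of quietly rendering the default action. Separately, `$action` comes straight from the request, so use the strict flag: `if(!in_array($action, $this->actions, true) || !$this->initializeAction($action)) {`. The removed `$action !== null` / `$this->action_default !== null` guards are gone as well: if `psm_GET`/`psm_POST` return their default when the key is absent (as their use here suggests) and `action_default` is null, `initializeAction(null)` is now called twice, harmless only as long as `method_exists` fails, so a guard or a comment is warranted.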
@@ -145,15 +140,26 @@ abstract class AbstractController implements ControllerInterface {
     /**
      * Run a specified action
      *
-     * For it to run, the "execute$action" method must exist
+     * For it to run, the "execute$action" method must exist.
      * @param string $action
+     * @return boolean whether action has been initialized successfully
      */
     protected function initializeAction($action) {
-        $this->action = $action;
+        if(isset($this->user_level_required_actions[$action])) {
+            $ulvl = ($this->user) ? $this->user->getUserLevel() : PSM_USER_ANONYMOUS;
+
+            if($ulvl > $this->user_level_required_actions[$action]) {
+                // user is not allowed to access this action..
+                return false;
+            }
+        }
         $method = 'execute' . ucfirst($action);
         if(method_exists($this, $method)) {
+            $this->action = $action;
             $this->$method();
+            return true;
         }
+        return false;
     }
 
     /**
@@ -390,9 +396,11 @@ abstract class AbstractController implements ControllerInterface {
     /**
      * Set the minimum required user level for this module
      * @param int $level
+     * @return \psm\Module\AbstractController
      */
     public function setMinUserLevelRequired($level) {
         $this->user_level_required = intval($level);
+        return $this;
     }
 
     /**
@@ -402,4 +410,23 @@ abstract class AbstractController implements ControllerInterface {
     public function getMinUserLevelRequired() {
         return $this->user_level_required;
     }
+
+    /**
+     * Set the minimum required user level for a certain action.
+     *
+     * Use this only if one of the access is more restricted than the entire controller
+     * @param int $level
+     * @param string|array $actions one or more actions to set this level for
+     * @return \psm\Module\AbstractController
+     * @see setMinUserLevelRequired()
+     */
+    public function setMinUserLevelRequiredForAction($level, $actions) {
+        if(!is_array($actions)) {
+            $actions = array($actions);
+        }
+        foreach($actions as $action) {
+            $this->user_level_required_actions[$action] = intval($level);
+        }
+        return $this;
+    }
 }
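Review bot: The check `if($ulvl > $this->user_level_required_actions[$action])` relies on an ordering of the `PSM_USER_*` constants (a numerically lower level means more privilege, with `PSM_USER_ANONYMOUS` the largest value) that is stated nowhere in the hunk. If that is indeed how the constants are defined, say so above the comparison, `// user levels: lower value = more privileges; anonymous is the least privileged`, because a constant added out of order later would silently grant access. The denial path also returns `false` without any trace, which the caller cannot tell apart from a missing `execute*` method; recording the reason (a property or a log call) would make denied requests visible. The enforcement further depends on `$this->user` being populated before `initialize()` runs, which happens outside this hunk and deserves a sentence in the method docblock.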
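Review bot: The action names passed to `setMinUserLevelRequiredForAction()` are not checked against `$this->actions`, so a misspelled name is stored without complaint while the real action keeps the controller-wide level. A call whose purpose is to tighten access should fail loudly on that, e.g. `if(!in_array($action, $this->actions, true)) { throw new \InvalidArgumentException('unknown action: ' . $action); }` inside the loop, or at the very least the docblock should state that `setActions()` must be called first and the names must match. The sentence `Use this only if one of the access is more restricted than the entire controller` is garbled; suggest `Use this only when one or more actions must be more restricted than the level required for the entire controller.`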
diff --git a/src/psm/Module/Server/Controller/ServerController.class.php b/src/psm/Module/Server/Controller/ServerController.class.php
index a74cbd97..f066bd38 100755
--- a/src/psm/Module/Server/Controller/ServerController.class.php
+++ b/src/psm/Module/Server/Controller/ServerController.class.php
@@ -41,6 +41,11 @@ class ServerController extends AbstractController {
         $this->setActions(array(
             'index', 'edit', 'save', 'delete',
         ), 'index');
+
+        // make sure only admins are allowed to edit/delete servers:
+        $this->setMinUserLevelRequiredForAction(PSM_USER_ADMIN, array(
+            'delete', 'edit', 'save'
+        ));
     }
 
     /**
@@ -48,6 +53,22 @@ class ServerController extends AbstractController {
      */
     protected function executeIndex() {
         $this->setTemplateId('servers_list', 'servers.tpl.html');
+        // check if user is admin, in that case we add the buttons
+        if($this->user->getUserLevel() == PSM_USER_ADMIN) {
+            // first add buttons at the top
+            $this->tpl->newTemplate('servers_list_admin_buttons', 'servers.tpl.html');
+            $this->tpl->addTemplateData($this->getTemplateId(), array(
+                'html_buttons_admin' => $this->tpl->getTemplate('servers_list_admin_buttons'),
+                'url_add' => psm_build_url(array('mod' => 'server', 'action' => 'edit'))
+            ));
+            // get the action buttons per server
+            $this->tpl->newTemplate('servers_list_admin_actions', 'servers.tpl.html');
+            $html_actions = $this->tpl->getTemplate('servers_list_admin_actions');
+        } else {
+            $html_actions = '';
+        }
+        // we need an array for our template magic (see below):
+        $html_actions = array('html_actions' => $html_actions);
 
         // get servers from database
         $servers = $this->db->query(
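Review bot: Per-action restriction is opt-in, so any action registered in `setActions()` above but not listed in this `setMinUserLevelRequiredForAction()` call runs at the module's base level. Today that is only `index`, which presumably is meant to stay readable by regular users, but the fail-open default deserves a comment next to the list, `// NOTE: actions registered above but not listed here stay at the module's base level (see setMinUserLevelRequired())`, so the next action added to this controller is not left unrestricted by oversight.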
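Review bot: The admin check in `executeIndex()` only decides whether the buttons are rendered; the actual access control for `edit`/`save`/`delete` is the user level check in `AbstractController::initializeAction()` from the first file, and that should be stated here so nobody later mistakes hiding the buttons for enforcement: `// UI only: edit/save/delete are enforced by the user level check in initializeAction()`. Use a strict comparison for the level, `if($this->user->getUserLevel() === PSM_USER_ADMIN) {`, assuming `getUserLevel()` returns the same int type as the constant. Note also that `initializeAction()` guards `$this->user` against being unset while this line dereferences it unconditionally; if `index` is ever reachable without a logged-in user this becomes a fatal error, so either reuse the same guard or document that the module's base level guarantees a user here.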
@@ -81,6 +102,10 @@ class ServerController extends AbstractController {
         $server_count = count($servers);
 
         for ($x = 0; $x < $server_count; $x++) {
+            // template magic: push the actions html to the front of the server array
+            // so the template handler will add it first. that way the other server vars
+            // will also be replaced in the html_actions template itself
+            $servers[$x] = $html_actions + $servers[$x];
             $servers[$x]['class'] = ($x & 1) ? 'odd' : 'even';
             $servers[$x]['rtime'] = round((float) $servers[$x]['rtime'], 4);
 
diff --git a/src/templates/main.tpl.html b/src/templates/main.tpl.html
index a824e4fc..ae51a537 100755
--- a/src/templates/main.tpl.html
+++ b/src/templates/main.tpl.html
@@ -82,7 +82,7 @@
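Review bot: The added comment explains that the template handler substitutes the remaining server variables into the `html_actions` markup as well, but nothing in this hunk shows whether those values are HTML-escaped before substitution. Since the server fields now also become part of the admin action markup, confirm where escaping happens (in the handler or in this loop) and record it in the comment, e.g. `// server fields are substituted into html_actions too; they are escaped in [handler or loop, confirm]`. The `for` loop this change sits in continues past the end of the hunk.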