From d414d9150f38e28fee59f1bfe6f52b26de06482b Mon Sep 17 00:00:00 2001 From: Anshul Saha Date: Thu, 13 Jul 2023 17:39:52 -0500 Subject: [PATCH 1/4] created unityperms.php --- resources/lib/UnityPerms.php | 123 +++++++++++++ resources/lib/UnitySQL.php | 72 ++++++++ resources/lib/UnityUser.php | 18 ++ tools/docker-dev/sql/bootstrap.sql | 275 ++++++++++++++++++++++------- 4 files changed, 420 insertions(+), 68 deletions(-) create mode 100644 resources/lib/UnityPerms.php diff --git a/resources/lib/UnityPerms.php b/resources/lib/UnityPerms.php new file mode 100644 index 0000000..49b9d6f --- /dev/null +++ b/resources/lib/UnityPerms.php 
@@ -0,0 +1,123 @@ +SQL = $SQL; + $this->USER = $USER; + } + + public function checkApproveUser($uid, $operated_on, $group) + { + if (!$this->USER->isInGroup($uid, $group)) { + return false; + } + + $role = $this->SQL->getRole($uid, $group); + + if ($this->SQL->hasPermission($role, 'unity.admin') || $this->SQL->hasPermission($role, 'unity.admin_no_grant')) { + return true; + } + + if (!$this->SQL->hasPermission($role, 'unity.approve_user')) { + return false; + } + + $operated_on_role = $this->SQL->getRole($operated_on, $group); + + if ($this->SQL->getPriority($operated_on_role) >= $this->SQL->getPriority($role)) { + return false; + } + + return true; + } + + public function checkDenyUser($uid, $operated_on, $group) + { + if (!$this->USER->isInGroup($uid, $group)) { + return false; + } + + $role = $this->SQL->getRole($uid, $group); + + if ($this->SQL->hasPermission($role, 'unity.admin') || $this->SQL->hasPermission($role, 'unity.admin_no_grant')) { + return true; + } + + if (!$this->SQL->hasPermission($role, 'unity.deny_user')) { + return false; + } + + $operated_on_role = $this->SQL->getRole($operated_on, $group); + + if ($this->SQL->getPriority($operated_on_role) >= $this->SQL->getPriority($role)) { + return false; + } + + return true; + } + + public function checkGrantRole($uid, $group, $role) + { + if (!$this->USER->isInGroup($uid, $group)) { + return false; + } + + if (!$this->SQL->roleAvailableInGroup($uid, $group, $role)) { + return false; + } + + $user_role = $this->SQL->getRole($uid, $group); + + if ($this->SQL->hasPermission($user_role, 'unity.admin') || $this->SQL->hasPermission($user_role, 'unity.admin_no_grant')) { + return true; + } + + if (!$this->SQL->hasPermission($user_role, 'unity.grant_role')) { + return false; + } + + $role_to_grant = $this->SQL->getRole($role, $group); + + if ($this->SQL->getPriority($role_to_grant) >= $this->SQL->getPriority($user_role)) { + return false; + } + + return true; + } + + public function checkRevokeRole($uid, 
$group, $role) + { + if (!$this->USER->isInGroup($uid, $group)) { + return false; + } + + if (!$this->SQL->roleAvailableInGroup($uid, $group, $role)) { + return false; + } + + $user_role = $this->SQL->getRole($uid, $group); + + if ($this->SQL->hasPermission($user_role, 'unity.admin') || $this->SQL->hasPermission($user_role, 'unity.admin_no_grant')) { + return true; + } + + if (!$this->SQL->hasPermission($user_role, 'unity.revoke_role')) { + return false; + } + + $role_to_revoke = $this->SQL->getRole($role, $group); + + if ($this->SQL->getPriority($role_to_revoke) >= $this->SQL->getPriority($user_role)) { + return false; + } + + return true; + } +} \ No newline at end of file diff --git a/resources/lib/UnitySQL.php b/resources/lib/UnitySQL.php index 1dccc71..cd30a9f 100644 --- a/resources/lib/UnitySQL.php +++ b/resources/lib/UnitySQL.php @@ -14,6 +14,12 @@ class UnitySQL private const TABLE_AUDIT_LOG = "audit_log"; private const TABLE_ACCOUNT_DELETION_REQUESTS = "account_deletion_requests"; private const TABLE_SITEVARS = "sitevars"; + private const TABLE_GROUP_ROLES = "groupRoles"; + private const TABLE_GROUP_TYPES = "groupTypes"; + private const TABLE_GROUP_ROLE_ASSIGNMENTS = "groupRoleAssignments"; + private const TABLE_GROUP_REQUESTS = "groupRequests"; + private const TABLE_GROUP_JOIN_REQUESTS = "groupJoinRequests"; + private const REQUEST_ADMIN = "admin"; 
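Review bot: In `checkGrantRole` and `checkRevokeRole` the rank of the target role is fetched with `$this->SQL->getRole($role, $group)`, but `getRole` takes a user id and reads that user's assignment row, so a role slug in the first argument finds no row and, as far as I can trace it, `getPriority(null) >= getPriority($user_role)` evaluates false and the grant is allowed, letting a holder of `unity.grant_role` assign a role ranked above their own. The target rank should come straight from the roles table, `if ($this->SQL->getPriority($role) >= $this->SQL->getPriority($user_role)) { return false; }`, with the same two lines in `checkRevokeRole`. `checkApproveUser` and `checkDenyUser` call `getRole($operated_on, $group)` for a user who is typically not yet in the group, so that lookup also hits the missing-row path; stating what an absent assignment means (treat as lowest priority, or refuse) would make the branch deterministic. The first lines of the new file (header, namespace, class declaration and constructor signature) are garbled in this view, so I cannot confirm how `$this->SQL` and `$this->USER` are typed.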
@@ -299,4 +305,70 @@ public function updateSiteVar($name, $value) $stmt->execute(); } + + public function getRole($uid, $group) + { + $stmt = $this->conn->prepare( + "SELECT * FROM " . self::TABLE_GROUP_ROLE_ASSIGNMENTS . " WHERE user=:uid AND `group`=:group" + ); + $stmt->bindParam(":uid", $uid); + $stmt->bindParam(":group", $group); + + $stmt->execute(); + + return $stmt->fetchAll()[0]['role']; + } + + public function hasPermission($role, $perm) + { + $stmt = $this->conn->prepare( + "SELECT * FROM " . self::TABLE_GROUP_ROLES . " WHERE slug=:role" + ); + $stmt->bindParam(":role", $role); + + $stmt->execute(); + + $row = $stmt->fetchAll()[0]; + $perms = explode(",", $row['perms']); + return in_array($perm, $perms); + } + + public function getPriority($role) + { + $stmt = $this->conn->prepare( + "SELECT * FROM " . self::TABLE_GROUP_ROLES . " WHERE slug=:role" + ); + $stmt->bindParam(":role", $role); + + $stmt->execute(); + + $row = $stmt->fetchAll()[0]; + return $row['priority']; + } + + public function roleAvailableInGroup($uid, $group, $role) + { + $stmt = $this->conn->prepare( + "SELECT * FROM " . self::TABLE_GROUP_ROLE_ASSIGNMENTS . " WHERE user=:uid AND `group`=:group" + ); + $stmt->bindParam(":uid", $uid); + $stmt->bindParam(":group", $group); + + $stmt->execute(); + $row = $stmt->fetchAll()[0]; + + $group_slug = $row['group']; + + $stmt = $this->conn->prepare( + "SELECT * FROM " . self::TABLE_GROUP_TYPES . " WHERE slug=:slug" + ); + + $stmt->bindParam(":slug", $group_slug); + $stmt->execute(); + + $row = $stmt->fetchAll()[0]; + $roles = explode(",", $row['roles']); + + return in_array($role, $roles); + } } diff --git a/resources/lib/UnityUser.php b/resources/lib/UnityUser.php index d2cc6d2..7b10e65 100644 --- a/resources/lib/UnityUser.php +++ b/resources/lib/UnityUser.php 
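Review bot: Each of the four new methods reads `$stmt->fetchAll()[0]` without checking that a row exists, so a user with no assignment in `getRole`, or an unknown slug in `hasPerm`/`getPriority`, raises an undefined-offset warning and yields `null`, which the callers in UnityPerms then feed into a priority comparison. Fetch one row and handle the empty case explicitly, `$row = $stmt->fetch(); if ($row === false) { return null; }` (or throw), before reading a column, and pass `true` as the third argument to both `in_array` calls so an authorization check never relies on loose comparison. `roleAvailableInGroup` reads `$row['roles']` from `groupTypes`, but the table created in this series' bootstrap.sql has `av_roles` and no `roles` column, so this lookup cannot return the list as written; it also selects `groupTypes` by `slug` using the group name taken from the assignment row rather than the group's type, which I cannot confirm is intended from the visible code.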
@@ -671,4 +671,22 @@ public function hasRequestedAccountDeletion() { return $this->SQL->accDeletionRequestExists($this->getUID()); } + + /** + * Checks whether a user is in a group or not + */ + + public function isInGroup($uid, $group) + { + $group = new UnityGroup( + $group, + $this->LDAP, + $this->SQL, + $this->MAILER, + $this->REDIS, + $this->WEBHOOK + ); + + return in_array($uid, $group->getGroupMemberUIDs()); + } } diff --git a/tools/docker-dev/sql/bootstrap.sql b/tools/docker-dev/sql/bootstrap.sql index 88cf04b..96f8ad7 100644 --- a/tools/docker-dev/sql/bootstrap.sql +++ b/tools/docker-dev/sql/bootstrap.sql @@ -2,10 +2,10 @@ -- version 4.9.5deb2 -- https://www.phpmyadmin.net/ -- --- Host: localhost:3306 --- Generation Time: Sep 22, 2022 at 08:36 PM --- Server version: 10.3.34-MariaDB-0ubuntu0.20.04.1 --- PHP Version: 7.4.3 +-- Host: 127.0.0.1 +-- Generation Time: Jul 13, 2023 at 02:29 AM +-- Server version: 10.3.38-MariaDB-0ubuntu0.20.04.1 +-- PHP Version: 7.4.3-4ubuntu2.19 SET SQL_MODE = "NO_AUTO_VALUE_ON_ZERO"; SET AUTOCOMMIT = 0; 
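Review bot: `isInGroup` decides membership with `in_array($uid, $group->getGroupMemberUIDs())` without the strict flag, so the comparison is loose; `in_array($uid, $group->getGroupMemberUIDs(), true)` keeps an authorization check from depending on type juggling, and the same change applies to the rewritten version of this method in the fourth patch of the series. The docblock is followed by an empty line before `public function isInGroup`, which detaches it from the method as its PHPDoc; drop the blank line after `*/`.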
@@ -24,6 +24,33 @@ SET time_zone = "+00:00"; -- -------------------------------------------------------- +-- +-- Table structure for table `account_deletion_requests` +-- + +CREATE TABLE `account_deletion_requests` ( + `id` int(11) NOT NULL, + `timestamp` timestamp NOT NULL DEFAULT current_timestamp(), + `uid` varchar(1000) NOT NULL +) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_general_ci; + +-- -------------------------------------------------------- + +-- +-- Table structure for table `audit_log` +-- + +CREATE TABLE `audit_log` ( + `id` int(11) NOT NULL, + `timestamp` timestamp NOT NULL DEFAULT current_timestamp(), + `operator` varchar(1000) NOT NULL, + `operator_ip` varchar(1000) NOT NULL, + `action_type` varchar(1000) NOT NULL, + `recipient` varchar(1000) NOT NULL +) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_general_ci; + +-- -------------------------------------------------------- + -- -- Table structure for table `events` -- 
@@ -34,7 +61,81 @@ CREATE TABLE `events` ( `action` varchar(300) NOT NULL, `entity` varchar(300) NOT NULL, `timestamp` timestamp NOT NULL DEFAULT current_timestamp() -) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4; +) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_general_ci; + +-- -------------------------------------------------------- + +-- +-- Table structure for table `groupJoinRequests` +-- + +CREATE TABLE `groupJoinRequests` ( + `id` int(11) NOT NULL, + `group_name` varchar(1000) NOT NULL, + `requestor` varchar(1000) NOT NULL, + `requested_on` timestamp NOT NULL DEFAULT current_timestamp() +) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_general_ci; + +-- -------------------------------------------------------- + +-- +-- Table structure for table `groupRequests` +-- + +CREATE TABLE `groupRequests` ( + `id` int(11) NOT NULL, + `group_type` varchar(1000) NOT NULL, + `group_name` varchar(1000) NOT NULL, + `requestor` varchar(1000) NOT NULL, + `requested_on` timestamp NOT NULL DEFAULT current_timestamp(), + `start_date` timestamp NOT NULL DEFAULT '0000-00-00 00:00:00', + `end_date` timestamp NOT NULL DEFAULT '0000-00-00 00:00:00' +) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_general_ci; + +-- -------------------------------------------------------- + +-- +-- Table structure for table `groupRoleAssignments` +-- + +CREATE TABLE `groupRoleAssignments` ( + `id` int(11) NOT NULL, + `user` varchar(1000) NOT NULL, + `role` varchar(1000) NOT NULL, + `group` varchar(1000) NOT NULL +) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_general_ci; + +-- -------------------------------------------------------- + +-- +-- Table structure for table `groupRoles` +-- + +CREATE TABLE `groupRoles` ( + `id` int(11) NOT NULL, + `name` varchar(1000) NOT NULL, + `slug` varchar(1000) NOT NULL, + `priority` int(11) NOT NULL, + `color` varchar(1000) NOT NULL, + `perms` varchar(1000) NOT NULL +) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_general_ci; + +-- 
-------------------------------------------------------- + +-- +-- Table structure for table `groupTypes` +-- + +CREATE TABLE `groupTypes` ( + `id` int(11) NOT NULL, + `name` varchar(1000) NOT NULL, + `slug` varchar(1000) NOT NULL, + `color` varchar(1000) NOT NULL, + `time_limited` tinyint(1) NOT NULL, + `def_role` varchar(1000) NOT NULL, + `av_roles` varchar(1000) NOT NULL, + `can_request` tinyint(1) NOT NULL +) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_general_ci; -- -------------------------------------------------------- @@ -47,7 +148,7 @@ CREATE TABLE `notices` ( `date` timestamp NOT NULL DEFAULT current_timestamp(), `title` varchar(300) NOT NULL, `message` longtext NOT NULL -) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4; +) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_general_ci; -- -- Dumping data for table `notices` @@ -67,7 +168,7 @@ CREATE TABLE `pages` ( `id` int(11) NOT NULL, `page` varchar(300) NOT NULL, `content` longtext NOT NULL -) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4; +) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_general_ci; -- -- Dumping data for table `pages` @@ -75,8 +176,7 @@ CREATE TABLE `pages` ( INSERT INTO `pages` (`id`, `page`, `content`) VALUES (1, 'support', '
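Review bot: `groupRoleAssignments` is created with only the `id` primary key, so nothing prevents two rows for the same (`user`, `group`) pair, while `UnitySQL::getRole` in this series reads `fetchAll()[0]` and acts on whichever row the engine returns first; a composite unique key on `user` and `group` (with a prefix length, given the `varchar(1000)` utf8mb4 columns) would make the assignment lookup deterministic. `groupRoles.perms` and `groupTypes.av_roles` are comma-separated lists that the PHP side splits with `explode`, which cannot be indexed or constrained; a join table is the usual shape, though that is a design choice beyond this commit. Note also that the PHP in this series reads `$row['roles']` from `groupTypes`, while this table defines `av_roles`.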

Docmentation and FAQ

\r\n

You can find our documentation here. We also have an FAQ page which could help answer quick questions.\r\n\r\n

Office Hours

\r\n

We offer office hours every week on Tuesdays 2-4 PM in-person at W.E.B. DuBois Library 786 or remote on Zoom. Be sure to check the /index.php\">cluster notes page for up-to-date information on any canceled/delayed office hours.

\r\n\r\n

Support Email

\r\n

You can create a support ticket by emailing hpc@umass.edu. We will do our best to reply as fast as possible!

'), -(2, 'policy', '

By using resources associated with Unity, you agree to comply with the following conditions of use. This is an extension of the University of Massachussetts Amherst Information Technology Acceptable Use Policy, which can be found here.

\r\n\r\n
    \r\n
  1. You will not use Unity resources for illicit financial gain, such as virtual currency mining, or any unlawful purpose, nor attempt to breach or circumvent any Unity administrative or security controls. You will comply with all applicable laws, working with your home institution and the specific Unity service providers utilized to determine what constraints may be placed on you by any relevant regulations such as export control law or HIPAA.
  2. \r\n
  3. You will respect intellectual property rights and observe confidentiality agreements.
  4. \r\n
  5. You will protect the access credentials (e.g., passwords, private keys, and/or tokens) issued to you or generated to access Unity resources; these are issued to you for your sole use.
  6. \r\n
  7. You will immediately report any known or suspected security breach or loss or misuse of Unity access credentials to hpc@it.umass.edu.
  8. \r\n
  9. You will have only one Unity User account and will keep your profile information up-to-date.
  10. \r\n
  11. Use of resources and services through Unity is at your own risk. There are no guarantees that resources and services will be available, that they will suit every purpose, or that data will never be lost or corrupted. Users are responsible for backing up critical data.
  12. \r\n
  13. Logged information, including information provided by you for registration purposes, is used for administrative, operational, accounting, monitoring and security purposes. This information may be disclosed, via secured mechanisms, only for the same purposes and only as far as necessary to other organizations cooperating with Unity .
  14. \r\n
\r\n\r\n

The Unity team reserves the right to restrict access to any individual/group found to be in breach of the above.

'), -(3, 'home', '

Home page content

Other line

'); +(2, 'policy', '

By using resources associated with Unity, you agree to comply with the following conditions of use. This is an extension of the University of Massachussetts Amherst Information Technology Acceptable Use Policy, which can be found here.

\r\n\r\n
    \r\n
  1. You will not use Unity resources for illicit financial gain, such as virtual currency mining, or any unlawful purpose, nor attempt to breach or circumvent any Unity administrative or security controls. You will comply with all applicable laws, working with your home institution and the specific Unity service providers utilized to determine what constraints may be placed on you by any relevant regulations such as export control law or HIPAA.
  2. \r\n
  3. You will respect intellectual property rights and observe confidentiality agreements.
  4. \r\n
  5. You will protect the access credentials (e.g., passwords, private keys, and/or tokens) issued to you or generated to access Unity resources; these are issued to you for your sole use.
  6. \r\n
  7. You will immediately report any known or suspected security breach or loss or misuse of Unity access credentials to hpc@it.umass.edu.
  8. \r\n
  9. You will have only one Unity User account and will keep your profile information up-to-date.
  10. \r\n
  11. Use of resources and services through Unity is at your own risk. There are no guarantees that resources and services will be available, that they will suit every purpose, or that data will never be lost or corrupted. Users are responsible for backing up critical data.
  12. \r\n
  13. Logged information, including information provided by you for registration purposes, is used for administrative, operational, accounting, monitoring and security purposes. This information may be disclosed, via secured mechanisms, only for the same purposes and only as far as necessary to other organizations cooperating with Unity .
  14. \r\n
\r\n\r\n

The Unity team reserves the right to restrict access to any individual/group found to be in breach of the above.

'); -- -------------------------------------------------------- 
@@ -89,61 +189,85 @@ CREATE TABLE `requests` ( `request_for` varchar(1000) NOT NULL, `uid` varchar(1000) NOT NULL, `timestamp` timestamp NOT NULL DEFAULT current_timestamp() -) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4; +) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_general_ci; -- -------------------------------------------------------- -- --- Table structure for table `audit_log` +-- Table structure for table `sitevars` -- -CREATE TABLE `audit_log` ( +CREATE TABLE `sitevars` ( `id` int(11) NOT NULL, - `timestamp` timestamp NOT NULL DEFAULT current_timestamp(), - `operator` varchar(1000) NOT NULL, - `operator_ip` varchar(1000) NOT NULL, - `action_type` varchar(1000) NOT NULL, - `recipient` varchar(1000) NOT NULL -) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4; + `name` varchar(1000) NOT NULL, + `value` varchar(1000) NOT NULL +) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_general_ci; -- -------------------------------------------------------- --- -------------------------------------------------------- +-- +-- Table structure for table `sso_log` +-- + +CREATE TABLE `sso_log` ( + `id` int(10) NOT NULL, + `uid` varchar(300) NOT NULL, + `firstname` varchar(300) NOT NULL, + `lastname` varchar(300) NOT NULL, + `mail` varchar(300) NOT NULL, + `org` varchar(300) NOT NULL +) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_general_ci; -- --- Table structure for table `account_deletion_requests` +-- Indexes for dumped tables -- -CREATE TABLE `account_deletion_requests` ( - `id` int(11) NOT NULL, - `timestamp` timestamp NOT NULL DEFAULT current_timestamp(), - `uid` varchar(1000) NOT NULL, -) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4; +-- +-- Indexes for table `account_deletion_requests` +-- +ALTER TABLE `account_deletion_requests` + ADD PRIMARY KEY (`id`); --- -------------------------------------------------------- +-- +-- Indexes for table `audit_log` +-- +ALTER TABLE `audit_log` + ADD PRIMARY KEY (`id`); --- 
-------------------------------------------------------- +-- +-- Indexes for table `events` +-- +ALTER TABLE `events` + ADD PRIMARY KEY (`id`); -- --- Table structure for table `sitevars` +-- Indexes for table `groupJoinRequests` -- +ALTER TABLE `groupJoinRequests` + ADD PRIMARY KEY (`id`); -CREATE TABLE `sitevars` ( - `id` int(11) NOT NULL, - `name` varchar(1000) NOT NULL, - `value` varchar(1000) NOT NULL -) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4; +-- +-- Indexes for table `groupRequests` +-- +ALTER TABLE `groupRequests` + ADD PRIMARY KEY (`id`); --- -------------------------------------------------------- +-- +-- Indexes for table `groupRoleAssignments` +-- +ALTER TABLE `groupRoleAssignments` + ADD PRIMARY KEY (`id`); -- --- Indexes for dumped tables +-- Indexes for table `groupRoles` -- +ALTER TABLE `groupRoles` + ADD PRIMARY KEY (`id`); -- --- Indexes for table `events` +-- Indexes for table `groupTypes` -- -ALTER TABLE `events` +ALTER TABLE `groupTypes` ADD PRIMARY KEY (`id`); -- @@ -165,32 +289,32 @@ ALTER TABLE `requests` ADD PRIMARY KEY (`id`); -- --- Indexes for table `sso_log` +-- Indexes for table `sitevars` -- -ALTER TABLE `sso_log` +ALTER TABLE `sitevars` ADD PRIMARY KEY (`id`); -- --- Indexes for table `audit_log` +-- Indexes for table `sso_log` -- -ALTER TABLE `audit_log` +ALTER TABLE `sso_log` ADD PRIMARY KEY (`id`); -- --- Indexes for table `audit_log` +-- AUTO_INCREMENT for dumped tables -- -ALTER TABLE `account_deletion_requests` - ADD PRIMARY KEY (`id`); -- --- Indexes for table `sitevars` +-- AUTO_INCREMENT for table `account_deletion_requests` -- -ALTER TABLE `sitevars` - ADD PRIMARY KEY (`id`); +ALTER TABLE `account_deletion_requests` + MODIFY `id` int(11) NOT NULL AUTO_INCREMENT; -- --- AUTO_INCREMENT for dumped tables +-- AUTO_INCREMENT for table `audit_log` -- +ALTER TABLE `audit_log` + MODIFY `id` int(11) NOT NULL AUTO_INCREMENT; -- -- AUTO_INCREMENT for table `events` 
@@ -199,49 +323,64 @@ ALTER TABLE `events` MODIFY `id` int(11) NOT NULL AUTO_INCREMENT; -- --- AUTO_INCREMENT for table `notices` +-- AUTO_INCREMENT for table `groupJoinRequests` -- -ALTER TABLE `notices` - MODIFY `id` int(11) NOT NULL AUTO_INCREMENT, AUTO_INCREMENT=12; +ALTER TABLE `groupJoinRequests` + MODIFY `id` int(11) NOT NULL AUTO_INCREMENT; -- --- AUTO_INCREMENT for table `pages` +-- AUTO_INCREMENT for table `groupRequests` -- -ALTER TABLE `pages` - MODIFY `id` int(11) NOT NULL AUTO_INCREMENT, AUTO_INCREMENT=3; +ALTER TABLE `groupRequests` + MODIFY `id` int(11) NOT NULL AUTO_INCREMENT; -- --- AUTO_INCREMENT for table `requests` +-- AUTO_INCREMENT for table `groupRoleAssignments` -- -ALTER TABLE `requests` - MODIFY `id` int(11) NOT NULL AUTO_INCREMENT, AUTO_INCREMENT=1031; +ALTER TABLE `groupRoleAssignments` + MODIFY `id` int(11) NOT NULL AUTO_INCREMENT; -- --- AUTO_INCREMENT for table `sso_log` +-- AUTO_INCREMENT for table `groupRoles` -- -ALTER TABLE `sso_log` - MODIFY `id` int(10) NOT NULL AUTO_INCREMENT, AUTO_INCREMENT=8; +ALTER TABLE `groupRoles` + MODIFY `id` int(11) NOT NULL AUTO_INCREMENT; -- --- AUTO_INCREMENT for table `audit_log` +-- AUTO_INCREMENT for table `groupTypes` -- -ALTER TABLE `audit_log` +ALTER TABLE `groupTypes` MODIFY `id` int(11) NOT NULL AUTO_INCREMENT; -COMMIT; -- +-- AUTO_INCREMENT for table `notices` -- --- AUTO_INCREMENT for table `account_deletion_requests` +ALTER TABLE `notices` + MODIFY `id` int(11) NOT NULL AUTO_INCREMENT, AUTO_INCREMENT=12; + -- -ALTER TABLE `account_deletion_requests` - MODIFY `id` int(11) NOT NULL AUTO_INCREMENT; -COMMIT; +-- AUTO_INCREMENT for table `pages` +-- +ALTER TABLE `pages` + MODIFY `id` int(11) NOT NULL AUTO_INCREMENT, AUTO_INCREMENT=3; + +-- +-- AUTO_INCREMENT for table `requests` +-- +ALTER TABLE `requests` + MODIFY `id` int(11) NOT NULL AUTO_INCREMENT, AUTO_INCREMENT=1031; -- -- AUTO_INCREMENT for table `sitevars` -- ALTER TABLE `sitevars` - MODIFY `id` int(11) NOT NULL AUTO_INCREMENT, 
AUTO_INCREMENT=2; + MODIFY `id` int(11) NOT NULL AUTO_INCREMENT; + +-- +-- AUTO_INCREMENT for table `sso_log` +-- +ALTER TABLE `sso_log` + MODIFY `id` int(10) NOT NULL AUTO_INCREMENT, AUTO_INCREMENT=8; COMMIT; /*!40101 SET CHARACTER_SET_CLIENT=@OLD_CHARACTER_SET_CLIENT */; From 3318a10326de98c55841dbd987d7e28d3e420739 Mon Sep 17 00:00:00 2001 From: Anshul Saha Date: Thu, 13 Jul 2023 17:51:25 -0500 Subject: [PATCH 2/4] cs fix (1) --- resources/lib/UnityPerms.php | 22 +++++++++++----------- resources/lib/UnitySQL.php | 4 ++-- 2 files changed, 13 insertions(+), 13 deletions(-) diff --git a/resources/lib/UnityPerms.php b/resources/lib/UnityPerms.php index 49b9d6f..7afcd02 100644 --- a/resources/lib/UnityPerms.php +++ b/resources/lib/UnityPerms.php @@ -21,11 +21,11 @@ public function checkApproveUser($uid, $operated_on, $group) $role = $this->SQL->getRole($uid, $group); - if ($this->SQL->hasPermission($role, 'unity.admin') || $this->SQL->hasPermission($role, 'unity.admin_no_grant')) { + if ($this->SQL->hasPerm($role, 'unity.admin') || $this->SQL->hasPerm($role, 'unity.admin_no_grant')) { return true; } - if (!$this->SQL->hasPermission($role, 'unity.approve_user')) { + if (!$this->SQL->hasPerm($role, 'unity.approve_user')) { return false; } @@ -46,11 +46,11 @@ public function checkDenyUser($uid, $operated_on, $group) $role = $this->SQL->getRole($uid, $group); - if ($this->SQL->hasPermission($role, 'unity.admin') || $this->SQL->hasPermission($role, 'unity.admin_no_grant')) { + if ($this->SQL->hasPerm($role, 'unity.admin') || $this->SQL->hasPerm($role, 'unity.admin_no_grant')) { return true; } - if (!$this->SQL->hasPermission($role, 'unity.deny_user')) { + if (!$this->SQL->hasPerm($role, 'unity.deny_user')) { return false; } 
@@ -75,11 +75,11 @@ public function checkGrantRole($uid, $group, $role) $user_role = $this->SQL->getRole($uid, $group); - if ($this->SQL->hasPermission($user_role, 'unity.admin') || $this->SQL->hasPermission($user_role, 'unity.admin_no_grant')) { + if ($this->SQL->hasPerm($user_role, 'unity.admin') || $this->SQL->hasPerm($user_role, 'unity.admin_no_grant')) { return true; } - if (!$this->SQL->hasPermission($user_role, 'unity.grant_role')) { + if (!$this->SQL->hasPerm($user_role, 'unity.grant_role')) { return false; } @@ -89,7 +89,7 @@ public function checkGrantRole($uid, $group, $role) return false; } - return true; + return true; } public function checkRevokeRole($uid, $group, $role) @@ -104,11 +104,11 @@ public function checkRevokeRole($uid, $group, $role) $user_role = $this->SQL->getRole($uid, $group); - if ($this->SQL->hasPermission($user_role, 'unity.admin') || $this->SQL->hasPermission($user_role, 'unity.admin_no_grant')) { + if ($this->SQL->hasPerm($user_role, 'unity.admin') || $this->SQL->hasPerm($user_role, 'unity.admin_no_grant')) { return true; } - if (!$this->SQL->hasPermission($user_role, 'unity.revoke_role')) { + if (!$this->SQL->hasPerm($user_role, 'unity.revoke_role')) { return false; } @@ -118,6 +118,6 @@ public function checkRevokeRole($uid, $group, $role) return false; } - return true; + return true; } -} \ No newline at end of file +} diff --git a/resources/lib/UnitySQL.php b/resources/lib/UnitySQL.php index cd30a9f..904ea2f 100644 --- a/resources/lib/UnitySQL.php +++ b/resources/lib/UnitySQL.php @@ -319,7 +319,7 @@ public function getRole($uid, $group) return $stmt->fetchAll()[0]['role']; } - public function hasPermission($role, $perm) + public function hasPerm($role, $perm) { $stmt = $this->conn->prepare( "SELECT * FROM " . self::TABLE_GROUP_ROLES . " WHERE slug=:role" 
@@ -356,7 +356,7 @@ public function roleAvailableInGroup($uid, $group, $role) $stmt->execute(); $row = $stmt->fetchAll()[0]; - + $group_slug = $row['group']; $stmt = $this->conn->prepare( From 63b84c8255610ef5bcbbdcda50e44534a1df8d3b Mon Sep 17 00:00:00 2001 From: Anshul Saha Date: Thu, 13 Jul 2023 17:52:13 -0500 Subject: [PATCH 3/4] cs fix (2) --- resources/lib/UnityPerms.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/resources/lib/UnityPerms.php b/resources/lib/UnityPerms.php index 7afcd02..6aedf83 100644 --- a/resources/lib/UnityPerms.php +++ b/resources/lib/UnityPerms.php @@ -118,6 +118,6 @@ public function checkRevokeRole($uid, $group, $role) return false; } - return true; + return true; } } From 5e587f37cfe9cc23c5c76c6eb43bcced238f540d Mon Sep 17 00:00:00 2001 From: Anshul Saha Date: Mon, 17 Jul 2023 11:23:21 -0500 Subject: [PATCH 4/4] changes --- resources/lib/UnityPerms.php | 8 ++++++++ resources/lib/UnityUser.php | 25 ++++++++++++++++--------- 2 files changed, 24 insertions(+), 9 deletions(-) diff --git a/resources/lib/UnityPerms.php b/resources/lib/UnityPerms.php index 6aedf83..e16a66d 100644 --- a/resources/lib/UnityPerms.php +++ b/resources/lib/UnityPerms.php @@ -75,6 +75,10 @@ public function checkGrantRole($uid, $group, $role) $user_role = $this->SQL->getRole($uid, $group); + if ($this->SQL->hasPerm($user_role, 'unity.admin_no_grant') && $role == 'unity.admin') { + return false; + } + if ($this->SQL->hasPerm($user_role, 'unity.admin') || $this->SQL->hasPerm($user_role, 'unity.admin_no_grant')) { return true; } @@ -104,6 +108,10 @@ public function checkRevokeRole($uid, $group, $role) $user_role = $this->SQL->getRole($uid, $group); + if ($this->SQL->hasPerm($user_role, 'unity.admin_no_grant') && $role == 'unity.admin') { + return false; + } + if ($this->SQL->hasPerm($user_role, 'unity.admin') || $this->SQL->hasPerm($user_role, 'unity.admin_no_grant')) { return true; } 
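Review bot: The new guard in `checkGrantRole` compares the role slug with `==`, `$role == 'unity.admin'`, and it compares a slug against what the rest of the file treats as a permission name, so if the admin role's slug differs from `'unity.admin'` the guard never fires and an `unity.admin_no_grant` holder can still hand out a role that carries the `unity.admin` permission. Checking the target role's permissions rather than its name closes that gap: `if ($this->SQL->hasPerm($user_role, 'unity.admin_no_grant') && $this->SQL->hasPerm($role, 'unity.admin')) { return false; }`. The same two-line change applies to the identical guard added to `checkRevokeRole` in the next hunk. Both enclosing methods start and end outside these hunks.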
diff --git a/resources/lib/UnityUser.php b/resources/lib/UnityUser.php index 7b10e65..4f88eac 100644 --- a/resources/lib/UnityUser.php +++ b/resources/lib/UnityUser.php @@ -674,19 +674,26 @@ public function hasRequestedAccountDeletion() /** * Checks whether a user is in a group or not + * @param string $uid uid of the user + * @param string or object $group group to check + * @return boolean true if user is in group, false if not */ public function isInGroup($uid, $group) { - $group = new UnityGroup( - $group, - $this->LDAP, - $this->SQL, - $this->MAILER, - $this->REDIS, - $this->WEBHOOK - ); + if (gettype($group) == "string") { + $group_checked = new UnityGroup( + $group, + $this->LDAP, + $this->SQL, + $this->MAILER, + $this->REDIS, + $this->WEBHOOK + ); + } else { + $group_checked = $group; + } - return in_array($uid, $group->getGroupMemberUIDs()); + return in_array($uid, $group_checked->getGroupMemberUIDs()); } }
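Review bot: The type dispatch `if (gettype($group) == "string")` is a loose comparison against a type name; `is_string($group)` expresses the same check, and the `else` branch accepts any non-string value as a group object, so a wrong argument only fails later inside `getGroupMemberUIDs()`. Guarding the else branch with `$group instanceof UnityGroup` (or declaring a `string|UnityGroup $group` parameter type) rejects that early, and the PHPDoc `@param string or object $group` should read `@param string|UnityGroup $group`.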