Commit 0d7f8ee9 authored by Richard Mansfield's avatar Richard Mansfield

Add support for pages accessible by both admins and staff

To allow for pages that are accessible by both admins and staff, two
new constants are added, STAFF and INSTITUTIONALSTAFF.  The existing
checks for admin and institutional admin permissions are moved into a
new function which also takes account of the new staff permissions.

Change-Id: I60de6f74bd5f2a208be8e15e8a71f16b689c80d6
Signed-off-by: default avatarRichard Mansfield <richard.mansfield@catalyst.net.nz>
parent 52fe3992
......@@ -415,26 +415,26 @@ function auth_setup () {
// The session is still active, so continue it.
// Make sure that if a user's admin status has changed, they're kicked
// out of the admin section
if (defined('ADMIN')) {
$userreallyadmin = get_field('usr', 'admin', 'id', $USER->id);
if (!$USER->get('admin') && $userreallyadmin) {
if (in_admin_section()) {
// Reload site admin/staff permissions
$realuser = get_record('usr', 'id', $USER->id, null, null, null, null, 'admin,staff');
if (!$USER->get('admin') && $realuser->admin) {
// The user has been made into an admin
$USER->admin = 1;
}
else if ($USER->get('admin') && !$userreallyadmin) {
else if ($USER->get('admin') && !$realuser->admin) {
// The user's admin rights have been taken away
$USER->admin = 0;
}
if (!$USER->get('admin')) {
$SESSION->add_error_msg(get_string('accessforbiddentoadminsection'));
redirect();
if (!$USER->get('staff') && $realuser->staff) {
$USER->staff = 1;
}
} else if (defined('INSTITUTIONALADMIN') && !$USER->get('admin')) {
$USER->reset_institutions();
if (!$USER->is_institutional_admin()) {
$SESSION->add_error_msg(get_string('accessforbiddentoadminsection'));
redirect();
else if ($USER->get('staff') && !$realuser->staff) {
$USER->staff = 0;
}
// Reload institutional admin/staff permissions
$USER->reset_institutions();
auth_check_admin_section();
}
$USER->renew();
auth_check_required_fields();
......@@ -1366,13 +1366,7 @@ function login_submit(Pieform $form, $values) {
}
}
// Only admins in the admin section!
if (!$USER->get('admin') &&
(defined('ADMIN') || defined('INSTITUTIONALADMIN') && !$USER->is_institutional_admin())) {
$SESSION->add_error_msg(get_string('accessforbiddentoadminsection'));
redirect();
}
auth_check_admin_section();
ensure_user_account_is_active();
// User is allowed to log in
......@@ -1380,6 +1374,35 @@ function login_submit(Pieform $form, $values) {
auth_check_required_fields();
}
/**
* Redirect to the home page if the user is trying to access the admin
* area without permission
*/
function auth_check_admin_section() {
global $USER, $SESSION;
if (defined('ADMIN')) {
$allowed = $USER->get('admin');
}
else if (defined('STAFF')) {
$allowed = $USER->get('admin') || $USER->get('staff');
}
else if (defined('INSTITUTIONALADMIN')) {
$allowed = $USER->get('admin') || $USER->is_institutional_admin();
}
else if (defined('INSTITUTIONALSTAFF')) {
$allowed = $USER->get('admin') || $USER->get('staff') || $USER->is_institutional_admin() || $USER->is_institutional_staff();
}
else {
return;
}
if (!$allowed) {
$SESSION->add_error_msg(get_string('accessforbiddentoadminsection'));
redirect();
}
}
/**
* Die and log the user out if their account is not active.
*
......
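Review bot: The new auth_check_admin_section() picks the access rule by first match, so a page that defines more than one of ADMIN, STAFF, INSTITUTIONALADMIN and INSTITUTIONALSTAFF is only ever checked against the first in that order, and nothing in the docblock says pages are expected to define exactly one; note also that the INSTITUTIONALSTAFF rule admits site staff through `$USER->get('staff')` while the INSTITUTIONALADMIN rule does not, which may or may not be intended. I would add to the docblock `* Exactly one of ADMIN, STAFF, INSTITUTIONALADMIN or INSTITUTIONALSTAFF is expected to be defined; if several are, the first in that order decides.` and confirm the site-staff broadening. In the auth_setup hunk the old get_field() result was only tested for truthiness, whereas the new code dereferences `$realuser->admin` and `$realuser->staff`; if get_record() can return false for a row that no longer exists, a guard such as `if (!$realuser) { $SESSION->add_error_msg(get_string('accessforbiddentoadminsection')); redirect(); }` before those comparisons would avoid reading properties off a non-object. auth_setup's body starts and ends outside the hunk.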
......@@ -551,12 +551,7 @@ function auth_saml_login_submit(Pieform $form, $values) {
redirect('/auth/saml/');
}
// Only admins in the admin section!
if (!$USER->get('admin') &&
(defined('ADMIN') || defined('INSTITUTIONALADMIN') && !$USER->is_institutional_admin())) {
$SESSION->add_error_msg(get_string('accessforbiddentoadminsection'));
redirect();
}
auth_check_admin_section();
// Check if the user's account has been deleted
if ($USER->deleted) {
......
......@@ -339,7 +339,8 @@ EOF;
$stylesheets = array_merge($stylesheets, array_reverse($pluginsheets));
}
}
if (defined('ADMIN') || defined('INSTITUTIONALADMIN')) {
if ($adminsection = in_admin_section()) {
if ($adminsheets = $THEME->get_url('style/admin.css', true)) {
$stylesheets = array_merge($stylesheets, array_reverse($adminsheets));
}
......@@ -408,6 +409,12 @@ EOF;
if (defined('INSTITUTIONALADMIN')) {
$smarty->assign('INSTITUTIONALADMIN', true);
}
if (defined('STAFF')) {
$smarty->assign('STAFF', true);
}
if (defined('INSTITUTIONALSTAFF')) {
$smarty->assign('INSTITUTIONALSTAFF', true);
}
$smarty->assign('LOGGEDIN', $USER->is_logged_in());
if ($USER->is_logged_in()) {
......@@ -461,7 +468,7 @@ EOF;
// ---------- sideblock stuff ----------
$sidebars = !isset($extraconfig['sidebars']) || $extraconfig['sidebars'] !== false;
if ($sidebars && !defined('INSTALLER') && (!defined('MENUITEM') || substr(MENUITEM, 0, 5) != 'admin')) {
if (get_config('installed') && !defined('ADMIN') && !defined('INSTITUTIONALADMIN')) {
if (get_config('installed') && !$adminsection) {
$data = site_menu();
if (!empty($data)) {
$smarty->assign('SITEMENU', site_menu());
......@@ -492,7 +499,7 @@ EOF;
}
}
if($USER->is_logged_in() && !defined('ADMIN') && !defined('INSTITUTIONALADMIN')) {
if ($USER->is_logged_in() && !$adminsection) {
$SIDEBLOCKS[] = array(
'name' => 'profile',
'id' => 'sb-profile',
......@@ -1714,6 +1721,14 @@ function pieform_get_help(Pieform $form, $element) {
$form->get_name(), $element['name']);
}
/**
* Is this a page in the admin area?
*
* @return bool
*/
function in_admin_section() {
return defined('ADMIN') || defined('INSTITUTIONALADMIN') || defined('STAFF') || defined('INSTITUTIONALSTAFF');
}
/**
* Returns the entries in the standard admin menu
......
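Review bot: The condition `if ($adminsection = in_admin_section()) {` in the first hunk hides an assignment whose value is consumed two and three hunks later (`!$adminsection` in the site-menu and profile sideblock checks), so a reader of those later lines has to find the definition inside an `if` test. Writing it as `$adminsection = in_admin_section();` on its own line followed by `if ($adminsection) {` makes the variable's scope obvious and avoids the assignment-in-condition form that static analysers flag as a probable `==` typo. The enclosing function starts before the first hunk and continues past the sideblock hunks.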