Commit 2f43bf94 authored by Richard Mansfield's avatar Richard Mansfield

Allow staff to access the admin user search page (bug #919009)



Staff members will be able to search through all users in their
institutions, but they cannot edit a user unless they are also an
administrator for them (institution or site administrator).

Links from the usernames to the account settings page are only
displayed when the logged-in user is an administrator for the listed
user.

The "edit selected users" button is only displayed to site and
institutional admins, and the bulk actions page it links to now
explicitly states which users have been filtered out due to lack of
institutional admin privileges.

Email addresses are removed from the list for staff users.

If the logged-in user is an admin in one institution, and staff in
another, email is displayed and usernames linked only for the
'adminned' users.  The bulk actions page is still reachable, but any
selected users who are not adminned by the logged-in user will be
removed.

Change-Id: Ia65a960df9af7c5794002007e7580ba5f9a4c9d7
Signed-off-by: default avatarRichard Mansfield <richard.mansfield@catalyst.net.nz>
parent 0d7f8ee9
......@@ -58,6 +58,13 @@ $users = get_records_sql_assoc('
$ph
);
// Display the number of users filtered out due to institution permissions. This is not an
// exception, because the logged in user might be an admin in one institution, and staff in
// another.
if ($uneditableusers = count($userids) - count($users)) {
$SESSION->add_info_msg(get_string('uneditableusers', 'admin', $uneditableusers));
}
$userids = array_keys($users);
// Export CSV
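Review bot: `count($userids) - count($users)` treats every posted id that the query did not return as a permission removal, so duplicate or nonexistent ids in the selection inflate the "not editable by you" count, and if none of the selected users is editable `$users` is presumably the no-rows return of get_records_sql_assoc (`false`, to be confirmed) rather than an empty array, which skews the subtraction and makes `array_keys($users)` on the following line warn. Normalising first and diffing on keys avoids both: `if (!$users) { $users = array(); }` before the check, then `$uneditableusers = count(array_diff(array_unique($userids), array_keys($users)))`. The surrounding script continues before and after this hunk.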
......@@ -27,7 +27,7 @@
define('INTERNAL', 1);
define('JSON', 1);
define('INSTITUTIONALADMIN', 1);
define('INSTITUTIONALSTAFF', 1);
require(dirname(dirname(dirname(__FILE__))) . '/init.php');
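Review bot: Swapping INSTITUTIONALADMIN for INSTITUTIONALSTAFF opens this whole JSON endpoint to staff, so the email stripping inside get_admin_user_search_results becomes the only thing keeping addresses of non-administered users out of the raw response; that dependency deserves a comment beside the define, e.g. `// Staff may call this endpoint; get_admin_user_search_results removes email for users they do not administer.` Whether INSTITUTIONALSTAFF in init.php also admits institutional admins is not visible here and should be confirmed, since the search page section below makes the identical change and would otherwise lock admins out.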
......@@ -26,7 +26,7 @@
*/
define('INTERNAL', 1);
define('INSTITUTIONALADMIN', 1);
define('INSTITUTIONALSTAFF', 1);
define('MENUITEM', 'configusers/usersearch');
require(dirname(dirname(dirname(__FILE__))) . '/init.php');
define('TITLE', get_string('usersearch', 'admin'));
......@@ -46,11 +46,18 @@ $search = (object) array(
$offset = param_integer('offset', 0);
$limit = param_integer('limit', 10);
if ($USER->get('admin')) {
if ($USER->get('admin') || $USER->get('staff')) {
$institutions = get_records_array('institution', '', '', 'displayname');
$search->institution = param_alphanum('institution', 'all');
} else {
$institutions = get_records_select_array('institution', "name IN ('" . join("','", array_keys($USER->get('admininstitutions'))) . "')", null, 'displayname');
}
else {
$institutionnames = array_keys(array_merge($USER->get('admininstitutions'), $USER->get('staffinstitutions')));
$institutions = get_records_select_array(
'institution',
'name IN (' . join(',', array_fill(0, count($institutionnames), '?')) . ')',
$institutionnames,
'displayname'
);
}
$smarty = smarty(array('adminusersearch'));
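Review bot: The placeholder list on the `'name IN (' . join(...)` line degrades to `name IN ()` when `$institutionnames` is empty (`array_fill(0, 0, '?')` yields nothing, and on older PHP warns), which is a SQL error rather than an empty result; the INSTITUTIONALSTAFF gate presumably guarantees at least one institution, but the query should not depend on it: `if (empty($institutionnames)) { $institutions = array(); } else { /* existing query */ }`. Note that `array_merge` only preserves the keys because both arrays are string-keyed by institution name, which is what the `array_keys` on the removed line already assumed; a short comment stating that assumption would help. Replacing the string-joined IN list with bound parameters is the right direction.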
......@@ -117,6 +117,7 @@ $string['uploadgroupmemberscsv'] = 'Update Group Members by CSV';
$string['usersearch'] = 'User Search';
$string['usersearchdescription'] = 'Search all users and perform administrative actions on them';
$string['usersearchinstructions'] = 'You can search for users by clicking on the initials of their first and last names, or by entering a name in the search box. You can also enter an email address in the search box if you would like to search email addresses.';
$string['emailaddresshidden'] = 'Email address hidden';
$string['administergroups'] = 'Administer Groups';
$string['administergroupsdescription'] = 'Appoint group administrators and delete groups';
......@@ -867,6 +868,10 @@ $string['editselectedusers'] = 'Edit selected users';
// Bulk actions
$string['bulkactions'] = 'Bulk actions';
$string['editselectedusersdescription'] = 'Suspend, delete, change authentication method, or download a CSV file of the users you have selected on the search page.';
$string['uneditableusers'] = array(
0 => 'One of the users you selected is not editable by you, and has been removed from the list.',
1 => 'You selected %s users that are not editable by you. They have been removed from the list.',
);
$string['exportusersascsv'] = 'Export users in CSV format';
$string['Download'] = 'Download';
$string['suspendusers'] = 'Suspend users';
......@@ -225,8 +225,8 @@ function get_admin_user_search_results($search, $offset, $limit) {
// Filter by viewable institutions:
global $USER;
if (!$USER->get('admin')) {
$allowed = $USER->get('admininstitutions');
if (!$USER->get('admin') && !$USER->get('staff')) {
$allowed = array_merge($USER->get('admininstitutions'), $USER->get('staffinstitutions'));
if (empty($search->institution)) {
$search->institution = 'all';
}
......@@ -256,11 +256,26 @@ function get_admin_user_search_results($search, $offset, $limit) {
);
if ($results['count']) {
$isadmin = $USER->get('admin');
$admininstitutions = $USER->get('admininstitutions');
foreach ($results['data'] as &$result) {
$result['name'] = display_name($result);
if (!empty($result['institutions'])) {
$result['institutions'] = array_combine($result['institutions'],$result['institutions']);
}
if ($isadmin) {
continue;
}
// Remove email address when viewed by staff
if (!$hideemail = (empty($admininstitutions) || empty($result['institutions']))) {
$commoninstitutions = array_intersect($admininstitutions, $result['institutions']);
$hideemail |= empty($commoninstitutions);
}
if ($hideemail) {
unset($result['email']);
}
}
}
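Review bot: `array_intersect($admininstitutions, $result['institutions'])` compares array values, yet the only thing this diff establishes about `admininstitutions` is that its keys are institution names (the removed search.php line called `array_keys` on it); if its values are anything other than those names the intersection is always empty and email is hidden from institutional admins too. `array_intersect_key($result['institutions'], $admininstitutions)` relies only on keys, which both arrays are known to carry since `array_combine` keys the result by name. The `|=` on a bool and the assignment inside the `if` condition also obscure the decision; `$hideemail = empty($admininstitutions) || empty($result['institutions']) || !array_intersect_key($result['institutions'], $admininstitutions);` says the same in one line. Both `foreach (... as &$result)` here and the `&$r` loop in build_admin_user_search_results leave a live reference after the loop, so each needs `unset($result);` / `unset($r);` afterwards. get_admin_user_search_results begins before this hunk.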
......@@ -337,6 +352,17 @@ function build_admin_user_search_results($search, $offset, $limit) {
'class' => 'center nojs-hidden-table-cell',
);
if (!$USER->get('admin') && !$USER->is_institutional_admin()) {
unset($cols['email']);
}
else if (!$USER->get('admin')) {
foreach ($results['data'] as &$r) {
if (!isset($r['email'])) {
$r['email'] = '- ' . get_string('emailaddresshidden', 'admin') . ' -';
}
}
}
$smarty = smarty_core();
$smarty->assign_by_ref('results', $results);
$smarty->assign_by_ref('institutions', $institutions);
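Review bot: Writing `'- ' . get_string('emailaddresshidden', 'admin') . ' -'` into `$r['email']` mixes presentation into the data row, so any consumer of `$results` other than the template cannot tell a hidden address from a real one, and the dashes are not localisable. A flag, `$r['emailhidden'] = true;`, with the template printing the string keeps the decision explicit and the row honest. build_admin_user_search_results begins before this hunk.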
......@@ -22,11 +22,13 @@
</span>
{/foreach}
</div>
{if $USER->get('admin') || $USER->is_institutional_admin()}
<form class="fr nojs-hidden-block" id="bulkactions" action="{$WWWROOT}admin/users/bulk.php" method="post">
{str tag=editselectedusers section=admin}:
<input type="button" class="button" name="go" value="{str tag=go}">
<div id="nousersselected" class="hidden error">{str tag=nousersselected section=admin}</div>
</form>
{/if}
<form action="{$WWWROOT}admin/users/search.php" method="post">
<div class="searchform">
<label>{str tag='Search' section='admin'}:</label>
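Review bot: The `{if $USER->get('admin') || $USER->is_institutional_admin()}` guard only hides the form; bulk.php stays reachable by URL and, as the commit message says, drops non-administered users server-side, so the template should record that the gate is cosmetic: `{* Display-only: bulk.php re-checks admin rights per selected user *}`. The condition also deliberately differs from the `admin || staff` test in search.php, which is worth a one-line note so the two are not later "harmonised".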
<a href="{$WWWROOT}admin/users/edit.php?id={$r.id}">{$r.username}</a>
{assign var=canedituser value=$USER->get('admin')}
{if !$canedituser && $USER->is_institutional_admin()}
{foreach from=$r.institutions item=i}
{if $USER->is_institutional_admin($i)}{assign var=canedituser value=1}{/if}
{/foreach}
{/if}
{if $canedituser}
<a href="{$WWWROOT}admin/users/edit.php?id={$r.id}">{$r.username}</a>
{else}
{$r.username}
{/if}