From b3ed433e388b83e055958b395ebc0e08172cd079 Mon Sep 17 00:00:00 2001
From: Nik Okuntseff
Date: Fri, 30 Mar 2018 20:07:13 +0000
Subject: [PATCH] Introduced IP based access control for groups.
---
WEB-INF/lib/common.lib.php | 15 +++++++++++++++
WEB-INF/lib/ttRoleHelper.class.php | 4 ++--
WEB-INF/lib/ttTeamHelper.class.php | 4 +++-
WEB-INF/lib/ttUser.class.php | 14 ++++++++------
WEB-INF/resources/en.lang.php | 1 +
WEB-INF/templates/footer.tpl | 2 +-
WEB-INF/templates/group_edit.tpl | 6 +++++-
dbinstall.php | 11 +++++++----
group_edit.php | 6 ++++++
mysql.sql | 5 +++--
10 files changed, 51 insertions(+), 17 deletions(-)
diff --git a/WEB-INF/lib/common.lib.php b/WEB-INF/lib/common.lib.php
index 7086fe29..210ec41c 100644
--- a/WEB-INF/lib/common.lib.php
+++ b/WEB-INF/lib/common.lib.php
@@ -339,6 +339,21 @@ function ttAccessAllowed($required_right)
exit();
}
+ // Check IP restriction, if set.
+ if ($user->allow_ip && !$user->can('override_allow_ip')) {
+ $access_allowed = false;
+ $user_ip = $_SERVER['REMOTE_ADDR'];
+ $allowed_ip_array = explode(',', $user->allow_ip);
+ foreach ($allowed_ip_array as $allowed_ip) {
+ $len = strlen($allowed_ip);
+ if (substr($user_ip, 0, $len) === $allowed_ip) {
+ $access_allowed = true;
+ break;
+ }
+ }
+ if (!$access_allowed) return false;
+ }
+ // Check if user has the right.
if (in_array($required_right, $user->rights)) {
import('ttUserHelper');
diff --git a/WEB-INF/lib/ttRoleHelper.class.php b/WEB-INF/lib/ttRoleHelper.class.php
index f4168094..a5f16f9c 100644
--- a/WEB-INF/lib/ttRoleHelper.class.php
+++ b/WEB-INF/lib/ttRoleHelper.class.php
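Review bot: The prefix test `substr($user_ip, 0, $len) === $allowed_ip` in the new block admits more than the administrator wrote: an entry `10.0.1` also matches `10.0.10.x` through `10.0.19.x`, and an empty entry (a trailing comma, or nothing between two commas) gives `$len = 0`, which matches every address and silently switches the restriction off. Entries also keep surrounding whitespace, so `1.2.3.4, 5.6.7.8` never matches the second address. The loop should trim each entry, skip empty ones, and accept a shorter prefix only when it stops on a separator; the rewrite below does that. Note also that `$_SERVER['REMOTE_ADDR']` is the TCP peer, so behind a reverse proxy every user appears to come from the proxy's address; that is worth a comment here or in the setting's help text. ttAccessAllowed continues before and after the hunk.
```php
  // Check IP restriction, if set.
  if ($user->allow_ip && !$user->can('override_allow_ip')) {
    $access_allowed = false;
    $user_ip = $_SERVER['REMOTE_ADDR'];
    $allowed_ip_array = explode(',', $user->allow_ip);
    foreach ($allowed_ip_array as $allowed_ip) {
      $allowed_ip = trim($allowed_ip);
      // An empty entry (e.g. a trailing comma) must not match every address.
      if ($allowed_ip === '') continue;
      $len = strlen($allowed_ip);
      if (substr($user_ip, 0, $len) !== $allowed_ip) continue;
      // A shorter prefix counts only when it stops on a separator, so that
      // "10.0.1" does not also admit 10.0.10.x through 10.0.19.x.
      $ends_on_separator = preg_match('/[.:]$/', $allowed_ip) === 1;
      $next = $len < strlen($user_ip) ? substr($user_ip, $len, 1) : '';
      if ($next === '' || $next === '.' || $next === ':' || $ends_on_separator) {
        $access_allowed = true;
        break;
      }
    }
    if (!$access_allowed) return false;
  }
```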
@@ -186,7 +186,7 @@ class ttRoleHelper {
$rights_client = 'view_own_reports,view_own_charts,view_own_invoices,manage_own_settings';
$rights_user = 'track_own_time,track_own_expenses,view_own_reports,view_own_charts,view_own_projects,manage_own_settings,view_users';
$rights_supervisor = $rights_user.',track_time,track_expenses,view_reports,view_charts,override_punch_mode,override_date_lock,override_own_date_lock,swap_roles,approve_timesheets';
- $rights_comanager = $rights_supervisor.',manage_own_account,manage_users,manage_projects,manage_tasks,manage_custom_fields,manage_clients,manage_invoices,view_all_reports';
+ $rights_comanager = $rights_supervisor.',manage_own_account,manage_users,manage_projects,manage_tasks,manage_custom_fields,manage_clients,manage_invoices,override_allow_ip,view_all_reports';
$rights_manager = $rights_comanager.',manage_features,manage_basic_settings,manage_advanced_settings,manage_roles,export_data,manage_subgroups';
// Active roles.
@@ -244,7 +244,7 @@ class ttRoleHelper {
$rights_client = 'view_own_reports,view_own_charts,view_own_invoices,manage_own_settings';
$rights_user = 'track_own_time,track_own_expenses,view_own_reports,view_own_charts,view_own_projects,manage_own_settings,view_users';
$rights_supervisor = $rights_user.',track_time,track_expenses,view_reports,view_charts,override_punch_mode,override_date_lock,override_own_date_lock,swap_roles,approve_timesheets';
- $rights_comanager = $rights_supervisor.',manage_own_account,manage_users,manage_projects,manage_tasks,manage_custom_fields,manage_clients,manage_invoices,view_all_reports';
+ $rights_comanager = $rights_supervisor.',manage_own_account,manage_users,manage_projects,manage_tasks,manage_custom_fields,manage_clients,manage_invoices,override_allow_ip,view_all_reports';
$rights_manager = $rights_comanager.',manage_features,manage_basic_settings,manage_advanced_settings,manage_roles,export_data,manage_subgroups';
// Active roles.
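Review bot: The new `override_allow_ip` right only reaches roles that are created from these two rights strings, so roles already stored in tt_roles on an upgraded installation will not carry it; a manager whose stored role lacks it is then subject to the group's allow_ip like everyone else and can lock out the whole group, themselves included, by saving a list that does not cover their own address. Whether the patch backfills existing roles is not visible here (dbinstall.php is in the diffstat but its hunk is not in view); if it does not, consider an upgrade step that adds the right to existing manager and comanager roles, or having group_edit.php refuse an allow_ip value that does not match the saving user's own address. Both hunks change the same two rights strings, and the enclosing functions continue outside them.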
diff --git a/WEB-INF/lib/ttTeamHelper.class.php b/WEB-INF/lib/ttTeamHelper.class.php
index 01b0db36..0093e928 100644
--- a/WEB-INF/lib/ttTeamHelper.class.php
+++ b/WEB-INF/lib/ttTeamHelper.class.php
@@ -869,6 +869,7 @@ class ttTeamHelper {
$task_required_part = ' , task_required = '.(int) $fields['task_required'];
$record_type_part = '';
$bcc_email_part = '';
+ $allow_ip = '';
$plugins_part = '';
$config_part = '';
$lock_spec_part = '';
@@ -883,6 +884,7 @@ class ttTeamHelper {
if (isset($fields['tracking_mode'])) $tracking_mode_part = ', tracking_mode = '.(int) $fields['tracking_mode'];
if (isset($fields['record_type'])) $record_type_part = ', record_type = '.(int) $fields['record_type'];
if (isset($fields['bcc_email'])) $bcc_email_part = ', bcc_email = '.$mdb2->quote($fields['bcc_email']);
+ if (isset($fields['allow_ip'])) $allow_ip_part = ', allow_ip = '.$mdb2->quote($fields['allow_ip']);
if (isset($fields['plugins'])) $plugins_part = ', plugins = '.$mdb2->quote($fields['plugins']);
if (isset($fields['config'])) $config_part = ', config = '.$mdb2->quote($fields['config']);
if (isset($fields['lock_spec'])) $lock_spec_part = ', lock_spec = '.$mdb2->quote($fields['lock_spec']);
@@ -891,7 +893,7 @@ class ttTeamHelper {
$sql = "update tt_groups set $name_part $currency_part $lang_part $decimal_mark_part $date_format_part $time_format_part $week_start_part $tracking_mode_part $task_required_part $record_type_part
- $bcc_email_part $plugins_part $config_part $lock_spec_part $workday_minutes_part $modified_part where id = $group_id";
+ $bcc_email_part $allow_ip_part $plugins_part $config_part $lock_spec_part $workday_minutes_part $modified_part where id = $group_id";
$affected = $mdb2->exec($sql);
if (is_a($affected, 'PEAR_Error')) return false;
diff --git a/WEB-INF/lib/ttUser.class.php b/WEB-INF/lib/ttUser.class.php
index 70e55040..2781ea6f 100644
--- a/WEB-INF/lib/ttUser.class.php
+++ b/WEB-INF/lib/ttUser.class.php
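Review bot: The first hunk initialises `$allow_ip = '';`, but the second hunk assigns and the third hunk interpolates `$allow_ip_part`, so whenever `$fields['allow_ip']` is not set the update statement reads an undefined variable: a PHP notice, and an empty SQL fragment only by accident rather than by design. The initialisation should read `$allow_ip_part = '';`, matching the other `*_part` variables around it. The enclosing update method continues outside these hunks.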
@@ -53,6 +53,7 @@ class ttUser {
var $future_entries = 0; // Whether to allow creating future entries.
var $uncompleted_indicators = 0; // Uncompleted time entry indicators (show nowhere or on users page).
var $bcc_email = null; // Bcc email.
+ var $allow_ip = null; // Specification from where user is allowed access.
var $currency = null; // Currency.
var $plugins = null; // Comma-separated list of enabled plugins.
var $config = null; // Comma-separated list of miscellaneous config options.
@@ -72,11 +73,11 @@ class ttUser {
$mdb2 = getConnection();
- $sql = "SELECT u.id, u.login, u.name, u.group_id, u.role_id, r.rank, r.name as role_name, r.rights, u.client_id, u.email, t.name as team_name,
- t.currency, t.lang, t.decimal_mark, t.date_format, t.time_format, t.week_start,
- t.tracking_mode, t.project_required, t.task_required, t.record_type,
- t.bcc_email, t.plugins, t.config, t.lock_spec, t.workday_minutes, t.custom_logo
- FROM tt_users u LEFT JOIN tt_groups t ON (u.group_id = t.id) LEFT JOIN tt_roles r on (r.id = u.role_id) WHERE ";
+ $sql = "SELECT u.id, u.login, u.name, u.group_id, u.role_id, r.rank, r.name as role_name, r.rights, u.client_id, u.email, g.name as group_name,
+ g.currency, g.lang, g.decimal_mark, g.date_format, g.time_format, g.week_start,
+ g.tracking_mode, g.project_required, g.task_required, g.record_type,
+ g.bcc_email, g.allow_ip, g.plugins, g.config, g.lock_spec, g.workday_minutes, g.custom_logo
+ FROM tt_users u LEFT JOIN tt_groups g ON (u.group_id = g.id) LEFT JOIN tt_roles r on (r.id = u.role_id) WHERE ";
if ($id) $sql .= "u.id = $id";
else
@@ -111,7 +112,8 @@ class ttUser {
$this->task_required = $val['task_required'];
$this->record_type = $val['record_type'];
$this->bcc_email = $val['bcc_email'];
- $this->team = $val['team_name'];
+ $this->allow_ip = $val['allow_ip'];
+ $this->team = $val['group_name'];
$this->currency = $val['currency'];
$this->plugins = $val['plugins'];
$this->lock_spec = $val['lock_spec'];
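Review bot: The comment on the new `$allow_ip` property in the first hunk calls the value a "specification" without saying what form it takes; since ttAccessAllowed splits it on commas and compares each entry as a string prefix of REMOTE_ADDR, the property comment should state that, e.g. `var $allow_ip = null; // Comma-separated list of IP address prefixes users may connect from; empty or null means no restriction.` The second hunk reads the value straight from tt_groups, so presumably groups that have never saved the setting get null here, which the truthiness test in ttAccessAllowed treats as unrestricted; that is worth saying in the comment too. The constructor continues outside the second and third hunks.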
diff --git a/WEB-INF/resources/en.lang.php b/WEB-INF/resources/en.lang.php
index 2063f4ee..7e930e4f 100644
--- a/WEB-INF/resources/en.lang.php
+++ b/WEB-INF/resources/en.lang.php
@@ -446,6 +446,7 @@ $i18n_key_words = array(
'form.profile.allow_overlap' => 'Allow overlap',
'form.profile.future_entries' => 'Future entries',
'form.profile.uncompleted_indicators' => 'Uncompleted indicators',
+'form.profile.allow_ip' => 'Allow IP',
'form.profile.plugins' => 'Plugins',
// Mail form. See example at https://timetracker.anuko.com/report_send.php when emailing a report.
diff --git a/WEB-INF/templates/footer.tpl b/WEB-INF/templates/footer.tpl
index fb117e2f..873d5ec4 100644
--- a/WEB-INF/templates/footer.tpl
+++ b/WEB-INF/templates/footer.tpl
@@ -12,7 +12,7 @@
- -{if $user->isManager()} +{if $user->can('manage_advanced_settings')} + + + + {/if} {* initialize preview text *}
 Anuko Time Tracker 1.17.82.4202 | Copyright © Anuko | +  Anuko Time Tracker 1.17.83.4203 | Copyright © Anuko | {$i18n.footer.credits} | {$i18n.footer.license} | {$i18n.footer.improve} diff --git a/WEB-INF/templates/group_edit.tpl b/WEB-INF/templates/group_edit.tpl index 9b341b67..4dedafdf 100644 --- a/WEB-INF/templates/group_edit.tpl +++ b/WEB-INF/templates/group_edit.tpl @@ -164,11 +164,15 @@ function handlePluginCheckboxes() { {$i18n.form.profile.uncompleted_indicators}: {$forms.groupForm.uncompleted_indicators.control} {$i18n.label.what_is_it}
{$i18n.label.bcc}: {$forms.groupForm.bcc_email.control} {$i18n.label.what_is_it}
{$i18n.form.profile.allow_ip}:{$forms.groupForm.allow_ip.control} {$i18n.label.what_is_it}