plugins/kolab_auth

Aleksander Machniak machniak at kolabsys.com
Tue Aug 26 13:28:36 CEST 2014


 plugins/kolab_auth/config.inc.php.dist |    5 +++
 plugins/kolab_auth/kolab_auth.php      |   44 +++++++++++++++++++++++++++++++++
 2 files changed, 49 insertions(+)

New commits:
commit fbaa3f865eacc5fb78b2fc5149cba4b68e3a5769
Author: Aleksander Machniak <machniak at kolabsys.com>
Date:   Mon Aug 25 14:27:23 2014 -0400

    Add option to define list of tasks to which an admin has access (#3444)
    E.g. allow admins (using "Login as" feature) to see only user settings.

diff --git a/plugins/kolab_auth/config.inc.php.dist b/plugins/kolab_auth/config.inc.php.dist
index 57ee79c..17c0915 100644
--- a/plugins/kolab_auth/config.inc.php.dist
+++ b/plugins/kolab_auth/config.inc.php.dist
@@ -50,6 +50,11 @@ $config['kolab_auth_role_value'] = '';
 // which adds privilege to login as another user.
 $config['kolab_auth_group'] = '';
 
+// List of tasks to which admin has access when logged in as another user.
+// To limit usage to Settings only use: array('settings'). Default: array() - all tasks.
+// When defined all non-authorized requests will be redirected to first task on the list.
+$config['kolab_auth_allowed_tasks'] = array();
+
 // Enable plugins on a role-by-role basis. In this example, the 'acl' plugin
 // is enabled for people with a 'cn=professional-user,dc=mykolab,dc=ch' role.
 //
diff --git a/plugins/kolab_auth/kolab_auth.php b/plugins/kolab_auth/kolab_auth.php
index 2b685a7..86f1649 100644
--- a/plugins/kolab_auth/kolab_auth.php
+++ b/plugins/kolab_auth/kolab_auth.php
@@ -83,8 +83,30 @@ class kolab_auth extends rcube_plugin
         }
     }
 
+    /**
+     * Startup hook handler
+     */
     public function startup($args)
     {
+        $rcmail = rcube::get_instance();
+
+        // Check access rights when logged in as another user
+        if (!empty($_SESSION['kolab_auth_admin']) && $rcmail->task != 'login' && $rcmail->task != 'logout') {
+            $tasks = $rcmail->config->get('kolab_auth_allowed_tasks');
+            // access to specified task is forbidden,
+            // redirect to the first task on the list
+            if (!empty($tasks)) {
+                if (!in_array($rcmail->task, (array) $tasks)) {
+                    header('Location: ?_task=' . array_shift($tasks));
+                    die;
+                }
+
+                // add script that will remove disabled taskbar buttons
+                $this->add_hook('render_page', array($this, 'render_page'));
+            }
+        }
+
+        // load per-user settings
         $this->load_user_role_plugins_and_settings();
 
         return $args;
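Review bot: The allowed-task list is cast with `(array)` for the `in_array()` check but passed uncast to `array_shift()`, so a scalar setting such as `'settings'` passes the membership test and then produces a broken redirect target. `render_page()` in the next hunk makes the same assumption at `$tasks[] = 'logout'`. Normalise once when reading the option, `$tasks = (array) $rcmail->config->get('kolab_auth_allowed_tasks');`, and take the target with `reset($tasks)`. Because this check is the access control for the "Login as" restriction, `in_array($rcmail->task, $tasks, true)` would also avoid loose comparison against non-string entries. The body of startup() ends outside the hunk.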
@@ -634,6 +656,28 @@ class kolab_auth extends rcube_plugin
     }
 
     /**
+     * Action executed before the page is rendered to add an onload script
+     * that will remove all taskbar buttons for disabled tasks
+     */
+    public function render_page($args)
+    {
+        $rcmail  = rcube::get_instance();
+        $tasks   = $rcmail->config->get('kolab_auth_allowed_tasks');
+        $tasks[] = 'logout';
+
+        // disable buttons in taskbar
+        $script = "
+        \$('a').filter(function() {
+            var ev = \$(this).attr('onclick');
+            return ev && ev.match(/'switch-task','([a-z]+)'/)
+                && \$.inArray(RegExp.\$1, " . json_encode($tasks) . ") < 0;
+        }).remove();
+        ";
+
+        $rcmail->output->add_script($script, 'docready');
+    }
+
+    /**
      * Initializes LDAP object and connects to LDAP server
      */
     public static function ldap()
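Review bot: The docblock on `render_page()` should say that removing the buttons is cosmetic and that the restriction itself is enforced by the task check in `startup()`, so that nobody later treats this script as the control. The filter only matches links whose `onclick` contains `'switch-task'` with a task name of `[a-z]+`, so a button for a task named with digits or underscores, or a plain `?_task=` link, presumably stays visible even though the request would be redirected. Suggested comment above the script: `// UI only: access is enforced in startup(); this just hides taskbar buttons for tasks not in kolab_auth_allowed_tasks`.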



