Add option to define list of tasks to which an admin has access (#3444)

E.g. allow admins (using "Login as" feature) to see only user settings.
2014-08-25 14:27:23 -04:00 · 2014-08-25 14:27:23 -04:00 · fbaa3f865e
commit fbaa3f865e
parent 89f65253bd
2 changed files with 49 additions and 0 deletions
--- a/plugins/kolab_auth/config.inc.php.dist
+++ b/plugins/kolab_auth/config.inc.php.dist
@ -50,6 +50,11 @@ $config['kolab_auth_role_value'] = '';
 // which adds privilege to login as another user.
 $config['kolab_auth_group'] = '';

+// List of tasks to which admin has access when logged in as another user.
+// To limit usage to Settings only use: array('settings'). Default: array() - all tasks.
+// When defined all non-authorized requests will be redirected to first task on the list.
+$config['kolab_auth_allowed_tasks'] = array();
+
 // Enable plugins on a role-by-role basis. In this example, the 'acl' plugin
 // is enabled for people with a 'cn=professional-user,dc=mykolab,dc=ch' role.
 //
--- a/plugins/kolab_auth/kolab_auth.php
+++ b/plugins/kolab_auth/kolab_auth.php
@ -83,8 +83,30 @@ class kolab_auth extends rcube_plugin
        }
    }

+    /**
+     * Startup hook handler
+     */
    public function startup($args)
    {
+        $rcmail = rcube::get_instance();
+
+        // Check access rights when logged in as another user
+        if (!empty($_SESSION['kolab_auth_admin']) && $rcmail->task != 'login' && $rcmail->task != 'logout') {
+            $tasks = $rcmail->config->get('kolab_auth_allowed_tasks');
+            // access to specified task is forbidden,
+            // redirect to the first task on the list
+            if (!empty($tasks)) {
+                if (!in_array($rcmail->task, (array) $tasks)) {
+                    header('Location: ?_task=' . array_shift($tasks));
+                    die;
+                }
+
+                // add script that will remove disabled taskbar buttons
+                $this->add_hook('render_page', array($this, 'render_page'));
+            }
+        }
+
+        // load per-user settings
        $this->load_user_role_plugins_and_settings();

        return $args;
@ -633,6 +655,28 @@ class kolab_auth extends rcube_plugin
        return $args;
    }

+    /**
+     * Action executed before the page is rendered to add an onload script
+     * that will remove all taskbar buttons for disabled tasks
+     */
+    public function render_page($args)
+    {
+        $rcmail  = rcube::get_instance();
+        $tasks   = $rcmail->config->get('kolab_auth_allowed_tasks');
+        $tasks[] = 'logout';
+
+        // disable buttons in taskbar
+        $script = "
+        \$('a').filter(function() {
+            var ev = \$(this).attr('onclick');
+            return ev && ev.match(/'switch-task','([a-z]+)'/)
+                && \$.inArray(RegExp.\$1, " . json_encode($tasks) . ") < 0;
+        }).remove();
+        ";
+
+        $rcmail->output->add_script($script, 'docready');
+    }
+
    /**
     * Initializes LDAP object and connects to LDAP server
     */