From fc78600e64bb759b21f3099fbdeb86bd6122c93f Mon Sep 17 00:00:00 2001 From: Florian Schlichting Date: Fri, 30 Dec 2016 21:43:29 +0100 Subject: [PATCH] Allow deletion of collections, tickets, bindings of principals to whom you have write access (closes: #47) Previously, only the Admin or the principal herself could delete a collection. Deletion is immediate and irreversible, so there is a risk in allowing this. But it doesn't make sense to allow the creation of a test collection and then block the subsequent clean-up. --- inc/ui/principal-edit.php | 18 ++++++++---------- 1 file changed, 8 insertions(+), 10 deletions(-) diff --git a/inc/ui/principal-edit.php b/inc/ui/principal-edit.php index bb33e6db..f2961057 100644 --- a/inc/ui/principal-edit.php +++ b/inc/ui/principal-edit.php @@ -48,19 +48,19 @@ function handle_subaction( $subaction ) { global $delete_ticket_confirmation_required; global $delete_bind_in_confirmation_required; global $delete_binding_confirmation_required; + global $can_write_principal; dbg_error_log('admin-principal-edit',':handle_action: Action %s', $subaction ); switch( $subaction ) { case 'delete_collection': dbg_error_log('admin-principal-edit',':handle_action: Deleting collection %s for principal %d', $_GET['dav_name'], $id ); - if ( $session->AllowedTo('Admin') - || ($id > 0 && $session->principal_id == $id) ) { + if ($can_write_principal) { if ( $session->CheckConfirmationHash('GET', 'confirm') ) { dbg_error_log('admin-principal-edit',':handle_action: Allowed to delete collection %s for principal %d', $_GET['dav_name'], $id ); $qry = new AwlQuery('DELETE FROM collection WHERE dav_name=?;', $_GET['dav_name'] ); if ( $qry->Exec() ) { - $c->messages[] = i18n('Collection deleted'); + $c->messages[] = i18n('Collection deleted.'); return true; } else { @@ -86,7 +86,7 @@ function handle_subaction( $subaction ) { dbg_error_log('admin-principal-edit',':handle_action: Allowed to delete principal %d -%s', $id ); $qry = new AwlQuery('DELETE FROM dav_principal WHERE principal_id=?', $id ); if ( $qry->Exec() ) { - $c->messages[] = i18n('Principal deleted'); + $c->messages[] = i18n('Principal deleted.'); return true; } else { @@ -107,13 +107,12 @@ function handle_subaction( $subaction ) { case 'delete_ticket': dbg_error_log('admin-principal-edit',':handle_action: Deleting ticket "%s" for principal %d', $_GET['ticket_id'], $id ); - if ( $session->AllowedTo('Admin') - || ($id > 0 && $session->principal_id == $id) ) { + if ($can_write_principal) { if ( $session->CheckConfirmationHash('GET', 'confirm') ) { dbg_error_log('admin-principal-edit',':handle_action: Allowed to delete ticket "%s" for principal %d', $_GET['ticket_id'], $id ); $qry = new AwlQuery('DELETE FROM access_ticket WHERE ticket_id=?;', $_GET['ticket_id'] ); if ( $qry->Exec() ) { - $c->messages[] = i18n('Access ticket deleted'); + $c->messages[] = i18n('Access ticket deleted.'); return true; } else { @@ -135,13 +134,12 @@ function handle_subaction( $subaction ) { case 'delete_bind_in': case 'delete_binding': dbg_error_log('admin-principal-edit',':handle_action: Deleting binding "%s" for principal %d', $_GET['bind_id'], $id ); - if ( $session->AllowedTo('Admin') - || ($id > 0 && $session->principal_id == $id) ) { + if ($can_write_principal) { if ( $session->CheckConfirmationHash('GET', 'confirm') ) { dbg_error_log('admin-principal-edit',':handle_action: Allowed to delete binding "%s" for principal %d', $_GET['bind_id'], $id ); $qry = new AwlQuery('DELETE FROM dav_binding WHERE bind_id=?;', $_GET['bind_id'] ); if ( $qry->Exec() ) { - $c->messages[] = i18n('Binding deleted'); + $c->messages[] = i18n('Binding deleted.'); return true; } else {