Merge branch 'feature/suspended-user-access' into feature/user-roles

Kristan Kenney · Kristan Kenney · commit 65a161f4529e · 2021-04-03T16:38:47.000-03:00
diff --git a/bin/v-delete-user-backup b/bin/v-delete-user-backup
@@ -33,7 +33,6 @@ check_args '2' "$#" 'USER BACKUP'
 is_format_valid 'user' 'backup'
 is_system_enabled "$BACKUP_SYSTEM" 'BACKUP_SYSTEM'
 is_object_valid 'user' 'USER' "$user"
-is_object_unsuspended 'user' 'USER' "$user"
 is_object_valid 'backup' 'BACKUP' "$2"
 
 # Perform verification if read-only mode is enabled
diff --git a/bin/v-list-sys-config b/bin/v-list-sys-config
@@ -80,6 +80,7 @@ json_list() {
         "POLICY_SYSTEM_HIDE_ADMIN": "'$POLICY_SYSTEM_HIDE_ADMIN'",
         "POLICY_SYSTEM_HIDE_SERVICES": "'$POLICY_SYSTEM_HIDE_SERVICES'",
         "POLICY_SYSTEM_PASSWORD_RESET": "'$POLICY_SYSTEM_PASSWORD_RESET'",
+        "POLICY_USER_VIEW_SUSPENDED": "'$POLICY_USER_VIEW_SUSPENDED'",
         "POLICY_USER_EDIT_DETAILS": "'$POLICY_USER_EDIT_DETAILS'",
         "POLICY_USER_DELETE_LOGS": "'$POLICY_USER_DELETE_LOGS'",
         "POLICY_USER_VIEW_LOGS": "'$POLICY_USER_VIEW_LOGS'",
diff --git a/bin/v-suspend-user b/bin/v-suspend-user
@@ -43,13 +43,16 @@ check_hestia_demo_mode
 #                       Action                             #
 #----------------------------------------------------------#
 
-# Adding '!' in front of the password
-/usr/sbin/usermod --lock $user
-
-# Suspending ftp accounts
-for ftp in $(grep "^${user}_" /etc/passwd |cut -f 1 -d : ); do
-    /usr/sbin/usermod --lock $ftp 2>/dev/null
-done
+# Do not restrict access to SFTP/FTP/SSH if POLICY_USER_VIEW_SUSPENDED is set to yes
+if [ -z "$POLICY_USER_VIEW_SUSPENDED" ] || [ "$POLICY_USER_VIEW_SUSPENDED" = 'no' ]; then
+    # Adding '!' in front of the password
+    /usr/sbin/usermod --lock $user
+
+    # Suspending ftp accounts
+    for ftp in $(grep "^${user}_" /etc/passwd |cut -f 1 -d : ); do
+        /usr/sbin/usermod --lock $ftp 2>/dev/null
+    done
+fi
 
 # Suspending web domains
 if [ ! -z "$WEB_SYSTEM" ] && [ "$WEB_SYSTEM" != 'no' ]; then
diff --git a/bin/v-unsuspend-user b/bin/v-unsuspend-user
@@ -41,13 +41,16 @@ check_hestia_demo_mode
 #                       Action                             #
 #----------------------------------------------------------#
 
-# Deleting '!' in front of the password
-/usr/sbin/usermod --unlock $user
-
-# Unsuspending ftp accounts
-for ftp in $(grep "^${user}_" /etc/passwd |cut -f 1 -d : ); do
-    /usr/sbin/usermod --unlock $ftp 2>/dev/null
-done
+# Do not restrict access to SFTP/FTP/SSH if POLICY_USER_VIEW_SUSPENDED is set to yes
+if [ -z "$POLICY_USER_VIEW_SUSPENDED" ] || [ "$POLICY_USER_VIEW_SUSPENDED" = 'no' ]; then
+    # Deleting '!' in front of the password
+    /usr/sbin/usermod --unlock $user
+
+    # Unsuspending ftp accounts
+    for ftp in $(grep "^${user}_" /etc/passwd |cut -f 1 -d : ); do
+        /usr/sbin/usermod --unlock $ftp 2>/dev/null
+    done
+fi
 
 # Changing suspend value
 update_user_value "$user" '$SUSPENDED' 'no'
diff --git a/web/edit/server/index.php b/web/edit/server/index.php
@@ -750,6 +750,17 @@
         }
     }
 
+    // Change POLICY_USER_VIEW_SUSPENDED
+    if (empty($_SESSION['error_msg'])) {
+        if ($_POST['v_policy_user_view_suspended'] != $_SESSION['POLICY_USER_VIEW_SUSPENDED']) {
+            exec (HESTIA_CMD."v-change-sys-config-value POLICY_USER_VIEW_SUSPENDED ".escapeshellarg($_POST['v_policy_user_view_suspended']), $output, $return_var);
+            check_return_code($return_var,$output);
+            unset($output);
+            if (empty($_SESSION['error_msg'])) $v_policy_system_hide_admin = $_POST['v_policy_user_view_suspended'];
+            $v_security_adv = 'yes';
+        }
+    }
+
     // Change POLICY_USER_CHANGE_THEME
     if (empty($_SESSION['error_msg'])) {
         if ($_POST['v_policy_user_change_theme'] == 'on') { $_POST['v_policy_user_change_theme'] = 'no'; } else { $_POST['v_policy_user_change_theme'] = 'yes'; } {
diff --git a/web/inc/main.php b/web/inc/main.php
@@ -155,7 +155,7 @@ function top_panel($user, $TAB) {
     unset($output);
 
     // Log out active sessions for suspended users
-    if ($panel[$user]['SUSPENDED'] === 'yes') {
+    if (($panel[$user]['SUSPENDED'] === 'yes') && ($_SESSION['POLICY_USER_VIEW_SUSPENDED'] !== 'yes')) {
         $_SESSION['error_msg'] = "You have been logged out. Please log in again.";
         session_destroy();
         header("Location: /login/");
diff --git a/web/templates/pages/edit_server.html b/web/templates/pages/edit_server.html
@@ -1059,7 +1059,7 @@
                                                         </tr>
                                                         <tr>
                                                             <td class="vst-text input-label">
-                                                                <?php print _('Disable Server Settings access for other administrators');?>
+                                                                <?php print _('Do not allow other administrators to access Server Settings');?>
                                                             </td>
                                                         </tr>
                                                         <tr>
@@ -1091,7 +1091,21 @@
                                                             <?=_('Users');?>
                                                         </td>
                                                         
-                                                    </tr>
+                                            </tr>
+                                              <tr>
+                                            <td class="vst-text input-label">
+                                                <?php print _('Allow suspended users to log in with read-only access');?>
+                                            </td>
+                                        </tr>
+                                        <tr>
+                                            <td>
+                                                <select class="vst-list" name="v_policy_user_view_suspended">
+                                                    <option value='yes' <?php if($_SESSION['POLICY_USER_VIEW_SUSPENDED'] !== 'no') echo 'selected' ?>><?php print _('yes'); ?></option>
+                                                    <option value='no' <?php if($_SESSION['POLICY_USER_VIEW_SUSPENDED'] == 'no') echo 'selected' ?>><?php print _('no'); ?></option>
+                                                </select>
+                                                <br><br>
+                                            </td>
+                                        </tr>
                                         <tr>
                                             <td class="vst-text input-label">
                                                 <?php print _('Allow users to edit their account details');?>
