
Commit b99b45d

author
Kristan Kenney
committed
Prevent editing, deleting, or suspending domains under 'admin'
1 parent 10c3156 commit b99b45d


9 files changed

+364
-264
lines changed


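--- a/web/templates/admin/list_backup.html
+++ b/web/templates/admin/list_backup.html
@@ -1,10 +1,10 @@
 <div class="l-center">
 <div class="l-sort clearfix noselect">
 <div class="l-unit-toolbar__buttonstrip">
-<a href="/schedule/backup/?token=<?=$_SESSION['token']?>" class="ui-button cancel" dir="ltr"><i class="fas fa-plus-circle status-icon green"></i><?=_('Create Backup')?></a>
 <? if (($_SESSION['userContext'] === 'admin') && ($_SESSION['look'] === 'admin')) {?>
-<!-- Restrict ability to edit backup exclusions when impersonating 'admin' account -->
+<!-- Restrict ability to create or edit backups or exclusions when impersonating 'admin' account -->
 <? } else { ?>
+<a href="/schedule/backup/?token=<?=$_SESSION['token']?>" class="ui-button cancel" dir="ltr"><i class="fas fa-plus-circle status-icon green"></i><?=_('Create Backup')?></a>
 <a href="/list/backup/exclusions/" class="ui-button cancel" dir="ltr"><i class="fas fa-folder-minus status-icon orange"></i><?=_('backup exclusions')?></a>
 <? } ?>
 </div>
@@ -18,17 +18,21 @@
 <button type="submit" class="l-sort-toolbar__filter-apply" onclick="return doSearch('/search/')" value=""><i class="fas fa-search"></i></button>
 </form>
 </td>
-<td>
-<form action="/bulk/backup/" method="post" id="objects">
-<input type="hidden" name="token" value="<?=$_SESSION['token']?>" />
-<div class="l-select">
-<select name="action" id="">
-<option value=""><?=_('apply to selected')?></option>
-<option value="delete"><?php print _('delete') ?></option>
-</select>
-</div>
-<button type="submit" class="l-sort-toolbar__filter-apply" value=""><i class="fas fa-arrow-right"></i></button>
-</td>
+<? if (($_SESSION['userContext'] === 'admin') && ($_SESSION['look'] === 'admin')) {?>
+<!-- Hide bulk actions for domain items when impersonating 'admin' account-->
+<? } else { ?>
+<td>
+<form action="/bulk/backup/" method="post" id="objects">
+<input type="hidden" name="token" value="<?=$_SESSION['token']?>" />
+<div class="l-select">
+<select name="action" id="">
+<option value=""><?=_('apply to selected')?></option>
+<option value="delete"><?php print _('delete') ?></option>
+</select>
+</div>
+<button type="submit" class="l-sort-toolbar__filter-apply" value=""><i class="fas fa-arrow-right"></i></button>
+</td>
+<? } ?>
 </tr>
 </table>
 </div>
@@ -78,16 +82,23 @@
 <div class="clearfix l-unit__stat-col--left super-compact">
 <input id="check<?php echo $i ?>" class="ch-toggle" type="checkbox" name="backup[]" value="<?php echo $key ?>">
 </div>
-<div class="clearfix l-unit__stat-col--left wide-3 truncate"><b><a href="/list/backup/?backup=<?=$key?>&token=<?=$_SESSION['token']?>" title="<?=_('restore')?>"><?=$key?></a></b></div>
+<div class="clearfix l-unit__stat-col--left wide-3 truncate">
+<? if (($_SESSION['userContext'] === 'admin') && ($_SESSION['look'] === 'admin')) {?>
+<b><?=$key?></b>
+<? } else { ?>
+<b><a href="/list/backup/?backup=<?=$key?>&token=<?=$_SESSION['token']?>" title="<?=_('restore')?>"><?=$key?></a></b>
+<? } ?>
+</div>
 <!-- START QUICK ACTION TOOLBAR AREA -->
 <div class="clearfix l-unit__stat-col--left compact-4 text-right">
 <div class="l-unit-toolbar__col l-unit-toolbar__col--right noselect">
 <div class="actions-panel clearfix">
-<div class="actions-panel__col actions-panel__download shortcut-d" key-action="href"><a href="/download/backup/?backup=<?=$key?>&token=<?=$_SESSION['token']?>" title="<?=_('download')?>"><i class="fas fa-file-download status-icon lightblue status-icon dim"></i></a></div>
-<div class="actions-panel__col actions-panel__list shortcut-enter" key-action="href"><a href="/list/backup/?backup=<?=$key?>&token=<?=$_SESSION['token']?>" title="<?=_('restore')?>"><i class="fas fa-undo status-icon green status-icon dim"></i></a></div>
 <? if (($_SESSION['userContext'] === 'admin') && ($_SESSION['look'] === 'admin')) {?>
-<!-- Restrict ability to delete backups when impersonating 'admin' account -->
+<!-- Restrict ability to restore or delete backups when impersonating 'admin' account -->
+&nbsp;
 <? } else { ?>
+<div class="actions-panel__col actions-panel__download shortcut-d" key-action="href"><a href="/download/backup/?backup=<?=$key?>&token=<?=$_SESSION['token']?>" title="<?=_('download')?>"><i class="fas fa-file-download status-icon lightblue status-icon dim"></i></a></div>
+<div class="actions-panel__col actions-panel__list shortcut-enter" key-action="href"><a href="/list/backup/?backup=<?=$key?>&token=<?=$_SESSION['token']?>" title="<?=_('restore')?>"><i class="fas fa-undo status-icon green status-icon dim"></i></a></div>
 <div class="actions-panel__col actions-panel__delete shortcut-delete" key-action="js">
 <a id="delete_link_<?=$i?>" class="data-controls do_delete" title="<?=_('delete')?>">
 <i class="fas fa-trash status-icon red status-icon dim do_delete"></i>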
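Review bot: Hiding the create, restore, download and delete controls in this template is not an authorization check — an administrator impersonating 'admin' can still request `/schedule/backup/`, `/list/backup/?backup=…`, `/download/backup/?backup=…`, `/bulk/backup/` and the delete URL directly with their valid session token, so the handlers behind those routes need to enforce the same `userContext === 'admin' && look === 'admin'` restriction themselves; six of the nine files in this commit are not visible here, so that may already be covered, but it should be confirmed. The new guard in the first hunk reads `$_SESSION['look']` without `isset()`, unlike the existing per-item guard in list_cron.html, which wraps it in `(isset($_SESSION['look']))`; the comparison still yields false when the key is absent, but it raises a PHP notice on every non-impersonated page view, so prefer `<? if (($_SESSION['userContext'] === 'admin') && (isset($_SESSION['look'])) && ($_SESSION['look'] === 'admin')) {?>`. The comment added with the bulk-action guard, `<!-- Hide bulk actions for domain items when impersonating 'admin' account-->`, was copied from the domain template and should read `<!-- Hide bulk actions for backups when impersonating 'admin' account -->`.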

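--- a/web/templates/admin/list_cron.html
+++ b/web/templates/admin/list_cron.html
@@ -29,21 +29,25 @@
 <button type="submit" class="l-sort-toolbar__filter-apply" onclick="return doSearch('/search/')" value=""><i class="fas fa-search"></i></button>
 </form>
 </td>
-<td class="">
-<form action="/bulk/cron/" method="post" id="objects">
-<input type="hidden" name="token" value="<?=$_SESSION['token']?>" />
-<div class="l-select">
-<select name="action" id="">
-<option value=""><?=_('apply to selected')?></option>
-<? if($panel[$user]['CRON_REPORTS'] == 'yes') echo '<option value="delete-cron-reports">'._('turn off notifications').'</option>'; ?>
-<? if($panel[$user]['CRON_REPORTS'] == 'no') echo '<option value="add-cron-reports">'._('turn on notifications').'</option>'; ?>
-<option value="suspend"><?=_('suspend')?></option>
-<option value="unsuspend"><?=_('unsuspend')?></option>
-<option value="delete"><?=_('delete')?></option>
-</select>
-</div>
-<button type="submit" class="l-sort-toolbar__filter-apply" value=""><i class="fas fa-arrow-right"></i></button>
-</td>
+<? if (($_SESSION['userContext'] === 'admin') && ($_SESSION['look'] === 'admin')) {?>
+<!-- Hide bulk actions for domain items when impersonating 'admin' account-->
+<? } else { ?>
+<td class="">
+<form action="/bulk/cron/" method="post" id="objects">
+<input type="hidden" name="token" value="<?=$_SESSION['token']?>" />
+<div class="l-select">
+<select name="action" id="">
+<option value=""><?=_('apply to selected')?></option>
+<? if($panel[$user]['CRON_REPORTS'] == 'yes') echo '<option value="delete-cron-reports">'._('turn off notifications').'</option>'; ?>
+<? if($panel[$user]['CRON_REPORTS'] == 'no') echo '<option value="add-cron-reports">'._('turn on notifications').'</option>'; ?>
+<option value="suspend"><?=_('suspend')?></option>
+<option value="unsuspend"><?=_('unsuspend')?></option>
+<option value="delete"><?=_('delete')?></option>
+</select>
+</div>
+<button type="submit" class="l-sort-toolbar__filter-apply" value=""><i class="fas fa-arrow-right"></i></button>
+</td>
+<? } ?>
 </tr>
 </table>
 </div>
@@ -103,6 +107,7 @@
 <div class="actions-panel clearfix">
 <? if (($_SESSION['userContext'] === 'admin') && (isset($_SESSION['look'])) && ($_SESSION['look'] === 'admin')) {?>
 <!-- Restrict other administrators from editing, deleting, or suspending 'admin' user cron jobs -->
+&nbsp;
 <? } else { ?>
 <div class="actions-panel__col actions-panel__download shortcut-enter" key-action="href"><a href="/edit/cron/?job=<?=$data[$key]['JOB']?>&token=<?=$_SESSION['token']?>" title="<?=_('Editing Cron Job')?>"><i class="fas fa-pencil-alt status-icon orange status-icon dim"></i></a></div>
 <div class="actions-panel__col actions-panel__suspend shortcut-s" key-action="js">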
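Review bot: The new bulk-action guard in the first hunk, `<? if (($_SESSION['userContext'] === 'admin') && ($_SESSION['look'] === 'admin')) {?>`, omits the `isset($_SESSION['look'])` test that the existing per-item guard in the second hunk of this same file keeps, so the two conditions in one template now diverge and the new one raises a PHP notice whenever no impersonation is active; align it with the existing form. The accompanying comment, `<!-- Hide bulk actions for domain items when impersonating 'admin' account-->`, was copied from the domain template and is wrong here — make it `<!-- Hide bulk actions for cron jobs when impersonating 'admin' account -->`. Removing the form only hides `/bulk/cron/` from the UI; a crafted POST with the session token still reaches that handler, so the suspend/delete refusal for the 'admin' user's jobs has to live server-side as well, which cannot be confirmed from this section.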

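--- a/web/templates/admin/list_db.html
+++ b/web/templates/admin/list_db.html
@@ -46,20 +46,24 @@
 <button type="submit" class="l-sort-toolbar__filter-apply" onclick="return doSearch('/search/')" value=""><i class="fas fa-search"></i></button>
 </form>
 </td>
-<td>
-<form action="/bulk/db/" method="post" id="objects">
-<input type="hidden" name="token" value="<?=$_SESSION['token']?>" />
-<div class="l-select">
-<select name="action" id="">
-<option value=""><?=_('apply to selected')?></option>
-<option value="rebuild"><?=_('rebuild')?></option>
-<option value="suspend"><?=_('suspend')?></option>
-<option value="unsuspend"><?=_('unsuspend')?></option>
-<option value="delete"><?=_('delete')?></option>
-</select>
-</div>
-<button type="submit" class="l-sort-toolbar__filter-apply" value=""><i class="fas fa-arrow-right"></i></button>
-</td>
+<? if (($_SESSION['userContext'] === 'admin') && ($_SESSION['look'] === 'admin')) {?>
+<!-- Hide bulk actions for domain items when impersonating 'admin' account-->
+<? } else { ?>
+<td>
+<form action="/bulk/db/" method="post" id="objects">
+<input type="hidden" name="token" value="<?=$_SESSION['token']?>" />
+<div class="l-select">
+<select name="action" id="">
+<option value=""><?=_('apply to selected')?></option>
+<option value="rebuild"><?=_('rebuild')?></option>
+<option value="suspend"><?=_('suspend')?></option>
+<option value="unsuspend"><?=_('unsuspend')?></option>
+<option value="delete"><?=_('delete')?></option>
+</select>
+</div>
+<button type="submit" class="l-sort-toolbar__filter-apply" value=""><i class="fas fa-arrow-right"></i></button>
+</td>
+<? } ?>
 </tr>
 </table>
 </div>
@@ -117,39 +121,46 @@
 <div class="clearfix l-unit__stat-col--left super-compact">
 <input id="check<?php echo $i ?>" class="ch-toggle" type="checkbox" name="database[]" value="<?php echo $key ?>">
 </div>
-<div class="clearfix l-unit__stat-col--left wide-3 truncate"><b><a href="/edit/db/?database=<?=$key?>&token=<?=$_SESSION['token']?>" title="<?=_('Editing Database')?>"><?=$key?></a></b></div>
+<div class="clearfix l-unit__stat-col--left wide-3 truncate">
+<? if (($_SESSION['userContext'] === 'admin') && ($_SESSION['look'] === 'admin')) {?>
+<b><?=$key?></b>
+<? } else { ?>
+<b><a href="/edit/db/?database=<?=$key?>&token=<?=$_SESSION['token']?>" title="<?=_('Editing Database')?>"><?=$key?></a></b>
+<? } ?>
+</div>
 <!-- START QUICK ACTION TOOLBAR AREA -->
 <div class="clearfix l-unit__stat-col--left text-right compact-3">
-<div class="l-unit-toolbar__col l-unit-toolbar__col--right noselect">
-<div class="actions-panel clearfix">
-<div class="actions-panel__col actions-panel__logs shortcut-enter" key-action="href"><a href="/edit/db/?database=<?=$key?>&token=<?=$_SESSION['token']?>" title="<?=_('Editing Database')?>"><i class="fas fa-pencil-alt status-icon orange status-icon dim"></i></a></div>
-<div class="actions-panel__col actions-panel__suspend shortcut-s" key-action="js">
-<a id="<?=$spnd_action ?>_link_<?=$i?>" class="data-controls do_<?=$spnd_action?>" title="<?=_($spnd_action)?>">
-<i class="fas <?=$spnd_icon?> status-icon highlight status-icon dim do_<?=$spnd_action?>"></i>
-<input type="hidden" name="<?=$spnd_action?>_url" value="/<?=$spnd_action?>/db/?database=<?=$key?>&token=<?=$_SESSION['token']?>" />
-<div id="<?=$spnd_action?>_dialog_<?=$i?>" class="confirmation-text-suspention hidden" title="<?=_('Confirmation')?>">
-<p class="confirmation"><?=sprintf($spnd_confirmation,$key)?></p>
-</div>
-</a>
-</div>
-<div class="actions-panel__col actions-panel__delete shortcut-delete" key-action="js">
-<a id="delete_link_<?=$i?>" class="data-controls do_delete" title="<?=_('delete')?>">
-<i class="fas fa-trash status-icon red status-icon dim do_delete"></i>
-<input type="hidden" name="delete_url" value="/delete/db/?database=<?=$key?>&token=<?=$_SESSION['token']?>" />
-<div id="delete_dialog_<?=$i?>" class="confirmation-text-delete hidden" title="<?=_('Confirmation')?>">
-<p class="confirmation"><?=sprintf(_('DELETE_DATABASE_CONFIRMATION'),$key)?></p>
-</div>
-</a>
-</div>
-<?php if ($data[$key]['TYPE'] == 'mysql' && isset($_SESSION['PHPMYADMIN_KEY']) && $_SESSION['PHPMYADMIN_KEY'] != '') {
-$time = time();
-?>
-<div class="actions-panel__col actions-panel__logs shortcut-enter" key-action="href"><a href="<?=$db_myadmin_link;?>/hestia-sso.php?database=<?=$key;?>&user=<?=$user;?>&exp=<?=$time;?>&hestia_token=<?=password_hash($key.$user.$_SESSION['user_combined_ip'].$time.$_SESSION['PHPMYADMIN_KEY'], PASSWORD_DEFAULT)?>" title="<?=_('Editing Database')?>"><i class="fas fa-sign-in-alt status-icon orange status-icon dim"></i></a></div>
-<?php
-}
-?>
+<div class="l-unit-toolbar__col l-unit-toolbar__col--right noselect">
+<div class="actions-panel clearfix">
+<? if (($_SESSION['userContext'] === 'admin') && ($_SESSION['look'] === 'admin')) {?>
+<!-- Restrict the ability to edit, delete, or suspend domain items when impersonating 'admin' user -->
+&nbsp;
+<? } else { ?>
+<div class="actions-panel__col actions-panel__logs shortcut-enter" key-action="href"><a href="/edit/db/?database=<?=$key?>&token=<?=$_SESSION['token']?>" title="<?=_('Editing Database')?>"><i class="fas fa-pencil-alt status-icon orange status-icon dim"></i></a></div>
+<?php if ($data[$key]['TYPE'] == 'mysql' && isset($_SESSION['PHPMYADMIN_KEY']) && $_SESSION['PHPMYADMIN_KEY'] != '') { $time = time(); ?>
+<div class="actions-panel__col actions-panel__logs shortcut-enter" key-action="href"><a href="<?=$db_myadmin_link;?>/hestia-sso.php?database=<?=$key;?>&user=<?=$user;?>&exp=<?=$time;?>&hestia_token=<?=password_hash($key.$user.$_SESSION['user_combined_ip'].$time.$_SESSION['PHPMYADMIN_KEY'], PASSWORD_DEFAULT)?>" title="<?=_('Editing Database')?>"><i class="fas fa-sign-in-alt status-icon orange status-icon dim"></i></a></div>
+<? } ?>
+<div class="actions-panel__col actions-panel__suspend shortcut-s" key-action="js">
+<a id="<?=$spnd_action ?>_link_<?=$i?>" class="data-controls do_<?=$spnd_action?>" title="<?=_($spnd_action)?>">
+<i class="fas <?=$spnd_icon?> status-icon highlight status-icon dim do_<?=$spnd_action?>"></i>
+<input type="hidden" name="<?=$spnd_action?>_url" value="/<?=$spnd_action?>/db/?database=<?=$key?>&token=<?=$_SESSION['token']?>" />
+<div id="<?=$spnd_action?>_dialog_<?=$i?>" class="confirmation-text-suspention hidden" title="<?=_('Confirmation')?>">
+<p class="confirmation"><?=sprintf($spnd_confirmation,$key)?></p>
+</div>
+</a>
+</div>
+<div class="actions-panel__col actions-panel__delete shortcut-delete" key-action="js">
+<a id="delete_link_<?=$i?>" class="data-controls do_delete" title="<?=_('delete')?>">
+<i class="fas fa-trash status-icon red status-icon dim do_delete"></i>
+<input type="hidden" name="delete_url" value="/delete/db/?database=<?=$key?>&token=<?=$_SESSION['token']?>" />
+<div id="delete_dialog_<?=$i?>" class="confirmation-text-delete hidden" title="<?=_('Confirmation')?>">
+<p class="confirmation"><?=sprintf(_('DELETE_DATABASE_CONFIRMATION'),$key)?></p>
+</div>
+</a>
 </div>
-</div>
+<? } ?>
+</div>
+</div>
 </div>
 <!-- END QUICK ACTION TOOLBAR AREA -->
 <div class="clearfix l-unit__stat-col--left text-center compact"><?=$data[$key]['TYPE']?></div>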
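Review bot: The second hunk moves the phpMyAdmin SSO link (`<?php if ($data[$key]['TYPE'] == 'mysql' && isset($_SESSION['PHPMYADMIN_KEY']) ...`) inside the new `else` branch, so impersonating 'admin' now also loses the `hestia-sso.php` sign-in, which the commit message ("editing, deleting, or suspending") does not mention; either state that in the commit message or keep the SSO block outside the guard if that access was meant to remain. The comment `<!-- Restrict the ability to edit, delete, or suspend domain items when impersonating 'admin' user -->` and the bulk-form comment above it both say "domain items" in a database template; change them to `databases`. As with the other templates in this commit, not rendering `/edit/db/`, `/suspend/db/`, `/delete/db/` and `/bulk/db/` only hides them — those handlers must reject the request for the 'admin' user themselves, and that is not visible in the three templates shown here. The new guard also reads `$_SESSION['look']` without `isset()`, unlike the existing check in list_cron.html; use `(isset($_SESSION['look']) && $_SESSION['look'] === 'admin')` to avoid a notice on every non-impersonated view.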
