AS1024
/
Kanboard-Prod
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Add new role Project Administrator

This commit is contained in:
Frederic Guillot 2015-08-14 15:43:08 -04:00
parent 80fb3bc9aa
commit b2cce5a3a1
49 changed files with 337 additions and 78 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
ChangeLog
View File

@ -3,6 +3,7 @@ Version 1.0.18 (unreleased)
New features:
* Add new role "Project Administrator"
* Add login bruteforce protection with captcha and account lockdown
* Add new api procedures: getDefaultTaskColor(), getDefaultTaskColors() and getColorList()
* Add user api access

10
app/Api/User.php
View File

@ -27,7 +27,7 @@ class User extends \Core\Base
return $this->user->remove($user_id);
}
public function createUser($username, $password, $name = '', $email = '', $is_admin = 0)
public function createUser($username, $password, $name = '', $email = '', $is_admin = 0, $is_project_admin = 0)
{
$values = array(
'username' => $username,
@ -36,14 +36,14 @@ class User extends \Core\Base
'name' => $name,
'email' => $email,
'is_admin' => $is_admin,
'is_project_admin' => $is_project_admin,
);
list($valid,) = $this->user->validateCreation($values);
return $valid ? $this->user->create($values) : false;
}
public function createLdapUser($username = '', $email = '', $is_admin = 0)
public function createLdapUser($username = '', $email = '', $is_admin = 0, $is_project_admin = 0)
{
$ldap = new Ldap($this->container);
$user = $ldap->lookup($username, $email);
@ -58,12 +58,13 @@ class User extends \Core\Base
'email' => $user['email'],
'is_ldap_user' => 1,
'is_admin' => $is_admin,
'is_project_admin' => $is_project_admin,
);
return $this->user->create($values);
}
public function updateUser($id, $username = null, $name = null, $email = null, $is_admin = null)
public function updateUser($id, $username = null, $name = null, $email = null, $is_admin = null, $is_project_admin = null)
{
$values = array(
'id' => $id,
@ -71,6 +72,7 @@ class User extends \Core\Base
'name' => $name,
'email' => $email,
'is_admin' => $is_admin,
'is_project_admin' => $is_project_admin,
);
foreach ($values as $key => $value) {

13
app/Controller/Project.php
View File

@ -141,8 +141,15 @@ class Project extends Base
$project = $this->getProject();
$values = $this->request->getValues();
if ($project['is_private'] == 1 && $this->userSession->isAdmin() && ! isset($values['is_private'])) {
$values += array('is_private' => 0);
if (isset($values['is_private'])) {
if (! $this->helper->user->isProjectAdministrationAllowed($project['id'])) {
unset($values['is_private']);
}
}
else if ($project['is_private'] == 1 && ! isset($values['is_private'])) {
if ($this->helper->user->isProjectAdministrationAllowed($project['id'])) {
$values += array('is_private' => 0);
}
}
list($valid, $errors) = $this->project->validateModification($values);
@ -402,7 +409,7 @@ class Project extends Base
*/
public function create(array $values = array(), array $errors = array())
{
$is_private = $this->request->getIntegerParam('private', $this->userSession->isAdmin() ? 0 : 1);
$is_private = $this->request->getIntegerParam('private', $this->userSession->isAdmin() || $this->userSession->isProjectAdmin() ? 0 : 1);
$this->response->html($this->template->layout('project/new', array(
'board_selector' => $this->projectPermission->getAllowedProjects($this->userSession->getId()),

10
app/Controller/User.php
View File

@ -303,12 +303,16 @@ class User extends Base
$values = $this->request->getValues();
if ($this->userSession->isAdmin()) {
$values += array('is_admin' => 0);
$values += array('is_admin' => 0, 'is_project_admin' => 0);
}
else {
// Regular users can't be admin
if (isset($values['is_admin'])) {
unset($values['is_admin']); // Regular users can't be admin
unset($values['is_admin']);
}
if (isset($values['is_project_admin'])) {
unset($values['is_project_admin']);
}
}

33
app/Helper/User.php
View File

@ -77,19 +77,44 @@ class User extends \Core\Base
}
/**
* Proxy cache helper for acl::isManagerActionAllowed()
* Return if the logged user is project admin
*
* @access public
* @param integer $project_id
* @return boolean
*/
public function isManager($project_id)
public function isProjectAdmin()
{
return $this->userSession->isProjectAdmin();
}
/**
* Check for project administration actions access (Project Admin group)
*
* @access public
* @return boolean
*/
public function isProjectAdministrationAllowed($project_id)
{
if ($this->userSession->isAdmin()) {
return true;
}
return $this->memoryCache->proxy('acl', 'isManagerActionAllowed', $project_id);
return $this->memoryCache->proxy('acl', 'handleProjectAdminPermissions', $project_id);
}
/**
* Check for project management actions access (Regular users who are Project Managers)
*
* @access public
* @return boolean
*/
public function isProjectManagementAllowed($project_id)
{
if ($this->userSession->isAdmin()) {
return true;
}
return $this->memoryCache->proxy('acl', 'handleProjectManagerPermissions', $project_id);
}
/**

2
app/Locale/cs_CZ/translations.php
View File

@ -1015,4 +1015,6 @@ return array(
// 'contributors' => '',
// 'License:' => '',
// 'License' => '',
// 'Project Administrator' => '',
// 'Enter the text below' => '',
);

2
app/Locale/da_DK/translations.php
View File

@ -1015,4 +1015,6 @@ return array(
// 'contributors' => '',
// 'License:' => '',
// 'License' => '',
// 'Project Administrator' => '',
// 'Enter the text below' => '',
);

2
app/Locale/de_DE/translations.php
View File

@ -1015,4 +1015,6 @@ return array(
// 'contributors' => '',
// 'License:' => '',
// 'License' => '',
// 'Project Administrator' => '',
// 'Enter the text below' => '',
);

2
app/Locale/es_ES/translations.php
View File

@ -1015,4 +1015,6 @@ return array(
// 'contributors' => '',
// 'License:' => '',
// 'License' => '',
// 'Project Administrator' => '',
// 'Enter the text below' => '',
);

2
app/Locale/fi_FI/translations.php
View File

@ -1015,4 +1015,6 @@ return array(
// 'contributors' => '',
// 'License:' => '',
// 'License' => '',
// 'Project Administrator' => '',
// 'Enter the text below' => '',
);

2
app/Locale/fr_FR/translations.php
View File

@ -1017,4 +1017,6 @@ return array(
'contributors' => 'contributeurs',
'License:' => 'Licence :',
'License' => 'Licence',
'Project Administrator' => 'Administrateur de projet',
'Enter the text below' => 'Entrez le texte ci-dessous',
);

2
app/Locale/hu_HU/translations.php
View File

@ -1015,4 +1015,6 @@ return array(
// 'contributors' => '',
// 'License:' => '',
// 'License' => '',
// 'Project Administrator' => '',
// 'Enter the text below' => '',
);

2
app/Locale/it_IT/translations.php
View File

@ -1015,4 +1015,6 @@ return array(
// 'contributors' => '',
// 'License:' => '',
// 'License' => '',
// 'Project Administrator' => '',
// 'Enter the text below' => '',
);

2
app/Locale/ja_JP/translations.php
View File

@ -1015,4 +1015,6 @@ return array(
// 'contributors' => '',
// 'License:' => '',
// 'License' => '',
// 'Project Administrator' => '',
// 'Enter the text below' => '',
);

2
app/Locale/nl_NL/translations.php
View File

@ -1015,4 +1015,6 @@ return array(
// 'contributors' => '',
// 'License:' => '',
// 'License' => '',
// 'Project Administrator' => '',
// 'Enter the text below' => '',
);

2
app/Locale/pl_PL/translations.php
View File

@ -1015,4 +1015,6 @@ return array(
// 'contributors' => '',
// 'License:' => '',
// 'License' => '',
// 'Project Administrator' => '',
// 'Enter the text below' => '',
);

2
app/Locale/pt_BR/translations.php
View File

@ -1015,4 +1015,6 @@ return array(
// 'contributors' => '',
// 'License:' => '',
// 'License' => '',
// 'Project Administrator' => '',
// 'Enter the text below' => '',
);

2
app/Locale/pt_PT/translations.php
View File

@ -1015,4 +1015,6 @@ return array(
'contributors' => 'contribuidores',
'License:' => 'Licença:',
'License' => 'Licença',
// 'Project Administrator' => '',
// 'Enter the text below' => '',
);

2
app/Locale/ru_RU/translations.php
View File

@ -1015,4 +1015,6 @@ return array(
// 'contributors' => '',
// 'License:' => '',
// 'License' => '',
// 'Project Administrator' => '',
// 'Enter the text below' => '',
);

2
app/Locale/sr_Latn_RS/translations.php
View File

@ -1015,4 +1015,6 @@ return array(
// 'contributors' => '',
// 'License:' => '',
// 'License' => '',
// 'Project Administrator' => '',
// 'Enter the text below' => '',
);

2
app/Locale/sv_SE/translations.php
View File

@ -1015,4 +1015,6 @@ return array(
// 'contributors' => '',
// 'License:' => '',
// 'License' => '',
// 'Project Administrator' => '',
// 'Enter the text below' => '',
);

2
app/Locale/th_TH/translations.php
View File

@ -1015,4 +1015,6 @@ return array(
// 'contributors' => '',
// 'License:' => '',
// 'License' => '',
// 'Project Administrator' => '',
// 'Enter the text below' => '',
);

2
app/Locale/tr_TR/translations.php
View File

@ -1015,4 +1015,6 @@ return array(
// 'contributors' => '',
// 'License:' => '',
// 'License' => '',
// 'Project Administrator' => '',
// 'Enter the text below' => '',
);

2
app/Locale/zh_CN/translations.php
View File

@ -1015,4 +1015,6 @@ return array(
// 'contributors' => '',
// 'License:' => '',
// 'License' => '',
// 'Project Administrator' => '',
// 'Enter the text below' => '',
);

89
app/Model/Acl.php
View File

@ -32,7 +32,7 @@ class Acl extends Base
* @access private
* @var array
*/
private $member_acl = array(
private $project_member_acl = array(
'board' => '*',
'comment' => '*',
'file' => '*',
@ -56,17 +56,27 @@ class Acl extends Base
* @access private
* @var array
*/
private $manager_acl = array(
private $project_manager_acl = array(
'action' => '*',
'analytic' => '*',
'category' => '*',
'column' => '*',
'export' => array('tasks', 'subtasks', 'summary'),
'export' => '*',
'project' => array('edit', 'update', 'share', 'integration', 'users', 'alloweverybody', 'allow', 'setowner', 'revoke', 'duplicate', 'disable', 'enable'),
'swimlane' => '*',
'budget' => '*',
);
/**
* Controllers and actions for project admins
*
* @access private
* @var array
*/
private $project_admin_acl = array(
'project' => array('remove'),
);
/**
* Controllers and actions for admins
*
@ -77,8 +87,6 @@ class Acl extends Base
'user' => array('index', 'create', 'save', 'remove', 'authentication'),
'config' => '*',
'link' => '*',
'project' => array('remove'),
'hourlyrate' => '*',
'currency' => '*',
'twofactor' => array('disable'),
);
@ -149,9 +157,22 @@ class Acl extends Base
* @param string $action Action name
* @return bool
*/
public function isManagerAction($controller, $action)
public function isProjectManagerAction($controller, $action)
{
return $this->matchAcl($this->manager_acl, $controller, $action);
return $this->matchAcl($this->project_manager_acl, $controller, $action);
}
/**
* Return true if the given action is for application managers
*
* @access public
* @param string $controller Controller name
* @param string $action Action name
* @return bool
*/
public function isProjectAdminAction($controller, $action)
{
return $this->matchAcl($this->project_admin_acl, $controller, $action);
}
/**
@ -162,9 +183,9 @@ class Acl extends Base
* @param string $action Action name
* @return bool
*/
public function isMemberAction($controller, $action)
public function isProjectMemberAction($controller, $action)
{
return $this->matchAcl($this->member_acl, $controller, $action);
return $this->matchAcl($this->project_member_acl, $controller, $action);
}
/**
@ -189,13 +210,18 @@ class Acl extends Base
return false;
}
// Check project admin permissions
if ($this->isProjectAdminAction($controller, $action)) {
return $this->handleProjectAdminPermissions($project_id);
}
// Check project manager permissions
if ($this->isManagerAction($controller, $action)) {
return $this->isManagerActionAllowed($project_id);
if ($this->isProjectManagerAction($controller, $action)) {
return $this->handleProjectManagerPermissions($project_id);
}
// Check project member permissions
if ($this->isMemberAction($controller, $action)) {
if ($this->isProjectMemberAction($controller, $action)) {
return $project_id > 0 && $this->projectPermission->isMember($project_id, $this->userSession->getId());
}
@ -203,12 +229,43 @@ class Acl extends Base
return true;
}
public function isManagerActionAllowed($project_id)
/**
* Handle permission for project manager
*
* @access public
* @param integer $project_id
* @return boolean
*/
public function handleProjectManagerPermissions($project_id)
{
if ($this->userSession->isAdmin()) {
return true;
if ($project_id > 0) {
if ($this->userSession->isProjectAdmin()) {
return $this->projectPermission->isMember($project_id, $this->userSession->getId());
}
return $this->projectPermission->isManager($project_id, $this->userSession->getId());
}
return $project_id > 0 && $this->projectPermission->isManager($project_id, $this->userSession->getId());
return false;
}
/**
* Handle permission for project admins
*
* @access public
* @param integer $project_id
* @return boolean
*/
public function handleProjectAdminPermissions($project_id)
{
if (! $this->userSession->isProjectAdmin()) {
return false;
}
if ($project_id > 0) {
return $this->projectPermission->isMember($project_id, $this->userSession->getId());
}
return true;
}
}

4
app/Model/User.php
View File

@ -57,6 +57,7 @@ class User extends Base
'name',
'email',
'is_admin',
'is_project_admin',
'is_ldap_user',
'notifications_enabled',
'google_id',
@ -254,7 +255,7 @@ class User extends Base
}
$this->removeFields($values, array('confirmation', 'current_password'));
$this->resetFields($values, array('is_admin', 'is_ldap_user'));
$this->resetFields($values, array('is_admin', 'is_ldap_user', 'is_project_admin'));
}
/**
@ -442,6 +443,7 @@ class User extends Base
new Validators\Unique('username', t('The username must be unique'), $this->db->getConnection(), self::TABLE, 'id'),
new Validators\Email('email', t('Email address invalid')),
new Validators\Integer('is_admin', t('This value must be an integer')),
new Validators\Integer('is_project_admin', t('This value must be an integer')),
new Validators\Integer('is_ldap_user', t('This value must be an integer')),
);
}

12
app/Model/UserSession.php
View File

@ -34,6 +34,7 @@ class UserSession extends Base
$user['id'] = (int) $user['id'];
$user['is_admin'] = (bool) $user['is_admin'];
$user['is_project_admin'] = (bool) $user['is_project_admin'];
$user['is_ldap_user'] = (bool) $user['is_ldap_user'];
$user['twofactor_activated'] = (bool) $user['twofactor_activated'];
@ -73,6 +74,17 @@ class UserSession extends Base
return isset($this->session['user']['is_admin']) && $this->session['user']['is_admin'] === true;
}
/**
* Return true if the logged user is project admin
*
* @access public
* @return bool
*/
public function isProjectAdmin()
{
return isset($this->session['user']['is_project_admin']) && $this->session['user']['is_project_admin'] === true;
}
/**
* Get the connected user id
*

7
app/Schema/Mysql.php
View File

@ -6,7 +6,12 @@ use PDO;
use Core\Security;
use Model\Link;
const VERSION = 82;
const VERSION = 83;
function version_83($pdo)
{
$pdo->exec("ALTER TABLE users ADD COLUMN is_project_admin INT DEFAULT 0");
}
function version_82($pdo)
{

7
app/Schema/Postgres.php
View File

@ -6,7 +6,12 @@ use PDO;
use Core\Security;
use Model\Link;
const VERSION = 62;
const VERSION = 63;
function version_63($pdo)
{
$pdo->exec("ALTER TABLE users ADD COLUMN is_project_admin INTEGER DEFAULT 0");
}
function version_62($pdo)
{

7
app/Schema/Sqlite.php
View File

@ -6,7 +6,12 @@ use Core\Security;
use PDO;
use Model\Link;
const VERSION = 78;
const VERSION = 79;
function version_79($pdo)
{
$pdo->exec("ALTER TABLE users ADD COLUMN is_project_admin INTEGER DEFAULT 0");
}
function version_78($pdo)
{

2
app/Template/activity/project.php
View File

@ -19,7 +19,7 @@
<i class="fa fa-calendar fa-fw"></i>
<?= $this->url->link(t('Back to the calendar'), 'calendar', 'show', array('project_id' => $project['id'])) ?>
</li>
<?php if ($this->user->isManager($project['id'])): ?>
<?php if ($this->user->isProjectManagementAllowed($project['id'])): ?>
<li>
<i class="fa fa-cog fa-fw"></i>
<?= $this->url->link(t('Project settings'), 'project', 'show', array('project_id' => $project['id'])) ?>

2
app/Template/analytic/layout.php
View File

@ -19,7 +19,7 @@
<i class="fa fa-calendar fa-fw"></i>
<?= $this->url->link(t('Back to the calendar'), 'calendar', 'show', array('project_id' => $project['id'])) ?>
</li>
<?php if ($this->user->isManager($project['id'])): ?>
<?php if ($this->user->isProjectManagementAllowed($project['id'])): ?>
<li>
<i class="fa fa-cog fa-fw"></i>
<?= $this->url->link(t('Project settings'), 'project', 'show', array('project_id' => $project['id'])) ?>

2
app/Template/app/layout.php
View File

@ -1,7 +1,7 @@
<section id="main">
<div class="page-header page-header-mobile">
<ul>
<?php if ($this->user->isAdmin()): ?>
<?php if ($this->user->isProjectAdmin()): ?>
<li>
<i class="fa fa-plus fa-fw"></i>
<?= $this->url->link(t('New project'), 'project', 'create') ?>

2
app/Template/app/projects.php
View File

@ -16,7 +16,7 @@
<?= $this->url->link('#'.$project['id'], 'board', 'show', array('project_id' => $project['id']), false, 'dashboard-table-link') ?>
</td>
<td>
<?php if ($this->user->isManager($project['id'])): ?>
<?php if ($this->user->isProjectManagementAllowed($project['id'])): ?>
<?= $this->url->link('<i class="fa fa-cog"></i>', 'project', 'show', array('project_id' => $project['id']), false, 'dashboard-table-link', t('Settings')) ?>&nbsp;
<?php endif ?>

2
app/Template/project/dropdown.php
View File

@ -9,7 +9,7 @@
</li>
<?php endif ?>
<?php if ($this->user->isManager($project['id'])): ?>
<?php if ($this->user->isProjectManagementAllowed($project['id'])): ?>
<li>
<i class="fa fa-line-chart fa-fw"></i>
<?= $this->url->link(t('Analytics'), 'analytic', 'tasks', array('project_id' => $project['id'])) ?>

2
app/Template/project/edit.php
View File

@ -13,7 +13,7 @@
<?= $this->form->text('identifier', $values, $errors, array('maxlength="50"')) ?>
<p class="form-help"><?= t('The project identifier is an optional alphanumeric code used to identify your project.') ?></p>
<?php if ($this->user->isAdmin()): ?>
<?php if ($this->user->isAdmin() || $this->user->isProjectAdministrationAllowed($project['id'])): ?>
<?= $this->form->checkbox('is_private', t('Private project'), 1, $project['is_private'] == 1) ?>
<?php endif ?>

2
app/Template/project/index.php
View File

@ -1,7 +1,7 @@
<section id="main">
<div class="page-header">
<ul>
<?php if ($this->user->isAdmin()): ?>
<?php if ($this->user->isProjectAdmin()): ?>
<li><i class="fa fa-plus fa-fw"></i><?= $this->url->link(t('New project'), 'project', 'create') ?></li>
<?php endif ?>
<li><i class="fa fa-lock fa-fw"></i><?= $this->url->link(t('New private project'), 'project', 'create', array('private' => 1)) ?></li>

4
app/Template/project/sidebar.php
View File

@ -5,7 +5,7 @@
<?= $this->url->link(t('Summary'), 'project', 'show', array('project_id' => $project['id'])) ?>
</li>
<?php if ($this->user->isManager($project['id'])): ?>
<?php if ($this->user->isProjectManagementAllowed($project['id'])): ?>
<li>
<?= $this->url->link(t('Public access'), 'project', 'share', array('project_id' => $project['id'])) ?>
</li>
@ -42,7 +42,7 @@
<?= $this->url->link(t('Enable'), 'project', 'enable', array('project_id' => $project['id']), true) ?>
<?php endif ?>
</li>
<?php if ($this->user->isAdmin()): ?>
<?php if ($this->user->isProjectAdministrationAllowed($project['id'])): ?>
<li>
<?= $this->url->link(t('Remove'), 'project', 'remove', array('project_id' => $project['id'])) ?>
</li>

2
app/Template/task/layout.php
View File

@ -9,7 +9,7 @@
<i class="fa fa-calendar fa-fw"></i>
<?= $this->url->link(t('Back to the calendar'), 'calendar', 'show', array('project_id' => $task['project_id'])) ?>
</li>
<?php if ($this->user->isManager($task['project_id'])): ?>
<?php if ($this->user->isProjectManagementAllowed($task['project_id'])): ?>
<li>
<i class="fa fa-cog fa-fw"></i>
<?= $this->url->link(t('Project settings'), 'project', 'show', array('project_id' => $task['project_id'])) ?>

1
app/Template/user/create_local.php
View File

@ -39,6 +39,7 @@
<?= $this->form->checkbox('notifications_enabled', t('Enable notifications'), 1, isset($values['notifications_enabled']) && $values['notifications_enabled'] == 1 ? true : false) ?>
<?= $this->form->checkbox('is_admin', t('Administrator'), 1, isset($values['is_admin']) && $values['is_admin'] == 1 ? true : false) ?>
<?= $this->form->checkbox('is_project_admin', t('Project Administrator'), 1, isset($values['is_project_admin']) && $values['is_project_admin'] == 1 ? true : false) ?>
</div>
<div class="form-actions">

1
app/Template/user/create_remote.php
View File

@ -39,6 +39,7 @@
<?= $this->form->checkbox('notifications_enabled', t('Enable notifications'), 1, isset($values['notifications_enabled']) && $values['notifications_enabled'] == 1 ? true : false) ?>
<?= $this->form->checkbox('is_admin', t('Administrator'), 1, isset($values['is_admin']) && $values['is_admin'] == 1 ? true : false) ?>
<?= $this->form->checkbox('is_project_admin', t('Project Administrator'), 1, isset($values['is_project_admin']) && $values['is_project_admin'] == 1 ? true : false) ?>
<?= $this->form->checkbox('disable_login_form', t('Disallow login form'), 1, isset($values['disable_login_form']) && $values['disable_login_form'] == 1) ?>
</div>

1
app/Template/user/edit.php
View File

@ -24,6 +24,7 @@
<?php if ($this->user->isAdmin()): ?>
<?= $this->form->checkbox('is_admin', t('Administrator'), 1, isset($values['is_admin']) && $values['is_admin'] == 1) ?><br/>
<?= $this->form->checkbox('is_project_admin', t('Project Administrator'), 1, isset($values['is_project_admin']) && $values['is_project_admin'] == 1) ?><br/>
<?php endif ?>
<div class="form-actions">

15
app/Template/user/index.php
View File

@ -18,9 +18,9 @@
<th><?= $paginator->order(t('Name'), 'name') ?></th>
<th><?= $paginator->order(t('Email'), 'email') ?></th>
<th><?= $paginator->order(t('Administrator'), 'is_admin') ?></th>
<th><?= $paginator->order(t('Project Administrator'), 'is_project_admin') ?></th>
<th><?= $paginator->order(t('Two factor authentication'), 'twofactor_activated') ?></th>
<th><?= $paginator->order(t('Notifications'), 'notifications_enabled') ?></th>
<th><?= t('External accounts') ?></th>
<th><?= $paginator->order(t('Account type'), 'is_ldap_user') ?></th>
</tr>
<?php foreach ($paginator->getCollection() as $user): ?>
@ -40,6 +40,9 @@
<td>
<?= $user['is_admin'] ? t('Yes') : t('No') ?>
</td>
<td>
<?= $user['is_project_admin'] ? t('Yes') : t('No') ?>
</td>
<td>
<?= $user['twofactor_activated'] ? t('Yes') : t('No') ?>
</td>
@ -50,16 +53,6 @@
<?= t('Disabled') ?>
<?php endif ?>
</td>
<td>
<ul class="no-bullet">
<?php if ($user['google_id']): ?>
<li><i class="fa fa-google fa-fw"></i><?= t('Google account linked') ?></li>
<?php endif ?>
<?php if ($user['github_id']): ?>
<li><i class="fa fa-github fa-fw"></i><?= t('Github account linked') ?></li>
<?php endif ?>
</ul>
</td>
<td>
<?= $user['is_ldap_user'] ? t('Remote') : t('Local') ?>
</td>

2
app/Template/user/show.php
View File

@ -11,7 +11,7 @@
<h2><?= t('Security') ?></h2>
</div>
<ul class="listing">
<li><?= t('Group:') ?> <strong><?= $user['is_admin'] ? t('Administrator') : t('Regular user') ?></strong></li>
<li><?= t('Group:') ?> <strong><?= $user['is_admin'] ? t('Administrator') : ($user['is_project_admin'] ? t('Project Administrator') : t('Regular user')) ?></strong></li>
<li><?= t('Account type:') ?> <strong><?= $user['is_ldap_user'] ? t('Remote') : t('Local') ?></strong></li>
<li><?= $user['twofactor_activated'] == 1 ? t('Two factor authentication enabled') : t('Two factor authentication disabled') ?></li>
</ul>

3
docs/api-json-rpc.markdown
View File

@ -2632,6 +2632,7 @@ Response example:
- **name** (string, optional)
- **email** (string, optional)
- **is_admin** Set the value 1 for admins or 0 for regular users (integer, optional)
- **is_project_admin** Set the value 1 for project admins or 0 for regular users (integer, optional)
- Result on success: **user_id**
- Result on failure: **false**
@ -2666,6 +2667,7 @@ Response example:
- **username** (string, optional if email is set)
- **email** (string, optional if username is set)
- **is_admin** Set the value 1 for admins or 0 for regular users (integer, optional)
- **is_project_admin** Set the value 1 for project admins or 0 for regular users (integer, optional)
- Result on success: **user_id**
- Result on failure: **false**
@ -2787,6 +2789,7 @@ Response example:
- **name** (string, optional)
- **email** (string, optional)
- **is_admin** (integer, optional)
- **is_project_admin** Set the value 1 for project admins or 0 for regular users (integer, optional)
- Result on success: **true**
- Result on failure: **false**

2
docs/project-permissions.markdown
View File

@ -4,7 +4,7 @@ Project permissions
A project can have two kinds of people: **project managers** and **project members**.
- Project managers can manage the configuration of the project and access to the reports.
- Project members are standard users, they have less privileges.
- Project members can only do basic operations (create or move tasks).
When you create a new project, you are automatically assigned as a project manager.

43
docs/user-management.markdown
View File

@ -1,22 +1,45 @@
User management
===============
Group of users
--------------
Roles at the application level
------------------------------
Kanboard use a basic permission system, there is two kind of users:
Kanboard use a basic permission system, there are 3 type of users:
- Administrators
- Standard users
### Administrators
Administrator have access to everything. By example, they can add or remove projects.
- Access to everything
There is also permissions defined at the project level, users can be seen as:
### Project Administrators
- Project member
- Project manager
- Can create multi-users and private projects
- Can convert multi-users and private projects
- Can see only their own projects
- Cannot change application settings
- Cannot manage users
Project managers have more privileges than a simple user member.
### Standard Users
- Can create only private projects
- Can see only their own projects
- Cannot remove projects
Roles at the project level
--------------------------
These role are related to the project permission.
### Project Managers
- Can manage only their own projects
- Can access to reports and budget section
### Project Members
- Can do any daily operations in their projects (create and move tasks...)
- Cannot configure projects
Note: Any "Standard User" can be promotted "Project Manager" for a given project, they don't necessary need to be "Project Administrator".
Local and remote users
----------------------

88
tests/units/AclTest.php
View File

@ -35,12 +35,18 @@ class AclTest extends Base
public function testPublicActions()
{
$acl = new Acl($this->container);
$this->assertTrue($acl->isPublicAction('task', 'readonly'));
$this->assertTrue($acl->isPublicAction('board', 'readonly'));
$this->assertFalse($acl->isPublicAction('board', 'show'));
$this->assertTrue($acl->isPublicAction('feed', 'project'));
$this->assertTrue($acl->isPublicAction('feed', 'user'));
$this->assertTrue($acl->isPublicAction('ical', 'project'));
$this->assertTrue($acl->isPublicAction('ical', 'user'));
$this->assertTrue($acl->isPublicAction('oauth', 'github'));
$this->assertTrue($acl->isPublicAction('oauth', 'google'));
$this->assertTrue($acl->isPublicAction('auth', 'login'));
$this->assertTrue($acl->isPublicAction('auth', 'check'));
$this->assertTrue($acl->isPublicAction('auth', 'captcha'));
}
public function testAdminActions()
@ -54,21 +60,32 @@ class AclTest extends Base
$this->assertTrue($acl->isAdminAction('user', 'save'));
}
public function testManagerActions()
public function testProjectAdminActions()
{
$acl = new Acl($this->container);
$this->assertFalse($acl->isManagerAction('board', 'readonly'));
$this->assertFalse($acl->isManagerAction('project', 'remove'));
$this->assertFalse($acl->isManagerAction('project', 'show'));
$this->assertTrue($acl->isManagerAction('project', 'disable'));
$this->assertTrue($acl->isManagerAction('category', 'index'));
$this->assertTrue($acl->isManagerAction('project', 'users'));
$this->assertFalse($acl->isManagerAction('app', 'index'));
$this->assertFalse($acl->isProjectAdminAction('config', 'save'));
$this->assertFalse($acl->isProjectAdminAction('user', 'index'));
$this->assertTrue($acl->isProjectAdminAction('project', 'remove'));
}
public function testProjectManagerActions()
{
$acl = new Acl($this->container);
$this->assertFalse($acl->isProjectManagerAction('board', 'readonly'));
$this->assertFalse($acl->isProjectManagerAction('project', 'remove'));
$this->assertFalse($acl->isProjectManagerAction('project', 'show'));
$this->assertTrue($acl->isProjectManagerAction('project', 'disable'));
$this->assertTrue($acl->isProjectManagerAction('category', 'index'));
$this->assertTrue($acl->isProjectManagerAction('project', 'users'));
$this->assertFalse($acl->isProjectManagerAction('app', 'index'));
}
public function testPageAccessNoSession()
{
$acl = new Acl($this->container);
$session = new Session;
$session = array();
$this->assertFalse($acl->isAllowed('board', 'readonly'));
$this->assertFalse($acl->isAllowed('task', 'show'));
$this->assertFalse($acl->isAllowed('config', 'application'));
@ -81,7 +98,6 @@ class AclTest extends Base
{
$acl = new Acl($this->container);
$session = new Session;
$session['user'] = array();
$this->assertFalse($acl->isAllowed('board', 'readonly'));
@ -106,15 +122,60 @@ class AclTest extends Base
$this->assertTrue($acl->isAllowed('webhook', 'github'));
$this->assertTrue($acl->isAllowed('task', 'show'));
$this->assertTrue($acl->isAllowed('task', 'update'));
$this->assertTrue($acl->isAllowed('project', 'show'));
$this->assertTrue($acl->isAllowed('config', 'application'));
$this->assertTrue($acl->isAllowed('project', 'show'));
$this->assertTrue($acl->isAllowed('project', 'users'));
$this->assertTrue($acl->isAllowed('project', 'remove'));
$this->assertTrue($acl->isAllowed('category', 'edit'));
$this->assertTrue($acl->isAllowed('task', 'remove'));
$this->assertTrue($acl->isAllowed('app', 'index'));
}
public function testPageAccessManager()
public function testPageAccessProjectAdmin()
{
$acl = new Acl($this->container);
$p = new Project($this->container);
$pp = new ProjectPermission($this->container);
$u = new User($this->container);
$session = new Session;
// We create our user
$this->assertEquals(2, $u->create(array('username' => 'unittest', 'password' => 'unittest')));
// We create a project and set our user as project manager
$this->assertEquals(1, $p->create(array('name' => 'UnitTest')));
$this->assertTrue($pp->addMember(1, 2));
$this->assertTrue($pp->isMember(1, 2));
$this->assertFalse($pp->isManager(1, 2));
// We fake a session for him
$session['user'] = array(
'id' => 2,
'is_admin' => false,
'is_project_admin' => true,
);
$this->assertTrue($acl->isAllowed('board', 'readonly', 1));
$this->assertTrue($acl->isAllowed('task', 'readonly', 1));
$this->assertTrue($acl->isAllowed('webhook', 'github', 1));
$this->assertTrue($acl->isAllowed('task', 'show', 1));
$this->assertFalse($acl->isAllowed('task', 'show', 2));
$this->assertTrue($acl->isAllowed('task', 'update', 1));
$this->assertTrue($acl->isAllowed('project', 'show', 1));
$this->assertFalse($acl->isAllowed('config', 'application', 1));
$this->assertTrue($acl->isAllowed('project', 'users', 1));
$this->assertFalse($acl->isAllowed('project', 'users', 2));
$this->assertTrue($acl->isAllowed('project', 'remove', 1));
$this->assertFalse($acl->isAllowed('project', 'remove', 2));
$this->assertTrue($acl->isAllowed('category', 'edit', 1));
$this->assertTrue($acl->isAllowed('task', 'remove', 1));
$this->assertTrue($acl->isAllowed('app', 'index', 1));
}
public function testPageAccessProjectManager()
{
$acl = new Acl($this->container);
$p = new Project($this->container);
@ -144,8 +205,13 @@ class AclTest extends Base
$this->assertTrue($acl->isAllowed('task', 'update', 1));
$this->assertTrue($acl->isAllowed('project', 'show', 1));
$this->assertFalse($acl->isAllowed('config', 'application', 1));
$this->assertTrue($acl->isAllowed('project', 'users', 1));
$this->assertFalse($acl->isAllowed('project', 'users', 2));
$this->assertFalse($acl->isAllowed('project', 'remove', 1));
$this->assertFalse($acl->isAllowed('project', 'remove', 2));
$this->assertTrue($acl->isAllowed('category', 'edit', 1));
$this->assertTrue($acl->isAllowed('task', 'remove', 1));
$this->assertTrue($acl->isAllowed('app', 'index', 1));

8
tests/units/UserTest.php
View File

@ -112,6 +112,7 @@ class UserTest extends Base
$u = new User($this->container);
$this->assertNotFalse($u->create(array('username' => 'toto', 'password' => '123456', 'name' => 'Toto')));
$this->assertNotFalse($u->create(array('username' => 'titi', 'is_ldap_user' => 1)));
$this->assertNotFalse($u->create(array('username' => 'papa', 'is_project_admin' => 1)));
$this->assertFalse($u->create(array('username' => 'toto')));
$user = $u->getById(1);
@ -137,6 +138,13 @@ class UserTest extends Base
$this->assertEquals('', $user['name']);
$this->assertEquals(0, $user['is_admin']);
$this->assertEquals(1, $user['is_ldap_user']);
$user = $u->getById(4);
$this->assertNotFalse($user);
$this->assertTrue(is_array($user));
$this->assertEquals('papa', $user['username']);
$this->assertEquals(0, $user['is_admin']);
$this->assertEquals(1, $user['is_project_admin']);
}
public function testUpdate()