From d2f7ccfd1bab830e7758b3af4a70dc31e64327f3 Mon Sep 17 00:00:00 2001
From: Sebastian Reichel
Date: Sat, 14 Feb 2015 22:53:22 +0100
Subject: web: more detailed authentication system

---
 src/database/database.vala | 8 +++++++-
 src/database/db-interface.vala | 3 +++
 src/web/template.vala | 3 ++-
 src/web/web.vala | 23 +++++++++++++----------
 src/web/websession.vala | 21 +++++++++++++++++++++
 5 files changed, 46 insertions(+), 12 deletions(-)
(limited to 'src')

diff --git a/src/database/database.vala b/src/database/database.vala
index ddc71d4..9335b35 100644
--- a/src/database/database.vala
+++ b/src/database/database.vala
@@ -103,7 +103,7 @@ public class DataBase : Object {
 queries["password_get"] = "SELECT password FROM authentication WHERE user = ?";
 queries["password_set"] = "UPDATE authentication SET password=? WHERE user = ?";
 queries["userinfo"] = "SELECT firstname, lastname, email, gender, street, plz, city, pgp FROM users WHERE id = ?";
- queries["userauth"] = "SELECT disabled, superuser FROM authentication WHERE user = ?";
+ queries["userauth"] = "SELECT disabled, superuser, auth_users, auth_products, auth_cashbox FROM authentication WHERE user = ?";
 queries["profit_by_product"] = "SELECT name, SUM(memberprice - (SELECT price FROM purchaseprices WHERE product = purch.product)) AS price FROM sales purch, prices, products WHERE purch.product = products.id AND purch.product = prices.product AND purch.user > 0 AND purch.timestamp > ? AND purch.timestamp < ? AND prices.valid_from = (SELECT valid_from FROM prices WHERE product = purch.product AND valid_from < purch.timestamp ORDER BY valid_from DESC LIMIT 1) GROUP BY name ORDER BY price;";
 queries["invoice"] = "SELECT timestamp, id AS productid, name AS productname, CASE WHEN user < 0 THEN (SELECT price FROM purchaseprices WHERE purchaseprices.product = id) else (SELECT CASE WHEN user=0 THEN guestprice else memberprice END FROM prices WHERE product = id AND valid_from <= timestamp ORDER BY valid_from DESC LIMIT 1) END AS price FROM sales INNER JOIN products ON sales.product = products.id WHERE user = ? AND timestamp >= ? AND timestamp <= ? ORDER BY timestamp";
 queries["purchase_first"] = "SELECT timestamp FROM sales WHERE user = ? ORDER BY timestamp ASC LIMIT 1";
@@ -558,6 +558,9 @@ public class DataBase : Object {
 result.id = user;
 result.disabled = false;
 result.superuser = false;
+ result.auth_cashbox = false;
+ result.auth_products = false;
+ result.auth_users = false;
 statements["userauth"].reset();
 statements["userauth"].bind_int(1, user);
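Review bot: The new `userauth` SELECT list is bound purely by position to the `column_int(0..4)` reads in the `@@ -566,6 +569,9 @@` hunk, so a later reordering of either side would silently swap privilege flags (auth_users read as auth_cashbox and vice versa) without any compiler or runtime error. The order does line up today (disabled, superuser, auth_users, auth_products, auth_cashbox against indices 0 to 4), but a comment on the query line such as `/* column order must match the column_int() indices in the userauth reader below */` would make the coupling visible to the next editor. The three new columns of the `authentication` table are not created anywhere in this diff; since the diff is limited to src/, I assume the schema change ships separately, but it is worth confirming that existing rows default to 0 so the flags fail closed. The defaults set to false in the `@@ -558,6 +558,9 @@` hunk already give that behaviour when no row is found.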
@@ -566,6 +569,9 @@ public class DataBase : Object {
 if(rc == Sqlite.ROW) {
 result.disabled = statements["userauth"].column_int(0) == 1;
 result.superuser = statements["userauth"].column_int(1) == 1;
+ result.auth_users = statements["userauth"].column_int(2) == 1;
+ result.auth_products = statements["userauth"].column_int(3) == 1;
+ result.auth_cashbox = statements["userauth"].column_int(4) == 1;
 } else if(rc == Sqlite.DONE) {
 /* entry not found, we return defaults */
 } else {
diff --git a/src/database/db-interface.vala b/src/database/db-interface.vala
index 6ec77eb..5042c7f 100644
--- a/src/database/db-interface.vala
+++ b/src/database/db-interface.vala
@@ -115,6 +115,9 @@ public struct UserAuth {
 public int id;
 public bool disabled;
 public bool superuser;
+ public bool auth_cashbox;
+ public bool auth_products;
+ public bool auth_users;
 }
 public struct Product {
diff --git a/src/web/template.vala b/src/web/template.vala
index 690de00..b5265d8 100644
--- a/src/web/template.vala
+++ b/src/web/template.vala
@@ -66,7 +66,8 @@ public class WebTemplate {
 this.template = this.template.replace("{{{CONTENT}}}", ((string) template));
 this.template = this.template.replace("{{{USERNAME}}}", login.name);
 this.template = this.template.replace("{{{USERID}}}", "%d".printf(login.user));
- this.template = this.template.replace("{{{SUPERUSER}}}", login.superuser ? "" : "hidden");
+ this.template = this.template.replace("{{{AUTH_USERS}}}", (login.superuser || login.auth_users) ? "" : "hidden");
+ this.template = this.template.replace("{{{AUTH_CASHBOX}}}", (login.superuser || login.auth_cashbox) ? "" : "hidden");
 }
 public WebTemplate.DATA(string file) throws TemplateError {
diff --git a/src/web/web.vala b/src/web/web.vala
index aa00586..db32974 100644
--- a/src/web/web.vala
+++ b/src/web/web.vala
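Review bot: In the template.vala hunk the `{{{SUPERUSER}}}` placeholder is no longer substituted, so any template file that still contains it will render the literal text rather than `hidden`; if that placeholder is used as a CSS class, as the `"" : "hidden"` pattern suggests, the affected element becomes visible to everyone. The template files are outside this diff, which is limited to src/, so I cannot confirm they were all migrated to `{{{AUTH_USERS}}}` and `{{{AUTH_CASHBOX}}}`. No `{{{AUTH_PRODUCTS}}}` placeholder is emitted although `auth_products` now exists, so a products entry in the shared layout cannot be gated per user the way users and cashbox are; this is only navigation visibility, since the handlers in web.vala still answer 403 server-side. A comment above this constructor listing the placeholders WebTemplate substitutes, e.g. `/* substituted: CONTENT, USERNAME, USERID, AUTH_USERS, AUTH_CASHBOX (empty when allowed, "hidden" otherwise) */`, would help template authors keep in sync. The constructor starts outside the hunk.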
@@ -87,7 +87,7 @@ public class WebServer {
 void handler_user_list(Soup.Server server, Soup.Message msg, string path, GLib.HashTable? query, Soup.ClientContext client) {
 try {
 var session = new WebSession(server, msg, path, query, client);
- if(!session.superuser) {
+ if(!session.superuser && !session.auth_users) {
 handler_403(server, msg, path, query, client);
 return;
 }
@@ -122,7 +122,7 @@ public class WebServer {
 void handler_user_pgp_import(Soup.Server server, Soup.Message msg, string path, GLib.HashTable? query, Soup.ClientContext client) {
 try {
 var session = new WebSession(server, msg, path, query, client);
- if(!session.superuser) {
+ if(!session.superuser && !session.auth_users) {
 handler_403(server, msg, path, query, client);
 return;
 }
@@ -175,7 +175,7 @@ public class WebServer {
 void handler_user_import(Soup.Server server, Soup.Message msg, string path, GLib.HashTable? query, Soup.ClientContext client) {
 try {
 var session = new WebSession(server, msg, path, query, client);
- if(!session.superuser) {
+ if(!session.superuser && !session.auth_users) {
 handler_403(server, msg, path, query, client);
 return;
 }
@@ -302,6 +302,9 @@ public class WebServer {
 var userauth = db.get_user_auth(id);
 t.replace("DISABLED", userauth.disabled ? "true" : "false");
 t.replace("ISSUPERUSER", userauth.superuser ? "true" : "false");
+ t.replace("HAS_AUTH_PRODUCTS", userauth.auth_products ? "true" : "false");
+ t.replace("HAS_AUTH_CASHBOX", userauth.auth_cashbox ? "true" : "false");
+ t.replace("HAS_AUTH_USERS", userauth.auth_users ? "true" : "false");
 var postdata = Soup.Form.decode_multipart(msg, null, null, null, null);
 if(postdata != null && postdata.contains("password1") && postdata.contains("password2")) {
@@ -488,7 +491,7 @@ public class WebServer {
 t.replace("DATA", table);
- if(l.superuser)
+ if(l.superuser || l.auth_products)
 t.replace("NEWPRODUCT", "block");
 else
 t.replace("NEWPRODUCT", "none");
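Review bot: The authorization test `if(!session.superuser && !session.auth_users) {` is now hand-written per handler, and the same shape with `auth_products` and `auth_cashbox` recurs in the `-122`, `-175`, `-583`, `-630`, `-688`, `-913` and `-939` hunks, so the rule that superuser implies every role is encoded in nine places and a single slip (a dropped `!`, or `||` instead of `&&`) in any of them silently widens access. A read-only predicate on WebSession, e.g. `public bool can_manage_users { get { return superuser || auth_users; } }` with products and cashbox equivalents, would let each handler read `if(!session.can_manage_users) {` and keep the policy in one reviewable spot; the `-488` and `-523` UI toggles written as `l.superuser || l.auth_products` could use the same accessor. Each handler starts before and ends after its hunk, so I cannot see whether `session.disabled` is also consulted before the role check; that is pre-existing behaviour but worth confirming while the checks are being touched.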
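Review bot: The `-302` hunk renders `HAS_AUTH_PRODUCTS`, `HAS_AUTH_CASHBOX` and `HAS_AUTH_USERS` for the user being edited, but nothing in this diff writes those flags back, so it is unclear whether the edit form is meant to let an administrator change them. If it is, note that the user-management handlers in the `-87`, `-122` and `-175` hunks are now open to `auth_users` holders as well as superusers, so the write path must be restricted to `session.superuser` alone or an `auth_users` holder could grant themselves the products and cashbox roles through their own user record. A short comment at the replacements, `/* role flags are display-only here; they are changed via the database, never via this form */` (or the opposite, if a write path exists elsewhere), would pin down the intent. The enclosing handler starts and ends outside the hunk.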
@@ -523,7 +526,7 @@ public class WebServer {
 /* amount */
 t.replace("AMOUNT", "%d".printf(db.get_product_amount(id)));
- if(l.superuser)
+ if(l.superuser || l.auth_products)
 t.replace("ISADMIN", "block");
 else
 t.replace("ISADMIN", "none");
@@ -583,7 +586,7 @@ public class WebServer {
 template.replace("TITLE", "KtT Shop System: New Product");
 template.menu_set_active("products");
- if(!session.superuser) {
+ if(!session.superuser && !session.auth_products) {
 handler_403(server, msg, path, query, client);
 return;
 }
@@ -630,7 +633,7 @@ public class WebServer {
 try {
 var session = new WebSession(server, msg, path, query, client);
- if(!session.superuser) {
+ if(!session.superuser && !session.auth_products) {
 handler_403(server, msg, path, query, client);
 return;
 }
@@ -688,7 +691,7 @@ public class WebServer {
 var session = new WebSession(server, msg, path, query, client);
 int64 timestamp = (new DateTime.now_utc()).to_unix();
- if(!session.superuser) {
+ if(!session.superuser && !session.auth_products) {
 handler_403(server, msg, path, query, client);
 return;
 }
@@ -913,7 +916,7 @@ public class WebServer {
 try {
 var session = new WebSession(server, msg, path, query, client);
- if(!session.superuser) {
+ if(!session.superuser && !session.auth_cashbox) {
 handler_403(server, msg, path, query, client);
 return;
 }
@@ -939,7 +942,7 @@ public class WebServer {
 try {
 var session = new WebSession(server, msg, path, query, client);
- if(!session.superuser) {
+ if(!session.superuser && !session.auth_cashbox) {
 handler_403(server, msg, path, query, client);
 return;
 }
diff --git a/src/web/websession.vala b/src/web/websession.vala
index 1dc6319..a3bf973 100644
--- a/src/web/websession.vala
+++ b/src/web/websession.vala
@@ -44,6 +44,21 @@ public class WebSession {
 private set;
 default = false;
 }
+ public bool auth_cashbox {
+ get;
+ private set;
+ default = false;
+ }
+ public bool auth_products {
+ get;
+ private set;
+ default = false;
+ }
+ public bool auth_users {
+ get;
+ private set;
+ default = false;
+ }
 public bool disabled {
 get;
 private set;
@@ -71,6 +86,9 @@ public class WebSession {
 var auth = db.get_user_auth(user);
 this.disabled = auth.disabled;
 this.superuser = auth.superuser;
+ this.auth_cashbox = auth.auth_cashbox;
+ this.auth_products = auth.auth_products;
+ this.auth_users = auth.auth_users;
 this.logged_in = true;
 }
@@ -78,6 +96,9 @@ public class WebSession {
 if(logged_in) {
 db.set_sessionid(user, "");
 superuser = false;
+ auth_cashbox = false;
+ auth_products = false;
+ auth_users = false;
 logged_in = false;
 }
 }
--
cgit v1.2.3
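Review bot: The three new properties carry no comment saying what each one grants, and nothing in WebSession itself records that `superuser` is meant to imply all of them; that rule is applied only at the call sites in web.vala and template.vala, so a reader of this file alone would not know the flags are subordinate to superuser. A comment block above `public bool auth_cashbox {` such as `/* per-area permissions loaded from the authentication table (cashbox, products, users); superuser implies all three, the callers apply that rule */` would capture the contract next to the declarations. Keeping the setters `private` and the `default = false` declarations, together with the explicit reset in the `-78` hunk on logout, gives the flags a fail-closed shape, which is the right design; the `-71` hunk copies them from `db.get_user_auth(user)` consistently. The methods containing the `-71` and `-78` hunks start outside the hunks.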