forked from raffaelj/cockpit_rljUtils
-
Notifications
You must be signed in to change notification settings - Fork 0
/
admin.php
148 lines (93 loc) · 4.19 KB
/
admin.php
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
<?php
$this->on('admin.init', function() use ($hardening) {
if ($this->module('cockpit')->isSuperAdmin()) {
// bind admin routes
$this->bindClass('rljUtils\\Controller\\Admin', 'rljutils');
// add settings entry
$this->on('cockpit.view.settings.item', function () {
$this->renderView('rljutils:views/partials/settings.php');
});
}
// restrict built-in helper functions
// deny request for `find` and `_find`
if ($hardening['collections_find']) {
$this->bind('/collections/find', function(){
$collection = $this->param('collection');
if (!$this->module('collections')->hasaccess($collection, 'entries_view')) {
return $this->helper('admin')->denyRequest();
} else {
return $this->invoke('Collections\\Controller\\Admin', 'find');
}
});
}
if ($hardening['collections_tree']) {
// deny request for `tree`
$this->bind('/collections/tree', function() {
$collection = $this->param('collection');
if (!$this->module('collections')->hasaccess($collection, 'entries_view')) {
return $this->helper('admin')->denyRequest();
} else {
return $this->invoke('Collections\\Controller\\Admin', 'tree');
}
});
}
if ($hardening['collections_collections']) {
// don't list collections schema of restricted collections
$this->bind('/collections/_collections', function() {
return $this->module('collections')->getCollectionsInGroup(null, false);
});
}
if ($hardening['accounts_find']) {
// to do: $this->app->trigger('cockpit.accounts.disguise', [&$account]);
// disable user lists for non-admins,
// non-admins must send a user id to receive the user name
$this->bind('/accounts/find', function() {
if ($this->module('cockpit')->hasaccess('cockpit', 'accounts')) {
return $this->invoke('Cockpit\\Controller\\Accounts', 'find');
}
// deny request to list all users
$options = $this->param('options', []);
if (!isset($options['filter']['_id'])) {
return $this->helper('admin')->denyRequest();
}
$accounts = $this->invoke('Cockpit\\Controller\\Accounts', 'find');
$allowed = [
'user',
'name',
'group', // dashboard group info
'_id' // used by cp-account field, page breaks if omitted
];
foreach ($accounts['accounts'] as $key => $account) {
$accounts['accounts'][$key] = array_intersect_key($account, array_flip($allowed));
}
return $accounts;
});
}
if ($hardening['assetsmanager']) {
// deny access to assetsmanager
if (!$this->module('cockpit')->hasaccess('cockpit', 'assets')) {
$this->bind('/assetsmanager', function() {
return $this->helper('admin')->denyRequest();
});
$this->bind('/assetsmanager/*', function() {
return $this->helper('admin')->denyRequest();
});
// remove assets link in settings dropdown
$this->helper('admin')->addAssets('rljutils:assets/hideassets.js');
}
}
if ($hardening['disable_getLinkedOverview']) {
if (!$this->module('cockpit')->isSuperAdmin()) {
// disable route
$this->bind('/collections/utils/getLinkedOverview', function() {
return $this->helper('admin')->denyRequest();
});
// hide LINKED button
$this->on('collections.entry.aside', function($collection) {
// target first button in sidebar to keep JSON button visible for admins
// might break if markup changes in future updates
echo '<script>this.on("mount", function() {App.$(".app-main > div > [data-is] > .uk-grid > .uk-width-medium-1-4 .uk-button-group .uk-button:first-child()").addClass("uk-hidden");});</script>';
});
}
}
});