From ab8b98c790161ae2064c08c6770bd1a8f8151ec3 Mon Sep 17 00:00:00 2001 From: Stefan Ritt Date: Tue, 19 Nov 2019 14:03:37 +0100 Subject: [PATCH] Implemented "Admin restrict edit time" --- doc/config.html | 174 ++++++++++++++++++++++++++++++++---------------- src/elogd.c | 65 +++++++++++++----- 2 files changed, 163 insertions(+), 76 deletions(-) diff --git a/doc/config.html b/doc/config.html index 917098b6..cd45b922 100755 --- a/doc/config.html +++ b/doc/config.html @@ -16,11 +16,13 @@
ELOG - Syntax of elogd.cfg -

+ +

+ +

+ +
Global and individual logbook options for an ELOG server
@@ -106,7 +109,7 @@ Use Mail Subject = Location Turn on Secure Socket Layer transport. If SSL is on, one can connect via https://... to the elogd daemon. If the URL = directive is used, make sure to use - https://... instead of http://... + https://... instead of http://... there. The ELOG distribution contains a simple self-signed certificate in the ssl subdirectory. One can replace this certificate and key with a real ceritficate to avoid browser pop-up @@ -199,7 +202,8 @@ Use Mail Subject = Location
 Welcome title = <img src="welcome.jpg"><p><font size=5 color=white>Welcome to our Elog</font>
-

+ +
This displays an image and a text below.
  • @@ -272,7 +276,7 @@ Welcome title = <img src="welcome.jpg"><p><font size=5 color=whit -t switch when starting elogd. This is necessary since the password is encrypted. To set your SMPT password, enter on the command line: -
    +      
     elogd -t <your password>
     
  • @@ -432,7 +436,8 @@ Group Windows PCs = 98, ME, NT, XP, CE Group CE = 1.0, 2.0 -The logbook tabs would then look like this: + +The logbook tabs would then look like this:

    @@ -476,7 +481,8 @@ Password file = admin.pwd Admin user = bill -Note that there can be a [global] section for each + +Note that there can be a [global] section for each top level group of logbooks. The rule is that a configuration setting in an individual logbook section overrides a setting in the [global <top group>] setting, which by itsel overrides a setting @@ -566,7 +572,8 @@ not wanted, it can be disabled by setting Show top groups = elog.css. If different CSS'es should be used for different output media, this can be accomplished with a comma- separated list in the form - CSS = <file1>&<media1>,<file2>&<media2>. This will then be translated into separate style sheet + CSS = <file1>&<media1>,<file2>&<media2>. This will then be + translated into separate style sheet statements for the different media. For example a statement CSS = default.css&screen,print.css&print @@ -617,7 +624,7 @@ not wanted, it can be disabled by setting Show top groups = Date format = <string>
    This option determines how the date is displayed from attributes which are of type "date". The format of the string is the same as the C - function strftime, so a string of %A, %B %d, + function strftime, so a string of %A, %B %d, %Y yields in a display of Thursday, November 15, 2001 for example. @@ -639,7 +646,8 @@ not wanted, it can be disabled by setting Show top groups = <li><a href="?cmd=new">Enter</a> a new message <li><a href="?cmd=find">Search</a> the logbook </ul> -The file must be present in the resource directory. Alternatively, an + + The file must be present in the resource directory. Alternatively, an absolute path can be used if the file name starts with a "/" (Unix) or "\" or "x:" (Windows). @@ -652,7 +660,8 @@ not wanted, it can be disabled by setting Show top groups = ?cmd=xxx. To start with the search page, one uses
     Start page = ?cmd=Find
    -
    Please note that if another language than English is selected via the + + Please note that if another language than English is selected via the Language = xxx option, the commands have to be in that language as well (like "Start page = 0?cmd=Letzter" for German). @@ -664,7 +673,8 @@ Start page = ?cmd=Find <h1>You successfully submitted a message</h1> <a href="?cmd=Back">Back</a> to the logbook<p> <a href="?cmd=New">Enter</a> another message -The file must be present in the logbook directory. Alternatively, an + + The file must be present in the logbook directory. Alternatively, an absolute path can be used if the file name starts with a "/" (Unix) or "\" or "x:" (Windows). @@ -749,7 +759,8 @@ Start page = ?cmd=Find
  • Help - General help
  • -
    + +

    The commands are always in English, independent of the language = ... setting, and are automatically @@ -758,7 +769,8 @@ Start page = ?cmd=Find If this option is not present, following default is used:
     Menu commands = List, New, Edit, Delete, Reply, Duplicate, Find, Config, Help
    -

    + +
  • Copy to = <logbook list> @@ -878,7 +890,8 @@ Guest menu commands = List, Find, Login, Help selection page like:
     <center><a href="/">Main page</a></center>
    -
    Or it can contain other useful links. If a file is specified, it must be + + Or it can contain other useful links. If a file is specified, it must be present in the logbook directory. Alternatively, an absolute path can be used if the file name starts with a "/" (Unix) or "\" or "x:" (Windows). @@ -942,6 +955,13 @@ Guest menu commands = List, Find, Login, Help ensure that old entries cannot be modified. Hours can also be fractional, like 0.5 for 30 min.
  • +
  • + Admin restrict edit time = <hours>
    + Same option for admin users. This can be useful if normal users are + not allowed to change entries after "restrict edit time", but an admin + user should be allowed to do so. Setting this to zero disables any + restriction for admin users and they can edit entries forever. +
  • Max content length = <bytes>
    This option restricts the size of attachments. When very large @@ -994,10 +1014,12 @@ Guest menu commands = List, Find, Login, Help with the original image size, and can then be resized and rotated interactively with the image manipulation buttons:

    -

    + +

    - Setting Thumbnail size = 0 turns off the thumbnail - creation.

    + Setting Thumbnail size = 0 turns off the thumbnail + creation. +

  • Thumbnail options = <options>
    @@ -1006,7 +1028,8 @@ Guest menu commands = List, Find, Login, Help used is the -density option to increase the image quality when converting from PDF or EPS files.

  • - + +
    Attributes @@ -1027,8 +1050,9 @@ Guest menu commands = List, Find, Login, Help
  • Locked by
  • Attachment
  • Path -

    - since these are used internally by elog. + +

    + since these are used internally by elog.

  • Options <attribute> = <list>
    @@ -1068,7 +1092,8 @@ Options town = San Francisco, "Paris, Texas", "Paris, France" checked for an entry. The attribue value then becomes
     <value1> | <value2> | ...
    -
    In the "find" page only one of these values can be specified, + + In the "find" page only one of these values can be specified, which is then treated as a substring in the search filter.
  • @@ -1079,7 +1104,8 @@ Options town = San Francisco, "Paris, Texas", "Paris, France"
     Attributes = Author, Icon, Subject...
     IOptions Icon = icon1.gif, icon2.gif, icon3.gif, ...
    -
    New icons are welcome and should be sent back to the author to be + + New icons are welcome and should be sent back to the author to be incorporated in the next version.
  • @@ -1120,7 +1146,8 @@ IOptions Icon = icon1.gif, icon2.gif, icon3.gif, ... login name for the author field like:
     Preset Author = $long_name
    -
    If the attribute should be locked at the Web submission, use the + + If the attribute should be locked at the Web submission, use the "Locked Attributes = ..." option. If a preset value is given for an attribute which has an options list, the preset value is selected in the drop down box by default.
    @@ -1247,13 +1274,15 @@ Preset on first reply Subject = Re: $Subject Delete to display a column with a delete icon to directly delete and entry
  • -
    + +
    The restriction to certain attributes can be helpful if many attributes are defined in a logbook, which usually makes the table too big to fit in the browser. The default is
     List display = ID, Date, <all attributs>
    -
    Which displays the message number, date, and all attributes. The display + + Which displays the message number, date, and all attributes. The display of the message body is controlled by the Display mode and Summary lines options. If a search goes over "all logbooks", an additional colums with the logbook name of each entry is added in @@ -1293,7 +1322,8 @@ List display = ID, Date, <all attributs>
  • $message id: The message ID
  • -
    + +
    A typical example would be
     Thread display = $subject, posted by $author on $entry time
    @@ -1327,7 +1357,8 @@ Thread display = $subject, posted by $author on $entry time
              
  • $message id: The message ID
  • -
    + +
    A typical example would be
     RSS Title = $subject, posted by $author on $entry time
    @@ -1387,12 +1418,14 @@ RSS Title = $subject, posted by $author on $entry time
                 $shell(<command>): <command> gets passed to the
                 operating system shell and the result is taken for substitution.
              
    -      
    + +
    Following example use this feature to add the remote host name to the author:
     Subst Author = $author from $remote_host
    -

    +
    +
    Following example substitutes an attribute with the contents of a file:
    @@ -1407,19 +1440,22 @@ Subst Author = $author from $remote_host
           statement
           
     Subst Number = XYZ-#####
    -
    results in automatically created attributes "Number" of the form +
    + results in automatically created attributes "Number" of the form
     XYZ-00001
     XYZ-00002
     XYZ-00003
    -
    and so on. In addition to the #'s one may specify format specifiers which +
    + and so on. In addition to the #'s one may specify format specifiers which are passed to the strftime function. This allows to create tags wich contain the current year, month and so on. Once the date part of the attribute changes, the index restarts from one. The statement
     Subst Number = XYZ-%Y-%b-###
    -
    results in automatically created attributes "Number" of the form + + results in automatically created attributes "Number" of the form
     XYZ-2005-Oct-001
     XYZ-2005-Oct-002
    @@ -1595,8 +1631,8 @@ Style importance severe = background-color:red
             
    For possible formattings, please refer to some CSS documentation. You can change the colors, font styles and sizes. The style is then valid for the - whole row of that entry.
    -
    + whole row of that entry.
    +
    For empty attributes one can specify "", such as
     Style importance "" = background-color:red
    @@ -1626,12 +1662,14 @@ Cell Style Status Under Process  = background-color:yellow
           
     http://any.company.com/telbook.cgi?search=<name>
    -
    where <name> has to be replaced by a search string. Now one can +
    + where <name> has to be replaced by a search string. Now one can construct an automatic telephonebook lookup with following options:
     Attributes = Name, Telephone, ...
     Display Telephone = <a href="http://any.company.com/telbook.cgi?search=$Name">$Name's telephone number</a>
    -
    The attribute Telephone is now automatically + + The attribute Telephone is now automatically constructed from the attribute Name and consists of a link to the company's telephonebook. The advantage of this system is if the URL of the telephonebook changes one day, only one statement in the config file has to @@ -1658,7 +1696,8 @@ Display Telephone = <a href="http://any.company.com/telbook.cgi?search=$Name" writes a notification into some file:
     Execute new = echo "New message wiht ID $message id of type $type from $long_name on $remote_host" >> /tmp/elog.log
    -

    + +
    It should be noted that this feature can impose a security problem. If someone can edit the elogd.cfg through the Config command of elogd, that person can put malicious code into elogd.cfg and @@ -1687,7 +1726,8 @@ Execute new = echo "New message wiht ID $message id of type $type from $long_nam ID display = TAG-$message id - would display the entry ID as "TAG-1","TAG-2", ... and so on. + + would display the entry ID as "TAG-1","TAG-2", ... and so on.
  • Prepend on reply = <string>
    @@ -1723,7 +1763,8 @@ ID display = TAG-$message id together with other attributes, since it is sorted as the primary key anyhow.
  • - + +
    Conditional attributes @@ -2240,12 +2281,12 @@ Options Location = Main Building{a}, New Building{b}, Old Building{c}

    Beside the Kerberos authentication, elogd version 3.0 and higher can be configured to accept a authentication done by the webserver. +

    • Authentication = Webserver
    -

    You can also combine it with other authentication methods as shown for Kerberos.

    @@ -2260,7 +2301,8 @@ Options Location = Main Building{a}, New Building{b}, Old Building{c}

    LDAP (lightweight Directory Access Protocol) has been implemented by - vykozlov in a separate branch at https://github.com/vykozlov/elog-ldap. The code has been merged into this distribution on + vykozlov in a separate branch at https://github.com/vykozlov/elog-ldap. + The code has been merged into this distribution on an as-is basis. Following info has copied from the link above:

    @@ -2296,7 +2338,8 @@ Options Location = Main Building{a}, New Building{b}, Old Building{c} PAM authentication

    -PAM (Pluggable authentication modules) support has been implemented by Jan Christoph Terasa as a separate branch at https://bitbucket.org/ritt/elog/branch/pam. + PAM (Pluggable authentication modules) support has been implemented by Jan Christoph Terasa as a separate branch at + https://bitbucket.org/ritt/elog/branch/pam.

    To use PAM in elogd, do the following: @@ -2304,7 +2347,8 @@ PAM (Pluggable authentication modules) support has been implemented by Jan Chris

    • - Compile elogd with PAM support, by either setting USE_PAM = 1 in the Makefile, or by specifying it when invoking make + Compile elogd with PAM support, by either setting USE_PAM = 1 in the + Makefile, or by specifying it when invoking make
    • Enable PAM authentication in elogd.cfg: @@ -2313,16 +2357,25 @@ PAM (Pluggable authentication modules) support has been implemented by Jan Chris
    • Password file = elogd.passwd
    • Self register = 3
    - The Password file is used to store the user names and email addresses of PAM authenticated users, since this information can not be (universally) requested via PAM. For security reasons the password file does not store a hash of the user password. + The Password file is used to store the user names and email addresses of PAM authenticated + users, since this information can not be (universally) requested via PAM. For security reasons the password file + does not store a hash of the user password. Self registration has to be enabled (Self register ≥ 1) to use PAM authentication.
  • - To be able to use PAM, the PAM module in elogd needs to be able to access the authentication facilities on the system (e.g. be able to read /etc/shadow). This can be achieved by either running elogd as root, or by specifying the appropriate SUID/GUID values for the binary.
    - WARNING: When running elogd as root, be careful when using the -x option to enable execution of commands via $shell, since the commands will be executed using the access rights of the user running elogd! + To be able to use PAM, the PAM module in elogd needs to be able to access the authentication + facilities on the system (e.g. be able to read /etc/shadow). This can be achieved by either running + elogd as root, or by specifying the appropriate SUID/GUID values for the + binary.
    + WARNING: When running elogd as root, be careful when using the -x option + to enable execution of commands via $shell, since the commands will be executed using the access + rights of the user running elogd!
    +
  • - Please note that it is not possible to change the PAM password within ELOG. Instead, please use the available methods on the system + Please note that it is not possible to change the PAM password within ELOG. Instead, please use the available methods + on the system

    @@ -2412,7 +2465,7 @@ PAM (Pluggable authentication modules) support has been implemented by Jan Chris for the "From:" field in the email. Since more and more email servers do not accept invalid "From:" addresses in order to reduce spam mail, it might be important that a "real" email address is used in - the "From:" field. If Use Email From is + the "From:" field. If Use Email From is present, it is always used. If not, the email address of the currently logged in user is used for the "From:" field. If no user is logged in, or the current user has not specified a email address in the password @@ -2442,7 +2495,7 @@ PAM (Pluggable authentication modules) support has been implemented by Jan Chris

    - The option Use Email URL = <URL> can be used to + The option Use Email URL = <URL> can be used to set the URL of the ELOG logbook used in email notifications. This can be useful if no URL = ... statement is used form some reason. @@ -2542,7 +2595,7 @@ PAM (Pluggable authentication modules) support has been implemented by Jan Chris

  • Allowed encoding = <n>
    - Allowed encoding options. <n> can be the sum of + Allowed encoding options. <n> can be the sum of following flags:
    • 1 : Plain @@ -2553,7 +2606,7 @@ PAM (Pluggable authentication modules) support has been implemented by Jan Chris
    To allow plain and HTML encoding for example, set - <n> to 5. Default is 7. Note that + <n> to 5. Default is 7. Note that allowing HTML encoding may cause some security risk, since an elog entry may contain malicious scripting code. It should therefor only be allowed for installations where it is really needed and with no @@ -2625,7 +2678,8 @@ PAM (Pluggable authentication modules) support has been implemented by Jan Chris
  • 64: Send names of optional attachments
  • - So to send for example only the attributes and the URL, set + + So to send for example only the attributes and the URL, set <n> to 6. Default is 63 (send everything).
  • @@ -2640,7 +2694,8 @@ PAM (Pluggable authentication modules) support has been implemented by Jan Chris
  • 4 : Full HTML page as shown in elog
  • - So to send email in plain text and full HTML, set <n> to + + So to send email in plain text and full HTML, set <n> to 5. Some email clients have the possibility then to switch from one view to the other. Default is 2. @@ -2704,7 +2759,8 @@ PAM (Pluggable authentication modules) support has been implemented by Jan Chris 3: Messages and replies are displayed together with the full message body. - The default is 1. + + The default is 1.
  • Hidden = 0|1
    @@ -3076,7 +3132,8 @@ elogd -v -C http://master.your.domain Once every hour from 7:00 to 18:00 from Monday to Friday -
    + +

    Valid ranges for each value are:

    @@ -3121,7 +3178,8 @@ elogd -v -C http://master.your.domain 0-6 with 0=Sunday, 1=Monday, etc. -
    + +

    If mirroring is turned on, it is advisable to use the Logfile = option to turn on logging, so that diff --git a/src/elogd.c b/src/elogd.c index 98f47c43..ddf5f829 100755 --- a/src/elogd.c +++ b/src/elogd.c @@ -10026,16 +10026,31 @@ void show_edit_form(LOGBOOK * lbs, int message_id, BOOL breply, BOOL bedit, BOOL } /* check for editing interval */ - if (bedit && getcfg(lbs->name, "Restrict edit time", str, sizeof(str))) { - for (i = 0; i < *lbs->n_el_index; i++) - if (lbs->el_index[i].message_id == message_id) - break; + if (is_admin_user(lbs, getparam("unm"))) { + if (bedit && getcfg(lbs->name, "Admin Restrict edit time", str, sizeof(str))) { + for (i = 0; i < *lbs->n_el_index; i++) + if (lbs->el_index[i].message_id == message_id) + break; - if (i < *lbs->n_el_index && time(NULL) > lbs->el_index[i].file_time + atof(str) * 3600) { - sprintf(str, loc("Entry can only be edited %1.2lg hours after creation"), atof(str)); - show_error(str); - xfree(text); - return; + if (i < *lbs->n_el_index && time(NULL) > lbs->el_index[i].file_time + atof(str) * 3600 && atof(str) > 0) { + sprintf(str, loc("Entry can only be edited %1.2lg hours after creation"), atof(str)); + show_error(str); + xfree(text); + return; + } + } + } else { + if (bedit && getcfg(lbs->name, "Restrict edit time", str, sizeof(str))) { + for (i = 0; i < *lbs->n_el_index; i++) + if (lbs->el_index[i].message_id == message_id) + break; + + if (i < *lbs->n_el_index && time(NULL) > lbs->el_index[i].file_time + atof(str) * 3600) { + sprintf(str, loc("Entry can only be edited %1.2lg hours after creation"), atof(str)); + show_error(str); + xfree(text); + return; + } } } 
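Review bot: In the new admin branch of show_edit_form an admin is no longer subject to any edit-time limit when `Admin Restrict edit time` is absent, because the branch no longer falls through to `Restrict edit time`; the doc hunk only says that a value of zero lifts the limit, so either the docs should state that the absent key lifts it too, or the admin lookup should fall back to the general key. The two branches differ only in the config key and the `atof(str) > 0` guard, and the same structure is repeated in submit_elog (second hunk), so a single block keyed on the admin flag would keep the two enforcement points from drifting. Whether `getparam("unm")` reflects the authenticated session rather than a client-supplied field is not visible here and is worth confirming, since that value now decides which limit, if any, applies. The `sprintf(str, loc(...), ...)` copied into both new branches writes a translated message into `str` without a bound; `snprintf(str, sizeof(str), ...)` would match the bounded `getcfg` call above it. show_edit_form starts and ends outside the hunk.
```c
   /* check for editing interval; admins use "Admin Restrict edit time",
      where a value of 0 means "no restriction" */
   if (bedit) {
      BOOL admin = is_admin_user(lbs, getparam("unm"));
      const char *key = admin ? "Admin Restrict edit time" : "Restrict edit time";

      if (getcfg(lbs->name, key, str, sizeof(str))) {
         double hours = atof(str);

         for (i = 0; i < *lbs->n_el_index; i++)
            if (lbs->el_index[i].message_id == message_id)
               break;

         if (i < *lbs->n_el_index && (!admin || hours > 0)
             && time(NULL) > lbs->el_index[i].file_time + hours * 3600) {
            snprintf(str, sizeof(str), loc("Entry can only be edited %1.2lg hours after creation"), hours);
            show_error(str);
            xfree(text);
            return;
         }
      }
   }
```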
@@ -23113,15 +23128,29 @@ void submit_elog(LOGBOOK * lbs) /* check for editing interval */ - if (bedit && getcfg(lbs->name, "Restrict edit time", str, sizeof(str))) { - for (i = 0; i < *lbs->n_el_index; i++) - if (lbs->el_index[i].message_id == atoi(getparam("edit_id"))) - break; - - if (i < *lbs->n_el_index && time(NULL) > lbs->el_index[i].file_time + atof(str) * 3600) { - sprintf(str, loc("Entry can only be edited %1.2lg hours after creation"), atof(str)); - show_error(str); - return; + if (is_admin_user(lbs, getparam("unm"))) { + if (bedit && getcfg(lbs->name, "Admin Restrict edit time", str, sizeof(str))) { + for (i = 0; i < *lbs->n_el_index; i++) + if (lbs->el_index[i].message_id == atoi(getparam("edit_id"))) + break; + + if (i < *lbs->n_el_index && time(NULL) > lbs->el_index[i].file_time + atof(str) * 3600 && atof(str) > 0) { + sprintf(str, loc("Entry can only be edited %1.2lg hours after creation"), atof(str)); + show_error(str); + return; + } + } + } else { + if (bedit && getcfg(lbs->name, "Restrict edit time", str, sizeof(str))) { + for (i = 0; i < *lbs->n_el_index; i++) + if (lbs->el_index[i].message_id == atoi(getparam("edit_id"))) + break; + + if (i < *lbs->n_el_index && time(NULL) > lbs->el_index[i].file_time + atof(str) * 3600) { + sprintf(str, loc("Entry can only be edited %1.2lg hours after creation"), atof(str)); + show_error(str); + return; + } } }