Changeset 1652

Timestamp:

12/30/07 15:23:58 (8 months ago)

Author:

Shadowhand

Message:

Fine-tuning the permissions on the admin part of the website:

• Only admins can edit any user, change user roles, or delete a user.
  
• Non-admins can edit their own information and manage tutorials.
  

Location:

branches/website/application

Files:

• controllers/admin.php (modified) (4 diffs)
• views/admin/edit_list.php (modified) (1 diff)

branches/website/application/controllers/admin.php

@@ -102 +102 @@
             $this->template->title = 'Manage Users';
 
-            $users = array();
-            foreach (ORM::factory('user')->find(ALL) as $user)
-            {
-                // Create a list of all users
-                $users[$user->username] = $user->username;
-            }
-
             $this->template->content = View::factory('admin/edit_list')
-                ->set('new', 'Add a new user')
-                ->set('items', $users)
                 ->set('edit_action', 'admin/manage_users')
-                ->set('delete_action', 'admin/delete_user');
+                ->set('delete_action', 'admin/delete_user')
+                ->bind('items', $items);
+
+            if ($this->user->has_role('admin'))
+            {
+                $this->template->content->set('new', 'Add a new user');
+
+                foreach (ORM::factory('user')->find(ALL) as $user)
+                {
+                    // Create a list of all users
+                    $items[$user->username] = $user->username;
+                }
+            }
+            else
+            {
+                // Show only this user
+                $items[$this->user->username] = $this->user->username;
+            }
         }
         else
@@ -145 +153 @@
             }
 
+            if ( ! $this->user->has_role('admin'))
+            {
+                // Only admins are allowed to change user roles
+                $form->roles->disabled(TRUE);
+            }
+
             if ($form->validate() AND $data = $form->as_array())
             {
@@ -165 +179 @@
                 $user->save() and $this->session->set_flash('message', '<p><strong>Success!</strong> User saved successfully.</p>');
 
-                foreach (array_diff($user->roles, $set_roles) as $role)
-                {
-                    // Remove roles that were unchecked
-                    $user->remove_role($role);
-                }
-
-                foreach (array_diff($set_roles, $user->roles) as $role)
-                {
-                    // Add new roles
-                    $user->add_role($role);
+                // Only admins are allowed to change user roles
+                if ($this->user->has_role('admin'))
+                {
+                    foreach (array_diff($user->roles, $set_roles) as $role)
+                    {
+                        // Remove roles that were unchecked
+                        $user->remove_role($role);
+                    }
+
+                    foreach (array_diff($set_roles, $user->roles) as $role)
+                    {
+                        // Add new roles
+                        $user->add_role($role);
+                    }
                 }
 
@@ -193 +211 @@
         $user = new User_Model($id);
 
-        if ($confirm === 'no' OR $user->id == 0)
+        if (! $this->user->has_role('admin') OR $confirm === 'no' OR $user->id == 0)
         {
             // Go back the to the management page

branches/website/application/views/admin/edit_list.php

@@ -18 +18 @@
 
 <ul class="edit_list">
+<?php if ($new != ''): ?>
 <li class="new"><?php echo html::anchor($edit_action.'new', $new) ?></li>
+<?php endif ?>
 <?php foreach ($items as $id => $name): ?>
 <li><?php echo html::anchor($edit_action.$id, $name) ?> <span>[<?php echo html::anchor($delete_action.$id, 'Delete') ?>]</span></li>