Fix for https://bugs.cacert.org/view.php?id=1003

Provide a possibility to regularly review the permissions in the system

scripts/cron/permissionreview.php

@@ -21,19 +21,71 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
 require_once(dirname(__FILE__).'/../../includes/mysql.php');
 
 $BOARD_PRIVATE = 'cacert-board-private@lists.cacert.org';
+$ASSURANCE_OFFICER = 'ao@cacert.org';
+$ORGANISATION_ASSURANCE_OFFICER = 'oao@cacert.org';
 
+
+//defines to whom to send the lists
 $flags = array(
-	'admin' => 'Support Engineer',
-	'orgadmin' => 'Organisation Assurer',
-	'board' => 'Board Member',
-	'ttpadmin' => 'Trusted Third Party Admin',
-	'tverify' => 'Tverify Admin',
-	'locadmin' => 'Location Admin'
+	'admin' => array(
+			'name'    => 'Support Engineer',
+			'own'     => false, //Don't send twice
+			'board'   => true,
+			'support' => true,
+			'ao'      => false,
+			'oao'     => false
+			),
+	
+	'orgadmin' => array(
+			'name'    => 'Organisation Assurer',
+			'own'     => true,
+			'board'   => true,
+			'support' => true,
+			'ao'      => true,
+			'oao'     => true
+			),
+	
+	'board' => array(
+			'name'    => 'Board Member',
+			'own'     => false,
+			'board'   => true,
+			'support' => true,
+			'ao'      => true,
+			'oao'     => false
+			),
+	
+	'ttpadmin' => array(
+			'name'    => 'Trusted Third Party Admin',
+			'own'     => true,
+			'board'   => true,
+			'support' => true,
+			'ao'      => true,
+			'oao'     => true
+			),
+	
+	'tverify' => array(
+			'name'    => 'Tverify Admin',
+			'own'     => false,
+			'board'   => true,
+			'support' => true,
+			'ao'      => true,
+			'oao'     => false
+			),
+	
+	'locadmin' => array(
+			'name'    => 'Location Admin',
+			'own'     => false,
+			'board'   => true,
+			'support' => true,
+			'ao'      => false,
+			'oao'     => false
+			),
 	);
 
-$adminlist = array();
 
-foreach ($flags as $flag => $description) {
+// Build up list of various admins
+$adminlist = array();
+foreach ($flags as $flag => $flag_properties) {
 	$query = "select `fname`, `lname`, `email` from `users` where `$flag` = 1";
 	if(! $res = mysql_query($query) ) {
 		fwrite(STDERR,
@@ -45,37 +97,95 @@ foreach ($flags as $flag => $description) {
 		continue;
 	}
 	
-	$admins = array();
-	$adminlist[$flag] = "";
+	$adminlist[$flag] = array();
 	
 	while ($row = mysql_fetch_assoc($res)) {
-		$admins[] = $row;
-		$adminlist[$flag] .= "$row[fname] $row[lname] $row[email]\n";
+		$adminlist[$flag][] = $row;
 	}
 	
-	foreach ($admins as $admin) {
+	
+	// Send mail to admins of this group if 'own' is set
+	if ($flag_properties['own']) {
+		foreach ($adminlist[$flag] as $admin) {
 			$message = <<<EOF
 Hello $admin[fname],
 
-you get this message, because you are listed as $description on
+you get this message, because you are listed as $flag_properties[name] on
 CAcert.org. Please review the following list of persons with the same privilege
 and report to the responsible team leader or board
 ($BOARD_PRIVATE) if you spot any errors.
 
-$adminlist[$flag]
+
+EOF;
+			
+			foreach ($adminlist[$flag] as $colleague) {
+				$message .= "$colleague[fname] $colleague[lname] $colleague[email]\n";
+			}
+			
+			$message .= <<<EOF
 
 
 Best Regards,
 CAcert Support
 EOF;
+			
 			sendmail($admin['email'], "Permissions Review", $message, 'support@cacert.org');
 		}
+	}
 }
 
 
 
+// Send to support engineers
 $message = <<<EOF
-Dear Board Members,
+Dear Support Engineers,
+
+it's time for the permission review again. Here is the list of privileged users
+in the CAcert web application. Please review them.
+
+
+EOF;
+
+foreach ($flags as $flag => $flag_properties) {
+	if ($flag_properties['support']) {
+		$message .= "List of $flag_properties[name]s:\n\n";
+		foreach ($adminlist[$flag] as $colleague) {
+			$message .= "$colleague[fname] $colleague[lname] $colleague[email]\n";
+		}
+		
+		$message .= "\n\n";
+	}
+}
+
+$message .= <<<EOF
+
+Best Regards,
+CAcert Support
+EOF;
+
+foreach ($adminlist['admin'] as $support_engineer) {
+	sendmail(
+			$support_engineer['email'],
+			"Permissions Review",
+			$message,
+			'support@cacert.org');
+}
+
+
+// Send to one-email addresses
+foreach (array(
+			'ao' => array(
+					'description' => 'Assurance Officer',
+					'email' => $ASSURANCE_OFFICER),
+			'oao' => array(
+					'description' => 'Organisation Assurance Officer',
+					'email' => $ORGANISATION_ASSURANCE_OFFICER),
+			'board' => array(
+					'description' => 'Board Members',
+					'email' => $BOARD_PRIVATE)
+		) as $key => $values) {
+	$message = <<<EOF
+Dear $values[description],
 
 it's time for the permission review again. Here is the list of privileged users
 in the CAcert web application. Please review them and also ask the persons 
@@ -83,20 +193,25 @@ responsible for an up-to-date copy of access lists not directly recorded in the
 web application (critical admins, software assessors etc.) 
 
 
+
 EOF;
 	
-foreach ($flags as $flag => $description) {
-	$message .= <<<EOF
-List of ${description}s:
-$adminlist[$flag]
+	foreach ($flags as $flag => $flag_properties) {
+		if ($flag_properties[$key]) {
+			$message .= "List of $flag_properties[name]s:\n\n";
+			foreach ($adminlist[$flag] as $colleague) {
+				$message .= "$colleague[fname] $colleague[lname] $colleague[email]\n";
+			}
+			$message .= "\n\n";
+		}
+	}
 	
-EOF;
-}
+	$message .= <<<EOF
 
-$message .= <<<EOF
 
 Best Regards,
 CAcert Support
 EOF;
 	
-sendmail($BOARD_PRIVATE, "Permissions Review", $message, 'support@cacert.org');
+	sendmail($values['email'], "Permissions Review", $message, 'support@cacert.org');
+}

scripts/resetpermissions.php

@@ -0,0 +1,71 @@
+#!/usr/bin/php -q
+<?php
+/*
+LibreSSL - CAcert web application
+Copyright (C) 2004-2012  CAcert Inc.
+
+This program is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; version 2 of the License.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with this program; if not, write to the Free Software
+Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
+*/
+
+require_once(dirname(__FILE__).'/../includes/mysql.php');
+
+$flags = array('board', 'tverify');
+
+foreach ($flags as $flag) {
+	echo "Resetting $flag flag:\n";
+	$query = "select `id`, `fname`, `lname`, `email` from `users`
+			where `$flag` = 1";
+	if(! $res = mysql_query($query) ) {
+		fwrite(STDERR,
+				"MySQL query for flag $flag failed:\n".
+				"\"$query\"\n".
+				mysql_error()
+		);
+	
+		continue;
+	}
+	
+	while ($row = mysql_fetch_assoc($res)) {
+		echo "$row[fname] $row[lname] $row[email]";
+		
+		$update = "update `users` set `$flag` = 0 where `id` = $row[id]";
+		if(! $res2 = mysql_query($update) ) {
+			echo " NOT RESET!!!\n";
+			fwrite(STDERR,
+					"MySQL query for $flag flag reset on user $row[id] failed:\n".
+					"\"$update\"\n".
+					mysql_error()
+			);
+			
+		} else {
+			
+			$message = <<<EOF
+Hi $row[fname],
+
+As per Arbitration a20110118.1 [1] the $flag permission has been removed
+from your account.
+
+[1] https://wiki.cacert.org/Arbitrations/a20110118.1
+
+Best Regards,
+CAcert Support
+EOF;
+			sendmail($row['email'], "Permissions have been reset", $message, 'support@cacert.org');
+			
+			echo " reset.\n";
+		}
+	}
+	
+	echo "\n\n";
+}