Provide a possibility to regularly review the permissions in the system.
This commit is contained in:
parent
cb10487370
commit
eed6f97bef
4 changed files with 144 additions and 8 deletions
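--- /dev/null
+++ b/scripts/cron/permissionreview.php
@@ -0,0 +1,102 @@
+#!/usr/bin/php -q
+<?php
+/*
+LibreSSL - CAcert web application
+Copyright (C) 2004-2012 CAcert Inc.
+
+This program is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; version 2 of the License.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with this program; if not, write to the Free Software
+Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+*/
+
+require_once(dirname(__FILE__).'/../../includes/mysql.php');
+
+$BOARD_PRIVATE = 'cacert-board-private@lists.cacert.org';
+
+$flags = array(
+'admin' => 'Support Engineer',
+'orgadmin' => 'Organisation Assurer',
+'board' => 'Board Member',
+'ttpadmin' => 'Trusted Third Party Admin',
+'tverify' => 'Tverify Admin',
+'locadmin' => 'Location Admin'
+);
+
+$adminlist = array();
+
+foreach ($flags as $flag => $description) {
+$query = "select `fname`, `lname`, `email` from `users` where `$flag` = 1";
+if(! $res = mysql_query($query) ) {
+fwrite(STDERR,
+"MySQL query for flag $flag failed:\n".
+"\"$query\"\n".
+mysql_error()
+);
+
+continue;
+}
+
+$admins = array();
+$adminlist[$flag] = "";
+
+while ($row = mysql_fetch_assoc($res)) {
+$admins[] = $row;
+$adminlist[$flag] .= "$row[fname] $row[lname] $row[email]\n";
+}
+
+foreach ($admins as $admin) {
+$message = <<<EOF
+Hello $admin[fname],
+
+you get this message, because you are listed as $description on
+CAcert.org. Please review the following list of persons with the same privilege
+and report to the responsible team leader or board
+($BOARD_PRIVATE) if you spot any errors.
+
+$adminlist[$flag]
+
+
+Best Regards,
+CAcert Support
+EOF;
+sendmail($admin['email'], "Permissions Review", $message, 'support@cacert.org');
+}
+}
+
+
+
+$message = <<<EOF
+Dear Board Members,
+
+it's time for the permission review again. Here is the list of privileged users
+in the CAcert web application. Please review them and also ask the persons
+responsible for an up-to-date copy of access lists not directly recorded in the
+web application (critical admins, software assessors etc.)
+
+
+EOF;
+
+foreach ($flags as $flag => $description) {
+$message .= <<<EOF
+List of ${description}s:
+$adminlist[$flag]
+
+EOF;
+}
+
+$message .= <<<EOF
+
+Best Regards,
+CAcert Support
+EOF;
+
+sendmail($BOARD_PRIVATE, "Permissions Review", $message, 'support@cacert.org');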
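Review bot: When the query for a flag fails, the `continue;` in the failure branch leaves `$adminlist[$flag]` unset, so the board summary built in the second `foreach ($flags ...)` loop prints an empty section for that privilege (plus an undefined-index notice) — which reads to the board as "nobody holds this privilege" rather than "this check did not run", which is the opposite of what a permission review should signal. The failure branch should record an explicit marker, e.g. `$adminlist[$flag] = "*** query failed, list not available ***\n";` before `continue;`, so the gap is visible in the summary. It would also help to count failures and `exit(1);` after the final `sendmail(...)` when any occurred, so the cron job reports the problem instead of silently delivering an incomplete review. The `$flag` interpolated into the SQL comes only from the hard-coded `$flags` keys; a short comment on the `$flags` array saying the keys must stay literal column names would keep a later maintainer from sourcing them from elsewhere.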
@ -17,8 +17,8 @@
Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
*/
include_once("/home/cacert/www/includes/mysql.php");
require_once('/home/cacert/www/includes/lib/l10n.php');
require_once(dirname(__FILE__).'/../../includes/mysql.php');
require_once(dirname(__FILE__).'/../../includes/lib/l10n.php');
$query = "select * from `users` where `users`.`verified`=0 and
(UNIX_TIMESTAMP(NOW()) - UNIX_TIMESTAMP(`users`.`created`)) >= 172800";
@ -16,12 +16,27 @@
along with this program; if not, write to the Free Software
Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
*/
include_once("../includes/mysql.php");
require_once(dirname(__FILE__).'/../../includes/mysql.php');
//mysql_query("update users set assurer=0");
$query = "select notary.`to` as uid from notary group by notary.`to` having sum(points)>=100;";
/* Set assurer flag for accounts who miss it
See also includes/lib/account.php, function fix_assurer_flag($userID)
We may have some performance problems here, there are 150k assurances and 220k users
in the production database. The exists-clause on cats_passed should be a good filter... */
/* Synchronisation of assurer flag currently deactivated, see https://bugs.cacert.org/view.php?id=1003
and https://bugs.cacert.org/view.php?id=1024 */
/*
$query = "select `n`.`to` as `uid` from `notary` as `n`, `users` as `u` ".
" where `n`.`to`=`u`.`id` and `u`.`assurer`<>'1' ".
" and (`n`.`expire` > now() OR `n`.`expire` IS NULL) ".
" and exists(select 1 from `cats_passed` as `cp`, `cats_variant` as `cv` ".
" where `cp`.`variant_id`=`cv`.`id` and `cv`.`type_id` = 1 and `cp`.`user_id`=`n`.`to`)".
" group by `n`.`to` having sum(`n`.`points`)>=100";
$res = mysql_query($query);
while($row = mysql_fetch_assoc($res))
{
@ -29,7 +44,28 @@
//echo $query."\n";
mysql_query($query);
}
*/
/* Remove assurer flag from accounts not eligible.
Also a bit performance critical, but assurer flag is only set at 5k accounts
*/
/* Synchronisation of assurer flag currently deactivated, see https://bugs.cacert.org/view.php?id=1003
and https://bugs.cacert.org/view.php?id=1024 */
/*
$query = "select `u`.id as `uid` from `users` as `u` " .
" where `u`.`assurer` = '1' ".
" and (not exists(select 1 from `cats_passed` as `cp`, `cats_variant` as `cv` ".
" where `cp`.`variant_id`=`cv`.`id` and `cv`.`type_id` = 1 and `cp`.`user_id`=`u`.`id`) ".
" or (select sum(`n`.`points`) from `notary` as `n` where `n`.`to`=`u`.`id` and (`n`.`expire` > now() OR `n`.`expire` IS NULL)) < 100) ";
$res = mysql_query($query);
while($row = mysql_fetch_assoc($res))
{
$query = "update users set `assurer`='0' where `id`='${row['uid']}'";
//echo $query."\n";
mysql_query($query);
}
*/
mysql_query("update `locations` set `acount`=0");
$query = "SELECT `users`.`locid` AS `locid`, count(*) AS `total` FROM `users`
@ -72,6 +108,4 @@
}
?>
@ -17,7 +17,7 @@
Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
*/
include_once("/home/cacert/www/includes/mysql.php");
require_once(dirname(__FILE__).'/../../includes/mysql.php');
$days = array("1" => "3", "15" => "2", "30" => "1", "45" => "0");