diff --git a/misuzu.php b/misuzu.php
index 2851bf3e..68329813 100644
--- a/misuzu.php
+++ b/misuzu.php
@@ -296,10 +296,22 @@ MIG;
 }
 }
- if (!$misuzuBypassLockdown && $app->isStagingSite() && !$app->hasActiveSession()) {
- http_response_code(401);
- echo tpl_render('auth.private');
- exit;
+ $privateInfo = $app->getPrivateInfo();
+
+ if (!$misuzuBypassLockdown && $privateInfo['enabled'] && !$app->hasActiveSession()) {
+ if ($app->hasActiveSession()) {
+ $generalPerms = perms_get_user(MSZ_PERMS_GENERAL, $app->getUserId());
+
+ if (!perms_check($generalPerms, $privateInfo['permission'])) {
+ $app->stopSession(); // au revoir
+ }
+ } else {
+ http_response_code(401);
+ echo tpl_render('auth.private', [
+ 'private_info'=> $privateInfo,
+ ]);
+ exit;
+ }
 }
 $inManageMode = starts_with($_SERVER['REQUEST_URI'], '/manage');
diff --git a/public/auth.php b/public/auth.php
index 0b874be5..1ca09efa 100644
--- a/public/auth.php
+++ b/public/auth.php
@@ -18,7 +18,7 @@ $usernameValidationErrors = [
 ];
 $preventRegistration = $app->disableRegistration();
-$isStagingSite = $app->isStagingSite();
+$preventPasswordReset = !($privateInfo['password_reset'] ?? true);
 $authUsername = $isSubmission ? ($_POST['auth']['username'] ?? '') : ($_GET['username'] ?? '');
 $authEmail = $isSubmission ? ($_POST['auth']['email'] ?? '') : ($_GET['email'] ?? '');
@@ -27,7 +27,7 @@ $authVerification = $_POST['auth']['verification'] ?? '';
 tpl_vars([
 'prevent_registration' => $preventRegistration,
- 'is_staging_site' => $isStagingSite,
+ 'prevent_password_reset' => $preventPasswordReset,
 'auth_mode' => $authMode,
 'auth_username' => $authUsername,
 'auth_email' => $authEmail,
@@ -61,7 +61,7 @@ switch ($authMode) {
 break;
 }
- if ($isStagingSite) {
+ if ($preventPasswordReset) {
 header('Location: /');
 return;
 }
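Review bot: The session-revocation branch in the misuzu.php hunk is unreachable: the outer condition ends with `&& !$app->hasActiveSession()`, so the inner `if ($app->hasActiveSession())` can never be true and a logged-in user who lacks `$privateInfo['permission']` keeps browsing the private site. Dropping the trailing clause, `if (!$misuzuBypassLockdown && $privateInfo['enabled']) {`, makes both branches reachable. Two related points in the same block: `$privateInfo['permission']` is read without a default, so a `[Private]` config section that has `enabled` but no `permission` key raises an undefined-index notice and hands null to perms_check — the lookup should be guarded with isset() before the check is made, as the auth.php hunk already does with `!empty($privateInfo['permission'])`; and stopSession() as added in src/Application.php only zeroes two in-memory ids, so the stored session and its cookie appear to survive and are merely re-evaluated on the next request rather than revoked — if "au revoir" means log the user out, the session record should be destroyed here as well.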
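Review bot: `$privateInfo` in the public/auth.php hunk at line 21 is never assigned in this file; it is the top-level variable set in misuzu.php, and the same implicit dependency recurs in the later auth.php hunks at lines 290 and 318. If the file is reached without that bootstrap, `$privateInfo['password_reset'] ?? true` silently reports that password reset is allowed and the permission gate at login is skipped. An explicit `$privateInfo = $app->getPrivateInfo();` next to `$preventRegistration = $app->disableRegistration();` removes the reliance on the include order and makes the fallback deliberate.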
@@ -153,7 +153,7 @@ switch ($authMode) {
 break;
 case 'forgot':
- if ($app->hasActiveSession() || $isStagingSite) {
+ if ($app->hasActiveSession() || $preventPasswordReset) {
 header('Location: /');
 break;
 }
@@ -287,6 +287,16 @@ MSG;
 }
 user_login_attempt_record(true, $userId, $ipAddress, $userAgent);
+
+ if (!empty($privateInfo['permission'])) {
+ $generalPerms = perms_get_user(MSZ_PERMS_GENERAL, $userId);
+
+ if (!perms_check($generalPerms, $privateInfo['permission'])) {
+ $authLoginError = 'Your credentials were correct, but your account lacks the proper permissions to use this website.';
+ break;
+ }
+ }
+
 $sessionKey = user_session_create($userId, $ipAddress, $userAgent);
 if ($sessionKey === '') {
@@ -305,6 +315,8 @@ MSG;
 if (!empty($authLoginError)) {
 tpl_var('auth_login_error', $authLoginError);
+ } elseif (!empty($privateInfo['enabled'])) {
+ tpl_var('auth_register_message', $privateInfo['message'] ?? '');
 }
 echo tpl_render('auth.auth');
diff --git a/src/Application.php b/src/Application.php
index 9e468161..8caa2199 100644
--- a/src/Application.php
+++ b/src/Application.php
@@ -141,6 +141,12 @@ final class Application
 }
 }
+ public function stopSession(): void
+ {
+ $this->currentSessionId = 0;
+ $this->currentUserId = 0;
+ }
+
 public function hasActiveSession(): bool
 {
 return $this->getSessionId() > 0;
@@ -307,13 +313,15 @@ final class Application
 public function disableRegistration(): bool
 {
 return $this->underLockdown()
- || $this->isStagingSite()
+ || $this->getPrivateInfo()['enabled']
 || boolval($this->config['Auth']['prevent_registration'] ?? false);
 }
- public function isStagingSite(): bool
+ public function getPrivateInfo(): array
 {
- return boolval($this->config['Auth']['staging'] ?? false);
+ return !empty($this->config['Private']) && boolval($this->config['Private']['enabled'])
+ ? $this->config['Private']
+ : ['enabled' => false];
 }
 public function getLinkedData(): array
diff --git a/src/general.php b/src/general.php
index 47195fa1..ea7c772c 100644
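Review bot: The new permission check in the login branch of public/auth.php runs after `user_login_attempt_record(true, $userId, $ipAddress, $userAgent);`, so a denied login is written to the attempt log as a success even though no session is created. If attempt records feed lockout or throttling, these denials are invisible to it, and the audit trail will say the user logged in when they did not. Moving the `if (!empty($privateInfo['permission']))` block above the record call, or recording the denial with `false` before `break;`, keeps the log consistent with what happened. Note also that the error text deliberately confirms the password was correct for an account that is not allowed in; that is a product decision, but a one-line comment above the string saying so would keep it from being changed or relied on by accident. The enclosing `case 'login':` begins outside the hunk.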
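Review bot: stopSession() in src/Application.php needs a docblock stating its actual scope, because the name suggests a logout: the body only resets `$this->currentSessionId` and `$this->currentUserId`, so the persisted session and the client cookie are, as far as this hunk shows, left untouched and presumably reloaded on the next request. A comment such as `/** Forgets the current session for the remainder of this request only; the stored session and its cookie are not invalidated. */` makes that explicit for callers like the private-site gate in misuzu.php, which currently reads as if it were revoking access.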
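Review bot: In getPrivateInfo(), `boolval($this->config['Private']['enabled'])` raises an undefined-index notice whenever a `[Private]` section exists without an `enabled` key, and with notices converted to exceptions that would take the whole bootstrap down. `boolval($this->config['Private']['enabled'] ?? false)` matches the `?? false` already used in disableRegistration() two lines above. It would also help to document in the return PHPDoc that the array is guaranteed to carry `enabled` but that `permission`, `password_reset` and `message` are optional and come straight from config, since the callers index into them directly.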
--- a/src/general.php
+++ b/src/general.php
@@ -3,3 +3,4 @@ define('MSZ_PERM_GENERAL_CAN_MANAGE', 1);
 define('MSZ_PERM_GENERAL_VIEW_LOGS', 1 << 1);
 define('MSZ_PERM_GENERAL_MANAGE_EMOTICONS', 1 << 2);
 define('MSZ_PERM_GENERAL_MANAGE_SETTINGS', 1 << 3);
+define('MSZ_PERM_GENERAL_TESTER', 1 << 4);
diff --git a/src/manage.php b/src/manage.php
index 29451121..2cf4f7e9 100644
--- a/src/manage.php
+++ b/src/manage.php
@@ -184,6 +184,16 @@ function manage_perms_list(array $rawPerms): array
 $rawPerms['general_perms_deny']
 )
 ],
+ [
+ 'section' => 'tester',
+ 'title' => 'Can use experimental features.',
+ 'perm' => MSZ_PERM_GENERAL_TESTER,
+ 'value' => manage_perms_value(
+ MSZ_PERM_GENERAL_TESTER,
+ $rawPerms['general_perms_allow'],
+ $rawPerms['general_perms_deny']
+ )
+ ],
 ],
 ],
 [
diff --git a/templates/auth/auth.twig b/templates/auth/auth.twig
index cfedbe53..fdee2f62 100644
--- a/templates/auth/auth.twig
+++ b/templates/auth/auth.twig
@@ -38,7 +38,7 @@
 {% endif %}
- {% if not is_staging_site %}
+ {% if not prevent_password_reset %}
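Review bot: The title of the new manage.php entry, `'Can use experimental features.'`, does not tell an administrator that this bit is the one a private site is expected to gate on; that reading is inferred from the `$privateInfo['permission']` checks in misuzu.php and auth.php rather than stated anywhere in the diff. If that is the intent, a title along the lines of `'title' => 'Can use experimental features and access the site while it is private.',` or a short comment next to `MSZ_PERM_GENERAL_TESTER` in src/general.php would keep the flag from being granted or revoked for the wrong reason. The enclosing manage_perms_list array starts and ends outside the hunk.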