mirror/zoneminder
1
0
Fork 0
mirror of https://github.com/ZoneMinder/zoneminder.git synced 2026-03-26 01:32:29 -04:00
Code Issues Packages Projects Releases Wiki Activity
Files
23cb4e42e95a7a8646a5170cbefbc92ec409bbec
zoneminder/web/includes/actions/role.php
Isaac Connor 4e60cb96a7 feat: add User Roles feature for reusable permission templates 
Add a User Roles system where roles define reusable permission templates.
When a user has a role assigned, the role provides fallback permissions
(user's direct permissions take precedence; role is used when user has 'None').

Database changes:
- Add User_Roles table with same permission fields as Users
- Add Role_Groups_Permissions table for per-role group overrides
- Add Role_Monitors_Permissions table for per-role monitor overrides
- Add RoleId foreign key to Users table

Permission resolution order:
1. User's direct Monitor/Group permissions (if not 'Inherit')
2. Role's Monitor/Group permissions (if user has role)
3. Role's base permission (if user's is 'None')
4. User's base permission (fallback)

Includes:
- PHP models: User_Role, Role_Group_Permission, Role_Monitor_Permission
- Role management UI in Options > Roles tab
- Role selector in user edit form
- REST API endpoints for roles CRUD
- Translation strings for en_gb

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-29 13:34:27 -05:00

90 lines
3.0 KiB
PHP
Raw Blame History

<?php
//
// ZoneMinder web action file
// Copyright (C) 2019 ZoneMinder LLC
//
// This program is free software; you can redistribute it and/or
// modify it under the terms of the GNU General Public License
// as published by the Free Software Foundation; either version 2
// of the License, or (at your option) any later version.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU General Public License for more details.
//
// You should have received a copy of the GNU General Public License
// along with this program; if not, write to the Free Software
// Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
//
global $error_message;
if (!canEdit('System')) {
ZM\Warning('Must have System permissions to perform role actions');
return;
}
if ($action == 'Save') {
require_once('includes/User_Role.php');
require_once('includes/Role_Group_Permission.php');
require_once('includes/Role_Monitor_Permission.php');
require_once('includes/Group.php');
require_once('includes/Monitor.php');
$rid = isset($_REQUEST['rid']) ? validInt($_REQUEST['rid']) : 0;
$dbRole = new ZM\User_Role($rid);
# Need to check for uniqueness of Name
if (isset($_REQUEST['role']['Name']) && $_REQUEST['role']['Name']) {
$role_with_my_name = ZM\User_Role::find_one(array('Name'=>$_REQUEST['role']['Name']));
if ($role_with_my_name and
(($rid and ($role_with_my_name->Id() != $rid)) or !$rid)
) {
$error_message = 'There already exists a role with this Name<br/>';
unset($_REQUEST['redirect']);
return;
}
} else {
$error_message = 'Role name is required<br/>';
unset($_REQUEST['redirect']);
return;
}
$changes = $dbRole->changes($_REQUEST['role']);
if (count($changes)) {
if (!$dbRole->save($changes)) {
$error_message .= $dbRole->get_last_error().'<br/>';
unset($_REQUEST['redirect']);
return;
}
}
# Save group permissions
if (isset($_POST['group_permission'])) {
foreach (ZM\Group::find() as $g) {
$permission = $dbRole->Group_Permission($g->Id());
$new_permission = isset($_POST['group_permission'][$g->Id()]) ? $_POST['group_permission'][$g->Id()] : 'Inherit';
if ($permission->Permission() != $new_permission) {
$permission->RoleId($dbRole->Id());
$permission->save(array('Permission'=>$new_permission));
}
}
}
# Save monitor permissions
if (isset($_POST['monitor_permission'])) {
foreach (ZM\Monitor::find(['Deleted'=>false]) as $m) {
if (isset($_POST['monitor_permission'][$m->Id()])) {
$permission = $dbRole->Monitor_Permission($m->Id());
$new_permission = $_POST['monitor_permission'][$m->Id()];
if ($permission->Permission() != $new_permission) {
$permission->RoleId($dbRole->Id());
$permission->save(['Permission'=>$new_permission]);
}
}
}
}
} // end if $action == Save
?>
Reference in New Issue View Git Blame Copy Permalink