meeting-room-booking-system / mrbs-code

MRBS application code

Can we block access to USERS tab and ROOMS tab for the role of USER? #3738

Open jshrek opened 1 month ago

jshrek commented 1 month ago

When I give somebody the role of USER (not admin) they still have access to the USERS tab and the ROOMS tab.

Is there a way to prevent them from having access to these two tabs?

My USER role only should have access to the calendar to create bookings.

Thanks

campbell-m commented 1 month ago

Edit the function get_page_level() in mrbs_auth.inc and comment out the lines

    case 'edit_room.php':               // Ordinary users can view room details
    case 'edit_users.php':              // Ordinary users can edit their own details

Their level will then default to 2 and so the menu entries won't appear for ordinary users.

jshrek commented 1 month ago

Suggested code changes to make View Room Details an option...

In systemdefaults.inc.php add new variable $role_user_can_view_room_details = true; so Role=User will still have access by default.

In config.inc.php you can optionally add $role_user_can_view_room_details = false; to disable access.

In mrbs_auth.inc make the following changes:

LINE 78 from this:

    global $auth, $max_level;

To this:

    global $auth, $max_level, $role_user_can_view_room_details; // MOD add new global var

LINE 110 from this:

    // made within the page to prevent ordinary users gaining access to admin features.
    case 'admin.php':
    case 'approve_entry_handler.php':   // Ordinary users are allowed to remind admins
    case 'edit_message.php':            // Booking admins can edit messages
    case 'edit_message_handler.php':    // Booking admins can edit messages
    case 'edit_room.php':               // Ordinary users can view room details
    case 'edit_users.php':              // Ordinary users can edit their own details
    case 'pending.php':                 // Ordinary users can view their own entries
    case 'registration_handler.php':    // Ordinary users can register for an event
    case 'usernames.php':               // Ajax page for getting a list of users (booking admins can use this)
      $result = 1;
      break;

    // These pages allow users to create and delete entries

To this:

    // made within the page to prevent ordinary users gaining access to admin features.
    case 'admin.php':
    case 'approve_entry_handler.php':   // Ordinary users are allowed to remind admins
    case 'edit_message.php':            // Booking admins can edit messages
    case 'edit_message_handler.php':    // Booking admins can edit messages
    case 'edit_users.php':              // Ordinary users can edit their own details
    case 'pending.php':                 // Ordinary users can view their own entries
    case 'registration_handler.php':    // Ordinary users can register for an event
    case 'usernames.php':               // Ajax page for getting a list of users (booking admins can use this)
      $result = 1;
      break;

    case 'edit_room.php':               // Ordinary users can view room details /* MOD: moved this down to its own block */
      $result = 1;
      if ($role_user_can_view_room_details == false) {
        $result = (isset($max_level)) ? $max_level : 2;
      }
      break;

    // These pages allow users to create and delete entries
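As an added example (not MRBS's own code, and not from either commenter), this self-contained PHP sketch models the page-level idea from the thread: the config toggle raises the level required for `edit_room.php` to `$max_level`, and a server-side check compares the user's level against it, so access is refused by the check itself and not only by a missing menu entry. The function names `required_level` and `is_authorised`, the level numbers and the reduced page list are assumptions made for the example.

```php
<?php
// Added example, not MRBS code. Models the page-level idea from the thread
// with assumed names; only $max_level and $role_user_can_view_room_details
// are taken from the posts above.

$max_level = 2;                               // highest level (assumed: 2 = admin)
$role_user_can_view_room_details = false;     // the toggle proposed in the thread

// Minimum user level required to load $page. Unlisted pages default to 2,
// matching the "default to 2" behaviour described by campbell-m.
function required_level(string $page, int $max_level, bool $user_can_view_rooms): int
{
  switch ($page) {
    case 'edit_users.php':        // ordinary users can edit their own details
    case 'pending.php':           // ordinary users can view their own entries
    case 'registration_handler.php':
      return 1;
    case 'edit_room.php':         // gated by the config toggle
      return $user_can_view_rooms ? 1 : $max_level;
    default:
      return 2;
  }
}

// Server-side enforcement: hiding a menu entry is not authorisation, so the
// level comparison is what actually decides whether the page is served.
function is_authorised(int $user_level, string $page, int $max_level, bool $user_can_view_rooms): bool
{
  return $user_level >= required_level($page, $max_level, $user_can_view_rooms);
}

// Constructed scenarios: [user level, page, toggle value].
$scenarios = [
  [1, 'pending.php',   false],
  [1, 'edit_room.php', false],   // ordinary user, toggle off
  [1, 'edit_room.php', true],    // ordinary user, toggle on (the default)
  [2, 'edit_room.php', false],   // admin, toggle off
  [1, 'admin.php',     false],   // unlisted here, so level 2 is required
];

foreach ($scenarios as [$level, $page, $toggle]) {
  printf("level %d, %-24s toggle=%-5s -> %s\n",
         $level, $page, $toggle ? 'true' : 'false',
         is_authorised($level, $page, $max_level, $toggle) ? 'allowed' : 'denied');
}
```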