From 9e8d69739f21e5ac85977d57a2a6c961e318c26e Mon Sep 17 00:00:00 2001
From: Andrew Dolgov <noreply@fakecake.org>
Date: Wed, 10 Nov 2021 20:44:51 +0300
Subject: [PATCH] add two helper account access levels:  - read only - can't
 subscribe to more feeds, feed updates are skipped  - disabled - can't login
 define used access levels as UserHelper constants and refactor code to use
 them instead of hardcoded numbers

---
 backend.php                        | 11 +++++++----
 classes/feeds.php                  |  7 +++++++
 classes/handler/administrative.php |  2 +-
 classes/pref/feeds.php             | 12 ++++++++++++
 classes/pref/prefs.php             | 16 ++++++++--------
 classes/rpc.php                    |  7 ++++---
 classes/rssutils.php               | 19 +++++++++++++++++--
 classes/userhelper.php             | 19 +++++++++++++++++--
 include/sessions.php               |  9 ++++++++-
 js/App.js                          | 12 ++++++++++--
 js/CommonDialogs.js                | 15 ++++++++++++---
 js/PrefUsers.js                    |  2 +-
 prefs.php                          |  2 +-
 13 files changed, 105 insertions(+), 28 deletions(-)

diff --git a/backend.php b/backend.php
index bd24416f6..cb7daadad 100644
--- a/backend.php
+++ b/backend.php
@@ -86,10 +86,13 @@
 		1440 => __("Daily"),
 		10080 => __("Weekly"));
 
-	$access_level_names = array(
-		0 => __("User"),
-		5 => __("Power User"),
-		10 => __("Administrator"));
+	$access_level_names = [
+		UserHelper::ACCESS_LEVEL_DISABLED 	=> __("Disabled"),
+		UserHelper::ACCESS_LEVEL_READONLY 	=> __("Read Only"),
+		UserHelper::ACCESS_LEVEL_USER			=> __("User"),
+		UserHelper::ACCESS_LEVEL_POWERUSER	=> __("Power User"),
+		UserHelper::ACCESS_LEVEL_ADMIN		=> __("Administrator")
+	];
 
 	// shortcut syntax for plugin methods (?op=plugin--pmethod&...params)
 	/* if (strpos($op, PluginHost::PUBLIC_METHOD_DELIMITER) !== false) {
diff --git a/classes/feeds.php b/classes/feeds.php
index 987123a21..cd2633ffb 100755
--- a/classes/feeds.php
+++ b/classes/feeds.php
@@ -1027,10 +1027,17 @@ class Feeds extends Handler_Protected {
 	 *                 5 - Couldn't download the URL content.
 	 *                 6 - Content is an invalid XML.
 	 *                 7 - Error while creating feed database entry.
+	 *                 8 - Permission denied (ACCESS_LEVEL_READONLY).
 	 */
 	static function _subscribe($url, $cat_id = 0,
 							   $auth_login = '', $auth_pass = '') : array {
 
+		$user = ORM::for_table("ttrss_users")->find_one($_SESSION['uid']);
+
+		if ($user && $user->access_level == UserHelper::ACCESS_LEVEL_READONLY) {
+			return ["code" => 8];
+		}
+
 		$pdo = Db::pdo();
 
 		$url = UrlHelper::validate($url);
diff --git a/classes/handler/administrative.php b/classes/handler/administrative.php
index 52dfed8b7..f2f5b36ba 100644
--- a/classes/handler/administrative.php
+++ b/classes/handler/administrative.php
@@ -2,7 +2,7 @@
 class Handler_Administrative extends Handler_Protected {
    function before($method) {
       if (parent::before($method)) {
-         if (($_SESSION["access_level"] ?? 0) >= 10) {
+         if (($_SESSION["access_level"] ?? 0) >= UserHelper::ACCESS_LEVEL_ADMIN) {
             return true;
          }
       }
diff --git a/classes/pref/feeds.php b/classes/pref/feeds.php
index 95bbcd190..ac0874259 100755
--- a/classes/pref/feeds.php
+++ b/classes/pref/feeds.php
@@ -538,6 +538,8 @@ class Pref_Feeds extends Handler_Protected {
 				$local_purge_intervals = [ T_nsprintf('%d day', '%d days', $purge_interval, $purge_interval) ];
 			}
 
+			$user = ORM::for_table("ttrss_users")->find_one($_SESSION["uid"]);
+
 			print json_encode([
 				"feed" => $row,
 				"cats" => [
@@ -550,6 +552,9 @@ class Pref_Feeds extends Handler_Protected {
 					"update" => $local_update_intervals,
 					"purge" => $local_purge_intervals,
 				],
+				"user" => [
+					"access_level" => $user->access_level
+				],
 				"lang" => [
 					"enabled" => Config::get(Config::DB_TYPE) == "pgsql",
 					"default" => get_pref(Prefs::DEFAULT_SEARCH_LANGUAGE),
@@ -1207,6 +1212,13 @@ class Pref_Feeds extends Handler_Protected {
 		$login = clean($_REQUEST['login']);
 		$pass = clean($_REQUEST['pass']);
 
+		$user = ORM::for_table('ttrss_users')->find_one($_SESSION["uid"]);
+
+		// TODO: we should return some kind of error code to frontend here
+		if ($user->access_level == UserHelper::ACCESS_LEVEL_READONLY) {
+			return false;
+		}
+
 		$csth = $this->pdo->prepare("SELECT id FROM ttrss_feeds
 						WHERE feed_url = ? AND owner_uid = ?");
 
diff --git a/classes/pref/prefs.php b/classes/pref/prefs.php
index c47a99469..c45d6d6ea 100644
--- a/classes/pref/prefs.php
+++ b/classes/pref/prefs.php
@@ -813,7 +813,7 @@ class Pref_Prefs extends Handler_Protected {
 
 		usort($rv, function($a, $b) { return strcmp($a["name"], $b["name"]); });
 
-		print json_encode(['plugins' => $rv, 'is_admin' => $_SESSION['access_level'] >= 10]);
+		print json_encode(['plugins' => $rv, 'is_admin' => $_SESSION['access_level'] >= UserHelper::ACCESS_LEVEL_ADMIN]);
 	}
 
 	function index_plugins() {
@@ -890,7 +890,7 @@ class Pref_Prefs extends Handler_Protected {
 
 					<?= \Controls\button_tag(\Controls\icon("refresh"), "", ["title" => __("Reload"), "onclick" => "Helpers.Plugins.reload()"]) ?>
 
-					<?php if ($_SESSION["access_level"] >= 10) { ?>
+					<?php if ($_SESSION["access_level"] >= UserHelper::ACCESS_LEVEL_ADMIN) { ?>
 						<?php if (Config::get(Config::CHECK_FOR_UPDATES) && Config::get(Config::CHECK_FOR_PLUGIN_UPDATES)) { ?>
 
 							<button class='alt-warning' dojoType='dijit.form.Button' onclick="Helpers.Plugins.update()">
@@ -1152,7 +1152,7 @@ class Pref_Prefs extends Handler_Protected {
 	}
 
 	function uninstallPlugin() {
-		if ($_SESSION["access_level"] >= 10) {
+		if ($_SESSION["access_level"] >= UserHelper::ACCESS_LEVEL_ADMIN) {
 			$plugin_name = basename(clean($_REQUEST['plugin']));
 			$status = 0;
 
@@ -1167,7 +1167,7 @@ class Pref_Prefs extends Handler_Protected {
 	}
 
 	function installPlugin() {
-		if ($_SESSION["access_level"] >= 10 && Config::get(Config::ENABLE_PLUGIN_INSTALLER)) {
+		if ($_SESSION["access_level"] >= UserHelper::ACCESS_LEVEL_ADMIN && Config::get(Config::ENABLE_PLUGIN_INSTALLER)) {
 			$plugin_name = basename(clean($_REQUEST['plugin']));
 			$all_plugins = $this->_get_available_plugins();
 			$plugin_dir = dirname(dirname(__DIR__)) . "/plugins.local";
@@ -1252,18 +1252,18 @@ class Pref_Prefs extends Handler_Protected {
 	}
 
 	private function _get_available_plugins() {
-		if ($_SESSION["access_level"] >= 10 && Config::get(Config::ENABLE_PLUGIN_INSTALLER)) {
+		if ($_SESSION["access_level"] >= UserHelper::ACCESS_LEVEL_ADMIN && Config::get(Config::ENABLE_PLUGIN_INSTALLER)) {
 			return json_decode(UrlHelper::fetch(['url' => 'https://tt-rss.org/plugins.json']), true);
 		}
 	}
 	function getAvailablePlugins() {
-		if ($_SESSION["access_level"] >= 10) {
+		if ($_SESSION["access_level"] >= UserHelper::ACCESS_LEVEL_ADMIN) {
 			print json_encode($this->_get_available_plugins());
 		}
 	}
 
 	function checkForPluginUpdates() {
-		if ($_SESSION["access_level"] >= 10 && Config::get(Config::CHECK_FOR_UPDATES) && Config::get(Config::CHECK_FOR_PLUGIN_UPDATES)) {
+		if ($_SESSION["access_level"] >= UserHelper::ACCESS_LEVEL_ADMIN && Config::get(Config::CHECK_FOR_UPDATES) && Config::get(Config::CHECK_FOR_PLUGIN_UPDATES)) {
 			$plugin_name = $_REQUEST["name"] ?? "";
 
 			$root_dir = dirname(dirname(__DIR__)); # we're in classes/pref/
@@ -1279,7 +1279,7 @@ class Pref_Prefs extends Handler_Protected {
 	}
 
 	function updateLocalPlugins() {
-		if ($_SESSION["access_level"] >= 10) {
+		if ($_SESSION["access_level"] >= UserHelper::ACCESS_LEVEL_ADMIN) {
 			$plugins = explode(",", $_REQUEST["plugins"] ?? "");
 
 			# we're in classes/pref/
diff --git a/classes/rpc.php b/classes/rpc.php
index b6c4a5fc9..0432ed2d3 100755
--- a/classes/rpc.php
+++ b/classes/rpc.php
@@ -299,7 +299,8 @@ class RPC extends Handler_Protected {
 				ttrss_feeds f, ttrss_users u LEFT JOIN ttrss_user_prefs2 p ON
 					(p.owner_uid = u.id AND profile IS NULL AND pref_name = 'DEFAULT_UPDATE_INTERVAL')
 			WHERE
-				f.owner_uid = u.id
+				f.owner_uid = u.id AND
+				u.access_level NOT IN (".sprintf("%d, %d", UserHelper::ACCESS_LEVEL_DISABLED, UserHelper::ACCESS_LEVEL_READONLY).")
 				$owner_check_qpart
 				$update_limit_qpart
 				$updstart_thresh_qpart
@@ -403,7 +404,7 @@ class RPC extends Handler_Protected {
 		$git_timestamp = $version["timestamp"] ?? false;
 		$git_commit = $version["commit"] ?? false;
 
-		if (Config::get(Config::CHECK_FOR_UPDATES) && $_SESSION["access_level"] >= 10 && $git_timestamp) {
+		if (Config::get(Config::CHECK_FOR_UPDATES) && $_SESSION["access_level"] >= UserHelper::ACCESS_LEVEL_ADMIN && $git_timestamp) {
 			$content = @UrlHelper::fetch(["url" => "https://tt-rss.org/version.json"]);
 
 			if ($content) {
@@ -510,7 +511,7 @@ class RPC extends Handler_Protected {
 		$data['cdm_expanded'] = get_pref(Prefs::CDM_EXPANDED);
 		$data["labels"] = Labels::get_all($_SESSION["uid"]);
 
-		if (Config::get(Config::LOG_DESTINATION) == 'sql' && $_SESSION['access_level'] >= 10) {
+		if (Config::get(Config::LOG_DESTINATION) == 'sql' && $_SESSION['access_level'] >= UserHelper::ACCESS_LEVEL_ADMIN) {
 			if (Config::get(Config::DB_TYPE) == 'pgsql') {
 				$log_interval = "created_at > NOW() - interval '1 hour'";
 			} else {
diff --git a/classes/rssutils.php b/classes/rssutils.php
index 87e52ba42..927a6c251 100755
--- a/classes/rssutils.php
+++ b/classes/rssutils.php
@@ -123,7 +123,8 @@ class RSSUtils {
 				ttrss_feeds f, ttrss_users u LEFT JOIN ttrss_user_prefs2 p ON
 					(p.owner_uid = u.id AND profile IS NULL AND pref_name = 'DEFAULT_UPDATE_INTERVAL')
 			WHERE
-				f.owner_uid = u.id
+				f.owner_uid = u.id AND
+				u.access_level NOT IN (".sprintf("%d, %d", UserHelper::ACCESS_LEVEL_DISABLED, UserHelper::ACCESS_LEVEL_READONLY).")
 				$login_thresh_qpart
 				$update_limit_qpart
 				$updstart_thresh_qpart
@@ -163,7 +164,8 @@ class RSSUtils {
 			FROM ttrss_feeds f, ttrss_users u LEFT JOIN ttrss_user_prefs2 p ON
 					(p.owner_uid = u.id AND profile IS NULL AND pref_name = 'DEFAULT_UPDATE_INTERVAL')
 			WHERE
-				f.owner_uid = u.id
+				f.owner_uid = u.id AND
+				u.access_level NOT IN (".sprintf("%d, %d", UserHelper::ACCESS_LEVEL_DISABLED, UserHelper::ACCESS_LEVEL_READONLY).")
 				AND feed_url = :feed
 				$login_thresh_qpart
 				$update_limit_qpart
@@ -352,6 +354,19 @@ class RSSUtils {
 			if (!$feed_language) $feed_language = mb_strtolower(get_pref(Prefs::DEFAULT_SEARCH_LANGUAGE, $feed_obj->owner_uid));
 			if (!$feed_language) $feed_language = 'simple';
 
+			$user = ORM::for_table('ttrss_users')->find_one($feed_obj->owner_uid);
+
+			if ($user) {
+				if ($user->access_level == UserHelper::ACCESS_LEVEL_READONLY) {
+					Debug::log("error: denied update for $feed: permission denied by owner access level");
+					return false;
+				}
+			} else {
+				// this would indicate database corruption of some kind
+				Debug::log("error: owner not found for feed: $feed");
+				return false;
+			}
+
 		} else {
 			Debug::log("error: feeds table record not found for feed: $feed");
 			return false;
diff --git a/classes/userhelper.php b/classes/userhelper.php
index 1cdd320a1..ea714b76b 100644
--- a/classes/userhelper.php
+++ b/classes/userhelper.php
@@ -17,6 +17,21 @@ class UserHelper {
 		self::HASH_ALGO_SHA1
 	];
 
+	/** forbidden to login */
+	const ACCESS_LEVEL_DISABLED 		= -2;
+
+	/** can't subscribe to new feeds, feeds are not updated */
+	const ACCESS_LEVEL_READONLY		= -1;
+
+	/** no restrictions, regular user */
+	const ACCESS_LEVEL_USER				= 0;
+
+	/** not used, same as regular user */
+	const ACCESS_LEVEL_POWERUSER		= 5;
+
+	/** has administrator permissions */
+	const ACCESS_LEVEL_ADMIN			= 10;
+
 	static function authenticate(string $login = null, string $password = null, bool $check_only = false, string $service = null) {
 		if (!Config::get(Config::SINGLE_USER_MODE)) {
 			$user_id = false;
@@ -41,7 +56,7 @@ class UserHelper {
 
 				$user = ORM::for_table('ttrss_users')->find_one($user_id);
 
-				if ($user) {
+				if ($user && $user->access_level != self::ACCESS_LEVEL_DISABLED) {
 					$_SESSION["uid"] = $user_id;
 					$_SESSION["auth_module"] = $auth_module;
 					$_SESSION["name"] = $user->login;
@@ -68,7 +83,7 @@ class UserHelper {
 
 			$_SESSION["uid"] = 1;
 			$_SESSION["name"] = "admin";
-			$_SESSION["access_level"] = 10;
+			$_SESSION["access_level"] = self::ACCESS_LEVEL_ADMIN;
 
 			$_SESSION["hide_hello"] = true;
 			$_SESSION["hide_logout"] = true;
diff --git a/include/sessions.php b/include/sessions.php
index 52ab80b71..26f4e0bca 100644
--- a/include/sessions.php
+++ b/include/sessions.php
@@ -1,7 +1,9 @@
 <?php
 	namespace Sessions;
 
-	require_once "autoload.php";
+use UserHelper;
+
+require_once "autoload.php";
 	require_once "functions.php";
 	require_once "errorhandler.php";
 	require_once "lib/gettext/gettext.inc.php";
@@ -42,6 +44,11 @@
 					$_SESSION["login_error_msg"] = __("Session failed to validate (password changed)");
 					return false;
 				}
+
+				if ($user->access_level == UserHelper::ACCESS_LEVEL_DISABLED) {
+					$_SESSION["login_error_msg"] = __("Session failed to validate (account is disabled)");
+					return false;
+				}
 			} else {
 				$_SESSION["login_error_msg"] = __("Session failed to validate (user not found)");
 				return false;
diff --git a/js/App.js b/js/App.js
index 0afcb0b77..6c4b6a187 100644
--- a/js/App.js
+++ b/js/App.js
@@ -17,6 +17,9 @@ const App = {
    hotkey_actions: {},
    is_prefs: false,
    LABEL_BASE_INDEX: -1024,
+	UserAccessLevels: {
+		ACCESS_LEVEL_READONLY: -1
+	},
    _translations: {},
    Hash: {
       get: function() {
@@ -76,10 +79,15 @@ const App = {
             </select>
          `
       },
-      select_hash: function(name, value, values = {}, attributes = {}, id = "") {
+      select_hash: function(name, value, values = {}, attributes = {}, id = "", params = {}) {
+			let keys = Object.keys(values);
+
+			if (params.numeric_sort)
+				keys = keys.sort((a,b) => a - b);
+
          return `
             <select name="${name}" dojoType="fox.form.Select" id="${App.escapeHtml(id)}" ${this.attributes_to_string(attributes)}>
-               ${Object.keys(values).map((vk) =>
+               ${keys.map((vk) =>
                      `<option ${vk == value ? 'selected="selected"' : ''} value="${App.escapeHtml(vk)}">${App.escapeHtml(values[vk])}</option>`
                ).join("")}
             </select>
diff --git a/js/CommonDialogs.js b/js/CommonDialogs.js
index a68dc8068..4c169b026 100644
--- a/js/CommonDialogs.js
+++ b/js/CommonDialogs.js
@@ -131,6 +131,9 @@ const	CommonDialogs = {
 											console.log(rc);
 
 											switch (parseInt(rc['code'])) {
+												case 0:
+													dialog.show_error(__("You are already subscribed to this feed."));
+													break;
 												case 1:
 													dialog.hide();
 													Notify.info(__("Subscribed to %s").replace("%s", feed_url));
@@ -175,8 +178,11 @@ const	CommonDialogs = {
 												case 6:
 													dialog.show_error(__("XML validation failed: %s").replace("%s", rc['message']));
 													break;
-												case 0:
-													dialog.show_error(__("You are already subscribed to this feed."));
+												case 7:
+													dialog.show_error(__("Error while creating feed database entry."));
+													break;
+												case 8:
+													dialog.show_error(__("You are not allowed to perform this operation."));
 													break;
 											}
 
@@ -451,6 +457,7 @@ const	CommonDialogs = {
 
 				xhr.json("backend.php", {op: "pref-feeds", method: "editfeed", id: feed_id}, (reply) => {
 					const feed = reply.feed;
+					const is_readonly = reply.user.access_level == App.UserAccessLevels.ACCESS_LEVEL_READONLY;
 
 					// for unsub prompt
 					dialog.feed_title = feed.title;
@@ -524,7 +531,9 @@ const	CommonDialogs = {
 
 									<fieldset>
 										<label>${__("Update interval:")}</label>
-										${App.FormFields.select_hash("update_interval", feed.update_interval, reply.intervals.update)}
+										${App.FormFields.select_hash("update_interval", is_readonly ? -1 : feed.update_interval,
+											reply.intervals.update,
+											{disabled: is_readonly})}
 									</fieldset>
 									<fieldset>
 										<label>${__('Article purging:')}</label>
diff --git a/js/PrefUsers.js b/js/PrefUsers.js
index 7ce3cae94..a6081f35f 100644
--- a/js/PrefUsers.js
+++ b/js/PrefUsers.js
@@ -75,7 +75,7 @@ const	Users = {
 									<fieldset>
 										<label>${__('Access level: ')}</label>
 										${App.FormFields.select_hash("access_level",
-											user.access_level, reply.access_level_names, {disabled: admin_disabled.toString()})}
+											user.access_level, reply.access_level_names, {disabled: admin_disabled.toString()}, "", {numeric_sort: true})}
 
 										${admin_disabled ? App.FormFields.hidden_tag("access_level",
 											user.access_level.toString()) : ''}
diff --git a/prefs.php b/prefs.php
index 14820f707..84d89f914 100644
--- a/prefs.php
+++ b/prefs.php
@@ -148,7 +148,7 @@
             style="padding : 0px"
             href="backend.php?op=pref-labels"
             title="<i class='material-icons'>label_outline1</i> <?= __('Labels') ?>"></div>
-        <?php if ($_SESSION["access_level"] >= 10) { ?>
+        <?php if ($_SESSION["access_level"] >= UserHelper::ACCESS_LEVEL_ADMIN) { ?>
             <div id="usersTab" dojoType="dijit.layout.ContentPane"
                 style="padding : 0px"
                 href="backend.php?op=pref-users"