diff --git a/lib/NGCP/Panel/Controller/Administrator.pm b/lib/NGCP/Panel/Controller/Administrator.pm
index 56d88aa10b..a3646af517 100644
--- a/lib/NGCP/Panel/Controller/Administrator.pm
+++ b/lib/NGCP/Panel/Controller/Administrator.pm
@@ -20,8 +20,9 @@ sub list_admin :PathPart('administrator') :Chained('/') :CaptureArgs(0) {
 my ($self, $c) = @_;
 my $dispatch_to = '_admin_resultset_' . $c->user->roles;
+ my $is_li_admin = $c->user->lawful_intercept;
 $c->stash(
- admins => $self->$dispatch_to($c),
+ admins => $self->$dispatch_to($c, $is_li_admin),
 template => 'administrator/list.tt',
 );
 my $cols = [
@@ -42,23 +43,23 @@ sub list_admin :PathPart('administrator') :Chained('/') :CaptureArgs(0) {
 { name => "billing_data", title => $c->loc("Show Billing Info") },
 { name => "can_reset_password", title => $c->loc("Can Reset Password") },
 );
- if($c->user->is_superuser) {
- @{ $cols } = (@{ $cols }, { name => "lawful_intercept", title => $c->loc("Lawful Intercept") });
- }
 $c->stash->{admin_dt_columns} = NGCP::Panel::Utils::Datatables::set_columns($c, $cols);
 $c->stash->{special_admin_login} = NGCP::Panel::Utils::Auth::get_special_admin_login();
 return;
 }
 sub _admin_resultset_admin {
- my ($self, $c) = @_;
- return $c->model('DB')->resultset('admins');
+ my ($self, $c, $is_li_admin) = @_;
+ my $condition = $is_li_admin ? {'me.id' => $c->user->id} : {lawful_intercept => 0};
+ return $c->model('DB')->resultset('admins')->search($condition);
 }
 sub _admin_resultset_reseller {
- my ($self, $c) = @_;
+ my ($self, $c, $is_li_admin) = @_;
+ my $condition = $is_li_admin ? {'me.id' => $c->user->id} : {lawful_intercept => 0};
 return $c->model('DB')->resultset('admins')->search({
 reseller_id => $c->user->reseller_id,
+ %$condition
 });
 }
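Review bot: Only `_admin_resultset_admin` and `_admin_resultset_reseller` gain the lawful-intercept filter, while `list_admin` picks its method from `'_admin_resultset_' . $c->user->roles`; any resultset method for another role that lives outside this hunk would now receive `$is_li_admin` and still return LI admins, which is worth checking. The filter expression is also written out in both methods and again in `_item_rs` (Role/API/Admins.pm), and it mixes a qualified `'me.id'` with an unqualified `lawful_intercept`. One shared helper returning the condition, with the column written as `'me.lawful_intercept' => 0`, would keep the three copies from drifting apart.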
@@ -148,8 +149,8 @@ sub base :Chained('list_admin') :PathPart('') :CaptureArgs(1) {
 );
 NGCP::Panel::Utils::Navigation::back_or($c, $c->uri_for('/administrator'));
 }
- $c->stash(administrator => $c->stash->{admins}->find($administrator_id));
- unless($c->stash->{administrator}) {
+ $c->stash(administrator => $c->stash->{admins}->find({id => $administrator_id}));
+ if(!$c->stash->{administrator} || ($c->stash->{administrator} && $c->stash->{administrator}->lawful_intercept && $administrator_id != $c->user->id)) {
 NGCP::Panel::Utils::Message::error(
 c => $c,
 desc => $c->loc('Administrator not found'),
@@ -180,7 +181,8 @@ sub edit :Chained('base') :PathPart('edit') :Args(0) {
 posted => $posted,
 params => $c->request->params,
 item => $params,
- inactive => $c->stash->{administrator}->id != $c->user->id ? ['password'] : [],
+ inactive => $c->stash->{administrator}->id != $c->user->id ? ['password'] :
+ $c->user->lawful_intercept ? ['login', 'is_superuser', 'is_ccare', 'is_master', 'is_active', 'read_only', 'show_passwords', 'call_data', 'billing_data', 'can_reset_password'] : [],
 );
 NGCP::Panel::Utils::Navigation::check_form_buttons(
 c => $c,
diff --git a/lib/NGCP/Panel/Form/Administrator/Admin.pm b/lib/NGCP/Panel/Form/Administrator/Admin.pm
index 0ba0b8a0af..3b4c409ff7 100644
--- a/lib/NGCP/Panel/Form/Administrator/Admin.pm
+++ b/lib/NGCP/Panel/Form/Administrator/Admin.pm
@@ -5,9 +5,7 @@ extends 'NGCP::Panel::Form::Administrator::Reseller';
 use NGCP::Panel::Utils::Auth;
-for (qw(is_superuser lawful_intercept)) {
- has_field $_ => (type => 'Boolean',);
-}
+has_field 'is_superuser' => (type => 'Boolean',);
 has_field 'reseller' => (
 type => '+NGCP::Panel::Field::Reseller',
 label => 'Reseller',
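Review bot: In the new `if` in `base`, the inner `$c->stash->{administrator} &&` is redundant, because the right-hand side of `||` only runs when the row exists, and the ownership test compares the raw capture `$administrator_id` rather than the id of the row that was loaded. Reading the row once makes the guard easier to audit: `my $admin = $c->stash->{administrator};` followed by `if (!$admin || ($admin->lawful_intercept && $admin->id != $c->user->id)) {`. A short comment such as `# LI admins are reported as "not found" to everyone but themselves` would record why the generic error is reused. The body of `base` starts and ends outside the hunk.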
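Review bot: The `inactive` list for an LI admin editing their own record names ten fields, but the Admin form's `render_list` in this commit also renders `reseller`, which is not among them, so that field appears to stay editable for an LI admin who gets this form. The chained `?:` also relies on precedence with no parentheses, and the same field list is repeated as a `delete` slice in `update_item` (Role/API/Admins.pm). Consider a named list shared by both places, with `'reseller'` added if LI admins must not move between resellers, and wrap the inner conditional as `: ($c->user->lawful_intercept ? [...] : [])`. The form construction call and the rest of `edit` lie outside the hunk.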
@@ -17,7 +15,7 @@ has_block 'fields' => (
 tag => 'div',
 class => [qw(modal-body)],
 render_list => [qw(
- reseller login password email is_superuser is_master is_ccare is_active read_only show_passwords call_data billing_data lawful_intercept can_reset_password
+ reseller login password email is_superuser is_master is_ccare is_active read_only show_passwords call_data billing_data can_reset_password
 )],
 );
diff --git a/lib/NGCP/Panel/Role/API/Admins.pm b/lib/NGCP/Panel/Role/API/Admins.pm
index 2ed1d4b79b..7d55b4f241 100644
--- a/lib/NGCP/Panel/Role/API/Admins.pm
+++ b/lib/NGCP/Panel/Role/API/Admins.pm
@@ -32,18 +32,22 @@ sub _item_rs {
 my ($self, $c) = @_;
 my $item_rs = $c->model('DB')->resultset('admins');
+ my $condition = $c->user->lawful_intercept ? {'me.id' => $c->user->id} : {lawful_intercept => 0};
 if($c->user->roles eq "reseller") {
 $item_rs = $item_rs->search({
- reseller_id => $c->user->reseller_id
+ reseller_id => $c->user->reseller_id,
+ %$condition
 });
 }
 if($c->user->is_master || $c->user->is_superuser) {
- # return all (or all of reseller) admins
+ # return all (or all of reseller) admins except lawful intercept admin
+ $item_rs = $item_rs->search($condition);
 } else {
 # otherwise, only return the own admin if master is not set
 $item_rs = $item_rs->search({
 id => $c->user->id,
+ %$condition
 });
 }
 return $item_rs;
@@ -79,7 +83,7 @@ sub process_form_resource{
 $resource->{md5pass} = undef;
 $resource->{saltedpass} = NGCP::Panel::Utils::Auth::generate_salted_hash($pass);
 }
- foreach my $f(qw/billing_data call_data is_active is_master is_superuser is_ccare lawful_intercept read_only show_passwords/) {
+ foreach my $f(qw/billing_data call_data is_active is_master is_superuser is_ccare read_only show_passwords/) {
 $resource->{$f} = (ref $resource->{$f} eq 'JSON::true' || ( defined $resource->{$f} && ( $resource->{$f} eq 'true' || $resource->{$f} eq '1' ) ) ) ? 1 : 0;
 }
 return $resource;
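Review bot: `$condition` is merged into the reseller search and then applied a second time in whichever branch of the `is_master`/`is_superuser` test runs, so reseller users get the same predicate twice, and the non-master branch ends up with both `id` and `'me.id'` for an LI admin. Applying it once where the resultset is created, `my $item_rs = $c->model('DB')->resultset('admins')->search($condition);`, and dropping the later uses gives the same rows with one place to audit. The updated comment also says the branch returns all admins except the LI admin, which is not what an LI caller gets (only their own row); `# all visible admins (LI admins see only themselves)` would be more accurate.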
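Review bot: Taking `lawful_intercept` out of the coercion loop stops normalising the flag but does not remove the key, so whether a client-supplied `lawful_intercept` still reaches the database depends on the API form, which is not part of this diff. If the intent is that the flag can no longer be set through this endpoint, state it in code right after the loop with `delete $resource->{lawful_intercept};`. `update_item` in this commit does not name the key in its `delete` slice either. The start of `process_form_resource` is outside the hunk.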
@@ -146,6 +150,12 @@ sub update_item { $resource = $old_resource; $resource->{is_active} = $active; } + + if ($c->user->lawful_intercept) { + #allow LI admins to only change password and email + delete @$resource{qw/billing_data call_data can_reset_password is_active is_ccare is_master is_superuser login read_only show_passwords/}; + } + $item->update($resource); return $item;
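Review bot: The `delete` slice is a deny-list, while the comment states an allow-list intent ("only change password and email"); any key it does not name, for example `reseller_id` if the resource carries it, still goes to `$item->update`, and a privilege column added later is writable by LI admins until someone extends the list. Keeping only the permitted keys matches the comment: `my %keep = map { $_ => 1 } qw/email md5pass saltedpass/;` then `delete @$resource{ grep { !$keep{$_} } keys %$resource };` (key names taken from `process_form_resource` and the form's field list; confirm them against the resource at this point). The dropped fields are also discarded silently, so a rejected privilege change leaves no trace; a log line when the slice removes something would help detection. `update_item` begins outside the hunk.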