new: Allow further role settings

- exclude a role from non site admin assignment
- set max memory usage and execution time / role

app/Controller/AppController.php

@@ -282,6 +282,18 @@ class AppController extends Controller {
 					$this->redirect(array('controller' => 'users', 'action' => 'login', 'admin' => false));
 				}
 			}
+			$this->set('default_memory_limit', ini_get('memory_limit'));
+			if (isset($this->Auth->user('Role')['memory_limit'])) {
+				if ($this->Auth->user('Role')['memory_limit'] !== '') {
+					ini_set('memory_limit', $this->Auth->user('Role')['memory_limit']);
+				}
+			}
+			$this->set('default_max_execution_time', ini_get('max_execution_time'));
+			if (isset($this->Auth->user('Role')['max_execution_time'])) {
+				if ($this->Auth->user('Role')['max_execution_time'] !== '') {
+					ini_set('max_execution_time', $this->Auth->user('Role')['max_execution_time']);
+				}
+			}
 		} else {
 			if (!($this->params['controller'] === 'users' && $this->params['action'] === 'login')) $this->redirect(array('controller' => 'users', 'action' => 'login', 'admin' => false));
 		}

app/Controller/UsersController.php

@@ -490,7 +490,12 @@ class UsersController extends AppController {
 				$this->loadModel('Role');
 				$this->Role->recursive = -1;
 				$chosenRole = $this->Role->findById($this->request->data['User']['role_id']);
-				if ($chosenRole['Role']['perm_site_admin'] == 1 || $chosenRole['Role']['perm_regexp_access'] == 1 || $chosenRole['Role']['perm_sync'] == 1) {
+				if (
+					$chosenRole['Role']['perm_site_admin'] == 1 ||
+					$chosenRole['Role']['perm_regexp_access'] == 1 ||
+					$chosenRole['Role']['perm_sync'] == 1 ||
+					$chosenRole['Role']['restricted_to_site_admin'] == 1
+				) {
 					throw new Exception('You are not authorised to assign that role to a user.');
 				}
 			}
@@ -617,7 +622,7 @@ class UsersController extends AppController {
 			$params = array('conditions' => array(
 					'OR' => array(
 							'AND' => array(
-								'perm_site_admin' => 0, 'perm_sync' => 0, 'perm_regexp_access' => 0
+								'perm_site_admin' => 0, 'perm_sync' => 0, 'perm_regexp_access' => 0, 'restricted_to_site_admin' => 0
 							),
 							'id' => $allowedRole,
 					)

app/Model/AppModel.php

@@ -60,7 +60,7 @@ class AppModel extends Model {
 	);
 
 	public $db_changes = array(
-		1 => false, 2 => false, 3 => false
+		1 => false, 2 => false, 3 => false, 4 => true
 	);
 
 	function afterSave($created, $options = array()) {
@@ -862,7 +862,6 @@ class AppModel extends Model {
 				$indexArray[] = array('attributes', 'deleted');
 				break;
 			case '2.4.86':
-
 				break;
 			case '2.4.87':
 				$sqlArray[] = "ALTER TABLE `feeds` ADD `headers` TEXT COLLATE utf8_bin;";
@@ -886,6 +885,11 @@ class AppModel extends Model {
 				$this->__addIndex('fuzzy_correlate_ssdeep', 'chunk');
 				$this->__addIndex('fuzzy_correlate_ssdeep', 'attribute_id');
 				break;
+			case 4:
+				$sqlArray[] = 'ALTER TABLE `roles` ADD `memory_limit` VARCHAR(255) COLLATE utf8_bin DEFAULT "";';
+				$sqlArray[] = 'ALTER TABLE `roles` ADD `max_execution_time` VARCHAR(255) COLLATE utf8_bin DEFAULT "";';
+				$sqlArray[] = "ALTER TABLE `roles` ADD `restricted_to_site_admin` tinyint(1) NOT NULL DEFAULT 0;";
+				break;
 			case 'fixNonEmptySharingGroupID':
 				$sqlArray[] = 'UPDATE `events` SET `sharing_group_id` = 0 WHERE `distribution` != 4;';
 				$sqlArray[] = 'UPDATE `attributes` SET `sharing_group_id` = 0 WHERE `distribution` != 4;';

app/Model/Role.php

@@ -67,7 +67,7 @@ class Role extends AppModel {
 		'perm_sharing_group' => array('id' => 'RolePermSharingGroup', 'text' => 'Sharing Group Editor', 'readonlyenabled' => false),
 		'perm_delegate' => array('id' => 'RolePermDelegate', 'text' => 'Delegations Access', 'readonlyenabled' => false),
 		'perm_sighting' => array('id' => 'RolePermSighting', 'text' => 'Sighting Creator', 'readonlyenabled' => true),
-		'perm_object_template' => array('id' => 'RolePermObjectTemplate', 'text' => 'Object Template Editor', 'readonlyenabled' => false),
+		'perm_object_template' => array('id' => 'RolePermObjectTemplate', 'text' => 'Object Template Editor', 'readonlyenabled' => false)
 	);
 
 	public $premissionLevelName = array('Read Only', 'Manage Own Events', 'Manage Organisation Events', 'Manage and Publish Organisation Events');
@@ -119,6 +119,20 @@ class Role extends AppModel {
 					$this->data['Role'][$permFlag] = 0;
 				}
 			}
+			if (!isset($this->data['Role']['max_execution_time'])) {
+				$this->data['Role']['max_execution_time'] = '';
+			} else if ($this->data['Role']['max_execution_time'] !== '') {
+				$this->data['Role']['max_execution_time'] = intval($this->data['Role']['max_execution_time']);
+			}
+			if (!isset($this->data['Role']['memory_limit'])) {
+				$this->data['Role']['memory_limit'] = '';
+			} else if (
+				$this->data['Role']['memory_limit'] !== '' &&
+				!preg_match('/^[0-9]+[MG]$/i', $this->data['Role']['memory_limit']) &&
+				$this->data['Role']['memory_limit'] != -1
+			) {
+				$this->data['Role']['memory_limit'] = '';
+			}
 		}
 		return true;
 	}

app/View/Roles/admin_add.ctp

@@ -2,9 +2,23 @@
 <?php echo $this->Form->create('Role'); ?>
 	<fieldset>
 		<legend><?php echo __('Add Role');?></legend>
-	<?php
-		echo $this->Form->input('name');?>
-		<?php echo $this->Form->input('permission', array('type' => 'select', 'options' => $options), array('value' => '3'));?>
+		<?php
+			echo $this->Form->input('restricted_to_site_admin', array(
+				'type' => 'checkbox',
+				'class' => 'checkbox readonlyenabled',
+				'label' => __('Restrict to site admins')
+			));
+		?>
+			<div class = 'input clear'></div>
+		<?php
+			echo $this->Form->input('name');
+			echo $this->Form->input('permission', array('type' => 'select', 'options' => $options), array('value' => '3'));
+		?>
+		<div class = 'input clear'></div>
+		<?php
+			echo $this->Form->input('memory_limit', array('label' => __('Memory limit') .  ' (' . h($default_memory_limit) . ')'));
+			echo $this->Form->input('max_execution_time', array('label' => __('Maximum execution time') . ' (' . h($default_max_execution_time) . ')'));
+		?>
 		<div class = 'input clear'></div>
 		<?php
 			$counter = 1;

app/View/Roles/admin_edit.ctp

@@ -2,10 +2,23 @@
 <?php echo $this->Form->create('Role');?>
 	<fieldset>
 		<legend><?php echo __('Edit Role'); ?></legend>
+		<?php
+			echo $this->Form->input('restricted_to_site_admin', array(
+				'type' => 'checkbox',
+				'class' => 'checkbox readonlyenabled',
+				'label' => __('Restrict to site admins')
+			));
+		?>
+		<div class = 'input clear'></div>
 	<?php
 		echo $this->Form->input('name');?>
 		<?php echo $this->Form->input('permission', array('label' => __('Permissions'), 'type' => 'select', 'options' => $options), array('value' => '3'));?>
 		<div class = 'input clear'></div>
+		<?php
+			echo $this->Form->input('memory_limit', array('label' => __('Memory limit') .  ' (' . h($default_memory_limit) . ')'));
+			echo $this->Form->input('max_execution_time', array('label' => __('Maximum execution time') . ' (' . h($default_max_execution_time) . ')'));
+		?>
+		<div class = 'input clear'></div>
 		<?php
 			$counter = 1;
 			foreach ($permFlags as $k => $flag):

app/View/Roles/admin_index.ctp

@@ -21,6 +21,7 @@
 			<th><?php echo $this->Paginator->sort('id');?></th>
 			<th><?php echo __('Default');?></th>
 			<th><?php echo $this->Paginator->sort('name');?></th>
+			<th><?php echo $this->Paginator->sort('restricted_to_site_admin');?></th>
 			<th><?php echo $this->Paginator->sort('permission', 'Permission');?></th>
 			<?php
 				foreach ($permFlags as $k => $flags):
@@ -29,6 +30,8 @@
 			<?php
 				endforeach;
 			?>
+			<th><?php echo $this->Paginator->sort('memory_limit');?></th>
+			<th><?php echo $this->Paginator->sort('max_execution_time');?></th>
 			<th class="actions"><?php echo __('Actions');?></th>
 	</tr><?php
 foreach ($list as $item): ?>
@@ -36,10 +39,29 @@ foreach ($list as $item): ?>
 		<td><?php echo $this->Html->link(h($item['Role']['id']), array('admin' => true, 'action' => 'edit', $item['Role']['id'])); ?>&nbsp;</td>
 		<td class="short" style="text-align:center;width:20px;"><input class="servers_default_role_checkbox" type="checkbox" data-id="<?php echo h($item['Role']['id']); ?>" <?php if ($default_role_id && $default_role_id == $item['Role']['id']) echo 'checked'; ?>></td>
 		<td><?php echo h($item['Role']['name']); ?>&nbsp;</td>
+		<td class="short"><span class="<?php if ($item['Role']['restricted_to_site_admin']) echo 'icon-ok'; ?>"></span>&nbsp;</td>
 		<td><?php echo h($options[$item['Role']['permission']]); ?>&nbsp;</td>
 		<?php foreach ($permFlags as $k => $flags): ?>
 			<td class="short"><span class="<?php if ($item['Role'][$k]) echo 'icon-ok'; ?>"></span>&nbsp;</td>
 		<?php endforeach; ?>
+		<td class="short">
+			<?php
+				if (empty($item['Role']['memory_limit'])) {
+					echo h($default_memory_limit);
+				} else {
+					echo h($item['Role']['memory_limit']);
+				}
+			?>
+		</td>
+		<td class="short">
+			<?php
+				if (empty($item['Role']['max_execution_time'])) {
+					echo h($default_max_execution_time);
+				} else {
+					echo h($item['Role']['max_execution_time']);
+				}
+			?>
+		</td>
 		<td class="short action-links">
 			<?php echo $this->Html->link('', array('admin' => true, 'action' => 'edit', $item['Role']['id']), array('class' => 'icon-edit', 'title' => 'Edit')); ?>
 			<?php echo $this->Form->postLink('', array('admin' => true, 'action' => 'delete', $item['Role']['id']), array('class' => 'icon-trash', 'title' => __('Delete')), __('Are you sure you want to delete %s?', $item['Role']['name'])); ?>