Merge pull request #335 from LDAPAccountManager/feature/285_owner_access

Feature/285 owner access

lam/HISTORY

@@ -8,6 +8,7 @@ June 2024 8.8
   -> Request access: request data can be imported and exported as part of configuration
   -> Request access: added $$approveLink$$ and $$rejectLink$$ in approval mails
   -> Request access: added history (283)
+  -> Request access: allow to request group ownership
  - Fixed bugs:
   -> Custom Fields: LDAP search select list - wrong value for empty option (334)
 

lam/docs/manual-sources/chapter-selfService.xml

@@ -1886,21 +1886,30 @@
       <title>Request Access</title>
 
       <para>Use this feature to allow your users to request access for group
-      memberships. Requests will require the approval by the group
+      memberships/ownerships. Requests will require the approval by the group
       owners/managers and optionally a special approver group (leave empty for
       owner/manager approval only).</para>
 
+      <para><emphasis role="bold">Setup cleanup</emphasis></para>
+
+      <para>Please use the <link linkend="confMainGlobalCron">global cron
+      job</link> to clean any outdated requests or history entries. Here you
+      can configure how long requests should be kept open and when to clean
+      the history.</para>
+
       <para><emphasis role="bold">Module Configuration</emphasis></para>
 
       <para>First, the request access module needs to be activated and
       configured on tab "Module settings". Here tick "Enable request access"
       and provide the information where your groups are located.</para>
 
-      <para>Group of names and group of unique names are supported. The LDAP
-      filter is optional, LAM will offer the user only group of (unique) names
-      or Windows groups that have defined owners/managers.<screenshot>
+      <para>Group of names, group of unique names and Windows groups are
+      supported. The LDAP filter is optional, LAM will offer the user only
+      groups of (unique) names or Windows groups that have defined
+      owners/managers.<screenshot>
           <graphic fileref="images/mod_requestAccess1.png"/>
-        </screenshot></para>
+        </screenshot><literallayout>
+</literallayout></para>
 
       <para><screenshot>
           <graphic fileref="images/mod_requestAccess1a.png"/>
@@ -1916,6 +1925,14 @@
       <para>The wildcard $$requested_groups$$ will resolve to the requested
       groups. This is available for all mails.</para>
 
+      <para>In addition, $$requested_groups_member$$ and
+      $$requested_groups_owner$$ can be used to inject the groups for member
+      or owner requests (only emails for approved/denied requests).</para>
+
+      <para>Use the wildcard $$requested_type$$ in owner emails to get the
+      request type (Member/Owner). The request type label is replaced in the
+      language of the requester's self service session.</para>
+
       <para>The wildcard $$requester_notes$$ resolves to the requester's
       optional notes. This is available for the mails to the group
       owners/managers.</para>
@@ -1996,6 +2013,28 @@
           <para>Request Access: Approver view - Approver view for approver
           group</para>
         </listitem>
+
+        <listitem>
+          <para>Request Access: History of own requests - History of the
+          current user's requests</para>
+        </listitem>
+
+        <listitem>
+          <para>Request Access: History of requests - History of all
+          requests</para>
+
+          <itemizedlist>
+            <listitem>
+              <para>Users that have no approver role see only requests for
+              their managed groups</para>
+            </listitem>
+
+            <listitem>
+              <para>Users that are neither approver nor managing groups will
+              not see anything</para>
+            </listitem>
+          </itemizedlist>
+        </listitem>
       </itemizedlist>
 
       <para>You can set custom labels using the pencil icon.</para>
@@ -2017,7 +2056,7 @@
         <graphic fileref="images/mod_requestAccess4.png"/>
       </screenshot>
 
-      <para><emphasis role="bold">Approval view</emphasis></para>
+      <para><emphasis role="bold">Owner/approver view</emphasis></para>
 
       <para>Once the request is created, all owners of the respective groups
       get an email notification. They can then enter self service and view
@@ -2031,6 +2070,18 @@
       <screenshot>
         <graphic fileref="images/mod_requestAccess5.png"/>
       </screenshot>
+
+      <para><emphasis role="bold">Own request history</emphasis></para>
+
+      <screenshot>
+        <graphic fileref="images/mod_requestAccess6.png"/>
+      </screenshot>
+
+      <para><emphasis role="bold">Request history</emphasis></para>
+
+      <screenshot>
+        <graphic fileref="images/mod_requestAccess7.png"/>
+      </screenshot>
     </section>
 
     <section>

lam/lib/account.inc

@@ -1171,7 +1171,7 @@ function getAbstractDN($dn) {
 			$parts[$i] = $subparts[1];
 		}
 	}
-	$abstractDn = implode(' > ', $parts);
+	$abstractDn = implode(' ❭ ', $parts);
 	return unescapeLdapSpecialCharacters($abstractDn);
 }
 

lam/lib/html.inc

@@ -448,6 +448,7 @@ class htmlDataTable extends htmlElement {
 			$columnOptions[] = '{
 				title: "' . $column->label . '",
 				field: "' . $column->name . '",
+				headerTooltip: "' . $column->label . '",
 				formatter: "textarea"
 				' . $headerFilter . '
 			}';

lam/lib/modules/windowsGroup.inc

@@ -7,7 +7,7 @@ use \LAM\TYPES\TypeManager;
 /*
 
   This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
-  Copyright (C) 2013 - 2023  Roland Gruber
+  Copyright (C) 2013 - 2024  Roland Gruber
 
   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -1104,6 +1104,7 @@ class windowsGroup extends baseModule {
 			'info' => _('Notes'),
 			'member' => _('Members'),
 			'memberof' => _('Member of'),
+			'managedby' => _('Managed by'),
 			'grouptype' => _('Group type'),
 			'groupscope' => _('Group scope'),
 			'whencreated' => _('Creation time'),

lam/templates/config/confImportExport.php

@@ -93,7 +93,7 @@ if (isset($_POST['exportConfig']) && $cfg->checkPassword($_SESSION["mainconf_pas
 			throw new LAMException(_('Unable to create temporary file.'));
         }
         $fileSize = filesize($zipFile);
-		if ($fileSize === false) {
+		if (($fileSize === false) || ($fileSize <= 0)) {
 			throw new LAMException(_('Unable to create temporary file.'));
 		}
         $contents = fread($handle, $fileSize);

lam/tests/lib/AccountTest.php

@@ -2,7 +2,7 @@
 use PHPUnit\Framework\TestCase;
 /*
  This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
- Copyright (C) 2018 - 2023  Roland Gruber
+ Copyright (C) 2018 - 2024  Roland Gruber
 
  This program is free software; you can redistribute it and/or modify
  it under the terms of the GNU General Public License as published by
@@ -144,9 +144,9 @@ class AccountTest extends TestCase {
 	 * Tests getAbstractDN().
 	 */
 	function testGetAbstractDN() {
-		$this->assertEquals('test > test > de', getAbstractDN('cn=test,o=test,c=de'));
-		$this->assertEquals('test,user > test > de', getAbstractDN('cn=test\\,user,o=test,c=de'));
-		$this->assertEquals('test,user > test > de', getAbstractDN('cn=test\\2Cuser,o=test,c=de'));
+		$this->assertEquals('test ❭ test ❭ de', getAbstractDN('cn=test,o=test,c=de'));
+		$this->assertEquals('test,user ❭ test ❭ de', getAbstractDN('cn=test\\,user,o=test,c=de'));
+		$this->assertEquals('test,user ❭ test ❭ de', getAbstractDN('cn=test\\2Cuser,o=test,c=de'));
 	}
 
 	/**