#!/usr/bin/perl

=head1 modify-admin.pl

Updates an extra administrator for a virtual server

This program can be used to change the details of an extra administrator.
The required parameters are C<--domain> followed by the domain name, and
C<--name> followed by the administrator account name, which specify the
account to change.

You can then use the C<--pass> parameter to set a new password, C<--desc> to
change the description, and C<--newname> to change the login name. The admin
can be allowed to denied the ability to create servers, rename domains, manage
features and use other Webmin modules with the C<--can-create>,
C<--cannot-create>, C<--can-rename>, C<--cannot-rename>, C<--can-features>,
C<--cannot-features>, C<--can-modules> and C<--cannot-modules> options
respectively.

When renaming C<--append> flag can be used to add the domain name, prefix or
suffix to the final admin username. Similarly, C<--no-append> can be used to
prevent this from happening. If neither flag is given, the default behavior
set in the Virtualmin configuration will be used.

The extra admin's contact email address can be set or changed with the 
C<--email> flag (followed by an address), or removed with the C<--no-email>
parameter.

Editing capabilities can be granted to the user with the C<--can-edit> option
followed by a capability name. Similarly, they can be taken away with the
C<--cannot-edit> option.

To add a domain to the list of those an extra administrator is allowed to
manage, use the C<--add-domain> flag followed by a domain name. If all virtual
servers are currently allowed, this will restrict the extra admin to just that
virtual server.

To remove a server from the allowed list, use the C<--remove-domain> parameter
followed by the domain name. To grant access to all virtual servers under
the parent server, use the C<--all-domains> flag.

=cut

package virtual_server;
if (!$module_name) {
	$main::no_acl_check++;
	$ENV{'WEBMIN_CONFIG'} ||= "/etc/webmin";
	$ENV{'WEBMIN_VAR'} ||= "/var/webmin";
	if ($0 =~ /^(.*)\/[^\/]+$/) {
		chdir($pwd = $1);
		}
	else {
		chop($pwd = `pwd`);
		}
	$0 = "$pwd/modify-admin.pl";
	require './virtual-server-lib.pl';
	$< == 0 || die "modify-admin.pl must be run as root";
	}
&licence_status();
@OLDARGV = @ARGV;

# Parse command-line args
$append = $config{'appendadmin'};
while(@ARGV > 0) {
	local $a = shift(@ARGV);
	if ($a eq "--domain") {
		$domain = shift(@ARGV);
		}
	elsif ($a eq "--name") {
		$name = shift(@ARGV);
		}
	elsif ($a eq "--newname") {
		$newname = shift(@ARGV);
		}
	elsif ($a eq "--pass") {
		$pass = shift(@ARGV);
		}
	elsif ($a eq "--passfile") {
		$pass = &read_file_contents(shift(@ARGV));
		$pass =~ s/\r|\n//g;
		}
	elsif ($a eq "--desc") {
		$desc = shift(@ARGV);
		}
	elsif ($a eq "--email") {
		$email = shift(@ARGV);
		}
	elsif ($a eq "--no-email") {
		$email = "";
		}
	elsif ($a eq "--can-edit" || $a eq "--cannot-edit") {
		$edit = shift(@ARGV);
		&indexof($edit, @edit_limits) >= 0 ||
			&usage("Unknown edit capability. Valid capabilities are : ".join(" ", @edit_limits));
		if ($a eq "--can-edit") { push(@canedits, $edit); }
		else { push(@cannotedits, $edit); }
		}
	elsif ($a eq "--can-create") {
		$create = 1;
		}
	elsif ($a eq "--cannot-create") {
		$create = 0;
		}
	elsif ($a eq "--can-rename") {
		$norename = 0;
		}
	elsif ($a eq "--cannot-rename") {
		$norename = 1;
		}
	elsif ($a eq "--can-features") {
		$features = 1;
		}
	elsif ($a eq "--cannot-features") {
		$features = 0;
		}
	elsif ($a eq "--can-modules") {
		$modules = 1;
		}
	elsif ($a eq "--cannot-modules") {
		$modules = 0;
		}
	elsif ($a eq "--all-domains") {
		$allowedall = 1;
		}
	elsif ($a eq "--add-domain") {
		push(@allowednames, shift(@ARGV));
		}
	elsif ($a eq "--remove-domain") {
		push(@deniednames, shift(@ARGV));
		}
	elsif ($a eq "--append") {
		$append = 1;
		}
	elsif ($a eq "--no-append") {
		$append = 0;
		}
	elsif ($a eq "--multiline") {
		$multiline = 1;
		}
	elsif ($a eq "--help") {
		&usage();
		}
	else {
		&usage("Unknown parameter $a");
		}
	}

$domain && $name || &usage("No domain or username specified");
$d = &get_domain_by("dom", $domain);
$d || usage("Virtual server $domain does not exist");

# Find the admin
&obtain_lock_webmin();
@admins = &list_extra_admins($d);
($admin) = grep { $_->{'name'} eq $name ||
		  $_->{'origname'} eq $name } @admins;
$admin || &usage("Extra administrator $name does not exist in this virtual server");
$old = { %$admin };

# Update the object
if (defined($newname)) {
	# Changing username, perhaps updating to match the domain
	($clash) = grep { $_->{'origname'} eq $newname } @admins;
	$clash && &usage("An extra admin named $newname already exists");
	if ($admin->{'name'} ne $admin->{'origname'} && $append) {
		$admin->{'origname'} = $newname;
		$newname = &userdom_name($newname, $d);
		}
	&require_acl();
	($clash) = grep { $_->{'name'} eq $newname } &acl::list_users();
	$clash && &usage("The Webmin username $newname is already in use");
	$admin->{'name'} = $newname;
	}
if (defined($pass)) {
	$admin->{'pass'} = $pass;
	}
if (defined($desc)) {
	$admin->{'desc'} = $desc;
	}
if (defined($email)) {
	if ($email) {
		$admin->{'email'} = $email;
		}
	else {
		delete($admin->{'email'});
		}
	}
if (defined($create)) {
	$admin->{'create'} = $create;
	}
if (defined($norename)) {
	$admin->{'norename'} = $norename;
	}
if (defined($features)) {
	$admin->{'features'} = $features;
	}
if (defined($modules)) {
	$admin->{'modules'} = $modules;
	}
foreach $e (@canedits) {
	$admin->{'edit_'.$e} = 1;
	}
foreach $e (@cannotedits) {
	$admin->{'edit_'.$e} = 0;
	}

# Apply allowed domain changes
@allowed = split(/\s+/, $admin->{'doms'});
if ($allowedall) {
	@allowed = ( );
	}
foreach $aname (@allowednames) {
	$a = &get_domain_by("dom", $aname);
        $a || &usage("The allowed virtual server $aname does not exist");
	$a->{'user'} eq $d->{'user'} ||
                &usage("The allowed virtual server $a->{'dom'} is not owned ".
                       "by the same user as $d->{'dom'}");
	push(@allowed, $a->{'id'});
	}
foreach $aname (@deniednames) {
	$a = &get_domain_by("dom", $aname);
        $a || &usage("The allowed virtual server $aname does not exist");
	@allowed = grep { $_ ne $a->{'id'} } @allowed;
	@allowed || &usage("You cannot remove all allowed virtual servers");
	}
if (@allowed) {
        $admin->{'doms'} = join(" ", @allowed);
        }
else {
	delete($admin->{'doms'});
	}

# Save him
&modify_extra_admin($admin, $old, $d);
&release_lock_webmin();
&run_post_actions_silently();
&virtualmin_api_log(\@OLDARGV, $d);
print "Extra administrator $name modified successfully\n";

sub usage
{
print "$_[0]\n\n" if ($_[0]);
print "Modifies an extra administrator associated with some virtual server.\n";
print "\n";
print "virtualmin modify-admin --domain domain.name\n";
print "                        --name login\n";
print "                       [--newname login]\n";
print "                       [--pass password | --passfile password-file]\n";
print "                       [--desc description]\n";
print "                       [--email user\@domain | --no-email]\n";
print "                       [--can-create] | [--cannot-create]\n";
print "                       [--can-rename] | [--cannot-rename]\n";
print "                       [--can-features] | [--cannot-features]\n";
print "                       [--can-modules] | [--cannot-modules]\n";
print "                       [--can-edit capability]*\n";
print "                       [--cannot-edit capability]*\n";
print "                       [--all-domains]\n";
print "                       [--add-domain name]* [--remove-domain name]*\n";
print "                       [--append | --no-append]\n";
exit(1);
}