Context Navigation

source: trunk/dns.cgi@ 410

Last change on this file since 410 was 397, checked in by Kris Deugau, 12 years ago

/trunk

Caught some inconsistencies getting the RPC CGI updated.

Normalize to use of odd in record list, same as other lists. Also normalize which case is which in templates so all lists look consistent.
Normalize calling convention and database calls in list-getting subs
- getZoneList, with light tweak to template for field name
- getDomRecs, with conversion from fixed arguments to hash
Normalize checks on list offsets to the best one, from getZoneList

Property svn:executable set to *
Property svn:keywords set to Date Rev Author Id

File size: 87.2 KB

Line
1	#!/usr/bin/perl -w -T
2	# Main web UI script for DeepNet DNS Administrator
3	##
4	# $Id: dns.cgi 397 2012-10-02 22:15:38Z kdeugau $
5	# Copyright 2008-2012 Kris Deugau <kdeugau@deepnet.cx>
6	#
7	# This program is free software: you can redistribute it and/or modify
8	# it under the terms of the GNU General Public License as published by
9	# the Free Software Foundation, either version 3 of the License, or
10	# (at your option) any later version.
11	#
12	# This program is distributed in the hope that it will be useful,
13	# but WITHOUT ANY WARRANTY; without even the implied warranty of
14	# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15	# GNU General Public License for more details.
16	#
17	# You should have received a copy of the GNU General Public License
18	# along with this program. If not, see <http://www.gnu.org/licenses/>.
19	##
20
21	use strict;
22	use warnings;
23
24	use CGI::Carp qw (fatalsToBrowser);
25	use CGI::Simple;
26	use HTML::Template;
27	use CGI::Session;
28	use Crypt::PasswdMD5;
29	use Digest::MD5 qw(md5_hex);
30	use Net::DNS;
31	use DBI;
32	use Data::Dumper;
33
34	#sub is_tainted {
35	# # from perldoc perlsec
36	# return ! eval { eval("#" . substr(join("", @_), 0, 0)); 1 };
37	#}
38	#use Cwd 'abs_path';
39	#use File::Basename;
40	#use lib dirname( abs_path $0 );
41	#die "argh! tainted!" if is_tainted($0);
42	#die "argh! \@INC got tainted!" if is_tainted(@INC);
43
44	# don't remove! required for GNU/FHS-ish install from tarball
45	use lib '.'; ##uselib##
46
47	use DNSDB qw(:ALL);
48
49	my @debugbits; # temp, to be spit out near the end of processing
50	my $debugenv = 0;
51
52	# Let's do these templates right...
53	my $templatedir = "templates";
54
55	# Set up the CGI object...
56	my $q = new CGI::Simple;
57	# ... and get query-string params as well as POST params if necessary
58	$q->parse_query_string;
59
60	# This is probably excessive fiddling, but it puts the parameters somewhere my fingers know about...
61	my %webvar = $q->Vars;
62
63	# shut up some warnings, in case we arrive somewhere we forgot to set this
64	$webvar{defrec} = 'n' if !$webvar{defrec}; # non-default records
65	$webvar{revrec} = 'n' if !$webvar{revrec}; # non-reverse (domain) records
66
67	# load some local system defaults (mainly DB connect info)
68	# note this is not absolutely fatal, since there's a default dbname/user/pass in DNSDB.pm
69	# we'll catch a bad DB connect string once we get to trying that
70	##fixme: pass params to loadConfig, and use them there, to allow one codebase to support multiple sites
71	if (!loadConfig()) {
72	warn "Using default configuration; unable to load custom settings: $DNSDB::errstr";
73	}
74
75	# persistent stuff needed on most/all pages
76	my $sid = ($webvar{sid} ? $webvar{sid} : undef);
77	my $session = new CGI::Session("driver:File", $sid, {Directory => $config{sessiondir}})
78	or die CGI::Session->errstr();
79	#$sid = $session->id() if !$sid;
80	if (!$sid) {
81	# init stuff. can probably axe this down to just above if'n'when user manipulation happens
82	$sid = $session->id();
83	$session->expire($config{timeout});
84	# need to know the "upper" group the user can deal with; may as well
85	# stick this in the session rather than calling out to the DB every time.
86	$session->param('logingroup',1);
87	$session->param('curgroup',1); # yes, we do need to track this too. er, probably.
88	$session->param('domlistsortby','domain');
89	$session->param('domlistorder','ASC');
90	$session->param('revzonessortby','revnet');
91	$session->param('revzonesorder','ASC');
92	$session->param('useradminsortby','user');
93	$session->param('useradminorder','ASC');
94	$session->param('grpmansortby','group');
95	$session->param('grpmanorder','ASC');
96	$session->param('reclistsortby','host');
97	$session->param('reclistorder','ASC');
98	$session->param('loclistsortby','description');
99	$session->param('loclistorder','ASC');
100	$session->param('logsortby','stamp');
101	$session->param('logorder','DESC');
102	}
103
104	# Just In Case. Stale sessions should not be resurrectable.
105	if ($sid ne $session->id()) {
106	$sid = '';
107	changepage(page=> "login", sessexpired => 1);
108	}
109
110	# normal expiry, more or less
111	if ($session->is_expired) {
112	$sid = '';
113	changepage(page=> "login", sessexpired => 1);
114	}
115
116	my $logingroup = ($session->param('logingroup') ? $session->param('logingroup') : 1);
117	my $curgroup = ($session->param('curgroup') ? $session->param('curgroup') : $logingroup);
118
119	# decide which page to spit out...
120	# also set $webvar{page} before we try to use it.
121	$webvar{page} = 'login' if !$webvar{page};
122
123	# per-page startwith, filter, searchsubs
124
125	##fixme: complain-munge-and-continue with non-"[a-z0-9-.]" filter and startwith
126	$webvar{startwith} =~ s/^(0-9\|[a-z]).*/$1/ if $webvar{startwith};
127	# not much call for chars not allowed in domain names
128	$webvar{filter} =~ s/[^a-zA-Z0-9_.:\@-]//g if $webvar{filter};
129	## only set 'y' if box is checked, no other values legal
130	## however, see https://secure.deepnet.cx/trac/dnsadmin/ticket/31
131	# first, drop obvious fakes
132	delete $webvar{searchsubs} if $webvar{searchsubs} && $webvar{searchsubs} !~ /^[ny]/;
133	# strip the known "turn me off!" bit.
134	$webvar{searchsubs} =~ s/^n\s?// if $webvar{searchsubs};
135	# strip non-y/n - note this legitimately allows {searchsubs} to go empty
136	$webvar{searchsubs} =~ s/[^yn]//g if $webvar{searchsubs};
137
138	$session->param($webvar{page}.'startwith', $webvar{startwith}) if defined($webvar{startwith});
139	$session->param($webvar{page}.'filter', $webvar{filter}) if defined($webvar{filter});
140	$session->param($webvar{page}.'searchsubs', $webvar{searchsubs}) if defined($webvar{searchsubs});
141
142	my $startwith = $session->param($webvar{page}.'startwith');
143	my $filter = $session->param($webvar{page}.'filter');
144	my $searchsubs = $session->param($webvar{page}.'searchsubs');
145
146	# ... and assemble the args
147	my @filterargs;
148	push @filterargs, "^[$startwith]" if $startwith;
149	push @filterargs, $filter if $filter;
150
151	# nrgh, can't handle login here because we don't have a database handle to check the user/pass with yet
152
153	my $header = HTML::Template->new(filename => "$templatedir/header.tmpl");
154	my $footer = HTML::Template->new(filename => "$templatedir/footer.tmpl");
155	$header->param(orgname => $config{orgname}) if $config{orgname} ne 'Example Corp';
156	$footer->param(version => $DNSDB::VERSION);
157
158	## set up "URL to self"
159	# @#$%@%@#% XHTML - & in a URL must be escaped. >:(
160	my $uri_self = $ENV{REQUEST_URI};
161	$uri_self =~ s/\&([a-z])/\&amp\;$1/g;
162
163	# le sigh. and we need to strip any previous action
164	$uri_self =~ s/\&action=[^&]+//g;
165
166	# and search filter options. these get stored in the session, but discarded
167	# as soon as you switch to a different page.
168	##fixme: think about retaining these on a per-page basis, as well as offset; same as the sort-order bits
169	no warnings qw(uninitialized);
170	$uri_self =~ s/\&startwith=[a-z09-]*(\&)?/$1/g;
171	$uri_self =~ s/\&searchsubs=[a-z09-]*(\&)?/$1/g;
172	$uri_self =~ s/\&filter=[a-z09-]*(\&)?/$1/g;
173	use warnings qw(uninitialized);
174
175	# Fix up $uri_self so we don't lose the session/page
176	$uri_self .= "?sid=$sid&page=$webvar{page}" if $uri_self =~ m{/dns.cgi$};
177	$uri_self = "$ENV{SCRIPT_NAME}?sid=$sid&page=$webvar{page}$1" if $uri_self =~ m{/dns.cgi\&(.+)$};
178
179	# pagination
180	my $perpage = 15;
181	$perpage = $config{perpage} if $config{perpage};
182	my $offset = ($webvar{offset} ? $webvar{offset} : 0);
183
184	# NB: these must match the field name and SQL ascend/descend syntax respectively
185	my $sortby = "domain";
186	my $sortorder = "ASC";
187
188	##fixme: quit throwing the database handle around, and put all the SQL and direct DB fiddling into DNSDB.pm
189	# dbname, user, pass, host (optional)
190	my ($dbh,$msg) = connectDB($config{dbname}, $config{dbuser}, $config{dbpass}, $config{dbhost});
191
192	if (!$dbh) {
193	print "Content-type: text/html\n\n";
194	print $header->output;
195	my $errpage = HTML::Template->new(filename => "$templatedir/dberr.tmpl");
196	$errpage->param(errmsg => $msg);
197	print $errpage->output;
198	print $footer->output;
199	exit;
200	}
201
202	# Load config pieces from the database. Ideally all but the DB user/pass/etc should be loaded here.
203	initGlobals($dbh);
204
205	# security check - does the user have permission to view this entity?
206	# this is a prep step used "many" places
207	my @viewablegroups;
208	getChildren($dbh, $logingroup, \@viewablegroups, 'all');
209	push @viewablegroups, $logingroup;
210
211	my $page;
212	eval {
213	# sigh. can't set loop_context_vars or global_vars once instantiated.
214	$page = HTML::Template->new(filename => "$templatedir/$webvar{page}.tmpl",
215	loop_context_vars => 1, global_vars => 1);
216	};
217	if ($@) {
218	my $msg = $@;
219	$page = HTML::Template->new(filename => "$templatedir/badpage.tmpl");
220	if (-e "$templatedir/$webvar{page}.tmpl") {
221	$page->param(badtemplate => $q->escapeHTML($msg));
222	} else {
223	warn "Bad page $webvar{page} requested";
224	$page->param(badpage => $q->escapeHTML($webvar{page}));
225	}
226	$webvar{page} = 'badpage';
227	}
228
229	# handle login redirect
230	if ($webvar{action}) {
231	if ($webvar{action} eq 'login') {
232	# Snag ACL/permissions here too
233
234	my $userdata = login($dbh, $webvar{username}, $webvar{password});
235
236	if ($userdata) {
237
238	# set session bits
239	$session->param('logingroup',$userdata->{group_id});
240	$session->param('curgroup',$userdata->{group_id});
241	$session->param('uid',$userdata->{user_id});
242	$session->param('username',$webvar{username});
243
244	changepage(page => "domlist");
245
246	} else {
247	$webvar{loginfailed} = 1;
248	} # user data fetch check
249
250	} elsif ($webvar{action} eq 'logout') {
251	# delete the session
252	$session->delete();
253	$session->flush();
254
255	my $newurl = "http://$ENV{HTTP_HOST}$ENV{SCRIPT_NAME}";
256	$newurl =~ s\|/[^/]+$\|/\|;
257	print "Status: 302\nLocation: $newurl\n\n";
258	exit;
259
260	} elsif ($webvar{action} eq 'chgroup') {
261	# fiddle session-stored group data
262	# magic incantation to... uhhh...
263
264	# ... and the "change group" bits...
265	$uri_self =~ s/\&group=[^&]*//g;
266
267	# security check - does the user have permission to view this entity?
268	my $errmsg;
269	if (!(grep /^$webvar{group}$/, @viewablegroups)) {
270	# hmm. Reset the current group to the login group? Yes. Prevents confusing behaviour elsewhere.
271	$session->param('curgroup',$logingroup);
272	$webvar{group} = $logingroup;
273	$curgroup = $logingroup;
274	$errmsg = "You are not permitted to view or make changes in the requested group";
275	$page->param(errmsg => $errmsg);
276	}
277
278	$session->param('curgroup', $webvar{group});
279	$curgroup = ($webvar{group} ? $webvar{group} : $session->param('curgroup'));
280
281	# I hate special cases.
282	##fixme: probably need to handle webvar{revrec}=='y' too
283	if ($webvar{page} eq 'reclist' && $webvar{defrec} eq 'y') {
284	my %args = (page => $webvar{page}, id => $curgroup, defrec => $webvar{defrec}, revrec => $webvar{revrec});
285	$args{errmsg} = $errmsg if $errmsg;
286	changepage(%args);
287	}
288
289	}
290	} # handle global webvar{action}s
291
292	# finally check if the user was disabled. we could just leave this for logout/session expiry,
293	# but if they keep the session active they'll continue to have access long after being disabled. :/
294	# Treat it as a session expiry.
295	if ($session->param('uid') && !userStatus($dbh, $session->param('uid')) ) {
296	$sid = '';
297	$session->delete; # force expiry of the session Right Away
298	$session->flush; # make sure it hits storage
299	changepage(page=> "login", sessexpired => 1);
300	}
301
302	# Misc Things To Do on most pages
303	initPermissions($dbh, $session->param('uid'));
304	initActionLog($dbh, $session->param('uid'));
305
306	$page->param(sid => $sid) unless $webvar{page} eq 'login'; # no session ID on the login page
307
308	if ($webvar{page} eq 'login') {
309
310	$page->param(loginfailed => 1) if $webvar{loginfailed};
311	$page->param(sessexpired => 1) if $webvar{sessexpired};
312	$page->param(version => $DNSDB::VERSION);
313
314	} elsif ($webvar{page} eq 'domlist' or $webvar{page} eq 'index') {
315
316	$page->param(domlist => 1);
317
318	# hmm. seeing problems in some possibly-not-so-corner cases.
319	# this currently only handles "domain on", "domain off"
320	if (defined($webvar{zonestatus})) {
321	# security check - does the user have permission to access this entity?
322	my $flag = 0;
323	foreach (@viewablegroups) {
324	$flag = 1 if isParent($dbh, $_, 'group', $webvar{id}, 'domain');
325	}
326	if ($flag && ($permissions{admin} \|\| $permissions{domain_edit})) {
327	my $stat = zoneStatus($dbh,$webvar{id},'n',$webvar{zonestatus});
328	$page->param(resultmsg => $DNSDB::resultstr);
329	} else {
330	$page->param(errmsg => "You are not permitted to view or change the requested domain");
331	}
332	$uri_self =~ s/\&zonestatus=[^&]*//g; # clean up URL for stuffing into templates
333	}
334
335	show_msgs();
336
337	$page->param(curpage => $webvar{page});
338
339	listdomains();
340
341	} elsif ($webvar{page} eq 'newdomain') {
342
343	changepage(page => "domlist", errmsg => "You are not permitted to add domains")
344	unless ($permissions{admin} \|\| $permissions{domain_create});
345
346	$webvar{group} = $curgroup if !$webvar{group};
347	fill_grouplist("grouplist", $webvar{group});
348	fill_loclist();
349
350	if ($session->param('add_failed')) {
351	$session->clear('add_failed');
352	$page->param(add_failed => 1);
353	$page->param(errmsg => $session->param('errmsg'));
354	$session->clear('errmsg');
355	$page->param(domain => $webvar{domain});
356	$page->param(addinactive => $webvar{makeactive} eq 'n');
357	}
358
359	} elsif ($webvar{page} eq 'adddomain') {
360
361	changepage(page => "domlist", errmsg => "You are not permitted to add domains")
362	unless ($permissions{admin} \|\| $permissions{domain_create});
363
364	# security check - does the user have permission to access this entity?
365	if (!check_scope(id => $webvar{group}, type => 'group')) {
366	$session->param('add_failed', 1);
367	##fixme: domain a security risk for XSS?
368	changepage(page => "newdomain", domain => $webvar{domain},
369	errmsg => "You do not have permission to add a domain to the requested group");
370	}
371
372	$webvar{makeactive} = 0 if !defined($webvar{makeactive});
373
374	my ($code,$msg) = addDomain($dbh,$webvar{domain},$webvar{group},($webvar{makeactive} eq 'on' ? 1 : 0));
375
376	if ($code eq 'OK') {
377	mailNotify($dbh, "New ".($webvar{makeactive} eq 'on' ? 'Active' : 'Inactive')." Domain Created",
378	($webvar{makeactive} eq 'on' ? 'Active' : 'Inactive').qq( domain "$webvar{domain}" added by ).
379	$session->param("username"));
380	changepage(page => "reclist", id => $msg);
381	} else {
382	$session->param('add_failed', 1);
383	##fixme: domain a security risk for XSS?
384	changepage(page => "newdomain", domain => $webvar{domain}, errmsg => $msg,
385	makeactive => ($webvar{makeactive} ? 'y' : 'n'), group => $webvar{group});
386	}
387
388	} elsif ($webvar{page} eq 'deldom') {
389
390	changepage(page => "domlist", errmsg => "You are not permitted to delete domains")
391	unless ($permissions{admin} \|\| $permissions{domain_delete});
392
393	# security check - does the user have permission to access this entity?
394	if (!check_scope(id => $webvar{id}, type => 'domain')) {
395	changepage(page => "domlist", errmsg => "You do not have permission to delete the requested domain");
396	}
397
398	$page->param(id => $webvar{id});
399
400	# first pass = confirm y/n (sorta)
401	if (!defined($webvar{del})) {
402
403	$page->param(del_getconf => 1);
404	$page->param(domain => domainName($dbh,$webvar{id}));
405
406	} elsif ($webvar{del} eq 'ok') {
407	my $pargroup = parentID($dbh, (id => $webvar{id}, type => 'domain', revrec => $webvar{revrec}));
408	my ($code,$msg) = delZone($dbh, $webvar{id}, $webvar{revrec});
409	if ($code eq 'OK') {
410	changepage(page => "domlist", resultmsg => $msg);
411	} else {
412	changepage(page => "domlist", errmsg => $msg);
413	}
414
415	} else {
416	# cancelled. whee!
417	changepage(page => "domlist");
418	}
419
420	} elsif ($webvar{page} eq 'revzones') {
421
422	$webvar{revrec} = 'y';
423
424	if (defined($webvar{zonestatus})) {
425	# security check - does the user have permission to access this entity?
426	my $flag = 0;
427	foreach (@viewablegroups) {
428	$flag = 1 if isParent($dbh, $_, 'group', $webvar{id}, 'revzone');
429	}
430	if ($flag && ($permissions{admin} \|\| $permissions{domain_edit})) {
431	my $stat = zoneStatus($dbh,$webvar{id},'y',$webvar{zonestatus});
432	$page->param(resultmsg => $DNSDB::resultstr);
433	} else {
434	$page->param(errmsg => "You are not permitted to view or change the requested reverse zone");
435	}
436	$uri_self =~ s/\&zonestatus=[^&]*//g; # clean up URL for stuffing into templates
437	}
438
439	show_msgs();
440
441	$page->param(curpage => $webvar{page});
442	listzones();
443
444	} elsif ($webvar{page} eq 'newrevzone') {
445
446	## scope/access check - use domain settings? invent new (bleh)
447	changepage(page => "revzones", errmsg => "You are not permitted to add reverse zones")
448	unless ($permissions{admin} \|\| $permissions{domain_create});
449
450	fill_grouplist("grouplist");
451
452	# prepopulate revpatt with the matching default record
453	# getRecByName($dbh, (revrec => $webvar{revrec}, defrec => $webvar{defrec}, host => 'string'));
454
455	if ($session->param('add_failed')) {
456	$session->clear('add_failed');
457	$page->param(errmsg => $session->param('errmsg'));
458	$session->clear('errmsg');
459	$page->param(revzone => $webvar{revzone});
460	$page->param(revpatt => $webvar{revpatt});
461	}
462
463	} elsif ($webvar{page} eq 'addrevzone') {
464
465	changepage(page => "revzones", errmsg => "You are not permitted to add reverse zones")
466	unless ($permissions{admin} \|\| $permissions{domain_create});
467
468	# security check - does the user have permission to access this entity?
469	if (!check_scope(id => $webvar{group}, type => 'group')) {
470	changepage(page => "newrevzone", add_failed => 1, revzone => $webvar{revzone}, revpatt => $webvar{revpatt},
471	errmsg => "You do not have permission to add a reverse zone to the requested group");
472	}
473
474	my ($code,$msg) = addRDNS($dbh, $webvar{revzone}, $webvar{revpatt}, $webvar{group},
475	($webvar{makeactive} eq 'on' ? 1 : 0));
476
477	if ($code eq 'OK') {
478	changepage(page => "reclist", id => $msg, revrec => 'y');
479	} elsif ($code eq 'WARN') {
480	changepage(page => "reclist", id => $msg, revrec => 'y', warnmsg => $DNSDB::resultstr);
481	} else {
482	$session->param('add_failed', 1);
483	changepage(page => "newrevzone", revzone => $webvar{revzone}, revpatt => $webvar{revpatt}, errmsg => $msg);
484	}
485
486	} elsif ($webvar{page} eq 'delrevzone') {
487
488	changepage(page => "revzones", errmsg => "You are not permitted to delete reverse zones")
489	unless ($permissions{admin} \|\| $permissions{domain_delete});
490
491	# security check - does the user have permission to access this entity?
492	if (!check_scope(id => $webvar{id}, type => 'revzone')) {
493	changepage(page => "revzones", errmsg => "You do not have permission to delete the requested reverse zone");
494	}
495
496	$page->param(id => $webvar{id});
497
498	# first pass = confirm y/n (sorta)
499	if (!defined($webvar{del})) {
500
501	$page->param(del_getconf => 1);
502	$page->param(revzone => revName($dbh,$webvar{id}));
503
504	} elsif ($webvar{del} eq 'ok') {
505	my $pargroup = parentID($dbh, (id => $webvar{id}, type => 'revzone', revrec => $webvar{revrec}));
506	my $zone = revName($dbh, $webvar{id});
507	my ($code,$msg) = delZone($dbh, $webvar{id}, 'y');
508	if ($code eq 'OK') {
509	changepage(page => "revzones", resultmsg => $msg);
510	} else {
511	changepage(page => "revzones", errmsg => $msg);
512	}
513
514	} else {
515	# cancelled. whee!
516	changepage(page => "revzones");
517	}
518
519	} elsif ($webvar{page} eq 'reclist') {
520
521	# security check - does the user have permission to view this entity?
522	if (!check_scope(id => $webvar{id}, type =>
523	($webvar{defrec} eq 'y' ? 'group' : ($webvar{revrec} eq 'y' ? 'revzone' : 'domain')))) {
524	$page->param(errmsg => "You are not permitted to view or change the requested ".
525	($webvar{defrec} eq 'y' ? "group's default records" :
526	($webvar{revrec} eq 'y' ? "reverse zone's records" : "domain's records")));
527	$page->param(perm_err => 1); # this causes the template to skip the record listing output.
528	goto DONERECLIST; # and now we skip filling in the content which is not printed due to perm_err above
529	}
530
531	# hmm. where do we send them?
532	if ($webvar{defrec} eq 'y' && !$permissions{admin}) {
533	$page->param(errmsg => "You are not permitted to edit default records");
534	$page->param(perm_err => 1);
535	} else {
536
537	$page->param(mayeditsoa => $permissions{admin} \|\| $permissions{domain_edit});
538	##fixme: ACL needs pondering. Does "edit domain" interact with record add/remove/etc?
539	# Note this seems to be answered "no" in Vega.
540	# ACLs
541	$page->param(record_create => ($permissions{admin} \|\| $permissions{record_create}) );
542	# we don't have any general edit links on the page; they're all embedded in the TMPL_LOOP
543	# $page->param(record_edit => ($permissions{admin} \|\| $permissions{record_edit}) );
544	$page->param(record_delete => ($permissions{admin} \|\| $permissions{record_delete}) );
545
546	# Handle record list for both default records (per-group) and live domain records
547
548	$page->param(defrec => $webvar{defrec});
549	$page->param(revrec => $webvar{revrec});
550	$page->param(id => $webvar{id});
551	$page->param(curpage => $webvar{page});
552
553	my $count = getRecCount($dbh, $webvar{defrec}, $webvar{revrec}, $webvar{id}, $filter);
554
555	$sortby = 'host';
556	# sort/order
557	$session->param($webvar{page}.'sortby', $webvar{sortby}) if $webvar{sortby};
558	$session->param($webvar{page}.'order', $webvar{order}) if $webvar{order};
559
560	$sortby = $session->param($webvar{page}.'sortby') if $session->param($webvar{page}.'sortby');
561	$sortorder = $session->param($webvar{page}.'order') if $session->param($webvar{page}.'order');
562
563	# set up the headers
564	my @cols;
565	my %colheads;
566	if ($webvar{revrec} eq 'n') {
567	@cols = ('host', 'type', 'val', 'distance', 'weight', 'port', 'ttl');
568	%colheads = (host => 'Name', type => 'Type', val => 'Address',
569	distance => 'Distance', weight => 'Weight', port => 'Port', ttl => 'TTL');
570	} else {
571	@cols = ('val', 'type', 'host', 'ttl');
572	%colheads = (val => 'IP Address', type => 'Type', host => 'Hostname', ttl => 'TTL');
573	}
574	my %custom = (id => $webvar{id}, defrec => $webvar{defrec}, revrec => $webvar{revrec});
575	fill_colheads($sortby, $sortorder, \@cols, \%colheads, \%custom);
576
577	# fill the page-count and first-previous-next-last-all details
578	fill_pgcount($count,"records",
579	($webvar{defrec} eq 'y' ? "group ".groupName($dbh,$webvar{id}) :
580	($webvar{revrec} eq 'y' ? revName($dbh,$webvar{id}) : domainName($dbh,$webvar{id}))
581	));
582	fill_fpnla($count); # should put some params on this sub...
583
584	$page->param(defrec => $webvar{defrec});
585	showzone($webvar{defrec}, $webvar{revrec}, $webvar{id});
586	if ($webvar{defrec} eq 'n') {
587	if ($webvar{revrec} eq 'n') {
588	$page->param(logdom => 1);
589	} else {
590	$page->param(logrdns => 1);
591	}
592	}
593
594	show_msgs();
595
596	} # close "you can't edit default records" check
597
598	# Yes, this is a GOTO target. PTBHTTT.
599	DONERECLIST: ;
600
601	} elsif ($webvar{page} eq 'record') {
602
603	# security check - does the user have permission to access this entity?
604	if (!check_scope(id => $webvar{id}, type =>
605	($webvar{defrec} eq 'y' ? ($webvar{revrec} eq 'y' ? 'defrevrec' : 'defrec') : 'record'))) {
606	$page->param(perm_err => "You are not permitted to edit the requested record");
607	goto DONEREC;
608	}
609	# round 2, check the parent.
610	if (!check_scope(id => $webvar{parentid}, type =>
611	($webvar{defrec} eq 'y' ? 'group' : ($webvar{revrec} eq 'y' ? 'revzone' : 'domain')))) {
612	my $msg = ($webvar{defrec} eq 'y' ?
613	"You are not permitted to add or edit default records in the requested group" :
614	"You are not permitted to add or edit records in the requested domain/zone");
615	$page->param(perm_err => $msg);
616	goto DONEREC;
617	}
618
619	$page->param(defrec => $webvar{defrec});
620	$page->param(revrec => $webvar{revrec});
621	$page->param(fwdzone => $webvar{revrec} eq 'n');
622
623	if ($webvar{recact} eq 'new') {
624
625	changepage(page => "reclist", errmsg => "You are not permitted to add records", id => $webvar{parentid})
626	unless ($permissions{admin} \|\| $permissions{record_create});
627
628	$page->param(todo => "Add record");
629	$page->param(recact => "add");
630	$page->param(parentid => $webvar{parentid});
631
632	fill_recdata();
633
634	if ($webvar{defrec} eq 'n') {
635	my $defloc = getZoneLocation($dbh, $webvar{revrec}, $webvar{parentid});
636	fill_loclist($curgroup, $defloc);
637	}
638
639	} elsif ($webvar{recact} eq 'add') {
640
641	changepage(page => "reclist", errmsg => "You are not permitted to add records", id => $webvar{parentid})
642	unless ($permissions{admin} \|\| $permissions{record_create});
643
644	# location check - if user does not have record_locchg, set $webvar{location} to default location for zone
645	my $parloc = getZoneLocation($dbh, $webvar{revrec}, $webvar{parentid});
646	$webvar{location} = $parloc unless ($permissions{admin} \|\| $permissions{record_locchg});
647
648	my @recargs = ($dbh,$webvar{defrec},$webvar{revrec},$webvar{parentid},
649	\$webvar{name},\$webvar{type},\$webvar{address},$webvar{ttl},$webvar{location});
650	if ($webvar{type} == $reverse_typemap{MX} or $webvar{type} == $reverse_typemap{SRV}) {
651	push @recargs, $webvar{distance};
652	if ($webvar{type} == $reverse_typemap{SRV}) {
653	push @recargs, $webvar{weight};
654	push @recargs, $webvar{port};
655	}
656	}
657
658	my ($code,$msg) = addRec(@recargs);
659
660	if ($code eq 'OK' \|\| $code eq 'WARN') {
661	my %pageparams = (page => "reclist", id => $webvar{parentid},
662	defrec => $webvar{defrec}, revrec => $webvar{revrec});
663	$pageparams{warnmsg} = $msg."<br><br>\n".$DNSDB::resultstr if $code eq 'WARN';
664	$pageparams{resultmsg} = $DNSDB::resultstr if $code eq 'OK';
665	changepage(%pageparams);
666	} else {
667	$page->param(failed => 1);
668	$page->param(errmsg => $msg);
669	$page->param(wastrying => "adding");
670	$page->param(todo => "Add record");
671	$page->param(recact => "add");
672	$page->param(parentid => $webvar{parentid});
673	$page->param(id => $webvar{id});
674	fill_recdata(); # populate the form... er, mostly.
675	if ($webvar{defrec} eq 'n') {
676	fill_loclist($curgroup, $webvar{location});
677	}
678	}
679
680	} elsif ($webvar{recact} eq 'edit') {
681
682	changepage(page => "reclist", errmsg => "You are not permitted to edit records", id => $webvar{parentid})
683	unless ($permissions{admin} \|\| $permissions{record_edit});
684
685	$page->param(todo => "Update record");
686	$page->param(recact => "update");
687	$page->param(parentid => $webvar{parentid});
688	$page->param(id => $webvar{id});
689	my $recdata = getRecLine($dbh, $webvar{defrec}, $webvar{revrec}, $webvar{id});
690	$page->param(name => $recdata->{host});
691	$page->param(address => $recdata->{val});
692	$page->param(distance => $recdata->{distance});
693	$page->param(weight => $recdata->{weight});
694	$page->param(port => $recdata->{port});
695	$page->param(ttl => $recdata->{ttl});
696	$page->param(typelist => getTypelist($dbh, $webvar{revrec}, $recdata->{type}));
697
698	if ($webvar{defrec} eq 'n') {
699	fill_loclist($curgroup, $recdata->{location});
700	}
701
702	} elsif ($webvar{recact} eq 'update') {
703
704	changepage(page => "reclist", errmsg => "You are not permitted to edit records", id => $webvar{parentid})
705	unless ($permissions{admin} \|\| $permissions{record_edit});
706
707	# retain old location if user doesn't have permission to fiddle locations
708	my $oldrec = getRecLine($dbh, $webvar{defrec}, $webvar{revrec}, $webvar{id});
709	$webvar{location} = $oldrec->{location} unless ($permissions{admin} \|\| $permissions{record_locchg});
710
711	my ($code,$msg) = updateRec($dbh,$webvar{defrec},$webvar{revrec},$webvar{id},$webvar{parentid},
712	\$webvar{name},\$webvar{type},\$webvar{address},$webvar{ttl},$webvar{location},
713	$webvar{distance},$webvar{weight},$webvar{port});
714
715	if ($code eq 'OK' \|\| $code eq 'WARN') {
716	my %pageparams = (page => "reclist", id => $webvar{parentid},
717	defrec => $webvar{defrec}, revrec => $webvar{revrec});
718	$pageparams{warnmsg} = $msg."<br><br>\n".$DNSDB::resultstr if $code eq 'WARN';
719	$pageparams{resultmsg} = $DNSDB::resultstr if $code eq 'OK';
720	changepage(%pageparams);
721	} else {
722	$page->param(failed => 1);
723	$page->param(errmsg => $msg);
724	$page->param(wastrying => "updating");
725	$page->param(todo => "Update record");
726	$page->param(recact => "update");
727	$page->param(parentid => $webvar{parentid});
728	$page->param(id => $webvar{id});
729	fill_recdata();
730	}
731	}
732
733	if ($webvar{defrec} eq 'y') {
734	$page->param(dohere => "default records in group ".groupName($dbh,$webvar{parentid}));
735	} else {
736	$page->param(dohere => domainName($dbh,$webvar{parentid})) if $webvar{revrec} eq 'n';
737	$page->param(dohere => revName($dbh,$webvar{parentid})) if $webvar{revrec} eq 'y';
738	}
739
740	# Yes, this is a GOTO target. PTBHTTT.
741	DONEREC: ;
742
743	} elsif ($webvar{page} eq 'delrec') {
744
745	# This is a complete separate segment since it uses a different template from add/edit records above
746
747	changepage(page => "reclist", errmsg => "You are not permitted to delete records", id => $webvar{parentid},
748	defrec => $webvar{defrec}, revrec => $webvar{revrec})
749	unless ($permissions{admin} \|\| $permissions{record_delete});
750
751	if (!check_scope(id => $webvar{id}, type =>
752	($webvar{defrec} eq 'y' ? ($webvar{revrec} eq 'y' ? 'defrevrec' : 'defrec') : 'record'))) {
753	# redirect to domlist because we don't have permission for the entity requested
754	changepage(page => 'domlist', revrec => $webvar{revrec},
755	errmsg => "You do not have permission to delete records in the requested ".
756	($webvar{defrec} eq 'y' ? 'group' : 'domain'));
757	}
758
759	$page->param(id => $webvar{id});
760	$page->param(defrec => $webvar{defrec});
761	$page->param(revrec => $webvar{revrec});
762	$page->param(parentid => $webvar{parentid});
763	# first pass = confirm y/n (sorta)
764	if (!defined($webvar{del})) {
765	$page->param(del_getconf => 1);
766	my $rec = getRecLine($dbh, $webvar{defrec}, $webvar{revrec}, $webvar{id});
767	$page->param(host => $rec->{host});
768	$page->param(ftype => $typemap{$rec->{type}});
769	$page->param(recval => $rec->{val});
770	} elsif ($webvar{del} eq 'ok') {
771	my ($code,$msg) = delRec($dbh, $webvar{defrec}, $webvar{revrec}, $webvar{id});
772	if ($code eq 'OK') {
773	changepage(page => "reclist", id => $webvar{parentid}, defrec => $webvar{defrec},
774	revrec => $webvar{revrec}, resultmsg => $msg);
775	} else {
776	## need to find failure mode
777	changepage(page => "reclist", id => $webvar{parentid}, defrec => $webvar{defrec},
778	revrec => $webvar{revrec}, errmsg => $msg);
779	}
780	} else {
781	changepage(page => "reclist", id => $webvar{parentid}, defrec => $webvar{defrec}, revrec => $webvar{revrec});
782	}
783
784	} elsif ($webvar{page} eq 'editsoa') {
785
786	# security check - does the user have permission to view this entity?
787	# id is domain/revzone/group id
788	if (!check_scope(id => $webvar{id}, type =>
789	($webvar{defrec} eq 'y' ? 'group' : ($webvar{revrec} eq 'y' ? 'revzone' : 'domain')))) {
790	changepage(page => 'domlist', errmsg => "You do not have permission to edit the ".
791	($webvar{defrec} eq 'y' ? 'default ' : '')."SOA record for the requested ".
792	($webvar{defrec} eq 'y' ? 'group' : 'domain'));
793	}
794
795	if ($webvar{defrec} eq 'y') {
796	changepage(page => "domlist", errmsg => "You are not permitted to edit default records")
797	unless $permissions{admin};
798	} else {
799	changepage(page => "reclist", errmsg => "You are not permitted to edit domain SOA records", id => $webvar{id})
800	unless ($permissions{admin} \|\| $permissions{domain_edit});
801	}
802
803	fillsoa($webvar{defrec},$webvar{revrec},$webvar{id});
804
805	} elsif ($webvar{page} eq 'updatesoa') {
806
807	# security check - does the user have permission to view this entity?
808	# pass 1, record ID
809	if (!check_scope(id => $webvar{recid}, type =>
810	($webvar{defrec} eq 'y' ? ($webvar{revrec} eq 'y' ? 'defrevrec' : 'defrec') : 'record'))) {
811	##fixme: should we redirect to the requested record list page instead of the domain list?
812	changepage(page => 'domlist', errmsg => "You do not have permission to edit the requested SOA record");
813	}
814	# pass 2, parent (group or domain) ID
815	if (!check_scope(id => $webvar{id}, type =>
816	($webvar{defrec} eq 'y' ? 'group' : ($webvar{revrec} eq 'y' ? 'revzone' : 'domain')))) {
817	changepage(page => ($webvar{revrec} eq 'y' ? 'revzones' : 'domlist'),
818	errmsg => "You do not have permission to edit the ".
819	($webvar{defrec} eq 'y' ? 'default ' : '')."SOA record for the requested ".
820	($webvar{defrec} eq 'y' ? 'group' : ($webvar{revrec} eq 'y' ? 'reverse zone' : 'domain')) );
821	}
822
823	changepage(page => "reclist", errmsg => "You are not permitted to edit domain SOA records", id => $webvar{id})
824	unless ($permissions{admin} \|\| $permissions{domain_edit});
825
826	my ($code, $msg) = updateSOA($dbh, $webvar{defrec}, $webvar{revrec},
827	(contact => $webvar{contact}, prins => $webvar{prins}, refresh => $webvar{refresh},
828	retry => $webvar{retry}, expire => $webvar{expire}, minttl => $webvar{minttl},
829	ttl => $webvar{ttl}, id => $webvar{id}) );
830	if ($code eq 'OK') {
831	changepage(page => "reclist", id => $webvar{id}, defrec => $webvar{defrec}, revrec => $webvar{revrec},
832	resultmsg => "SOA record updated");
833	} else {
834	$page->param(update_failed => 1);
835	$page->param(msg => $msg);
836	fillsoa($webvar{defrec}, $webvar{revrec}, $webvar{id}, 'w');
837	}
838
839	} elsif ($webvar{page} eq 'grpman') {
840
841	listgroups();
842
843	# Permissions!
844	$page->param(addgrp => $permissions{admin} \|\| $permissions{group_create});
845	$page->param(edgrp => $permissions{admin} \|\| $permissions{group_edit});
846	$page->param(delgrp => $permissions{admin} \|\| $permissions{group_delete});
847
848	show_msgs();
849	$page->param(curpage => $webvar{page});
850
851	} elsif ($webvar{page} eq 'newgrp') {
852
853	changepage(page => "grpman", errmsg => "You are not permitted to add groups")
854	unless ($permissions{admin} \|\| $permissions{group_create});
855
856	# do.. uhh.. stuff.. if we have no webvar{grpaction}
857	if ($webvar{grpaction} && $webvar{grpaction} eq 'add') {
858
859	# security check - does the user have permission to access this entity?
860	if (!check_scope(id => $webvar{pargroup}, type => 'group')) {
861	changepage(page => "grpman", errmsg => "You are not permitted to add a group to the requested parent group");
862	}
863
864	my %newperms;
865	my $alterperms = 0;
866	foreach (@permtypes) {
867	$newperms{$_} = 0;
868	if ($permissions{admin} \|\| $permissions{$_}) {
869	$newperms{$_} = (defined($webvar{$_}) && $webvar{$_} eq 'on' ? 1 : 0);
870	} else {
871	$alterperms = 1;
872	}
873	}
874	# "Chained" permissions. Some permissions imply others; make sure they get set.
875	foreach (keys %permchains) {
876	if ($newperms{$_} && !$newperms{$permchains{$_}}) {
877	$newperms{$permchains{$_}} = 1;
878	}
879	}
880	# not gonna provide the 4th param: template-or-clone flag, just yet
881	my ($code,$msg) = addGroup($dbh, $webvar{newgroup}, $webvar{pargroup}, \%newperms);
882	if ($code eq 'OK') {
883	if ($alterperms) {
884	changepage(page => "grpman", warnmsg =>
885	"You can only grant permissions you hold. New group $webvar{newgroup} added with reduced access.");
886	} else {
887	changepage(page => "grpman", resultmsg => "Added group $webvar{newgroup}");
888	}
889	} # fallthrough else
890	# no point in doing extra work
891	fill_permissions($page, \%newperms);
892	$page->param(add_failed => 1);
893	$page->param(errmsg => $msg);
894	$page->param(newgroup => $webvar{newgroup});
895	fill_grouplist('pargroup',$webvar{pargroup});
896	} else {
897	fill_grouplist('pargroup',$curgroup);
898	# fill default permissions with immediate parent's current ones
899	my %parperms;
900	getPermissions($dbh, 'group', $curgroup, \%parperms);
901	fill_permissions($page, \%parperms);
902	}
903
904	} elsif ($webvar{page} eq 'delgrp') {
905
906	changepage(page => "grpman", errmsg => "You are not permitted to delete groups", id => $webvar{parentid})
907	unless ($permissions{admin} \|\| $permissions{group_delete});
908
909	# security check - does the user have permission to access this entity?
910	if (!check_scope(id => $webvar{id}, type => 'group')) {
911	changepage(page => "grpman", errmsg => "You are not permitted to delete the requested group");
912	}
913
914	$page->param(id => $webvar{id});
915	# first pass = confirm y/n (sorta)
916	if (!defined($webvar{del})) {
917	$page->param(del_getconf => 1);
918
919	##fixme
920	# do a check for "group has stuff in it", and splatter a big warning
921	# up along with an unchecked-by-default check box to YES DAMMIT DELETE THE WHOLE THING
922
923	} elsif ($webvar{del} eq 'ok') {
924	my ($code,$msg) = delGroup($dbh, $webvar{id});
925	if ($code eq 'OK') {
926	##fixme: need to clean up log when deleting a major container
927	changepage(page => "grpman", resultmsg => $msg);
928	} else {
929	# need to find failure mode
930	changepage(page => "grpman", errmsg => $msg);
931	}
932	} else {
933	# cancelled. whee!
934	changepage(page => "grpman");
935	}
936	$page->param(delgroupname => groupName($dbh, $webvar{id}));
937
938	} elsif ($webvar{page} eq 'edgroup') {
939
940	changepage(page => "grpman", errmsg => "You are not permitted to edit groups")
941	unless ($permissions{admin} \|\| $permissions{group_edit});
942
943	# security check - does the user have permission to access this entity?
944	if (!check_scope(id => $webvar{gid}, type => 'group')) {
945	changepage(page => "grpman", errmsg => "You are not permitted to edit the requested group");
946	}
947
948	if ($webvar{grpaction} && $webvar{grpaction} eq 'updperms') {
949	# extra safety check; make sure user can't construct a URL to bypass ACLs
950	my %curperms;
951	getPermissions($dbh, 'group', $webvar{gid}, \%curperms);
952	my %chperms;
953	my $alterperms = 0;
954	foreach (@permtypes) {
955	$webvar{$_} = 0 if !defined($webvar{$_});
956	$webvar{$_} = 1 if $webvar{$_} eq 'on';
957	if ($permissions{admin} \|\| $permissions{$_}) {
958	$chperms{$_} = $webvar{$_} if $curperms{$_} ne $webvar{$_};
959	} else {
960	$alterperms = 1;
961	$chperms{$_} = 0;
962	}
963	}
964	# "Chained" permissions. Some permissions imply others; make sure they get set.
965	foreach (keys %permchains) {
966	if ($chperms{$_} && !$chperms{$permchains{$_}}) {
967	$chperms{$permchains{$_}} = 1;
968	}
969	}
970	my ($code,$msg) = changePermissions($dbh, 'group', $webvar{gid}, \%chperms);
971	if ($code eq 'OK') {
972	if ($alterperms) {
973	changepage(page => "grpman", warnmsg =>
974	"You can only grant permissions you hold. Default permissions in group ".
975	groupName($dbh, $webvar{gid})." updated with reduced access");
976	} else {
977	changepage(page => "grpman", resultmsg => $msg);
978	}
979	} # fallthrough else
980	# no point in doing extra work
981	fill_permissions($page, \%chperms);
982	$page->param(errmsg => $msg);
983	}
984	$page->param(gid => $webvar{gid});
985	$page->param(grpmeddle => groupName($dbh, $webvar{gid}));
986	my %grpperms;
987	getPermissions($dbh, 'group', $webvar{gid}, \%grpperms);
988	fill_permissions($page, \%grpperms);
989
990	} elsif ($webvar{page} eq 'bulkdomain') {
991	# Bulk operations on domains. Note all but group move are available on the domain list.
992	##fixme: do we care about bulk operations on revzones? Move-to-group, activate, deactivate,
993	# and delete should all be much rarer for revzones than for domains.
994
995	changepage(page => "domlist", errmsg => "You are not permitted to make bulk domain changes")
996	unless ($permissions{admin} \|\| $permissions{domain_edit} \|\| $permissions{domain_create} \|\| $permissions{domain_delete});
997
998	fill_grouplist("grouplist");
999
1000	my $count = getZoneCount($dbh, (revrec => 'n', curgroup => $curgroup) );
1001
1002	$page->param(curpage => $webvar{page});
1003	fill_pgcount($count,'domains',groupName($dbh,$curgroup));
1004	fill_fpnla($count);
1005	$page->param(perpage => $perpage);
1006
1007	my $domlist = getZoneList($dbh, (revrec => 'n', curgroup => $curgroup) );
1008	my $rownum = 0;
1009	foreach my $dom (@{$domlist}) {
1010	delete $dom->{status};
1011	delete $dom->{group};
1012	$dom->{newrow} = (++$rownum) % 5 == 0;
1013	}
1014
1015	$page->param(domtable => $domlist);
1016	# ACLs
1017	$page->param(maymove => ($permissions{admin} \|\| ($permissions{domain_edit} && $permissions{domain_create} && $permissions{domain_delete})));
1018	$page->param(maystatus => $permissions{admin} \|\| $permissions{domain_edit});
1019	$page->param(maydelete => $permissions{admin} \|\| $permissions{domain_delete});
1020
1021	} elsif ($webvar{page} eq 'bulkchange') {
1022
1023	# security check - does the user have permission to access this entity?
1024	if (!check_scope(id => $webvar{destgroup}, type => 'group')) {
1025	$page->param(errmsg => "You are not permitted to make bulk changes in the requested group");
1026	goto DONEBULK;
1027	}
1028
1029	# per-action scope checks
1030	if ($webvar{bulkaction} eq 'move') {
1031	changepage(page => "domlist", errmsg => "You are not permitted to bulk-move domains")
1032	unless ($permissions{admin} \|\| ($permissions{domain_edit} && $permissions{domain_create} && $permissions{domain_delete}));
1033	my $newgname = groupName($dbh,$webvar{destgroup});
1034	$page->param(action => "Move to group $newgname");
1035	} elsif ($webvar{bulkaction} eq 'deactivate' \|\| $webvar{bulkaction} eq 'activate') {
1036	changepage(page => "domlist", errmsg => "You are not permitted to bulk-$webvar{bulkaction} domains")
1037	unless ($permissions{admin} \|\| $permissions{domain_edit});
1038	$page->param(action => "$webvar{bulkaction} domains");
1039	} elsif ($webvar{bulkaction} eq 'delete') {
1040	changepage(page => "domlist", errmsg => "You are not permitted to bulk-delete domains")
1041	unless ($permissions{admin} \|\| $permissions{domain_delete});
1042	$page->param(action => "$webvar{bulkaction} domains");
1043	} else {
1044	# unknown action, bypass actually doing anything. it should not be possible in
1045	# normal operations, and anyone who meddles with the URL gets what they deserve.
1046	goto DONEBULK;
1047	} # move/(de)activate/delete if()
1048
1049	my @bulkresults;
1050	# nngh. due to alpha-sorting on the previous page, we can't use domid-numeric
1051	# order here, and since we don't have the domain names until we go around this
1052	# loop, we can't alpha-sort them here. :(
1053	foreach (keys %webvar) {
1054	my %row;
1055	next unless $_ =~ /^dom_\d+$/;
1056	# second security check - does the user have permission to meddle with this domain?
1057	if (!check_scope(id => $webvar{$_}, type => 'domain')) {
1058	$row{domerr} = "You are not permitted to make changes to the requested domain";
1059	$row{domain} = $webvar{$_};
1060	push @bulkresults, \%row;
1061	next;
1062	}
1063	$row{domain} = domainName($dbh,$webvar{$_});
1064
1065	# Do the $webvar{bulkaction}
1066	my ($code, $msg);
1067	($code, $msg) = changeGroup($dbh, 'domain', $webvar{$_}, $webvar{destgroup})
1068	if $webvar{bulkaction} eq 'move';
1069	if ($webvar{bulkaction} eq 'deactivate' \|\| $webvar{bulkaction} eq 'activate') {
1070	my $stat = zoneStatus($dbh,$webvar{$_},'n',($webvar{bulkaction} eq 'activate' ? 'domon' : 'domoff'));
1071	$code = (defined($stat) ? 'OK' : 'FAIL');
1072	$msg = (defined($stat) ? $DNSDB::resultstr : $DNSDB::errstr);
1073	}
1074	($code, $msg) = delZone($dbh, $webvar{$_}, 'n')
1075	if $webvar{bulkaction} eq 'delete';
1076
1077	# Set the result output from the action
1078	if ($code eq 'OK') {
1079	$row{domok} = $msg;
1080	} elsif ($code eq 'WARN') {
1081	$row{domwarn} = $msg;
1082	} else {
1083	$row{domerr} = $msg;
1084	}
1085	push @bulkresults, \%row;
1086
1087	} # foreach (keys %webvar)
1088	$page->param(bulkresults => \@bulkresults);
1089
1090	# Yes, this is a GOTO target. PTHBTTT.
1091	DONEBULK: ;
1092
1093	} elsif ($webvar{page} eq 'useradmin') {
1094
1095	if (defined($webvar{userstatus})) {
1096	# security check - does the user have permission to access this entity?
1097	my $flag = 0;
1098	foreach (@viewablegroups) {
1099	$flag = 1 if isParent($dbh, $_, 'group', $webvar{id}, 'user');
1100	}
1101	if ($flag && ($permissions{admin} \|\| $permissions{user_edit} \|\|
1102	($permissions{self_edit} && $webvar{id} == $session->param('uid')) )) {
1103	my $stat = userStatus($dbh,$webvar{id},$webvar{userstatus});
1104	$page->param(resultmsg => $DNSDB::resultstr);
1105	} else {
1106	$page->param(errmsg => "You are not permitted to view or change the requested user");
1107	}
1108	$uri_self =~ s/\&userstatus=[^&]*//g; # clean up URL for stuffing into templates
1109	}
1110
1111	list_users();
1112
1113	# Permissions!
1114	$page->param(adduser => $permissions{admin} \|\| $permissions{user_create});
1115	# should we block viewing other users? Vega blocks "editing"...
1116	# NB: no "edit self" link as with groups here. maybe there should be?
1117	# $page->param(eduser => $permissions{admin} \|\| $permissions{user_edit});
1118	$page->param(deluser => $permissions{admin} \|\| $permissions{user_delete});
1119
1120	show_msgs();
1121	$page->param(curpage => $webvar{page});
1122
1123	} elsif ($webvar{page} eq 'user') {
1124
1125	# All user add/edit actions fall through the same page, since there aren't
1126	# really any hard differences between the templates
1127
1128	#fill_actypelist($webvar{accttype});
1129	fill_clonemelist();
1130	my %grpperms;
1131	getPermissions($dbh, 'group', $curgroup, \%grpperms);
1132
1133	my $grppermlist = new HTML::Template(filename => "$templatedir/permlist.tmpl");
1134	my %noaccess;
1135	fill_permissions($grppermlist, \%grpperms, \%noaccess);
1136	$grppermlist->param(info => 1);
1137	$page->param(grpperms => $grppermlist->output);
1138
1139	$page->param(is_admin => $permissions{admin});
1140
1141	$webvar{useraction} = '' if !$webvar{useraction};
1142
1143	if ($webvar{useraction} eq 'add' or $webvar{useraction} eq 'update') {
1144
1145	$page->param(add => 1) if $webvar{useraction} eq 'add';
1146
1147	# can't re-use $code and $msg for update if we want to be able to identify separate failure states
1148	my ($code,$code2,$msg,$msg2) = ('OK','OK','OK','OK');
1149
1150	my $alterperms = 0; # flag iff we need to force custom permissions due to user's current access limits
1151
1152	my %newperms; # we're going to prefill the existing permissions, so we can change them.
1153	getPermissions($dbh, 'user', $webvar{uid}, \%newperms);
1154
1155	if ($webvar{pass1} ne $webvar{pass2}) {
1156	$code = 'FAIL';
1157	$msg = "Passwords don't match";
1158	} else {
1159
1160	# assemble a permission string - far simpler than trying to pass an
1161	# indeterminate set of permission flags individually
1162
1163	# But first, we have to see if the user can add any particular
1164	# permissions; otherwise we have a priviledge escalation. Whee.
1165
1166	if (!$permissions{admin}) {
1167	my %grpperms;
1168	getPermissions($dbh, 'group', $curgroup, \%grpperms);
1169	my $ret = comparePermissions(\%permissions, \%grpperms);
1170	if ($ret eq '<' \|\| $ret eq '!') {
1171	# User's permissions are not a superset or equivalent to group. Can't inherit
1172	# (and include access user doesn't currently have), so we force custom.
1173	$webvar{perms_type} = 'custom';
1174	$alterperms = 1;
1175	}
1176	}
1177
1178	my $permstring;
1179	if ($webvar{perms_type} eq 'custom') {
1180	$permstring = 'C:';
1181	foreach (@permtypes) {
1182	if ($permissions{admin} \|\| $permissions{$_}) {
1183	$permstring .= ",$_" if defined($webvar{$_}) && $webvar{$_} eq 'on';
1184	$newperms{$_} = (defined($webvar{$_}) && $webvar{$_} eq 'on' ? 1 : 0);
1185	}
1186	}
1187	$page->param(perm_custom => 1);
1188	} elsif ($permissions{admin} && $webvar{perms_type} eq 'clone') {
1189	$permstring = "c:$webvar{clonesrc}";
1190	getPermissions($dbh, 'user', $webvar{clonesrc}, \%newperms);
1191	$page->param(perm_clone => 1);
1192	} else {
1193	$permstring = 'i';
1194	}
1195	# "Chained" permissions. Some permissions imply others; make sure they get set.
1196	foreach (keys %permchains) {
1197	if ($newperms{$_} && !$newperms{$permchains{$_}}) {
1198	$newperms{$permchains{$_}} = 1;
1199	$permstring .= ",$permchains{$_}";
1200	}
1201	}
1202	if ($webvar{useraction} eq 'add') {
1203	changepage(page => "useradmin", errmsg => "You do not have permission to add new users")
1204	unless $permissions{admin} \|\| $permissions{user_create};
1205	# no scope check; user is created in the current group
1206	($code,$msg) = addUser($dbh, $webvar{uname}, $curgroup, $webvar{pass1},
1207	($webvar{makeactive} eq 'on' ? 1 : 0), $webvar{accttype}, $permstring,
1208	$webvar{fname}, $webvar{lname}, $webvar{phone});
1209	} else {
1210	changepage(page => "useradmin", errmsg => "You do not have permission to edit users")
1211	unless $permissions{admin} \|\| $permissions{user_edit} \|\|
1212	($permissions{self_edit} && $session->param('uid') == $webvar{uid});
1213	# security check - does the user have permission to access this entity?
1214	if (!check_scope(id => $webvar{user}, type => 'user')) {
1215	changepage(page => "useradmin", errmsg => "You do not have permission to edit the requested user");
1216	}
1217	# User update is icky. I'd really like to do this in one atomic operation,
1218	# but that gets hairy by either duplicating a lot of code in DNSDB.pm
1219	# or self-torture trying to not commit the transaction until we're really done.
1220	# Allowing for changing group, but not coding web support just yet.
1221	($code,$msg) = updateUser($dbh, $webvar{uid}, $webvar{uname}, $webvar{gid}, $webvar{pass1},
1222	($webvar{makeactive} eq 'on' ? 1 : 0), $webvar{accttype},
1223	$webvar{fname}, $webvar{lname}, $webvar{phone});
1224	if ($code eq 'OK') {
1225	$newperms{admin} = 1 if $webvar{accttype} eq 'S';
1226	($code2,$msg2) = changePermissions($dbh, 'user', $webvar{uid}, \%newperms, ($permstring eq 'i'));
1227	}
1228	}
1229	}
1230
1231	if ($code eq 'OK' && $code2 eq 'OK') {
1232	my %pageparams = (page => "useradmin");
1233	if ($alterperms) {
1234	$pageparams{warnmsg} = "You can only grant permissions you hold.\nUser ".
1235	($webvar{useraction} eq 'add' ? "$webvar{uname} added" : "info updated for $webvar{uname}").
1236	".\nPermissions ".($webvar{useraction} eq 'add' ? 'added' : 'updated')." with reduced access.";
1237	} else {
1238	$pageparams{resultmsg} = "$msg".($webvar{useraction} eq 'add' ? '' : "\n$msg2");
1239	}
1240	changepage(%pageparams);
1241
1242	# add/update failed:
1243	} else {
1244	$page->param(add_failed => 1);
1245	$page->param(action => $webvar{useraction});
1246	$page->param(set_permgroup => 1);
1247	if ($webvar{perms_type} eq 'inherit') { # set permission class radio
1248	$page->param(perm_inherit => 1);
1249	} elsif ($webvar{perms_type} eq 'clone') {
1250	$page->param(perm_clone => 1);
1251	} else {
1252	$page->param(perm_custom => 1);
1253	}
1254	$page->param(uname => $webvar{uname});
1255	$page->param(fname => $webvar{fname});
1256	$page->param(lname => $webvar{lname});
1257	$page->param(pass1 => $webvar{pass1});
1258	$page->param(pass2 => $webvar{pass2});
1259	$page->param(errmsg => "User info updated but permissions update failed: $msg2") if $code eq 'OK';
1260	$page->param(errmsg => $msg) if $code ne 'OK';
1261	fill_permissions($page, \%newperms);
1262	fill_actypelist($webvar{accttype});
1263	fill_clonemelist();
1264	}
1265
1266	} elsif ($webvar{useraction} eq 'edit') {
1267
1268	changepage(page => "useradmin", errmsg => "You do not have permission to edit users")
1269	unless $permissions{admin} \|\| $permissions{user_edit} \|\|
1270	($permissions{self_edit} && $session->param('uid') == $webvar{user});
1271
1272	# security check - does the user have permission to access this entity?
1273	if (!check_scope(id => $webvar{user}, type => 'user')) {
1274	changepage(page => "useradmin", errmsg => "You do not have permission to edit the requested user");
1275	}
1276
1277	$page->param(set_permgroup => 1);
1278	$page->param(action => 'update');
1279	$page->param(uid => $webvar{user});
1280	fill_clonemelist();
1281
1282	my $userinfo = getUserData($dbh,$webvar{user});
1283	fill_actypelist($userinfo->{type});
1284	# not using this yet, but adding it now means we can much more easily do so later.
1285	$page->param(gid => $userinfo->{group_id});
1286
1287	my %curperms;
1288	getPermissions($dbh, 'user', $webvar{user}, \%curperms);
1289	fill_permissions($page, \%curperms);
1290
1291	$page->param(uname => $userinfo->{username});
1292	$page->param(fname => $userinfo->{firstname});
1293	$page->param(lname => $userinfo->{lastname});
1294	$page->param(set_permgroup => 1);
1295	if ($userinfo->{inherit_perm}) {
1296	$page->param(perm_inherit => 1);
1297	} else {
1298	$page->param(perm_custom => 1);
1299	}
1300	} else {
1301	changepage(page => "useradmin", errmsg => "You are not allowed to add new users")
1302	unless $permissions{admin} \|\| $permissions{user_create};
1303	# default is "new"
1304	$page->param(add => 1);
1305	$page->param(action => 'add');
1306	fill_permissions($page, \%grpperms);
1307	fill_actypelist();
1308	}
1309
1310	} elsif ($webvar{page} eq 'deluser') {
1311
1312	changepage(page=> "useradmin", errmsg => "You are not allowed to delete users")
1313	unless $permissions{admin} \|\| $permissions{user_delete};
1314
1315	# security check - does the user have permission to access this entity?
1316	if (!check_scope(id => $webvar{id}, type => 'user')) {
1317	changepage(page => "useradmin", errmsg => "You are not permitted to delete the requested user");
1318	}
1319
1320	$page->param(id => $webvar{id});
1321	# first pass = confirm y/n (sorta)
1322	if (!defined($webvar{del})) {
1323	$page->param(del_getconf => 1);
1324	$page->param(user => userFullName($dbh,$webvar{id}));
1325	} elsif ($webvar{del} eq 'ok') {
1326	my ($code,$msg) = delUser($dbh, $webvar{id});
1327	if ($code eq 'OK') {
1328	# success. go back to the user list, do not pass "GO"
1329	changepage(page => "useradmin", resultmsg => $msg);
1330	} else {
1331	changepage(page => "useradmin", errmsg => $msg);
1332	}
1333	} else {
1334	# cancelled. whee!
1335	changepage(page => "useradmin");
1336	}
1337
1338	} elsif ($webvar{page} eq 'loclist') {
1339
1340	changepage(page => "domlist", errmsg => "You are not allowed access to this function")
1341	unless $permissions{admin} \|\| $permissions{location_view};
1342
1343	# security check - does the user have permission to access this entity?
1344	# if (!check_scope(id => $webvar{id}, type => 'loc')) {
1345	# changepage(page => "loclist", errmsg => "You are not permitted to <foo> the requested location/view");
1346	# }
1347	list_locations();
1348	show_msgs();
1349
1350	# Permissions!
1351	$page->param(addloc => $permissions{admin} \|\| $permissions{location_create});
1352	$page->param(delloc => $permissions{admin} \|\| $permissions{location_delete});
1353
1354	} elsif ($webvar{page} eq 'location') {
1355
1356	changepage(page => "domlist", errmsg => "You are not allowed access to this function")
1357	unless $permissions{admin} \|\| $permissions{location_view};
1358
1359	# security check - does the user have permission to access this entity?
1360	# if (!check_scope(id => $webvar{id}, type => 'loc')) {
1361	# changepage(page => "loclist", errmsg => "You are not permitted to <foo> the requested location/view");
1362	# }
1363
1364	if ($webvar{locact} eq 'new') {
1365	# uuhhmm....
1366	} elsif ($webvar{locact} eq 'add') {
1367	changepage(page => "loclist", errmsg => "You are not permitted to add locations/views", id => $webvar{parentid})
1368	unless ($permissions{admin} \|\| $permissions{location_create});
1369
1370	my ($code,$msg) = addLoc($dbh, $curgroup, $webvar{locname}, $webvar{comments}, $webvar{iplist});
1371
1372	if ($code eq 'OK' \|\| $code eq 'WARN') {
1373	my %pageparams = (page => "loclist", id => $webvar{parentid},
1374	defrec => $webvar{defrec}, revrec => $webvar{revrec});
1375	$pageparams{warnmsg} = $msg."<br><br>\n".$DNSDB::resultstr if $code eq 'WARN';
1376	$pageparams{resultmsg} = $DNSDB::resultstr if $code eq 'OK';
1377	changepage(%pageparams);
1378	} else {
1379	$page->param(failed => 1);
1380	$page->param(errmsg => $msg);
1381	$page->param(wastrying => "adding");
1382	$page->param(todo => "Add location/view");
1383	$page->param(locact => "add");
1384	$page->param(id => $webvar{id});
1385	$page->param(locname => $webvar{locname});
1386	$page->param(comments => $webvar{comments});
1387	$page->param(iplist => $webvar{iplist});
1388	}
1389
1390	} elsif ($webvar{locact} eq 'edit') {
1391	changepage(page => "loclist", errmsg => "You are not permitted to edit locations/views", id => $webvar{parentid})
1392	unless ($permissions{admin} \|\| $permissions{location_edit});
1393
1394	my $loc = getLoc($dbh, $webvar{loc});
1395	$page->param(wastrying => "editing");
1396	$page->param(todo => "Edit location/view");
1397	$page->param(locact => "update");
1398	$page->param(id => $webvar{loc});
1399	$page->param(locname => $loc->{description});
1400	$page->param(comments => $loc->{comments});
1401	$page->param(iplist => $loc->{iplist});
1402
1403	} elsif ($webvar{locact} eq 'update') {
1404	changepage(page => "loclist", errmsg => "You are not permitted to edit locations/views", id => $webvar{parentid})
1405	unless ($permissions{admin} \|\| $permissions{location_edit});
1406
1407	my ($code,$msg) = updateLoc($dbh, $webvar{id}, $curgroup, $webvar{locname}, $webvar{comments}, $webvar{iplist});
1408
1409	if ($code eq 'OK') {
1410	changepage(page => "loclist", resultmsg => $msg);
1411	} else {
1412	$page->param(failed => 1);
1413	$page->param(errmsg => $msg);
1414	$page->param(wastrying => "editing");
1415	$page->param(todo => "Edit location/view");
1416	$page->param(locact => "update");
1417	$page->param(id => $webvar{loc});
1418	$page->param(locname => $webvar{locname});
1419	$page->param(comments => $webvar{comments});
1420	$page->param(iplist => $webvar{iplist});
1421	}
1422	} else {
1423	changepage(page => "loclist", errmsg => "You are not permitted to add locations/views", id => $webvar{parentid})
1424	unless ($permissions{admin} \|\| $permissions{location_create});
1425
1426	$page->param(todo => "Add location/view");
1427	$page->param(locact => "add");
1428	$page->param(locname => ($webvar{locname} ? $webvar{locname} : ''));
1429	$page->param(iplist => ($webvar{iplist} ? $webvar{iplist} : ''));
1430
1431	show_msgs();
1432	}
1433
1434	} elsif ($webvar{page} eq 'dnsq') {
1435
1436	$page->param(qfor => $webvar{qfor}) if $webvar{qfor};
1437	$page->param(typelist => getTypelist($dbh, 'l', ($webvar{type} ? $webvar{type} : undef)));
1438	$page->param(nrecurse => $webvar{nrecurse}) if $webvar{nrecurse};
1439	$page->param(resolver => $webvar{resolver}) if $webvar{resolver};
1440
1441	if ($webvar{qfor}) {
1442	my $resolv = Net::DNS::Resolver->new;
1443	$resolv->tcp_timeout(5); # make me adjustable!
1444	$resolv->udp_timeout(5); # make me adjustable!
1445	$resolv->recurse(0) if $webvar{nrecurse};
1446	$resolv->nameservers($webvar{resolver}) if $webvar{resolver};
1447	my $query = $resolv->query($webvar{qfor}, $typemap{$webvar{type}});
1448	if ($query) {
1449
1450	$page->param(showresults => 1);
1451
1452	my @answer;
1453	foreach my $rr ($query->answer) {
1454	# next unless $rr->type eq "A" or $rr->type eq 'NS';
1455	my %row;
1456	my ($host,$ttl,$class,$type,$data) =
1457	($rr->string =~ /^([0-9a-zA-Z_.-]+)\s+(\d+)\s+([A-Za-z]+)\s+([A-Za-z]+)\s+(.+)$/s);
1458	$row{host} = $host;
1459	$row{ftype} = $type;
1460	$row{rdata} = ($type eq 'SOA' ? "<pre>$data</pre>" : $data);
1461	push @answer, \%row;
1462	}
1463	$page->param(answer => \@answer);
1464
1465	my @additional;
1466	foreach my $rr ($query->additional) {
1467	# next unless $rr->type eq "A" or $rr->type eq 'NS';
1468	my %row;
1469	my ($host,$ttl,$class,$type,$data) =
1470	($rr->string =~ /^([0-9a-zA-Z_.-]+)\s+(\d+)\s+([A-Za-z]+)\s+([A-Za-z]+)\s+(.+)$/);
1471	$row{host} = $host;
1472	$row{ftype} = $type;
1473	$row{rdata} = $data;
1474	push @additional, \%row;
1475	}
1476	$page->param(additional => \@additional);
1477
1478	my @authority;
1479	foreach my $rr ($query->authority) {
1480	# next unless $rr->type eq "A" or $rr->type eq 'NS';
1481	my %row;
1482	my ($host,$ttl,$class,$type,$data) =
1483	($rr->string =~ /^([0-9a-zA-Z_.-]+)\s+(\d+)\s+([A-Za-z]+)\s+([A-Za-z]+)\s+(.+)$/);
1484	$row{host} = $host;
1485	$row{ftype} = $type;
1486	$row{rdata} = $data;
1487	push @authority, \%row;
1488	}
1489	$page->param(authority => \@authority);
1490
1491	$page->param(usedresolver => $resolv->answerfrom);
1492	$page->param(frtype => $typemap{$webvar{type}});
1493
1494	} else {
1495	$page->param(errmsg => $resolv->errorstring);
1496	}
1497	}
1498	## done DNS query
1499
1500	} elsif ($webvar{page} eq 'axfr') {
1501
1502	changepage(page => "domlist", errmsg => "You are not permitted to import domains")
1503	unless ($permissions{admin} \|\| $permissions{domain_create});
1504
1505	# don't need this while we've got the dropdown in the menu. hmm.
1506	fill_grouplist("grouplist");
1507
1508	$page->param(ifrom => $webvar{ifrom}) if $webvar{ifrom};
1509	$page->param(rwsoa => $webvar{rwsoa}) if $webvar{rwsoa};
1510	$page->param(rwns => $webvar{rwns}) if $webvar{rwns};
1511	# This next one is arguably better on by default, but Breaking Things Is Bad, Mmmkay?
1512	$page->param(mergematching => $webvar{mergematching}) if $webvar{mergematching};
1513	$page->param(dominactive => 1) if (!$webvar{domactive} && $webvar{doit}); # eww.
1514	$page->param(importdoms => $webvar{importdoms}) if $webvar{importdoms};
1515
1516	# shut up warning about uninitialized variable
1517	$webvar{doit} = '' if !defined($webvar{doit});
1518
1519	if ($webvar{doit} eq 'y' && !$webvar{ifrom}) {
1520	$page->param(errmsg => "Need to set host to import from");
1521	} elsif ($webvar{doit} eq 'y' && !$webvar{importdoms}) {
1522	$page->param(errmsg => "Need domains to import");
1523	} elsif ($webvar{doit} eq 'y') {
1524
1525	# security check - does the user have permission to access this entity?
1526	if (!check_scope(id => $webvar{group}, type => 'group')) {
1527	$page->param(errmsg => "You are not permitted to import domains into the requested group");
1528	goto DONEAXFR;
1529	}
1530
1531	# Bizarre Things Happen when you AXFR a null-named zone.
1532	$webvar{importdoms} =~ s/^\s+//;
1533	my @domlist = split /\s+/, $webvar{importdoms};
1534	my @results;
1535	foreach my $domain (@domlist) {
1536	my %row;
1537	my ($code,$msg) = importAXFR($dbh, $webvar{ifrom}, $domain, $webvar{group},
1538	$webvar{zonestatus}, $webvar{rwsoa}, $webvar{rwns}, $webvar{mergematching});
1539	$row{domok} = $msg if $code eq 'OK';
1540	if ($code eq 'WARN') {
1541	$msg =~ s\|\n\|<br />\|g;
1542	$row{domwarn} = $msg;
1543	}
1544	if ($code eq 'FAIL') {
1545	$msg =~ s\|\n\|<br />\n\|g;
1546	$row{domerr} = $msg;
1547	}
1548	$msg = "<br />\n".$msg if $msg =~ m\|<br />\|;
1549	$row{domain} = $domain;
1550	push @results, \%row;
1551	}
1552	$page->param(axfrresults => \@results);
1553	}
1554
1555	# Yes, this is a GOTO target. PTBHTTT.
1556	DONEAXFR: ;
1557
1558	} elsif ($webvar{page} eq 'whoisq') {
1559
1560	if ($webvar{qfor}) {
1561	use Net::Whois::Raw;
1562	use Text::Wrap;
1563
1564	# caching useful?
1565	#$Net::Whois::Raw::CACHE_DIR = "/var/spool/pwhois/";
1566	#$Net::Whois::Raw::CACHE_TIME = 60;
1567
1568	my ($dominfo, $whois_server) = whois($webvar{qfor});
1569	##fixme: if we're given an IP, try rwhois as well as whois so we get the real final data
1570
1571	# le sigh. idjits spit out data without linefeeds...
1572	$Text::Wrap::columns = 88;
1573
1574	# &%$@%@# high-bit crap. We should probably find a way to properly recode these
1575	# instead of one-by-one. Note CGI::Simple's escapeHTML() doesn't do more than
1576	# the bare minimum. :/
1577	# Mainly an XHTML validation thing.
1578	$dominfo = $q->escapeHTML($dominfo);
1579	$dominfo =~ s/\xa9/\©/g;
1580	$dominfo =~ s/\xae/\®/g;
1581
1582	$page->param(qfor => $webvar{qfor});
1583	$page->param(dominfo => wrap('','',$dominfo));
1584	$page->param(whois_server => $whois_server);
1585	} else {
1586	$page->param(errmsg => "Missing host or domain to query in WHOIS") if $webvar{askaway};
1587	}
1588
1589	} elsif ($webvar{page} eq 'log') {
1590
1591	my $id = $curgroup; # we do this because the group log may be called from (almost) any page,
1592	# but the others are much more limited. this is probably non-optimal.
1593
1594	if ($webvar{ltype} && $webvar{ltype} eq 'user') {
1595	##fixme: where should we call this from?
1596	$id = $webvar{id};
1597	if (!check_scope(id => $id, type => 'user')) {
1598	$page->param(errmsg => "You are not permitted to view log entries for the requested user");
1599	goto DONELOG;
1600	}
1601	$page->param(logfor => 'user '.userFullName($dbh,$id));
1602	} elsif ($webvar{ltype} && $webvar{ltype} eq 'dom') {
1603	$id = $webvar{id};
1604	if (!check_scope(id => $id, type => 'domain')) {
1605	$page->param(errmsg => "You are not permitted to view log entries for the requested domain");
1606	goto DONELOG;
1607	}
1608	$page->param(logfor => 'domain '.domainName($dbh,$id));
1609	} elsif ($webvar{ltype} && $webvar{ltype} eq 'rdns') {
1610	$id = $webvar{id};
1611	if (!check_scope(id => $id, type => 'revzone')) {
1612	$page->param(errmsg => "You are not permitted to view log entries for the requested reverse zone");
1613	goto DONELOG;
1614	}
1615	$page->param(logfor => 'reverse zone '.revName($dbh,$id));
1616	} else {
1617	# Default to listing curgroup log
1618	$page->param(logfor => 'group '.groupName($dbh,$id));
1619	# note that scope limitations are applied via the change-group check;
1620	# group log is always for the "current" group
1621	}
1622	$webvar{ltype} = 'group' if !$webvar{ltype};
1623	my $lcount = getLogCount($dbh, (id => $id, logtype => $webvar{ltype})) or push @debugbits, $DNSDB::errstr;
1624
1625	$page->param(id => $id);
1626	$page->param(ltype => $webvar{ltype});
1627
1628	fill_fpnla($lcount);
1629	fill_pgcount($lcount, "log entries", '');
1630	$page->param(curpage => $webvar{page}.($webvar{ltype} ? "&ltype=$webvar{ltype}" : ''));
1631
1632	$sortby = 'stamp';
1633	$sortorder = 'DESC'; # newest-first; although filtering is probably going to be more useful than sorting
1634	# sort/order
1635	$session->param($webvar{page}.'sortby', $webvar{sortby}) if $webvar{sortby};
1636	$session->param($webvar{page}.'order', $webvar{order}) if $webvar{order};
1637
1638	$sortby = $session->param($webvar{page}.'sortby') if $session->param($webvar{page}.'sortby');
1639	$sortorder = $session->param($webvar{page}.'order') if $session->param($webvar{page}.'order');
1640
1641	# Set up the column headings with the sort info
1642	my @cols = ('fname','username','entry','stamp');
1643	my %colnames = (fname => 'Name', username => 'Username/Email', entry => 'Log Entry', stamp => 'Date/Time');
1644	fill_colheads($sortby, $sortorder, \@cols, \%colnames);
1645
1646	##fixme: increase per-page limit or use separate limit for log? some ops give lots of entries...
1647	my $logentries = getLogEntries($dbh, (id => $id, logtype => $webvar{ltype},
1648	offset => $webvar{offset}, sortby => $sortby, sortorder => $sortorder));
1649	$page->param(logentries => $logentries);
1650
1651	##fixme:
1652	# - filtering
1653	# - show reverse zone column?
1654	# - on log record creation, bundle "parented" log actions (eg, "AXFR record blah for domain foo",
1655	# or "Add record bar for new domain baz") into one entry (eg, "AXFR domain foo", "Add domain baz")?
1656	# need a way to expand this into the complete list, and to exclude "child" entries
1657
1658	# scope check fail target
1659	DONELOG: ;
1660
1661	} # end $webvar{page} dance
1662
1663
1664	# start output here so we can redirect pages.
1665	print "Content-type: text/html\n\n", $header->output;
1666
1667	##common bits
1668	# mostly things in the menu
1669	if ($webvar{page} ne 'login' && $webvar{page} ne 'badpage') {
1670	$page->param(username => $session->param("username"));
1671
1672	$page->param(group => $curgroup);
1673	$page->param(groupname => groupName($dbh,$curgroup));
1674	$page->param(logingrp => groupName($dbh,$logingroup));
1675	$page->param(logingrp_num => $logingroup);
1676
1677	##fixme
1678	$page->param(mayrdns => 1);
1679
1680	$page->param(mayloc => ($permissions{admin} \|\| $permissions{location_view}));
1681
1682	$page->param(maydefrec => $permissions{admin});
1683	$page->param(mayimport => $permissions{admin} \|\| $permissions{domain_create});
1684	$page->param(maybulk => $permissions{admin} \|\| $permissions{domain_edit} \|\| $permissions{domain_create} \|\| $permissions{domain_delete});
1685
1686	$page->param(chggrps => ($permissions{admin} \|\| $permissions{group_create} \|\| $permissions{group_edit} \|\| $permissions{group_delete}));
1687
1688	# group tree. should go elsewhere, probably
1689	my $tmpgrplist = fill_grptree($logingroup,$curgroup);
1690	$page->param(grptree => $tmpgrplist);
1691	$page->param(subs => ($tmpgrplist ? 1 : 0)); # probably not useful to pass gobs of data in for a boolean
1692	$page->param(inlogingrp => $curgroup == $logingroup);
1693
1694	# fill in the URL-to-self
1695	$page->param(whereami => $uri_self);
1696	}
1697
1698	if (@debugbits) {
1699	print "<pre>\n";
1700	foreach (@debugbits) { print; }
1701	print "</pre>\n";
1702	}
1703
1704	# spit it out
1705	print $page->output;
1706
1707	if ($debugenv) {
1708	print "<div id=\"debug\">webvar keys: <pre>\n";
1709	foreach my $key (keys %webvar) {
1710	print "key: $key\tval: $webvar{$key}\n";
1711	}
1712	print "</pre>\nsession:\n<pre>\n";
1713	my $sesdata = $session->dataref();
1714	foreach my $key (keys %$sesdata) {
1715	print "key: $key\tval: ".$sesdata->{$key}."\n";
1716	}
1717	print "</pre>\nENV:\n<pre>\n";
1718	foreach my $key (keys %ENV) {
1719	print "key: $key\tval: $ENV{$key}\n";
1720	}
1721	print "</pre></div>\n";
1722	}
1723
1724	print $footer->output;
1725
1726	# as per the docs, Just In Case
1727	$session->flush();
1728
1729	exit 0;
1730
1731
1732	sub fill_grptree {
1733	my $root = shift;
1734	my $cur = shift;
1735	my $indent = shift \|\| ' ';
1736
1737	my @childlist;
1738
1739	my $grptree = HTML::Template->new(filename => 'templates/grptree.tmpl');
1740	getChildren($dbh,$root,\@childlist,'immediate');
1741	return if $#childlist == -1;
1742	my @grouplist;
1743	foreach (@childlist) {
1744	my %row;
1745	$row{grpname} = groupName($dbh,$_);
1746	$row{grpnum} = $_;
1747	$row{whereami} = $uri_self;
1748	$row{curgrp} = ($_ == $cur);
1749	$row{expanded} = isParent($dbh, $_, 'group', $cur, 'group');
1750	$row{expanded} = 1 if $_ == $cur;
1751	$row{subs} = fill_grptree($_,$cur,$indent.' ');
1752	$row{indent} = $indent;
1753	push @grouplist, \%row;
1754	}
1755	$grptree->param(indent => $indent);
1756	$grptree->param(treelvl => \@grouplist);
1757	return $grptree->output;
1758	}
1759
1760	sub changepage {
1761	my %params = @_; # think this works the way I want...
1762
1763	# cross-site scripting fixup. instead of passing error messages by URL/form
1764	# variable, put them in the session where the nasty user can't meddle.
1765	# these are done here since it's far simpler to pass them in from wherever
1766	# than set them locally everywhere.
1767	foreach my $sessme ('resultmsg','warnmsg','errmsg') {
1768	if (my $tmp = $params{$sessme}) {
1769	$tmp =~ s/^\n//;
1770	$tmp =~ s\|\n\|<br />\n\|g;
1771	$session->param($sessme, $tmp);
1772	delete $params{$sessme};
1773	}
1774	}
1775
1776	# handle user check
1777	my $newurl = "http://$ENV{HTTP_HOST}$ENV{SCRIPT_NAME}?sid=$sid";
1778	foreach (sort keys %params) {
1779	$newurl .= "&$_=".$q->url_encode($params{$_});
1780	}
1781
1782	# Just In Case
1783	$session->flush();
1784
1785	print "Status: 302\nLocation: $newurl\n\n";
1786	exit;
1787	} # end changepage
1788
1789	# wrap up the usual suspects for result, warning, or error messages to be displayed
1790	sub show_msgs {
1791	if ($session->param('resultmsg')) {
1792	$page->param(resultmsg => $session->param('resultmsg'));
1793	$session->clear('resultmsg');
1794	}
1795	if ($session->param('warnmsg')) {
1796	$page->param(warnmsg => $session->param('warnmsg'));
1797	$session->clear('warnmsg');
1798	}
1799	if ($session->param('errmsg')) {
1800	$page->param(errmsg => $session->param('errmsg'));
1801	$session->clear('errmsg');
1802	}
1803	} # end show_msgs
1804
1805	sub fillsoa {
1806	my $defrec = shift;
1807	my $revrec = shift;
1808	my $id = shift;
1809	my $preserve = shift \|\| 'd'; # Flag to use webvar fields or retrieve from database
1810
1811	my $domname = ($defrec eq 'y' ? '' : "DOMAIN");
1812
1813	$page->param(defrec => $defrec);
1814	$page->param(revrec => $revrec);
1815
1816	# i had a good reason to do this when I wrote it...
1817	# $page->param(domain => $domname);
1818	# $page->param(group => $DNSDB::group);
1819	$page->param(isgrp => 1) if $defrec eq 'y';
1820	$page->param(parent => ($defrec eq 'y' ? groupName($dbh, $id) :
1821	($revrec eq 'n' ? domainName($dbh, $id) : revName($dbh, $id)) ) );
1822
1823	# defaults
1824	$page->param(defcontact => $DNSDB::def{contact});
1825	$page->param(defns => $DNSDB::def{prins});
1826	$page->param(defsoattl => $DNSDB::def{soattl});
1827	$page->param(defrefresh => $DNSDB::def{refresh});
1828	$page->param(defretry => $DNSDB::def{retry});
1829	$page->param(defexpire => $DNSDB::def{expire});
1830	$page->param(defminttl => $DNSDB::def{minttl});
1831
1832	$page->param(id => $id);
1833
1834	if ($preserve eq 'd') {
1835	# there are probably better ways to do this. TMTOWTDI.
1836	my $soa = getSOA($dbh,$defrec,$revrec,$id);
1837
1838	$page->param(prins => ($soa->{prins} ? $soa->{prins} : $DNSDB::def{prins}));
1839	$page->param(contact => ($soa->{contact} ? $soa->{contact} : $DNSDB::def{contact}));
1840	$page->param(refresh => ($soa->{refresh} ? $soa->{refresh} : $DNSDB::def{refresh}));
1841	$page->param(retry => ($soa->{retry} ? $soa->{retry} : $DNSDB::def{retry}));
1842	$page->param(expire => ($soa->{expire} ? $soa->{expire} : $DNSDB::def{expire}));
1843	$page->param(minttl => ($soa->{minttl} ? $soa->{minttl} : $DNSDB::def{minttl}));
1844	$page->param(ttl => ($soa->{ttl} ? $soa->{ttl} : $DNSDB::def{soattl}));
1845	} else {
1846	$page->param(prins => ($webvar{prins} ? $webvar{prins} : $DNSDB::def{prins}));
1847	$page->param(contact => ($webvar{contact} ? $webvar{contact} : $DNSDB::def{contact}));
1848	$page->param(refresh => ($webvar{refresh} ? $webvar{refresh} : $DNSDB::def{refresh}));
1849	$page->param(retry => ($webvar{retry} ? $webvar{retry} : $DNSDB::def{retry}));
1850	$page->param(expire => ($webvar{expire} ? $webvar{expire} : $DNSDB::def{expire}));
1851	$page->param(minttl => ($webvar{minttl} ? $webvar{minttl} : $DNSDB::def{minttl}));
1852	$page->param(ttl => ($webvar{ttl} ? $webvar{ttl} : $DNSDB::def{soattl}));
1853	}
1854	}
1855
1856	sub showzone {
1857	my $def = shift;
1858	my $rev = shift;
1859	my $id = shift;
1860
1861	# get the SOA first
1862	my $soa = getSOA($dbh,$def,$rev,$id);
1863
1864	$page->param(contact => $soa->{contact});
1865	$page->param(prins => $soa->{prins});
1866	$page->param(refresh => $soa->{refresh});
1867	$page->param(retry => $soa->{retry});
1868	$page->param(expire => $soa->{expire});
1869	$page->param(minttl => $soa->{minttl});
1870	$page->param(ttl => $soa->{ttl});
1871
1872	my $foo2 = getDomRecs($dbh,(defrec => $def, revrec => $rev, id => $id, offset => $webvar{offset},
1873	sortby => $sortby, sortorder => $sortorder, filter => $filter));
1874
1875	foreach my $rec (@$foo2) {
1876	$rec->{type} = $typemap{$rec->{type}};
1877	$rec->{sid} = $webvar{sid};
1878	$rec->{fwdzone} = $rev eq 'n';
1879	$rec->{distance} = 'n/a' unless ($rec->{type} eq 'MX' \|\| $rec->{type} eq 'SRV');
1880	$rec->{weight} = 'n/a' unless ($rec->{type} eq 'SRV');
1881	$rec->{port} = 'n/a' unless ($rec->{type} eq 'SRV');
1882	# ACLs
1883	$rec->{record_edit} = ($permissions{admin} \|\| $permissions{record_edit});
1884	$rec->{record_delete} = ($permissions{admin} \|\| $permissions{record_delete});
1885	$rec->{locname} = '' unless ($permissions{admin} \|\| $permissions{location_view});
1886	}
1887	$page->param(reclist => $foo2);
1888	}
1889
1890	sub fill_recdata {
1891	$page->param(typelist => getTypelist($dbh, $webvar{revrec}, $webvar{type}));
1892
1893	# le sigh. we may get called with many empty %webvar keys
1894	no warnings qw( uninitialized );
1895
1896	##todo: allow BIND-style bare names, ASS-U-ME that the name is within the domain?
1897	# prefill <domain> or DOMAIN in "Host" space for new records
1898	if ($webvar{revrec} eq 'n') {
1899	my $domroot = ($webvar{defrec} eq 'y' ? 'DOMAIN' : domainName($dbh,$webvar{parentid}));
1900	$page->param(name => ($webvar{name} ? $webvar{name} : $domroot));
1901	$page->param(address => $webvar{address});
1902	$page->param(distance => $webvar{distance})
1903	if ($webvar{type} == $reverse_typemap{MX} or $webvar{type} == $reverse_typemap{SRV});
1904	$page->param(weight => $webvar{weight}) if $webvar{type} == $reverse_typemap{SRV};
1905	$page->param(port => $webvar{port}) if $webvar{type} == $reverse_typemap{SRV};
1906	} else {
1907	my $domroot = ($webvar{defrec} eq 'y' ? 'ADMINDOMAIN' : ".$config{domain}");
1908	$page->param(name => ($webvar{name} ? $webvar{name} : $domroot));
1909	my $zname = ($webvar{defrec} eq 'y' ? 'ZONE' : revName($dbh,$webvar{parentid}));
1910	$zname =~ s\|\d*/\d+$\|\|;
1911	$page->param(address => ($webvar{address} ? $webvar{address} : $zname));
1912	}
1913	# retrieve the right ttl instead of falling (way) back to the hardcoded system default
1914	my $soa = getSOA($dbh,$webvar{defrec},$webvar{revrec},$webvar{parentid});
1915	$page->param(ttl => ($webvar{ttl} ? $webvar{ttl} : $soa->{minttl}));
1916	}
1917
1918	sub fill_actypelist {
1919	my $curtype = shift \|\| 'u';
1920
1921	my @actypes;
1922
1923	my %row1 = (actypeval => 'u', actypename => 'user');
1924	$row1{typesel} = 1 if $curtype eq 'u';
1925	push @actypes, \%row1;
1926
1927	my %row2 = (actypeval => 'S', actypename => 'superuser');
1928	$row2{typesel} = 1 if $curtype eq 'S';
1929	push @actypes, \%row2;
1930
1931	$page->param(actypelist => \@actypes);
1932	}
1933
1934	sub fill_clonemelist {
1935	# shut up some warnings, but don't stomp on caller's state
1936	local $webvar{clonesrc} = 0 if !defined($webvar{clonesrc});
1937
1938	my $clones = getUserDropdown($dbh, $curgroup, $webvar{clonesrc});
1939	$page->param(clonesrc => $clones);
1940	}
1941
1942	sub fill_fpnla {
1943	my $count = shift;
1944	if ($offset eq 'all') {
1945	$page->param(perpage => $perpage);
1946	# uhm....
1947	} else {
1948	# all these bits only have sensible behaviour if offset is numeric. err, probably.
1949	if ($count > $perpage) {
1950	# if there are more results than the default, always show the "all" link
1951	$page->param(navall => 1);
1952
1953	if ($offset > 0) {
1954	$page->param(navfirst => 1);
1955	$page->param(navprev => 1);
1956	$page->param(prevoffs => $offset-1);
1957	}
1958
1959	# show "next" and "last" links if we're not on the last page of results
1960	if ( (($offset+1) * $perpage - $count) < 0 ) {
1961	$page->param(navnext => 1);
1962	$page->param(nextoffs => $offset+1);
1963	$page->param(navlast => 1);
1964	$page->param(lastoffs => int (($count-1)/$perpage));
1965	}
1966	} else {
1967	$page->param(onepage => 1);
1968	}
1969	}
1970	} # end fill_fpnla()
1971
1972	sub fill_pgcount {
1973	my $pgcount = shift;
1974	my $pgtype = shift;
1975	my $parent = shift;
1976
1977	# Fix display/UI bug where if you are not on the first page of the list, and
1978	# you add a search term or click one of the "starts with" links, you end up
1979	# on a page showing nothing.
1980	# For bonus points, this reverts to the original offset on clicking the "All" link (mostly)
1981	if ($offset ne 'all') {
1982	$offset-- while ($offset * $perpage) >= $pgcount;
1983	}
1984
1985	$page->param(ntot => $pgcount);
1986	$page->param(nfirst => (($offset eq 'all' ? 0 : $offset)*$perpage+1));
1987	$page->param(npglast => ($offset eq 'all' ? $pgcount :
1988	( (($offset+1)$perpage) > $pgcount ? $pgcount : (($offset+1)$perpage) )
1989	));
1990	$page->param(pgtype => $pgtype);
1991	$page->param(parent => $parent);
1992	$page->param(filter => $filter);
1993	} # end fill_pgcount()
1994
1995
1996	sub listdomains { listzones(); } # temp
1997
1998	sub listzones {
1999	# ACLs
2000	$page->param(domain_create => ($permissions{admin} \|\| $permissions{domain_create}) );
2001	$page->param(domain_edit => ($permissions{admin} \|\| $permissions{domain_edit}) );
2002	$page->param(domain_delete => ($permissions{admin} \|\| $permissions{domain_delete}) );
2003
2004	my @childgroups;
2005	getChildren($dbh, $curgroup, \@childgroups, 'all') if $searchsubs;
2006	my $childlist = join(',',@childgroups);
2007
2008	my $count = getZoneCount($dbh, (childlist => $childlist, curgroup => $curgroup, revrec => $webvar{revrec},
2009	filter => ($filter ? $filter : undef), startwith => ($startwith ? $startwith : undef) ) );
2010
2011	# fill page count and first-previous-next-last-all bits
2012	fill_pgcount($count,($webvar{revrec} eq 'n' ? 'domains' : 'revzones'),groupName($dbh,$curgroup));
2013	fill_fpnla($count);
2014
2015	# sort/order
2016	$session->param($webvar{page}.'sortby', $webvar{sortby}) if $webvar{sortby};
2017	$session->param($webvar{page}.'order', $webvar{order}) if $webvar{order};
2018
2019	$sortby = $session->param($webvar{page}.'sortby') if $session->param($webvar{page}.'sortby');
2020	$sortorder = $session->param($webvar{page}.'order') if $session->param($webvar{page}.'order');
2021
2022	# set up the headers
2023	my @cols = (($webvar{revrec} eq 'n' ? 'domain' : 'revnet'), 'status', 'group');
2024	my %colheads = (domain => 'Domain', revnet => 'Reverse Zone', status => 'Status', group => 'Group');
2025	fill_colheads($sortby, $sortorder, \@cols, \%colheads);
2026
2027	# hack! hack! pthbttt. have to rethink the status column storage,
2028	# or inactive comes "before" active. sigh
2029	$sortorder = ($sortorder eq 'ASC' ? 'DESC' : 'ASC') if $sortby eq 'status';
2030
2031	# waffle, waffle - keep state on these as well as sortby, sortorder?
2032	##fixme: put this higher so the count doesn't get munched?
2033	$page->param("start$startwith" => 1) if $startwith && $startwith =~ /^(?:[a-z]\|0-9)$/;
2034
2035	$page->param(filter => $filter) if $filter;
2036	$page->param(searchsubs => $searchsubs) if $searchsubs;
2037
2038	$page->param(group => $curgroup);
2039
2040	my $zonelist = getZoneList($dbh, (childlist => $childlist, curgroup => $curgroup,
2041	revrec => $webvar{revrec},
2042	filter => ($filter ? $filter : undef), startwith => ($startwith ? $startwith : undef),
2043	offset => $webvar{offset}, sortby => $sortby, sortorder => $sortorder
2044	) );
2045	# probably don't need this, keeping for reference for now
2046	# foreach (@$zonelist) {
2047	# }
2048	$page->param(domtable => $zonelist);
2049	} # end listdomains()
2050
2051
2052	sub listgroups {
2053
2054	# security check - does the user have permission to view this entity?
2055	if (!(grep /^$curgroup$/, @viewablegroups)) {
2056	# hmm. Reset the current group to the login group? Yes. Prevents confusing behaviour elsewhere.
2057	$session->param('curgroup',$logingroup);
2058	$page->param(errmsg => "You are not permitted to view the requested group");
2059	$curgroup = $logingroup;
2060	}
2061
2062	my @childgroups;
2063	getChildren($dbh, $curgroup, \@childgroups, 'all') if $searchsubs;
2064	my $childlist = join(',',@childgroups);
2065
2066	my ($count) = getGroupCount($dbh, (childlist => $childlist, curgroup => $curgroup,
2067	filter => ($filter ? $filter : undef), startwith => ($startwith ? $startwith : undef) ) );
2068
2069	# fill page count and first-previous-next-last-all bits
2070	fill_pgcount($count,"groups",'');
2071	fill_fpnla($count);
2072
2073	$page->param(gid => $curgroup);
2074
2075	$sortby = 'group';
2076	# sort/order
2077	$session->param($webvar{page}.'sortby', $webvar{sortby}) if $webvar{sortby};
2078	$session->param($webvar{page}.'order', $webvar{order}) if $webvar{order};
2079
2080	$sortby = $session->param($webvar{page}.'sortby') if $session->param($webvar{page}.'sortby');
2081	$sortorder = $session->param($webvar{page}.'order') if $session->param($webvar{page}.'order');
2082
2083	# set up the headers
2084	my @cols = ('group','parent','nusers','ndomains','nrevzones');
2085	my %colnames = (group => 'Group', parent => 'Parent Group', nusers => 'Users', ndomains => 'Domains', nrevzones => 'Reverse Zones');
2086	fill_colheads($sortby, $sortorder, \@cols, \%colnames);
2087
2088	# waffle, waffle - keep state on these as well as sortby, sortorder?
2089	$page->param("start$startwith" => 1) if $startwith && $startwith =~ /^(?:[a-z]\|0-9)$/;
2090
2091	$page->param(filter => $filter) if $filter;
2092	$page->param(searchsubs => $searchsubs) if $searchsubs;
2093
2094	# munge sortby for columns in database
2095	$sortby = 'g.group_name' if $sortby eq 'group';
2096	$sortby = 'g2.group_name' if $sortby eq 'parent';
2097
2098	my $glist = getGroupList($dbh, (childlist => $childlist, curgroup => $curgroup,
2099	filter => ($filter ? $filter : undef), startwith => ($startwith ? $startwith : undef),
2100	offset => $webvar{offset}, sortby => $sortby, sortorder => $sortorder) );
2101
2102	$page->param(grouptable => $glist);
2103	} # end listgroups()
2104
2105
2106	sub fill_grouplist {
2107	my $template_var = shift;
2108	my $cur = shift \|\| $curgroup;
2109
2110	# little recursive utility sub-sub
2111	sub getgroupdrop {
2112	my $root = shift;
2113	my $cur = shift; # to tag the selected group
2114	my $grplist = shift;
2115	my $indent = shift \|\| '    ';
2116
2117	my @childlist;
2118	getChildren($dbh,$root,\@childlist,'immediate');
2119	return if $#childlist == -1;
2120	foreach (@childlist) {
2121	my %row;
2122	$row{groupval} = $_;
2123	$row{groupactive} = ($_ == $cur);
2124	$row{groupname} = $indent.groupName($dbh, $_);
2125	push @{$grplist}, \%row;
2126	getgroupdrop($_, $cur, $grplist, $indent.'    ');
2127	}
2128	}
2129
2130	my @grouplist;
2131	push @grouplist, { groupval => $logingroup, groupactive => $logingroup == $curgroup,
2132	groupname => groupName($dbh, $logingroup) };
2133	getgroupdrop($logingroup, $curgroup, \@grouplist);
2134
2135	$page->param("$template_var" => \@grouplist);
2136	} # end fill_grouplist()
2137
2138
2139	sub fill_loclist {
2140	my $cur = shift \|\| $curgroup;
2141	my $defloc = shift \|\| '';
2142
2143	return unless ($permissions{admin} \|\| $permissions{location_view});
2144
2145	$page->param(location_view => ($permissions{admin} \|\| $permissions{location_view}));
2146
2147	if ($permissions{admin} \|\| $permissions{record_locchg}) {
2148	my $loclist = getLocDropdown($dbh, $cur, $defloc);
2149	$page->param(record_locchg => 1);
2150	$page->param(loclist => $loclist);
2151	} else {
2152	my $loc = getLoc($dbh, $defloc);
2153	$page->param(loc_name => $loc->{description});
2154	}
2155	} # end fill_loclist()
2156
2157
2158	sub list_users {
2159
2160	my @childgroups;
2161	getChildren($dbh, $curgroup, \@childgroups, 'all') if $searchsubs;
2162	my $childlist = join(',',@childgroups);
2163
2164	my $count = getUserCount($dbh, (childlist => $childlist, curgroup => $curgroup,
2165	filter => ($filter ? $filter : undef), startwith => ($startwith ? $startwith : undef) ) );
2166
2167	# fill page count and first-previous-next-last-all bits
2168	fill_pgcount($count,"users",'');
2169	fill_fpnla($count);
2170
2171	$sortby = 'user';
2172	# sort/order
2173	$session->param($webvar{page}.'sortby', $webvar{sortby}) if $webvar{sortby};
2174	$session->param($webvar{page}.'order', $webvar{order}) if $webvar{order};
2175
2176	$sortby = $session->param($webvar{page}.'sortby') if $session->param($webvar{page}.'sortby');
2177	$sortorder = $session->param($webvar{page}.'order') if $session->param($webvar{page}.'order');
2178
2179	# set up the headers
2180	my @cols = ('user','fname','type','group','status');
2181	my %colnames = (user => 'Username', fname => 'Full Name', type => 'Type', group => 'Group', status => 'Status');
2182	fill_colheads($sortby, $sortorder, \@cols, \%colnames);
2183
2184	# waffle, waffle - keep state on these as well as sortby, sortorder?
2185	$page->param("start$startwith" => 1) if $startwith && $startwith =~ /^(?:[a-z]\|0-9)$/;
2186
2187	$page->param(filter => $filter) if $filter;
2188	$page->param(searchsubs => $searchsubs) if $searchsubs;
2189
2190	my $ulist = getUserList($dbh, (childlist => $childlist, curgroup => $curgroup,
2191	filter => ($filter ? $filter : undef), startwith => ($startwith ? $startwith : undef),
2192	offset => $webvar{offset}, sortby => $sortby, sortorder => $sortorder) );
2193	# Some UI things need to be done to the list (unlike other lists)
2194	foreach my $u (@{$ulist}) {
2195	$u->{eduser} = ($permissions{admin} \|\|
2196	($permissions{user_edit} && $u->{type} ne 'S') \|\|
2197	($permissions{self_edit} && $u->{user_id} == $session->param('uid')) );
2198	$u->{deluser} = ($permissions{admin} \|\| ($permissions{user_delete} && $u->{type} ne 'S'));
2199	$u->{type} = ($u->{type} eq 'S' ? 'superuser' : 'user');
2200	}
2201	$page->param(usertable => $ulist);
2202	} # end list_users()
2203
2204
2205	sub list_locations {
2206
2207	my @childgroups;
2208	getChildren($dbh, $curgroup, \@childgroups, 'all') if $searchsubs;
2209	my $childlist = join(',',@childgroups);
2210
2211	my $count = getLocCount($dbh, (childlist => $childlist, curgroup => $curgroup,
2212	filter => ($filter ? $filter : undef), startwith => ($startwith ? $startwith : undef) ) );
2213
2214	# fill page count and first-previous-next-last-all bits
2215	fill_pgcount($count,"locations/views",'');
2216	fill_fpnla($count);
2217
2218	$sortby = 'user';
2219	# sort/order
2220	$session->param($webvar{page}.'sortby', $webvar{sortby}) if $webvar{sortby};
2221	$session->param($webvar{page}.'order', $webvar{order}) if $webvar{order};
2222
2223	$sortby = $session->param($webvar{page}.'sortby') if $session->param($webvar{page}.'sortby');
2224	$sortorder = $session->param($webvar{page}.'order') if $session->param($webvar{page}.'order');
2225
2226	# set up the headers
2227	my @cols = ('description', 'iplist', 'group');
2228	my %colnames = (description => 'Location/View Name', iplist => 'Permitted IPs/Ranges', group => 'Group');
2229	fill_colheads($sortby, $sortorder, \@cols, \%colnames);
2230
2231	# waffle, waffle - keep state on these as well as sortby, sortorder?
2232	$page->param("start$startwith" => 1) if $startwith && $startwith =~ /^(?:[a-z]\|0-9)$/;
2233
2234	$page->param(filter => $filter) if $filter;
2235	$page->param(searchsubs => $searchsubs) if $searchsubs;
2236
2237	my $loclist = getLocList($dbh, (childlist => $childlist, curgroup => $curgroup,
2238	filter => ($filter ? $filter : undef), startwith => ($startwith ? $startwith : undef),
2239	offset => $webvar{offset}, sortby => $sortby, sortorder => $sortorder) );
2240	# Some UI things need to be done to the list
2241	foreach my $l (@{$loclist}) {
2242	$l->{iplist} = "(All IPs)" if !$l->{iplist};
2243	$l->{edloc} = ($permissions{admin} \|\| $permissions{loc_edit});
2244	$l->{delloc} = ($permissions{admin} \|\| $permissions{loc_delete});
2245	}
2246	$page->param(loctable => $loclist);
2247	} # end list_locations()
2248
2249
2250	# Generate all of the glop necessary to add or not the appropriate marker/flag for
2251	# the sort order and column in domain, user, group, and record lists
2252	# Takes an array ref and hash ref
2253	sub fill_colheads {
2254	my $sortby = shift;
2255	my $sortorder = shift;
2256	my $cols = shift;
2257	my $colnames = shift;
2258	my $custom = shift;
2259
2260	my @headings;
2261
2262	foreach my $col (@$cols) {
2263	my %coldata;
2264	$coldata{sid} = $sid;
2265	$coldata{page} = $webvar{page};
2266	$coldata{offset} = $webvar{offset} if $webvar{offset};
2267	$coldata{sortby} = $col;
2268	$coldata{colname} = $colnames->{$col};
2269	if ($col eq $sortby) {
2270	$coldata{order} = ($sortorder eq 'ASC' ? 'DESC' : 'ASC');
2271	$coldata{sortorder} = $sortorder;
2272	} else {
2273	$coldata{order} = 'ASC';
2274	}
2275	if ($custom) {
2276	foreach my $ckey (keys %$custom) {
2277	$coldata{$ckey} = $custom->{$ckey};
2278	}
2279	}
2280	push @headings, \%coldata;
2281	}
2282
2283	$page->param(colheads => \@headings);
2284
2285	} # end fill_colheads()
2286
2287
2288	# we have to do this in a variety of places; let's make it consistent
2289	sub fill_permissions {
2290	my $template = shift; # may need to do several sets on a single page
2291	my $permset = shift; # hashref to permissions on object
2292	my $usercan = shift \|\| \%permissions; # allow alternate user-is-allowed permission block
2293
2294	foreach (@permtypes) {
2295	$template->param("may_$_" => ($usercan->{admin} \|\| $usercan->{$_}));
2296	$template->param($_ => $permset->{$_});
2297	}
2298	}
2299
2300	# so simple when defined as a sub instead of inline. O_o
2301	sub check_scope {
2302	my %args = @_;
2303	my $entity = $args{id} \|\| 0; # prevent the shooting of feet with SQL "... intcolumn = '' ..."
2304	my $entype = $args{type} \|\| '';
2305
2306	if ($entype eq 'group') {
2307	return 1 if grep /^$entity$/, @viewablegroups;
2308	} else {
2309	foreach (@viewablegroups) {
2310	return 1 if isParent($dbh, $_, 'group', $entity, $entype);
2311	}
2312	}
2313	}

Note: See TracBrowser for help on using the repository browser.

Download in other formats: