Changeset 111


Timestamp:
08/01/11 19:24:30 (13 years ago)
Author:
Kris Deugau
Message:

/trunk

Add ACL checks to prevent constructed-URL ACL bypasses on SOA records, group
add/edit/delete, axfr import; correct logic in bulk domain ACL check

Location:
trunk
Files:
4 edited

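--- a/trunk/DNSDB.pm
+++ b/trunk/DNSDB.pm
@@ -759,5 +759,5 @@
                 |c:\d+  # clone
                         # custom.  no, the leading , is not a typo
-                |C:(?:,(?:group|user|domain|record|self)_(?:edit|create|delete))+
+                |C:(?:,(?:group|user|domain|record|self)_(?:edit|create|delete))*
                 )$/x;
 # bleh.  I'd call another function to do my dirty work, but we're in the middle of a transaction already.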
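Review bot: The quantifier change from `+` to `*` on the custom-permission alternative (new line 761) makes a bare `C:` with no permissions listed pass validation, and neither the commit message nor the comment above the line mentions it. The pattern starts outside this hunk and the code that consumes the accepted string is not visible, so it is worth confirming that an empty list is stored as "no permissions" rather than falling back to inherited or default ones. I would extend the existing comment to `# custom.  no, the leading , is not a typo; a bare "C:" (no permissions listed) is accepted`.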
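--- a/trunk/dns.cgi
+++ b/trunk/dns.cgi
@@ -265,4 +265,5 @@
 } elsif ($webvar{page} eq 'reclist') {
 
+  $page->param(mayeditsoa => $permissions{admin} || $permissions{domain_edit});
 ##fixme:  ACL needs pondering.  Does "edit domain" interact with record add/remove/etc?
 # Note this seems to be answered "no" in Vega.
@@ -439,4 +440,6 @@
 
 } elsif ($webvar{page} eq 'delrec') {
+
+  # This is a complete separate segment since it uses a different template from add/edit records above
 
   changepage(page => "reclist", errmsg => "You are not permitted to delete records", id => $webvar{parentid})
@@ -488,7 +491,13 @@
 } elsif ($webvar{page} eq 'editsoa') {
 
+  changepage(page => "reclist", errmsg => "You are not permitted to edit domain SOA records", id => $webvar{id})
+        unless ($permissions{admin} || $permissions{domain_edit});
+
   fillsoa($webvar{defrec},$webvar{id});
 
 } elsif ($webvar{page} eq 'updatesoa') {
+
+  changepage(page => "reclist", errmsg => "You are not permitted to edit domain SOA records", id => $webvar{id})
+        unless ($permissions{admin} || $permissions{domain_edit});
 
   my $sth;
@@ -527,4 +536,7 @@
 
 } elsif ($webvar{page} eq 'newgrp') {
+
+  changepage(page => "grpman", errmsg => "You are not permitted to add groups", id => $webvar{parentid})
+        unless ($permissions{admin} || $permissions{group_add});
 
   # do.. uhh.. stuff.. if we have no webvar{action}
@@ -557,4 +569,7 @@
 } elsif ($webvar{page} eq 'delgrp') {
 
+  changepage(page => "grpman", errmsg => "You are not permitted to delete groups", id => $webvar{parentid})
+        unless ($permissions{admin} || $permissions{group_delete});
+
   $page->param(id => $webvar{id});
   # first pass = confirm y/n (sorta)
@@ -588,4 +603,7 @@
 } elsif ($webvar{page} eq 'edgroup') {
 
+  changepage(page => "grpman", errmsg => "You are not permitted to edit groups", id => $webvar{parentid})
+        unless ($permissions{admin} || $permissions{group_edit});
+
   if ($webvar{action} eq 'updperms') {
     # extra safety check;  make sure user can't construct a URL to bypass ACLs
@@ -617,5 +635,5 @@
 
   changepage(page => "domlist", errmsg => "You are not permitted to make bulk domain changes")
-        unless ($permissions{admin} || ($permissions{domain_edit} && $permissions{domain_create} && $permissions{domain_delete}));
+        unless ($permissions{admin} || $permissions{domain_edit} || $permissions{domain_create} || $permissions{domain_delete});
 
 ##fixme
@@ -669,4 +687,7 @@
 
 } elsif ($webvar{page} eq 'user') {
+
+  # All user add/edit actions fall through the same page, since there aren't
+  # really any hard differences between the templates
 
   #fill_actypelist($webvar{accttype});
@@ -990,4 +1011,7 @@
 } elsif ($webvar{page} eq 'axfr') {
 
+  changepage(page => "domlist", errmsg => "You are not permitted to import domains")
+        unless ($permissions{admin} || $permissions{domain_create});
+
   # don't need this while we've got the dropdown in the menu.  hmm.
   #fill_grouplist;
@@ -1109,4 +1133,7 @@
   $page->param(groupname => groupName($dbh,$curgroup));
   $page->param(logingrp => groupName($dbh,$logingroup));
+
+  $page->param(mayimport => $permissions{admin} || $permissions{domain_create});
+  $page->param(maybulk => $permissions{admin} || $permissions{domain_edit} || $permissions{domain_create} || $permissions{domain_delete});
 
   # group tree.  should go elsewhere, probably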
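Review bot: The bulk-domain guard (new line 637) now admits a user holding any one of `domain_edit`, `domain_create` or `domain_delete`, so it only decides who may open the page, not which bulk operation they may run. The handler body is outside this hunk (only `##fixme` is visible after the guard), so I cannot see whether each operation rechecks its own permission; if it does not, a user holding only one of the three could carry out the other operations through this page. I would add a comment directly under the guard, `# page-level gate only: each bulk action below must recheck its own domain_* permission`, and confirm the per-action checks exist. The `maybulk` template flag at new line 1137 mirrors the same condition and should stay in step with it.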
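--- a/trunk/templates/menu.tmpl
+++ b/trunk/templates/menu.tmpl
@@ -7,6 +7,6 @@
 <a href="dns.cgi?sid=<TMPL_VAR NAME=sid>&amp;page=log">Log</a><br />
 <a href="dns.cgi?sid=<TMPL_VAR NAME=sid>&amp;page=reclist&amp;id=<TMPL_VAR NAME=group>&amp;defrec=y">Default Records</a><br />
-<a href="dns.cgi?sid=<TMPL_VAR NAME=sid>&amp;page=axfr">AXFR Import</a><br />
-<a href="dns.cgi?sid=<TMPL_VAR NAME=sid>&amp;page=bulkdomain">Bulk Domain Operations</a><br />
+<TMPL_IF mayimport><a href="dns.cgi?sid=<TMPL_VAR NAME=sid>&amp;page=axfr">AXFR Import</a><br /></TMPL_IF>
+<TMPL_IF maybulk><a href="dns.cgi?sid=<TMPL_VAR NAME=sid>&amp;page=bulkdomain">Bulk Domain Operations</a><br /></TMPL_IF>
 <hr />
 Current group: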
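--- a/trunk/templates/soadata.tmpl
+++ b/trunk/templates/soadata.tmpl
@@ -2,5 +2,6 @@
 <tr class="darkrowheader">
         <td align="left">SOA:</td>
-        <td align="right"><a href="dns.cgi?sid=<TMPL_VAR NAME=sid>&amp;page=editsoa&amp;id=<TMPL_VAR NAME=id>&amp;recid=<TMPL_VAR NAME=recid>&amp;defrec=<TMPL_VAR NAME=defrec>">edit</a></td>
+<TMPL_IF mayeditsoa>
+        <td align="right"><a href="dns.cgi?sid=<TMPL_VAR NAME=sid>&amp;page=editsoa&amp;id=<TMPL_VAR NAME=id>&amp;recid=<TMPL_VAR NAME=recid>&amp;defrec=<TMPL_VAR NAME=defrec>">edit</a></td></TMPL_IF>
 </tr>
 </table>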
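Review bot: Wrapping the whole `<td>` in `<TMPL_IF mayeditsoa>` (new lines 4-5) leaves the header row one cell short when the flag is false, which can misalign the table if its other rows have two cells; the rest of the table is outside this section. Keeping the cell and hiding only the link avoids that: `<td align="right"><TMPL_IF mayeditsoa><a href="…">edit</a></TMPL_IF></td>`, with the existing href unchanged.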