Changeset 111 for trunk/dns.cgi

Timestamp:

08/01/11 19:24:30 (13 years ago)

Author:

Kris Deugau

Message:

/trunk

Add ACL checks to prevent contructed-URL ACL bypasses on SOA records, group
add/edit/delete, axfr import; correct logic in bulk domain ACL check

File:

• trunk/dns.cgi (modified) (10 diffs)

trunk/dns.cgi

@@ -265 +265 @@
 } elsif ($webvar{page} eq 'reclist') {
 
+  $page->param(mayeditsoa => $permissions{admin} || $permissions{domain_edit});
 ##fixme:  ACL needs pondering.  Does "edit domain" interact with record add/remove/etc?
 # Note this seems to be answered "no" in Vega.
@@ -439 +440 @@
 
 } elsif ($webvar{page} eq 'delrec') {
+
+  # This is a complete separate segment since it uses a different template from add/edit records above
 
   changepage(page => "reclist", errmsg => "You are not permitted to delete records", id => $webvar{parentid})
@@ -488 +491 @@
 } elsif ($webvar{page} eq 'editsoa') {
 
+  changepage(page => "reclist", errmsg => "You are not permitted to edit domain SOA records", id => $webvar{id})
+        unless ($permissions{admin} || $permissions{domain_edit});
+
   fillsoa($webvar{defrec},$webvar{id});
 
 } elsif ($webvar{page} eq 'updatesoa') {
+
+  changepage(page => "reclist", errmsg => "You are not permitted to edit domain SOA records", id => $webvar{id})
+        unless ($permissions{admin} || $permissions{domain_edit});
 
   my $sth;
@@ -527 +536 @@
 
 } elsif ($webvar{page} eq 'newgrp') {
+
+  changepage(page => "grpman", errmsg => "You are not permitted to add groups", id => $webvar{parentid})
+        unless ($permissions{admin} || $permissions{group_add});
 
   # do.. uhh.. stuff.. if we have no webvar{action}
@@ -557 +569 @@
 } elsif ($webvar{page} eq 'delgrp') {
 
+  changepage(page => "grpman", errmsg => "You are not permitted to delete groups", id => $webvar{parentid})
+        unless ($permissions{admin} || $permissions{group_delete});
+
   $page->param(id => $webvar{id});
   # first pass = confirm y/n (sorta)
@@ -588 +603 @@
 } elsif ($webvar{page} eq 'edgroup') {
 
+  changepage(page => "grpman", errmsg => "You are not permitted to edit groups", id => $webvar{parentid})
+        unless ($permissions{admin} || $permissions{group_edit});
+
   if ($webvar{action} eq 'updperms') {
     # extra safety check;  make sure user can't construct a URL to bypass ACLs
@@ -617 +635 @@
 
   changepage(page => "domlist", errmsg => "You are not permitted to make bulk domain changes")
-        unless ($permissions{admin} || ($permissions{domain_edit} && $permissions{domain_create} && $permissions{domain_delete}));
+        unless ($permissions{admin} || $permissions{domain_edit} || $permissions{domain_create} || $permissions{domain_delete});
 
 ##fixme
@@ -669 +687 @@
 
 } elsif ($webvar{page} eq 'user') {
+
+  # All user add/edit actions fall through the same page, since there aren't
+  # really any hard differences between the templates
 
   #fill_actypelist($webvar{accttype});
@@ -990 +1011 @@
 } elsif ($webvar{page} eq 'axfr') {
 
+  changepage(page => "domlist", errmsg => "You are not permitted to import domains")
+        unless ($permissions{admin} || $permissions{domain_create});
+
   # don't need this while we've got the dropdown in the menu.  hmm.
   #fill_grouplist;
@@ -1109 +1133 @@
   $page->param(groupname => groupName($dbh,$curgroup));
   $page->param(logingrp => groupName($dbh,$logingroup));
+
+  $page->param(mayimport => $permissions{admin} || $permissions{domain_create});
+  $page->param(maybulk => $permissions{admin} || $permissions{domain_edit} || $permissions{domain_create} || $permissions{domain_delete});
 
   # group tree.  should go elsewhere, probably