Changeset 153
- Timestamp:
- 10/21/11 18:00:14 (13 years ago)
- File:
-
- 1 edited
Legend:
- Unmodified
- Added
- Removed
-
trunk/dns.cgi
r151 r153 154 154 initGlobals($dbh); 155 155 156 # security check - does the user have permission to view this entity? 157 # this is a prep step used "many" places 158 my @viewablegroups; 159 getChildren($dbh, $logingroup, \@viewablegroups, 'all'); 160 push @viewablegroups, $logingroup; 161 156 162 # handle login redirect 157 163 if ($webvar{action}) { … … 197 203 # ... and the "change group" bits... 198 204 $uri_self =~ s/\&group=[^&]*//g; 205 206 # security check - does the user have permission to view this entity? 207 if (!(grep /^$webvar{group}$/, @viewablegroups)) { 208 # hmm. Reset the current group to the login group? Yes. Prevents confusing behaviour elsewhere. 209 $session->param('curgroup',$logingroup); 210 ##fixme: need to either carry the errmsg forward, or init the template earlier 211 # $page->param(errmsg => "You are not permitted to view or make changes in the requested group"); 212 $curgroup = $logingroup; 213 } 199 214 200 215 $session->param('curgroup', $webvar{group}); … … 829 844 830 845 if (defined($webvar{userstatus})) { 831 userStatus($dbh,$webvar{id},$webvar{userstatus}); 846 # security check - does the user have permission to access this entity? 847 my $flag = 0; 848 foreach (@viewablegroups) { 849 $flag = 1 if isParent($dbh, $_, 'group', $webvar{id}, 'user'); 850 } 851 if ($flag) { 852 userStatus($dbh,$webvar{id},$webvar{userstatus}); 853 } else { 854 $page->param(errmsg => "You are not permitted to view or change the requested user"); 855 } 832 856 } 833 857 … … 1545 1569 1546 1570 sub listdomains { 1571 1572 # security check - does the user have permission to view this entity? 1573 my @viewablegroups; 1574 getChildren($dbh, $logingroup, \@viewablegroups, 'all'); 1575 push @viewablegroups, $logingroup; 1576 if (!(grep /^$curgroup$/, @viewablegroups)) { 1577 # hmm. Reset the current group to the login group? Yes. Prevents confusing behaviour elsewhere. 1578 $session->param('curgroup',$logingroup); 1579 $page->param(errmsg => "You are not permitted to view domains in the requested group"); 1580 $curgroup = $logingroup; 1581 } 1547 1582 1548 1583 # $startwith = $session->param($webvar{page}.'startwith'); … … 1634 1669 sub listgroups { 1635 1670 1671 # security check - does the user have permission to view this entity? 1672 my @viewablegroups; 1673 getChildren($dbh, $logingroup, \@viewablegroups, 'all'); 1674 push @viewablegroups, $logingroup; 1675 if (!(grep /^$curgroup$/, @viewablegroups)) { 1676 # hmm. Reset the current group to the login group? Yes. Prevents confusing behaviour elsewhere. 1677 $session->param('curgroup',$logingroup); 1678 $page->param(errmsg => "You are not permitted to view the requested group"); 1679 $curgroup = $logingroup; 1680 # changepage(page => grpman, errmsg => "You are not permitted to view the requested group"); 1681 # return; 1682 } 1683 # if ( grep { eq $curgroup }, @childlist ) { 1684 # errmsg => "You are not permitted to view this group" 1685 # return; 1686 # } 1687 1636 1688 my @childgroups; 1637 1689 getChildren($dbh, $curgroup, \@childgroups, 'all') if $searchsubs;
Note:
See TracChangeset
for help on using the changeset viewer.