Changeset 154


Ignore:
Timestamp:
10/24/11 17:51:33 (13 years ago)
Author:
Kris Deugau
Message:

/trunk

Move template init further up, so we can set error-message params earlier
Tweak group-scope check in global action segment now that we can
emit error messages to the template(s) here
Delete some long-stale comments around template init
Add scope check to domain status change
Add scope check to record list
Remove local group-scope check in listdomains() in favour of global check
Remove some duplicated boilerplate for scope checks in listgroups()

File:
1 edited

Legend:

Unmodified
Added
Removed
  • trunk/dns.cgi

    r153 r154  
    160160push @viewablegroups, $logingroup;
    161161
     162my $page = HTML::Template->new(filename => "$templatedir/$webvar{page}.tmpl");
     163
    162164# handle login redirect
    163165if ($webvar{action}) {
     
    204206    $uri_self =~ s/\&group=[^&]*//g;
    205207
    206 # security check - does the user have permission to view this entity?
    207   if (!(grep /^$webvar{group}$/, @viewablegroups)) {
    208     # hmm.  Reset the current group to the login group?  Yes.  Prevents confusing behaviour elsewhere.
    209     $session->param('curgroup',$logingroup);
    210 ##fixme:  need to either carry the errmsg forward, or init the template earlier
    211 #    $page->param(errmsg => "You are not permitted to view or make changes in the requested group");
    212     $curgroup = $logingroup;
    213   }
     208    # security check - does the user have permission to view this entity?
     209    if (!(grep /^$webvar{group}$/, @viewablegroups)) {
     210      # hmm.  Reset the current group to the login group?  Yes.  Prevents confusing behaviour elsewhere.
     211      $session->param('curgroup',$logingroup);
     212      $webvar{group} = $logingroup;
     213      $curgroup = $logingroup;
     214      $page->param(errmsg => "You are not permitted to view or make changes in the requested group");
     215    }
    214216
    215217    $session->param('curgroup', $webvar{group});
     
    219221
    220222initPermissions($dbh,$session->param('uid'));
    221 
    222 ## Default page is a login page
    223 #my $page;      # to be initialized as an HTML::Template entity sooner or later
    224 
    225 
    226 #if (!$webvar{page}) {
    227 #  $page = HTML::Template->new(filename => "$templatedir/login.tmpl");
    228 #} else {
    229 #}
    230 
    231 my $page = HTML::Template->new(filename => "$templatedir/$webvar{page}.tmpl");
    232223
    233224$page->param(sid => $sid);
     
    244235# this currently only handles "domain on", "domain off"
    245236  if (defined($webvar{domstatus})) {
    246     my $stat = domStatus($dbh,$webvar{id},$webvar{domstatus});
    247     logaction($webvar{id}, $session->param("username"), parentID($webvar{id}, 'dom', 'group'),
     237    # security check - does the user have permission to access this entity?
     238    my $flag = 0;
     239    foreach (@viewablegroups) {
     240      $flag = 1 if isParent($dbh, $_, 'group', $webvar{id}, 'domain');
     241    }
     242    if ($flag && ($permissions{admin} || $permissions{edit_domain})) {
     243      my $stat = domStatus($dbh,$webvar{id},$webvar{domstatus});
     244      logaction($webvar{id}, $session->param("username"), parentID($webvar{id}, 'dom', 'group'),
    248245        "Changed ".domainName($dbh, $webvar{id})." state to ".($stat ? 'active' : 'inactive'));
     246    } else {
     247      $page->param(errmsg => "You are not permitted to view or change the requested domain");
     248    }
    249249  }
    250250
     
    322322} elsif ($webvar{page} eq 'reclist') {
    323323
     324# security check - does the user have permission to view this entity?
     325  my $flag = 0;
     326  foreach (@viewablegroups) {
     327    $flag = 1 if isParent($dbh, $_, 'group', $webvar{id}, ($webvar{defrec} eq 'y' ? 'group' : 'domain'));
     328  }
     329  if (!$flag) {
     330    $page->param(errmsg => "You are not permitted to view or change the requested ".
     331        ($webvar{defrec} eq 'y' ? "group's default records" : "domain's records"));
     332    $page->param(perm_err => 1);
     333  }
     334 
    324335# hmm.  where do we send them?
    325336  if ($webvar{defrec} eq 'y' && !$permissions{admin}) {
    326337    $page->param(errmsg => "You are not permitted to edit default records");
    327338    $page->param(perm_err => 1);
    328   } else {
     339  } elsif ($flag) {     # $flag carries the scope check results
    329340
    330341    $page->param(mayeditsoa => $permissions{admin} || $permissions{domain_edit});
     
    15691580
    15701581sub listdomains {
    1571 
    1572 # security check - does the user have permission to view this entity?
    1573   my @viewablegroups;
    1574   getChildren($dbh, $logingroup, \@viewablegroups, 'all');
    1575   push @viewablegroups, $logingroup;
    1576   if (!(grep /^$curgroup$/, @viewablegroups)) {
    1577     # hmm.  Reset the current group to the login group?  Yes.  Prevents confusing behaviour elsewhere.
    1578     $session->param('curgroup',$logingroup);
    1579     $page->param(errmsg => "You are not permitted to view domains in the requested group");
    1580     $curgroup = $logingroup;
    1581   }
    15821582
    15831583#  $startwith = $session->param($webvar{page}.'startwith');
     
    16701670
    16711671# security check - does the user have permission to view this entity?
    1672   my @viewablegroups;
    1673   getChildren($dbh, $logingroup, \@viewablegroups, 'all');
    1674   push @viewablegroups, $logingroup;
    16751672  if (!(grep /^$curgroup$/, @viewablegroups)) {
    16761673    # hmm.  Reset the current group to the login group?  Yes.  Prevents confusing behaviour elsewhere.
Note: See TracChangeset for help on using the changeset viewer.