Changeset 154 for trunk/dns.cgi
- Timestamp:
- 10/24/11 17:51:33 (13 years ago)
- File:
-
- 1 edited
Legend:
- Unmodified
- Added
- Removed
-
trunk/dns.cgi
r153 r154 160 160 push @viewablegroups, $logingroup; 161 161 162 my $page = HTML::Template->new(filename => "$templatedir/$webvar{page}.tmpl"); 163 162 164 # handle login redirect 163 165 if ($webvar{action}) { … … 204 206 $uri_self =~ s/\&group=[^&]*//g; 205 207 206 # security check - does the user have permission to view this entity?207 if (!(grep /^$webvar{group}$/, @viewablegroups)) {208 # hmm. Reset the current group to the login group? Yes. Prevents confusing behaviour elsewhere.209 $session->param('curgroup',$logingroup);210 ##fixme: need to either carry the errmsg forward, or init the template earlier 211 # $page->param(errmsg => "You are not permitted to view or make changes in the requested group");212 $curgroup = $logingroup;213 }208 # security check - does the user have permission to view this entity? 209 if (!(grep /^$webvar{group}$/, @viewablegroups)) { 210 # hmm. Reset the current group to the login group? Yes. Prevents confusing behaviour elsewhere. 211 $session->param('curgroup',$logingroup); 212 $webvar{group} = $logingroup; 213 $curgroup = $logingroup; 214 $page->param(errmsg => "You are not permitted to view or make changes in the requested group"); 215 } 214 216 215 217 $session->param('curgroup', $webvar{group}); … … 219 221 220 222 initPermissions($dbh,$session->param('uid')); 221 222 ## Default page is a login page223 #my $page; # to be initialized as an HTML::Template entity sooner or later224 225 226 #if (!$webvar{page}) {227 # $page = HTML::Template->new(filename => "$templatedir/login.tmpl");228 #} else {229 #}230 231 my $page = HTML::Template->new(filename => "$templatedir/$webvar{page}.tmpl");232 223 233 224 $page->param(sid => $sid); … … 244 235 # this currently only handles "domain on", "domain off" 245 236 if (defined($webvar{domstatus})) { 246 my $stat = domStatus($dbh,$webvar{id},$webvar{domstatus}); 247 logaction($webvar{id}, $session->param("username"), parentID($webvar{id}, 'dom', 'group'), 237 # security check - does the user have permission to access this entity? 238 my $flag = 0; 239 foreach (@viewablegroups) { 240 $flag = 1 if isParent($dbh, $_, 'group', $webvar{id}, 'domain'); 241 } 242 if ($flag && ($permissions{admin} || $permissions{edit_domain})) { 243 my $stat = domStatus($dbh,$webvar{id},$webvar{domstatus}); 244 logaction($webvar{id}, $session->param("username"), parentID($webvar{id}, 'dom', 'group'), 248 245 "Changed ".domainName($dbh, $webvar{id})." state to ".($stat ? 'active' : 'inactive')); 246 } else { 247 $page->param(errmsg => "You are not permitted to view or change the requested domain"); 248 } 249 249 } 250 250 … … 322 322 } elsif ($webvar{page} eq 'reclist') { 323 323 324 # security check - does the user have permission to view this entity? 325 my $flag = 0; 326 foreach (@viewablegroups) { 327 $flag = 1 if isParent($dbh, $_, 'group', $webvar{id}, ($webvar{defrec} eq 'y' ? 'group' : 'domain')); 328 } 329 if (!$flag) { 330 $page->param(errmsg => "You are not permitted to view or change the requested ". 331 ($webvar{defrec} eq 'y' ? "group's default records" : "domain's records")); 332 $page->param(perm_err => 1); 333 } 334 324 335 # hmm. where do we send them? 325 336 if ($webvar{defrec} eq 'y' && !$permissions{admin}) { 326 337 $page->param(errmsg => "You are not permitted to edit default records"); 327 338 $page->param(perm_err => 1); 328 } els e {339 } elsif ($flag) { # $flag carries the scope check results 329 340 330 341 $page->param(mayeditsoa => $permissions{admin} || $permissions{domain_edit}); … … 1569 1580 1570 1581 sub listdomains { 1571 1572 # security check - does the user have permission to view this entity?1573 my @viewablegroups;1574 getChildren($dbh, $logingroup, \@viewablegroups, 'all');1575 push @viewablegroups, $logingroup;1576 if (!(grep /^$curgroup$/, @viewablegroups)) {1577 # hmm. Reset the current group to the login group? Yes. Prevents confusing behaviour elsewhere.1578 $session->param('curgroup',$logingroup);1579 $page->param(errmsg => "You are not permitted to view domains in the requested group");1580 $curgroup = $logingroup;1581 }1582 1582 1583 1583 # $startwith = $session->param($webvar{page}.'startwith'); … … 1670 1670 1671 1671 # security check - does the user have permission to view this entity? 1672 my @viewablegroups;1673 getChildren($dbh, $logingroup, \@viewablegroups, 'all');1674 push @viewablegroups, $logingroup;1675 1672 if (!(grep /^$curgroup$/, @viewablegroups)) { 1676 1673 # hmm. Reset the current group to the login group? Yes. Prevents confusing behaviour elsewhere.
Note:
See TracChangeset
for help on using the changeset viewer.