Changeset 155
Legend:
- Unmodified
- Added
- Removed
-
trunk/DNSDB.pm
r152 r155 1488 1488 return 1 if $type1 eq 'group' && $id1 == 1; 1489 1489 1490 # groups are always (a) parent of themselves 1491 return 1 if $type1 eq 'group' && $type2 eq 'group' && $id1 == $id2; 1492 1490 1493 # almost the same loop as getParents() above 1491 1494 my $id = $id2; 1492 1495 my $type = $type2; 1493 1496 my $foundparent = 0; 1494 my $tmp = 0; 1497 1495 1498 while (1) { 1496 my $sql = "SELECT $par_col{$type} FROM $par_tbl{$type} WHERE $id_col{$type} = ?";1499 my $sql = "SELECT $par_col{$type} FROM $par_tbl{$type} WHERE $id_col{$type} = ?"; 1497 1500 my $result = $dbh->selectrow_hashref($sql, 1498 1501 undef, ($id) ) or warn $dbh->errstr." $sql"; … … 1505 1508 $id = $result->{$par_col{$type}}; 1506 1509 $type = $par_type{$type}; 1507 last if $tmp++ > 10;1508 1510 } 1509 1511 -
trunk/dns.cgi
r154 r155 207 207 208 208 # security check - does the user have permission to view this entity? 209 my $errmsg; 209 210 if (!(grep /^$webvar{group}$/, @viewablegroups)) { 210 211 # hmm. Reset the current group to the login group? Yes. Prevents confusing behaviour elsewhere. … … 212 213 $webvar{group} = $logingroup; 213 214 $curgroup = $logingroup; 214 $page->param(errmsg => "You are not permitted to view or make changes in the requested group"); 215 $errmsg = "You are not permitted to view or make changes in the requested group"; 216 $page->param(errmsg => $errmsg); 215 217 } 216 218 217 219 $session->param('curgroup', $webvar{group}); 218 220 $curgroup = ($webvar{group} ? $webvar{group} : $session->param('curgroup')); 221 222 # I hate special cases. 223 if ($webvar{page} eq 'reclist' && $webvar{defrec} eq 'y') { 224 my %args = (page => $webvar{page}, id => $curgroup, defrec => $webvar{defrec}); 225 $args{errmsg} = $errmsg if $errmsg; 226 changepage(%args); 227 } 228 219 229 } 220 230 } # handle global webvar{action}s … … 390 400 391 401 } elsif ($webvar{page} eq 'record') { 402 403 # security check - does the user have permission to access this entity? 404 if (!check_scope($webvar{id}, ($webvar{defrec} eq 'y' ? 'defrec' : 'record'))) { 405 $page->param(perm_err => "You are not permitted to add or edit the requested record"); 406 goto DONEREC; 407 } 408 # round 2, check the parent. 409 if (!check_scope($webvar{parentid}, ($webvar{defrec} eq 'y' ? 'group' : 'domain'))) { 410 my $msg = ($webvar{defrec} eq 'y' ? 411 "You are not permitted to add or edit default records in the requested group" : 412 "You are not permitted to add or edit records in the requested domain"); 413 $page->param(perm_err => $msg); 414 goto DONEREC; 415 } 416 392 417 393 418 if ($webvar{recact} eq 'new') { … … 519 544 $page->param(dohere => domainName($dbh,$webvar{parentid})); 520 545 } 546 547 # Yes, this is a GOTO target. PTBHTTT. 548 DONEREC: ; 521 549 522 550 } elsif ($webvar{page} eq 'delrec') { … … 750 778 fill_pgcount($count,'domains',groupName($dbh,$curgroup)); 751 779 fill_fpnla($count); 752 $page->param(offset => $offset); # since apparently this isn't set explicitly elsewhere. Who knew?753 780 $page->param(perpage => $perpage); 754 781 … … 777 804 } elsif ($webvar{page} eq 'bulkchange') { 778 805 806 # security check - does the user have permission to access this entity? 807 if (!check_scope($webvar{destgroup}, 'group')) { 808 $page->param(errmsg => "You are not permitted to make bulk changes in the requested group"); 809 goto DONEBULK; 810 } 811 779 812 if ($webvar{action} eq 'move') { 780 813 changepage(page => "domlist", errmsg => "You are not permitted to bulk-move domains") … … 789 822 my %row; 790 823 next unless $_ =~ /^dom_\d+$/; 824 # second security check - does the user have permission to meddle with this domain? 825 if (!check_scope($webvar{$_}, 'domain')) { 826 $row{domerr} = "You are not permitted to make changes to the requested domain"; 827 $row{domain} = $webvar{$_}; 828 push @bulkresults, \%row; 829 next; 830 } 791 831 $row{domain} = domainName($dbh,$webvar{$_}); 792 832 my ($code, $msg) = changeGroup($dbh, 'domain', $webvar{$_}, $webvar{destgroup}); … … 812 852 my %row; 813 853 next unless $_ =~ /^dom_\d+$/; 854 # second security check - does the user have permission to meddle with this domain? 855 if (!check_scope($webvar{$_}, 'domain')) { 856 $row{domerr} = "You are not permitted to make changes to the requested domain"; 857 $row{domain} = $webvar{$_}; 858 push @bulkresults, \%row; 859 next; 860 } 814 861 $row{domain} = domainName($dbh,$webvar{$_}); 815 862 ##fixme: error handling on status change … … 832 879 my %row; 833 880 next unless $_ =~ /^dom_\d+$/; 881 # second security check - does the user have permission to meddle with this domain? 882 if (!check_scope($webvar{$_}, 'domain')) { 883 $row{domerr} = "You are not permitted to make changes to the requested domain"; 884 $row{domain} = $webvar{$_}; 885 push @bulkresults, \%row; 886 next; 887 } 834 888 $row{domain} = domainName($dbh,$webvar{$_}); 835 889 my $pargroup = parentID($webvar{$_}, 'dom', 'group'); … … 851 905 # not going to handle the unknown $webvar{action} else; it should not be possible in normal 852 906 # operations, and anyone who meddles with the URL gets what they deserve. 907 908 # Yes, this is a GOTO target. PTHBTTT. 909 DONEBULK: ; 853 910 854 911 } elsif ($webvar{page} eq 'useradmin') { … … 1172 1229 $webvar{doit} = '' if !defined($webvar{doit}); 1173 1230 1231 # security check - does the user have permission to access this entity? 1232 if (!check_scope($webvar{group}, 'group')) { 1233 $page->param(errmsg => "You are not permitted to import domains into the requested group"); 1234 goto DONEAXFR; 1235 } 1236 1174 1237 if ($webvar{doit} eq 'y' && !$webvar{ifrom}) { 1175 1238 $page->param(errmsg => "Need to set host to import from"); … … 1200 1263 $page->param(axfrresults => \@results); 1201 1264 } 1265 1266 # Yes, this is a GOTO target. PTBHTTT. 1267 DONEAXFR: ; 1202 1268 1203 1269 } elsif ($webvar{page} eq 'whoisq') { … … 1972 2038 } 1973 2039 } 2040 2041 # so simple when defined as a sub instead of inline. O_o 2042 sub check_scope { 2043 my $entity = shift; 2044 my $entype = shift; 2045 2046 if ($entype eq 'group') { 2047 return 1 if grep /^$entity$/, @viewablegroups; 2048 } else { 2049 foreach (@viewablegroups) { 2050 return 1 if isParent($dbh, $_, 'group', $entity, $entype); 2051 } 2052 } 2053 } -
trunk/templates/record.tmpl
r100 r155 4 4 5 5 <td align="center" valign="top"> 6 7 <TMPL_IF perm_err> 8 <div class='errmsg'><TMPL_VAR NAME=perm_err></div> 9 <TMPL_ELSE> 6 10 7 11 <form action="dns.cgi" method="post"> … … 62 66 63 67 </fieldset> 64 </form> 68 </form> 69 70 </TMPL_IF> 65 71 66 72 </td>
Note:
See TracChangeset
for help on using the changeset viewer.