Changeset 162


Ignore:
Timestamp:
11/03/11 18:06:41 (13 years ago)
Author:
Kris Deugau
Message:

/trunk

Add scope checks - domain add/delete
Tweak scope check on record list
Add scope checks on editsoa/updatesoa pages
Clean up SQL with bind parameters for SOA update
Properly log SOA changes
Move AXFR scope check where it will actually have something to trigger on
Drop a handful of stale ##work/##fixme comments
Tweak SOA data template - remove recid from edit link. It's only

used on the actual update, and should be used as a data-validation
check Any Day Real Soon Now(TM)

Location:
trunk
Files:
2 edited

Legend:

Unmodified
Added
Removed
  • trunk/dns.cgi

    r160 r162  
    299299        unless ($permissions{admin} || $permissions{domain_create});
    300300
    301 ##fixme:  scope check on $webvar{group}
     301  # security check - does the user have permission to access this entity?
     302  if (!check_scope($webvar{group}, 'group')) {
     303    changepage(page => "newdomain", add_failed => 1, domain => $webvar{domain},
     304        errmsg => "You do not have permission to add a domain to the requested group");
     305  }
     306
    302307  my ($code,$msg) = addDomain($dbh,$webvar{domain},$webvar{group},($webvar{makeactive} eq 'on' ? 1 : 0));
    303308
     
    315320        unless ($permissions{admin} || $permissions{domain_delete});
    316321
    317 ##fixme: scope check on $webvar{id}
     322  # security check - does the user have permission to access this entity?
     323  if (!check_scope($webvar{id}, 'domain')) {
     324    changepage(page => "domlist", errmsg => "You do not have permission to delete the requested domain");
     325  }
     326
    318327  $page->param(id => $webvar{id});
    319328
     
    325334
    326335  } elsif ($webvar{del} eq 'ok') {
    327 
    328336    my $pargroup = parentID($webvar{id}, 'dom', 'group');
    329337    my $dom = domainName($dbh, $webvar{id});
     
    344352} elsif ($webvar{page} eq 'reclist') {
    345353
    346 # security check - does the user have permission to view this entity?
    347   my $flag = 0;
    348   foreach (@viewablegroups) {
    349     $flag = 1 if isParent($dbh, $_, 'group', $webvar{id}, ($webvar{defrec} eq 'y' ? 'group' : 'domain'));
    350   }
    351   if (!$flag) {
     354  # security check - does the user have permission to view this entity?
     355  if (!check_scope($webvar{id}, ($webvar{defrec} eq 'y' ? 'group' : 'domain'))) {
    352356    $page->param(errmsg => "You are not permitted to view or change the requested ".
    353357        ($webvar{defrec} eq 'y' ? "group's default records" : "domain's records"));
    354358    $page->param(perm_err => 1);        # this causes the template to skip the record listing output.
    355 ##fixme:  we could skip down to the end of the $webvar{page} eq 'reclist' block...
    356   }
    357  
     359    goto DONERECLIST;   # and now we skip filling in the content which is not printed due to perm_err above
     360  }
     361
    358362# hmm.  where do we send them?
    359363  if ($webvar{defrec} eq 'y' && !$permissions{admin}) {
    360364    $page->param(errmsg => "You are not permitted to edit default records");
    361365    $page->param(perm_err => 1);
    362   } elsif ($flag) {     # $flag carries the scope check results
     366  } else {
    363367
    364368    $page->param(mayeditsoa => $permissions{admin} || $permissions{domain_edit});
     
    412416
    413417  } # close "you can't edit default records" check
     418
     419  # Yes, this is a GOTO target.  PTBHTTT.
     420  DONERECLIST: ;
    414421
    415422} elsif ($webvar{page} eq 'record') {
     
    621628} elsif ($webvar{page} eq 'editsoa') {
    622629
     630  # security check - does the user have permission to view this entity?
     631  if (!check_scope($webvar{id}, ($webvar{defrec} eq 'y' ? 'group' : 'domain'))) {
     632    changepage(page => 'domlist', errmsg => "You do not have permission to edit the ".
     633        ($webvar{defrec} eq 'y' ? 'default ' : '')."SOA record for the requested ".
     634        ($webvar{defrec} eq 'y' ? 'group' : 'domain'));
     635  }
     636
     637  if ($webvar{defrec} eq 'y') {
     638    changepage(page => "domlist", errmsg => "You are not permitted to edit default records")
     639        unless $permissions{admin};
     640  } else {
     641    changepage(page => "reclist", errmsg => "You are not permitted to edit domain SOA records", id => $webvar{id})
     642        unless ($permissions{admin} || $permissions{domain_edit});
     643  }
     644
     645  fillsoa($webvar{defrec},$webvar{id});
     646
     647} elsif ($webvar{page} eq 'updatesoa') {
     648
     649  # security check - does the user have permission to view this entity?
     650  # pass 1, record ID
     651  if (!check_scope($webvar{recid}, ($webvar{defrec} eq 'y' ? 'defrec' : 'record'))) {
     652    changepage(page => 'domlist', errmsg => "You do not have permission to edit the requested SOA record");
     653  }
     654  # pass 2, parent (group or domain) ID
     655  if (!check_scope($webvar{id}, ($webvar{defrec} eq 'y' ? 'group' : 'domain'))) {
     656    changepage(page => 'domlist', errmsg => "You do not have permission to edit the ".
     657        ($webvar{defrec} eq 'y' ? 'default ' : '')."SOA record for the requested ".
     658        ($webvar{defrec} eq 'y' ? 'group' : 'domain'));
     659  }
     660
    623661  changepage(page => "reclist", errmsg => "You are not permitted to edit domain SOA records", id => $webvar{id})
    624662        unless ($permissions{admin} || $permissions{domain_edit});
    625663
    626   fillsoa($webvar{defrec},$webvar{id});
    627 
    628 } elsif ($webvar{page} eq 'updatesoa') {
    629 
    630   changepage(page => "reclist", errmsg => "You are not permitted to edit domain SOA records", id => $webvar{id})
    631         unless ($permissions{admin} || $permissions{domain_edit});
     664  # get old SOA for log
     665  my %soa = getSOA($dbh,$webvar{defrec},$webvar{id});
    632666
    633667  my $sth;
    634   my $sql = '';
     668##fixme:  push SQL into DNSDB.pm
     669##fixme: data validation: make sure {recid} is really the SOA for {id}
    635670  # no domain ID, so we're editing the default SOA for a group (we don't care which one here)
    636671  # plus a bit of magic to update the appropriate table
    637   $sql = "update ".($webvar{defrec} eq 'y' ? "default_records" : "records").
    638         " set host='$webvar{prins}:$webvar{contact}',".
    639         " val='$webvar{refresh}:$webvar{retry}:$webvar{expire}:$webvar{minttl}',".
    640         " ttl=$webvar{ttl} where record_id=$webvar{recid}";
     672  my $sql = "UPDATE ".($webvar{defrec} eq 'y' ? "default_records" : "records").
     673        " SET host=?, val=?, ttl=? WHERE record_id=?";
    641674  $sth = $dbh->prepare($sql);
    642   $sth->execute;
     675  $sth->execute("$webvar{prins}:$webvar{contact}",
     676        "$webvar{refresh}:$webvar{retry}:$webvar{expire}:$webvar{minttl}",
     677        $webvar{ttl},
     678        $webvar{recid});
    643679
    644680  if ($sth->err) {
     
    648684  } else {
    649685
    650 ##fixme!  need to set group ID properly here
    651 # SELECT group_id FROM domains WHERE domain_id=?
    652 # $sth->execute($webvar{id});
    653 ##log
    654     logaction(0, $session->param("username"), $webvar{group},
    655         "Updated SOA (ns $webvar{prins}, contact $webvar{contact}, refresh $webvar{refresh},".
    656         " retry $webvar{retry}, expire $webvar{expire}, minTTL $webvar{minttl}, TTL $webvar{ttl}");
    657     changepage(page => "reclist", id => $webvar{id}, defrec => $webvar{defrec});
    658 #    $page->param(update_failed => 0);
    659 #    showdomain('y',1);
     686    # do this in the order of "default to most common case"
     687    my $loggroup;
     688    my $logdomain = $webvar{id};
     689    if ($webvar{defrec} eq 'y') {
     690      $loggroup = $webvar{id};
     691      $logdomain = 0;
     692    } else {
     693      $loggroup = parentID($logdomain, 'dom', 'group', $webvar{defrec});
     694    }
     695
     696    logaction($logdomain, $session->param("username"), $loggroup,
     697        "Updated ".($webvar{defrec} eq 'y' ? 'default ' : '')."SOA for ".
     698        ($webvar{defrec} eq 'y' ? groupName($dbh, $webvar{id}) : domainName($dbh, $webvar{id}) ).
     699        ": (ns $soa{prins}, contact $soa{contact}, refresh $soa{refresh},".
     700        " retry $soa{retry}, expire $soa{expire}, minTTL $soa{minttl}, TTL $soa{ttl}) to ".
     701        "(ns $webvar{prins}, contact $webvar{contact}, refresh $webvar{refresh},".
     702        " retry $webvar{retry}, expire $webvar{expire}, minTTL $webvar{minttl}, TTL $webvar{ttl})");
     703    changepage(page => "reclist", id => $webvar{id}, defrec => $webvar{defrec},
     704        resultmsg => "SOA record updated");
    660705  }
    661706
     
    11181163      $page->param(perm_custom => 1);
    11191164    }
    1120 ##work
    1121 #  } elsif ($webvar{action} eq 'update') {
    11221165  } else {
    11231166    changepage(page => "useradmin", errmsg => "You are not allowed to add new users")
     
    12471290  $webvar{doit} = '' if !defined($webvar{doit});
    12481291
    1249   # security check - does the user have permission to access this entity?
    1250   if (!check_scope($webvar{group}, 'group')) {
    1251     $page->param(errmsg => "You are not permitted to import domains into the requested group");
    1252     goto DONEAXFR;
    1253   }
    1254 
    12551292  if ($webvar{doit} eq 'y' && !$webvar{ifrom}) {
    12561293    $page->param(errmsg => "Need to set host to import from");
     
    12581295    $page->param(errmsg => "Need domains to import");
    12591296  } elsif ($webvar{doit} eq 'y') {
     1297
     1298    # security check - does the user have permission to access this entity?
     1299    if (!check_scope($webvar{group}, 'group')) {
     1300      $page->param(errmsg => "You are not permitted to import domains into the requested group");
     1301      goto DONEAXFR;
     1302    }
     1303
    12601304    my @domlist = split /\s+/, $webvar{importdoms};
    12611305    my @results;
     
    15021546  my %soa = getSOA($dbh,$def,$id);
    15031547
    1504   $page->param(recid    => $soa{recid});
    15051548  $page->param(contact  => $soa{contact});
    15061549  $page->param(prins    => $soa{prins});
     
    18711914
    18721915# fill page count and first-previous-next-last-all bits
    1873 ##fixme - hardcoded group bit
    18741916  fill_pgcount($count,"users",'');
    18751917  fill_fpnla($count);
     
    20402082# so simple when defined as a sub instead of inline.  O_o
    20412083sub check_scope {
    2042   my $entity = shift;
    2043   my $entype = shift;
     2084  my $entity = shift || '';
     2085  my $entype = shift || '';
    20442086
    20452087  if ($entype eq 'group') {
  • trunk/templates/soadata.tmpl

    r111 r162  
    33        <td align="left">SOA:</td>
    44<TMPL_IF mayeditsoa>
    5         <td align="right"><a href="dns.cgi?sid=<TMPL_VAR NAME=sid>&amp;page=editsoa&amp;id=<TMPL_VAR NAME=id>&amp;recid=<TMPL_VAR NAME=recid>&amp;defrec=<TMPL_VAR NAME=defrec>">edit</a></td></TMPL_IF>
     5        <td align="right"><a href="dns.cgi?sid=<TMPL_VAR NAME=sid>&amp;page=editsoa&amp;id=<TMPL_VAR NAME=id>&amp;defrec=<TMPL_VAR NAME=defrec>">edit</a></td></TMPL_IF>
    66</tr>
    77</table>
Note: See TracChangeset for help on using the changeset viewer.