Index: /trunk/dns.cgi
===================================================================
--- /trunk/dns.cgi	(revision 161)
+++ /trunk/dns.cgi	(revision 162)
@@ -299,5 +299,10 @@
 	unless ($permissions{admin} || $permissions{domain_create});
 
-##fixme:  scope check on $webvar{group}
+  # security check - does the user have permission to access this entity?
+  if (!check_scope($webvar{group}, 'group')) {
+    changepage(page => "newdomain", add_failed => 1, domain => $webvar{domain},
+	errmsg => "You do not have permission to add a domain to the requested group");
+  }
+
   my ($code,$msg) = addDomain($dbh,$webvar{domain},$webvar{group},($webvar{makeactive} eq 'on' ? 1 : 0));
 
@@ -315,5 +320,9 @@
 	unless ($permissions{admin} || $permissions{domain_delete});
 
-##fixme: scope check on $webvar{id}
+  # security check - does the user have permission to access this entity?
+  if (!check_scope($webvar{id}, 'domain')) {
+    changepage(page => "domlist", errmsg => "You do not have permission to delete the requested domain");
+  }
+
   $page->param(id => $webvar{id});
 
@@ -325,5 +334,4 @@
 
   } elsif ($webvar{del} eq 'ok') {
-
     my $pargroup = parentID($webvar{id}, 'dom', 'group');
     my $dom = domainName($dbh, $webvar{id});
@@ -344,21 +352,17 @@
 } elsif ($webvar{page} eq 'reclist') {
 
-# security check - does the user have permission to view this entity?
-  my $flag = 0;
-  foreach (@viewablegroups) {
-    $flag = 1 if isParent($dbh, $_, 'group', $webvar{id}, ($webvar{defrec} eq 'y' ? 'group' : 'domain'));
-  }
-  if (!$flag) {
+  # security check - does the user have permission to view this entity?
+  if (!check_scope($webvar{id}, ($webvar{defrec} eq 'y' ? 'group' : 'domain'))) {
     $page->param(errmsg => "You are not permitted to view or change the requested ".
 	($webvar{defrec} eq 'y' ? "group's default records" : "domain's records"));
     $page->param(perm_err => 1);	# this causes the template to skip the record listing output.
-##fixme:  we could skip down to the end of the $webvar{page} eq 'reclist' block...
-  }
-  
+    goto DONERECLIST;	# and now we skip filling in the content which is not printed due to perm_err above
+  }
+
 # hmm.  where do we send them?
   if ($webvar{defrec} eq 'y' && !$permissions{admin}) {
     $page->param(errmsg => "You are not permitted to edit default records");
     $page->param(perm_err => 1);
-  } elsif ($flag) {	# $flag carries the scope check results
+  } else {
 
     $page->param(mayeditsoa => $permissions{admin} || $permissions{domain_edit});
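Review bot: The `goto DONERECLIST` is avoidable, because the scope failure sits directly above an if/else chain that already handles a permission error by setting `perm_err`. Replacing the `goto` line, the closing `}` and the following `if (...)` with `} elsif ($webvar{defrec} eq 'y' && !$permissions{admin}) {` gives the same control flow as one chain. That also removes the need for the `DONERECLIST: ;` label added in the next hunk, which sits immediately after the chain's closing brace. The `else` block opened here continues past the end of this hunk.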
@@ -412,4 +416,7 @@
 
   } # close "you can't edit default records" check
+
+  # Yes, this is a GOTO target.  PTBHTTT.
+  DONERECLIST: ;
 
 } elsif ($webvar{page} eq 'record') {
@@ -621,24 +628,53 @@
 } elsif ($webvar{page} eq 'editsoa') {
 
+  # security check - does the user have permission to view this entity?
+  if (!check_scope($webvar{id}, ($webvar{defrec} eq 'y' ? 'group' : 'domain'))) {
+    changepage(page => 'domlist', errmsg => "You do not have permission to edit the ".
+	($webvar{defrec} eq 'y' ? 'default ' : '')."SOA record for the requested ".
+	($webvar{defrec} eq 'y' ? 'group' : 'domain'));
+  }
+
+  if ($webvar{defrec} eq 'y') {
+    changepage(page => "domlist", errmsg => "You are not permitted to edit default records")
+	unless $permissions{admin};
+  } else {
+    changepage(page => "reclist", errmsg => "You are not permitted to edit domain SOA records", id => $webvar{id})
+	unless ($permissions{admin} || $permissions{domain_edit});
+  }
+
+  fillsoa($webvar{defrec},$webvar{id});
+
+} elsif ($webvar{page} eq 'updatesoa') {
+
+  # security check - does the user have permission to view this entity?
+  # pass 1, record ID
+  if (!check_scope($webvar{recid}, ($webvar{defrec} eq 'y' ? 'defrec' : 'record'))) {
+    changepage(page => 'domlist', errmsg => "You do not have permission to edit the requested SOA record");
+  }
+  # pass 2, parent (group or domain) ID
+  if (!check_scope($webvar{id}, ($webvar{defrec} eq 'y' ? 'group' : 'domain'))) {
+    changepage(page => 'domlist', errmsg => "You do not have permission to edit the ".
+	($webvar{defrec} eq 'y' ? 'default ' : '')."SOA record for the requested ".
+	($webvar{defrec} eq 'y' ? 'group' : 'domain'));
+  }
+
   changepage(page => "reclist", errmsg => "You are not permitted to edit domain SOA records", id => $webvar{id})
 	unless ($permissions{admin} || $permissions{domain_edit});
 
-  fillsoa($webvar{defrec},$webvar{id});
-
-} elsif ($webvar{page} eq 'updatesoa') {
-
-  changepage(page => "reclist", errmsg => "You are not permitted to edit domain SOA records", id => $webvar{id})
-	unless ($permissions{admin} || $permissions{domain_edit});
+  # get old SOA for log
+  my %soa = getSOA($dbh,$webvar{defrec},$webvar{id});
 
   my $sth;
-  my $sql = '';
+##fixme:  push SQL into DNSDB.pm
+##fixme: data validation: make sure {recid} is really the SOA for {id}
   # no domain ID, so we're editing the default SOA for a group (we don't care which one here)
   # plus a bit of magic to update the appropriate table
-  $sql = "update ".($webvar{defrec} eq 'y' ? "default_records" : "records").
-	" set host='$webvar{prins}:$webvar{contact}',".
-	" val='$webvar{refresh}:$webvar{retry}:$webvar{expire}:$webvar{minttl}',".
-	" ttl=$webvar{ttl} where record_id=$webvar{recid}";
+  my $sql = "UPDATE ".($webvar{defrec} eq 'y' ? "default_records" : "records").
+	" SET host=?, val=?, ttl=? WHERE record_id=?";
   $sth = $dbh->prepare($sql);
-  $sth->execute;
+  $sth->execute("$webvar{prins}:$webvar{contact}", 
+	"$webvar{refresh}:$webvar{retry}:$webvar{expire}:$webvar{minttl}",
+	$webvar{ttl},
+	$webvar{recid});
 
   if ($sth->err) {
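Review bot: The `updatesoa` branch still gates only on `$permissions{admin} || $permissions{domain_edit}` when `defrec` is 'y', while the new `editsoa` branch above it requires admin for default records. A request sent straight to `updatesoa` by a non-admin with `domain_edit` and the group in scope would therefore pass. Adding `changepage(page => "domlist", errmsg => "You are not permitted to edit default records") if $webvar{defrec} eq 'y' && !$permissions{admin};` before the existing check keeps the two pages consistent. The `##fixme` about `{recid}` could also be closed here: `%soa` is already loaded from the checked `$webvar{id}`, and the fillsoa hunk later in this diff shows getSOA returning `recid`, so binding `$soa{recid}` instead of `$webvar{recid}` in `execute` ties the UPDATE to that parent's SOA. The `if ($sth->err)` block continues outside this hunk.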
@@ -648,14 +684,23 @@
   } else {
 
-##fixme!  need to set group ID properly here
-# SELECT group_id FROM domains WHERE domain_id=?
-# $sth->execute($webvar{id});
-##log
-    logaction(0, $session->param("username"), $webvar{group},
-	"Updated SOA (ns $webvar{prins}, contact $webvar{contact}, refresh $webvar{refresh},".
-	" retry $webvar{retry}, expire $webvar{expire}, minTTL $webvar{minttl}, TTL $webvar{ttl}");
-    changepage(page => "reclist", id => $webvar{id}, defrec => $webvar{defrec});
-#    $page->param(update_failed => 0);
-#    showdomain('y',1);
+    # do this in the order of "default to most common case"
+    my $loggroup;
+    my $logdomain = $webvar{id};
+    if ($webvar{defrec} eq 'y') {
+      $loggroup = $webvar{id};
+      $logdomain = 0;
+    } else {
+      $loggroup = parentID($logdomain, 'dom', 'group', $webvar{defrec});
+    }
+
+    logaction($logdomain, $session->param("username"), $loggroup,
+	"Updated ".($webvar{defrec} eq 'y' ? 'default ' : '')."SOA for ".
+	($webvar{defrec} eq 'y' ? groupName($dbh, $webvar{id}) : domainName($dbh, $webvar{id}) ).
+	": (ns $soa{prins}, contact $soa{contact}, refresh $soa{refresh},".
+	" retry $soa{retry}, expire $soa{expire}, minTTL $soa{minttl}, TTL $soa{ttl}) to ".
+	"(ns $webvar{prins}, contact $webvar{contact}, refresh $webvar{refresh},".
+	" retry $webvar{retry}, expire $webvar{expire}, minTTL $webvar{minttl}, TTL $webvar{ttl})");
+    changepage(page => "reclist", id => $webvar{id}, defrec => $webvar{defrec},
+	resultmsg => "SOA record updated");
   }
 
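Review bot: The call `parentID($logdomain, 'dom', 'group', $webvar{defrec})` passes a fourth argument, whereas the delete-domain branch earlier in this diff calls `parentID($webvar{id}, 'dom', 'group')` with three. In this `else` branch `defrec` is never 'y', so the extra argument looks redundant at best; if parentID takes no defrec flag, `$loggroup = parentID($logdomain, 'dom', 'group');` keeps the call sites consistent. The log message also interpolates the submitted `$webvar{...}` SOA fields unchanged. If log entries are later rendered as HTML (not visible here), they need escaping on output. The enclosing `if ($sth->err)` starts outside this hunk.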
@@ -1118,6 +1163,4 @@
       $page->param(perm_custom => 1);
     }
-##work
-#  } elsif ($webvar{action} eq 'update') {
   } else {
     changepage(page => "useradmin", errmsg => "You are not allowed to add new users")
@@ -1247,10 +1290,4 @@
   $webvar{doit} = '' if !defined($webvar{doit});
 
-  # security check - does the user have permission to access this entity?
-  if (!check_scope($webvar{group}, 'group')) {
-    $page->param(errmsg => "You are not permitted to import domains into the requested group");
-    goto DONEAXFR;
-  }
-
   if ($webvar{doit} eq 'y' && !$webvar{ifrom}) {
     $page->param(errmsg => "Need to set host to import from");
@@ -1258,4 +1295,11 @@
     $page->param(errmsg => "Need domains to import");
   } elsif ($webvar{doit} eq 'y') {
+
+    # security check - does the user have permission to access this entity?
+    if (!check_scope($webvar{group}, 'group')) {
+      $page->param(errmsg => "You are not permitted to import domains into the requested group");
+      goto DONEAXFR;
+    }
+
     my @domlist = split /\s+/, $webvar{importdoms};
     my @results;
@@ -1502,5 +1546,4 @@
   my %soa = getSOA($dbh,$def,$id);
 
-  $page->param(recid	=> $soa{recid});
   $page->param(contact	=> $soa{contact});
   $page->param(prins	=> $soa{prins});
@@ -1871,5 +1914,4 @@
 
 # fill page count and first-previous-next-last-all bits
-##fixme - hardcoded group bit
   fill_pgcount($count,"users",'');
   fill_fpnla($count);
@@ -2040,6 +2082,6 @@
 # so simple when defined as a sub instead of inline.  O_o
 sub check_scope {
-  my $entity = shift;
-  my $entype = shift;
+  my $entity = shift || '';
+  my $entype = shift || '';
 
   if ($entype eq 'group') {
Index: /trunk/templates/soadata.tmpl
===================================================================
--- /trunk/templates/soadata.tmpl	(revision 161)
+++ /trunk/templates/soadata.tmpl	(revision 162)
@@ -3,5 +3,5 @@
         <td align="left">SOA:</td>
 <TMPL_IF mayeditsoa>
-        <td align="right"><a href="dns.cgi?sid=<TMPL_VAR NAME=sid>&amp;page=editsoa&amp;id=<TMPL_VAR NAME=id>&amp;recid=<TMPL_VAR NAME=recid>&amp;defrec=<TMPL_VAR NAME=defrec>">edit</a></td></TMPL_IF>
+        <td align="right"><a href="dns.cgi?sid=<TMPL_VAR NAME=sid>&amp;page=editsoa&amp;id=<TMPL_VAR NAME=id>&amp;defrec=<TMPL_VAR NAME=defrec>">edit</a></td></TMPL_IF>
 </tr>
 </table>
