Changeset 179


Ignore:
Timestamp:
12/02/11 15:37:10 (12 years ago)
Author:
Kris Deugau
Message:

/trunk

Fix up ACL and scope checks on groups (see #30)

  • check correct ACL permission for group creation
  • check parent group of a new group is in-scope for user
  • make sure new groups do not exceed the ACL given to the user
  • normalize action reporting (success and warning) compared to the same actions elsewhere
  • check scope deleting a group
  • check scope editing a group
File:
1 edited

Legend:

Unmodified
Added
Removed

  • trunk/dns.cgi

    r178 r179  
    766766} elsif ($webvar{page} eq 'newgrp') {
    767767
    768   changepage(page => "grpman", errmsg => "You are not permitted to add groups", id => $webvar{parentid})
    769         unless ($permissions{admin} || $permissions{group_add});
     768  changepage(page => "grpman", errmsg => "You are not permitted to add groups")
     769        unless ($permissions{admin} || $permissions{group_create});
    770770
    771771  # do.. uhh.. stuff.. if we have no webvar{action}
    772772  if ($webvar{action} && $webvar{action} eq 'add') {
     773
     774    # security check - does the user have permission to access this entity?
     775    if (!check_scope(id => $webvar{pargroup}, type => 'group')) {
     776      changepage(page => "grpman", errmsg => "You are not permitted to add a group to the requested parent group");
     777    }
     778
    773779    my %newperms;
     780    my $alterperms = 0;
    774781    foreach (@permtypes) {
    775782      $newperms{$_} = 0;
    776       $newperms{$_} = (defined($webvar{$_}) && $webvar{$_} eq 'on' ? 1 : 0);
     783      if ($permissions{admin} || $permissions{$_}) {
     784        $newperms{$_} = (defined($webvar{$_}) && $webvar{$_} eq 'on' ? 1 : 0);
     785      } else {
     786        $alterperms = 1;
     787      }
    777788    }
    778789    # not gonna provide the 4th param: template-or-clone flag, just yet
     
    780791    if ($code eq 'OK') {
    781792      logaction(0, $session->param("username"), $webvar{pargroup}, "Added group $webvar{newgroup}");
    782       changepage(page => "grpman");
     793      if ($alterperms) {
     794        changepage(page => "grpman", warnmsg =>
     795                "You can only grant permissions you hold.  New group $webvar{newgroup} added with reduced access.");
     796      } else {
     797        changepage(page => "grpman", resultmsg => "Added group $webvar{newgroup}");
     798      }
    783799    }
    784800    # no point in doing extra work
     
    801817        unless ($permissions{admin} || $permissions{group_delete});
    802818
     819  # security check - does the user have permission to access this entity?
     820  if (!check_scope(id => $webvar{id}, type => 'group')) {
     821    changepage(page => "grpman", errmsg => "You are not permitted to delete the requested group");
     822  }
     823
    803824  $page->param(id => $webvar{id});
    804825  # first pass = confirm y/n (sorta)
     
    839860  changepage(page => "grpman", errmsg => "You are not permitted to edit groups")
    840861        unless ($permissions{admin} || $permissions{group_edit});
     862
     863  # security check - does the user have permission to access this entity?
     864  if (!check_scope(id => $webvar{gid}, type => 'group')) {
     865    changepage(page => "grpman", errmsg => "You are not permitted to edit the requested group");
     866  }
    841867
    842868  if ($webvar{action} eq 'updperms') {
Note: See TracChangeset for help on using the changeset viewer.