Changeset 180 for trunk/dns.cgi


Timestamp:
12/02/11 16:40:12 (13 years ago)
Author:
Kris Deugau
Message:

/trunk

Apply scope checks to the user and domain log views. The group log
gets no separate check here: it is always for the current group
(not a user-supplied id), which the change-group check already
scopes. See #30.

File:
1 edited

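--- a/trunk/dns.cgi
+++ b/trunk/dns.cgi
@@ -1456,16 +1456,27 @@
   my $id = $curgroup;  # we do this because the group log may be called from (almost) any page,
                        # but the others are much more limited.  this is probably non-optimal.
+
   if ($webvar{ltype} && $webvar{ltype} eq 'user') {
     $sql .= "user_id=?";
     $id = $webvar{id};
+    if (!check_scope(id => $id, type => 'user')) {
+      $page->param(errmsg => "You are not permitted to view log entries for the requested user");
+      goto DONELOG;
+    }
     $page->param(logfor => 'user '.userFullName($dbh,$id));
   } elsif ($webvar{ltype} && $webvar{ltype} eq 'dom') {
     $sql .= "domain_id=?";
     $id = $webvar{id};
+    if (!check_scope(id => $id, type => 'domain')) {
+      $page->param(errmsg => "You are not permitted to view log entries for the requested domain");
+      goto DONELOG;
+    }
     $page->param(logfor => 'domain '.domainName($dbh,$id));
   } else {
 
     $sql .= "group_id=?";
     $page->param(logfor => 'group '.groupName($dbh,$id));
+    # note that scope limitations are applied via the change-group check;
+    # group log is always for the "current" group
   }
   my $sth = $dbh->prepare($sql);
@@ -1482,4 +1493,7 @@
   }
   $page->param(logentries => \@logbits);
+
+  # scope check fail target
+  DONELOG: ;
 
 } # end $webvar{page} dance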
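Review bot: The group branch (new lines 1477-1480) is the only one of the three without a check_scope() call of its own; the added comment delegates its authorization to the change-group check elsewhere, so this handler's safety depends on every path that sets $curgroup having gone through that check. If check_scope() accepts a group type, a local guard such as `if (!check_scope(id => $id, type => 'group')) { $page->param(errmsg => "You are not permitted to view log entries for the requested group"); goto DONELOG; }` placed before `$sql .= "group_id=?";` would let the log page fail closed on its own, at little cost. The two new user/domain fail paths look right as far as the hunk shows: they run before prepare()/execute and the error text does not echo the caller-supplied id. Jumping to DONELOG with goto past `my $sth = $dbh->prepare($sql);` is legal here but is the kind of control flow perlcritic flags; wrapping the query in an `if ($scope_ok) { ... }` block would read more clearly once the code between 1482 and 1493 is in view. The enclosing page handler begins before this hunk and the query/loop between the two hunks is not shown.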