Changeset 181 for trunk/dns.cgi


Ignore:
Timestamp:
12/02/11 17:04:43 (13 years ago)
Author:
Kris Deugau
Message:

/trunk

Scope check (see #30)

  • user add
  • user edit/update
  • user delete
File:
1 edited

Legend:

Unmodified
Added
Removed
  • trunk/dns.cgi

    r180 r181  
    11671167        changepage(page => "useradmin", errmsg => "You do not have permission to add new users")
    11681168                unless $permissions{admin} || $permissions{user_create};
     1169        # no scope check;  user is created in the current group
    11691170        ($code,$msg) = addUser($dbh, $webvar{uname}, $curgroup, $webvar{pass1},
    11701171                ($webvar{makeactive} eq 'on' ? 1 : 0), $webvar{accttype}, $permstring,
     
    11751176        changepage(page => "useradmin", errmsg => "You do not have permission to edit users")
    11761177                unless $permissions{admin} || $permissions{user_edit};
     1178        # security check - does the user have permission to access this entity?
     1179        if (!check_scope(id => $webvar{user}, type => 'user')) {
     1180          changepage(page => "useradmin", errmsg => "You do not have permission to edit the requested user");
     1181        }
    11771182# User update is icky.  I'd really like to do this in one atomic
    11781183# operation, but that would duplicate a **lot** of code in DNSDB.pm
     
    12301235        unless $permissions{admin} || $permissions{user_edit};
    12311236
     1237    # security check - does the user have permission to access this entity?
     1238    if (!check_scope(id => $webvar{user}, type => 'user')) {
     1239      changepage(page => "useradmin", errmsg => "You do not have permission to edit the requested user");
     1240    }
     1241
    12321242    $page->param(set_permgroup => 1);
    12331243    $page->param(action => 'update');
     
    12671277  changepage(page=> "useradmin", errmsg => "You are not allowed to delete users")
    12681278        unless $permissions{admin} || $permissions{user_delete};
     1279
     1280  # security check - does the user have permission to access this entity?
     1281  if (!check_scope(id => $webvar{id}, type => 'user')) {
     1282    changepage(page => "useradmin", errmsg => "You are not permitted to delete the requested user");
     1283  }
    12691284
    12701285  $page->param(id => $webvar{id});
Note: See TracChangeset for help on using the changeset viewer.