Changeset 207

Timestamp:

12/19/11 17:20:54 (13 years ago)

Author:

Kris Deugau

Message:

/trunk

Fix overloaded-$webvar{action}-related buglet - changing the default
group can cause the page to mutate due to template/page overloading.
Reported by Reid Sutherland on the "Edit user" page, when clicking
a group to change the default group.

Group edit and bulk domain change pages tweaked although the impact
is limited to changing the starting data, not the page operation.

Location:

trunk

Files:

• dns.cgi (modified) (11 diffs)
• templates/bulkdomain.tmpl (modified) (1 diff)
• templates/edgroup.tmpl (modified) (1 diff)
• templates/newgrp.tmpl (modified) (1 diff)
• templates/user.tmpl (modified) (1 diff)
• templates/useradmin.tmpl (modified) (1 diff)

trunk/dns.cgi

@@ -807 +807 @@
         unless ($permissions{admin} || $permissions{group_create});
 
-  # do.. uhh.. stuff.. if we have no webvar{action}
-  if ($webvar{action} && $webvar{action} eq 'add') {
+  # do.. uhh.. stuff.. if we have no webvar{grpaction}
+  if ($webvar{grpaction} && $webvar{grpaction} eq 'add') {
 
     # security check - does the user have permission to access this entity?
@@ -901 +901 @@
   }
 
-  if ($webvar{action} eq 'updperms') {
+  if ($webvar{grpaction} eq 'updperms') {
     # extra safety check;  make sure user can't construct a URL to bypass ACLs
     my %curperms;
@@ -994 +994 @@
   }
 
-  if ($webvar{action} eq 'move') {
+  if ($webvar{bulkaction} eq 'move') {
     changepage(page => "domlist", errmsg => "You are not permitted to bulk-move domains")
         unless ($permissions{admin} || ($permissions{domain_edit} && $permissions{domain_create} && $permissions{domain_delete}));
@@ -1029 +1029 @@
     $page->param(bulkresults => \@bulkresults);
 
-  } elsif ($webvar{action} eq 'deactivate' || $webvar{action} eq 'activate') {
-    changepage(page => "domlist", errmsg => "You are not permitted to bulk-$webvar{action} domains")
+  } elsif ($webvar{bulkaction} eq 'deactivate' || $webvar{bulkaction} eq 'activate') {
+    changepage(page => "domlist", errmsg => "You are not permitted to bulk-$webvar{bulkaction} domains")
         unless ($permissions{admin} || $permissions{domain_edit});
-    $page->param(action => "$webvar{action} domains");
+    $page->param(action => "$webvar{bulkaction} domains");
     my @bulkresults;
     foreach (keys %webvar) {
@@ -1046 +1046 @@
       $row{domain} = domainName($dbh,$webvar{$_});
 ##fixme:  error handling on status change
-      my $stat = domStatus($dbh,$webvar{$_},($webvar{action} eq 'activate' ? 'domon' : 'domoff'));
+      my $stat = domStatus($dbh,$webvar{$_},($webvar{bulkaction} eq 'activate' ? 'domon' : 'domoff'));
       logaction($webvar{$_}, $session->param("username"), parentID($webvar{$_}, 'dom', 'group'),
                 "Changed domain ".domainName($dbh, $webvar{$_})." state to ".($stat ? 'active' : 'inactive'));
@@ -1056 +1056 @@
     $page->param(bulkresults => \@bulkresults);
 
-  } elsif ($webvar{action} eq 'delete') {
+  } elsif ($webvar{bulkaction} eq 'delete') {
     changepage(page => "domlist", errmsg => "You are not permitted to bulk-delete domains")
         unless ($permissions{admin} || $permissions{domain_delete});
-    $page->param(action => "$webvar{action} domains");
+    $page->param(action => "$webvar{bulkaction} domains");
     my @bulkresults;
     foreach (keys %webvar) {
@@ -1155 +1155 @@
   $page->param(is_admin => $permissions{admin});
 
-  $webvar{action} = '' if !$webvar{action};
-
-  if ($webvar{action} eq 'add' or $webvar{action} eq 'update') {
-
-    $page->param(add => 1) if $webvar{action} eq 'add';
+  $webvar{useraction} = '' if !$webvar{useraction};
+
+  if ($webvar{useraction} eq 'add' or $webvar{useraction} eq 'update') {
+
+    $page->param(add => 1) if $webvar{useraction} eq 'add';
 
     my ($code,$msg);
@@ -1208 +1208 @@
         $permstring = 'i';
       }
-      if ($webvar{action} eq 'add') {
+      if ($webvar{useraction} eq 'add') {
         changepage(page => "useradmin", errmsg => "You do not have permission to add new users")
                 unless $permissions{admin} || $permissions{user_create};
@@ -1244 +1244 @@
         changepage(page => "useradmin", warnmsg =>
                 "You can only grant permissions you hold.  $webvar{uname} ".
-                ($webvar{action} eq 'add' ? 'added' : 'updated')." with reduced access.");
+                ($webvar{useraction} eq 'add' ? 'added' : 'updated')." with reduced access.");
       } else {
         changepage(page => "useradmin", resultmsg => "Successfully ".
-                ($webvar{action} eq 'add' ? 'added' : 'updated')." user $webvar{uname}");
+                ($webvar{useraction} eq 'add' ? 'added' : 'updated')." user $webvar{uname}");
       }
 
@@ -1253 +1253 @@
     } else {
       $page->param(add_failed => 1);
-      $page->param(action => $webvar{action});
+      $page->param(action => $webvar{useraction});
       $page->param(set_permgroup => 1);
       if ($webvar{perms_type} eq 'inherit') {   # set permission class radio
@@ -1271 +1271 @@
       fill_actypelist($webvar{accttype});
       fill_clonemelist();
-      logaction(0, $session->param("username"), $curgroup, "Failed to $webvar{action} user ".
+      logaction(0, $session->param("username"), $curgroup, "Failed to $webvar{useraction} user ".
         "$webvar{uname}: $msg")
         if $config{log_failures};
     }
 
-  } elsif ($webvar{action} eq 'edit') {
+  } elsif ($webvar{useraction} eq 'edit') {
 
     changepage(page => "useradmin", errmsg => "You do not have permission to edit users")

trunk/templates/bulkdomain.tmpl

@@ -21 +21 @@
                 <td>Action:</td>
                 <td align="left">
-<TMPL_IF maymove>               <input type="radio" name="action" value="move" checked="checked" /> Move to group: <select name="destgroup">
+<TMPL_IF maymove>               <input type="radio" name="bulkaction" value="move" checked="checked" /> Move to group: <select name="destgroup">
 <TMPL_LOOP name=grouplist>              <option value="<TMPL_VAR NAME=groupval>"<TMPL_IF groupactive> selected="selected"</TMPL_IF>><TMPL_VAR name=groupname></option>
 </TMPL_LOOP>
                 </select><br /></TMPL_IF>
-<TMPL_IF maystatus>             <input type="radio" name="action" value="deactivate" /> Deactivate<br />
-                <input type="radio" name="action" value="activate" /> Activate<br /></TMPL_IF>
-<TMPL_IF maydelete>             <input type="radio" name="action" value="delete" /> Delete<br /></TMPL_IF>
+<TMPL_IF maystatus>             <input type="radio" name="bulkaction" value="deactivate" /> Deactivate<br />
+                <input type="radio" name="bulkaction" value="activate" /> Activate<br /></TMPL_IF>
+<TMPL_IF maydelete>             <input type="radio" name="bulkaction" value="delete" /> Delete<br /></TMPL_IF>
                 </td>
         </tr>

trunk/templates/edgroup.tmpl

@@ -9 +9 @@
 <input type="hidden" name="sid" value="<TMPL_VAR NAME=sid>" />
 <input type="hidden" name="page" value="edgroup" />
-<input type="hidden" name="action" value="updperms" />
+<input type="hidden" name="grpaction" value="updperms" />
 <input type="hidden" name="gid" value="<TMPL_VAR NAME=gid>" />
 

trunk/templates/newgrp.tmpl

@@ -10 +10 @@
 <input type="hidden" name="sid" value="<TMPL_VAR NAME=sid>" />
 <input type="hidden" name="page" value="newgrp" />
-<input type="hidden" name="action" value="add" />
+<input type="hidden" name="grpaction" value="add" />
 
 <table class="container" width="450">

trunk/templates/user.tmpl

@@ -10 +10 @@
 <input type="hidden" name="sid" value="<TMPL_VAR NAME=sid>" />
 <input type="hidden" name="page" value="user" />
-<input type="hidden" name="action" value="<TMPL_VAR NAME=action>" />
+<input type="hidden" name="useraction" value="<TMPL_VAR NAME=action>" />
 <TMPL_IF uid><input type="hidden" name="uid" value="<TMPL_VAR NAME=uid>" /></TMPL_IF>
 <TMPL_IF gid><input type="hidden" name="gid" value="<TMPL_VAR NAME=gid>" /></TMPL_IF>

trunk/templates/useradmin.tmpl

@@ -37 +37 @@
 <TMPL_LOOP name=usertable>
 <tr class="row<TMPL_VAR name=bg>">
-        <td align="left"><TMPL_IF eduser><a href="dns.cgi?sid=<TMPL_VAR NAME=sid>&amp;page=user&amp;action=edit&amp;user=<TMPL_VAR NAME=userid>"><TMPL_VAR NAME=username></a><TMPL_ELSE><TMPL_VAR NAME=username></TMPL_IF></td>
+        <td align="left"><TMPL_IF eduser><a href="dns.cgi?sid=<TMPL_VAR NAME=sid>&amp;page=user&amp;useraction=edit&amp;user=<TMPL_VAR NAME=userid>"><TMPL_VAR NAME=username></a><TMPL_ELSE><TMPL_VAR NAME=username></TMPL_IF></td>
         <td class="data_nowrap"><TMPL_VAR name=userfull></td>
         <td><TMPL_VAR name=usertype></td>