Changeset 207 for trunk/dns.cgi

Timestamp:

12/19/11 17:20:54 (12 years ago)

Author:

Kris Deugau

Message:

/trunk

Fix overloaded-$webvar{action}-related buglet - changing the default
group can cause the page to mutate due to template/page overloading.
Reported by Reid Sutherland on the "Edit user" page, when clicking
a group to change the default group.

Group edit and bulk domain change pages tweaked although the impact
is limited to changing the starting data, not the page operation.

File:

• trunk/dns.cgi (modified) (11 diffs)

trunk/dns.cgi

@@ -807 +807 @@
         unless ($permissions{admin} || $permissions{group_create});
 
-  # do.. uhh.. stuff.. if we have no webvar{action}
-  if ($webvar{action} && $webvar{action} eq 'add') {
+  # do.. uhh.. stuff.. if we have no webvar{grpaction}
+  if ($webvar{grpaction} && $webvar{grpaction} eq 'add') {
 
     # security check - does the user have permission to access this entity?
@@ -901 +901 @@
   }
 
-  if ($webvar{action} eq 'updperms') {
+  if ($webvar{grpaction} eq 'updperms') {
     # extra safety check;  make sure user can't construct a URL to bypass ACLs
     my %curperms;
@@ -994 +994 @@
   }
 
-  if ($webvar{action} eq 'move') {
+  if ($webvar{bulkaction} eq 'move') {
     changepage(page => "domlist", errmsg => "You are not permitted to bulk-move domains")
         unless ($permissions{admin} || ($permissions{domain_edit} && $permissions{domain_create} && $permissions{domain_delete}));
@@ -1029 +1029 @@
     $page->param(bulkresults => \@bulkresults);
 
-  } elsif ($webvar{action} eq 'deactivate' || $webvar{action} eq 'activate') {
-    changepage(page => "domlist", errmsg => "You are not permitted to bulk-$webvar{action} domains")
+  } elsif ($webvar{bulkaction} eq 'deactivate' || $webvar{bulkaction} eq 'activate') {
+    changepage(page => "domlist", errmsg => "You are not permitted to bulk-$webvar{bulkaction} domains")
         unless ($permissions{admin} || $permissions{domain_edit});
-    $page->param(action => "$webvar{action} domains");
+    $page->param(action => "$webvar{bulkaction} domains");
     my @bulkresults;
     foreach (keys %webvar) {
@@ -1046 +1046 @@
       $row{domain} = domainName($dbh,$webvar{$_});
 ##fixme:  error handling on status change
-      my $stat = domStatus($dbh,$webvar{$_},($webvar{action} eq 'activate' ? 'domon' : 'domoff'));
+      my $stat = domStatus($dbh,$webvar{$_},($webvar{bulkaction} eq 'activate' ? 'domon' : 'domoff'));
       logaction($webvar{$_}, $session->param("username"), parentID($webvar{$_}, 'dom', 'group'),
                 "Changed domain ".domainName($dbh, $webvar{$_})." state to ".($stat ? 'active' : 'inactive'));
@@ -1056 +1056 @@
     $page->param(bulkresults => \@bulkresults);
 
-  } elsif ($webvar{action} eq 'delete') {
+  } elsif ($webvar{bulkaction} eq 'delete') {
     changepage(page => "domlist", errmsg => "You are not permitted to bulk-delete domains")
         unless ($permissions{admin} || $permissions{domain_delete});
-    $page->param(action => "$webvar{action} domains");
+    $page->param(action => "$webvar{bulkaction} domains");
     my @bulkresults;
     foreach (keys %webvar) {
@@ -1155 +1155 @@
   $page->param(is_admin => $permissions{admin});
 
-  $webvar{action} = '' if !$webvar{action};
-
-  if ($webvar{action} eq 'add' or $webvar{action} eq 'update') {
-
-    $page->param(add => 1) if $webvar{action} eq 'add';
+  $webvar{useraction} = '' if !$webvar{useraction};
+
+  if ($webvar{useraction} eq 'add' or $webvar{useraction} eq 'update') {
+
+    $page->param(add => 1) if $webvar{useraction} eq 'add';
 
     my ($code,$msg);
@@ -1208 +1208 @@
         $permstring = 'i';
       }
-      if ($webvar{action} eq 'add') {
+      if ($webvar{useraction} eq 'add') {
         changepage(page => "useradmin", errmsg => "You do not have permission to add new users")
                 unless $permissions{admin} || $permissions{user_create};
@@ -1244 +1244 @@
         changepage(page => "useradmin", warnmsg =>
                 "You can only grant permissions you hold.  $webvar{uname} ".
-                ($webvar{action} eq 'add' ? 'added' : 'updated')." with reduced access.");
+                ($webvar{useraction} eq 'add' ? 'added' : 'updated')." with reduced access.");
       } else {
         changepage(page => "useradmin", resultmsg => "Successfully ".
-                ($webvar{action} eq 'add' ? 'added' : 'updated')." user $webvar{uname}");
+                ($webvar{useraction} eq 'add' ? 'added' : 'updated')." user $webvar{uname}");
       }
 
@@ -1253 +1253 @@
     } else {
       $page->param(add_failed => 1);
-      $page->param(action => $webvar{action});
+      $page->param(action => $webvar{useraction});
       $page->param(set_permgroup => 1);
       if ($webvar{perms_type} eq 'inherit') {   # set permission class radio
@@ -1271 +1271 @@
       fill_actypelist($webvar{accttype});
       fill_clonemelist();
-      logaction(0, $session->param("username"), $curgroup, "Failed to $webvar{action} user ".
+      logaction(0, $session->param("username"), $curgroup, "Failed to $webvar{useraction} user ".
         "$webvar{uname}: $msg")
         if $config{log_failures};
     }
 
-  } elsif ($webvar{action} eq 'edit') {
+  } elsif ($webvar{useraction} eq 'edit') {
 
     changepage(page => "useradmin", errmsg => "You do not have permission to edit users")