![[ DNS Administrator ]](/fx/dnsadmin-logo.png){kind=logo}
Changeset 244
Legend:
- Unmodified
- Added
- Removed
-
trunk/DNSDB.pm
r243 r244 2118 2118 2119 2119 # Reference hashes. 2120 2120 my %par_tbl = ( 2121 2121 group => 'groups', 2122 2122 user => 'users', 2123 2123 defrec => 'default_records', 2124 defrevrec => 'default_rev_records', 2124 2125 domain => 'domains', 2126 revzone => 'revzones', 2125 2127 record => 'records' 2126 2128 ); 2127 2129 my %id_col = ( 2128 2130 group => 'group_id', 2129 2131 user => 'user_id', 2130 2132 defrec => 'record_id', 2133 defrevrec => 'record_id', 2131 2134 domain => 'domain_id', 2135 revzone => 'rdns_id', 2132 2136 record => 'record_id' 2133 2137 ); 2134 2138 my %par_col = ( 2135 2139 group => 'parent_group_id', 2136 2140 user => 'group_id', 2137 2141 defrec => 'group_id', 2142 defrevrec => 'group_id', 2138 2143 domain => 'group_id', 2144 revzone => 'group_id', 2139 2145 record => 'domain_id' 2140 2146 ); 2141 2147 my %par_type = ( 2142 2148 group => 'group', 2143 2149 user => 'group', 2144 2150 defrec => 'group', 2151 defrevrec => 'group', 2145 2152 domain => 'group', 2153 revzone => 'group', 2146 2154 record => 'domain' 2147 2155 ); … … 2231 2239 2232 2240 # Return false on invalid types 2233 return 0 if !grep /^$type1$/, ('record','defrec',' user','domain','group');2234 return 0 if !grep /^$type2$/, ('record','defrec',' user','domain','group');2241 return 0 if !grep /^$type1$/, ('record','defrec','defrevrec','user','domain','revzone','group'); 2242 return 0 if !grep /^$type2$/, ('record','defrec','defrevrec','user','domain','revzone','group'); 2235 2243 2236 2244 # Return false on impossible relations 2237 2245 return 0 if $type1 eq 'record'; # nothing may be a child of a record 2238 2246 return 0 if $type1 eq 'defrec'; # nothing may be a child of a record 2247 return 0 if $type1 eq 'defrevrec'; # nothing may be a child of a record 2239 2248 return 0 if $type1 eq 'user'; # nothing may be child of a user 2240 2249 return 0 if $type1 eq 'domain' && $type2 ne 'record'; # domain may not be a parent of anything other than a record 2250 return 0 if $type1 eq 'revzone' && $type2 ne 'record';# reverse zone may not be a parent of anything other than a record 2241 2251 2242 2252 # ennnhhhh.... if we're passed an id of 0, it will never be found. usual 2243 2253 # case would be the UI creating a new <thing>, and so we don't have an ID for 2244 2254 # <thing> to look up yet. in that case the UI should check the parent as well. 2245 # argument for returning 1 is2246 2255 return 0 if $id1 == 0; # nothing can have a parent id of 0 2247 2256 return 1 if $id2 == 0; # anything could have a child id of 0 (or "unknown") … … 2253 2262 return 1 if $type1 eq 'group' && $type2 eq 'group' && $id1 == $id2; 2254 2263 2255 # almost the same loop as getParents() above2256 2264 my $id = $id2; 2257 2265 my $type = $type2; 2258 2266 my $foundparent = 0; 2259 2267 2268 # Records are the only entity with two possible parents. We need to split the parent checks on 2269 # domain/rdns. 2270 if ($type eq 'record') { 2271 my ($dom,$rdns) = $dbh->selectrow_array("SELECT domain_id,rdns_id FROM records WHERE record_id=?", 2272 undef, ($id)); 2273 # check immediate parent against request 2274 return 1 if $type1 eq 'domain' && $id1 == $dom; 2275 return 1 if $type1 eq 'revzone' && $id1 == $rdns; 2276 # if request is group, check *both* parents. Only check if the parent is nonzero though. 2277 return 1 if $dom && isParent($dbh, $id1, $type1, $dom, 'domain'); 2278 return 1 if $rdns && isParent($dbh, $id1, $type1, $rdns, 'revzone'); 2279 # exit here since we've executed the loop below by proxy in the above recursive calls. 2280 return 0; 2281 } 2282 2283 # almost the same loop as getParents() above 2260 2284 my $limiter = 0; 2261 2285 while (1) { … … 2265 2289 if (!$result) { 2266 2290 $limiter++; 2267 ##fixme: how often will this happen on a live site? 2291 ##fixme: how often will this happen on a live site? fail at max limiter <n>? 2268 2292 warn "no results looking for $sql with id $id (depth $limiter)\n"; 2269 2293 last; … … 2274 2298 } else { 2275 2299 ##fixme: do we care about trying to return a "no such record/domain/user/group" error? 2300 # should be impossible to create an inconsistent DB just with API calls. 2276 2301 warn $dbh->errstr." $sql, $id" if $dbh->errstr; 2277 2302 } -
trunk/dns.cgi
r243 r244 429 429 430 430 # security check - does the user have permission to view this entity? 431 if (!check_scope(id => $webvar{id}, type => ($webvar{defrec} eq 'y' ? 'group' : 'domain'))) { 431 if (!check_scope(id => $webvar{id}, type => 432 ($webvar{defrec} eq 'y' ? 'group' : ($webvar{revrec} eq 'y' ? 'revzone' : 'domain')))) { 432 433 $page->param(errmsg => "You are not permitted to view or change the requested ". 433 ($webvar{defrec} eq 'y' ? "group's default records" : "domain's records")); 434 ($webvar{defrec} eq 'y' ? "group's default records" : 435 ($webvar{revrec} eq 'y' ? "reverse zone's records" : "domain's records"))); 434 436 $page->param(perm_err => 1); # this causes the template to skip the record listing output. 435 437 goto DONERECLIST; # and now we skip filling in the content which is not printed due to perm_err above … … 520 522 521 523 # security check - does the user have permission to access this entity? 522 if (!check_scope(id => $webvar{id}, type => ($webvar{defrec} eq 'y' ? 'defrec' : 'record'))) { 524 if (!check_scope(id => $webvar{id}, type => 525 ($webvar{defrec} eq 'y' ? ($webvar{revrec eq 'y' ? 'defrevrec' : 'defrec') : 'record'))) { 523 526 $page->param(perm_err => "You are not permitted to edit the requested record"); 524 527 goto DONEREC; 525 528 } 526 529 # round 2, check the parent. 527 if (!check_scope(id => $webvar{parentid}, type => ($webvar{defrec} eq 'y' ? 'group' : 'domain'))) { 530 if (!check_scope(id => $webvar{parentid}, type => 531 ($webvar{defrec} eq 'y' ? 'group' : ($webvar{revrec} eq 'y' ? 'revzone' : 'domain')))) { 528 532 my $msg = ($webvar{defrec} eq 'y' ? 529 533 "You are not permitted to add or edit default records in the requested group" : 530 "You are not permitted to add or edit records in the requested domain ");534 "You are not permitted to add or edit records in the requested domain/zone"); 531 535 $page->param(perm_err => $msg); 532 536 goto DONEREC; … … 696 700 697 701 changepage(page => "reclist", errmsg => "You are not permitted to delete records", id => $webvar{parentid}, 698 revrec => $webvar{revrec})702 defrec => $webvar{defrec}, revrec => $webvar{revrec}) 699 703 unless ($permissions{admin} || $permissions{record_delete}); 700 704 701 if (!check_scope(id => $webvar{id}, type => ($webvar{defrec} eq 'y' ? 'group' : 'domain'))) { 705 if (!check_scope(id => $webvar{id}, type => 706 ($webvar{defrec} eq 'y' ? ($webvar{revrec} eq 'y' ? 'defrevrec' : 'defrec') : 'record'))) { 707 # redirect to domlist because we don't have permission for the entity requested 702 708 changepage(page => 'domlist', errmsg => "You do not have permission to delete records in the requested ". 703 709 ($webvar{defrec} eq 'y' ? 'group' : 'domain')); … … 753 759 754 760 # security check - does the user have permission to view this entity? 755 if (!check_scope(id => $webvar{id}, type => ($webvar{defrec} eq 'y' ? 'group' : 'domain'))) { 761 # id is domain/revzone/group id 762 if (!check_scope(id => $webvar{id}, type => 763 ($webvar{defrec} eq 'y' ? 'group' : ($webvar{revrec} eq 'y' ? 'revzone' : 'domain'))) { 756 764 changepage(page => 'domlist', errmsg => "You do not have permission to edit the ". 757 765 ($webvar{defrec} eq 'y' ? 'default ' : '')."SOA record for the requested ". … … 773 781 # security check - does the user have permission to view this entity? 774 782 # pass 1, record ID 775 if (!check_scope(id => $webvar{recid}, type => ($webvar{defrec} eq 'y' ? 'defrec' : 'record'))) { 783 if (!check_scope(id => $webvar{recid}, type => 784 ($webvar{defrec} eq 'y' ? ($webvar{revrec} eq 'y' ? 'defrevrec' : 'defrec') : 'record'))) { 776 785 changepage(page => 'domlist', errmsg => "You do not have permission to edit the requested SOA record"); 777 786 } 778 787 # pass 2, parent (group or domain) ID 779 if (!check_scope(id => $webvar{id}, type => ($webvar{defrec} eq 'y' ? 'group' : 'domain'))) { 788 if (!check_scope(id => $webvar{id}, type => 789 ($webvar{defrec} eq 'y' ? 'group' : ($webvar{revrec} eq 'y' ? 'revzone' : 'domain')))) { 780 790 changepage(page => 'domlist', errmsg => "You do not have permission to edit the ". 781 791 ($webvar{defrec} eq 'y' ? 'default ' : '')."SOA record for the requested ".
Note:
See TracChangeset
for help on using the changeset viewer.
