Changeset 244 for trunk/dns.cgi


Timestamp:
02/24/12 17:59:45 (12 years ago)
Author:
Kris Deugau
Message:

/trunk

Scope check cleanup for rdns, should be complete. Some checks
seem to have been wrong (eg default record delete) and may be
candidates for backporting to a stable release. See #26.

File:
1 edited

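--- a/trunk/dns.cgi
+++ b/trunk/dns.cgi
@@ -429,7 +429,9 @@
 
   # security check - does the user have permission to view this entity?
-  if (!check_scope(id => $webvar{id}, type => ($webvar{defrec} eq 'y' ? 'group' : 'domain'))) {
+  if (!check_scope(id => $webvar{id}, type =>
+        ($webvar{defrec} eq 'y' ? 'group' : ($webvar{revrec} eq 'y' ? 'revzone' : 'domain')))) {
     $page->param(errmsg => "You are not permitted to view or change the requested ".
-        ($webvar{defrec} eq 'y' ? "group's default records" : "domain's records"));
+        ($webvar{defrec} eq 'y' ? "group's default records" :
+                ($webvar{revrec} eq 'y' ? "reverse zone's records" : "domain's records")));
     $page->param(perm_err => 1);        # this causes the template to skip the record listing output.
     goto DONERECLIST;   # and now we skip filling in the content which is not printed due to perm_err above
@@ -520,13 +522,15 @@
 
   # security check - does the user have permission to access this entity?
-  if (!check_scope(id => $webvar{id}, type => ($webvar{defrec} eq 'y' ? 'defrec' : 'record'))) {
+  if (!check_scope(id => $webvar{id}, type =>
+        ($webvar{defrec} eq 'y' ? ($webvar{revrec eq 'y' ? 'defrevrec' : 'defrec') : 'record'))) {
     $page->param(perm_err => "You are not permitted to edit the requested record");
     goto DONEREC;
   }
   # round 2, check the parent.
-  if (!check_scope(id => $webvar{parentid}, type => ($webvar{defrec} eq 'y' ? 'group' : 'domain'))) {
+  if (!check_scope(id => $webvar{parentid}, type =>
+        ($webvar{defrec} eq 'y' ? 'group' : ($webvar{revrec} eq 'y' ? 'revzone' : 'domain')))) {
     my $msg = ($webvar{defrec} eq 'y' ?
         "You are not permitted to add or edit default records in the requested group" :
-        "You are not permitted to add or edit records in the requested domain");
+        "You are not permitted to add or edit records in the requested domain/zone");
     $page->param(perm_err => $msg);
     goto DONEREC;
@@ -696,8 +700,10 @@
 
   changepage(page => "reclist", errmsg => "You are not permitted to delete records", id => $webvar{parentid},
-                revrec => $webvar{revrec})
+                defrec => $webvar{defrec}, revrec => $webvar{revrec})
         unless ($permissions{admin} || $permissions{record_delete});
 
-  if (!check_scope(id => $webvar{id}, type => ($webvar{defrec} eq 'y' ? 'group' : 'domain'))) {
+  if (!check_scope(id => $webvar{id}, type =>
+        ($webvar{defrec} eq 'y' ? ($webvar{revrec} eq 'y' ? 'defrevrec' : 'defrec') : 'record'))) {
+    # redirect to domlist because we don't have permission for the entity requested
     changepage(page => 'domlist', errmsg => "You do not have permission to delete records in the requested ".
         ($webvar{defrec} eq 'y' ? 'group' : 'domain'));
@@ -753,5 +759,7 @@
 
   # security check - does the user have permission to view this entity?
-  if (!check_scope(id => $webvar{id}, type => ($webvar{defrec} eq 'y' ? 'group' : 'domain'))) {
+  # id is domain/revzone/group id
+  if (!check_scope(id => $webvar{id}, type =>
+        ($webvar{defrec} eq 'y' ? 'group' : ($webvar{revrec} eq 'y' ? 'revzone' : 'domain'))) {
     changepage(page => 'domlist', errmsg => "You do not have permission to edit the ".
         ($webvar{defrec} eq 'y' ? 'default ' : '')."SOA record for the requested ".
@@ -773,9 +781,11 @@
   # security check - does the user have permission to view this entity?
   # pass 1, record ID
-  if (!check_scope(id => $webvar{recid}, type => ($webvar{defrec} eq 'y' ? 'defrec' : 'record'))) {
+  if (!check_scope(id => $webvar{recid}, type =>
+        ($webvar{defrec} eq 'y' ? ($webvar{revrec} eq 'y' ? 'defrevrec' : 'defrec') : 'record'))) {
     changepage(page => 'domlist', errmsg => "You do not have permission to edit the requested SOA record");
   }
   # pass 2, parent (group or domain) ID
-  if (!check_scope(id => $webvar{id}, type => ($webvar{defrec} eq 'y' ? 'group' : 'domain'))) {
+  if (!check_scope(id => $webvar{id}, type =>
+        ($webvar{defrec} eq 'y' ? 'group' : ($webvar{revrec} eq 'y' ? 'revzone' : 'domain')))) {
     changepage(page => 'domlist', errmsg => "You do not have permission to edit the ".
         ($webvar{defrec} eq 'y' ? 'default ' : '')."SOA record for the requested ".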
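Review bot: The rewritten condition of the record-edit scope check at new line 525 is not valid Perl as rendered: the hash subscript opened by `$webvar{revrec` is never closed, so the parse fails at the `)` that follows; the sibling checks at lines 706 and 784 show the intended form, `($webvar{defrec} eq 'y' ? ($webvar{revrec} eq 'y' ? 'defrevrec' : 'defrec') : 'record'))) {`. The SOA-edit check at line 763 has the mirror problem, closing one parenthesis fewer than its condition opens, and should end `'domain')))) {` exactly as lines 432 and 789 do. A compile error on these lines fails closed, but it presumably takes every dns.cgi page down rather than only the reverse-zone paths, so a `perl -c dns.cgi` pass before committing authorization changes is worth making routine. The `if` blocks of both hunks continue past the end of the diff, so anything else inside them cannot be checked here.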