Changeset 319


Timestamp:
04/26/12 17:25:09 (13 years ago)
Author:
Kris Deugau
Message:

/trunk

Refine permissions handling:

  • self_edit now has meaning; the user can edit (or delete) their own account but not others.
  • Check on each request to see if a user was disabled; otherwise a user could keep their session active indefinitely by making a request just before each session expiry.
  • Don't allow non-superusers to make changes to a superuser account
File:
1 edited

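--- a/trunk/dns.cgi
+++ b/trunk/dns.cgi
@@ -286,4 +286,14 @@
 } # handle global webvar{action}s
 
+# finally check if the user was disabled.  we could just leave this for logout/session expiry,
+# but if they keep the session active they'll continue to have access long after being disabled.  :/
+# Treat it as a session expiry.
+if ($session->param('uid') && !userStatus($dbh, $session->param('uid')) ) {
+  $sid = '';
+  $session->delete;     # force expiry of the session Right Away
+  $session->flush;      # make sure it hits storage
+  changepage(page=> "login", sessexpired => 1);
+}
+
 # Misc Things To Do on most pages
 initPermissions($dbh, $session->param('uid'));
@@ -1089,5 +1099,6 @@
       $flag = 1 if isParent($dbh, $_, 'group', $webvar{id}, 'user');
     }
-    if ($flag && ($permissions{admin} || $permissions{user_edit})) {
+    if ($flag && ($permissions{admin} || $permissions{user_edit} ||
+        ($permissions{self_edit} && $webvar{id} == $session->param('uid')) )) {
       my $stat = userStatus($dbh,$webvar{id},$webvar{userstatus});
       $page->param(resultmsg => $DNSDB::resultstr);
@@ -1202,5 +1213,6 @@
       } else {
         changepage(page => "useradmin", errmsg => "You do not have permission to edit users")
-                unless $permissions{admin} || $permissions{user_edit};
+                unless $permissions{admin} || $permissions{user_edit} ||
+                        ($permissions{self_edit} && $session->param('uid') == $webvar{uid});
         # security check - does the user have permission to access this entity?
         if (!check_scope(id => $webvar{user}, type => 'user')) {
@@ -1259,5 +1271,6 @@
 
     changepage(page => "useradmin", errmsg => "You do not have permission to edit users")
-        unless $permissions{admin} || $permissions{user_edit};
+        unless $permissions{admin} || $permissions{user_edit} ||
+                ($permissions{self_edit} && $session->param('uid') == $webvar{user});
 
     # security check - does the user have permission to access this entity?
@@ -2082,6 +2095,8 @@
     $row{bg} = ($rownum++)%2;
     $row{sid} = $sid;
-    $row{eduser} = ($permissions{admin} || $permissions{user_edit});
-    $row{deluser} = ($permissions{admin} || $permissions{user_delete});
+    $row{eduser} = ($permissions{admin} ||
+        ($permissions{user_edit} && $data[3] ne 'S') ||
+        ($permissions{self_edit} && $data[0] == $session->param('uid')) );
+    $row{deluser} = ($permissions{admin} || ($permissions{user_delete} && $data[3] ne 'S'));
     push @userlist, \%row;
   }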
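Review bot: The superuser protection named in the commit message is enforced only in the user-list row flags (the `$data[3] ne 'S'` tests at new lines 2097–2100), while the server-side checks that actually gate the operations — the status toggle at new line 1101 and the two `changepage(... "You do not have permission to edit users")` guards at new lines 1215 and 1273 — still pass on `admin || user_edit` alone and never consult the target account's type, so a request that bypasses the list page is not covered unless a check outside these hunks does it. Those three guards should also reject a non-admin caller when the target account is a superuser, using the same account-type lookup the list view relies on, so the UI flag and the handler agree. Separately, the self_edit branch at new line 1216 compares the session uid with `$webvar{uid}` while the `check_scope` call right after it and the matching guard at line 1274 use `$webvar{user}`; if those are distinct request parameters the guard should compare the one the handler acts on, e.g. `($permissions{self_edit} && $session->param('uid') == $webvar{user});`. Each of the enclosing handlers starts and ends outside its hunk.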