Changeset 493 for trunk/dns.cgi

Timestamp:

04/30/13 18:00:29 (12 years ago)

Author:

Kris Deugau

Message:

/trunk

Overhaul session handling; pure URL-based sessions are subject to
copy-paste session-stealing. Convert to cookie-based session tracking
instead. This also provides bonuses in terms of inlinks from other
utilities or copy-paste links.
While session-handling was in pieces, add "pick-up-where-I-left-off"
login handling so that logins don't always end up only on the initial
domain list. This is especially handy for copy-paste links.

Also clean up some of the docucomments, use the CGI::Simple object to
do 302 redirects, and bring the revzone default sort field setup into
line with other thing-lists.

File:

• trunk/dns.cgi (modified) (18 diffs)

trunk/dns.cgi

@@ -65 +65 @@
 $webvar{revrec} = 'n' if !$webvar{revrec};      # non-reverse (domain) records
 
-# load some local system defaults (mainly DB connect info)
-# note this is not *absolutely* fatal, since there's a default dbname/user/pass in DNSDB.pm
-# we'll catch a bad DB connect string once we get to trying that
-##fixme:  pass params to loadConfig, and use them there, to allow one codebase to support multiple sites
+# create a DNSDB object.  this loads some local system defaults and connects to the DB
+# with the credentials configured
+##fixme:  pass params for loadConfig, and use them there, to allow one codebase to support multiple sites
 my $dnsdb = new DNSDB;
 
@@ -75 +74 @@
 $footer->param(version => $DNSDB::VERSION);
 
+##fixme:  slim chance this could be triggered on errors other than DB failure?
 if (!$dnsdb) {
   print "Content-type: text/html\n\n";
@@ -87 +87 @@
 $header->param(orgname => $dnsdb->{orgname}) if $dnsdb->{orgname} ne 'Example Corp';
 
-# persistent stuff needed on most/all pages
-my $sid = ($webvar{sid} ? $webvar{sid} : undef);
-my $session = new CGI::Session("driver:File", $sid, {Directory => $dnsdb->{sessiondir}})
+my $logingroup;
+my $curgroup;
+my @viewablegroups;
+
+# retrieve the session ID from our cookie, if possible
+my $sid = $q->cookie('dnsadmin_session');
+
+# see if the session loads
+my $session = CGI::Session->load("driver:File", $sid, {Directory => $dnsdb->{sessiondir}})
         or die CGI::Session->errstr();
-#$sid = $session->id() if !$sid;
+
 if (!$sid) {
-  # init stuff.  can probably axe this down to just above if'n'when user manipulation happens
-  $sid = $session->id();
-  $session->expire($dnsdb->{timeout});
-# need to know the "upper" group the user can deal with;  may as well
-# stick this in the session rather than calling out to the DB every time.
-  $session->param('logingroup',1);
-  $session->param('curgroup',1);        # yes, we *do* need to track this too.  er, probably.
-  $session->param('domlistsortby','domain');
-  $session->param('domlistorder','ASC');
-  $session->param('revzonessortby','revnet');
-  $session->param('revzonesorder','ASC');
-  $session->param('useradminsortby','user');
-  $session->param('useradminorder','ASC');
-  $session->param('grpmansortby','group');
-  $session->param('grpmanorder','ASC');
-  $session->param('reclistsortby','host');
-  $session->param('reclistorder','ASC');
-  $session->param('loclistsortby','description');
-  $session->param('loclistorder','ASC');
-  $session->param('logsortby','stamp');
-  $session->param('logorder','DESC');
+  $webvar{page} = 'login';
+} else {
+  # we have a session to load from, maybe
+  $logingroup = ($session->param('logingroup') ? $session->param('logingroup') : 1);
+  $curgroup = ($session->param('curgroup') ? $session->param('curgroup') : $logingroup);
+  # security check - does the user have permission to view this entity?
+  # this is a prep step used "many" places
+  $dnsdb->getChildren($logingroup, \@viewablegroups, 'all');
+  push @viewablegroups, $logingroup;
+##fixme: make sessions persist through closing the site?
+# this even bridges browser close too.  hmm...
+  $webvar{page} = 'domlist' if !$webvar{page};
 }
 
-# Just In Case.  Stale sessions should not be resurrectable.
-if ($sid ne $session->id()) {
-  $sid = '';
-  changepage(page=> "login", sessexpired => 1);
-}
-
-# normal expiry, more or less
-if ($session->is_expired) {
-  $sid = '';
-  changepage(page=> "login", sessexpired => 1);
-}
-
-my $logingroup = ($session->param('logingroup') ? $session->param('logingroup') : 1);
-my $curgroup = ($session->param('curgroup') ? $session->param('curgroup') : $logingroup);
-
-# decide which page to spit out...
-# also set $webvar{page} before we try to use it.
+# set $webvar{page} before we try to use it.
 $webvar{page} = 'login' if !$webvar{page};
 
-# per-page startwith, filter, searchsubs
+## per-page startwith, filter, searchsubs
 
 ##fixme:  complain-munge-and-continue with non-"[a-z0-9-.]" filter and startwith
@@ -163 +144 @@
 push @filterargs, $filter if $filter;
 
-## set up "URL to self"
+## set up "URL to self" (whereami edition)
 # @#$%@%@#% XHTML - & in a URL must be escaped.  >:(
 my $uri_self = $ENV{REQUEST_URI};
@@ -181 +162 @@
 
 # Fix up $uri_self so we don't lose the session/page
-$uri_self .= "?sid=$sid&page=$webvar{page}" if $uri_self =~ m{/dns.cgi$};
-$uri_self = "$ENV{SCRIPT_NAME}?sid=$sid&page=$webvar{page}$1" if $uri_self =~ m{/dns.cgi\&(.+)$};
+$uri_self .= "?page=$webvar{page}" if $uri_self =~ m{/dns.cgi$};
+$uri_self = "$ENV{SCRIPT_NAME}?page=$webvar{page}$1" if $uri_self =~ m{/dns.cgi\&(.+)$};
+
+## end uri_self monkeying
 
 # pagination
-my $perpage = 15;
+my $perpage = 15;  # Just In Case
 $perpage = $dnsdb->{perpage} if $dnsdb->{perpage};
 my $offset = ($webvar{offset} ? $webvar{offset} : 0);
 
 # NB:  these must match the field name and SQL ascend/descend syntax respectively
+# sortby is reset to a suitable "default", then re-reset to whatever the user has
+# clicked on last in the record=listing subs, but best to put a default here.
 my $sortby = "domain";
 my $sortorder = "ASC";
 
-# security check - does the user have permission to view this entity?
-# this is a prep step used "many" places
-my @viewablegroups;
-$dnsdb->getChildren($logingroup, \@viewablegroups, 'all');
-push @viewablegroups, $logingroup;
-
+# Create the page template object.  Display a reasonable error page and whine if the template doesn't exist.
 my $page;
 eval {
@@ -217 +197 @@
 }
 
-# handle login redirect
+my $sesscookie;
+
+# handle can-happen-on-(almost)-any-page actions
 if ($webvar{action}) {
+
   if ($webvar{action} eq 'login') {
     # Snag ACL/permissions here too
@@ -226 +209 @@
     if ($userdata) {
 
+      # (re)create the session
+      $session = new CGI::Session("driver:File", $sid, {Directory => $dnsdb->{sessiondir}})
+        or die CGI::Session->errstr();
+      $sid = $session->id();
+
+      $sesscookie = $q->cookie( -name => 'dnsadmin_session',
+        -value => $sid,
+        -expires => "+".$dnsdb->{timeout},
+        -secure => 0,
+## fixme:  need to extract root path for cookie, so as to limit cookie to dnsadmin instance
+#        -path => $url
+        );
+
       # set session bits
+      $session->expire($dnsdb->{timeout});
       $session->param('logingroup',$userdata->{group_id});
       $session->param('curgroup',$userdata->{group_id});
@@ -232 +229 @@
       $session->param('username',$webvar{username});
 
-      changepage(page => "domlist");
+# for reference.  seems we don't need to set these on login any more.
+#  $session->param('domlistsortby','domain');
+#  $session->param('domlistorder','ASC');
+#  $session->param('revzonessortby','revnet');
+#  $session->param('revzonesorder','ASC');
+#  $session->param('useradminsortby','user');
+#  $session->param('useradminorder','ASC');
+#  $session->param('grpmansortby','group');
+#  $session->param('grpmanorder','ASC');
+#  $session->param('reclistsortby','host');
+#  $session->param('reclistorder','ASC');
+#  $session->param('loclistsortby','description');
+#  $session->param('loclistorder','ASC');
+#  $session->param('logsortby','stamp');
+#  $session->param('logorder','DESC');
+
+      ## "recover my link" - tack on request bits and use requested page instead of hardcoding domlist
+      # this could possibly be compacted by munging changepage a little so we don't have to deconstruct
+      # and reconstruct the URI argument list.
+      my %target = (page => "domlist");
+      if ($webvar{target}) {
+        my $tmp = (split /\?/, $webvar{target})[1];
+        $tmp =~ s/^\&//;
+        my @targs = split /\&/, $tmp;
+        foreach (@targs) {
+          my ($k,$v) = split /=/;
+          $target{$k} = $v if $k;
+          # if we're going through a "session expired" login, we may have a different
+          # "current group" than the login group.
+          $session->param('curgroup', $v) if $k eq 'curgroup';
+##fixme:  page=record goes "FOOM", sometimes - cause/fix?
+        }
+      }
+      changepage(%target);
 
     } else {
@@ -243 +273 @@
     $session->flush();
 
+    my $sesscookie = $q->cookie( -name => 'dnsadmin_session',
+      -value => $sid,
+      -expires => "-1",
+      -secure => 0,
+## fixme:  need to extract root path for cookie, so as to limit cookie to dnsadmin instance
+#      -path => $url
+      );
+
     my $newurl = "http://$ENV{HTTP_HOST}$ENV{SCRIPT_NAME}";
     $newurl =~ s|/[^/]+$|/|;
-    print "Status: 302\nLocation: $newurl\n\n";
+    print $q->redirect( -uri => $newurl, -cookie => $sesscookie);
     exit;
 
-  } elsif ($webvar{action} eq 'chgroup') {
+  } elsif ($webvar{action} eq 'chgroup' && $webvar{page} ne 'login') {
     # fiddle session-stored group data
     # magic incantation to... uhhh...
@@ -280 +318 @@
 } # handle global webvar{action}s
 
+
 # finally check if the user was disabled.  we could just leave this for logout/session expiry,
 # but if they keep the session active they'll continue to have access long after being disabled.  :/
@@ -295 +334 @@
 $dnsdb->initActionLog($session->param('uid'));
 
-$page->param(sid => $sid) unless $webvar{page} eq 'login';      # no session ID on the login page
+##
+## Per-page processing
+##
 
 if ($webvar{page} eq 'login') {
 
-  $page->param(loginfailed => 1) if $webvar{loginfailed};
-  $page->param(sessexpired => 1) if $webvar{sessexpired};
+  my $target = $ENV{REQUEST_URI};
+  $target =~ s/\&/\&/g;
+  $page->param(target => $target); # needs to be trimmed a little, maybe?
+
+  $page->param(sessexpired => 1) if (!$sid && $target !~ m|/$|);
+
+  if ($webvar{loginfailed}) {
+    $page->param(loginfailed => 1);
+    $webvar{target} =~ s/\&/\&/g;   # XHTML we do (not) love you so
+    $page->param(target => $webvar{target}) if $webvar{target};
+  }
+#  if $webvar{sessexpired};      # or this with below?
+  if ($session->is_expired) {
+    $page->param(sessexpired => 1);
+    $session->delete();   # Just to make sure
+    $session->flush();
+  }
   $page->param(version => $DNSDB::VERSION);
+  $page->param(script_self => ($ENV{SCRIPT_NAME} =~ m|/([^/]+)$|)[0]);
 
 } elsif ($webvar{page} eq 'domlist' or $webvar{page} eq 'index') {
@@ -1693 +1750 @@
 
 # start output here so we can redirect pages.
-print "Content-type: text/html\n\n", $header->output;
+print $q->header( -cookie => $sesscookie);
+print $header->output;
 
 ##common bits
@@ -1722 +1780 @@
   $page->param(inlogingrp => $curgroup == $logingroup);
 
-# fill in the URL-to-self
+# fill in the URL-to-self for the group tree and search-by-letter
   $page->param(whereami => $uri_self);
+# fill in general URL-to-self
+  $page->param(script_self => "$ENV{SCRIPT_NAME}?".($curgroup ? "curgroup=$curgroup" : ''));
 }
 
@@ -1805 +1865 @@
 
   # handle user check
-  my $newurl = "http://$ENV{HTTP_HOST}$ENV{SCRIPT_NAME}?sid=$sid";
+  my $newurl = "http://$ENV{HTTP_HOST}$ENV{SCRIPT_NAME}?";
   foreach (sort keys %params) {
 ## fixme:  something is undefined here on add location
@@ -1814 +1874 @@
   $session->flush();
 
-  print "Status: 302\nLocation: $newurl\n\n";
+  print $q->redirect ( -url => $newurl, -cookie => $sesscookie);
   exit;
 } # end changepage
@@ -1906 +1966 @@
   foreach my $rec (@$foo2) {
     $rec->{type} = $typemap{$rec->{type}};
-    $rec->{sid} = $webvar{sid};
     $rec->{fwdzone} = $rev eq 'n';
     $rec->{distance} = 'n/a' unless ($rec->{type} eq 'MX' || $rec->{type} eq 'SRV'); 
@@ -2044 +2103 @@
   fill_fpnla($count);
 
+  $sortby = ($webvar{revrec} eq 'n' ? 'domain' : 'revnet');
 # sort/order
   $session->param($webvar{page}.'sortby', $webvar{sortby}) if $webvar{sortby};
@@ -2292 +2352 @@
   foreach my $col (@$cols) {
     my %coldata;
-    $coldata{sid} = $sid;
     $coldata{page} = $webvar{page};
     $coldata{offset} = $webvar{offset} if $webvar{offset};