Changeset 592 for trunk/DNSDB.pm


Ignore:
Timestamp:
02/13/14 17:43:02 (10 years ago)
Author:
Kris Deugau
Message:

/trunk

Review, fix, tweak, and fine-tune user permission add/update handling.

Confirm that it now correctly limits a user to granting only those
permissions they already hold, and only warns when the requested
permissions are really greater or mismatched.

Also catch a possible malicious escalation to superuser/admin status.

Confirm it *should* be impossible to generate this warning via normal
web UI actions; someone would have to manually construct a URL or POST
request with the appropriate fields.

See #30.

File:
1 edited

Legend:

Unmodified
Added
Removed

  • trunk/DNSDB.pm

    r586 r592  
    17351735# Returns '>', '<', '=', '!'
    17361736sub comparePermissions {
     1737  my $self = shift;
    17371738  my $p1 = shift;
    17381739  my $p2 = shift;
     
    28162817    # insert the user...  note we set inherited perms by default since
    28172818    # it's simple and cleans up some other bits of state
     2819##fixme:  need better handling of case of inherited or missing (!!) permissions entries
    28182820    my $sth = $dbh->prepare("INSERT INTO users ".
    28192821        "(group_id,username,password,firstname,lastname,phone,type,status,permission_id,inherit_perm) ".
Note: See TracChangeset for help on using the changeset viewer.