Changeset 649 for branches/stable/dns.cgi

Timestamp:

06/23/14 17:52:37 (11 years ago)

Author:

Kris Deugau

Message:

/branches/stable

Subtle bugfix merge! All changes from /trunk r589 through r648 merged.

Location:

branches/stable

Files:

• . (modified) (1 prop)
• dns.cgi (modified) (20 diffs)

branches/stable/dns.cgi

@@ -97 +97 @@
         or die CGI::Session->errstr();
 
-if (!$sid || $session->is_expired) {
+if (!$sid || $session->is_expired || !$session->param('uid') || !$dnsdb->userStatus($session->param('uid')) ) {
   $webvar{page} = 'login';
 } else {
@@ -219 +219 @@
 my $sesscookie = $q->cookie( -name => 'dnsadmin_session',
         -value => $sid,
-#        -expires => "+".$dnsdb->{timeout},
+        -expires => "+".$dnsdb->{timeout},
         -secure => 0,
 ## fixme:  need to extract root path for cookie, so as to limit cookie to dnsadmin instance
@@ -242 +242 @@
       $sesscookie = $q->cookie( -name => 'dnsadmin_session',
         -value => $sid,
-#        -expires => "+".$dnsdb->{timeout},
+        -expires => "+".$dnsdb->{timeout},
         -secure => 0,
 ## fixme:  need to extract root path for cookie, so as to limit cookie to dnsadmin instance
@@ -254 +254 @@
       $session->param('uid',$userdata->{user_id});
       $session->param('username',$webvar{username});
+      $curgroup = $userdata->{group_id};
 
 # for reference.  seems we don't need to set these on login any more.
@@ -742 +743 @@
       my %pageparams = (page => "reclist", id => $webvar{parentid},
         defrec => $webvar{defrec}, revrec => $webvar{revrec});
-      $pageparams{warnmsg} = $msg."<br><br>\n".$DNSDB::resultstr if $code eq 'WARN';
+      $pageparams{warnmsg} = $msg."<br />\n".$DNSDB::resultstr if $code eq 'WARN';
       $pageparams{resultmsg} = $DNSDB::resultstr if $code eq 'OK';
       changepage(%pageparams);
@@ -801 +802 @@
       my %pageparams = (page => "reclist", id => $webvar{parentid},
         defrec => $webvar{defrec}, revrec => $webvar{revrec});
-      $pageparams{warnmsg} = $msg."<br><br>\n".$DNSDB::resultstr if $code eq 'WARN';
+      $pageparams{warnmsg} = $msg."<br />\n".$DNSDB::resultstr if $code eq 'WARN';
       $pageparams{resultmsg} = $DNSDB::resultstr if $code eq 'OK';
       changepage(%pageparams);
@@ -1076 +1077 @@
   fill_permissions($page, \%grpperms);
 
-} elsif ($webvar{page} eq 'bulkdomain') {
+} elsif ($webvar{page} eq 'bulkdomain' || $webvar{page} eq 'bulkrev') {
   # Bulk operations on domains.  Note all but group move are available on the domain list.
-##fixme:  do we care about bulk operations on revzones?  Move-to-group, activate, deactivate,
-# and delete should all be much rarer for revzones than for domains.
-
-  changepage(page => "domlist", errmsg => "You are not permitted to make bulk domain changes")
+
+  changepage(page => "domlist", errmsg => "You are not permitted to make bulk zone changes")
         unless ($permissions{admin} || $permissions{domain_edit} || $permissions{domain_create} || $permissions{domain_delete});
 
   fill_grouplist("grouplist");
 
-  my $count = $dnsdb->getZoneCount(revrec => 'n', curgroup => $curgroup);
+  $page->param(fwdzone => $webvar{page} eq 'bulkdomain');
+
+  my $count = $dnsdb->getZoneCount(revrec => ($webvar{page} eq 'bulkdomain' ? 'n' : 'y'),
+        curgroup => $curgroup);
 
   $page->param(curpage => $webvar{page});
@@ -1093 +1095 @@
   $page->param(perpage => $perpage);
 
-  my $domlist = $dnsdb->getZoneList(revrec => 'n', curgroup => $curgroup, offset => $offset);
+  my $domlist = $dnsdb->getZoneList(revrec => ($webvar{page} eq 'bulkdomain' ? 'n' : 'y'),
+        curgroup => $curgroup, offset => $offset);
   my $rownum = 0;
   foreach my $dom (@{$domlist}) {
     delete $dom->{status};
     delete $dom->{group};
-    $dom->{newrow} = (++$rownum) % 5 == 0;
+    $dom->{newrow} = (++$rownum) % 5 == 0 && $rownum != $perpage;
   }
 
@@ -1107 +1110 @@
   $page->param(maydelete => $permissions{admin} || $permissions{domain_delete});
 
+#} elsif ($webvar{page} eq 'confirmbulkdom' || $webvar{page} eq 'confirmbulkrev') {
+} elsif ($webvar{page} eq 'confirmbulk') {
+
+  changepage(page => "domlist", errmsg => "You are not permitted to make bulk zone changes")
+        unless ($permissions{admin} || $permissions{domain_edit} || $permissions{domain_create} || $permissions{domain_delete});
+
+  $page->param(bulkaction => $webvar{bulkaction});
+  $page->param(destgroup => $webvar{destgroup});
+  my @zlist;
+  my $rownum = 0;
+
+##fixme: this could probably be made more efficient, since this looks up 2 zone names for
+# each comparison during sort rather than slurping them in bulk once before doing the sort
+  # sort zones by zone name, not ID
+  sub zsort {
+    my $tmpa = ($a =~ /^dom/ ? $dnsdb->domainName($webvar{$a}) : $dnsdb->revName($webvar{$a}) );
+    my $tmpb = ($b =~ /^dom/ ? $dnsdb->domainName($webvar{$b}) : $dnsdb->revName($webvar{$b}) );
+    return $tmpa cmp $tmpb;
+  }
+  # eugh.  can't see a handy way to sort this mess by zone name the way it is on the submitting page.  :(
+  foreach my $input (sort zsort grep(/^(?:dom|rev)_/, keys %webvar) ) {
+    next unless $input =~ /^(dom|rev)_\d+$/;
+    my $fr = $1;
+    my %row = (zoneid => $webvar{$input},
+        zone => ($fr eq 'dom' ? $dnsdb->domainName($webvar{$input}) : $dnsdb->revName($webvar{$input}) ),
+        zvarname => $input,
+        newrow => ( (++$rownum) % 5 == 0 && $rownum != $perpage),
+        );
+    push @zlist, \%row;
+  }
+  $page->param(domtable => \@zlist);
+
 } elsif ($webvar{page} eq 'bulkchange') {
 
@@ -1115 +1150 @@
   }
 
+  # skip the changes if user did not confirm
+  my $wasrev = grep /^rev_/, keys %webvar;
+  changepage(page => ($wasrev ? "bulkrev" : "bulkdomain")) unless $webvar{okdel} eq 'y';
+
+  changepage(page => "domlist", errmsg => "You are not permitted to make bulk zone changes")
+        unless ($permissions{admin} || $permissions{domain_edit} || $permissions{domain_create} || $permissions{domain_delete});
+
   # per-action scope checks
   if ($webvar{bulkaction} eq 'move') {
-    changepage(page => "domlist", errmsg => "You are not permitted to bulk-move domains")
+    changepage(page => "domlist", errmsg => "You are not permitted to bulk-move zones")
         unless ($permissions{admin} || ($permissions{domain_edit} && $permissions{domain_create} && $permissions{domain_delete}));
     my $newgname = $dnsdb->groupName($webvar{destgroup});
     $page->param(action => "Move to group $newgname");
   } elsif ($webvar{bulkaction} eq 'deactivate' || $webvar{bulkaction} eq 'activate') {
-    changepage(page => "domlist", errmsg => "You are not permitted to bulk-$webvar{bulkaction} domains")
+    changepage(page => "domlist", errmsg => "You are not permitted to bulk-$webvar{bulkaction} zones")
         unless ($permissions{admin} || $permissions{domain_edit});
-    $page->param(action => "$webvar{bulkaction} domains");
+    $page->param(action => "$webvar{bulkaction} zones");
   } elsif ($webvar{bulkaction} eq 'delete') {
-    changepage(page => "domlist", errmsg => "You are not permitted to bulk-delete domains")
+    changepage(page => "domlist", errmsg => "You are not permitted to bulk-delete zones")
         unless ($permissions{admin} || $permissions{domain_delete});
-    $page->param(action => "$webvar{bulkaction} domains");
+    $page->param(action => "$webvar{bulkaction} zones");
   } else {
     # unknown action, bypass actually doing anything.  it should not be possible in
@@ -1139 +1181 @@
   # order here, and since we don't have the domain names until we go around this
   # loop, we can't alpha-sort them here.  :(
-  foreach (keys %webvar) {
+  foreach my $input (keys %webvar) {
     my %row;
-    next unless $_ =~ /^dom_\d+$/;
+    next unless $input =~ /^(dom|rev)_\d+$/;
+    my $fr = $1;
     # second security check - does the user have permission to meddle with this domain?
-    if (!check_scope(id => $webvar{$_}, type => 'domain')) {
-      $row{domerr} = "You are not permitted to make changes to the requested domain";
-      $row{domain} = $webvar{$_};
+    if (!check_scope(id => $webvar{$input}, type => ($fr eq 'dom' ? 'domain' : 'revzone'))) {
+      $row{domerr} = "You are not permitted to make changes to the requested zone";
+      $row{domain} = $webvar{$input};
       push @bulkresults, \%row;
       next;
     }
-    $row{domain} = $dnsdb->domainName($webvar{$_});
+    $row{domain} = ($fr eq 'dom' ? $dnsdb->domainName($webvar{$input}) : $dnsdb->revName($webvar{$input}));
 
     # Do the $webvar{bulkaction}
     my ($code, $msg);
-    ($code, $msg) = $dnsdb->changeGroup('domain', $webvar{$_}, $webvar{destgroup})
+    ($code, $msg) = $dnsdb->changeGroup(($fr eq 'dom' ? 'domain' : 'revzone'), $webvar{$input}, $webvar{destgroup})
         if $webvar{bulkaction} eq 'move';
     if ($webvar{bulkaction} eq 'deactivate' || $webvar{bulkaction} eq 'activate') {
-      my $stat = $dnsdb->zoneStatus($webvar{$_}, 'n', ($webvar{bulkaction} eq 'activate' ? 'domon' : 'domoff'));
+      my $stat = $dnsdb->zoneStatus($webvar{$input}, ($fr eq 'dom' ? 'n' : 'y'),
+        ($webvar{bulkaction} eq 'activate' ? 'domon' : 'domoff'));
       $code = (defined($stat) ? 'OK' : 'FAIL');
       $msg = (defined($stat) ? $DNSDB::resultstr : $DNSDB::errstr);
     }
-    ($code, $msg) = $dnsdb->delZone($webvar{$_}, 'n')
+    ($code, $msg) = $dnsdb->delZone($webvar{$input}, ($fr eq 'dom' ? 'n' : 'y'))
         if $webvar{bulkaction} eq 'delete';
 
@@ -1190 +1234 @@
         ($permissions{self_edit} && $webvar{id} == $session->param('uid')) )) {
       my $stat = $dnsdb->userStatus($webvar{id}, $webvar{userstatus});
+      # kick user out if user disabled self
+      # arguably there should be a more specific error message for this case
+      changepage(page=> 'login', sessexpired => 1) if $webvar{id} == $session->param('uid');
       $page->param(resultmsg => $DNSDB::resultstr);
     } else {
@@ -1246 +1293 @@
     } else {
 
-      # assemble a permission string - far simpler than trying to pass an
-      # indeterminate set of permission flags individually
-
-      # But first, we have to see if the user can add any particular
-      # permissions;  otherwise we have a priviledge escalation.  Whee.
-
+      my $permstring = 'i';     # start with "inherit"
+
+      # Remap passed checkbox states from webvar to integer/boolean values in %newperms
+      foreach (@permtypes) {
+        $newperms{$_} = (defined($webvar{$_}) && $webvar{$_} eq 'on' ? 1 : 0);
+      }
+
+      # Check for chained permissions.  Some permissions imply others;  make sure they get set.
+      foreach (keys %permchains) {
+        if ($newperms{$_} && !$newperms{$permchains{$_}}) {
+          $newperms{$permchains{$_}} = 1;
+        }
+      }
+
+      # check for possible priviledge escalations
       if (!$permissions{admin}) {
-        my %grpperms;
-        $dnsdb->getPermissions('group', $curgroup, \%grpperms);
-        my $ret = comparePermissions(\%permissions, \%grpperms);
-        if ($ret eq '<' || $ret eq '!') {
-          # User's permissions are not a superset or equivalent to group.  Can't inherit
-          # (and include access user doesn't currently have), so we force custom.
+        if ($webvar{perms_type} eq 'inherit') {
+          # Group permissions are only relevant if inheriting
+          my %grpperms;
+          $dnsdb->getPermissions('group', $curgroup, \%grpperms);
+          my $ret = $dnsdb->comparePermissions(\%permissions, \%grpperms);
+          if ($ret eq '<' || $ret eq '!') {
+            # User's permissions are not a superset or equivalent to group.  Can't inherit
+            # (and include access user doesn't currently have), so we force custom.
+            $webvar{perms_type} = 'custom';
+            $alterperms = 1;
+          }
+        }
+        my $ret = $dnsdb->comparePermissions(\%newperms, \%permissions);
+        if ($ret eq '>' || $ret eq '!') {
+          # User's new permissions are not a subset or equivalent to previous.  Can't add
+          # permissions user doesn't currently have, so we force custom.
           $webvar{perms_type} = 'custom';
           $alterperms = 1;
@@ -1264 +1330 @@
       }
 
-      my $permstring;
+##fixme:
+# could possibly factor building the meat of the permstring out of this if/elsif set, so
+# as to avoid running around @permtypes quite so many times
       if ($webvar{perms_type} eq 'custom') {
         $permstring = 'C:';
@@ -1270 +1338 @@
           if ($permissions{admin} || $permissions{$_}) {
             $permstring .= ",$_" if defined($webvar{$_}) && $webvar{$_} eq 'on';
-            $newperms{$_} = (defined($webvar{$_}) && $webvar{$_} eq 'on' ? 1 : 0);
+          } else {
+            $newperms{$_} = 0;  # remove permissions user doesn't currently have
           }
         }
@@ -1278 +1347 @@
         $dnsdb->getPermissions('user', $webvar{clonesrc}, \%newperms);
         $page->param(perm_clone => 1);
-      } else {
-        $permstring = 'i';
       }
-      # "Chained" permissions.  Some permissions imply others;  make sure they get set.
+      # Recheck chained permissions, in the supposedly impossible case that the removals
+      # above mangled one of them.  This *should* be impossible via normal web UI operations.
       foreach (keys %permchains) {
         if ($newperms{$_} && !$newperms{$permchains{$_}}) {
@@ -1311 +1379 @@
                 $webvar{fname}, $webvar{lname}, $webvar{phone});
         if ($code eq 'OK') {
-          $newperms{admin} = 1 if $webvar{accttype} eq 'S';
+          $newperms{admin} = 1 if $permissions{admin} && $webvar{accttype} eq 'S';
           ($code2,$msg2) = $dnsdb->changePermissions('user', $webvar{uid}, \%newperms, ($permstring eq 'i'));
         }
@@ -1461 +1529 @@
       my %pageparams = (page => "loclist", id => $webvar{parentid},
         defrec => $webvar{defrec}, revrec => $webvar{revrec});
-      $pageparams{warnmsg} = $msg."<br><br>\n".$DNSDB::resultstr if $code eq 'WARN';
+      $pageparams{warnmsg} = $msg."<br />\n".$DNSDB::resultstr if $code eq 'WARN';
       $pageparams{resultmsg} = $DNSDB::resultstr if $code eq 'OK';
       changepage(%pageparams);
@@ -1818 +1886 @@
   $page->param(whereami => $uri_self);
 # fill in general URL-to-self
-  $page->param(script_self => "$ENV{SCRIPT_NAME}?".($curgroup ? "curgroup=$curgroup" : ''));
+  $page->param(script_self => "$ENV{SCRIPT_NAME}?");
 }
 
@@ -2047 +2115 @@
     $page->param(name   => ($webvar{name} ? $webvar{name} : $domroot));
     my $zname = ($webvar{defrec} eq 'y' ? 'ZONE' : $dnsdb->revName($webvar{parentid}, 'y'));
-    my $cidr = new NetAddr::IP $zname;
     $zname =~ s|\d*/\d+$||;
     $page->param(address        => ($webvar{address} ? $webvar{address} : $zname));
     $page->param(typelist => $dnsdb->getTypelist($webvar{revrec},
-        $webvar{type} || ($cidr->{isv6} ? $reverse_typemap{'AAAA+PTR'} : $reverse_typemap{'A+PTR'})));
+        $webvar{type} || ($zname =~ /:/ ? $reverse_typemap{'AAAA+PTR'} : $reverse_typemap{'A+PTR'})));
   }
 # retrieve the right ttl instead of falling (way) back to the hardcoded system default