Context Navigation

← Previous Changeset
Next Changeset →

Changeset 65

Timestamp:

11/25/10 16:26:08 (13 years ago)

Author:

Kris Deugau

Message:

/trunk

checkpoint, adding permissions/ACL support

Location:

Files:

: 3 added
: 9 edited

DNSDB.pm (modified) (7 diffs)
dns.cgi (modified) (13 diffs)
dns.sql (modified) (6 diffs)
templates/dns.css (modified) (5 diffs)
templates/edgroup.tmpl (added)
templates/grpman.tmpl (modified) (1 diff)
templates/grptree.tmpl (modified) (1 diff)
templates/menu.tmpl (modified) (1 diff)
templates/newuser.tmpl (modified) (2 diffs)
templates/permlist_enabled.tmpl (added)
templates/template.tmpl (added)
templates/useradmin.tmpl (modified) (1 diff)

Legend:

: Unmodified
: Added
: Removed

trunk/DNSDB.pm

-              r62
+              r65
 use DBI;
 use Net::DNS;
+use Crypt::PasswdMD5;
 #use Net::SMTP;
 #use NetAddr::IP qw( Compact );
 …
 @ISA            = qw(Exporter);
 @EXPORT_OK      = qw(
+        &initGlobals &connectDB &finish
+        &initGlobals &initPermissions &getPermissions
+        &connectDB &finish
         &addDomain &delDomain &domainName
         &addGroup &delGroup &getChildren &groupName
 …
         &domStatus &importAXFR
         %typemap %reverse_typemap
+        %permissions
         );
 @EXPORT         = (); # Export nothing by default.
 %EXPORT_TAGS    = ( ALL => [qw(
+                &initGlobals &connectDB &finish
+                &initGlobals &initPermissions &getPermissions
+                &connectDB &finish
                 &addDomain &delDomain &domainName
                 &addGroup &delGroup &getChildren &groupName
 …
                 &domStatus &importAXFR
                 %typemap %reverse_typemap
+                %permissions
                 )]
         );
 …
 our %reverse_typemap;
+our %permissions;
 ##
 …
+  }
 } # end initGlobals
+## DNSDB::initPermissions()
+# Set up permissions global
+# Takes database handle and UID
+sub initPermissions {
+  my $dbh = shift;
+  my $uid = shift;
+#  %permissions = $(getPermissions($dbh,'user',$uid));
+  getPermissions($dbh, 'user', $uid, \%permissions);
+} # end initPermissions()
+## DNSDB::getPermissions()
+# Get permissions from DB
+# Requires DB handle, group or user flag, ID, and hashref.
+sub getPermissions {
+  my $dbh = shift;
+  my $type = shift;
+  my $id = shift;
+  my $hash = shift;
+  my $sql = qq(
+        SELECT
+        p.admin,p.self_edit,
+        p.group_create,p.group_edit,p.group_delete,
+        p.user_create,p.user_edit,p.user_delete,
+        p.domain_create,p.domain_edit,p.domain_delete,
+        p.record_create,p.record_edit,p.record_delete
+        FROM permissions p
+        );
+  if ($type eq 'group') {
+    $sql .= qq(
+        JOIN groups g ON g.permission_id=p.permission_id
+        WHERE g.group_id=?
+        );
+  } else {
+    $sql .= qq(
+        JOIN users u ON u.permission_id=p.permission_id
+        WHERE u.user_id=?
+        );
+  }
+  my $sth = $dbh->prepare($sql);
+  $sth->execute($id) or die "argh: ".$sth->errstr;
+#  my $permref = $sth->fetchrow_hashref;
+#  return $permref;
+#  $hash = $permref;
+# Eww.  Need to learn how to forcibly drop a hashref onto an existing hash.
+  ($hash->{admin},$hash->{self_edit},
+        $hash->{group_create},$hash->{group_edit},$hash->{group_delete},
+        $hash->{user_create},$hash->{user_edit},$hash->{user_delete},
+        $hash->{domain_create},$hash->{domain_edit},$hash->{domain_delete},
+        $hash->{record_create},$hash->{record_edit},$hash->{record_delete})
+        = $sth->fetchrow_array;
+} # end getPermissions()
+## DNSDB::changePermissions()
+# Update an ACL entry
+# Takes a db handle, type, owner-id, and hashref for the changed permissions.
+##fixme: Must handle case of changing object's permissions from inherited to custom
+sub changePermissions {
+  my $dbh = shift;
+  my $type = shift;
+  my $id = shift;
+  my $newperms = shift;
+  # see if we're switching from inherited to custom
+  my $sth = $dbh->prepare("SELECT (u.permission_id=g.permission_id) AS was_inherited".
+        " FROM ".($type eq 'user' ? 'users' : 'groups')." u ".
+        " JOIN groups g ON u.group_id=g.group_id ".
+        " WHERE u.".($type eq 'user' ? 'user' : 'group')."_id=?");
+  $sth->execute($id);
+} # end changePermissions()
 …
 ##fixme: add another table to hold name/email for log table?
+die "dying horribly\n";
     # once we get here, we should have suceeded.

trunk/dns.cgi

-              r64
+              r65
 if ($webvar{action}) {
   if ($webvar{action} eq 'login') {
+    # Snag ACL/permissions here too
     my $sth = $dbh->prepare("SELECT user_id,group_id,password,firstname,lastname FROM users WHERE username=?");
     $sth->execute($webvar{username});
 …
     $session->param('logingroup',$gid);
     $session->param('curgroup',$gid);
+    $session->param('uid',$uid);
     $session->param('username',$webvar{username});
 …
 } # handle global webvar{action}s
+initPermissions($dbh,$session->param('uid'));
 ## Default page is a login page
 …
   $page->param(delgroupname => groupName($dbh, $webvar{id}));
+} elsif ($webvar{page} eq 'edgroup') {
+  if ($webvar{action} eq 'updperms') {
+    # extra safety check;  make sure user can't construct a URL to bypass ACLs
+    my %curperms;
+    getPermissions($dbh, 'group', $webvar{gid}, \%curperms);
+    foreach (('group_edit','group_create','group_delete',
+                'user_edit','user_create','user_delete',
+                'domain_edit','domain_create','domain_delete',
+                'record_edit','record_create','record_delete',
+                'self_edit')
+                ) {
+      $webvar{$_} = 0 if !defined($webvar{$_});
+      $webvar{$_} = 1 if $webvar{$_} eq 'on';
+push @debugbits, "$_ has changed: '$curperms{$_}' => '$webvar{$_}'<br>\n" if $curperms{$_} ne $webvar{$_};
+      if ($permissions{admin} || $permissions{$_}) {
+        if (($webvar{$_} eq 'on' && !$curperms{$_}) or
+                (!$webvar{$_} && $curperms{$_})) {
+          push @debugbits, '&nbsp;&nbsp;'."may update $_<br>\n";
+        }
+      }
+    }
+  }
+  $page->param(gid => $webvar{gid});
+  $page->param(grpmeddle => groupName($dbh, $webvar{gid}));
+  my %grpperms;
+  getPermissions($dbh, 'group', $webvar{gid}, \%grpperms);
+#  unless (0) {
+  foreach (('group_edit','group_create','group_delete',
+                'user_edit','user_create','user_delete',
+                'domain_edit','domain_create','domain_delete',
+                'record_edit','record_create','record_delete',
+                'self_edit')
+                ) {
+#push @debugbits, "$_ => admin? '$permissions{admin}' may_$_? '$permissions{$_}' group? '$grpperms{$_}'<br>\n";
+    $page->param("may_$_" => ($permissions{admin} || $permissions{$_}));
+    $page->param($_ => $grpperms{$_});
+  }
+#  }
+#  my %grpperms = getPermissions('group',$webvar{group});
 } elsif ($webvar{page} eq 'useradmin') {
 …
   # foo?
   fill_actypelist();
+  fill_clonemelist();
 } elsif ($webvar{page} eq 'adduser') {
 …
     $msg = "Passwords don't match";
   } else {
+# assemble a permission string - far simpler than trying to pass an
+# indeterminate set of permission flags individually
+my $permstring;
+if ($webvar{perms_type} eq 'custom') {
+  $permstring = 'C:,g:,u:,d:,r:';
+  $page->param(perm_custom => 1);
+} elsif ($webvar{perms_type} eq 'clone') {
+  $permstring = 'c:';
+  $page->param(perm_clone => 1);
+} else {
+  $permstring = 'i';
+#  $page->param(perm_inherit => 1);
+}
     ($code,$msg) = addUser($dbh,$webvar{uname}, $webvar{group}, $webvar{pass1},
         ($webvar{makeactive} eq 'on' ? 1 : 0), $webvar{accttype},
 …
     $page->param(errmsg => $msg);
     fill_actypelist();
+    fill_clonemelist();
+  }
 …
       list_users($curgroup);
     } else {
       # success.  go back to the domain list, do not pass "GO"
+      # success.  go back to the user list, do not pass "GO"
 ##log
       logaction(0, $session->param("username"), $webvar{group}, "Added domain $webvar{domain}");
 …
     changepage(page => "useradmin");
+  }
+} elsif ($webvar{page} eq 'edituser') {
 } elsif ($webvar{page} eq 'dnsq') {
 …
   my $tmpgrplist = fill_grptree($logingroup,$curgroup);
   $page->param(grptree => $tmpgrplist);
+  $page->param(subs => ($tmpgrplist ? 1 : 0));  # probably not useful to pass gobs of data in for a boolean
   $page->param(inlogingrp => $curgroup == $logingroup);
 …
   return if $#childlist == -1;
   my @grouplist;
+  my $foome = 0;
   foreach (@childlist) {
     my %row;
 …
     $row{grpname} = "<b>$row{grpname}</b>" if $_ == $cur;
     $row{subs} = fill_grptree($_,$cur);
+    $row{last} = 1 if ++$foome > $#childlist;
     push @grouplist, \%row;
+  }
 …
   $page->param(actypelist       => \@actypes);
+}
+sub fill_clonemelist {
+  my $sth = $dbh->prepare("SELECT username,user_id FROM users WHERE group_id=$curgroup");
+  $sth->execute;
+  my @clonesrc;
+  while (my ($username,$uid) = $sth->fetchrow_array) {
+    my %row = (
+        username => $username,
+        uid => $uid,
+        selected => ($webvar{clonesrc} == $uid ? 1 : 0)
+        );
+    push @clonesrc, \%row;
+  }
+  $page->param(clonesrc => \@clonesrc);
+}

trunk/dns.sql

-              r50
+              r65
 -- tabledefs and preloaded data bits
+CREATE TABLE permissions (
+    permission_id SERIAL NOT NULL,
+    admin boolean DEFAULT 'n' NOT NULL,
+    self_edit boolean DEFAULT 'n' NOT NULL,
+    group_create boolean DEFAULT 'n' NOT NULL,
+    group_edit boolean DEFAULT 'n' NOT NULL,
+    group_delete boolean DEFAULT 'n' NOT NULL,
+    user_create boolean DEFAULT 'n' NOT NULL,
+    user_edit boolean DEFAULT 'n' NOT NULL,
+    user_delete boolean DEFAULT 'n' NOT NULL,
+    domain_create boolean DEFAULT 'n' NOT NULL,
+    domain_edit boolean DEFAULT 'n' NOT NULL,
+    domain_delete boolean DEFAULT 'n' NOT NULL,
+    record_create boolean DEFAULT 'n' NOT NULL,
+    record_edit boolean DEFAULT 'n' NOT NULL,
+    record_delete boolean DEFAULT 'n' NOT NULL
+);
+-- Need *two* basic permissions;  one for the initial group, one for the default admin user
+COPY permissions (permission_id, admin, self_edit, group_create, group_edit group_delete, user_create, user_edit, user_delete, domain_create, domain_edit, domain_delete, record_create, record_edit, record_delete) FROM stdin;
+       n       n       n       n       n       n       n       n       n       n       n       n       n       n
+       y       n       n       n       n       n       n       n       n       n       n       n       n       n
+\.
 CREATE TABLE groups (
     group_id serial NOT NULL,
     parent_group_id integer DEFAULT 1 NOT NULL,
+    permission_id integer DEFAULT 1 NOT NULL,
     group_name character varying(255) DEFAULT ''::character varying NOT NULL
 );
 …
 -- Provide a basic default group
 COPY groups (group_id, parent_group_id, group_name) FROM stdin;
        1       default
+       1       1       default
 \.
 …
     "type" character(1) DEFAULT 'S'::bpchar NOT NULL,
     status integer DEFAULT 1 NOT NULL,
+    acl character varying(40) DEFAULT 'b'::character varying NOT NULL
+    acl character varying(40) DEFAULT 'b'::character varying NOT NULL,
+    permission_id DEFAULT 1 NOT NULL,
 );
 -- create initial default user?  may be better to create an "initialize" script or something
 COPY users (user_id, group_id, username, "password", firstname, lastname, phone, "type", status, acl) FROM stdin;
        1       test@test       $1$BByge8u2$48AaGX3YeHplfErX5Tlqa1      \N      \N      \N      S       1       A
+       1       test@test       $1$BByge8u2$48AaGX3YeHplfErX5Tlqa1      \N      \N      \N      S       1       A       2
 \.
 …
 -- primary keys
+ALTER TABLE ONLY permissions
+    ADD CONSTRAINT permissions_permission_id_key UNIQUE (permission_id);
 ALTER TABLE ONLY groups
     ADD CONSTRAINT groups_group_id_key UNIQUE (group_id);
 …
 -- foreign keys
+-- fixme: permissions FK refs
 ALTER TABLE ONLY domains
     ADD CONSTRAINT "$1" FOREIGN KEY (group_id) REFERENCES groups(group_id);
 …
 -- set sequence start values - make sure we don't screw up adding
 -- records to tables that already have a few entries
+SELECT pg_catalog.setval('permissions_permission_id_seq', 2, true);
 SELECT pg_catalog.setval('groups_group_id_seq', 52, true);

trunk/templates/dns.css

-              r59
+              r65
         width: 100%;
+}
+table.border {
+        border: thin solid #000000;
+}
 tr.row0 {
 …
         background-color: #F0F0F0;
         text-align: left;
+}
+th {
+        background-color: #F0F0F0;
+        font-size: 1.1em;
+        font-weight:normal;
+        padding: 4px;
+}
 …
         text-align: right;
+}
+td.border {
+        background-color: #e0e0e0;
+        border: solid 1px #101010;
+        padding: 2px;
+}
+td.noaccess {
+        background-color: #ffe8e8;
+        color: #2f0000;
+}
 .meat {
 …
         font-size: 10px;
+}
 ul {
         margin-left: 10px;
 …
 /* F*** ME BUT THIS LOOKS LIKE CRAP! */
 /* Need to find a way to vertically centre the plus image on the text.  >:(  */
+/*li.hassub {
+        list-style: none outside url('../images/plus.gif');
+li.hassub {
+        background-image: url('../images/fwd.png');
+        background-repeat: no-repeat;
+        background-position: 0px 1px;
+        padding-left: 10px;
+        //list-style: none outside url('../images/fwd.png');
+        margin-left: 0px;
+}
 li.leaf {
+        list-style: none outside none;
+} */
+        //list-style: none outside none;
+        //margin-left: 0px;
+}
+li.lastinlvl {
+        background-image: url('../images/ASC.png');
+        background-repeat: no-repeat;
+        background-position: 0px 1px;
+        padding-left: 10px;
+        //list-style: none outside url('../images/fwd.png');
+        margin-left: 0px;
+}
+ul.grptree {
+        list-style-type: none;
+        padding: 0px;
+        margin: 0px;
+}
 #grptree {
         //margin-left: 15px;
+        //margin-left: 10px;
+}
 /* general classes */

trunk/templates/grpman.tmpl

r44	r65
31	31	<TMPL_LOOP name=grouptable>
32	32	<tr class="row<TMPL_VAR name=bg>">
33		<td align="left"><a href="dns.cgi?sid=<TMPL_VAR NAME=sid>&page=~~grpman&action=chgroup&group~~=<TMPL_VAR NAME=groupid>"><TMPL_VAR NAME=groupname></a></td>
	33	<td align="left"><a href="dns.cgi?sid=<TMPL_VAR NAME=sid>&page=edgroup&gid=<TMPL_VAR NAME=groupid>"><TMPL_VAR NAME=groupname></a></td>
34	34	<td><TMPL_VAR name=pgroup></td>
35	35	<td><TMPL_VAR name=nusers></td>

trunk/templates/grptree.tmpl

r41	r65
1	1	<ul>
2		<TMPL_LOOP NAME=treelvl><li class="<TMPL_IF NAME=subs>hassub<TMPL_ELSE>leaf</TMPL_IF>"><TMPL_VAR NAME=grpname>
	2	<TMPL_LOOP NAME=treelvl><li class="<TMPL_IF NAME=subs>hassub<TMPL_ELSE>leaf</TMPL_IF><TMPL_IF last> lastinlvl</TMPL_IF>"><TMPL_VAR NAME=grpname>
3	3	<TMPL_VAR NAME=subs></li>
4	4	</TMPL_LOOP></ul>

trunk/templates/menu.tmpl

-              r43
+              r65
 <a href="dns.cgi?sid=<TMPL_VAR NAME=sid>&amp;page=grpman">Manage groups</a><br />
 <div id="grptree">
 <ul>
 <li><TMPL_IF inlogingrp><b><TMPL_VAR NAME=logingrp></b><TMPL_ELSE><TMPL_VAR NAME=logingrp></TMPL_IF>
+<ul class="grptree">
+<li class="<TMPL_IF NAME=subs>hassub<TMPL_ELSE>leaf</TMPL_IF>"><TMPL_IF inlogingrp><b><TMPL_VAR NAME=logingrp></b><TMPL_ELSE><TMPL_VAR NAME=logingrp></TMPL_IF>
 <TMPL_VAR NAME=grptree>
 </li>

trunk/templates/newuser.tmpl

-              r38
+              r65
 <input type="hidden" name="newuser" value="yes" />
 <table class="container" width="450">
 <tr><td>
     <table border="0" cellspacing="2" cellpadding="2" width="100%">
 <TMPL_IF add_failed>    <tr><td class="errhead" colspan="2">Error adding user <TMPL_VAR NAME=uname>: <TMPL_VAR NAME=errmsg></td></tr></TMPL_IF>
+<table border="0" cellspacing="2" cellpadding="2" width="450">
+<TMPL_IF add_failed>    <tr>
+                <td class="errhead" colspan="2">Error adding user <TMPL_VAR NAME=uname>: <TMPL_VAR NAME=errmsg></td>
+        </tr></TMPL_IF>
         <tr class="darkrowheader"><td colspan="2" align="center">Add User</td></tr>
 …
                 <td>Create as active user</td><td><input type="checkbox" name="makeactive" checked="checked" /></td>
         </tr>
+        <tr>
+                <td colspan="2">
+<table style="border: thin solid #000000;" border="0" cellspacing="5" cellpadding="0" width="100%">
+<tr class="tableheader">
+        <td align="center" colspan="5">
+        <input type="radio" name="perms_type" value="inherit" <TMPL_IF add_failed><TMPL_IF perm_inherit>checked="checked"</TMPL_IF><TMPL_ELSE>checked="checked"</TMPL_IF>/> Inherit permissions from group
+        </td>
+</tr>
+<tr>
+        <td align="right">Group:</td>
+        <td><input type="checkbox"<TMPL_IF i_grped> checked="checked"</TMPL_IF> disabled="disabled" /> Edit</td>
+        <td><input type="checkbox"<TMPL_IF i_grpcreate> checked="checked"</TMPL_IF> disabled="disabled" /> Create</td>
+        <td><input type="checkbox"<TMPL_IF i_grpdel> checked="checked"</TMPL_IF> disabled="disabled" /> Delete</td>
+</tr>
+<tr>
+        <td align="right">User:</td>
+        <td><input type="checkbox"<TMPL_IF i_usered> checked="checked"</TMPL_IF> disabled="disabled" /> Edit</td>
+        <td><input type="checkbox"<TMPL_IF i_usercreate> checked="checked"</TMPL_IF> disabled="disabled" /> Create</td>
+        <td><input type="checkbox"<TMPL_IF i_userdel> checked="checked"</TMPL_IF> disabled="disabled" /> Delete</td>
+</tr>
+<tr>
+        <td align="right">Domain:</td>
+        <td><input type="checkbox"<TMPL_IF i_domed> checked="checked"</TMPL_IF> disabled="disabled" /> Edit</td>
+        <td><input type="checkbox"<TMPL_IF i_domcreate> checked="checked"</TMPL_IF> disabled="disabled" /> Create</td>
+        <td><input type="checkbox"<TMPL_IF i_domdel> checked="checked"</TMPL_IF> disabled="disabled" /> Delete</td>
+        <!-- td>+ Delegate</td -->
+</tr>
+<tr>
+        <td align="right">Domain Record:</td>
+        <td><input type="checkbox"<TMPL_IF i_reced> checked="checked"</TMPL_IF> disabled="disabled" /> Edit</td>
+        <td><input type="checkbox"<TMPL_IF i_reccreate> checked="checked"</TMPL_IF> disabled="disabled" /> Create</td>
+        <td><input type="checkbox"<TMPL_IF i_recdel> checked="checked"</TMPL_IF> disabled="disabled" /> Delete</td>
+        <!-- td>+ Delegate</td -->
+</tr>
+<tr>
+        <td align="right">Self:</td>
+        <td><input type="checkbox"<TMPL_IF i_edself> checked="checked"</TMPL_IF> disabled="disabled" /> Edit</td>
+</tr>
+<tr class="tableheader">
+        <td align="center" colspan="5">
+        <input type="radio" name="perms_type" value="clone" <TMPL_IF add_failed><TMPL_IF perm_clone> checked="checked"</TMPL_IF></TMPL_IF>/> Clone permissions from an existing user
+        </td>
+</tr>
+<tr>
+        <td align="center" colspan="5">
+        Note: Only users in the current group may be cloned<br>
+        <select name="clonesrc">
+        <option>-</option>
+        <TMPL_LOOP name=clonesrc><option value="<TMPL_VAR NAME=uid>"<TMPL_IF selected> selected</TMPL_IF>><TMPL_VAR NAME=username></option>
+        </TMPL_LOOP></select>
+        </td>
+</tr>
+<tr class="tableheader">
+        <td align="center" colspan="5">
+                <input type="radio" name="perms_type" value="custom" <TMPL_IF add_failed><TMPL_IF perm_custom> checked="checked"</TMPL_IF></TMPL_IF>/> Specify permissions
+        </td>
+</tr>
+<TMPL_INCLUDE name="permlist_enabled.tmpl">
+</table>
+                </td>
+        </tr>
         <tr><td colspan="2" class="tblsubmit"><input type="submit" value="Add user" /></td></tr>
 <tr><td colspan="2">tmp note:  radio button select "group template" vs "clone user"?</td></tr>
     </table>
-    </td>
-</tr>
-</table>
 </fieldset>

trunk/templates/useradmin.tmpl

r59	r65
31	31	<TMPL_LOOP name=usertable>
32	32	<tr class="row<TMPL_VAR name=bg>">
33		<td align="left"><a href="dns.cgi?sid=<TMPL_VAR NAME=sid>&page=~~useradmin&action=ch~~user&user=<TMPL_VAR NAME=userid>"><TMPL_VAR NAME=username></a></td>
	33	<td align="left"><a href="dns.cgi?sid=<TMPL_VAR NAME=sid>&page=edituser&user=<TMPL_VAR NAME=userid>"><TMPL_VAR NAME=username></a></td>
34	34	<td class="data_nowrap"><TMPL_VAR name=userfull></td>
35	35	<td><TMPL_VAR name=usertype></td>

Note: See TracChangeset for help on using the changeset viewer.

Download in other formats: