Changeset 66


Timestamp:
11/26/10 17:43:34 (14 years ago)
Author:
Kris Deugau
Message:

/trunk

Basic group permissions editing functional - enforcing is trivial

  • add group now adds the permissions entry. TBD: permission inheritance
  • edit group Does The Right Thing(TM) - either editing the existing entry, or converting an inherited permission group to a separate one. still needs to rewrite subgroup and contained user inherited permissions
  • the HTML permissions table rows have been moved. edit-user should pick this up, and will require calling the template explicitly so as to show both the default and custom permissions.
  • the list of individual permissions has been moved to a list in DNSDB.pm; code that refers to this should not assume any given length - this makes adding new permission types (somewhat) easier

Tweak menu group-tree CSS (again) add some (broken) images

  • this should probalby revert to an earlier setup that uses an image as the <li> bullet point rather than pushing the text to the right, since many (most?) nodes will usually be leaf nodes

HTML changes not validated

Location:
trunk
Files:
4 added
7 edited

  • trunk/DNSDB.pm

    r65 r66  
    2525@ISA            = qw(Exporter);
    2626@EXPORT_OK      = qw(
    27         &initGlobals &initPermissions &getPermissions
     27        &initGlobals &initPermissions &getPermissions &changePermissions
    2828        &connectDB &finish
    2929        &addDomain &delDomain &domainName
     
    3434        &domStatus &importAXFR
    3535        %typemap %reverse_typemap
    36         %permissions
     36        %permissions @permtypes $permlist
    3737        );
    3838
    3939@EXPORT         = (); # Export nothing by default.
    4040%EXPORT_TAGS    = ( ALL => [qw(
    41                 &initGlobals &initPermissions &getPermissions
     41                &initGlobals &initPermissions &getPermissions &changePermissions
    4242                &connectDB &finish
    4343                &addDomain &delDomain &domainName
     
    4848                &domStatus &importAXFR
    4949                %typemap %reverse_typemap
    50                 %permissions
     50                %permissions @permtypes $permlist
    5151                )]
    5252        );
     
    6666        ttl     10800
    6767);
     68
     69# Arguably defined wholly in the db, but little reason to change without supporting code changes
     70our @permtypes = qw (
     71        group_edit      group_create    group_delete
     72        user_edit       user_create     user_delete
     73        domain_edit     domain_create   domain_delete
     74        record_edit     record_create   record_delete
     75        self_edit       admin
     76);
     77our $permlist = join(',',@permtypes);
    6878
    6979# DNS record type map and reverse map.
     
    235245  my $newperms = shift;
    236246
     247my $failmsg = '';
     248
    237249  # see if we're switching from inherited to custom
    238   my $sth = $dbh->prepare("SELECT (u.permission_id=g.permission_id) AS was_inherited".
     250  my $sth = $dbh->prepare("SELECT (u.permission_id=g.permission_id) AS was_inherited,u.permission_id".
    239251        " FROM ".($type eq 'user' ? 'users' : 'groups')." u ".
    240         " JOIN groups g ON u.group_id=g.group_id ".
     252        " JOIN groups g ON u.".($type eq 'user' ? '' : 'parent_')."group_id=g.group_id ".
    241253        " WHERE u.".($type eq 'user' ? 'user' : 'group')."_id=?");
    242254  $sth->execute($id);
     255
     256  my ($wasinherited,$permid) = $sth->fetchrow_array;
     257
     258  local $dbh->{AutoCommit} = 0;
     259  local $dbh->{RaiseError} = 1;
     260
     261  # Wrap all the SQL in a transaction
     262  eval {
     263    if ($wasinherited) {
     264$failmsg = "wasinherited: '$wasinherited'";
     265die "don't wanna add perms where we don't need to";
     266##fixme: need to add semirecursive bit to properly munge inherited permission ID on subgroups and users
     267## FIXME:  need to fiddle permissions table to track back to users or groups table
     268      my $sql = "INSERT INTO permissions ($permlist) ".
     269        "SELECT $permlist FROM permissions WHERE permission_id=?";
     270      $sth = $dbh->prepare($sql);
     271      $sth->execute($permid);
     272      $sth = $dbh->prepare("SELECT permission_id FROM ".($type eq 'user' ? 'users' : 'groups').
     273        " WHERE ".($type eq 'user' ? 'user' : 'group')."_id=?");
     274      $sth->execute($id);
     275      ($permid) = $sth->fetchrow_array;
     276    }
     277    foreach (@permtypes) {
     278      if (defined ($newperms->{$_})) {
     279        $sth = $dbh->prepare("UPDATE permissions SET $_=? WHERE permission_id=?");
     280        $sth->execute($newperms->{$_},$permid);
     281      }
     282    }
     283    $dbh->commit;
     284  }; # end eval
     285  if ($@) {
     286    my $msg = $@;
     287    eval { $dbh->rollback; };
     288    return ('FAIL',"$failmsg: $msg");
     289  } else {
     290    return ('OK',$permid);
     291  }
    243292
    244293} # end changePermissions()
     
    379428## DNSDB::addGroup()
    380429# Add a group
    381 # Takes a database handle, group name, parent group, and template-vs-cloneme flag
     430# Takes a database handle, group name, parent group, hashref for permissions,
     431# and optional template-vs-cloneme flag
    382432# Returns a status code and message
    383433sub addGroup {
     
    386436  my $groupname = shift;
    387437  my $pargroup = shift;
    388 
    389   # 0 indicates "template", hardcoded.
     438  my $permissions = shift;
     439
     440  # 0 indicates "custom", hardcoded.
    390441  # Any other value clones that group's default records, if it exists.
    391   my $torc = shift || 0;       
     442  my $inherit = shift || 0;     
     443##fixme:  need a flag to indicate clone records or <?> ?
    392444
    393445  # Allow transactions, and raise an exception on errors so we can catch it later.
     
    414466    my ($groupid) = $sth->fetchrow_array();
    415467
     468# Permissions
     469    if ($inherit) {
     470    } else {
     471      my @permvals;
     472      foreach (@permtypes) {
     473        if (!defined ($permissions->{$_})) {
     474          push @permvals, 0;
     475        } else {
     476          push @permvals, $permissions->{$_};
     477        }
     478      }
     479
     480      $sth = $dbh->prepare("INSERT INTO permissions (group_id,$permlist) values (?".',?'x($#permtypes+1).")");
     481      $sth->execute($groupid,@permvals);
     482
     483      $sth = $dbh->prepare("SELECT permission_id FROM permissions WHERE group_id=?");
     484      $sth->execute($groupid);
     485      my ($permid) = $sth->fetchrow_array();
     486
     487      $dbh->do("UPDATE groups SET permission_id=$permid WHERE group_id=$groupid");
     488    } # done permission fiddling
     489
     490# Default records
    416491    $sth = $dbh->prepare("INSERT INTO default_records (group_id,host,type,val,distance,weight,port,ttl) ".
    417492        "VALUES ($groupid,?,?,?,?,?,?,?)");
    418     if ($torc) {
     493    if ($inherit) {
     494##fixme:  fixme!
    419495      my $sth2 = $dbh->prepare("SELECT host,type,val,distance,weight,port,ttl FROM default_records WHERE group_id=?");
    420496      while (my @clonedata = $sth2->fetchrow_array) {
     
    422498      }
    423499    } else {
     500##fixme: Hardcoding is Bad, mmmmkaaaay?
    424501      # reasonable basic defaults for SOA, MX, NS, and minimal hosting
    425502      # could load from a config file, but somewhere along the line we need hardcoded bits.
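Review bot: In changePermissions the was_inherited SELECT (`my $sth = $dbh->prepare("SELECT (u.permission_id=g.permission_id) AS was_inherited,u.permission_id"...`) has its fetchrow_array result used unchecked, so an unknown `$id` (or a failed query, since `local $dbh->{RaiseError} = 1;` is only set afterwards) leaves `$permid` undef, every later `UPDATE permissions ... WHERE permission_id=?` matches nothing, and the sub still returns `('OK', undef)`. Adding `return ('FAIL', "no such $type $id") unless defined $permid;` right after the fetch would close that, and moving the two `local $dbh->{...}` lines above the SELECT would surface a failure there too. The `$failmsg = "wasinherited: ..."; die "don't wanna add perms ..."` pair at the top of the `if ($wasinherited)` branch reads as leftover debugging that makes every inherited-to-custom edit fail before its INSERT; if it is deliberate scaffolding a `##fixme` line saying so would help the next reader. In addGroup the `if ($inherit) { }` branch is empty, so a group created with the inherit flag gets no permissions row and its permission_id stays unset. changePermissions' opening lines and addGroup's remainder are outside the hunks.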
  • trunk/dns.cgi

    r65 r66  
    476476  if ($webvar{action} && $webvar{action} eq 'add') {
    477477        # not gonna provide the 4th param: template-or-clone flag, just yet
    478     my ($code,$msg) = addGroup($dbh, $webvar{newgroup}, $webvar{pargroup});
     478    my %newperms;
     479    foreach (@permtypes) {
     480      $newperms{$_} = 0;
     481      $newperms{$_} = 1 if $webvar{$_} eq 'on';
     482    }
     483    my ($code,$msg) = addGroup($dbh, $webvar{newgroup}, $webvar{pargroup}, \%newperms);
    479484    if ($code eq 'OK') {
    480485      logaction(0, $session->param("username"), $webvar{pargroup}, "Added group $webvar{newgroup}");
    481486      changepage(page => "grpman");
    482487    }
     488    # no point in doing extra work
     489    fill_permissions($page, \%newperms);
    483490    $page->param(add_failed => 1);
    484491    $page->param(errmsg => $msg);
    485492    $page->param(newgroup => $webvar{newgroup});
    486      fill_grouplist('pargroup',$webvar{pargroup});
     493    fill_grouplist('pargroup',$webvar{pargroup});
    487494  } else {
    488495#    $page->param
    489      fill_grouplist('pargroup',$curgroup);
    490 
     496    fill_grouplist('pargroup',$curgroup);
     497  # fill default permissions with immediate parent's current ones
     498    my %parperms;
     499    getPermissions($dbh, 'group', $curgroup, \%parperms);
     500    fill_permissions($page, \%parperms);
    491501  }
    492502
     
    530540    my %curperms;
    531541    getPermissions($dbh, 'group', $webvar{gid}, \%curperms);
    532     foreach (('group_edit','group_create','group_delete',
    533                 'user_edit','user_create','user_delete',
    534                 'domain_edit','domain_create','domain_delete',
    535                 'record_edit','record_create','record_delete',
    536                 'self_edit')
    537                 ) {
     542    my %chperms;
     543    foreach (@permtypes) {
    538544      $webvar{$_} = 0 if !defined($webvar{$_});
    539545      $webvar{$_} = 1 if $webvar{$_} eq 'on';
    540 push @debugbits, "$_ has changed: '$curperms{$_}' => '$webvar{$_}'<br>\n" if $curperms{$_} ne $webvar{$_};
    541       if ($permissions{admin} || $permissions{$_}) {
    542         if (($webvar{$_} eq 'on' && !$curperms{$_}) or
    543                 (!$webvar{$_} && $curperms{$_})) {
    544           push @debugbits, '&nbsp;&nbsp;'."may update $_<br>\n";
    545         }
    546       }
    547     }
     546      $chperms{$_} = $webvar{$_} if $curperms{$_} ne $webvar{$_};
     547    }
     548    my ($code,$msg) = changePermissions($dbh, 'group', $webvar{gid}, \%chperms);
     549    if ($code eq 'OK') {
     550      logaction(0, $session->param("username"), $webvar{gid}, "Changed default permissions in group $webvar{gid}");
     551      changepage(page => "grpman");
     552    }
     553    # no point in doing extra work
     554    fill_permissions($page, \%chperms);
     555    $page->param(errmsg => $msg);
    548556  }
    549557  $page->param(gid => $webvar{gid});
     
    551559  my %grpperms;
    552560  getPermissions($dbh, 'group', $webvar{gid}, \%grpperms);
    553 #  unless (0) {
    554   foreach (('group_edit','group_create','group_delete',
    555                 'user_edit','user_create','user_delete',
    556                 'domain_edit','domain_create','domain_delete',
    557                 'record_edit','record_create','record_delete',
    558                 'self_edit')
    559                 ) {
    560 #push @debugbits, "$_ => admin? '$permissions{admin}' may_$_? '$permissions{$_}' group? '$grpperms{$_}'<br>\n";
    561     $page->param("may_$_" => ($permissions{admin} || $permissions{$_}));
    562     $page->param($_ => $grpperms{$_});
    563   }
    564 #  }
    565 #  my %grpperms = getPermissions('group',$webvar{group});
     561  fill_permissions($page, \%grpperms);
    566562
    567563} elsif ($webvar{page} eq 'useradmin') {
     
    14501446  ##fixme:  really need to do a little more error handling, I think
    14511447} # end parentID()
     1448
     1449# we have to do this in a variety of places;  let's make it consistent
     1450sub fill_permissions {
     1451  my $template = shift; # may need to do several sets on a single page
     1452  my $permset = shift;  # hashref to permissions on object
     1453
     1454  foreach (@permtypes) {
     1455    $template->param("may_$_" => ($permissions{admin} || $permissions{$_}));
     1456    $template->param($_ => $permset->{$_});
     1457  }
     1458}
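Review bot: The edit-group hunk puts every changed checkbox into `%chperms` with `$chperms{$_} = $webvar{$_} if $curperms{$_} ne $webvar{$_};` without checking that the editing user holds that permission; the `$permissions{admin} || $permissions{$_}` test the removed debug loop performed is gone, and the template only disables the checkbox client-side, so a submitted form field can flip a permission the editor does not have. Gating it server-side, `$chperms{$_} = $webvar{$_} if $curperms{$_} ne $webvar{$_} && ($permissions{admin} || $permissions{$_});`, and applying the same filter when building `%newperms` in the add-group hunk, would make enforcement match what the form shows. In the add-group hunk `$newperms{$_} = 1 if $webvar{$_} eq 'on';` compares an absent field with `eq` and warns for every unchecked box; the edit hunk's `$webvar{$_} = 0 if !defined($webvar{$_});` guard (or `//`) is the right pattern there too. fill_permissions depends on the globals `%permissions` and `@permtypes` even though it takes the template and permission set explicitly; a comment such as `# may_* flags come from the viewer's own %permissions, not from $permset` would make that visible at the call sites.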
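--- a/trunk/templates/addgroup.tmpl
+++ b/trunk/templates/addgroup.tmpl
@@ -1,4 +1,4 @@
 <TMPL_IF add_failed>
-<TMPL_INCLUDE NAME="newdomain.tmpl">
+<TMPL_INCLUDE NAME="newgrp.tmpl">
 <TMPL_ELSE>
 <TMPL_INCLUDE NAME="grpman.tmpl">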
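--- a/trunk/templates/dns.css
+++ b/trunk/templates/dns.css
@@ -164,27 +164,32 @@
 /* Need to find a way to vertically centre the plus image on the text.  >:(  */
 li.hassub {
-        background-image: url('../images/fwd.png');
+        background-image: url('../images/plus.png');
         background-repeat: no-repeat;
         background-position: 0px 1px;
-        padding-left: 10px;
+        padding-left: 14px;
         //list-style: none outside url('../images/fwd.png');
-        margin-left: 0px;
+        margin-left: -12px;
 }
 li.leaf {
         //list-style: none outside none;
         //margin-left: 0px;
-}
-li.lastinlvl {
-        background-image: url('../images/ASC.png');
+        background-image: url('../images/midleaf.png');
         background-repeat: no-repeat;
         background-position: 0px 1px;
-        padding-left: 10px;
-        //list-style: none outside url('../images/fwd.png');
-        margin-left: 0px;
+        padding-left: 14px;
+        margin-left: -12px;
+}
+li.lastinlvl {
+        background-image: url('../images/lastleaf.png');
+        background-repeat: no-repeat;
+        background-position: 0px 1px;
+        padding-left: 14px;
+        //list-style: none outside url('../images/lastleaf.png');
+        margin-left: -12px;
 }
 ul.grptree {
         list-style-type: none;
         padding: 0px;
-        margin: 0px;
+        margin-left: 14px;
 }
 #grptree {
@@ -246,5 +251,5 @@
         border-right: thin solid #000000;
         margin-right: 5px;
-        padding: 3px;
+        padding: 5px;
 }
 #soadetail {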
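--- a/trunk/templates/edgroup.tmpl
+++ b/trunk/templates/edgroup.tmpl
@@ -4,7 +4,4 @@
 
 <td align="center">
-
-<TMPL_IF msg>
-</TMPL_IF>
 
 <form action="dns.cgi" method="post">
@@ -16,4 +13,7 @@
 
 <table class="border" border="0" cellspacing="5" cellpadding="0">
+<TMPL_IF errmsg><tr>
+        <td class="errhead" colspan="4">Error updating group <TMPL_VAR NAME=grpmeddle>: <TMPL_VAR NAME=errmsg></td>
+</tr></TMPL_IF>
 <tr>
         <th align="center" colspan="5">Default permissions for group <TMPL_VAR NAME=grpmeddle></th>
@@ -22,33 +22,5 @@
         <td align="center" colspan="5" class="border">By default, users of this group will inherit the following privileges:</td>
 </tr>
-<tr>
-        <td align="right">Group:</td>
-        <td<TMPL_UNLESS may_group_edit> class="noaccess"</TMPL_UNLESS>><input type="checkbox" name="group_edit"<TMPL_IF group_edit> checked="checked"</TMPL_IF><TMPL_UNLESS may_group_edit> disabled="disabled"</TMPL_UNLESS> /> Edit</td>
-        <td<TMPL_UNLESS may_group_create> class="noaccess"</TMPL_UNLESS>><input type="checkbox" name="group_create"<TMPL_IF group_create> checked="checked"</TMPL_IF><TMPL_UNLESS may_group_create> disabled="disabled"</TMPL_UNLESS> /> Create</td>
-        <td<TMPL_UNLESS may_group_delete> class="noaccess"</TMPL_UNLESS>><input type="checkbox" name="group_delete"<TMPL_IF group_delete> checked="checked"</TMPL_IF><TMPL_UNLESS may_group_delete> disabled="disabled"</TMPL_UNLESS> /> Delete</td> </tr>
-<tr>
-        <td align="right">User:</td>
-        <td<TMPL_UNLESS may_user_edit> class="noaccess"</TMPL_UNLESS>><input type="checkbox" name="user_edit"<TMPL_IF user_edit> checked="checked"</TMPL_IF><TMPL_UNLESS may_user_edit> disabled="disabled"</TMPL_UNLESS> /> Edit</td>
-        <td<TMPL_UNLESS may_user_create> class="noaccess"</TMPL_UNLESS>><input type="checkbox" name="user_create"<TMPL_IF user_create> checked="checked"</TMPL_IF><TMPL_UNLESS may_user_create> disabled="disabled"</TMPL_UNLESS> /> Create</td>
-        <td<TMPL_UNLESS may_user_delete> class="noaccess"</TMPL_UNLESS>><input type="checkbox" name="user_delete"<TMPL_IF user_delete> checked="checked"</TMPL_IF><TMPL_UNLESS may_user_delete> disabled="disabled"</TMPL_UNLESS> /> Delete</td>
-</tr>
-<tr>
-        <td align="right">Domain:</td>
-        <td<TMPL_UNLESS may_domain_edit> class="noaccess"</TMPL_UNLESS>><input type="checkbox" name="domain_edit"<TMPL_IF domain_edit> checked="checked"</TMPL_IF><TMPL_UNLESS may_domain_edit> disabled="disabled"</TMPL_UNLESS> /> Edit</td>
-        <td<TMPL_UNLESS may_domain_create> class="noaccess"</TMPL_UNLESS>><input type="checkbox" name="domain_create"<TMPL_IF domain_create> checked="checked"</TMPL_IF><TMPL_UNLESS may_domain_create> disabled="disabled"</TMPL_UNLESS> /> Create</td>
-        <td<TMPL_UNLESS may_domain_delete> class="noaccess"</TMPL_UNLESS>><input type="checkbox" name="domain_delete"<TMPL_IF domain_delete> checked="checked"</TMPL_IF><TMPL_UNLESS may_domain_delete> disabled="disabled"</TMPL_UNLESS> /> Delete</td>
-        <!-- td class="noaccess"> - Delegate [fixme: WTF?]</td -->
-</tr>
-<tr>
-        <td align="right">Domain Record:</td>
-        <td<TMPL_UNLESS may_record_edit> class="noaccess"</TMPL_UNLESS>><input type="checkbox" name="record_edit"<TMPL_IF record_edit> checked="checked"</TMPL_IF><TMPL_UNLESS may_record_edit> disabled="disabled"</TMPL_UNLESS> /> Edit</td>
-        <td<TMPL_UNLESS may_record_create> class="noaccess"</TMPL_UNLESS>><input type="checkbox" name="record_create"<TMPL_IF record_create> checked="checked"</TMPL_IF><TMPL_UNLESS may_record_create> disabled="disabled"</TMPL_UNLESS> /> Create</td>
-        <td<TMPL_UNLESS may_record_delete> class="noaccess"</TMPL_UNLESS>><input type="checkbox" name="record_delete"<TMPL_IF record_delete> checked="checked"</TMPL_IF><TMPL_UNLESS may_record_delete> disabled="disabled"</TMPL_UNLESS> /> Delete</td>
-        <!-- td class="noaccess"> - Delegate</td -->
-</tr>
-<tr>
-        <td align="right">Self:</td>
-        <td<TMPL_UNLESS may_self_edit> class="noaccess"</TMPL_UNLESS>><input type="checkbox" name="self_edit"<TMPL_IF self_edit> checked="checked"</TMPL_IF><TMPL_UNLESS may_self_edit> disabled="disabled"</TMPL_UNLESS> /> Edit</td>
-</tr>
+<TMPL_INCLUDE name="permlist.tmpl">
 <tr>
         <td colspan="6" align="center"><input type="submit" value="edit" /></td>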
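Review bot: The new error row uses `colspan="4"` while the rows around it in the same table span five columns (the heading and the inherit note directly below) and the submit row spans six, so the error cell will stop short of the permission grid; `<td class="errhead" colspan="5">` would line it up with the heading under it. The permission rows now come from permlist.tmpl, so its own column count is what the colspan values here should be checked against, which the commit message notes has not been validated yet.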
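--- a/trunk/templates/grptree.tmpl
+++ b/trunk/templates/grptree.tmpl
@@ -1,4 +1,4 @@
 <ul>
-<TMPL_LOOP NAME=treelvl><li class="<TMPL_IF NAME=subs>hassub<TMPL_ELSE>leaf</TMPL_IF><TMPL_IF last> lastinlvl</TMPL_IF>"><TMPL_VAR NAME=grpname>
+<TMPL_LOOP NAME=treelvl><li class="<TMPL_IF last>lastinlvl </TMPL_IF><TMPL_IF NAME=subs>hassub<TMPL_ELSE>leaf</TMPL_IF>"><TMPL_VAR NAME=grpname>
 <TMPL_VAR NAME=subs></li>
 </TMPL_LOOP></ul>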
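--- a/trunk/templates/newgrp.tmpl
+++ b/trunk/templates/newgrp.tmpl
@@ -15,20 +15,26 @@
 <tr><td>
     <table border="0" cellspacing="2" cellpadding="2" width="100%">
-<TMPL_IF add_failed>    <tr><td class="errhead" colspan="2">Error adding group <TMPL_VAR NAME=newgroup>: <TMPL_VAR NAME=errmsg></td></tr></TMPL_IF>
-        <tr class="darkrowheader"><td colspan="2" align="center">Add Group</td></tr>
+<TMPL_IF add_failed>    <tr><td class="errhead" colspan="4">Error adding group <TMPL_VAR NAME=newgroup>: <TMPL_VAR NAME=errmsg></td></tr></TMPL_IF>
+        <tr class="darkrowheader"><td colspan="4" align="center">Add Group</td></tr>
 
         <tr class="datalinelight">
-                <td>Group Name:</td>
-                <td align="left"><input type="text" name="newgroup" value="<TMPL_VAR NAME=newgroup>" /></td>
+                <td colspan=2>Group Name:</td>
+                <td align="left" colspan=2><input type="text" name="newgroup" value="<TMPL_VAR NAME=newgroup>" /></td>
         </tr>
         <tr class="datalinelight">
-                <td>Add as subgroup of:</td>
-                <td><select name="pargroup">
+                <td colspan=2>Add as subgroup of:</td>
+                <td colspan=2><select name="pargroup">
 <TMPL_LOOP name=pargroup>               <option value="<TMPL_VAR NAME=groupval>"<TMPL_IF groupactive> selected="selected"</TMPL_IF>><TMPL_VAR name=groupname></option>
 </TMPL_LOOP>
                 </select></td>
         </tr>
-        <tr><td colspan="2" align="center"><input type="submit" value="Add group" /></td></tr>
-<tr><td colspan="2">tmp note:  radio button select "group template" vs "clone group"?</td></tr>
+        <tr class="darkrowheader border">
+                <td colspan="4" align="center">Default permissions for users created in this group:</td>
+        </tr>
+<TMPL_INCLUDE name="permlist.tmpl">
+        <tr class="darkrowheader">
+                <td colspan="4" align="center"><input type="submit" value="Add group" /></td>
+        </tr>
+<tr><td colspan="4">tmp note:  radio button select "group template" vs "clone group"?</td></tr>
     </table>
     </td>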
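Review bot: The four new `colspan=2` attributes are unquoted while every other attribute in this file is quoted (`colspan="4"` a few lines later), which is the kind of inconsistency the unvalidated HTML noted in the commit message will trip on; `<td colspan="2">` keeps the markup uniform. The `tmp note:` row is still rendered into the form for end users; if it is a developer reminder, wrapping it as `<!-- tmp note: ... -->` keeps it in the template without showing it.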