Index: /trunk/DNSDB.pm =================================================================== --- /trunk/DNSDB.pm (revision 66) +++ /trunk/DNSDB.pm (revision 67) @@ -25,5 +25,6 @@ @ISA = qw(Exporter); @EXPORT_OK = qw( - &initGlobals &initPermissions &getPermissions &changePermissions + &initGlobals + &initPermissions &getPermissions &changePermissions &comparePermissions &connectDB &finish &addDomain &delDomain &domainName @@ -39,5 +40,6 @@ @EXPORT = (); # Export nothing by default. %EXPORT_TAGS = ( ALL => [qw( - &initGlobals &initPermissions &getPermissions &changePermissions + &initGlobals + &initPermissions &getPermissions &changePermissions &comparePermissions &connectDB &finish &addDomain &delDomain &domainName @@ -294,4 +296,36 @@ +## DNSDB::comparePermissions() +# Compare two permission hashes +# Returns '>', '<', '=', '!' +sub comparePermissions { + my $p1 = shift; + my $p2 = shift; + + my $retval = '='; # assume equality until proven otherwise + + no warnings "uninitialized"; + + foreach (@permtypes) { + next if $p1->{$_} == $p2->{$_}; # equal is good + if ($p1->{$_} && !$p2->{$_}) { + if ($retval eq '<') { # if we've already found an unequal pair where + $retval = '!'; # $p2 has more access, and we now find a pair + last; # where $p1 has more access, the overall access + } # is neither greater or lesser, it's unequal. + $retval = '>'; + } + if (!$p1->{$_} && $p2->{$_}) { + if ($retval eq '>') { # if we've already found an unequal pair where + $retval = '!'; # $p1 has more access, and we now find a pair + last; # where $p2 has more access, the overall access + } # is neither greater or lesser, it's unequal. + $retval = '<'; + } + } + return $retval; +} # end comparePermissions() + + ## DNSDB::_log() # Log an action @@ -640,4 +674,6 @@ my $type = shift || 'u'; # create limited users by default - fwiw, not sure yet how this will interact with ACLs + my $permstring = shift || 'i'; # default is to inhert permissions from group + my $fname = shift || $username; my $lname = shift || ''; Index: /trunk/dns.cgi =================================================================== --- /trunk/dns.cgi (revision 66) +++ /trunk/dns.cgi (revision 67) @@ -571,4 +571,102 @@ list_users(); +} elsif ($webvar{page} eq 'user') { + + fill_actypelist(); + fill_clonemelist(); + my %grpperms; + getPermissions($dbh, 'group', $curgroup, \%grpperms); + fill_permissions($page, \%grpperms); + my $grppermlist = new HTML::Template(filename => "$templatedir/permlist.tmpl"); + my %noaccess; + fill_permissions($grppermlist, \%grpperms, \%noaccess); + $grppermlist->param(info => 1); + $page->param(grpperms => $grppermlist->output); + $page->param(is_admin => $permissions{admin}); + +# if ($webvar{action} eq 'new') { +# } els + if ($webvar{action} eq 'add') { + + my ($code,$msg); + + my $alterperms = 0; # flag iff we need to force custom permissions due to user's current access limits + + if ($webvar{pass1} ne $webvar{pass2}) { + $code = 'FAIL'; + $msg = "Passwords don't match"; + } else { +# assemble a permission string - far simpler than trying to pass an +# indeterminate set of permission flags individually + +# ooooh. +# OOOOH. +# We have to see if the user can add any particular permissions; otherwise we have a priviledge escalation. Whee. + +if (!$permissions{admin}) { + my %grpperms; + getPermissions($dbh, 'group', $curgroup, \%grpperms); + my $ret = comparePermissions(\%permissions, \%grpperms); + if ($ret ne '<' && $ret ne '!') { + # User's permissions are not a superset or equivalent to group. Can't inherit + # (and include access user doesn't currently have), so we force custom. + $webvar{perms_type} = 'custom'; + $alterperms = 1; + } +} +##work + my $permstring; + if ($webvar{perms_type} eq 'custom') { + $permstring = 'C:'; + foreach (@permtypes) { + if ($permissions{admin}) { + $permstring .= ",$_" if defined($webvar{$_}) && $webvar{$_} eq 'on'; + } else { + $permstring .= ",$_" if $permissions{$_} && defined($webvar{$_}) && $webvar{$_} eq 'on'; + } + } + $page->param(perm_custom => 1); + } elsif ($permissions{admin} && $webvar{perms_type} eq 'clone') { + $permstring = "c:$webvar{clonesrc}"; + $page->param(perm_clone => 1); + } else { + $permstring = 'i'; + } + ($code,$msg) = addUser($dbh,$webvar{uname}, $curgroup, $webvar{pass1}, + ($webvar{makeactive} eq 'on' ? 1 : 0), $webvar{accttype}, $permstring, + $webvar{fname}, $webvar{lname}, $webvar{phone}); + } + +# hokay, a bit of magic to decide which page we hit. + if ($code eq 'OK') { +##log + logaction(0, $session->param("username"), $webvar{group}, + "Added user $webvar{uname} ($webvar{fname} $webvar{lname})"); + if ($alterperms) { + changepage(page => "useradmin", warnmsg => + "You can only grant permissions you hold. $webvar{uname} added with reduced access."); + } else { + changepage(page => "useradmin"); + } +id => $webvar{id}, defrec => $webvar{defrec} + } else { +# oddity - apparently, xhtml 1.0 strict swallows username as an HTML::Template var. O_o + $page->param(add_failed => 1); + $page->param(uname => $webvar{uname}); + $page->param(fname => $webvar{fname}); + $page->param(lname => $webvar{lname}); + $page->param(pass1 => $webvar{pass1}); + $page->param(pass2 => $webvar{pass2}); + $page->param(errmsg => $msg); + fill_actypelist(); + fill_clonemelist(); + } + + } elsif ($webvar{action} eq 'edit') { + } elsif ($webvar{action} eq 'update') { + } else { + # default is "new" + } + } elsif ($webvar{page} eq 'newuser') { @@ -576,4 +674,14 @@ fill_actypelist(); fill_clonemelist(); + + my %grpperms; + getPermissions($dbh, 'group', $curgroup, \%grpperms); + fill_permissions($page, \%grpperms); + + my $grppermlist = new HTML::Template(filename => "$templatedir/permlist.tmpl"); + my %noaccess; + fill_permissions($grppermlist, \%grpperms, \%noaccess); + $grppermlist->param(info => 1); + $page->param(grpperms => $grppermlist->output); } elsif ($webvar{page} eq 'adduser') { @@ -1451,7 +1559,8 @@ my $template = shift; # may need to do several sets on a single page my $permset = shift; # hashref to permissions on object + my $usercan = shift || \%permissions; # allow alternate user-is-allowed permission block foreach (@permtypes) { - $template->param("may_$_" => ($permissions{admin} || $permissions{$_})); + $template->param("may_$_" => ($usercan->{admin} || $usercan->{$_})); $template->param($_ => $permset->{$_}); } Index: unk/templates/newuser.tmpl =================================================================== --- /trunk/templates/newuser.tmpl (revision 66) +++ (revision ) @@ -1,131 +1,0 @@ - - - - - -
- -
-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Error adding user :
Add User
Username:
First Name:
Last Name:
Password:
Confirm Password:
Account Type:
Add user in group:
Create as active user
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- checked="checked"checked="checked"/> Inherit permissions from group -
Group: checked="checked" disabled="disabled" /> Edit checked="checked" disabled="disabled" /> Create checked="checked" disabled="disabled" /> Delete
User: checked="checked" disabled="disabled" /> Edit checked="checked" disabled="disabled" /> Create checked="checked" disabled="disabled" /> Delete
Domain: checked="checked" disabled="disabled" /> Edit checked="checked" disabled="disabled" /> Create checked="checked" disabled="disabled" /> Delete
Domain Record: checked="checked" disabled="disabled" /> Edit checked="checked" disabled="disabled" /> Create checked="checked" disabled="disabled" /> Delete
Self: checked="checked" disabled="disabled" /> Edit
- checked="checked"/> Clone permissions from an existing user -
- Note: Only users in the current group may be cloned
- -
- checked="checked"/> Specify permissions -
- -
tmp note: radio button select "group template" vs "clone user"?
- -
-
- -
Index: /trunk/templates/permlist.tmpl =================================================================== --- /trunk/templates/permlist.tmpl (revision 66) +++ /trunk/templates/permlist.tmpl (revision 67) @@ -1,30 +1,30 @@ Group: - class="noaccess"> checked="checked" disabled="disabled" /> Edit - class="noaccess"> checked="checked" disabled="disabled" /> Create - class="noaccess"> checked="checked" disabled="disabled" /> Delete + class="noaccessinfo"> name="group_edit" checked="checked" disabled="disabled" /> Edit + class="noaccessinfo"> name="group_create" checked="checked" disabled="disabled" /> Create + class="noaccessinfo"> name="group_delete" checked="checked" disabled="disabled" /> Delete User: - class="noaccess"> checked="checked" disabled="disabled" /> Edit - class="noaccess"> checked="checked" disabled="disabled" /> Create - class="noaccess"> checked="checked" disabled="disabled" /> Delete + class="noaccessinfo"> name="user_edit" checked="checked" disabled="disabled" /> Edit + class="noaccessinfo"> name="user_create" checked="checked" disabled="disabled" /> Create + class="noaccessinfo"> name="user_delete" checked="checked" disabled="disabled" /> Delete Domain: - class="noaccess"> checked="checked" disabled="disabled" /> Edit - class="noaccess"> checked="checked" disabled="disabled" /> Create - class="noaccess"> checked="checked" disabled="disabled" /> Delete + class="noaccessinfo"> name="domain_edit" checked="checked" disabled="disabled" /> Edit + class="noaccessinfo"> name="domain_create" checked="checked" disabled="disabled" /> Create + class="noaccessinfo"> name="domain_delete" checked="checked" disabled="disabled" /> Delete Domain Record: - class="noaccess"> checked="checked" disabled="disabled" /> Edit - class="noaccess"> checked="checked" disabled="disabled" /> Create - class="noaccess"> checked="checked" disabled="disabled" /> Delete + class="noaccessinfo"> name="record_edit" checked="checked" disabled="disabled" /> Edit + class="noaccessinfo"> name="record_create" checked="checked" disabled="disabled" /> Create + class="noaccessinfo"> name="record_delete" checked="checked" disabled="disabled" /> Delete Self: - class="noaccess"> checked="checked" disabled="disabled" /> Edit + class="noaccessinfo"> name="self_edit" checked="checked" disabled="disabled" /> Edit Index: /trunk/templates/user.tmpl =================================================================== --- /trunk/templates/user.tmpl (revision 67) +++ /trunk/templates/user.tmpl (revision 67) @@ -0,0 +1,103 @@ + + + + + +
+ +
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Error addingupdating user :
Add User
Username:
First Name:
Last Name:
Password:
Confirm Password:
Account Type:User
Create as active user
+ + + + + + + + + + + + + + + + + + + + + +
+ checked="checked"checked="checked"/> Inherit permissions from group +
+ checked="checked"/> Clone permissions from an existing user +
+ Note: Only users in the current group may be cloned
+ +
+ checked="checked"/> Specify permissions +
+ +
tmp note: radio button select "group template" vs "clone user"?
+ +
+
+ +
Index: /trunk/templates/useradmin.tmpl =================================================================== --- /trunk/templates/useradmin.tmpl (revision 66) +++ /trunk/templates/useradmin.tmpl (revision 67) @@ -5,4 +5,7 @@ + +
Warning:
+
Error deleting user :
@@ -19,5 +22,5 @@ -New User +New User @@ -31,5 +34,5 @@ - +