Changeset 87

Timestamp:

03/31/11 18:01:43 (13 years ago)

Author:

Kris Deugau

Message:

/trunk

Checkpoint. Permissions manipulation should be complete.
Still need to set up permissions *checking*.

Location:

trunk

Files:

• DNSDB.pm (modified) (12 diffs)
• dns.cgi (modified) (16 diffs)
• dns.sql (modified) (1 diff)
• templates/fpnla.tmpl (modified) (1 diff)
• templates/record.tmpl (modified) (1 diff)

trunk/DNSDB.pm

@@ -240 +240 @@
 # Update an ACL entry
 # Takes a db handle, type, owner-id, and hashref for the changed permissions.
-##fixme: Must handle case of changing object's permissions from inherited to custom
+##fixme: Must handle case of changing object's permissions from custom to inherited
 sub changePermissions {
   my $dbh = shift;
@@ -246 +246 @@
   my $id = shift;
   my $newperms = shift;
+  my $inherit = shift || 0;
 
   my $failmsg = '';
 
-  # see if we're switching from inherited to custom
-  my $sth = $dbh->prepare("SELECT (u.permission_id=g.permission_id) AS was_inherited,u.permission_id".
+  # see if we're switching from inherited to custom.  for bonus points,
+  # snag the permid and parent permid anyway, since we'll need the permid
+  # to set/alter custom perms, and both if we're switching from custom to
+  # inherited.
+  my $sth = $dbh->prepare("SELECT (u.permission_id=g.permission_id) AS was_inherited,u.permission_id,g.permission_id".
         " FROM ".($type eq 'user' ? 'users' : 'groups')." u ".
         " JOIN groups g ON u.".($type eq 'user' ? '' : 'parent_')."group_id=g.group_id ".
@@ -256 +260 @@
   $sth->execute($id);
 
-  my ($wasinherited,$permid) = $sth->fetchrow_array;
+  my ($wasinherited,$permid,$parpermid) = $sth->fetchrow_array;
 
 # hack phtoui
@@ -268 +272 @@
   # Wrap all the SQL in a transaction
   eval {
-    if ($wasinherited) {
+    if ($inherit) {
+
+      $dbh->do("UPDATE ".($type eq 'user' ? 'users' : 'groups')." SET inherit_perm='t',permission_id=? ".
+        "WHERE ".($type eq 'user' ? 'user' : 'group')."_id=?", undef, ($parpermid, $id) );
+      $dbh->do("DELETE FROM permissions WHERE permission_id=?", undef, ($permid) );
+
+    } else {
+
+      if ($wasinherited) {      # munge new permission entry in if we're switching from inherited perms
 ##fixme: need to add semirecursive bit to properly munge inherited permission ID on subgroups and users
-      $dbh->do("INSERT INTO permissions ($permlist) ".
-        "SELECT $permlist FROM permissions WHERE permission_id=?", undef, ($permid) );
-      #$sth = $dbh->prepare($sql);
-      #$sth->execute($permid);
-      $sth = $dbh->prepare("SELECT permission_id FROM ".($type eq 'user' ? 'users' : 'groups').
-        " WHERE ".($type eq 'user' ? 'user' : 'group')."_id=?");
-      $sth->execute($id);
-      ($permid) = $sth->fetchrow_array;
-      $dbh->do("UPDATE permissions SET ".($type eq 'user' ? 'user' : 'group')."_id=? ".
-        "WHERE permission_id=?", undef, ($id,$permid) );
-      $dbh->do("UPDATE ".($type eq 'user' ? 'users' : 'groups')." SET permission_id=? ".
-        "WHERE ".($type eq 'user' ? 'user' : 'group')."_id=?", undef, ($permid,$id) );
-    }
-    foreach (@permtypes) {
-      if (defined ($newperms->{$_})) {
-        $dbh->do("UPDATE permissions SET $_=? WHERE permission_id=?", undef, ($newperms->{$_},$permid) );
-        #$sth->execute($newperms->{$_},$permid);
+# ... if'n'when we have groups with fully inherited permissions.
+        # SQL is coo
+        $dbh->do("INSERT INTO permissions ($permlist,".($type eq 'user' ? 'user' : 'group')."_id) ".
+                "SELECT $permlist,? FROM permissions WHERE permission_id=?", undef, ($id,$permid) );
+        ($permid) = $dbh->selectrow_array("SELECT permission_id FROM permissions ".
+                "WHERE ".($type eq 'user' ? 'user' : 'group')."_id=?", undef, ($id) );
+        $dbh->do("UPDATE ".($type eq 'user' ? 'users' : 'groups')." SET inherit_perm='f',permission_id=? ".
+                "WHERE ".($type eq 'user' ? 'user' : 'group')."_id=?", undef, ($permid, $id) );
       }
-    }
+
+      # and now set the permissions we were passed
+      foreach (@permtypes) {
+        if (defined ($newperms->{$_})) {
+          $dbh->do("UPDATE permissions SET $_=? WHERE permission_id=?", undef, ($newperms->{$_},$permid) );
+        }
+      }
+
+    } # (inherited->)? custom
 
     $dbh->commit;
@@ -295 +306 @@
     my $msg = $@;
     eval { $dbh->rollback; };
-    return ('FAIL',"$failmsg: $msg");
+    return ('FAIL',"$failmsg: $msg ($permid)");
   } else {
     return ('OK',$permid);
@@ -533 +544 @@
         "VALUES ($groupid,?,?,?,?,?,?,?)");
     if ($inherit) {
-##fixme:  fixme!
+      # Duplicate records from parent.  Actually relying on inherited records feels
+      # very fragile, and it would be problematic to roll over at a later time.
       my $sth2 = $dbh->prepare("SELECT host,type,val,distance,weight,port,ttl FROM default_records WHERE group_id=?");
+      $sth2->execute($pargroup);
       while (my @clonedata = $sth2->fetchrow_array) {
         $sth->execute(@clonedata);
@@ -665 +678 @@
 
 ## DNSDB::addUser()
-#
+# Add a user.
+# Takes a DB handle, username, group ID, password, state (active/inactive).
+# Optionally accepts:
+#   user type (user/admin)      - defaults to user
+#   permissions string          - defaults to inherit from group
+#      three valid forms:
+#       i                    - Inherit permissions
+#       c:<user_id>          - Clone permissions from <user_id>
+#       C:<permission list>  - Set these specific permissions
+#   first name                  - defaults to username
+#   last name                   - defaults to blank
+#   phone                       - defaults to blank (could put other data within column def)
+# Returns (OK,OK) on success, (FAIL,<message>) on failure
 sub addUser {
   $errstr = '';
   my $dbh = shift;
-  return ('FAIL',"Need database handle") if !$dbh;
   my $username = shift;
-  return ('FAIL',"Missing username") if !defined($username);
   my $group = shift;
-  return ('FAIL',"Missing group") if !defined($group);
   my $pass = shift;
-  return ('FAIL',"Missing password") if !defined($pass);
   my $state = shift;
-  return ('FAIL',"Need account status") if !defined($state);
+
+  return ('FAIL',"Missing one or more required entries") if !defined($state);
 
   my $type = shift || 'u';      # create limited users by default - fwiw, not sure yet how this will interact with ACLs
@@ -701 +723 @@
   local $dbh->{RaiseError} = 1;
 
+my $failmsg;
   # Wrap all the SQL in a transaction
   eval {
-    # insert the user...
-    my $sth = $dbh->prepare("INSERT INTO users (group_id,username,password,firstname,lastname,phone,type,status) ".
-        "VALUES (?,?,?,?,?,?,?,?)");
-    $sth->execute($group,$username,unix_md5_crypt($pass),$fname,$lname,$phone,$type,$state);
+    # insert the user...  note we set inherited perms by default since
+    # it's simple and cleans up some other bits of state
+    my $sth = $dbh->prepare("INSERT INTO users ".
+        "(group_id,username,password,firstname,lastname,phone,type,status,permission_id,inherit_perm) ".
+        "VALUES (?,?,?,?,?,?,?,?,(SELECT permission_id FROM permissions WHERE group_id=?),'t')");
+    $sth->execute($group,$username,unix_md5_crypt($pass),$fname,$lname,$phone,$type,$state,$group);
 
     # get the ID...
@@ -713 +738 @@
     ($user_id) = $sth->fetchrow_array();
 
+# Permissions!  Gotta set'em all!
+    die "Invalid permission string $permstring"
+        if $permstring !~ /^(?:
+                i       # inherit
+                |c:\d+  # clone
+                        # custom.  no, the leading , is not a typo
+                |C:(?:,(?:group|user|domain|record|self)_(?:edit|create|delete))+
+                )$/x;
+# bleh.  I'd call another function to do my dirty work, but we're in the middle of a transaction already.
+    if ($permstring ne 'i') {
+      # for cloned or custom permissions, we have to create a new permissions entry.
+      my $clonesrc = $group;
+      if ($permstring =~ /^c:(\d+)/) { $clonesrc = $1; }
+      $dbh->do("INSERT INTO permissions ($permlist,user_id) ".
+        "SELECT $permlist,? FROM permissions WHERE permission_id=".
+        "(SELECT permission_id FROM permissions WHERE ".($permstring =~ /^c:/ ? 'user' : 'group')."_id=?)",
+        undef, ($user_id,$clonesrc) );
+      $dbh->do("UPDATE users SET permission_id=".
+        "(SELECT permission_id FROM permissions WHERE user_id=?) ".
+        "WHERE user_id=?", undef, ($user_id, $user_id) );
+    }
+    if ($permstring =~ /^C:/) {
+      # finally for custom permissions, we set the passed-in permissions (and unset
+      # any that might have been brought in by the clone operation above)
+      my ($permid) = $dbh->selectrow_array("SELECT permission_id FROM permissions WHERE user_id=?",
+        undef, ($user_id) );
+      foreach (@permtypes) {
+        if ($permstring =~ /,$_/) {
+          $dbh->do("UPDATE permissions SET $_='t' WHERE permission_id=?", undef, ($permid) );
+        } else {
+          $dbh->do("UPDATE permissions SET $_='f' WHERE permission_id=?", undef, ($permid) );
+        }
+      }
+    }
+
+    $dbh->do("UPDATE users SET inherit_perm='n' WHERE user_id=?", undef, ($user_id) );
+
 ##fixme: add another table to hold name/email for log table?
-die "dying horribly\n";
+#die "dying horribly ($permstring, $user_id)";
 
     # once we get here, we should have suceeded.
@@ -723 +785 @@
     my $msg = $@;
     eval { $dbh->rollback; };
-    return ('FAIL',$msg);
+    return ('FAIL',$msg." $failmsg");
   } else {
     return ('OK',$user_id);
@@ -762 +824 @@
   my $pass = shift;
   my $state = shift;
-  my $type = shift;
+  my $type = shift || 'u';
   my $fname = shift || $username;
   my $lname = shift || '';
@@ -1136 +1198 @@
   my $id = shift;
 
-return "FAIL", "wakka wakka";
   my $sth = $dbh->prepare("DELETE FROM ".($defrec eq 'y' ? 'default_' : '')."records WHERE record_id=?");
   $sth->execute($id);

trunk/dns.cgi

@@ -7 +7 @@
 # Last update by $Author$
 ###
-# Copyright (C) 2008,2009 - Kris Deugau <kdeugau@deepnet.cx>
+# Copyright (C) 2008-2011 - Kris Deugau <kdeugau@deepnet.cx>
 
 use strict;
@@ -261 +261 @@
   $sortorder = $session->param($webvar{page}.'order');
 
-##work
 # set up the headers
   my @cols = ('host', 'type', 'val', 'distance', 'weight', 'port', 'ttl');
@@ -275 +274 @@
   $page->param(defrec => $webvar{defrec});
   if ($webvar{defrec} eq 'y') {
-##fixme: hardcoded group
     showdomain('y',$curgroup);
   } else {
@@ -291 +289 @@
   if ($webvar{recact} eq 'new') {
 
-    $page->param(todo => "Add record to");
+    $page->param(todo => "Add record");
     $page->param(recact => "add");
     $page->param(parentid => $webvar{parentid});
@@ -324 +322 @@
       $page->param(errmsg       => $msg);
       $page->param(wastrying    => "adding");
-      $page->param(todo         => "Add record to");
+      $page->param(todo         => "Add record");
       $page->param(recact       => "add");
       $page->param(parentid     => $webvar{parentid});
@@ -613 +611 @@
 
     my $alterperms = 0; # flag iff we need to force custom permissions due to user's current access limits
-    my %newperms;
+
+    my %newperms;       # we're going to prefill the existing permissions, so we can change them.
+    getPermissions($dbh, 'user', $webvar{uid}, \%newperms);
 
     if ($webvar{pass1} ne $webvar{pass2}) {
@@ -642 +642 @@
         $permstring = 'C:';
         foreach (@permtypes) {
-          $newperms{$_} = 0;
-          $newperms{$_} = 1 if $webvar{$_} eq 'on';
-          if ($permissions{admin}) {
+          if ($permissions{admin} || $permissions{$_}) {
             $permstring .= ",$_" if defined($webvar{$_}) && $webvar{$_} eq 'on';
-          } else {
-            $permstring .= ",$_" if $permissions{$_} && defined($webvar{$_}) && $webvar{$_} eq 'on';
+            $newperms{$_} = (defined($webvar{$_}) && $webvar{$_} eq 'on' ? 1 : 0);
           }
         }
@@ -653 +650 @@
       } elsif ($permissions{admin} && $webvar{perms_type} eq 'clone') {
         $permstring = "c:$webvar{clonesrc}";
+        getPermissions($dbh, 'user', $webvar{clonesrc}, \%newperms);
         $page->param(perm_clone => 1);
       } else {
@@ -671 +669 @@
 ##fixme - need to actually get a correct permission set to pass in here,
 # also a flag to revert custom permissions to inherited
-##work
-          ($code,$msg) = changePermissions($dbh, 'user', $webvar{uid}, \%newperms);
+          ($code,$msg) = changePermissions($dbh, 'user', $webvar{uid}, \%newperms, ($permstring eq 'i'));
         }
       }
@@ -694 +691 @@
       $page->param(action => $webvar{action});
       $page->param(set_permgroup => 1);
+      if ($webvar{perms_type} eq 'inherit') {   # set permission class radio
+        $page->param(perm_inherit => 1);
+      } elsif ($webvar{perms_type} eq 'clone') {
+        $page->param(perm_clone => 1);
+      } else {
+        $page->param(perm_custom => 1);
+      }
       $page->param(uname => $webvar{uname});
       $page->param(fname => $webvar{fname});
@@ -724 +728 @@
     $page->param(fname => $userinfo->{firstname});
     $page->param(lname => $userinfo->{lastname});
+    $page->param(set_permgroup => 1);
     if ($userinfo->{inherit_perm}) {
       $page->param(perm_inherit => 1);
@@ -729 +734 @@
       $page->param(perm_custom => 1);
     }
-
+##work
 #  } elsif ($webvar{action} eq 'update') {
   } else {
@@ -1043 +1048 @@
 }
 
+print "<pre>\n";
 foreach (@debugbits) { print; }
+print "</pre>\n";
 
 # spit it out
@@ -1239 +1246 @@
   $sth->execute;
 
+  # shut up some warnings, but don't stomp on caller's state
+  local $webvar{clonesrc} = 0 if !defined($webvar{clonesrc});
+
   my @clonesrc;
   while (my ($username,$uid) = $sth->fetchrow_array) {
@@ -1276 +1286 @@
         $page->param(lastoffs => int (($count-1)/$perpage));
       }
+    } else {
+      $page->param(onepage => 1);
     }
   }
@@ -1374 +1386 @@
 } # end listdomains()
 
+
 sub listgroups {
 

trunk/dns.sql

@@ -251 +251 @@
 SELECT pg_catalog.setval('default_records_record_id_seq', 8, true);
 SELECT pg_catalog.setval('domains_domain_id_seq', 1, false);
-SELECT pg_catalog.setval('groups_group_id_seq', 2, true);
-SELECT pg_catalog.setval('permissions_permission_id_seq', 3, true);
+SELECT pg_catalog.setval('groups_group_id_seq', 1, true);
+SELECT pg_catalog.setval('permissions_permission_id_seq', 2, true);
 SELECT pg_catalog.setval('records_record_id_seq', 1, false);
 SELECT pg_catalog.setval('users_user_id_seq', 2, false);

trunk/templates/fpnla.tmpl

@@ -3 +3 @@
 <TMPL_IF navnext><a href="dns.cgi?sid=<TMPL_VAR NAME=sid>&amp;page=<TMPL_VAR NAME=curpage>&amp;offset=<TMPL_VAR NAME=nextoffs><TMPL_IF id>&amp;id=<TMPL_VAR NAME=id></TMPL_IF><TMPL_IF defrec>&amp;defrec=<TMPL_VAR NAME=defrec></TMPL_IF>">Next<img src="images/fwd.png" alt="[ Next ]" /></a><TMPL_ELSE>Next<img src="images/fwd.png" alt="[ Next ]" /></TMPL_IF>&nbsp;
 <TMPL_IF navlast><a href="dns.cgi?sid=<TMPL_VAR NAME=sid>&amp;page=<TMPL_VAR NAME=curpage>&amp;offset=<TMPL_VAR NAME=lastoffs><TMPL_IF id>&amp;id=<TMPL_VAR NAME=id></TMPL_IF><TMPL_IF defrec>&amp;defrec=<TMPL_VAR NAME=defrec></TMPL_IF>">Last<img src="images/ffwd.png" alt="[ Last ]" /></a><TMPL_ELSE>Last<img src="images/ffwd.png" alt="[ Last ]" /></TMPL_IF>&nbsp;
-<TMPL_IF navall><a href="dns.cgi?sid=<TMPL_VAR NAME=sid>&amp;page=<TMPL_VAR NAME=curpage>&amp;offset=all<TMPL_IF id>&amp;id=<TMPL_VAR NAME=id></TMPL_IF><TMPL_IF defrec>&amp;defrec=<TMPL_VAR NAME=defrec></TMPL_IF>">All</a><TMPL_ELSE><a href="dns.cgi?sid=<TMPL_VAR NAME=sid>&amp;page=<TMPL_VAR NAME=curpage>&amp;offset=0<TMPL_IF id>&amp;id=<TMPL_VAR NAME=id></TMPL_IF><TMPL_IF defrec>&amp;defrec=<TMPL_VAR NAME=defrec></TMPL_IF>"><TMPL_VAR NAME=perpage> per page</a></TMPL_IF>
+<TMPL_IF navall><a href="dns.cgi?sid=<TMPL_VAR NAME=sid>&amp;page=<TMPL_VAR NAME=curpage>&amp;offset=all<TMPL_IF id>&amp;id=<TMPL_VAR NAME=id></TMPL_IF><TMPL_IF defrec>&amp;defrec=<TMPL_VAR NAME=defrec></TMPL_IF>">All</a><TMPL_ELSE><TMPL_UNLESS onepage><a href="dns.cgi?sid=<TMPL_VAR NAME=sid>&amp;page=<TMPL_VAR NAME=curpage>&amp;offset=0<TMPL_IF id>&amp;id=<TMPL_VAR NAME=id></TMPL_IF><TMPL_IF defrec>&amp;defrec=<TMPL_VAR NAME=defrec></TMPL_IF>"><TMPL_VAR NAME=perpage> per page</a></TMPL_UNLESS></TMPL_IF>

trunk/templates/record.tmpl

@@ -54 +54 @@
         </tr>
         <tr class="datalinelight">
-                <td colspan="2" align="center"><input type="submit" value=" Add record " /></td>
+                <td colspan="2" align="center"><input type="submit" value=" <TMPL_VAR NAME=todo> " /></td>
         </tr>
         </table>