Changeset 95 for trunk

Timestamp:

04/15/11 17:53:45 (14 years ago)

Author:

Kris Deugau

Message:

/trunk

Add commented attempt to autolocate the script's full base path

for use lib; commented bits fail due to taint mode. *sigh*

Add ACL checks for domain edit, create, and delete. Generalize

error message handling so that we don't get "Error deleting
domain: You don't have permission to add a domain"-ish messages.

Trim some code after a changepage() call (since it issues a 302

redirect and exits...)

Add ACL checks for record edit, create, and delete. Apply similar

error-message handling fixups as done with domain processing.

Location:

trunk

Files:

• dns.cgi (modified) (15 diffs)
• templates/domlist.tmpl (modified) (4 diffs)
• templates/reclist.tmpl (modified) (4 diffs)

trunk/dns.cgi

@@ -22 +22 @@
 use Data::Dumper;
 
+#sub is_tainted {
+#  # from perldoc perlsec
+#  return ! eval { eval("#" . substr(join("", @_), 0, 0)); 1 };
+#}
+#use Cwd 'abs_path';
+#use File::Basename;
+#use lib dirname( abs_path $0 );
+#die "argh!  tainted!" if is_tainted($0);
+#die "argh! \@INC got tainted!" if is_tainted(@INC);
+
+# custom modules
 use lib '.';
-# custom modules
 use DNSDB qw(:ALL);
 
@@ -185 +195 @@
 
   $page->param(curpage => $webvar{page});
-  if ($webvar{del_failed}) {
-    $page->param(del_failed => 1);
-    $page->param(errmsg => $webvar{errmsg});
-  }
+  $page->param(errmsg => $webvar{errmsg}) if $webvar{errmsg};
+#  if ($webvar{del_failed}) {
+#    $page->param(del_failed => 1);
+#    $page->param(errmsg => $webvar{errmsg});
+#  }
 
   listdomains();
 
 } elsif ($webvar{page} eq 'newdomain') {
+
+  changepage(page => "domlist", errmsg => "You are not permitted to add domains")
+        unless ($permissions{admin} || $permissions{domain_create});
 
   # hmm.  nothing to do here?
@@ -204 +218 @@
 } elsif ($webvar{page} eq 'adddomain') {
 
+  changepage(page => "domlist", errmsg => "You are not permitted to add domains")
+        unless ($permissions{admin} || $permissions{domain_create});
+
   my ($code,$msg) = addDomain($dbh,$webvar{domain},$webvar{group},($webvar{makeactive} eq 'on' ? 1 : 0));
 
@@ -216 +233 @@
 } elsif ($webvar{page} eq 'deldom') {
 
+  changepage(page => "domlist", errmsg => "You are not permitted to delete domains")
+        unless ($permissions{admin} || $permissions{domain_delete});
+
   $page->param(id => $webvar{id});
 
@@ -232 +252 @@
 # need to find failure mode
       logaction($webvar{id}, $session->param("username"), $pargroup, "Failed to delete domain $dom ($msg)");
-      changepage(page => "domlist", del_failed => 1, errmsg => $msg);
+      changepage(page => "domlist", errmsg => "Error deleting domain $dom: $msg");
     } else {
       logaction($webvar{id}, $session->param("username"), $pargroup, "Deleted domain $dom");
@@ -244 +264 @@
 
 } elsif ($webvar{page} eq 'reclist') {
+
+##fixme:  ACL needs pondering.  Does "edit domain" interact with record add/remove/etc?
+# Note this seems to be answered "no" in Vega.
+# ACLs
+  $page->param(record_create    => ($permissions{admin} || $permissions{record_create}) );
+#  $page->param(record_edit     => ($permissions{admin} || $permissions{record_edit}) );
+  $page->param(record_delete    => ($permissions{admin} || $permissions{record_delete}) );
 
   # Handle record list for both default records (per-group) and live domain records
@@ -280 +307 @@
   }
 
-  if ($webvar{del_failed}) {
-    $page->param(del_failed => 1);
-    $page->param(errmsg => $webvar{errmsg});
-  }
+  $page->param(errmsg => $webvar{errmsg}) if $webvar{errmsg};
 
 } elsif ($webvar{page} eq 'record') {
 
   if ($webvar{recact} eq 'new') {
+
+    changepage(page => "reclist", errmsg => "You are not permitted to add records", id => $webvar{parentid})
+        unless ($permissions{admin} || $permissions{record_create});
 
     $page->param(todo => "Add record");
@@ -297 +324 @@
 
   } elsif ($webvar{recact} eq 'add') {
+
+    changepage(page => "reclist", errmsg => "You are not permitted to add records", id => $webvar{parentid})
+        unless ($permissions{admin} || $permissions{record_create});
 
     my @recargs = ($dbh,$webvar{defrec},$webvar{parentid},$webvar{name},$webvar{type},$webvar{address},$webvar{ttl});
@@ -339 +369 @@
   } elsif ($webvar{recact} eq 'edit') {
 
+    changepage(page => "reclist", errmsg => "You are not permitted to edit records", id => $webvar{parentid})
+        unless ($permissions{admin} || $permissions{record_edit});
+
     $page->param(todo           => "Update record");
     $page->param(recact         => "update");
@@ -354 +387 @@
 
   } elsif ($webvar{recact} eq 'update') {
+
+    changepage(page => "reclist", errmsg => "You are not permitted to edit records", id => $webvar{parentid})
+        unless ($permissions{admin} || $permissions{record_edit});
 
     my ($code,$msg) = updateRec($dbh,$webvar{defrec},$webvar{id},
@@ -402 +438 @@
 
 } elsif ($webvar{page} eq 'delrec') {
+
+  changepage(page => "reclist", errmsg => "You are not permitted to delete records", id => $webvar{parentid})
+        unless ($permissions{admin} || $permissions{record_delete});
 
   $page->param(id => $webvar{id});
@@ -427 +466 @@
       }
       changepage(page => "reclist", id => $webvar{parentid}, defrec => $webvar{defrec},
-                del_failed => 1, errmsg => $msg);
-      $page->param(del_failed => 1);
-      $page->param(errmsg => $msg);
-      showdomain($webvar{defrec}, $webvar{parentid});
+                errmsg => "Error deleting record: $msg");
+#      $page->param(del_failed => 1);
+#      $page->param(errmsg => $msg);
+#      showdomain($webvar{defrec}, $webvar{parentid});
     } else {
       if ($webvar{defrec} eq 'y') {
@@ -1195 +1234 @@
     $rec->{port} = 'n/a' unless ($rec->{type} eq 'SRV');
     $row++;
+# ACLs
+    $rec->{record_edit} = ($permissions{admin} || $permissions{record_edit});
+    $rec->{record_delete} = ($permissions{admin} || $permissions{record_delete});
   }
   $page->param(reclist => $foo2);
@@ -1319 +1361 @@
   $filter = $session->param($webvar{page}.'filter');
   $searchsubs = $session->param($webvar{page}.'searchsubs');
+
+# ACLs
+  $page->param(domain_create    => ($permissions{admin} || $permissions{domain_create}) );
+  $page->param(domain_edit      => ($permissions{admin} || $permissions{domain_edit}) );
+  $page->param(domain_delete    => ($permissions{admin} || $permissions{domain_delete}) );
 
 ##fixme:  $logingroup or $curgroup?
@@ -1387 +1434 @@
     $row{sid} = $sid;
     $row{offset} = $offset;
+# ACLs
+    $row{domain_edit} = ($permissions{admin} || $permissions{domain_edit});
+    $row{domain_delete} = ($permissions{admin} || $permissions{domain_delete});
 ##fixme:  need to clean up status indicator/usage/inversion
     push @domlist, \%row;

trunk/templates/domlist.tmpl

@@ -5 +5 @@
 <td align="center">
 
- <TMPL_IF del_failed>
-  <div class='errmsg'>Error deleting domain <TMPL_VAR NAME=domain>: <TMPL_VAR NAME=errmsg></div>
+ <TMPL_IF errmsg>
+  <div class='errmsg'><TMPL_VAR NAME=errmsg></div>
  </TMPL_IF>
 
@@ -19 +19 @@
 </tr>
 <tr><td colspan="3" align="center"><TMPL_INCLUDE NAME="lettsearch.tmpl"></td></tr>
-<tr><td colspan="3" align="right"><a href="dns.cgi?sid=<TMPL_VAR NAME=sid>&amp;page=newdomain">New Domain</a></td></tr>
+<tr><td colspan="3" align="right"><TMPL_IF domain_create><a href="dns.cgi?sid=<TMPL_VAR NAME=sid>&amp;page=newdomain">New Domain</a></TMPL_IF></td></tr>
 </table>
 
@@ -31 +31 @@
 src="images/<TMPL_VAR NAME=sortorder>.png" /></TMPL_IF></td>
 </TMPL_LOOP>
-        <td class="datahead_s">Change Status</td>
-        <td class="datahead_s">Delete</td>
+<TMPL_IF domain_edit>   <td class="datahead_s">Change Status</td></TMPL_IF>
+<TMPL_IF domain_delete> <td class="datahead_s">Delete</td></TMPL_IF>
 </tr>
 <TMPL_IF name=domtable>
@@ -40 +40 @@
         <td><TMPL_VAR name=status></td>
         <td><TMPL_VAR name=group></td>
-        <td align="center"><a href="dns.cgi?sid=<TMPL_VAR NAME=sid>&amp;page=domlist<TMPL_IF NAME=offset>&amp;offset=<TMPL_VAR NAME=offset></TMPL_IF>&amp;id=<TMPL_VAR NAME=domainid>&amp;action=<TMPL_IF NAME=mkactive>domon<TMPL_ELSE>domoff</TMPL_IF>"><TMPL_IF NAME=mkactive>activate<TMPL_ELSE>deactivate</TMPL_IF></a></td>
-        <td align="center"><a href="dns.cgi?sid=<TMPL_VAR NAME=sid>&amp;page=deldom&amp;id=<TMPL_VAR NAME=domainid>"><img src="images/trash2.png" alt="[ Delete ]" /></a></td>
+<TMPL_IF domain_edit>   <td align="center"><a href="dns.cgi?sid=<TMPL_VAR NAME=sid>&amp;page=domlist<TMPL_IF NAME=offset>&amp;offset=<TMPL_VAR NAME=offset></TMPL_IF>&amp;id=<TMPL_VAR NAME=domainid>&amp;action=<TMPL_IF NAME=mkactive>domon<TMPL_ELSE>domoff</TMPL_IF>"><TMPL_IF NAME=mkactive>activate<TMPL_ELSE>deactivate</TMPL_IF></a></td></TMPL_IF>
+<TMPL_IF domain_delete> <td align="center"><a href="dns.cgi?sid=<TMPL_VAR NAME=sid>&amp;page=deldom&amp;id=<TMPL_VAR NAME=domainid>"><img src="images/trash2.png" alt="[ Delete ]" /></a></td></TMPL_IF>
 </tr>
 </TMPL_LOOP>

trunk/templates/reclist.tmpl

@@ -5 +5 @@
 <td align="center" valign="top">
 
- <TMPL_IF del_failed>
-  <div class='errmsg'>Error deleting record: <TMPL_VAR NAME=errmsg></div>
+ <TMPL_IF errmsg>
+  <div class='errmsg'><TMPL_VAR NAME=errmsg></div>
  </TMPL_IF>
 
@@ -41 +41 @@
 <tr class="darkrowheader">
         <td colspan="4">Records</td>
-        <td align="right"><a href="dns.cgi?sid=<TMPL_VAR NAME=sid>&amp;page=record&amp;parentid=<TMPL_VAR NAME=id>&amp;defrec=<TMPL_VAR NAME=defrec>&amp;recact=new">Add record</a></td>
+<TMPL_IF record_create> <td align="right"><a href="dns.cgi?sid=<TMPL_VAR NAME=sid>&amp;page=record&amp;parentid=<TMPL_VAR NAME=id>&amp;defrec=<TMPL_VAR NAME=defrec>&amp;recact=new">Add record</a></td></TMPL_IF>
         <td align="right"><a href="dns.cgi?sid=<TMPL_VAR NAME=sid>&amp;page=log&amp;id=<TMPL_VAR NAME=id><TMPL_IF logdom>&amp;ltype=dom</TMPL_IF>">View log</a></td>
 </tr>
@@ -56 +56 @@
  NAME=defrec>"><TMPL_VAR NAME=colname></a><TMPL_IF NAME=sortorder>&nbsp;<img alt="<TMPL_VAR
  NAME=sortorder>" src="images/<TMPL_VAR NAME=sortorder>.png" /></TMPL_IF></td></TMPL_LOOP>
-        <td>Delete</td>
+<TMPL_IF record_delete> <td>Delete</td></TMPL_IF>
 </tr>
 <TMPL_LOOP NAME=reclist>
 <tr class="row<TMPL_VAR NAME=row>">
-        <td><a href="dns.cgi?sid=<TMPL_VAR NAME=sid>&amp;page=record&amp;parentid=<TMPL_VAR NAME=id>&amp;defrec=<TMPL_VAR NAME=defrec>&amp;recact=edit&amp;id=<TMPL_VAR NAME=record_id>"><TMPL_VAR NAME=host></a></td>
+        <td><TMPL_IF record_edit><a href="dns.cgi?sid=<TMPL_VAR NAME=sid>&amp;page=record&amp;parentid=<TMPL_VAR NAME=id>&amp;defrec=<TMPL_VAR NAME=defrec>&amp;recact=edit&amp;id=<TMPL_VAR NAME=record_id>"><TMPL_VAR NAME=host></a><TMPL_ELSE><TMPL_VAR NAME=host></TMPL_IF></td>
         <td><TMPL_VAR NAME=type></td>
         <td><TMPL_VAR NAME=val></td>
@@ -67 +67 @@
         <td><TMPL_VAR NAME=port></td>
         <td><TMPL_VAR NAME=ttl></td>
-        <td align="center"><a href="dns.cgi?sid=<TMPL_VAR NAME=sid>&amp;page=delrec&amp;id=<TMPL_VAR NAME=record_id>&amp;defrec=<TMPL_VAR NAME=defrec>&amp;parentid=<TMPL_VAR NAME=id>"><img src="images/trash2.png" alt="[ Delete ]" /></a></td>
+<TMPL_IF record_delete> <td align="center"><a href="dns.cgi?sid=<TMPL_VAR NAME=sid>&amp;page=delrec&amp;id=<TMPL_VAR NAME=record_id>&amp;defrec=<TMPL_VAR NAME=defrec>&amp;parentid=<TMPL_VAR NAME=id>"><img src="images/trash2.png" alt="[ Delete ]" /></a></td></TMPL_IF>
 </tr>
 </TMPL_LOOP>