Index: trunk/dns.cgi
===================================================================
--- trunk/dns.cgi	(revision 93)
+++ trunk/dns.cgi	(revision 95)
@@ -22,6 +22,16 @@
 use Data::Dumper;
 
+#sub is_tainted {
+#  # from perldoc perlsec
+#  return ! eval { eval("#" . substr(join("", @_), 0, 0)); 1 };
+#}
+#use Cwd 'abs_path';
+#use File::Basename;
+#use lib dirname( abs_path $0 );
+#die "argh!  tainted!" if is_tainted($0);
+#die "argh! \@INC got tainted!" if is_tainted(@INC);
+
+# custom modules
 use lib '.';
-# custom modules
 use DNSDB qw(:ALL);
 
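Review bot: The taint-check experiment at L8–L16 is left behind as commented-out code, and the same pattern recurs with the superseded `del_failed` blocks at L31–L34 and L136–L138; the repository history already preserves the old lines, so delete them rather than keeping commented copies that readers must mentally skip. The surviving `use lib '.'` is resolved against the web server's current working directory rather than the script's own directory, which appears to be what the abandoned `dirname(abs_path $0)` attempt was trying to fix. Until that is settled, a comment above it such as `# '.' assumes the CGI runs with cwd set to its own directory; see the taint notes in history` would record the assumption the module lookup depends on.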
@@ -185,12 +195,16 @@
 
   $page->param(curpage => $webvar{page});
-  if ($webvar{del_failed}) {
-    $page->param(del_failed => 1);
-    $page->param(errmsg => $webvar{errmsg});
-  }
+  $page->param(errmsg => $webvar{errmsg}) if $webvar{errmsg};
+#  if ($webvar{del_failed}) {
+#    $page->param(del_failed => 1);
+#    $page->param(errmsg => $webvar{errmsg});
+#  }
 
   listdomains();
 
 } elsif ($webvar{page} eq 'newdomain') {
+
+  changepage(page => "domlist", errmsg => "You are not permitted to add domains")
+	unless ($permissions{admin} || $permissions{domain_create});
 
   # hmm.  nothing to do here?
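Review bot: The permission guard at L40–L41 only protects the branch if `changepage()` never returns; its definition is outside this diff, so if it merely sends the redirect and falls through, an unpermitted request still continues into the protected code (the same construct is used in the `adddomain`, `deldom`, `record` new/add/edit/update and `delrec` hunks at L47, L55, L92, L100, L107, L116 and L124). Either confirm `changepage` ends with `exit`, or make each guard self-contained: `unless ($permissions{admin} || $permissions{domain_create}) { changepage(page => "domlist", errmsg => "You are not permitted to add domains"); exit; }`. Separately, `$page->param(errmsg => $webvar{errmsg}) if $webvar{errmsg};` on L30 (and again on L86) reflects a request-supplied value into the template; unless the template declares `ESCAPE=HTML` on `errmsg`, it should be HTML-escaped here before being passed through.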
@@ -204,4 +218,7 @@
 } elsif ($webvar{page} eq 'adddomain') {
 
+  changepage(page => "domlist", errmsg => "You are not permitted to add domains")
+	unless ($permissions{admin} || $permissions{domain_create});
+
   my ($code,$msg) = addDomain($dbh,$webvar{domain},$webvar{group},($webvar{makeactive} eq 'on' ? 1 : 0));
 
@@ -216,4 +233,7 @@
 } elsif ($webvar{page} eq 'deldom') {
 
+  changepage(page => "domlist", errmsg => "You are not permitted to delete domains")
+	unless ($permissions{admin} || $permissions{domain_delete});
+
   $page->param(id => $webvar{id});
 
@@ -232,5 +252,5 @@
 # need to find failure mode
       logaction($webvar{id}, $session->param("username"), $pargroup, "Failed to delete domain $dom ($msg)");
-      changepage(page => "domlist", del_failed => 1, errmsg => $msg);
+      changepage(page => "domlist", errmsg => "Error deleting domain $dom: $msg");
     } else {
       logaction($webvar{id}, $session->param("username"), $pargroup, "Deleted domain $dom");
@@ -244,4 +264,11 @@
 
 } elsif ($webvar{page} eq 'reclist') {
+
+##fixme:  ACL needs pondering.  Does "edit domain" interact with record add/remove/etc?
+# Note this seems to be answered "no" in Vega.
+# ACLs
+  $page->param(record_create	=> ($permissions{admin} || $permissions{record_create}) );
+#  $page->param(record_edit	=> ($permissions{admin} || $permissions{record_edit}) );
+  $page->param(record_delete	=> ($permissions{admin} || $permissions{record_delete}) );
 
   # Handle record list for both default records (per-group) and live domain records
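Review bot: The expression `($permissions{admin} || $permissions{record_create})` is now spelled out by hand at every ACL site — here at L74 and L76, in the guards at L41/L48/L56/L93/L101/L108/L117/L125, and per-row at L145–L146, L154–L156 and L163–L164 — so the admin override lives in a dozen places and any future change to it must be repeated everywhere. A single helper keeps it in one place, assuming `%permissions` is a file-scope variable declared before the sub: `sub can_do { my ($perm) = @_; return ($permissions{admin} || $permissions{$perm}); }`, used as `$page->param(record_create => can_do('record_create'));`. The commented-out `record_edit` line at L75 should also be either dropped or explained in the `##fixme` above it, since the `edit`/`update` actions do enforce `record_edit` and the template may expect the flag.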
@@ -280,12 +307,12 @@
   }
 
-  if ($webvar{del_failed}) {
-    $page->param(del_failed => 1);
-    $page->param(errmsg => $webvar{errmsg});
-  }
+  $page->param(errmsg => $webvar{errmsg}) if $webvar{errmsg};
 
 } elsif ($webvar{page} eq 'record') {
 
   if ($webvar{recact} eq 'new') {
+
+    changepage(page => "reclist", errmsg => "You are not permitted to add records", id => $webvar{parentid})
+	unless ($permissions{admin} || $permissions{record_create});
 
     $page->param(todo => "Add record");
@@ -297,4 +324,7 @@
 
   } elsif ($webvar{recact} eq 'add') {
+
+    changepage(page => "reclist", errmsg => "You are not permitted to add records", id => $webvar{parentid})
+	unless ($permissions{admin} || $permissions{record_create});
 
     my @recargs = ($dbh,$webvar{defrec},$webvar{parentid},$webvar{name},$webvar{type},$webvar{address},$webvar{ttl});
@@ -339,4 +369,7 @@
   } elsif ($webvar{recact} eq 'edit') {
 
+    changepage(page => "reclist", errmsg => "You are not permitted to edit records", id => $webvar{parentid})
+	unless ($permissions{admin} || $permissions{record_edit});
+
     $page->param(todo		=> "Update record");
     $page->param(recact		=> "update");
@@ -354,4 +387,7 @@
 
   } elsif ($webvar{recact} eq 'update') {
+
+    changepage(page => "reclist", errmsg => "You are not permitted to edit records", id => $webvar{parentid})
+	unless ($permissions{admin} || $permissions{record_edit});
 
     my ($code,$msg) = updateRec($dbh,$webvar{defrec},$webvar{id},
@@ -402,4 +438,7 @@
 
 } elsif ($webvar{page} eq 'delrec') {
+
+  changepage(page => "reclist", errmsg => "You are not permitted to delete records", id => $webvar{parentid})
+	unless ($permissions{admin} || $permissions{record_delete});
 
   $page->param(id => $webvar{id});
@@ -427,8 +466,8 @@
       }
       changepage(page => "reclist", id => $webvar{parentid}, defrec => $webvar{defrec},
-		del_failed => 1, errmsg => $msg);
-      $page->param(del_failed => 1);
-      $page->param(errmsg => $msg);
-      showdomain($webvar{defrec}, $webvar{parentid});
+		errmsg => "Error deleting record: $msg");
+#      $page->param(del_failed => 1);
+#      $page->param(errmsg => $msg);
+#      showdomain($webvar{defrec}, $webvar{parentid});
     } else {
       if ($webvar{defrec} eq 'y') {
@@ -1195,4 +1234,7 @@
     $rec->{port} = 'n/a' unless ($rec->{type} eq 'SRV');
     $row++;
+# ACLs
+    $rec->{record_edit} = ($permissions{admin} || $permissions{record_edit});
+    $rec->{record_delete} = ($permissions{admin} || $permissions{record_delete});
   }
   $page->param(reclist => $foo2);
@@ -1319,4 +1361,9 @@
   $filter = $session->param($webvar{page}.'filter');
   $searchsubs = $session->param($webvar{page}.'searchsubs');
+
+# ACLs
+  $page->param(domain_create	=> ($permissions{admin} || $permissions{domain_create}) );
+  $page->param(domain_edit	=> ($permissions{admin} || $permissions{domain_edit}) );
+  $page->param(domain_delete	=> ($permissions{admin} || $permissions{domain_delete}) );
 
 ##fixme:  $logingroup or $curgroup?
@@ -1387,4 +1434,7 @@
     $row{sid} = $sid;
     $row{offset} = $offset;
+# ACLs
+    $row{domain_edit} = ($permissions{admin} || $permissions{domain_edit});
+    $row{domain_delete} = ($permissions{admin} || $permissions{domain_delete});
 ##fixme:  need to clean up status indicator/usage/inversion
     push @domlist, \%row;
