Changeset 95 for trunk/dns.cgi


Ignore:
Timestamp:
04/15/11 17:53:45 (14 years ago)
Author:
Kris Deugau
Message:

/trunk

Add commented attempt to autolocate the script's full base path

for use lib; commented bits fail due to taint mode. *sigh*

Add ACL checks for domain edit, create, and delete. Generalize

error message handling so that we don't get "Error deleting
domain: You don't have permission to add a domain"-ish messages.

Trim some code after a changepage() call (since it issues a 302

redirect and exits...)

Add ACL checks for record edit, create, and delete. Apply similar

error-message handling fixups as done with domain processing.

File:
1 edited

Legend:

Unmodified
Added
Removed

  • trunk/dns.cgi

    r93 r95  
    2222use Data::Dumper;
    2323
     24#sub is_tainted {
     25#  # from perldoc perlsec
     26#  return ! eval { eval("#" . substr(join("", @_), 0, 0)); 1 };
     27#}
     28#use Cwd 'abs_path';
     29#use File::Basename;
     30#use lib dirname( abs_path $0 );
     31#die "argh!  tainted!" if is_tainted($0);
     32#die "argh! \@INC got tainted!" if is_tainted(@INC);
     33
     34# custom modules
    2435use lib '.';
    25 # custom modules
    2636use DNSDB qw(:ALL);
    2737
     
    185195
    186196  $page->param(curpage => $webvar{page});
    187   if ($webvar{del_failed}) {
    188     $page->param(del_failed => 1);
    189     $page->param(errmsg => $webvar{errmsg});
    190   }
     197  $page->param(errmsg => $webvar{errmsg}) if $webvar{errmsg};
     198#  if ($webvar{del_failed}) {
     199#    $page->param(del_failed => 1);
     200#    $page->param(errmsg => $webvar{errmsg});
     201#  }
    191202
    192203  listdomains();
    193204
    194205} elsif ($webvar{page} eq 'newdomain') {
     206
     207  changepage(page => "domlist", errmsg => "You are not permitted to add domains")
     208        unless ($permissions{admin} || $permissions{domain_create});
    195209
    196210  # hmm.  nothing to do here?
     
    204218} elsif ($webvar{page} eq 'adddomain') {
    205219
     220  changepage(page => "domlist", errmsg => "You are not permitted to add domains")
     221        unless ($permissions{admin} || $permissions{domain_create});
     222
    206223  my ($code,$msg) = addDomain($dbh,$webvar{domain},$webvar{group},($webvar{makeactive} eq 'on' ? 1 : 0));
    207224
     
    216233} elsif ($webvar{page} eq 'deldom') {
    217234
     235  changepage(page => "domlist", errmsg => "You are not permitted to delete domains")
     236        unless ($permissions{admin} || $permissions{domain_delete});
     237
    218238  $page->param(id => $webvar{id});
    219239
     
    232252# need to find failure mode
    233253      logaction($webvar{id}, $session->param("username"), $pargroup, "Failed to delete domain $dom ($msg)");
    234       changepage(page => "domlist", del_failed => 1, errmsg => $msg);
     254      changepage(page => "domlist", errmsg => "Error deleting domain $dom: $msg");
    235255    } else {
    236256      logaction($webvar{id}, $session->param("username"), $pargroup, "Deleted domain $dom");
     
    244264
    245265} elsif ($webvar{page} eq 'reclist') {
     266
     267##fixme:  ACL needs pondering.  Does "edit domain" interact with record add/remove/etc?
     268# Note this seems to be answered "no" in Vega.
     269# ACLs
     270  $page->param(record_create    => ($permissions{admin} || $permissions{record_create}) );
     271#  $page->param(record_edit     => ($permissions{admin} || $permissions{record_edit}) );
     272  $page->param(record_delete    => ($permissions{admin} || $permissions{record_delete}) );
    246273
    247274  # Handle record list for both default records (per-group) and live domain records
     
    280307  }
    281308
    282   if ($webvar{del_failed}) {
    283     $page->param(del_failed => 1);
    284     $page->param(errmsg => $webvar{errmsg});
    285   }
     309  $page->param(errmsg => $webvar{errmsg}) if $webvar{errmsg};
    286310
    287311} elsif ($webvar{page} eq 'record') {
    288312
    289313  if ($webvar{recact} eq 'new') {
     314
     315    changepage(page => "reclist", errmsg => "You are not permitted to add records", id => $webvar{parentid})
     316        unless ($permissions{admin} || $permissions{record_create});
    290317
    291318    $page->param(todo => "Add record");
     
    297324
    298325  } elsif ($webvar{recact} eq 'add') {
     326
     327    changepage(page => "reclist", errmsg => "You are not permitted to add records", id => $webvar{parentid})
     328        unless ($permissions{admin} || $permissions{record_create});
    299329
    300330    my @recargs = ($dbh,$webvar{defrec},$webvar{parentid},$webvar{name},$webvar{type},$webvar{address},$webvar{ttl});
     
    339369  } elsif ($webvar{recact} eq 'edit') {
    340370
     371    changepage(page => "reclist", errmsg => "You are not permitted to edit records", id => $webvar{parentid})
     372        unless ($permissions{admin} || $permissions{record_edit});
     373
    341374    $page->param(todo           => "Update record");
    342375    $page->param(recact         => "update");
     
    354387
    355388  } elsif ($webvar{recact} eq 'update') {
     389
     390    changepage(page => "reclist", errmsg => "You are not permitted to edit records", id => $webvar{parentid})
     391        unless ($permissions{admin} || $permissions{record_edit});
    356392
    357393    my ($code,$msg) = updateRec($dbh,$webvar{defrec},$webvar{id},
     
    402438
    403439} elsif ($webvar{page} eq 'delrec') {
     440
     441  changepage(page => "reclist", errmsg => "You are not permitted to delete records", id => $webvar{parentid})
     442        unless ($permissions{admin} || $permissions{record_delete});
    404443
    405444  $page->param(id => $webvar{id});
     
    427466      }
    428467      changepage(page => "reclist", id => $webvar{parentid}, defrec => $webvar{defrec},
    429                 del_failed => 1, errmsg => $msg);
    430       $page->param(del_failed => 1);
    431       $page->param(errmsg => $msg);
    432       showdomain($webvar{defrec}, $webvar{parentid});
     468                errmsg => "Error deleting record: $msg");
     469#      $page->param(del_failed => 1);
     470#      $page->param(errmsg => $msg);
     471#      showdomain($webvar{defrec}, $webvar{parentid});
    433472    } else {
    434473      if ($webvar{defrec} eq 'y') {
     
    11951234    $rec->{port} = 'n/a' unless ($rec->{type} eq 'SRV');
    11961235    $row++;
     1236# ACLs
     1237    $rec->{record_edit} = ($permissions{admin} || $permissions{record_edit});
     1238    $rec->{record_delete} = ($permissions{admin} || $permissions{record_delete});
    11971239  }
    11981240  $page->param(reclist => $foo2);
     
    13191361  $filter = $session->param($webvar{page}.'filter');
    13201362  $searchsubs = $session->param($webvar{page}.'searchsubs');
     1363
     1364# ACLs
     1365  $page->param(domain_create    => ($permissions{admin} || $permissions{domain_create}) );
     1366  $page->param(domain_edit      => ($permissions{admin} || $permissions{domain_edit}) );
     1367  $page->param(domain_delete    => ($permissions{admin} || $permissions{domain_delete}) );
    13211368
    13221369##fixme:  $logingroup or $curgroup?
     
    13871434    $row{sid} = $sid;
    13881435    $row{offset} = $offset;
     1436# ACLs
     1437    $row{domain_edit} = ($permissions{admin} || $permissions{domain_edit});
     1438    $row{domain_delete} = ($permissions{admin} || $permissions{domain_delete});
    13891439##fixme:  need to clean up status indicator/usage/inversion
    13901440    push @domlist, \%row;
Note: See TracChangeset for help on using the changeset viewer.