Security review

[Kris Deugau]

XSS/input validation:
Reading back on VegaDNS' history I poked into the CVE issues reported with VegaDNS 0.9.9.1 and 1.1.4. I realized the same message-reporting vulnerability would bite here.

Access scoping:
Check to make sure a user can't access any entity outside of their group tree

[Kris Deugau]

(In [173]) /trunk

Security audit (see #30)

• remove a stale global
• catch and handle bad page parameter

[Kris Deugau]

(In [174]) /trunk

Security review (See #30)

• convert error-message-passing via changepage to use the session to store the message so it can't be fiddled with in transit

[Kris Deugau]

(In [176]) /trunk

Remove some more stale commented code
Remove redundant call to initialze $searchsubs
Security review (see #30)

• set $webvar{page} a little earlier so we don't clutter the session with unusable data
• tweak initialization of $searchsubs. Improved but will still behave a bit strangely if extra data is deliberately or accidentally added to $webvar{searchsubs} (see #31)

[Kris Deugau]

(In [177]) /trunk

Security review (see #30)

• convert resultmsg and warnmsg message-passing to use the session as a data store

[Kris Deugau]

(In [178]) /trunk

Security review (See #30)

• fix up ACL handling in group modification; as with user editing, the user may not make any change that includes access that user does not already have. This may mean removing a permission previously set but which the user doesn't have.

[Kris Deugau]

Change ticket info to cover all security-review changes