Timestamp:
04/13/05 17:23:47 (20 years ago)
Author:
Kris Deugau
Message:

/branches/acl

All access to add new records should be ACL-ified. Users without
the "a" ACL option cannot add a new master block, or click the
"Add new assignment" link; the links aren't there to click.
They cannot assign existing free blocks; the link has been
removed. Checks are also done later in the processing to make
sure that a crafted URL can't get around the restrictions.

printHeader() in CommonWeb.pm has been updated to allow replacement
of arbitrary elements in the header.inc file. It is now called
*once* at the beginning of main.cgi to allow the "Add new assignment"
link to be disabled.

A new sub, exitError(), has been added to deal with the (rare)
case where the code must exit with an error before anything (like
HTTP headers, as required for CGI) has been printed.

File:
1 edited

  • branches/acl/cgi-bin/main.cgi

    r221 r223  
    2222openlog "IPDB","pid","local2";
    2323
    24 # Present HTTP AUTH headers, as well as opening content-type.
    25 #print 'WWW-Authenticate: Basic realm="ViaNet IP Database"\n';
    26 # Collect the username from HTTP auth.  If undefined, we're in a test environment.
     24# Collect the username from HTTP auth.  If undefined, we're in
     25# a test environment, or called without a username.
    2726my $authuser;
    2827if (!defined($ENV{'REMOTE_USER'})) {
     
    4140($ip_dbh,$errstr) = connectDB_My;
    4241if (!$ip_dbh) {
    43   printAndExit("Database error: $errstr\n");
     42  exitError("Database error: $errstr\n");
    4443}
    4544initIPDBGlobals($ip_dbh);
     45
     46# Headerize!  Make sure we replace the $$EXTRA0$$ bit as needed.
     47printHeader('', ($IPDBacl{$authuser} =~ /a/ ?
     48        '<a href="/ip/cgi-bin/main.cgi?action=assign">Add new assignment</a>' : ''
     49        ));
     50
    4651
    4752#prototypes
     
    6671if($webvar{action} eq 'index') {
    6772  showSummary();
     73} elsif ($webvar{action} eq 'addmaster') {
     74  if ($IPDBacl{$authuser} !~ /a/) {
     75    printError("You shouldn't have been able to get here.  Access denied.");
     76  } else {
     77    open HTML, "<../addmaster.html";
     78    print while <HTML>;
     79  }
    6880} elsif ($webvar{action} eq 'newmaster') {
    69   printHeader('');
    70 
    71   my $cidr = new NetAddr::IP $webvar{cidr};
    72 
    73   print "<div type=heading align=center>Adding $cidr as master block....</div>\n";
    74 
    75   # Allow transactions, and raise an exception on errors so we can catch it later.
    76   # Use local to make sure these get "reset" properly on exiting this block
    77   local $ip_dbh->{AutoCommit} = 0;
    78   local $ip_dbh->{RaiseError} = 1;
    79 
    80   # Wrap the SQL in a transaction
    81   eval {
    82     $sth = $ip_dbh->prepare("insert into masterblocks values ('$webvar{cidr}')");
    83     $sth->execute;
     81
     82  if ($IPDBacl{$authuser} !~ /a/) {
     83    printError("You shouldn't have been able to get here.  Access denied.");
     84  } else {
     85
     86    my $cidr = new NetAddr::IP $webvar{cidr};
     87
     88    print "<div type=heading align=center>Adding $cidr as master block....</div>\n";
     89
     90    # Allow transactions, and raise an exception on errors so we can catch it later.
     91    # Use local to make sure these get "reset" properly on exiting this block
     92    local $ip_dbh->{AutoCommit} = 0;
     93    local $ip_dbh->{RaiseError} = 1;
     94
     95    # Wrap the SQL in a transaction
     96    eval {
     97      $sth = $ip_dbh->prepare("insert into masterblocks values ('$webvar{cidr}')");
     98      $sth->execute;
    8499
    85100# Unrouted blocks aren't associated with a city (yet).  We don't rely on this
     
    87102# Thus the "routed" flag.
    88103
    89     $sth = $ip_dbh->prepare("insert into freeblocks (cidr,maskbits,city,routed)".
     104      $sth = $ip_dbh->prepare("insert into freeblocks (cidr,maskbits,city,routed)".
    90105        " values ('$webvar{cidr}',".$cidr->masklen.",'<NULL>','n')");
    91     $sth->execute;
    92 
    93     # If we get here, everything is happy.  Commit changes.
    94     $ip_dbh->commit;
    95   }; # end eval
    96 
    97   if ($@) {
    98     carp "Transaction aborted because $@";
    99     eval { $ip_dbh->rollback; };
    100     syslog "err", "Could not add master block '$webvar{cidr}' to database: '$@'";
    101     printError("Could not add master block $webvar{cidr} to database: $@");
    102   } else {
    103     print "<div type=heading align=center>Success!</div>\n";
    104     syslog "info", "$authuser added master block $webvar{cidr}";
    105   }
     106      $sth->execute;
     107
     108      # If we get here, everything is happy.  Commit changes.
     109      $ip_dbh->commit;
     110    }; # end eval
     111
     112    if ($@) {
     113      carp "Transaction aborted because $@";
     114      eval { $ip_dbh->rollback; };
     115      syslog "err", "Could not add master block '$webvar{cidr}' to database: '$@'";
     116      printError("Could not add master block $webvar{cidr} to database: $@");
     117    } else {
     118      print "<div type=heading align=center>Success!</div>\n";
     119      syslog "info", "$authuser added master block $webvar{cidr}";
     120    }
     121
     122  } # ACL check
    106123
    107124} # end add new master
     
    117134}
    118135elsif($webvar{action} eq 'search') {
    119   printHeader('');
    120136  if (!$webvar{input}) {
    121137    # No search term.  Display everything.
     
    155171# which is not in any way guaranteed to provide anything useful.
    156172else {
    157   printHeader('');
    158173  my $rnd = rand 500;
    159174  my $boing = sprintf("%.2f", rand 500);
     
    394409# Initial display:  Show master blocks with total allocated subnets, total free subnets
    395410sub showSummary {
    396   # this is horrible-ugly-bad and will Go Away real soon now(TM)
    397   print "Content-type: text/html\n\n";
    398411
    399412  startTable('Master netblock', 'Routed netblocks', 'Allocated netblocks',
     
    451464  print "</table>\n";
    452465  if ($IPDBacl{$authuser} =~ /a/) {
    453     print qq(<a href="/ip/addmaster.shtml">Add new master block</a><br><br>\n);
     466    print qq(<a href="/ip/cgi-bin/main.cgi?action=addmaster">Add new master block</a><br><br>\n);
    454467  }
    455468  print "Note:  Free blocks noted here include both routed and unrouted blocks.\n";
     
    464477# else should follow.  YMMV.)
    465478sub showMaster {
    466   printHeader('');
    467479
    468480  print qq(<center><div class="heading">Summarizing routed blocks for ).
     
    577589# not have anything useful to spew.
    578590sub showRBlock {
    579   printHeader('');
    580591
    581592  my $master = new NetAddr::IP $webvar{block};
     
    649660    # Include some HairyPerl(TM) to prefix subblocks with "Sub "
    650661    my @row = ((($data[1] ne 'y' && $data[1] ne 'n') ? 'Sub ' : '').
    651         qq(<a href="/ip/cgi-bin/main.cgi?action=assign&block=$cidr&fbtype=$data[1]">$cidr</a>),
     662        ($IPDBacl{$authuser} =~ /a/ ? qq(<a href="/ip/cgi-bin/main.cgi?action=assign&block=$cidr&fbtype=$data[1]">$cidr</a>) : $cidr),
    652663        $cidr->range);
    653664    printRow(\@row, 'color1') if ($count%2 == 0);
     
    662673# List the IPs used in a pool
    663674sub listPool {
    664   printHeader('');
    665675
    666676  my $cidr = new NetAddr::IP $webvar{pool};
     
    725735# be one of two templates, and the lists come from the database.
    726736sub assignBlock {
    727   printHeader('');
     737
     738  if ($IPDBacl{$authuser} !~ /a/) {
     739    printError("You shouldn't have been able to get here.  Access denied.");
     740    return;
     741  }
    728742
    729743  my $html;
     
    803817# Take info on requested IP assignment and see what we can provide.
    804818sub confirmAssign {
    805   printHeader('');
     819  if ($IPDBacl{$authuser} !~ /a/) {
     820    printError("You shouldn't have been able to get here.  Access denied.");
     821    return;
     822  }
    806823
    807824  my $cidr;
     
    962979# Do the work of actually inserting a block in the database.
    963980sub insertAssign {
     981  if ($IPDBacl{$authuser} !~ /a/) {
     982    printError("You shouldn't have been able to get here.  Access denied.");
     983    return;
     984  }
    964985  # Some things are done more than once.
    965   printHeader('');
    966986  return if !validateInput();
    967987
     
    10611081# action=edit
    10621082sub edit {
    1063   printHeader('');
    10641083
    10651084  my $sql;
     
    11371156# action=update
    11381157sub update {
    1139   printHeader('');
    11401158
    11411159  # Make sure incoming data is in correct format - custID among other things.
     
    11981216# Delete an allocation.
    11991217sub remove {
    1200   printHeader('');
    12011218  #show confirm screen.
    12021219  open HTML, "../confirmRemove.html"
     
    12881305# Remove IPs from pool listing if necessary
    12891306sub finalDelete {
    1290   printHeader('');
    12911307
    12921308  my ($code,$msg) = deleteBlock($ip_dbh, $webvar{block}, $webvar{alloctype});
     
    13111327
    13121328
     1329sub exitError {
     1330  my $errStr = $_[0];
     1331  printHeader('','');
     1332  print qq(<center><p class="regular"> $errStr </p>
     1333<input type="button" value="Back" onclick="history.go(-1)">
     1334</center>
     1335);
     1336  printFooter();
     1337  exit;
     1338} # errorExit
     1339
     1340
    13131341# Just in case we manage to get here.
    13141342exit 0;
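Review bot: The newmaster branch still builds both INSERT statements by interpolating the raw `$webvar{cidr}` into SQL (`insert into masterblocks values ('$webvar{cidr}')` and the freeblocks insert a few lines later), so the new ACL gate restricts who may submit the value but not what it may contain; binding the values with placeholders removes that dependency on the input's shape. The parsed `$cidr` is also never checked for definedness: NetAddr::IP's constructor appears to yield undef for unparsable input, in which case the first INSERT is already sent before `$cidr->masklen` dies inside the eval, and the user sees a rollback message rather than a validation error, so an `if (!defined $cidr)` branch before the transaction would be clearer. In the same hunk the `addmaster` arm does `open HTML, "<../addmaster.html";` with a bareword handle, no failure check and no `close`; `open my $html, '<', '../addmaster.html' or printError("...")` would surface a missing template instead of silently printing nothing. The dispatch chain this hunk belongs to continues outside it.
```perl
    # Wrap the SQL in a transaction; bind values rather than interpolating them.
    eval {
      $sth = $ip_dbh->prepare("insert into masterblocks values (?)");
      $sth->execute($webvar{cidr});
      # … unchanged: comments on unrouted blocks …
      $sth = $ip_dbh->prepare("insert into freeblocks (cidr,maskbits,city,routed)".
        " values (?,?,'<NULL>','n')");
      $sth->execute($webvar{cidr}, $cidr->masklen);
      # … unchanged: commit …
```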