Changeset 225

Timestamp:

04/14/05 15:45:44 (19 years ago)

Author:

Kris Deugau

Message:

/branches/acl

All access to change or "delete" (static IPs aren't actually
deleted unless the whole pool is) should be ACL-ified. Users
without the "c" ACL cannot make changes to existing allocations.
Users without the "d" ACL cannot delete netblocks, routing
allocations, or master netblocks; they also may not deallocate
static IPs. Checks are also done later in the processing to
make sure that a crafted URL can't get around the restrictions.

editDisplay.html required updates to remove form elements from
the static HTML; users that cannot modify content will still
receive a page with some hidden form elements but no submit
button(s) to change or delete content (as determined by their
ACL).

Location:

branches/acl

Files:

• cgi-bin/main.cgi (modified) (9 diffs)
• editDisplay.html (modified) (1 diff)

branches/acl/cgi-bin/main.cgi

@@ -550 +550 @@
     print qq(<hr width="60%"><center><div class="heading">No allocations in ).
         qq($master.</div>\n).
-        qq(<form action="/ip/cgi-bin/main.cgi" method=POST>\n).
-        qq(<input type=hidden name=action value="delete">\n).
-        qq(<input type=hidden name=block value="$master">\n).
-        qq(<input type=hidden name=alloctype value="mm">\n).
-        qq(<input type=submit value=" Remove this master ">\n).
-        qq(</form></center>\n);
+        ($IPDBacl{$authuser} =~ /d/ ?
+                qq(<form action="/ip/cgi-bin/main.cgi" method=POST>\n).
+                qq(<input type=hidden name=action value="delete">\n).
+                qq(<input type=hidden name=block value="$master">\n).
+                qq(<input type=hidden name=alloctype value="mm">\n).
+                qq(<input type=submit value=" Remove this master ">\n).
+                qq(</form></center>\n) :
+                '');
 
   } # end check for existence of routed blocks in master
@@ -636 +638 @@
     print qq(<hr width="60%"><center><div class="heading">No allocations in ).
         qq($master.</div></center>\n).
-        qq(<form action="/ip/cgi-bin/main.cgi" method=POST>\n).
-        qq(<input type=hidden name=action value="delete">\n).
-        qq(<input type=hidden name=block value="$master">\n).
-        qq(<input type=hidden name=alloctype value="rm">\n).
-        qq(<input type=submit value=" Remove this block ">\n).
-        qq(</form>\n);
+        ($IPDBacl{$authuser} =~ /d/ ?
+                qq(<form action="/ip/cgi-bin/main.cgi" method=POST>\n).
+                qq(<input type=hidden name=action value="delete">\n).
+                qq(<input type=hidden name=block value="$master">\n).
+                qq(<input type=hidden name=alloctype value="rm">\n).
+                qq(<input type=submit value=" Remove this block ">\n).
+                qq(</form>\n) :
+                '');
   }
 
@@ -718 +722 @@
     my @row = ( qq(<a href="/ip/cgi-bin/main.cgi?action=edit&block=$data[0]">$data[0]</a>),
         $data[1],$data[2],$data[3],
-        ( ($data[2] eq 'n') ?
+        ( (($data[2] eq 'n') && ($IPDBacl{$authuser} =~ /d/)) ?
           ("<a href=\"/ip/cgi-bin/main.cgi?action=delete&block=$data[0]&".
            "alloctype=$data[4]\">Unassign this IP</a>") :
@@ -1100 +1104 @@
   $data[2] =~ s/\s//;
 
-##fixme LEGACY CODE
-  # Postfix "i" on pool IP types
-  if ($data[2] =~ /^[cdsmw]$/) {
-    $data[2] .= "i";
-  }
-
   open (HTML, "../editDisplay.html")
         or croak "Could not open editDisplay.html :$!";
@@ -1116 +1114 @@
 # Needs thinking.  Have to allow changes to city to correct errors, no?
   $html =~ s/\$\$BLOCK\$\$/$webvar{block}/g;
-  $html =~ s/\$\$CITY\$\$/$data[3]/g;
+
+  if ($IPDBacl{$authuser} =~ /c/) {
+    $html =~ s/\$\$CUSTID\$\$/<input type=text name=custid value="$data[1]" maxlength=15 class="regular">/;
 
 # Screw it.  Changing allocation types gets very ugly VERY quickly- especially
@@ -1125 +1125 @@
 
 ##fixme The check here should be built from the database
-  if ($data[2] =~ /^.[ne]$/) {
-    # Block that can be changed
-    my $blockoptions = "<select name=alloctype><option".
+    if ($data[2] =~ /^.[ne]$/) {
+      # Block that can be changed
+      my $blockoptions = "<select name=alloctype><option".
         (($data[2] eq 'me') ? ' selected' : '') ." value='me'>Dialup netblock</option>\n<option".
         (($data[2] eq 'de') ? ' selected' : '') ." value='de'>Dynamic DSL netblock</option>\n<option".  (($data[2] eq 'dc') ? ' selected' : '') ." value='dc'>Dynamic cable netblock</option>\n<option".
@@ -1136 +1136 @@
         (($data[2] eq 'in') ? ' selected' : '') ." value='in'>Internal netblock</option>\n".
         "</select>\n";
-    $html =~ s/\$\$TYPESELECT\$\$/$blockoptions/g;
+      $html =~ s/\$\$TYPESELECT\$\$/$blockoptions/g;
+    } else {
+      $html =~ s/\$\$TYPESELECT\$\$/$disp_alloctypes{$data[2]}<input type=hidden name=alloctype value="$data[2]">/g;
+    }
+    $html =~ s/\$\$CITY\$\$/<input type=text name=city value="$data[3]">/g;
+    $html =~ s/\$\$CIRCID\$\$/<input type="text" name="circid" value="$data[4]" maxlength=64 size=64 class="regular">/g;
+    $html =~ s/\$\$DESC\$\$/<input type="text" name="desc" value="$data[5]" maxlength=64 size=64 class="regular">/g;
+    $html =~ s|\$\$NOTES\$\$|<textarea rows="8" cols="64" name="notes" class="regular">$data[6]</textarea>|g;
   } else {
-    $html =~ s/\$\$TYPESELECT\$\$/$disp_alloctypes{$data[2]}<input type=hidden name=alloctype value="$data[2]">/g;
-  }
-
-  # These can be modified, although CustID changes may get ignored.
-  $html =~ s/\$\$CUSTID\$\$/$data[1]/g;
-  $html =~ s/\$\$TYPE\$\$/$data[2]/g;
-  $html =~ s/\$\$CIRCID\$\$/$data[4]/g;
-  $html =~ s/\$\$DESC\$\$/$data[5]/g;
-  $html =~ s/\$\$NOTES\$\$/$data[6]/g;
+    $html =~ s/\$\$CUSTID\$\$/$data[1]/g;
+    $html =~ s/\$\$TYPESELECT\$\$/$disp_alloctypes{$data[2]}/g;
+    $html =~ s/\$\$CITY\$\$/$data[3]/g;
+    $html =~ s/\$\$CIRCID\$\$/$data[4]/g;
+    $html =~ s/\$\$DESC\$\$/$data[5]/g;
+    $html =~ s/\$\$NOTES\$\$/$data[6]/g;
+  }
+
+  # More ACL trickery - we can live with forms that don't submit,
+  # but we can't leave the extra table rows there, and we *really*
+  # can't leave the submit buttons there.
+  my $updok = '';
+  my $i=2;
+  if ($IPDBacl{$authuser} =~ /c/) {
+    $updok = qq(<tr class="color$i"><td colspan=2 class=regular><div class="center">).
+        qq(<input type="submit" value=" Update this block " class="regular">).
+        "</div></td></tr></form>\n";
+    $i--;
+  }
+  $html =~ s/\$\$UPDOK\$\$/$updok/g;
+
+  my $delok = '';
+  if ($IPDBacl{$authuser} =~ /d/) {
+    $delok = qq(<form method="POST" action="main.cgi">
+        <tr class="color$i"><td colspan=2 class="regular"><div class=center>
+        <input type="hidden" name="action" value="delete">
+        <input type="hidden" name="block" value="$webvar{block}">
+        <input type="hidden" name="alloctype" value="$data[2]">
+        <input type=submit value=" Delete this block ">
+        </div></td></tr>);
+  }
+  $html =~ s/\$\$DELOK\$\$/$delok/;
 
   print $html;
@@ -1216 +1246 @@
 # Delete an allocation.
 sub remove {
+  if ($IPDBacl{$authuser} !~ /d/) {
+    printError("You shouldn't have been able to get here.  Access denied.");
+    return;
+  }
+
   #show confirm screen.
   open HTML, "../confirmRemove.html"
@@ -1305 +1340 @@
 # Remove IPs from pool listing if necessary
 sub finalDelete {
+  if ($IPDBacl{$authuser} !~ /d/) {
+    printError("You shouldn't have been able to get here.  Access denied.");
+    return;
+  }
 
   my ($code,$msg) = deleteBlock($ip_dbh, $webvar{block}, $webvar{alloctype});

branches/acl/editDisplay.html

@@ -8 +8 @@
 <tr class="color1"><td class=heading>IP block:</td><td class="regular">$$BLOCK$$</td></tr>
 
-<tr class="color2"><td class=heading>City:</td><td class="regular">
-<input type=text name=city value="$$CITY$$"></td></tr>
+<tr class="color2"><td class=heading>City:</td><td class="regular">$$CITY$$</td></tr>
 
 <tr class="color1"><td class=heading>Type:</td><td class=regular>$$TYPESELECT$$</td></tr>
 
-<tr class="color2"><td class=heading>CustID:</td><td class="regular">
-<input type=text name=custid value="$$CUSTID$$" maxlength=15 class="regular"></td></tr>
+<tr class="color2"><td class=heading>CustID:</td><td class="regular">$$CUSTID$$</td></tr>
 
-<tr class="color1"><td class="heading">Circuit ID:</td><td class="regular">
-<input type="text" name="circid" value="$$CIRCID$$" maxlength=64 size=64 class="regular"></td></tr>
+<tr class="color1"><td class="heading">Circuit ID:</td><td class="regular">$$CIRCID$$</td></tr>
 
-<tr class="color2"><td class="heading">Description/Name:</td><td class="regular">
-<input type="text" name="desc" value="$$DESC$$" maxlength=64 size=64 class="regular"></td></tr>
+<tr class="color2"><td class="heading">Description/Name:</td><td class="regular">$$DESC$$</td></tr>
 
-<tr class="color1"><td class="heading" valign="top">Notes:</td><td class="regular">
-<textarea rows="8" cols="64" name="notes" class="regular">$$NOTES$$</textarea></td></tr>
+<tr class="color1"><td class="heading" valign="top">Notes:</td><td class="regular">$$NOTES$$</td></tr>
 
-<tr class="color2"><td colspan=2 class=regular><div class="center">
-<input type="submit" value=" Update this block " class="regular">
-</div></td></tr></form>
-<form method="POST" action="main.cgi">
-<tr class="color1"><td colspan=2 class="regular"><div class=center>
-<input type="hidden" name="action" value="delete">
-<input type="hidden" name="block" value="$$BLOCK$$">
-<input type="hidden" name="alloctype" value="$$TYPE$$">
-<input type=submit value=" Delete this block ">
-</div></td></tr>
+$$UPDOK$$
+$$DELOK$$
 </form>