Timestamp:
04/14/05 15:45:44 (20 years ago)
Author:
Kris Deugau
Message:

/branches/acl

All access to change or "delete" (static IPs aren't actually
deleted unless the whole pool is) should be ACL-ified. Users
without the "c" ACL cannot make changes to existing allocations.
Users without the "d" ACL cannot delete netblocks, routing
allocations, or master netblocks; they also may not deallocate
static IPs. Checks are also done later in the processing to
make sure that a crafted URL can't get around the restrictions.

editDisplay.html required updates to remove form elements from
the static HTML; users that cannot modify content will still
receive a page with some hidden form elements but no submit
button(s) to change or delete content (as determined by their
ACL).

File:
1 edited

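--- a/branches/acl/cgi-bin/main.cgi
+++ b/branches/acl/cgi-bin/main.cgi
@@ -550,10 +550,12 @@
     print qq(<hr width="60%"><center><div class="heading">No allocations in ).
         qq($master.</div>\n).
-        qq(<form action="/ip/cgi-bin/main.cgi" method=POST>\n).
-        qq(<input type=hidden name=action value="delete">\n).
-        qq(<input type=hidden name=block value="$master">\n).
-        qq(<input type=hidden name=alloctype value="mm">\n).
-        qq(<input type=submit value=" Remove this master ">\n).
-        qq(</form></center>\n);
+        ($IPDBacl{$authuser} =~ /d/ ?
+                qq(<form action="/ip/cgi-bin/main.cgi" method=POST>\n).
+                qq(<input type=hidden name=action value="delete">\n).
+                qq(<input type=hidden name=block value="$master">\n).
+                qq(<input type=hidden name=alloctype value="mm">\n).
+                qq(<input type=submit value=" Remove this master ">\n).
+                qq(</form></center>\n) :
+                '');
 
   } # end check for existence of routed blocks in master
@@ -636,10 +638,12 @@
     print qq(<hr width="60%"><center><div class="heading">No allocations in ).
         qq($master.</div></center>\n).
-        qq(<form action="/ip/cgi-bin/main.cgi" method=POST>\n).
-        qq(<input type=hidden name=action value="delete">\n).
-        qq(<input type=hidden name=block value="$master">\n).
-        qq(<input type=hidden name=alloctype value="rm">\n).
-        qq(<input type=submit value=" Remove this block ">\n).
-        qq(</form>\n);
+        ($IPDBacl{$authuser} =~ /d/ ?
+                qq(<form action="/ip/cgi-bin/main.cgi" method=POST>\n).
+                qq(<input type=hidden name=action value="delete">\n).
+                qq(<input type=hidden name=block value="$master">\n).
+                qq(<input type=hidden name=alloctype value="rm">\n).
+                qq(<input type=submit value=" Remove this block ">\n).
+                qq(</form>\n) :
+                '');
   }
 
@@ -718,5 +722,5 @@
     my @row = ( qq(<a href="/ip/cgi-bin/main.cgi?action=edit&block=$data[0]">$data[0]</a>),
         $data[1],$data[2],$data[3],
-        ( ($data[2] eq 'n') ?
+        ( (($data[2] eq 'n') && ($IPDBacl{$authuser} =~ /d/)) ?
           ("<a href=\"/ip/cgi-bin/main.cgi?action=delete&block=$data[0]&".
            "alloctype=$data[4]\">Unassign this IP</a>") :
@@ -1100,10 +1104,4 @@
   $data[2] =~ s/\s//;
 
-##fixme LEGACY CODE
-  # Postfix "i" on pool IP types
-  if ($data[2] =~ /^[cdsmw]$/) {
-    $data[2] .= "i";
-  }
-
   open (HTML, "../editDisplay.html")
         or croak "Could not open editDisplay.html :$!";
@@ -1116,5 +1114,7 @@
 # Needs thinking.  Have to allow changes to city to correct errors, no?
   $html =~ s/\$\$BLOCK\$\$/$webvar{block}/g;
-  $html =~ s/\$\$CITY\$\$/$data[3]/g;
+
+  if ($IPDBacl{$authuser} =~ /c/) {
+    $html =~ s/\$\$CUSTID\$\$/<input type=text name=custid value="$data[1]" maxlength=15 class="regular">/;
 
 # Screw it.  Changing allocation types gets very ugly VERY quickly- especially
@@ -1125,7 +1125,7 @@
 
 ##fixme The check here should be built from the database
-  if ($data[2] =~ /^.[ne]$/) {
-    # Block that can be changed
-    my $blockoptions = "<select name=alloctype><option".
+    if ($data[2] =~ /^.[ne]$/) {
+      # Block that can be changed
+      my $blockoptions = "<select name=alloctype><option".
         (($data[2] eq 'me') ? ' selected' : '') ." value='me'>Dialup netblock</option>\n<option".
         (($data[2] eq 'de') ? ' selected' : '') ." value='de'>Dynamic DSL netblock</option>\n<option".  (($data[2] eq 'dc') ? ' selected' : '') ." value='dc'>Dynamic cable netblock</option>\n<option".
@@ -1136,15 +1136,45 @@
         (($data[2] eq 'in') ? ' selected' : '') ." value='in'>Internal netblock</option>\n".
         "</select>\n";
-    $html =~ s/\$\$TYPESELECT\$\$/$blockoptions/g;
+      $html =~ s/\$\$TYPESELECT\$\$/$blockoptions/g;
+    } else {
+      $html =~ s/\$\$TYPESELECT\$\$/$disp_alloctypes{$data[2]}<input type=hidden name=alloctype value="$data[2]">/g;
+    }
+    $html =~ s/\$\$CITY\$\$/<input type=text name=city value="$data[3]">/g;
+    $html =~ s/\$\$CIRCID\$\$/<input type="text" name="circid" value="$data[4]" maxlength=64 size=64 class="regular">/g;
+    $html =~ s/\$\$DESC\$\$/<input type="text" name="desc" value="$data[5]" maxlength=64 size=64 class="regular">/g;
+    $html =~ s|\$\$NOTES\$\$|<textarea rows="8" cols="64" name="notes" class="regular">$data[6]</textarea>|g;
   } else {
-    $html =~ s/\$\$TYPESELECT\$\$/$disp_alloctypes{$data[2]}<input type=hidden name=alloctype value="$data[2]">/g;
-  }
-
-  # These can be modified, although CustID changes may get ignored.
-  $html =~ s/\$\$CUSTID\$\$/$data[1]/g;
-  $html =~ s/\$\$TYPE\$\$/$data[2]/g;
-  $html =~ s/\$\$CIRCID\$\$/$data[4]/g;
-  $html =~ s/\$\$DESC\$\$/$data[5]/g;
-  $html =~ s/\$\$NOTES\$\$/$data[6]/g;
+    $html =~ s/\$\$CUSTID\$\$/$data[1]/g;
+    $html =~ s/\$\$TYPESELECT\$\$/$disp_alloctypes{$data[2]}/g;
+    $html =~ s/\$\$CITY\$\$/$data[3]/g;
+    $html =~ s/\$\$CIRCID\$\$/$data[4]/g;
+    $html =~ s/\$\$DESC\$\$/$data[5]/g;
+    $html =~ s/\$\$NOTES\$\$/$data[6]/g;
+  }
+
+  # More ACL trickery - we can live with forms that don't submit,
+  # but we can't leave the extra table rows there, and we *really*
+  # can't leave the submit buttons there.
+  my $updok = '';
+  my $i=2;
+  if ($IPDBacl{$authuser} =~ /c/) {
+    $updok = qq(<tr class="color$i"><td colspan=2 class=regular><div class="center">).
+        qq(<input type="submit" value=" Update this block " class="regular">).
+        "</div></td></tr></form>\n";
+    $i--;
+  }
+  $html =~ s/\$\$UPDOK\$\$/$updok/g;
+
+  my $delok = '';
+  if ($IPDBacl{$authuser} =~ /d/) {
+    $delok = qq(<form method="POST" action="main.cgi">
+        <tr class="color$i"><td colspan=2 class="regular"><div class=center>
+        <input type="hidden" name="action" value="delete">
+        <input type="hidden" name="block" value="$webvar{block}">
+        <input type="hidden" name="alloctype" value="$data[2]">
+        <input type=submit value=" Delete this block ">
+        </div></td></tr>);
+  }
+  $html =~ s/\$\$DELOK\$\$/$delok/;
 
   print $html;
@@ -1216,4 +1246,9 @@
 # Delete an allocation.
 sub remove {
+  if ($IPDBacl{$authuser} !~ /d/) {
+    printError("You shouldn't have been able to get here.  Access denied.");
+    return;
+  }
+
   #show confirm screen.
   open HTML, "../confirmRemove.html"
@@ -1305,4 +1340,8 @@
 # Remove IPs from pool listing if necessary
 sub finalDelete {
+  if ($IPDBacl{$authuser} !~ /d/) {
+    printError("You shouldn't have been able to get here.  Access denied.");
+    return;
+  }
 
   my ($code,$msg) = deleteBlock($ip_dbh, $webvar{block}, $webvar{alloctype});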
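Review bot: The "c" restriction is enforced only in the rendered page: the edit-display hunk swaps text inputs for plain values and drops the "Update this block" button when `$IPDBacl{$authuser}` lacks `c`, but no hunk in this changeset adds a server-side check to the handler that processes the update action, whereas `remove` and `finalDelete` both gain `if ($IPDBacl{$authuser} !~ /d/) { printError("..."); return; }`. Hidden or absent form elements are no barrier, so a user without `c` can still POST `action=update` with the same field names and, unless the update handler (outside these hunks, so I cannot see it) checks the ACL itself, the change will be applied — exactly the crafted-request case the commit message says is covered. The same guard with `/c/` in place of `/d/` belongs at the top of that handler, mirroring the two new checks here. Secondarily, the new edit form interpolates `$data[1]` and `$data[3]`..`$data[6]` into attribute values and a textarea without HTML escaping, so a stored `"` or `</textarea>` breaks out of the element; the removed code also printed these raw, but the attribute context the new lines introduce makes encoding worth adding.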