From bf1c0558f7afb4a6bf1716d533b901f51f60fa4d Mon Sep 17 00:00:00 2001
From: Simon Rettberg
Date: Tue, 27 Feb 2018 14:35:01 +0100
Subject: [dnbd3] Implement permissions
---
 modules-available/dnbd3/hooks/runmode/config.json | 3 +-
 modules-available/dnbd3/page.inc.php | 78 +++++++++++++++-------
 .../dnbd3/permissions/permissions.json | 2 +-
 .../dnbd3/templates/page-serverlist.html | 9 +--
 4 files changed, 61 insertions(+), 31 deletions(-)
diff --git a/modules-available/dnbd3/hooks/runmode/config.json b/modules-available/dnbd3/hooks/runmode/config.json
index a3f6d01f..683e0280 100644
--- a/modules-available/dnbd3/hooks/runmode/config.json
+++ b/modules-available/dnbd3/hooks/runmode/config.json
@@ -4,5 +4,6 @@
 "noSysconfig": true,
 "systemdDefaultTarget": "dnbd3-proxy",
 "allowGenericEditor": true,
- "deleteUrlSnippet": "dummyparam="
+ "deleteUrlSnippet": "dummyparam=",
+ "permission": ".dnbd3.configure.proxy"
 }
\ No newline at end of file
diff --git a/modules-available/dnbd3/page.inc.php b/modules-available/dnbd3/page.inc.php
index d27afe01..afcb9b2c 100644
--- a/modules-available/dnbd3/page.inc.php
+++ b/modules-available/dnbd3/page.inc.php
@@ -39,7 +39,7 @@ class Page_Dnbd3 extends Page
 Message::addError('not-automatic-server', $server['ip']);
 return;
 }
- User::assertPermission('configure.proxy');
+ $this->assertPermission($server);
 $bgr = Request::post('bgr', false, 'bool');
 $firewall = Request::post('firewall', false, 'bool');
 $overrideIp = false;
@@ -87,11 +87,7 @@ class Page_Dnbd3 extends Page
 private function saveServerLocations()
 {
 $server = $this->getServerById();
- if (isset($server['machineuuid'])) {
- User::assertPermission('configure.proxy');
- } else {
- User::assertPermission('configure.external');
- }
+ $this->assertPermission($server);
 $locids = Request::post('location', [], 'array');
 if (empty($locids)) {
 Database::exec('DELETE FROM dnbd3_server_x_location WHERE serverid = :serverid',
@@ -136,13 +132,11 @@ class Page_Dnbd3 extends Page
 private function deleteServer()
 {
 $server = $this->getServerById();
+ $this->assertPermission($server);
 if ($server['fixedip'] === '')
 return;
 if (!is_null($server['machineuuid'])) {
- User::assertPermission('configure.proxy');
 RunMode::setRunMode($server['machineuuid'], 'dnbd3', null, null, null);
- } else {
- User::assertPermission('configure.external');
 }
 Database::exec('DELETE FROM dnbd3_server WHERE serverid = :serverid',
 array('serverid' => $server['serverid']));
@@ -172,7 +166,7 @@ class Page_Dnbd3 extends Page
 User::assertPermission('view.list');
 $dynClients = RunMode::getForMode(Page::getModule(), 'proxy', true, true);
 $res = Database::simpleQuery('SELECT s.serverid, s.machineuuid, s.fixedip, s.lastseen AS dnbd3lastseen,
- s.uptime, s.totalup, s.totaldown, s.clientcount, s.disktotal, s.diskfree, Count(sxl.locationid) AS locations,
+ s.uptime, s.totalup, s.totaldown, s.clientcount, s.disktotal, s.diskfree, GROUP_CONCAT(sxl.locationid) AS locations,
 s.errormsg FROM dnbd3_server s LEFT JOIN dnbd3_server_x_location sxl USING (serverid)
@@ -180,10 +174,22 @@ class Page_Dnbd3 extends Page
 $servers = array();
 $sort = array();
 $NOW = time();
- $permExt = User::hasPermission('configure.external');
- $permRunmode = User::hasPermission('configure.proxy');
+ $externalAllowed = User::hasPermission('configure.external');
+ $locsRunmode = User::getAllowedLocations('configure.proxy');
 while ($server = $res->fetch(PDO::FETCH_ASSOC)) {
- if (isset($dynClients[$server['machineuuid']])) {
+ if (!is_null($server['machineuuid'])) {
+ // Auto proxy
+ if (!isset($dynClients[$server['machineuuid']])) {
+ // Not in runmode dnbd3!?
+ if ($NOW - $server['dnbd3lastseen'] > 660) {
+ // Also seems to be down - delete
+ Database::exec('DELETE FROM dnbd3_server WHERE serverid = :serverid',
+ array('serverid' => $server['serverid']));
+ continue;
+ }
+ // Not in runmode but (still?) up -- show
+ $server += ['locationid' => null, 'hostname' => ''];
+ }
 $server += $dynClients[$server['machineuuid']];
 unset($dynClients[$server['machineuuid']]);
 }
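Review bot: For an auto proxy that has no RunMode entry but was seen within the last 660 seconds, execution leaves the new `if (!isset($dynClients[...]))` block and still reaches the unchanged `$server += $dynClients[$server['machineuuid']];`, which adds an undefined index (null) to an array and aborts the server list with an unsupported-operand error. Move the merge and the `unset()` into an else branch: `} else { $server += $dynClients[$server['machineuuid']]; unset($dynClients[$server['machineuuid']]); }`. Separately, the stale-row `DELETE` runs on a request where the only permission asserted in the visible context of this method is `view.list` (hunk @@ -172), so a read-only user triggers the cleanup; a comment stating that this is intended, or moving it to a maintenance path, would help. The enclosing method starts and ends outside this hunk.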
@@ -211,21 +217,35 @@ class Page_Dnbd3 extends Page
 $server['slxOk'] = true;
 }
 }
+ if (is_null($server['locations'])) {
+ $server['locations'] = 0;
+ } else {
+ $locations = explode(',', $server['locations']);
+ $server['locations'] = count($locations);
+ }
+ // Permission to edit
+ if (is_null($server['machineuuid'])) {
+ if (!$externalAllowed) {
+ $server['edit_disabled'] = 'disabled';
+ }
+ } else {
+ if (!array_key_exists('locationid', $server) || !in_array($server['locationid'], $locsRunmode)) {
+ $server['edit_disabled'] = 'disabled';
+ }
+ }
+ // Array for sorting
 if ($server['self']) {
 $sort[] = '---';
 } else {
 $sort[] = $server['fixedip'] . '.' . $server['machineuuid'];
 }
- // Permission to edit
- if (!($permExt && is_null($server['machineuuid'])) && !($permRunmode && !is_null($server['machineuuid']))) {
- $server['edit_disabled'] = 'disabled';
- }
 $servers[] = $server;
 }
 foreach ($dynClients as $server) {
+ $server['edit_disabled'] = 'disabled';
 $servers[] = $server;
 $sort[] = '-' . $server['machineuuid'];
- Database::exec('INSERT INTO dnbd3_server (machineuuid) VALUES (:uuid)', array('uuid' => $server['machineuuid']));
+ Database::exec('INSERT IGNORE INTO dnbd3_server (machineuuid) VALUES (:uuid)', array('uuid' => $server['machineuuid']));
 }
 array_multisort($sort, SORT_ASC, $servers);
 $data = array(
@@ -316,11 +336,7 @@ class Page_Dnbd3 extends Page
 private function showServerLocationEdit()
 {
 $server = $this->getServerById();
- if (isset($server['machineuuid'])) {
- User::assertPermission('configure.proxy');
- } else {
- User::assertPermission('configure.external');
- }
+ $this->assertPermission($server);
 // Get selected ones
 $res = Database::simpleQuery('SELECT locationid FROM dnbd3_server_x_location WHERE serverid = :serverid',
 array('serverid' => $server['serverid']));
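Review bot: In the new "Permission to edit" block of hunk @@ -211, `in_array($server['locationid'], $locsRunmode)` compares loosely, while hunk @@ -180 gives still-running proxies without a RunMode entry `'locationid' => null`. In PHP `null == 0` is true, so if `User::getAllowedLocations()` can return location id 0 (not visible here) such a proxy is rendered as editable for that user. Test for null before the membership check, `if (!isset($server['locationid']) || !in_array($server['locationid'], $locsRunmode)) {`, which also covers the missing-key case. A comment such as `// UI hint only; the handlers enforce this via assertPermission()` would make clear that `edit_disabled` is not the access control. The enclosing method starts and ends outside this hunk.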
@@ -356,14 +372,14 @@ class Page_Dnbd3 extends Page
 Message::addError('main.parameter-missing', 'server');
 Util::redirect('?do=dnbd3');
 }
- $server = Database::queryFirst('SELECT s.serverid, s.machineuuid, s.fixedip, m.clientip, m.hostname
+ $server = Database::queryFirst('SELECT s.serverid, s.machineuuid, s.fixedip, m.clientip, m.hostname, m.locationid
 FROM dnbd3_server s LEFT JOIN machine m USING (machineuuid) WHERE s.serverid = :serverId', compact('serverId'));
 if ($server === false) {
 if (AJAX) die('Invalid server id');
- Message::addError('server-non-existent', 'server');
+ Message::addError('server-non-existent', $serverId);
 Util::redirect('?do=dnbd3');
 }
 if (!is_null($server['fixedip'])) {
@@ -376,6 +392,15 @@ class Page_Dnbd3 extends Page
 return $server;
 }
+ private function assertPermission($server)
+ {
+ if (isset($server['machineuuid'])) {
+ User::assertPermission('configure.proxy', $server['locationid'], '?do=dnbd3');
+ } else {
+ User::assertPermission('configure.external', null, '?do=dnbd3');
+ }
+ }
+
 /*
 * AJAX
 */
@@ -399,6 +424,7 @@ class Page_Dnbd3 extends Page
 private function ajaxServerTest()
 {
+ User::assertPermission('configure.external');
 Header('Content-Type: application/json; charset=utf-8');
 $ip = Request::post('ip', false, 'string');
 if ($ip === false)
@@ -435,6 +461,7 @@ class Page_Dnbd3 extends Page
 echo 'Not automatic server.';
 return;
 }
+ $this->assertPermission($server);
 $rm = RunMode::getForMode(Page::getModule(), 'proxy', false, true);
 if (!isset($rm[$server['machineuuid']])) {
 echo 'Error: RunMode entry missing.';
@@ -451,6 +478,7 @@ class Page_Dnbd3 extends Page
 if (!isset($server['machineuuid'])) {
 die('Not automatic server.');
 }
+ $this->assertPermission($server);
 if (!Module::isAvailable('rebootcontrol')) {
 die('No rebootcontrol');
 }
diff --git a/modules-available/dnbd3/permissions/permissions.json b/modules-available/dnbd3/permissions/permissions.json
index 5e16b290..1939e32a 100644
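Review bot: The `assertPermission()` helper added in hunk @@ -376 passes `$server['locationid']` straight to `User::assertPermission('configure.proxy', ...)`, but that column comes from the `LEFT JOIN machine` in hunk @@ -356 and is null when no machine row matches. How `User::assertPermission()` treats a null location for a permission this commit makes location-aware is not visible here; if null means "no location restriction", a user limited to one location could configure or delete proxies whose location is unknown, so that case should be rejected or documented explicitly. The helper also has no docblock; `/** Abort unless the current user may configure $server: configure.proxy at the proxy's location for automatic proxies, configure.external otherwise. */` would cover it. It is also called from the AJAX handlers in hunks @@ -435 and @@ -451 with the `'?do=dnbd3'` redirect target, so it is worth confirming that a denied AJAX call ends with an error response rather than a redirect.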
--- a/modules-available/dnbd3/permissions/permissions.json
+++ b/modules-available/dnbd3/permissions/permissions.json
@@ -12,7 +12,7 @@
 "location-aware": false
 },
 "configure.proxy": {
- "location-aware": false
+ "location-aware": true
 },
 "configure.external": {
 "location-aware": false
diff --git a/modules-available/dnbd3/templates/page-serverlist.html b/modules-available/dnbd3/templates/page-serverlist.html
index 118da8d2..a51e9723 100644
--- a/modules-available/dnbd3/templates/page-serverlist.html
+++ b/modules-available/dnbd3/templates/page-serverlist.html
@@ -36,8 +36,9 @@

{{lang_serverList}} -

@@ -139,18 +140,18 @@ {{#rebootcontrol}} {{/rebootcontrol}} {{/machineuuid}} {{^self}} - -- cgit v1.2.3-55-g7522