From c6744aac063482c4c48ed3a98d5cd8857e1261e6 Mon Sep 17 00:00:00 2001 From: Simon Rettberg Date: Sun, 4 Mar 2018 16:41:50 +0100 Subject: [sysconfig] Add permissions --- modules-available/sysconfig/page.inc.php | 38 ++++++++++++++++++++++++++------ 1 file changed, 31 insertions(+), 7 deletions(-) (limited to 'modules-available/sysconfig/page.inc.php') diff --git a/modules-available/sysconfig/page.inc.php b/modules-available/sysconfig/page.inc.php index 30271514..7bb3e599 100644 --- a/modules-available/sysconfig/page.inc.php +++ b/modules-available/sysconfig/page.inc.php @@ -59,7 +59,7 @@ class Page_SysConfig extends Page { User::load(); - if (!User::hasPermission('superadmin')) { + if (!User::isLoggedIn()) { Message::addError('main.no-permission'); Util::redirect('?do=Main'); } @@ -90,6 +90,7 @@ class Page_SysConfig extends Page // Action: "addmodule" (upload new module) if ($action === 'addmodule') { + User::assertPermission('module.edit'); $this->initAddModule(); AddModule_Base::preprocess(); } @@ -97,18 +98,22 @@ class Page_SysConfig extends Page if ($action === 'module') { // Action: "delmodule" (delete module) if (Request::post('del', 'no') !== 'no') { + User::assertPermission('module.edit'); $this->delModule(); } if (Request::post('download', 'no') !== 'no') { + User::assertPermission('module.download'); $this->downloadModule(); } if (Request::post('rebuild', 'no') !== 'no') { + User::assertPermission('module.edit'); $this->rebuildModule(); } } // Action: "addconfig" (compose config from one or more modules) if ($action === 'addconfig') { + User::assertPermission('config.edit'); $this->initAddConfig(); AddConfig_Base::preprocess(); } @@ -116,14 +121,17 @@ class Page_SysConfig extends Page if ($action === 'config') { // Action: "delconfig" (delete config) if (Request::post('del', 'no') !== 'no') { + User::assertPermission('config.edit'); $this->delConfig(); } // Action "activate" (set sysconfig as active) if (Request::post('activate', 'no') !== 'no') { + User::assertPermission('config.assign', $this->currentLoc); $this->activateConfig(); } // Action "rebuild" (rebuild config.tgz from its modules) if (Request::post('rebuild', 'no') !== 'no') { + User::assertPermission('config.edit'); $this->rebuildConfig(); } } @@ -141,15 +149,24 @@ class Page_SysConfig extends Page $action = Request::any('action', 'list'); switch ($action) { case 'addmodule': + User::assertPermission('module.edit'); AddModule_Base::render(); return; case 'addconfig': + User::assertPermission('config.edit'); AddConfig_Base::render(); return; case 'list': + $pMods = User::hasPermission('module.view-list'); + $pConfs = User::hasPermission('config.view-list'); + if (!($pMods || $pConfs)) { + Message::addError('main.no-permission'); + } Render::openTag('div', array('class' => 'row')); - $this->listConfigs(); - if ($this->currentLoc === 0) { + if ($pConfs) { + $this->listConfigs(); + } + if ($this->currentLoc === 0 && $pMods) { $this->listModules(); } Render::closeTag('div'); @@ -159,6 +176,7 @@ class Page_SysConfig extends Page Render::addTemplate('js'); // Make this js snippet a template so i18n works return; case 'module': + User::assertPermission('module.view-list'); $listid = Request::post('list'); if ($listid !== false) { $this->listModuleContents($listid); @@ -166,6 +184,7 @@ class Page_SysConfig extends Page } break; case 'config': + User::assertPermission('config.view-list'); $listid = Request::post('list'); if ($listid !== false) { $this->listConfigContents($listid); @@ -238,13 +257,16 @@ class Page_SysConfig extends Page 'needrebuild' => ($row['status'] !== 'OK') ); } - Render::addTemplate('list-configs', array( + $data = array( 'locationid' => $this->currentLoc, 'locationname' => $locationName, 'havelocations' => Module::isAvailable('locations'), 'configs' => $configs, 'inheritConfig' => !$hasDefault, - )); + ); + Permission::addGlobalTags($data['perms'], null, ['config.edit']); + Permission::addGlobalTags($data['perms'], $this->currentLoc, ['config.assign']); + Render::addTemplate('list-configs', $data); } private function listModules() @@ -254,10 +276,12 @@ class Page_SysConfig extends Page $types = array_map(function ($mod) { return $mod->moduleType(); }, $modules); $titles = array_map(function ($mod) { return $mod->title(); }, $modules); array_multisort($types, SORT_ASC, $titles, SORT_ASC, $modules); - Render::addTemplate('list-modules', array( + $data = array( 'modules' => $modules, 'havemodules' => (count($modules) > 0) - )); + ); + Permission::addGlobalTags($data['perms'], null, ['module.edit', 'module.download']); + Render::addTemplate('list-modules', $data); } private function listModuleContents($moduleid) -- cgit v1.2.3-55-g7522 From 24815e16087b4b1b64e9f380d45d411af32daf42 Mon Sep 17 00:00:00 2001 From: Simon Rettberg Date: Mon, 9 Apr 2018 16:56:04 +0200 Subject: Permissions: Consistency: Make all pages require at least one permission to be accessible Closes #3340 --- modules-available/backup/page.inc.php | 1 + modules-available/exams/page.inc.php | 9 +-------- modules-available/locations/page.inc.php | 19 +++++++++++++++---- modules-available/news/page.inc.php | 10 ++-------- modules-available/news/permissions/permissions.json | 3 +++ modules-available/rebootcontrol/page.inc.php | 9 ++++++--- modules-available/serversetup-bwlp/page.inc.php | 6 ++++++ .../serversetup-bwlp/permissions/permissions.json | 3 +++ modules-available/statistics_reporting/page.inc.php | 1 + modules-available/sysconfig/page.inc.php | 2 +- modules-available/syslog/page.inc.php | 1 + modules-available/systemstatus/page.inc.php | 1 + modules-available/webinterface/page.inc.php | 4 ++++ .../webinterface/permissions/permissions.json | 3 +++ 14 files changed, 48 insertions(+), 24 deletions(-) (limited to 'modules-available/sysconfig/page.inc.php') diff --git a/modules-available/backup/page.inc.php b/modules-available/backup/page.inc.php index 14522734..985f39ee 100644 --- a/modules-available/backup/page.inc.php +++ b/modules-available/backup/page.inc.php @@ -23,6 +23,7 @@ class Page_Backup extends Page User::assertPermission("restore"); $this->restore(); } + User::assertPermission('*'); } protected function doRender() diff --git a/modules-available/exams/page.inc.php b/modules-available/exams/page.inc.php index 51975052..15640a73 100644 --- a/modules-available/exams/page.inc.php +++ b/modules-available/exams/page.inc.php @@ -441,16 +441,9 @@ class Page_Exams extends Page protected function doRender() { - if (Request::isPost()) { - $examid = Request::post('examid', 0, 'int'); - } else if (Request::isGet()) { - $examid = Request::get('examid', 0, 'int'); - } else { - die('Neither Post nor Get Request send.'); - } - if ($this->action === "show") { + User::assertPermission('exams.view'); // General title and description Render::addTemplate('page-main-heading'); // List of defined exam periods diff --git a/modules-available/locations/page.inc.php b/modules-available/locations/page.inc.php index 80a8076b..4d5c6628 100644 --- a/modules-available/locations/page.inc.php +++ b/modules-available/locations/page.inc.php @@ -24,6 +24,9 @@ class Page_Locations extends Page } elseif ($this->action === 'updatesubnets') { $this->updateSubnets(); } + if (Request::isPost()) { + Util::redirect('?do=locations'); + } } private function updateSubnets() @@ -306,10 +309,16 @@ class Page_Locations extends Page protected function doRender() { - $getAction = Request::get('action'); - if (empty($getAction)) { - // Until we have a main landing page? - Util::redirect('?do=Locations&action=showlocations'); + $getAction = Request::get('action', false, 'string'); + if ($getAction === false) { + if (User::hasPermission('location.view')) { + Util::redirect('?do=locations&action=showlocations'); + } elseif (User::hasPermission('subnets.edit')) { + Util::redirect('?do=locations&action=showsubnets'); + } else { + // Trigger permission denied by asserting non-existent permission + User::assertPermission('location.view'); + } } if ($getAction === 'showsubnets') { User::assertPermission('subnets.edit', NULL, '?do=locations'); @@ -324,6 +333,8 @@ class Page_Locations extends Page Render::addTemplate('subnets', array('list' => $rows)); } elseif ($getAction === 'showlocations') { $this->showLocationList(); + } else { + Util::redirect('?do=locations'); } } diff --git a/modules-available/news/page.inc.php b/modules-available/news/page.inc.php index e7b70c0f..1e2e3eef 100644 --- a/modules-available/news/page.inc.php +++ b/modules-available/news/page.inc.php @@ -46,14 +46,8 @@ class Page_News extends Page // check which action we need to do $action = Request::any('action', 'show'); - if ($action === 'clear') { - // clear news input fields - // TODO: is this the right way? - $this->newsId = false; - $this->newsTitle = false; - $this->newsContent = false; - $this->newsDate = false; - } elseif ($action === 'show') { + if ($action === 'show') { + User::assertPermission('access-page'); /* load latest things */ $this->loadLatest('help'); $this->loadLatest('news'); diff --git a/modules-available/news/permissions/permissions.json b/modules-available/news/permissions/permissions.json index 0d9435d7..953599df 100644 --- a/modules-available/news/permissions/permissions.json +++ b/modules-available/news/permissions/permissions.json @@ -1,4 +1,7 @@ { + "access-page": { + "location-aware": false + }, "help.delete": { "location-aware": false }, diff --git a/modules-available/rebootcontrol/page.inc.php b/modules-available/rebootcontrol/page.inc.php index abbdb2c3..041ae74f 100644 --- a/modules-available/rebootcontrol/page.inc.php +++ b/modules-available/rebootcontrol/page.inc.php @@ -79,11 +79,14 @@ class Page_RebootControl extends Page //location you want to see, default are "not assigned" clients $requestedLocation = Request::get('location', false, 'int'); $allowedLocs = User::getAllowedLocations("action.*"); + if (empty($allowedLocs)) { + User::assertPermission('action.*'); + } if ($requestedLocation === false) { if (in_array(0, $allowedLocs)) { $requestedLocation = 0; - } elseif (!empty($allowedLocs)) { + } else { $requestedLocation = reset($allowedLocs); } } @@ -105,8 +108,8 @@ class Page_RebootControl extends Page Render::addTemplate('header', $data); // only fill table if user has at least one permission for the location - if ($requestedLocation === false) { - Message::addError('main.no-permission'); + if (!in_array($requestedLocation, $allowedLocs)) { + Message::addError('locations.no-permission-location', $requestedLocation); } else { $data['data'] = RebootQueries::getMachineTable($requestedLocation); Render::addTemplate('_page', $data); diff --git a/modules-available/serversetup-bwlp/page.inc.php b/modules-available/serversetup-bwlp/page.inc.php index ae709da7..78096d7b 100644 --- a/modules-available/serversetup-bwlp/page.inc.php +++ b/modules-available/serversetup-bwlp/page.inc.php @@ -43,6 +43,12 @@ class Page_ServerSetup extends Page // iPXE stuff changes $this->updatePxeMenu(); } + + if (Request::isPost()) { + Util::redirect('?do=serversetup'); + } + + User::assertPermission('access-page'); } protected function doRender() diff --git a/modules-available/serversetup-bwlp/permissions/permissions.json b/modules-available/serversetup-bwlp/permissions/permissions.json index 6bae5422..44927506 100644 --- a/modules-available/serversetup-bwlp/permissions/permissions.json +++ b/modules-available/serversetup-bwlp/permissions/permissions.json @@ -1,4 +1,7 @@ { + "access-page": { + "location-aware": false + }, "download": { "location-aware": false }, diff --git a/modules-available/statistics_reporting/page.inc.php b/modules-available/statistics_reporting/page.inc.php index af4b2b12..cc03e4d8 100644 --- a/modules-available/statistics_reporting/page.inc.php +++ b/modules-available/statistics_reporting/page.inc.php @@ -84,6 +84,7 @@ class Page_Statistics_Reporting extends Page die(json_encode($report)); } } + User::assertPermission('*'); } /** diff --git a/modules-available/sysconfig/page.inc.php b/modules-available/sysconfig/page.inc.php index 7bb3e599..8d1799af 100644 --- a/modules-available/sysconfig/page.inc.php +++ b/modules-available/sysconfig/page.inc.php @@ -160,7 +160,7 @@ class Page_SysConfig extends Page $pMods = User::hasPermission('module.view-list'); $pConfs = User::hasPermission('config.view-list'); if (!($pMods || $pConfs)) { - Message::addError('main.no-permission'); + User::assertPermission('config.view-list'); } Render::openTag('div', array('class' => 'row')); if ($pConfs) { diff --git a/modules-available/syslog/page.inc.php b/modules-available/syslog/page.inc.php index 3a7513b5..00c55a3f 100644 --- a/modules-available/syslog/page.inc.php +++ b/modules-available/syslog/page.inc.php @@ -25,6 +25,7 @@ class Page_SysLog extends Page } Util::redirect('?do=syslog'); } + User::assertPermission('*'); } protected function doRender() diff --git a/modules-available/systemstatus/page.inc.php b/modules-available/systemstatus/page.inc.php index 816caa05..66b30bcf 100644 --- a/modules-available/systemstatus/page.inc.php +++ b/modules-available/systemstatus/page.inc.php @@ -18,6 +18,7 @@ class Page_SystemStatus extends Page User::assertPermission("serverreboot"); $this->rebootTask = Taskmanager::submit('Reboot'); } + User::assertPermission('*'); } protected function doRender() diff --git a/modules-available/webinterface/page.inc.php b/modules-available/webinterface/page.inc.php index 806ffd59..ca52c2ab 100644 --- a/modules-available/webinterface/page.inc.php +++ b/modules-available/webinterface/page.inc.php @@ -28,6 +28,10 @@ class Page_WebInterface extends Page $this->actionCustomization(); break; } + if (Request::isPost()) { + Util::redirect('?do=webinterface'); + } + User::assertPermission('access-page'); } private function actionConfigureHttps() diff --git a/modules-available/webinterface/permissions/permissions.json b/modules-available/webinterface/permissions/permissions.json index fa6f493f..ed81602a 100644 --- a/modules-available/webinterface/permissions/permissions.json +++ b/modules-available/webinterface/permissions/permissions.json @@ -1,4 +1,7 @@ { + "access-page": { + "location-aware": false + }, "edit.design": { "location-aware": false }, -- cgit v1.2.3-55-g7522 From 5e786faa6c577abfd48976a6839f61d08b0a6e5e Mon Sep 17 00:00:00 2001 From: Simon Rettberg Date: Thu, 24 May 2018 15:35:46 +0200 Subject: Introduce proper constants for taskmanager status --- inc/property.inc.php | 2 +- inc/taskmanager.inc.php | 27 ++++++++++++---------- .../sysconfig/addmodule_custommodule.inc.php | 4 ++-- .../sysconfig/inc/configmodule.inc.php | 2 +- modules-available/sysconfig/inc/configtgz.inc.php | 2 +- modules-available/sysconfig/page.inc.php | 6 ++--- 6 files changed, 23 insertions(+), 20 deletions(-) (limited to 'modules-available/sysconfig/page.inc.php') diff --git a/inc/property.inc.php b/inc/property.inc.php index 56adb823..b69be1f8 100644 --- a/inc/property.inc.php +++ b/inc/property.inc.php @@ -168,7 +168,7 @@ class Property if (!Taskmanager::isFinished($task)) { $task = Taskmanager::waitComplete($task['id'], 5000); } - if ($task['statusCode'] !== TASK_FINISHED || !isset($task['data']['content'])) { + if ($task['statusCode'] !== Taskmanager::TASK_FINISHED || !isset($task['data']['content'])) { return isset($task['data']['error']) ? $task['data']['error'] : 'Timeout'; } $data = json_decode($task['data']['content'], true); diff --git a/inc/taskmanager.inc.php b/inc/taskmanager.inc.php index 54821e59..dab950ed 100644 --- a/inc/taskmanager.inc.php +++ b/inc/taskmanager.inc.php @@ -6,6 +6,13 @@ class Taskmanager { + const NO_SUCH_TASK = 'NO_SUCH_TASK'; + const TASK_FINISHED = 'TASK_FINISHED'; + const TASK_ERROR = 'TASK_ERROR'; + const TASK_WAITING = 'TASK_WAITING'; + const NO_SUCH_INSTANCE = 'NO_SUCH_INSTANCE'; + const TASK_PROCESSING = 'TASK_PROCESSING'; + /** * UDP socket used for communication with the task manager * @var resource @@ -49,7 +56,7 @@ class Taskmanager if ($async) return true; $reply = self::readReply($seq); - if ($reply === false || !is_array($reply) || !isset($reply['id']) || (isset($reply['statusCode']) && $reply['statusCode'] === NO_SUCH_TASK)) { + if ($reply === false || !is_array($reply) || !isset($reply['id']) || (isset($reply['statusCode']) && $reply['statusCode'] === Taskmanager::NO_SUCH_TASK)) { self::addErrorMessage($reply); return false; } @@ -82,7 +89,7 @@ class Taskmanager /** * Checks whether the given task id corresponds to a known task in the taskmanager. * Returns true iff the taskmanager is reachable and the status of the task - * is different from NO_SUCH_INSTANCE/_TASK. + * is different from Taskmanager::NO_SUCH_INSTANCE/_TASK. * If you pass an array it is assumed that it was already queried and is evaluated * directly. * @@ -96,8 +103,8 @@ class Taskmanager if (is_string($task)) { $task = self::status($task); } - return isset($task['statusCode']) && $task['statusCode'] !== NO_SUCH_INSTANCE - && $task['statusCode'] !== NO_SUCH_TASK; + return isset($task['statusCode']) && $task['statusCode'] !== Taskmanager::NO_SUCH_INSTANCE + && $task['statusCode'] !== Taskmanager::NO_SUCH_TASK; } /** @@ -110,7 +117,7 @@ class Taskmanager public static function waitComplete($task, $timeout = 2500) { if (is_array($task) && isset($task['id'])) { - if ($task['statusCode'] !== TASK_PROCESSING && $task['statusCode'] !== TASK_WAITING) { + if ($task['statusCode'] !== Taskmanager::TASK_PROCESSING && $task['statusCode'] !== Taskmanager::TASK_WAITING) { self::release($task['id']); return $task; } @@ -124,7 +131,7 @@ class Taskmanager $status = self::status($task); if (!isset($status['statusCode'])) break; - if ($status['statusCode'] !== TASK_PROCESSING && $status['statusCode'] !== TASK_WAITING) { + if ($status['statusCode'] !== Taskmanager::TASK_PROCESSING && $status['statusCode'] !== Taskmanager::TASK_WAITING) { $done = true; break; } @@ -147,7 +154,7 @@ class Taskmanager { if (!is_array($task) || !isset($task['statusCode']) || !isset($task['id'])) return true; - if ($task['statusCode'] !== TASK_WAITING && $task['statusCode'] !== TASK_PROCESSING && $task['statusCode'] !== TASK_FINISHED) + if ($task['statusCode'] !== Taskmanager::TASK_WAITING && $task['statusCode'] !== Taskmanager::TASK_PROCESSING && $task['statusCode'] !== Taskmanager::TASK_FINISHED) return true; return false; } @@ -163,7 +170,7 @@ class Taskmanager { if (!is_array($task) || !isset($task['statusCode']) || !isset($task['id'])) return false; - if ($task['statusCode'] !== TASK_WAITING && $task['statusCode'] !== TASK_PROCESSING) + if ($task['statusCode'] !== Taskmanager::TASK_WAITING && $task['statusCode'] !== Taskmanager::TASK_PROCESSING) return true; return false; } @@ -244,7 +251,3 @@ class Taskmanager } } - -foreach (array('TASK_FINISHED', 'TASK_ERROR', 'TASK_WAITING', 'NO_SUCH_TASK', 'NO_SUCH_INSTANCE', 'TASK_PROCESSING') as $i) { - define($i, $i); -} diff --git a/modules-available/sysconfig/addmodule_custommodule.inc.php b/modules-available/sysconfig/addmodule_custommodule.inc.php index 8c24a071..c234f765 100644 --- a/modules-available/sysconfig/addmodule_custommodule.inc.php +++ b/modules-available/sysconfig/addmodule_custommodule.inc.php @@ -62,7 +62,7 @@ class CustomModule_ProcessUpload extends AddModule_Base unlink($tempfile); $this->tmError(); } - if ($status['statusCode'] != TASK_FINISHED) { + if ($status['statusCode'] != Taskmanager::TASK_FINISHED) { unlink($tempfile); $this->taskError($status); } @@ -128,7 +128,7 @@ class CustomModule_CompressModule extends AddModule_Base if (!isset($status['statusCode'])) { $this->tmError(); } - if ($status['statusCode'] != TASK_FINISHED) { + if ($status['statusCode'] != Taskmanager::TASK_FINISHED) { $this->taskError($status); } // Seems ok, create entry diff --git a/modules-available/sysconfig/inc/configmodule.inc.php b/modules-available/sysconfig/inc/configmodule.inc.php index 2cee37a9..b6db9c4f 100644 --- a/modules-available/sysconfig/inc/configmodule.inc.php +++ b/modules-available/sysconfig/inc/configmodule.inc.php @@ -354,7 +354,7 @@ abstract class ConfigModule // Wait for generation if requested if ($timeoutMs > 0 && isset($ret['id']) && !Taskmanager::isFinished($ret)) $ret = Taskmanager::waitComplete($ret, $timeoutMs); - if ($ret === true || (isset($ret['statusCode']) && $ret['statusCode'] === TASK_FINISHED)) { + if ($ret === true || (isset($ret['statusCode']) && $ret['statusCode'] === Taskmanager::TASK_FINISHED)) { // Already Finished if (file_exists($this->moduleArchive) && !file_exists($tmpTgz)) $tmpTgz = false; // If generateInternal succeeded and there's no tmpTgz, it means the file didn't have to be updated diff --git a/modules-available/sysconfig/inc/configtgz.inc.php b/modules-available/sysconfig/inc/configtgz.inc.php index 5b459a2e..7b042cdb 100644 --- a/modules-available/sysconfig/inc/configtgz.inc.php +++ b/modules-available/sysconfig/inc/configtgz.inc.php @@ -112,7 +112,7 @@ class ConfigTgz // Wait for completion if ($timeoutMs > 0 && !Taskmanager::isFailed($task) && !Taskmanager::isFinished($task)) $task = Taskmanager::waitComplete($task, $timeoutMs); - if ($task === true || (isset($task['statusCode']) && $task['statusCode'] === TASK_FINISHED)) { + if ($task === true || (isset($task['statusCode']) && $task['statusCode'] === Taskmanager::TASK_FINISHED)) { // Success! $this->markUpdated(); return true; diff --git a/modules-available/sysconfig/page.inc.php b/modules-available/sysconfig/page.inc.php index 8d1799af..515d432c 100644 --- a/modules-available/sysconfig/page.inc.php +++ b/modules-available/sysconfig/page.inc.php @@ -425,12 +425,12 @@ class Page_SysConfig extends Page $task = Taskmanager::submit('DeleteFile', array( 'file' => $row['filepath'] )); - if (isset($task['statusCode']) && $task['statusCode'] === TASK_WAITING) { + if (isset($task['statusCode']) && $task['statusCode'] === Taskmanager::TASK_WAITING) { $task = Taskmanager::waitComplete($task['id']); } - if (!isset($task['statusCode']) || $task['statusCode'] === TASK_ERROR) { + if (!isset($task['statusCode']) || $task['statusCode'] === Taskmanager::TASK_ERROR) { Message::addWarning('main.task-error', $task['data']['error']); - } elseif ($task['statusCode'] === TASK_FINISHED) { + } elseif ($task['statusCode'] === Taskmanager::TASK_FINISHED) { Message::addSuccess('module-deleted', $row['title']); } Database::exec("DELETE FROM configtgz_module WHERE moduleid = :moduleid LIMIT 1", array('moduleid' => $moduleid)); -- cgit v1.2.3-55-g7522