ezmlm-web/ezmlm-web
3
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

web interface code:

Browse source 
* avoid direct usage of $WEBUSERS_FILE for authorization checks
This commit is contained in:
lars 2008-09-30 02:47:11 +00:00
parent be4ffc74a3
commit 0861a14f93
1 changed files with 42 additions and 29 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

71
ezmlm-web.cgi
View file

@ -243,6 +243,12 @@ $DEFAULT_INTERFACE_TYPE = 'normal' unless defined($DEFAULT_INTERFACE_TYPE);
$GPG_KEYRING_DEFAULT_LOCATION = ".gnupg" $GPG_KEYRING_DEFAULT_LOCATION = ".gnupg"
unless defined($GPG_KEYRING_DEFAULT_LOCATION); unless defined($GPG_KEYRING_DEFAULT_LOCATION);
# undef CURRENT_DOMAIN if it is invalid
if (%DOMAINS) {
undef $CURRENT_DOMAIN
if (defined($CURRENT_DOMAIN) && ($CURRENT_DOMAIN eq ''));
}
# determine MAIL_DOMAIN # determine MAIL_DOMAIN
unless (defined($MAIL_DOMAIN) && ($MAIL_DOMAIN ne '')) { unless (defined($MAIL_DOMAIN) && ($MAIL_DOMAIN ne '')) {
if ((-e "$QMAIL_BASE/virtualdomains") if ((-e "$QMAIL_BASE/virtualdomains")
@ -308,8 +314,8 @@ if (defined($q->param('list'))) {
if (defined($action) && ($action eq 'show_mime_examples')) { if (defined($action) && ($action eq 'show_mime_examples')) {
&output_mime_examples(); &output_mime_examples();
exit 0; exit 0;
} elsif (%DOMAINS && (!defined($CURRENT_DOMAIN) || ($CURRENT_DOMAIN eq '') } elsif (%DOMAINS
|| ($action eq 'domain_select'))) { && (!defined($CURRENT_DOMAIN) || ($action eq 'domain_select'))) {
# domain support is enabled, but no domain is selected # domain support is enabled, but no domain is selected
$pagename = 'domain_select'; $pagename = 'domain_select';
# undef the currently selected domain # undef the currently selected domain
@ -317,7 +323,7 @@ if (defined($action) && ($action eq 'show_mime_examples')) {
} elsif (!&check_permission_for_action()) { } elsif (!&check_permission_for_action()) {
$pagename = 'list_select'; $pagename = 'list_select';
$error = 'Forbidden'; $error = 'Forbidden';
} elsif ($action eq '' || $action eq 'list_select') { } elsif (defined($action) && ($action eq '' || $action eq 'list_select')) {
# Default action. Present a list of available lists to the user ... # Default action. Present a list of available lists to the user ...
$pagename = 'list_select'; $pagename = 'list_select';
} elsif ($action eq 'show_page') { } elsif ($action eq 'show_page') {
@ -596,9 +602,8 @@ if (defined($action) && ($action eq 'show_mime_examples')) {
# set default action, if there is no list available and the user is # set default action, if there is no list available and the user is
# allowed to create a new one # allowed to create a new one
if (((!defined($action)) || ($action eq '')) if (((!defined($action)) || ($action eq ''))
&& ((%DOMAINS && defined($CURRENT_DOMAIN) and && ((%DOMAINS && defined($CURRENT_DOMAIN)) || (!%DOMAINS))
($CURRENT_DOMAIN ne '')) || (!%DOMAINS)) && &webauth_create_allowed($WEBUSERS_FILE)
&& (&webauth_create_allowed())
&& ($pagedata->getValue('Data.Lists.0','') eq '')) { && ($pagedata->getValue('Data.Lists.0','') eq '')) {
$pagename = 'list_create'; $pagename = 'list_create';
} }
@ -746,7 +751,7 @@ sub get_list_object {
for $one_module (@module_order) { for $one_module (@module_order) {
$list = $one_module->new("$LIST_DIR/$listname"); $list = $one_module->new("$LIST_DIR/$listname");
# invalid lists are undef # invalid lists are undef
return $list if defined($list); return $list if (defined($list) && (defined($list->thislist())));
} }
return undef; return undef;
@ -873,8 +878,7 @@ sub set_pagedata_list_of_lists {
# for a multi-domain setup there are no lists available if no domain # for a multi-domain setup there are no lists available if no domain
# is selected # is selected
return (0==0) if (%DOMAINS && return (0==0) if (%DOMAINS && !defined($CURRENT_DOMAIN));
(!defined($CURRENT_DOMAIN) || ($CURRENT_DOMAIN eq '')));
# undefined $LIST_DIR? # undefined $LIST_DIR?
return (0==0) if (!defined($LIST_DIR) || ($LIST_DIR eq '')); return (0==0) if (!defined($LIST_DIR) || ($LIST_DIR eq ''));
@ -888,7 +892,8 @@ sub set_pagedata_list_of_lists {
$num = 0; $num = 0;
# Check that they actually are lists and add good ones to pagedata ... # Check that they actually are lists and add good ones to pagedata ...
foreach $i (0 .. $#files) { foreach $i (0 .. $#files) {
if ((-e "$LIST_DIR/$files[$i]/lock") && (&webauth($files[$i]))) { if ((-e "$LIST_DIR/$files[$i]/lock") &&
(&webauth_access_allowed($files[$i], $WEBUSERS_FILE))) {
$pagedata->setValue("Data.Lists." . $num, "$files[$i]"); $pagedata->setValue("Data.Lists." . $num, "$files[$i]");
$num++; $num++;
} }
@ -916,9 +921,18 @@ sub set_pagedata {
($Mail::Ezmlm::MYSQL_BASE)? 1 : 0); ($Mail::Ezmlm::MYSQL_BASE)? 1 : 0);
# permissions # permission for list creation
$pagedata->setValue("Data.Permissions.Create", my $create_allowed;
(&webauth_create_allowed)? 1 : 0 ); # for a multi-domain setup we disallow list creation until a domain
# is selected
if (%DOMAINS && (!defined($CURRENT_DOMAIN) || ($CURRENT_DOMAIN eq ''))) {
$create_allowed = (0==1);
} else {
$create_allowed = &webauth_create_allowed($WEBUSERS_FILE);
}
$pagedata->setValue("Data.Permissions.Create", $create_allowed ? 1 : 0);
# file upload permission
$pagedata->setValue("Data.Permissions.FileUpload", ($FILE_UPLOAD)? 1 : 0); $pagedata->setValue("Data.Permissions.FileUpload", ($FILE_UPLOAD)? 1 : 0);
@ -1645,9 +1659,9 @@ sub check_permission_for_action {
my $ret; my $ret;
if (defined($action) && if (defined($action) &&
(($action eq 'list_create_ask' || $action eq 'list_create_do'))) { (($action eq 'list_create_ask' || $action eq 'list_create_do'))) {
$ret = &webauth_create_allowed(); $ret = &webauth_create_allowed($WEBUSERS_FILE);
} elsif (defined($q->param('list'))) { } elsif (defined($q->param('list'))) {
$ret = &webauth($q->param('list')); $ret = &webauth_access_allowed($q->param('list'), $WEBUSERS_FILE);
} else { } else {
$ret = (0==0); $ret = (0==0);
} }
@ -2567,23 +2581,25 @@ sub save_text {
# ------------------------------------------------------------------------ # ------------------------------------------------------------------------
sub webauth { # check if the currently logged in user is allowed to access a list
sub webauth_access_allowed {
my $listname = shift; my $listname = shift;
my $webusers_file = shift;
# if there was no user authentication, then everything is allowed # if there was no user authentication, then everything is allowed
return (0==0) if (!$LOGIN_NAME); return (0==0) if (!$LOGIN_NAME);
# Check if webusers file exists - if not, then access is granted # Check if webusers file exists - if not, then access is granted
if (! -e "$WEBUSERS_FILE") { unless (-e "$webusers_file") {
warn "[ezmlm-web] no 'webusers' file found ('$WEBUSERS_FILE'): " warn "[ezmlm-web] no 'webusers' file found ('$webusers_file'): "
. "access denied."; . "access denied.";
return (1==0); return (1==0);
} }
# Read authentication level from webusers file. Format of this file is # Read authentication level from webusers file. Format of this file is
# somewhat similar to the unix groups file # somewhat similar to the unix groups file
unless (open (USERS, "<$WEBUSERS_FILE")) { unless (open (USERS, "<$webusers_file")) {
warn "Unable to read webusers file ($WEBUSERS_FILE): $!"; warn "Unable to read webusers file ($webusers_file): $!";
$warning = 'WebUsersRead'; $warning = 'WebUsersRead';
return (1==0); return (1==0);
} }
@ -2609,11 +2625,8 @@ sub webauth {
# --------------------------------------------------------------------------- # ---------------------------------------------------------------------------
sub webauth_create_allowed { sub webauth_create_allowed {
my $webusers_file = shift;
# for a multi-domain setup we disallow list creation until a domain
# is selected
return (1==0) if (%DOMAINS &&
(!defined($CURRENT_DOMAIN) || ($CURRENT_DOMAIN eq '')));
# Check if we were called with the deprecated # Check if we were called with the deprecated
# argument "-c" (allow to create lists) # argument "-c" (allow to create lists)
@ -2623,16 +2636,16 @@ sub webauth_create_allowed {
return (0==0) if (!$LOGIN_NAME); return (0==0) if (!$LOGIN_NAME);
# Check if webusers file exists - if not, then access is granted # Check if webusers file exists - if not, then access is granted
if (! -e "$WEBUSERS_FILE") { if (! -e "$webusers_file") {
warn "[ezmlm-web] no 'webusers' file found ('$WEBUSERS_FILE'): " warn "[ezmlm-web] no 'webusers' file found ('$webusers_file'): "
. "access denied."; . "access denied.";
return (1==0); return (1==0);
} }
# Read create-permission from webusers file. # Read create-permission from webusers file.
# the special listname "ALLOW_CREATE" controls, who is allowed to do it # the special listname "ALLOW_CREATE" controls, who is allowed to do it
unless (open (USERS, "<$WEBUSERS_FILE")) { unless (open (USERS, "<$webusers_file")) {
warn "Unable to read webusers file ($WEBUSERS_FILE): $!"; warn "Unable to read webusers file ($webusers_file): $!";
$warning = 'WebUsersRead'; $warning = 'WebUsersRead';
return (1==0); return (1==0);
} }