web interface code:
* avoid direct usage of $WEBUSERS_FILE for authorization checks
This commit is contained in:
parent
be4ffc74a3
commit
0861a14f93
|
@ -243,6 +243,12 @@ $DEFAULT_INTERFACE_TYPE = 'normal' unless defined($DEFAULT_INTERFACE_TYPE);
|
||||||
$GPG_KEYRING_DEFAULT_LOCATION = ".gnupg"
|
$GPG_KEYRING_DEFAULT_LOCATION = ".gnupg"
|
||||||
unless defined($GPG_KEYRING_DEFAULT_LOCATION);
|
unless defined($GPG_KEYRING_DEFAULT_LOCATION);
|
||||||
|
|
||||||
|
# undef CURRENT_DOMAIN if it is invalid
|
||||||
|
if (%DOMAINS) {
|
||||||
|
undef $CURRENT_DOMAIN
|
||||||
|
if (defined($CURRENT_DOMAIN) && ($CURRENT_DOMAIN eq ''));
|
||||||
|
}
|
||||||
|
|
||||||
# determine MAIL_DOMAIN
|
# determine MAIL_DOMAIN
|
||||||
unless (defined($MAIL_DOMAIN) && ($MAIL_DOMAIN ne '')) {
|
unless (defined($MAIL_DOMAIN) && ($MAIL_DOMAIN ne '')) {
|
||||||
if ((-e "$QMAIL_BASE/virtualdomains")
|
if ((-e "$QMAIL_BASE/virtualdomains")
|
||||||
|
@ -308,8 +314,8 @@ if (defined($q->param('list'))) {
|
||||||
if (defined($action) && ($action eq 'show_mime_examples')) {
|
if (defined($action) && ($action eq 'show_mime_examples')) {
|
||||||
&output_mime_examples();
|
&output_mime_examples();
|
||||||
exit 0;
|
exit 0;
|
||||||
} elsif (%DOMAINS && (!defined($CURRENT_DOMAIN) || ($CURRENT_DOMAIN eq '')
|
} elsif (%DOMAINS
|
||||||
|| ($action eq 'domain_select'))) {
|
&& (!defined($CURRENT_DOMAIN) || ($action eq 'domain_select'))) {
|
||||||
# domain support is enabled, but no domain is selected
|
# domain support is enabled, but no domain is selected
|
||||||
$pagename = 'domain_select';
|
$pagename = 'domain_select';
|
||||||
# undef the currently selected domain
|
# undef the currently selected domain
|
||||||
|
@ -317,7 +323,7 @@ if (defined($action) && ($action eq 'show_mime_examples')) {
|
||||||
} elsif (!&check_permission_for_action()) {
|
} elsif (!&check_permission_for_action()) {
|
||||||
$pagename = 'list_select';
|
$pagename = 'list_select';
|
||||||
$error = 'Forbidden';
|
$error = 'Forbidden';
|
||||||
} elsif ($action eq '' || $action eq 'list_select') {
|
} elsif (defined($action) && ($action eq '' || $action eq 'list_select')) {
|
||||||
# Default action. Present a list of available lists to the user ...
|
# Default action. Present a list of available lists to the user ...
|
||||||
$pagename = 'list_select';
|
$pagename = 'list_select';
|
||||||
} elsif ($action eq 'show_page') {
|
} elsif ($action eq 'show_page') {
|
||||||
|
@ -596,9 +602,8 @@ if (defined($action) && ($action eq 'show_mime_examples')) {
|
||||||
# set default action, if there is no list available and the user is
|
# set default action, if there is no list available and the user is
|
||||||
# allowed to create a new one
|
# allowed to create a new one
|
||||||
if (((!defined($action)) || ($action eq ''))
|
if (((!defined($action)) || ($action eq ''))
|
||||||
&& ((%DOMAINS && defined($CURRENT_DOMAIN) and
|
&& ((%DOMAINS && defined($CURRENT_DOMAIN)) || (!%DOMAINS))
|
||||||
($CURRENT_DOMAIN ne '')) || (!%DOMAINS))
|
&& &webauth_create_allowed($WEBUSERS_FILE)
|
||||||
&& (&webauth_create_allowed())
|
|
||||||
&& ($pagedata->getValue('Data.Lists.0','') eq '')) {
|
&& ($pagedata->getValue('Data.Lists.0','') eq '')) {
|
||||||
$pagename = 'list_create';
|
$pagename = 'list_create';
|
||||||
}
|
}
|
||||||
|
@ -746,7 +751,7 @@ sub get_list_object {
|
||||||
for $one_module (@module_order) {
|
for $one_module (@module_order) {
|
||||||
$list = $one_module->new("$LIST_DIR/$listname");
|
$list = $one_module->new("$LIST_DIR/$listname");
|
||||||
# invalid lists are undef
|
# invalid lists are undef
|
||||||
return $list if defined($list);
|
return $list if (defined($list) && (defined($list->thislist())));
|
||||||
}
|
}
|
||||||
|
|
||||||
return undef;
|
return undef;
|
||||||
|
@ -873,8 +878,7 @@ sub set_pagedata_list_of_lists {
|
||||||
|
|
||||||
# for a multi-domain setup there are no lists available if no domain
|
# for a multi-domain setup there are no lists available if no domain
|
||||||
# is selected
|
# is selected
|
||||||
return (0==0) if (%DOMAINS &&
|
return (0==0) if (%DOMAINS && !defined($CURRENT_DOMAIN));
|
||||||
(!defined($CURRENT_DOMAIN) || ($CURRENT_DOMAIN eq '')));
|
|
||||||
|
|
||||||
# undefined $LIST_DIR?
|
# undefined $LIST_DIR?
|
||||||
return (0==0) if (!defined($LIST_DIR) || ($LIST_DIR eq ''));
|
return (0==0) if (!defined($LIST_DIR) || ($LIST_DIR eq ''));
|
||||||
|
@ -888,7 +892,8 @@ sub set_pagedata_list_of_lists {
|
||||||
$num = 0;
|
$num = 0;
|
||||||
# Check that they actually are lists and add good ones to pagedata ...
|
# Check that they actually are lists and add good ones to pagedata ...
|
||||||
foreach $i (0 .. $#files) {
|
foreach $i (0 .. $#files) {
|
||||||
if ((-e "$LIST_DIR/$files[$i]/lock") && (&webauth($files[$i]))) {
|
if ((-e "$LIST_DIR/$files[$i]/lock") &&
|
||||||
|
(&webauth_access_allowed($files[$i], $WEBUSERS_FILE))) {
|
||||||
$pagedata->setValue("Data.Lists." . $num, "$files[$i]");
|
$pagedata->setValue("Data.Lists." . $num, "$files[$i]");
|
||||||
$num++;
|
$num++;
|
||||||
}
|
}
|
||||||
|
@ -916,9 +921,18 @@ sub set_pagedata {
|
||||||
($Mail::Ezmlm::MYSQL_BASE)? 1 : 0);
|
($Mail::Ezmlm::MYSQL_BASE)? 1 : 0);
|
||||||
|
|
||||||
|
|
||||||
# permissions
|
# permission for list creation
|
||||||
$pagedata->setValue("Data.Permissions.Create",
|
my $create_allowed;
|
||||||
(&webauth_create_allowed)? 1 : 0 );
|
# for a multi-domain setup we disallow list creation until a domain
|
||||||
|
# is selected
|
||||||
|
if (%DOMAINS && (!defined($CURRENT_DOMAIN) || ($CURRENT_DOMAIN eq ''))) {
|
||||||
|
$create_allowed = (0==1);
|
||||||
|
} else {
|
||||||
|
$create_allowed = &webauth_create_allowed($WEBUSERS_FILE);
|
||||||
|
}
|
||||||
|
$pagedata->setValue("Data.Permissions.Create", $create_allowed ? 1 : 0);
|
||||||
|
|
||||||
|
# file upload permission
|
||||||
$pagedata->setValue("Data.Permissions.FileUpload", ($FILE_UPLOAD)? 1 : 0);
|
$pagedata->setValue("Data.Permissions.FileUpload", ($FILE_UPLOAD)? 1 : 0);
|
||||||
|
|
||||||
|
|
||||||
|
@ -1645,9 +1659,9 @@ sub check_permission_for_action {
|
||||||
my $ret;
|
my $ret;
|
||||||
if (defined($action) &&
|
if (defined($action) &&
|
||||||
(($action eq 'list_create_ask' || $action eq 'list_create_do'))) {
|
(($action eq 'list_create_ask' || $action eq 'list_create_do'))) {
|
||||||
$ret = &webauth_create_allowed();
|
$ret = &webauth_create_allowed($WEBUSERS_FILE);
|
||||||
} elsif (defined($q->param('list'))) {
|
} elsif (defined($q->param('list'))) {
|
||||||
$ret = &webauth($q->param('list'));
|
$ret = &webauth_access_allowed($q->param('list'), $WEBUSERS_FILE);
|
||||||
} else {
|
} else {
|
||||||
$ret = (0==0);
|
$ret = (0==0);
|
||||||
}
|
}
|
||||||
|
@ -2567,23 +2581,25 @@ sub save_text {
|
||||||
|
|
||||||
# ------------------------------------------------------------------------
|
# ------------------------------------------------------------------------
|
||||||
|
|
||||||
sub webauth {
|
# check if the currently logged in user is allowed to access a list
|
||||||
|
sub webauth_access_allowed {
|
||||||
my $listname = shift;
|
my $listname = shift;
|
||||||
|
my $webusers_file = shift;
|
||||||
|
|
||||||
# if there was no user authentication, then everything is allowed
|
# if there was no user authentication, then everything is allowed
|
||||||
return (0==0) if (!$LOGIN_NAME);
|
return (0==0) if (!$LOGIN_NAME);
|
||||||
|
|
||||||
# Check if webusers file exists - if not, then access is granted
|
# Check if webusers file exists - if not, then access is granted
|
||||||
if (! -e "$WEBUSERS_FILE") {
|
unless (-e "$webusers_file") {
|
||||||
warn "[ezmlm-web] no 'webusers' file found ('$WEBUSERS_FILE'): "
|
warn "[ezmlm-web] no 'webusers' file found ('$webusers_file'): "
|
||||||
. "access denied.";
|
. "access denied.";
|
||||||
return (1==0);
|
return (1==0);
|
||||||
}
|
}
|
||||||
|
|
||||||
# Read authentication level from webusers file. Format of this file is
|
# Read authentication level from webusers file. Format of this file is
|
||||||
# somewhat similar to the unix groups file
|
# somewhat similar to the unix groups file
|
||||||
unless (open (USERS, "<$WEBUSERS_FILE")) {
|
unless (open (USERS, "<$webusers_file")) {
|
||||||
warn "Unable to read webusers file ($WEBUSERS_FILE): $!";
|
warn "Unable to read webusers file ($webusers_file): $!";
|
||||||
$warning = 'WebUsersRead';
|
$warning = 'WebUsersRead';
|
||||||
return (1==0);
|
return (1==0);
|
||||||
}
|
}
|
||||||
|
@ -2609,11 +2625,8 @@ sub webauth {
|
||||||
# ---------------------------------------------------------------------------
|
# ---------------------------------------------------------------------------
|
||||||
|
|
||||||
sub webauth_create_allowed {
|
sub webauth_create_allowed {
|
||||||
|
my $webusers_file = shift;
|
||||||
|
|
||||||
# for a multi-domain setup we disallow list creation until a domain
|
|
||||||
# is selected
|
|
||||||
return (1==0) if (%DOMAINS &&
|
|
||||||
(!defined($CURRENT_DOMAIN) || ($CURRENT_DOMAIN eq '')));
|
|
||||||
|
|
||||||
# Check if we were called with the deprecated
|
# Check if we were called with the deprecated
|
||||||
# argument "-c" (allow to create lists)
|
# argument "-c" (allow to create lists)
|
||||||
|
@ -2623,16 +2636,16 @@ sub webauth_create_allowed {
|
||||||
return (0==0) if (!$LOGIN_NAME);
|
return (0==0) if (!$LOGIN_NAME);
|
||||||
|
|
||||||
# Check if webusers file exists - if not, then access is granted
|
# Check if webusers file exists - if not, then access is granted
|
||||||
if (! -e "$WEBUSERS_FILE") {
|
if (! -e "$webusers_file") {
|
||||||
warn "[ezmlm-web] no 'webusers' file found ('$WEBUSERS_FILE'): "
|
warn "[ezmlm-web] no 'webusers' file found ('$webusers_file'): "
|
||||||
. "access denied.";
|
. "access denied.";
|
||||||
return (1==0);
|
return (1==0);
|
||||||
}
|
}
|
||||||
|
|
||||||
# Read create-permission from webusers file.
|
# Read create-permission from webusers file.
|
||||||
# the special listname "ALLOW_CREATE" controls, who is allowed to do it
|
# the special listname "ALLOW_CREATE" controls, who is allowed to do it
|
||||||
unless (open (USERS, "<$WEBUSERS_FILE")) {
|
unless (open (USERS, "<$webusers_file")) {
|
||||||
warn "Unable to read webusers file ($WEBUSERS_FILE): $!";
|
warn "Unable to read webusers file ($webusers_file): $!";
|
||||||
$warning = 'WebUsersRead';
|
$warning = 'WebUsersRead';
|
||||||
return (1==0);
|
return (1==0);
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in a new issue