Posted to commits@vcl.apache.org by jf...@apache.org on 2013/02/06 21:47:11 UTC
svn commit: r1443205 [1/2] - in /vcl/branches/vcl-2.3-bugfixes/web/.ht-inc:
groups.php privileges.php utils.php xmlrpcWrappers.php
Author: jfthomps
Date: Wed Feb 6 20:47:10 2013
New Revision: 1443205
URL: http://svn.apache.org/viewvc?rev=1443205&view=rev
Log:
xmlrpcWrappers.php:
many updates, mostly addition of parameter checking - specific details for each function will be listed in an email message to the private@ list
-added option to supply name of reservation to XMLRPCdeployServer
-XMLRPCremoveUserGroup and XMLRPCdeleteUserGroup did the same thing; made XMLRPCdeleteUserGroup just call XMLRPCremoveUserGroup - kept both so that scripts would not have to change because one was dropped
-did some updates to headers to provide better documentation generation
-changed some whitespace formatting
-modified XMLRPCgetRequestIds - added OS, isserver, state, and, if it is a server, servername to returned data
-modified XMLRPCgetUserGroupAttributes - added overlapResCount to returned data; modified error return code so that it is not duplicated with a different error
-modified XMLRPCremoveUserGroup - added ability to delete federated groups if user has access; added check for group being in use before deleting it and return error if it is in use
-modified XMLRPCeditUserGroup - added ability to modify federated groups if user has access; do not attempt to update name and affiliation if they are not changed (resulted in a duplicate group name error)
-modified XMLRPCgetUserGroupMembers - added ability to modify federated groups if user has access
privileges.php:
-additional parameter checking
-modified viewNodes - added serverProfileAdmin to $privs array used to determine which resource groups can be added at the node
-modified AJsubmitAddChildNode - moved updateUserOrGroupPrivs to inside if conditional (no need to call it if no changes)
-modified getNodeCascadePrivileges - located problem where blocking cascaded privileges does not continue to child nodes; added fix and commented it out until can properly prepare users for change
utils.php:
-modified getResourceGroups - optional argument of $id to limit returned data to just a specified resource group
-modified getUserGroupID - added optional argument of $noadd that causes the function to return NULL instead of adding the group if it does not already exist
-modified getTypes - removed conditional that checks for 'block' and 'cascade' with resource groups - type here is computer, image, etc.
groups.php:
-modified addGroup - moved conditional for editgroupid to inside 'user' section
Modified:
vcl/branches/vcl-2.3-bugfixes/web/.ht-inc/groups.php
vcl/branches/vcl-2.3-bugfixes/web/.ht-inc/privileges.php
vcl/branches/vcl-2.3-bugfixes/web/.ht-inc/utils.php
vcl/branches/vcl-2.3-bugfixes/web/.ht-inc/xmlrpcWrappers.php
Modified: vcl/branches/vcl-2.3-bugfixes/web/.ht-inc/groups.php
URL: http://svn.apache.org/viewvc/vcl/branches/vcl-2.3-bugfixes/web/.ht-inc/groups.php?rev=1443205&r1=1443204&r2=1443205&view=diff
==============================================================================
--- vcl/branches/vcl-2.3-bugfixes/web/.ht-inc/groups.php (original)
+++ vcl/branches/vcl-2.3-bugfixes/web/.ht-inc/groups.php Wed Feb 6 20:47:10 2013
@@ -1016,6 +1016,7 @@ function processGroupInput($checks=1) {
///
////////////////////////////////////////////////////////////////////////////////
function checkForGroupName($name, $type, $id, $extraid) {
+ $name = mysql_real_escape_string($name);
if($type == "user")
$query = "SELECT id FROM usergroup "
. "WHERE name = '$name' AND "
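Review bot: Escaping `$name` on the new first line protects only the `name = '$name'` predicate; the other parameters `$id` and `$extraid` are not touched here and presumably reach the rest of the query below (outside this hunk), so it is worth confirming they are numeric before interpolation. If any caller obtains `$name` through `processInputVar` with `$addslashes` set, the value is now escaped twice — the utils.php hunk in this same commit switches that path to `mysql_real_escape_string` too — and the lookup would silently miss on names containing a quote or backslash. `mysql_real_escape_string` also returns `false` when no connection is open, which would turn the predicate into `name = ''` with no error. checkForGroupName continues outside the hunk.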
@@ -1090,9 +1091,9 @@ function updateGroup($data) {
///
////////////////////////////////////////////////////////////////////////////////
function addGroup($data) {
- if($data['editgroupid'] == 0 || $data['editgroupid'] == '')
- $data['editgroupid'] = 'NULL';
if($data['type'] == "user") {
+ if($data['editgroupid'] == 0 || $data['editgroupid'] == '')
+ $data['editgroupid'] = 'NULL';
if(! array_key_exists('custom', $data))
$data['custom'] = 1;
elseif($data['custom'] == 0) {
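Review bot: The relocated check still uses loose `== 0`, so any non-numeric `editgroupid` string collapses to the `'NULL'` sentinel while a numeric-looking one passes through unchanged. If `$data['editgroupid']` is interpolated into SQL later in addGroup (outside this hunk), the non-empty path should pin the type as well, e.g. `else $data['editgroupid'] = (int)$data['editgroupid'];`, so the only two shapes that can reach the query are an integer and the literal `NULL`. The comment explaining why the conversion is user-only would also help: `# only user groups carry an editgroupid; other types leave it untouched`.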
Modified: vcl/branches/vcl-2.3-bugfixes/web/.ht-inc/privileges.php
URL: http://svn.apache.org/viewvc/vcl/branches/vcl-2.3-bugfixes/web/.ht-inc/privileges.php?rev=1443205&r1=1443204&r2=1443205&view=diff
==============================================================================
--- vcl/branches/vcl-2.3-bugfixes/web/.ht-inc/privileges.php (original)
+++ vcl/branches/vcl-2.3-bugfixes/web/.ht-inc/privileges.php Wed Feb 6 20:47:10 2013
@@ -100,7 +100,7 @@ function viewNodes() {
print " <TD><FORM action=\"" . BASEURL . SCRIPT . "\" method=post>\n";
print " <button id=addNodeBtn dojoType=\"dijit.form.Button\">\n";
print " Add Child\n";
- print " <script type=\"dojo/method\" event=onClick>\n";
+ print " <script type=\"dojo/method\" event=onClick>\n";
print " showPrivPane('addNodePane');\n";
print " return false;\n";
print " </script>\n";
@@ -109,7 +109,7 @@ function viewNodes() {
print " <TD><FORM action=\"" . BASEURL . SCRIPT . "\" method=post>\n";
print " <button id=deleteNodeBtn dojoType=\"dijit.form.Button\">\n";
print " Delete Node and Children\n";
- print " <script type=\"dojo/method\" event=onClick>\n";
+ print " <script type=\"dojo/method\" event=onClick>\n";
print " dijit.byId('deleteDialog').show();\n";
print " return false;\n";
print " </script>\n";
@@ -118,7 +118,7 @@ function viewNodes() {
print " <TD><FORM action=\"" . BASEURL . SCRIPT . "\" method=post>\n";
print " <button id=renameNodeBtn dojoType=\"dijit.form.Button\">\n";
print " Rename Node\n";
- print " <script type=\"dojo/method\" event=onClick>\n";
+ print " <script type=\"dojo/method\" event=onClick>\n";
print " dijit.byId('renameDialog').show();\n";
print " return false;\n";
print " </script>\n";
@@ -186,7 +186,7 @@ function viewNodes() {
if($hasUserGrant) {
print "<button id=addUserBtn dojoType=\"dijit.form.Button\">\n";
print " Add User\n";
- print " <script type=\"dojo/method\" event=onClick>\n";
+ print " <script type=\"dojo/method\" event=onClick>\n";
print " showPrivPane('addUserPane');\n";
print " return false;\n";
print " </script>\n";
@@ -236,7 +236,7 @@ function viewNodes() {
if($hasUserGrant) {
print "<button id=addGroupBtn dojoType=\"dijit.form.Button\">\n";
print " Add Group\n";
- print " <script type=\"dojo/method\" event=onClick>\n";
+ print " <script type=\"dojo/method\" event=onClick>\n";
print " showPrivPane('addUserGroupPane');\n";
print " return false;\n";
print " </script>\n";
@@ -296,7 +296,7 @@ function viewNodes() {
if($hasResourceGrant) {
print "<button id=addResourceBtn dojoType=\"dijit.form.Button\">\n";
print " Add Resource Group\n";
- print " <script type=\"dojo/method\" event=onClick>\n";
+ print " <script type=\"dojo/method\" event=onClick>\n";
print " showPrivPane('addResourceGroupPane');\n";
print " return false;\n";
print " </script>\n";
@@ -312,7 +312,7 @@ function viewNodes() {
print " title=\"Add User Permission\"\n";
print " duration=250\n";
print " draggable=true>\n";
- print " <script type=\"dojo/connect\" event=onCancel>\n";
+ print " <script type=\"dojo/connect\" event=onCancel>\n";
print " addUserPaneHide();\n";
print " </script>\n";
print "<H2>Add User</H2>\n";
@@ -355,7 +355,7 @@ function viewNodes() {
print "<TD>\n";
print " <button id=submitAddUserBtn dojoType=\"dijit.form.Button\">\n";
print " Submit New User\n";
- print " <script type=\"dojo/method\" event=onClick>\n";
+ print " <script type=\"dojo/method\" event=onClick>\n";
print " submitAddUser();\n";
print " </script>\n";
print " </button>\n";
@@ -363,7 +363,7 @@ function viewNodes() {
print "<TD>\n";
print " <button id=cancelAddUserBtn dojoType=\"dijit.form.Button\">\n";
print " Cancel\n";
- print " <script type=\"dojo/method\" event=onClick>\n";
+ print " <script type=\"dojo/method\" event=onClick>\n";
print " addUserPaneHide();\n";
print " </script>\n";
print " </button>\n";
@@ -378,7 +378,7 @@ function viewNodes() {
print " title=\"Add User Group Permission\"\n";
print " duration=250\n";
print " draggable=true>\n";
- print " <script type=\"dojo/connect\" event=onCancel>\n";
+ print " <script type=\"dojo/connect\" event=onCancel>\n";
print " addUserGroupPaneHide();\n";
print " </script>\n";
print "<H2>Add User Group</H2>\n";
@@ -423,7 +423,7 @@ function viewNodes() {
print "<TD>\n";
print " <button id=submitAddGroupBtn dojoType=\"dijit.form.Button\">\n";
print " Submit New User Group\n";
- print " <script type=\"dojo/method\" event=onClick>\n";
+ print " <script type=\"dojo/method\" event=onClick>\n";
print " submitAddUserGroup();\n";
print " </script>\n";
print " </button>\n";
@@ -431,7 +431,7 @@ function viewNodes() {
print "<TD>\n";
print " <button id=cancelAddGroupBtn dojoType=\"dijit.form.Button\">\n";
print " Cancel\n";
- print " <script type=\"dojo/method\" event=onClick>\n";
+ print " <script type=\"dojo/method\" event=onClick>\n";
print " addUserGroupPaneHide();\n";
print " </script>\n";
print " </button>\n";
@@ -446,7 +446,7 @@ function viewNodes() {
print " title=\"Add Resource Group Permission\"\n";
print " duration=250\n";
print " draggable=true>\n";
- print " <script type=\"dojo/connect\" event=onCancel>\n";
+ print " <script type=\"dojo/connect\" event=onCancel>\n";
print " addResourceGroupPaneHide();\n";
print " </script>\n";
print "<H2>Add Resource Group</H2>\n";
@@ -466,7 +466,8 @@ function viewNodes() {
print " <TR>\n";
print " <TD>\n";
$resources = array();
- $privs = array("computerAdmin","mgmtNodeAdmin", "imageAdmin", "scheduleAdmin");
+ $privs = array("computerAdmin", "mgmtNodeAdmin", "imageAdmin",
+ "scheduleAdmin", "serverProfileAdmin");
$resourcesgroups = getUserResources($privs, array("manageGroup"), 1);
foreach(array_keys($resourcesgroups) as $type) {
foreach($resourcesgroups[$type] as $id => $group) {
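Review bot: The admin-privilege list on the new lines (`computerAdmin`, `mgmtNodeAdmin`, `imageAdmin`, `scheduleAdmin`, `serverProfileAdmin`) is now duplicated verbatim in AJsubmitAddResourcePriv (the hunk at `@@ -2660,13 +2757,19 @@`), where it gates the actual authorization check. The two copies can drift — this commit itself had to add `serverProfileAdmin` here to catch up — so a single shared helper (e.g. `getResourceAdminPrivs()` returning the array) called from both places would keep the UI list and the authorization list in lock-step. viewNodes starts and ends outside this hunk.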
@@ -501,7 +502,7 @@ function viewNodes() {
print "<TD>\n";
print " <button dojoType=\"dijit.form.Button\">\n";
print " Submit New Resource Group\n";
- print " <script type=\"dojo/method\" event=onClick>\n";
+ print " <script type=\"dojo/method\" event=onClick>\n";
print " submitAddResourceGroup();\n";
print " </script>\n";
print " </button>\n";
@@ -509,7 +510,7 @@ function viewNodes() {
print "<TD>\n";
print " <button dojoType=\"dijit.form.Button\">\n";
print " Cancel\n";
- print " <script type=\"dojo/method\" event=onClick>\n";
+ print " <script type=\"dojo/method\" event=onClick>\n";
print " addResourceGroupPaneHide();\n";
print " </script>\n";
print " </button>\n";
@@ -528,7 +529,7 @@ function viewNodes() {
print "<div id=addChildNodeName></div>\n";
print "<strong>New Node:</strong>\n";
print "<input type=text id=childNodeName dojoType=dijit.form.TextBox>\n";
- print " <script type=\"dojo/connect\" event=onKeyPress args=\"e\">\n";
+ print " <script type=\"dojo/connect\" event=onKeyPress args=\"e\">\n";
print " if(e.keyCode == dojo.keys.ENTER) {\n";
print " submitAddChildNode();\n";
print " }\n";
@@ -539,7 +540,7 @@ function viewNodes() {
print "<TD>\n";
print " <button id=submitAddNodeBtn dojoType=\"dijit.form.Button\">\n";
print " Create Child\n";
- print " <script type=\"dojo/method\" event=onClick>\n";
+ print " <script type=\"dojo/method\" event=onClick>\n";
print " submitAddChildNode();\n";
print " </script>\n";
print " </button>\n";
@@ -547,7 +548,7 @@ function viewNodes() {
print "<TD>\n";
print " <button id=cancelAddNodeBtn dojoType=\"dijit.form.Button\">\n";
print " Cancel\n";
- print " <script type=\"dojo/method\" event=onClick>\n";
+ print " <script type=\"dojo/method\" event=onClick>\n";
print " dojo.byId('childNodeName').value = '';\n";
print " dojo.byId('addChildNodeStatus').innerHTML = '';\n";
print " dijit.byId('addNodePane').hide();\n";
@@ -571,7 +572,7 @@ function viewNodes() {
print "<TD>\n";
print " <button id=submitDeleteNodeBtn dojoType=\"dijit.form.Button\">\n";
print " Delete Nodes\n";
- print " <script type=\"dojo/method\" event=onClick>\n";
+ print " <script type=\"dojo/method\" event=onClick>\n";
print " deleteNodes();\n";
print " </script>\n";
print " </button>\n";
@@ -579,7 +580,7 @@ function viewNodes() {
print "<TD>\n";
print " <button id=cancelDeleteNodeBtn dojoType=\"dijit.form.Button\">\n";
print " Cancel\n";
- print " <script type=\"dojo/method\" event=onClick>\n";
+ print " <script type=\"dojo/method\" event=onClick>\n";
print " dijit.byId('deleteDialog').hide();\n";
print " </script>\n";
print " </button>\n";
@@ -599,7 +600,7 @@ function viewNodes() {
print "<div id=renameNodeName></div><br>\n";
print "<strong>New Name:</strong>\n";
print "<input type=text id=newNodeName dojoType=dijit.form.TextBox>\n";
- print " <script type=\"dojo/connect\" event=onKeyPress args=\"e\">\n";
+ print " <script type=\"dojo/connect\" event=onKeyPress args=\"e\">\n";
print " if(e.keyCode == dojo.keys.ENTER) {\n";
print " renameNode();\n";
print " }\n";
@@ -611,7 +612,7 @@ function viewNodes() {
print "<TD>\n";
print " <button id=submitRenameNodeBtn dojoType=\"dijit.form.Button\">\n";
print " Rename Node\n";
- print " <script type=\"dojo/method\" event=onClick>\n";
+ print " <script type=\"dojo/method\" event=onClick>\n";
print " renameNode();\n";
print " </script>\n";
print " </button>\n";
@@ -619,7 +620,7 @@ function viewNodes() {
print "<TD>\n";
print " <button id=cancelRenameNodeBtn dojoType=\"dijit.form.Button\">\n";
print " Cancel\n";
- print " <script type=\"dojo/method\" event=onClick>\n";
+ print " <script type=\"dojo/method\" event=onClick>\n";
print " dijit.byId('renameDialog').hide();\n";
print " </script>\n";
print " </button>\n";
@@ -632,7 +633,7 @@ function viewNodes() {
print "<div dojoType=dijit.Dialog id=workingDialog duration=250 refocus=False>\n";
print "Loading...\n";
- print " <script type=\"dojo/connect\" event=_setup>\n";
+ print " <script type=\"dojo/connect\" event=_setup>\n";
print " dojo.addClass(dijit.byId('workingDialog').titleBar, 'hidden');\n";
print " </script>\n";
print "</div>\n";
@@ -648,10 +649,10 @@ function viewNodes() {
printSelectInput("editusergroupid", $groups, -1, 0, 0, 'editusergroupid', 'onChange="hideUserGroupPrivs();"');
$cont = addContinuationsEntry('AJpermSelectUserGroup');
print "<button dojoType=\"dijit.form.Button\">\n";
- print " Manage User Group Permissions\n";
- print " <script type=\"dojo/method\" event=onClick>\n";
- print " selectUserGroup('$cont');\n";
- print " </script>\n";
+ print " Manage User Group Permissions\n";
+ print " <script type=\"dojo/method\" event=onClick>\n";
+ print " selectUserGroup('$cont');\n";
+ print " </script>\n";
print "</button>\n";
print "<div id=\"extrapermsdiv\">\n";
print "<table summary=\"\">\n";
@@ -680,17 +681,17 @@ function viewNodes() {
printSelectInput("copyusergroupid", $groups, -1, 0, 0, 'copyusergroupid');
$cont = addContinuationsEntry('AJpermSelectUserGroup');
print "<button dojoType=\"dijit.form.Button\" id=\"usergroupcopyprivsbtn\" disabled>\n";
- print " Copy Permissions\n";
- print " <script type=\"dojo/method\" event=onClick>\n";
- print " copyUserGroupPrivs('$cont');\n";
- print " </script>\n";
+ print " Copy Permissions\n";
+ print " <script type=\"dojo/method\" event=onClick>\n";
+ print " copyUserGroupPrivs('$cont');\n";
+ print " </script>\n";
print "</button><br><br>\n";
$cont = addContinuationsEntry('AJsaveUserGroupPrivs');
print "<button dojoType=\"dijit.form.Button\" id=\"usergroupsaveprivsbtn\" disabled>\n";
- print " Save Selected Permissions\n";
- print " <script type=\"dojo/method\" event=onClick>\n";
- print " saveUserGroupPrivs('$cont');\n";
- print " </script>\n";
+ print " Save Selected Permissions\n";
+ print " <script type=\"dojo/method\" event=onClick>\n";
+ print " saveUserGroupPrivs('$cont');\n";
+ print " </script>\n";
print "</button><br>\n";
print "<span id=\"userpermsubmitstatus\"></span>\n";
print "</div>\n";
@@ -732,7 +733,7 @@ function selectNode() {
$text .= " <TD><FORM action=\"" . BASEURL . SCRIPT . "\" method=post>";
$text .= " <button id=addNodeBtn dojoType=\"dijit.form.Button\">";
$text .= " Add Child";
- $text .= " <script type=\"dojo/method\" event=onClick>";
+ $text .= " <script type=\"dojo/method\" event=onClick>";
$text .= " showPrivPane(\"addNodePane\");";
$text .= " return false;";
$text .= " </script>";
@@ -741,7 +742,7 @@ function selectNode() {
$text .= " <TD><FORM action=\"" . BASEURL . SCRIPT . "\" method=post>";
$text .= " <button id=deleteNodeBtn dojoType=\"dijit.form.Button\">";
$text .= " Delete Node and Children";
- $text .= " <script type=\"dojo/method\" event=onClick>";
+ $text .= " <script type=\"dojo/method\" event=onClick>";
$text .= " dijit.byId(\"deleteDialog\").show();";
$text .= " return false;";
$text .= " </script>";
@@ -750,7 +751,7 @@ function selectNode() {
$text .= " <TD><FORM action=\"" . BASEURL . SCRIPT . "\" method=post>";
$text .= " <button id=renameNodeBtn dojoType=\"dijit.form.Button\">";
$text .= " Rename Node";
- $text .= " <script type=\"dojo/method\" event=onClick>";
+ $text .= " <script type=\"dojo/method\" event=onClick>";
$text .= " dijit.byId(\"renameDialog\").show();";
$text .= " return false;";
$text .= " </script>";
@@ -859,7 +860,7 @@ function selectNode() {
if($hasUserGrant) {
$text .= "<button id=addGroupBtn dojoType=\"dijit.form.Button\">";
$text .= " Add Group";
- $text .= " <script type=\"dojo/method\" event=onClick>";
+ $text .= " <script type=\"dojo/method\" event=onClick>";
$text .= " showPrivPane(\"addUserGroupPane\");";
$text .= " return false;";
$text .= " </script>";
@@ -919,7 +920,7 @@ function selectNode() {
if($hasResourceGrant) {
$text .= "<button id=addResourceBtn dojoType=\"dijit.form.Button\">";
$text .= " Add Resource Group";
- $text .= " <script type=\"dojo/method\" event=onClick>";
+ $text .= " <script type=\"dojo/method\" event=onClick>";
$text .= " showPrivPane(\"addResourceGroupPane\");";
$text .= " return false;";
$text .= " </script>";
@@ -994,15 +995,15 @@ function AJsubmitAddChildNode() {
print "alert('$text');";
return;
}
- $nodeInfo = getNodeInfo($parent);
$newnode = processInputVar("newnode", ARG_STRING);
- if(! preg_match('/^[-A-Za-z0-9_. ]+$/', $newnode)) {
- $text = "You can only use letters, numbers, spaces,<br>"
- . "dashes(-), dots(.), and underscores(_).";
- print "dojo.byId('addChildNodeStatus').innerHTML = '$text';";
+ $errmsg = '';
+ if(! validateNodeName($newnode, $errmsg)) {
+ print "dojo.byId('addChildNodeStatus').innerHTML = '$errmsg';";
return;
}
+ $nodeInfo = getNodeInfo($parent);
+
# check to see if a node with the submitted name already exists
$query = "SELECT id "
. "FROM privnode "
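Review bot: `$errmsg` is written into a single-quoted JavaScript string literal on the new line without any escaping; the English text from validateNodeName is safe, but since it now goes through `_()` any translation containing an apostrophe would break the emitted script. Encoding it as a JS value avoids that: `print "dojo.byId('addChildNodeStatus').innerHTML = " . json_encode($errmsg) . ";";`. The context line `print "alert('$text');";` above has the same shape, as do the alert messages in the AJchange* hunks later in this file, though those are fixed strings. AJsubmitAddChildNode starts outside the hunk.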
@@ -1033,9 +1034,10 @@ function AJsubmitAddChildNode() {
if(! checkUserHasPriv($type, $user["id"], $nodeid))
array_push($privs, $type);
}
- if(count($privs))
+ if(count($privs)) {
array_push($privs, "cascade");
- updateUserOrGroupPrivs($user["id"], $nodeid, $privs, array(), "user");
+ updateUserOrGroupPrivs($user["id"], $nodeid, $privs, array(), "user");
+ }
print "addChildNode('$newnode', $nodeid);";
}
@@ -1061,6 +1063,27 @@ function nodeExists($node) {
////////////////////////////////////////////////////////////////////////////////
///
+/// \fn validateNodeName($name, &$errmsg)
+///
+/// \param $name - name for a node
+/// \param $errmsg - variable into which an error message will be placed if
+/// $name is not valid
+///
+/// \return 1 if name is okay, 0 if not; if 0, $errmsg is populated with an
+/// error message
+///
+/// \brief validates that a name for a node is okay
+///
+////////////////////////////////////////////////////////////////////////////////
+function validateNodeName($name, &$errmsg) {
+ if(preg_match('/^[-A-Za-z0-9_\. ]+$/', $name))
+ return 1;
+ $errmsg = _("Node names can only contain letters, numbers, spaces,<br>dashes(-), dots(.), and underscores(_).");
+ return 0;
+}
+
+////////////////////////////////////////////////////////////////////////////////
+///
/// \fn AJsubmitDeleteNode()
///
/// \brief deletes a node and its children; calls viewNodes when finished
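Review bot: The pattern `'/^[-A-Za-z0-9_\. ]+$/'` in validateNodeName lets a trailing newline through, because PCRE's `$` also matches immediately before a final `\n`; a name such as `"foo\n"` would be accepted and stored verbatim. Adding the `D` modifier (`'/^[-A-Za-z0-9_. ]+$/D'`) or ending the pattern with `\z` closes that gap. The header could also record that `$errmsg` is intended for innerHTML, since it carries a `<br>`: `/// \param $errmsg - ... (contains HTML; intended for innerHTML, not a plain alert)`. Returning `true`/`false` rather than `1`/`0` would match the boolean use at the call sites.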
@@ -1110,22 +1133,29 @@ function AJsubmitRenameNode() {
sendJSON($arr);
return;
}
- # check if node matching new name already exists at parent
$newname = processInputVar('newname', ARG_STRING);
+ $errmsg = '';
+ if(! validateNodeName($newname, $errmsg)) {
+ $arr = array('error' => 2, 'message' => $errmsg);
+ sendJSON($arr);
+ return;
+ }
+ # check if node matching new name already exists at parent
+ $_newname = mysql_real_escape_string($newname);
$query = "SELECT id "
. "FROM privnode "
. "WHERE parent = (SELECT parent FROM privnode WHERE id = $activeNode) AND "
- . "name = '$newname'";
+ . "name = '$_newname'";
$qh = doQuery($query, 101);
if(mysql_num_rows($qh)) {
- $msg = "A sibling node of that name currently exists";
+ $msg = _("A sibling node of that name currently exists");
$arr = array('error' => 2, 'message' => $msg);
sendJSON($arr);
return;
}
$query = "UPDATE privnode "
- . "SET name = '$newname' "
+ . "SET name = '$_newname' "
. "WHERE id = $activeNode";
doQuery($query, 101);
$arr = array('newname' => $newname, 'node' => $activeNode);
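Review bot: Both new failure paths report `'error' => 2`, so a client cannot tell an invalid name from a sibling-name collision without parsing the message; giving the validation failure its own code, e.g. `$arr = array('error' => 3, 'message' => $errmsg);`, keeps the two distinguishable (hedged, since the JavaScript consumer is not visible here). The sibling SELECT followed by the UPDATE is not atomic, so two concurrent renames to the same name can both pass the check unless the table carries a unique key on (parent, name). `$activeNode` is interpolated into both queries and is presumably numeric from earlier in the function, which starts outside this hunk.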
@@ -1234,7 +1264,7 @@ function userLookup() {
if(is_null($userdata)) {
$userdata = getUserInfo($esc_userid, 1);
if(is_null($userdata)) {
- print "<font color=red>$userid not found in any known systems</font><br>\n";
+ print "<font color=red>$userid not found</font><br>\n";
return;
}
}
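Review bot: The rewritten message still prints `$userid` straight into HTML, and the presence of `$esc_userid` alongside it suggests `$userid` is the raw submitted value; if so this is a reflected injection point and should be encoded at output: `print "<font color=red>" . htmlspecialchars($userid) . " not found</font><br>\n";`. userLookup starts and ends outside this hunk, so whether `$userid` was already validated cannot be confirmed from here.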
@@ -1602,7 +1632,7 @@ function printUserPrivRow($privname, $ro
if(array_key_exists($privname, $privs) &&
(($usergroup == 1 &&
in_array("cascade", $privs[$privname])) ||
- ($usergroup == 2 &&
+ ($usergroup == 2 &&
in_array("cascade", $privs[$privname]['privs']))))
$checked = "checked";
else
@@ -1740,7 +1770,7 @@ function getUserPrivRowHTML($privname, $
if(array_key_exists($privname, $privs) &&
(($usergroup == 1 &&
in_array("cascade", $privs[$privname])) ||
- ($usergroup == 2 &&
+ ($usergroup == 2 &&
in_array("cascade", $privs[$privname]['privs']))))
$checked = "checked";
else
@@ -2173,7 +2203,7 @@ function getNodePrivileges($node, $type=
/// \param $node - id of node
/// \param $type - (optional) resources, users, usergroups, or all
/// \param $privs - (optional) privilege array as returned by this function or
-/// getNodeCascadePrivileges
+/// getNodePrivileges
///
/// \return an array of privileges cascaded to the node:\n
///Array\n
@@ -2223,7 +2253,8 @@ function getNodeCascadePrivileges($node,
# get all block data
static $allblockdata = array();
if(empty($allblockdata)) {
- $query = "SELECT g.name AS name, "
+ $query = "SELECT g.id, "
+ . "g.name, "
. "t.name AS type, "
. "p.privnodeid "
. "FROM resourcepriv p, "
@@ -2233,10 +2264,15 @@ function getNodeCascadePrivileges($node,
. "g.resourcetypeid = t.id AND "
. "p.type = 'block'";
$qh = doQuery($query);
- while($row = mysql_fetch_assoc($qh))
+ while($row = mysql_fetch_assoc($qh)) {
if(! array_key_exists($row['privnodeid'], $allblockdata))
$allblockdata[$row['privnodeid']] = array();
+ # TODO adding the id at the end will fix the bug where blocking cascaded resource
+ # privileges are only blocked at the node and the block is not cascaded to
+ # child nodes
$allblockdata[$row['privnodeid']][] = "{$row["type"]}/{$row["name"]}";
+ #$allblockdata[$row['privnodeid']][] = "{$row["type"]}/{$row["name"]}/{$row['id']}";
+ }
}
# get resource group block data
@@ -2440,14 +2476,25 @@ function AJchangeUserPrivs() {
$newuser = processInputVar("item", ARG_STRING);
$newpriv = processInputVar('priv', ARG_STRING);
$newprivval = processInputVar('value', ARG_STRING);
- //print "alert('node: $node; newuser: $newuser; newpriv: $newpriv; newprivval: $newprivval');";
+
+ if(! validateUserid($newuser)) {
+ $text = "Invalid user submitted.";
+ print "alert('$text');";
+ return;
+ }
+
+ $privid = getUserPrivTypeID($newpriv);
+ if(is_null($privid)) {
+ $text = "Invalid user privilege submitted.";
+ print "alert('$text');";
+ return;
+ }
# get cascade privs at this node
$cascadePrivs = getNodeCascadePrivileges($node, "users");
- // if $newprivval is true and $newuser already has $newpriv
- // cascaded to it, do nothing
if($newprivval == 'true') {
+ // if $newuser already has $newpriv cascaded to it, do nothing
if(array_key_exists($newuser, $cascadePrivs['users']) &&
in_array($newpriv, $cascadePrivs['users'][$newuser]))
return;
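Review bot: `$newprivval` is read from the request but never validated, unlike `$newuser` and `$newpriv`; with `if($newprivval == 'true')` any other value appears to fall through to the removal branch (the `else` is outside this hunk, so hedged). A guard of the same shape as the two new ones, `if($newprivval != 'true' && $newprivval != 'false') { print "alert('Invalid value submitted.');"; return; }`, would reject malformed requests instead of treating them as removals. The same applies to AJchangeUserGroupPrivs and AJchangeResourcePrivs in the next two hunks. `$privid` is only used for the null check within this hunk; if the rest of the function does not use it either, a name like `$privtypeid` plus a comment `# existence check only` would make that intent clear.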
@@ -2481,17 +2528,28 @@ function AJchangeUserGroupPrivs() {
return;
}
$newusergrpid = processInputVar("item", ARG_NUMERIC);
- $newusergrp = getUserGroupName($newusergrpid);
$newpriv = processInputVar('priv', ARG_STRING);
$newprivval = processInputVar('value', ARG_STRING);
- //print "alert('node: $node; newuser:grp $newuser;grp newpriv: $newpriv; newprivval: $newprivval');";
+
+ $newusergrp = getUserGroupName($newusergrpid);
+ if($newusergrp === 0) {
+ $text = "Invalid user group submitted.";
+ print "alert('$text');";
+ return;
+ }
+
+ $privid = getUserPrivTypeID($newpriv);
+ if(is_null($privid)) {
+ $text = "Invalid user privilege submitted.";
+ print "alert('$text');";
+ return;
+ }
# get cascade privs at this node
$cascadePrivs = getNodeCascadePrivileges($node, "usergroups");
- // if $newprivval is true and $newusergrp already has $newpriv
- // cascaded to it, do nothing
if($newprivval == 'true') {
+ // if $newusergrp already has $newpriv cascaded to it, do nothing
if(array_key_exists($newusergrp, $cascadePrivs['usergroups']) &&
in_array($newpriv, $cascadePrivs['usergroups'][$newusergrp]['privs']))
return;
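Review bot: The new guard `if($newusergrp === 0)` relies on getUserGroupName returning the integer `0` for an unknown id; if it returns `NULL`, `false` or the string `'0'` on a miss the guard never fires and the unknown group id flows into the privilege update. The same check appears in AJsubmitAddUserGroupPriv (the hunk at `@@ -2616,9 +2706,16 @@`). Worth confirming the helper's contract and, if it is not strictly `int 0`, tightening the test or documenting it at the call site: `# getUserGroupName returns int 0 when the id does not exist`.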
@@ -2527,14 +2585,47 @@ function AJchangeResourcePrivs() {
$resourcegrp = processInputVar("item", ARG_STRING);
$newpriv = processInputVar('priv', ARG_STRING);
$newprivval = processInputVar('value', ARG_STRING);
- //print "alert('node: $node; resourcegrp: $resourcegrp; newpriv: $newpriv; newprivval: $newprivval');";
+
+ $allprivs = getResourcePrivs();
+ if(! in_array($newpriv, $allprivs)) {
+ $text = "Invalid resource privilege submitted.";
+ print "alert('$text');";
+ return;
+ }
+
+ $resourcetypes = getTypes('resources');
+ $types = implode('|', $resourcetypes['resources']);
+ if(! preg_match("@($types)/([^/]+)/([0-9]+)@", $resourcegrp, $matches)) {
+ $text = "Invalid resource group submitted.";
+ print "alert('$text');";
+ return;
+ }
+
+ $type = $matches[1];
+ $groupid = $matches[3];
+
+ $groupdata = getResourceGroups($type, $groupid);
+ if(empty($groupdata)) {
+ $text = "Invalid resource group submitted.";
+ print "alert('$text');";
+ return;
+ }
+
+ // if $type is administer, manageGroup, or manageMapping, and it is not
+ # checked, and the user is not in the resource owner group, don't allow
+ # the change
+ if($newpriv != "block" && $newpriv != "cascade" && $newpriv != "available" &&
+ ! array_key_exists($groupdata[$groupid]["ownerid"], $user["groups"])) {
+ $text = "You do not have rights to modify the submitted privilege for the submitted group.";
+ print "alert('$text');";
+ return;
+ }
# get cascade privs at this node
$cascadePrivs = getNodeCascadePrivileges($node, "resources");
- // if $newprivval is true and $resourcegrp already has $newpriv
- // cascaded to it, do nothing
if($newprivval == 'true') {
+ // if $resourcegrp already has $newpriv cascaded to it, do nothing
if(array_key_exists($resourcegrp, $cascadePrivs['resources']) &&
in_array($newpriv, $cascadePrivs['resources'][$resourcegrp]))
return;
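Review bot: The new pattern `"@($types)/([^/]+)/([0-9]+)@"` is unanchored, so `$resourcegrp` may carry extra leading or trailing text and still pass; `$groupid` is then validated against the database, but the unmodified `$resourcegrp` is used later as the key into `$cascadePrivs['resources']`, where any extra characters silently miss the cascade check. Anchoring fixes that: `if(! preg_match("@^($types)/([^/]+)/([0-9]+)$@", $resourcegrp, $matches)) {`, and the type names should be run through `preg_quote` before `implode` since they are interpolated into the pattern. The comment above the ownership test names the wrong variable — it should read `// if $newpriv is administer, manageGroup, or manageMapping, and it is not` — and it mixes `//` and `#` on consecutive lines.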
@@ -2547,8 +2638,7 @@ function AJchangeResourcePrivs() {
$adds = array();
$removes = array($newpriv);
}
- $tmpArr = explode('/', $resourcegrp);
- updateResourcePrivs($tmpArr[2], $node, $adds, $removes);
+ updateResourcePrivs($groupid, $node, $adds, $removes);
$_SESSION['dirtyprivs'] = 1;
}
@@ -2616,9 +2706,16 @@ function AJsubmitAddUserGroupPriv() {
return;
}
$newgroupid = processInputVar("newgroupid", ARG_NUMERIC);
- # FIXME validate newgroupid
+
+ $newgroup = getUserGroupName($newgroupid);
+ if($newgroup === 0) {
+ $text = "Invalid user group submitted.";
+ print "alert('$text');";
+ return;
+ }
$perms = explode(':', processInputVar('perms', ARG_STRING));
+
$usertypes = getTypes("users");
array_push($usertypes["users"], "block");
array_push($usertypes["users"], "cascade");
@@ -2660,13 +2757,19 @@ function AJsubmitAddResourcePriv() {
$newgroupid = processInputVar("newgroupid", ARG_NUMERIC);
$privs = array("computerAdmin", "mgmtNodeAdmin", "imageAdmin",
"scheduleAdmin", "serverProfileAdmin");
- $resourcesgroups = getUserResources($privs, array("manageGroup"), 1);
+ $resourcegroups = getUserResources($privs, array("manageGroup"), 1);
+
+ $groupdata = getResourceGroups('', $newgroupid);
+
+ if(empty($groupdata)) {
+ $text = "Invalid resource group submitted.";
+ print "addResourceGroupPaneHide(); ";
+ print "alert('$text');";
+ return;
+ }
- if(! array_key_exists($newgroupid, $resourcesgroups['image']) &&
- ! array_key_exists($newgroupid, $resourcesgroups['computer']) &&
- ! array_key_exists($newgroupid, $resourcesgroups['managementnode']) &&
- ! array_key_exists($newgroupid, $resourcesgroups['schedule']) &&
- ! array_key_exists($newgroupid, $resourcesgroups['serverprofile'])) {
+ list($newtype, $tmp) = explode('/', $groupdata[$newgroupid]['name']);
+ if(! array_key_exists($newgroupid, $resourcegroups[$newtype])) {
$text = "You do not have rights to manage the specified resource group.";
print "addResourceGroupPaneHide(); ";
print "alert('$text');";
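Review bot: `$resourcegroups[$newtype]` is only defined for resource types the user actually manages, so when the submitted group belongs to some other type the new `array_key_exists($newgroupid, $resourcegroups[$newtype])` runs against an undefined index — the user is still denied, but with a PHP notice rather than a clean check. Guarding the index first keeps the behaviour and removes the notice: `if(! isset($resourcegroups[$newtype]) || ! array_key_exists($newgroupid, $resourcegroups[$newtype])) {`. The `list($newtype, $tmp) = explode('/', ...)` line assumes every group name contains a `/`, which getResourceGroups appears to guarantee by construction but is worth a one-line comment. AJsubmitAddResourcePriv starts outside this hunk.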
@@ -2754,7 +2857,7 @@ function checkUserHasPriv($priv, $uid, $
$groupid == $cascadePrivs['usergroups'][$groupname]['id'] &&
in_array($priv, $cascadePrivs["usergroups"][$groupname]['privs'])) &&
(! array_key_exists($groupname, $privs["usergroups"]) ||
- (! in_array("block", $privs["usergroups"][$groupname]['privs']) &&
+ (! in_array("block", $privs["usergroups"][$groupname]['privs']) &&
$groupid == $privs['usergroups'][$groupname]['id'])))) {
$_SESSION['userhaspriv'][$key] = 1;
return 1;
Modified: vcl/branches/vcl-2.3-bugfixes/web/.ht-inc/utils.php
URL: http://svn.apache.org/viewvc/vcl/branches/vcl-2.3-bugfixes/web/.ht-inc/utils.php?rev=1443205&r1=1443204&r2=1443205&view=diff
==============================================================================
--- vcl/branches/vcl-2.3-bugfixes/web/.ht-inc/utils.php (original)
+++ vcl/branches/vcl-2.3-bugfixes/web/.ht-inc/utils.php Wed Feb 6 20:47:10 2013
@@ -2274,6 +2274,7 @@ function updateResourcePrivs($group, $no
else
$groupid = getResourceGroupID($group);
foreach($adds as $type) {
+ $type = mysql_real_escape_string($type);
$query = "INSERT IGNORE INTO resourcepriv ("
. "resourcegroupid, "
. "privnodeid, "
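Review bot: Escaping `$type` covers only one of the three values interpolated into these statements; `$groupid` and `$node` are still inlined unescaped in both loops (visible in the DELETE of the next hunk at `@@ -2285,6 +2286,7 @@`, `"WHERE resourcegroupid = $groupid AND " . "privnodeid = $node AND "`). If both are guaranteed numeric by the callers, casting at the top of the function, `$node = (int)$node;`, makes that guarantee local instead of inherited. Since AJchangeResourcePrivs now validates `$newpriv` against `getResourcePrivs()`, this escaping is defence in depth and a comment saying so (`# $type is validated by callers; escaped here as a second line of defence`) would stop a future reader removing it. updateResourcePrivs starts outside the hunk.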
@@ -2285,6 +2286,7 @@ function updateResourcePrivs($group, $no
doQuery($query, 377);
}
foreach($removes as $type) {
+ $type = mysql_real_escape_string($type);
$query = "DELETE FROM resourcepriv "
. "WHERE resourcegroupid = $groupid AND "
. "privnodeid = $node AND "
@@ -2600,18 +2602,22 @@ function getUserGroupPrivTypes() {
////////////////////////////////////////////////////////////////////////////////
///
-/// \fn getResourceGroups($type)
+/// \fn getResourceGroups($type, $id)
///
/// \param $type - (optional) a name from the resourcetype table, defaults to
/// be empty
+/// \param $id - (optional) id of a resource group
///
-/// \return an array of resource group names whose index values are the ids;
-/// the names are the resource type and group name combined as 'type/name'
+/// \return an array of resource groups where each key is a group id and each
+/// value is an array with these elements:\n
+/// \b name - type and name of group combined as type/name\n
+/// \b ownerid - id of owning user group\n
+/// \b owner - name of owning user group
///
/// \brief builds list of resource groups
///
////////////////////////////////////////////////////////////////////////////////
-function getResourceGroups($type="") {
+function getResourceGroups($type='', $id='') {
$return = array();
$query = "SELECT g.id AS id, "
. "g.name AS name, "
@@ -2629,6 +2635,9 @@ function getResourceGroups($type="") {
if(! empty($type))
$query .= "AND t.name = '$type' ";
+ if(! empty($id))
+ $query .= "AND g.id = $id ";
+
$query .= "ORDER BY t.name, g.name";
$qh = doQuery($query, 281);
while($row = mysql_fetch_assoc($qh)) {
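Review bot: The new `$id` filter is interpolated directly into the query (`"AND g.id = $id "`) after only an `empty()` test, so the function accepts any string; the two callers added in this commit pass regex- or ARG_NUMERIC-validated values, but the function itself should not depend on that. `$query .= "AND g.id = " . (int)$id . " ";` pins the type locally. Note also that `empty($id)` treats the string `'0'` as "no filter", which matches the `$type` handling above but should be stated in the new `\param $id` line of the header.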
@@ -3283,7 +3292,7 @@ function processInputData($data, $type,
if(! is_string($value))
$return[$index] = $defaultvalue;
elseif($addslashes)
- $return[$index] = addslashes($value);
+ $return[$index] = mysql_real_escape_string($value);
}
return $return;
}
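Review bot: The parameter is still named `$addslashes` while the branch now calls `mysql_real_escape_string`, so the name (and the function's header comment, which is outside this hunk) no longer describe what the flag does; the doc should say the value is escaped for use in a MySQL string literal via the current connection. Unlike `addslashes`, `mysql_real_escape_string` needs an open MySQL link and returns `false` (with a warning) without one, so any call to `processInputData` that can run before the database connection is established would now silently store `false` in `$return`. The same substitution and caveat apply to the scalar branch in the next hunk.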
@@ -3292,7 +3301,7 @@ function processInputData($data, $type,
if(strlen($return) == 0)
$return = $defaultvalue;
elseif($addslashes)
- $return = addslashes($return);
+ $return = mysql_real_escape_string($return);
}
return $return;
@@ -8183,11 +8192,13 @@ function updateGroups($newusergroups, $u
////////////////////////////////////////////////////////////////////////////////
///
-/// \fn getUserGroupID($name, $affilid)
+/// \fn getUserGroupID($name, $affilid, $noadd)
///
/// \param $name - a group name
/// \param $affilid - (optional, defaults to DEFAULT_AFFILID) affiliation id
/// for $name
+/// \param $noadd - (optional, defaults to 0) set to 1 to return NULL if group
+/// does not exist instead of adding it to table
///
/// \return id for $name from group table
///
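Review bot: The `\param $name` line should state that the caller must already have escaped the value for SQL, because `getUserGroupID` interpolates it directly into `WHERE name = '$name'` (next hunk) — this commit's other lookups (`getResourceGroupID`, `getResourceTypeID`) now escape internally, and `validateAPIgroupInput` later in this diff passes an escaped name in one call and the raw `$parts[0]` in another, so the contract is easy to get wrong. Proposed wording: `/// \param $name - a group name (must already be escaped for use in SQL)`. It would also help to say in `\return` that NULL is returned only when `$noadd` is set.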
@@ -8195,15 +8206,16 @@ function updateGroups($newusergroups, $u
/// not currently in the table, adds it and returns the new id
///
////////////////////////////////////////////////////////////////////////////////
-function getUserGroupID($name, $affilid=DEFAULT_AFFILID) {
+function getUserGroupID($name, $affilid=DEFAULT_AFFILID, $noadd=0) {
$query = "SELECT id "
. "FROM usergroup "
. "WHERE name = '$name' AND "
. "affiliationid = $affilid";
$qh = doQuery($query, 300);
- if($row = mysql_fetch_row($qh)) {
+ if($row = mysql_fetch_row($qh))
return $row[0];
- }
+ elseif($noadd)
+ return NULL;
$query = "INSERT INTO usergroup "
. "(name, "
. "affiliationid, "
@@ -8760,11 +8772,8 @@ function getTypes($subtype="both") {
if($subtype == "resources" || $subtype == "both") {
$query = "SELECT id, name FROM resourcetype";
$qh = doQuery($query, 366);
- while($row = mysql_fetch_assoc($qh)) {
- if($row["name"] == "block" || $row["name"] == "cascade")
- continue;
+ while($row = mysql_fetch_assoc($qh))
$types["resources"][$row["id"]] = $row["name"];
- }
}
return $types;
}
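Review bot: Dropping the `block`/`cascade` skip changes what every caller of `getTypes` receives in the `resources` list, and the commit log does not mention it; if callers that build selectable resource-type lists (or the privilege editors in privileges.php) relied on those two being absent, they now show or accept them. If the wider list is intentional for the new server-profile handling, a one-line comment such as `# all resourcetype rows are returned, including block and cascade` above the loop would make that explicit; otherwise the filter should be reinstated or moved to the callers that need it.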
@@ -8943,8 +8952,10 @@ function getReservationLengthCeiling($le
/// \brief gets the id from the resourcegroup table for $groupname
///
////////////////////////////////////////////////////////////////////////////////
-function getResourceGroupID($groupdname) {
- list($type, $name) = explode('/', $groupdname);
+function getResourceGroupID($groupname) {
+ list($type, $name) = explode('/', $groupname);
+ $type = mysql_real_escape_string($type);
+ $name = mysql_real_escape_string($name);
$query = "SELECT g.id "
. "FROM resourcegroup g, "
. "resourcetype t "
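Review bot: If `$groupname` contains no `/`, `explode` yields a single element and `list()` leaves `$name` undefined (with a notice), after which the escaped empty value is compared against `g.name` below; padding the result avoids the notice without changing behaviour for well-formed input: `list($type, $name) = array_pad(explode('/', $groupname), 2, '');`. Since this function is now the place where escaping happens for the `type/name` form, it would be worth a comment that callers should pass the raw combined string rather than a pre-escaped one. The rest of the query and the return path are outside this hunk.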
@@ -8970,6 +8981,7 @@ function getResourceGroupID($groupdname)
///
////////////////////////////////////////////////////////////////////////////////
function getResourceTypeID($name) {
+ $name = mysql_real_escape_string($name);
$query = "SELECT id "
. "FROM resourcetype "
. "WHERE name = '$name'";
@@ -9782,24 +9794,24 @@ function xmlrpccall() {
xmlrpc_server_register_method($xmlrpc_handle, "XMLRPCdeployServer", "xmlRPChandler");
xmlrpc_server_register_method($xmlrpc_handle, "XMLRPCgetNodes", "xmlRPChandler");
xmlrpc_server_register_method($xmlrpc_handle, "XMLRPCaddNode", "xmlRPChandler");
- xmlrpc_server_register_method($xmlrpc_handle, "XMLRPCremoveNode", "xmlRPChandler");
- xmlrpc_server_register_method($xmlrpc_handle, "XMLRPCnodeExists", "xmlRPChandler");
- xmlrpc_server_register_method($xmlrpc_handle, "XMLRPCaddResourceGroupPriv", "xmlRPChandler");
- xmlrpc_server_register_method($xmlrpc_handle, "XMLRPCremoveResourceGroupPriv", "xmlRPChandler");
- xmlrpc_server_register_method($xmlrpc_handle, "XMLRPCgetResourceGroupPrivs", "xmlRPChandler");
- xmlrpc_server_register_method($xmlrpc_handle, "XMLRPCaddUserGroupPriv", "xmlRPChandler");
- xmlrpc_server_register_method($xmlrpc_handle, "XMLRPCremoveUserGroupPriv", "xmlRPChandler");
- xmlrpc_server_register_method($xmlrpc_handle, "XMLRPCgetUserGroupPrivs", "xmlRPChandler");
- xmlrpc_server_register_method($xmlrpc_handle, "XMLRPCaddResourceGroup", "xmlRPChandler");
- xmlrpc_server_register_method($xmlrpc_handle, "XMLRPCgetResourceGroups", "xmlRPChandler");
- xmlrpc_server_register_method($xmlrpc_handle, "XMLRPCremoveResourceGroup", "xmlRPChandler");
+ xmlrpc_server_register_method($xmlrpc_handle, "XMLRPCremoveNode", "xmlRPChandler");
+ xmlrpc_server_register_method($xmlrpc_handle, "XMLRPCnodeExists", "xmlRPChandler");
+ xmlrpc_server_register_method($xmlrpc_handle, "XMLRPCaddResourceGroupPriv", "xmlRPChandler");
+ xmlrpc_server_register_method($xmlrpc_handle, "XMLRPCremoveResourceGroupPriv", "xmlRPChandler");
+ xmlrpc_server_register_method($xmlrpc_handle, "XMLRPCgetResourceGroupPrivs", "xmlRPChandler");
+ xmlrpc_server_register_method($xmlrpc_handle, "XMLRPCaddUserGroupPriv", "xmlRPChandler");
+ xmlrpc_server_register_method($xmlrpc_handle, "XMLRPCremoveUserGroupPriv", "xmlRPChandler");
+ xmlrpc_server_register_method($xmlrpc_handle, "XMLRPCgetUserGroupPrivs", "xmlRPChandler");
+ xmlrpc_server_register_method($xmlrpc_handle, "XMLRPCaddResourceGroup", "xmlRPChandler");
+ xmlrpc_server_register_method($xmlrpc_handle, "XMLRPCgetResourceGroups", "xmlRPChandler");
+ xmlrpc_server_register_method($xmlrpc_handle, "XMLRPCremoveResourceGroup", "xmlRPChandler");
xmlrpc_server_register_method($xmlrpc_handle, "XMLRPCgetUserGroups", "xmlRPChandler");
- xmlrpc_server_register_method($xmlrpc_handle, "XMLRPCremoveUserGroup", "xmlRPChandler");
+ xmlrpc_server_register_method($xmlrpc_handle, "XMLRPCremoveUserGroup", "xmlRPChandler");
xmlrpc_server_register_method($xmlrpc_handle, "XMLRPCaddImageToGroup", "xmlRPChandler");
- xmlrpc_server_register_method($xmlrpc_handle, "XMLRPCremoveImageFromGroup", "xmlRPChandler");
- xmlrpc_server_register_method($xmlrpc_handle, "XMLRPCgetGroupImages", "xmlRPChandler");
- xmlrpc_server_register_method($xmlrpc_handle, "XMLRPCaddImageGroupToComputerGroup", "xmlRPChandler");
- xmlrpc_server_register_method($xmlrpc_handle, "XMLRPCremoveImageGroupFromComputerGroup", "xmlRPChandler");
+ xmlrpc_server_register_method($xmlrpc_handle, "XMLRPCremoveImageFromGroup", "xmlRPChandler");
+ xmlrpc_server_register_method($xmlrpc_handle, "XMLRPCgetGroupImages", "xmlRPChandler");
+ xmlrpc_server_register_method($xmlrpc_handle, "XMLRPCaddImageGroupToComputerGroup", "xmlRPChandler");
+ xmlrpc_server_register_method($xmlrpc_handle, "XMLRPCremoveImageGroupFromComputerGroup", "xmlRPChandler");
print xmlrpc_server_call_method($xmlrpc_handle, $HTTP_RAW_POST_DATA, '');
xmlrpc_server_destroy($xmlrpc_handle);
@@ -9941,7 +9953,7 @@ function xmlRPCabort($errcode, $query=''
////////////////////////////////////////////////////////////////////////////////
function printXMLRPCerror($errcode) {
global $XMLRPCERRORS;
- print "<?xml version=\"1.0\" encoding=\"iso-8859-1\"?>\n";
+ print "<?xml version=\"1.0\" encoding=\"iso-8859-1\"?" . ">\n"; # splitting the ? and > makes vim syntax highlighting work correctly
print "<methodResponse>\n";
print "<fault>\n";
print " <value>\n";
@@ -9979,7 +9991,7 @@ function printXMLRPCerror($errcode) {
/// \b totalMaxTime \n
/// \b maxExtendTime
/// \param $exists - 1 to check if $name\@$affiliation exists, 0 to check that
-/// they it does not exist
+/// it does not exist
///
/// \return an array to be returned as an error status or $items with these
/// extra keys:\n
@@ -10029,8 +10041,7 @@ function validateAPIgroupInput($items, $
}
# affiliation
if(array_key_exists('affiliation', $items)) {
- $esc_affiliation = mysql_real_escape_string($items['affiliation']);
- $affilid = getAffiliationID($esc_affiliation);
+ $affilid = getAffiliationID($items['affiliation']);
if(is_null($affilid)) {
return array('status' => 'error',
'errorcode' => 17,
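Review bot: Removing the `mysql_real_escape_string` call before `getAffiliationID` is only safe if `getAffiliationID` escapes its argument internally, and that function is not touched in this diff, so the reviewer cannot confirm it; the same assumption is made for `checkForGroupName` at L913 and L942 and for `getAffiliationID` again at L940. If any of these still build their query by interpolation, this hunk reintroduces injection from API-supplied `affiliation`, `name` and `managingGroup` values; a comment at the top of `validateAPIgroupInput` naming which helpers are expected to escape internally would document the contract being relied on here.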
@@ -10047,8 +10058,7 @@ function validateAPIgroupInput($items, $
. 'and can only contain letters, numbers, and '
. 'these characters: - _ . :');
}
- $esc_name = mysql_real_escape_string($items['name']);
- $doesexist = checkForGroupName($esc_name, 'user', '', $affilid);
+ $doesexist = checkForGroupName($items['name'], 'user', '', $affilid);
if($exists && ! $doesexist) {
return array('status' => 'error',
'errorcode' => 18,
@@ -10060,12 +10070,13 @@ function validateAPIgroupInput($items, $
'errormsg' => 'existing user group with submitted name and affiliation');
}
elseif($exists && $doesexist) {
+ $esc_name = mysql_real_escape_string($items['name']);
$items['id'] = getUserGroupID($esc_name, $affilid);
}
}
# owner
if($custom && array_key_exists('owner', $items)) {
- if(! validateUserid(mysql_real_escape_string($items['owner']))) {
+ if(! validateUserid($items['owner'])) {
return array('status' => 'error',
'errorcode' => 20,
'errormsg' => 'submitted owner is invalid');
@@ -10079,15 +10090,14 @@ function validateAPIgroupInput($items, $
'errorcode' => 24,
'errormsg' => 'submitted managingGroup is invalid');
}
- $esc_mgName = mysql_real_escape_string($parts[0]);
- $esc_mgAffil = mysql_real_escape_string($parts[1]);
- $mgaffilid = getAffiliationID($esc_mgAffil);
- if(! checkForGroupName($esc_mgName, 'user', '', $mgaffilid)) {
+ $mgaffilid = getAffiliationID($parts[1]);
+ if(is_null($mgaffilid) ||
+ ! checkForGroupName($parts[0], 'user', '', $mgaffilid)) {
return array('status' => 'error',
'errorcode' => 25,
'errormsg' => 'submitted managingGroup does not exist');
}
- $items['managingGroupID'] = getUserGroupID($esc_mgName, $mgaffilid);
+ $items['managingGroupID'] = getUserGroupID($parts[0], $mgaffilid);
$items['managingGroupName'] = $parts[0];
$items['managingGroupAffilid'] = $mgaffilid;
}
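Review bot: The new line passes the raw `$parts[0]` to `getUserGroupID`, but that function (earlier in this diff) still interpolates its `$name` argument unescaped into `WHERE name = '$name'`, and the `name` branch of this same function escapes before making the identical call at L921-L922; the prior `checkForGroupName` existence check does not make the string safe, it only confirms a row matches. Keep the two call sites consistent: `$items['managingGroupID'] = getUserGroupID(mysql_real_escape_string($parts[0]), $mgaffilid);`. Where `$parts` is split and validated is outside this hunk.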