prepare("SELECT prlid, privcode, privname, des, is_public, scope FROM priv_list ORDER BY privcode"); $sth->execute; while ($_ = $sth->fetchrow_hashref) { push @privs, $_; $priv{$_->{'prlid'}} = $_; $pcode2id{$_->{'privcode'}} = $_->{'prlid'}; } if (LJ::did_post()) { return "

ERROR: Invalid form submission" unless LJ::check_form_auth(); } unless ($mode) { if ($FORM{'user'}) { $mode = "viewuser"; } elsif ($FORM{'priv'}) { $mode = "viewpriv"; } } if ($FORM{'devmode'}) { return "not in dev mode" unless $LJ::IS_DEV_SERVER; my $userid = $remote->{userid}; if ($dbh->do("INSERT INTO priv_map (userid, prlid, arg) SELECT ?, prlid, ? FROM priv_list WHERE privcode=?", undef, $userid, $FORM{arg}, $FORM{priv})) { LJ::statushistory_add($dbh, $userid, $userid, "privadd", "DEVMODE Granting: \"$FORM{priv}\" with arg \"$FORM{arg}\""); return "done."; } else { return "fail."; } } unless ($mode) { $ret .= "

Privilege Management

\n"; $ret .= "
"; $ret .= "

View all privileges of user

"; $ret .= "

Or, show all users with privilege:

"; foreach my $priv (@privs) { my ($des, $args) = split(/arg=/, $priv->{'des'}); $ret .= "
$priv->{'privcode'}: $priv->{'privname'}"; $ret .= " (Site Specific)" if $priv->{'scope'} eq 'local'; $ret .= "
"; $ret .= "
$des\n"; $ret .= "
Argument: $args" if $args; $ret .= "
"; } $ret .= "
"; return $ret; } # Returns true if the remote user can grant the given priv sub remote_can_grant { my ($remote, $priv, $arg) = @_; return 0 unless defined $priv; return LJ::check_priv($remote, 'admin', $priv) || LJ::check_priv($remote, 'admin', '*') || LJ::check_priv($remote, 'admin', "$priv/$arg"); } if ($mode eq "userchange" || $mode eq "privchange") { unless (LJ::did_post()) { return "

Error: requires post

"; } unless ($FORM{'submit:refresh'}) { foreach my $key (keys %FORM) { if ($key =~ /^revoke:(\d+):(\d+)$/) { my $prmid = $1; my $del_userid1 = $2; my $sth = $dbh->prepare("SELECT userid, prlid, arg FROM priv_map WHERE prmid=$prmid"); $sth->execute; my ($del_userid2, $prlid, $arg) = $sth->fetchrow_array; unless (remote_can_grant($remote, $priv{$prlid}->{'privcode'}, $arg)) { $ret .= "ERROR: Invalid access to remove priv $priv{$prlid}->{'privcode'}.
"; } else { if ($del_userid1 && $del_userid1 == $del_userid2) { $dbh->do("DELETE FROM priv_map WHERE prmid=$prmid"); my $privcode = $priv{$prlid}->{'privcode'}; LJ::statushistory_add($dbh, $del_userid1, $remote->{'userid'}, "privdel", "Denying: \"$privcode\" with arg \"$arg\""); $ret .= "Privilege removed.
\n"; } } } } if ($FORM{'grantpriv'}) { my $u = LJ::load_user($FORM{'user'}); return "ERROR: Invalid user." unless $u; my $userid = $u->{'userid'}; my $qpriv = $FORM{'grantpriv'}+0; my $privcode = $priv{$qpriv}->{'privcode'}; my $arg = $FORM{'arg'}; if ($privcode) { if (remote_can_grant($remote, $privcode, $arg)) { if (LJ::check_priv($u, $privcode, $arg)) { $ret .= "ERROR: User already has specified priv $privcode $arg.
"; } else { my $qarg = $dbh->quote($arg); $dbh->do("INSERT INTO priv_map (prmid, userid, prlid, arg) VALUES (NULL, $userid, $qpriv, $qarg)"); LJ::statushistory_add($dbh, $userid, $remote->{'userid'}, "privadd", "Granting: \"$privcode\" with arg \"$arg\""); $ret .= "Privilege $privcode $arg granted.
\n"; } } else { $ret .= "ERROR: You don't have access to grant $privcode $arg.
\n"; } } else { $ret .= "ERROR: Unknown privilege.
\n"; } } if ($FORM{'grantuser'}) { my $u = LJ::load_user($FORM{'grantuser'}); return "ERROR: Invalid user." unless $u; my $userid = $u->{'userid'}; my $privid = $pcode2id{$FORM{'priv'}}; my $arg = $FORM{'arg'}; my $qarg = $dbh->quote($arg); my $privcode = $priv{$privid}->{'privcode'}; if ($privcode) { if (remote_can_grant($remote, $privcode, $arg)) { if (LJ::check_priv($u, $privcode, $arg)) { $ret .= "ERROR: User already has specified priv $privcode $arg.
"; } elsif ($userid && $privid) { my $qarg = $dbh->quote($FORM{'arg'}); $dbh->do("INSERT INTO priv_map (prmid, userid, prlid, arg) VALUES (NULL, $userid, $privid, $qarg)"); LJ::statushistory_add($dbh, $userid, $remote->{'userid'}, "privadd", "Granting: \"$privcode\" with arg \"$FORM{'arg'}\""); $ret .= "Privilege added.
\n"; } else { my $euser = LJ::ehtml($FORM{'grantuser'}); unless ($userid) { $ret .= "ERROR: cannot grant priv to non-existent user $euser
"; } else { $ret .= "privid is 0!
"; } } } else { $ret .= "ERROR: You don't have access to grant $privcode with argument '$arg'.
\n"; } } else { $ret .= "ERROR: Unknown privilege.
\n"; } } # end if grantuser } if ($mode eq "userchange") { $mode = "viewuser"; } if ($mode eq "privchange") { $mode = "viewpriv"; } } if ($mode eq "viewuser") { my $user = LJ::canonical_username($FORM{'user'}); my $userid = LJ::get_userid($user); $ret .= "

<< view user \"$user\"

\n"; unless ($userid) { $ret .= "Error: non-existent user\n"; return $ret; } $ret .= "
\n"; $ret .= LJ::form_auth(); $ret .= "\n"; $ret .= "\n"; $sth = $dbh->prepare("SELECT pm.prmid, pm.prlid, pm.arg FROM priv_map pm, priv_list pl WHERE pm.prlid=pl.prlid AND pm.userid=$userid ORDER BY pl.privcode,pm.arg"); $sth->execute; $ret .= "\n"; while (my ($prmid, $prlid, $arg) = $sth->fetchrow_array) { my $prec = $priv{$prlid}; my $pcode = $priv{$prlid}->{'privcode'}; my $can_grant = remote_can_grant($remote, $pcode, $arg); next unless ($prec->{'is_public'} || ($remote && $remote->{'userid'} == $userid) || $can_grant); $ret .= ""; if ($arg) { $ret .= "\n"; } else { $ret .= "\n"; } } $ret .= "
RevokePrivilegeArg
"; if ($can_grant) { $ret .= ""; } else { $ret .= "--"; } $ret .= "$pcode$arg
 
"; if (LJ::check_priv($remote, 'admin')) { $ret .= "

Grant $user privilege:

\n"; $ret .= "\n"; $ret .= "Arg:
\n"; } else { $ret .= "

(you do not have access to grant any privileges)

\n"; } $ret .= "

\n"; if (LJ::check_priv($remote, 'admin')) { $ret .= ""; } $ret .= " "; $ret .= "

"; return $ret; } if ($mode eq "viewpriv") { my $priv = $pcode2id{$FORM{'priv'}}; my $prec = $priv{$priv}; my $pcode = $prec->{'privcode'}; my $skip = $FORM{'skip'} + 0; my $limit = 100; my $viewarg; if ($FORM{'viewarg'}) { $viewarg = " AND pm.arg=" . $dbh->quote($FORM{'viewarg'}); } my $privname = join(' ', grep { $_ } $priv{$priv}->{'privcode'}, $FORM{'viewarg'}); $ret .= "

<< view priv \"$privname\"

\n"; $ret .= "

Privilege Name: $priv{$priv}->{'privname'}"; my ($des, $args) = split(/arg=/, $priv{$priv}->{'des'}); $ret .= "
Description: $des" if $des; $ret .= "
Argument: $args" if $args; $ret .= "

"; my ($check_priv, $check_arg) = split("/", $FORM{'viewarg'}); unless ($prec->{'is_public'} || remote_can_grant($remote, $check_priv, $check_arg)) { $ret .= "

ERROR: This privilege's access list is not public.

\n"; return $ret; } $ret .= "
\n"; $ret .= LJ::form_auth(); $ret .= "

View only privs with arg: "; $ret .= " "; $ret .= "

\n"; $ret .= "\n"; $ret .= ""; $sth = $dbh->prepare("SELECT pm.prmid, u.user, u.userid, pm.arg ". "FROM priv_map pm, useridmap u WHERE pm.prlid=$priv AND pm.userid=u.userid$viewarg ". "ORDER BY u.user,pm.arg LIMIT $skip,$limit"); $sth->execute; $ret .= "\n"; my $showgrant = remote_can_grant($remote, $pcode, $FORM{'viewarg'}); my $foundcount = 0; while ($_ = $sth->fetchrow_hashref) { $foundcount++; $ret .= ""; if ($_->{'arg'} ne "") { $ret .= "\n"; } else { $ret .= "\n"; } } $ret .= "\n"; $ret .= "
RevokeUserArg
"; if (remote_can_grant($remote, $priv{$priv}->{'privcode'}, $_->{'arg'})) { $ret .= "{'prmid'}:$_->{'userid'}\" />"; } else { $ret .= "--"; } $ret .= "{'user'}\">$_->{'user'}{'privcode'}&viewarg=$_->{'arg'}\">$_->{'arg'}
 
$foundcount users
"; if ($foundcount >= $limit) { $ret .= "($skip +$limit)}) . "'>See more...\n"; } if ($showgrant) { $ret .= "

Grant $privname privilege to:

\n"; } else { $ret .= "

(you don't have access to grant this privilege to other users)

\n"; } if ($showgrant) { $ret .= "\n"; } $ret .= "
\n"; $ret .= "
\n"; $ret .= LJ::form_auth(); $ret .= LJ::html_hidden('mode', 'privchange', 'priv', $pcode, 'viewarg', $FORM{'viewarg'}) . "\n"; $ret .= "\n"; $ret .= "
\n"; return $ret; } return "Unknown mode."; _code?> lib: cgi-bin/ljlib.pl link: htdocs/admin/priv/index.bml post: htdocs/admin/priv/index.bml