Author: eelco
Date: Fri Feb 3 17:15:18 2012
New Revision: 31994
URL: https://nixos.org/websvn/nix/?rev=31994&sc=1
Log:
* Add more fine-grained access control. It is now possible to specify
per user whether the user can create repositories, create users,
edit other people's repositories or edit other users. This removes
the need for a special "root" account.
Modified:
services/trunk/subversion/default.nix
services/trunk/subversion/src/scripts/bin/svn-server-create-user.pl
services/trunk/subversion/src/scripts/bin/svn-server-startup-hook.sh
services/trunk/subversion/src/scripts/cgi-bin/repoman.pl
Modified: services/trunk/subversion/default.nix
==============================================================================
--- services/trunk/subversion/default.nix Fri Feb 3 16:16:18 2012
(r31993)
+++ services/trunk/subversion/default.nix Fri Feb 3 17:15:18 2012
(r31994)
@@ -209,10 +209,12 @@
</Location>
<Location ${urlPrefix}/repoman/adduser>
- Order deny,allow
- Deny from all
- Allow from 127.0.0.1
- Allow from ${config.userCreationDomain}
+ ${commonAuth}
+ Require valid-user
+ #Order deny,allow
+ #Deny from all
+ #Allow from 127.0.0.1
+ #Allow from ${config.userCreationDomain}
</Location>
<Location ${urlPrefix}/repoman/edituser>
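Review bot: The adduser Location now admits any authenticated user (`Require valid-user`) where it previously admitted only 127.0.0.1 and ${config.userCreationDomain}, so the only thing between an arbitrary account holder and user creation is the `requireRight("create-users")` check in repoman.pl; the four `#Order`/`#Deny`/`#Allow` lines kept as comments contribute nothing. Either delete the commented-out directives or keep them live next to the auth requirement (Apache 2.2's `Satisfy all` makes both conditions mandatory), so the network restriction stays as a second layer in front of the CGI check. The same commented-out block appears in the /repoman/create hunk below.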
@@ -223,10 +225,10 @@
<Location ${urlPrefix}/repoman/create>
${commonAuth}
Require valid-user
- Order deny,allow
- Deny from all
- Allow from 127.0.0.1
- Allow from ${config.userCreationDomain}
+ #Order deny,allow
+ #Deny from all
+ #Allow from 127.0.0.1
+ #Allow from ${config.userCreationDomain}
</Location>
<Location ${urlPrefix}/repoman/update>
Modified: services/trunk/subversion/src/scripts/bin/svn-server-create-user.pl
==============================================================================
--- services/trunk/subversion/src/scripts/bin/svn-server-create-user.pl Fri Feb
3 16:16:18 2012 (r31993)
+++ services/trunk/subversion/src/scripts/bin/svn-server-create-user.pl Fri Feb
3 17:15:18 2012 (r31994)
@@ -12,11 +12,15 @@
my $userdb = "$dbdir/svn-users";
my $contactdb = "$dbdir/svn-contact";
my $fullnamedb = "$dbdir/svn-fullnames";
+my $rightsdb = "$dbdir/svn-rights";
-die "syntax: $0 USER MAIL-ADDRESS \"FULLNAME\"\n" if scalar @ARGV != 3;
+die "Syntax: $0 USER 'MAIL-ADDRESS' 'FULLNAME' \"RIGHTS\"\n\n" .
+ "Valid rights are create-users, create-repos, edit-all-users and
edit-all-repos.\n\n" .
+ "Example: $0 foobar 'foobar\@example.org' 'Nkrumah Foobar'
'create-users,create-repos'\n" if scalar @ARGV != 4;
my $userName = shift @ARGV;
my $address = shift @ARGV;
my $fullName = shift @ARGV;
+my $rights = shift @ARGV;
# !!! cut and pasted from repoman.pl.in - share this.
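Review bot: `$rights` on the last added line is accepted verbatim, while the usage text a few lines above lists exactly four valid rights and nothing enforces them; a typo such as `create-user` silently yields an account with no rights, because the consumer in repoman.pl compares tokens with `eq`. Reject unknown tokens up front, splitting the same way the consumer does: `my %valid = map { $_ => 1 } qw(create-users create-repos edit-all-users edit-all-repos);` followed by `die "Invalid right: $_\n" for grep { !$valid{$_} } split /[, ]+/, $rights;`.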
@@ -78,6 +82,7 @@
setDB($userdb, $userName, $crypted);
setDB($contactdb, $userName, $address);
setDB($fullnamedb, $userName, $fullName);
+setDB($rights, $userName, $rights);
# Send email to the user.
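Review bot: `setDB($rights, $userName, $rights);` passes the rights string as the database path; the first hunk declares `$rightsdb = "$dbdir/svn-rights"` for this purpose and the three sibling calls each use their `*db` variable. As written the rights never reach svn-rights, which is where repoman.pl reads them from, so every user created with this tool ends up with no rights, and setDB presumably creates a file named after the rights value relative to the working directory. Change it to `setDB($rightsdb, $userName, $rights);`.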
Modified: services/trunk/subversion/src/scripts/bin/svn-server-startup-hook.sh
==============================================================================
--- services/trunk/subversion/src/scripts/bin/svn-server-startup-hook.sh
Fri Feb 3 16:16:18 2012 (r31993)
+++ services/trunk/subversion/src/scripts/bin/svn-server-startup-hook.sh
Fri Feb 3 17:15:18 2012 (r31994)
@@ -22,11 +22,7 @@
echo | @db4@/bin/db_load -t hash -T "@dbDir@/svn-readers"
echo | @db4@/bin/db_load -t hash -T "@dbDir@/svn-writers"
echo | @db4@/bin/db_load -t hash -T "@dbDir@/svn-users"
-
-# Create a root account with an impossible password (if the account
-# doesn't exist already).
-(echo root; echo "*") | @db4@/bin/db_load -n -t hash -T "@dbDir@/svn-users" 2>
/dev/null || true
-(echo root; echo "Subversion Server Admin") | @db4@/bin/db_load -n -t hash -T
"@dbDir@/svn-fullnames" 2> /dev/null || true
+echo | @db4@/bin/db_load -t hash -T "@dbDir@/svn-rights"
if test "$(id -u)" = 0; then
chown @user@.@group@ @dbDir@/*
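Review bot: With the root account removed, a fresh installation starts with an empty svn-rights database, so no web user can create users or repositories until an administrator runs svn-server-create-user.pl with `edit-all-users`/`create-users`; neither this hook nor the log message says so. Add a comment above the new db_load line, e.g. `# Rights database. The first privileged account must be created with svn-server-create-user.pl.` Existing deployments also keep their old `root` rows in svn-users and svn-fullnames, since nothing here removes them; presumably harmless given the impossible password the deleted comment describes, but worth stating in the same comment.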
Modified: services/trunk/subversion/src/scripts/cgi-bin/repoman.pl
==============================================================================
--- services/trunk/subversion/src/scripts/cgi-bin/repoman.pl Fri Feb 3
16:16:18 2012 (r31993)
+++ services/trunk/subversion/src/scripts/cgi-bin/repoman.pl Fri Feb 3
17:15:18 2012 (r31994)
@@ -27,6 +27,7 @@
my $contactdb = "$dbdir/svn-contact";
my $fullnamedb = "$dbdir/svn-fullnames";
my $hiddenreposdb = "$dbdir/svn-hidden-repos";
+my $rightsdb = "$dbdir/svn-rights";
my $base = script_name();
@@ -61,7 +62,8 @@
sub end {
#print br;
print hr;
- print a({href => $base}, "Start"), " / Admin: ", $admin;
+ print a({href => $base}, "Start page"), ". The administrator is ",
tt(escapeHTML($admin)), ". ";
+ print "You are logged in as ", tt(escapeHTML($userName)), "." if defined
$userName;
print end_html;
exit;
}
@@ -155,6 +157,26 @@
}
+# Check whether the user has the given right.
+sub hasRight {
+ my ($right) = @_;
+ my $rights = getDB($rightsdb, $userName);
+ foreach my $r (split /[, ]+/, $rights) {
+ return 1 if $r eq $right;
+ }
+ return 0;
+}
+
+
+sub requireRight {
+ my ($right) = @_;
+ unless (hasRight($right)) {
+ print p, "Only privileged users can do this.";
+ end();
+ }
+}
+
+
# Print a partial page that gives information about the repository
# $repo.
sub printRepoInfo {
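Review bot: `getDB($rightsdb, $userName)` in hasRight takes no default, unlike every other rights lookup in this commit (`getDB($rightsdb, $name, "")`), so a user without an svn-rights entry — every account that predates this change — feeds undef to split, which warns under `use warnings` (whether the file enables it is not visible here). requireRight is also reached from the start page (`requireRight("edit-all-users") if $listDetails` in a later hunk), and end() printing "You are logged in as" only when `$userName` is defined suggests that page can be viewed unauthenticated. Guard both: `return 0 unless defined $userName;` and `my $rights = getDB($rightsdb, $userName, "");`. requireRight does terminate on failure because end() calls exit, as the hunk above shows; a comment `# end() exits, so callers may assume the right is held once this returns.` would make that contract explicit.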
@@ -226,8 +248,7 @@
# Processes add user and edit user forms.
sub editUserInfo {
-
- my $create = shift;
+ my ($create, $name) = @_;
my $password = param("password");
my $password_again = param("password_again");
@@ -258,11 +279,15 @@
if ($password ne "") {
my $crypted = apache_md5_crypt($password);
- setDB($userdb, $userName, $crypted);
+ setDB($userdb, $name, $crypted);
}
- setDB($contactdb, $userName, $address);
- setDB($fullnamedb, $userName, $fullname);
+ setDB($contactdb, $name, $address);
+ setDB($fullnamedb, $name, $fullname);
+
+ my $rights = hasRight("edit-all-users") ? param("rights") :
getDB($rightsdb, $name, "");
+
+ setDB($rightsdb, $name, $rights);
}
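Review bot: `param("rights")` is written to svn-rights without validation when the editor holds edit-all-users, and it is undef when the form omits the field, so `setDB($rightsdb, $name, undef)` is reached; what setDB does with undef is not visible here. Filter it to the four tokens the edit form lists, splitting as hasRight does: `my %valid = map { $_ => 1 } qw(create-users create-repos edit-all-users edit-all-repos);` and `my $rights = hasRight("edit-all-users") ? join(",", grep { $valid{$_} } split /[, ]+/, (param("rights") || "")) : getDB($rightsdb, $name, "");`. Note also that edit-all-users implicitly grants every other right, since its holder can rewrite their own rights line; the hasRight comment should say that edit-all-users is effectively full administrative access. editUserInfo begins in the previous hunk.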
@@ -289,10 +314,7 @@
my $listDetails = $action eq "listdetails";
- if ($listDetails && $userName ne "root") {
- print p, "Only root can do this.";
- end();
- }
+ requireRight("edit-all-users") if $listDetails;
print h1("Subversion Server");
@@ -312,6 +334,10 @@
print "You can ";
print a({href => $base . "/edituser"}, "edit your user information"), ".";
print end_li;
+ print start_li;
+ print "You can ";
+ print a({href => $base . "/listdetails"}, "edit other users"), ".";
+ print end_li;
print end_ul;
print h2("Online information");
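Review bot: The new list item offers the /listdetails link to every visitor, although that page is gated by `requireRight("edit-all-users")` in the hunk above, so users without the right only reach the "Only privileged users can do this." page. Wrap the four added print lines in `if (hasRight("edit-all-users")) { ... }` so the menu matches the access check.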
@@ -408,6 +434,8 @@
die unless defined $userName;
+ requireRight("create-repos");
+
print h1("Create a Repository");
print start_form("post", $base . "/create");
@@ -431,6 +459,8 @@
die unless defined $userName;
+ requireRight("create-repos");
+
checkRepo();
my $description = param("description");
@@ -495,7 +525,7 @@
repoExists();
my $owner = getDB($ownerdb, $repo);
- if ($owner ne $userName && $userName ne "root") {
+ if ($owner ne $userName && !hasRight("edit-all-repos")) {
print p, "You are not authorised to update this repository.";
end();
}
@@ -551,6 +581,8 @@
elsif ($action eq "adduser" && !defined(param("username"))) {
+ requireRight("create-users");
+
print h1("Add a User");
print start_form("post", $base . "/adduser");
@@ -567,22 +599,24 @@
elsif ($action eq "adduser" && defined(param("username"))) {
- $userName = param("username");
+ requireRight("create-users");
+
+ my $name = param("username");
- unless ($userName =~ /^\w+$/ && !($userName eq "all")) {
+ unless ($name =~ /^\w+$/ && $name ne "all") {
print p, "Invalid user name.";
end();
}
- if (defined(getDB($userdb, $userName))) {
+ if (defined(getDB($userdb, $name))) {
print p, "User already exists.";
end();
}
- editUserInfo(1);
+ editUserInfo(1, $name);
print h1("User added!");
- print p, "The user ", tt($userName), " has been added succesfully.";
+ print p, "The user ", tt($name), " has been added succesfully.";
}
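Review bot: `$name =~ /^\w+$/` admits a trailing newline, because `$` also matches before a final newline, and the value then becomes a database key and is echoed via `tt($name)`; anchor with `/\A\w+\z/` (and `/a` if the deployed Perl is 5.14 or later, to keep `\w` to ASCII). The success message on the last added line keeps the `succesfully` misspelling, also present in the edituser hunk below; `successfully`.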
@@ -592,23 +626,26 @@
print h1("Edit User Information");
- # Root is allowed to change other users.
- if ($userName eq "root" && defined(param("username"))) {
- $userName = param("username");
- }
-
- print p, "You are about to edit user ", tt($userName), ".";
+ my $name = defined(param("username")) && hasRight("edit-all-users") ?
param("username") : $userName;
+
+ print p, "You are about to edit user ", tt($name), ".";
print start_form("post", $base . "/edituser");
print p, "E-mail address: ", textfield({
- -default => getDB($contactdb, $userName, ""),
+ -value => getDB($contactdb, $name, ""),
-override => 1, -name => "address"});
print p, "Full name: ", textfield({
- -default => getDB($fullnamedb, $userName, ""),
+ -value => getDB($fullnamedb, $name, ""),
-override => 1, -name => "fullname"});
+ if (hasRight("edit-all-users")) {
+ print p, "Access rights: ", textfield({
+ -value => getDB($rightsdb, $name, ""),
+ -override => 1, -name => "rights"});
+ print p, "Valid rights are <tt>create-users</tt>,
<tt>create-repos</tt>, <tt>edit-all-users</tt> and <tt>edit-all-repos</tt>.";
+ }
print p, "Leave the password fields empty to leave your password
unchanged.";
print p, "Password: ", password_field("password", "");
print p, "Password (again): ", password_field("password_again", "");
- print hidden(-name => "username", -default => "$userName");
+ print hidden(-name => "username", -default => "$name");
print p, submit(-label => 'Change!');
print end_form;
}
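Review bot: `tt($name)` on the "You are about to edit user" line renders `param("username")` unescaped for a viewer holding edit-all-users, whereas end() in this same commit wraps names in `tt(escapeHTML(...))`; a crafted username in a link opened by such a user is reflected into their page. Use `tt(escapeHTML($name))` here and in the edituser POST hunk below, and have this GET branch reject names absent from $userdb the way the POST branch does ("You don't exist, go away."), so the form is never shown for a name that does not exist.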
@@ -616,19 +653,17 @@
elsif ($action eq "edituser" && defined(param("password"))) {
- if ($userName eq "root" && defined(param("username"))) {
- $userName = param("username");
- }
+ my $name = defined(param("username")) && hasRight("edit-all-users") ?
param("username") : $userName;
- if (!defined(getDB($userdb, $userName))) {
+ if (!defined(getDB($userdb, $name))) {
print p, "You don't exist, go away.";
end();
}
- editUserInfo(0);
+ editUserInfo(0, $name);
print h1("User Information Edited!");
- print p, "Information for user ", tt($userName),
+ print p, "Information for user ", tt($name),
" has been changed succesfully.";
}