Author: jfthomps
Date: Wed Jun 17 17:07:20 2009
New Revision: 785731

URL: http://svn.apache.org/viewvc?rev=785731&view=rev
Log:
VCL-78

added a quick and dirty fix for authorization of XML RPC API calls to block 
reservation stuff - added $xmlrpcBlockAPIUsers to conf.php that is an array of 
userids that have access to call XMLRPCblockAllocation and 
XMLRPCprocessBlockTime; added conditional to beginning of those functions to 
make sure calling user is in the array

Modified:
    incubator/vcl/trunk/web/.ht-inc/conf.php
    incubator/vcl/trunk/web/.ht-inc/xmlrpcWrappers.php

Modified: incubator/vcl/trunk/web/.ht-inc/conf.php
URL: 
http://svn.apache.org/viewvc/incubator/vcl/trunk/web/.ht-inc/conf.php?rev=785731&r1=785730&r2=785731&view=diff
==============================================================================
--- incubator/vcl/trunk/web/.ht-inc/conf.php (original)
+++ incubator/vcl/trunk/web/.ht-inc/conf.php Wed Jun 17 17:07:20 2009
@@ -55,6 +55,9 @@
 $userlookupUsers = array(1, # admin
 );
 
+$xmlrpcBlockAPIUsers = array(3, # vclsystem
+);
+
 $clickThroughText =
 "<center><h2>Installer Agreement</h2></center>
 <p>As the creator of the VCL image, you are responsible for understanding and 
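Review bot: The `$xmlrpcBlockAPIUsers` allow-list is keyed on a hard-coded numeric id, and the `# vclsystem` comment holds only if that account really has id 3 in the installation's database. On a site where id 3 belongs to a different account, that account would be let through the new check on the block allocation calls. I would add a comment above the array that says what it gates and asks the installer to confirm it, e.g. `# user ids allowed to call XMLRPCblockAllocation and XMLRPCprocessBlockTime; confirm that id 3 is vclsystem on this install`.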

Modified: incubator/vcl/trunk/web/.ht-inc/xmlrpcWrappers.php
URL: 
http://svn.apache.org/viewvc/incubator/vcl/trunk/web/.ht-inc/xmlrpcWrappers.php?rev=785731&r1=785730&r2=785731&view=diff
==============================================================================
--- incubator/vcl/trunk/web/.ht-inc/xmlrpcWrappers.php (original)
+++ incubator/vcl/trunk/web/.ht-inc/xmlrpcWrappers.php Wed Jun 17 17:07:20 2009
@@ -505,6 +505,12 @@
 
////////////////////////////////////////////////////////////////////////////////
 function XMLRPCblockAllocation($imageid, $start, $end, $requestcount,
                                $usergroupid, $ignoreprivileges=0) {
+       global $user, $xmlrpcBlockAPIUsers;
+       if(! in_array($user['id'], $xmlrpcBlockAPIUsers)) {
+               return array('status' => 'error',
+                            'errorcode' => 34,
+                            'errormsg' => 'access denied for managing block 
allocations');
+       }
        $ownerid = getUserlistID('vclrel...@local');
        $name = "API:$start";
        $managementnodes = getManagementNodes('future');
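Review bot: The check `in_array($user['id'], $xmlrpcBlockAPIUsers)` at the top of XMLRPCblockAllocation uses loose comparison and assumes the config array is defined; the same lines are repeated in XMLRPCprocessBlockTime in the next hunk. The type of `$user['id']` is not visible here, but if it is a string, loose comparison against integer entries can match malformed values on older PHP versions. A conf.php that was not updated leaves `$xmlrpcBlockAPIUsers` null, which appears to deny access only as a side effect of a warning. I would make the condition `if(! is_array($xmlrpcBlockAPIUsers) || ! in_array((string)$user['id'], array_map('strval', $xmlrpcBlockAPIUsers), true)) {` and move it into one small helper called from both functions so the two copies cannot drift. The function body continues outside the hunk.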
@@ -592,7 +598,12 @@
 ///
 
////////////////////////////////////////////////////////////////////////////////
 function XMLRPCprocessBlockTime($blockTimesid, $ignoreprivileges=0) {
-       global $requestInfo;
+       global $requestInfo, $user, $xmlrpcBlockAPIUsers;
+       if(! in_array($user['id'], $xmlrpcBlockAPIUsers)) {
+               return array('status' => 'error',
+                            'errorcode' => 34,
+                            'errormsg' => 'access denied for managing block 
allocations');
+       }
        $return = array('status' => 'success');
        $query = "SELECT bt.start, "
               .        "bt.end, "
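Review bot: `$ignoreprivileges` is still a caller-supplied argument of XMLRPCprocessBlockTime (and of XMLRPCblockAllocation in the previous hunk), so the new allow-list appears to be the only gate on who may set that flag over the RPC interface. How the flag is used lies outside the hunk, but the dependency deserves a comment above the check, e.g. `# callers listed in $xmlrpcBlockAPIUsers may pass $ignoreprivileges; keep that list minimal`. The denial branch also returns errorcode 34 without recording which user was refused; writing the user id and function name to the application's log there would make repeated failed calls visible to operators.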

