Add unobtrusive way to test if user is privileged; separate RPC
parent
9477ea298d
commit
26fa48623c
File diff suppressed because one or more lines are too long
@ -13,7 +13,7 @@ $force_lang = $default_lang;
|
|||||||
print "Content-type: text/plain\n\n";
|
print "Content-type: text/plain\n\n";
|
||||||
|
|
||||||
# Can this user make remote calls?
|
# Can this user make remote calls?
|
||||||
if (!&webmin_user_is_admin()) {
|
if (!&webmin_user_can_rpc()) {
|
||||||
print "0 Invalid user for RPC\n";
|
print "0 Invalid user for RPC\n";
|
||||||
exit;
|
exit;
|
||||||
}
|
}
|
||||||
|
2
rpc.cgi
2
rpc.cgi
@ -27,7 +27,7 @@ $| = 1;
|
|||||||
print "Content-type: text/plain\n\n";
|
print "Content-type: text/plain\n\n";
|
||||||
|
|
||||||
# Can this user make remote calls?
|
# Can this user make remote calls?
|
||||||
if (!&webmin_user_is_admin()) {
|
if (!&webmin_user_can_rpc()) {
|
||||||
print &serialise_variable( { 'status' => 0 } );
|
print &serialise_variable( { 'status' => 0 } );
|
||||||
exit;
|
exit;
|
||||||
}
|
}
|
||||||
|
@ -12118,18 +12118,61 @@ my ($variable, $scope) = @_;
|
|||||||
return &globals('delete', $variable, $scope);
|
return &globals('delete', $variable, $scope);
|
||||||
}
|
}
|
||||||
|
|
||||||
# webmin_user_is_admin([username])
|
# webmin_user_can_rpc()
|
||||||
# Returns 1 if the given user should be considered fully trusted
|
# Returns 1 if the given user can make remote calls
|
||||||
sub webmin_user_is_admin
|
sub webmin_user_can_rpc
|
||||||
{
|
{
|
||||||
my ($user) = @_;
|
my %access = &get_module_acl($base_remote_user, "");
|
||||||
$user ||= $base_remote_user;
|
|
||||||
my %access = &get_module_acl($user, "");
|
|
||||||
return 1 if ($access{'rpc'} == 1); # Can make arbitary RPC calls
|
return 1 if ($access{'rpc'} == 1); # Can make arbitary RPC calls
|
||||||
return 0 if ($access{'rpc'} == 0); # Cannot make RPCs
|
return 0 if ($access{'rpc'} == 0); # Cannot make RPCs
|
||||||
|
}
|
||||||
|
|
||||||
# Assume that standard admin usernames are root-capable as a fallback
|
# webmin_user_login_mode()
|
||||||
return $user eq 'admin' || $user eq 'root' || $user eq 'sysadm';
|
# Returns currently logged in user mode
|
||||||
|
sub webmin_user_login_mode
|
||||||
|
{
|
||||||
|
# Default mode
|
||||||
|
my $mode = 'root';
|
||||||
|
my $prod = &get_product_name();
|
||||||
|
|
||||||
|
# Check for foreign modules
|
||||||
|
my $foreign_virtual_server
|
||||||
|
= &foreign_available("virtual-server");
|
||||||
|
&foreign_require("virtual-server")
|
||||||
|
if ($foreign_virtual_server);
|
||||||
|
my $foreign_server_manager
|
||||||
|
= &foreign_available("server-manager");
|
||||||
|
&foreign_require("server-manager")
|
||||||
|
if ($foreign_server_manager);
|
||||||
|
|
||||||
|
# Get current user and base user global permissions
|
||||||
|
my %uaccess = &get_module_acl($remote_user, "");
|
||||||
|
my %access = &get_module_acl($base_remote_user, "");
|
||||||
|
|
||||||
|
# Check if mode must be restricted
|
||||||
|
if ($uaccess{'_safe'} == 1 || $access{'_safe'} == 1 ||
|
||||||
|
$uaccess{'rpc'} == 0 || $access{'rpc'} == 0 ||
|
||||||
|
$prod ne "webmin") {
|
||||||
|
$mode = 'user';
|
||||||
|
}
|
||||||
|
if ($foreign_server_manager) {
|
||||||
|
$mode = 'cloud-owner'
|
||||||
|
if ($server_manager::access{'owner'});
|
||||||
|
}
|
||||||
|
elsif ($foreign_virtual_server) {
|
||||||
|
$mode =
|
||||||
|
&virtual_server::reseller_admin() ?
|
||||||
|
'virtual-reseller' : 'virtual-owner'
|
||||||
|
if (!&virtual_server::master_admin());
|
||||||
|
}
|
||||||
|
return $mode;
|
||||||
|
}
|
||||||
|
|
||||||
|
# webmin_user_is_admin()
|
||||||
|
# Returns 1 if currently logged in user is an admin
|
||||||
|
sub webmin_user_is_admin
|
||||||
|
{
|
||||||
|
return &webmin_user_login_mode() eq 'root';
|
||||||
}
|
}
|
||||||
|
|
||||||
$done_web_lib_funcs = 1;
|
$done_web_lib_funcs = 1;
|
||||||
|
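Review bot: webmin_user_login_mode() starts from `my $mode = 'root';` and only demotes on a fixed list of conditions, so the new webmin_user_is_admin() reports admin for any account state that list does not anticipate (for example an `rpc` value other than 0 with `_safe` unset); starting from the least-privileged mode and promoting to 'root' only on a positive check would fail closed. webmin_user_can_rpc() now has no final return: for any `rpc` value other than 0 or 1 it falls off the end and yields a false value, which denies RPC in both CGI gates but only implicitly, and the removed username fallback suggests such values were expected. Ending it with an explicit `return 0; # any other rpc setting: deny` (or restoring the fallback deliberately) would make the decision visible. webmin_user_is_admin() also no longer takes a username, so any caller outside this page that still passes one would silently get the answer for the current session instead.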