Changeset 488

Timestamp:

10/04/09 17:11:58 (15 years ago)

Author:

nanardon

Message:

• check ACL for object creation/deletion

Location:

LATMOS-Accounts/lib/LATMOS/Accounts

Files:

• Acls.pm (modified) (1 diff)
• Bases.pm (modified) (3 diffs)
• Bases/Mail.pm (modified) (1 diff)
• Bases/Sql/User.pm (modified) (3 diffs)
• Bases/Unix.pm (modified) (1 diff)
• Synchro.pm (modified) (1 diff)

LATMOS-Accounts/lib/LATMOS/Accounts/Acls.pm

@@ -34 +34 @@
 
 Special keyword C<@CREATE> and C<@DELETE> can be used to allow or deny object
-creation and deletion. In this case USER in form C<$...> and read permission
-have no effect (see below). C<*> do not include C<@CREATE> and C<@DELETE> action.
+creation and deletion. In this case read permission and USER in form C<$...> for
+C<@CREATE> have no effect (see below). C<*> do not include C<@CREATE> and
+C<@DELETE> action.
 
 =item USER can be

LATMOS-Accounts/lib/LATMOS/Accounts/Bases.pm

@@ -226 +226 @@
 sub create_c_object {
     my ($self, $otype, $id, %cdata) = @_;
+    $self->check_acl($otype, '@CREATE', 'w') or do {
+        $self->log(LA_WARN, 'permission denied to create object type %s',
+            $otype);
+        return;
+    };
+    $self->_create_c_object($otype, $id, %cdata);
+}
+
+sub _create_c_object {
+    my ($self, $otype, $id, %cdata) = @_;
 
     # populating default value
@@ -258 +268 @@
 
 sub delete_object {
+    my ($self, $otype, $id) = @_;
+    my $obj = $self->get_object($otype, $id) or do {
+        $self->log(LA_WARN, 'Cannot delete %s/%s: no such object',
+            $otype, $id);
+        return;
+    };
+    $self->check_acl($obj, '@DELETE', 'w') or do {
+        $self->log(LA_WARN, 'permission denied to delete %s/%s',
+            $otype, $id);
+        return;
+    };
+    $self->_delete_object($otype, $id);
+}
+
+sub _delete_object {
     my ($self, $otype, $id) = @_;
     my $pclass = $self->_load_obj_class($otype);
@@ -384 +409 @@
         }
     } elsif(!$options{nocreate}) {
-        if ($self->create_c_object($srcobj->type, $srcobj->id, %data)) {
+        if ($self->_create_c_object($srcobj->type, $srcobj->id, %data)) {
             return 'CREATE'
         } else {

LATMOS-Accounts/lib/LATMOS/Accounts/Bases/Mail.pm

@@ -122 +122 @@
 }
 
-sub delete_object {
+sub _delete_object {
     my ($self, $otype, $id) = @_;
     

LATMOS-Accounts/lib/LATMOS/Accounts/Bases/Sql/User.pm

@@ -278 +278 @@
                     $res += $f->set_c_fields(forward => $data{$attr});
                 } else {
-                    if ($self->base->create_c_object('aliases', $self->id,
+                    if ($self->base->_create_c_object('aliases', $self->id,
                         forward => $data{$attr})) {
                         $res++;
@@ -287 +287 @@
                 }
             } else {
-                if ($self->base->delete_object('aliases', $self->id)) {
+                if ($self->base->_delete_object('aliases', $self->id)) {
                     $res++;
                 } else {
@@ -301 +301 @@
                 $fmainaddress = $self->id . '-' . join('', map { ('a'..'z')[rand(26)] }
                 (0..4));
-                $self->base->create_c_object(
+                $self->base->_create_c_object(
                     'address', $fmainaddress,
                     user => $self->id,

LATMOS-Accounts/lib/LATMOS/Accounts/Bases/Unix.pm

@@ -333 +333 @@
 }
 
-sub delete_object {
+sub _delete_object {
     my ($self, $otype, $id, %data) = @_;
 

LATMOS-Accounts/lib/LATMOS/Accounts/Synchro.pm

@@ -177 +177 @@
             foreach (keys %exists) {
                 if (!$srcexists{$_}) {
-                    if ($destbase->delete_object($otype, $_)) {
+                    if ($destbase->_delete_object($otype, $_)) {
                         print "delete " . $destbase->label . '::' . $otype . '::' . "$_\n";
                     } else {