authorTed Trask <ttrask01@yahoo.com>2014-09-16 20:40:00 +0000
committerTed Trask <ttrask01@yahoo.com>2014-09-16 20:40:00 +0000
commit7d25635f278549eaac801f78e320e714fe61bf06 (patch)
tree085dcf3ca805e3f569cb4e5feadc999e687d1b10
parent674ea5218b182cb7ba2ba84e9e143f7cf1dd1862 (diff)
Modify passwd actions to detect readonly files and prevent modification
If the file is edited with editfile, its permissions will be changed to read-write, making the file editable.
-rw-r--r--freeradius3-model.lua25
-rw-r--r--freeradius3-viewpasswdfile-html.lsp12
2 files changed, 34 insertions, 3 deletions
diff --git a/freeradius3-model.lua b/freeradius3-model.lua
index 4ec9037..83764c7 100644
--- a/freeradius3-model.lua
+++ b/freeradius3-model.lua
@@ -181,6 +181,8 @@ local get_passwd_file = function(self, clientdata, readonly)
if f == retval.value.filename.value then
retval.value.filename.errtxt = nil
if readonly then retval.value.filename.readonly = true end
+ local stat = posix.stat(retval.value.filename.value)
+ retval.value.mode = cfe({ label="Permissions", value=stat.mode, seq=2, readonly=true })
passwdconfig = parse_passwd_config(configs[i])
break
end
@@ -195,6 +197,11 @@ end
local get_passwd_entry_private = function(self, clientdata, create)
local retval,passwdconfig = get_passwd_file(self, clientdata, true)
retval.label = "Freeradius passwd entry"
+ if retval.value.mode and string.find(retval.value.mode.value, "^.%-") then
+ retval.value.filename.errtxt = "Readonly file"
+ return retval
+ end
+ retval.value.mode = nil
local entry = 0
local entryline = {}
if not create then
@@ -483,13 +490,18 @@ end
function mymodule.get_delete_passwd_entry(self, clientdata)
local retval,passwdconfig = get_passwd_file(self, clientdata)
retval.label = "Delete Freeradius passwd entry"
- retval.value.filename.key = nil
+ if retval.value.mode and string.find(retval.value.mode.value, "^.%-") then
+ retval.value.filename.errtxt = "Readonly file"
+ return retval
+ end
+ retval.value.mode = nil
retval.value.entry = cfe({ label="Entry index", seq=2 })
return retval
end
function mymodule.delete_passwd_entry(self, entry)
- local success = modelfunctions.validateselect(entry.value.filename)
+ local success = (nil ~= entry.value.entry)
+ success = modelfunctions.validateselect(entry.value.filename) and success
if success then
local contenttable = fs.read_file_as_array(entry.value.filename.value) or {}
if contenttable[tonumber(entry.value.entry.value) or 0] then
@@ -509,6 +521,11 @@ end
function mymodule.get_passwd(self, clientdata)
local retval,passwdconfig = get_passwd_file(self, clientdata, true)
retval.label = "Freeradius password"
+ if retval.value.mode and string.find(retval.value.mode.value, "^.%-") then
+ retval.value.filename.errtxt = "Readonly file"
+ return retval
+ end
+ retval.value.mode = nil
retval.value.entry = cfe({ label="Entry index", key=true, seq=2 })
self.handle_clientdata(retval, clientdata)
if passwdconfig then
@@ -559,6 +576,10 @@ function mymodule.get_passwd(self, clientdata)
end
function mymodule.update_passwd(self, passwd)
+ if not passwd.value.entry then
+ passwd.errtxt = "Failed to set password"
+ return passwd
+ end
-- The password/index fields have already been validated
if not passwd.value.password then
passwd.errtxt = "Invalid passwd entry"
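Review bot: In the first hunk, `posix.stat` returns nil (with an error message) when the path cannot be stat'ed, so `stat.mode` on the next line raises an error instead of reporting a missing file; guard it with `local stat = posix.stat(retval.value.filename.value)` followed by `if stat then retval.value.mode = cfe({ label="Permissions", value=stat.mode, seq=2, readonly=true }) end`. The same readonly test `string.find(retval.value.mode.value, "^.%-")` is repeated verbatim in the second, third and fourth hunks; a small local helper such as `is_readonly(retval)` would keep the pattern in one place and make the owner-write-bit assumption explicit. Note also that the check is applied only in the form-building functions, while the action functions `delete_passwd_entry` and `update_passwd` rely on the caller having passed through that form; if the write path (outside this hunk) does not fail cleanly on a read-only file, the mode should be re-evaluated there as well. The bodies of `get_passwd_file`, `get_passwd_entry_private`, `delete_passwd_entry`, `get_passwd` and `update_passwd` all continue outside their hunks.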
diff --git a/freeradius3-viewpasswdfile-html.lsp b/freeradius3-viewpasswdfile-html.lsp
index 5e6ad7f..fe28b28 100644
--- a/freeradius3-viewpasswdfile-html.lsp
+++ b/freeradius3-viewpasswdfile-html.lsp
@@ -30,8 +30,16 @@ html = require("acf.html")
redir.value = redir.value.."?filename="..html.url_encode(view.value.filename.value)
%>
+<%
+local editable = false
+if view.value.mode and string.match(view.value.mode.value, "^.w") then
+ editable = true
+end
+%>
+
<% local header_level = htmlviewfunctions.displaysectionstart(view, page_info) %>
<% htmlviewfunctions.displayitem(view.value.filename) %>
+<% if view.value.mode then htmlviewfunctions.displayitem(view.value.mode) end %>
<% if view.value.data then %>
<% local containspasswd = 0 %>
<table id="list" class="tablesorter"><thead>
@@ -48,6 +56,7 @@ redir.value = redir.value.."?filename="..html.url_encode(view.value.filename.val
<% for i,r in ipairs( view.value.data.value ) do %>
<tr>
<td>
+<% if editable then %>
<% entry.value = i %>
<% if viewlibrary.check_permission("editpasswdentry") then %>
<% htmlviewfunctions.displayitem(cfe({type="link", value={filename=filename, entry=entry, redir=redir}, label="", option="Edit", action="editpasswdentry"}), page_info, -1) %>
@@ -58,6 +67,7 @@ redir.value = redir.value.."?filename="..html.url_encode(view.value.filename.val
<% if 0 < containspasswd and r[containspasswd] ~= "" and viewlibrary.check_permission("editpasswd") then %>
<% htmlviewfunctions.displayitem(cfe({type="link", value={filename=filename, entry=entry, redir=redir}, label="", option="Change Pass", action="editpasswd"}), page_info, -1) %>
<% end %>
+<% end %>
</td>
<% for j,f in ipairs(r) do %>
<td><% if (j == containspasswd) and (f ~= "") then io.write("********") else io.write(html.html_escape(f)) end %></td>
@@ -67,7 +77,7 @@ redir.value = redir.value.."?filename="..html.url_encode(view.value.filename.val
</tbody></table>
<% end %>
-<% if view.value.data and viewlibrary and viewlibrary.dispatch_component and viewlibrary.check_permission("createpasswdentry") then
+<% if editable and view.value.data and viewlibrary and viewlibrary.dispatch_component and viewlibrary.check_permission("createpasswdentry") then
local createform = viewlibrary.dispatch_component("createpasswdentry", {filename=view.value.filename.value, redir=redir.value}, true)
createform.action = page_info.script .. page_info.prefix .. page_info.controller .. "/createpasswdentry"
htmlviewfunctions.displayitem(createform, page_info, htmlviewfunctions.incrementheader(header_level))