author | Ted Trask <ttrask01@yahoo.com> | 2008-05-01 20:49:59 +0000 |
---|---|---|
committer | Ted Trask <ttrask01@yahoo.com> | 2008-05-01 20:49:59 +0000 |
commit | fbda79f377ffbad71b38d2ddf273913dc95ab177 (patch) | |
tree | cac8faf1dc9d33aa5044140b32f0eba8d2cea3b2 | |
parent | 21b0abee37316cd578a984c3de0ec878a8b41f72 (diff) | |
download | acf-core-fbda79f377ffbad71b38d2ddf273913dc95ab177.tar.bz2 acf-core-fbda79f377ffbad71b38d2ddf273913dc95ab177.tar.xz |
Modified roles, logon, and authenticator
git-svn-id: svn://svn.alpinelinux.org/acf/core/trunk@1095 ab2d0c66-481e-0410-8bed-d214d4d58bed
-rw-r--r-- | app/Makefile | 3 | ||||
-rw-r--r-- | app/acf-util/logon-html.lsp | 5 | ||||
-rw-r--r-- | app/acf-util/logon-model.lua | 3 | ||||
-rw-r--r-- | app/acf-util/roles-controller.lua | 33 | ||||
-rw-r--r-- | app/acf-util/roles-getlist-html.lsp | 13 | ||||
-rw-r--r-- | app/acf-util/roles-html.lsp | 38 | ||||
-rw-r--r-- | app/acf-util/roles-model.lua | 9 | ||||
-rw-r--r-- | app/acf-util/roles-read-html.lsp | 28 | ||||
-rw-r--r-- | lib/authenticator-plaintext.lua | 137 | ||||
-rw-r--r-- | lib/roles.lua | 33 | ||||
-rw-r--r-- | roles | 5 |
11 files changed, 173 insertions, 134 deletions
diff --git a/app/Makefile b/app/Makefile index cdd42bb..f7e42dc 100644 --- a/app/Makefile +++ b/app/Makefile @@ -6,9 +6,8 @@ APP_DIST= \ acf-util/logon-model.lua \ acf-util/logon-status-html.lsp \ acf-util/roles-controller.lua \ - acf-util/roles-getlist-html.lsp \ acf-util/roles-model.lua \ - acf-util/roles-read-html.lsp \ + acf-util/roles-html.lsp \ acf-util/password-controller.lua \ acf-util/password-html.lsp \ acf-util/password-model.lua \ diff --git a/app/acf-util/logon-html.lsp b/app/acf-util/logon-html.lsp index f503a9b..c4d4bd3 100644 --- a/app/acf-util/logon-html.lsp +++ b/app/acf-util/logon-html.lsp @@ -4,11 +4,6 @@ io.write(html.cfe_unpack(form)) --]] ?> -<? if form.errtxt then ?> -<h1>Command Result</h1> -<p class='error'> <?= form.errtxt ?></p> -<? end ?> - <h1><?= form.label ?></h1> <? form.action = "logon" diff --git a/app/acf-util/logon-model.lua b/app/acf-util/logon-model.lua index 16e9f7f..8fa9e12 100644 --- a/app/acf-util/logon-model.lua +++ b/app/acf-util/logon-model.lua @@ -42,8 +42,7 @@ logon = function (self, clientdata, ip_addr, sessiondir, sessiondata) end if false == countevent and clientdata.userid and clientdata.password then - local password_user_md5 = fs.md5sum_string(clientdata.password) - if auth.authenticate (self, clientdata.userid, password_user_md5) then + if auth.authenticate (self, clientdata.userid, clientdata.password) then -- We have a successful login, change sessiondata -- for some reason, can't call this function or it skips rest of logon -- logout(sessiondir, sessiondata) diff --git a/app/acf-util/roles-controller.lua b/app/acf-util/roles-controller.lua index b868924..4363cb6 100644 --- a/app/acf-util/roles-controller.lua +++ b/app/acf-util/roles-controller.lua 
@@ -2,12 +2,41 @@ module (..., package.seeall) +auth = require("authenticator-plaintext") +roll = require("roles") + default_action = "read" +-- Return your own roles/permissions read = function(self) - return ( { userid = self.sessiondata.userinfo.userid, roles = self.sessiondata.userinfo.roles, permissions = self.sessiondata.permissions } ) + userid = cfe({ value=self.sessiondata.userinfo.userid, label="User Id" }) + roles = cfe({ type="list", value=self.sessiondata.userinfo.roles, label="Roles" }) + permissions = cfe({ type="table", value = self.sessiondata.permissions, label="Permissions" }) + return cfe({ type="group", value={userid=userid, roles=roles, permissions=permissions} }) +end + +-- Return roles/permissions for specified user +viewroles = function(self) + if not (self.clientdata.userid) then + redirect(self) + end + userid = cfe({ value=self.clientdata.userid, label="User Id" }) + roles = cfe({ type="list", value=auth.get_userinfo_roles(self, userid.value), label="Roles" }) + permissions = cfe({ type="table", value=roll.get_roles_perm(self.conf.appdir, roles.value), label="Permissions" }) + return cfe({ type="group", value={userid=userid, roles=roles, permissions=permissions} }) +end + +-- Return permissions for specified role +viewperms = function(self) + if not (self.clientdata.role) then + redirect(self, "getlist") + end + role = cfe({ value=self.clientdata.role, label="Role" }) + permissions = cfe({ type="table", value=roll.get_role_perm(self.conf.appdir, role.value), label="Permissions" }) + return cfe({ type="group", value={role=role, permissions=permissions} }) end +-- Return list of all permissions getlist = function(self) - return( { contlist = self.model:getcont(self)}) + return cfe({ type="group", value={permissions=self.model:getcont(self)} }) end diff --git a/app/acf-util/roles-getlist-html.lsp b/app/acf-util/roles-getlist-html.lsp deleted file mode 100644 index 25d8d62..0000000 --- a/app/acf-util/roles-getlist-html.lsp +++ /dev/null 
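Review bot: `userid`, `roles` and `permissions` in `read` and `viewroles`, and `role` and `permissions` in `viewperms`, are assigned without `local`, so under `module (..., package.seeall)` they become fields of the controller's module table that outlive the request instead of per-call values; declare each one `local userid = cfe({ ... })` and so on. `redirect(self)` in `viewroles` and `redirect(self, "getlist")` in `viewperms` are not followed by a `return`, so unless redirect never returns the action carries on and calls `auth.get_userinfo_roles` / `roll.get_role_perm` with a nil value; `return redirect(self)` makes the early exit explicit. The `module (..., package.seeall)` text is hunk-header context, so the file's preamble is outside the hunk.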
@@ -1,13 +0,0 @@ -<? local view= ... ?> -<? --[[ - io.write(html.cfe_unpack(view)) ---]] ?> - -<h1>Controller Status</h1> -<? ---[[ -for a,b in pairs(view.contlist) do - print("<b>",a,"</b>") - for k,v in pairs(b) do print(v) end - print("<br>") -end ---]] ?> diff --git a/app/acf-util/roles-html.lsp b/app/acf-util/roles-html.lsp new file mode 100644 index 0000000..4a23c25 --- /dev/null +++ b/app/acf-util/roles-html.lsp @@ -0,0 +1,38 @@ +<? local view= ... ?> +<? --[[ + io.write(html.cfe_unpack(view)) +--]] ?> + +<? ---[[ ?> +<? if view.value.userid then ?> + <H1>Roles/Permission list for <?= view.value.userid.value ?>:</H1> +<? elseif view.value.role then ?> + <H1>Permission list for <?= view.value.role.value ?>:</H1> +<? else ?> + <H1>Complete permission list:</H1> +<? end ?> + +<? if view.value.roles then ?> + <H2><?= view.value.userid.value ?> is valid in these roles</H2> + <? for a,b in pairs(view.value.roles.value) do + print("<li>",b,"</li>") + end ?> +<? end ?> +<? --]] ?> + +<? ---[[ ?> +<? if view.value.permissions then ?> + <? if view.value.userid then ?> + <H2><?= view.value.userid.value ?>'s full permissions are</H2> + <? elseif view.value.role then ?> + <H2><?= view.value.role.value ?>'s full permissions are</H2> + <? end ?> + <? for x,cont in pairs(view.value.permissions.value) do + print("<b>",x,"</b>") + for y,act in pairs(cont) do + print(y) + end + print("<br>") + end ?> +<? end ?> +<? --]] ?> diff --git a/app/acf-util/roles-model.lua b/app/acf-util/roles-model.lua index c3ce2c7..b6e95fd 100644 --- a/app/acf-util/roles-model.lua +++ b/app/acf-util/roles-model.lua 
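Review bot: The new roles-html.lsp emits `view.value.userid.value` and `view.value.role.value` into the `<H1>`/`<H2>` text unescaped, and in the controller's `viewroles`/`viewperms` actions those values are taken straight from `self.clientdata`, so a request parameter is reflected into the page as markup. The role and permission names printed by the two `pairs` loops come from the roles files rather than the request, but escaping them as well costs nothing. Route every emitted value through an HTML-escaping helper, e.g. `<H1>Roles/Permission list for <?= html.html_escape(view.value.userid.value) ?>:</H1>` if the `html` module referenced on the template's third line provides one, otherwise a small gsub of `&`, `<`, `>` and `"`.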
@@ -9,9 +9,12 @@ getcont = function(self) controllers = roles.get_controllers(self) local table_m = {} for a,b in pairs(controllers) do - temp = roles.get_controllers_func(self,b) - table_m[b.sname] = temp + table_m[b.sname] = {} + temp = roles.get_controllers_func(self,b) + for x,y in ipairs(temp) do + table_m[b.sname][y] = {} + end end - return (table_m) + return cfe({ type="table", value=table_m, label="All permissions" }) end diff --git a/app/acf-util/roles-read-html.lsp b/app/acf-util/roles-read-html.lsp deleted file mode 100644 index ddda93a..0000000 --- a/app/acf-util/roles-read-html.lsp +++ /dev/null @@ -1,28 +0,0 @@ -<? local view= ... ?> -<? --[[ - io.write(html.cfe_unpack(view)) ---]] ?> - -<? ---[[ ?> -<H1>Roles/Permission list for <?= view.userid ?>:</H1> - -<? if view.roles then ?> - <H2>You are valid in these roles</H2> - <? for a,b in pairs(view.roles) do - print("<li>",b,"</li>") - end ?> -<? end ?> -<? --]] ?> - -<? ---[[ ?> -<? if view.permissions then ?> - <H2>Your full permissions are</H2> - <? for x,cont in pairs(view.permissions) do - print("<b>",x,"</b>") - for y,act in pairs(cont) do - print(y) - end - print("<br>") - end ?> -<? end ?> -<? --]] ?> diff --git a/lib/authenticator-plaintext.lua b/lib/authenticator-plaintext.lua index b8cf598..c68ec2b 100644 --- a/lib/authenticator-plaintext.lua +++ b/lib/authenticator-plaintext.lua 
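Review bot: `temp = roles.get_controllers_func(self,b)` in the rewritten loop body is still assigned without `local` (as is `controllers` on the context line above it), so under the module it becomes a module-level global rather than a per-call value; `local temp = roles.get_controllers_func(self,b)` fixes that. The new `for x,y in ipairs(temp)` assumes get_controllers_func returns a sequence, which the roles.lua hunk further down (appending with `temp1[#temp1 +1] = a`) appears to support. getcont's signature is the hunk-header context line, so the function starts just before the hunk.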
@@ -57,39 +57,6 @@ pvt.get_id = function(userid, authstruct) return nil end ---- public methods - --- This function returns true or false, and --- if false: the reason for failure -authenticate = function ( self, userid, password ) - password = password or "" - userid = userid or "" - - local t = pvt.parse_authfile(self.conf.confdir .. "/passwd") - - if t == false then - return false, "password file is missing" - else - if userid ~= nil then - local id = pvt.get_id (userid, t) - if id == false or id == nil then - return false, "Userid not found" - end - if id.password ~= password then - return false, "Invalid password" - end - else - return false - end - return true - end -end - -pvt.permission_to_change = function() - --FIXME: Check if user is allowed to change things - return true -end - pvt.weak_password = function(password) -- If password is too short, return false if (#password < 4) then @@ -149,6 +116,35 @@ local validate_settings = function (self, userid, username, password, password_c return true, errormessage end +--- public methods + +-- This function returns true or false, and +-- if false: the reason for failure +authenticate = function ( self, userid, password ) + password = password or "" + userid = userid or "" + + local t = pvt.parse_authfile(self.conf.confdir .. "/passwd") + + if t == false then + return false, "password file is missing" + end + + if userid ~= nil then + local id = pvt.get_id (userid, t) + if id == false or id == nil then + return false, "Userid not found" + end + if id.password ~= fs.md5sum_string(password) then + return false, "Invalid password" + end + else + return false + end + + return true +end + -- This function returns the username and roles -- or false on an error get_userinfo = function ( self, userid ) 
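Review bot: In the re-added `authenticate`, `userid = userid or ""` runs before `if userid ~= nil then`, so the `else return false` branch is unreachable and an empty userid falls through to `pvt.get_id("", t)`; either drop the defaulting or test `if userid ~= "" then`. The two failure strings `"Userid not found"` and `"Invalid password"` tell the caller whether an account exists; returning one generic message, e.g. `return false, "Invalid userid or password"`, avoids confirming userids (whether the text still reaches the browser after the logon-html change depends on logon-model, outside this hunk). The comparison against `fs.md5sum_string(password)` is an unsalted digest inherited from the existing passwd format (the old logon-model computed the same md5sum before calling authenticate); a comment such as `-- passwd stores md5sum(password) with no salt; existing file format` would stop a later reader taking it for a deliberate choice.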
@@ -183,18 +179,27 @@ list_users = function (self) end end + list_roles = function (self) local output = {"CREATE","UPDATE","DELETE","READ"} return output end -change_settings = function (self, userid, parameter, value) +change_setting = function (self, userid, parameter, value) + local result = true local errormessage = {} - local passwd_path = self.conf.confdir .. "/passwd" - -- We start by checking if user is allowed to do changes - if not (pvt.permission_to_change) then - errormessage.permissions = "No permission to change!" + -- Get the current user info + local userinfo = get_userinfo(self, userid) + if userinfo == nil then + errormessage.userid = "This userid does not exist!" + result = false + end + + -- Check if user entered available commands + if not (userid) or not (parameter) or not (pvt.availablefields(parameter)) or not (value) then + errormessage.userid = "You need to enter valid userid, parameter and value!" + result = false end -- Check if userid already used 
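Review bot: `if userinfo == nil then` in the new `change_setting` body does not match the contract stated a few lines earlier for `get_userinfo` ("returns the username and roles or false on an error"), so a `false` result passes the check and the later `userinfo[parameter] = value` indexes a boolean; use `if not userinfo then`. `get_userinfo(self, userid)` is also called before the `not (userid)` validity check that follows it, so a nil userid reaches the lookup first — moving the validity check ahead of the lookup avoids that. Both branches write `errormessage.userid`, so only the last failure reason survives; presumably acceptable, but worth a comment. change_setting's body continues in the next hunk.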
@@ -202,52 +207,34 @@ change_settings = function (self, userid, parameter, value) for k,v in pairs(list_users(self)) do if (v == value) then errormessage.userid = "This userid already exists!" + result = false end end end - -- Check if user entered available commands - if not (userid) or not (parameter) or not (pvt.availablefields(parameter)) then - errormessage.userid = "You need to enter valid userid, parameter and value!" - end - - -- Check if password is weak - if (parameter == "password") then - local weak_password_result, weak_password_errormessage = pvt.weak_password(value) - if (weak_password_result) then - errormessage.password = weak_password_errormessage + if result == true then + -- Validate parameter + userinfo[parameter] = value + local password, password_confirm + if (parameter == "password") then + userinfo.password = fs.md5sum_string(value) + password = value + password_confirm = value end + result, errormessage = validate_settings(self, username.userid, userinfo.username, password, password_confirm, userinfo.roles) end - -- Return false if some errormessages is set - for k,v in pairs(errormessage) do - return false, errormessage - end - - -- If the parameter is password, then scramble the password - if (parameter == "password") then - value = fs.md5sum_string(value) - end + -- Write the updated user + if (result == true) then + delete_user(self, userid) - local passwdfilecontent = fs.read_file_as_array(passwd_path) - local changes - for k,v in pairs(passwdfilecontent) do - if ( string.match(v, "^".. userid .. ":") ) then - changes = {} - -- Get current values - changes.userid, changes.password, changes.username, changes.roles = - string.match(v, "([^:]*):([^:]*):([^:]*):(.*)") - -- Actually change the value (remove all ':') - changes[parameter] = string.gsub(value, ":", "") - -- Update the table with the new values - passwdfilecontent[k] = changes.userid .. ":" .. changes.password .. ":".. changes.username .. ":" .. 
changes.roles - end + -- Set path to passwordfile + local passwd_path = self.conf.confdir .. "/passwd" + -- Write the newline into the file + fs.write_line_file(passwd_path, userinfo.userid .. ":" .. userinfo.password .. ":" .. userinfo.username .. ":" .. table.concat(userinfo.roles,",") ) end - - --Write changes to file - fs.write_file(passwd_path, table.concat(passwdfilecontent,"\n")) - return true + return result, errormessage end -- For an existing user, change the settings that are non-nil @@ -278,7 +265,7 @@ change_settings = function (self, userid, username, password, password_confirm, end userinfo.roles = roles or userinfo.roles - -- write the updated user + -- Write the updated user delete_user(self, userid) -- Set path to passwordfile diff --git a/lib/roles.lua b/lib/roles.lua index 806be67..768e96f 100644 --- a/lib/roles.lua +++ b/lib/roles.lua @@ -48,7 +48,7 @@ get_controllers_func = function(self,controller_info) temp1 = {} for a,b in pairs(temp) do local c = string.match(a,"mvc") or string.match(a,"^_") - if c == nil then + if c == nil and type(temp[a])=="function" then temp1[#temp1 +1] = a end end 
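Review bot: `validate_settings(self, username.userid, userinfo.username, ...)` in the new body references `username`, which is not a local of change_setting (the record is held in `userinfo`), so it resolves to a global and either errors or validates the wrong id; it should read `userinfo.userid`. The removed code stripped `:` from the value before writing (`string.gsub(value, ":", "")`), whereas the new `userinfo[parameter] = value` goes into the colon-separated passwd line untouched, so unless validate_settings (outside the hunk) rejects it a value containing `:` can add fields to the record — `userinfo[parameter] = (string.gsub(value, ":", ""))` restores the old guard. `delete_user(self, userid)` runs before `fs.write_line_file`, so a failed write leaves the account deleted; checking the write result, or writing before deleting, would be safer. If `parameter` is `"roles"`, `userinfo.roles` becomes the raw string and `table.concat(userinfo.roles,",")` would fail on it — presumably validate_settings normalises this, worth confirming.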
@@ -106,3 +106,34 @@ get_roles_perm = function(startdir,roles) return permissions end +-- Go through the roles files and determine the permissions for the specified role +get_role_perm = function(startdir,role) + permissions = {} + + -- find all of the roles files and add in the master file + local rolesfiles = get_roles_candidates(startdir) + rolesfiles[#rolesfiles + 1] = "/etc/acf/roles" + + for x,file in ipairs(rolesfiles) do + f = fs.read_file_as_array(file) + for y,line in pairs(f) do + if role == string.match(line,"^[%a]+") then + temp = format.string_to_table(string.match(line,"[,%a:]+$"),",") + for z,perm in pairs(temp) do + local control,action = string.match(perm,"(%a+):(%a+)") + if control then + if nil == permissions[control] then + permissions[control] = {} + end + if action and nil == permissions[control][action] then + permissions[control][action] = {} + end + end + end + end + end + end + + return permissions +end + @@ -1,4 +1,3 @@ ALL=welcome:read,logon:logon,logon:logout,logon:status -CREATE=password:status,password:edituser,password:newuser,password:deleteuser -READ=password:editme -NONE=roles:read,roles:getlist +CREATE=password:status,password:edituser,password:newuser,password:deleteuser,roles:getlist,roles:viewroles,roles:viewperms +READ=password:editme,roles:read |
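Review bot: `permissions`, `f` and `temp` in the new `get_role_perm` are assigned without `local`, so they become module-level globals and any interleaved caller (or `get_roles_perm` above, which by its `return permissions` appears to use the same name) shares one `permissions` table; write `local permissions = {}`, `local f = fs.read_file_as_array(file)` and `local temp = format.string_to_table(...)`. The patterns `"^[%a]+"`, `"[,%a:]+$"` and `"(%a+):(%a+)"` only accept alphabetic names, so a role, controller or action containing a digit or underscore is silently skipped rather than reported; if that mirrors get_roles_perm it deserves a comment such as `-- role/controller/action names are assumed to be letters only`. The hardcoded `/etc/acf/roles` master file path could be named once as a module-level constant shared with get_roles_perm.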