-rw-r--r-- | app/Makefile | 1 | ||||
-rw-r--r-- | app/acf-util/acf-util.roles | 4 | ||||
-rw-r--r-- | app/acf-util/roles-editrole-html.lsp | 62 | ||||
-rw-r--r-- | app/acf-util/roles-model.lua | 7 | ||||
-rw-r--r-- | app/acf-util/roles-viewroles-html.lsp | 5 | ||||
-rw-r--r-- | lib/authenticator.lua | 2 | ||||
-rw-r--r-- | lib/roles.lua | 69 | ||||
-rw-r--r-- | passwd | 4 | ||||
-rw-r--r-- | roles | 3 |
9 files changed, 111 insertions, 46 deletions
diff --git a/app/Makefile b/app/Makefile
index b840e75..49f3ec0 100644
--- a/app/Makefile
+++ b/app/Makefile
@@ -1,6 +1,7 @@
 include ../config.mk
 APP_DIST= \
+ acf-util/acf-util.roles \
 acf-util/logon-controller.lua \
 acf-util/logon-html.lsp \
 acf-util/logon-model.lua \
diff --git a/app/acf-util/acf-util.roles b/app/acf-util/acf-util.roles
new file mode 100644
index 0000000..b31297c
--- /dev/null
+++ b/app/acf-util/acf-util.roles
@@ -0,0 +1,4 @@
+GUEST=logon:logon,logon:logout,logon:status,welcome:read
+USER=password:editme,roles:read
+EXPERT=
+ADMIN=logon:logon,logon:logout,logon:status,password:editme,password:status,password:edituser,password:newuser,password:deleteuser,roles:read,roles:getpermslist,roles:viewuserroles,roles:viewroleperms,roles:viewroles,roles:editrole,roles:deleterole,roles:newrole,welcome:read,password:status,password:edituser,password:newuser,password:deleteuser,roles:getpermslist,roles:viewuserroles,roles:viewroleperms,roles:viewroles,roles:editrole,roles:deleterole,roles:newrole
diff --git a/app/acf-util/roles-editrole-html.lsp b/app/acf-util/roles-editrole-html.lsp
index 5f106fc..0a32839 100644
--- a/app/acf-util/roles-editrole-html.lsp
+++ b/app/acf-util/roles-editrole-html.lsp
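Review bot: The ADMIN line in the new acf-util.roles lists `password:status`, `password:edituser`, `password:newuser`, `password:deleteuser` and the `roles:getpermslist` … `roles:newrole` group twice (everything after the first `welcome:read` repeats earlier entries), which makes the policy harder to audit without changing what it grants; listing each permission once is enough, since get_role_perm keys permissions by control and action. `EXPERT=` defines a role with no permissions of its own and nothing marks that as intentional; because the parser in lib/roles.lua only reads the leading `[%w_]+` name from each line, that intent has to be documented outside the file (commit message or README) rather than as an in-file comment.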
@@ -7,11 +7,67 @@ <H1><%= form.label %></H1> <%
- form.action = page_info.script .. page_info.prefix .. page_info.controller .. "/" .. page_info.action
+ displayformstart(form, page_info)
 -- If editing existing role, disable role
 if page_info.action ~= "newrole" then
 form.value.role.contenteditable = false
 end
- local order = { "role", "permissions" }
- displayform(form, order)
+ io.write("<DL>\n")
+ displayformitem(form.value.role, "role")
+
+ -- copied this code from viewfunctions so we can disable the default boxes
+ local myitem = form.value.permissions
+ myitem.name = "permissions"
+ io.write("<DT")
+ if myitem.errtxt then
+ myitem.class = "error"
+ io.write(' class="error"')
+ end
+ io.write(">" .. myitem.label .. "</DT>\n")
+ io.write("<DD>")
+ -- FIXME multiple select doesn't work in haserl, so use series of checkboxes
+ myitem.class = nil
+ local tempname = myitem.name
+ local tempval = myitem.value or {}
+ local reversedefault = {}
+ for x,val in ipairs(myitem.default or {}) do
+ reversedefault[val] = x
+ end
+ local reverseval = {}
+ for x,val in ipairs(tempval) do
+ reverseval[val] = x
+ end
+ local reverseopt = {}
+ for x,val in ipairs(myitem.option) do
+ reverseopt[val] = x
+ myitem.value = val
+ myitem.checked = reverseval[val]
+ if reversedefault[val] then myitem.disabled = true else myitem.disabled = nil end
+ myitem.name = tempname .. "." .. x
+ io.write(html.form.checkbox(myitem) .. val .. "<br>\n")
+ end
+ -- Check for values not in options
+ if myitem.errtxt then
+ myitem.class = "error"
+ io.write('<p class="error">\n')
+ end
+ for x,val in ipairs(tempval) do
+ if not reverseopt[val] then
+ myitem.value = val
+ myitem.checked = true
+ io.write(html.form.checkbox(myitem) .. val .. "<br>\n")
+ end
+ end
+ if myitem.errtxt then
+ io.write('</p>\n')
+ end
+ myitem.name = tempname
+ myitem.value = tempval
+
+ if myitem.descr then io.write('<P CLASS="descr">' .. string.gsub(myitem.descr, "\n", "<BR>") .. 
"</P>\n") end
+ if myitem.errtxt then io.write('<P CLASS="error">' .. string.gsub(myitem.errtxt, "\n", "<BR>") .. "</P>\n") end
+ io.write("</DD>\n")
+
+ io.write("</DL>\n")
+ displayformend(form)
 %>
diff --git a/app/acf-util/roles-model.lua b/app/acf-util/roles-model.lua
index bdfe20d..79c1b14 100644
--- a/app/acf-util/roles-model.lua
+++ b/app/acf-util/roles-model.lua
@@ -58,10 +58,13 @@ end
 getpermissions = function(self, role)
 local my_perms = {}
+ local default_perms = {}
 if role then
- tmp, my_perms = roles.get_role_perm(self, role)
+ local tmp
+ tmp, my_perms, default_perms = roles.get_role_perm(self, role)
 my_perms = my_perms or {}
+ default_perms = default_perms or {}
 else
 role = ""
 end
@@ -69,7 +72,7 @@ getpermissions = function(self, role)
 local tmp, all_perms = get_all_permissions(self)
 table.sort(all_perms)
- local permissions_cfe = cfe({ type="multi", value=my_perms, option=all_perms, label="Role permissions" })
+ local permissions_cfe = cfe({ type="multi", value=my_perms, option=all_perms, label="Role permissions", default=default_perms })
 local role_cfe = cfe({ value=role, label="Role" })
 return cfe({ type="table", value={role=role_cfe, permissions=permissions_cfe} })
diff --git a/app/acf-util/roles-viewroles-html.lsp b/app/acf-util/roles-viewroles-html.lsp
index 8b9a10f..0334499 100644
--- a/app/acf-util/roles-viewroles-html.lsp
+++ b/app/acf-util/roles-viewroles-html.lsp
@@ -18,9 +18,10 @@
 <% if view.value.default_roles then %>
 <dl>
 <% for x,role in pairs(view.value.default_roles.value) do %>
- <dt><img src='/static/tango/16x16/categories/applications-system.png' height='16' width='16'> <%= role %></dt>
+ <dt><img src='/skins/static/tango/16x16/categories/applications-system.png' height='16' width='16'> <%= role %></dt>
 <dd>
 [<a href='viewroleperms?role=<%= role %>'>View this role</a>]
+ [<a href='editrole?role=<%= role %>&redir=<%= page_info.orig_action %>'>Edit this role</a>]
 </dd>
 <% end %>
 </dl>
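Review bot: In the "Check for values not in options" loop, `val` is concatenated raw into the page (`io.write(html.form.checkbox(myitem) .. val .. "<br>\n")`); by construction these are values that are not in the option list, so if the form is redisplayed with what the client submitted, a submitted permission string is echoed unescaped and this becomes a reflected/stored XSS surface. HTML-escape `val` there (e.g. `html.html_escape(val)` if this tree's html library provides it, otherwise a local gsub of `&`, `<`, `>` and `"`), and treat `myitem.label`, `myitem.descr` and `myitem.errtxt`, which are also written raw, the same way; whether `html.form.checkbox` escapes the value attribute is not visible here. The comment `copied this code from viewfunctions` also argues for adding the `default`/disabled handling to the shared multi-select renderer rather than carrying a second copy of ~50 lines in this view.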
@@ -29,7 +30,7 @@
 <dl>
 <% table.sort(view.value.defined_roles.value) %>
 <% for x,role in pairs(view.value.defined_roles.value) do %>
- <dt><img src='/static/tango/16x16/apps/system-users.png' height='16' width='16'> <%= role %></dt>
+ <dt><img src='/skins/static/tango/16x16/apps/system-users.png' height='16' width='16'> <%= role %></dt>
 <dd>
 [<a href='viewroleperms?role=<%= role %>'>View this role</a>]
 [<a href='editrole?role=<%= role %>&redir=<%= page_info.orig_action %>'>Edit this role</a>]
diff --git a/lib/authenticator.lua b/lib/authenticator.lua
index 1b55150..941e19f 100644
--- a/lib/authenticator.lua
+++ b/lib/authenticator.lua
@@ -171,7 +171,7 @@ get_userinfo_roles = function(self, userid)
 if rol then
 local avail_roles = rol.list_all_roles(self)
 for x,role in ipairs(avail_roles) do
- if role=="ALL" then
+ if role==rol.guest_role then
 table.remove(avail_roles,x)
 break
 end
diff --git a/lib/roles.lua b/lib/roles.lua
index ecd9798..85f59da 100644
--- a/lib/roles.lua
+++ b/lib/roles.lua
@@ -6,7 +6,7 @@ require ("format")
 module (..., package.seeall)
-local default_roles = { "CREATE", "UPDATE", "DELETE", "READ", "ALL" }
+guest_role = "GUEST"
 -- returns a table of the *.roles files
 -- startdir should be the app dir
@@ -81,16 +81,29 @@ get_controllers_view = function(self,controller_info)
 return temp
 end
-list_default_roles = function()
- return default_roles
+list_default_roles = function(self)
+ local default_roles = {}
+ local reverseroles = {}
+
+ -- find all of the default roles files and parse them
+ local rolesfiles = get_roles_candidates(self.conf.appdir)
+
+ for x,file in ipairs(rolesfiles) do
+ f = fs.read_file_as_array(file)
+ for y,line in pairs(f) do
+ if not reverseroles[string.match(line,"^[%w_]+")] then
+ default_roles[#default_roles+1] = string.match(line,"^[%w_]+")
+ reverseroles[default_roles[#default_roles]] = #default_roles
+ end
+ end
+ end
+
+ return default_roles, reverseroles
 end
 list_roles = function(self)
 local defined_roles = {}
- local reverseroles = {}
- for x,role in ipairs(default_roles) do
- reverseroles[role] = x
- end
+ local default_roles, reverseroles = list_default_roles(self)
 -- Open the roles file and parse for defined roles
 local entries = authenticator.auth.read_field(self, authenticator.roletable, "") or {}
@@ -111,19 +124,19 @@ list_all_roles = function(self)
 return default_roles
 end
--- Go through the roles files and determine the permissions for the specified roles
+-- Go through the roles files and determine the permissions for the specified list of roles (including guest)
 get_roles_perm = function(self,roles)
 permissions = {}
 permissions_array = {}
- -- find all of the roles files and add in the master file
- local rolesfiles = get_roles_candidates(self.conf.appdir)
-
 local reverseroles = {}
 for x,role in ipairs(roles) do
- reverseroles[role] = {}
+ reverseroles[role] = x
 end
- reverseroles["ALL"] = {} -- always include ALL role
+ reverseroles[guest_role] = 0 -- always include guest role
+
+ -- find all of the default roles files and parse them
+ local rolesfiles = get_roles_candidates(self.conf.appdir)
 for x,file in ipairs(rolesfiles) do
 f = fs.read_file_as_array(file)
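Review bot: In list_default_roles, a line that does not start with `[%w_]+` (a blank line, or the trailing newline of a .roles file) makes `string.match` return nil; `reverseroles[nil]` reads as nil so the branch is taken, `default_roles[#default_roles+1] = nil` is a no-op, and `reverseroles[default_roles[#default_roles]] = #default_roles` then indexes with `default_roles[0]`, which is nil while no role has been collected yet and raises "table index is nil" — one stray blank line at the top of a roles file breaks role listing. Bind the match once and skip nil, as below. `f = fs.read_file_as_array(file)` is also an accidental global under `module(..., package.seeall)` (the same pattern pre-exists in get_roles_perm); it should be `local f`.
```lua
 for x,file in ipairs(rolesfiles) do
  local f = fs.read_file_as_array(file)
  for y,line in pairs(f) do
   -- lines that do not start with a role name (blank or otherwise) are skipped
   local name = string.match(line, "^[%w_]+")
   if name and not reverseroles[name] then
    default_roles[#default_roles+1] = name
    reverseroles[name] = #default_roles
   end
  end
 end
 -- … unchanged: return default_roles, reverseroles …
```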
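Review bot: The context line `return default_roles` at the top of this hunk (inside list_all_roles, whose body starts outside the hunk) used to refer to the module-level `local default_roles` that this commit deletes in favour of `guest_role`; unless list_all_roles now declares its own local above the hunk, the name resolves to an undefined global and the function returns nil, which would break `ipairs(avail_roles)` in authenticator.get_userinfo_roles. Worth confirming that list_all_roles was updated to obtain the list from `list_default_roles(self)` or `list_roles(self)`. In get_roles_perm, `reverseroles[guest_role] = 0` relies on 0 being truthy for the later `if reverseroles[entry.id]` test; a comment such as `-- 0 is truthy in Lua; guest has no position in the caller's list` would make that intent explicit.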
@@ -137,7 +150,7 @@ get_roles_perm = function(self,roles)
 permissions[control] = {}
 end
 if action then
- permissions[control][action] = {}
+ permissions[control][action] = {file}
 permissions_array[#permissions_array + 1] = control .. ":" .. action
 end
 end
@@ -146,6 +159,7 @@ get_roles_perm = function(self,roles)
 end
 end
+ -- then look in the user-editable roles
 local entries = authenticator.auth.read_field(self, authenticator.roletable, "") or {}
 for x,entry in ipairs(entries) do
 if reverseroles[entry.id] then
@@ -172,8 +186,9 @@ end
 get_role_perm = function(self,role)
 permissions = {}
 permissions_array = {}
+ default_permissions_array = {}
- -- find all of the roles files and add in the master file
+ -- find all of the default roles files and parse them
 local rolesfiles = get_roles_candidates(self.conf.appdir)
 for x,file in ipairs(rolesfiles) do
@@ -188,15 +203,17 @@ get_role_perm = function(self,role)
 permissions[control] = {}
 end
 if action then
- permissions[control][action] = {}
+ permissions[control][action] = {file}
 permissions_array[#permissions_array + 1] = control .. ":" .. action
+ default_permissions_array[#default_permissions_array + 1] = control .. ":" .. action
 end
 end
 end
 end
 end
 end
-
+
+ -- then look in the user-editable roles
 local entry = authenticator.auth.read_entry(self, authenticator.roletable, "", role)
 if entry then
 temp = format.string_to_table(entry, ",")
@@ -214,17 +231,11 @@ get_role_perm = function(self,role)
 end
 end
- return permissions, permissions_array
+ return permissions, permissions_array, default_permissions_array
 end
 -- Delete a role from role file
 delete_role = function(self, role)
- for x,ro in ipairs(default_roles) do
- if role==ro then
- return false, "Cannot delete default roles"
- end
- end
-
 local result = authenticator.auth.delete_entry(self, authenticator.roletable, "", role)
 local cmdresult = "Role entry not found"
 if result then cmdresult = "Role deleted" end
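Review bot: `default_permissions_array = {}` in get_role_perm is assigned without `local`, so under `module(..., package.seeall)` it becomes a field of the module table that any other caller can read or overwrite between calls; `permissions` and `permissions_array` above it already have this problem, but the new line should not add a third — `local default_permissions_array = {}` works, since the `return` that hands it back (later hunk) is in the same function scope. The updated comment `-- find all of the default roles files and parse them` could also say that every permission found here is copied into `default_permissions_array`, so callers can tell file-defined permissions from the user-editable overlay.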
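Review bot: With the `Cannot delete default roles` guard gone, delete_role on a role that exists only in a .roles file (GUEST, USER, EXPERT, ADMIN) falls through to `delete_entry`, finds no roletable entry and reports `Role entry not found`, although the built-in role is of course still in effect — the message does not convey that. The same guard removal in set_role_perm (next hunk) means a roletable overlay can now be written for `guest_role`, and because get_roles_perm unconditionally sets `reverseroles[guest_role]`, those extra permissions apply to every request, including the unauthenticated logon flow. If extending GUEST through the editor is intended, say so in a comment on set_role_perm; if not, keep a guard such as `if role == guest_role then return false, "Cannot modify guest role" end`. Either way a comment on delete_role noting that it only removes the user-editable overlay, never the file-defined defaults, would stop the old guard from being reinstated by mistake.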
@@ -237,11 +248,6 @@ set_role_perm = function(self, role, permissions, permissions_array)
 if role==nil or role=="" then
 return false, "Invalid Role"
 end
- for x,ro in ipairs(default_roles) do
- if role==ro then
- return false, "Cannot modify default roles"
- end
- end
 if string.find(role, '[^%w_]') then
 return false, "Role can only contain letters, numbers, and '_'"
 end
@@ -253,9 +259,6 @@ set_role_perm = function(self, role, permissions, permissions_array)
 end
 end
 end
- if permissions_array==nil or #permissions_array==0 then
- return false, "No permissions set"
- end
- return authenticator.auth.write_entry(self, authenticator.roletable, "", role, table.concat(permissions_array,","))
+ return authenticator.auth.write_entry(self, authenticator.roletable, "", role, table.concat(permissions_array or {},","))
 end
@@ -1,2 +1,2 @@
-alpine:cc03e747a6afbbcbf8be7668acfebee5:Test Account:CREATE,UPDATE,DELETE,READ
-foo:cc03e747a6afbbcbf8be7668acfebee5:Test Account:CREATE,DELETE
+alpine:cc03e747a6afbbcbf8be7668acfebee5:Test Account:ADMIN
+foo:cc03e747a6afbbcbf8be7668acfebee5:Test Account:USER
@@ -1,3 +0,0 @@
-ALL=welcome:read,logon:logon,logon:logout,logon:status
-CREATE=password:status,password:edituser,password:newuser,password:deleteuser,roles:getpermslist,roles:viewuserroles,roles:viewroleperms,roles:viewroles,roles:editrole,roles:deleterole,roles:newrole
-READ=password:editme,roles:read |