Fix permission checks. Note that red dot can do anything, including

ssh in as the user. Maybe change that?

Fix permission checks. Note that red dot can do anything, including
ssh in as the user. Maybe change that?
f858cf7b · Leigh B Stoller · efc655dc · f858cf7b
Commit f858cf7b authored Feb 28, 2014 by Leigh B Stoller
Hide whitespace changes
Inline Side-by-side

Showing with 12 additions and 5 deletions

www/aptui/status.php www/aptui/status.php +12 -5

No files found.
--- a/www/aptui/status.php
+++ b/www/aptui/status.php
@@ -100,12 +100,16 @@ if (!$creator) {
    return;
 }
 #
-# We do not enforce strict permissions on a guest created instance,
-# but we do if it was created by a real user.
+# Only logged in admins can access an experiment created by someone else.
 #
-if (get_class($creator) == "User") {
-    if (! (isset($this_user) &&
-	   ($creator->uuid() == $this_user->uuid() || ISADMIN()))) {
+if (! (isset($this_user) && ISADMIN())) {
+    # An experiment created by a real user, can be accessed by that user only.
+    # Ditto a guest user; must be the same guest.
+    if (! ((get_class($creator) == "User" &&
+	    isset($this_user) && $creator->uuid() == $this_user->uuid()) ||
+	   (get_class($creator) == "GeniUser" &&
+	    isset($_COOKIE['quickvm_user']) &&
+	    $_COOKIE['quickvm_user'] == $creator->uuid()))) {
 	if ($ajax_request) {
 	    SPITAJAX_ERROR(1, "You do not have permission!");
 	    exit();
@@ -131,6 +135,9 @@ if (isset($ajax_request)) {
 	SPITAJAX_RESPONSE($instance->manifest());
    }
    elseif ($ajax_method == "ssh_authobject") {
+	#
+	#
+	#
 	SPITAJAX_RESPONSE(SSHAuthObject($creator->uid(), $ajax_argument));
    }
    elseif ($ajax_method == "request_extension") {