Commit f858cf7b authored by Leigh B Stoller's avatar Leigh B Stoller

Fix permission checks. Note that red dot can do anything, including

ssh in as the user. Maybe change that?
parent efc655dc
......@@ -100,12 +100,16 @@ if (!$creator) {
return;
}
#
# We do not enforce strict permissions on a guest created instance,
# but we do if it was created by a real user.
# Only logged in admins can access an experiment created by someone else.
#
if (get_class($creator) == "User") {
if (! (isset($this_user) &&
($creator->uuid() == $this_user->uuid() || ISADMIN()))) {
if (! (isset($this_user) && ISADMIN())) {
# An experiment created by a real user, can be accessed by that user only.
# Ditto a guest user; must be the same guest.
if (! ((get_class($creator) == "User" &&
isset($this_user) && $creator->uuid() == $this_user->uuid()) ||
(get_class($creator) == "GeniUser" &&
isset($_COOKIE['quickvm_user']) &&
$_COOKIE['quickvm_user'] == $creator->uuid()))) {
if ($ajax_request) {
SPITAJAX_ERROR(1, "You do not have permission!");
exit();
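Review bot: The guest branch of the new condition accepts the request when `$_COOKIE['quickvm_user'] == $creator->uuid()`, so the creator's uuid works as a client-supplied bearer credential, and it is compared with PHP's loose `==`. Whether that uuid is exposed anywhere else (URLs, manifests, logs) is not visible in this hunk; if it is, knowing it is enough to pass the check, so confirm it is treated as a secret or tie the guest to a server-side session. At minimum make the comparison strict and type-checked, e.g. `is_string($_COOKIE['quickvm_user']) && hash_equals($creator->uuid(), $_COOKIE['quickvm_user'])`, and use `===` for the `$this_user->uuid()` comparison as well. The enclosing `if` blocks continue past the end of the hunk.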
......@@ -131,6 +135,9 @@ if (isset($ajax_request)) {
SPITAJAX_RESPONSE($instance->manifest());
}
elseif ($ajax_method == "ssh_authobject") {
#
#
#
SPITAJAX_RESPONSE(SSHAuthObject($creator->uid(), $ajax_argument));
}
elseif ($ajax_method == "request_extension") {
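Review bot: The three `#` lines added above the `SSHAuthObject(...)` call are an empty comment, although this is the branch the commit message itself questions. As written, any caller that passed the earlier permission check, including an admin who is not the creator, receives an auth object built for `$creator->uid()`. Fill the comment in with that fact, for example `# Admins pass the check above, so this issues an SSH auth object for the creator's uid to a non-creator.` Consider also either limiting this method to the creator or recording which admin requested the object, so that access as another user is attributable. The `if`/`elseif` chain starts and ends outside the hunk.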
......