Commit 28603260 authored by Leigh Stoller's avatar Leigh Stoller

Fix up the permission checks for selecting which profiles to show the user. We are

going to ignore the listed flag, and show users (guest or logged in) those
profiles they are allowed to instantiate.
parent 8cb05e32
......@@ -48,12 +48,9 @@ function Do_GetProfile()
SPITAJAX_ERROR(1, "No such profile $uuid");
return;
}
#
# On this path, we do not do any permissions checks since
# knowing the uuid of the profile means you are allowed to
# access it, regardless of the privacy settings. Not sure
# I like this ...
# Knowing the UUID means the user can instantiate it,
# so no permission checks on the profile.
#
SPITAJAX_RESPONSE(array('rspec' => $profile->rspec(),
'name' => $profile->name()));
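Review bot: The rewritten comment at the top of the hunk turns the old "not sure I like this" into a statement of policy, but nothing in the hunk makes the uuid a capability: Do_GetProfile returns the rspec and name of any profile whose uuid is known, with no public/shared/creator check, while the rest of this commit adds `CanInstantiate`/`CanView` for exactly that purpose. If the uuid is intended to be an unguessable bearer token the comment should say so explicitly (and that depends on how uuids are generated, which is not visible here); otherwise this path could use the new check, e.g. `if (!$profile->CanView($this_user)) { SPITAJAX_ERROR(1, "No permission"); return; }`, with the caveat that `CanInstantiate` as written in this commit does not accept a null user. Do_GetProfile starts before the hunk.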
......
......@@ -116,7 +116,8 @@ if (isset($profile)) {
# Must be public or belong to user.
#
if (! ($obj->ispublic() ||
$obj->creator_idx() == $this_user->uid_idx())) {
(isset($this_user) &&
$obj->creator_idx() == $this_user->uid_idx()))) {
SPITUSERERROR("No permission to use profile: $profile");
exit();
}
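Review bot: The added `isset($this_user)` guard fixes the guest case, but the test on `ispublic()` or creator is narrower than the rules the rest of this commit introduces: the listing query in the following hunk also admits `shared=1` and project members, and `Profile::CanInstantiate` does the same, so a user who is shown a shared or project profile and passes it by name would be refused here. Routing through the new method keeps the two in step: `if (! (isset($this_user) ? $obj->CanInstantiate($this_user) : $obj->ispublic())) {`, keeping the public-only path for guests since `CanInstantiate` dereferences `$user`. The enclosing `if (isset($profile))` block begins before the hunk.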
......@@ -125,31 +126,40 @@ if (isset($profile)) {
$profilename = $obj->name();
}
}
#
# Find all the public and user profiles. We use the UUID instead of
# indicies cause we do not want to leak internal DB state to guest
# users.
#
$query_result =
DBQueryFatal("select * from apt_profiles as p ".
"left join apt_profile_versions as v on ".
" v.profileid=p.profileid and ".
" v.version=p.version ".
"where locked is null and (public=1 " .
($this_user ? "or creator_idx=" . $this_user->uid_idx() : "").
")");
while ($row = mysql_fetch_array($query_result)) {
$profile_array[$row["uuid"]] = $row["name"];
if ($row["pid"] == $TBOPSPID && $row["name"] == $profile_default) {
$profile_default = $row["uuid"];
}
if (isset($profile)) {
# Look for the profile by project/name and switch to uuid.
if (isset($project) &&
$row["pid"] == $project->pid() &&
$row["name"] == $profile) {
$profile = $row["uuid"];
else {
#
# Find all the public and user profiles. We use the UUID instead of
# indicies cause we do not want to leak internal DB state to guest
# users. Need to decide on what clause to use, depending on whether
# a guest user or not.
#
$joinclause = "";
$whereclause = "";
if (!isset($this_user)) {
$whereclause = "p.public=1";
}
else {
$this_idx = $this_user->uid_idx();
$joinclause =
"left join group_membership as g on ".
" g.uid_idx='$this_idx' and ".
" g.pid_idx=v.pid_idx and g.pid_idx=g.gid_idx";
$whereclause =
"p.public=1 or p.shared=1 or v.creator_idx='$this_idx' or ".
"g.uid_idx is not null ";
}
$query_result =
DBQueryFatal("select p.*,v.* from apt_profiles as p ".
"left join apt_profile_versions as v on ".
" v.profileid=p.profileid and ".
" v.version=p.version ".
"$joinclause ".
"where locked is null and ($whereclause)");
while ($row = mysql_fetch_array($query_result)) {
$profile_array[$row["uuid"]] = $row["name"];
if ($row["pid"] == $TBOPSPID && $row["name"] == $profile_default) {
$profile_default = $row["uuid"];
}
}
}
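Review bot: The membership clause `g.uid_idx is not null` grants visibility to any group_membership row for the project, whereas `CanInstantiate`, added later in this commit, additionally requires `$isapproved`; if unapproved members have rows in that table (not visible here), they will be listed profiles they then cannot instantiate. If group_membership carries an approval or trust column, applying it in the join condition would make listing and instantiation agree. Separately, `$this_idx` is interpolated straight into both the join and the where clause; it comes from `uid_idx()` and is presumably numeric, but `$this_idx = (int) $this_user->uid_idx();` costs nothing and keeps the query safe if that ever changes. The `else` at the start of the hunk pairs with an `if (isset($profile))` that begins before it.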
......
......@@ -260,6 +260,8 @@ if (! isset($create)) {
if (isset($_SESSION["notifyupdate"])) {
$notifyupdate = 1;
unset($_SESSION["notifyupdate"]);
session_destroy();
session_commit();
}
#
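Review bot: The added `session_destroy()` discards every value in `$_SESSION`, not just the one-shot notifyupdate flag, and the `unset` on the line above already removes that flag; unless the session holds nothing else (not visible here), this is heavier than needed and would drop any other session state on the first page view after an update. If the intent really is to end the session, note that `session_destroy()` does not expire the client cookie, so `setcookie(session_name(), '', time() - 42000, '/');` is needed for that as well. The enclosing `if (! isset($create))` starts before the hunk.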
......
......@@ -362,5 +362,31 @@ class Profile
}
return 0;
}
#
# Permission check; does user have permission to instantiate the
# profile. At the moment, view/instantiate are the same.
#
function CanInstantiate($user) {
$profileid = $this->profileid();
if ($profile->shared() || $profile->ispublic() ||
$profile->creator_idx() == $user->uid_idx()) {
return 1;
}
# Otherwise a project membership test.
$project = Project::Lookup($profile->pid_idx());
if (!$project) {
return 0;
}
$isapproved = 0;
if ($project->IsMember($user, $isapproved) && $isapproved) {
return 1;
}
return 0;
}
function CanView($user) {
return $this->CanInstantiate($user);
}
}
?>
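Review bot: `CanInstantiate` references `$profile` throughout (`$profile->shared()`, `$profile->ispublic()`, `$profile->creator_idx()`, `$profile->pid_idx()`), but no such variable exists in the method; this is a Profile method, so those must be `$this`, and as written the first call fails on a non-object. `$profileid` on the method's first line is never used. The method also dereferences `$user` unconditionally, while the listing hunk in this commit treats guests (`!isset($this_user)`) as public-only, so a null user should fall back to the public check rather than fault. Rewritten method below; `CanView` can stay as is.
```php
    function CanInstantiate($user) {
        # Guests (no $user) only ever see public profiles, matching the
        # listing query.
        if ($this->ispublic()) {
            return 1;
        }
        if (!$user) {
            return 0;
        }
        if ($this->shared() || $this->creator_idx() == $user->uid_idx()) {
            return 1;
        }
        # Otherwise a project membership test.
        $project = Project::Lookup($this->pid_idx());
        if (!$project) {
            return 0;
        }
        $isapproved = 0;
        if ($project->IsMember($user, $isapproved) && $isapproved) {
            return 1;
        }
        return 0;
    }
```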