oqapi/webgui
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Added new feature to validate groups against external databases

Browse source
This commit is contained in:
Andy Grundman 2003-07-03 05:11:40 +00:00
parent 075c6d4e24
commit 2788250eeb
8 changed files with 725 additions and 475 deletions
Download patch file Download diff file Expand all files Collapse all files

98
lib/WebGUI/DatabaseLink.pm
View file

@ -34,6 +34,10 @@ This package contains utility methods for WebGUI's database link system.
%links = WebGUI::DatabaseLink::getHash();
%databaseLink = WebGUI::DatabaseLink::get($databaseLinkId);
%using = WebGUI::Databaselink::whatIsUsing($databaseLinkId);
$dbLink = WebGUI::DatabaseLink->new($databaseLinkId);
$dbh = $dbLink->dbh;
$dbLink->disconnect;
=head1 METHODS
@ -75,7 +79,8 @@ sub get {
#-------------------------------------------------------------------
=head2 whatIsUsing ( databaseLinkId )
Returns an array of hashrefs containing wobjects which use a database link.
Returns an array of hashrefs containing items which use a database link. This method will
need to be updated any time a new item starts using Database Links.
=over
@ -88,6 +93,7 @@ A valid databaseLinkId
=cut
sub whatIsUsing {
# get list of SQLReports
my $sql = 'select wobject.wobjectId, wobject.title, page.menuTitle, page.urlizedTitle from wobject, SQLReport, page '.
'where SQLReport.databaseLinkId = '.$_[0].' and SQLReport.wobjectId = wobject.wobjectId '.
'and wobject.pageId = page.pageId';
@ -97,8 +103,98 @@ sub whatIsUsing {
push @using, $data;
}
$sth->finish;
# get list of groups
$sql = 'select groupId, groupName from groups where databaseLinkId = '.$_[0];
$sth = WebGUI::SQL->read($sql);
while (my $data = $sth->hashRef()) {
push @using, $data;
}
$sth->finish;
return @using;
}
#-------------------------------------------------------------------
=head2 disconnect ( )
Disconnect cleanly from the current databaseLink.
=cut
sub disconnect {
my ($class, $value);
$class = shift;
$value = shift;
if (defined $class->{_dbh}) {
$class->{_dbh}->disconnect() unless ($class->{_databaseLink}{DSN} eq $session{config}{dsn});
}
}
#-------------------------------------------------------------------
=head2 dbh ( )
Return a DBI handle for the current databaseLink, connecting if necessary.
=cut
sub dbh {
my ($class, $value);
my ($dsn, $username, $identifier);
$class = shift;
$value = shift;
if (defined $class->{_dbh}) {
return $class->{_dbh};
}
$dsn = $class->{_databaseLink}{DSN};
$username = $class->{_databaseLink}{username};
$identifier = $class->{_databaseLink}{identifier};
if ($dsn eq $session{config}{dsn}) {
$class->{_dbh} = $session{dbh};
return $session{dbh};
} elsif ($dsn =~ /\DBI\:\w+\:\w+/i) {
eval{
$class->{_dbh} = DBI->connect($dsn,$username,$identifier);
};
if ($@) {
WebGUI::ErrorHandler::warn("DatabaseLink [".$_[0]."] ".$@);
} else {
return $class->{_dbh};
}
} else {
WebGUI::ErrorHandler::warn("DatabaseLink [".$_[0]."] The DSN specified is of an improper format.");
}
return undef;
}
#-------------------------------------------------------------------
=head2 new ( databaseLinkId )
Constructor.
=over
=item databaseLinkId
The databaseLinkId of the databaseLink you're creating an object reference for.
=back
=cut
sub new {
my ($class, $databaseLinkId, %databaseLink);
tie %databaseLink, 'Tie::CPHash';
$class = shift;
$databaseLinkId = shift;
unless ($databaseLinkId eq "") {
%databaseLink = WebGUI::SQL->quickHash("select * from databaseLink where databaseLinkId='$databaseLinkId'");
}
bless {_databaseLinkId => $databaseLinkId, _databaseLink => \%databaseLink }, $class;
}
1;

85
lib/WebGUI/Group.pm
View file

@ -535,6 +535,7 @@ sub new {
$group{expireNotifyOffset} = -14;
$group{deleteOffset} = 14;
$group{expireNotify} = 0;
$group{dbCacheTimeout} = 3600;
} else {
%group = WebGUI::SQL->quickHash("select * from groups where groupId='$groupId'");
}
@ -569,6 +570,90 @@ sub scratchFilter {
return $class->{_group}{"scratchFilter"};
}
#-------------------------------------------------------------------
=head2 dbQuery ( [ value ] )
Returns the dbQuery for this group.
=over
=item value
If specified, the dbQuery is set to this value.
=back
=cut
sub dbQuery {
my ($class, $value);
$class = shift;
$value = shift;
if (defined $value) {
$class->{_group}{"dbQuery"} = $value;
WebGUI::SQL->write("update groups set dbQuery=".quote($value).",
lastUpdated=".time()." where groupId=$class->{_groupId}");
}
return $class->{_group}{"dbQuery"};
}
#-------------------------------------------------------------------
=head2 databaseLinkId ( [ value ] )
Returns the databaseLinkId for this group.
=over
=item value
If specified, the databaseLinkId is set to this value.
=back
=cut
sub databaseLinkId {
my ($class, $value);
$class = shift;
$value = shift;
if (defined $value) {
$class->{_group}{"databaseLinkId"} = $value;
WebGUI::SQL->write("update groups set databaseLinkId=".quote($value).",
lastUpdated=".time()." where groupId=$class->{_groupId}");
}
return $class->{_group}{"databaseLinkId"};
}
#-------------------------------------------------------------------
=head2 dbCacheTimeout ( [ value ] )
Returns the dbCacheTimeout for this group.
=over
=item value
If specified, the dbCacheTimeout is set to this value.
=back
=cut
sub dbCacheTimeout {
my ($class, $value);
$class = shift;
$value = shift;
if (defined $value) {
$class->{_group}{"dbCacheTimeout"} = $value;
WebGUI::SQL->write("update groups set dbCacheTimeout=".quote($value).",
lastUpdated=".time()." where groupId=$class->{_groupId}");
}
return $class->{_group}{"dbCacheTimeout"};
}
1;

8
lib/WebGUI/Operation/DatabaseLink.pm
View file

@ -60,8 +60,12 @@ sub www_deleteDatabaseLink {
$output .= '<h1>'.WebGUI::International::get(987).'</h1>';
$output .= WebGUI::International::get(988).'<p>';
foreach my $using (WebGUI::DatabaseLink::whatIsUsing($session{form}{dlid})) {
$output .= '<li>'.WebGUI::International::get(1,'SQL Report').' <a href="'.WebGUI::URL::page('func=edit&wid='.$using->{wobjectId},$using->{urlizedTitle}).'">'
.$using->{title}.'</a> '.WebGUI::International::get(989).' <a href="'.WebGUI::URL::gateway($using->{urlizedTitle}).'">'.$using->{menuTitle}.'</a>.</li>';
if ($using->{title}) {
$output .= '<li>'.WebGUI::International::get(1,'SQLReport').' <a href="'.WebGUI::URL::page('func=edit&wid='.$using->{wobjectId},$using->{urlizedTitle}).'">'
.$using->{title}.'</a> '.WebGUI::International::get(989).' <a href="'.WebGUI::URL::gateway($using->{urlizedTitle}).'">'.$using->{menuTitle}.'</a>.</li>';
} else {
$output .= '<li>'.'Group'.' <a href="'.WebGUI::URL::page('op=editGroup&gid='.$using->{groupId}).'">'.$using->{groupName}.'</a>.</li>';
}
}
$output .= '<p><div align="center"><a href="'.
WebGUI::URL::page('op=deleteDatabaseLinkConfirm&dlid='.$session{form}{dlid})

20
lib/WebGUI/Operation/Group.pm
View file

@ -13,6 +13,7 @@ package WebGUI::Operation::Group;
use Exporter;
use strict;
use Tie::CPHash;
use WebGUI::DatabaseLink;
use WebGUI::DateTime;
use WebGUI::Group;
use WebGUI::Grouping;
@ -216,6 +217,22 @@ sub www_editGroup {
-value=>$g->autoDelete,
-label=>WebGUI::International::get(975)
);
$f->selectList(
-name=>"databaseLinkId",
-options=>{
"0"=>WebGUI::International::get(19,'SQLReport'),
WebGUI::DatabaseLink::getHash(),
},
-label=>WebGUI::International::get(20,'SQLReport'),
-value=>[$g->databaseLinkId],
-subtext=>(WebGUI::Privilege::isInGroup(3)) ? '<a href="'.WebGUI::URL::page("op=listDatabaseLinks").'">'.WebGUI::International::get(981).'</a>' : ""
);
$f->textarea(
-name=>"dbQuery",
-value=>$g->dbQuery,
-label=>WebGUI::International::get(1005)
);
$f->interval("dbCacheTimeout",WebGUI::International::get(1004), WebGUI::DateTime::secondsToInterval($g->dbCacheTimeout));
$f->submit;
$output .= $f->print;
return _submenu($output);
@ -237,6 +254,9 @@ sub www_editGroupSave {
$g->deleteOffset($session{form}{deleteOffset});
$g->autoAdd(WebGUI::FormProcessor::yesNo("autoAdd"));
$g->autoDelete(WebGUI::FormProcessor::yesNo("autoDelete"));
$g->databaseLinkId($session{form}{databaseLinkId});
$g->dbQuery($session{form}{dbQuery});
$g->dbCacheTimeout(WebGUI::FormProcessor::interval("dbCacheTimeout"));
return www_listGroups();
}

932
lib/WebGUI/Privilege.pm
View file

@ -1,447 +1,485 @@
package WebGUI::Privilege;
=head1 LEGAL
-------------------------------------------------------------------
WebGUI is Copyright 2001-2003 Plain Black LLC.
-------------------------------------------------------------------
Please read the legal notices (docs/legal.txt) and the license
(docs/license.txt) that came with this distribution before using
this software.
-------------------------------------------------------------------
http://www.plainblack.com info@plainblack.com
-------------------------------------------------------------------
=cut
use strict;
use Tie::CPHash;
use WebGUI::DateTime;
use WebGUI::Group;
use WebGUI::Grouping;
use WebGUI::International;
use WebGUI::Operation::Account ();
use WebGUI::Session;
use WebGUI::SQL;
use WebGUI::URL;
=head1 NAME
Package WebGUI::Privilege
=head1 DESCRIPTION
This package provides access to the WebGUI security system and security messages.
=head1 SYNOPSIS
use WebGUI::Privilege;
$html = WebGUI::Privilege::adminOnly();
$boolean = WebGUI::Privilege::canEditPage();
$boolean = WebGUI::Privilege::canViewPage();
$html = WebGUI::Privilege::insufficient();
$boolean = WebGUI::Privilege::isInGroup($groupId);
$html = WebGUI::Privilege::noAccess();
$html = WebGUI::Privilege::notMember();
$html = WebGUI::Privilege::vitalComponent();
=head1 METHODS
These functions are available from this package:
=cut
#-------------------------------------------------------------------
=head2 adminOnly ( )
Returns a message stating that this functionality can only be used by administrators. This method also sets the HTTP header status to 401.
=cut
sub adminOnly {
if($session{env}{MOD_PERL}) {
my $r = Apache->request;
if(defined($r)) {
$r->custom_response(401, '<!--Admin Only-->' );
$r->status(401);
}
} else {
$session{header}{status} = 401;
}
my ($output, $sth, @data);
$output = '<h1>'.WebGUI::International::get(35).'</h1>';
$output .= WebGUI::International::get(36);
$output .= '<ul>';
$sth = WebGUI::SQL->read("select users.username,users.userId from users,groupings where users.userId=groupings.userId and groupings.groupId=3 order by users.username");
while (@data = $sth->array) {
$output .= '<li><a href="'.WebGUI::URL::page('op=viewProfile&uid='.$data[1]).'">'.$data[0].'</a>';
}
$sth->finish;
$output .= '</ul><p>';
return $output;
}
#-------------------------------------------------------------------
=head2 canEditPage ( [ pageId ] )
Returns a boolean (0|1) value signifying that the user has the required privileges.
=over
=item pageId
The unique identifier for the page that you wish to check the privileges on. Defaults to the current page id.
=back
=cut
sub canEditPage {
my (%page);
tie %page, 'Tie::CPHash';
if ($_[0] ne "") {
%page = WebGUI::SQL->quickHash("select ownerId,groupIdEdit from page where pageId=$_[0]");
} else {
%page = %{$session{page}};
}
if ($session{user}{userId} == $page{ownerId}) {
return 1;
} elsif (isInGroup($page{groupIdEdit})) {
return 1;
} else {
return 0;
}
}
#Added by Frank Dillon. Wobject API not used due to possible performance issues
#-------------------------------------------------------------------
=head2 canEditWobject ( wobjectId )
Returns a boolean (0|1) value signifying that the user has the required privileges.
=over
=item wobjectId
The unique identifier for the wobject that you wish to check the privileges on.
=back
=cut
sub canEditWobject {
my (%wobject);
tie %wobject, 'Tie::CPHash';
return canEditPage() unless ($session{setting}{wobjectPrivileges} == 1);
%wobject = WebGUI::SQL->quickHash("select ownerId,groupIdEdit from wobject where wobjectId=".quote($_[0]));
if ($session{user}{userId} == $wobject{ownerId}) {
return 1;
} elsif (isInGroup($wobject{groupIdEdit})) {
return 1;
} else {
return 0;
}
}
#-------------------------------------------------------------------
=head2 canViewPage ( [ pageId ] )
Returns a boolean (0|1) value signifying that the user has the required privileges. Always returns true for Admins and users that have the rights to edit this page.
=over
=item pageId
The unique identifier for the page that you wish to check the privileges on. Defaults to the current page id.
=back
=cut
sub canViewPage {
my (%page, $inDateRange);
tie %page, 'Tie::CPHash';
if ($_[0] eq "") {
%page = %{$session{page}};
} else {
%page = WebGUI::SQL->quickHash("select ownerId,groupIdView,startDate,endDate from page where pageId=$_[0]");
}
if ($page{startDate} < time() && $page{endDate} > time()) {
$inDateRange = 1;
}
if ($session{user}{userId} == $page{ownerId}) {
return 1;
} elsif (isInGroup($page{groupIdView}) && $inDateRange) {
return 1;
} elsif (canEditPage($_[0])) {
return 1;
} else {
return 0;
}
}
#Added by Frank Dillon. Wobject API not used due to possible performance issues
#-------------------------------------------------------------------
=head2 canViewWobject ( wobjectId )
Returns a boolean (0|1) value signifying that the user has the required privileges. Always returns true for Admins and users that have the rights to edit this wobject.
=over
=item wobjectId
The unique identifier for the wobject that you wish to check the privileges on.
=back
=cut
sub canViewWobject {
my (%wobject);
tie %wobject, 'Tie::CPHash';
return canViewPage() unless ($session{setting}{wobjectPrivileges} == 1);
%wobject = WebGUI::SQL->quickHash("select ownerId,groupIdView,startDate,endDate from wobject where wobjectId=".quote($_[0]));
if ($wobject{startDate} < time() && $wobject{endDate} > time()) {
if ($session{user}{userId} == $wobject{ownerId}) {
return 1;
} elsif (isInGroup($wobject{groupIdView})) {
return 1;
} elsif (canEditWobject($_[0])) {
return 1;
} else {
return 0;
}
}else{
return 0;
}
}
#-------------------------------------------------------------------
=head2 insufficient ( )
Returns a message stating that the user does not have the required privileges to perform the operation they requested. This method also sets the HTTP header status to 401.
=cut
sub insufficient {
if($session{env}{MOD_PERL}) {
my $r = Apache->request;
if(defined($r)) {
$r->custom_response(401, '<!--Insufficient Privileges-->' );
$r->status(401);
}
} else {
$session{header}{status} = 401;
}
my ($output);
$output = '<h1>'.WebGUI::International::get(37).'</h1>';
$output .= WebGUI::International::get(38);
$output .= '<p>';
return $output;
}
#-------------------------------------------------------------------
=head2 isInGroup ( groupId [ , userId ] )
Returns a boolean (0|1) value signifying that the user has the required privileges. Always returns true for Admins.
=over
=item groupId
The group that you wish to verify against the user.
=item userId
The user that you wish to verify against the group. Defaults to the currently logged in user.
=back
=cut
sub isInGroup {
my ($gid, $uid, @data, %group, $groupId);
($gid, $uid) = @_;
$uid = $session{user}{userId} if ($uid eq "");
### The "Everyone" group automatically returns true.
if ($gid == 7) {
return 1;
}
### The "Visitor" group returns false, unless the user is visitor.
if ($gid == 1) {
if ($uid == 1) {
return 1;
} else {
return 0;
}
}
### The "Registered Users" group returns true if user is not visitor.
if ($gid==2 && $uid != 1) {
return 1;
}
### Use session to cache multiple lookups of the same group.
if ($session{isInGroup}{$gid}{$uid} || $session{isInGroup}{3}{$uid}) {
return 1;
} elsif ($session{isInGroup}{$gid}{$uid} eq "0") {
return 0;
}
### Lookup the actual groupings.
my $groups = WebGUI::Grouping::getGroupsForUser($uid,1);
foreach (@{$groups}) {
$session{isInGroup}{$_}{$uid} = 1;
}
if ($session{isInGroup}{$gid}{$uid} || $session{isInGroup}{3}{$uid}) {
return 1;
}
### Get data for auxillary checks.
tie %group, 'Tie::CPHash';
%group = WebGUI::SQL->quickHash("select karmaThreshold,ipFilter,scratchFilter from groups where groupId='$gid'");
### Check IP Address
if ($group{ipFilter} ne "") {
$group{ipFilter} =~ s/\t//g;
$group{ipFilter} =~ s/\r//g;
$group{ipFilter} =~ s/\n//g;
$group{ipFilter} =~ s/\s//g;
$group{ipFilter} =~ s/\./\\\./g;
my @ips = split(";",$group{ipFilter});
foreach my $ip (@ips) {
if ($session{env}{REMOTE_ADDR} =~ /^$ip/) {
$session{isInGroup}{$gid}{$uid} = 1;
return 1;
}
}
}
### Check Scratch Variables
if ($group{scratchFilter} ne "") {
$group{scratchFilter} =~ s/\t//g;
$group{scratchFilter} =~ s/\r//g;
$group{scratchFilter} =~ s/\n//g;
$group{scratchFilter} =~ s/\s//g;
my @vars = split(";",$group{scratchFilter});
foreach my $var (@vars) {
my ($name, $value) = split(/\=/,$var);
if ($session{scratch}{$name} eq $value) {
$session{isInGroup}{$gid}{$uid} = 1;
return 1;
}
}
}
### Check karma levels.
if ($session{setting}{useKarma}) {
my $karma;
if ($uid == $session{user}{userId}) {
$karma = $session{user}{karma};
} else {
($karma) = WebGUI::SQL->quickHash("select karma from users where userId='$uid'");
}
if ($karma >= $group{karmaThreshold}) {
$session{isInGroup}{$gid}{$uid} = 1;
return 1;
}
}
### Check for groups of groups.
$groups = WebGUI::Grouping::getGroupsInGroup($gid,1);
foreach (@{$groups}) {
$session{isInGroup}{$_}{$uid} = isInGroup($_, $uid);
if ($session{isInGroup}{$_}{$uid}) {
$session{isInGroup}{$gid}{$uid} = 1;
return 1;
}
}
$session{isInGroup}{$gid}{$uid} = 0;
return 0;
}
#-------------------------------------------------------------------
=head2 noAccess ( )
Returns a message stating that the user does not have the privileges necessary to access this page. This method also sets the HTTP header status to 401.
=cut
sub noAccess {
if($session{env}{MOD_PERL}) {
my $r = Apache->request;
if(defined($r)) {
$r->custom_response(401, '<!--No Access-->' );
$r->status(401);
}
} else {
$session{header}{status} = 401;
}
my ($output);
if ($session{user}{userId} <= 1) {
$output = WebGUI::Operation::Account::www_displayAccount();
} else {
$output = '<h1>'.WebGUI::International::get(37).'</h1>';
$output .= WebGUI::International::get(39);
$output .= '<p>';
}
return $output;
}
#-------------------------------------------------------------------
=head2 notMember ( )
Returns a message stating that the user they requested information about is no longer active on this server. This method also sets the HTTP header status to 400.
=cut
sub notMember {
if($session{env}{MOD_PERL}) {
my $r = Apache->request;
if(defined($r)) {
$r->custom_response(400, '<!--Not A Member-->' );
$r->status(400);
}
} else {
$session{header}{status} = 400;
}
my ($output);
$output = '<h1>'.WebGUI::International::get(345).'</h1>';
$output .= WebGUI::International::get(346);
$output .= '<p>';
return $output;
}
#-------------------------------------------------------------------
=head2 vitalComponent ( )
Returns a message stating that the user made a request to delete something that should never delete. This method also sets the HTTP header status to 403.
=cut
sub vitalComponent {
if($session{env}{MOD_PERL}) {
my $r = Apache->request;
if(defined($r)) {
$r->custom_response(403, '<!--Vital Component-->' );
$r->status(403);
}
} else {
$session{header}{status} = 403;
}
my ($output);
$output = '<h1>'.WebGUI::International::get(40).'</h1>';
$output .= WebGUI::International::get(41);
$output .= '<p>';
return $output;
}
1;
package WebGUI::Privilege;
=head1 LEGAL
-------------------------------------------------------------------
WebGUI is Copyright 2001-2003 Plain Black LLC.
-------------------------------------------------------------------
Please read the legal notices (docs/legal.txt) and the license
(docs/license.txt) that came with this distribution before using
this software.
-------------------------------------------------------------------
http://www.plainblack.com info@plainblack.com
-------------------------------------------------------------------
=cut
use strict;
use Tie::CPHash;
use WebGUI::DatabaseLink;
use WebGUI::DateTime;
use WebGUI::Group;
use WebGUI::Grouping;
use WebGUI::International;
use WebGUI::Macro;
use WebGUI::Operation::Account ();
use WebGUI::Session;
use WebGUI::SQL;
use WebGUI::URL;
=head1 NAME
Package WebGUI::Privilege
=head1 DESCRIPTION
This package provides access to the WebGUI security system and security messages.
=head1 SYNOPSIS
use WebGUI::Privilege;
$html = WebGUI::Privilege::adminOnly();
$boolean = WebGUI::Privilege::canEditPage();
$boolean = WebGUI::Privilege::canViewPage();
$html = WebGUI::Privilege::insufficient();
$boolean = WebGUI::Privilege::isInGroup($groupId);
$html = WebGUI::Privilege::noAccess();
$html = WebGUI::Privilege::notMember();
$html = WebGUI::Privilege::vitalComponent();
=head1 METHODS
These functions are available from this package:
=cut
#-------------------------------------------------------------------
=head2 adminOnly ( )
Returns a message stating that this functionality can only be used by administrators. This method also sets the HTTP header status to 401.
=cut
sub adminOnly {
if($session{env}{MOD_PERL}) {
my $r = Apache->request;
if(defined($r)) {
$r->custom_response(401, '<!--Admin Only-->' );
$r->status(401);
}
} else {
$session{header}{status} = 401;
}
my ($output, $sth, @data);
$output = '<h1>'.WebGUI::International::get(35).'</h1>';
$output .= WebGUI::International::get(36);
$output .= '<ul>';
$sth = WebGUI::SQL->read("select users.username,users.userId from users,groupings where users.userId=groupings.userId and groupings.groupId=3 order by users.username");
while (@data = $sth->array) {
$output .= '<li><a href="'.WebGUI::URL::page('op=viewProfile&uid='.$data[1]).'">'.$data[0].'</a>';
}
$sth->finish;
$output .= '</ul><p>';
return $output;
}
#-------------------------------------------------------------------
=head2 canEditPage ( [ pageId ] )
Returns a boolean (0|1) value signifying that the user has the required privileges.
=over
=item pageId
The unique identifier for the page that you wish to check the privileges on. Defaults to the current page id.
=back
=cut
sub canEditPage {
my (%page);
tie %page, 'Tie::CPHash';
if ($_[0] ne "") {
%page = WebGUI::SQL->quickHash("select ownerId,groupIdEdit from page where pageId=$_[0]");
} else {
%page = %{$session{page}};
}
if ($session{user}{userId} == $page{ownerId}) {
return 1;
} elsif (isInGroup($page{groupIdEdit})) {
return 1;
} else {
return 0;
}
}
#Added by Frank Dillon. Wobject API not used due to possible performance issues
#-------------------------------------------------------------------
=head2 canEditWobject ( wobjectId )
Returns a boolean (0|1) value signifying that the user has the required privileges.
=over
=item wobjectId
The unique identifier for the wobject that you wish to check the privileges on.
=back
=cut
sub canEditWobject {
my (%wobject);
tie %wobject, 'Tie::CPHash';
return canEditPage() unless ($session{setting}{wobjectPrivileges} == 1);
%wobject = WebGUI::SQL->quickHash("select ownerId,groupIdEdit from wobject where wobjectId=".quote($_[0]));
if ($session{user}{userId} == $wobject{ownerId}) {
return 1;
} elsif (isInGroup($wobject{groupIdEdit})) {
return 1;
} else {
return 0;
}
}
#-------------------------------------------------------------------
=head2 canViewPage ( [ pageId ] )
Returns a boolean (0|1) value signifying that the user has the required privileges. Always returns true for Admins and users that have the rights to edit this page.
=over
=item pageId
The unique identifier for the page that you wish to check the privileges on. Defaults to the current page id.
=back
=cut
sub canViewPage {
my (%page, $inDateRange);
tie %page, 'Tie::CPHash';
if ($_[0] eq "") {
%page = %{$session{page}};
} else {
%page = WebGUI::SQL->quickHash("select ownerId,groupIdView,startDate,endDate from page where pageId=$_[0]");
}
if ($page{startDate} < time() && $page{endDate} > time()) {
$inDateRange = 1;
}
if ($session{user}{userId} == $page{ownerId}) {
return 1;
} elsif (isInGroup($page{groupIdView}) && $inDateRange) {
return 1;
} elsif (canEditPage($_[0])) {
return 1;
} else {
return 0;
}
}
#Added by Frank Dillon. Wobject API not used due to possible performance issues
#-------------------------------------------------------------------
=head2 canViewWobject ( wobjectId )
Returns a boolean (0|1) value signifying that the user has the required privileges. Always returns true for Admins and users that have the rights to edit this wobject.
=over
=item wobjectId
The unique identifier for the wobject that you wish to check the privileges on.
=back
=cut
sub canViewWobject {
my (%wobject);
tie %wobject, 'Tie::CPHash';
return canViewPage() unless ($session{setting}{wobjectPrivileges} == 1);
%wobject = WebGUI::SQL->quickHash("select ownerId,groupIdView,startDate,endDate from wobject where wobjectId=".quote($_[0]));
if ($wobject{startDate} < time() && $wobject{endDate} > time()) {
if ($session{user}{userId} == $wobject{ownerId}) {
return 1;
} elsif (isInGroup($wobject{groupIdView})) {
return 1;
} elsif (canEditWobject($_[0])) {
return 1;
} else {
return 0;
}
}else{
return 0;
}
}
#-------------------------------------------------------------------
=head2 insufficient ( )
Returns a message stating that the user does not have the required privileges to perform the operation they requested. This method also sets the HTTP header status to 401.
=cut
sub insufficient {
if($session{env}{MOD_PERL}) {
my $r = Apache->request;
if(defined($r)) {
$r->custom_response(401, '<!--Insufficient Privileges-->' );
$r->status(401);
}
} else {
$session{header}{status} = 401;
}
my ($output);
$output = '<h1>'.WebGUI::International::get(37).'</h1>';
$output .= WebGUI::International::get(38);
$output .= '<p>';
return $output;
}
#-------------------------------------------------------------------
=head2 isInGroup ( groupId [ , userId ] )
Returns a boolean (0|1) value signifying that the user has the required privileges. Always returns true for Admins.
=over
=item groupId
The group that you wish to verify against the user.
=item userId
The user that you wish to verify against the group. Defaults to the currently logged in user.
=back
=cut
sub isInGroup {
my ($gid, $uid, @data, %group, $groupId);
($gid, $uid) = @_;
$uid = $session{user}{userId} if ($uid eq "");
### The "Everyone" group automatically returns true.
if ($gid == 7) {
return 1;
}
### The "Visitor" group returns false, unless the user is visitor.
if ($gid == 1) {
if ($uid == 1) {
return 1;
} else {
return 0;
}
}
### The "Registered Users" group returns true if user is not visitor.
if ($gid==2 && $uid != 1) {
return 1;
}
### Use session to cache multiple lookups of the same group.
if ($session{isInGroup}{$gid}{$uid} || $session{isInGroup}{3}{$uid}) {
return 1;
} elsif ($session{isInGroup}{$gid}{$uid} eq "0") {
return 0;
}
### Lookup the actual groupings.
my $groups = WebGUI::Grouping::getGroupsForUser($uid,1);
foreach (@{$groups}) {
$session{isInGroup}{$_}{$uid} = 1;
}
if ($session{isInGroup}{$gid}{$uid} || $session{isInGroup}{3}{$uid}) {
return 1;
}
### Get data for auxillary checks.
tie %group, 'Tie::CPHash';
%group = WebGUI::SQL->quickHash("select karmaThreshold,ipFilter,scratchFilter,databaseLinkId,dbQuery,dbCacheTimeout from groups where groupId='$gid'");
### Check IP Address
if ($group{ipFilter} ne "") {
$group{ipFilter} =~ s/\t//g;
$group{ipFilter} =~ s/\r//g;
$group{ipFilter} =~ s/\n//g;
$group{ipFilter} =~ s/\s//g;
$group{ipFilter} =~ s/\./\\\./g;
my @ips = split(";",$group{ipFilter});
foreach my $ip (@ips) {
if ($session{env}{REMOTE_ADDR} =~ /^$ip/) {
$session{isInGroup}{$gid}{$uid} = 1;
return 1;
}
}
}
### Check Scratch Variables
if ($group{scratchFilter} ne "") {
$group{scratchFilter} =~ s/\t//g;
$group{scratchFilter} =~ s/\r//g;
$group{scratchFilter} =~ s/\n//g;
$group{scratchFilter} =~ s/\s//g;
my @vars = split(";",$group{scratchFilter});
foreach my $var (@vars) {
my ($name, $value) = split(/\=/,$var);
if ($session{scratch}{$name} eq $value) {
$session{isInGroup}{$gid}{$uid} = 1;
return 1;
}
}
}
### Check karma levels.
if ($session{setting}{useKarma}) {
my $karma;
if ($uid == $session{user}{userId}) {
$karma = $session{user}{karma};
} else {
($karma) = WebGUI::SQL->quickHash("select karma from users where userId='$uid'");
}
if ($karma >= $group{karmaThreshold}) {
$session{isInGroup}{$gid}{$uid} = 1;
return 1;
}
}
### Check external database
if ($group{dbQuery} ne "" && $group{databaseLinkId}) {
# skip if not logged in and query contains a User macro
unless ($group{dbQuery} =~ /\^User/i && $uid == 1) {
my $dbLink = WebGUI::DatabaseLink->new($group{databaseLinkId});
my $dbh = $dbLink->dbh;
if (defined $dbh) {
if ($group{dbQuery} =~ /select 1/i) {
$group{dbQuery} = WebGUI::Macro::process($group{dbQuery});
my $sth = WebGUI::SQL->unconditionalRead($group{dbQuery},$dbh);
unless ($sth->errorCode < 1) {
WebGUI::ErrorHandler::warn("There was a problem with the database query for group ID $gid.");
} else {
my ($result) = $sth->array;
if ($result == 1) {
$session{isInGroup}{$gid}{$uid} = 1;
if ($group{dbCacheTimeout} > 0) {
WebGUI::Grouping::deleteUsersFromGroups([$uid],[$gid]);
WebGUI::Grouping::addUsersToGroups([$uid],[$gid],$group{dbCacheTimeout});
}
} else {
$session{isInGroup}{$gid}{$uid} = 0;
WebGUI::Grouping::deleteUsersFromGroups([$uid],[$gid]) if ($group{dbCacheTimeout} > 0);
}
}
$sth->finish;
} else {
WebGUI::ErrorHandler::warn("Database query for group ID $gid must use 'select 1'");
}
$dbLink->disconnect;
return 1 if ($session{isInGroup}{$gid}{$uid});
}
}
}
### Check for groups of groups.
$groups = WebGUI::Grouping::getGroupsInGroup($gid,1);
foreach (@{$groups}) {
$session{isInGroup}{$_}{$uid} = isInGroup($_, $uid);
if ($session{isInGroup}{$_}{$uid}) {
$session{isInGroup}{$gid}{$uid} = 1;
return 1;
}
}
$session{isInGroup}{$gid}{$uid} = 0;
return 0;
}
#-------------------------------------------------------------------
=head2 noAccess ( )
Returns a message stating that the user does not have the privileges necessary to access this page. This method also sets the HTTP header status to 401.
=cut
sub noAccess {
if($session{env}{MOD_PERL}) {
my $r = Apache->request;
if(defined($r)) {
$r->custom_response(401, '<!--No Access-->' );
$r->status(401);
}
} else {
$session{header}{status} = 401;
}
my ($output);
if ($session{user}{userId} <= 1) {
$output = WebGUI::Operation::Account::www_displayAccount();
} else {
$output = '<h1>'.WebGUI::International::get(37).'</h1>';
$output .= WebGUI::International::get(39);
$output .= '<p>';
}
return $output;
}
#-------------------------------------------------------------------
=head2 notMember ( )
Returns a message stating that the user they requested information about is no longer active on this server. This method also sets the HTTP header status to 400.
=cut
sub notMember {
if($session{env}{MOD_PERL}) {
my $r = Apache->request;
if(defined($r)) {
$r->custom_response(400, '<!--Not A Member-->' );
$r->status(400);
}
} else {
$session{header}{status} = 400;
}
my ($output);
$output = '<h1>'.WebGUI::International::get(345).'</h1>';
$output .= WebGUI::International::get(346);
$output .= '<p>';
return $output;
}
#-------------------------------------------------------------------
=head2 vitalComponent ( )
Returns a message stating that the user made a request to delete something that should never delete. This method also sets the HTTP header status to 403.
=cut
sub vitalComponent {
if($session{env}{MOD_PERL}) {
my $r = Apache->request;
if(defined($r)) {
$r->custom_response(403, '<!--Vital Component-->' );
$r->status(403);
}
} else {
$session{header}{status} = 403;
}
my ($output);
$output = '<h1>'.WebGUI::International::get(40).'</h1>';
$output .= WebGUI::International::get(41);
$output .= '<p>';
return $output;
}
1;

43
lib/WebGUI/Wobject/SQLReport.pm
View file

@ -148,7 +148,7 @@ sub www_edit {
#-------------------------------------------------------------------
sub www_view {
my ($dsn, $username, $identifier, $query, @row, $i, $rownum, $p, $ouch, $output, $sth, $dbh, @result, @template, $temp, $col, $errorMessage, $url);
my ($dsn, $username, $identifier, $dbLink, $query, @row, $i, $rownum, $p, $ouch, $output, $sth, $dbh, @result, @template, $temp, $col, $errorMessage, $url);
if ($_[0]->get("preprocessMacros")) {
$query = WebGUI::Macro::process($_[0]->get("dbQuery"));
} else {
@ -161,29 +161,24 @@ sub www_view {
$output .= $_[0]->description;
$output .= WebGUI::International::get(17,$_[0]->get("namespace"))." ".$query."<p>" if ($_[0]->get("debugMode"));
# pull database link info if selected
# connect to external database if used
if ($_[0]->get("databaseLinkId")) {
my %databaseLink = WebGUI::DatabaseLink::get($_[0]->get("databaseLinkId"));
# failsafe check in case the link gets deleted
if ($databaseLink{DSN}) {
$dsn = $databaseLink{DSN};
$username = $databaseLink{username};
$identifier = $databaseLink{identifier};
$dbLink = WebGUI::DatabaseLink->new($_[0]->get("databaseLinkId"));
$dbh = $dbLink->dbh;
} else {
if ($dsn eq $session{config}{dsn}) {
$dbh = $session{dbh};
} elsif ($dsn =~ /\DBI\:\w+\:\w+/i) {
eval{$dbh = DBI->connect($dsn,$username,$identifier)};
if ($@) {
WebGUI::ErrorHandler::warn("SQL Report [".$_[0]->get("wobjectId")."] ".$@);
undef $dbh;
}
} else {
$output .= WebGUI::International::get(9,$_[0]->get("namespace")).'<p>' if ($_[0]->get("debugMode"));
WebGUI::ErrorHandler::warn("SQLReport [".$_[0]->get("wobjectId")."] The DSN specified is of an improper format.");
}
}
if ($dsn eq $session{config}{dsn}) {
$dbh = $session{dbh};
} elsif ($dsn =~ /\DBI\:\w+\:\w+/) {
eval{$dbh = DBI->connect($dsn,$username,$identifier)};
if ($@) {
WebGUI::ErrorHandler::warn("SQL Report [".$_[0]->get("wobjectId")."] ".$@);
undef $dbh;
}
} else {
$output .= WebGUI::International::get(9,$_[0]->get("namespace")).'<p>' if ($_[0]->get("debugMode"));
WebGUI::ErrorHandler::warn("SQLReport [".$_[0]->get("wobjectId")."] The DSN specified is of an improper format.");
}
if (defined $dbh) {
if ($query =~ /^select/i || $query =~ /^show/i || $query =~ /^describe/i) {
$sth = WebGUI::SQL->unconditionalRead($query,$dbh);
@ -242,7 +237,11 @@ sub www_view {
$output .= WebGUI::International::get(10,$_[0]->get("namespace")).'<p>' if ($_[0]->get("debugMode"));
WebGUI::ErrorHandler::warn("SQLReport [".$_[0]->get("wobjectId")."] The SQL query is improperly formatted.");
}
$dbh->disconnect() unless ($dsn eq $session{config}{dsn});
if ($dbLink) {
$dbLink->disconnect;
} else {
$dbh->disconnect() unless ($dsn eq $session{config}{dsn});
}
} else {
$output .= WebGUI::International::get(12,$_[0]->get("namespace")).'<p>' if ($_[0]->get("debugMode"));
WebGUI::ErrorHandler::warn("SQLReport [".$_[0]->get("wobjectId")."] Could not connect to database.");