oqapi/webgui
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

enhance format of .wgaccess files to provide security for Gallery files

Browse source
This commit is contained in:
Graham Knop 2010-02-16 10:42:56 -06:00
parent 1cd7d8fbc7
commit 8206aeaec5
5 changed files with 121 additions and 42 deletions
Download patch file Download diff file Expand all files Collapse all files

11
lib/WebGUI/Asset/File.pm
View file

@ -78,10 +78,19 @@ A hash reference of optional parameters. None at this time.
sub applyConstraints {
my $self = shift;
$self->getStorageLocation->setPrivileges($self->get('ownerUserId'), $self->get('groupIdView'), $self->get('groupIdEdit'));
$self->setPrivileges;
$self->setSize;
}
sub setPrivileges {
my $self = shift;
$self->getStorageLocation->setPrivileges(
$self->get('ownerUserId'),
$self->get('groupIdView'),
$self->get('groupIdEdit'),
);
}
#-------------------------------------------------------------------

5
lib/WebGUI/Asset/File/GalleryFile.pm
View file

@ -1196,5 +1196,10 @@ sub www_view {
return "chunked";
}
sub setPrivileges {
my $self = shift;
$self->getStorageLocation->setPrivileges($self);
}
1; # Who knew the truth would be so obvious?

45
lib/WebGUI/Storage.pm
View file

@ -26,6 +26,7 @@ use Image::Magick;
use Path::Class::Dir;
use Storable ();
use WebGUI::Utility qw(isIn);
use JSON ();
=head1 NAME
@ -1665,10 +1666,42 @@ The groupId that is allowed to edit the files in this storage location.
=cut
sub setPrivileges {
my $self = shift;
my $owner = shift;
my $viewGroup = shift;
my $editGroup = shift;
my $self = shift;
my %privs = (
users => [],
groups => [],
assets => [],
);
if (@_ == 3 && !ref $_[0] && !ref $_[1] && !ref $_[0]) {
push @{ $privs{users} }, $_[0];
push @{ $privs{groups} }, @_[1,2];
}
else {
for my $object (@_) {
if ($object->isa('WebGUI::User')) {
push @{ $privs{users} }, $object->getId;
}
elsif ($object->isa('WebGUI::Group')) {
push @{ $privs{groups} }, $object->getId;
}
elsif ($object->isa('WebGUI::Asset')) {
push @{ $privs{assets} }, $object->getId;
}
}
}
my $public;
for my $user (@{ $privs{users} }) {
if ($user eq '1') {
$public = 1;
}
}
for my $group (@{ $privs{groups} }) {
if ($group eq '1' || $group eq '7') {
$public = 1;
}
}
my $accessFile = JSON->new->encode( \%privs );
my $dirObj = $self->getPathClassDir();
return undef if ! defined $dirObj;
@ -1678,11 +1711,11 @@ sub setPrivileges {
return unless $obj->is_dir;
my $rel = $obj->relative($dirObj);
if ($owner eq '1' || $viewGroup eq '1' || $viewGroup eq '7' || $editGroup eq '1' || $editGroup eq '7') {
if ($public) {
$self->deleteFile($rel->file('.wgaccess')->stringify);
}
else {
$self->addFileFromScalar($rel->file('.wgaccess')->stringify,$owner."\n".$viewGroup."\n".$editGroup);
$self->addFileFromScalar($rel->file('.wgaccess')->stringify, $accessFile);
}
}
);

82
lib/WebGUI/URL/Uploads.pm
View file

@ -47,38 +47,58 @@ The Apache request handler for this package.
sub handler {
my ($request, $server, $config) = @_;
$request->push_handlers(PerlAccessHandler => sub {
if (-e $request->filename) {
my $path = $request->filename;
$path =~ s/^(\/.*\/).*$/$1/;
if (-e $path.".wgaccess") {
my $fileContents;
open(my $FILE, "<" ,$path.".wgaccess");
while (my $line = <$FILE>) {
$fileContents .= $line;
}
close($FILE);
my @privs = split("\n", $fileContents);
unless ($privs[1] eq "7" || $privs[1] eq "1") {
my $session = $request->pnotes('wgSession');
unless (defined $session) {
$session = WebGUI::Session->open($server->dir_config('WebguiRoot'), $config->getFilename, $request, $server);
}
my $hasPrivs = ($session->var->get("userId") eq $privs[0] || $session->user->isInGroup($privs[1]) || $session->user->isInGroup($privs[2]));
$session->close();
if ($hasPrivs) {
return Apache2::Const::OK;
}
else {
return Apache2::Const::AUTH_REQUIRED;
}
}
}
return Apache2::Const::OK;
}
$request->push_handlers(PerlAccessHandler => sub {
my $path = $request->filename;
return Apache2::Const::NOT_FOUND
unless -e $path;
$path =~ s{[^/]*$}{};
return Apache2::Const::OK
unless -e $path . '.wgaccess';
my $fileContents;
open my $FILE, '<' , $path . '.wgaccess';
my $fileContents = do { local $/; <$FILE> };
close($FILE);
my @users;
my @groups;
my @assets;
if ($fileContents =~ /\A(?:\d+|[A-Za-z0-9_-]{22})\n(?:\d+|[A-Za-z0-9_-]{22})\n(?:\d+|[A-Za-z0-9_-]{22})/) {
my @privs = split("\n", $fileContents);
push @users, $privs[0];
push @groups, @privs[1,2];
}
else {
return Apache2::Const::NOT_FOUND;
}
my $privs = JSON->new->decode($fileContents);
@users = @{ $privs->{users} };
@groups = @{ $privs->{groups} };
@assets = @{ $privs->{assets} };
}
return Apache2::Const::OK
if grep { $_ eq '1' } @users;
return Apache2::Const::OK
if grep { $_ eq '1' || $_ eq '7' } @groups;
my $session = $request->pnotes('wgSession');
unless (defined $session) {
$session = WebGUI::Session->open($server->dir_config('WebguiRoot'), $config->getFilename, $request, $server);
}
my $userId = $session->var->get('userId');
return Apache2::Const::OK
if grep { $_ eq $userId } @users;
my $user = $session->user;
return Apache2::Const::OK
if grep { $user->isInGroup($_) } @groups;
return Apache2::Const::OK
if grep { WebGUI::Asset->new($session, $_)->canView } @assets;
return Apache2::Const::AUTH_REQUIRED;
} );
return Apache2::Const::OK;
}

20
t/Storage.t
View file

@ -32,7 +32,7 @@ my $cwd = Cwd::cwd();
my ($extensionTests, $fileIconTests) = setupDataDrivenTests($session);
my $numTests = 134; # increment this value for each test you create
my $numTests = 136; # increment this value for each test you create
plan tests => $numTests + scalar @{ $extensionTests } + scalar @{ $fileIconTests };
my $uploadDir = $session->config->get('uploadsPath');
@ -508,7 +508,7 @@ my $shallowDir = $shallowStorage->getPathClassDir();
ok(-e $shallowDir->file('.wgaccess')->stringify, 'setPrivilege: .wgaccess file created in shallow storage');
my $privs;
$privs = $shallowStorage->getFileContentsAsScalar('.wgaccess');
is ($privs, "3\n3\n3", '... correct group contents');
is ($privs, '{"assets":[],"groups":["3","3"],"users":["3"]}', '... correct group contents');
$shallowStorage->deleteFile('.wgaccess');
my $deepStorage = WebGUI::Storage->create($session);
@ -524,9 +524,21 @@ ok(-e $deepDir->file('.wgaccess')->stringify, '.wgaccess file created in dee
ok(-e $deepDeepDir->file('.wgaccess')->stringify, '.wgaccess file created in deep storage subdir');
$privs = $deepStorage->getFileContentsAsScalar('.wgaccess');
is ($privs, "3\n3\n3", '... correct group contents, deep storage');
is ($privs, '{"assets":[],"groups":["3","3"],"users":["3"]}', '... correct group contents, deep storage');
$privs = $deepStorage->getFileContentsAsScalar('deep/.wgaccess');
is ($privs, "3\n3\n3", '... correct group contents, deep storage subdir');
is ($privs, '{"assets":[],"groups":["3","3"],"users":["3"]}', '... correct group contents, deep storage subdir');
{
my $storage = WebGUI::Storage->create($session);
addToCleanup($storage);
my $asset = WebGUI::Asset->getRoot($session);
$storage->setPrivileges( $asset );
my $accessFile = $storage->getPathClassDir->file('.wgaccess');
ok(-e $accessFile, 'setPrivilege: .wgaccess file created for asset permissions');
my $privs = $accessFile->slurp;
is ($privs, '{"assets":["' . $asset->getId . '"],"groups":[],"users":[]}', '... correct asset contents');
}
####################################################
#