added privilege access handler to storage system

2004-12-31 04:00:24 +00:00 · 2004-12-31 04:00:24 +00:00 · de282a98b5
commit de282a98b5
parent 8c77e3dfb7
10 changed files with 124 additions and 10 deletions
--- a/docs/changelog/6.x.x.txt
+++ b/docs/changelog/6.x.x.txt
@ -51,7 +51,9 @@
   feature. 
 - Added new asset type: File Pile. This allows you to do a mass upload of
   files and images.
- - Added CDG Commerce iTransact payment plugin. (Martin Kamerbeek)
+ - Added a privilege access handler to the uploads file system.
+ - Added CDG Commerce iTransact payment plugin.
+

 6.2.9
 - bugfix [ 1058105 ] input tag has to be closed with /
--- a/docs/gotcha.txt
+++ b/docs/gotcha.txt
@ -56,13 +56,29 @@ save you many hours of grief.

 * The default path for WebGUI backups is now /tmp/backups rather than
 	/data/backups
- 
+
+ * You may add optional protection for your uploaded WebGUI files. This
+	will check the privileges of the files from the WebGUI database
+	before sending them to the browser. To enable this you must use
+	these directives:
+
+	SetPerlVar WebguiRoot /data/WebGUI
+	PerlRequire /data/WebGUI/sbin/uploadAccessHandler.perl
+
+	And then add this to each virtual host you wish to protect:
+
+	PerlSetEnv WebguiConfig www.example.com.conf
+	<Location /uploads>
+		PerlAccessHandler WebGUI::UploadsAccessHandler
+	</Location>
+
 * In order to use the CDG Commerce iTransact payment plugin you'll have to 
 	make sure that the following modules are installed:
 		- XML::Simple
 		- LWP::UserAgent
 		- HTTP::Cookies

+
 6.2.8
 --------------------------------------------------------------------
 * Due to a bug in the theme system, if you created any themes in any
--- a/docs/install.txt
+++ b/docs/install.txt
@ -6,11 +6,11 @@ The following is a rough overview of how to install WebGUI. For
 more detailed instructions read the WebGUI installation 
 documentation.
   
-   http://plainblack.com/installation
+   http://www.plainblack.com/installing_webgui

 QnD INSTALL INSTRUCTIONS:

-1. Install Perl 5.6.x or greater.
+1. Install Perl 5.6.x or greater. (5.8.x recommended)

 2. Install the following Perl modules:

--- a/lib/WebGUI.pm
+++ b/lib/WebGUI.pm
@ -1,6 +1,6 @@
 package WebGUI;
-our $VERSION = "6.2.7";
-our $STATUS = "gamma";
+our $VERSION = "6.3.0";
+our $STATUS = "beta";

 #-------------------------------------------------------------------
 # WebGUI is Copyright 2001-2004 Plain Black Corporation.
--- a/lib/WebGUI/Asset.pm
+++ b/lib/WebGUI/Asset.pm
@ -878,12 +878,12 @@ sub setRank {
 		if (isBetween($sibling->getRank, $newRank, $currentRank)) {
 			$sibling->cascadeLineage($previous);
 			$previous = $sibling->get("lineage");
-			$sibling->updateHistory("changed rank");
 		}
 	}
 	$self->cascadeLineage($previous,$temp);
 	$self->{_properties}{lineage} = $previous;
 	WebGUI::SQL->commit;
+	$self->updateHistory("changed rank");
 	return 1;
 }

--- a/lib/WebGUI/Asset/File.pm
+++ b/lib/WebGUI/Asset/File.pm
@ -160,8 +160,11 @@ sub processPropertiesFromFormPost {
 		$data{url} = $self->getParent->getUrl.'/'.$filename unless ($session{form}{url});
 		$self->update(\%data);
 		$self->setSize($storage->getFileSize($filename));
+		$storage->setPrivileges($self->get("ownerUserId"), $self->get("groupIdView"), $self->get("groupIdEdit"));
 	} else {
 		$storage->delete;
+		my $storage = WebGUI::Storage->get($self->get("storageId"));
+		$storage->setPrivileges($self->get("ownerUserId"), $self->get("groupIdView"), $self->get("groupIdEdit"));
 	}
 }

--- a/lib/WebGUI/Session.pm
+++ b/lib/WebGUI/Session.pm
@ -25,6 +25,7 @@ use WebGUI::Config;
 use WebGUI::ErrorHandler;
 use WebGUI::SQL;
 use WebGUI::Utility;
+use URI::Escape;

 our @ISA = qw(Exporter);
 our @EXPORT = qw(%session);
@ -344,7 +345,7 @@ sub open {
 	###----------------------------
 	### cookies
 	foreach ($session{cgi}->cookie) {
-		$session{cookie}{$_} = $session{cgi}->cookie($_);
+			$session{cookie}{$_} = $session{cgi}->cookie($_);
 	}
 	###----------------------------
 	### session variables 
--- a/lib/WebGUI/Storage.pm
+++ b/lib/WebGUI/Storage.pm
@ -65,6 +65,7 @@ This package provides a mechanism for storing and retrieving files that are not
 $store->delete;
 $store->deleteFile($filename);
 $store->rename($filename, $newFilename);
+ $store->setPrivileges($userId, $groupIdView, $groupIdEdit);

 =head1 METHODS

@ -603,6 +604,36 @@ sub renameFile {
 }


+#-------------------------------------------------------------------
+
+=head2 setPrivileges ( ownerUserId, groupIdView, groupIdEdit )
+
+Set filesystem level privileges for this file. Used with the uploads access handler.
+
+=head3 ownerUserId
+
+The userId of the owner of this storage location.
+
+=head3 groupIdView
+
+The groupId that is allowed to view the files in this storage location.
+
+=head3 groupIdEdit
+
+The groupId that is allowed to edit the files in this storage location.
+
+=cut
+
+sub setPrivileges {
+	my $self = shift;
+	my $owner = shift;
+	my $viewGroup = shift;
+	my $editGroup = shift;
+	$self->addFileFromScalar(".wgaccess",$owner."\n".$viewGroup."\n".$editGroup);
+}
+
+
+
 #-------------------------------------------------------------------

 =head2 tar ( filename )
--- a/sbin/preload.perl
+++ b/sbin/preload.perl
@ -1,15 +1,15 @@
 #!/usr/bin/perl
-use strict;

 my $webguiRoot;

 BEGIN {
-        $webguiRoot = "/data/WebGUI"; # Edit to match your WebGUI installation directory.
+        $webguiRoot = "/data/WebGUI";
        unshift (@INC, $webguiRoot."/lib");
 }

 $|=1;

+use strict;
 print "\nStarting WebGUI ".$WebGUI::VERSION."\n";
 $ENV{GATEWAY_INTERFACE} =~ /^CGI-Perl/ or die "GATEWAY_INTERFACE not Perl!";

--- a/sbin/uploadsAccessHandler.perl
+++ b/sbin/uploadsAccessHandler.perl
@ -0,0 +1,61 @@
+package WebGUI::UploadsAccessHandler;
+
+#-------------------------------------------------------------------
+# WebGUI is Copyright 2001-2004 Plain Black Corporation.
+#-------------------------------------------------------------------
+# Please read the legal notices (docs/legal.txt) and the license
+# (docs/license.txt) that came with this distribution before using
+# this software.
+#-------------------------------------------------------------------
+# http://www.plainblack.com                     info@plainblack.com
+#-------------------------------------------------------------------
+
+our $webguiRoot;
+
+BEGIN {
+	use Apache;
+	my $s = Apache->server;
+        $webguiRoot = $s->dir_config('WebguiRoot');
+        unshift (@INC, $webguiRoot."/lib");
+}
+
+print "Starting WebGUI Uploads Access Handler\n";
+
+use strict;
+use Apache::Constants qw(:common);
+use CGI::Util qw/escape/;
+use WebGUI::Grouping;
+use WebGUI::Session;
+use WebGUI::URL;
+
+sub handler {
+	my $r = shift;
+	if (-e $r->filename) {
+		my $path = $r->filename;
+		$path =~ s/^(\/.*\/).*$/$1/;
+		if (-e $path.".wgaccess") {
+		 	my $fileContents;	
+			open(FILE,"<".$path.".wgaccess");
+			while (<FILE>) {
+				$fileContents .= $_;
+			}
+			close(FILE);
+			my @privs = split("\n",$fileContents);
+			unless ($privs[1] eq "7" || $privs[1] eq "1") {
+				WebGUI::Session::open($webguiRoot, $r->dir_config('WebguiConfig'));
+				my $cookie = $r->header_in('Cookie');
+				$cookie =~ s/wgSession\=(.*)/$1/;
+				$cookie = WebGUI::URL::unescape($cookie);
+				WebGUI::Session::refreshSessionVars($cookie);
+				return OK if ($session{user}{userId} eq $privs[0] || WebGUI::Grouping::isInGroup($privs[1]) || WebGUI::Grouping::isInGroup($privs[2]));	
+				WebGUI::Session::close();
+				return 401;
+			}
+		}
+		return OK;
+	} else {
+		return NOT_FOUND;
+	}
+}
+
+1;