changeset 456:8649b836b7ff
Use securitycheck()
(Logical change 1.133)
author | home!jeffpc |
---|---|
date | Thu, 01 Jan 2004 20:46:28 +0000 |
parents | b60f8e4f7c79 |
children | c113e7b720fd |
files | eq_edit.py eq_image.py eq_log.py eq_ls.py eq_rm.py eq_view.py eq_vimg.py log.py log_pdf.py mess_ls.py mess_read.py mess_rm.py room_edit.py room_ls.py rules_ls.py rules_rm.py sec_log.py settings_edit.py settings_ls.py sys_log.py template.py user_log.py user_ls.py work_log.py |
diffstat | 24 files changed, 124 insertions(+), 111 deletions(-) [+] |
--- a/eq_edit.py Thu Jan 01 20:46:28 2004 +0000
+++ b/eq_edit.py Thu Jan 01 20:46:28 2004 +0000
@@ -40,11 +40,8 @@
 print conn.html.header(prefix + "Equipment")
 print conn.html.heading(prefix + "Equipment")
-if ((not conn.user.getPERM()["eq"]) and ((not(conn.user.getPERM()["eqm"]) and (conn.validatestring(eqn,caps=0,lower=0))) or (not(conn.user.getPERM()["eqa"]) and (add)) or (not(conn.user.getPERM()["eqr"]) and (conn.validatestring(eqn,caps=0,lower=0))))):
- print "Sorry, but you don't have the necesarry priveledges to view this page."
- print conn.html.footer()
- av_log.seclog(conn,"User \"" + conn.user.UID2User() + "\" tried to access " + conn.currentscript() + " but lacks the necessary priv.")
- conn.exit()
+conn.securitycheck((conn.user.getPERM()["eq"] and ((conn.user.getPERM()["eqm"]) or (conn.user.getPERM()["eqa"] and add)))
+,loglevel=av_log.SECLOG)
 eqv = {"featid": 1, "name": "", "sn": "", "func": 0, "note": "", "submit": "Add"}
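Review bot: The new condition accepts `eqm` in every mode, so a user who holds the modify permission but not `eqa` passes the check when `add` is set. If adding is meant to require `eqa`, the expression should tie each permission to its mode, for example `perm["eq"] and ((add and perm["eqa"]) or (not add and perm["eqm"]))` with `perm = conn.user.getPERM()` bound once. This is also a behaviour change rather than a pure refactor, since the removed test only denied access when `eq` was missing; that deserves a line in the commit description. `add` is set above the hunk, so how it is derived from request input is not visible here.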
--- a/eq_image.py Thu Jan 01 20:46:28 2004 +0000
+++ b/eq_image.py Thu Jan 01 20:46:28 2004 +0000
@@ -29,12 +29,7 @@
 eqn = conn.getparam("eqn") # FIXME: Validate this number
-if (not(conn.user.getPERM()["eq"])):
- print conn.html.content("text/plain")
- print "Sorry, but you don't have the necesarry priveledges to view this page."
- print conn.html.footer()
- av_log.seclog(conn,"User \"" + conn.user.UID2User() + "\" tried to access " + conn.currentscript() + " but lacks the necessary priv.")
- conn.exit()
+conn.securitycheck(conn.user.getPERM()["eq"],loglevel=av_log.SECLOG)
 dbid = conn.db.newid()
 dbid.execute("SELECT `imagetype`, `image` FROM `equip` WHERE `id` = " + str(eqn) + ";")
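Review bot: The denial path no longer emits a content type: the removed branch printed `conn.html.content("text/plain")` before the message, and nothing in the visible context prints one ahead of the new `securitycheck()` call. Unless `securitycheck()` sends the header itself (its definition is not in this changeset), a refused request to this image endpoint will produce a malformed CGI response; printing the content type before the check would keep the old behaviour. Separately, `eqn` still reaches the `SELECT` by string concatenation with only a FIXME; converting it with `int(eqn)` right after `getparam`, or binding it as a query parameter, would close that.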
--- a/eq_log.py Thu Jan 01 20:46:28 2004 +0000
+++ b/eq_log.py Thu Jan 01 20:46:28 2004 +0000
@@ -31,11 +31,7 @@
 print conn.html.header("Equipment Log")
 print conn.html.heading("Equipment Log")
-if (not(conn.user.getPERM()["eql"])):
- print "Sorry, but you don't have the necesarry priveledges to view this page."
- print conn.html.footer()
- av_log.seclog(conn,"User \"" + conn.user.UID2User() + "\" tried to access " + conn.currentscript() + " but lacks the necessary priv.")
- conn.exit()
+conn.securitycheck(conn.user.getPERM()["eql"],loglevel=av_log.SECLOG)
 print "This page does not do anything, yet."
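Review bot: This one-line replacement depends on `securitycheck()` ending the request when the check fails, which the removed branch did explicitly with `conn.exit()`; the method's definition is not part of this changeset, so that cannot be confirmed from the diff. If it only prints and logs, the page body below the call would still run for an unauthorized user. A comment at the call site such as `# does not return when the check fails`, or the same statement in the method's docstring, would make the fail-closed contract explicit. The same applies to the identical replacements in eq_ls.py, eq_rm.py, eq_view.py, mess_*.py, room_*.py, sec_log.py, settings_*.py, sys_log.py, template.py, user_*.py and work_log.py.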
--- a/eq_ls.py Thu Jan 01 20:46:28 2004 +0000
+++ b/eq_ls.py Thu Jan 01 20:46:28 2004 +0000
@@ -32,11 +32,7 @@
 print conn.html.header("Equipment")
 print conn.html.heading("Equipment")
-if (not(conn.user.getPERM()["eq"])):
- print "Sorry, but you don't have the necesarry priveledges to view this page."
- print conn.html.footer()
- av_log.seclog(conn,"User \"" + conn.user.UID2User() + "\" tried to access " + conn.currentscript() + " but lacks the necessary priv.")
- conn.exit()
+conn.securitycheck(conn.user.getPERM()["eq"],loglevel=av_log.SECLOG)
 # FIXME: make me pretty looking
--- a/eq_rm.py Thu Jan 01 20:46:28 2004 +0000
+++ b/eq_rm.py Thu Jan 01 20:46:28 2004 +0000
@@ -35,11 +35,7 @@
 print conn.html.header("Remove Equipment")
 print conn.html.heading("Remove Equipment")
-if (not(conn.user.getPERM()["eqr"])):
- print "Sorry, but you don't have the necesarry priveledges to view this page."
- print conn.html.footer()
- av_log.seclog(conn,"User \"" + conn.user.UID2User() + "\" tried to access " + conn.currentscript() + " but lacks the necessary priv.")
- conn.exit()
+conn.securitycheck(conn.user.getPERM()["eqr"],loglevel=av_log.SECLOG)
 eq = av_eq.Equip(conn,eqn)
--- a/eq_view.py Thu Jan 01 20:46:28 2004 +0000
+++ b/eq_view.py Thu Jan 01 20:46:28 2004 +0000
@@ -36,11 +36,7 @@
 print conn.html.header("View Equipment")
 print conn.html.heading("View Equipment")
-if (not conn.user.getPERM()["eq"]):
- print "Sorry, but you don't have the necesarry priveledges to view this page."
- print conn.html.footer()
- av_log.seclog(conn,"User \"" + conn.user.UID2User() + "\" tried to access " + conn.currentscript() + " but lacks the necessary priv.")
- conn.exit()
+conn.securitycheck(conn.user.getPERM()["eq"],loglevel=av_log.SECLOG)
 eq = av_eq.Equip(conn,eqn)
--- a/eq_vimg.py Thu Jan 01 20:46:28 2004 +0000
+++ b/eq_vimg.py Thu Jan 01 20:46:28 2004 +0000
@@ -0,0 +1,49 @@
+#!/usr/bin/python
+
+#/*
+# * AV Admin - Helps to manage an AV department
+# *
+# * Copyright (C) 2003 Josef "Jeff" Sipek
+# *
+# * This program is free software; you can redistribute it and/or modify
+# * it under the terms of the GNU General Public License as published by
+# * the Free Software Foundation; either version 2 of the License, or
+# * (at your option) any later version.
+# *
+# * This program is distributed in the hope that it will be useful,
+# * but WITHOUT ANY WARRANTY; without even the implied warranty of
+# * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# * GNU General Public License for more details.
+# *
+# * You should have received a copy of the GNU General Public License
+# * along with this program; if not, write to the Free Software
+# * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+# *
+# * $Id$
+# */
+
+
+import av_conn
+import av_eq
+import av_room
+import av_log
+
+conn = av_conn.Conn()
+
+eqn = conn.getparam("eqn") # FIXME: Validate this number
+
+print conn.html.content("text/html")
+print conn.html.header("Equipment Image")
+print conn.html.heading("Equipment Image")
+
+conn.securitycheck(conn.user.getPERM()["eq"],loglevel=av_log.SECLOG)
+
+eq = av_eq.Equip(conn,eqn)
+
+# Image size work-around; FIXME: make this nicer
+if (eq.getImgT().__len__()):
+ print "<img src=\"" + conn.makeURL("eq_image.py",params={"eqn":eqn}) + "\" alt=\"[photo of " + eq.getName() + "]\" />\n"
+else:
+ print eq.getName() + " does not have a photo."
+
+print conn.html.footer()
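Review bot: `eq.getName()` is written into the `alt` attribute and into the fallback sentence without HTML escaping, so an equipment name containing a quote or markup changes the page structure for every viewer. Escape at output in both `print` statements, e.g. `cgi.escape(eq.getName(), 1)` with `import cgi` added to the imports. `eqn` is also passed to `av_eq.Equip()` and `makeURL()` straight from the request with only a FIXME; an integer conversion right after `getparam` would cover both this page and the image URL it builds. `av_room` is imported but not used in this file.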
--- a/log.py Thu Jan 01 20:46:28 2004 +0000
+++ b/log.py Thu Jan 01 20:46:28 2004 +0000
@@ -31,11 +31,7 @@
 print conn.html.header("Logs")
 print conn.html.heading("Logs")
-if (not(conn.user.getPERM()["eql"] and conn.user.getPERM()["userl"] and conn.user.getPERM()["workl"] and conn.user.getPERM()["secl"] and conn.user.getPERM()["sysl"])):
- print "Sorry, but you don't have the necesarry priveledges to view this page."
- print conn.html.footer()
- av_log.seclog(conn,"User \"" + conn.user.UID2User() + "\" tried to access " + conn.currentscript() + " but lacks the necessary priv.")
- conn.exit()
+conn.securitycheck((conn.user.getPERM()["eql"] and conn.user.getPERM()["userl"] and conn.user.getPERM()["workl"] and conn.user.getPERM()["secl"] and conn.user.getPERM()["sysl"]),loglevel=av_log.SECLOG)
 # FIXME: make me pretty looking
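Review bot: `conn.user.getPERM()` is called five times inside one expression here and again in log_pdf.py; binding it once, `perm = conn.user.getPERM()`, makes the condition readable and avoids repeated lookups if the method queries the database. The condition also requires all five log permissions at once, carried over unchanged from the removed test. If this page is only an index to the individual logs, `or` (or a check per link) may be what is intended, which is worth confirming before the expression is copied further.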
--- a/log_pdf.py Thu Jan 01 20:46:28 2004 +0000
+++ b/log_pdf.py Thu Jan 01 20:46:28 2004 +0000
@@ -34,11 +34,7 @@
 print conn.html.header("Logs - PDF")
 print conn.html.heading("Logs - PDF")
-if (not(conn.user.getPERM()["eql"] and conn.user.getPERM()["userl"] and conn.user.getPERM()["workl"] and conn.user.getPERM()["secl"] and conn.user.getPERM()["sysl"])):
- print "Sorry, but you don't have the necesarry priveledges to view this page."
- print conn.html.footer()
- av_log.seclog(conn,"User \"" + conn.user.UID2User() + "\" tried to access " + conn.currentscript() + " but lacks the necessary priv.")
- conn.exit()
+conn.securitycheck((conn.user.getPERM()["eql"] and conn.user.getPERM()["userl"] and conn.user.getPERM()["workl"] and conn.user.getPERM()["secl"] and conn.user.getPERM()["sysl"]),loglevel=av_log.SECLOG)
 # FIXME: make me pretty looking
 # FIXME: need exception handling in many places
--- a/mess_ls.py Thu Jan 01 20:46:28 2004 +0000
+++ b/mess_ls.py Thu Jan 01 20:46:28 2004 +0000
@@ -32,11 +32,7 @@
 print conn.html.header("Messages")
 print conn.html.heading("Messages")
-if (not(conn.user.getPERM()["mess"])):
- print "Sorry, but you don't have the necesarry priveledges to view this page."
- print conn.html.footer()
- av_log.seclog(conn,"User \"" + conn.user.UID2User() + "\" tried to access " + conn.currentscript() + " but lacks the necessary priv.")
- conn.exit()
+conn.securitycheck(conn.user.getPERM()["mess"],loglevel=av_log.SECLOG)
 if (av_message.totalMessages(conn)):
 print "<table class=\"plain\">\n"
--- a/mess_read.py Thu Jan 01 20:46:28 2004 +0000
+++ b/mess_read.py Thu Jan 01 20:46:28 2004 +0000
@@ -32,11 +32,7 @@
 print conn.html.header("Read Message")
 print conn.html.heading("Read Message")
-if (not(conn.user.getPERM()["mess"])):
- print "Sorry, but you don't have the necesarry priveledges to view this page."
- print conn.html.footer()
- av_log.seclog(conn,"User \"" + conn.user.UID2User() + "\" tried to access " + conn.currentscript() + " but lacks the necessary priv.")
- conn.exit()
+conn.securitycheck(conn.user.getPERM()["mess"],loglevel=av_log.SECLOG)
 messid = conn.getparam("messid") # FIXME: check this number
--- a/mess_rm.py Thu Jan 01 20:46:28 2004 +0000
+++ b/mess_rm.py Thu Jan 01 20:46:28 2004 +0000
@@ -32,11 +32,7 @@
 print conn.html.header("Delete Message")
 print conn.html.heading("Delete Message")
-if (not(conn.user.getPERM()["mess"])):
- print "Sorry, but you don't have the necesarry priveledges to view this page."
- print conn.html.footer()
- av_log.seclog(conn,"User \"" + conn.user.UID2User() + "\" tried to access " + conn.currentscript() + " but lacks the necessary priv.")
- conn.exit()
+conn.securitycheck(conn.user.getPERM()["mess"],loglevel=av_log.SECLOG)
 messid = conn.getparam("messid") # FIXME: check this number
 conf = conn.getparam("confirmed") # FIXME: Validate this
--- a/room_edit.py Thu Jan 01 20:46:28 2004 +0000
+++ b/room_edit.py Thu Jan 01 20:46:28 2004 +0000
@@ -31,11 +31,7 @@
 print conn.html.header("Room Editor")
 print conn.html.heading("Room Editor")
-if (not(conn.user.getPERM()["room"])):
- print "Sorry, but you don't have the necesarry priveledges to view this page."
- print conn.html.footer()
- av_log.seclog(conn,"User \"" + conn.user.UID2User() + "\" tried to access " + conn.currentscript() + " but lacks the necessary priv.")
- conn.exit()
+conn.securitycheck(conn.user.getPERM()["room"],loglevel=av_log.SECLOG)
 room = conn.getparam("room")
--- a/room_ls.py Thu Jan 01 20:46:28 2004 +0000
+++ b/room_ls.py Thu Jan 01 20:46:28 2004 +0000
@@ -33,11 +33,7 @@
 print conn.html.header("Rooms")
 print conn.html.heading("Rooms")
-if (not(conn.user.getPERM()["room"])):
- print "Sorry, but you don't have the necesarry priveledges to view this page."
- print conn.html.footer()
- av_log.seclog(conn,"User \"" + conn.user.UID2User() + "\" tried to access " + conn.currentscript() + " but lacks the necessary priv.")
- conn.exit()
+conn.securitycheck(conn.user.getPERM()["room"],loglevel=av_log.SECLOG)
 # FIXME: make me pretty looking
--- a/rules_ls.py Thu Jan 01 20:46:28 2004 +0000
+++ b/rules_ls.py Thu Jan 01 20:46:28 2004 +0000
@@ -32,11 +32,7 @@
 print conn.html.header("Rules")
 print conn.html.heading("Rules")
-if ((not av_settings.getSetting(conn,"showrules")) and (not conn.user.getPERM()["rules"])):
- print "Sorry, but the rules cannot be displayed."
- print conn.html.footer()
- av_log.seclog(conn,"User \"" + conn.user.UID2User() + "\" tried to access " + conn.currentscript() + " but rules have been deactivated")
- conn.exit()
+conn.securitycheck((av_settings.getSetting(conn,"showrules") or conn.user.getPERM()["rules"]),loglevel=av_log.SECLOG,printtext="Sorry, but the rules cannot be displayed.",logmessage="User \"" + conn.user.UID2User() + "\" tried to access " + conn.currentscript() + " but rules have been deactivated")
 if (not int(av_settings.getSetting(conn,"showrules"))):
 print "<b>Warning!</b> Rules are deactivated.<br /><br />"
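Review bot: `av_settings.getSetting(conn,"showrules")` is used for its truth value in the `securitycheck()` argument, while the context line just below converts the same setting with `int(...)` before testing it. If `getSetting()` returns a string, `"0"` is truthy and this check passes for every user even when rules are deactivated; `int(av_settings.getSetting(conn,"showrules")) or conn.user.getPERM()["rules"]` would match the later test. The removed condition had the same form, so this predates the change, but the refactor is the natural place to fix it. rules_rm.py repeats the expression.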
--- a/rules_rm.py Thu Jan 01 20:46:28 2004 +0000
+++ b/rules_rm.py Thu Jan 01 20:46:28 2004 +0000
@@ -0,0 +1,52 @@
+#!/usr/bin/python
+
+#/*
+# * AV Admin - Helps to manage an AV department
+# *
+# * Copyright (C) 2003 Josef "Jeff" Sipek
+# *
+# * This program is free software; you can redistribute it and/or modify
+# * it under the terms of the GNU General Public License as published by
+# * the Free Software Foundation; either version 2 of the License, or
+# * (at your option) any later version.
+# *
+# * This program is distributed in the hope that it will be useful,
+# * but WITHOUT ANY WARRANTY; without even the implied warranty of
+# * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# * GNU General Public License for more details.
+# *
+# * You should have received a copy of the GNU General Public License
+# * along with this program; if not, write to the Free Software
+# * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+# *
+# * $Id$
+# */
+
+import av_conn
+import av_settings
+import av_log
+
+conn = av_conn.Conn()
+
+print conn.html.content("text/html")
+print conn.html.header("Rules")
+print conn.html.heading("Rules")
+
+conn.securitycheck((av_settings.getSetting(conn,"showrules") or conn.user.getPERM()["rules"]),loglevel=av_log.SECLOG,printtext="Sorry, but the rules cannot be displayed.",logmessage="User \"" + conn.user.UID2User() + "\" tried to access " + conn.currentscript() + " but rules have been deactivated")
+
+conf = conn.getparam("confirmed") # FIXME: Validate these
+rulen = conn.getparam("rulen")
+
+recs = conn.db.execSQL("SELECT `rule`, `ruleid` FROM `rules` WHERE `id` = " + str(rulen) + ";")
+# FIXME: make sure we get only one
+
+rule = recs[0][0]
+ruleid = recs[0][1]
+
+if (not conf):
+ print conn.html.areyousure((conn.makeURL("rules_rm.py",params={"rulen":rulen,"confirmed":"1"}),conn.makeURL("rules_ls.py",)),"Are you sure you want to delete rule #" + str(ruleid) + " ("" + rule + "")?")
+else:
+ conn.db.execSQL("DELETE FROM `rules` WHERE `id` = " + str(rulen) + ";") # FIXME: add error checking
+ print "Rule # " + str(ruleid) + " has been successfully removed!"
+
+print conn.html.footer()
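Review bot: The access check on this deletion page is the one copied from rules_ls.py: it passes whenever the `showrules` setting is on, so any user who may read the rules may also delete them. Deletion should depend on the permission alone, `conn.securitycheck(conn.user.getPERM()["rules"],loglevel=av_log.SECLOG)`. `rulen` is concatenated into both the `SELECT` and the `DELETE` with only a FIXME; convert it with `int(rulen)` or bind it as a query parameter before either statement runs. `recs[0]` is indexed without checking that a row came back, and the delete is triggered by a plain link carrying `confirmed=1`, so it has no request-forgery protection.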
--- a/sec_log.py Thu Jan 01 20:46:28 2004 +0000
+++ b/sec_log.py Thu Jan 01 20:46:28 2004 +0000
@@ -31,11 +31,7 @@
 print conn.html.header("Security Log")
 print conn.html.heading("Security Log")
-if (not(conn.user.getPERM()["secl"])):
- print "Sorry, but you don't have the necesarry priveledges to view this page."
- print conn.html.footer()
- av_log.seclog(conn,"User \"" + conn.user.UID2User() + "\" tried to access " + conn.currentscript() + " but lacks the necessary priv.")
- conn.exit()
+conn.securitycheck(conn.user.getPERM()["secl"],loglevel=av_log.SECLOG)
 print "This page does not do anything, yet."
--- a/settings_edit.py Thu Jan 01 20:46:28 2004 +0000
+++ b/settings_edit.py Thu Jan 01 20:46:28 2004 +0000
@@ -37,11 +37,7 @@
 print conn.html.header("Edit Settings")
 print conn.html.heading("Edit Settings")
-if (not(conn.user.getPERM()["settings"])):
- print "Sorry, but you don't have the necesarry priveledges to view this page."
- print conn.html.footer()
- av_log.seclog(conn,"User \"" + conn.user.UID2User() + "\" tried to access " + conn.currentscript() + " but lacks the necessary priv.")
- conn.exit()
+conn.securitycheck(conn.user.getPERM()["settings"],loglevel=av_log.SECLOG)
 setid = conn.getparam("setid") # FIXME: check this for validity
--- a/settings_ls.py Thu Jan 01 20:46:28 2004 +0000
+++ b/settings_ls.py Thu Jan 01 20:46:28 2004 +0000
@@ -31,11 +31,7 @@
 print conn.html.header("Settings")
 print conn.html.heading("Settings")
-if (not(conn.user.getPERM()["settings"])):
- print "Sorry, but you don't have the necesarry priveledges to view this page."
- print conn.html.footer()
- av_log.seclog(conn,"User \"" + conn.user.UID2User() + "\" tried to access " + conn.currentscript() + " but lacks the necessary priv.")
- conn.exit()
+conn.securitycheck(conn.user.getPERM()["settings"],loglevel=av_log.SECLOG)
 # FIXME: log access to this page
--- a/sys_log.py Thu Jan 01 20:46:28 2004 +0000
+++ b/sys_log.py Thu Jan 01 20:46:28 2004 +0000
@@ -31,11 +31,7 @@
 print conn.html.header("System Log")
 print conn.html.heading("System Log")
-if (not(conn.user.getPERM()["sysl"])):
- print "Sorry, but you don't have the necesarry priveledges to view this page."
- print conn.html.footer()
- av_log.seclog(conn,"User \"" + conn.user.UID2User() + "\" tried to access " + conn.currentscript() + " but lacks the necessary priv.")
- conn.exit()
+conn.securitycheck(conn.user.getPERM()["sysl"],loglevel=av_log.SECLOG)
 print "This page does not do anything, yet."
--- a/template.py Thu Jan 01 20:46:28 2004 +0000
+++ b/template.py Thu Jan 01 20:46:28 2004 +0000
@@ -31,11 +31,7 @@
 print conn.html.header("Template")
 print conn.html.heading("Template")
-if (not(conn.user.getPERM()["userl"])):
- print "Sorry, but you don't have the necesarry priveledges to view this page."
- print conn.html.footer()
- av_log.seclog(conn,"User \"" + conn.user.UID2User() + "\" tried to access " + conn.currentscript() + " but lacks the necessary priv.")
- conn.exit()
+conn.securitycheck(conn.user.getPERM()["userl"],loglevel=av_log.SECLOG)
 print "This page does not do anything, yet."
--- a/user_log.py Thu Jan 01 20:46:28 2004 +0000
+++ b/user_log.py Thu Jan 01 20:46:28 2004 +0000
@@ -31,11 +31,7 @@
 print conn.html.header("User Log")
 print conn.html.heading("User Log")
-if (not(conn.user.getPERM()["userl"])):
- print "Sorry, but you don't have the necesarry priveledges to view this page."
- print conn.html.footer()
- av_log.seclog(conn,"User \"" + conn.user.UID2User() + "\" tried to access " + conn.currentscript() + " but lacks the necessary priv.")
- conn.exit()
+conn.securitycheck(conn.user.getPERM()["userl"],loglevel=av_log.SECLOG)
 print "This page does not do anything, yet."
--- a/user_ls.py Thu Jan 01 20:46:28 2004 +0000
+++ b/user_ls.py Thu Jan 01 20:46:28 2004 +0000
@@ -31,11 +31,7 @@
 print conn.html.header("Users")
 print conn.html.heading("Users")
-if (not(conn.user.getPERM()["user"])):
- print "Sorry, but you don't have the necesarry priveledges to view this page."
- print conn.html.footer()
- av_log.seclog(conn,"User \"" + conn.user.UID2User() + "\" tried to access " + conn.currentscript() + " but lacks the necessary priv.")
- conn.exit()
+conn.securitycheck(conn.user.getPERM()["user"],loglevel=av_log.SECLOG)
 # FIXME: make me pretty looking
--- a/work_log.py Thu Jan 01 20:46:28 2004 +0000
+++ b/work_log.py Thu Jan 01 20:46:28 2004 +0000
@@ -31,11 +31,7 @@
 print conn.html.header("Work Log")
 print conn.html.heading("Work Log")
-if (not(conn.user.getPERM()["workl"])):
- print "Sorry, but you don't have the necesarry priveledges to view this page."
- print conn.html.footer()
- av_log.seclog(conn,"User \"" + conn.user.UID2User() + "\" tried to access " + conn.currentscript() + " but lacks the necessary priv.")
- conn.exit()
+conn.securitycheck(conn.user.getPERM()["workl"],loglevel=av_log.SECLOG)
 print "This page does not do anything, yet."