Bug: Normal (non-super) listmasters can edit site templates (sympa-co…
ikedas committed Aug 26, 2021
1 parent 9d31cce commit 0a5c280
Showing 4 changed files with 74 additions and 21 deletions.
3 changes: 3 additions & 0 deletions default/mail_tt2/report.tt2
Expand Up @@ -203,6 +203,9 @@
[%~ ELSIF report_entry == 'action_privileged_owner' ~%]
[%|loc%]This action is restricted to privileged list owners.[%END%]

[%~ ELSIF report_entry == 'action_super_listmaster' ~%]
[%|loc%]This action is restricted to super-listmasters.[%END%]

[%~ ELSIF report_entry == 'edit_right' ~%]
[%|loc(role,right)%]Rights to this action are '%2' for a '%1'.[%END%]

17 changes: 15 additions & 2 deletions default/web_tt2/copy_template.tt2
Expand Up @@ -35,8 +35,21 @@
<label for="template_name_out">[%|loc%]New template name: [%END%] </label><input id="template_name_out" type="text" name="template_name_out" value="[% template_name %]" /><br />
<label for="scope_out">[%|loc%]Scope: [%END%] </label>
<select id="scope_out" name="scope_out">
<option value="site" [% IF scope == 'site' %]selected[% END %]>[%|loc%]site[%END%]</option>
[% UNLESS default_robot %]<option value="robot" [% IF scope == 'robot' %]selected[% END %]>[%|loc%]robot[%END%]</option>[%END%]
[% IF is_super_listmaster ~%]
<option value="site"
[%~ IF scope == 'site' %] selected[% END %]>
[%|loc%]site[%END%]
</option>
<option value="robot"
[%~ IF scope == 'robot' %] selected[% END %]>
[%|loc%]robot[%END%]
</option>
[%~ ELSE ~%]
<option value="robot"
[%~ IF scope == 'robot' || scope == 'site' %] selected[% END %]>
[%|loc%]robot[%END%]
</option>
[%~ END %]
<option value="list" [% IF scope == 'list' %]selected[% END %]>[%|loc%]list[%END%]</option>
</select><br />
<label for="tpl_lang_out">[%|loc%]Language: [%END%] </label>
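Review bot: The `[% UNLESS default_robot %]` guard that used to wrap the robot option (old line `[% UNLESS default_robot %]<option value="robot" ...`) is not carried into either branch of the new `[% IF is_super_listmaster ~%]` block, so the robot option is now always offered. I cannot tell from this page whether robot scope on the default robot resolves to the same template directory as site scope; if it does, the non-super branch would offer a route to site-level templates that the new server-side check on `scope_out eq 'site'` in do_copy_template does not cover. If dropping the guard is intentional, say so in a template comment, e.g. `[%# robot scope is offered on the default robot as well %]`; otherwise restore `[% UNLESS default_robot %] ... [% END %]` around the robot option in the non-super branch.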
27 changes: 17 additions & 10 deletions default/web_tt2/ls_templates.tt2
Expand Up @@ -99,7 +99,7 @@
[% FOREACH lang = file.value.distrib %]
<td class="text_center">
[% IF lang.value %]
<form action="[% 'edit_template' | url_rel %]" method="post">
<form action="[% path_cgi %]" method="post">
<fieldset>
<input type="hidden" name="template_path" value="[% lang.value %]" />
<input type="hidden" name="template_name" value="[% file.key %]" />
Expand All @@ -118,19 +118,26 @@
[% FOREACH lang = file.value.site %]
<td class="text_center">
[% IF lang.value %]
<form action="[% 'edit_template' | url_rel %]" method="post">
<form action="[% path_cgi %]" method="post">
<fieldset>
<input type="hidden" name="template_name" value="[% file.key %]" />
<input type="hidden" name="template_path" value="[% lang.value %]" />
<input type="hidden" name="scope" value="site" />
<input type="hidden" name="tpl_lang" value="[% lang.key %]" />
<input type="hidden" name="webormail" value="[% webormail %]" />
<input class="MainMenuLinks" type="submit" name="action_edit_template"
value="[%|loc%]edit[% END %]" />
<input class="MainMenuLinks" type="submit" name="action_copy_template"
value="[%|loc%]cp[% END %]" />
<input class="MainMenuLinks" type="submit" name="action_remove_template"
value="[%|loc%]rm[% END %]" />
[% IF is_super_listmaster ~%]
<input class="MainMenuLinks" type="submit" name="action_edit_template"
value="[%|loc%]edit[% END %]" />
<input class="MainMenuLinks" type="submit" name="action_copy_template"
value="[%|loc%]cp[% END %]" />
<input class="MainMenuLinks" type="submit" name="action_remove_template"
value="[%|loc%]rm[% END %]" />
[%~ ELSE ~%]
<input class="MainMenuLinks" type="submit" name="action_view_template"
value="[%|loc%]view[% END %]" />
<input class="MainMenuLinks" type="submit" name="action_copy_template"
value="[%|loc%]cp[% END %]" />
[%~ END %]
</fieldset>
</form>
[% END %]
Expand All @@ -143,7 +150,7 @@
[% FOREACH lang = file.value.robot %]
<td class="text_center">
[% IF lang.value %]
<form action="[% 'edit_template' | url_rel %]" method="post">
<form action="[% path_cgi %]" method="post">
<fieldset>
<input type="hidden" name="template_name" value="[% file.key %]" />
<input type="hidden" name="template_path" value="[% lang.value %]" />
Expand All @@ -167,7 +174,7 @@
[% FOREACH lang = file.value.list %]
<td class="text_center">
[% IF lang.value %]
<form action="[% 'edit_template' | url_rel %]" method="post">
<form action="[% path_cgi %]" method="post">
<fieldset>
<input type="hidden" name="template_name" value="[% file.key %]" />
<input type="hidden" name="template_path" value="[% lang.value %]" />
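Review bot: The non-super branch in the `file.value.site` hunk submits `action_view_template`, but no `do_view_template` handler is added in the wwsympa.fcgi.in part of this commit, so it must already exist; worth confirming, since an unknown action name would leave ordinary listmasters with a button that does nothing useful. The same hunk keeps `scope=site` as a hidden field on the copy form, which is fine because do_copy_template validates `scope_out` rather than `scope`, but a short template comment such as `[%# site-level edit/rm are refused server-side for non-super listmasters; this only hides the buttons %]` would stop a later reader from treating the `is_super_listmaster` test as the access control. The switch of the form action from `'edit_template' | url_rel` to `path_cgi` is repeated in all four hunks of this file; the target action is now determined only by the name of the submit button pressed, which the same comment could note.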
48 changes: 39 additions & 9 deletions src/cgi/wwsympa.fcgi.in
Expand Up @@ -2571,9 +2571,10 @@ sub check_param_in {
$param->{'last_login_host'} = delete $session->{'last_login_host'};

# listmaster has owner and editor privileges for the list.
if (Sympa::is_listmaster($robot, $param->{'user'}{'email'})) {
$param->{'is_listmaster'} = 1;
}
$param->{'is_listmaster'} =
Sympa::is_listmaster($robot, $param->{'user'}{'email'}) ? 1 : undef;
$param->{'is_super_listmaster'} =
Sympa::is_listmaster('*', $param->{'user'}{'email'}) ? 1 : undef;

unless (ref $list eq 'Sympa::List') {
$param->{'domain'} = $robot;
Expand Down Expand Up @@ -2822,12 +2823,11 @@ sub check_param_out {
localtime $start_time);
$param->{'process_id'} = $PID;

## listmaster has owner and editor privileges for the list
if (Sympa::is_listmaster($robot, $param->{'user'}{'email'})) {
$param->{'is_listmaster'} = 1;
} else {
undef $param->{'is_listmaster'};
}
# listmaster has owner and editor privileges for the list.
$param->{'is_listmaster'} =
Sympa::is_listmaster($robot, $param->{'user'}{'email'}) ? 1 : undef;
$param->{'is_super_listmaster'} =
Sympa::is_listmaster('*', $param->{'user'}{'email'}) ? 1 : undef;

## Reset $list variable if it is not expected for the current action
## To prevent the list panel from being printed in a non list context
Expand Down Expand Up @@ -6426,6 +6426,15 @@ sub do_ls_templates {
sub do_remove_template {
wwslog('info', '');

# Only super-listmasters can remove the templates on site level.
if ($in{'scope'} eq 'site'
and not Sympa::is_listmaster('*', $param->{'user'}{'email'})) {
Sympa::WWW::Report::reject_report_web('auth',
'action_super_listmaster', {}, $param->{'action'});
wwslog('info', 'Authorization failed, insufficient privileges');
web_db_log({status => 'error', error_type => 'authorization'});
return 1;
}
if ($in{'scope'} eq 'list' and ref $list ne 'Sympa::List') {
Sympa::WWW::Report::reject_report_web('user', 'missing_arg',
{'argument' => 'list'},
Expand Down Expand Up @@ -6557,6 +6566,16 @@ sub do_copy_template {
return 1;
}

# Only super-listmasters can create the templates on site level.
if ($in{'scope_out'} eq 'site'
and not Sympa::is_listmaster('*', $param->{'user'}{'email'})) {
Sympa::WWW::Report::reject_report_web('auth',
'action_super_listmaster', {}, $param->{'action'});
wwslog('info', 'Authorization failed, insufficient privileges');
web_db_log({status => 'error', error_type => 'authorization'});
return 1;
}

# one of these parameters is commit from the form submission
if ($in{'scope_out'} eq 'list') {
if ($in{'list_out'}) {
Expand Down Expand Up @@ -7007,6 +7026,17 @@ sub do_edit_template {
unless ($in{'content'}) {
return 1;
}

# Only super-listmasters can edit the templates on site level.
if ($in{'scope'} eq 'site'
and not Sympa::is_listmaster('*', $param->{'user'}{'email'})) {
Sympa::WWW::Report::reject_report_web('auth',
'action_super_listmaster', {}, $param->{'action'});
wwslog('info', 'Authorization failed, insufficient privileges');
web_db_log({status => 'error', error_type => 'authorization'});
return 1;
}

if ($in{'scope'} eq 'list' and ref $list ne 'Sympa::List') {
Sympa::WWW::Report::reject_report_web('user', 'listname_needed', {},
$param->{'action'});
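Review bot: In the do_edit_template hunk the new super-listmaster check sits after the `unless ($in{'content'}) { return 1; }` early return, so a scope=site request without content — presumably the initial display of the edit form, rendered earlier in the sub, which starts outside the hunk — passes through unchallenged and is refused only when the edited content is submitted. do_remove_template and do_copy_template place the equivalent check before any work is done; moving this one above the `unless ($in{'content'})` return, ideally right after the sub's opening `wwslog`, would make the three consistent and avoid rendering an editable form that can never be saved. The same block (`if ($in{'scope'} eq 'site' and not Sympa::is_listmaster('*', $param->{'user'}{'email'})) { reject_report_web(...); wwslog(...); web_db_log(...); return 1; }`) is now duplicated in three subs; a small private helper taking the scope and returning true when the request was rejected would keep the report key and log strings in one place. A one-line comment on each call site, such as `# Site-level templates are shared by every robot, so only super-listmasters may change them.`, would also record why the restriction exists rather than just what it does.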
