Three things: allow allow_nonadmin_ssl to be set to 2 to allow

subscribers as well as admins into SSL servers; pull some expensive moderatorlog SELECTs out from a metamod.pl call into a task so they get called only twice an hour; and add "isbanned" key to accesslist.
scc · Jan 14, 2003 · 6e397ad · 6e397ad
1 parent 650e469
commit 6e397ad
Show file tree

Hide file tree

Showing 5 changed files with 99 additions and 24 deletions.
diff --git a/Slash/Apache/User/User.pm b/Slash/Apache/User/User.pm
@@ -78,7 +78,7 @@ sub handler {
 		createCurrentUser();
 		createCurrentForm();
 		createCurrentCookie();
-		if (!$constants->{allow_nonadmin_ssl}
+		if ($constants->{allow_nonadmin_ssl} != 1
 			&& Slash::Apache::ConnectionIsSSL() ) {
 			# Accessing non-dynamic URL on SSL webserver; redirect
 			# to the non-SSL URL.
@@ -230,25 +230,60 @@ EOT
 	$user->{state}{_dynamic_page} = 1;
 	createCurrentUser($user);
 	createCurrentForm($form);
-	if ( ($user->{seclev} <= 1 && !$user->{state}{lostprivs})
-		&& !$constants->{allow_nonadmin_ssl}
-		&& Slash::Apache::ConnectionIsSSL()
+
+	# If the user is connecting over SSL, make sure this is allowed.
+	# If allow_nonadmin_ssl is 0, then only admins are allowed in.
+	# If allow_nonadmin_ssl is 1, then anyone is allowed in.
+	# If allow_nonadmin_ssl is 2, then admins and subscribers are allowed in.
+	my $redirect_to_nonssl = 0;
+	if (Slash::Apache::ConnectionIsSSL()
 		&& !(
-			# If the user is trying to log in, they are allowed
-			# to do so on the SSL server.  Logging in means the
-			# users.pl script and either an empty op or the
-			# 'userlogin' op.
-			$uri =~ m{^/users\.pl}
-			&& (!$form->{op} || $form->{op} eq 'userlogin')
-		) ) {                             
-		# User is not an admin but is trying to connect to an admin-only
-		# webserver.  Redirect them to the non-SSL URL.
+                        # If the user is trying to log in, they are always
+			# allowed to make the attempt on the SSL server.
+			# Logging in means the users.pl script and either
+			# an empty op or the 'userlogin' op.
+                        $uri =~ m{^/users\.pl}
+                        && (!$form->{op} || $form->{op} eq 'userlogin')
+                )
+	) {
+		my $ans = $constants->{allow_nonadmin_ssl};
+		     if ($ans == 1) {
+			# It's OK, anyone is allowed to use the SSL server.
+		} elsif ($ans == 0) {
+			# Only admins are allowed in -- but note the special
+			# case where this is an admin who has lost privs due
+			# to a cleartext password having been sent.  Those
+			# admin accounts are allowed in over SSL even though
+			# the rest of the system might not consider them
+			# "admins" right now.
+			if ($user->{seclev} > 1 || $user->{state}{lostprivs}) {
+				# It's an admin, this is fine.
+			} else {
+				# Not an admin, SSL access forbidden.
+				$redirect_to_nonssl = 1;
+			}
+		} elsif ($ans == 2) {
+			# Admins are allowed in, per the above case, but
+			# also subscribers are allowed in.
+			if ($user->{seclev} > 1 || $user->{state}{lostprivs}
+				|| $user->{is_subscriber}) {
+                                # It's an admin or a subscriber, this is fine.
+                        } else {
+                                # Not an admin or subscriber, SSL access forbidden.
+                                $redirect_to_nonssl = 1;
+                        }
+		}
+	}
+	if ($redirect_to_nonssl) {                             
+		# User is not authorized to connect to the SSL webserver.
+		# Redirect them to the non-SSL URL.
 		my $newloc = $uri;
 		$newloc .= "?" . $r->args if $r->args;
 		$r->err_header_out(Location =>
 			URI->new_abs($newloc, $constants->{absolutedir}));
 		return REDIRECT;
 	}
+
 	createCurrentCookie($cookies);
 	createEnv($r) if $cfg->{env};
 	authors($r) if $form->{'slashcode_authors'};

diff --git a/Slash/DB/MySQL/MySQL.pm b/Slash/DB/MySQL/MySQL.pm
@@ -718,16 +718,10 @@ sub getMetamodsForUserRaw {
 	# run tests on changes like this before and there's almost no
 	# way to predict accurately what it will do on a live site
 	# without doing it... -Jamie 2002/11/16
-	my($min_old) = $self->sqlSelect("MIN(id)", "moderatorlog");
-	my($max_old) = $self->sqlSelect("MAX(id)", "moderatorlog",
-		"ts < DATE_SUB(NOW(), INTERVAL $days_back DAY)");
-	$min_old = 0 if !$min_old;
-	$max_old = 0 if !$max_old;
-	my($min_new) = $self->sqlSelect("MIN(id)", "moderatorlog",
-		"ts >= DATE_SUB(NOW(), INTERVAL $days_back_cushion DAY)");
-	my($max_new) = $self->sqlSelect("MAX(id)", "moderatorlog");
-	$min_new = 0 if !$min_new;
-	$max_new = 0 if !$max_new;
+	my $min_old = $self->getVar('m2_modlogid_min_old', 'value', 1) || 0;
+	my $max_old = $self->getVar('m2_modlogid_max_old', 'value', 1) || 0;
+	my $min_new = $self->getVar('m2_modlogid_min_new', 'value', 1) || 0;
+	my $max_new = $self->getVar('m2_modlogid_max_new', 'value', 1) || 0;
 	my $min_mid = $max_old+1;
 	my $max_mid = $min_new-1;
 	my $old_range = $max_old-$min_old; $old_range = 1 if $old_range < 1;

diff --git a/sql/mysql/defaults.sql b/sql/mysql/defaults.sql
@@ -614,7 +614,7 @@ INSERT INTO vars (name, value, description) VALUES ('adminmail_mod','admin@examp
 INSERT INTO vars (name, value, description) VALUES ('adminmail_post','admin@example.com','All admin mail about comment posting goes here');
 INSERT INTO vars (name, value, description) VALUES ('allow_anonymous','1','allow anonymous posters');
 INSERT INTO vars (name, value, description) VALUES ('allow_moderation','1','allows use of the moderation system');
-INSERT INTO vars (name, value, description) VALUES ('allow_nonadmin_ssl','0','Allows users with seclev <= 1 to access the site over Secure HTTP');
+INSERT INTO vars (name, value, description) VALUES ('allow_nonadmin_ssl','0','0=users with seclev <= 1 cannot access the site over Secure HTTP; 1=they all can; 2=only if they are subscribers');
 INSERT INTO vars (name, value, description) VALUES ('anonymous_coward_uid', '1', 'UID to use for anonymous coward');
 INSERT INTO vars (name, value, description) VALUES ('anon_name_alt','An anonymous coward','Name of anonymous user to be displayed in stories');
 INSERT INTO vars (name, value, description) VALUES ('apache_cache', '3600', 'Default times for the getCurrentCache().');

diff --git a/sql/mysql/upgrades b/sql/mysql/upgrades
@@ -1143,3 +1143,12 @@ ALTER TABLE moderatorlog ADD INDEX m2stat_act (m2status, active);
 
 ALTER TABLE accesslist ADD wasbanned tinyint unsigned DEFAULT 0 NOT NULL;
 ALTER TABLE accesslist ADD wasreadonly tinyint unsigned DEFAULT 0 NOT NULL;
+ALTER TABLE accesslist ADD INDEX isbanned (isbanned);
+
+REPLACE INTO vars (name, value, description) VALUES ('allow_nonadmin_ssl','0','0=users with seclev <= 1 cannot access the site over Secure HTTP; 1=they all can; 2=only if they are subscribers');
+
+INSERT INTO vars (name, value, description) VALUES ('m2_modlogid_min_old','0','Approximate min moderatorlog id');
+INSERT INTO vars (name, value, description) VALUES ('m2_modlogid_max_old','0','Approximate max moderatorlog id that counts as old');
+INSERT INTO vars (name, value, description) VALUES ('m2_modlogid_min_new','0','Approximate min moderatorlog id that counts as new');
+INSERT INTO vars (name, value, description) VALUES ('m2_modlogid_max_new','0','Approximate max moderatorlog id');
+
diff --git a/themes/slashcode/tasks/run_moderatord.pl b/themes/slashcode/tasks/run_moderatord.pl
@@ -32,8 +32,10 @@
 
 #	doLogInit('moderatord');
 
+	update_modlog_ids($virtual_user, $constants, $slashdb, $user);
 	give_out_points($virtual_user, $constants, $slashdb, $user);
 	reconcile_m2($virtual_user, $constants, $slashdb, $user);
+	update_modlog_ids($virtual_user, $constants, $slashdb, $user);
 
 #	doLogExit('moderatord');
 
@@ -47,6 +49,41 @@ sub moderatordLog {
 	doLog('slashd', \@_);
 }
 
+sub update_modlog_ids {
+	my($virtual_user, $constants, $slashdb, $user) = @_;
+
+	my $days_back = $constants->{archive_delay_mod};
+	my $days_back_cushion = int($days_back/10);
+	$days_back_cushion = $constants->{m2_min_daysbackcushion} || 2
+		if $days_back_cushion < ($constants->{m2_min_daysbackcushion} || 2);
+	$days_back -= $days_back_cushion;
+
+	# XXX I'm considering adding a 'WHERE m2status=0' clause to the
+	# MIN/MAX selects below.  This might help choose mods more
+	# smoothly and make failure (as archive_delay_mod is approached)
+	# less dramatic too.  On the other hand it might screw things
+	# up, making older mods at N-1 M2's never make it to N.  I've
+	# run tests on changes like this before and there's almost no
+	# way to predict accurately what it will do on a live site
+	# without doing it... -Jamie 2002/11/16
+
+	my($min_old) = $slashdb->sqlSelect("MIN(id)", "moderatorlog");
+	my($max_old) = $slashdb->sqlSelect("MAX(id)", "moderatorlog",
+		"ts < DATE_SUB(NOW(), INTERVAL $days_back DAY)");
+	$min_old = 0 if !$min_old;
+	$max_old = 0 if !$max_old;
+	my($min_new) = $slashdb->sqlSelect("MIN(id)", "moderatorlog",
+		"ts >= DATE_SUB(NOW(), INTERVAL $days_back_cushion DAY)");
+	my($max_new) = $slashdb->sqlSelect("MAX(id)", "moderatorlog");
+	$min_new = 0 if !$min_new;
+	$max_new = 0 if !$max_new;
+
+	$slashdb->setVar("m2_modlogid_min_old", $min_old);
+	$slashdb->setVar("m2_modlogid_max_old", $max_old);
+	$slashdb->setVar("m2_modlogid_min_new", $min_new);
+	$slashdb->setVar("m2_modlogid_max_new", $max_new);
+}
+
 sub give_out_points {
 
 	my($virtual_user, $constants, $slashdb, $user) = @_;