static void formDisplayUser(webs_t wp, char_t *path, char_t *query)
{
char_t *userid, *ok, *temp;
bool_t enabled;
a_assert(wp);
userid = websGetVar(wp, T("user"), T(""));
ok = websGetVar(wp, T("ok"), T(""));
websHeader(wp);
websWrite(wp, T("<body>"));
if (gstricmp(ok, T("ok")) != 0) {
websWrite(wp, T("Display User Cancelled"));
} else if (umUserExists(userid) == FALSE) {
websWrite(wp, T("ERROR: User <b>%s</b> not found.\n"), userid);
} else {
websWrite(wp, T("<h2>User ID: <b>%s</b></h2>\n"), userid);
temp = umGetUserGroup(userid);
websWrite(wp, T("<h3>User Group: <b>%s</b></h3>\n"), temp);
enabled = umGetUserEnabled(userid);
websWrite(wp, T("<h3>Enabled: <b>%d</b></h3>\n"), enabled);
}
websWrite(wp, T("</body>\n"));
websFooter(wp);
websDone(wp, 200);
}
static void formDeleteUser(webs_t wp, char_t *path, char_t *query)
{
char_t *userid, *ok;
a_assert(wp);
userid = websGetVar(wp, T("user"), T(""));
ok = websGetVar(wp, T("ok"), T(""));
websHeader(wp);
websMsgStart(wp);
if (gstricmp(ok, T("ok")) != 0) {
websWrite(wp, T("Delete User Cancelled"));
} else if (umUserExists(userid) == FALSE) {
websWrite(wp, T("ERROR: User \"%s\" not found"), userid);
} else if (umGetUserProtected(userid)) {
websWrite(wp, T("ERROR: User, \"%s\" is delete-protected."), userid);
} else if (umDeleteUser(userid) != 0) {
websWrite(wp, T("ERROR: Unable to delete user, \"%s\" "), userid);
} else {
websWrite(wp, T("User, \"%s\" was successfully deleted."), userid);
}
websMsgEnd(wp);
websFooter(wp);
websDone(wp, 200);
}
int umAddUser(char_t *user, char_t *pass, char_t *group,
bool_t prot, bool_t disabled)
{
int row;
char_t *password;
a_assert(user && *user);
a_assert(pass && *pass);
a_assert(group && *group);
trace(3, T("UM: Adding User <%s>\n"), user);
/*
* Do not allow duplicates
*/
if (umUserExists(user)) {
return UM_ERR_DUPLICATE;
}
/*
* Make sure user name and password contain valid characters
*/
if (!umCheckName(user)) {
return UM_ERR_BAD_NAME;
}
if (!umCheckName(pass)) {
return UM_ERR_BAD_PASSWORD;
}
/*
* Make sure group exists
*/
if (!umGroupExists(group)) {
return UM_ERR_NOT_FOUND;
}
/*
* Now create the user record
*/
row = dbAddRow(didUM, UM_USER_TABLENAME);
if (row < 0) {
return UM_ERR_GENERAL;
}
if (dbWriteStr(didUM, UM_USER_TABLENAME, UM_NAME, row, user) != 0) {
return UM_ERR_GENERAL;
}
password = bstrdup(B_L, pass);
umEncryptString(password);
dbWriteStr(didUM, UM_USER_TABLENAME, UM_PASS, row, password);
bfree(B_L, password);
dbWriteStr(didUM, UM_USER_TABLENAME, UM_GROUP, row, group);
dbWriteInt(didUM, UM_USER_TABLENAME, UM_PROT, row, prot);
dbWriteInt(didUM, UM_USER_TABLENAME, UM_DISABLE, row, disabled);
return 0;
}
bool_t umUserCanAccessURL(char_t *user, char_t *url)
{
accessMeth_t amURL;
char_t *group, *usergroup, *urlHavingLimit;
short priv;
a_assert(user && *user);
a_assert(url && *url);
/*
* Make sure user exists
*/
if (!umUserExists(user)) {
return FALSE;
}
/*
* Make sure user is enabled
*/
if (!umGetUserEnabled(user)) {
return FALSE;
}
/*
* Make sure user has sufficient privileges (any will do)
*/
usergroup = umGetUserGroup(user);
priv = umGetGroupPrivilege(usergroup);
if (priv == 0) {
return FALSE;
}
/*
* Make sure user's group is enabled
*/
if (!umGetGroupEnabled(usergroup)) {
return FALSE;
}
/*
* The access method of the user group must not be AM_NONE
*/
if (umGetGroupAccessMethod(usergroup) == AM_NONE) {
return FALSE;
}
/*
* Check to see if there is an Access Limit for this URL
*/
urlHavingLimit = umGetAccessLimit(url);
if (urlHavingLimit) {
amURL = umGetAccessLimitMethod(urlHavingLimit);
group = umGetAccessLimitGroup(urlHavingLimit);
bfree(B_L, urlHavingLimit);
} else {
/*
* If there isn't an access limit for the URL, user has full access
*/
return TRUE;
}
/*
* If the access method for the URL is AM_NONE then
* the file "doesn't exist".
*/
if (amURL == AM_NONE) {
return FALSE;
}
/*
* If Access Limit has a group specified, then the user must be a
* member of that group
*/
if (group && *group) {
if (usergroup && (gstrcmp(group, usergroup) != 0)) {
return FALSE;
}
}
/*
* Otherwise, user can access the URL
*/
return TRUE;
}
bool_t umUserCanAccessURL(char_t *user, char_t *url)
{
accessMeth_t amURL;
char_t *group, *usergroup, *urlHavingLimit;
short priv;
a_assert(user && *user);
a_assert(url && *url);
/*
* Make sure user exists
*/
if (!umUserExists(user)) {
return FALSE;
}
/*
* Make sure user is enabled
*/
if (!umGetUserEnabled(user)) {
return FALSE;
}
/*
* Make sure user has sufficient privileges (any will do)
*/
usergroup = umGetUserGroup(user);
priv = umGetGroupPrivilege(usergroup);
if (priv == 0) {
return FALSE;
}
/*
* Make sure user's group is enabled
*/
if (!umGetGroupEnabled(usergroup)) {
return FALSE;
}
/*
* The access method of the user group must not be AM_NONE
*/
if (umGetGroupAccessMethod(usergroup) == AM_NONE) {
return FALSE;
}
/*
* Check to see if there is an Access Limit for this URL
*/
urlHavingLimit = umGetAccessLimit(url);
if (urlHavingLimit) {
amURL = umGetAccessLimitMethod(urlHavingLimit);
group = umGetAccessLimitGroup(urlHavingLimit);
bfree(B_L, urlHavingLimit);
} else {
/*
* If there isn't an access limit for the URL, user has full access
*/
return TRUE;
}
/*
* If the access method for the URL is AM_NONE then
* the file "doesn't exist".
*/
if (amURL == AM_NONE) {
return FALSE;
}
/*
* If Access Limit has a group specified, then the user must be a
* member of that group
*/
if (group && *group) {
#ifdef qHierarchicalAccess
/*
* If we are compiling with the hierarchical access extensions, we
* instead call the user-provided function that checks to see whether
* the current user's access level is greater than or equal to the
* access level required for this URL.
*/
return dmfCanAccess(usergroup, group);
#else
if (usergroup && (gstrcmp(group, usergroup) != 0)) {
return FALSE;
}
#endif
}
/*
* Otherwise, user can access the URL
*/
return TRUE;
}
int websSecurityHandler(webs_t wp, char_t *urlPrefix, char_t *webDir, int arg,
char_t *url, char_t *path, char_t *query)
{
char_t *type, *userid, *password, *accessLimit;
int flags, nRet;
accessMeth_t am;
a_assert(websValid(wp));
a_assert(url && *url);
a_assert(path && *path);
/*
* Get the critical request details
*/
type = websGetRequestType(wp);
password = websGetRequestPassword(wp);
userid = websGetRequestUserName(wp);
flags = websGetRequestFlags(wp);
/*
* Get the access limit for the URL. Exit if none found.
*/
accessLimit = umGetAccessLimit(path);
if (accessLimit == NULL) {
return 0;
}
/*
* Check to see if URL must be encrypted
*/
#ifdef WEBS_SSL_SUPPORT
nRet = umGetAccessLimitSecure(accessLimit);
if (nRet && ((flags & WEBS_SECURE) == 0)) {
websStats.access++;
websError(wp, 405, T("Access Denied\nSecure access is required."));
trace(3, T("SEC: Non-secure access attempted on <%s>\n"), path);
/* bugfix 5/24/02 -- we were leaking the memory pointed to by
* 'accessLimit'. Thanks to Simon Byholm.
*/
bfree(B_L, accessLimit);
return 1;
}
#endif
/*
* Get the access limit for the URL
*/
am = umGetAccessMethodForURL(accessLimit);
nRet = 0;
if ((flags & WEBS_LOCAL_REQUEST) && (debugSecurity == 0)) {
/*
* Local access is always allowed (defeat when debugging)
*/
} else if (am == AM_NONE) {
/*
* URL is supposed to be hidden! Make like it wasn't found.
*/
websStats.access++;
websError(wp, 404, T("Page Not Found"));
nRet = 1;
} else if (userid && *userid) {
if (!umUserExists(userid)) {
websStats.access++;
websError(wp, 401, T("Access Denied\nUnknown User"));
trace(3, T("SEC: Unknown user <%s> attempted to access <%s>\n"),
userid, path);
nRet = 1;
} else if (!umUserCanAccessURL(userid, accessLimit)) {
websStats.access++;
websError(wp, 403, T("Access Denied\nProhibited User"));
nRet = 1;
} else if (password && * password) {
char_t * userpass = umGetUserPassword(userid);
if (userpass) {
if (gstrcmp(password, userpass) != 0) {
websStats.access++;
websError(wp, 401, T("Access Denied\nWrong Password"));
trace(3, T("SEC: Password fail for user <%s>")
T("attempt to access <%s>\n"), userid, path);
nRet = 1;
} else {
/*
* User and password check out.
*/
}
bfree (B_L, userpass);
}
#ifdef DIGEST_ACCESS_SUPPORT
} else if (flags & WEBS_AUTH_DIGEST) {
char_t *digestCalc;
/*
* Check digest for equivalence
*/
wp->password = umGetUserPassword(userid);
a_assert(wp->digest);
a_assert(wp->nonce);
a_assert(wp->password);
digestCalc = websCalcDigest(wp);
a_assert(digestCalc);
if (gstrcmp(wp->digest, digestCalc) != 0) {
bfree (B_L, digestCalc);
digestCalc = websCalcUrlDigest(wp);
a_assert(digestCalc);
if (gstrcmp(wp->digest, digestCalc) != 0) {
websStats.access++;
websError(wp, 401, T("Access Denied\nWrong Password"));
nRet = 1;
}
}
bfree (B_L, digestCalc);
#endif
} else {
/*
* No password has been specified
*/
#ifdef DIGEST_ACCESS_SUPPORT
if (am == AM_DIGEST) {
wp->flags |= WEBS_AUTH_DIGEST;
}
#endif
websStats.errors++;
websError(wp, 401,
T("Access to this document requires a password"));
nRet = 1;
}
} else if (am != AM_FULL) {
/*
* This will cause the browser to display a password / username
* dialog
*/
#ifdef DIGEST_ACCESS_SUPPORT
if (am == AM_DIGEST) {
wp->flags |= WEBS_AUTH_DIGEST;
}
#endif
websStats.errors++;
websError(wp, 401, T("Access to this document requires a User ID"));
nRet = 1;
}
bfree(B_L, accessLimit);
return nRet;
}
