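/*
 *	Write a string into the HTML response with the markup characters
 *	&, <, >, " and ' replaced by character entities, so the value is rendered
 *	as text and cannot introduce tags or attributes. A NULL string writes
 *	nothing. Characters are emitted one at a time through websWrite() so that
 *	no extra allocation is needed.
 */
static void formWriteHtmlEscaped(webs_t wp, char_t *str)
{
	char_t	one[2];

	a_assert(wp);

	if (str == NULL) {
		return;
	}
	one[1] = '\0';
	for (; *str; str++) {
		switch (*str) {
		case '&':
			websWrite(wp, T("&amp;"));
			break;
		case '<':
			websWrite(wp, T("&lt;"));
			break;
		case '>':
			websWrite(wp, T("&gt;"));
			break;
		case '"':
			websWrite(wp, T("&quot;"));
			break;
		case '\'':
			websWrite(wp, T("&#39;"));
			break;
		default:
			one[0] = *str;
			websWrite(wp, T("%s"), one);
			break;
		}
	}
}

/*
 *	Form handler: show the group and enabled state of the user named by the
 *	"user" request variable. Nothing is looked up unless the "ok" variable
 *	equals "ok" (case-insensitive). Always completes the request with 200.
 *
 *	The "user" value comes straight from the request and is echoed into the
 *	page, including on the "not found" path where it has not matched any
 *	stored name, so it is HTML-escaped before being written. The group name
 *	is escaped as well because it is data, not markup.
 */
static void formDisplayUser(webs_t wp, char_t *path, char_t *query)
{
	char_t	*userid, *ok, *temp;
	bool_t	enabled;

	a_assert(wp);

	userid = websGetVar(wp, T("user"), T(""));
	ok = websGetVar(wp, T("ok"), T(""));

	websHeader(wp);
	websWrite(wp, T("<body>"));

	if (gstricmp(ok, T("ok")) != 0) {
		websWrite(wp, T("Display User Cancelled"));
	} else if (umUserExists(userid) == FALSE) {
		websWrite(wp, T("ERROR: User <b>"));
		formWriteHtmlEscaped(wp, userid);
		websWrite(wp, T("</b> not found.\n"));
	} else {
		websWrite(wp, T("<h2>User ID: <b>"));
		formWriteHtmlEscaped(wp, userid);
		websWrite(wp, T("</b></h2>\n"));

		temp = umGetUserGroup(userid);
		websWrite(wp, T("<h3>User Group: <b>"));
		formWriteHtmlEscaped(wp, temp);
		websWrite(wp, T("</b></h3>\n"));

		enabled = umGetUserEnabled(userid);
		websWrite(wp, T("<h3>Enabled: <b>%d</b></h3>\n"), enabled);
	}

	websWrite(wp, T("</body>\n"));
	websFooter(wp);
	websDone(wp, 200);
}

/*
 *	Form handler: delete the user named by the "user" request variable.
 *	The deletion is attempted only when the "ok" variable equals "ok"
 *	(case-insensitive), the user exists and umGetUserProtected() reports the
 *	account as not delete-protected. Always completes the request with 200;
 *	the outcome is reported in the message body.
 *
 *	The "user" value is request-supplied and is echoed in every result
 *	message, so it is HTML-escaped before being written.
 *
 *	NOTE(review): the only confirmation checked here is the "ok" variable;
 *	no per-session or per-request token is visible in this handler. Confirm
 *	that the URL it is bound to is covered by an access limit and consider
 *	request-forgery protection for this state-changing action.
 */
static void formDeleteUser(webs_t wp, char_t *path, char_t *query)
{
	char_t	*userid, *ok;

	a_assert(wp);

	userid = websGetVar(wp, T("user"), T(""));
	ok = websGetVar(wp, T("ok"), T(""));

	websHeader(wp);
	websMsgStart(wp);

	if (gstricmp(ok, T("ok")) != 0) {
		websWrite(wp, T("Delete User Cancelled"));
	} else if (umUserExists(userid) == FALSE) {
		websWrite(wp, T("ERROR: User \""));
		formWriteHtmlEscaped(wp, userid);
		websWrite(wp, T("\" not found"));
	} else if (umGetUserProtected(userid)) {
		websWrite(wp, T("ERROR: User, \""));
		formWriteHtmlEscaped(wp, userid);
		websWrite(wp, T("\" is delete-protected."));
	} else if (umDeleteUser(userid) != 0) {
		websWrite(wp, T("ERROR: Unable to delete user, \""));
		formWriteHtmlEscaped(wp, userid);
		websWrite(wp, T("\" "));
	} else {
		websWrite(wp, T("User, \""));
		formWriteHtmlEscaped(wp, userid);
		websWrite(wp, T("\" was successfully deleted."));
	}

	websMsgEnd(wp);
	websFooter(wp);
	websDone(wp, 200);
}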
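/*
 *	Add a user record to the user table.
 *
 *	user      Account name; must be non-empty and pass umCheckName().
 *	pass      Password; must be non-empty and pass umCheckName().
 *	group     Name of an existing group.
 *	prot      Stored in the UM_PROT column.
 *	disabled  Stored in the UM_DISABLE column.
 *
 *	Returns 0 on success, UM_ERR_DUPLICATE if the user already exists,
 *	UM_ERR_BAD_NAME / UM_ERR_BAD_PASSWORD if a value is missing or rejected
 *	by umCheckName(), UM_ERR_NOT_FOUND if the group is missing or unknown,
 *	and UM_ERR_GENERAL if the record cannot be written.
 *
 *	A record is either written completely or removed again: a row that has a
 *	name but no password must never be left behind, because code that
 *	authenticates against this table could otherwise find an account with no
 *	password to compare against.
 *
 *	NOTE(review): the password is passed through the same umCheckName()
 *	filter as the user name, which restricts the characters a password may
 *	contain. The value stored by umEncryptString() appears to be recoverable
 *	(websSecurityHandler() compares request passwords against the output of
 *	umGetUserPassword()), so the user database should be protected as if it
 *	held the passwords themselves -- confirm against umEncryptString().
 */
int umAddUser(char_t *user, char_t *pass, char_t *group, bool_t prot, bool_t disabled)
{
	int		row, rc;
	char_t	*password;

	a_assert(user && *user);
	a_assert(pass && *pass);
	a_assert(group && *group);

/*
 *	Repeat the argument checks at run time so that a build in which
 *	a_assert() does nothing still rejects missing values.
 */
	if (user == NULL || *user == '\0') {
		return UM_ERR_BAD_NAME;
	}
	if (pass == NULL || *pass == '\0') {
		return UM_ERR_BAD_PASSWORD;
	}
	if (group == NULL || *group == '\0') {
		return UM_ERR_NOT_FOUND;
	}

	trace(3, T("UM: Adding User <%s>\n"), user);

/*
 *	Do not allow duplicates
 */
	if (umUserExists(user)) {
		return UM_ERR_DUPLICATE;
	}

/*
 *	Make sure user name and password contain valid characters
 */
	if (!umCheckName(user)) {
		return UM_ERR_BAD_NAME;
	}
	if (!umCheckName(pass)) {
		return UM_ERR_BAD_PASSWORD;
	}

/*
 *	Make sure group exists
 */
	if (!umGroupExists(group)) {
		return UM_ERR_NOT_FOUND;
	}

/*
 *	Now create the user record
 */
	row = dbAddRow(didUM, UM_USER_TABLENAME);
	if (row < 0) {
		return UM_ERR_GENERAL;
	}

	if (dbWriteStr(didUM, UM_USER_TABLENAME, UM_NAME, row, user) != 0) {
		dbDeleteRow(didUM, UM_USER_TABLENAME, row);
		return UM_ERR_GENERAL;
	}

/*
 *	Store the transformed password. Work on a private copy so the caller's
 *	string is not modified.
 */
	password = bstrdup(B_L, pass);
	if (password == NULL) {
		dbDeleteRow(didUM, UM_USER_TABLENAME, row);
		return UM_ERR_GENERAL;
	}
	umEncryptString(password);
	rc = dbWriteStr(didUM, UM_USER_TABLENAME, UM_PASS, row, password);
	bfree(B_L, password);

/*
 *	Write the remaining columns; any failure rolls the whole row back so no
 *	partially populated account remains.
 */
	if (rc != 0 ||
		dbWriteStr(didUM, UM_USER_TABLENAME, UM_GROUP, row, group) != 0 ||
		dbWriteInt(didUM, UM_USER_TABLENAME, UM_PROT, row, prot) != 0 ||
		dbWriteInt(didUM, UM_USER_TABLENAME, UM_DISABLE, row, disabled) != 0) {
		dbDeleteRow(didUM, UM_USER_TABLENAME, row);
		return UM_ERR_GENERAL;
	}

	return 0;
}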
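/*
 *	Decide whether a user may access a URL.
 *
 *	Returns FALSE when the user does not exist or is disabled, when the
 *	user's group has privilege 0, is disabled or has access method AM_NONE,
 *	when the URL's access limit has method AM_NONE, or when the access limit
 *	names a group that is not the user's group. Returns TRUE otherwise,
 *	including when no access limit applies to the URL.
 *
 *	A user whose group cannot be determined is refused whenever the access
 *	limit names a group: the membership test fails closed instead of being
 *	skipped.
 */
bool_t umUserCanAccessURL(char_t *user, char_t *url)
{
	accessMeth_t	amURL;
	char_t			*group, *usergroup, *urlHavingLimit;
	short			priv;

	a_assert(user && *user);
	a_assert(url && *url);

/*
 *	Make sure user exists
 */
	if (!umUserExists(user)) {
		return FALSE;
	}

/*
 *	Make sure user is enabled
 */
	if (!umGetUserEnabled(user)) {
		return FALSE;
	}

/*
 *	Make sure user has sufficient privileges (any will do)
 */
	usergroup = umGetUserGroup(user);
	priv = umGetGroupPrivilege(usergroup);
	if (priv == 0) {
		return FALSE;
	}

/*
 *	Make sure user's group is enabled
 */
	if (!umGetGroupEnabled(usergroup)) {
		return FALSE;
	}

/*
 *	The access method of the user group must not be AM_NONE
 */
	if (umGetGroupAccessMethod(usergroup) == AM_NONE) {
		return FALSE;
	}

/*
 *	Check to see if there is an Access Limit for this URL
 */
	urlHavingLimit = umGetAccessLimit(url);
	if (urlHavingLimit) {
		amURL = umGetAccessLimitMethod(urlHavingLimit);
		group = umGetAccessLimitGroup(urlHavingLimit);
		bfree(B_L, urlHavingLimit);
	} else {
/*
 *		If there isn't an access limit for the URL, user has full access
 */
		return TRUE;
	}

/*
 *	If the access method for the URL is AM_NONE then
 *	the file "doesn't exist".
 */
	if (amURL == AM_NONE) {
		return FALSE;
	}

/*
 *	If Access Limit has a group specified, then the user must be a
 *	member of that group. A missing user group can never satisfy the
 *	requirement, so it is refused rather than letting the comparison
 *	be skipped.
 */
	if (group && *group) {
		if (usergroup == NULL) {
			return FALSE;
		}
		if (gstrcmp(group, usergroup) != 0) {
			return FALSE;
		}
	}

/*
 *	Otherwise, user can access the URL
 */
	return TRUE;
}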
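/*
 *	Decide whether a user may access a URL.
 *
 *	Returns FALSE when the user does not exist or is disabled, when the
 *	user's group has privilege 0, is disabled or has access method AM_NONE,
 *	or when the URL's access limit has method AM_NONE. When the access limit
 *	names a group, the result is that of dmfCanAccess() if qHierarchicalAccess
 *	is defined, otherwise TRUE only if the user's group equals the named
 *	group. Returns TRUE when no access limit applies to the URL or the limit
 *	names no group.
 *
 *	A user whose group cannot be determined is refused whenever the access
 *	limit names a group: the check fails closed in both build variants.
 */
bool_t umUserCanAccessURL(char_t *user, char_t *url)
{
	accessMeth_t	amURL;
	char_t			*group, *usergroup, *urlHavingLimit;
	short			priv;

	a_assert(user && *user);
	a_assert(url && *url);

/*
 *	Make sure user exists
 */
	if (!umUserExists(user)) {
		return FALSE;
	}

/*
 *	Make sure user is enabled
 */
	if (!umGetUserEnabled(user)) {
		return FALSE;
	}

/*
 *	Make sure user has sufficient privileges (any will do)
 */
	usergroup = umGetUserGroup(user);
	priv = umGetGroupPrivilege(usergroup);
	if (priv == 0) {
		return FALSE;
	}

/*
 *	Make sure user's group is enabled
 */
	if (!umGetGroupEnabled(usergroup)) {
		return FALSE;
	}

/*
 *	The access method of the user group must not be AM_NONE
 */
	if (umGetGroupAccessMethod(usergroup) == AM_NONE) {
		return FALSE;
	}

/*
 *	Check to see if there is an Access Limit for this URL
 */
	urlHavingLimit = umGetAccessLimit(url);
	if (urlHavingLimit) {
		amURL = umGetAccessLimitMethod(urlHavingLimit);
		group = umGetAccessLimitGroup(urlHavingLimit);
		bfree(B_L, urlHavingLimit);
	} else {
/*
 *		If there isn't an access limit for the URL, user has full access
 */
		return TRUE;
	}

/*
 *	If the access method for the URL is AM_NONE then
 *	the file "doesn't exist".
 */
	if (amURL == AM_NONE) {
		return FALSE;
	}

/*
 *	If Access Limit has a group specified, then the user must be a
 *	member of that group
 */
	if (group && *group) {
/*
 *		A missing user group can never satisfy a group requirement; refuse
 *		here so neither variant below is handed a NULL group or skips the
 *		comparison.
 */
		if (usergroup == NULL) {
			return FALSE;
		}
#ifdef qHierarchicalAccess
/*
 *		If we are compiling with the hierarchical access extensions, we
 *		instead call the user-provided function that checks to see whether
 *		the current user's access level is greater than or equal to the
 *		access level required for this URL.
 */
		return dmfCanAccess(usergroup, group);
#else
		if (gstrcmp(group, usergroup) != 0) {
			return FALSE;
		}
#endif
	}

/*
 *	Otherwise, user can access the URL
 */
	return TRUE;
}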
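/*
 *	Compare two NUL-terminated strings without stopping at the first
 *	mismatch, so the time taken does not reveal how many leading characters
 *	of a guessed secret were correct. Returns non-zero if the strings differ.
 *	The running time still depends on the length of the longer string.
 */
static int secStringsDiffer(char_t *a, char_t *b)
{
	unsigned int	diff;

	diff = 0;
	while (*a || *b) {
		diff |= (unsigned int) (*a ^ *b);
		if (*a) {
			a++;
		}
		if (*b) {
			b++;
		}
	}
	return diff != 0;
}

/*
 *	URL handler that enforces the access limit configured for a request path.
 *
 *	Returns 0 when the request may continue (no access limit applies, the
 *	request is local, or the credentials were accepted) and 1 when an error
 *	response has already been sent with websError().
 *
 *	Every path that cannot positively verify the credentials denies the
 *	request: a stored password that cannot be retrieved, or a digest that
 *	cannot be calculated, is treated as a failed login rather than ignored.
 *
 *	NOTE(review): requests flagged WEBS_LOCAL_REQUEST skip all checks unless
 *	debugSecurity is set. How that flag is derived is not visible here;
 *	confirm it cannot be set for traffic arriving through a proxy or
 *	forwarder on the same host.
 *
 *	NOTE(review): the 401 bodies distinguish "Unknown User" from "Wrong
 *	Password", which lets a client test whether an account name exists. The
 *	texts are left unchanged here because clients may depend on them.
 */
int websSecurityHandler(webs_t wp, char_t *urlPrefix, char_t *webDir, int arg,
						char_t *url, char_t *path, char_t *query)
{
	char_t			*type, *userid, *password, *accessLimit;
	int				flags, nRet;
	accessMeth_t	am;

	a_assert(websValid(wp));
	a_assert(url && *url);
	a_assert(path && *path);

/*
 *	Get the critical request details
 */
	type = websGetRequestType(wp);
	password = websGetRequestPassword(wp);
	userid = websGetRequestUserName(wp);
	flags = websGetRequestFlags(wp);

/*
 *	Get the access limit for the URL.  Exit if none found.
 */
	accessLimit = umGetAccessLimit(path);
	if (accessLimit == NULL) {
		return 0;
	}

/*
 *	Check to see if URL must be encrypted
 */
#ifdef WEBS_SSL_SUPPORT
	nRet = umGetAccessLimitSecure(accessLimit);
	if (nRet && ((flags & WEBS_SECURE) == 0)) {
		websStats.access++;
		websError(wp, 405, T("Access Denied\nSecure access is required."));
		trace(3, T("SEC: Non-secure access attempted on <%s>\n"), path);
		/* bugfix 5/24/02 -- we were leaking the memory pointed to by
		 * 'accessLimit'. Thanks to Simon Byholm.
		 */
		bfree(B_L, accessLimit);
		return 1;
	}
#endif

/*
 *	Get the access limit for the URL
 */
	am = umGetAccessMethodForURL(accessLimit);

	nRet = 0;
	if ((flags & WEBS_LOCAL_REQUEST) && (debugSecurity == 0)) {
/*
 *		Local access is always allowed (defeat when debugging)
 */
	} else if (am == AM_NONE) {
/*
 *		URL is supposed to be hidden!  Make like it wasn't found.
 */
		websStats.access++;
		websError(wp, 404, T("Page Not Found"));
		nRet = 1;
	} else if (userid && *userid) {
		if (!umUserExists(userid)) {
			websStats.access++;
			websError(wp, 401, T("Access Denied\nUnknown User"));
			trace(3, T("SEC: Unknown user <%s> attempted to access <%s>\n"),
				userid, path);
			nRet = 1;
		} else if (!umUserCanAccessURL(userid, accessLimit)) {
			websStats.access++;
			websError(wp, 403, T("Access Denied\nProhibited User"));
			nRet = 1;
		} else if (password && * password) {
			char_t * userpass = umGetUserPassword(userid);
/*
 *			Fail closed: if no stored password can be retrieved there is
 *			nothing to verify against, so the login is rejected exactly
 *			like a mismatch.
 */
			if (userpass == NULL || secStringsDiffer(password, userpass)) {
				websStats.access++;
				websError(wp, 401, T("Access Denied\nWrong Password"));
				trace(3, T("SEC: Password fail for user <%s>")
							T("attempt to access <%s>\n"), userid, path);
				nRet = 1;
			} else {
/*
 *				User and password check out.
 */
			}

			if (userpass) {
				bfree (B_L, userpass);
			}
#ifdef DIGEST_ACCESS_SUPPORT
		} else if (flags & WEBS_AUTH_DIGEST) {
			char_t *digestCalc;

/*
 *			Check digest for equivalence
 */
			wp->password = umGetUserPassword(userid);

			a_assert(wp->digest);
			a_assert(wp->nonce);
			a_assert(wp->password);

/*
 *			The assertions above may do nothing in some builds, so the same
 *			conditions are checked at run time and treated as a failed
 *			login.
 */
			if (wp->digest == NULL || wp->nonce == NULL ||
					wp->password == NULL) {
				websStats.access++;
				websError(wp, 401, T("Access Denied\nWrong Password"));
				nRet = 1;
			} else {
				digestCalc = websCalcDigest(wp);
				a_assert(digestCalc);

				if (digestCalc == NULL ||
						secStringsDiffer(wp->digest, digestCalc)) {
					if (digestCalc) {
						bfree (B_L, digestCalc);
					}
/*
 *					Second attempt with the URL-based digest before the
 *					login is rejected.
 */
					digestCalc = websCalcUrlDigest(wp);
					a_assert(digestCalc);
					if (digestCalc == NULL ||
							secStringsDiffer(wp->digest, digestCalc)) {
						websStats.access++;
						websError(wp, 401, T("Access Denied\nWrong Password"));
						nRet = 1;
					}
				}

				if (digestCalc) {
					bfree (B_L, digestCalc);
				}
			}
#endif
		} else {
/*
 *			No password has been specified
 */
#ifdef DIGEST_ACCESS_SUPPORT
			if (am == AM_DIGEST) {
				wp->flags |= WEBS_AUTH_DIGEST;
			}
#endif
			websStats.errors++;
			websError(wp, 401,
				T("Access to this document requires a password"));
			nRet = 1;
		}
	} else if (am != AM_FULL) {
/*
 *		This will cause the browser to display a password / username
 *		dialog
 */
#ifdef DIGEST_ACCESS_SUPPORT
		if (am == AM_DIGEST) {
			wp->flags |= WEBS_AUTH_DIGEST;
		}
#endif
		websStats.errors++;
		websError(wp, 401, T("Access to this document requires a User ID"));
		nRet = 1;
	}

	bfree(B_L, accessLimit);

	return nRet;
}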