Commit 0a5c280c authored by IKEDA Soji's avatar IKEDA Soji

Bug: Normal (non-super) listmasters can edit site templates (#1224)

parent 9d31cceb
......@@ -203,6 +203,9 @@
[%~ ELSIF report_entry == 'action_privileged_owner' ~%]
[%|loc%]This action is restricted to privileged list owners.[%END%]
[%~ ELSIF report_entry == 'action_super_listmaster' ~%]
[%|loc%]This action is restricted to super-listmasters.[%END%]
[%~ ELSIF report_entry == 'edit_right' ~%]
[%|loc(role,right)%]Rights to this action are '%2' for a '%1'.[%END%]
......
......@@ -35,8 +35,21 @@
<label for="template_name_out">[%|loc%]New template name: [%END%] </label><input id="template_name_out" type="text" name="template_name_out" value="[% template_name %]" /><br />
<label for="scope_out">[%|loc%]Scope: [%END%] </label>
<select id="scope_out" name="scope_out">
<option value="site" [% IF scope == 'site' %]selected[% END %]>[%|loc%]site[%END%]</option>
[% UNLESS default_robot %]<option value="robot" [% IF scope == 'robot' %]selected[% END %]>[%|loc%]robot[%END%]</option>[%END%]
[% IF is_super_listmaster ~%]
<option value="site"
[%~ IF scope == 'site' %] selected[% END %]>
[%|loc%]site[%END%]
</option>
<option value="robot"
[%~ IF scope == 'robot' %] selected[% END %]>
[%|loc%]robot[%END%]
</option>
[%~ ELSE ~%]
<option value="robot"
[%~ IF scope == 'robot' || scope == 'site' %] selected[% END %]>
[%|loc%]robot[%END%]
</option>
[%~ END %]
<option value="list" [% IF scope == 'list' %]selected[% END %]>[%|loc%]list[%END%]</option>
</select><br />
<label for="tpl_lang_out">[%|loc%]Language: [%END%] </label>
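Review bot: The `[% UNLESS default_robot %]` guard that used to wrap the robot option is dropped in the rewrite, so the robot scope is now offered unconditionally in both branches, including on the default robot; if that is intended a short note would help, otherwise restore the condition around the robot `<option>` in each branch. For non-super listmasters the robot option is preselected when the source `scope` is `site`, which silently retargets a site template to the robot — sensible, but worth a comment such as `[%# non-super listmasters may not write site scope; default the copy target to robot %]`. The select only shapes the UI; the `scope_out` check in do_copy_template is what has to reject a posted `site` value regardless of what this form offers.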
......
......@@ -99,7 +99,7 @@
[% FOREACH lang = file.value.distrib %]
<td class="text_center">
[% IF lang.value %]
<form action="[% 'edit_template' | url_rel %]" method="post">
<form action="[% path_cgi %]" method="post">
<fieldset>
<input type="hidden" name="template_path" value="[% lang.value %]" />
<input type="hidden" name="template_name" value="[% file.key %]" />
......@@ -118,19 +118,26 @@
[% FOREACH lang = file.value.site %]
<td class="text_center">
[% IF lang.value %]
<form action="[% 'edit_template' | url_rel %]" method="post">
<form action="[% path_cgi %]" method="post">
<fieldset>
<input type="hidden" name="template_name" value="[% file.key %]" />
<input type="hidden" name="template_path" value="[% lang.value %]" />
<input type="hidden" name="scope" value="site" />
<input type="hidden" name="tpl_lang" value="[% lang.key %]" />
<input type="hidden" name="webormail" value="[% webormail %]" />
<input class="MainMenuLinks" type="submit" name="action_edit_template"
value="[%|loc%]edit[% END %]" />
<input class="MainMenuLinks" type="submit" name="action_copy_template"
value="[%|loc%]cp[% END %]" />
<input class="MainMenuLinks" type="submit" name="action_remove_template"
value="[%|loc%]rm[% END %]" />
[% IF is_super_listmaster ~%]
<input class="MainMenuLinks" type="submit" name="action_edit_template"
value="[%|loc%]edit[% END %]" />
<input class="MainMenuLinks" type="submit" name="action_copy_template"
value="[%|loc%]cp[% END %]" />
<input class="MainMenuLinks" type="submit" name="action_remove_template"
value="[%|loc%]rm[% END %]" />
[%~ ELSE ~%]
<input class="MainMenuLinks" type="submit" name="action_view_template"
value="[%|loc%]view[% END %]" />
<input class="MainMenuLinks" type="submit" name="action_copy_template"
value="[%|loc%]cp[% END %]" />
[%~ END %]
</fieldset>
</form>
[% END %]
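Review bot: The non-super branch posts `action_view_template`, but none of the visible hunks adds or touches a `do_view_template` handler; if it does not already exist the button will post to an unknown action, so confirm it is defined. The button split is presentation only — the hidden `scope` field above is what do_edit_template, do_copy_template and do_remove_template check, so the real enforcement is those server-side gates, and a template comment saying so (`[%# buttons are gated on is_super_listmaster for display; authorization is enforced in the do_*_template handlers %]`) would stop a later edit from treating this as the check. The robot and list sections are left as before, which matches the intent that ordinary listmasters keep editing robot-level templates.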
......@@ -143,7 +150,7 @@
[% FOREACH lang = file.value.robot %]
<td class="text_center">
[% IF lang.value %]
<form action="[% 'edit_template' | url_rel %]" method="post">
<form action="[% path_cgi %]" method="post">
<fieldset>
<input type="hidden" name="template_name" value="[% file.key %]" />
<input type="hidden" name="template_path" value="[% lang.value %]" />
......@@ -167,7 +174,7 @@
[% FOREACH lang = file.value.list %]
<td class="text_center">
[% IF lang.value %]
<form action="[% 'edit_template' | url_rel %]" method="post">
<form action="[% path_cgi %]" method="post">
<fieldset>
<input type="hidden" name="template_name" value="[% file.key %]" />
<input type="hidden" name="template_path" value="[% lang.value %]" />
......
......@@ -2571,9 +2571,10 @@ sub check_param_in {
$param->{'last_login_host'} = delete $session->{'last_login_host'};
 
# listmaster has owner and editor privileges for the list.
if (Sympa::is_listmaster($robot, $param->{'user'}{'email'})) {
$param->{'is_listmaster'} = 1;
}
$param->{'is_listmaster'} =
Sympa::is_listmaster($robot, $param->{'user'}{'email'}) ? 1 : undef;
$param->{'is_super_listmaster'} =
Sympa::is_listmaster('*', $param->{'user'}{'email'}) ? 1 : undef;
 
unless (ref $list eq 'Sympa::List') {
$param->{'domain'} = $robot;
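Review bot: `is_listmaster` is now explicitly reset to `undef` when the test fails, where check_param_in previously left any earlier value untouched; that looks intentional (it matches the check_param_out hunk at 2823) but deserves a word in the comment. The new flag has no explanation of what `'*'` denotes; suggest `# Super-listmaster: listmaster in the site-wide ('*') context; required for actions on site-level templates.` above the second assignment in both hunks. The pair of assignments is now duplicated verbatim between check_param_in and check_param_out, which could share a small helper so the two cannot drift apart. Whether `Sympa::is_listmaster` tolerates an undefined email for an anonymous session is not visible from these lines.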
......@@ -2822,12 +2823,11 @@ sub check_param_out {
localtime $start_time);
$param->{'process_id'} = $PID;
 
## listmaster has owner and editor privileges for the list
if (Sympa::is_listmaster($robot, $param->{'user'}{'email'})) {
$param->{'is_listmaster'} = 1;
} else {
undef $param->{'is_listmaster'};
}
# listmaster has owner and editor privileges for the list.
$param->{'is_listmaster'} =
Sympa::is_listmaster($robot, $param->{'user'}{'email'}) ? 1 : undef;
$param->{'is_super_listmaster'} =
Sympa::is_listmaster('*', $param->{'user'}{'email'}) ? 1 : undef;
 
## Reset $list variable if it is not expected for the current action
## To prevent the list panel from being printed in a non list context
......@@ -6426,6 +6426,15 @@ sub do_ls_templates {
sub do_remove_template {
wwslog('info', '');
 
# Only super-listmasters can remove the templates on site level.
if ($in{'scope'} eq 'site'
and not Sympa::is_listmaster('*', $param->{'user'}{'email'})) {
Sympa::WWW::Report::reject_report_web('auth',
'action_super_listmaster', {}, $param->{'action'});
wwslog('info', 'Authorization failed, insufficient privileges');
web_db_log({status => 'error', error_type => 'authorization'});
return 1;
}
if ($in{'scope'} eq 'list' and ref $list ne 'Sympa::List') {
Sympa::WWW::Report::reject_report_web('user', 'missing_arg',
{'argument' => 'list'},
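Review bot: The new gate keys the decision on `$in{'scope'}`, but the forms in ls_templates.tt2 also post `template_path` as a hidden field; if the handler body — which continues outside the hunk — locates the file from `template_path` rather than deriving it from the authorized scope, template_name and tpl_lang, the scope check and the resource selection come from two different client-supplied fields, so the path should be recomputed server-side from the scope that passed this check. The same nine-line block is repeated verbatim in do_copy_template (on `scope_out`, hunk at 6566) and do_edit_template (hunk at 7026), which is worth folding into one helper that takes the scope and returns false after reporting the refusal; each handler then becomes `return 1 unless _authorize_site_scope($in{'scope'});`. The helper can also guard against an undefined scope, which the bare `eq` would warn on. do_remove_template's body continues past the end of the hunk.
```perl
# Reject the request unless the user may act at the given template scope:
# only listmasters of the site-wide ('*') context may touch site-level
# templates.  Returns true when allowed, false after reporting the refusal.
sub _authorize_site_scope {
    my $scope = shift;

    return 1 unless defined $scope and $scope eq 'site';
    return 1 if Sympa::is_listmaster('*', $param->{'user'}{'email'});

    Sympa::WWW::Report::reject_report_web('auth',
        'action_super_listmaster', {}, $param->{'action'});
    wwslog('info', 'Authorization failed, insufficient privileges');
    web_db_log({status => 'error', error_type => 'authorization'});
    return;
}

sub do_remove_template {
    wwslog('info', '');

    return 1 unless _authorize_site_scope($in{'scope'});
    # … unchanged: list-scope argument check and the rest of the handler …
```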
......@@ -6557,6 +6566,16 @@ sub do_copy_template {
return 1;
}
 
# Only super-listmasters can create the templates on site level.
if ($in{'scope_out'} eq 'site'
and not Sympa::is_listmaster('*', $param->{'user'}{'email'})) {
Sympa::WWW::Report::reject_report_web('auth',
'action_super_listmaster', {}, $param->{'action'});
wwslog('info', 'Authorization failed, insufficient privileges');
web_db_log({status => 'error', error_type => 'authorization'});
return 1;
}
# one of these parameters is commit from the form submission
if ($in{'scope_out'} eq 'list') {
if ($in{'list_out'}) {
......@@ -7007,6 +7026,17 @@ sub do_edit_template {
unless ($in{'content'}) {
return 1;
}
# Only super-listmasters can edit the templates on site level.
if ($in{'scope'} eq 'site'
and not Sympa::is_listmaster('*', $param->{'user'}{'email'})) {
Sympa::WWW::Report::reject_report_web('auth',
'action_super_listmaster', {}, $param->{'action'});
wwslog('info', 'Authorization failed, insufficient privileges');
web_db_log({status => 'error', error_type => 'authorization'});
return 1;
}
if ($in{'scope'} eq 'list' and ref $list ne 'Sympa::List') {
Sympa::WWW::Report::reject_report_web('user', 'listname_needed', {},
$param->{'action'});
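Review bot: The gate is placed after the `unless ($in{'content'}) { return 1; }` early return, so it only covers a submission that carries content; the no-content path returns before the check, and because do_edit_template begins outside the hunk it is not visible whether that path renders the site template in the editor for a non-super listmaster. If it does, move the authorization block above the early return so both paths share the same check, and say so in the comment, e.g. `# Checked before the content test so that both displaying and saving a site template require super-listmaster.`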
......