Merge pull request #1230 from ikedas/issue-1224 by ikedas

Bug: Normal (non-super) listmasters can edit site templates (#1224)

Merge pull request #1230 from ikedas/issue-1224 by ikedas
Bug: Normal (non-super) listmasters can edit site templates (#1224)
e816a043 · IKEDA Soji · GitHub · 8d21112b · c3bcf86f · e816a043
Unverified Commit e816a043 authored Aug 30, 2021 by IKEDA Soji Committed by GitHub Aug 30, 2021
--- a/default/mail_tt2/report.tt2
+++ b/default/mail_tt2/report.tt2
@@ -206,6 +206,9 @@
 [%~ ELSIF report_entry == 'action_privileged_owner' ~%]
 [%|loc%]This action is restricted to privileged list owners.[%END%]

+[%~ ELSIF report_entry == 'action_super_listmaster' ~%]
+[%|loc%]This action is restricted to super-listmasters.[%END%]
+
 [%~ ELSIF report_entry == 'edit_right' ~%]
 [%|loc(role,right)%]Rights to this action are '%2' for a '%1'.[%END%]


--- a/default/web_tt2/copy_template.tt2
+++ b/default/web_tt2/copy_template.tt2
@@ -49,10 +49,21 @@
            <br />
            <label for="scope_out">[%|loc%]Scope: [%END%] </label>
            <select id="scope_out" name="scope_out">
-                <option value="site" [% IF scope == 'site' %]selected[% END %]>[%|loc%]site[%END%]</option>
-                [% UNLESS default_robot %]
-                    <option value="robot" [% IF scope == 'robot' %]selected[% END %]>[%|loc%]robot[%END%]</option>
-                [%END%]
+                [% IF is_super_listmaster ~%]
+                    <option value="site"
+                     [%~ IF scope == 'site' %] selected[% END %]>
+                        [%|loc%]site[%END%]
+                    </option>
+                    <option value="robot"
+                     [%~ IF scope == 'robot' %] selected[% END %]>
+                        [%|loc%]robot[%END%]
+                    </option>
+                [%~ ELSE ~%]
+                    <option value="robot"
+                     [%~ IF scope == 'robot' || scope == 'site' %] selected[% END %]>
+                        [%|loc%]robot[%END%]
+                    </option>
+                [%~ END %]
                <option value="list" [% IF scope == 'list' %]selected[% END %]>[%|loc%]list[%END%]</option>
            </select>
            <br />

--- a/default/web_tt2/ls_templates.tt2
+++ b/default/web_tt2/ls_templates.tt2
@@ -133,9 +133,19 @@
                                            <input type="hidden" name="scope"         value="site" />
                                            <input type="hidden" name="tpl_lang"      value="[% lang.key %]" />
                                            <input type="hidden" name="webormail"     value="[% webormail %]" />
-                                            <input class="MainMenuLinks" type="submit" name="action_edit_template"   value="[%|loc%]edit[% END %]" />
-                                            <input class="MainMenuLinks" type="submit" name="action_copy_template"   value="[%|loc%]cp[% END %]" />
-                                            <input class="MainMenuLinks" type="submit" name="action_remove_template" value="[%|loc%]rm[% END %]" />
+                                            [% IF is_super_listmaster ~%]
+                                              <input class="MainMenuLinks" type="submit" name="action_edit_template"
+                                                value="[%|loc%]edit[% END %]" />
+                                              <input class="MainMenuLinks" type="submit" name="action_copy_template"
+                                                value="[%|loc%]cp[% END %]" />
+                                              <input class="MainMenuLinks" type="submit" name="action_remove_template"
+                                                value="[%|loc%]rm[% END %]" />
+                                            [%~ ELSE ~%]
+                                              <input class="MainMenuLinks" type="submit" name="action_view_template"
+                                                value="[%|loc%]view[% END %]" />
+                                              <input class="MainMenuLinks" type="submit" name="action_copy_template"
+                                                value="[%|loc%]cp[% END %]" />
+                                            [%~ END %]
                                        </fieldset>
                                    </form>
                                [% END %]

--- a/src/cgi/wwsympa.fcgi.in
+++ b/src/cgi/wwsympa.fcgi.in
@@ -2510,9 +2510,10 @@ sub check_param_in {
    $param->{'last_login_host'}  = delete $session->{'last_login_host'};
  
    # listmaster has owner and editor privileges for the list.
-    if (Sympa::is_listmaster($robot, $param->{'user'}{'email'})) {
-        $param->{'is_listmaster'} = 1;
-    }
+    $param->{'is_listmaster'} =
+        Sympa::is_listmaster($robot, $param->{'user'}{'email'}) ? 1 : undef;
+    $param->{'is_super_listmaster'} =
+        Sympa::is_listmaster('*', $param->{'user'}{'email'}) ? 1 : undef;
  
    unless (ref $list eq 'Sympa::List') {
        $param->{'domain'} = $robot;
@@ -2754,12 +2755,11 @@ sub check_param_out {
        localtime $start_time);
    $param->{'process_id'} = $PID;
  
-    ## listmaster has owner and editor privileges for the list
-    if (Sympa::is_listmaster($robot, $param->{'user'}{'email'})) {
-        $param->{'is_listmaster'} = 1;
-    } else {
-        undef $param->{'is_listmaster'};
-    }
+    # listmaster has owner and editor privileges for the list.
+    $param->{'is_listmaster'} =
+        Sympa::is_listmaster($robot, $param->{'user'}{'email'}) ? 1 : undef;
+    $param->{'is_super_listmaster'} =
+        Sympa::is_listmaster('*', $param->{'user'}{'email'}) ? 1 : undef;
  
    ## Reset $list variable if it is not expected for the current action
    ## To prevent the list panel from being printed in a non list context
@@ -6302,6 +6302,15 @@ sub do_ls_templates {
 sub do_remove_template {
    wwslog('info', '');
  
+    # Only super-listmasters can remove the templates on site level.
+    if ($in{'scope'} eq 'site'
+        and not Sympa::is_listmaster('*', $param->{'user'}{'email'})) {
+        Sympa::WWW::Report::reject_report_web('auth',
+            'action_super_listmaster', {}, $param->{'action'});
+        wwslog('info', 'Authorization failed, insufficient privileges');
+        web_db_log({status => 'error', error_type => 'authorization'});
+        return 1;
+    }
    if ($in{'scope'} eq 'list' and ref $list ne 'Sympa::List') {
        Sympa::WWW::Report::reject_report_web('user', 'missing_arg',
            {'argument' => 'list'},
@@ -6433,6 +6442,16 @@ sub do_copy_template {
        return 1;
    }
  
+    # Only super-listmasters can create the templates on site level.
+    if ($in{'scope_out'} eq 'site'
+        and not Sympa::is_listmaster('*', $param->{'user'}{'email'})) {
+        Sympa::WWW::Report::reject_report_web('auth',
+            'action_super_listmaster', {}, $param->{'action'});
+        wwslog('info', 'Authorization failed, insufficient privileges');
+        web_db_log({status => 'error', error_type => 'authorization'});
+        return 1;
+    }
+
    # one of these parameters is commit from the form submission
    if ($in{'scope_out'} eq 'list') {
        if ($in{'list_out'}) {
@@ -6883,6 +6902,17 @@ sub do_edit_template {
    unless ($in{'content'}) {
        return 1;
    }
+
+    # Only super-listmasters can edit the templates on site level.
+    if ($in{'scope'} eq 'site'
+        and not Sympa::is_listmaster('*', $param->{'user'}{'email'})) {
+        Sympa::WWW::Report::reject_report_web('auth',
+            'action_super_listmaster', {}, $param->{'action'});
+        wwslog('info', 'Authorization failed, insufficient privileges');
+        web_db_log({status => 'error', error_type => 'authorization'});
+        return 1;
+    }
+
    if ($in{'scope'} eq 'list' and ref $list ne 'Sympa::List') {
        Sympa::WWW::Report::reject_report_web('user', 'listname_needed', {},
            $param->{'action'});