changeset 448:45924beef130

user.isSuperUser() check, require cfg.superuser being a list or tuple imported from: moin--main--1.5--patch-452
author Thomas Waldmann <tw@waldmann-edv.de>
date Sat, 18 Feb 2006 15:31:50 +0000
parents e0e016a553bd
children 8ec16f62e989
files ChangeLog MoinMoin/action/AttachFile.py MoinMoin/action/Despam.py MoinMoin/macro/SystemAdmin.py MoinMoin/user.py MoinMoin/userform.py docs/CHANGES
diffstat 7 files changed, 34 insertions(+), 7 deletions(-) [+]
--- a/ChangeLog	Sat Feb 18 14:21:40 2006 +0000
+++ b/ChangeLog	Sat Feb 18 15:31:50 2006 +0000
@@ -2,6 +2,22 @@
 # arch-tag: automatic-ChangeLog--arch@arch.thinkmo.de--2003-archives/moin--main--1.5
 #
 
+2006-02-18 16:31:50 GMT	Thomas Waldmann <tw@waldmann-edv.de>	patch-452
+
+    Summary:
+      user.isSuperUser() check, require cfg.superuser being a list or tuple
+    Revision:
+      moin--main--1.5--patch-452
+
+    user.isSuperUser() check, require cfg.superuser being a list or tuple
+    
+
+    modified files:
+     ChangeLog MoinMoin/action/AttachFile.py
+     MoinMoin/action/Despam.py MoinMoin/macro/SystemAdmin.py
+     MoinMoin/user.py MoinMoin/userform.py docs/CHANGES
+
+
 2006-02-18 15:21:40 GMT	Thomas Waldmann <tw@waldmann-edv.de>	patch-451
 
     Summary:
--- a/MoinMoin/action/AttachFile.py	Sat Feb 18 14:21:40 2006 +0000
+++ b/MoinMoin/action/AttachFile.py	Sat Feb 18 15:31:50 2006 +0000
@@ -259,7 +259,7 @@
                 viewlink = '<a href="%(baseurl)s/%(urlpagename)s?action=%(action)s&amp;do=view&amp;target=%(urlfile)s">%(label_view)s</a>' % parmdict
 
             if (packages.ZipPackage(request, os.path.join(attach_dir, file).encode(config.charset)).isPackage() and
-                request.user.name in request.cfg.superuser):
+                request.user.isSuperUser()):
                 viewlink += ' | <a href="%(baseurl)s/%(urlpagename)s?action=%(action)s&amp;do=install&amp;target=%(urlfile)s">%(label_install)s</a>' % parmdict
             elif (zipfile.is_zipfile(os.path.join(attach_dir,file).encode(config.charset)) and
                 request.user.may.read(pagename) and request.user.may.delete(pagename)
@@ -480,7 +480,7 @@
          else:
             msg = _('You are not allowed to unzip attachments of this page.')
     elif request.form['do'][0] == 'install':
-         if request.user.name in request.cfg.superuser:
+         if request.user.isSuperUser():
             install_package(pagename, request)
          else:
             msg = _('You are not allowed to install files.')
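Review bot: The `install` branch at the changed line is gated only by `request.user.isSuperUser()`, while the link that reaches it (first hunk, `do=install&target=`) is a plain GET anchor with no ticket; the `select_user` path in userform.py in this same commit additionally requires `request_method == 'POST'` and `wikiutil.checkTicket(...)`. If `install_package` (its body is outside the hunk) changes wiki state, the same two checks belong here, e.g. `if request.user.isSuperUser() and request.request_method == 'POST' and wikiutil.checkTicket(request.form.get('ticket', [''])[0]):`, with the install link emitted as a ticket-carrying form instead of an anchor. Both enclosing functions start and end outside their hunks, and `wikiutil` is assumed to already be imported in this module.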
--- a/MoinMoin/action/Despam.py	Sat Feb 18 14:21:40 2006 +0000
+++ b/MoinMoin/action/Despam.py	Sat Feb 18 15:31:50 2006 +0000
@@ -161,7 +161,7 @@
     # be extra paranoid in dangerous actions
     actname = __name__.split('.')[-1]
     if actname in request.cfg.actions_excluded or \
-       request.user.name not in request.cfg.superuser:
+       not request.user.isSuperUser():
         return Page.Page(request, pagename).send_page(request,
             msg = _('You are not allowed to use this action.'))
 
--- a/MoinMoin/macro/SystemAdmin.py	Sat Feb 18 14:21:40 2006 +0000
+++ b/MoinMoin/macro/SystemAdmin.py	Sat Feb 18 15:31:50 2006 +0000
@@ -20,7 +20,7 @@
     request = macro.request
     
     # do not show system admin to users not in superuser list
-    if not request.user.name in request.cfg.superuser:
+    if not request.user.isSuperUser():
         return ''
 
     result = []
--- a/MoinMoin/user.py	Sat Feb 18 14:21:40 2006 +0000
+++ b/MoinMoin/user.py	Sat Feb 18 15:31:50 2006 +0000
@@ -900,6 +900,14 @@
     def isCurrentUser(self):
         return self._request.user.name == self.name
 
+    def isSuperUser(self):
+        superusers = self._request.cfg.superuser
+        # some people managed to WRONGLY assign a string instead of a list and
+        # then dumb things may happen when username is a substring of cfg.superuser
+        islisttype = isinstance(superusers, (list, tuple))
+        return self.valid and self.name and \
+                islisttype and self.name in superusers
+
     def host(self):
         """ Return user host """
         _ = self._request.getText
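Review bot: `isSuperUser` returns whichever operand short-circuits the `and` chain rather than a boolean, so a caller can receive `0`, `''`, `None` or `False` depending on which of `self.valid`, `self.name` or `islisttype` fails; wrap the result as `return bool(self.valid and self.name and islisttype and self.name in superusers)` so every call site sees a consistent type. The method also lacks a docstring; a one-liner such as `""" Return True if this user is valid, named, and listed in cfg.superuser (which must be a list or tuple, never a plain string). """` would record the reason for the type check that the inline comment only hints at. What `self.valid` means is not visible in this hunk, so the docstring should describe it no further than the code does.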
--- a/MoinMoin/userform.py	Sat Feb 18 14:21:40 2006 +0000
+++ b/MoinMoin/userform.py	Sat Feb 18 15:31:50 2006 +0000
@@ -160,8 +160,8 @@
             
         if form.has_key('select_user'): # Select user profile (su user)
             if (wikiutil.checkTicket(self.request.form['ticket'][0]) and
-                self.request.user.name in self.request.cfg.superuser and
-                self.request.request_method == 'POST'):
+                self.request.request_method == 'POST' and
+                self.request.user.isSuperUser()):
                 su_user = form.get('selected_user', [''])[0]
                 uid = user.getUserId(self.request, su_user)
                 theuser = user.User(self.request, uid)
@@ -471,7 +471,7 @@
         _ = self._
         self.make_form()
 
-        if self.request.user.name in self.request.cfg.superuser:
+        if self.request.user.isSuperUser():
             ticket = wikiutil.createTicket()
             self.make_row(_('Select User'), [self._user_select()])
             self._form.append(html.INPUT(type="hidden", name="ticket", value="%s" % ticket))
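Review bot: In the first hunk the condition still indexes `self.request.form['ticket'][0]` before the POST and superuser checks, so a request that omits the `ticket` field raises `KeyError` and produces a traceback instead of a quiet denial; reading it as `wikiutil.checkTicket(self.request.form.get('ticket', [''])[0])` keeps the branch a plain False, assuming `checkTicket` rejects an empty string (its body is not in this diff). Putting the cheap `request_method == 'POST'` test first, as the commit already does for `isSuperUser()`, would also avoid the ticket lookup on GET. The enclosing methods of both hunks start and end outside the hunks.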
--- a/docs/CHANGES	Sat Feb 18 14:21:40 2006 +0000
+++ b/docs/CHANGES	Sat Feb 18 15:31:50 2006 +0000
@@ -41,6 +41,9 @@
       There are not many filters yet, so most is handled by the "binary"
       filter, a very simple ASCII-only filter.
       Feel free to contribute more filter plugins!
+    * We check cfg.superuser to be a list of user names (as documented) and
+      deny superuser access if it is not. This avoids security issues by
+      wrong configuration.
 
   Bugfixes:
     * cookie_lifetime didn't work comfortable for low values. The cookie was