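#!/usr/local/bin/perl
# rbac/save_user.cgi
# Create, update or delete one RBAC user

require './rbac-lib.pl';
&ReadParse();
&error_setup($text{'user_err'});

# The locks are taken before the list is read, so the checks below and the
# later write operate on the same view of the RBAC files
&lock_rbac_files();
$users = &list_user_attrs();
if (!$in{'new'}) {
	# Existing entry, selected by its position in the list. The index
	# comes from the request, so accept only a plain non-negative number
	# that refers to a real entry. Without this, a missing or non-numeric
	# value selects entry 0, a negative one counts back from the end of
	# the list, and an out-of-range one yields an undefined record.
	$in{'idx'} =~ /\A[0-9]+\z/ || &error($text{'user_ecannot'});
	$user = $users->[$in{'idx'}];
	$user || &error($text{'user_ecannot'});
	&can_edit_user($user) || &error($text{'user_ecannot'});
	$loguser = $user->{'user'};

	# Remember what the entry already holds; the save step lets the
	# caller keep these even when they could not be newly assigned
	@oldroles = split(/,/, $user->{'attr'}->{'roles'});
	@oldprofs = split(/,/, $user->{'attr'}->{'profiles'});
	}
else {
	# Creating an entry needs the right to manage users or roles
	$access{'users'} || $access{'roles'} || &error($text{'user_ecannot'});
	$user = { 'attr' => { } };
	$loguser = $in{'user'};
	}
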
# For an existing entry, collect every entry that lists it among its roles.
# Each result holds the referring entry, the position of this name in its
# role list, and that role list itself.
unless ($in{'new'}) {
	foreach $u (@$users) {
		local @roles = split(/,/, $u->{'attr'}->{'roles'});
		$idx = &indexof($loguser, @roles);
		next if ($idx < 0);
		push(@roleusers, [ $u, $idx, \@roles ]);
		}
	}

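if ($in{'delete'}) {
	# Just delete this user, refusing while another entry still lists it
	# as one of its roles
	# NOTE(review): a request with both 'new' and 'delete' set reaches
	# delete_user_attr with the empty placeholder record - confirm that
	# rbac-lib.pl handles that safely.
	@roleusers && &error(&text('user_einuse',
				   $roleusers[0]->[0]->{'user'}));
	&delete_user_attr($user);
	}
else {
	# Validate the name before it is compared or stored. Besides space
	# and colon, line breaks and NUL are refused and the match is anchored
	# with \A and \z, so the name can never span more than one line of
	# the file it is written to.
	$in{'user'} =~ /\A[^ :\r\n\0]+\z/ || &error($text{'user_euser'});

	# The free-form fields below are stored as attribute values next to
	# roles, profiles and auths. Refuse the characters that could act as
	# record, field or attribute separators, so that none of these values
	# can introduce an attribute that skipped the assignment checks.
	# rbac-lib.pl is not visible here; this is needed unless its writer
	# already escapes them.
	# NOTE(review): 'type' could be tightened further to the two values
	# this script assigns itself ('normal' and 'role') - confirm against
	# the edit form.
	# TODO: move this message into the module's language file.
	foreach $f ('type', 'project', 'lock') {
		$in{$f} =~ /[:;=\r\n\0]/ &&
			&error("Invalid characters in field $f");
		}

	# Check for clash
	if ($in{'new'} || $loguser ne $in{'user'}) {
		($clash) = grep { $_->{'user'} eq $in{'user'} } @$users;
		$clash && &error($text{'user_eclash'});
		}

	# Store inputs
	$user->{'user'} = $in{'user'};
	if (!$access{'users'}) {
		# Type must be role
		$user->{'attr'}->{'type'} = 'role';
		}
	elsif (!$access{'roles'}) {
		# Type must be user
		$user->{'attr'}->{'type'} = 'normal';
		}
	elsif ($in{'type'}) {
		# A type was selected
		$user->{'attr'}->{'type'} = $in{'type'};
		}
	else {
		# Default type chosen
		delete($user->{'attr'}->{'type'});
		}

	# Profiles: each one must be assignable by the caller, unless the
	# entry already had it before this request
	$profiles = &profiles_parse("profiles");
	if ($profiles) {
		@profiles = split(/,/, $profiles);
		foreach $p (@profiles) {
			if (!&can_assign_profile($p) &&
			    &indexof($p, @oldprofs) == -1) {
				&error(&text('user_eprof', $p));
				}
			}
		$user->{'attr'}->{'profiles'} = $profiles;
		}
	else {
		delete($user->{'attr'}->{'profiles'});
		}

	# Authorizations are only changed when the caller has 'authassign';
	# otherwise whatever the entry already holds is left as loaded
	if ($access{'authassign'}) {
		$auths = &auths_parse("auths");
		if ($auths) {
			$user->{'attr'}->{'auths'} = $auths;
			}
		else {
			delete($user->{'attr'}->{'auths'});
			}
		}

	# Roles: an entry may not list itself, and each role must be
	# assignable by the caller unless the entry already had it
	$roles = &attr_parse("roles");
	if ($roles) {
		@roles = split(/,/, $roles);
		&indexof($in{'user'}, @roles) < 0 ||
			&error($text{'user_esub'});
		foreach $r (@roles) {
			if (!&can_assign_role($r) &&
			    &indexof($r, @oldroles) == -1) {
				&error(&text('user_erole', $r));
				}
			}
		$user->{'attr'}->{'roles'} = $roles;
		}
	else {
		delete($user->{'attr'}->{'roles'});
		}
	if ($in{'project_def'}) {
		delete($user->{'attr'}->{'project'});
		}
	else {
		$user->{'attr'}->{'project'} = $in{'project'};
		}
	if ($in{'lock'}) {
		$user->{'attr'}->{'lock_after_retries'} = $in{'lock'};
		}
	else {
		delete($user->{'attr'}->{'lock_after_retries'});
		}

	# Save or update user
	if ($in{'new'}) {
		&create_user_attr($user);
		}
	else {
		&modify_user_attr($user);

		# Update other users of this role, if renamed: put the new
		# name into the recorded slot of each referring role list
		if ($loguser ne $in{'user'}) {
			foreach $ru (@roleusers) {
				$ru->[2]->[$ru->[1]] = $in{'user'};
				$ru->[0]->{'attr'}->{'roles'} =
					join(",", @{$ru->[2]});
				&modify_user_attr($ru->[0]);
				}
			}
		}
	}
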
&unlock_rbac_files();

# Record the action in the Webmin log. $loguser is the name the entry had
# before any rename, or the submitted name when the entry is new.
my $action = "modify";
if ($in{'delete'}) {
	$action = "delete";
	}
elsif ($in{'new'}) {
	$action = "create";
	}
&webmin_log($action, "user", $loguser, $user);
&redirect("list_users.cgi");