Many hyperlinks are disabled.
Use anonymous login
to enable hyperlinks.
Overview
| Comment: | Add the cgi_referer() utility function. Use it to cause the setup_uedit page to always go back to the page it came from. |
|---|---|
| Downloads: | Tarball | ZIP archive | SQL archive |
| Timelines: | family | ancestors | descendants | both | trunk |
| Files: | files | file ages | folders |
| SHA3-256: |
59a51b8267da45846820295f3148b6fa |
| User & Date: | drh 2017-07-01 22:38:10 |
Context
|
2017-07-01
| ||
| 22:43 | Fix a minor problem with Write-Unver reporting on the security audit report. (check-in: 5c999558 user: drh tags: trunk) | |
| 22:38 | Add the cgi_referer() utility function. Use it to cause the setup_uedit page to always go back to the page it came from. (check-in: 59a51b82 user: drh tags: trunk) | |
| 22:17 | More checking of user permissions on the Security Audit page. (check-in: 564e42df user: drh tags: trunk) | |
Changes
Changes to src/cgi.c.
435 436 437 438 439 440 441 442 443 444 445 446 447 448 |
}
NORETURN void cgi_redirectf(const char *zFormat, ...){
va_list ap;
va_start(ap, zFormat);
cgi_redirect(vmprintf(zFormat, ap));
va_end(ap);
}
/*
** Information about all query parameters and cookies are stored
** in these variables.
*/
static int nAllocQP = 0; /* Space allocated for aParamQP[] */
static int nUsedQP = 0; /* Space actually used in aParamQP[] */
|
> > > > > > > > > > > > > > |
435 436 437 438 439 440 441 442 443 444 445 446 447 448 449 450 451 452 453 454 455 456 457 458 459 460 461 462 |
}
NORETURN void cgi_redirectf(const char *zFormat, ...){
va_list ap;
va_start(ap, zFormat);
cgi_redirect(vmprintf(zFormat, ap));
va_end(ap);
}
/*
** Return the URL for the caller. This is obtained from either the
** referer CGI parameter, if it exists, or the HTTP_REFERER HTTP parameter.
** If neither exist, return zDefault.
*/
const char *cgi_referer(const char *zDefault){
const char *zRef = P("referer");
if( zRef==0 ){
zRef = P("HTTP_REFERER");
if( zRef==0 ) zRef = zDefault;
}
return zRef;
}
/*
** Information about all query parameters and cookies are stored
** in these variables.
*/
static int nAllocQP = 0; /* Space allocated for aParamQP[] */
static int nUsedQP = 0; /* Space actually used in aParamQP[] */
|
Changes to src/setup.c.
438 439 440 441 442 443 444 445 446 447 448 449 450 451 452 ... 465 466 467 468 469 470 471 472 473 474 475 476 477 478 479 ... 480 481 482 483 484 485 486 487 488 489 490 491 492 493 494 ... 525 526 527 528 529 530 531 532 533 534 535 536 537 538 539 540 541 542 543 544 ... 593 594 595 596 597 598 599 600 601 602 603 604 605 606 607 608 609 610 611 612 613 614 615 616 617 618 619 620 |
char *zOldCaps;
zOldCaps = db_text(0, "SELECT cap FROM user WHERE uid=%d",uid);
higherUser = zOldCaps && strchr(zOldCaps,'s');
}
if( P("can") ){
/* User pressed the cancel button */
cgi_redirect("setup_ulist");
return;
}
/* If we have all the necessary information, write the new or
** modified user record. After writing the user record, redirect
** to the page that displays a list of users.
*/
................................................................................
zCap[i] = 0;
zPw = P("pw");
zLogin = P("login");
if( strlen(zLogin)==0 ){
style_header("User Creation Error");
@ <span class="loginError">Empty login not allowed.</span>
@
@ <p><a href="setup_uedit?id=%d(uid)">[Bummer]</a></p>
style_footer();
return;
}
if( isValidPwString(zPw) ){
zPw = sha1_shared_secret(zPw, zLogin, 0);
}else{
zPw = db_text(0, "SELECT pw FROM user WHERE uid=%d", uid);
................................................................................
}
zOldLogin = db_text(0, "SELECT login FROM user WHERE uid=%d", uid);
if( db_exists("SELECT 1 FROM user WHERE login=%Q AND uid!=%d", zLogin, uid) ){
style_header("User Creation Error");
@ <span class="loginError">Login "%h(zLogin)" is already used by
@ a different user.</span>
@
@ <p><a href="setup_uedit?id=%d(uid)">[Bummer]</a></p>
style_footer();
return;
}
login_verify_csrf_secret();
db_multi_exec(
"REPLACE INTO user(uid,login,info,pw,cap,mtime) "
"VALUES(nullif(%d,0),%Q,%Q,%Q,%Q,now())",
................................................................................
"with capabilities [%q].",
zLogin, zCap );
if( zErr ){
style_header("User Change Error");
admin_log( "Error updating user '%q': %s'.", zLogin, zErr );
@ <span class="loginError">%h(zErr)</span>
@
@ <p><a href="setup_uedit?id=%d(uid)">[Bummer]</a></p>
style_footer();
return;
}
}
cgi_redirect("setup_ulist");
return;
}
/* Load the existing information about the user, if any
*/
zLogin = "";
zInfo = "";
................................................................................
"<span class=\"ueditInheritNobody\"><sub>[N]</sub></span>";
}
free(z2);
}
/* Begin generating the page
*/
style_submenu_element("Cancel", "setup_ulist");
if( uid ){
style_header("Edit User %h", zLogin);
}else{
style_header("Add A New User");
}
@ <div class="ueditCapBox">
@ <form action="%s(g.zPath)" method="post"><div>
login_insert_csrf_secret();
if( login_is_special(zLogin) ){
@ <input type="hidden" name="login" value="%s(zLogin)">
@ <input type="hidden" name="info" value="">
@ <input type="hidden" name="pw" value="*">
}
@ <script>
@ function updateCapabilityString(){
@ /*
@ ** This function updates the "#usetupEditCapability" span content
@ ** with the capabilities selected by the interactive user, based
@ ** upon the state of the capability checkboxes.
@ */
|
| | > | > | > | | > |
438 439 440 441 442 443 444 445 446 447 448 449 450 451 452 ... 465 466 467 468 469 470 471 472 473 474 475 476 477 478 479 480 ... 481 482 483 484 485 486 487 488 489 490 491 492 493 494 495 496 ... 527 528 529 530 531 532 533 534 535 536 537 538 539 540 541 542 543 544 545 546 547 ... 596 597 598 599 600 601 602 603 604 605 606 607 608 609 610 611 612 613 614 615 616 617 618 619 620 621 622 623 624 |
char *zOldCaps;
zOldCaps = db_text(0, "SELECT cap FROM user WHERE uid=%d",uid);
higherUser = zOldCaps && strchr(zOldCaps,'s');
}
if( P("can") ){
/* User pressed the cancel button */
cgi_redirect(cgi_referer("setup_ulist"));
return;
}
/* If we have all the necessary information, write the new or
** modified user record. After writing the user record, redirect
** to the page that displays a list of users.
*/
................................................................................
zCap[i] = 0;
zPw = P("pw");
zLogin = P("login");
if( strlen(zLogin)==0 ){
style_header("User Creation Error");
@ <span class="loginError">Empty login not allowed.</span>
@
@ <p><a href="setup_uedit?id=%d(uid)&referer=%T(cgi_referer("setup_ulist"))">
@ [Bummer]</a></p>
style_footer();
return;
}
if( isValidPwString(zPw) ){
zPw = sha1_shared_secret(zPw, zLogin, 0);
}else{
zPw = db_text(0, "SELECT pw FROM user WHERE uid=%d", uid);
................................................................................
}
zOldLogin = db_text(0, "SELECT login FROM user WHERE uid=%d", uid);
if( db_exists("SELECT 1 FROM user WHERE login=%Q AND uid!=%d", zLogin, uid) ){
style_header("User Creation Error");
@ <span class="loginError">Login "%h(zLogin)" is already used by
@ a different user.</span>
@
@ <p><a href="setup_uedit?id=%d(uid)&referer=%T(cgi_referer("setup_ulist"))">
@ [Bummer]</a></p>
style_footer();
return;
}
login_verify_csrf_secret();
db_multi_exec(
"REPLACE INTO user(uid,login,info,pw,cap,mtime) "
"VALUES(nullif(%d,0),%Q,%Q,%Q,%Q,now())",
................................................................................
"with capabilities [%q].",
zLogin, zCap );
if( zErr ){
style_header("User Change Error");
admin_log( "Error updating user '%q': %s'.", zLogin, zErr );
@ <span class="loginError">%h(zErr)</span>
@
@ <p><a href="setup_uedit?id=%d(uid)&referer=%T(cgi_referer("setup_ulist"))">
@ [Bummer]</a></p>
style_footer();
return;
}
}
cgi_redirect(cgi_referer("setup_ulist"));
return;
}
/* Load the existing information about the user, if any
*/
zLogin = "";
zInfo = "";
................................................................................
"<span class=\"ueditInheritNobody\"><sub>[N]</sub></span>";
}
free(z2);
}
/* Begin generating the page
*/
style_submenu_element("Cancel", cgi_referer("setup_ulist"));
if( uid ){
style_header("Edit User %h", zLogin);
}else{
style_header("Add A New User");
}
@ <div class="ueditCapBox">
@ <form action="%s(g.zPath)" method="post"><div>
login_insert_csrf_secret();
if( login_is_special(zLogin) ){
@ <input type="hidden" name="login" value="%s(zLogin)">
@ <input type="hidden" name="info" value="">
@ <input type="hidden" name="pw" value="*">
}
@ <input type="hidden" name="referer" value="%h(cgi_referer("setup_ulist"))">
@ <script>
@ function updateCapabilityString(){
@ /*
@ ** This function updates the "#usetupEditCapability" span content
@ ** with the capabilities selected by the interactive user, based
@ ** upon the state of the capability checkboxes.
@ */
|