authorMatthew Grooms <mgrooms@pfsense.org>2008-09-03 17:52:15 +0000
committerMatthew Grooms <mgrooms@pfsense.org>2008-09-03 17:52:15 +0000
commitbfea87fff2d41c97720970ac8ad4861cd743bf57 (patch)
treeea38abf4173ca09cc1e148901ccc79ce1254b44d
parent89c1777a0b5840c64af7a4105c520656c0bed077 (diff)
Remove the page locking privileges after discussion with Scott on IRC. The
feature was confusing and offered little utility that I could see. If we really need to provide serialized access to sections of the webui, IMO it should be a global lock option and enabled or disabled manually and not a privilege that is on all the time.
-rw-r--r--cf/conf/config.xml2
-rw-r--r--conf.default/config.xml2
-rw-r--r--etc/inc/auth.inc80
-rw-r--r--etc/inc/config.inc6
-rw-r--r--etc/inc/priv.inc12
-rwxr-xr-xetc/rc.initial.password6
6 files changed, 2 insertions, 106 deletions
diff --git a/cf/conf/config.xml b/cf/conf/config.xml
index 719f16f..21c53c0 100644
--- a/cf/conf/config.xml
+++ b/cf/conf/config.xml
@@ -154,8 +154,6 @@
<groupname>admins</groupname>
<password>$1$dSJImFph$GvZ7.1UbuWu.Yb8etC0re.</password>
<uid>0</uid>
- <priv>user-lock-webcfg</priv>
- <priv>user-lock-ipages</priv>
<priv>user-shell-access</priv>
</user>
<nextuid>2000</nextuid>
diff --git a/conf.default/config.xml b/conf.default/config.xml
index f4e372b..7f3e867 100644
--- a/conf.default/config.xml
+++ b/conf.default/config.xml
@@ -154,8 +154,6 @@
<groupname>admins</groupname>
<password>$1$dSJImFph$GvZ7.1UbuWu.Yb8etC0re.</password>
<uid>0</uid>
- <priv>user-lock-webcfg</priv>
- <priv>user-lock-ipages</priv>
<priv>user-shell-access</priv>
</user>
<nextuid>2000</nextuid>
diff --git a/etc/inc/auth.inc b/etc/inc/auth.inc
index e9129cf..0d69505 100644
--- a/etc/inc/auth.inc
+++ b/etc/inc/auth.inc
@@ -814,9 +814,6 @@ function session_auth($backing) {
else
log_error("User logged out for user '{$_SESSION['Username']}' from: {$_SERVER['REMOTE_ADDR']}");
- if (hasPrivilegeLock($user))
- unlink_if_exists("{$g['tmp_path']}/webconfigurator.lock");
-
/* wipe out $_SESSION */
$_SESSION = array();
@@ -840,34 +837,6 @@ function session_auth($backing) {
}
/*
- * user wants to explicitely delete the lock file.
- * Requires a particular privilege.
- */
- if ($_GET['deletelock'] && hasPrivilegeLock($user)) {
- unlink_if_exists("{$g['tmp_path']}/webconfigurator.lock");
- $HTTP_SERVER_VARS['AUTH_USER'] = $_SESSION['Username'];
- return true;
- }
-
- /*
- * user wants to explicitely create a lock.
- * Requires a particular privilege.
- */
- if ($_GET['createlock'] && hasPrivilegeLock($user)) {
- $fd = fopen("{$g['tmp_path']}/webconfigurator.lock", "w");
- fputs($fd, "{$_SERVER['REMOTE_ADDR']}.{$_SESSION['Username']}");
- fclose($fd);
-
- /*
- * if the user did delete the lock manually, do not
- * re-create it while the session is valide.
- */
- $_SESSION['Lock_Created'] = "True";
- $HTTP_SERVER_VARS['AUTH_USER'] = $_SESSION['Username'];
- return true;
- }
-
- /*
* this is for debugging purpose if you do not want to use Ajax
* to submit a HTML form. It basically diables the observation
* of the submit event and hence does not trigger Ajax.
@@ -887,55 +856,6 @@ function session_auth($backing) {
return true;
}
- /*
- * is the user is allowed to create a lock
- */
- if (hasPrivilegeLock($user)) {
-
- /*
- * create a lock once per session
- */
- if (!isset($_SESSION['Lock_Created'])) {
-
- $fd = fopen("{$g['tmp_path']}/webconfigurator.lock", "w");
- fputs($fd, "{$_SERVER['REMOTE_ADDR']}.{$_SESSION['Username']}");
- fclose($fd);
-
- /*
- * if the user did delete the lock manually, do not
- * re-create it while the session is valide.
- */
- $_SESSION['Lock_Created'] = "True";
- }
-
- } else {
-
- /*
- * give regular users a chance to automatically invalidate
- * a lock if its older than a particular time.
- */
- if (file_exists("{$g['tmp_path']}/webconfigurator.lock")) {
-
- $offset = 12; //hours
- $mtime = filemtime("{$g['tmp_path']}/webconfigurator.lock");
- $now_minus_offset = mktime(date("H") - $offset, 0, 0,
- date("m"), date("d"), date("Y"));
-
- if (($mtime - $now_minus_offset) < $mtime) {
- require_once("authgui.inc");
- display_login_form();
- return false;
- }
-
- /*
- * file is older than mtime + offset which may
- * indicate a stale lockfile, hence we are going
- * to remove it.
- */
- unlink_if_exists("{$g['tmp_path']}/webconfigurator.lock");
- }
- }
-
$HTTP_SERVER_VARS['AUTH_USER'] = $_SESSION['Username'];
return true;
}
diff --git a/etc/inc/config.inc b/etc/inc/config.inc
index 56cea76..5a52611 100644
--- a/etc/inc/config.inc
+++ b/etc/inc/config.inc
@@ -1621,12 +1621,6 @@ endif;
}
foreach ($user['priv'] as $priv) {
switch($priv['id']) {
- case "lockwc":
- $privs[] = "user-lock-webcfg";
- break;
- case "lock-ipages":
- $privs[] = "user-lock-ipages";
- break;
case "hasshell":
$privs[] = "user-shell-access";
break;
diff --git a/etc/inc/priv.inc b/etc/inc/priv.inc
index e03e160..89701aa 100644
--- a/etc/inc/priv.inc
+++ b/etc/inc/priv.inc
@@ -47,18 +47,6 @@ require_once("priv.defs.inc");
* USER PRIVILEGE DEFINITIONS
*/
-$priv_list['user-lock-webcfg'] = array();
-$priv_list['user-lock-webcfg']['name'] = "User - Locks webConfigurator";
-$priv_list['user-lock-webcfg']['descr'] = "Indicates whether the user will lock access to ".
- "the webConfigurator for other users";
-
-$priv_list['user-lock-ipages'] = array();
-$priv_list['user-lock-ipages']['name'] = "User - Locks individual pages";
-$priv_list['user-lock-ipages']['descr'] = "Indicates whether the user will lock individual ".
- "HTML pages after having accessed a particular page".
- "(the lock will be freed if the user leaves or ".
- "saves the page form).";
-
$priv_list['user-shell-access'] = array();
$priv_list['user-shell-access']['name'] = "User - Shell account access";
$priv_list['user-shell-access']['descr'] = "Indicates whether the user is able to login for ".
diff --git a/etc/rc.initial.password b/etc/rc.initial.password
index fd27b77..1c865d8 100755
--- a/etc/rc.initial.password
+++ b/etc/rc.initial.password
@@ -37,7 +37,7 @@
$fp = fopen('php://stdin', 'r');
echo "\n" . gettext('
-The webConfigurator password will be reset to the default (which is "' . strtolower($g['product_name']) . '").') . "\n" .
+The webConfigurator admin password and privileges will be reset to the default (which is "' . strtolower($g['product_name']) . '").') . "\n" .
gettext('Do you want to proceed [y|n]?');
if (strcasecmp(chop(fgets($fp)), "y") == 0) {
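Review bot: The rewritten prompt still concatenates `strtolower($g['product_name'])` into the string before `gettext()` sees it, so the message id changes with the product name and a translation catalog cannot match it. Passing a fixed template and substituting afterwards keeps the text translatable: `sprintf(gettext('The webConfigurator admin password and privileges will be reset to the default (which is "%s").'), strtolower($g['product_name']))`. The leading newline that currently sits inside the literal would move outside the `gettext()` call alongside the existing `"\n"`.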
@@ -53,9 +53,7 @@ The webConfigurator password will be reset to the default (which is "' . strtolo
$admin_user['name'] = "admin";
$admin_user['scope'] = "system";
-
- if (!is_array($admin_user['priv']))
- $admin_user['priv'] = explode(",", "user-lock-webcfg,user-lock-ipages,user-shell-access");
+ $admin_user['priv'] = array("user-shell-access");
local_user_set_password($admin_user, strtolower($g['product_name']));
local_user_set($admin_user);
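Review bot: The new assignment `$admin_user['priv'] = array("user-shell-access");` now discards whatever privilege list the admin entry previously held, and nothing in the code says this is deliberate. Because the next line also sets the account to the publicly known default password (the lowercased product name) while it keeps shell access, a short comment would help the next maintainer, for example `/* always reset privileges: a console reset must not preserve a stale or modified priv list */`. It may also be worth recording the reset in the system log so the event shows up in later review, if a logging helper is available in this script (not visible here). The enclosing `if` block starts and ends outside this hunk.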