Rooba
/
boinc
mirror of https://github.com/BOINC/boinc.git
1
0
Fork 0
Code Issues 1 Packages Projects Releases Wiki Activity

Merge pull request #4722 from BOINC/dpa_remote_perm 

Remote job submission: clean up permissions checking
This commit is contained in:
Vitalii Koshura 2022-04-22 12:17:31 +02:00 committed by GitHub
parent bcf4961799 accf756b02
commit afd08ef3d8
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 44 additions and 27 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
html/inc/submit_util.inc
View File

@ -54,7 +54,25 @@ function job_file_name($md5) {
return "jf_$md5";
}
function authenticate_user($r, $app) {
// does user have submit permissions?
//
function submit_permissions($user) {
return BoincUserSubmit::lookup_userid($user->id);
}
// does user have submit permissions for given app?
//
function submit_permissions_app($user, $app) {
return BoincUserSubmitApp::lookup("user_id=$user->id and app_id=$app->id");
}
// check whether user has permissions for a remote job submission
// or job file request.
// $r is a request message that includes an 'authenticator' field
// $app is the app being submitted to (or null if file op)
// returns [user, UserSubmit], or give XML error
//
function check_remote_submit_permissions($r, $app) {
$auth = (string)$r->authenticator;
if (!$auth) {
log_write("no authenticator");
@ -66,13 +84,13 @@ function authenticate_user($r, $app) {
log_write("bad authenticator");
xml_error(-1, "bad authenticator");
}
$user_submit = BoincUserSubmit::lookup_userid($user->id);
$user_submit = submit_permissions($user);
if (!$user_submit) {
log_write("no submit access");
xml_error(-1, "no submit access");
}
if ($app && !$user_submit->submit_all) {
$usa = BoincUserSubmitApp::lookup("user_id=$user->id and app_id=$app->id");
$usa = submit_permissions_app($user, $app);
if (!$usa) {
log_write("no app submit access");
xml_error(-1, "no app submit access");

6
html/user/job_file.php
View File

@ -16,7 +16,7 @@
// You should have received a copy of the GNU Lesser General Public License
// along with BOINC. If not, see <http://www.gnu.org/licenses/>.
// Web RPCs for managing job input files on the server.
// Web RPCs for managing input files for remote job submission
//
// Issues:
//
@ -99,7 +99,7 @@ function upload_error_description($errno) {
function query_files($r) {
xml_start_tag("query_files");
list($user, $user_submit) = authenticate_user($r, null);
list($user, $user_submit) = check_remote_submit_permissions($r, null);
$absent_files = array();
$now = time();
$delete_time = (int)$r->delete_time;
@ -175,7 +175,7 @@ function delete_uploaded_files() {
function upload_files($r) {
xml_start_tag("upload_files");
list($user, $user_submit) = authenticate_user($r, null);
list($user, $user_submit) = check_remote_submit_permissions($r, null);
$fanout = parse_config(get_config(), "<uldl_dir_fanout>");
$delete_time = (int)$r->delete_time;
$batch_id = (int)$r->batch_id;

11
html/user/sandbox.php
View File

@ -37,16 +37,17 @@ ini_set('display_startup_errors', true);
require_once("../inc/sandbox.inc");
require_once("../inc/submit_db.inc");
require_once("../inc/submit_util.inc");
function list_files($user, $err_msg) {
$dir = sandbox_dir($user);
$d = opendir($dir);
if (!$d) error_page("Can't open sandbox directory");
page_head("File sandbox for $user->name");
page_head("File sandbox");
echo "
<form action=sandbox.php method=post ENCTYPE=\"multipart/form-data\">
<input type=hidden name=action value=upload_file>
Upload a file to your sandbox:
Upload files to your sandbox:
<p><input size=80 type=file name=\"new_file[]\" multiple=\"multiple\">
<p> <input class=\"btn btn-default\" type=submit value=Upload>
</form>
@ -131,7 +132,7 @@ function upload_file($user) {
$dir = sandbox_dir($user);
$link_path = "$dir/$name";
sandbox_write_link_file($link_path, $size, $md5);
$notice .= "Successfully uploaded file <strong>$name</strong>!<br/>";
$notice .= "Uploaded file <strong>$name</strong><br/>";
}
}
list_files($user, $notice);
@ -186,9 +187,7 @@ function view_file($user) {
}
$user = get_logged_in_user();
//print_r($user);
$user_submit = BoincUserSubmit::lookup_userid($user->id);
if (!$user_submit) error_page("no job submission access");
if (!submit_permissions($user)) error_page("no job submission access");
$action = get_str('action', true);
if (!$action) $action = post_str('action', true);

4
html/user/submit.php
View File

@ -206,7 +206,7 @@ function handle_main($user) {
if (isset($submit_urls)) {
// show links to per-app job submission pages
//
echo "<h2>Submit jobs</h2>
echo "<h3>Submit jobs</h3>
<ul>
";
foreach ($submit_urls as $appname=>$submit_url) {
@ -232,7 +232,7 @@ function handle_main($user) {
}
}
if ($user_submit->manage_all || $app_admin) {
echo "<h2>Administrative functions</h2><ul>\n";
echo "<h3>Administrative functions</h3><ul>\n";
if ($user_submit->manage_all) {
echo "<li>All applications<br>
<a href=submit.php?action=admin&app_id=0>Batches</a>

26
html/user/submit_rpc_handler.php
View File

@ -128,7 +128,7 @@ function check_max_jobs_in_progress($r, $user_submit) {
function estimate_batch($r) {
xml_start_tag("estimate_batch");
$app = get_submit_app((string)($r->batch->app_name));
list($user, $user_submit) = authenticate_user($r, $app);
list($user, $user_submit) = check_remote_submit_permissions($r, $app);
$template = read_input_template($app, $r);
$e = est_elapsed_time($r, $template);
@ -444,7 +444,7 @@ function logical_end_time($r, $jobs, $user, $app) {
function submit_batch($r) {
xml_start_tag("submit_batch");
$app = get_submit_app((string)($r->batch->app_name));
list($user, $user_submit) = authenticate_user($r, $app);
list($user, $user_submit) = check_remote_submit_permissions($r, $app);
$jobs = xml_get_jobs($r);
$template = read_input_template($app, $r);
if ($template) {
@ -546,7 +546,7 @@ function submit_batch($r) {
function create_batch($r) {
xml_start_tag("create_batch");
$app = get_submit_app((string)($r->app_name));
list($user, $user_submit) = authenticate_user($r, $app);
list($user, $user_submit) = check_remote_submit_permissions($r, $app);
$now = time();
$batch_name = (string)($r->batch_name);
$batch_name = BoincDb::escape_string($batch_name);
@ -589,7 +589,7 @@ function print_batch_params($batch, $get_cpu_time) {
function query_batches($r) {
xml_start_tag("query_batches");
list($user, $user_submit) = authenticate_user($r, null);
list($user, $user_submit) = check_remote_submit_permissions($r, null);
$batches = BoincBatch::enum("user_id = $user->id");
$get_cpu_time = (int)($r->get_cpu_time);
foreach ($batches as $batch) {
@ -691,7 +691,7 @@ function get_batch($r) {
function query_batch($r) {
xml_start_tag("query_batch");
list($user, $user_submit) = authenticate_user($r, null);
list($user, $user_submit) = check_remote_submit_permissions($r, null);
$batch = get_batch($r);
if ($batch->user_id != $user->id) {
log_write("not owner of batch");
@ -733,7 +733,7 @@ function results_sent($wu) {
//
function query_batch2($r) {
xml_start_tag("query_batch2");
list($user, $user_submit) = authenticate_user($r, null);
list($user, $user_submit) = check_remote_submit_permissions($r, null);
$batch_names = $r->batch_name;
$batches = array();
foreach ($batch_names as $b) {
@ -792,7 +792,7 @@ function query_batch2($r) {
function query_job($r) {
xml_start_tag("query_job");
list($user, $user_submit) = authenticate_user($r, null);
list($user, $user_submit) = check_remote_submit_permissions($r, null);
$job_id = (int)($r->job_id);
$wu = BoincWorkunit::lookup_id($job_id);
if (!$wu) {
@ -835,7 +835,7 @@ function query_job($r) {
//
function query_completed_job($r) {
xml_start_tag("query_completed_job");
list($user, $user_submit) = authenticate_user($r, null);
list($user, $user_submit) = check_remote_submit_permissions($r, null);
$job_name = (string)($r->job_name);
$job_name = BoincDb::escape_string($job_name);
$wu = BoincWorkunit::lookup("name='$job_name'");
@ -884,7 +884,7 @@ function query_completed_job($r) {
function handle_abort_batch($r) {
xml_start_tag("abort_batch");
list($user, $user_submit) = authenticate_user($r, null);
list($user, $user_submit) = check_remote_submit_permissions($r, null);
$batch = get_batch($r);
if ($batch->user_id != $user->id) {
log_write("not owner");
@ -900,7 +900,7 @@ function handle_abort_batch($r) {
//
function handle_abort_jobs($r) {
xml_start_tag("abort_jobs");
list($user, $user_submit) = authenticate_user($r, null);
list($user, $user_submit) = check_remote_submit_permissions($r, null);
$batch = null;
foreach ($r->job_name as $job_name) {
$job_name = BoincDb::escape_string($job_name);
@ -930,7 +930,7 @@ function handle_abort_jobs($r) {
function handle_retire_batch($r) {
xml_start_tag("retire_batch");
list($user, $user_submit) = authenticate_user($r, null);
list($user, $user_submit) = check_remote_submit_permissions($r, null);
$batch = get_batch($r);
if ($batch->user_id != $user->id) {
log_write("not owner of batch");
@ -944,7 +944,7 @@ function handle_retire_batch($r) {
function handle_set_expire_time($r) {
xml_start_tag("set_expire_time");
list($user, $user_submit) = authenticate_user($r, null);
list($user, $user_submit) = check_remote_submit_permissions($r, null);
$batch = get_batch($r);
if ($batch->user_id != $user->id) {
log_write("not owner of batch");
@ -971,7 +971,7 @@ function get_templates($r) {
$app = BoincApp::lookup_id($wu->appid);
}
list($user, $user_submit) = authenticate_user($r, $app);
list($user, $user_submit) = check_remote_submit_permissions($r, $app);
$in = file_get_contents(project_dir() . "/templates/".$app->name."_in");
$out = file_get_contents(project_dir() . "/templates/".$app->name."_out");
if ($in === false || $out === false) {