From accf756b02280db4c83df14cb02e8ef8f47dc0ef Mon Sep 17 00:00:00 2001 From: David Anderson Date: Thu, 21 Apr 2022 12:53:49 -0700 Subject: [PATCH] - remote job submission: clean up permissions checking --- html/inc/submit_util.inc | 24 +++++++++++++++++++++--- html/user/job_file.php | 6 +++--- html/user/sandbox.php | 11 +++++------ html/user/submit.php | 4 ++-- html/user/submit_rpc_handler.php | 26 +++++++++++++------------- 5 files changed, 44 insertions(+), 27 deletions(-) diff --git a/html/inc/submit_util.inc b/html/inc/submit_util.inc index 34f11eae03..281bede8d1 100644 --- a/html/inc/submit_util.inc +++ b/html/inc/submit_util.inc @@ -54,7 +54,25 @@ function job_file_name($md5) { return "jf_$md5"; } -function authenticate_user($r, $app) { +// does user have submit permissions? +// +function submit_permissions($user) { + return BoincUserSubmit::lookup_userid($user->id); +} + +// does user have submit permissions for given app? +// +function submit_permissions_app($user, $app) { + return BoincUserSubmitApp::lookup("user_id=$user->id and app_id=$app->id"); +} + +// check whether user has permissions for a remote job submission +// or job file request. +// $r is a request message that includes an 'authenticator' field +// $app is the app being submitted to (or null if file op) +// returns [user, UserSubmit], or give XML error +// +function check_remote_submit_permissions($r, $app) { $auth = (string)$r->authenticator; if (!$auth) { log_write("no authenticator"); @@ -66,13 +84,13 @@ function authenticate_user($r, $app) { log_write("bad authenticator"); xml_error(-1, "bad authenticator"); } - $user_submit = BoincUserSubmit::lookup_userid($user->id); + $user_submit = submit_permissions($user); if (!$user_submit) { log_write("no submit access"); xml_error(-1, "no submit access"); } if ($app && !$user_submit->submit_all) { - $usa = BoincUserSubmitApp::lookup("user_id=$user->id and app_id=$app->id"); + $usa = submit_permissions_app($user, $app); if (!$usa) { log_write("no app submit access"); xml_error(-1, "no app submit access"); diff --git a/html/user/job_file.php b/html/user/job_file.php index e8c711edb1..630bf442da 100644 --- a/html/user/job_file.php +++ b/html/user/job_file.php @@ -16,7 +16,7 @@ // You should have received a copy of the GNU Lesser General Public License // along with BOINC. If not, see . -// Web RPCs for managing job input files on the server. +// Web RPCs for managing input files for remote job submission // // Issues: // @@ -99,7 +99,7 @@ function upload_error_description($errno) { function query_files($r) { xml_start_tag("query_files"); - list($user, $user_submit) = authenticate_user($r, null); + list($user, $user_submit) = check_remote_submit_permissions($r, null); $absent_files = array(); $now = time(); $delete_time = (int)$r->delete_time; @@ -175,7 +175,7 @@ function delete_uploaded_files() { function upload_files($r) { xml_start_tag("upload_files"); - list($user, $user_submit) = authenticate_user($r, null); + list($user, $user_submit) = check_remote_submit_permissions($r, null); $fanout = parse_config(get_config(), ""); $delete_time = (int)$r->delete_time; $batch_id = (int)$r->batch_id; diff --git a/html/user/sandbox.php b/html/user/sandbox.php index b648b15f53..536793e1bb 100644 --- a/html/user/sandbox.php +++ b/html/user/sandbox.php @@ -37,16 +37,17 @@ ini_set('display_startup_errors', true); require_once("../inc/sandbox.inc"); require_once("../inc/submit_db.inc"); +require_once("../inc/submit_util.inc"); function list_files($user, $err_msg) { $dir = sandbox_dir($user); $d = opendir($dir); if (!$d) error_page("Can't open sandbox directory"); - page_head("File sandbox for $user->name"); + page_head("File sandbox"); echo "
- Upload a file to your sandbox: + Upload files to your sandbox:

@@ -131,7 +132,7 @@ function upload_file($user) { $dir = sandbox_dir($user); $link_path = "$dir/$name"; sandbox_write_link_file($link_path, $size, $md5); - $notice .= "Successfully uploaded file $name!
"; + $notice .= "Uploaded file $name
"; } } list_files($user, $notice); @@ -186,9 +187,7 @@ function view_file($user) { } $user = get_logged_in_user(); -//print_r($user); -$user_submit = BoincUserSubmit::lookup_userid($user->id); -if (!$user_submit) error_page("no job submission access"); +if (!submit_permissions($user)) error_page("no job submission access"); $action = get_str('action', true); if (!$action) $action = post_str('action', true); diff --git a/html/user/submit.php b/html/user/submit.php index 9e59616320..1ea17f4c26 100644 --- a/html/user/submit.php +++ b/html/user/submit.php @@ -206,7 +206,7 @@ function handle_main($user) { if (isset($submit_urls)) { // show links to per-app job submission pages // - echo "

Submit jobs

+ echo "

Submit jobs

    "; foreach ($submit_urls as $appname=>$submit_url) { @@ -232,7 +232,7 @@ function handle_main($user) { } } if ($user_submit->manage_all || $app_admin) { - echo "

    Administrative functions

      \n"; + echo "

      Administrative functions

        \n"; if ($user_submit->manage_all) { echo "
      • All applications
        Batches diff --git a/html/user/submit_rpc_handler.php b/html/user/submit_rpc_handler.php index 0f8bb7c98c..f026c84bb3 100644 --- a/html/user/submit_rpc_handler.php +++ b/html/user/submit_rpc_handler.php @@ -128,7 +128,7 @@ function check_max_jobs_in_progress($r, $user_submit) { function estimate_batch($r) { xml_start_tag("estimate_batch"); $app = get_submit_app((string)($r->batch->app_name)); - list($user, $user_submit) = authenticate_user($r, $app); + list($user, $user_submit) = check_remote_submit_permissions($r, $app); $template = read_input_template($app, $r); $e = est_elapsed_time($r, $template); @@ -444,7 +444,7 @@ function logical_end_time($r, $jobs, $user, $app) { function submit_batch($r) { xml_start_tag("submit_batch"); $app = get_submit_app((string)($r->batch->app_name)); - list($user, $user_submit) = authenticate_user($r, $app); + list($user, $user_submit) = check_remote_submit_permissions($r, $app); $jobs = xml_get_jobs($r); $template = read_input_template($app, $r); if ($template) { @@ -546,7 +546,7 @@ function submit_batch($r) { function create_batch($r) { xml_start_tag("create_batch"); $app = get_submit_app((string)($r->app_name)); - list($user, $user_submit) = authenticate_user($r, $app); + list($user, $user_submit) = check_remote_submit_permissions($r, $app); $now = time(); $batch_name = (string)($r->batch_name); $batch_name = BoincDb::escape_string($batch_name); @@ -589,7 +589,7 @@ function print_batch_params($batch, $get_cpu_time) { function query_batches($r) { xml_start_tag("query_batches"); - list($user, $user_submit) = authenticate_user($r, null); + list($user, $user_submit) = check_remote_submit_permissions($r, null); $batches = BoincBatch::enum("user_id = $user->id"); $get_cpu_time = (int)($r->get_cpu_time); foreach ($batches as $batch) { @@ -691,7 +691,7 @@ function get_batch($r) { function query_batch($r) { xml_start_tag("query_batch"); - list($user, $user_submit) = authenticate_user($r, null); + list($user, $user_submit) = check_remote_submit_permissions($r, null); $batch = get_batch($r); if ($batch->user_id != $user->id) { log_write("not owner of batch"); @@ -733,7 +733,7 @@ function results_sent($wu) { // function query_batch2($r) { xml_start_tag("query_batch2"); - list($user, $user_submit) = authenticate_user($r, null); + list($user, $user_submit) = check_remote_submit_permissions($r, null); $batch_names = $r->batch_name; $batches = array(); foreach ($batch_names as $b) { @@ -792,7 +792,7 @@ function query_batch2($r) { function query_job($r) { xml_start_tag("query_job"); - list($user, $user_submit) = authenticate_user($r, null); + list($user, $user_submit) = check_remote_submit_permissions($r, null); $job_id = (int)($r->job_id); $wu = BoincWorkunit::lookup_id($job_id); if (!$wu) { @@ -835,7 +835,7 @@ function query_job($r) { // function query_completed_job($r) { xml_start_tag("query_completed_job"); - list($user, $user_submit) = authenticate_user($r, null); + list($user, $user_submit) = check_remote_submit_permissions($r, null); $job_name = (string)($r->job_name); $job_name = BoincDb::escape_string($job_name); $wu = BoincWorkunit::lookup("name='$job_name'"); @@ -884,7 +884,7 @@ function query_completed_job($r) { function handle_abort_batch($r) { xml_start_tag("abort_batch"); - list($user, $user_submit) = authenticate_user($r, null); + list($user, $user_submit) = check_remote_submit_permissions($r, null); $batch = get_batch($r); if ($batch->user_id != $user->id) { log_write("not owner"); @@ -900,7 +900,7 @@ function handle_abort_batch($r) { // function handle_abort_jobs($r) { xml_start_tag("abort_jobs"); - list($user, $user_submit) = authenticate_user($r, null); + list($user, $user_submit) = check_remote_submit_permissions($r, null); $batch = null; foreach ($r->job_name as $job_name) { $job_name = BoincDb::escape_string($job_name); @@ -930,7 +930,7 @@ function handle_abort_jobs($r) { function handle_retire_batch($r) { xml_start_tag("retire_batch"); - list($user, $user_submit) = authenticate_user($r, null); + list($user, $user_submit) = check_remote_submit_permissions($r, null); $batch = get_batch($r); if ($batch->user_id != $user->id) { log_write("not owner of batch"); @@ -944,7 +944,7 @@ function handle_retire_batch($r) { function handle_set_expire_time($r) { xml_start_tag("set_expire_time"); - list($user, $user_submit) = authenticate_user($r, null); + list($user, $user_submit) = check_remote_submit_permissions($r, null); $batch = get_batch($r); if ($batch->user_id != $user->id) { log_write("not owner of batch"); @@ -971,7 +971,7 @@ function get_templates($r) { $app = BoincApp::lookup_id($wu->appid); } - list($user, $user_submit) = authenticate_user($r, $app); + list($user, $user_submit) = check_remote_submit_permissions($r, $app); $in = file_get_contents(project_dir() . "/templates/".$app->name."_in"); $out = file_get_contents(project_dir() . "/templates/".$app->name."_out"); if ($in === false || $out === false) {