mirror of https://github.com/BOINC/boinc.git
Merge pull request #4722 from BOINC/dpa_remote_perm
Remote job submission: clean up permissions checking
This commit is contained in:
commit
afd08ef3d8
|
@ -54,7 +54,25 @@ function job_file_name($md5) {
|
||||||
return "jf_$md5";
|
return "jf_$md5";
|
||||||
}
|
}
|
||||||
|
|
||||||
function authenticate_user($r, $app) {
|
// does user have submit permissions?
|
||||||
|
//
|
||||||
|
function submit_permissions($user) {
|
||||||
|
return BoincUserSubmit::lookup_userid($user->id);
|
||||||
|
}
|
||||||
|
|
||||||
|
// does user have submit permissions for given app?
|
||||||
|
//
|
||||||
|
function submit_permissions_app($user, $app) {
|
||||||
|
return BoincUserSubmitApp::lookup("user_id=$user->id and app_id=$app->id");
|
||||||
|
}
|
||||||
|
|
||||||
|
// check whether user has permissions for a remote job submission
|
||||||
|
// or job file request.
|
||||||
|
// $r is a request message that includes an 'authenticator' field
|
||||||
|
// $app is the app being submitted to (or null if file op)
|
||||||
|
// returns [user, UserSubmit], or give XML error
|
||||||
|
//
|
||||||
|
function check_remote_submit_permissions($r, $app) {
|
||||||
$auth = (string)$r->authenticator;
|
$auth = (string)$r->authenticator;
|
||||||
if (!$auth) {
|
if (!$auth) {
|
||||||
log_write("no authenticator");
|
log_write("no authenticator");
|
||||||
|
@ -66,13 +84,13 @@ function authenticate_user($r, $app) {
|
||||||
log_write("bad authenticator");
|
log_write("bad authenticator");
|
||||||
xml_error(-1, "bad authenticator");
|
xml_error(-1, "bad authenticator");
|
||||||
}
|
}
|
||||||
$user_submit = BoincUserSubmit::lookup_userid($user->id);
|
$user_submit = submit_permissions($user);
|
||||||
if (!$user_submit) {
|
if (!$user_submit) {
|
||||||
log_write("no submit access");
|
log_write("no submit access");
|
||||||
xml_error(-1, "no submit access");
|
xml_error(-1, "no submit access");
|
||||||
}
|
}
|
||||||
if ($app && !$user_submit->submit_all) {
|
if ($app && !$user_submit->submit_all) {
|
||||||
$usa = BoincUserSubmitApp::lookup("user_id=$user->id and app_id=$app->id");
|
$usa = submit_permissions_app($user, $app);
|
||||||
if (!$usa) {
|
if (!$usa) {
|
||||||
log_write("no app submit access");
|
log_write("no app submit access");
|
||||||
xml_error(-1, "no app submit access");
|
xml_error(-1, "no app submit access");
|
||||||
|
|
|
@ -16,7 +16,7 @@
|
||||||
// You should have received a copy of the GNU Lesser General Public License
|
// You should have received a copy of the GNU Lesser General Public License
|
||||||
// along with BOINC. If not, see <http://www.gnu.org/licenses/>.
|
// along with BOINC. If not, see <http://www.gnu.org/licenses/>.
|
||||||
|
|
||||||
// Web RPCs for managing job input files on the server.
|
// Web RPCs for managing input files for remote job submission
|
||||||
//
|
//
|
||||||
// Issues:
|
// Issues:
|
||||||
//
|
//
|
||||||
|
@ -99,7 +99,7 @@ function upload_error_description($errno) {
|
||||||
|
|
||||||
function query_files($r) {
|
function query_files($r) {
|
||||||
xml_start_tag("query_files");
|
xml_start_tag("query_files");
|
||||||
list($user, $user_submit) = authenticate_user($r, null);
|
list($user, $user_submit) = check_remote_submit_permissions($r, null);
|
||||||
$absent_files = array();
|
$absent_files = array();
|
||||||
$now = time();
|
$now = time();
|
||||||
$delete_time = (int)$r->delete_time;
|
$delete_time = (int)$r->delete_time;
|
||||||
|
@ -175,7 +175,7 @@ function delete_uploaded_files() {
|
||||||
|
|
||||||
function upload_files($r) {
|
function upload_files($r) {
|
||||||
xml_start_tag("upload_files");
|
xml_start_tag("upload_files");
|
||||||
list($user, $user_submit) = authenticate_user($r, null);
|
list($user, $user_submit) = check_remote_submit_permissions($r, null);
|
||||||
$fanout = parse_config(get_config(), "<uldl_dir_fanout>");
|
$fanout = parse_config(get_config(), "<uldl_dir_fanout>");
|
||||||
$delete_time = (int)$r->delete_time;
|
$delete_time = (int)$r->delete_time;
|
||||||
$batch_id = (int)$r->batch_id;
|
$batch_id = (int)$r->batch_id;
|
||||||
|
|
|
@ -37,16 +37,17 @@ ini_set('display_startup_errors', true);
|
||||||
|
|
||||||
require_once("../inc/sandbox.inc");
|
require_once("../inc/sandbox.inc");
|
||||||
require_once("../inc/submit_db.inc");
|
require_once("../inc/submit_db.inc");
|
||||||
|
require_once("../inc/submit_util.inc");
|
||||||
|
|
||||||
function list_files($user, $err_msg) {
|
function list_files($user, $err_msg) {
|
||||||
$dir = sandbox_dir($user);
|
$dir = sandbox_dir($user);
|
||||||
$d = opendir($dir);
|
$d = opendir($dir);
|
||||||
if (!$d) error_page("Can't open sandbox directory");
|
if (!$d) error_page("Can't open sandbox directory");
|
||||||
page_head("File sandbox for $user->name");
|
page_head("File sandbox");
|
||||||
echo "
|
echo "
|
||||||
<form action=sandbox.php method=post ENCTYPE=\"multipart/form-data\">
|
<form action=sandbox.php method=post ENCTYPE=\"multipart/form-data\">
|
||||||
<input type=hidden name=action value=upload_file>
|
<input type=hidden name=action value=upload_file>
|
||||||
Upload a file to your sandbox:
|
Upload files to your sandbox:
|
||||||
<p><input size=80 type=file name=\"new_file[]\" multiple=\"multiple\">
|
<p><input size=80 type=file name=\"new_file[]\" multiple=\"multiple\">
|
||||||
<p> <input class=\"btn btn-default\" type=submit value=Upload>
|
<p> <input class=\"btn btn-default\" type=submit value=Upload>
|
||||||
</form>
|
</form>
|
||||||
|
@ -131,7 +132,7 @@ function upload_file($user) {
|
||||||
$dir = sandbox_dir($user);
|
$dir = sandbox_dir($user);
|
||||||
$link_path = "$dir/$name";
|
$link_path = "$dir/$name";
|
||||||
sandbox_write_link_file($link_path, $size, $md5);
|
sandbox_write_link_file($link_path, $size, $md5);
|
||||||
$notice .= "Successfully uploaded file <strong>$name</strong>!<br/>";
|
$notice .= "Uploaded file <strong>$name</strong><br/>";
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
list_files($user, $notice);
|
list_files($user, $notice);
|
||||||
|
@ -186,9 +187,7 @@ function view_file($user) {
|
||||||
}
|
}
|
||||||
|
|
||||||
$user = get_logged_in_user();
|
$user = get_logged_in_user();
|
||||||
//print_r($user);
|
if (!submit_permissions($user)) error_page("no job submission access");
|
||||||
$user_submit = BoincUserSubmit::lookup_userid($user->id);
|
|
||||||
if (!$user_submit) error_page("no job submission access");
|
|
||||||
|
|
||||||
$action = get_str('action', true);
|
$action = get_str('action', true);
|
||||||
if (!$action) $action = post_str('action', true);
|
if (!$action) $action = post_str('action', true);
|
||||||
|
|
|
@ -206,7 +206,7 @@ function handle_main($user) {
|
||||||
if (isset($submit_urls)) {
|
if (isset($submit_urls)) {
|
||||||
// show links to per-app job submission pages
|
// show links to per-app job submission pages
|
||||||
//
|
//
|
||||||
echo "<h2>Submit jobs</h2>
|
echo "<h3>Submit jobs</h3>
|
||||||
<ul>
|
<ul>
|
||||||
";
|
";
|
||||||
foreach ($submit_urls as $appname=>$submit_url) {
|
foreach ($submit_urls as $appname=>$submit_url) {
|
||||||
|
@ -232,7 +232,7 @@ function handle_main($user) {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
if ($user_submit->manage_all || $app_admin) {
|
if ($user_submit->manage_all || $app_admin) {
|
||||||
echo "<h2>Administrative functions</h2><ul>\n";
|
echo "<h3>Administrative functions</h3><ul>\n";
|
||||||
if ($user_submit->manage_all) {
|
if ($user_submit->manage_all) {
|
||||||
echo "<li>All applications<br>
|
echo "<li>All applications<br>
|
||||||
<a href=submit.php?action=admin&app_id=0>Batches</a>
|
<a href=submit.php?action=admin&app_id=0>Batches</a>
|
||||||
|
|
|
@ -128,7 +128,7 @@ function check_max_jobs_in_progress($r, $user_submit) {
|
||||||
function estimate_batch($r) {
|
function estimate_batch($r) {
|
||||||
xml_start_tag("estimate_batch");
|
xml_start_tag("estimate_batch");
|
||||||
$app = get_submit_app((string)($r->batch->app_name));
|
$app = get_submit_app((string)($r->batch->app_name));
|
||||||
list($user, $user_submit) = authenticate_user($r, $app);
|
list($user, $user_submit) = check_remote_submit_permissions($r, $app);
|
||||||
|
|
||||||
$template = read_input_template($app, $r);
|
$template = read_input_template($app, $r);
|
||||||
$e = est_elapsed_time($r, $template);
|
$e = est_elapsed_time($r, $template);
|
||||||
|
@ -444,7 +444,7 @@ function logical_end_time($r, $jobs, $user, $app) {
|
||||||
function submit_batch($r) {
|
function submit_batch($r) {
|
||||||
xml_start_tag("submit_batch");
|
xml_start_tag("submit_batch");
|
||||||
$app = get_submit_app((string)($r->batch->app_name));
|
$app = get_submit_app((string)($r->batch->app_name));
|
||||||
list($user, $user_submit) = authenticate_user($r, $app);
|
list($user, $user_submit) = check_remote_submit_permissions($r, $app);
|
||||||
$jobs = xml_get_jobs($r);
|
$jobs = xml_get_jobs($r);
|
||||||
$template = read_input_template($app, $r);
|
$template = read_input_template($app, $r);
|
||||||
if ($template) {
|
if ($template) {
|
||||||
|
@ -546,7 +546,7 @@ function submit_batch($r) {
|
||||||
function create_batch($r) {
|
function create_batch($r) {
|
||||||
xml_start_tag("create_batch");
|
xml_start_tag("create_batch");
|
||||||
$app = get_submit_app((string)($r->app_name));
|
$app = get_submit_app((string)($r->app_name));
|
||||||
list($user, $user_submit) = authenticate_user($r, $app);
|
list($user, $user_submit) = check_remote_submit_permissions($r, $app);
|
||||||
$now = time();
|
$now = time();
|
||||||
$batch_name = (string)($r->batch_name);
|
$batch_name = (string)($r->batch_name);
|
||||||
$batch_name = BoincDb::escape_string($batch_name);
|
$batch_name = BoincDb::escape_string($batch_name);
|
||||||
|
@ -589,7 +589,7 @@ function print_batch_params($batch, $get_cpu_time) {
|
||||||
|
|
||||||
function query_batches($r) {
|
function query_batches($r) {
|
||||||
xml_start_tag("query_batches");
|
xml_start_tag("query_batches");
|
||||||
list($user, $user_submit) = authenticate_user($r, null);
|
list($user, $user_submit) = check_remote_submit_permissions($r, null);
|
||||||
$batches = BoincBatch::enum("user_id = $user->id");
|
$batches = BoincBatch::enum("user_id = $user->id");
|
||||||
$get_cpu_time = (int)($r->get_cpu_time);
|
$get_cpu_time = (int)($r->get_cpu_time);
|
||||||
foreach ($batches as $batch) {
|
foreach ($batches as $batch) {
|
||||||
|
@ -691,7 +691,7 @@ function get_batch($r) {
|
||||||
|
|
||||||
function query_batch($r) {
|
function query_batch($r) {
|
||||||
xml_start_tag("query_batch");
|
xml_start_tag("query_batch");
|
||||||
list($user, $user_submit) = authenticate_user($r, null);
|
list($user, $user_submit) = check_remote_submit_permissions($r, null);
|
||||||
$batch = get_batch($r);
|
$batch = get_batch($r);
|
||||||
if ($batch->user_id != $user->id) {
|
if ($batch->user_id != $user->id) {
|
||||||
log_write("not owner of batch");
|
log_write("not owner of batch");
|
||||||
|
@ -733,7 +733,7 @@ function results_sent($wu) {
|
||||||
//
|
//
|
||||||
function query_batch2($r) {
|
function query_batch2($r) {
|
||||||
xml_start_tag("query_batch2");
|
xml_start_tag("query_batch2");
|
||||||
list($user, $user_submit) = authenticate_user($r, null);
|
list($user, $user_submit) = check_remote_submit_permissions($r, null);
|
||||||
$batch_names = $r->batch_name;
|
$batch_names = $r->batch_name;
|
||||||
$batches = array();
|
$batches = array();
|
||||||
foreach ($batch_names as $b) {
|
foreach ($batch_names as $b) {
|
||||||
|
@ -792,7 +792,7 @@ function query_batch2($r) {
|
||||||
|
|
||||||
function query_job($r) {
|
function query_job($r) {
|
||||||
xml_start_tag("query_job");
|
xml_start_tag("query_job");
|
||||||
list($user, $user_submit) = authenticate_user($r, null);
|
list($user, $user_submit) = check_remote_submit_permissions($r, null);
|
||||||
$job_id = (int)($r->job_id);
|
$job_id = (int)($r->job_id);
|
||||||
$wu = BoincWorkunit::lookup_id($job_id);
|
$wu = BoincWorkunit::lookup_id($job_id);
|
||||||
if (!$wu) {
|
if (!$wu) {
|
||||||
|
@ -835,7 +835,7 @@ function query_job($r) {
|
||||||
//
|
//
|
||||||
function query_completed_job($r) {
|
function query_completed_job($r) {
|
||||||
xml_start_tag("query_completed_job");
|
xml_start_tag("query_completed_job");
|
||||||
list($user, $user_submit) = authenticate_user($r, null);
|
list($user, $user_submit) = check_remote_submit_permissions($r, null);
|
||||||
$job_name = (string)($r->job_name);
|
$job_name = (string)($r->job_name);
|
||||||
$job_name = BoincDb::escape_string($job_name);
|
$job_name = BoincDb::escape_string($job_name);
|
||||||
$wu = BoincWorkunit::lookup("name='$job_name'");
|
$wu = BoincWorkunit::lookup("name='$job_name'");
|
||||||
|
@ -884,7 +884,7 @@ function query_completed_job($r) {
|
||||||
|
|
||||||
function handle_abort_batch($r) {
|
function handle_abort_batch($r) {
|
||||||
xml_start_tag("abort_batch");
|
xml_start_tag("abort_batch");
|
||||||
list($user, $user_submit) = authenticate_user($r, null);
|
list($user, $user_submit) = check_remote_submit_permissions($r, null);
|
||||||
$batch = get_batch($r);
|
$batch = get_batch($r);
|
||||||
if ($batch->user_id != $user->id) {
|
if ($batch->user_id != $user->id) {
|
||||||
log_write("not owner");
|
log_write("not owner");
|
||||||
|
@ -900,7 +900,7 @@ function handle_abort_batch($r) {
|
||||||
//
|
//
|
||||||
function handle_abort_jobs($r) {
|
function handle_abort_jobs($r) {
|
||||||
xml_start_tag("abort_jobs");
|
xml_start_tag("abort_jobs");
|
||||||
list($user, $user_submit) = authenticate_user($r, null);
|
list($user, $user_submit) = check_remote_submit_permissions($r, null);
|
||||||
$batch = null;
|
$batch = null;
|
||||||
foreach ($r->job_name as $job_name) {
|
foreach ($r->job_name as $job_name) {
|
||||||
$job_name = BoincDb::escape_string($job_name);
|
$job_name = BoincDb::escape_string($job_name);
|
||||||
|
@ -930,7 +930,7 @@ function handle_abort_jobs($r) {
|
||||||
|
|
||||||
function handle_retire_batch($r) {
|
function handle_retire_batch($r) {
|
||||||
xml_start_tag("retire_batch");
|
xml_start_tag("retire_batch");
|
||||||
list($user, $user_submit) = authenticate_user($r, null);
|
list($user, $user_submit) = check_remote_submit_permissions($r, null);
|
||||||
$batch = get_batch($r);
|
$batch = get_batch($r);
|
||||||
if ($batch->user_id != $user->id) {
|
if ($batch->user_id != $user->id) {
|
||||||
log_write("not owner of batch");
|
log_write("not owner of batch");
|
||||||
|
@ -944,7 +944,7 @@ function handle_retire_batch($r) {
|
||||||
|
|
||||||
function handle_set_expire_time($r) {
|
function handle_set_expire_time($r) {
|
||||||
xml_start_tag("set_expire_time");
|
xml_start_tag("set_expire_time");
|
||||||
list($user, $user_submit) = authenticate_user($r, null);
|
list($user, $user_submit) = check_remote_submit_permissions($r, null);
|
||||||
$batch = get_batch($r);
|
$batch = get_batch($r);
|
||||||
if ($batch->user_id != $user->id) {
|
if ($batch->user_id != $user->id) {
|
||||||
log_write("not owner of batch");
|
log_write("not owner of batch");
|
||||||
|
@ -971,7 +971,7 @@ function get_templates($r) {
|
||||||
$app = BoincApp::lookup_id($wu->appid);
|
$app = BoincApp::lookup_id($wu->appid);
|
||||||
}
|
}
|
||||||
|
|
||||||
list($user, $user_submit) = authenticate_user($r, $app);
|
list($user, $user_submit) = check_remote_submit_permissions($r, $app);
|
||||||
$in = file_get_contents(project_dir() . "/templates/".$app->name."_in");
|
$in = file_get_contents(project_dir() . "/templates/".$app->name."_in");
|
||||||
$out = file_get_contents(project_dir() . "/templates/".$app->name."_out");
|
$out = file_get_contents(project_dir() . "/templates/".$app->name."_out");
|
||||||
if ($in === false || $out === false) {
|
if ($in === false || $out === false) {
|
||||||
|
|
Loading…
Reference in New Issue