[pve-devel] r5525 - in pve-access-control/trunk: . PVE
svn-commits at proxmox.com
svn-commits at proxmox.com
Tue Feb 15 12:07:34 CET 2011
Author: dietmar
Date: 2011-02-15 12:07:34 +0100 (Tue, 15 Feb 2011)
New Revision: 5525
Modified:
pve-access-control/trunk/ChangeLog
pve-access-control/trunk/PVE/ACLCache.pm
pve-access-control/trunk/PVE/AccessControl.pm
Log:
Modified: pve-access-control/trunk/ChangeLog
===================================================================
--- pve-access-control/trunk/ChangeLog 2011-02-15 10:20:29 UTC (rev 5524)
+++ pve-access-control/trunk/ChangeLog 2011-02-15 11:07:34 UTC (rev 5525)
@@ -1,5 +1,8 @@
2011-02-15 Proxmox Support Team <support at proxmox.com>
+ * PVE/AccessControl.pm (verify_username): restrict user names to
+ 64 charachters.
+
* PVE/ACLCache.pm: move code into new file.
* test/perm-test1.pl: modified to use new PVE::ACLCache class.
Modified: pve-access-control/trunk/PVE/ACLCache.pm
===================================================================
--- pve-access-control/trunk/PVE/ACLCache.pm 2011-02-15 10:20:29 UTC (rev 5524)
+++ pve-access-control/trunk/PVE/ACLCache.pm 2011-02-15 11:07:34 UTC (rev 5525)
@@ -17,7 +17,7 @@
return $self;
}
-sub compile {
+my $compile_acl = sub {
my ($self, $user) = @_;
if ($user eq 'root') { # root can do anything
@@ -43,17 +43,20 @@
}
return $res;
-}
+};
sub permissions {
my ($self, $user, $path) = @_;
+ $user = PVE::AccessControl::verify_username($user, 1);
+ return {} if !$user;
+
my $cache = $self->{cache};
my $acl = $cache->{$user};
if (!$acl) {
- $acl = $cache->{$user} = $self->compile($user);
+ $acl = $cache->{$user} = &$compile_acl($self, $user);
}
my $perm;
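Review bot: The new call `&$compile_acl($self, $user)` in permissions uses the ampersand call form; `$compile_acl->($self, $user)` is the clearer way to invoke a code reference and cannot be confused with the parenthesis-less `&$code;` form that silently reuses the caller's `@_`. The closure's `$user eq 'root'` shortcut grants everything, so it now relies on permissions having normalized the name first. A comment above the closure such as `# $user must already be normalized by verify_username()` would record that contract. Both the closure and permissions continue outside the visible hunks.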
@@ -85,4 +88,11 @@
return 1;
};
+sub user_enabled {
+ my ($self, $user) = @_;
+
+ my $cfg = $self->{cfg};
+ return PVE::AccessControl::user_enabled($cfg, $user);
+}
+
1;
Modified: pve-access-control/trunk/PVE/AccessControl.pm
===================================================================
--- pve-access-control/trunk/PVE/AccessControl.pm 2011-02-15 10:20:29 UTC (rev 5524)
+++ pve-access-control/trunk/PVE/AccessControl.pm 2011-02-15 11:07:34 UTC (rev 5525)
@@ -298,7 +298,8 @@
sub user_enabled {
my ($usercfg, $username) = @_;
- return undef if !verify_username($username, 1);
+ $username = verify_username($username, 1);
+ return undef if !$username;
return 1 if $usercfg && $usercfg->{users}->{$username} &&
$usercfg->{users}->{$username}->{enabled};
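Review bot: user_enabled now uses the value returned by verify_username as the key into `$usercfg->{users}`, so the lookup is only as exact as that normalization, and the `s/root\@localhost/root/` shown in the verify_username hunk below is not anchored. It rewrites the substring wherever it occurs, so a name that merely contains `root@localhost` would be looked up under a different key than the one supplied; anchoring it, `$username =~ s/\Aroot\@localhost\z/root/;`, limits the alias to the exact name. The same dependency applies to the new calls in permission() in this file and permissions() in PVE/ACLCache.pm. The rest of verify_username lies outside the hunks, so a later format check may already reject such names; that is worth confirming before relying on it.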
@@ -520,10 +521,15 @@
my ($username, $noerr) = @_;
$username = '' if !$username;
- if (length($username) < 3) {
+ my $len = length($username);
+ if ($len < 3) {
die "user name '$username' is too short\n" if !$noerr;
return undef;
}
+ if ($len > 64) {
+ die "user name '$username' is too long ($len > 64)\n" if !$noerr;
+ return undef;
+ }
$username =~ s/root\@localhost/root/;
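Review bot: The new too-long branch interpolates the entire rejected name into its message, `die "user name '$username' is too long ($len > 64)\n"`, so the one case where the input is known to be oversized is also echoed in full, before any character validation visible here. If these messages reach a log or an API response, dropping the name (`die "user name is too long ($len > 64)\n" if !$noerr;`) or printing only a truncated, sanitized prefix keeps the 64-character bound meaningful there too. `length` counts characters or bytes depending on whether the caller decoded the string, so a short comment stating which unit the limit is meant in would help. verify_username starts and ends outside the hunk.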
@@ -1023,6 +1029,9 @@
sub permission {
my ($cfg, $user, $path) = @_;
+ $user = verify_username($user, 1);
+ return {} if !$user;
+
my @ra = roles($cfg, $user, $path);
my $privs = {};