<% val you = Init.getUserId ();
val yourname = Init.getUserName ();

(* Node selection: an absent "node" parameter falls back to node 2. *)
val nodeNum = case $"node" of
 "" => 2
 | node => Web.stoi node;
val nodeName = Init.nodeName nodeNum;

(* NOTE(review): "uname" is taken straight from the request and is never
   checked against the accounts this member may act for (the list
   yourname :: Sec.findSubusers yourname that the "Your users" selector below
   is built from).  Every handler in this page trusts it, so any member can
   file socket/cron/FTP/firewall requests naming another member's account; the
   request is attributed to "you", but the stored data string carries the
   foreign uname.  Reject or coerce values outside that list before use. *)
val uname = case $"uname" of
 "" => yourname
 | uname => uname;

(* Current settings of the selected node/user; used only to pre-select forms. *)
val socks = Sec.socketPerms {node = nodeNum, uname = uname};
val tpe = Sec.isTpe {node = nodeNum, uname = uname};
val cron = Sec.cronAllowed {node = nodeNum, uname = uname};
val ftp = Sec.ftpAllowed {node = nodeNum, uname = uname};

(* Cleared by handlers that replace the normal page with a confirmation view. *)
ref showNormal = true;

@header [("title", ["Security settings"])];
21
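(* Command dispatcher.  Two-step flows: "<cmd>" shows a confirmation page and
   "<cmd>2" (or modRule2/delRule2) records the request; open/list/mod/save/del
   are the admin ("server" group) views.  Every recording step is reached via a
   plain GET link or a tokenless POST form, so nothing here guards against
   cross-site request forgery; the confirmation pages only prevent accidental
   clicks.  Adding a per-session token needs the portal's session API, which
   is not visible in this file, so it is left as a review note.
   Values that end up in a request's data string are shown to admins later,
   so they are validated here and HTML-escaped wherever they are rendered. *)
if $"cmd" = "socks" then
 showNormal := false;
 val socks = $"socks";
 %>Are you sure you want to request that socket permissions for <b><% Web.html uname %></b> on <b><% Web.html nodeName %></b> be changed to <b><% Web.html socks %></b>?<br>
 <a href="sec?cmd=socks2&node=<% nodeNum %>&uname=<% Web.urlEncode uname %>&socks=<% Web.urlEncode socks %>&msg=<% Web.urlEncode ($"msg") %>">Yes, place the request!</a><%
elseif $"cmd" = "socks2" then
 val socks = $"socks";
 (* Accept only the four values the selector offers, in the spirit of the
    Sec.validRule check used for firewall rules. *)
 val validSocks = case socks of
  "none" => true
  | "any" => true
  | "client" => true
  | "server" => true
  | other => false;
 if validSocks then
  val id = Sec.Req.add {usr = you, node = nodeNum, data = String.concat [uname, ": change socket permissions to ", socks], msg = $"msg"};
  if not (Sec.Req.notifyNew id) then
  %><h3>Error sending e-mail notification</h3><%
  end
  %><h3>Request added</h3><%
 else
  %>"<% Web.html socks %>" is not a valid socket permission setting; choose one of none, any, client or server.<%
 end

elseif $"cmd" = "tpe" then
 showNormal := false;
 val tpe = iff $"tpe" = "yes" then "on" else "off";
 %>Are you sure you want to request that trusted-path-executables-only for <b><% Web.html uname %></b> on <b><% Web.html nodeName %></b> be turned <b><% tpe %></b>?<br>
 <a href="sec?cmd=tpe2&node=<% nodeNum %>&uname=<% Web.urlEncode uname %>&tpe=<% tpe %>&msg=<% Web.urlEncode ($"msg") %>">Yes, place the request!</a><%
elseif $"cmd" = "tpe2" then
 (* Normalise as cron2/ftp2 do, so only "on"/"off" ever reach the request log. *)
 val tpe = iff $"tpe" = "on" then "on" else "off";
 val id = Sec.Req.add {usr = you, node = nodeNum, data = String.concat [uname, ": turn tpe ", tpe], msg = $"msg"};
 if not (Sec.Req.notifyNew id) then
 %><h3>Error sending e-mail notification</h3><%
 end
 %><h3>Request added</h3><%

elseif $"cmd" = "cron" then
 showNormal := false;
 val cron = iff $"cron" = "yes" then "enabled" else "disabled";
 %>Are you sure you want to request that <tt>cron</tt> permissions for <b><% Web.html uname %></b> on <b><% Web.html nodeName %></b> be <b><% cron %></b>?<br>
 <a href="sec?cmd=cron2&node=<% nodeNum %>&uname=<% Web.urlEncode uname %>&cron=<% cron %>&msg=<% Web.urlEncode ($"msg") %>">Yes, place the request!</a><%
elseif $"cmd" = "cron2" then
 val cron = iff $"cron" = "enabled" then "enable" else "disable";
 val id = Sec.Req.add {usr = you, node = nodeNum, data = String.concat [uname, ": ", cron, " cron access"], msg = $"msg"};
 if not (Sec.Req.notifyNew id) then
 %><h3>Error sending e-mail notification</h3><%
 end
 %><h3>Request added</h3><%

elseif $"cmd" = "ftp" then
 showNormal := false;
 val ftp = iff $"ftp" = "yes" then "enabled" else "disabled";
 %>Are you sure you want to request that FTP permissions for <b><% Web.html uname %></b> on <b><% Web.html nodeName %></b> be <b><% ftp %></b>?<br>
 <a href="sec?cmd=ftp2&node=<% nodeNum %>&uname=<% Web.urlEncode uname %>&ftp=<% ftp %>&msg=<% Web.urlEncode ($"msg") %>">Yes, place the request!</a><%
elseif $"cmd" = "ftp2" then
 val ftp = iff $"ftp" = "enabled" then "enable" else "disable";
 val id = Sec.Req.add {usr = you, node = nodeNum, data = String.concat [uname, ": ", ftp, " FTP access"], msg = $"msg"};
 if not (Sec.Req.notifyNew id) then
 %><h3>Error sending e-mail notification</h3><%
 end
 %><h3>Request added</h3><%

elseif $"cmd" = "rule" then
 showNormal := false;
 val rule = $"rule";

 if Sec.validRule rule then
  %>Are you sure you want to request the firewall rule <b><% Web.html uname %>&nbsp;<% Web.html rule %></b> on <b><% Web.html nodeName %></b>?<br>
  <a href="sec?cmd=rule2&node=<% nodeNum %>&uname=<% Web.urlEncode uname %>&rule=<% Web.urlEncode rule %>&msg=<% Web.urlEncode ($"msg") %>">Yes, place the request!</a><%
 else
  %>"<% Web.html rule %>" is not a valid firewall rule! Please reread <a href="http://wiki.hcoop.net/wiki/FirewallRules">the instructions</a>, and remember to leave off the initial username portion.<%
 end

elseif $"cmd" = "rule2" then
 val rule = $"rule";

 (* Re-checked here because the confirmation link can be edited by hand. *)
 if Sec.validRule rule then
  val id = Sec.Req.add {usr = you, node = nodeNum, data = String.concat ["Add firewall rule \"", uname, " ", rule, "\""], msg = $"msg"};
  if not (Sec.Req.notifyNew id) then
  %><h3>Error sending e-mail notification</h3><%
  end
  %><h3>Request added</h3><%
 else
  %>"<% Web.html rule %>" is not a valid firewall rule! Please reread <a href="http://wiki.hcoop.net/wiki/FirewallRules">the instructions</a>, and remember to leave off the initial username portion.<%
 end

elseif $"modRule" <> "" then
 showNormal := false;
 val oldRule = $"modRule";
 val rule = $"rule";
 (* A modified rule is subject to the same validation as a new one. *)
 if oldRule = rule then
  %>You didn't modify the textbox for this rule before clicking the button, so there is no request to be made.<%
 elseif Sec.validRule rule then
  %>Are you sure you want to request that firewall rule <b><% Web.html uname %>&nbsp;<% Web.html oldRule %></b> be replaced by <b><% Web.html uname %>&nbsp;<% Web.html rule %></b> on <b><% Web.html nodeName %></b>?<br>
  <a href="sec?node=<% nodeNum %>&uname=<% Web.urlEncode uname %>&modRule2=<% Web.urlEncode oldRule %>&rule=<% Web.urlEncode rule %>&msg=<% Web.urlEncode ($"msg") %>">Yes, place the request!</a><%
 else
  %>"<% Web.html rule %>" is not a valid firewall rule! Please reread <a href="http://wiki.hcoop.net/wiki/FirewallRules">the instructions</a>, and remember to leave off the initial username portion.<%
 end
elseif $"modRule2" <> "" then
 val rule = $"rule";
 if Sec.validRule rule then
  val id = Sec.Req.add {usr = you, node = nodeNum, data = String.concat ["Change firewall rule \"", uname, " ", $"modRule2", "\" to \"", uname, " ", rule, "\""], msg = $"msg"};
  if not (Sec.Req.notifyNew id) then
  %><h3>Error sending e-mail notification</h3><%
  end
  %><h3>Request added</h3><%
 else
  %>"<% Web.html rule %>" is not a valid firewall rule! Please reread <a href="http://wiki.hcoop.net/wiki/FirewallRules">the instructions</a>, and remember to leave off the initial username portion.<%
 end

elseif $"delRule" <> "" then
 showNormal := false;
 val oldRule = $"delRule";
 %>Are you sure you want to request that firewall rule <b><% Web.html uname %>&nbsp;<% Web.html oldRule %></b> on <b><% Web.html nodeName %></b> be <b>deleted</b>?<br>
 <a href="sec?node=<% nodeNum %>&uname=<% Web.urlEncode uname %>&delRule2=<% Web.urlEncode oldRule %>&msg=<% Web.urlEncode ($"msg") %>">Yes, place the request!</a><%
elseif $"delRule2" <> "" then
 val id = Sec.Req.add {usr = you, node = nodeNum, data = String.concat ["Delete firewall rule \"", uname, " ", $"delRule2", "\""], msg = $"msg"};
 if not (Sec.Req.notifyNew id) then
 %><h3>Error sending e-mail notification</h3><%
 end
 %><h3>Request added</h3><%

(* Admin views below: requester names and request data are member-supplied,
   so they are escaped like the message text already was. *)
elseif $"cmd" = "open" then
 showNormal := false;
 Group.requireGroupName "server";
 %><h3>Open requests</h3>
 <a href="sec?cmd=list">List all requests</a><%

 foreach (name, req) in Sec.Req.listOpen () do %>
<br><hr><br>
<table class="blanks">
<tr> <td>By:</td> <td><a href="user?id=<% #usr req %>"><% Web.html name %></a></td> </tr>
<tr> <td>Time:</td> <td><% #stamp req %></td> </tr>
<tr> <td>Node:</td> <td><% Web.html (Init.nodeName (#node req)) %></td> </tr>
<tr> <td>Request:</td> <td><% Web.html (#data req) %></td> </tr>
<tr> <td>Msg:</td> <td colspan="2"><% Web.html (#msg req) %></td> </tr>
</table>

<br>
<a href="sec?mod=<% #id req %>">[Modify]</a>
<a href="sec?del=<% #id req %>">[Delete]</a><br>

<% end

elseif $"cmd" = "list" then
 showNormal := false;
 Group.requireGroupName "server"
 %><h3>All requests</h3><%

 foreach (name, req) in Sec.Req.list () do %>
<br><hr><br>
<table class="blanks">
<tr> <td>By:</td> <td colspan="2"><a href="user?id=<% #usr req %>"><% Web.html name %></a></td> </tr>
<tr> <td>Time:</td> <td colspan="2"><% #stamp req %></td> </tr>
<tr> <td>Node:</td> <td><% Web.html (Init.nodeName (#node req)) %></td> </tr>
<tr> <td>Request:</td> <td><% Web.html (#data req) %></td> </tr>
<tr> <td>Reason:</td> <td colspan="2"><% Web.html (#msg req) %></td> </tr>
</table>

<br>
<a href="sec?mod=<% #id req %>">[Modify]</a>
<a href="sec?del=<% #id req %>">[Delete]</a>

<% end

elseif $"mod" <> "" then
 showNormal := false;
 Group.requireGroupName "server";
 val id = Web.stoi ($"mod");
 val req = Sec.Req.lookup id;
 val user = Init.lookupUser (#usr req) %>
<h3>Handle request</h3>

<form action="sec" method="post">
<input type="hidden" name="save" value="<% id %>">
<table class="blanks">
<tr> <td>Requestor:</td> <td><a href="user?id=<% #usr req %>"><% Web.html (#name user) %></a></td> </tr>
<tr> <td>Time:</td> <td><% #stamp req %></td> </tr>
<tr> <td>Status:</td> <td><select name="status">
 <option value="0"<% if #status req = Sec.Req.NEW then %> selected<% end %>>New</option>
 <option value="1"<% if #status req = Sec.Req.INSTALLED then %> selected<% end %>>Installed</option>
 <option value="2"<% if #status req = Sec.Req.REJECTED then %> selected<% end %>>Rejected</option>
</select></td> </tr>
<tr> <td>Node:</td> <td><select name="node">
<% (* Pre-select the request's own node, not the page's nodeNum (which is the
      default node here, since the mod link carries no "node" parameter). *)
foreach node in Init.listNodes () do %>
 <option value="<% #id node %>"<% if #id node = #node req then %> selected<% end %>><% Web.html (#name node) %> (<% Web.html (#descr node) %>)</option>
<% end %></select></td> </tr>
<tr> <td>Request:</td> <td><input name="req" value="<% Web.html (#data req) %>"></td> </tr>
<tr> <td>Message:</td> <td><textarea name="msg" rows="10" cols="80" wrap="soft"><% Web.html (#msg req) %></textarea></td> </tr>
<tr> <td><input type="submit" value="Save"></td> </tr>
</table>
</form>

<% elseif $"save" <> "" then
 showNormal := false;
 Group.requireGroupName "server";
 val id = Web.stoi ($"save");
 val req = Sec.Req.lookup id;
 val oldStatus = #status req;
 val newStatus = Sec.Req.statusFromInt (Web.stoi ($"status"));
 (* nodeNum here comes from the form's "node" selector. *)
 Sec.Req.modify {req with node = nodeNum, data = $"req", msg = $"msg", status = newStatus};
 if oldStatus <> newStatus then
  if not (Sec.Req.notifyMod {old = oldStatus, new = newStatus, changer = Init.getUserName(), req = id}) then
  %><h3>Error sending e-mail notification</h3><%
  end
 end
 %><h3>Request modified</h3>
 Back to: <a href="sec?cmd=open">open requests</a>, <a href="sec?cmd=list">all requests</a>

<% elseif $"del" <> "" then
 showNormal := false;
 Group.requireGroupName "server";
 val id = Web.stoi ($"del");
 val req = Sec.Req.lookup id;
 val user = Init.lookupUser (#usr req)
 %><h3>Are you sure you want to delete request by <% Web.html (#name user) %> for "<% Web.html (#data req) %>" on <% Web.html (Init.nodeName (#node req)) %>?</h3>
 <a href="sec?del2=<% id %>">Yes, I'm sure!</a>

<% elseif $"del2" <> "" then
 showNormal := false;
 Group.requireGroupName "server";
 val id = Web.stoi ($"del2");
 Sec.Req.delete id
 %><h3>Request deleted</h3>
 Back to: <a href="sec?cmd=open">open requests</a>, <a href="sec?cmd=list">all requests</a>

<% end;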
230
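(* Normal page: node/user selectors, the per-feature request forms and the
   user's current firewall rules.  uname is request-supplied, so every place
   it is echoed into markup -- including the hidden inputs inside the HTML
   comments, where an unescaped "-->" would otherwise end the comment -- goes
   through Web.html, as the "uname" field of the first form already did. *)
if showNormal then %>

<table class="blanks">
<form action="sec" method="post">
<input type="hidden" name="uname" value="<% Web.html uname %>">
<tr> <td>Machines:</td> <td><select name="node">
<% foreach node in Init.listNodes () do %>
 <option value="<% #id node %>"<% if nodeNum = #id node then %> selected<% end %>><% Web.html (#name node) %> (<% Web.html (#descr node) %>)</option>
<% end %></select></td>
<td><input type="submit" value="Switch"></td> </tr>
</form>
<form action="sec" method="post">
<input type="hidden" name="node" value="<% nodeNum %>">
<tr> <td>Your users:</td> <td><select name="uname">
<% foreach name in (yourname :: Sec.findSubusers yourname) do %>
 <option value="<% Web.html name %>"<% if uname = name then %> selected<% end %>><% Web.html name %></option>
<% end %></select></td>
<td><input type="submit" value="Switch"></td> </tr>
</form>
</table>

<!--h3>Request socket permissions change</h3>

<p>You need to request socket permissions before you are able to open any network connections. While you will be limited by firewall rules even then, any requests for firewall rules you enter in the "Reason" blank here <b>will be ignored</b>. Please use the separate form at the bottom of this page for that. There is no need to wait until a request for socket permissions has been granted before starting to request firewall rules.</p>

<p>Keep in mind that, if your request is granted, it will never apply to existing log-in sessions. Close them and re-connect to take advantage of your new privileges.</p>

<form action="sec" method="post">
<input type="hidden" name="node" value="<% nodeNum %>">
<input type="hidden" name="uname" value="<% Web.html uname %>">
<input type="hidden" name="cmd" value="socks">
<table class="blanks">
<tr> <td>New permissions:</td> <td><select name="socks">
 <option value="none"<% if socks = Sec.NADA then %> selected<% end %>>None</option>
 <option value="any"<% if socks = Sec.ANY then %> selected<% end %>>Any</option>
 <option value="client"<% if socks = Sec.CLIENT_ONLY then %> selected<% end %>>Client only</option>
 <option value="server"<% if socks = Sec.SERVER_ONLY then %> selected<% end %>>Server only</option>
</select></td> </tr>
<tr> <td>Reason:</td> <td><textarea name="msg" wrap="soft" rows="3" cols="80"></textarea></td> </tr>
<tr> <td><input type="submit" value="Request"></td> </tr>
</table>
</form>

<h3>Request change to your execute permissions</h3>

<form action="sec" method="post">
<input type="hidden" name="node" value="<% nodeNum %>">
<input type="hidden" name="uname" value="<% Web.html uname %>">
<input type="hidden" name="cmd" value="tpe">
<table class="blanks">
<tr> <td>Trusted path executables only?</td> <td><select name="tpe">
 <option value="no"<% if not tpe then %> selected<% end %>>No</option>
 <option value="yes"<% if tpe then %> selected<% end %>>Yes</option>
</select></td> </tr>
<tr> <td>Reason:</td> <td><textarea name="msg" wrap="soft" rows="3" cols="80"></textarea></td> </tr>
<tr> <td><input type="submit" value="Request"></td> </tr>
</table>
</form-->

<h3>Request change to your <tt>cron</tt> permissions</h3>

<form action="sec" method="post">
<input type="hidden" name="node" value="<% nodeNum %>">
<input type="hidden" name="uname" value="<% Web.html uname %>">
<input type="hidden" name="cmd" value="cron">
<table class="blanks">
<tr> <td>Allowed to use cron?</td> <td><select name="cron">
 <option value="no"<% if not cron then %> selected<% end %>>No</option>
 <option value="yes"<% if cron then %> selected<% end %>>Yes</option>
</select></td> </tr>
<tr> <td>Reason:</td> <td><textarea name="msg" wrap="soft" rows="3" cols="80"></textarea></td> </tr>
<tr> <td><input type="submit" value="Request"></td> </tr>
</table>
</form>

<h3>Request change to your FTP permissions</h3>

<p>Please read <a href="http://wiki.hcoop.net/wiki/FileTransfer">our wiki instructions on file transfer</a> before requesting FTP access. Almost everyone should use alternative protocols to FTP that provide superior security benefits.</p>

<form action="sec" method="post">
<input type="hidden" name="node" value="<% nodeNum %>">
<input type="hidden" name="uname" value="<% Web.html uname %>">
<input type="hidden" name="cmd" value="ftp">
<table class="blanks">
<tr> <td>Allowed to use FTP?</td> <td><select name="ftp">
 <option value="no"<% if not ftp then %> selected<% end %>>No</option>
 <option value="yes"<% if ftp then %> selected<% end %>>Yes</option>
</select></td> </tr>
<tr> <td>Reason:</td> <td><textarea name="msg" wrap="soft" rows="3" cols="80"></textarea></td> </tr>
<tr> <td><input type="submit" value="Request"></td> </tr>
</table>
</form>

<% (* Existing rules for the selected node/user.  The deletion link carries
      node and uname like the modification form does; without them the
      delRule handler would act on the default node and the member's own
      account instead of the subuser being viewed. *)
val rules = Sec.findFirewallRules {node = nodeNum, uname = uname};
switch rules of
 _::_ => %>
<h3>Your firewall rules</h3>

<% foreach rule in rules do %>
<form action="sec" method="post">
<input type="hidden" name="node" value="<% nodeNum %>">
<input type="hidden" name="uname" value="<% Web.html uname %>">
<input type="hidden" name="modRule" value="<% Web.html rule %>">
<input name="rule" value="<% Web.html rule %>">
<a href="sec?node=<% nodeNum %>&uname=<% Web.urlEncode uname %>&delRule=<% Web.urlEncode rule %>">[Request deletion]</a>
<input type="submit" value="Request change">
</form><br>
<% end
end%>

<!--h3>Request a new firewall rule</h3>

<p>You can find a description of rule formats <a href="http://wiki.hcoop.net/wiki/FirewallRules">on our wiki</a>. Enter here the rule you want, without the initial <tt>user</tt> portion.</p>

<p>Please note that <b>your firewall rule will be useless</b> if you don't first request the corresponding socket privileges at the top of this page. Also, common ports like 80 (HTTP) are open to everyone with socket permissions. Verify that you can't access a port after socket permissions have been granted before requesting a special rule here.</p>

<p>We very rarely grant requests for Client rules that don't include remote host whitelists. For example, important security concerns make it a bad idea for us to give anybody blanket IRC permissions. Instead, request specific servers. We will refuse such requests that include networks that are popularly considered fronts for illegal activity.</p>

<form action="sec" method="post">
<input type="hidden" name="node" value="<% nodeNum %>">
<input type="hidden" name="uname" value="<% Web.html uname %>">
<input type="hidden" name="cmd" value="rule">
<table class="blanks">
<tr> <td>Rule</td> <td><input name="rule" size="80"></td> </tr>
<tr> <td>Reason:</td> <td><textarea name="msg" wrap="soft" rows="3" cols="80"></textarea></td> </tr>
<tr> <td><input type="submit" value="Request"></td> </tr>
</table>
</form-->

<% end %>

<% @footer[] %>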