[bpt/portal.git] / sec.mlt

<% val you = Init.getUserId ();
val yourname = Init.getUserName ();

val nodeNum = case $"node" of
		  "" => 2
		| node => Web.stoi node;
val nodeName = Init.nodeName nodeNum;

val uname = case $"uname" of
	  "" => yourname
	| uname => uname;

val socks = Sec.socketPerms {node = nodeNum, uname = uname};
val tpe = Sec.isTpe {node = nodeNum, uname = uname};
val cron = Sec.cronAllowed {node = nodeNum, uname = uname};
val ftp = Sec.ftpAllowed {node = nodeNum, uname = uname};

ref showNormal = true;

@header [("title", ["Security settings"])];

if $"cmd" = "socks" then
	showNormal := false;
	val socks = $"socks";
	%>Are you sure you want to request that socket permissions for <b><% Web.html uname %></b> on <b><% Web.html nodeName %></b> be changed to <b><% Web.html socks %></b>?<br>
	<a href="sec?cmd=socks2&node=<% nodeNum %>&uname=<% Web.urlEncode uname %>&socks=<% Web.urlEncode socks %>&msg=<% Web.urlEncode ($"msg") %>">Yes, place the request!</a><%
elseif $"cmd" = "socks2" then
	val id = Sec.Req.add {usr = you, node = nodeNum, data = String.concat [uname, ": change socket permissions to ", $"socks"], msg = $"msg"};
	if not (Sec.Req.notifyNew id) then
		%><h3>Error sending e-mail notification</h3><%
	end
	%><h3>Request added</h3><%

elseif $"cmd" = "tpe" then
	showNormal := false;
	val tpe = iff $"tpe" = "yes" then "on" else "off";
	%>Are you sure you want to request that trusted-path-executables-only for <b><% Web.html uname %></b> on <b><% Web.html nodeName %></b> be turned <b><% tpe %></b>?<br>
	<a href="sec?cmd=tpe2&node=<% nodeNum %>&uname=<% Web.urlEncode uname %>&tpe=<% tpe %>&msg=<% Web.urlEncode ($"msg") %>">Yes, place the request!</a><%
elseif $"cmd" = "tpe2" then
	val id = Sec.Req.add {usr = you, node = nodeNum, data = String.concat [uname, ": turn tpe ", $"tpe"], msg = $"msg"};
	if not (Sec.Req.notifyNew id) then
		%><h3>Error sending e-mail notification</h3><%
	end
	%><h3>Request added</h3><%

elseif $"cmd" = "cron" then
	showNormal := false;
	val cron = iff $"cron" = "yes" then "enabled" else "disabled";
	%>Are you sure you want to request that <tt>cron</tt> permissions for <b><% Web.html uname %></b> on <b><% Web.html nodeName %></b> be <b><% cron %></b>?<br>
	<a href="sec?cmd=cron2&node=<% nodeNum %>&uname=<% Web.urlEncode uname %>&cron=<% cron %>&msg=<% Web.urlEncode ($"msg") %>">Yes, place the request!</a><%
elseif $"cmd" = "cron2" then
	val cron = iff $"cron" = "enabled" then "enable" else "disable";
	val id = Sec.Req.add {usr = you, node = nodeNum, data = String.concat [uname, ": ", cron, " cron access"], msg = $"msg"};
	if not (Sec.Req.notifyNew id) then
		%><h3>Error sending e-mail notification</h3><%
	end
	%><h3>Request added</h3><%

elseif $"cmd" = "ftp" then
	showNormal := false;
	val ftp = iff $"ftp" = "yes" then "enabled" else "disabled";
	%>Are you sure you want to request that FTP permissions for <b><% Web.html uname %></b> on <b><% Web.html nodeName %></b> be <b><% ftp %></b>?<br>
	<a href="sec?cmd=ftp2&node=<% nodeNum %>&uname=<% Web.urlEncode uname %>&ftp=<% ftp %>&msg=<% Web.urlEncode ($"msg") %>">Yes, place the request!</a><%
elseif $"cmd" = "ftp2" then
	val ftp = iff $"ftp" = "enabled" then "enable" else "disable";
	val id = Sec.Req.add {usr = you, node = nodeNum, data = String.concat [uname, ": ", ftp, " FTP access"], msg = $"msg"};
	if not (Sec.Req.notifyNew id) then
		%><h3>Error sending e-mail notification</h3><%
	end
	%><h3>Request added</h3><%

elseif $"cmd" = "rule" then
	showNormal := false;
	val rule = $"rule";

	if Sec.validRule rule then
		%>Are you sure you want to request the firewall rule <b><% Web.html uname %>&nbsp;<% Web.html rule %></b> on <b><% Web.html nodeName %></b>?<br>
	<a href="sec?cmd=rule2&node=<% nodeNum %>&uname=<% Web.urlEncode uname %>&rule=<% Web.urlEncode rule %>&msg=<% Web.urlEncode ($"msg") %>">Yes, place the request!</a><%
	else
		%>"<% Web.html rule %>" is not a valid firewall rule! Please reread <a href="http://wiki.hcoop.net/wiki/FirewallRules">the instructions</a>, and remember to leave off the initial username portion.<%
	end

elseif $"cmd" = "rule2" then
	val rule = $"rule";

	if Sec.validRule rule then
		val id = Sec.Req.add {usr = you, node = nodeNum, data = String.concat ["Add firewall rule \"", uname, " ", rule, "\""], msg = $"msg"};
		if not (Sec.Req.notifyNew id) then
			%><h3>Error sending e-mail notification</h3><%
		end
		%><h3>Request added</h3><%
	else
		%>"<% Web.html rule %>" is not a valid firewall rule! Please reread <a href="http://wiki.hcoop.net/wiki/FirewallRules">the instructions</a>, and remember to leave off the initial username portion.<%
	end

elseif $"modRule" <> "" then
	showNormal := false;
	val oldRule = $"modRule";
	val rule = $"rule"
	if oldRule = rule then
		%>You didn't modify the textbox for this rule before clicking the button, so there is no request to be made.<%
	else
		%>Are you sure you want to request that firewall rule <b><% Web.html uname %>&nbsp;<% Web.html oldRule %></b> be replaced by <b><% Web.html uname %>&nbsp;<% Web.html rule %></b> on <b><% Web.html nodeName %></b>?<br>
		<a href="sec?node=<% nodeNum %>&uname=<% Web.urlEncode uname %>&modRule2=<% Web.urlEncode oldRule %>&rule=<% Web.urlEncode rule %>&msg=<% Web.urlEncode ($"msg") %>">Yes, place the request!</a><%
	end
elseif $"modRule2" <> "" then
	val id = Sec.Req.add {usr = you, node = nodeNum, data = String.concat ["Change firewall rule \"", uname, " ", $"modRule2", "\" to \"", uname, " ", $"rule", "\""], msg = $"msg"};
	if not (Sec.Req.notifyNew id) then
		%><h3>Error sending e-mail notification</h3><%
	end
	%><h3>Request added</h3><%

elseif $"delRule" <> "" then
	showNormal := false;
	val oldRule = $"delRule";
	%>Are you sure you want to request that firewall rule <b><% Web.html uname %>&nbsp;<% Web.html oldRule %></b> on <b><% Web.html nodeName %></b> be <b>deleted</bD>?<br>
	<a href="sec?node=<% nodeNum %>&uname=<% Web.urlEncode uname %>&delRule2=<% Web.urlEncode oldRule %>&msg=<% Web.urlEncode ($"msg") %>">Yes, place the request!</a><%
elseif $"delRule2" <> "" then
	val id = Sec.Req.add {usr = you, node = nodeNum, data = String.concat ["Delete firewall rule \"", uname, " ", $"delRule2", "\""], msg = $"msg"};
	if not (Sec.Req.notifyNew id) then
		%><h3>Error sending e-mail notification</h3><%
	end
	%><h3>Request added</h3><%

elseif $"cmd" = "open" then
	showNormal := false;
	Group.requireGroupName "server";
	%><h3>Open requests</h3>
	<a href="sec?cmd=list">List all requests</a><%

	foreach (name, req) in Sec.Req.listOpen () do %>
<br><hr><br>
<table class="blanks">
<tr> <td>By:</td> <td><a href="user?id=<% #usr req %>"><% name %></a></td> </tr>
<tr> <td>Time:</td> <td><% #stamp req %> (<% Util.diffFromNow (#stamp req) %> ago)</td></tr>
<tr> <td>Node:</td> <td><% Web.html (Init.nodeName (#node req)) %></td> </tr>
<tr> <td>Request:</td> <td><% #data req %></td> </tr>
<tr> <td>Msg:</td> <td colspan="2"><% Web.html (#msg req) %></td> </tr>
</table>

<br>
<a href="sec?mod=<% #id req %>">[Modify]</a>
<a href="sec?del=<% #id req %>">[Delete]</a><br>

<%	end

elseif $"cmd" = "list" then
	showNormal := false;
	Group.requireGroupName "server"
	%><h3>All requests</h3><%

	foreach (name, req) in Sec.Req.list () do %>
<br><hr><br>
<table class="blanks">
<tr> <td>By:</td> <td colspan="2"><a href="user?id=<% #usr req %>"><% name %></a></td> </tr>
<tr> <td>Time:</td> <td colspan="2"><% #stamp req %> (<% Util.diffFromNow (#stamp req) %> ago)</td></tr>
<tr> <td>Node:</td> <td><% Web.html (Init.nodeName (#node req)) %></td> </tr>
<tr> <td>Request:</td> <td><% #data req %></td> </tr>
<tr> <td>Reason:</td> <td colspan="2"><% Web.html (#msg req) %></td> </tr>
</table>

<br>
<a href="sec?mod=<% #id req %>">[Modify]</a>
<a href="sec?del=<% #id req %>">[Delete]</a>

<%	end

elseif $"mod" <> "" then
	showNormal := false;
	Group.requireGroupName "server";
	val id = Web.stoi ($"mod");
	val req = Sec.Req.lookup id;
	val user = Init.lookupUser (#usr req) %>
<h3>Handle request</h3>

<form action="sec" method="post">
<input type="hidden" name="save" value="<% id %>">
<table class="blanks">
<tr> <td>Requestor:</td> <td><a href="user?id=<% #usr req %>"><% #name user %></a></td> </tr>
<tr> <td>Time:</td> <td><% #stamp req %> (<% Util.diffFromNow (#stamp req) %> ago)</td></tr>
<tr> <td>Status:</td> <td><select name="status">
	<option value="0"<% if #status req = Sec.Req.NEW then %> selected<% end %>>New</option>
	<option value="1"<% if #status req = Sec.Req.INSTALLED then %> selected<% end %>>Installed</option>
	<option value="2"<% if #status req = Sec.Req.REJECTED then %> selected<% end %>>Rejected</option>
</select></td> </tr>
<tr> <td>Node:</td> <td><select name="node">
<% foreach node in Init.listNodes () do %>
	<option value="<% #id node %>"<% if nodeNum = #node req then %> selected<% end %>><% Web.html (#name node) %> (<% Web.html (#descr node) %>)</option>
<% end %></select></td> </tr>
<tr> <td>Request:</td> <td><input name="req" value="<% #data req %>"></td> </tr>
<tr> <td>Message:</td> <td><textarea name="msg" rows="10" cols="80" wrap="soft"><% Web.html (#msg req) %></textarea></td> </tr>
<tr> <td><input type="submit" value="Save"></td> </tr>
</table>
</form>

<% elseif $"save" <> "" then
	showNormal := false;
	Group.requireGroupName "server";
	val id = Web.stoi ($"save");
	val req = Sec.Req.lookup id;
	val oldStatus = #status req;
	val newStatus = Sec.Req.statusFromInt (Web.stoi ($"status"));
	Sec.Req.modify {req with node = nodeNum, data = $"req", msg = $"msg", status = newStatus};
	if not (Sec.Req.notifyMod {old = oldStatus, new = newStatus, changer = Init.getUserName(), req = id}) then
		%><h3>Error sending e-mail notification</h3><%
	end
	%><h3>Request modified</h3>
	Back to: <a href="sec?cmd=open">open requests</a>, <a href="sec?cmd=list">all requests</a>

<% elseif $"del" <> "" then
	showNormal := false;
	Group.requireGroupName "server";
	val id = Web.stoi ($"del");
	val req = Sec.Req.lookup id;
	val user = Init.lookupUser (#usr req)
	%><h3>Are you sure you want to delete request by <% #name user %> for "<% #data req %>" on <% Web.html (Init.nodeName (#node req)) %>?</h3>
	<a href="sec?del2=<% id %>">Yes, I'm sure!</a>

<% elseif $"del2" <> "" then
	showNormal := false;
	Group.requireGroupName "server";
	val id = Web.stoi ($"del2");
	Sec.Req.delete id
	%><h3>Request deleted</b><h3>
	Back to: <a href="sec?cmd=open">open requests</a>, <a href="sec?cmd=list">all requests</a>

<% end;

if showNormal then %>

<table class="blanks">
<form action="sec" method="post">
<input type="hidden" name="uname" value="<% Web.html uname %>">
<tr> <td>Machines:</td> <td><select name="node">
<% foreach node in Init.listNodes () do %>
	<option value="<% #id node %>"<% if nodeNum = #id node then %> selected<% end %>><% Web.html (#name node) %> (<% Web.html (#descr node) %>)</option>
<% end %></select></td>
<td><input type="submit" value="Switch"></td> </tr>
</form>
<form action="sec" method="post">
<input type="hidden" name="node" value="<% nodeNum %>">
<tr> <td>Your users:</td> <td><select name="uname">
<% foreach name in (yourname :: Sec.findSubusers yourname) do %>
	<option value="<% name %>"<% if uname = name then %> selected<% end %>><% name %></option>
<% end %></select></td>
<td><input type="submit" value="Switch"></td> </tr>
</form>
</table>

<!--h3>Request socket permissions change</h3>

<p>You need to request socket permissions before you are able to open any network connections. While you will be limited by firewall rules even then, any requests for firewall rules you enter in the "Reason" blank here <b>will be ignored</b>. Please use the separate form at the bottom of this page for that. There is no need to wait until a request for socket permissions has been granted before starting to request firewall rules.</p>

<p>Keep in mind that, if your request is granted, it will never apply to existing log-in sessions. Close them and re-connect to take advantage of your new privileges.</p>

<form action="sec" method="post">
<input type="hidden" name="node" value="<% nodeNum %>">
<input type="hidden" name="uname" value="<% uname %>">
<input type="hidden" name="cmd" value="socks">
<table class="blanks">
<tr> <td>New permissions:</td> <td><select name="socks">
	<option value="none"<% if socks = Sec.NADA then %> selected<% end %>>None</option>
	<option value="any"<% if socks = Sec.ANY then %> selected<% end %>>Any</option>
	<option value="client"<% if socks = Sec.CLIENT_ONLY then %> selected<% end %>>Client only</option>
	<option value="server"<% if socks = Sec.SERVER_ONLY then %> selected<% end %>>Server only</option>
</select></td> </tr>
<tr> <td>Reason:</td> <td><textarea name="msg" wrap="soft" rows="3" cols="80"></textarea></td> </tr>
<tr> <td><input type="submit" value="Request"></td> </tr>
</table>
</form>

<h3>Request change to your execute permissions</h3>

<form action="sec" method="post">
<input type="hidden" name="node" value="<% nodeNum %>">
<input type="hidden" name="uname" value="<% uname %>">
<input type="hidden" name="cmd" value="tpe">
<table class="blanks">
<tr> <td>Trusted path executables only?</td> <td><select name="tpe">
	<option value="no"<% if not tpe then %> selected<% end %>>No</option>
	<option value="yes"<% if tpe then %> selected<% end %>>Yes</option>
</select></td> </tr>
<tr> <td>Reason:</td> <td><textarea name="msg" wrap="soft" rows="3" cols="80"></textarea></td> </tr>
<tr> <td><input type="submit" value="Request"></td> </tr>
</table>
</form-->

<h3>Request change to your <tt>cron</tt> permissions</h3>

<form action="sec" method="post">
<input type="hidden" name="node" value="<% nodeNum %>">
<input type="hidden" name="uname" value="<% uname %>">
<input type="hidden" name="cmd" value="cron">
<table class="blanks">
<tr> <td>Allowed to use cron?</td> <td><select name="cron">
	<option value="no"<% if not cron then %> selected<% end %>>No</option>
	<option value="yes"<% if cron then %> selected<% end %>>Yes</option>
</select></td> </tr>
<tr> <td>Reason:</td> <td><textarea name="msg" wrap="soft" rows="3" cols="80"></textarea></td> </tr>
<tr> <td><input type="submit" value="Request"></td> </tr>
</table>
</form>

<h3>Request change to your FTP permissions</h3>

<p>Please read <a href="http://wiki.hcoop.net/wiki/FileTransfer">our wiki instructions on file transfer</a> before requesting FTP access. Almost everyone should use alternative protocols to FTP that provide superior security benefits.</p>

<form action="sec" method="post">
<input type="hidden" name="node" value="<% nodeNum %>">
<input type="hidden" name="uname" value="<% uname %>">
<input type="hidden" name="cmd" value="ftp">
<table class="blanks">
<tr> <td>Allowed to use FTP?</td> <td><select name="ftp">
	<option value="no"<% if not ftp then %> selected<% end %>>No</option>
	<option value="yes"<% if ftp then %> selected<% end %>>Yes</option>
</select></td> </tr>
<tr> <td>Reason:</td> <td><textarea name="msg" wrap="soft" rows="3" cols="80"></textarea></td> </tr>
<tr> <td><input type="submit" value="Request"></td> </tr>
</table>
</form>

<% val rules = Sec.findFirewallRules {node = nodeNum, uname = uname};
switch rules of
  _::_ => %>
<h3>Your firewall rules</h3>

<% foreach rule in rules do %>
<form action="sec" method="post">
<input type="hidden" name="node" value="<% nodeNum %>">
<input type="hidden" name="uname" value="<% uname %>">
<input type="hidden" name="modRule" value="<% Web.html rule %>">
<input name="rule" value="<% Web.html rule %>">
<a href="sec?delRule=<% Web.urlEncode rule %>">[Request deletion]</a>
<input type="submit" value="Request change">
</form><br>
<% end
end%>

<h3>Request a new firewall rule</h3>

<p><b>This form isn't needed yet to allow you to use any port.  However, if you request a rule here, you can be sure it will be added when we first implement firewalls on our new servers.  Otherwise, your custom services may stop working.</b></p>

<p>You can find a description of rule formats <a href="http://wiki.hcoop.net/wiki/FirewallRules">on our wiki</a>. Enter here the rule you want, without the initial <tt>user</tt> portion.</p>

<p>Please note that <b>your firewall rule will be useless</b> if you don't first request the corresponding socket privileges at the top of this page. Also, common ports like 80 (HTTP) are open to everyone with socket permissions. Verify that you can't access a port after socket permissions have been granted before requesting a special rule here.</p>

<p>We very rarely grant requests for Client rules that don't include remote host whitelists. For example, important security concerns make it a bad idea for us to give anybody blanket IRC permissions. Instead, request specific servers. We will refuse such requests that include networks that are popularly considered fronts for illegal activity.</p>

<form action="sec" method="post">
<input type="hidden" name="node" value="<% nodeNum %>">
<input type="hidden" name="uname" value="<% uname %>">
<input type="hidden" name="cmd" value="rule">
<table class="blanks">
<tr> <td>Rule</td> <td><input name="rule" size="80"></td> </tr>
<tr> <td>Reason:</td> <td><textarea name="msg" wrap="soft" rows="3" cols="80"></textarea></td> </tr>
<tr> <td><input type="submit" value="Request"></td> </tr>
</table>
</form>

<% end %>

<% @footer[] %>
Commit	Line	Data
dfb0d0d7 AC	1	<% val you = Init.getUserId ();
	2	val yourname = Init.getUserName ();
	3
3d2ed222 AC	4	val nodeNum = case $"node" of
	5	"" => 2
	6	\| node => Web.stoi node;
	7	val nodeName = Init.nodeName nodeNum;
	8
dfb0d0d7 AC	9	val uname = case $"uname" of
	10	"" => yourname
	11	\| uname => uname;
	12
3d2ed222 AC	13	val socks = Sec.socketPerms {node = nodeNum, uname = uname};
	14	val tpe = Sec.isTpe {node = nodeNum, uname = uname};
	15	val cron = Sec.cronAllowed {node = nodeNum, uname = uname};
	16	val ftp = Sec.ftpAllowed {node = nodeNum, uname = uname};
dfb0d0d7 AC	17
	18	ref showNormal = true;
	19
	20	@header [("title", ["Security settings"])];
	21
	22	if $"cmd" = "socks" then
	23	showNormal := false;
	24	val socks = $"socks";
3d2ed222 AC	25	%>Are you sure you want to request that socket permissions for <b><% Web.html uname %></b> on <b><% Web.html nodeName %></b> be changed to <b><% Web.html socks %></b>?<br>
3d2ed222 AC	26	<a href="sec?cmd=socks2&node=<% nodeNum %>&uname=<% Web.urlEncode uname %>&socks=<% Web.urlEncode socks %>&msg=<% Web.urlEncode ($"msg") %>">Yes, place the request!</a><%
dfb0d0d7	27	elseif $"cmd" = "socks2" then
3d2ed222	28	val id = Sec.Req.add {usr = you, node = nodeNum, data = String.concat [uname, ": change socket permissions to ", $"socks"], msg = $"msg"};
dfb0d0d7	29	if not (Sec.Req.notifyNew id) then
b6dd1aaf	30	%><h3>Error sending e-mail notification</h3><%
dfb0d0d7	31	end
b6dd1aaf	32	%><h3>Request added</h3><%
dfb0d0d7 AC	33
	34	elseif $"cmd" = "tpe" then
	35	showNormal := false;
	36	val tpe = iff $"tpe" = "yes" then "on" else "off";
3d2ed222 AC	37	%>Are you sure you want to request that trusted-path-executables-only for <b><% Web.html uname %></b> on <b><% Web.html nodeName %></b> be turned <b><% tpe %></b>?<br>
3d2ed222 AC	38	<a href="sec?cmd=tpe2&node=<% nodeNum %>&uname=<% Web.urlEncode uname %>&tpe=<% tpe %>&msg=<% Web.urlEncode ($"msg") %>">Yes, place the request!</a><%
dfb0d0d7	39	elseif $"cmd" = "tpe2" then
3d2ed222	40	val id = Sec.Req.add {usr = you, node = nodeNum, data = String.concat [uname, ": turn tpe ", $"tpe"], msg = $"msg"};
dfb0d0d7	41	if not (Sec.Req.notifyNew id) then
b6dd1aaf	42	%><h3>Error sending e-mail notification</h3><%
dfb0d0d7	43	end
b6dd1aaf	44	%><h3>Request added</h3><%
dfb0d0d7	45
e510b9bd AC	46	elseif $"cmd" = "cron" then
	47	showNormal := false;
	48	val cron = iff $"cron" = "yes" then "enabled" else "disabled";
3d2ed222 AC	49	%>Are you sure you want to request that <tt>cron</tt> permissions for <b><% Web.html uname %></b> on <b><% Web.html nodeName %></b> be <b><% cron %></b>?<br>
3d2ed222 AC	50	<a href="sec?cmd=cron2&node=<% nodeNum %>&uname=<% Web.urlEncode uname %>&cron=<% cron %>&msg=<% Web.urlEncode ($"msg") %>">Yes, place the request!</a><%
e510b9bd AC	51	elseif $"cmd" = "cron2" then
e510b9bd AC	52	val cron = iff $"cron" = "enabled" then "enable" else "disable";
3d2ed222	53	val id = Sec.Req.add {usr = you, node = nodeNum, data = String.concat [uname, ": ", cron, " cron access"], msg = $"msg"};
e510b9bd	54	if not (Sec.Req.notifyNew id) then
b6dd1aaf	55	%><h3>Error sending e-mail notification</h3><%
e510b9bd	56	end
b6dd1aaf	57	%><h3>Request added</h3><%
e510b9bd	58
f432bce2 AC	59	elseif $"cmd" = "ftp" then
	60	showNormal := false;
	61	val ftp = iff $"ftp" = "yes" then "enabled" else "disabled";
3d2ed222 AC	62	%>Are you sure you want to request that FTP permissions for <b><% Web.html uname %></b> on <b><% Web.html nodeName %></b> be <b><% ftp %></b>?<br>
3d2ed222 AC	63	<a href="sec?cmd=ftp2&node=<% nodeNum %>&uname=<% Web.urlEncode uname %>&ftp=<% ftp %>&msg=<% Web.urlEncode ($"msg") %>">Yes, place the request!</a><%
f432bce2 AC	64	elseif $"cmd" = "ftp2" then
f432bce2 AC	65	val ftp = iff $"ftp" = "enabled" then "enable" else "disable";
3d2ed222	66	val id = Sec.Req.add {usr = you, node = nodeNum, data = String.concat [uname, ": ", ftp, " FTP access"], msg = $"msg"};
f432bce2	67	if not (Sec.Req.notifyNew id) then
b6dd1aaf	68	%><h3>Error sending e-mail notification</h3><%
f432bce2	69	end
b6dd1aaf	70	%><h3>Request added</h3><%
f432bce2	71
e510b9bd AC	72	elseif $"cmd" = "rule" then
	73	showNormal := false;
	74	val rule = $"rule";
308f44e7 AC	75
	76	if Sec.validRule rule then
	77	%>Are you sure you want to request the firewall rule <b><% Web.html uname %> <% Web.html rule %></b> on <b><% Web.html nodeName %></b>?<br>
3d2ed222	78	<a href="sec?cmd=rule2&node=<% nodeNum %>&uname=<% Web.urlEncode uname %>&rule=<% Web.urlEncode rule %>&msg=<% Web.urlEncode ($"msg") %>">Yes, place the request!</a><%
308f44e7 AC	79	else
	80	%>"<% Web.html rule %>" is not a valid firewall rule! Please reread <a href="http://wiki.hcoop.net/wiki/FirewallRules">the instructions</a>, and remember to leave off the initial username portion.<%
	81	end
	82
e510b9bd	83	elseif $"cmd" = "rule2" then
308f44e7 AC	84	val rule = $"rule";
	85
	86	if Sec.validRule rule then
	87	val id = Sec.Req.add {usr = you, node = nodeNum, data = String.concat ["Add firewall rule \"", uname, " ", rule, "\""], msg = $"msg"};
	88	if not (Sec.Req.notifyNew id) then
	89	%><h3>Error sending e-mail notification</h3><%
	90	end
	91	%><h3>Request added</h3><%
	92	else
	93	%>"<% Web.html rule %>" is not a valid firewall rule! Please reread <a href="http://wiki.hcoop.net/wiki/FirewallRules">the instructions</a>, and remember to leave off the initial username portion.<%
e510b9bd	94	end
e510b9bd AC	95
	96	elseif $"modRule" <> "" then
	97	showNormal := false;
	98	val oldRule = $"modRule";
	99	val rule = $"rule"
	100	if oldRule = rule then
	101	%>You didn't modify the textbox for this rule before clicking the button, so there is no request to be made.<%
	102	else
3d2ed222 AC	103	%>Are you sure you want to request that firewall rule <b><% Web.html uname %> <% Web.html oldRule %></b> be replaced by <b><% Web.html uname %> <% Web.html rule %></b> on <b><% Web.html nodeName %></b>?<br>
3d2ed222 AC	104	<a href="sec?node=<% nodeNum %>&uname=<% Web.urlEncode uname %>&modRule2=<% Web.urlEncode oldRule %>&rule=<% Web.urlEncode rule %>&msg=<% Web.urlEncode ($"msg") %>">Yes, place the request!</a><%
e510b9bd AC	105	end
e510b9bd AC	106	elseif $"modRule2" <> "" then
3d2ed222	107	val id = Sec.Req.add {usr = you, node = nodeNum, data = String.concat ["Change firewall rule \"", uname, " ", $"modRule2", "\" to \"", uname, " ", $"rule", "\""], msg = $"msg"};
e510b9bd	108	if not (Sec.Req.notifyNew id) then
b6dd1aaf	109	%><h3>Error sending e-mail notification</h3><%
e510b9bd	110	end
b6dd1aaf	111	%><h3>Request added</h3><%
e510b9bd AC	112
	113	elseif $"delRule" <> "" then
	114	showNormal := false;
	115	val oldRule = $"delRule";
3d2ed222 AC	116	%>Are you sure you want to request that firewall rule <b><% Web.html uname %> <% Web.html oldRule %></b> on <b><% Web.html nodeName %></b> be <b>deleted</bD>?<br>
3d2ed222 AC	117	<a href="sec?node=<% nodeNum %>&uname=<% Web.urlEncode uname %>&delRule2=<% Web.urlEncode oldRule %>&msg=<% Web.urlEncode ($"msg") %>">Yes, place the request!</a><%
e510b9bd	118	elseif $"delRule2" <> "" then
3d2ed222	119	val id = Sec.Req.add {usr = you, node = nodeNum, data = String.concat ["Delete firewall rule \"", uname, " ", $"delRule2", "\""], msg = $"msg"};
e510b9bd	120	if not (Sec.Req.notifyNew id) then
b6dd1aaf	121	%><h3>Error sending e-mail notification</h3><%
e510b9bd	122	end
b6dd1aaf	123	%><h3>Request added</h3><%
e510b9bd	124
dfb0d0d7 AC	125	elseif $"cmd" = "open" then
	126	showNormal := false;
	127	Group.requireGroupName "server";
b6dd1aaf	128	%><h3>Open requests</h3>
dfb0d0d7 AC	129	<a href="sec?cmd=list">List all requests</a><%
	130
	131	foreach (name, req) in Sec.Req.listOpen () do %>
	132	<br><hr><br>
b6dd1aaf AC	133	<table class="blanks">
b6dd1aaf AC	134	<tr> <td>By:</td> <td><a href="user?id=<% #usr req %>"><% name %></a></td> </tr>
6b8b767b	135	<tr> <td>Time:</td> <td><% #stamp req %> (<% Util.diffFromNow (#stamp req) %> ago)</td></tr>
3d2ed222	136	<tr> <td>Node:</td> <td><% Web.html (Init.nodeName (#node req)) %></td> </tr>
b6dd1aaf AC	137	<tr> <td>Request:</td> <td><% #data req %></td> </tr>
b6dd1aaf AC	138	<tr> <td>Msg:</td> <td colspan="2"><% Web.html (#msg req) %></td> </tr>
dfb0d0d7 AC	139	</table>
	140
	141	<br>
	142	<a href="sec?mod=<% #id req %>">[Modify]</a>
	143	<a href="sec?del=<% #id req %>">[Delete]</a><br>
	144
	145	<% end
	146
	147	elseif $"cmd" = "list" then
	148	showNormal := false;
	149	Group.requireGroupName "server"
b6dd1aaf	150	%><h3>All requests</h3><%
dfb0d0d7 AC	151
	152	foreach (name, req) in Sec.Req.list () do %>
	153	<br><hr><br>
b6dd1aaf AC	154	<table class="blanks">
b6dd1aaf AC	155	<tr> <td>By:</td> <td colspan="2"><a href="user?id=<% #usr req %>"><% name %></a></td> </tr>
6b8b767b	156	<tr> <td>Time:</td> <td colspan="2"><% #stamp req %> (<% Util.diffFromNow (#stamp req) %> ago)</td></tr>
3d2ed222	157	<tr> <td>Node:</td> <td><% Web.html (Init.nodeName (#node req)) %></td> </tr>
b6dd1aaf AC	158	<tr> <td>Request:</td> <td><% #data req %></td> </tr>
b6dd1aaf AC	159	<tr> <td>Reason:</td> <td colspan="2"><% Web.html (#msg req) %></td> </tr>
dfb0d0d7 AC	160	</table>
	161
	162	<br>
	163	<a href="sec?mod=<% #id req %>">[Modify]</a>
	164	<a href="sec?del=<% #id req %>">[Delete]</a>
	165
	166	<% end
	167
	168	elseif $"mod" <> "" then
	169	showNormal := false;
	170	Group.requireGroupName "server";
	171	val id = Web.stoi ($"mod");
	172	val req = Sec.Req.lookup id;
	173	val user = Init.lookupUser (#usr req) %>
b6dd1aaf	174	<h3>Handle request</h3>
dfb0d0d7 AC	175
	176	<form action="sec" method="post">
	177	<input type="hidden" name="save" value="<% id %>">
b6dd1aaf AC	178	<table class="blanks">
b6dd1aaf AC	179	<tr> <td>Requestor:</td> <td><a href="user?id=<% #usr req %>"><% #name user %></a></td> </tr>
6b8b767b	180	<tr> <td>Time:</td> <td><% #stamp req %> (<% Util.diffFromNow (#stamp req) %> ago)</td></tr>
b6dd1aaf	181	<tr> <td>Status:</td> <td><select name="status">
dfb0d0d7 AC	182	<option value="0"<% if #status req = Sec.Req.NEW then %> selected<% end %>>New</option>
	183	<option value="1"<% if #status req = Sec.Req.INSTALLED then %> selected<% end %>>Installed</option>
	184	<option value="2"<% if #status req = Sec.Req.REJECTED then %> selected<% end %>>Rejected</option>
	185	</select></td> </tr>
3d2ed222 AC	186	<tr> <td>Node:</td> <td><select name="node">
	187	<% foreach node in Init.listNodes () do %>
	188	<option value="<% #id node %>"<% if nodeNum = #node req then %> selected<% end %>><% Web.html (#name node) %> (<% Web.html (#descr node) %>)</option>
	189	<% end %></select></td> </tr>
b6dd1aaf AC	190	<tr> <td>Request:</td> <td><input name="req" value="<% #data req %>"></td> </tr>
b6dd1aaf AC	191	<tr> <td>Message:</td> <td><textarea name="msg" rows="10" cols="80" wrap="soft"><% Web.html (#msg req) %></textarea></td> </tr>
dfb0d0d7 AC	192	<tr> <td><input type="submit" value="Save"></td> </tr>
	193	</table>
	194	</form>
	195
	196	<% elseif $"save" <> "" then
	197	showNormal := false;
	198	Group.requireGroupName "server";
	199	val id = Web.stoi ($"save");
	200	val req = Sec.Req.lookup id;
	201	val oldStatus = #status req;
	202	val newStatus = Sec.Req.statusFromInt (Web.stoi ($"status"));
3d2ed222	203	Sec.Req.modify {req with node = nodeNum, data = $"req", msg = $"msg", status = newStatus};
8812fb4d AC	204	if not (Sec.Req.notifyMod {old = oldStatus, new = newStatus, changer = Init.getUserName(), req = id}) then
8812fb4d AC	205	%><h3>Error sending e-mail notification</h3><%
dfb0d0d7	206	end
b6dd1aaf	207	%><h3>Request modified</h3>
dfb0d0d7 AC	208	Back to: <a href="sec?cmd=open">open requests</a>, <a href="sec?cmd=list">all requests</a>
	209
	210	<% elseif $"del" <> "" then
	211	showNormal := false;
	212	Group.requireGroupName "server";
	213	val id = Web.stoi ($"del");
	214	val req = Sec.Req.lookup id;
	215	val user = Init.lookupUser (#usr req)
3d2ed222	216	%><h3>Are you sure you want to delete request by <% #name user %> for "<% #data req %>" on <% Web.html (Init.nodeName (#node req)) %>?</h3>
dfb0d0d7 AC	217	<a href="sec?del2=<% id %>">Yes, I'm sure!</a>
	218
	219	<% elseif $"del2" <> "" then
	220	showNormal := false;
	221	Group.requireGroupName "server";
	222	val id = Web.stoi ($"del2");
	223	Sec.Req.delete id
b6dd1aaf	224	%><h3>Request deleted</b><h3>
dfb0d0d7 AC	225	Back to: <a href="sec?cmd=open">open requests</a>, <a href="sec?cmd=list">all requests</a>
	226
	227	<% end;
	228
	229	if showNormal then %>
	230
3d2ed222 AC	231	<table class="blanks">
	232	<form action="sec" method="post">
	233	<input type="hidden" name="uname" value="<% Web.html uname %>">
	234	<tr> <td>Machines:</td> <td><select name="node">
	235	<% foreach node in Init.listNodes () do %>
	236	<option value="<% #id node %>"<% if nodeNum = #id node then %> selected<% end %>><% Web.html (#name node) %> (<% Web.html (#descr node) %>)</option>
	237	<% end %></select></td>
	238	<td><input type="submit" value="Switch"></td> </tr>
	239	</form>
dfb0d0d7	240	<form action="sec" method="post">
3d2ed222 AC	241	<input type="hidden" name="node" value="<% nodeNum %>">
3d2ed222 AC	242	<tr> <td>Your users:</td> <td><select name="uname">
dfb0d0d7 AC	243	<% foreach name in (yourname :: Sec.findSubusers yourname) do %>
dfb0d0d7 AC	244	<option value="<% name %>"<% if uname = name then %> selected<% end %>><% name %></option>
3d2ed222 AC	245	<% end %></select></td>
	246	<td><input type="submit" value="Switch"></td> </tr>
	247	</form>
	248	</table>
dfb0d0d7	249
a4adbfb9	250	<!--h3>Request socket permissions change</h3>
dfb0d0d7	251
2d7faa73 AC	252	<p>You need to request socket permissions before you are able to open any network connections. While you will be limited by firewall rules even then, any requests for firewall rules you enter in the "Reason" blank here <b>will be ignored</b>. Please use the separate form at the bottom of this page for that. There is no need to wait until a request for socket permissions has been granted before starting to request firewall rules.</p>
2d7faa73 AC	253
4d46d3eb AC	254	<p>Keep in mind that, if your request is granted, it will never apply to existing log-in sessions. Close them and re-connect to take advantage of your new privileges.</p>
4d46d3eb AC	255
dfb0d0d7	256	<form action="sec" method="post">
3d2ed222	257	<input type="hidden" name="node" value="<% nodeNum %>">
dfb0d0d7 AC	258	<input type="hidden" name="uname" value="<% uname %>">
dfb0d0d7 AC	259	<input type="hidden" name="cmd" value="socks">
b6dd1aaf AC	260	<table class="blanks">
b6dd1aaf AC	261	<tr> <td>New permissions:</td> <td><select name="socks">
dfb0d0d7 AC	262	<option value="none"<% if socks = Sec.NADA then %> selected<% end %>>None</option>
	263	<option value="any"<% if socks = Sec.ANY then %> selected<% end %>>Any</option>
	264	<option value="client"<% if socks = Sec.CLIENT_ONLY then %> selected<% end %>>Client only</option>
	265	<option value="server"<% if socks = Sec.SERVER_ONLY then %> selected<% end %>>Server only</option>
	266	</select></td> </tr>
b6dd1aaf	267	<tr> <td>Reason:</td> <td><textarea name="msg" wrap="soft" rows="3" cols="80"></textarea></td> </tr>
dfb0d0d7 AC	268	<tr> <td><input type="submit" value="Request"></td> </tr>
	269	</table>
	270	</form>
	271
b6dd1aaf	272	<h3>Request change to your execute permissions</h3>
dfb0d0d7 AC	273
dfb0d0d7 AC	274	<form action="sec" method="post">
3d2ed222	275	<input type="hidden" name="node" value="<% nodeNum %>">
dfb0d0d7 AC	276	<input type="hidden" name="uname" value="<% uname %>">
dfb0d0d7 AC	277	<input type="hidden" name="cmd" value="tpe">
b6dd1aaf AC	278	<table class="blanks">
b6dd1aaf AC	279	<tr> <td>Trusted path executables only?</td> <td><select name="tpe">
dfb0d0d7 AC	280	<option value="no"<% if not tpe then %> selected<% end %>>No</option>
	281	<option value="yes"<% if tpe then %> selected<% end %>>Yes</option>
	282	</select></td> </tr>
b6dd1aaf	283	<tr> <td>Reason:</td> <td><textarea name="msg" wrap="soft" rows="3" cols="80"></textarea></td> </tr>
dfb0d0d7 AC	284	<tr> <td><input type="submit" value="Request"></td> </tr>
dfb0d0d7 AC	285	</table>
a4adbfb9	286	</form-->
dfb0d0d7	287
b6dd1aaf	288	<h3>Request change to your <tt>cron</tt> permissions</h3>
e510b9bd AC	289
e510b9bd AC	290	<form action="sec" method="post">
3d2ed222	291	<input type="hidden" name="node" value="<% nodeNum %>">
e510b9bd AC	292	<input type="hidden" name="uname" value="<% uname %>">
e510b9bd AC	293	<input type="hidden" name="cmd" value="cron">
b6dd1aaf AC	294	<table class="blanks">
b6dd1aaf AC	295	<tr> <td>Allowed to use cron?</td> <td><select name="cron">
18eeb749	296	<option value="no"<% if not cron then %> selected<% end %>>No</option>
e510b9bd AC	297	<option value="yes"<% if cron then %> selected<% end %>>Yes</option>
e510b9bd AC	298	</select></td> </tr>
b6dd1aaf	299	<tr> <td>Reason:</td> <td><textarea name="msg" wrap="soft" rows="3" cols="80"></textarea></td> </tr>
e510b9bd AC	300	<tr> <td><input type="submit" value="Request"></td> </tr>
	301	</table>
	302	</form>
	303
b6dd1aaf	304	<h3>Request change to your FTP permissions</h3>
f432bce2	305
18eeb749 AC	306	<p>Please read <a href="http://wiki.hcoop.net/wiki/FileTransfer">our wiki instructions on file transfer</a> before requesting FTP access. Almost everyone should use alternative protocols to FTP that provide superior security benefits.</p>
18eeb749 AC	307
f432bce2	308	<form action="sec" method="post">
3d2ed222	309	<input type="hidden" name="node" value="<% nodeNum %>">
f432bce2 AC	310	<input type="hidden" name="uname" value="<% uname %>">
f432bce2 AC	311	<input type="hidden" name="cmd" value="ftp">
b6dd1aaf AC	312	<table class="blanks">
b6dd1aaf AC	313	<tr> <td>Allowed to use FTP?</td> <td><select name="ftp">
f432bce2 AC	314	<option value="no"<% if not ftp then %> selected<% end %>>No</option>
	315	<option value="yes"<% if ftp then %> selected<% end %>>Yes</option>
	316	</select></td> </tr>
b6dd1aaf	317	<tr> <td>Reason:</td> <td><textarea name="msg" wrap="soft" rows="3" cols="80"></textarea></td> </tr>
f432bce2 AC	318	<tr> <td><input type="submit" value="Request"></td> </tr>
	319	</table>
	320	</form>
	321
3d2ed222	322	<% val rules = Sec.findFirewallRules {node = nodeNum, uname = uname};
e510b9bd AC	323	switch rules of
e510b9bd AC	324	_::_ => %>
b6dd1aaf	325	<h3>Your firewall rules</h3>
e510b9bd AC	326
	327	<% foreach rule in rules do %>
	328	<form action="sec" method="post">
3d2ed222	329	<input type="hidden" name="node" value="<% nodeNum %>">
e510b9bd AC	330	<input type="hidden" name="uname" value="<% uname %>">
	331	<input type="hidden" name="modRule" value="<% Web.html rule %>">
	332	<input name="rule" value="<% Web.html rule %>">
	333	<a href="sec?delRule=<% Web.urlEncode rule %>">[Request deletion]</a>
	334	<input type="submit" value="Request change">
	335	</form><br>
	336	<% end
	337	end%>
	338
1bb18394 AC	339	<h3>Request a new firewall rule</h3>
1bb18394 AC	340
99061f22	341	<p><b>This form isn't needed yet to allow you to use any port. However, if you request a rule here, you can be sure it will be added when we first implement firewalls on our new servers. Otherwise, your custom services may stop working.</b></p>
e510b9bd AC	342
	343	<p>You can find a description of rule formats <a href="http://wiki.hcoop.net/wiki/FirewallRules">on our wiki</a>. Enter here the rule you want, without the initial <tt>user</tt> portion.</p>
	344
4d46d3eb	345	<p>Please note that <b>your firewall rule will be useless</b> if you don't first request the corresponding socket privileges at the top of this page. Also, common ports like 80 (HTTP) are open to everyone with socket permissions. Verify that you can't access a port after socket permissions have been granted before requesting a special rule here.</p>
18eeb749	346
b986395e AC	347	<p>We very rarely grant requests for Client rules that don't include remote host whitelists. For example, important security concerns make it a bad idea for us to give anybody blanket IRC permissions. Instead, request specific servers. We will refuse such requests that include networks that are popularly considered fronts for illegal activity.</p>
b986395e AC	348
e510b9bd	349	<form action="sec" method="post">
3d2ed222	350	<input type="hidden" name="node" value="<% nodeNum %>">
e510b9bd AC	351	<input type="hidden" name="uname" value="<% uname %>">
e510b9bd AC	352	<input type="hidden" name="cmd" value="rule">
b6dd1aaf AC	353	<table class="blanks">
	354	<tr> <td>Rule</td> <td><input name="rule" size="80"></td> </tr>
	355	<tr> <td>Reason:</td> <td><textarea name="msg" wrap="soft" rows="3" cols="80"></textarea></td> </tr>
e510b9bd AC	356	<tr> <td><input type="submit" value="Request"></td> </tr>
e510b9bd AC	357	</table>
1bb18394	358	</form>
e510b9bd	359
dfb0d0d7 AC	360	<% end %>
	361
	362	<% @footer[] %>