HCoop / bpt / portal.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Join script should rule out retired usernames
[bpt/portal.git] / sec.mlt
1 <% val you = Init.getUserId ();
2 val yourname = Init.getUserName ();
3
4 val nodeNum = case $"node" of
5 "" => 2
6 | node => Web.stoi node;
7 val nodeName = Init.nodeName nodeNum;
8
9 val uname = case $"uname" of
10 "" => yourname
11 | uname => uname;
12
13 val socks = Sec.socketPerms {node = nodeNum, uname = uname};
14 val tpe = Sec.isTpe {node = nodeNum, uname = uname};
15 val cron = Sec.cronAllowed {node = nodeNum, uname = uname};
16 val ftp = Sec.ftpAllowed {node = nodeNum, uname = uname};
17
18 ref showNormal = true;
19
20 @header [("title", ["Security settings"])];
21
22 if $"cmd" = "socks" then
23 showNormal := false;
24 val socks = $"socks";
25 %>Are you sure you want to request that socket permissions for <b><% Web.html uname %></b> on <b><% Web.html nodeName %></b> be changed to <b><% Web.html socks %></b>?<br>
26 <a href="sec?cmd=socks2&node=<% nodeNum %>&uname=<% Web.urlEncode uname %>&socks=<% Web.urlEncode socks %>&msg=<% Web.urlEncode ($"msg") %>">Yes, place the request!</a><%
27 elseif $"cmd" = "socks2" then
28 val id = Sec.Req.add {usr = you, node = nodeNum, data = String.concat [uname, ": change socket permissions to ", $"socks"], msg = $"msg"};
29 if not (Sec.Req.notifyNew id) then
30 %><h3>Error sending e-mail notification</h3><%
31 end
32 %><h3>Request added</h3><%
33
34 elseif $"cmd" = "tpe" then
35 showNormal := false;
36 val tpe = iff $"tpe" = "yes" then "on" else "off";
37 %>Are you sure you want to request that trusted-path-executables-only for <b><% Web.html uname %></b> on <b><% Web.html nodeName %></b> be turned <b><% tpe %></b>?<br>
38 <a href="sec?cmd=tpe2&node=<% nodeNum %>&uname=<% Web.urlEncode uname %>&tpe=<% tpe %>&msg=<% Web.urlEncode ($"msg") %>">Yes, place the request!</a><%
39 elseif $"cmd" = "tpe2" then
40 val id = Sec.Req.add {usr = you, node = nodeNum, data = String.concat [uname, ": turn tpe ", $"tpe"], msg = $"msg"};
41 if not (Sec.Req.notifyNew id) then
42 %><h3>Error sending e-mail notification</h3><%
43 end
44 %><h3>Request added</h3><%
45
46 elseif $"cmd" = "cron" then
47 showNormal := false;
48 val cron = iff $"cron" = "yes" then "enabled" else "disabled";
49 %>Are you sure you want to request that <tt>cron</tt> permissions for <b><% Web.html uname %></b> on <b><% Web.html nodeName %></b> be <b><% cron %></b>?<br>
50 <a href="sec?cmd=cron2&node=<% nodeNum %>&uname=<% Web.urlEncode uname %>&cron=<% cron %>&msg=<% Web.urlEncode ($"msg") %>">Yes, place the request!</a><%
51 elseif $"cmd" = "cron2" then
52 val cron = iff $"cron" = "enabled" then "enable" else "disable";
53 val id = Sec.Req.add {usr = you, node = nodeNum, data = String.concat [uname, ": ", cron, " cron access"], msg = $"msg"};
54 if not (Sec.Req.notifyNew id) then
55 %><h3>Error sending e-mail notification</h3><%
56 end
57 %><h3>Request added</h3><%
58
59 elseif $"cmd" = "ftp" then
60 showNormal := false;
61 val ftp = iff $"ftp" = "yes" then "enabled" else "disabled";
62 %>Are you sure you want to request that FTP permissions for <b><% Web.html uname %></b> on <b><% Web.html nodeName %></b> be <b><% ftp %></b>?<br>
63 <a href="sec?cmd=ftp2&node=<% nodeNum %>&uname=<% Web.urlEncode uname %>&ftp=<% ftp %>&msg=<% Web.urlEncode ($"msg") %>">Yes, place the request!</a><%
64 elseif $"cmd" = "ftp2" then
65 val ftp = iff $"ftp" = "enabled" then "enable" else "disable";
66 val id = Sec.Req.add {usr = you, node = nodeNum, data = String.concat [uname, ": ", ftp, " FTP access"], msg = $"msg"};
67 if not (Sec.Req.notifyNew id) then
68 %><h3>Error sending e-mail notification</h3><%
69 end
70 %><h3>Request added</h3><%
71
72 elseif $"cmd" = "rule" then
73 showNormal := false;
74 val rule = $"rule";
75
76 if Sec.validRule rule then
77 %>Are you sure you want to request the firewall rule <b><% Web.html uname %>&nbsp;<% Web.html rule %></b> on <b><% Web.html nodeName %></b>?<br>
78 <a href="sec?cmd=rule2&node=<% nodeNum %>&uname=<% Web.urlEncode uname %>&rule=<% Web.urlEncode rule %>&msg=<% Web.urlEncode ($"msg") %>">Yes, place the request!</a><%
79 else
80 %>"<% Web.html rule %>" is not a valid firewall rule! Please reread <a href="http://wiki.hcoop.net/wiki/FirewallRules">the instructions</a>, and remember to leave off the initial username portion.<%
81 end
82
83 elseif $"cmd" = "rule2" then
84 val rule = $"rule";
85
86 if Sec.validRule rule then
87 val id = Sec.Req.add {usr = you, node = nodeNum, data = String.concat ["Add firewall rule \"", uname, " ", rule, "\""], msg = $"msg"};
88 if not (Sec.Req.notifyNew id) then
89 %><h3>Error sending e-mail notification</h3><%
90 end
91 %><h3>Request added</h3><%
92 else
93 %>"<% Web.html rule %>" is not a valid firewall rule! Please reread <a href="http://wiki.hcoop.net/wiki/FirewallRules">the instructions</a>, and remember to leave off the initial username portion.<%
94 end
95
96 elseif $"modRule" <> "" then
97 showNormal := false;
98 val oldRule = $"modRule";
99 val rule = $"rule"
100 if oldRule = rule then
101 %>You didn't modify the textbox for this rule before clicking the button, so there is no request to be made.<%
102 else
103 %>Are you sure you want to request that firewall rule <b><% Web.html uname %>&nbsp;<% Web.html oldRule %></b> be replaced by <b><% Web.html uname %>&nbsp;<% Web.html rule %></b> on <b><% Web.html nodeName %></b>?<br>
104 <a href="sec?node=<% nodeNum %>&uname=<% Web.urlEncode uname %>&modRule2=<% Web.urlEncode oldRule %>&rule=<% Web.urlEncode rule %>&msg=<% Web.urlEncode ($"msg") %>">Yes, place the request!</a><%
105 end
106 elseif $"modRule2" <> "" then
107 val id = Sec.Req.add {usr = you, node = nodeNum, data = String.concat ["Change firewall rule \"", uname, " ", $"modRule2", "\" to \"", uname, " ", $"rule", "\""], msg = $"msg"};
108 if not (Sec.Req.notifyNew id) then
109 %><h3>Error sending e-mail notification</h3><%
110 end
111 %><h3>Request added</h3><%
112
113 elseif $"delRule" <> "" then
114 showNormal := false;
115 val oldRule = $"delRule";
116 %>Are you sure you want to request that firewall rule <b><% Web.html uname %>&nbsp;<% Web.html oldRule %></b> on <b><% Web.html nodeName %></b> be <b>deleted</bD>?<br>
117 <a href="sec?node=<% nodeNum %>&uname=<% Web.urlEncode uname %>&delRule2=<% Web.urlEncode oldRule %>&msg=<% Web.urlEncode ($"msg") %>">Yes, place the request!</a><%
118 elseif $"delRule2" <> "" then
119 val id = Sec.Req.add {usr = you, node = nodeNum, data = String.concat ["Delete firewall rule \"", uname, " ", $"delRule2", "\""], msg = $"msg"};
120 if not (Sec.Req.notifyNew id) then
121 %><h3>Error sending e-mail notification</h3><%
122 end
123 %><h3>Request added</h3><%
124
125 elseif $"cmd" = "open" then
126 showNormal := false;
127 Group.requireGroupName "server";
128 %><h3>Open requests</h3>
129 <a href="sec?cmd=list">List all requests</a><%
130
131 foreach (name, req) in Sec.Req.listOpen () do %>
132 <br><hr><br>
133 <table class="blanks">
134 <tr> <td>By:</td> <td><a href="user?id=<% #usr req %>"><% name %></a></td> </tr>
135 <tr> <td>Time:</td> <td><% #stamp req %> (<% Util.diffFromNow (#stamp req) %> ago)</td></tr>
136 <tr> <td>Node:</td> <td><% Web.html (Init.nodeName (#node req)) %></td> </tr>
137 <tr> <td>Request:</td> <td><% #data req %></td> </tr>
138 <tr> <td>Msg:</td> <td colspan="2"><% Web.html (#msg req) %></td> </tr>
139 </table>
140
141 <br>
142 <a href="sec?mod=<% #id req %>">[Modify]</a>
143 <a href="sec?del=<% #id req %>">[Delete]</a><br>
144
145 <% end
146
147 elseif $"cmd" = "list" then
148 showNormal := false;
149 Group.requireGroupName "server"
150 %><h3>All requests</h3><%
151
152 foreach (name, req) in Sec.Req.list () do %>
153 <br><hr><br>
154 <table class="blanks">
155 <tr> <td>By:</td> <td colspan="2"><a href="user?id=<% #usr req %>"><% name %></a></td> </tr>
156 <tr> <td>Time:</td> <td colspan="2"><% #stamp req %> (<% Util.diffFromNow (#stamp req) %> ago)</td></tr>
157 <tr> <td>Node:</td> <td><% Web.html (Init.nodeName (#node req)) %></td> </tr>
158 <tr> <td>Request:</td> <td><% #data req %></td> </tr>
159 <tr> <td>Reason:</td> <td colspan="2"><% Web.html (#msg req) %></td> </tr>
160 </table>
161
162 <br>
163 <a href="sec?mod=<% #id req %>">[Modify]</a>
164 <a href="sec?del=<% #id req %>">[Delete]</a>
165
166 <% end
167
168 elseif $"mod" <> "" then
169 showNormal := false;
170 Group.requireGroupName "server";
171 val id = Web.stoi ($"mod");
172 val req = Sec.Req.lookup id;
173 val user = Init.lookupUser (#usr req) %>
174 <h3>Handle request</h3>
175
176 <form action="sec" method="post">
177 <input type="hidden" name="save" value="<% id %>">
178 <table class="blanks">
179 <tr> <td>Requestor:</td> <td><a href="user?id=<% #usr req %>"><% #name user %></a></td> </tr>
180 <tr> <td>Time:</td> <td><% #stamp req %> (<% Util.diffFromNow (#stamp req) %> ago)</td></tr>
181 <tr> <td>Status:</td> <td><select name="status">
182 <option value="0"<% if #status req = Sec.Req.NEW then %> selected<% end %>>New</option>
183 <option value="1"<% if #status req = Sec.Req.INSTALLED then %> selected<% end %>>Installed</option>
184 <option value="2"<% if #status req = Sec.Req.REJECTED then %> selected<% end %>>Rejected</option>
185 </select></td> </tr>
186 <tr> <td>Node:</td> <td><select name="node">
187 <% foreach node in Init.listNodes () do %>
188 <option value="<% #id node %>"<% if nodeNum = #node req then %> selected<% end %>><% Web.html (#name node) %> (<% Web.html (#descr node) %>)</option>
189 <% end %></select></td> </tr>
190 <tr> <td>Request:</td> <td><input name="req" value="<% #data req %>"></td> </tr>
191 <tr> <td>Message:</td> <td><textarea name="msg" rows="10" cols="80" wrap="soft"><% Web.html (#msg req) %></textarea></td> </tr>
192 <tr> <td><input type="submit" value="Save"></td> </tr>
193 </table>
194 </form>
195
196 <% elseif $"save" <> "" then
197 showNormal := false;
198 Group.requireGroupName "server";
199 val id = Web.stoi ($"save");
200 val req = Sec.Req.lookup id;
201 val oldStatus = #status req;
202 val newStatus = Sec.Req.statusFromInt (Web.stoi ($"status"));
203 Sec.Req.modify {req with node = nodeNum, data = $"req", msg = $"msg", status = newStatus};
204 if not (Sec.Req.notifyMod {old = oldStatus, new = newStatus, changer = Init.getUserName(), req = id}) then
205 %><h3>Error sending e-mail notification</h3><%
206 end
207 %><h3>Request modified</h3>
208 Back to: <a href="sec?cmd=open">open requests</a>, <a href="sec?cmd=list">all requests</a>
209
210 <% elseif $"del" <> "" then
211 showNormal := false;
212 Group.requireGroupName "server";
213 val id = Web.stoi ($"del");
214 val req = Sec.Req.lookup id;
215 val user = Init.lookupUser (#usr req)
216 %><h3>Are you sure you want to delete request by <% #name user %> for "<% #data req %>" on <% Web.html (Init.nodeName (#node req)) %>?</h3>
217 <a href="sec?del2=<% id %>">Yes, I'm sure!</a>
218
219 <% elseif $"del2" <> "" then
220 showNormal := false;
221 Group.requireGroupName "server";
222 val id = Web.stoi ($"del2");
223 Sec.Req.delete id
224 %><h3>Request deleted</b><h3>
225 Back to: <a href="sec?cmd=open">open requests</a>, <a href="sec?cmd=list">all requests</a>
226
227 <% end;
228
229 if showNormal then %>
230
231 <table class="blanks">
232 <form action="sec" method="post">
233 <input type="hidden" name="uname" value="<% Web.html uname %>">
234 <tr> <td>Machines:</td> <td><select name="node">
235 <% foreach node in Init.listNodes () do %>
236 <option value="<% #id node %>"<% if nodeNum = #id node then %> selected<% end %>><% Web.html (#name node) %> (<% Web.html (#descr node) %>)</option>
237 <% end %></select></td>
238 <td><input type="submit" value="Switch"></td> </tr>
239 </form>
240 <form action="sec" method="post">
241 <input type="hidden" name="node" value="<% nodeNum %>">
242 <tr> <td>Your users:</td> <td><select name="uname">
243 <% foreach name in (yourname :: Sec.findSubusers yourname) do %>
244 <option value="<% name %>"<% if uname = name then %> selected<% end %>><% name %></option>
245 <% end %></select></td>
246 <td><input type="submit" value="Switch"></td> </tr>
247 </form>
248 </table>
249
250 <!--h3>Request socket permissions change</h3>
251
252 <p>You need to request socket permissions before you are able to open any network connections. While you will be limited by firewall rules even then, any requests for firewall rules you enter in the "Reason" blank here <b>will be ignored</b>. Please use the separate form at the bottom of this page for that. There is no need to wait until a request for socket permissions has been granted before starting to request firewall rules.</p>
253
254 <p>Keep in mind that, if your request is granted, it will never apply to existing log-in sessions. Close them and re-connect to take advantage of your new privileges.</p>
255
256 <form action="sec" method="post">
257 <input type="hidden" name="node" value="<% nodeNum %>">
258 <input type="hidden" name="uname" value="<% uname %>">
259 <input type="hidden" name="cmd" value="socks">
260 <table class="blanks">
261 <tr> <td>New permissions:</td> <td><select name="socks">
262 <option value="none"<% if socks = Sec.NADA then %> selected<% end %>>None</option>
263 <option value="any"<% if socks = Sec.ANY then %> selected<% end %>>Any</option>
264 <option value="client"<% if socks = Sec.CLIENT_ONLY then %> selected<% end %>>Client only</option>
265 <option value="server"<% if socks = Sec.SERVER_ONLY then %> selected<% end %>>Server only</option>
266 </select></td> </tr>
267 <tr> <td>Reason:</td> <td><textarea name="msg" wrap="soft" rows="3" cols="80"></textarea></td> </tr>
268 <tr> <td><input type="submit" value="Request"></td> </tr>
269 </table>
270 </form>
271
272 <h3>Request change to your execute permissions</h3>
273
274 <form action="sec" method="post">
275 <input type="hidden" name="node" value="<% nodeNum %>">
276 <input type="hidden" name="uname" value="<% uname %>">
277 <input type="hidden" name="cmd" value="tpe">
278 <table class="blanks">
279 <tr> <td>Trusted path executables only?</td> <td><select name="tpe">
280 <option value="no"<% if not tpe then %> selected<% end %>>No</option>
281 <option value="yes"<% if tpe then %> selected<% end %>>Yes</option>
282 </select></td> </tr>
283 <tr> <td>Reason:</td> <td><textarea name="msg" wrap="soft" rows="3" cols="80"></textarea></td> </tr>
284 <tr> <td><input type="submit" value="Request"></td> </tr>
285 </table>
286 </form-->
287
288 <h3>Request change to your <tt>cron</tt> permissions</h3>
289
290 <form action="sec" method="post">
291 <input type="hidden" name="node" value="<% nodeNum %>">
292 <input type="hidden" name="uname" value="<% uname %>">
293 <input type="hidden" name="cmd" value="cron">
294 <table class="blanks">
295 <tr> <td>Allowed to use cron?</td> <td><select name="cron">
296 <option value="no"<% if not cron then %> selected<% end %>>No</option>
297 <option value="yes"<% if cron then %> selected<% end %>>Yes</option>
298 </select></td> </tr>
299 <tr> <td>Reason:</td> <td><textarea name="msg" wrap="soft" rows="3" cols="80"></textarea></td> </tr>
300 <tr> <td><input type="submit" value="Request"></td> </tr>
301 </table>
302 </form>
303
304 <h3>Request change to your FTP permissions</h3>
305
306 <p>Please read <a href="http://wiki.hcoop.net/wiki/FileTransfer">our wiki instructions on file transfer</a> before requesting FTP access. Almost everyone should use alternative protocols to FTP that provide superior security benefits.</p>
307
308 <form action="sec" method="post">
309 <input type="hidden" name="node" value="<% nodeNum %>">
310 <input type="hidden" name="uname" value="<% uname %>">
311 <input type="hidden" name="cmd" value="ftp">
312 <table class="blanks">
313 <tr> <td>Allowed to use FTP?</td> <td><select name="ftp">
314 <option value="no"<% if not ftp then %> selected<% end %>>No</option>
315 <option value="yes"<% if ftp then %> selected<% end %>>Yes</option>
316 </select></td> </tr>
317 <tr> <td>Reason:</td> <td><textarea name="msg" wrap="soft" rows="3" cols="80"></textarea></td> </tr>
318 <tr> <td><input type="submit" value="Request"></td> </tr>
319 </table>
320 </form>
321
322 <% val rules = Sec.findFirewallRules {node = nodeNum, uname = uname};
323 switch rules of
324 _::_ => %>
325 <h3>Your firewall rules</h3>
326
327 <% foreach rule in rules do %>
328 <form action="sec" method="post">
329 <input type="hidden" name="node" value="<% nodeNum %>">
330 <input type="hidden" name="uname" value="<% uname %>">
331 <input type="hidden" name="modRule" value="<% Web.html rule %>">
332 <input name="rule" value="<% Web.html rule %>">
333 <a href="sec?delRule=<% Web.urlEncode rule %>">[Request deletion]</a>
334 <input type="submit" value="Request change">
335 </form><br>
336 <% end
337 end%>
338
339 <h3>Request a new firewall rule</h3>
340
341 <p><b>This form isn't needed yet to allow you to use any port. However, if you request a rule here, you can be sure it will be added when we first implement firewalls on our new servers. Otherwise, your custom services may stop working.</b></p>
342
343 <p>You can find a description of rule formats <a href="http://wiki.hcoop.net/wiki/FirewallRules">on our wiki</a>. Enter here the rule you want, without the initial <tt>user</tt> portion.</p>
344
345 <p>Please note that <b>your firewall rule will be useless</b> if you don't first request the corresponding socket privileges at the top of this page. Also, common ports like 80 (HTTP) are open to everyone with socket permissions. Verify that you can't access a port after socket permissions have been granted before requesting a special rule here.</p>
346
347 <p>We very rarely grant requests for Client rules that don't include remote host whitelists. For example, important security concerns make it a bad idea for us to give anybody blanket IRC permissions. Instead, request specific servers. We will refuse such requests that include networks that are popularly considered fronts for illegal activity.</p>
348
349 <form action="sec" method="post">
350 <input type="hidden" name="node" value="<% nodeNum %>">
351 <input type="hidden" name="uname" value="<% uname %>">
352 <input type="hidden" name="cmd" value="rule">
353 <table class="blanks">
354 <tr> <td>Rule</td> <td><input name="rule" size="80"></td> </tr>
355 <tr> <td>Reason:</td> <td><textarea name="msg" wrap="soft" rows="3" cols="80"></textarea></td> </tr>
356 <tr> <td><input type="submit" value="Request"></td> </tr>
357 </table>
358 </form>
359
360 <% end %>
361
362 <% @footer[] %>
Unnamed repository; edit this file 'description' to name the repository.