Fix to correctly disable manual upgrades

https://forum.virtualmin.com/t/should-this-warning-be-displayed/126011
2026-03-20 08:40:24 +00:00 · 2024-04-17 20:39:43 +03:00
parent c22f7fa8af
commit 54d2766960
5 changed files with 16 additions and 7 deletions
--- a/makedebian.pl
+++ b/makedebian.pl
@@ -334,7 +334,11 @@ if [ "$product" = "webmin" ]; then
 	fi
 fi
 rm -f /var/lock/subsys/$baseproduct
-
+if [ -d /etc/webmin/$product ]; then
+	if [ ! -f /etc/webmin/$product/defaultacl ]; then
+		echo 'disallow=upgrade' > /etc/webmin/$product/defaultacl 2>/dev/null
+	fi
+fi
 if [ "\$inetd" != "1" ]; then
 	productucf=Webmin
 	if [ "$product" = "usermin" ]; then
--- a/makerpm.pl
+++ b/makerpm.pl
@@ -230,6 +230,11 @@ export config_dir var_dir perl autoos port login crypt host ssl nochown autothir
 ./setup.sh >\$tempdir/webmin-setup.out 2>&1
 chmod 600 \$tempdir/webmin-setup.out
 rm -f /var/lock/subsys/webmin
+if [ -d /etc/webmin/webmin ]; then
+	if [ ! -f /etc/webmin/webmin/defaultacl ]; then
+		echo 'disallow=upgrade' > /etc/webmin/webmin/defaultacl 2>/dev/null
+	fi
+fi
 cd /usr/libexec/webmin
 if [ "\$inetd" != "1" ]; then
 	if [ "\$1" == 1 ]; then
--- a/usermin/usermin-lib.pl
+++ b/usermin/usermin-lib.pl
@@ -13,7 +13,9 @@ BEGIN { push(@INC, ".."); };
 use WebminCore;
 &init_config();
 %access = &get_module_acl();
-$access{'upgrade'} = 0 if (&is_readonly_mode());	# too hard to fake
+$access{'upgrade'} = 0
+	if (&is_readonly_mode() ||
+	    $access{'disallow'} =~ /upgrade/);	# too hard to fake
 &foreign_require("webmin");
 &foreign_require("acl");
 %text = ( %webmin::text, %text );
--- a/web-lib-funcs.pl
+++ b/web-lib-funcs.pl
@@ -4520,8 +4520,9 @@ $m ||= "";
 my $mdir = &module_root_directory($m);
 my %rv;
 if (!$nodef) {
-	# Read default ACL first, to be overridden by per-user settings
+	# Read default ACLs first, to be overridden by per-user settings
 	&read_file_cached("$mdir/defaultacl", \%rv);
+	&read_file_cached("$config_directory/$m/defaultacl", \%rv);

 	# If this isn't a master admin user, apply the negative permissions
 	# so that he doesn't un-expectedly gain access to new features
--- a/webmin/webmin-lib.pl
+++ b/webmin/webmin-lib.pl
@@ -1264,14 +1264,11 @@ if (&foreign_check("acl")) {
 	}

 # New Webmin version is available, but only once per day
-my %raccess = &get_module_acl('root');
-my %rdisallow = map { $_, 1 } split(/\s+/, $raccess{'disallow'} || "");
 my %access = &get_module_acl();
 my %disallow = map { $_, 1 } split(/\s+/, $access{'disallow'} || "");
 my %allow = map { $_, 1 } split(/\s+/, $access{'allow'} || "");
 if (&foreign_available($module_name) && !$gconfig{'nowebminup'} &&
-    !$noupdates && ($allow{'upgrade'} ||
-		    (!$disallow{'upgrade'} && !$rdisallow{'upgrade'}))) {
+    !$noupdates && ($allow{'upgrade'} || !$disallow{'upgrade'})) {
 	if (!$config{'last_version_check'} ||
 	    $now - $config{'last_version_check'} > 24*60*60) {
 		# Cached last version has expired .. re-fetch