From 8fa35e76cd17bb2f59508c8429306b04cb1ea447 Mon Sep 17 00:00:00 2001
From: Jamie Cameron
Date: Sun, 12 Sep 2010 17:30:24 -0700
Subject: [PATCH] More work on editing ACLs for users and groups in the DB
---
acl/acl-lib.pl | 54 +++++++++++++++++++++++++---------------------
acl/edit_group.cgi | 4 ++--
acl/edit_user.cgi | 4 ++--
acl/lang/en | 7 +++---
acl/save_group.cgi | 4 ++--
acl/save_user.cgi | 6 ++----
web-lib-funcs.pl | 45 ++++++++++++++++++++++++++++++++++----
7 files changed, 83 insertions(+), 41 deletions(-)
diff --git a/acl/acl-lib.pl b/acl/acl-lib.pl
index 82b4e35b2..c40d1fcfc 100755
--- a/acl/acl-lib.pl
+++ b/acl/acl-lib.pl
@@ -1124,16 +1124,13 @@ The parameters are : sub copy_acl_files { my ($from, $to, $mods) = @_; -my ($dbh, $fromid, $toid); -my ($proto, $user, $pass, $host, $prefix, $args); +my ($dbh, $proto, $fromid, $toid); # Check if the user is in a DB -&get_miniserv_config(\%miniserv); -if ($miniserv{'userdb'}) { - $dbh = &connect_userdb($miniserv{'userdb'}); +my $userdb = &get_userdb_string(); +if ($userdb) { + ($dbh, $proto) = &connect_userdb($userdb); &error($dbh) if (!ref($dbh)); - ($proto, $user, $pass, $host, $prefix, $args) = - &split_userdb_string($miniserv{'userdb'}); if ($proto eq "mysql" || $proto eq "postgresql") { # Search in SQL DB my $cmd = $dbh->prepare(
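Review bot: The comment `# Check if the user is in a DB` kept above the new `my $userdb = &get_userdb_string();` no longer matches the code beneath it, which only tests whether a user DB is configured at all; whether `$from` and `$to` actually live there is decided by the `$fromid`/`$toid` lookups that follow. Reword it to `# If a user DB is configured, look up both users there` so the two steps are not conflated for the next reader. copy_acl_files starts with this hunk and continues into the following ones.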
@@ -1154,10 +1151,12 @@ if ($miniserv{'userdb'}) { if (defined($fromid) && defined($toid)) { # Copy from database to database if ($proto eq "mysql" || $proto eq "postgresql") { - my $cmd = $dbh->prepare("insert into webmin_user_acl select ?,module,attr,value from webmin_user_acl where id = ?"); - $cmd && $cmd->execute($toid, $fromid) || - &error("Failed to copy ACLs : ".$dbh->errstr); - $cmd->finish(); + my $cmd = $dbh->prepare("insert into webmin_user_acl select ?,module,attr,value from webmin_user_acl where id = ? and module = ?"); + foreach my $m (@$mods) { + $cmd && $cmd->execute($toid, $fromid, $m) || + &error("Failed to copy ACLs : ".$dbh->errstr); + $cmd->finish(); + } } elsif ($proto eq "ldap") { # XXX
@@ -1175,10 +1174,15 @@ elsif (!defined($fromid) && !defined($toid)) { } else { # Source and dest use different storage types - # XXX + foreach my $m (@$mods) { + my %caccess = &get_module_acl($from, $m, 1, 1); + if (%caccess) { + &save_module_acl(\%caccess, $to, $m, 1); + } + } } if ($dbh) { - &disconnect_userdb($miniserv{'userdb'}, $dbh); + &disconnect_userdb($userdb, $dbh); } }
@@ -1219,6 +1223,7 @@ are : =cut sub copy_group_user_acl_files { +# XXX deal with user DB! local $m; foreach $m (@{$_[2]}) { &unlink_file("$config_directory/$m/$_[1].acl");
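Review bot: The new per-module loop in the SQL branch inserts rows for `$toid` without first removing the destination's existing rows for that module, so copying onto a user who already has settings for `$m` either leaves duplicate attributes behind or, if webmin_user_acl carries a uniqueness constraint on (id, module, attr), makes the execute fail with "Failed to copy ACLs". The file-to-file branch (only its `elsif` header is visible here) presumably overwrites the destination .acl file, so the DB path should match by running `delete from webmin_user_acl where id = ? and module = ?` bound to `($toid, $m)` before each insert. The mixed-storage branch in the next hunk (`@@ -1175`) has the same asymmetry from the other side: `if (%caccess)` skips the save when the source has no explicit ACL, leaving the destination's old settings in place rather than clearing them. Both module names reach SQL through placeholders, which is the right way to carry `@$mods` into the query. copy_acl_files starts before this hunk and ends in the next one.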
@@ -1247,32 +1252,33 @@ detailed access control settings from the group down to users. Parameters are : =cut sub set_acl_files { -local $m; -foreach $m (@{$_[3]}) { +my ($allusers, $allgroups, $mod, $members, $access) = @_; +foreach my $m (@$members) { if ($m !~ /^\@(.*)$/) { # Member is a user - local ($u) = grep { $_->{'name'} eq $m } @{$_[0]}; + local ($u) = grep { $_->{'name'} eq $m } @$allusers; if ($u) { local $aclfile = - "$config_directory/$_[2]/$u->{'name'}.acl"; + "$config_directory/$mod/$u->{'name'}.acl"; &lock_file($aclfile); - &write_file($aclfile, $_[4]); - chmod(0640, $aclfile); + &save_module_acl($access, $u->{'name'}, $mod, 1); + chmod(0640, $aclfile) if (-r $aclfile); &unlock_file($aclfile); } } else { # Member is a group local $gname = substr($m, 1); - local ($g) = grep { $_->{'name'} eq $gname } @{$_[1]}; + local ($g) = grep { $_->{'name'} eq $gname } @$allgroups; if ($g) { local $aclfile = - "$config_directory/$_[2]/$g->{'name'}.gacl"; + "$config_directory/$mod/$g->{'name'}.gacl"; &lock_file($aclfile); - &write_file($aclfile, $_[4]); - chmod(0640, $aclfile); + &save_group_module_acl($access, $g->{'name'}, $mod, 1); + chmod(0640, $aclfile) if (-r $aclfile); &unlock_file($aclfile); - &set_acl_files($_[0], $_[1], $_[2], $g->{'members'}, $_[4]); + &set_acl_files($allusers, $allgroups, $mod, + $g->{'members'}, $access); } } }
diff --git a/acl/edit_group.cgi b/acl/edit_group.cgi
index 52362c1e0..7ca1583ab 100755
--- a/acl/edit_group.cgi
+++ b/acl/edit_group.cgi
@@ -76,14 +76,14 @@ if ($in{'group'}) { # Storage type if ($in{'group'}) { print &ui_table_row($text{'edit_proto'}, - $text{'edit_proto'.$user{'proto'}}); + $text{'edit_proto_'.$group{'proto'}}); } print &ui_hidden_table_end("basic"); # Start of modules section print &ui_hidden_table_start(@groups ? $text{'edit_modsg'} : $text{'edit_mods'}, - "width=100%", 2, "mods", 1); + "width=100%", 2, "mods"); # Show available modules, under categories @mlist = &list_module_infos();
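Review bot: The rewritten set_acl_files mixes scoping styles: the parameters and the loop variable are now `my`, but `$u`, `$aclfile`, `$gname` and `$g` are still `local`, i.e. dynamically scoped package globals that only work here because `local` saves and restores them around the recursive call at the bottom. Converting the four to lexicals, e.g. `my ($u) = grep { $_->{'name'} eq $m } @$allusers;`, keeps the function self-contained without changing behaviour and matches the style the hunk itself introduces. Separately, `&lock_file($aclfile)` is still taken on the local .acl/.gacl path while `save_module_acl`/`save_group_module_acl` may now store to the user DB, so for DB-backed members the lock serializes nothing; acl/save_group.cgi (`@@ -126`) and acl/save_user.cgi (`@@ -358`) keep the same lock-around-save pattern. Until the locking moves into the save functions, a comment such as `# lock only covers the file-backed case; DB writes are not serialized here` should sit next to each of these lock_file calls.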
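Review bot: The label lookup `$text{'edit_proto_'.$group{'proto'}}` depends on `$group{'proto'}` being unset for file-backed groups so that the key degrades to `edit_proto_`, which acl/lang/en now defines as "Local files"; that works, but the contract is invisible from this line. A comment, `# proto is unset for file-backed groups, which selects the edit_proto_ label`, would make it explicit, and the same applies to the twin line in acl/edit_user.cgi (`@@ -148`). The trailing `1` dropped from the `ui_hidden_table_start` call here and in acl/edit_user.cgi (`@@ -309`) changes that call's arguments in a way the commit message does not mention; if it is intentional, say so there.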
diff --git a/acl/edit_user.cgi b/acl/edit_user.cgi
index 4426959b7..3818bf97e 100755
--- a/acl/edit_user.cgi
+++ b/acl/edit_user.cgi
@@ -148,7 +148,7 @@ print &ui_table_row($text{'edit_real'}, # Storage type if ($in{'user'}) { print &ui_table_row($text{'edit_proto'}, - $text{'edit_proto'.$user{'proto'}}); + $text{'edit_proto_'.$user{'proto'}}); } print &ui_hidden_table_end("rights");
@@ -309,7 +309,7 @@ map { $has{$_} = 0 } $group ? @{$group->{'modules'}} : (); # Start of modules section print &ui_hidden_table_start(@groups ? $text{'edit_modsg'} : $text{'edit_mods'}, - "width=100%", 2, "mods", 1); + "width=100%", 2, "mods"); # Show available modules, under categories @mlist = grep { $access{'others'} || $has{$_->{'dir'}} || $mcan{$_->{'dir'}} }
diff --git a/acl/lang/en b/acl/lang/en
index fc1bf4202..f85a85457 100644
--- a/acl/lang/en
+++ b/acl/lang/en
@@ -99,9 +99,10 @@ edit_security=Security and limits options edit_mods=Available Webmin modules edit_modsg=Available Webmin modules (in addition to those from group) edit_proto=Storage type -edit_protomysql=MySQL database -edit_protopostgresql=PostgreSQL database -edit_protoldap=LDAP server +edit_proto_mysql=MySQL database +edit_proto_postgresql=PostgreSQL database +edit_proto_ldap=LDAP server +edit_proto_=Local files save_err=Failed to save user save_ename='$1' is not a valid username
diff --git a/acl/save_group.cgi b/acl/save_group.cgi
index db4087020..6bcde2a25 100755
--- a/acl/save_group.cgi
+++ b/acl/save_group.cgi
@@ -126,8 +126,8 @@ if ($in{'old'} && $in{'acl_security_form'}) { &foreign_call("", "acl_security_save", \%uaccess, \%in); $aclfile = "$config_directory/$in{'name'}.gacl"; &lock_file($aclfile); - &write_file($aclfile, \%uaccess); - chmod(0640, $aclfile); + &save_group_module_acl(\%uaccess, $in{'name'}, "", 1); + chmod(0640, $aclfile) if (-r $aclfile); &unlock_file($aclfile); }
diff --git a/acl/save_user.cgi b/acl/save_user.cgi
index 64e9c2c44..c4c8315a4 100755
--- a/acl/save_user.cgi
+++ b/acl/save_user.cgi
@@ -348,8 +348,6 @@ else { $access{'users'} .= " ".$in{'name'}; &save_module_acl(\%access); } - #%aclacl = &get_module_acl(); - #&save_module_acl(\%aclacl, $in{'name'}); } if ($in{'old'} && $in{'acl_security_form'} && !$group) {
@@ -358,8 +356,8 @@ if ($in{'old'} && $in{'acl_security_form'} && !$group) { &foreign_call("", "acl_security_save", \%uaccess, \%in); $aclfile = "$config_directory/$in{'name'}.acl"; &lock_file($aclfile); - &write_file($aclfile, \%uaccess); - chmod(0640, $aclfile); + &save_module_acl(\%uaccess, $in{'name'}, "", 1); + chmod(0640, $aclfile) if (-r $aclfile); &unlock_file($aclfile); }
diff --git a/web-lib-funcs.pl b/web-lib-funcs.pl
index 8bae4fef3..088eaa621 100755
--- a/web-lib-funcs.pl
+++ b/web-lib-funcs.pl
@@ -3381,7 +3381,46 @@ my $m = defined($_[1]) ? $_[1] : &get_module_name(); my $mdir = &module_root_directory($m); my %rv; &read_file_cached("$mdir/defaultacl", \%rv); -&read_file_cached("$config_directory/$m/$g.gacl", \%rv); + +my $userdb = &get_userdb_string(); +my $foundindb = 0; +if ($userdb) { + # Look for this group in the user/group DB + my ($dbh, $proto) = &connect_userdb($userdb); + ref($dbh) || &error(&text('egroupdbacl', $dbh)); + if ($proto eq "mysql" || $proto eq "postgresql") { + # Find the group in the SQL DB + my $cmd = $dbh->prepare( + "select id from webmin_group where name = ?"); + $cmd && $cmd->execute($g) || + &error(&text('egroupdbacl', $dbh->errstr)); + my ($id) = $cmd->fetchrow(); + $foundindb = 1 if (defined($id)); + $cmd->finish(); + + # Fetch ACLs with SQL + if ($foundindb) { + my $cmd = $dbh->prepare( + "select attr,value from webmin_group_acl ". + "where id = ? and module = ?"); + $cmd && $cmd->execute($id, $m) || + &error(&text('egroupdbacl', $dbh->errstr)); + while(my ($a, $v) = $cmd->fetchrow()) { + $rv{$a} = $v; + } + $cmd->finish(); + } + } + elsif ($proto eq "ldap") { + # Fetch ACLs from LDAP + # XXX + } + &disconnect_userdb($userdb, $dbh); + } +if (!$foundindb) { + # Read from local files + &read_file_cached("$config_directory/$m/$g.gacl", \%rv); + } if (defined(&theme_get_module_acl)) { %rv = &theme_get_module_acl($g, $m, \%rv); }
@@ -3525,7 +3564,7 @@ if ($userdb) { # Find the group in the SQL DB my $cmd = $dbh->prepare( "select id from webmin_group where name = ?"); - $cmd && $cmd->execute($u) || + $cmd && $cmd->execute($g) || &error(&text('egroupdbacl2', $dbh->errstr)); my ($id) = $cmd->fetchrow(); $foundindb = 1 if (defined($id));
@@ -3560,8 +3599,6 @@ if ($userdb) { &disconnect_userdb($userdb, $dbh); } - - if (!$foundindb) { # Save ACL to local file if (!-d "$config_directory/$m") {
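Review bot: The new fetch loop `while(my ($a, $v) = $cmd->fetchrow())` declares a lexical `$a`, the variable that `sort` blocks rely on as a package global; nothing sorts inside this loop today, but any later `sort { $a cmp $b }` added to the same scope would fail to compile with "Can't use "my $a" in sort comparison", and the name says nothing about the column it holds. Rename to `while (my ($attr, $value) = $cmd->fetchrow()) { $rv{$attr} = $value; }`. The lookup order the hunk introduces is also undocumented: a group found in the user DB takes precedence and the local .gacl file is only read when `$foundindb` stays 0, so a comment above `my $userdb = &get_userdb_string();` such as `# A group stored in the user DB overrides the local .gacl file, which is read only when the group is not found there` would explain why the file read is skipped. Both SQL statements bind `$g`, `$id` and `$m` through placeholders, which is the right way to pass caller-supplied names into the query. The enclosing sub (get_group_module_acl, going by `$g` and the .gacl path) starts before this hunk.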