Fix how self Webmin and Usermin upgrades are banned

system-status/system_info.pl

@@ -328,6 +328,9 @@ if ($info->{'poss'} && &show_section('poss')) {
 	push(@table, { 'desc' => $text{'right_updates'},
 		       'value' => $msg,
 		       'wide' => 1 });
+	# Check for repos
+	&foreign_require("webmin");
+	&webmin::has_repos(1);
 	}
 
 return @rv;

usermin/usermin-lib.pl

@@ -13,13 +13,19 @@ BEGIN { push(@INC, ".."); };
 use WebminCore;
 &init_config();
 %access = &get_module_acl();
-$access{'upgrade'} = 0
-	if (&is_readonly_mode() ||
-	    $access{'disallow'} =~ /upgrade/);	# too hard to fake
+$access{'upgrade'} = 0 if (&is_readonly_mode());	# too hard to fake
 &foreign_require("webmin");
 &foreign_require("acl");
 %text = ( %webmin::text, %text );
 
+if (!defined($gconfig{'noselfwebminup'})) {
+	$access{'upgrade'} = 0
+		if (&webmin::has_repos());
+	}
+else {
+	$access{'upgrade'} = !$gconfig{'noselfwebminup'};
+	}
+
 $usermin_miniserv_config = "$config{'usermin_dir'}/miniserv.conf";
 $usermin_config = "$config{'usermin_dir'}/config";
 

web-lib-funcs.pl

@@ -4520,9 +4520,8 @@ $m ||= "";
 my $mdir = &module_root_directory($m);
 my %rv;
 if (!$nodef) {
-	# Read default ACLs first, to be overridden by per-user settings
+	# Read default ACL first, to be overridden by per-user settings
 	&read_file_cached("$mdir/defaultacl", \%rv);
-	&read_file_cached("$config_directory/$m/defaultacl", \%rv);
 
 	# If this isn't a master admin user, apply the negative permissions
 	# so that he doesn't un-expectedly gain access to new features

webmin/change_startpage.cgi

@@ -18,8 +18,6 @@ $gconfig{'gotoone'} = $in{'gotoone'};
 $gconfig{'deftab'} = $in{'deftab'};
 $gconfig{'nohostname'} = $in{'nohostname'};
 $gconfig{'gotomodule'} = $in{'gotomodule'};
-$gconfig{'nowebminup'} = !$in{'webminup'};
-$gconfig{'nomoduleup'} = !$in{'moduleup'};
 &write_file("$config_directory/config", \%gconfig);
 &unlock_file("$config_directory/config");
 &webmin_log("startpage", undef, undef, \%in);

webmin/edit_startpage.cgi

@@ -38,12 +38,6 @@ print &ui_table_row($text{'startpage_gotomodule'},
 		      sort { $a->{'desc'} cmp $b->{'desc'} } 
 		        grep { !$_->{'hidden'} && !$_->{'webmin_hidden'} } @modules ]));
 
-print &ui_table_row($text{'startpage_webminup'},
-	&ui_yesno_radio("webminup", !$gconfig{'nowebminup'}));
-
-print &ui_table_row($text{'startpage_moduleup'},
-	&ui_yesno_radio("moduleup", !$gconfig{'nomoduleup'}));
-
 print &ui_table_end();
 print &ui_form_end([ [ "", $text{'save'} ] ]);
 

webmin/index.cgi

@@ -61,6 +61,13 @@ push(@wlinks, "edit_ssl.cgi", "edit_ca.cgi");
 push(@wtitles, $text{'ssl_title'}, $text{'ca_title'});
 push(@wicons, "images/ssl.gif", "images/ca.gif");
 
+# Enfoce to disable Webmin updates
+if ($gconfig{'noselfwebminup'}) {
+	$access{'disallow'} ||= '';
+	$access{'disallow'} = join(' ',
+		split(/\s+/, $access{'disallow'}), 'upgrade');
+	}
+
 # Hide dis-allowed pages
 my %allow = map { $_, 1 } split(/\s+/, $access{'allow'});
 my %disallow = map { $_, 1 } split(/\s+/, $access{'disallow'});

webmin/webmin-lib.pl

@@ -108,6 +108,39 @@ our $realos_cache_file = "$module_var_directory/realos-cache";
 our $password_change_mod = "passwd";
 our $password_change_path = "/".$password_change_mod."/change_passwd.cgi";
 
+if (!defined($gconfig{'noselfwebminup'})) {
+	&has_repos();
+	}
+
+=head2 has_repos
+
+Checks if package manager repositories are
+available for Webmin and Usermin updates.
+
+=cut
+sub has_repos
+{
+my ($force) = @_;
+my $has_repos = 0;
+if (-d '/etc/apt' || -d '/etc/yum.repos.d') {
+	my $out = &backquote_command(
+		"grep -irE 'webmin\.com|webmin\.dev|virtualmin\.com|virtualmin\.dev' ".
+		"/etc/apt/sources.list /etc/apt/sources.list.d/ ".
+		"/etc/yum.repos.d/ 2>/dev/null");
+	if ($out) {
+		$has_repos = 1;
+		}
+	}
+if ($force || !defined($gconfig{'noselfwebminup'}) ||
+    $gconfig{'noselfwebminup'} ne $has_repos) {
+	$gconfig{'noselfwebminup'} = $has_repos;
+	&lock_file("$config_directory/config");
+	&write_file("$config_directory/config", \%gconfig);
+	&unlock_file("$config_directory/config");
+	}
+return $has_repos;
+}
+
 =head2 setup_ca
 
 Internal function to create all the configuration files needed for the Webmin
@@ -1267,8 +1300,9 @@ if (&foreign_check("acl")) {
 my %access = &get_module_acl();
 my %disallow = map { $_, 1 } split(/\s+/, $access{'disallow'} || "");
 my %allow = map { $_, 1 } split(/\s+/, $access{'allow'} || "");
-if (&foreign_available($module_name) && !$gconfig{'nowebminup'} &&
-    !$noupdates && ($allow{'upgrade'} || !$disallow{'upgrade'})) {
+if (&foreign_available($module_name) && !$gconfig{'nowebminup'} && 
+    !$gconfig{'noselfwebminup'} && !$noupdates &&
+    ($allow{'upgrade'} || !$disallow{'upgrade'})) {
 	if (!$config{'last_version_check'} ||
 	    $now - $config{'last_version_check'} > 24*60*60) {
 		# Cached last version has expired .. re-fetch