From e976c73ffc58732f47bc8e7b34f90530357737c5 Mon Sep 17 00:00:00 2001
From: Jamie Cameron <jcameron@webmin.com>
Date: Sun, 24 Jan 2021 13:59:17 -0800
Subject: [PATCH] Add ACL for stopping and starting atd
 https://github.com/virtualmin/virtualmin-gpl/issues/246

---
 at/acl_security.pl | 6 +++++-
 at/bootup.cgi      | 1 +
 at/defaultacl      | 1 +
 at/index.cgi       | 2 +-
 at/lang/en         | 4 ++++
 at/negativeacl     | 1 +
 at/start.cgi       | 1 +
 at/stop.cgi        | 1 +
 8 files changed, 15 insertions(+), 2 deletions(-)
 create mode 100644 at/negativeacl

diff --git a/at/acl_security.pl b/at/acl_security.pl
index ab8894362..0d5854227 100755
--- a/at/acl_security.pl
+++ b/at/acl_security.pl
@@ -21,7 +21,10 @@ print &ui_table_row($text{'acl_users'},
 	]), 3);
 
 print &ui_table_row($text{'acl_allow'},
-	&ui_yesno_radio("allow", $o->{'allow'}));
+	&ui_yesno_radio("allow", $o->{'allow'}), 3);
+
+print &ui_table_row($text{'acl_stop'},
+	&ui_yesno_radio("stop", $o->{'stop'}), 3);
 }
 
 # acl_security_save(&options)
@@ -34,5 +37,6 @@ $o->{'users'} = $in{'mode'} == 0 || $in{'mode'} == 3 ? "" :
 		$in{'mode'} == 1 ? $in{'userscan'}
 				 : $in{'userscannot'};
 $o->{'allow'} = $in{'allow'};
+$o->{'stop'} = $in{'stop'};
 }
 
diff --git a/at/bootup.cgi b/at/bootup.cgi
index 81fa16c37..13a1760f0 100755
--- a/at/bootup.cgi
+++ b/at/bootup.cgi
@@ -4,6 +4,7 @@
 require './at-lib.pl';
 &ReadParse();
 &foreign_require("init");
+$access{'stop'} || &error($text{'bootup_ecannot'});
 $init = &get_init_name();
 if ($in{'boot'}) {
 	&init::enable_at_boot($init);
diff --git a/at/defaultacl b/at/defaultacl
index 1552d44cd..1a7bcac42 100644
--- a/at/defaultacl
+++ b/at/defaultacl
@@ -2,3 +2,4 @@ noconfig=0
 users=
 mode=0
 allow=1
+stop=1
diff --git a/at/index.cgi b/at/index.cgi
index 4c17bafad..2be0f917d 100755
--- a/at/index.cgi
+++ b/at/index.cgi
@@ -140,7 +140,7 @@ if ($access{'allow'} && $config{'allow_file'}) {
 # If there is an init script that runs an atd server, show status
 &foreign_require("init");
 my $init = defined(&get_init_name) ? &get_init_name() : undef;
-if ($init) {
+if ($access{'stop'} && $init) {
 	print &ui_hr();
 	print &ui_buttons_start();
 
diff --git a/at/lang/en b/at/lang/en
index a612b165a..45c28d655 100644
--- a/at/lang/en
+++ b/at/lang/en
@@ -55,6 +55,7 @@ acl_this=Current Webmin user
 acl_only=Only users
 acl_except=All except users
 acl_allow=Can edit allowed At users?
+acl_stop=Can stop and start <tt>atd</tt>?
 
 run_title=Running Command
 run_output=Output from scheduled command ..
@@ -79,5 +80,8 @@ log_bootdown=Disabled scheduled commands server at boot
 
 stop_err=Failed to stop server
 start_err=Failed to start server
+stop_ecannot=You are not allowed to stop the server
+start_ecannot=You are not allowed to start the server
+bootup_ecannot=You are not allowed to enable the server at boot
 
 __norefs=1
diff --git a/at/negativeacl b/at/negativeacl
new file mode 100644
index 000000000..fb6975934
--- /dev/null
+++ b/at/negativeacl
@@ -0,0 +1 @@
+stop=0
diff --git a/at/start.cgi b/at/start.cgi
index 19b9cf5ee..5064c3ad8 100755
--- a/at/start.cgi
+++ b/at/start.cgi
@@ -3,6 +3,7 @@
 
 require './at-lib.pl';
 &error_setup($text{'start_err'});
+$access{'stop'} || &error($text{'start_ecannot'});
 &foreign_require("init");
 my $init = &get_init_name();
 my ($ok, $err) = &init::start_action($init);
diff --git a/at/stop.cgi b/at/stop.cgi
index 752322504..198370309 100755
--- a/at/stop.cgi
+++ b/at/stop.cgi
@@ -3,6 +3,7 @@
 
 require './at-lib.pl';
 &error_setup($text{'stop_err'});
+$access{'stop'} || &error($text{'stop_ecannot'});
 &foreign_require("init");
 my $init = &get_init_name();
 my ($ok, $err) = &init::stop_action($init);