_list_queries returns a client dependent list, so don't cache that data.

[moira.git] / server / qaccess.pc

diff --git a/server/qaccess.pc b/server/qaccess.pc
index b2d827b02bd7825526c7253dbad9adf670ab65fc..f6ea10440852c5130a0022c421142f253bc3b4f4 100644 (file)
--- a/server/qaccess.pc
+++ b/server/qaccess.pc
@@ -198,7 +198,7 @@ int access_list(struct query *q, char *argv[], client *cl)
 
   /* If not amtl, atml, or dmfl, we lose. */
   if (strcmp(q->shortname, "amtl") && strcmp(q->shortname, "atml") &&
-      strcmp(q->shortname, "dmfl"))
+      strcmp(q->shortname, "dmfl") && strcmp(q->shortname, "tmol"))
     return MR_PERM;
 
   if (find_member(memacl_type, memacl_id, cl))
@@ -412,16 +412,19 @@ int access_filesys(struct query *q, char *argv[], client *cl)
 int access_host(struct query *q, char *argv[], client *cl)
 {
   EXEC SQL BEGIN DECLARE SECTION;
-  int mid, sid, id;
+  int mid, sid, id, subnet_status;
   char mtype[MACHINE_OWNER_TYPE_SIZE], stype[SUBNET_OWNER_TYPE_SIZE];
+  char *account_number;
   EXEC SQL END DECLARE SECTION;
   int status, idx;
 
   if (q->version < 6)
     idx = 0;
-  else
+  else if (q->version >= 6 && q->version < 8)
     idx = 1;
-
+  else
+    idx = 2;
+  
   if (q->type == RETRIEVE)
     {
       if (strcmp(argv[0], "*") || strcmp(argv[1], "*") ||
@@ -442,11 +445,24 @@ int access_host(struct query *q, char *argv[], client *cl)
        return MR_BAD_CHAR;
 
       id = *(int *)argv[8 + idx];
-      EXEC SQL SELECT s.owner_type, s.owner_id
-       INTO :stype, :sid FROM subnet s
+      EXEC SQL SELECT s.owner_type, s.owner_id, s.status
+       INTO :stype, :sid, :subnet_status FROM subnet s
        WHERE s.snet_id = :id;
       mid = 0;
 
+      /* Non query owner must provide valid billing information. */
+      if (q->version >= 8)
+       {
+         if (subnet_status == SNET_STATUS_BILLABLE)
+           {
+             account_number = argv[7];
+             EXEC SQL SELECT account_number FROM accountnumbers 
+               WHERE account_number = :account_number;
+             if (sqlca.sqlcode == SQL_NO_MATCH)
+               return MR_ACCOUNT_NUMBER;
+           }
+       }
+
       if (find_member(stype, sid, cl))
        return MR_SUCCESS;
       else
@@ -464,14 +480,28 @@ int access_host(struct query *q, char *argv[], client *cl)
       id = *(int *)argv[0];
       EXEC SQL SELECT m.name, m.use, m.contact, m.billing_contact, m.status, 
        m.address, m.owner_type, m.owner_id, m.acomment, m.ocomment, m.snet_id,
-       s.owner_type, s.owner_id INTO :name, :use, :contact, :billing_contact,
-       :status, :address, :mtype, :mid, :acomment, :ocomment, :snid, :stype, 
-       :sid
+       s.owner_type, s.owner_id, s.status INTO :name, :use, :contact, 
+       :billing_contact, :status, :address, :mtype, :mid, :acomment, 
+       :ocomment, :snid, :stype, :sid, :subnet_status
        FROM machine m, subnet s
        WHERE m.mach_id = :id AND s.snet_id = m.snet_id;
       if (dbms_errno)
        return mr_errcode;
 
+      /* Non query owner must provide valid billing information. */
+      if (q->version >= 8)
+       {
+         if ((subnet_status == SNET_STATUS_BILLABLE) &&
+             (atoi(argv[10]) != 3))
+           {
+             account_number = argv[8];
+             EXEC SQL SELECT account_number FROM accountnumbers 
+               WHERE account_number = :account_number;
+             if (sqlca.sqlcode == SQL_NO_MATCH)
+               return MR_ACCOUNT_NUMBER;
+           }
+       }
+
       /* non-query-owner cannot change use or ocomment */
       if ((use != atoi(argv[7 + idx])) || (ocomment != *(int *)argv[14 + idx]))
        return MR_PERM;
@@ -619,3 +649,66 @@ int access_zephyr(struct query *q, char *argv[], client *cl)
     return MR_PERM;
 }
 
+/* access_container - check access for most container operations
+ *
+ * Inputs: argv[0] - cnt_id
+ *         q - query name        
+ *          cl - client name
+ *
+ * - check if that client is a member of the access control list
+ * - OR, if the query is add_machine_to_container or delete_machine_from_container
+ *     check if the client is a memeber of the mem_acl list
+ * - if the query is update_container and the container is to be renamed and
+ *   it is a top-level container, only priviledged users can do it
+ */
+
+int access_container(struct query *q, char *argv[], client *cl)
+{
+  EXEC SQL BEGIN DECLARE SECTION;
+  int cnt_id, acl_id, memacl_id;
+  char acl_type[CONTAINERS_ACL_TYPE_SIZE], memacl_type[CONTAINERS_ACL_TYPE_SIZE];
+  char name[CONTAINERS_NAME_SIZE], *newname;
+  EXEC SQL END DECLARE SECTION;
+  int status;
+
+  cnt_id = *(int *)argv[0];
+  
+  /* if amcn or dmcn, container id is the second argument */
+  if (strcmp(q->shortname, "amcn") == 0 || strcmp(q->shortname, "dmcn") == 0)
+       cnt_id = *(int *)argv[1];
+
+  EXEC SQL SELECT acl_id, acl_type, memacl_id, memacl_type, name
+    INTO :acl_id, :acl_type, :memacl_id, :memacl_type, :name
+    FROM containers
+    WHERE cnt_id = :cnt_id;
+
+  if (sqlca.sqlerrd[2] != 1)
+    return MR_INTERNAL;
+
+   /* trim off the trailing spaces */
+   strcpy(name, strtrim(name));
+
+  /* if the query is update_container and the containers is to be renamed
+   * and it is a top-level container, only dbadmin can do it */
+  if (!strcmp(q->shortname, "ucon"))
+  {
+    newname = argv[1];
+    if (strcmp(name, newname) && strchr(name, '/') == NULL)
+      return MR_PERM;
+  }
+
+  /* check for client in access control list and return success right 
+   * away if it's there. */
+  if (find_member(acl_type, acl_id, cl))
+    return MR_SUCCESS;
+
+  /* If not amcn, dmcn, we lose. */
+  if (strcmp(q->shortname, "amcn") && strcmp(q->shortname, "dmcn"))
+    return MR_PERM;
+
+  if (find_member(memacl_type, memacl_id, cl))
+    return MR_SUCCESS;
+
+  /* Otherwise fail. */
+  return MR_PERM;
+}