From a23da324a647296a31436631b958bc3443ceaaf2 Mon Sep 17 00:00:00 2001 From: "bugreport%peshkin.net" <> Date: Fri, 14 Oct 2005 06:58:24 +0000 Subject: Bug 204498 Add su (setuser) function Patch by A. Karl Kornel r=joel, a=justdave --- Bugzilla.pm | 76 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++---- 1 file changed, 72 insertions(+), 4 deletions(-) (limited to 'Bugzilla.pm') diff --git a/Bugzilla.pm b/Bugzilla.pm index 183a3227c..a86e799eb 100644 --- a/Bugzilla.pm +++ b/Bugzilla.pm @@ -19,7 +19,7 @@ # # Contributor(s): Bradley Baetz # Erik Stambaugh -# +# A. Karl Kornel package Bugzilla; @@ -132,9 +132,60 @@ sub user { return $_user; } +my $_sudoer; +sub sudoer { + my $class = shift; + return $_sudoer; +} + +sub sudo_request { + my $class = shift; + my $new_user = shift; + my $new_sudoer = shift; + + $_user = $new_user; + $_sudoer = $new_sudoer; + $::userid = $new_user->id; + + # NOTE: If you want to log the start of an sudo session, do it here. + + return; +} + sub login { my ($class, $type) = @_; - $_user = Bugzilla::Auth::Login::WWW->login($type); + my $authenticated_user = Bugzilla::Auth::Login::WWW->login($type); + + # At this point, we now know if a real person is logged in. + # We must now check to see if an sudo session is in progress. + # For a session to be in progress, the following must be true: + # 1: There must be a logged in user + # 2: That user must be in the 'bz_sudoer' group + # 3: There must be a valid value in the 'sudo' cookie + # 4: A Bugzilla::User object must exist for the given cookie value + # 5: That user must NOT be in the 'bz_sudo_protect' group + my $sudo_cookie = $class->cgi->cookie('sudo'); + detaint_natural($sudo_cookie) if defined($sudo_cookie); + my $sudo_target; + $sudo_target = new Bugzilla::User($sudo_cookie) if defined($sudo_cookie); + if (defined($authenticated_user) && + $authenticated_user->in_group('bz_sudoers') && + defined($sudo_cookie) && + defined($sudo_target) && + !($sudo_target->in_group('bz_sudo_protect')) + ) + { + $_user = $sudo_target; + $_sudoer = $authenticated_user; + $::userid = $sudo_target->id; + + # NOTE: If you want to do any special logging, do it here. + } + else { + $_user = $authenticated_user; + } + + return $_user; } sub logout { @@ -164,6 +215,7 @@ sub logout_user_by_id { # hack that invalidates credentials for a single request sub logout_request { undef $_user; + undef $_sudoer; # XXX clean this up eventually $::userid = 0; # We can't delete from $cgi->cookie, so logincookie data will remain @@ -332,8 +384,24 @@ method for those scripts/templates which are only use via CGI, though. =item C -The current C. C if there is no currently logged in user -or if the login code has not yet been run. +C if there is no currently logged in user or if the login code has not +yet been run. If an sudo session is in progress, the C +corresponding to the person who is being impersonated. If no session is in +progress, the current C. + +=item C + +C if there is no currently logged in user, the currently logged in user +is not in the I group, or there is no session in progress. If an sudo +session is in progress, returns the C object corresponding to +the person who logged in and initiated the session. If no session is in +progress, returns the C object corresponding to the currently +logged in user. + +=item C +This begins an sudo session for the current request. It is meant to be +used when a session has just started. For normal use, sudo access should +normally be set at login time. =item C -- cgit v1.2.3-24-g4f1b