You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
162 lines
5.8 KiB
162 lines
5.8 KiB
#!/usr/bin/perl -w
|
|
|
|
#----------------------------------------------------------------------
|
|
# copyright (C) 2011-2012 Firewall Services
|
|
# Daniel Berteaud <daniel@firewall-services.com>
|
|
#
|
|
# This program is free software; you can redistribute it and/or modify
|
|
# it under the terms of the GNU General Public License as published by
|
|
# the Free Software Foundation; either version 2 of the License, or
|
|
# (at your option) any later version.
|
|
#
|
|
# This program is distributed in the hope that it will be useful,
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
# GNU General Public License for more details.
|
|
#
|
|
# You should have received a copy of the GNU General Public License
|
|
# along with this program; if not, write to the Free Software
|
|
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
|
|
#----------------------------------------------------------------------
|
|
|
|
use strict;
|
|
use esmith::templates;
|
|
use esmith::ConfigDB;
|
|
use esmith::AccountsDB;
|
|
use File::Path qw(mkpath rmtree);
|
|
use PHP::Serialization qw(serialize unserialize);
|
|
|
|
my $c = esmith::ConfigDB->open_ro;
|
|
my $a = esmith::AccountsDB->open_ro;
|
|
|
|
my $domain = $c->get('DomainName')->value;
|
|
|
|
# Remove all the permissions
|
|
unlink(</var/lib/ajaxplorer/plugins/auth.serial/*/rights.ser>);
|
|
|
|
# Remove active sessions
|
|
unlink(</var/lib/ajaxplorer/tmp/sess_*>);
|
|
|
|
# Remove plugin and i18n cache
|
|
unlink(</var/cache/ajaxplorer/plugin*.ser>);
|
|
unlink(</var/cache/ajaxplorer/i18n/*.ser>);
|
|
|
|
foreach my $user (($a->users),$a->get('admin')){
|
|
my $name = $user->key;
|
|
my $first = $user->prop('FirstName') || '';
|
|
my $last = $user->prop('LastName') || $name;
|
|
my $data;
|
|
mkpath('/var/lib/ajaxplorer/plugins/auth.serial/' . $name);
|
|
chmod 0770, "/var/lib/ajaxplorer/plugins/auth.serial/$name";
|
|
chown '0', '102', "/var/lib/ajaxplorer/plugins/auth.serial/$name";
|
|
if (-s "/var/lib/ajaxplorer/plugins/auth.serial/$name/role.ser"){
|
|
open RROLE, "/var/lib/ajaxplorer/plugins/auth.serial/$name/role.ser";
|
|
$data = <RROLE>;
|
|
close RROLE;
|
|
$data = unserialize($data);
|
|
delete $data->{"\0*\0acls"} if (defined $data->{"\0*\0acls"});
|
|
}
|
|
# No role yet ? lets create it
|
|
else{
|
|
$data->{"\0*\0groupPath"} = undef;
|
|
$data->{"\0*\0autoApplies"} = [];
|
|
$data->{"\0*\0roleLabel"} = undef;
|
|
$data->{"\0*\0actions"} = [];
|
|
$data->{"\0*\0roleId"} = "AJXP_USR_/$name";
|
|
$data = bless $data, 'PHP::Serialization::Object::AJXP_Role';
|
|
}
|
|
# In any case, re-compute the effective permissions
|
|
foreach my $share ($a->get_all_by_prop(type => 'share')){
|
|
my $sharename = $share->key;
|
|
my $access = $share->prop('Ajaxplorer') || 'disabled';
|
|
next unless ($access eq 'enabled');
|
|
my @readgroups = split(/[;,]/, $share->prop('ReadGroups') || '');
|
|
my @writegroups = split(/[;,]/, $share->prop('WriteGroups') || '');
|
|
my @readusers = split(/[;,]/, $share->prop('ReadUsers') || '');
|
|
my @writeusers = split(/[;,]/, $share->prop('WriteUsers') || '');
|
|
|
|
foreach (@readgroups){
|
|
$data->{"\0*\0acls"}->{$sharename} = 'r' if ( $a->is_user_in_group($name,$_) );
|
|
}
|
|
foreach (@writegroups){
|
|
$data->{"\0*\0acls"}->{$sharename} = 'rw' if ( $a->is_user_in_group($name,$_) );
|
|
}
|
|
foreach (@readusers){
|
|
$data->{"\0*\0acls"}->{$sharename} = 'r' if ( $_ eq $name );
|
|
}
|
|
foreach (@writeusers){
|
|
$data->{"\0*\0acls"}->{$sharename} = 'rw' if ( $_ eq $name );
|
|
}
|
|
# Special case: admin has access to everything
|
|
$data->{"\0*\0acls"}->{$sharename} = 'rw' if ($name eq 'admin');
|
|
}
|
|
# As we're here, lets update the email address and the display name
|
|
# First, delete parameter if it's an array (meaning it's empty)
|
|
delete $data->{"\0*\0parameters"} if (ref ($data->{"\0*\0parameters"})=~ m/ARRAY/i);
|
|
|
|
$data->{"\0*\0parameters"}->{'AJXP_REPO_SCOPE_ALL'}->{'core.conf'}->{'email'} = "$name\@$domain";
|
|
$data->{"\0*\0parameters"}->{'AJXP_REPO_SCOPE_ALL'}->{'core.conf'}->{'USER_DISPLAY_NAME'} = "$first $last";
|
|
|
|
open WROLE, '+>', "/var/lib/ajaxplorer/plugins/auth.serial/$name/role.ser";
|
|
print WROLE serialize($data);
|
|
close WROLE;
|
|
}
|
|
|
|
my $ajxp = $c->get('ajaxplorer') || die "Couldn't find ajaxplorer entry in ConfigDB\n";
|
|
my $homedir = $ajxp->prop('HomeDir') || 'none';
|
|
|
|
if ($homedir eq 'enabled'){
|
|
foreach ($a->users){
|
|
my $name = $_->key;
|
|
set_user_acl($name);
|
|
}
|
|
}
|
|
elsif ($homedir eq 'users'){
|
|
foreach ($a->users){
|
|
my $name = $_->key;
|
|
if (($_->prop('AjxpHomeDir') || 'disabled') eq 'enabled'){
|
|
set_user_acl($name);
|
|
}
|
|
else{
|
|
remove_user_acl($name);
|
|
}
|
|
}
|
|
}
|
|
else{
|
|
foreach ($a->users){
|
|
my $name = $_->key;
|
|
remove_user_acl($name);
|
|
}
|
|
}
|
|
|
|
sub set_user_acl{
|
|
my $user = shift;
|
|
my $acl = `/usr/bin/getfacl /home/e-smith/files/users/$user 2>/dev/null | egrep -c '^user:(apache|www):'`;
|
|
chomp($acl);
|
|
return if ($acl > 0);
|
|
system('/usr/bin/setfacl',
|
|
'-m',
|
|
'u:www:x',
|
|
"/home/e-smith/files/users/$user");
|
|
system('/usr/bin/setfacl',
|
|
'-R',
|
|
'-m',
|
|
'u:www:rX,d:u:www:rX',
|
|
"/home/e-smith/files/users/$user/home");
|
|
}
|
|
|
|
sub remove_user_acl{
|
|
my $user = shift;
|
|
my $acl = `/usr/bin/getfacl /home/e-smith/files/users/$user 2>/dev/null | egrep -c '^user:(apache|www):'`;
|
|
chomp($acl);
|
|
return if ($acl < 1);
|
|
system('/usr/bin/setfacl',
|
|
'-R',
|
|
'-x',
|
|
'u:www,d:u:www',
|
|
"/home/e-smith/files/users/$user/home");
|
|
system('/usr/bin/setfacl',
|
|
'-x',
|
|
'u:www',
|
|
"/home/e-smith/files/users/$user");
|
|
}
|
|
|