Changeset 4974

Timestamp:

2003-07-18T10:02:55+12:00 (21 years ago)

Author:

sjboddie

Message:

Added the following options to the collect.cfg file:

=> auth_collection: This has two values document or collection, provides

authentication at the collection level or document level.

=> auth_groups: This allows user groups to access collections or documents.

=> allow_acls: When used in conjunction with authcollection = document to

activate the following two options, must be either true or false.

=> allowallexcept: This option requires a list of space separated document OID's

which means all documents can be viewed and the ones listed cannot
without authentication.

=> denyallexcept: This option requires a list of space separated document OID's

whereby all documents require authentication except those listed
by document OID's.

Location:

trunk/gsdl/src

Files:

• colservr/collectserver.cpp (modified) (1 diff)
• recpt/authenaction.cpp (modified) (2 diffs)
• recpt/comtypes.cpp (modified) (2 diffs)
• recpt/comtypes.h (modified) (1 diff)
• recpt/documentaction.cpp (modified) (1 diff)
• recpt/receptionist.cpp (modified) (2 diffs)

trunk/gsdl/src/colservr/collectserver.cpp

@@ -99 +99 @@
       collectinfo.searchTypes = cfgline;
     }
+
+    // What have we set in our collect.cfg file :  document or collection ?
+    else if (key == "auth_collection") collectinfo.auth_collection = value;
+
+    // What have we set for our group list
+    else if (key == "auth_group")
+       {
+      // use the joinchar helper function from
+      // text_t.h, it takes in the whole cfgline
+      // array and a separator aka a comma in our
+      // case and returns a sting separated by a
+      // comma like this:
+      //
+      //   Rene,Kolla,Crystal,Stefan,Aly,Ian
+      
+      joinchar(cfgline,',',collectinfo.auth_group);
+      //      outconvertclass t;
+      //cerr << t << collectinfo.auth_group << "\n";
+       }
+
+    // Have we set our security switch for use of acl to ON ?
+
+    else if (key == "allow_acls")
+       {
+      if(value=="true")
+         collectinfo.allow_acls = true;
+      else
+         collectinfo.allow_acls = false;
+       }
+
+    // In the map the key-value pair contain the same
+    // data
+    
+    // What have we set for our allowallexcept ACL
+    else if (key == "allowallexcept")
+       {
+      text_tarray::const_iterator begin = cfgline.begin();
+      text_tarray::const_iterator end = cfgline.end();
+      while(begin != end)
+         {
+        collectinfo.allowallexcept[*begin] = *begin;
+        begin++;
+         }
+       }
+    
+    // What have we set for our group list
+    else if (key == "denyallexcept")
+       {
+      text_tarray::const_iterator begin = cfgline.begin();
+      text_tarray::const_iterator end = cfgline.end();
+      while(begin != end)
+         {
+        collectinfo.denyallexcept[*begin] = *begin;
+        begin++;
+         }
+       }
   }
 

trunk/gsdl/src/recpt/authenaction.cpp

@@ -200 +200 @@
     if (thisuser.enabled) {
       bool haspermission = true;
+
       // check to make sure the user is in the required group
+      // one group is available only at the moment.
+      // this is what we are changing !
+      
       if (!args_ug.empty()) {
-    haspermission = false;
-    text_t::const_iterator group_here = thisuser.groups.begin();
-    text_t::const_iterator group_end = thisuser.groups.end();
-    text_t thisgroup;
+
+     // Since we recieve a comma seperated list
+     // of groups like mygroup,yourgroup,ourgroup
+     // we want to split them into individual groups
+     // and examine them. This is what is done here.
+     
+     text_tset splitgrps;
+     text_t::const_iterator split_here = args_ug.begin();
+     text_t::const_iterator split_end = args_ug.end();
+
+     splitchar(split_here,split_end,',',splitgrps);
+
+     haspermission = false;
+
+     // This examines the current user to be authenticated and
+     // tries to see if he or she is in the group that we have in
+     // thisuser structure. We compare args_ua contents with that
+     // of the user database.
+     
+     text_t::const_iterator group_here = thisuser.groups.begin();
+     text_t::const_iterator group_end = thisuser.groups.end();
+     text_t thisgroup;
     while (group_here != group_end) {
-      group_here = getdelimitstr (group_here, group_end, ',', thisgroup);
-      if (thisgroup == args_ug) {
-        haspermission = true;
-        break;
-      }
+       group_here = getdelimitstr (group_here, group_end, ',', thisgroup);
+       if (splitgrps.find(thisgroup) != splitgrps.end() )
+          {
+         haspermission = true;
+         break;
+          }
     }
       }
-
+      
       if (haspermission) {
-    // succeeded, get info about this user
-    // note: we don't need to set "ug" as it is already set to what it needs to be
-    args_us = "enabled";
+     // succeeded, get info about this user
+     // note: we don't need to set "ug" as it is already set to what it needs to be
+     args_us = "enabled";
     args_ky = generate_key (keyfile, args_un); // new key
-
+    
     // delete old keys around every 50 accesses
     if (rand()%50 == 1) remove_old_keys (keyfile, keydecay);
@@ -226 +249 @@
       } else {
     // succeeded, however, the user is not in the correct group
-    args_ua.clear();
-    args_us = "permissiondenied";
-    args_ky.clear();
+     args_ua.clear();
+     args_us = "permissiondenied";
+     args_ky.clear();
       }
-
+      
     } else {
-      // succeeded, however, the account is disabled
+       // succeeded, however, the account is disabled
       args_ua.clear();
       args_us = "disabled";

trunk/gsdl/src/recpt/comtypes.cpp

@@ -44 +44 @@
 }
 
-/* isPublic now defaults to true */
+/*
+   isPublic now defaults to true  most values are default          
+   similar to a constructor in a class to make some initializations
+*/
+
 void ColInfoResponse_t::clear () {
   shortInfo.clear();
@@ -63 +67 @@
   httpprefix.clear();
   receptionist.clear();
+  auth_collection.clear();         // turned off by default
+  auth_group.clear();              // turned off by default
+  allow_acls= false;              // turned off by default
+  allowallexcept.clear();          // turned off by default
+  denyallexcept.clear();           // turned off by default
+
 }
 

trunk/gsdl/src/recpt/comtypes.h

@@ -84 +84 @@
 // }
 struct ColInfoResponse_t {
-  void clear ();
-  ColInfoResponse_t () {clear();}
-
-  ShortColInfo_t shortInfo;
-  bool isPublic;
-  bool isBeta;
-  unsigned long buildDate;
-  text_tarray ccsCols;    // empty if collection does not use cross-collection searching
-  text_tarray languages;
-  unsigned long numDocs;     // 0 if not known
-  unsigned long numSections; // 0 if not known
-  unsigned long numWords;    // 0 if not known
-  unsigned long numBytes;    // 0 if not known
-  text_tmap collectionmeta;
-  text_tmap format;
-  text_tmap building;
-  text_t    httpdomain;      // GRB: could these two http items need removing
-  text_t    httpprefix;
-  text_t    receptionist;
-  text_t    buildType;  // 'mg' or 'mgpp'
-  text_tarray    searchTypes; // form, plain, empty if collection uses mg, or has no searching facility
+   void clear ();
+   ColInfoResponse_t () {clear();}
+   
+   ShortColInfo_t shortInfo;
+   bool isPublic;
+   bool isBeta;
+   unsigned long buildDate;
+   text_tarray ccsCols;    // empty if collection does not use cross-collection searching
+   text_tarray languages;
+   unsigned long numDocs;     // 0 if not known
+   unsigned long numSections; // 0 if not known
+   unsigned long numWords;    // 0 if not known
+   unsigned long numBytes;    // 0 if not known
+   text_tmap      collectionmeta;
+   text_tmap      format;
+   text_tmap      building;
+   text_t         httpdomain;      // GRB: could these two http items need removing
+   text_t         httpprefix;
+   text_t         receptionist;
+   text_t         buildType;       // 'mg' or 'mgpp'
+   text_t         auth_collection; // 'document' or 'collection'
+   text_t         auth_group;      // 'mygroup' 'yourgroup'
+   bool           allow_acls;      // to make sure that the user wants to use this ACL feature
+   text_tmap      allowallexcept;  // the acl to allow stuff or deny things
+   text_tmap      denyallexcept;   // the opposite of the one above
+   text_tarray    searchTypes; // form, plain, empty if collection uses mg, or has no searching facility
 };
 

trunk/gsdl/src/recpt/documentaction.cpp

@@ -166 +166 @@
 
 bool documentaction::check_cgiargs (cgiargsinfoclass &argsinfo, cgiargsclass &args, 
-                    recptprotolistclass * /*protos*/, ostream &logout) {
-
-  // check gc argument
-  int arg_gc = args.getintarg("gc");
+                    recptprotolistclass *protos, ostream &logout) {
+
+   if(!args["d"].empty())
+      {
+     recptproto* collectproto = protos->getrecptproto (args["c"], logout);
+     if (collectproto != NULL)
+        {
+           ColInfoResponse_t *cinfo = recpt->get_collectinfo_ptr (collectproto, args["c"], logout);
+           
+           if(cinfo->auth_collection == "document" && cinfo->allow_acls) 
+          {
+             // both are either commented out or uncomment and are empty
+             if (cinfo->allowallexcept.empty() && cinfo->denyallexcept.empty())
+            {
+               //deny everything
+               args["uan"] = "1";
+               args["ug"] = cinfo->auth_group;
+            }
+
+             // both allowallexcept and denyallexcept are turned on !
+             else if (!cinfo->allowallexcept.empty() && !cinfo->denyallexcept.empty())
+            {
+               //deny everything
+               args["uan"] = "1";
+               args["ug"] = cinfo->auth_group;
+            }
+             
+             // only allowallexcept is set, so ask to authenticate for that article/doc
+             else if (cinfo->allowallexcept.find(args["d"]) != cinfo->allowallexcept.end() )
+            {
+               
+               args["uan"] = "1";
+               args["ug"] = cinfo->auth_group;
+            }
+             
+             // only denyallexcept is set, so ask to authenticate for that article/doc
+             else if (cinfo->denyallexcept.find(args["d"]) == cinfo->denyallexcept.end() )
+            {
+               args["uan"] = "1";
+               args["ug"] = cinfo->auth_group;
+            }
+             
+          }
+        }
+      }
+   // check gc argument
+   int arg_gc = args.getintarg("gc");
   if (arg_gc < 0 || arg_gc > 2) {
     logout << "Warning: \"gc\" argument out of range (" << arg_gc << ")\n";

trunk/gsdl/src/recpt/receptionist.cpp

@@ -1078 +1078 @@
 // error is found it will return false and no cgi page should
 // be created using the arguments.
+
 bool receptionist::check_mainargs (cgiargsclass &args, ostream &logout) {
   // if this receptionist is running in collection dependant mode
@@ -1099 +1100 @@
     } else {
 
-      ColInfoResponse_t *cinfo = get_collectinfo_ptr (collectproto, arg_c, logout);
-
+       ColInfoResponse_t *cinfo = get_collectinfo_ptr (collectproto, arg_c, logout);
+
+       if(cinfo->auth_collection == "collection")
+      {
+         args["uan"] = "1";
+         args["ug"] = cinfo->auth_group;
+      }
+       
+       
       if (cinfo != NULL) {
     if (!cinfo->ccsCols.empty()) {