From e75e410d0cdc5ca62af1888c3cb75163ca22d2ad Mon Sep 17 00:00:00 2001
From: ivan
Date: Mon, 29 Jan 2007 23:16:18 +0000
Subject: [PATCH] putting the C in ACL

---
 httemplate/config/config-process.cgi | 110 +++++++++++++++++++----------
 httemplate/config/config-view.cgi | 5 +-
 httemplate/config/config.cgi | 5 +-
 3 files changed, 68 insertions(+), 52 deletions(-)

diff --git a/httemplate/config/config-process.cgi b/httemplate/config/config-process.cgi
index a78f3978c..d8f0d8e93 100644
--- a/httemplate/config/config-process.cgi
+++ b/httemplate/config/config-process.cgi
@@ -1,52 +1,62 @@
-%
-% my $conf = new FS::Conf;
-% $FS::Conf::DEBUG = 1;
-% my @config_items = $conf->config_items;
-%
-% foreach my $i ( @config_items ) {
-% my @touch = ();
-% my @delete = ();
-% my $n = 0;
-% foreach my $type ( ref($i->type) ? @{$i->type} : $i->type ) {
-% if ( $type eq '' ) {
-% } elsif ( $type eq 'textarea' ) {
-% if ( $cgi->param($i->key. $n) ne '' ) {
-% my $value = $cgi->param($i->key. $n);
-% $value =~ s/\r\n/\n/g; #browsers?
-% $conf->set($i->key, $value);
-% } else {
-% $conf->delete($i->key);
-% }
-% } elsif ( $type eq 'checkbox' ) {
-%# if ( defined($cgi->param($i->key. $n)) && $cgi->param($i->key. $n) ) {
-% if ( defined $cgi->param($i->key. $n) ) {
-% #$conf->touch($i->key);
-% push @touch, $i->key;
-% } else {
-% #$conf->delete($i->key);
-% push @delete, $i->key;
-% }
-% } elsif ( $type eq 'text' || $type eq 'select' || $type eq 'select-sub' ) {
-% if ( $cgi->param($i->key. $n) ne '' ) {
-% $conf->set($i->key, $cgi->param($i->key. $n));
-% } else {
-% $conf->delete($i->key);
-% }
-% } elsif ( $type eq 'editlist' || $type eq 'selectmultiple' ) {
-% if ( scalar(@{[ $cgi->param($i->key. $n) ]}) ) {
-% $conf->set($i->key, join("\n", @{[ $cgi->param($i->key. $n) ]} ));
-% } else {
-% $conf->delete($i->key);
-% }
-% } else {
-% }
-% $n++;
-% }
-% # warn @touch;
-% $conf->touch($_) foreach @touch;
-% $conf->delete($_) foreach @delete;
-% }
-%
-%
+<%init>
+die "access denied\n"
+ unless $FS::CurrentUser::CurrentUser->access_right('Configuration');
+
+# errant GET/POST protection
+my $Vars = scalar($cgi->Vars);
+my $num_Vars = scalar(keys %$Vars);
+die "only received $num_Vars params; errant or truncated GET/POST?".
+ " aborting - not updating config\n"
+ unless $num_Vars > 100;
+
+my $conf = new FS::Conf;
+$FS::Conf::DEBUG = 1;
+my @config_items = $conf->config_items;
+
+foreach my $i ( @config_items ) {
+ my @touch = ();
+ my @delete = ();
+ my $n = 0;
+ foreach my $type ( ref($i->type) ? 
@{$i->type} : $i->type ) {
+ if ( $type eq '' ) {
+ } elsif ( $type eq 'textarea' ) {
+ if ( $cgi->param($i->key. $n) ne '' ) {
+ my $value = $cgi->param($i->key. $n);
+ $value =~ s/\r\n/\n/g; #browsers?
+ $conf->set($i->key, $value);
+ } else {
+ $conf->delete($i->key);
+ }
+ } elsif ( $type eq 'checkbox' ) {
+# if ( defined($cgi->param($i->key. $n)) && $cgi->param($i->key. $n) ) {
+ if ( defined $cgi->param($i->key. $n) ) {
+ #$conf->touch($i->key);
+ push @touch, $i->key;
+ } else {
+ #$conf->delete($i->key);
+ push @delete, $i->key;
+ }
+ } elsif ( $type eq 'text' || $type eq 'select' || $type eq 'select-sub' ) {
+ if ( $cgi->param($i->key. $n) ne '' ) {
+ $conf->set($i->key, $cgi->param($i->key. $n));
+ } else {
+ $conf->delete($i->key);
+ }
+ } elsif ( $type eq 'editlist' || $type eq 'selectmultiple' ) {
+ if ( scalar(@{[ $cgi->param($i->key. $n) ]}) ) {
+ $conf->set($i->key, join("\n", @{[ $cgi->param($i->key. $n) ]} ));
+ } else {
+ $conf->delete($i->key);
+ }
+ } else {
+ }
+ $n++;
+ }
+ # warn @touch;
+ $conf->touch($_) foreach @touch;
+ $conf->delete($_) foreach @delete;
+}
+
+
 <% $cgi->redirect("config-view.cgi") %>
diff --git a/httemplate/config/config-view.cgi b/httemplate/config/config-view.cgi
index ff7913d78..91ba33769 100644
--- a/httemplate/config/config-view.cgi
+++ b/httemplate/config/config-view.cgi
@@ -1,4 +1,3 @@
-
 <% include("/elements/header.html",'View Configuration', menubar( 'Main Menu' => $p, 'Edit Configuration' => 'config.cgi' ) ) %>
 % my $conf = new FS::Conf; my @config_items = $conf->config_items;
@@ -90,3 +89,7 @@
+<%init>
+die "access denied"
+ unless $FS::CurrentUser::CurrentUser->access_right('Configuration');
+
diff --git a/httemplate/config/config.cgi b/httemplate/config/config.cgi
index 369314d98..6c3a51aca 100644
--- a/httemplate/config/config.cgi
+++ b/httemplate/config/config.cgi
@@ -1,4 +1,3 @@
-
 <% include("/elements/header.html",'Edit Configuration', menubar( 'Main Menu' => $p ) ) %>
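Review bot: The access_right gate added at the top of `<%init>` does not stop a cross-site request: `$cgi->Vars` and `$cgi->param` in CGI.pm read query-string and body parameters alike, so nothing here rejects a GET or a form submitted from another origin, and an authenticated admin who loads an attacker-controlled page would have every config key set or — for any param absent from that submission — deleted under their own session. A method check beside the ACL line, `die "POST required\n" unless $cgi->request_method eq 'POST';`, is the cheap part; a per-session token verified in the same block is the real fix, unless the framework already supplies one outside this file. The `unless $num_Vars > 100` tripwire is a sensible truncation guard but a bare magic number: a deployment where unchecked checkboxes and empty text fields leave fewer than 100 submitted params would have legitimate saves die here, so either derive the floor from `scalar(@config_items)` or add a comment explaining why 100 is a safe lower bound. `$FS::Conf::DEBUG = 1;` is carried over unchanged into the new `<%init>`; if that flag logs the values being written, any credentials stored in the config end up in the log, so confirm it is meant to stay on in this handler.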
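Review bot: `die "access denied"` in the `<%init>` added to config-view.cgi lacks the trailing newline that the identical check in config-process.cgi carries, so Perl appends ` at <component path> line N.` to the message; if that text reaches the browser it discloses the on-disk path, and the two gates should read the same anyway — `die "access denied\n"`. The block sits at the end of the file, which is fine because Mason runs `<%init>` before the component body, but a short comment such as `# evaluated before any output despite sitting at the bottom of the file` would spare the next reader the question of whether the header has already been sent when this dies. The closing `</%init>` tag and the hunk's three context lines do not appear in this rendering; presumably the extractor stripped them as markup rather than the commit omitting them.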