system: prevent several creative ways to strip read-only privileges

src/www/system_groupmanager.php

@@ -65,20 +65,20 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
         $id = $_POST['groupid'];
     }
     $pconfig = $_POST;
+    $input_errors = array();
     $act = (isset($pconfig['act']) ? $pconfig['act'] : '');
-    if (isset($id) && $act == "delgroup" && isset($pconfig['groupname']) && $pconfig['groupname'] == $a_group[$id]['name']) {
-        // remove group
+
+    $user = getUserEntry($_SESSION['Username']);
+    if (userHasPrivilege($user, 'user-config-readonly')) {
+        $input_errors[] = gettext('You do not have the permission to perform this action.');
+    } elseif (isset($id) && $act == "delgroup" && isset($pconfig['groupname']) && $pconfig['groupname'] == $a_group[$id]['name']) {
         local_group_del($a_group[$id]);
         $groupdeleted = $a_group[$id]['name'];
         unset($a_group[$id]);
         write_config();
-        // reload page
         header(url_safe('Location: /system_groupmanager.php'));
         exit;
-    }  elseif (isset($pconfig['save'])) {
-        $input_errors = array();
-
-        /* input validation */
+    } elseif (isset($pconfig['save'])) {
         $reqdfields = explode(" ", "name");
         $reqdfieldsn = array(gettext("Group Name"));
 
@@ -108,6 +108,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
                 }
             }
         }
+
         if (count($input_errors) == 0) {
             $group = array();
             if (isset($id) && $a_group[$id]) {
@@ -215,11 +216,7 @@ $( document ).ready(function() {
 <section class="page-content-main">
   <div class="container-fluid">
     <div class="row">
-<?php
-      if (isset($input_errors) && count($input_errors) > 0) {
-          print_input_errors($input_errors);
-      }
-?>
+      <?php if (isset($input_errors) && count($input_errors)) print_input_errors($input_errors); ?>
       <section class="col-xs-12">
         <div class="tab-content content-box col-xs-12 table-responsive">
 <?php

src/www/system_usermanager.php

@@ -79,7 +79,6 @@ function get_user_privdesc(& $user)
 $a_user = &config_read_array('system', 'user');
 
 // reset errors and action
-$input_errors = array();
 $act = null;
 if ($_SERVER['REQUEST_METHOD'] === 'GET') {
     // process get type actions
@@ -170,8 +169,12 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
         $act = $_POST['act'];
     }
     $pconfig = $_POST;
+    $input_errors = array();
 
-    if ($act == "deluser" && isset($id)) {
+    $user = getUserEntry($_SESSION['Username']);
+    if (userHasPrivilege($user, 'user-config-readonly')) {
+        $input_errors[] = gettext('You do not have the permission to perform this action.');
+    } elseif ($act == "deluser" && isset($id)) {
         // drop user
         if ($_SESSION['Username'] === $a_user[$id]['name']) {
             $input_errors[] = gettext('You cannot delete yourself.');
@@ -220,8 +223,6 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
         header(url_safe('Location: /system_usermanager.php?savemsg=%s&act=edit&userid=%d', array($savemsg, $id)));
         exit;
     } elseif (isset($pconfig['save']) || isset($pconfig['save_close'])) {
-        // save user
-        /* input validation */
         $reqdfields = explode(' ', 'usernamefld');
         $reqdfieldsn = array(gettext('Username'));
 
@@ -559,18 +560,11 @@ $( document ).ready(function() {
 });
 </script>
 
-
   <section class="page-content-main">
     <div class="container-fluid">
       <div class="row">
-<?php
-      if (isset($input_errors) && count($input_errors) > 0) {
-          print_input_errors($input_errors);
-      }
-      if (isset($savemsg)) {
-          print_info_box($savemsg);
-      }
-?>
+        <?php if (isset($input_errors) && count($input_errors)) print_input_errors($input_errors); ?>
+        <?php if (isset($savemsg)) print_info_box($savemsg); ?>
         <section class="col-xs-12">
             <div class="tab-content content-box col-xs-12 table-responsive">
 <?php

src/www/system_usermanager_addprivs.php

@@ -1,39 +1,34 @@
 <?php
 
 /*
-    Copyright (C) 2014-2016 Deciso B.V.
-    Copyright (C) 2006 Daniel S. Haischt
-    All rights reserved.
-
-    Redistribution and use in source and binary forms, with or without
-    modification, are permitted provided that the following conditions are met:
-
-    1. Redistributions of source code must retain the above copyright notice,
-       this list of conditions and the following disclaimer.
-
-    2. Redistributions in binary form must reproduce the above copyright
-       notice, this list of conditions and the following disclaimer in the
-       documentation and/or other materials provided with the distribution.
-
-    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
-    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
-    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
-    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
-    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
-    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
-    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
-    POSSIBILITY OF SUCH DAMAGE.
-*/
+ * Copyright (C) 2014-2016 Deciso B.V.
+ * Copyright (C) 2006 Daniel S. Haischt
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
 
 require_once("guiconfig.inc");
 
-function cpusercmp($a, $b)
-{
-    return strcasecmp($a['name'], $b['name']);
-}
-
 function sort_user_privs($privs)
 {
     /* Privileges to place first, to redirect properly. */
@@ -62,8 +57,17 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
         $a_privs = &config_read_array('system', 'user', $id, 'priv');
     }
 } elseif ($_SERVER['REQUEST_METHOD'] === 'POST') {
+    $input_errors = array();
     $pconfig = $_POST;
-    if (isset($pconfig['input_type']) && isset($pconfig['id'])) {
+
+    $user = getUserEntry($_SESSION['Username']);
+    if (userHasPrivilege($user, 'user-config-readonly')) {
+        $input_errors[] = gettext('You do not have the permission to perform this action.');
+    }
+
+    if (count($input_errors)) {
+        /* FALLTHROUGH */
+    } elseif (isset($pconfig['input_type']) && isset($pconfig['id'])) {
         if ($pconfig['input_type'] == 'user' && isset($config['system']['user'][$pconfig['id']]['name'])) {
             $userid = $_POST['id'];
             $a_user = &config_read_array('system', 'user', $userid);
@@ -90,21 +94,24 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
             }
 
             if (isset($config['system']['group']) && is_array($config['system']['group'])) {
-                usort($config['system']['group'], "cpusercmp");
+                usort($config['system']['group'], function ($a, $b) {
+                    return strcasecmp($a['name'], $b['name']);
+                });
             }
 
             write_config();
             header(url_safe('Location: /system_groupmanager.php?act=edit&groupid=%s', array($groupid)));
             exit;
         }
+    } else {
+        header(url_safe('Location: /system_usermanager.php'));
+        exit;
     }
-    header(url_safe('Location: /system_usermanager.php'));
-    exit;
 }
 
 include("head.inc");
-?>
 
+?>
 <body>
 <?php include("fbegin.inc"); ?>
 <script>
@@ -157,11 +164,7 @@ include("head.inc");
 <section class="page-content-main">
   <div class="container-fluid">
     <div class="row">
-<?php
-    if (isset($input_errors) && count($input_errors) > 0) {
-        print_input_errors($input_errors);
-    }
-?>
+      <?php if (isset($input_errors) && count($input_errors) > 0) print_input_errors($input_errors); ?>
       <section class="col-xs-12">
         <div class="tab-content content-box col-xs-12">
           <form method="post" name="iform">
@@ -213,7 +216,7 @@ include("head.inc");
                                  } ?>
                                 <tr class="acl_item" data-search-phrase="<?= $pdesc . ' ' . $pnamesafe ?>">
                                     <td>
-                                        <input name="sysprivs[]" type="checkbox" value="<?=$pname;?>" <?=in_array($pname, $a_privs) ?  "checked=\"checked\"" : "";?>>
+                                        <input name="sysprivs[]" type="checkbox" value="<?= $pname ?>" <?= !empty($a_privs) && in_array($pname, $a_privs) ? 'checked="checked"' : '' ?>>
                                     </td>
                                     <td><?= $pdesc ?></td>
                                     <td><?= $pnamesafe ?></td>