|
|
Re: Letting any user remove jobs: msg#00021printing.cups.devel
Michael Sweet wrote: > Anders Blomdell wrote: > > ... > > One more comment: Doesn't that allow everything for all users? I > > don't want them to fiddle with configuration, only wih the queues. > > If you mean you want to allow all users to be able to cancel jobs, > but not to start/stop/accept/reject/configure printers, then you'll > want to look at the cancel_job() code in scheduler/ipp.c; just remove > the check for a valid user... Patch that allows finegrained control attached. Now I can specify that anybody can {start, stop, reject, accept} on printers and {hold, release} on jobs by specifying: <Location /jobs/?op=hold-job> SkipJobOwnerValidation true Allow From x.y.z.w/24 </Location> <Location /jobs/?op=release-job> SkipJobOwnerValidation true Allow From x.y.z.w/24 </Location> <Location /admin/?op=stop-printer> Allow From x.y.z.w/24 </Location> <Location /admin/?op=start-printer> Allow From x.y.z.w/24 </Location> <Location /admin/?op=accept-jobs> Allow From x.y.z.w/24 </Location> <Location /admin/?op=reject-jobs> Allow From x.y.z.w/24 </Location> <Location /admin/> # !!! Necessary to avoid infinite loop on /admin/?op=* above Allow From x.y.z.w/24 </Location> <Location /admin/?op> Deny From x.y.z.w/24 </Location> Regards Anders Blomdell Patch below: --- cups-1.1.22rc2.orig/scheduler/auth.h 2004-08-23 20:00:59.000000000 +0200 +++ cups-1.1.22rc2/scheduler/auth.h 2004-10-22 10:05:17.994136744 +0200 @@ -98,6 +98,7 @@ int num_deny; /* Number of Deny lines */ authmask_t *deny; /* Deny lines */ http_encryption_t encryption; /* To encrypt or not to encrypt... */ + int skip_owner_validation; /* Should job ownership be honored */ } location_t; diff -urb cups-1.1.22rc2.orig/scheduler/conf.c cups-1.1.22rc2/scheduler/conf.c --- cups-1.1.22rc2.orig/scheduler/conf.c 2004-08-23 20:00:59.000000000 +0200 +++ cups-1.1.22rc2/scheduler/conf.c 2004-10-22 09:56:16.960386376 +0200 @@ -2040,6 +2040,25 @@ LogMessage(L_WARN, "Unknown Satisfy value %s on line %d.", value, linenum); } + else if (strcasecmp(name, "SkipJobOwnerValidation") == 0) + { + if (strcasecmp(value, "true") == 0 || + strcasecmp(value, "on") == 0 || + strcasecmp(value, "enabled") == 0 || + strcasecmp(value, "yes") == 0 || + atoi(value) != 0) + loc->skip_owner_validation = TRUE; + else if (strcasecmp(value, "false") == 0 || + strcasecmp(value, "off") == 0 || + strcasecmp(value, "disabled") == 0 || + strcasecmp(value, "no") == 0 || + strcasecmp(value, "0") == 0) + loc->skip_owner_validation = FALSE; + else + LogMessage(L_ERROR, "Unknown boolean value %s on line %d.", + value, linenum); + + } else LogMessage(L_ERROR, "Unknown Location directive %s on line %d.", name, linenum); diff -urb cups-1.1.22rc2.orig/scheduler/ipp.c cups-1.1.22rc2/scheduler/ipp.c --- cups-1.1.22rc2.orig/scheduler/ipp.c 2004-10-04 22:23:54.000000000 +0200 +++ cups-1.1.22rc2/scheduler/ipp.c 2004-10-22 11:29:49.674124192 +0200 @@ -149,7 +149,7 @@ static void stop_printer(client_t *con, ipp_attribute_t *uri); static void validate_job(client_t *con, ipp_attribute_t *uri); static int validate_user(client_t *con, const char *owner, char *username, - int userlen); + int userlen, char *op); /* @@ -1830,7 +1830,7 @@ * See if the job is owned by the requesting user... */ - if (!validate_user(con, job->username, username, sizeof(username))) + if (!validate_user(con, job->username, username, sizeof(username), "cancel-job")) { LogMessage(L_ERROR, "cancel_job: \"%s\" not authorized to delete job id %d owned by \"%s\"!", username, jobid, job->username); @@ -4123,7 +4123,7 @@ * See if the job is owned by the requesting user... */ - if (!validate_user(con, job->username, username, sizeof(username))) + if (!validate_user(con, job->username, username, sizeof(username), "hold-job")) { LogMessage(L_ERROR, "hold_job: \"%s\" not authorized to hold job id %d owned by \"%s\"!", username, jobid, job->username); @@ -4278,7 +4278,7 @@ * See if the job is owned by the requesting user... */ - if (!validate_user(con, job->username, username, sizeof(username))) + if (!validate_user(con, job->username, username, sizeof(username), "move-job")) { LogMessage(L_ERROR, "move_job: \"%s\" not authorized to move job id %d owned by \"%s\"!", username, jobid, job->username); @@ -5509,7 +5509,7 @@ * See if the job is owned by the requesting user... */ - if (!validate_user(con, job->username, username, sizeof(username))) + if (!validate_user(con, job->username, username, sizeof(username), "release-job")) { LogMessage(L_ERROR, "release_job: \"%s\" not authorized to release job id %d owned by \"%s\"!", username, jobid, job->username); @@ -5673,7 +5673,7 @@ * See if the job is owned by the requesting user... */ - if (!validate_user(con, job->username, username, sizeof(username))) + if (!validate_user(con, job->username, username, sizeof(username), "restart-job")) { LogMessage(L_ERROR, "restart_job: \"%s\" not authorized to restart job id %d owned by \"%s\"!", username, jobid, job->username); @@ -5808,7 +5808,7 @@ * See if the job is owned by the requesting user... */ - if (!validate_user(con, job->username, username, sizeof(username))) + if (!validate_user(con, job->username, username, sizeof(username), "send-document")) { LogMessage(L_ERROR, "send_document: \"%s\" not authorized to send document for job id %d owned by \"%s\"!", username, jobid, job->username); @@ -6262,7 +6262,7 @@ * See if the job is owned by the requesting user... */ - if (!validate_user(con, job->username, username, sizeof(username))) + if (!validate_user(con, job->username, username, sizeof(username), "set-job-attrs")) { LogMessage(L_ERROR, "set_job_attrs: \"%s\" not authorized to alter job id %d owned by \"%s\"!", username, jobid, job->username); @@ -6785,7 +6785,8 @@ validate_user(client_t *con, /* I - Client connection */ const char *owner, /* I - Owner of job/resource */ char *username, /* O - Authenticated username */ - int userlen) /* I - Length of username */ + int userlen, /* I - Length of username */ + char *op) /* I - Operation to validate */ { int i, j; /* Looping vars */ ipp_attribute_t *attr; /* requesting-user-name attribute */ @@ -6816,6 +6817,32 @@ strlcpy(username, "anonymous", userlen); /* + * Check if we should do user validation + */ + if (op != NULL) + { + /* Create an uri '/jobs/?op=<op>' to match against, this happens to match the + * uri passed by the web admin interface + */ + static char *prefix = "/jobs/?op="; + char *uri = malloc(strlen(prefix) + strlen(op) + 1); + if (uri) + { + location_t *best; /* Best match for authentication */ + + strcpy(uri, prefix); + strcat(uri, op); + best = FindBest(uri, con->http.state); /* Perhaps we should force the http state? */ + free(uri); /* Done with uri, free it before returning */ + if (best->skip_owner_validation) + { + LogMessage(L_DEBUG2, "Skipped owner validation for: '%s'\n", con->username); + return (1); + } + } + } + + /* * Check the username against the owner... */ |
|
| <Prev in Thread] | Current Thread | [Next in Thread> |
|---|---|---|
| Previous by Date: | Re: pstops filter: 00021, pipitas |
|---|---|
| Next by Date: | Development of CUPS Filter: 00021, alex-0oCsfqmDL6BZroRs9YW3xA |
| Previous by Thread: | Re: Letting any user remove jobsi: 00021, Michael Sweet |
| Next by Thread: | Net::CUPS 0.35 has been released.: 00021, D. Hageman |
| Indexes: | [Date] [Thread] [Top] [All Lists] |
| News | FAQ | advertise |