aboutsummaryrefslogtreecommitdiffstatshomepage
diff options
context:
space:
mode:
authorJustin Clarke Casey2008-11-17 19:55:32 +0000
committerJustin Clarke Casey2008-11-17 19:55:32 +0000
commit6052ed470751464b577b835c0ac307f43648154f (patch)
tree0bf8462d4ca6763cd09857a797f1eeee8373fb5c
parentAdd a few comments (diff)
downloadopensim-SC-6052ed470751464b577b835c0ac307f43648154f.zip
opensim-SC-6052ed470751464b577b835c0ac307f43648154f.tar.gz
opensim-SC-6052ed470751464b577b835c0ac307f43648154f.tar.bz2
opensim-SC-6052ed470751464b577b835c0ac307f43648154f.tar.xz
* Add allowed_script_editors to OpenSim.ini in the same fashion as allowed_script_creators.
* This allows one to override normal OpenSim permissions and prevent non-gods from editing any scripts. This allows edit ability to be rescinded after it has been given, and prevents the security hole where a single script with liberal perms would allow code changes. * The default setting remains the existing one of never overruling normal edit permissions. * These two settings may be enough to stop non-gods entering artbirary script code in a closed grid/standalone configuration.
-rw-r--r--OpenSim/Region/Environment/Modules/World/Permissions/PermissionsModule.cs21
-rw-r--r--bin/OpenSim.ini.example9
2 files changed, 21 insertions, 9 deletions
diff --git a/OpenSim/Region/Environment/Modules/World/Permissions/PermissionsModule.cs b/OpenSim/Region/Environment/Modules/World/Permissions/PermissionsModule.cs
index ea894ab..e41f975 100644
--- a/OpenSim/Region/Environment/Modules/World/Permissions/PermissionsModule.cs
+++ b/OpenSim/Region/Environment/Modules/World/Permissions/PermissionsModule.cs
@@ -87,10 +87,10 @@ namespace OpenSim.Region.Environment.Modules.World.Permissions
87 private UserSet m_allowedScriptCreators = UserSet.All; 87 private UserSet m_allowedScriptCreators = UserSet.All;
88 88
89 /// <value> 89 /// <value>
90 /// The set of users that are allowed to view (and in Second Life, edit) scripts. This is only active if 90 /// The set of users that are allowed to edit (save) scripts. This is only active if
91 /// permissions are not being bypassed. This overrides normal permissions.- 91 /// permissions are not being bypassed. This overrides normal permissions.-
92 /// </value> 92 /// </value>
93 //private UserSet m_allowedScriptViewers = UserSet.All; 93 private UserSet m_allowedScriptEditors = UserSet.All;
94 94
95 #endregion 95 #endregion
96 96
@@ -171,6 +171,8 @@ namespace OpenSim.Region.Environment.Modules.World.Permissions
171 171
172 m_allowedScriptCreators 172 m_allowedScriptCreators
173 = ParseUserSetConfigSetting(myConfig, "allowed_script_creators", m_allowedScriptCreators); 173 = ParseUserSetConfigSetting(myConfig, "allowed_script_creators", m_allowedScriptCreators);
174 m_allowedScriptEditors
175 = ParseUserSetConfigSetting(myConfig, "allowed_script_editors", m_allowedScriptEditors);
174 176
175 if (m_bypassPermissions) 177 if (m_bypassPermissions)
176 m_log.Info("[PERMISSIONS]: serviceside_object_permissions = false in ini file so disabling all region service permission checks"); 178 m_log.Info("[PERMISSIONS]: serviceside_object_permissions = false in ini file so disabling all region service permission checks");
@@ -239,7 +241,6 @@ namespace OpenSim.Region.Environment.Modules.World.Permissions
239 m_scene.EventManager.OnPluginConsole += new EventManager.OnPluginConsoleDelegate(EventManager_OnPluginConsole); 241 m_scene.EventManager.OnPluginConsole += new EventManager.OnPluginConsoleDelegate(EventManager_OnPluginConsole);
240 } 242 }
241 243
242
243 public void PostInitialise() 244 public void PostInitialise()
244 { 245 {
245 } 246 }
@@ -302,7 +303,7 @@ namespace OpenSim.Region.Environment.Modules.World.Permissions
302 rawSetting, settingName, userSet); 303 rawSetting, settingName, userSet);
303 } 304 }
304 305
305 //m_log.DebugFormat("[PERMISSIONS]: {0} {1}", settingName, userSet); 306 m_log.DebugFormat("[PERMISSIONS]: {0} {1}", settingName, userSet);
306 307
307 return userSet; 308 return userSet;
308 } 309 }
@@ -724,8 +725,11 @@ namespace OpenSim.Region.Environment.Modules.World.Permissions
724 { 725 {
725 DebugPermissionInformation(MethodInfo.GetCurrentMethod().Name); 726 DebugPermissionInformation(MethodInfo.GetCurrentMethod().Name);
726 if (m_bypassPermissions) return m_bypassPermissionsValue; 727 if (m_bypassPermissions) return m_bypassPermissionsValue;
727 728
728 // If you can view it, you can edit it 729 if (m_allowedScriptEditors == UserSet.Administrators && !IsAdministrator(user))
730 return false;
731
732 // Ordinarily, if you can view it, you can edit it
729 // There is no viewing a no mod script 733 // There is no viewing a no mod script
730 // 734 //
731 return CanViewScript(script, objectID, user, scene); 735 return CanViewScript(script, objectID, user, scene);
@@ -817,7 +821,6 @@ namespace OpenSim.Region.Environment.Modules.World.Permissions
817 DebugPermissionInformation(MethodInfo.GetCurrentMethod().Name); 821 DebugPermissionInformation(MethodInfo.GetCurrentMethod().Name);
818 if (m_bypassPermissions) return m_bypassPermissionsValue; 822 if (m_bypassPermissions) return m_bypassPermissionsValue;
819 823
820
821 return GenericCommunicationPermission(user, target); 824 return GenericCommunicationPermission(user, target);
822 } 825 }
823 826
@@ -1128,7 +1131,7 @@ namespace OpenSim.Region.Environment.Modules.World.Permissions
1128 private bool CanViewScript(UUID script, UUID objectID, UUID user, Scene scene) 1131 private bool CanViewScript(UUID script, UUID objectID, UUID user, Scene scene)
1129 { 1132 {
1130 DebugPermissionInformation(MethodInfo.GetCurrentMethod().Name); 1133 DebugPermissionInformation(MethodInfo.GetCurrentMethod().Name);
1131 if (m_bypassPermissions) return m_bypassPermissionsValue; 1134 if (m_bypassPermissions) return m_bypassPermissionsValue;
1132 1135
1133 if (objectID == UUID.Zero) // User inventory 1136 if (objectID == UUID.Zero) // User inventory
1134 { 1137 {
@@ -1139,7 +1142,7 @@ namespace OpenSim.Region.Environment.Modules.World.Permissions
1139 { 1142 {
1140 m_log.ErrorFormat("[PERMISSIONS]: Could not find user {0} for administrator check", user); 1143 m_log.ErrorFormat("[PERMISSIONS]: Could not find user {0} for administrator check", user);
1141 return false; 1144 return false;
1142 } 1145 }
1143 1146
1144 if (userInfo.RootFolder == null) 1147 if (userInfo.RootFolder == null)
1145 return false; 1148 return false;
diff --git a/bin/OpenSim.ini.example b/bin/OpenSim.ini.example
index cee8da0..f34cf09 100644
--- a/bin/OpenSim.ini.example
+++ b/bin/OpenSim.ini.example
@@ -141,6 +141,15 @@
141 ; Default value is all 141 ; Default value is all
142 ; allowed_script_creators = all 142 ; allowed_script_creators = all
143 143
144 ; Control user types that are allowed to edit (save) scripts
145 ; Only enforced if serviceside_object_permissions is true
146 ;
147 ; Current possible values are
148 ; all - anyone can edit scripts (subject to normal permissions)
149 ; gods - only administrators can edit scripts (as long as allow_grid_gods is true)
150 ; Default value is all
151 ; allowed_script_editors = all
152
144 ; ## 153 ; ##
145 ; ## SCRIPT ENGINE 154 ; ## SCRIPT ENGINE
146 ; ## 155 ; ##