diff options
author | Justin Clarke Casey | 2008-11-17 19:55:32 +0000 |
---|---|---|
committer | Justin Clarke Casey | 2008-11-17 19:55:32 +0000 |
commit | 6052ed470751464b577b835c0ac307f43648154f (patch) | |
tree | 0bf8462d4ca6763cd09857a797f1eeee8373fb5c | |
parent | Add a few comments (diff) | |
download | opensim-SC-6052ed470751464b577b835c0ac307f43648154f.zip opensim-SC-6052ed470751464b577b835c0ac307f43648154f.tar.gz opensim-SC-6052ed470751464b577b835c0ac307f43648154f.tar.bz2 opensim-SC-6052ed470751464b577b835c0ac307f43648154f.tar.xz |
* Add allowed_script_editors to OpenSim.ini in the same fashion as allowed_script_creators.
* This allows one to override normal OpenSim permissions and prevent non-gods from editing any scripts. This allows edit ability
to be rescinded after it has been given, and prevents the security hole where a single script with liberal perms would allow code changes.
* The default setting remains the existing one of never overruling normal edit permissions.
* These two settings may be enough to stop non-gods entering artbirary script code in a closed grid/standalone configuration.
-rw-r--r-- | OpenSim/Region/Environment/Modules/World/Permissions/PermissionsModule.cs | 21 | ||||
-rw-r--r-- | bin/OpenSim.ini.example | 9 |
2 files changed, 21 insertions, 9 deletions
diff --git a/OpenSim/Region/Environment/Modules/World/Permissions/PermissionsModule.cs b/OpenSim/Region/Environment/Modules/World/Permissions/PermissionsModule.cs index ea894ab..e41f975 100644 --- a/OpenSim/Region/Environment/Modules/World/Permissions/PermissionsModule.cs +++ b/OpenSim/Region/Environment/Modules/World/Permissions/PermissionsModule.cs | |||
@@ -87,10 +87,10 @@ namespace OpenSim.Region.Environment.Modules.World.Permissions | |||
87 | private UserSet m_allowedScriptCreators = UserSet.All; | 87 | private UserSet m_allowedScriptCreators = UserSet.All; |
88 | 88 | ||
89 | /// <value> | 89 | /// <value> |
90 | /// The set of users that are allowed to view (and in Second Life, edit) scripts. This is only active if | 90 | /// The set of users that are allowed to edit (save) scripts. This is only active if |
91 | /// permissions are not being bypassed. This overrides normal permissions.- | 91 | /// permissions are not being bypassed. This overrides normal permissions.- |
92 | /// </value> | 92 | /// </value> |
93 | //private UserSet m_allowedScriptViewers = UserSet.All; | 93 | private UserSet m_allowedScriptEditors = UserSet.All; |
94 | 94 | ||
95 | #endregion | 95 | #endregion |
96 | 96 | ||
@@ -171,6 +171,8 @@ namespace OpenSim.Region.Environment.Modules.World.Permissions | |||
171 | 171 | ||
172 | m_allowedScriptCreators | 172 | m_allowedScriptCreators |
173 | = ParseUserSetConfigSetting(myConfig, "allowed_script_creators", m_allowedScriptCreators); | 173 | = ParseUserSetConfigSetting(myConfig, "allowed_script_creators", m_allowedScriptCreators); |
174 | m_allowedScriptEditors | ||
175 | = ParseUserSetConfigSetting(myConfig, "allowed_script_editors", m_allowedScriptEditors); | ||
174 | 176 | ||
175 | if (m_bypassPermissions) | 177 | if (m_bypassPermissions) |
176 | m_log.Info("[PERMISSIONS]: serviceside_object_permissions = false in ini file so disabling all region service permission checks"); | 178 | m_log.Info("[PERMISSIONS]: serviceside_object_permissions = false in ini file so disabling all region service permission checks"); |
@@ -239,7 +241,6 @@ namespace OpenSim.Region.Environment.Modules.World.Permissions | |||
239 | m_scene.EventManager.OnPluginConsole += new EventManager.OnPluginConsoleDelegate(EventManager_OnPluginConsole); | 241 | m_scene.EventManager.OnPluginConsole += new EventManager.OnPluginConsoleDelegate(EventManager_OnPluginConsole); |
240 | } | 242 | } |
241 | 243 | ||
242 | |||
243 | public void PostInitialise() | 244 | public void PostInitialise() |
244 | { | 245 | { |
245 | } | 246 | } |
@@ -302,7 +303,7 @@ namespace OpenSim.Region.Environment.Modules.World.Permissions | |||
302 | rawSetting, settingName, userSet); | 303 | rawSetting, settingName, userSet); |
303 | } | 304 | } |
304 | 305 | ||
305 | //m_log.DebugFormat("[PERMISSIONS]: {0} {1}", settingName, userSet); | 306 | m_log.DebugFormat("[PERMISSIONS]: {0} {1}", settingName, userSet); |
306 | 307 | ||
307 | return userSet; | 308 | return userSet; |
308 | } | 309 | } |
@@ -724,8 +725,11 @@ namespace OpenSim.Region.Environment.Modules.World.Permissions | |||
724 | { | 725 | { |
725 | DebugPermissionInformation(MethodInfo.GetCurrentMethod().Name); | 726 | DebugPermissionInformation(MethodInfo.GetCurrentMethod().Name); |
726 | if (m_bypassPermissions) return m_bypassPermissionsValue; | 727 | if (m_bypassPermissions) return m_bypassPermissionsValue; |
727 | 728 | ||
728 | // If you can view it, you can edit it | 729 | if (m_allowedScriptEditors == UserSet.Administrators && !IsAdministrator(user)) |
730 | return false; | ||
731 | |||
732 | // Ordinarily, if you can view it, you can edit it | ||
729 | // There is no viewing a no mod script | 733 | // There is no viewing a no mod script |
730 | // | 734 | // |
731 | return CanViewScript(script, objectID, user, scene); | 735 | return CanViewScript(script, objectID, user, scene); |
@@ -817,7 +821,6 @@ namespace OpenSim.Region.Environment.Modules.World.Permissions | |||
817 | DebugPermissionInformation(MethodInfo.GetCurrentMethod().Name); | 821 | DebugPermissionInformation(MethodInfo.GetCurrentMethod().Name); |
818 | if (m_bypassPermissions) return m_bypassPermissionsValue; | 822 | if (m_bypassPermissions) return m_bypassPermissionsValue; |
819 | 823 | ||
820 | |||
821 | return GenericCommunicationPermission(user, target); | 824 | return GenericCommunicationPermission(user, target); |
822 | } | 825 | } |
823 | 826 | ||
@@ -1128,7 +1131,7 @@ namespace OpenSim.Region.Environment.Modules.World.Permissions | |||
1128 | private bool CanViewScript(UUID script, UUID objectID, UUID user, Scene scene) | 1131 | private bool CanViewScript(UUID script, UUID objectID, UUID user, Scene scene) |
1129 | { | 1132 | { |
1130 | DebugPermissionInformation(MethodInfo.GetCurrentMethod().Name); | 1133 | DebugPermissionInformation(MethodInfo.GetCurrentMethod().Name); |
1131 | if (m_bypassPermissions) return m_bypassPermissionsValue; | 1134 | if (m_bypassPermissions) return m_bypassPermissionsValue; |
1132 | 1135 | ||
1133 | if (objectID == UUID.Zero) // User inventory | 1136 | if (objectID == UUID.Zero) // User inventory |
1134 | { | 1137 | { |
@@ -1139,7 +1142,7 @@ namespace OpenSim.Region.Environment.Modules.World.Permissions | |||
1139 | { | 1142 | { |
1140 | m_log.ErrorFormat("[PERMISSIONS]: Could not find user {0} for administrator check", user); | 1143 | m_log.ErrorFormat("[PERMISSIONS]: Could not find user {0} for administrator check", user); |
1141 | return false; | 1144 | return false; |
1142 | } | 1145 | } |
1143 | 1146 | ||
1144 | if (userInfo.RootFolder == null) | 1147 | if (userInfo.RootFolder == null) |
1145 | return false; | 1148 | return false; |
diff --git a/bin/OpenSim.ini.example b/bin/OpenSim.ini.example index cee8da0..f34cf09 100644 --- a/bin/OpenSim.ini.example +++ b/bin/OpenSim.ini.example | |||
@@ -141,6 +141,15 @@ | |||
141 | ; Default value is all | 141 | ; Default value is all |
142 | ; allowed_script_creators = all | 142 | ; allowed_script_creators = all |
143 | 143 | ||
144 | ; Control user types that are allowed to edit (save) scripts | ||
145 | ; Only enforced if serviceside_object_permissions is true | ||
146 | ; | ||
147 | ; Current possible values are | ||
148 | ; all - anyone can edit scripts (subject to normal permissions) | ||
149 | ; gods - only administrators can edit scripts (as long as allow_grid_gods is true) | ||
150 | ; Default value is all | ||
151 | ; allowed_script_editors = all | ||
152 | |||
144 | ; ## | 153 | ; ## |
145 | ; ## SCRIPT ENGINE | 154 | ; ## SCRIPT ENGINE |
146 | ; ## | 155 | ; ## |