From 6052ed470751464b577b835c0ac307f43648154f Mon Sep 17 00:00:00 2001 From: Justin Clarke Casey Date: Mon, 17 Nov 2008 19:55:32 +0000 Subject: * Add allowed_script_editors to OpenSim.ini in the same fashion as allowed_script_creators. * This allows one to override normal OpenSim permissions and prevent non-gods from editing any scripts. This allows edit ability to be rescinded after it has been given, and prevents the security hole where a single script with liberal perms would allow code changes. * The default setting remains the existing one of never overruling normal edit permissions. * These two settings may be enough to stop non-gods entering artbirary script code in a closed grid/standalone configuration. --- .../Modules/World/Permissions/PermissionsModule.cs | 21 ++++++++++++--------- bin/OpenSim.ini.example | 9 +++++++++ 2 files changed, 21 insertions(+), 9 deletions(-) diff --git a/OpenSim/Region/Environment/Modules/World/Permissions/PermissionsModule.cs b/OpenSim/Region/Environment/Modules/World/Permissions/PermissionsModule.cs index ea894ab..e41f975 100644 --- a/OpenSim/Region/Environment/Modules/World/Permissions/PermissionsModule.cs +++ b/OpenSim/Region/Environment/Modules/World/Permissions/PermissionsModule.cs @@ -87,10 +87,10 @@ namespace OpenSim.Region.Environment.Modules.World.Permissions private UserSet m_allowedScriptCreators = UserSet.All; /// - /// The set of users that are allowed to view (and in Second Life, edit) scripts. This is only active if + /// The set of users that are allowed to edit (save) scripts. This is only active if /// permissions are not being bypassed. This overrides normal permissions.- /// - //private UserSet m_allowedScriptViewers = UserSet.All; + private UserSet m_allowedScriptEditors = UserSet.All; #endregion @@ -171,6 +171,8 @@ namespace OpenSim.Region.Environment.Modules.World.Permissions m_allowedScriptCreators = ParseUserSetConfigSetting(myConfig, "allowed_script_creators", m_allowedScriptCreators); + m_allowedScriptEditors + = ParseUserSetConfigSetting(myConfig, "allowed_script_editors", m_allowedScriptEditors); if (m_bypassPermissions) m_log.Info("[PERMISSIONS]: serviceside_object_permissions = false in ini file so disabling all region service permission checks"); @@ -239,7 +241,6 @@ namespace OpenSim.Region.Environment.Modules.World.Permissions m_scene.EventManager.OnPluginConsole += new EventManager.OnPluginConsoleDelegate(EventManager_OnPluginConsole); } - public void PostInitialise() { } @@ -302,7 +303,7 @@ namespace OpenSim.Region.Environment.Modules.World.Permissions rawSetting, settingName, userSet); } - //m_log.DebugFormat("[PERMISSIONS]: {0} {1}", settingName, userSet); + m_log.DebugFormat("[PERMISSIONS]: {0} {1}", settingName, userSet); return userSet; } @@ -724,8 +725,11 @@ namespace OpenSim.Region.Environment.Modules.World.Permissions { DebugPermissionInformation(MethodInfo.GetCurrentMethod().Name); if (m_bypassPermissions) return m_bypassPermissionsValue; - - // If you can view it, you can edit it + + if (m_allowedScriptEditors == UserSet.Administrators && !IsAdministrator(user)) + return false; + + // Ordinarily, if you can view it, you can edit it // There is no viewing a no mod script // return CanViewScript(script, objectID, user, scene); @@ -817,7 +821,6 @@ namespace OpenSim.Region.Environment.Modules.World.Permissions DebugPermissionInformation(MethodInfo.GetCurrentMethod().Name); if (m_bypassPermissions) return m_bypassPermissionsValue; - return GenericCommunicationPermission(user, target); } @@ -1128,7 +1131,7 @@ namespace OpenSim.Region.Environment.Modules.World.Permissions private bool CanViewScript(UUID script, UUID objectID, UUID user, Scene scene) { DebugPermissionInformation(MethodInfo.GetCurrentMethod().Name); - if (m_bypassPermissions) return m_bypassPermissionsValue; + if (m_bypassPermissions) return m_bypassPermissionsValue; if (objectID == UUID.Zero) // User inventory { @@ -1139,7 +1142,7 @@ namespace OpenSim.Region.Environment.Modules.World.Permissions { m_log.ErrorFormat("[PERMISSIONS]: Could not find user {0} for administrator check", user); return false; - } + } if (userInfo.RootFolder == null) return false; diff --git a/bin/OpenSim.ini.example b/bin/OpenSim.ini.example index cee8da0..f34cf09 100644 --- a/bin/OpenSim.ini.example +++ b/bin/OpenSim.ini.example @@ -141,6 +141,15 @@ ; Default value is all ; allowed_script_creators = all + ; Control user types that are allowed to edit (save) scripts + ; Only enforced if serviceside_object_permissions is true + ; + ; Current possible values are + ; all - anyone can edit scripts (subject to normal permissions) + ; gods - only administrators can edit scripts (as long as allow_grid_gods is true) + ; Default value is all + ; allowed_script_editors = all + ; ## ; ## SCRIPT ENGINE ; ## -- cgit v1.1