From 7f2ec02802cabc98e93ac872999933b6e5be48e5 Mon Sep 17 00:00:00 2001
From: Adam Frisby
Date: Sun, 21 Oct 2007 22:15:41 +0000
Subject: * Disabled TCP Remoting Channel Security for InterRegion
communication, as it appears we are not implementing this correctly. (need to
set up certificates first) * Documented ACL class
---
OpenSim/Framework/General/PolicyManager/ACL.cs | 480 ++++++++-------
.../Region/Communications/OGS1/OGS1GridServices.cs | 2 +-
OpenSim/Region/Environment/PermissionManager.cs | 653 +++++++++++----------
3 files changed, 585 insertions(+), 550 deletions(-)
diff --git a/OpenSim/Framework/General/PolicyManager/ACL.cs b/OpenSim/Framework/General/PolicyManager/ACL.cs
index 53c1b2d..8dffe7b 100644
--- a/OpenSim/Framework/General/PolicyManager/ACL.cs
+++ b/OpenSim/Framework/General/PolicyManager/ACL.cs
@@ -1,223 +1,257 @@
-using System;
-using System.Collections.Generic;
-using System.Text;
-
-namespace OpenSim.Framework.PolicyManager
-{
- #region ACL Core Class
- ///
- /// Access Control List Engine
- ///
- public class ACL
- {
- Dictionary Roles = new Dictionary();
- Dictionary Resources = new Dictionary();
-
- public ACL AddRole(Role role)
- {
- if (Roles.ContainsKey(role.Name))
- throw new AlreadyContainsRoleException(role);
-
- Roles.Add(role.Name, role);
-
- return this;
- }
-
- public ACL AddResource(Resource resource)
- {
- Resources.Add(resource.Name, resource);
-
- return this;
- }
-
- public Permission HasPermission(string role, string resource)
- {
- if (!Roles.ContainsKey(role))
- throw new KeyNotFoundException();
-
- if (!Resources.ContainsKey(resource))
- throw new KeyNotFoundException();
-
- return Roles[role].RequestPermission(resource);
- }
-
- public ACL GrantPermission(string role, string resource)
- {
- if (!Roles.ContainsKey(role))
- throw new KeyNotFoundException();
-
- if (!Resources.ContainsKey(resource))
- throw new KeyNotFoundException();
-
- Roles[role].GivePermission(resource, Permission.Allow);
-
- return this;
- }
-
- public ACL DenyPermission(string role, string resource)
- {
- if (!Roles.ContainsKey(role))
- throw new KeyNotFoundException();
-
- if (!Resources.ContainsKey(resource))
- throw new KeyNotFoundException();
-
- Roles[role].GivePermission(resource, Permission.Deny);
-
- return this;
- }
-
- public ACL ResetPermission(string role, string resource)
- {
- if (!Roles.ContainsKey(role))
- throw new KeyNotFoundException();
-
- if (!Resources.ContainsKey(resource))
- throw new KeyNotFoundException();
-
- Roles[role].GivePermission(resource, Permission.None);
-
- return this;
- }
- }
- #endregion
-
- #region Exceptions
- ///
- /// Thrown when an ACL attempts to add a duplicate role.
- ///
- public class AlreadyContainsRoleException : Exception
- {
- protected Role m_role;
-
- public Role ErrorRole
- {
- get { return m_role; }
- }
-
- public AlreadyContainsRoleException(Role role)
- {
- m_role = role;
- }
-
- public override string ToString()
- {
- return "This ACL already contains a role called '" + m_role.Name + "'.";
- }
- }
- #endregion
-
- #region Roles and Resources
-
- ///
- /// Does this Role have permission to access a specified Resource?
- ///
- public enum Permission { Deny, None, Allow };
-
- ///
- /// A role class, for use with Users or Groups
- ///
- public class Role
- {
- private string m_name;
- private Role[] m_parents;
- private Dictionary m_resources = new Dictionary();
-
- public string Name
- {
- get { return m_name; }
- }
-
- public Permission RequestPermission(string resource)
- {
- return RequestPermission(resource, Permission.None);
- }
-
- public Permission RequestPermission(string resource, Permission current)
- {
- // Deny permissions always override any others
- if (current == Permission.Deny)
- return current;
-
- Permission temp = Permission.None;
-
- // Pickup non-None permissions
- if (m_resources.ContainsKey(resource) && m_resources[resource] != Permission.None)
- temp = m_resources[resource];
-
- if (m_parents != null)
- {
- foreach (Role parent in m_parents)
- {
- temp = parent.RequestPermission(resource, temp);
- }
- }
-
- return temp;
- }
-
- public void GivePermission(string resource, Permission perm)
- {
- m_resources[resource] = perm;
- }
-
- public Role(string name)
- {
- m_name = name;
- m_parents = null;
- }
-
- public Role(string name, Role[] parents)
- {
- m_name = name;
- m_parents = parents;
- }
- }
-
- public class Resource
- {
- private string m_name;
-
- public string Name
- {
- get { return m_name; }
- }
-
- public Resource(string name)
- {
- m_name = name;
- }
- }
-
- #endregion
-
- #region Tests
-
- class ACLTester
- {
- public ACLTester()
- {
- ACL acl = new ACL();
-
- Role Guests = new Role("Guests");
- acl.AddRole(Guests);
-
- Role[] parents = new Role[0];
- parents[0] = Guests;
-
- Role JoeGuest = new Role("JoeGuest", parents);
- acl.AddRole(JoeGuest);
-
- Resource CanBuild = new Resource("CanBuild");
- acl.AddResource(CanBuild);
-
-
- acl.GrantPermission("Guests", "CanBuild");
-
- acl.HasPermission("JoeGuest", "CanBuild");
-
- }
- }
-
- #endregion
-}
+/*
+* Copyright (c) Contributors, http://opensimulator.org/
+* See CONTRIBUTORS.TXT for a full list of copyright holders.
+*
+* Redistribution and use in source and binary forms, with or without
+* modification, are permitted provided that the following conditions are met:
+* * Redistributions of source code must retain the above copyright
+* notice, this list of conditions and the following disclaimer.
+* * Redistributions in binary form must reproduce the above copyright
+* notice, this list of conditions and the following disclaimer in the
+* documentation and/or other materials provided with the distribution.
+* * Neither the name of the OpenSim Project nor the
+* names of its contributors may be used to endorse or promote products
+* derived from this software without specific prior written permission.
+*
+* THIS SOFTWARE IS PROVIDED BY THE DEVELOPERS AS IS AND ANY
+* EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+* WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+* DISCLAIMED. IN NO EVENT SHALL THE CONTRIBUTORS BE LIABLE FOR ANY
+* DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+* (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+* ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+* SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+*
+*/
+using System;
+using System.Collections.Generic;
+using System.Text;
+
+namespace OpenSim.Framework.PolicyManager
+{
+ // ACL Class
+ // Modelled after the structure of the Zend ACL Framework Library
+ // with one key difference - the tree will search for all matching
+ // permissions rather than just the first. Deny permissions will
+ // override all others.
+
+
+ #region ACL Core Class
+ ///
+ /// Access Control List Engine
+ ///
+ public class ACL
+ {
+ Dictionary Roles = new Dictionary();
+ Dictionary Resources = new Dictionary();
+
+ public ACL AddRole(Role role)
+ {
+ if (Roles.ContainsKey(role.Name))
+ throw new AlreadyContainsRoleException(role);
+
+ Roles.Add(role.Name, role);
+
+ return this;
+ }
+
+ public ACL AddResource(Resource resource)
+ {
+ Resources.Add(resource.Name, resource);
+
+ return this;
+ }
+
+ public Permission HasPermission(string role, string resource)
+ {
+ if (!Roles.ContainsKey(role))
+ throw new KeyNotFoundException();
+
+ if (!Resources.ContainsKey(resource))
+ throw new KeyNotFoundException();
+
+ return Roles[role].RequestPermission(resource);
+ }
+
+ public ACL GrantPermission(string role, string resource)
+ {
+ if (!Roles.ContainsKey(role))
+ throw new KeyNotFoundException();
+
+ if (!Resources.ContainsKey(resource))
+ throw new KeyNotFoundException();
+
+ Roles[role].GivePermission(resource, Permission.Allow);
+
+ return this;
+ }
+
+ public ACL DenyPermission(string role, string resource)
+ {
+ if (!Roles.ContainsKey(role))
+ throw new KeyNotFoundException();
+
+ if (!Resources.ContainsKey(resource))
+ throw new KeyNotFoundException();
+
+ Roles[role].GivePermission(resource, Permission.Deny);
+
+ return this;
+ }
+
+ public ACL ResetPermission(string role, string resource)
+ {
+ if (!Roles.ContainsKey(role))
+ throw new KeyNotFoundException();
+
+ if (!Resources.ContainsKey(resource))
+ throw new KeyNotFoundException();
+
+ Roles[role].GivePermission(resource, Permission.None);
+
+ return this;
+ }
+ }
+ #endregion
+
+ #region Exceptions
+ ///
+ /// Thrown when an ACL attempts to add a duplicate role.
+ ///
+ public class AlreadyContainsRoleException : Exception
+ {
+ protected Role m_role;
+
+ public Role ErrorRole
+ {
+ get { return m_role; }
+ }
+
+ public AlreadyContainsRoleException(Role role)
+ {
+ m_role = role;
+ }
+
+ public override string ToString()
+ {
+ return "This ACL already contains a role called '" + m_role.Name + "'.";
+ }
+ }
+ #endregion
+
+ #region Roles and Resources
+
+ ///
+ /// Does this Role have permission to access a specified Resource?
+ ///
+ public enum Permission { Deny, None, Allow };
+
+ ///
+ /// A role class, for use with Users or Groups
+ ///
+ public class Role
+ {
+ private string m_name;
+ private Role[] m_parents;
+ private Dictionary m_resources = new Dictionary();
+
+ public string Name
+ {
+ get { return m_name; }
+ }
+
+ public Permission RequestPermission(string resource)
+ {
+ return RequestPermission(resource, Permission.None);
+ }
+
+ public Permission RequestPermission(string resource, Permission current)
+ {
+ // Deny permissions always override any others
+ if (current == Permission.Deny)
+ return current;
+
+ Permission temp = Permission.None;
+
+ // Pickup non-None permissions
+ if (m_resources.ContainsKey(resource) && m_resources[resource] != Permission.None)
+ temp = m_resources[resource];
+
+ if (m_parents != null)
+ {
+ foreach (Role parent in m_parents)
+ {
+ temp = parent.RequestPermission(resource, temp);
+ }
+ }
+
+ return temp;
+ }
+
+ public void GivePermission(string resource, Permission perm)
+ {
+ m_resources[resource] = perm;
+ }
+
+ public Role(string name)
+ {
+ m_name = name;
+ m_parents = null;
+ }
+
+ public Role(string name, Role[] parents)
+ {
+ m_name = name;
+ m_parents = parents;
+ }
+ }
+
+ public class Resource
+ {
+ private string m_name;
+
+ public string Name
+ {
+ get { return m_name; }
+ }
+
+ public Resource(string name)
+ {
+ m_name = name;
+ }
+ }
+
+ #endregion
+
+ #region Tests
+
+ class ACLTester
+ {
+ public ACLTester()
+ {
+ ACL acl = new ACL();
+
+ Role Guests = new Role("Guests");
+ acl.AddRole(Guests);
+
+ Role[] parents = new Role[0];
+ parents[0] = Guests;
+
+ Role JoeGuest = new Role("JoeGuest", parents);
+ acl.AddRole(JoeGuest);
+
+ Resource CanBuild = new Resource("CanBuild");
+ acl.AddResource(CanBuild);
+
+
+ acl.GrantPermission("Guests", "CanBuild");
+
+ acl.HasPermission("JoeGuest", "CanBuild");
+
+ }
+ }
+
+ #endregion
+}
diff --git a/OpenSim/Region/Communications/OGS1/OGS1GridServices.cs b/OpenSim/Region/Communications/OGS1/OGS1GridServices.cs
index 1a9584a..cc56078 100644
--- a/OpenSim/Region/Communications/OGS1/OGS1GridServices.cs
+++ b/OpenSim/Region/Communications/OGS1/OGS1GridServices.cs
@@ -327,7 +327,7 @@ namespace OpenSim.Region.Communications.OGS1
private void StartRemoting()
{
TcpChannel ch = new TcpChannel(this.serversInfo.RemotingListenerPort);
- ChannelServices.RegisterChannel(ch, true);
+ ChannelServices.RegisterChannel(ch, false); // Disabled security as Mono doesnt support this.
WellKnownServiceTypeEntry wellType = new WellKnownServiceTypeEntry(typeof(OGS1InterRegionRemoting), "InterRegions", WellKnownObjectMode.Singleton);
RemotingConfiguration.RegisterWellKnownServiceType(wellType);
diff --git a/OpenSim/Region/Environment/PermissionManager.cs b/OpenSim/Region/Environment/PermissionManager.cs
index d32ac0b..c40012d 100644
--- a/OpenSim/Region/Environment/PermissionManager.cs
+++ b/OpenSim/Region/Environment/PermissionManager.cs
@@ -1,327 +1,328 @@
-/*
-* Copyright (c) Contributors, http://opensimulator.org/
-* See CONTRIBUTORS.TXT for a full list of copyright holders.
-*
-* Redistribution and use in source and binary forms, with or without
-* modification, are permitted provided that the following conditions are met:
-* * Redistributions of source code must retain the above copyright
-* notice, this list of conditions and the following disclaimer.
-* * Redistributions in binary form must reproduce the above copyright
-* notice, this list of conditions and the following disclaimer in the
-* documentation and/or other materials provided with the distribution.
-* * Neither the name of the OpenSim Project nor the
-* names of its contributors may be used to endorse or promote products
-* derived from this software without specific prior written permission.
-*
-* THIS SOFTWARE IS PROVIDED BY THE DEVELOPERS AS IS AND ANY
-* EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
-* WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-* DISCLAIMED. IN NO EVENT SHALL THE CONTRIBUTORS BE LIABLE FOR ANY
-* DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
-* (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
-* ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
-* SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-*
-*/
-
-using libsecondlife;
-using OpenSim.Region.Environment.LandManagement;
+/*
+* Copyright (c) Contributors, http://opensimulator.org/
+* See CONTRIBUTORS.TXT for a full list of copyright holders.
+*
+* Redistribution and use in source and binary forms, with or without
+* modification, are permitted provided that the following conditions are met:
+* * Redistributions of source code must retain the above copyright
+* notice, this list of conditions and the following disclaimer.
+* * Redistributions in binary form must reproduce the above copyright
+* notice, this list of conditions and the following disclaimer in the
+* documentation and/or other materials provided with the distribution.
+* * Neither the name of the OpenSim Project nor the
+* names of its contributors may be used to endorse or promote products
+* derived from this software without specific prior written permission.
+*
+* THIS SOFTWARE IS PROVIDED BY THE DEVELOPERS AS IS AND ANY
+* EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+* WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+* DISCLAIMED. IN NO EVENT SHALL THE CONTRIBUTORS BE LIABLE FOR ANY
+* DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+* (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+* ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+* SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+*
+*/
+
+using libsecondlife;
+using OpenSim.Region.Environment.LandManagement;
using OpenSim.Region.Environment.Scenes;
-
-namespace OpenSim.Region.Environment
-{
- public class PermissionManager
- {
- protected Scene m_scene;
-
- // Bypasses the permissions engine (always returns OK)
- // disable in any production environment
- // TODO: Change this to false when permissions are a desired default
- // TODO: Move to configuration option.
- private bool m_bypassPermissions = true;
-
- public bool BypassPermissions
- {
- get { return m_bypassPermissions; }
- set { m_bypassPermissions = value; }
- }
-
-
- public PermissionManager(Scene scene)
- {
- m_scene = scene;
- }
-
- protected virtual void SendPermissionError(LLUUID user, string reason)
- {
- m_scene.EventManager.TriggerPermissionError(user, reason);
- }
-
- protected virtual bool IsAdministrator(LLUUID user)
- {
- if (m_bypassPermissions)
- {
- return true;
- }
-
- return m_scene.RegionInfo.MasterAvatarAssignedUUID == user;
- }
-
- protected virtual bool IsEstateManager(LLUUID user)
- {
- if (m_bypassPermissions)
- {
- return true;
- }
-
- return false;
- }
-
- protected virtual bool IsGridUser(LLUUID user)
- {
- return true;
- }
-
- protected virtual bool IsGuest(LLUUID user)
- {
- return false;
- }
-
- public virtual bool CanRezObject(LLUUID user, LLVector3 position)
- {
- bool permission = false;
-
- string reason = "Insufficient permission";
-
- if (IsAdministrator(user))
- {
- permission = true;
- }
- else
- {
- reason = "Not an administrator";
- }
-
- if (GenericParcelPermission(user, position))
- {
- permission = true;
- }
- else
- {
- reason = "Not the parcel owner";
- }
-
- if (!permission)
- SendPermissionError(user, reason);
-
- return permission;
- }
-
- #region Object Permissions
-
- protected virtual bool GenericObjectPermission(LLUUID user, LLUUID objId)
- {
- // Default: deny
- bool permission = false;
-
- if (!m_scene.Entities.ContainsKey(objId))
- {
- return false;
- }
-
- // If it's not an object, we cant edit it.
- if (!(m_scene.Entities[objId] is SceneObjectGroup))
- {
- return false;
- }
-
- SceneObjectGroup task = (SceneObjectGroup) m_scene.Entities[objId];
- LLUUID taskOwner = null;
-
- // Object owners should be able to edit their own content
- if (user == taskOwner)
- permission = true;
-
- // Users should be able to edit what is over their land.
- if (m_scene.LandManager.getLandObject(task.AbsolutePosition.X, task.AbsolutePosition.Y).landData.ownerID ==
- user)
- permission = true;
-
- // Estate users should be able to edit anything in the sim
- if (IsEstateManager(user))
- permission = true;
-
- // Admin objects should not be editable by the above
- if (IsAdministrator(taskOwner))
- permission = false;
-
- // Admin should be able to edit anything in the sim (including admin objects)
- if (IsAdministrator(user))
- permission = true;
-
- return permission;
- }
-
- ///
- /// Permissions check - can user delete an object?
- ///
- /// User attempting the delete
- /// Target object
- /// Has permission?
- public virtual bool CanDeRezObject(LLUUID user, LLUUID obj)
- {
- return GenericObjectPermission(user, obj);
- }
-
- public virtual bool CanEditObject(LLUUID user, LLUUID obj)
- {
- return GenericObjectPermission(user, obj);
- }
-
- public virtual bool CanReturnObject(LLUUID user, LLUUID obj)
- {
- return GenericObjectPermission(user, obj);
- }
-
- #endregion
-
- #region Communication Permissions
-
- public virtual bool GenericCommunicationPermission(LLUUID user, LLUUID target)
- {
- bool permission = false;
- string reason = "Only registered users may communicate with another account.";
-
- if (IsGridUser(user))
- permission = true;
-
- if (!IsGridUser(user))
- {
- permission = false;
- reason = "The person that you are messaging is not a registered user.";
- }
- if (IsAdministrator(user))
- permission = true;
-
- if (IsEstateManager(user))
- permission = true;
-
- if (!permission)
- SendPermissionError(user, reason);
-
- return permission;
- }
-
- public virtual bool CanInstantMessage(LLUUID user, LLUUID target)
- {
- return GenericCommunicationPermission(user, target);
- }
-
- public virtual bool CanInventoryTransfer(LLUUID user, LLUUID target)
- {
- return GenericCommunicationPermission(user, target);
- }
-
- #endregion
-
- public virtual bool CanEditScript(LLUUID user, LLUUID script)
- {
- return IsAdministrator(user);
- }
-
- public virtual bool CanRunScript(LLUUID user, LLUUID script)
- {
- return IsAdministrator(user);
- }
-
- public virtual bool CanTerraform(LLUUID user, LLVector3 position)
- {
- bool permission = false;
-
- // Estate override
- if (GenericEstatePermission(user))
- permission = true;
-
- // Land owner can terraform too
- if (GenericParcelPermission(user, m_scene.LandManager.getLandObject(position.X, position.Y)))
- permission = true;
-
- if (!permission)
- SendPermissionError(user, "Not authorized to terraform at this location.");
-
- return permission;
- }
-
- #region Estate Permissions
-
- protected virtual bool GenericEstatePermission(LLUUID user)
- {
- // Default: deny
- bool permission = false;
-
- // Estate admins should be able to use estate tools
- if (IsEstateManager(user))
- permission = true;
-
- // Administrators always have permission
- if (IsAdministrator(user))
- permission = true;
-
- return permission;
- }
-
- public virtual bool CanEditEstateTerrain(LLUUID user)
- {
- return GenericEstatePermission(user);
- }
-
- #endregion
-
- #region Parcel Permissions
-
- protected virtual bool GenericParcelPermission(LLUUID user, Land parcel)
- {
- bool permission = false;
-
- if (parcel.landData.ownerID == user)
- permission = true;
-
- if (parcel.landData.isGroupOwned)
- {
- // TODO: Need to do some extra checks here. Requires group code.
- }
-
- if (IsEstateManager(user))
- permission = true;
-
- if (IsAdministrator(user))
- permission = true;
-
- return permission;
- }
-
- protected virtual bool GenericParcelPermission(LLUUID user, LLVector3 pos)
- {
- return GenericParcelPermission(user, m_scene.LandManager.getLandObject(pos.X, pos.Y));
- }
-
- public virtual bool CanEditParcel(LLUUID user, Land parcel)
- {
- return GenericParcelPermission(user, parcel);
- }
-
- public virtual bool CanSellParcel(LLUUID user, Land parcel)
- {
- return GenericParcelPermission(user, parcel);
- }
-
- public virtual bool CanAbandonParcel(LLUUID user, Land parcel)
- {
- return GenericParcelPermission(user, parcel);
- }
-
- #endregion
- }
-}
+using OpenSim.Framework.PolicyManager;
+
+namespace OpenSim.Region.Environment
+{
+ public class PermissionManager
+ {
+ protected Scene m_scene;
+
+ // Bypasses the permissions engine (always returns OK)
+ // disable in any production environment
+ // TODO: Change this to false when permissions are a desired default
+ // TODO: Move to configuration option.
+ private bool m_bypassPermissions = true;
+
+ public bool BypassPermissions
+ {
+ get { return m_bypassPermissions; }
+ set { m_bypassPermissions = value; }
+ }
+
+
+ public PermissionManager(Scene scene)
+ {
+ m_scene = scene;
+ }
+
+ protected virtual void SendPermissionError(LLUUID user, string reason)
+ {
+ m_scene.EventManager.TriggerPermissionError(user, reason);
+ }
+
+ protected virtual bool IsAdministrator(LLUUID user)
+ {
+ if (m_bypassPermissions)
+ {
+ return true;
+ }
+
+ return m_scene.RegionInfo.MasterAvatarAssignedUUID == user;
+ }
+
+ protected virtual bool IsEstateManager(LLUUID user)
+ {
+ if (m_bypassPermissions)
+ {
+ return true;
+ }
+
+ return false;
+ }
+
+ protected virtual bool IsGridUser(LLUUID user)
+ {
+ return true;
+ }
+
+ protected virtual bool IsGuest(LLUUID user)
+ {
+ return false;
+ }
+
+ public virtual bool CanRezObject(LLUUID user, LLVector3 position)
+ {
+ bool permission = false;
+
+ string reason = "Insufficient permission";
+
+ if (IsAdministrator(user))
+ {
+ permission = true;
+ }
+ else
+ {
+ reason = "Not an administrator";
+ }
+
+ if (GenericParcelPermission(user, position))
+ {
+ permission = true;
+ }
+ else
+ {
+ reason = "Not the parcel owner";
+ }
+
+ if (!permission)
+ SendPermissionError(user, reason);
+
+ return permission;
+ }
+
+ #region Object Permissions
+
+ protected virtual bool GenericObjectPermission(LLUUID user, LLUUID objId)
+ {
+ // Default: deny
+ bool permission = false;
+
+ if (!m_scene.Entities.ContainsKey(objId))
+ {
+ return false;
+ }
+
+ // If it's not an object, we cant edit it.
+ if (!(m_scene.Entities[objId] is SceneObjectGroup))
+ {
+ return false;
+ }
+
+ SceneObjectGroup task = (SceneObjectGroup) m_scene.Entities[objId];
+ LLUUID taskOwner = null;
+
+ // Object owners should be able to edit their own content
+ if (user == taskOwner)
+ permission = true;
+
+ // Users should be able to edit what is over their land.
+ if (m_scene.LandManager.getLandObject(task.AbsolutePosition.X, task.AbsolutePosition.Y).landData.ownerID ==
+ user)
+ permission = true;
+
+ // Estate users should be able to edit anything in the sim
+ if (IsEstateManager(user))
+ permission = true;
+
+ // Admin objects should not be editable by the above
+ if (IsAdministrator(taskOwner))
+ permission = false;
+
+ // Admin should be able to edit anything in the sim (including admin objects)
+ if (IsAdministrator(user))
+ permission = true;
+
+ return permission;
+ }
+
+ ///
+ /// Permissions check - can user delete an object?
+ ///
+ /// User attempting the delete
+ /// Target object
+ /// Has permission?
+ public virtual bool CanDeRezObject(LLUUID user, LLUUID obj)
+ {
+ return GenericObjectPermission(user, obj);
+ }
+
+ public virtual bool CanEditObject(LLUUID user, LLUUID obj)
+ {
+ return GenericObjectPermission(user, obj);
+ }
+
+ public virtual bool CanReturnObject(LLUUID user, LLUUID obj)
+ {
+ return GenericObjectPermission(user, obj);
+ }
+
+ #endregion
+
+ #region Communication Permissions
+
+ public virtual bool GenericCommunicationPermission(LLUUID user, LLUUID target)
+ {
+ bool permission = false;
+ string reason = "Only registered users may communicate with another account.";
+
+ if (IsGridUser(user))
+ permission = true;
+
+ if (!IsGridUser(user))
+ {
+ permission = false;
+ reason = "The person that you are messaging is not a registered user.";
+ }
+ if (IsAdministrator(user))
+ permission = true;
+
+ if (IsEstateManager(user))
+ permission = true;
+
+ if (!permission)
+ SendPermissionError(user, reason);
+
+ return permission;
+ }
+
+ public virtual bool CanInstantMessage(LLUUID user, LLUUID target)
+ {
+ return GenericCommunicationPermission(user, target);
+ }
+
+ public virtual bool CanInventoryTransfer(LLUUID user, LLUUID target)
+ {
+ return GenericCommunicationPermission(user, target);
+ }
+
+ #endregion
+
+ public virtual bool CanEditScript(LLUUID user, LLUUID script)
+ {
+ return IsAdministrator(user);
+ }
+
+ public virtual bool CanRunScript(LLUUID user, LLUUID script)
+ {
+ return IsAdministrator(user);
+ }
+
+ public virtual bool CanTerraform(LLUUID user, LLVector3 position)
+ {
+ bool permission = false;
+
+ // Estate override
+ if (GenericEstatePermission(user))
+ permission = true;
+
+ // Land owner can terraform too
+ if (GenericParcelPermission(user, m_scene.LandManager.getLandObject(position.X, position.Y)))
+ permission = true;
+
+ if (!permission)
+ SendPermissionError(user, "Not authorized to terraform at this location.");
+
+ return permission;
+ }
+
+ #region Estate Permissions
+
+ protected virtual bool GenericEstatePermission(LLUUID user)
+ {
+ // Default: deny
+ bool permission = false;
+
+ // Estate admins should be able to use estate tools
+ if (IsEstateManager(user))
+ permission = true;
+
+ // Administrators always have permission
+ if (IsAdministrator(user))
+ permission = true;
+
+ return permission;
+ }
+
+ public virtual bool CanEditEstateTerrain(LLUUID user)
+ {
+ return GenericEstatePermission(user);
+ }
+
+ #endregion
+
+ #region Parcel Permissions
+
+ protected virtual bool GenericParcelPermission(LLUUID user, Land parcel)
+ {
+ bool permission = false;
+
+ if (parcel.landData.ownerID == user)
+ permission = true;
+
+ if (parcel.landData.isGroupOwned)
+ {
+ // TODO: Need to do some extra checks here. Requires group code.
+ }
+
+ if (IsEstateManager(user))
+ permission = true;
+
+ if (IsAdministrator(user))
+ permission = true;
+
+ return permission;
+ }
+
+ protected virtual bool GenericParcelPermission(LLUUID user, LLVector3 pos)
+ {
+ return GenericParcelPermission(user, m_scene.LandManager.getLandObject(pos.X, pos.Y));
+ }
+
+ public virtual bool CanEditParcel(LLUUID user, Land parcel)
+ {
+ return GenericParcelPermission(user, parcel);
+ }
+
+ public virtual bool CanSellParcel(LLUUID user, Land parcel)
+ {
+ return GenericParcelPermission(user, parcel);
+ }
+
+ public virtual bool CanAbandonParcel(LLUUID user, Land parcel)
+ {
+ return GenericParcelPermission(user, parcel);
+ }
+
+ #endregion
+ }
+}
--
cgit v1.1