From 7f318277f141a73207ec64f8521ba410a5743215 Mon Sep 17 00:00:00 2001 From: Oren Hurvitz Date: Sun, 11 Sep 2011 20:52:35 +0300 Subject: When creating an OAR, optionally exclude objects according to their permissions --- .../Archiver/ArchiveWriteRequestPreparation.cs | 106 ++++++++++++++++++++- .../CoreModules/World/Archiver/ArchiverModule.cs | 1 + .../World/Permissions/PermissionsModule.cs | 89 ++++++++++------- 3 files changed, 156 insertions(+), 40 deletions(-) (limited to 'OpenSim/Region/CoreModules') diff --git a/OpenSim/Region/CoreModules/World/Archiver/ArchiveWriteRequestPreparation.cs b/OpenSim/Region/CoreModules/World/Archiver/ArchiveWriteRequestPreparation.cs index 10a83ee..b895afe 100644 --- a/OpenSim/Region/CoreModules/World/Archiver/ArchiveWriteRequestPreparation.cs +++ b/OpenSim/Region/CoreModules/World/Archiver/ArchiveWriteRequestPreparation.cs @@ -127,6 +127,12 @@ namespace OpenSim.Region.CoreModules.World.Archiver EntityBase[] entities = m_scene.GetEntities(); List sceneObjects = new List(); + + string checkPermissions = null; + int numObjectsSkippedPermissions = 0; + Object temp; + if (options.TryGetValue("checkPermissions", out temp)) + checkPermissions = (string)temp; // Filter entities so that we only have scene objects. // FIXME: Would be nicer to have this as a proper list in SceneGraph, since lots of methods @@ -136,9 +142,19 @@ namespace OpenSim.Region.CoreModules.World.Archiver if (entity is SceneObjectGroup) { SceneObjectGroup sceneObject = (SceneObjectGroup)entity; - + if (!sceneObject.IsDeleted && !sceneObject.IsAttachment) - sceneObjects.Add((SceneObjectGroup)entity); + { + if (!CanUserArchiveObject(m_scene.RegionInfo.EstateSettings.EstateOwner, sceneObject, checkPermissions)) + { + // The user isn't allowed to copy/transfer this object, so it will not be included in the OAR. + ++numObjectsSkippedPermissions; + } + else + { + sceneObjects.Add(sceneObject); + } + } } } @@ -159,7 +175,14 @@ namespace OpenSim.Region.CoreModules.World.Archiver { m_log.DebugFormat("[ARCHIVER]: Not saving assets since --noassets was specified"); } - + + if (numObjectsSkippedPermissions > 0) + { + m_log.DebugFormat( + "[ARCHIVER]: {0} scene objects skipped due to lack of permissions", + numObjectsSkippedPermissions); + } + // Make sure that we also request terrain texture assets RegionSettings regionSettings = m_scene.RegionInfo.RegionSettings; @@ -211,6 +234,83 @@ namespace OpenSim.Region.CoreModules.World.Archiver } /// + /// Checks whether the user has permission to export an object group to an OAR. + /// + /// The user + /// The object group + /// Which permissions to check: "C" = Copy, "T" = Transfer + /// Whether the user is allowed to export the object to an OAR + private bool CanUserArchiveObject(UUID user, SceneObjectGroup objGroup, string checkPermissions) + { + if (checkPermissions == null) + return true; + + IPermissionsModule module = m_scene.RequestModuleInterface(); + if (module == null) + return true; // this shouldn't happen + + // Check whether the user is permitted to export all of the parts in the SOG. If any + // part can't be exported then the entire SOG can't be exported. + + bool permitted = true; + //int primNumber = 1; + + foreach (SceneObjectPart obj in objGroup.Parts) + { + uint perm; + PermissionClass permissionClass = module.GetPermissionClass(user, obj); + switch (permissionClass) + { + case PermissionClass.Owner: + perm = obj.BaseMask; + break; + case PermissionClass.Group: + perm = obj.GroupMask | obj.EveryoneMask; + break; + case PermissionClass.Everyone: + default: + perm = obj.EveryoneMask; + break; + } + + bool canCopy = (perm & (uint)PermissionMask.Copy) != 0; + bool canTransfer = (perm & (uint)PermissionMask.Transfer) != 0; + + // Special case: if Everyone can copy the object then this implies it can also be + // Transferred. + // However, if the user is the Owner then we don't check EveryoneMask, because it seems that the mask + // always (incorrectly) includes the Copy bit set in this case. But that's a mistake: the viewer + // does NOT show that the object has Everyone-Copy permissions, and doesn't allow it to be copied. + if (permissionClass != PermissionClass.Owner) + { + canTransfer |= (obj.EveryoneMask & (uint)PermissionMask.Copy) != 0; + } + + + bool partPermitted = true; + if (checkPermissions.Contains("C") && !canCopy) + partPermitted = false; + if (checkPermissions.Contains("T") && !canTransfer) + partPermitted = false; + + //string name = (objGroup.PrimCount == 1) ? objGroup.Name : string.Format("{0} ({1}/{2})", obj.Name, primNumber, objGroup.PrimCount); + //m_log.DebugFormat("[ARCHIVER]: Object permissions: {0}: Base={1:X4}, Owner={2:X4}, Everyone={3:X4}, permissionClass={4}, checkPermissions={5}, canCopy={6}, canTransfer={7}, permitted={8}", + // name, obj.BaseMask, obj.OwnerMask, obj.EveryoneMask, + // permissionClass, checkPermissions, canCopy, canTransfer, permitted); + + if (!partPermitted) + { + permitted = false; + break; + } + + //++primNumber; + } + + return permitted; + } + + /// /// Create the control file for the most up to date archive /// /// diff --git a/OpenSim/Region/CoreModules/World/Archiver/ArchiverModule.cs b/OpenSim/Region/CoreModules/World/Archiver/ArchiverModule.cs index 08eb80c..f44a3ba 100644 --- a/OpenSim/Region/CoreModules/World/Archiver/ArchiverModule.cs +++ b/OpenSim/Region/CoreModules/World/Archiver/ArchiverModule.cs @@ -128,6 +128,7 @@ namespace OpenSim.Region.CoreModules.World.Archiver // ops.Add("v|version=", delegate(string v) { options["version"] = v; }); ops.Add("p|profile=", delegate(string v) { options["profile"] = v; }); ops.Add("noassets", delegate(string v) { options["noassets"] = v != null; }); + ops.Add("perm=", delegate(string v) { options["checkPermissions"] = v; }); List mainParams = ops.Parse(cmdparams); diff --git a/OpenSim/Region/CoreModules/World/Permissions/PermissionsModule.cs b/OpenSim/Region/CoreModules/World/Permissions/PermissionsModule.cs index b9bd9a4..3b661ed 100644 --- a/OpenSim/Region/CoreModules/World/Permissions/PermissionsModule.cs +++ b/OpenSim/Region/CoreModules/World/Permissions/PermissionsModule.cs @@ -39,7 +39,7 @@ using OpenSim.Services.Interfaces; namespace OpenSim.Region.CoreModules.World.Permissions { - public class PermissionsModule : IRegionModule + public class PermissionsModule : IRegionModule, IPermissionsModule { private static readonly ILog m_log = LogManager.GetLogger(MethodBase.GetCurrentMethod().DeclaringType); @@ -150,6 +150,8 @@ namespace OpenSim.Region.CoreModules.World.Permissions else m_log.Debug("[PERMISSIONS]: Enabling all region service permission checks"); + scene.RegisterModuleInterface(this); + //Register functions with Scene External Checks! m_scene.Permissions.OnBypassPermissions += BypassPermissions; m_scene.Permissions.OnSetBypassPermissions += SetBypassPermissions; @@ -574,46 +576,18 @@ namespace OpenSim.Region.CoreModules.World.Permissions if (objectOwner != UUID.Zero) objectEveryoneMask |= (uint)PrimFlags.ObjectAnyOwner; - if (m_bypassPermissions) - return objectOwnerMask; - - // Object owners should be able to edit their own content - if (user == objectOwner) - return objectOwnerMask; - - if (IsFriendWithPerms(user, objectOwner)) - { - return objectOwnerMask; - } - // Estate users should be able to edit anything in the sim if RegionOwnerIsGod is set - if (m_RegionOwnerIsGod && IsEstateManager(user) && !IsAdministrator(objectOwner)) - { - return objectOwnerMask; - } - - // Admin should be able to edit anything in the sim (including admin objects) - if (IsAdministrator(user)) - { - return objectOwnerMask; - } + PermissionClass permissionClass = GetPermissionClass(user, task); - // Users should be able to edit what is over their land. - Vector3 taskPos = task.AbsolutePosition; - ILandObject parcel = m_scene.LandChannel.GetLandObject(taskPos.X, taskPos.Y); - if (parcel != null && parcel.LandData.OwnerID == user && m_ParcelOwnerIsGod) + switch (permissionClass) { - // Admin objects should not be editable by the above - if (!IsAdministrator(objectOwner)) - { + case PermissionClass.Owner: return objectOwnerMask; - } + case PermissionClass.Group: + return objectGroupMask | objectEveryoneMask; + case PermissionClass.Everyone: + default: + return objectEveryoneMask; } - - // Group permissions - if ((task.GroupID != UUID.Zero) && IsGroupMember(task.GroupID, user, 0)) - return objectGroupMask | objectEveryoneMask; - - return objectEveryoneMask; } private uint ApplyObjectModifyMasks(uint setPermissionMask, uint objectFlagsMask) @@ -644,6 +618,47 @@ namespace OpenSim.Region.CoreModules.World.Permissions return objectFlagsMask; } + public PermissionClass GetPermissionClass(UUID user, SceneObjectPart obj) + { + if (obj == null) + return PermissionClass.Everyone; + + if (m_bypassPermissions) + return PermissionClass.Owner; + + // Object owners should be able to edit their own content + UUID objectOwner = obj.OwnerID; + if (user == objectOwner) + return PermissionClass.Owner; + + if (IsFriendWithPerms(user, objectOwner)) + return PermissionClass.Owner; + + // Estate users should be able to edit anything in the sim if RegionOwnerIsGod is set + if (m_RegionOwnerIsGod && IsEstateManager(user) && !IsAdministrator(objectOwner)) + return PermissionClass.Owner; + + // Admin should be able to edit anything in the sim (including admin objects) + if (IsAdministrator(user)) + return PermissionClass.Owner; + + // Users should be able to edit what is over their land. + Vector3 taskPos = obj.AbsolutePosition; + ILandObject parcel = m_scene.LandChannel.GetLandObject(taskPos.X, taskPos.Y); + if (parcel != null && parcel.LandData.OwnerID == user && m_ParcelOwnerIsGod) + { + // Admin objects should not be editable by the above + if (!IsAdministrator(objectOwner)) + return PermissionClass.Owner; + } + + // Group permissions + if ((obj.GroupID != UUID.Zero) && IsGroupMember(obj.GroupID, user, 0)) + return PermissionClass.Group; + + return PermissionClass.Everyone; + } + /// /// General permissions checks for any operation involving an object. These supplement more specific checks /// implemented by callers. -- cgit v1.1