secures DB dumps
Project: http://git-wip-us.apache.org/repos/asf/incubator-trafficcontrol/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-trafficcontrol/commit/3fd65ec9 Tree: http://git-wip-us.apache.org/repos/asf/incubator-trafficcontrol/tree/3fd65ec9 Diff: http://git-wip-us.apache.org/repos/asf/incubator-trafficcontrol/diff/3fd65ec9 Branch: refs/heads/master Commit: 3fd65ec919e51f40b5165e42c5e36271463db860 Parents: 4dc701c Author: Derek Gelinas <derek_geli...@cable.comcast.com> Authored: Mon Mar 13 18:59:45 2017 -0400 Committer: Jeremy Mitchell <mitchell...@gmail.com> Committed: Tue Mar 14 14:21:45 2017 -0600
----------------------------------------------------------------------
traffic_ops/app/lib/UI/GenDbDump.pm | 5 +++ traffic_ops/app/templates/tools/db_dump.html.ep | 34 +++++++++++--------- 2 files changed, 24 insertions(+), 15 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-trafficcontrol/blob/3fd65ec9/traffic_ops/app/lib/UI/GenDbDump.pm
----------------------------------------------------------------------
diff --git a/traffic_ops/app/lib/UI/GenDbDump.pm b/traffic_ops/app/lib/UI/GenDbDump.pm
index 600b77d..80ce1bd 100644
--- a/traffic_ops/app/lib/UI/GenDbDump.pm
+++ b/traffic_ops/app/lib/UI/GenDbDump.pm
@@ -17,6 +17,7 @@ package UI::GenDbDump;
 #
 use Mojo::Base 'Mojolicious::Controller';
 use Data::Dumper;
+use UI::Utils;
 
 sub dbdump {
 	my $self = shift;
@@ -32,6 +33,10 @@ sub dbdump {
 		$self->internal_server_error( { Error => "Error dumping database" } );
 		return;
 	}
+	if ( !&is_oper($self) ) {
+		$self->internal_server_error( { Error => "Insufficient permissions for DB Dump. Admin access is required." } );
+		return;
+	}
 
 	# slurp it in..
 	undef $/;
http://git-wip-us.apache.org/repos/asf/incubator-trafficcontrol/blob/3fd65ec9/traffic_ops/app/templates/tools/db_dump.html.ep
----------------------------------------------------------------------
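Review bot: The new `is_oper` guard in the second hunk runs only after the dump has already been produced — it sits below the `Error dumping database` branch, so an unauthorized request still performs the dump and is refused only afterwards; the check belongs at the top of `dbdump`, before any work is done with the request (the head of `dbdump` between the two hunks is not shown, so the exact insertion point is outside this view). The refusal also goes through `internal_server_error`, which reports an authorization failure as a 500; a 403-style response would be more accurate for clients and for anyone reviewing access logs. Minor style: `!&is_oper($self)` uses the `&` call form, and `if ( !is_oper($self) ) {` reads cleaner. The message says admin access is required while the predicate is named `is_oper`; worth confirming that both map to the same privilege level as the template's `$priv_level >= 20`.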
diff --git a/traffic_ops/app/templates/tools/db_dump.html.ep b/traffic_ops/app/templates/tools/db_dump.html.ep
index 52d97c4..8a5d353 100644
--- a/traffic_ops/app/templates/tools/db_dump.html.ep
+++ b/traffic_ops/app/templates/tools/db_dump.html.ep
@@ -31,19 +31,23 @@ $(function () {
 <body>
 %= include 'navbar'
-	<div id=accordion>
-		<h3><a href="#">Download a database dump</a></h3>
-		<div>
-			<script>
-				function downloadsqlfunction() {
-					window.location = "/dbdump?filename=" + $('#filename').val();
-				}
-			</script>
-			Filename: <input id="filename" value="<%= $filename %>" size=70/>
-			<br>
-			<br>
-			<button class="button" type="button" onclick="downloadsqlfunction()">Download DB dump</button>
-		</div>
-	</div>
-	</body>
+	<div id=accordion>
+		<h3><a href="#">Download a database dump</a></h3>
+		<% if ($priv_level >= 20) { %>
+		<div>
+			<script>
+				function downloadsqlfunction() {
+					window.location = "/dbdump?filename=" + $('#filename').val();
+				}
+			</script>
+			Filename: <input id="filename" value="<%= $filename %>" size=70/>
+			<br>
+			<br>
+			<button class="button" type="button" onclick="downloadsqlfunction()">Download DB dump</button>
+		</div>
+		<% } else { %>
+			<h2> This operation is for ADMINS only!!!!</h2>
+		<% } %>
+	</div>
+</body>
 </html>
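Review bot: The template hard-codes the privilege threshold as `$priv_level >= 20`, duplicating in the view a rule the controller expresses as `is_oper`; if the two ever diverge, users will either see a download button whose request is refused or be told the operation is admin-only when the server would accept it. Keeping the threshold in one place (a named constant or the same helper the controller uses) avoids that drift, and it is worth a comment that this branch is only a convenience while the controller check is what enforces access. The line `window.location = "/dbdump?filename=" + $('#filename').val();` is unchanged apart from indentation, but it concatenates the raw field value into the query string; `encodeURIComponent($('#filename').val())` keeps names containing `&` or `#` intact. The `<h2> This operation is for ADMINS only!!!!</h2>` wording is a style nit — a plain sentence without the exclamation marks fits the rest of the page.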