authorJo-Philipp Wich <jow@openwrt.org>2013-09-12 13:10:30 +0200
committerJo-Philipp Wich <jow@openwrt.org>2013-09-12 13:10:30 +0200
commit296c9d9ceb421bbf2a5c1b7c2e4d8167845fec93 (patch)
treeb2f65d12320636281cc3fa0da7de1b6324aa7bbb
parentb76addec87c94faac688469f48f843c47bf1a8de (diff)
downloadrpcd-296c9d9ceb421bbf2a5c1b7c2e4d8167845fec93.tar.gz
session: support negative group expressions
This change allows excluding specific groups after a wildcard expression. The following example would grant read access to any acl group except the group named "example". list read '*' list read '!example'
-rw-r--r--session.c26
1 files changed, 24 insertions, 2 deletions
diff --git a/session.c b/session.c
index dad7bf1..3cac6d9 100644
--- a/session.c
+++ b/session.c
@@ -863,6 +863,7 @@ static bool
rpc_login_test_permission(struct uci_section *s,
const char *perm, const char *group)
{
+ const char *p;
struct uci_option *o;
struct uci_element *e, *l;
@@ -883,9 +884,30 @@ rpc_login_test_permission(struct uci_section *s,
if (strcmp(o->e.name, perm))
continue;
- uci_foreach_element(&o->v.list, l)
- if (l->name && !fnmatch(l->name, group, 0))
+ /* Match negative expressions first. If a negative expression matches
+ * the current group name then deny access. */
+ uci_foreach_element(&o->v.list, l) {
+ p = l->name;
+
+ if (!p || *p != '!')
+ continue;
+
+ while (isspace(*++p));
+
+ if (!*p)
+ continue;
+
+ if (!fnmatch(p, group, 0))
+ return false;
+ }
+
+ uci_foreach_element(&o->v.list, l) {
+ if (!l->name || !*l->name || *l->name == '!')
+ continue;
+
+ if (!fnmatch(l->name, group, 0))
return true;
+ }
}
/* make sure that write permission implies read permission */
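Review bot: `while (isspace(*++p));` in the new negative-expression pass hands a plain `char` to `isspace()`, which is undefined behavior for any byte outside 0..127 (a non-ASCII byte in a group name read from the UCI config, on a platform where `char` is signed); cast first, `while (isspace((unsigned char)*++p));`. This is also the hunk's only use of `isspace`, so confirm that `<ctype.h>` is included in session.c, which lies outside the hunk. A one-line comment above the second loop would help a reader, e.g. `/* Positive expressions: skip empty names and the '!' entries handled above. */`, and it is worth noting there that a literal group name beginning with '!' can no longer be granted by a positive rule. rpc_login_test_permission() starts in the previous hunk and continues past the end of this one.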