* Add allowed_script_editors to OpenSim.ini in the same fashion as allowed_script_creators.

* This allows one to override normal OpenSim permissions and prevent non-gods from editing any scripts.  This allows edit ability 
to be rescinded after it has been given, and prevents the security hole where a single script with liberal perms would allow code changes.
* The default setting remains the existing one of never overruling normal edit permissions.
* These two settings may be enough to stop non-gods entering artbirary script code in a closed grid/standalone configuration.
0.6.1-post-fixes
Justin Clarke Casey 2008-11-17 19:55:32 +00:00
parent 7ced8d136a
commit 6052ed4707
2 changed files with 21 additions and 9 deletions

View File

@ -87,10 +87,10 @@ namespace OpenSim.Region.Environment.Modules.World.Permissions
private UserSet m_allowedScriptCreators = UserSet.All; private UserSet m_allowedScriptCreators = UserSet.All;
/// <value> /// <value>
/// The set of users that are allowed to view (and in Second Life, edit) scripts. This is only active if /// The set of users that are allowed to edit (save) scripts. This is only active if
/// permissions are not being bypassed. This overrides normal permissions.- /// permissions are not being bypassed. This overrides normal permissions.-
/// </value> /// </value>
//private UserSet m_allowedScriptViewers = UserSet.All; private UserSet m_allowedScriptEditors = UserSet.All;
#endregion #endregion
@ -171,6 +171,8 @@ namespace OpenSim.Region.Environment.Modules.World.Permissions
m_allowedScriptCreators m_allowedScriptCreators
= ParseUserSetConfigSetting(myConfig, "allowed_script_creators", m_allowedScriptCreators); = ParseUserSetConfigSetting(myConfig, "allowed_script_creators", m_allowedScriptCreators);
m_allowedScriptEditors
= ParseUserSetConfigSetting(myConfig, "allowed_script_editors", m_allowedScriptEditors);
if (m_bypassPermissions) if (m_bypassPermissions)
m_log.Info("[PERMISSIONS]: serviceside_object_permissions = false in ini file so disabling all region service permission checks"); m_log.Info("[PERMISSIONS]: serviceside_object_permissions = false in ini file so disabling all region service permission checks");
@ -239,7 +241,6 @@ namespace OpenSim.Region.Environment.Modules.World.Permissions
m_scene.EventManager.OnPluginConsole += new EventManager.OnPluginConsoleDelegate(EventManager_OnPluginConsole); m_scene.EventManager.OnPluginConsole += new EventManager.OnPluginConsoleDelegate(EventManager_OnPluginConsole);
} }
public void PostInitialise() public void PostInitialise()
{ {
} }
@ -302,7 +303,7 @@ namespace OpenSim.Region.Environment.Modules.World.Permissions
rawSetting, settingName, userSet); rawSetting, settingName, userSet);
} }
//m_log.DebugFormat("[PERMISSIONS]: {0} {1}", settingName, userSet); m_log.DebugFormat("[PERMISSIONS]: {0} {1}", settingName, userSet);
return userSet; return userSet;
} }
@ -725,7 +726,10 @@ namespace OpenSim.Region.Environment.Modules.World.Permissions
DebugPermissionInformation(MethodInfo.GetCurrentMethod().Name); DebugPermissionInformation(MethodInfo.GetCurrentMethod().Name);
if (m_bypassPermissions) return m_bypassPermissionsValue; if (m_bypassPermissions) return m_bypassPermissionsValue;
// If you can view it, you can edit it if (m_allowedScriptEditors == UserSet.Administrators && !IsAdministrator(user))
return false;
// Ordinarily, if you can view it, you can edit it
// There is no viewing a no mod script // There is no viewing a no mod script
// //
return CanViewScript(script, objectID, user, scene); return CanViewScript(script, objectID, user, scene);
@ -817,7 +821,6 @@ namespace OpenSim.Region.Environment.Modules.World.Permissions
DebugPermissionInformation(MethodInfo.GetCurrentMethod().Name); DebugPermissionInformation(MethodInfo.GetCurrentMethod().Name);
if (m_bypassPermissions) return m_bypassPermissionsValue; if (m_bypassPermissions) return m_bypassPermissionsValue;
return GenericCommunicationPermission(user, target); return GenericCommunicationPermission(user, target);
} }

View File

@ -141,6 +141,15 @@
; Default value is all ; Default value is all
; allowed_script_creators = all ; allowed_script_creators = all
; Control user types that are allowed to edit (save) scripts
; Only enforced if serviceside_object_permissions is true
;
; Current possible values are
; all - anyone can edit scripts (subject to normal permissions)
; gods - only administrators can edit scripts (as long as allow_grid_gods is true)
; Default value is all
; allowed_script_editors = all
; ## ; ##
; ## SCRIPT ENGINE ; ## SCRIPT ENGINE
; ## ; ##