From d67da9fd0f5fd21e0438d6676d7353342a517bea Mon Sep 17 00:00:00 2001
From: Benjamin Kellermann <Benjamin.Kellermann@gmx.de>
Date: Tue, 6 Oct 2009 13:20:12 +0200
Subject: new feature access control (requires .ht* in each dir)

---
 .htaccess      |   5 +++
 config_poll.rb | 108 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 index.cgi      |   6 ++--
 3 files changed, 117 insertions(+), 2 deletions(-)
 create mode 100644 .htaccess

diff --git a/.htaccess b/.htaccess
new file mode 100644
index 0000000..01447f6
--- /dev/null
+++ b/.htaccess
@@ -0,0 +1,5 @@
+<Files ~ "^\.ht.*">
+	deny from all
+	satisfy all
+	ErrorDocument 403 "You are not allowed to access .ht* files!"
+</Files>
diff --git a/config_poll.rb b/config_poll.rb
index 0055790..c88b0e9 100755
--- a/config_poll.rb
+++ b/config_poll.rb
@@ -41,15 +41,79 @@ class << Time
 	end
 end
 
+acusers = {}
+
 if $cgi.include?("revision")
 	REVISION=$cgi["revision"].to_i
 	table = YAML::load(VCS.cat(REVISION, "data.yaml"))
+	VCS.cat(REVISION,".htdigest").each_line{|l| 
+		v,k = l.scan(/^(.*):(.*):.*$/).flatten
+		acusers[k] = v
+	}
 else
 	table = YAML::load_file("data.yaml")
+	File.open(".htdigest","r").each_line{|l| 
+		v,k = l.scan(/^(.*):(.*):.*$/).flatten
+		acusers[k] = v
+	}
 
 	table.invite_delete($cgi["invite_delete"])	if $cgi.include?("invite_delete") and $cgi["invite_delete"] != ""
 	table.add_remove_column($cgi["add_remove_column"],$cgi["columndescription"]) if $cgi.include?("add_remove_column")
 	table.toggle_hidden if $cgi.include?("toggle_hidden")
+
+	def writehtaccess(acusers)
+		File.open(".htaccess","w"){|htaccess|
+			if acusers["admin"]
+				htaccess << <<HTACCESS
+<Files ~ "^(config|remove).cgi$">
+	AuthType digest
+	AuthName "admin"
+	AuthUserFile #{File.expand_path(".")}/.htdigest
+	Require valid-user
+</Files>
+HTACCESS
+			end
+			if acusers["participant"]
+				htaccess << <<HTACCESS
+AuthType digest
+AuthName "participant"
+AuthUserFile #{File.expand_path(".")}/.htdigest
+Require valid-user
+HTACCESS
+				VCS.commit("Access Control changed")
+			end
+		}
+	end
+
+	if $cgi.include?("ac_create")
+		user = $cgi["ac_name"]
+		# only admin and participant is allowed 
+		if user == "admin" || user == "participant"
+			fork {
+				IO.popen("htdigest .htdigest #{user} #{user}","w+"){|htdigest|
+					htdigest.sync
+					2.times{ 
+						htdigest.puts($cgi["ac_password"])
+					}
+				}
+			}
+			acusers[user] = user
+			writehtaccess(acusers)
+		end
+	elsif $cgi.include?("ac_delete_admin") || $cgi.include?("ac_delete_participant")
+		["admin", "participant"].each{|u| user = u if $cgi.include?("ac_delete_#{u}") }
+		htdigest = []
+		File.open(".htdigest","r").each_line{|line|
+			htdigest << line
+		}
+		File.open(".htdigest","w"){|f|
+			htdigest.each{|line|
+				f << line if line.scan(/^#{user}:#{user}:/).empty?
+			}
+		}
+		acusers.delete(user)
+		writehtaccess(acusers)
+	end
 end
 
 $htmlout += <<HTMLHEAD
@@ -96,6 +160,50 @@ $htmlout +=<<ADD_REMOVE
 </div>
 ADD_REMOVE
 
+$htmlout +=<<ACL
+<div id='access_control'>
+	<fieldset>
+		<legend>Change Access Control settings</legend>
+		If you want to restrict the poll, add the participant user.
+		If you want to restrict the configuration interface seperately, please add an admin user!
+		<form method='post' action=''>
+			<table>
+				<tr>
+					<th>Name</th><th>Password</th>
+				</tr>
+ACL
+acusers.each{|action,user|
+		$htmlout += <<USER
+<tr>
+	<td>#{user}</td>
+	<td>*****************</td>
+	<td>
+		<input type='submit' name='ac_delete_#{user}' value='delete' />
+	</td>
+</tr>
+USER
+}
+$htmlout += <<ACL
+				<tr>
+					<td>
+						<select name='ac_name'>
+							<option value='participant'>participant</option>
+							<option value='admin'>admin</option>
+						</select>
+					</td>
+					<td>
+						<input size='16' value="" type='password' name='ac_password' />
+					</td>
+					<td>
+						<input type='submit' name='ac_create' value='add' />
+					</td>
+				</tr>
+			</table>
+		</form>
+	</fieldset>
+</div>
+ACL
+
 $htmlout +=<<HIDDEN
 <div id='toggle_hidden'>
 	<fieldset>
diff --git a/index.cgi b/index.cgi
index 36d2e3c..2119781 100755
--- a/index.cgi
+++ b/index.cgi
@@ -57,8 +57,10 @@ if $cgi.include?("create_poll")
 		File.symlink("../atom_single.rb","atom.cgi")
 		File.symlink("../config_poll.rb","config.cgi")
 		File.symlink("../remove_poll.rb","remove.cgi")
-		File.open("data.yaml","w").close
-		VCS.add("data.yaml")
+		["data.yaml",".htaccess",".htdigest"].each{|f|
+			File.open(f,"w").close
+			VCS.add(f)
+		}
 		case $cgi["poll_type"]
 		when "Poll"
 			Poll.new SITE
-- 
cgit v1.2.3