From 296c9d9ceb421bbf2a5c1b7c2e4d8167845fec93 Mon Sep 17 00:00:00 2001
From: Jo-Philipp Wich
Date: Thu, 12 Sep 2013 13:10:30 +0200
Subject: [PATCH] session: support negative group expressions

This change allows excluding specific groups after a wildcard expression. The following example would grant read access to any acl group except the group named "example".

list read '*'
list read '!example'
---
 session.c | 26 ++++++++++++++++++++++++--
 1 file changed, 24 insertions(+), 2 deletions(-)

diff --git a/session.c b/session.c
index dad7bf1..3cac6d9 100644
--- a/session.c
+++ b/session.c
@@ -863,6 +863,7 @@ static bool
 rpc_login_test_permission(struct uci_section *s,
 const char *perm, const char *group)
 {
+ const char *p;
 struct uci_option *o;
 struct uci_element *e, *l;
@@ -883,9 +884,30 @@ rpc_login_test_permission(struct uci_section *s,
 if (strcmp(o->e.name, perm))
 continue;
- uci_foreach_element(&o->v.list, l)
- if (l->name && !fnmatch(l->name, group, 0))
+ /* Match negative expressions first. If a negative expression matches
+ * the current group name then deny access. */
+ uci_foreach_element(&o->v.list, l) {
+ p = l->name;
+
+ if (!p || *p != '!')
+ continue;
+ while (isspace(*++p));
+ if (!*p)
+ continue;
+ if (!fnmatch(p, group, 0))
+ return false;
+ }
+
+ uci_foreach_element(&o->v.list, l) {
+ if (!l->name || !*l->name || *l->name == '!')
+ continue;
+ if (!fnmatch(l->name, group, 0))
 return true;
+ }
 }
 /* make sure that write permission implies read permission */
--
2.25.1
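Review bot: `while (isspace(*++p));` in the new negative-expression loop of the second hunk passes a plain `char` to `isspace()`, which is undefined behaviour for negative values other than EOF when `char` is signed, so a list entry containing a non-ASCII byte right after the `!` can misbehave; write it as `while (isspace((unsigned char)*++p)) { }`, where the braces also make the deliberately empty body visible. The hunk does not show the include list, so please confirm `<ctype.h>` is included, since this looks like the first use of `isspace()` in this function. Note also that a negative match returns false immediately, so the write-implies-read fallback announced by the trailing context comment is presumably never consulted for a group excluded from `read`; if that is intended, extending the comment above the loop with a sentence such as `A negative match is final and is not overridden by write permission.` would spare the next reader the question. rpc_login_test_permission's body continues outside the hunk.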