* Reworked the security checks for move/copy commands. Theoretically it's

  performing all the same checks, but the code is far more readable.

diff --git a/citadel/ChangeLog b/citadel/ChangeLog
index f32c50544acea5388f76555cf2773728a6cbcab0..72342a14996b6e3319df09bb8fc9d1ed45104983 100644 (file)
--- a/citadel/ChangeLog
+++ b/citadel/ChangeLog
@@ -1,4 +1,8 @@
  $Log$
+ Revision 621.4  2004/05/31 15:19:14  ajc
+ * Reworked the security checks for move/copy commands.  Theoretically it's
+   performing all the same checks, but the code is far more readable.
+
  Revision 621.3  2004/05/26 18:13:15  nbryant
  * stress.c: silence warning
 
@@ -5800,3 +5804,4 @@ Sat Jul 11 00:20:48 EDT 1998 Nathan Bryant <bryant@cs.usm.maine.edu>
 
 Fri Jul 10 1998 Art Cancro <ajc@uncensored.citadel.org>
        * Initial CVS import
+

diff --git a/citadel/msgbase.c b/citadel/msgbase.c
index 9a5c3980982d81af2fa2b965b4db5801a16f01f8..d0088482c423f6ba139788cdefd8804fb4d47431 100644 (file)
--- a/citadel/msgbase.c
+++ b/citadel/msgbase.c
@@ -2934,6 +2934,7 @@ void cmd_move(char *args)
        int err;
        int is_copy = 0;
        int ra;
+       int permit = 0;
 
        num = extract_long(args, 0);
        extract(targ, args, 1);
@@ -2941,24 +2942,38 @@ void cmd_move(char *args)
        is_copy = extract_int(args, 2);
 
        if (getroom(&qtemp, targ) != 0) {
-               cprintf("%d '%s' does not exist.\n", ERROR + ROOM_NOT_FOUND, targ);
+               cprintf("%d '%s' does not exist.\n",
+                       ERROR + ROOM_NOT_FOUND, targ);
                return;
        }
 
        getuser(&CC->user, CC->curr_user);
        ra = CtdlRoomAccess(&qtemp, &CC->user);
+
+       /* Check for permission to perform this operation.
+        * Remember: "CC->room" is source, "qtemp" is target.
+        */
+       permit = 0;
+
        /* Aides can move/copy */
-       if ((CC->user.axlevel < 6)
-           /* Roomaides can move/copy */
-           && (CC->user.usernum != CC->room.QRroomaide)
-           /* Permit move/copy from personal rooms */
-           && (!((CC->room.QRflags & QR_MAILBOX)
-                           && (qtemp.QRflags & QR_MAILBOX)))
-           /* Permit only copy from public to personal room */
-           && (!(is_copy && (CC->room.QRflags & QR_MAILBOX)
-                           || (qtemp.QRflags & QR_MAILBOX)))
-           /* User must have access to target room */
-           && !((ra & UA_KNOWN))) {
+       if (CC->user.axlevel >= 6) permit = 1;
+
+       /* Room aides can move/copy */
+       if (CC->user.usernum == CC->room.QRroomaide) permit = 1;
+
+       /* Permit move/copy from personal rooms */
+       if ((CC->room.QRflags & QR_MAILBOX)
+          && (qtemp.QRflags & QR_MAILBOX)) permit = 1;
+
+       /* Permit only copy from public to personal room */
+       if ( (is_copy)
+          && (!(CC->room.QRflags & QR_MAILBOX))
+          && (qtemp.QRflags & QR_MAILBOX)) permit = 1;
+
+       /* User must have access to target room */
+       if (!(ra & UA_KNOWN))  permit = 0;
+
+       if (!permit) {
                cprintf("%d Higher access required.\n",
                        ERROR + HIGHER_ACCESS_REQUIRED);
                return;