From: Jo-Philipp Wich <jow@openwrt.org>
Date: Thu, 12 Sep 2013 11:10:30 +0000 (+0200)
Subject: session: support negative group expressions
X-Git-Url: http://git.archive.openwrt.org/?p=project%2Frpcd.git;a=commitdiff_plain;h=296c9d9ceb421bbf2a5c1b7c2e4d8167845fec93

session: support negative group expressions

This change allows excluding specific groups after a wildcard expression.
The following example would grant read access to any acl group except the
group named "example".

  list read '*'
  list read '!example'
---

diff --git a/session.c b/session.c
index dad7bf1..3cac6d9 100644
--- a/session.c
+++ b/session.c
@@ -863,6 +863,7 @@ static bool
 rpc_login_test_permission(struct uci_section *s,
                           const char *perm, const char *group)
 {
+	const char *p;
 	struct uci_option *o;
 	struct uci_element *e, *l;
 
@@ -883,9 +884,30 @@ rpc_login_test_permission(struct uci_section *s,
 		if (strcmp(o->e.name, perm))
 			continue;
 
-		uci_foreach_element(&o->v.list, l)
-			if (l->name && !fnmatch(l->name, group, 0))
+		/* Match negative expressions first. If a negative expression matches
+		 * the current group name then deny access. */
+		uci_foreach_element(&o->v.list, l) {
+			p = l->name;
+
+			if (!p || *p != '!')
+				continue;
+
+			while (isspace(*++p));
+
+			if (!*p)
+				continue;
+
+			if (!fnmatch(p, group, 0))
+				return false;
+		}
+
+		uci_foreach_element(&o->v.list, l) {
+			if (!l->name || !*l->name || *l->name == '!')
+				continue;
+
+			if (!fnmatch(l->name, group, 0))
 				return true;
+		}
 	}
 
 	/* make sure that write permission implies read permission */