~mdw / secnet / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
make-secnet-sites: Don't allow setting new VPN-level props when restricted.
[secnet] / make-secnet-sites
diff --git a/make-secnet-sites b/make-secnet-sites
index b66f950..5f271e3 100755 (executable)
--- a/make-secnet-sites
+++ b/make-secnet-sites
@@ -380,13 +380,16 @@ def pline(i,allow_include=False):
                        current=nl
                obstack.append(current)
                return [i]
-       if current.allow_properties.has_key(keyword):
-               set_property(current,w)
-               return [i]
-       else:
+       if not current.allow_properties.has_key(keyword):
                complain("Property %s not allowed at %s level"%
                        (keyword,current.type))
                return []
+       elif current.depth == vpnlevel.depth < allow_defs:
+               complain("Not allowed to set VPN properties here")
+               return []
+       else:
+               set_property(current,w)
+               return [i]
 
        complain("unknown keyword '%s'"%(keyword))
 
Secnet virtual private network: clone of http://www.chiark.greenend.org.uk/ucgi/~ian/git/secnet.git/