From: Alan T. DeKok <aland@freeradius.org>
Date: Wed, 16 Nov 2022 12:57:23 +0000 (-0500)
Subject: add migration configuration to forbid the use of "update"
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=bd547c0d65df30847522980087e963010c543b5c;p=thirdparty%2Ffreeradius-server.git

add migration configuration to forbid the use of "update"
---

diff --git a/src/lib/server/main_config.c b/src/lib/server/main_config.c
index ec2c11c375c..ff68acc4be2 100644
--- a/src/lib/server/main_config.c
+++ b/src/lib/server/main_config.c
@@ -185,6 +185,7 @@ static const CONF_PARSER migrate_config[] = {
 	{ FR_CONF_OFFSET("parse_new_conditions", FR_TYPE_BOOL | FR_TYPE_HIDDEN, main_config_t, parse_new_conditions) },
 	{ FR_CONF_OFFSET("use_new_conditions", FR_TYPE_BOOL | FR_TYPE_HIDDEN, main_config_t, use_new_conditions) },
 	{ FR_CONF_OFFSET("rewrite_update", FR_TYPE_BOOL | FR_TYPE_HIDDEN, main_config_t, rewrite_update) },
+	{ FR_CONF_OFFSET("forbid_update", FR_TYPE_BOOL | FR_TYPE_HIDDEN, main_config_t, forbid_update) },
 	CONF_PARSER_TERMINATOR
 };
 
@@ -1445,6 +1446,7 @@ static fr_table_num_ordered_t config_arg_table[] = {
 	{ L("use_new_conditions"),	 offsetof(main_config_t, use_new_conditions) },
 	{ L("tmpl_tokenize_all_nested"), offsetof(main_config_t, tmpl_tokenize_all_nested) },
 	{ L("rewrite_update"),		 offsetof(main_config_t, rewrite_update) },
+	{ L("forbid_update"),		 offsetof(main_config_t, forbid_update) },
 };
 static size_t config_arg_table_len = NUM_ELEMENTS(config_arg_table);
 
diff --git a/src/lib/server/main_config.h b/src/lib/server/main_config.h
index 4bd204304b3..7bb03fb6d1d 100644
--- a/src/lib/server/main_config.h
+++ b/src/lib/server/main_config.h
@@ -165,6 +165,7 @@ struct main_config_s {
 	bool		parse_new_conditions;		//!< the new xlat expressions will be parsed, but not used.
 	bool		use_new_conditions;		//!< the new xlat expressions will be used for conditions, instead of the old code
 	bool		rewrite_update;			//!< rewrite "update" to be new edit sections
+	bool		forbid_update;			//!< forbid "update" sections
 };
 
 void			main_config_name_set_default(main_config_t *config, char const *name, bool overwrite_config);
diff --git a/src/lib/unlang/compile.c b/src/lib/unlang/compile.c
index b8c3e06ee93..7ce3154346f 100644
--- a/src/lib/unlang/compile.c
+++ b/src/lib/unlang/compile.c
@@ -1554,6 +1554,11 @@ static unlang_t *compile_update(unlang_t *parent, unlang_compile_t *unlang_ctx,
 		.type_name = "unlang_map_t"
 	};
 
+	if (main_config_migrate_option_get("forbid_update")) {
+		cf_log_err(cs, "The use of 'update' sections is forbidden by the server configuration");
+		return NULL;
+	}
+
 	/*
 	 *	If we're migrating "update" sections to edit, then go
 	 *	do that now.