Web UI: allow users from trusted Active Directory forest manage IPA

Extend Web UI logic to decide whether default Web UI view should have a full menu or should be confined to a self-service interface. Standard logic in FreeIPA Web UI is to combine two facts: * for IPA users membership in `admins` group is used to indicate full menu should be shown * for AD users the fact that ID override object is presented by IPA `whoami` command is used to confine to a self-service interface With the change to allow user ID overrides from a default trust view to be members of groups and roles, we can unify the administrative privileges checks for both IPA and AD users. Fixed: https://pagure.io/freeipa/issue/8335 Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2025-02-25 18:55:28 -06:00 · 2020-06-03 13:12:06 +03:00
parent 306304bb7f
commit 0ba64b1ac3
1 changed files with 18 additions and 12 deletions
--- a/install/ui/src/freeipa/Application_controller.js
+++ b/install/ui/src/freeipa/Application_controller.js
@@ -238,23 +238,26 @@ define([
            IPA.logout();
        },

-        is_selfservice: function() {
-            var whoami = IPA.whoami.data;
-            var self_service = true;
-
+        is_admin: function(whoami) {
            if (whoami.hasOwnProperty('memberof_group') &&
                whoami.memberof_group.indexOf('admins') !== -1) {
-                self_service = false;
+                return true;
            } else if (whoami.hasOwnProperty('memberofindirect_group')&&
                    whoami.memberofindirect_group.indexOf('admins') !== -1) {
-                self_service = false;
+                return true;
            } else if (whoami.hasOwnProperty('memberof_role') &&
                    whoami.memberof_role.length > 0) {
-                self_service = false;
+                return true;
            } else if (whoami.hasOwnProperty('memberofindirect_role') &&
                    whoami.memberofindirect_role.length > 0) {
-                self_service = false;
+                return true;
            }
+            return false;
+        },
+
+        is_selfservice: function() {
+            var whoami = IPA.whoami.data;
+            var self_service = !this.is_admin(whoami);

            IPA.is_selfservice = self_service; // quite ugly, needed for users

@@ -262,11 +265,14 @@ define([
        },

        is_aduser_selfservice: function() {
-            var selfservice = IPA.whoami.metadata.object === 'idoverrideuser';
-            // quite ugly, needed for users and iduseroverride to hide breadcrumb
-            IPA.is_aduser_selfservice = selfservice;
+            var whoami = IPA.whoami.data;
+            var idoverride = IPA.whoami.metadata.object === 'idoverrideuser';
+            var self_service = idoverride && (this.is_admin(whoami) === false);

-            return selfservice;
+            // quite ugly, needed for users and iduseroverride to hide breadcrumb
+            IPA.is_aduser_selfservice = self_service;
+
+            return self_service;
        },

        update_logged_in: function(logged_in) {