From 123c93f92c575eeb4344f918b86112937b8cb4e8 Mon Sep 17 00:00:00 2001 From: Serhii Tsymbaliuk Date: Mon, 19 Aug 2019 17:28:57 +0200 Subject: [PATCH] WebUI: Make 'Unlock' option is available only on locked user page The implementation includes checking password policy for selected user. 'Unlock' option is available only in case user reached a limit of login failures. Ticket: https://pagure.io/freeipa/issue/5062 Signed-off-by: Serhii Tsymbaliuk Reviewed-By: Petr Vobornik Reviewed-By: Armando Neto --- install/ui/src/freeipa/user.js | 32 +++++++++++++++++++++++--------- ipatests/test_webui/test_user.py | 3 ++- 2 files changed, 25 insertions(+), 10 deletions(-) diff --git a/install/ui/src/freeipa/user.js b/install/ui/src/freeipa/user.js index 714e55d4e..fb626f2a1 100644 --- a/install/ui/src/freeipa/user.js +++ b/install/ui/src/freeipa/user.js @@ -445,7 +445,7 @@ return { label: '@i18n:objects.user.unlock', needs_confirm: true, hide_cond: ['preserved-user'], - disable_cond: ['no-password'], + enable_cond: ['is-locked'], confirm_msg: '@i18n:objects.user.unlock_confirm' }, { @@ -481,7 +481,7 @@ return { }, IPA.user.self_service_other_user_evaluator, IPA.user.preserved_user_evaluator, - IPA.user.no_password_evaluator, + IPA.user.is_locked_evaluator, IPA.object_class_evaluator, IPA.cert.certificate_evaluator ], @@ -1120,15 +1120,21 @@ IPA.user.deleter_dialog = function(spec) { return that; }; -IPA.user.no_password_evaluator = function(spec) { +IPA.user.is_locked_evaluator = function(spec) { spec = spec || {}; spec.event = spec.event || 'post_load'; var that = IPA.state_evaluator(spec); - that.name = spec.name || 'no_password_evaluator'; - that.param = spec.param || 'has_password'; - that.adapter = builder.build('adapter', { $type: 'adapter'}, { context: that }); + that.name = spec.name || 'is_locked_evaluator'; + that.user_adapter = builder.build('adapter', { + $type: 'object_adapter', + result_index: 0 + }, {}); + that.pw_policy_adapter = builder.build('adapter', { + $type: 'object_adapter', + result_index: 1 + }, {}); /** * Evaluates if user has no password @@ -1138,9 +1144,17 @@ IPA.user.no_password_evaluator = function(spec) { var old_state = that.state; that.state = []; - var has_password = that.adapter.load(data)[0]; - if (!has_password) { - that.state.push('no-password'); + var user = that.user_adapter.get_record(data); + var pw_policy = that.pw_policy_adapter.get_record(data); + + if (user.krbloginfailedcount) { + // In case there is no permission to check password policy we + // allow to unlock user even if he has only one failed login. + var max_failure = pw_policy ? pw_policy.krbpwdmaxfailure[0] : 1; + + if (user.krbloginfailedcount[0] >= max_failure) { + that.state.push('is-locked'); + } } that.notify_on_change(old_state); diff --git a/ipatests/test_webui/test_user.py b/ipatests/test_webui/test_user.py index 1a3465c04..9b889235a 100644 --- a/ipatests/test_webui/test_user.py +++ b/ipatests/test_webui/test_user.py @@ -211,7 +211,8 @@ class test_user(user_tasks): self.reset_password_action(pwd) self.assert_text_field('has_password', '******') - self.action_list_action('unlock') + # unlock option should be disabled for new user + self.assert_action_list_action('unlock', enabled=False) # delete self.delete_action(user.ENTITY, user.PKEY, action='delete_active_user')