WebUI: Make 'Unlock' option is available only on locked user page

The implementation checks the password policy for the selected user.
The 'Unlock' option is available only when the user has reached the limit of login failures.

Ticket: https://pagure.io/freeipa/issue/5062
Signed-off-by: Serhii Tsymbaliuk <stsymbal@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
Serhii Tsymbaliuk 2019-08-19 17:28:57 +02:00 committed by Florence Blanc-Renaud
parent 2e0850e70e
commit 123c93f92c
2 changed files with 25 additions and 10 deletions


@ -445,7 +445,7 @@ return {
label: '@i18n:objects.user.unlock', label: '@i18n:objects.user.unlock',
needs_confirm: true, needs_confirm: true,
hide_cond: ['preserved-user'], hide_cond: ['preserved-user'],
disable_cond: ['no-password'], enable_cond: ['is-locked'],
confirm_msg: '@i18n:objects.user.unlock_confirm' confirm_msg: '@i18n:objects.user.unlock_confirm'
}, },
{ {
@ -481,7 +481,7 @@ return {
}, },
IPA.user.self_service_other_user_evaluator, IPA.user.self_service_other_user_evaluator,
IPA.user.preserved_user_evaluator, IPA.user.preserved_user_evaluator,
IPA.user.no_password_evaluator, IPA.user.is_locked_evaluator,
IPA.object_class_evaluator, IPA.object_class_evaluator,
IPA.cert.certificate_evaluator IPA.cert.certificate_evaluator
], ],
@ -1120,15 +1120,21 @@ IPA.user.deleter_dialog = function(spec) {
return that; return that;
}; };
IPA.user.no_password_evaluator = function(spec) { IPA.user.is_locked_evaluator = function(spec) {
spec = spec || {}; spec = spec || {};
spec.event = spec.event || 'post_load'; spec.event = spec.event || 'post_load';
var that = IPA.state_evaluator(spec); var that = IPA.state_evaluator(spec);
that.name = spec.name || 'no_password_evaluator'; that.name = spec.name || 'is_locked_evaluator';
that.param = spec.param || 'has_password'; that.user_adapter = builder.build('adapter', {
that.adapter = builder.build('adapter', { $type: 'adapter'}, { context: that }); $type: 'object_adapter',
result_index: 0
}, {});
that.pw_policy_adapter = builder.build('adapter', {
$type: 'object_adapter',
result_index: 1
}, {});
/** /**
* Evaluates if user has no password * Evaluates if user has no password
@ -1138,9 +1144,17 @@ IPA.user.no_password_evaluator = function(spec) {
var old_state = that.state; var old_state = that.state;
that.state = []; that.state = [];
var has_password = that.adapter.load(data)[0]; var user = that.user_adapter.get_record(data);
if (!has_password) { var pw_policy = that.pw_policy_adapter.get_record(data);
that.state.push('no-password');
if (user.krbloginfailedcount) {
// In case there is no permission to check password policy we
// allow to unlock user even if he has only one failed login.
var max_failure = pw_policy ? pw_policy.krbpwdmaxfailure[0] : 1;
if (user.krbloginfailedcount[0] >= max_failure) {
that.state.push('is-locked');
}
} }
that.notify_on_change(old_state); that.notify_on_change(old_state);
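Review bot: The lock check in `is_locked_evaluator` indexes `pw_policy.krbpwdmaxfailure[0]` without checking that the attribute is present, and compares it to `user.krbloginfailedcount[0]` with `>=` without converting either value to a number. If the policy record arrives without `krbpwdmaxfailure`, this throws during `post_load`, and if the API delivers the counters as strings (not visible here) the comparison is lexicographic, so `'3' >= '10'` would be true. Consider `var max_failure = pw_policy && pw_policy.krbpwdmaxfailure ? parseInt(pw_policy.krbpwdmaxfailure[0], 10) : 1;` and `if (parseInt(user.krbloginfailedcount[0], 10) >= max_failure) {`, and decide explicitly what a limit of 0 should mean. The doc comment above the handler still reads "Evaluates if user has no password" and should describe the lock check; the function body continues past the end of the hunk. This condition only controls whether the action is enabled in the UI, so authorization for unlocking still has to be enforced by the server-side command.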


@ -211,7 +211,8 @@ class test_user(user_tasks):
self.reset_password_action(pwd) self.reset_password_action(pwd)
self.assert_text_field('has_password', '******') self.assert_text_field('has_password', '******')
self.action_list_action('unlock') # unlock option should be disabled for new user
self.assert_action_list_action('unlock', enabled=False)
# delete # delete
self.delete_action(user.ENTITY, user.PKEY, action='delete_active_user') self.delete_action(user.ENTITY, user.PKEY, action='delete_active_user')
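Review bot: Only the disabled state of the action is asserted here, so a regression in which `is-locked` is never set would still pass this test. A positive case is missing from the lines shown: once the user has reached the policy's failure limit, assert `self.assert_action_list_action('unlock', enabled=True)` and then run the unlock action. The enclosing test method starts and ends outside the hunk.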