Restrict access to some parts of the UI to those in the admins group

2024-12-28 01:41:14 -06:00 · 2007-11-13 11:15:07 -05:00 · 2007-11-13 11:15:07 -05:00 · 5011f64243
commit 5011f64243
parent cd489f0a73
4 changed files with 41 additions and 14 deletions
--- a/ipa-server/ipa-gui/ipagui/proxyprovider.py
+++ b/ipa-server/ipa-gui/ipagui/proxyprovider.py
@ -2,6 +2,11 @@ from turbogears.identity.soprovider import *
 from turbogears.identity.visitor import *
 import logging
 import os
+import ipa.ipaclient
+from ipaserver import funcs
+import ipa.config
+import ipa.group
+import ipa.user

 log = logging.getLogger("turbogears.identity")

@ -15,7 +20,25 @@ class IPA_User(object):
        (principal, realm) = user_name.split('@')
        self.display_name = principal
        self.permissions = None
-        self.groups = None
+        transport = funcs.IPAServer()
+        client = ipa.ipaclient.IPAClient(transport)
+        client.set_krbccache(os.environ["KRB5CCNAME"])
+        try:
+            user = client.get_user_by_principal(user_name, ['dn'])
+            self.groups = []
+            groups = client.get_groups_by_member(user.dn, ['dn', 'cn'])
+            if isinstance(groups, str):
+                groups = [groups]
+            for ginfo in groups:
+                # cn may be multi-valued, add them all just in case
+                cn = ginfo.getValue('cn')
+                if isinstance(cn, str):
+                    cn = [cn]
+                for c in cn:
+                    self.groups.append(c)
+        except:
+            raise
+
        return

 class ProxyIdentity(object):
@ -57,7 +80,7 @@ class ProxyIdentity(object):

    def _get_groups(self):
        try:
-            return self._groups
+            return self._user.groups
        except AttributeError:
            # Groups haven't been computed yet
            return None
@ -87,10 +110,14 @@ class ProxyIdentityProvider(SqlObjectIdentityProvider):
        pass

    def validate_identity(self, user_name, password, visit_key):
-        user = IPA_User(user_name)
-        log.debug( "validate_identity %s" % user_name)
-  
-        return ProxyIdentity(visit_key, user)
+        try:
+            user = IPA_User(user_name)
+            log.debug( "validate_identity %s" % user_name)
+            return ProxyIdentity(visit_key, user)
+        except:
+            # Something went wrong in fetching the user. Set to
+            # anonymous which will deny access.
+            return ProxyIdentity( None )

    def validate_password(self, user, user_name, password):
        '''Validation has already occurred in the proxy'''
--- a/ipa-server/ipa-gui/ipagui/subcontrollers/group.py
+++ b/ipa-server/ipa-gui/ipagui/subcontrollers/group.py
@ -37,7 +37,7 @@ class GroupController(IPAController):
        raise turbogears.redirect("/group/list")

    @expose("ipagui.templates.groupnew")
-    @identity.require(identity.not_anonymous())
+    @identity.require(identity.in_group("admins"))
    def new(self, tg_errors=None):
        """Displays the new group form"""
        if tg_errors:
@ -49,7 +49,7 @@ class GroupController(IPAController):
        return dict(form=group_new_form, group={})

    @expose()
-    @identity.require(identity.not_anonymous())
+    @identity.require(identity.in_group("admins"))
    def create(self, **kw):
        """Creates a new group"""
        self.restrict_post()
--- a/ipa-server/ipa-gui/ipagui/subcontrollers/user.py
+++ b/ipa-server/ipa-gui/ipagui/subcontrollers/user.py
@ -96,7 +96,7 @@ class UserController(IPAController):
        raise turbogears.redirect("/user/list")

    @expose("ipagui.templates.usernew")
-    @identity.require(identity.not_anonymous())
+    @identity.require(identity.in_group("admins"))
    def new(self, tg_errors=None):
        """Displays the new user form"""
        if tg_errors:
@ -106,7 +106,7 @@ class UserController(IPAController):
        return dict(form=user_new_form, user={})

    @expose()
-    @identity.require(identity.not_anonymous())
+    @identity.require(identity.in_group("admins"))
    def create(self, **kw):
        """Creates a new user"""
        self.restrict_post()
--- a/ipa-server/ipa-gui/ipagui/templates/master.kid
+++ b/ipa-server/ipa-gui/ipagui/templates/master.kid
@ -70,19 +70,19 @@
      <div id="sidebar">
        <h2>Tasks</h2>
        <ul>
-        <li><a href="${tg.url('/user/new')}">Add Person</a></li>
+        <li py:if="'admins' in tg.identity.groups"><a href="${tg.url('/user/new')}">Add Person</a></li>
        <li><a href="${tg.url('/user/list')}">Find People</a></li>
        </ul>
        <ul>
-        <li><a href="${tg.url('/group/new')}">Add Group</a></li>
+        <li py:if="'admins' in tg.identity.groups"><a href="${tg.url('/group/new')}">Add Group</a></li>
        <li><a href="${tg.url('/group/list')}">Find Groups</a></li>
        </ul>
        <ul>
-        <li><a href="${tg.url('/policy/index')}">Manage Policy</a></li>
+        <li py:if="'admins' in tg.identity.groups"><a href="${tg.url('/policy/index')}">Manage Policy</a></li>
        <li><a href="${tg.url('/user/edit/', principal=tg.identity.user.display_name)}">Self Service</a></li>
        </ul>
        <ul>
-        <li><a href="${tg.url('/delegate/list')}">Delegations</a></li>
+        <li py:if="'admins' in tg.identity.groups"><a href="${tg.url('/delegate/list')}">Delegations</a></li>
        </ul>
      </div>