Restrict access to some parts of the UI to those in the admins group

This commit is contained in:
Rob Crittenden 2007-11-13 11:15:07 -05:00
parent cd489f0a73
commit 5011f64243
4 changed files with 41 additions and 14 deletions


@ -2,6 +2,11 @@ from turbogears.identity.soprovider import *
from turbogears.identity.visitor import *
import logging
import os
import ipa.ipaclient
from ipaserver import funcs
import ipa.config
import ipa.group
import ipa.user
log = logging.getLogger("turbogears.identity")
@ -15,7 +20,25 @@ class IPA_User(object):
(principal, realm) = user_name.split('@')
self.display_name = principal
self.permissions = None
self.groups = None
transport = funcs.IPAServer()
client = ipa.ipaclient.IPAClient(transport)
client.set_krbccache(os.environ["KRB5CCNAME"])
try:
user = client.get_user_by_principal(user_name, ['dn'])
self.groups = []
groups = client.get_groups_by_member(user.dn, ['dn', 'cn'])
if isinstance(groups, str):
groups = [groups]
for ginfo in groups:
# cn may be multi-valued, add them all just in case
cn = ginfo.getValue('cn')
if isinstance(cn, str):
cn = [cn]
for c in cn:
self.groups.append(c)
except:
raise
return
class ProxyIdentity(object):
@ -57,7 +80,7 @@ class ProxyIdentity(object):
def _get_groups(self):
try:
return self._groups
return self._user.groups
except AttributeError:
# Groups haven't been computed yet
return None
@ -87,10 +110,14 @@ class ProxyIdentityProvider(SqlObjectIdentityProvider):
pass
def validate_identity(self, user_name, password, visit_key):
try:
user = IPA_User(user_name)
log.debug( "validate_identity %s" % user_name)
return ProxyIdentity(visit_key, user)
except:
# Something went wrong in fetching the user. Set to
# anonymous which will deny access.
return ProxyIdentity( None )
def validate_password(self, user, user_name, password):
'''Validation has already occurred in the proxy'''
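Review bot: The bare `except:` in validate_identity swallows every failure raised by the new IPA_User constructor without logging, so an LDAP outage, a missing KRB5CCNAME environment variable (a KeyError from `os.environ["KRB5CCNAME"]`) or a plain bug in the group lookup all degrade silently into an anonymous identity and are indistinguishable from a user who does not exist. Narrow it to `except Exception:` and add `log.exception("validate_identity failed for %s", user_name)` before `return ProxyIdentity( None )`, so operators can tell denied-by-design from broken infrastructure. The `try: ... except: raise` around the group lookup in IPA_User is then a no-op and can be dropped. Group membership is also snapshotted when the identity is built, so removing someone from admins presumably only takes effect once a new identity is created; if that is intended, a one-line comment on IPA_User saying so would help. IPA_User's class header and the rest of validate_password lie outside the hunks.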


@ -37,7 +37,7 @@ class GroupController(IPAController):
raise turbogears.redirect("/group/list")
@expose("ipagui.templates.groupnew")
@identity.require(identity.not_anonymous())
@identity.require(identity.in_group("admins"))
def new(self, tg_errors=None):
"""Displays the new group form"""
if tg_errors:
@ -49,7 +49,7 @@ class GroupController(IPAController):
return dict(form=group_new_form, group={})
@expose()
@identity.require(identity.not_anonymous())
@identity.require(identity.in_group("admins"))
def create(self, **kw):
"""Creates a new group"""
self.restrict_post()
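Review bot: The group name `"admins"` is now a bare string literal in GroupController.new and create, and the same literal is repeated in UserController.new and create in this commit; a single `ADMIN_GROUP = "admins"` constant shared by both controllers would keep the policy in one place and make it grep-able. Replacing `identity.not_anonymous()` rather than combining with it relies on `in_group` coping with an anonymous identity whose `groups` is None, which is what ProxyIdentity._get_groups returns in this commit's identity-provider change; `@identity.require(identity.All(identity.not_anonymous(), identity.in_group("admins")))` makes the ordering explicit and sidesteps that case. Only new and create are gated here; whether the edit or delete handlers of these controllers need the same restriction is not visible in the hunks.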


@ -96,7 +96,7 @@ class UserController(IPAController):
raise turbogears.redirect("/user/list")
@expose("ipagui.templates.usernew")
@identity.require(identity.not_anonymous())
@identity.require(identity.in_group("admins"))
def new(self, tg_errors=None):
"""Displays the new user form"""
if tg_errors:
@ -106,7 +106,7 @@ class UserController(IPAController):
return dict(form=user_new_form, user={})
@expose()
@identity.require(identity.not_anonymous())
@identity.require(identity.in_group("admins"))
def create(self, **kw):
"""Creates a new user"""
self.restrict_post()


@ -70,19 +70,19 @@
<div id="sidebar">
<h2>Tasks</h2>
<ul>
<li><a href="${tg.url('/user/new')}">Add Person</a></li>
<li py:if="'admins' in tg.identity.groups"><a href="${tg.url('/user/new')}">Add Person</a></li>
<li><a href="${tg.url('/user/list')}">Find People</a></li>
</ul>
<ul>
<li><a href="${tg.url('/group/new')}">Add Group</a></li>
<li py:if="'admins' in tg.identity.groups"><a href="${tg.url('/group/new')}">Add Group</a></li>
<li><a href="${tg.url('/group/list')}">Find Groups</a></li>
</ul>
<ul>
<li><a href="${tg.url('/policy/index')}">Manage Policy</a></li>
<li py:if="'admins' in tg.identity.groups"><a href="${tg.url('/policy/index')}">Manage Policy</a></li>
<li><a href="${tg.url('/user/edit/', principal=tg.identity.user.display_name)}">Self Service</a></li>
</ul>
<ul>
<li><a href="${tg.url('/delegate/list')}">Delegations</a></li>
<li py:if="'admins' in tg.identity.groups"><a href="${tg.url('/delegate/list')}">Delegations</a></li>
</ul>
</div>
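Review bot: Hiding the links with `'admins' in tg.identity.groups` is presentation only: the controllers in this commit add the in_group check to the user and group new/create handlers, but nothing here gates `/policy/index` or `/delegate/list`, so unless those controllers already enforce it a non-admin can still reach them by typing the URL. Also, the identity provider's _get_groups returns None for an anonymous identity, in which case this expression raises TypeError and the page fails to render; `py:if="'admins' in (tg.identity.groups or [])"` is safe in both cases. If the sidebar is never rendered for anonymous visitors the second point is moot.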