Restrict access to some parts of the UI to those in the admins group
This commit is contained in:
parent
cd489f0a73
commit
5011f64243
@ -2,6 +2,11 @@ from turbogears.identity.soprovider import *
|
||||
from turbogears.identity.visitor import *
|
||||
import logging
|
||||
import os
|
||||
import ipa.ipaclient
|
||||
from ipaserver import funcs
|
||||
import ipa.config
|
||||
import ipa.group
|
||||
import ipa.user
|
||||
|
||||
log = logging.getLogger("turbogears.identity")
|
||||
|
||||
@ -15,7 +20,25 @@ class IPA_User(object):
|
||||
(principal, realm) = user_name.split('@')
|
||||
self.display_name = principal
|
||||
self.permissions = None
|
||||
self.groups = None
|
||||
transport = funcs.IPAServer()
|
||||
client = ipa.ipaclient.IPAClient(transport)
|
||||
client.set_krbccache(os.environ["KRB5CCNAME"])
|
||||
try:
|
||||
user = client.get_user_by_principal(user_name, ['dn'])
|
||||
self.groups = []
|
||||
groups = client.get_groups_by_member(user.dn, ['dn', 'cn'])
|
||||
if isinstance(groups, str):
|
||||
groups = [groups]
|
||||
for ginfo in groups:
|
||||
# cn may be multi-valued, add them all just in case
|
||||
cn = ginfo.getValue('cn')
|
||||
if isinstance(cn, str):
|
||||
cn = [cn]
|
||||
for c in cn:
|
||||
self.groups.append(c)
|
||||
except:
|
||||
raise
|
||||
|
||||
return
|
||||
|
||||
class ProxyIdentity(object):
|
||||
@ -57,7 +80,7 @@ class ProxyIdentity(object):
|
||||
|
||||
def _get_groups(self):
|
||||
try:
|
||||
return self._groups
|
||||
return self._user.groups
|
||||
except AttributeError:
|
||||
# Groups haven't been computed yet
|
||||
return None
|
||||
@ -87,10 +110,14 @@ class ProxyIdentityProvider(SqlObjectIdentityProvider):
|
||||
pass
|
||||
|
||||
def validate_identity(self, user_name, password, visit_key):
|
||||
try:
|
||||
user = IPA_User(user_name)
|
||||
log.debug( "validate_identity %s" % user_name)
|
||||
|
||||
return ProxyIdentity(visit_key, user)
|
||||
except:
|
||||
# Something went wrong in fetching the user. Set to
|
||||
# anonymous which will deny access.
|
||||
return ProxyIdentity( None )
|
||||
|
||||
def validate_password(self, user, user_name, password):
|
||||
'''Validation has already occurred in the proxy'''
|
||||
|
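Review bot: Admin authorization in this commit is keyed on the literal cn values collected in the IPA_User hunk, and every cn value of every group returned by get_groups_by_member is appended, so any group that carries "admins" as an additional cn value (or a nested/renamed group, depending on how get_groups_by_member resolves membership, which is not visible here) would satisfy in_group("admins") in the controllers. If non-admin users can modify group attributes, for example through delegation, that is a privilege-escalation path; it is safer to match membership against the admins group's DN and only then append "admins" to self.groups. The `try: ... except: raise` wrapper around the lookup is a no-op; either drop it or catch the specific lookup exception and call `log.exception("group lookup failed for %s", user_name)` before re-raising, because validate_identity's bare `except:` later turns every failure, including a KeyError from the unset KRB5CCNAME environment variable, into a silent anonymous identity. A `log.warning` in that except branch of validate_identity would make such misconfiguration visible instead of presenting as a login failure. IPA_User.__init__ starts before its hunk.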
@ -37,7 +37,7 @@ class GroupController(IPAController):
|
||||
raise turbogears.redirect("/group/list")
|
||||
|
||||
@expose("ipagui.templates.groupnew")
|
||||
@identity.require(identity.not_anonymous())
|
||||
@identity.require(identity.in_group("admins"))
|
||||
def new(self, tg_errors=None):
|
||||
"""Displays the new group form"""
|
||||
if tg_errors:
|
||||
@ -49,7 +49,7 @@ class GroupController(IPAController):
|
||||
return dict(form=group_new_form, group={})
|
||||
|
||||
@expose()
|
||||
@identity.require(identity.not_anonymous())
|
||||
@identity.require(identity.in_group("admins"))
|
||||
def create(self, **kw):
|
||||
"""Creates a new group"""
|
||||
self.restrict_post()
|
||||
|
@ -96,7 +96,7 @@ class UserController(IPAController):
|
||||
raise turbogears.redirect("/user/list")
|
||||
|
||||
@expose("ipagui.templates.usernew")
|
||||
@identity.require(identity.not_anonymous())
|
||||
@identity.require(identity.in_group("admins"))
|
||||
def new(self, tg_errors=None):
|
||||
"""Displays the new user form"""
|
||||
if tg_errors:
|
||||
@ -106,7 +106,7 @@ class UserController(IPAController):
|
||||
return dict(form=user_new_form, user={})
|
||||
|
||||
@expose()
|
||||
@identity.require(identity.not_anonymous())
|
||||
@identity.require(identity.in_group("admins"))
|
||||
def create(self, **kw):
|
||||
"""Creates a new user"""
|
||||
self.restrict_post()
|
||||
|
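Review bot: Swapping not_anonymous() for in_group("admins") on new/create relies on identity.groups being a container; the ProxyIdentity built for the anonymous case elsewhere in this commit appears to yield None from _get_groups, and as far as I recall TurboGears' in_group predicate does a plain membership test on identity.groups, which would raise TypeError rather than produce a clean identity failure and login redirect. Keeping both conditions, `@identity.require(identity.All(identity.not_anonymous(), identity.in_group("admins")))`, short-circuits on the anonymous case and preserves the previous behaviour for logged-out visitors. Only the new and create actions are shown; if these controllers also expose edit/update/delete actions they keep whatever predicate they had before, which should be checked against the intent of restricting admin-only operations. Both controller classes start before their hunks.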
@ -70,19 +70,19 @@
|
||||
<div id="sidebar">
|
||||
<h2>Tasks</h2>
|
||||
<ul>
|
||||
<li><a href="${tg.url('/user/new')}">Add Person</a></li>
|
||||
<li py:if="'admins' in tg.identity.groups"><a href="${tg.url('/user/new')}">Add Person</a></li>
|
||||
<li><a href="${tg.url('/user/list')}">Find People</a></li>
|
||||
</ul>
|
||||
<ul>
|
||||
<li><a href="${tg.url('/group/new')}">Add Group</a></li>
|
||||
<li py:if="'admins' in tg.identity.groups"><a href="${tg.url('/group/new')}">Add Group</a></li>
|
||||
<li><a href="${tg.url('/group/list')}">Find Groups</a></li>
|
||||
</ul>
|
||||
<ul>
|
||||
<li><a href="${tg.url('/policy/index')}">Manage Policy</a></li>
|
||||
<li py:if="'admins' in tg.identity.groups"><a href="${tg.url('/policy/index')}">Manage Policy</a></li>
|
||||
<li><a href="${tg.url('/user/edit/', principal=tg.identity.user.display_name)}">Self Service</a></li>
|
||||
</ul>
|
||||
<ul>
|
||||
<li><a href="${tg.url('/delegate/list')}">Delegations</a></li>
|
||||
<li py:if="'admins' in tg.identity.groups"><a href="${tg.url('/delegate/list')}">Delegations</a></li>
|
||||
</ul>
|
||||
</div>
|
||||
|
||||
|
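Review bot: Hiding the Manage Policy and Delegations links behind the admins check is presentation only; no /policy or /delegate controller action receives an in_group("admins") predicate anywhere in this commit, so a non-admin can still reach those URLs directly unless they are guarded elsewhere. The user/new and group/new links are backed by this commit's controller changes, but the policy and delegate actions need the same `@identity.require(identity.in_group("admins"))` treatment, or a confirmation that they already have it. Since `'admins' in tg.identity.groups` is now the template's authorization signal, a short template comment noting that it mirrors the controller predicates and is not itself an access control would help the next maintainer. The enclosing template starts before this hunk.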