IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00
Code Issues Packages Projects Releases Wiki Activity

Better error message for login of users from other realms

Browse Source 
When user from other realm than FreeIPA's tries to use Web UI (login via forms-based auth or with valid trusted realm ticket), he gets an unauthorized error with X-Ipa-Rejection-Reason=denied. Web UI responds with showing login dialog with following error message: 'Sorry you
are not allowed to access this service.'.

Note: such users are not supported because they don't have a corresponding entry in LDAP which is needed for ACLs.

https://fedorahosted.org/freeipa/ticket/3252

denied change
This commit is contained in:
Petr Vobornik
2012-11-14 09:35:03 +01:00
parent e05a720b12
commit 8d892f442f
3 changed files with 43 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files

35
install/ui/ipa.js
View File

@@ -399,8 +399,8 @@ IPA.login_password = function(username, password) {
//change result from invalid only if we have a header which we
//understand
if (reason === 'password-expired') {
result = 'expired';
if (reason === 'password-expired' || reason === 'denied') {
result = reason;
}
}
@@ -1701,6 +1701,8 @@ IPA.unauthorized_dialog = function(spec) {
that.password_expired = "Your password has expired. Please enter a new password.";
that.denied = "Sorry you are not allowed to access this service.";
that.create = function() {
that.session_expired_form();
@@ -1816,6 +1818,16 @@ IPA.unauthorized_dialog = function(spec) {
that.open = function() {
that.dialog_open();
that.show_session_form();
that.check_error_reason();
};
that.check_error_reason = function() {
if (this.xhr) {
var reason = this.xhr.getResponseHeader("X-IPA-Rejection-Reason");
if (reason) {
that.show_login_error_message(reason);
}
}
};
that.on_username_change = function() {
@@ -1858,6 +1870,20 @@ IPA.unauthorized_dialog = function(spec) {
that.new_password_widget.focus_input();
};
that.show_login_error_message = function(reason) {
var errors = {
'invalid': that.form_auth_failed,
'denied': that.denied
};
var message = errors[reason];
if (message) {
that.login_error_box.html(message);
that.login_error_box.css('display', 'block');
}
};
that.on_login_keyup = function(event) {
if (that.switching) {
@@ -1903,12 +1929,11 @@ IPA.unauthorized_dialog = function(spec) {
if (result === 'success') {
that.on_login_success();
} else if (result === 'expired') {
} else if (result === 'password-expired') {
that.reset_error_box.css('display', 'none');
that.show_reset_form();
} else {
that.login_error_box.html(that.form_auth_failed);
that.login_error_box.css('display', 'block');
that.show_login_error_message(result);
}
};

4
install/ui/login.html
View File

@@ -34,6 +34,10 @@
<p>If the problem persists, contact your administrator.</p>
</div>
<div id="denied" class="error-box" style="display:none">
<p>Sorry you are not allowed to access this service.</p>
</div>
<form id="login">
<ul>
<li>

16
install/ui/login.js
View File

@@ -35,8 +35,8 @@ LP.login = function(username, password) {
//change result from invalid only if we have a header which we
//understand
if (reason === 'password-expired') {
result = 'expired';
if (reason === 'password-expired' || reason === 'denied') {
result = reason;
}
}
}
@@ -70,12 +70,14 @@ LP.on_submit = function() {
var result = LP.login(username, password);
$('.error-box').hide();
if (result === 'invalid') {
$('#expired').css('display', 'none');
$('#invalid').css('display', 'block');
} else if (result === 'expired') {
$('#invalid').css('display', 'none');
$('#expired').css('display', 'block');
$('#invalid').show();
} else if (result === 'password-expired') {
$('#expired').show();
} else if(result === 'denied') {
$('#denied').show();
} else {
window.location = '/ipa/ui';
}