feat(xo-server,xo-web/groups): prevent edition of LDAP groups (#5351)

See #1884
2020-11-02 16:18:43 +01:00
parent 18762dc624
commit 7797bce814
4 changed files with 65 additions and 20 deletions
--- a/CHANGELOG.unreleased.md
+++ b/CHANGELOG.unreleased.md
@@ -7,6 +7,8 @@

 > Users must be able to say: “Nice enhancement, I'm eager to test it”

+- [LDAP] Prevent LDAP-provided groups from being edited from XO [#1884](https://github.com/vatesfr/xen-orchestra/issues/1884) (PR [#5351](https://github.com/vatesfr/xen-orchestra/pull/5351))
+
 ### Bug fixes

 > Users must be able to say: “I had this issue, happy to know it's fixed”
@@ -27,3 +29,6 @@
 > - major: if the change breaks compatibility
 >
 > In case of conflict, the highest (lowest in previous list) `$version` wins.
+
+- xo-server minor
+- xo-web minor
--- a/packages/xo-server/src/api/group.js
+++ b/packages/xo-server/src/api/group.js
@@ -1,3 +1,5 @@
+import { forbiddenOperation } from 'xo-common/api-errors'
+
 export async function create({ name }) {
  return (await this.createGroup({ name })).id
 }
@@ -51,6 +53,13 @@ setUsers.params = {

 // adds the user id to group.users
 export async function addUser({ id, userId }) {
+  const group = await this.getGroup(id)
+  if (group.provider !== undefined) {
+    throw forbiddenOperation(
+      'add user',
+      'cannot add user to synchronized group'
+    )
+  }
  await this.addUserToGroup(userId, id)
 }

@@ -65,6 +74,13 @@ addUser.params = {

 // remove the user id from group.users
 export async function removeUser({ id, userId }) {
+  const group = await this.getGroup(id)
+  if (group.provider !== undefined) {
+    throw forbiddenOperation(
+      'remove user',
+      'cannot remove user from synchronized group'
+    )
+  }
  await this.removeUserFromGroup(userId, id)
 }

@@ -80,6 +96,15 @@ removeUser.params = {
 // -------------------------------------------------------------------

 export async function set({ id, name }) {
+  if (name !== undefined) {
+    const group = await this.getGroup(id)
+    if (group.provider !== undefined) {
+      throw forbiddenOperation(
+        'set group name',
+        'cannot edit synchronized group'
+      )
+    }
+  }
  await this.updateGroup(id, { name })
 }

--- a/packages/xo-server/src/xo-mixins/subjects.js
+++ b/packages/xo-server/src/xo-mixins/subjects.js
@@ -304,7 +304,9 @@ export default class {
          [providerId]: {
            id,
            data:
-              data !== undefined ? data : user.authProviders?.[providerId]?.data,
+              data !== undefined
+                ? data
+                : user.authProviders?.[providerId]?.data,
          },
        },
      })
--- a/packages/xo-web/src/xo-app/settings/groups/index.js
+++ b/packages/xo-web/src/xo-app/settings/groups/index.js
@@ -40,7 +40,7 @@ class UserDisplay extends Component {
  }

  render() {
-    const { id, users } = this.props
+    const { id, users, canRemove } = this.props

    return (
      <span>
@@ -51,13 +51,15 @@ class UserDisplay extends Component {
            &gt;
          </em>
        )}{' '}
-        <ActionButton
-          className='pull-right'
-          btnStyle='primary'
-          size='small'
-          icon='remove'
-          handler={this._removeUser}
-        />
+        {canRemove && (
+          <ActionButton
+            className='pull-right'
+            btnStyle='primary'
+            size='small'
+            icon='remove'
+            handler={this._removeUser}
+          />
+        )}
      </span>
    )
  }
@@ -88,7 +90,11 @@ class GroupMembersDisplay extends Component {
                <ul className='list-group'>
                  {map(group.users, user => (
                    <li className='list-group-item' key={user}>
-                      <UserDisplay id={user} group={group} />
+                      <UserDisplay
+                        id={user}
+                        group={group}
+                        canRemove={group.provider === undefined}
+                      />
                    </li>
                  ))}
                </ul>
@@ -107,9 +113,15 @@ const getPredicate = users => entity =>
 const GROUP_COLUMNS = [
  {
    name: _('groupNameColumn'),
-    itemRenderer: group => (
-      <Text value={group.name} onChange={value => setGroupName(group, value)} />
-    ),
+    itemRenderer: group =>
+      group.provider === undefined ? (
+        <Text
+          value={group.name}
+          onChange={value => setGroupName(group, value)}
+        />
+      ) : (
+        group.name
+      ),
    sortCriteria: group => group.name,
  },
  {
@@ -118,13 +130,14 @@ const GROUP_COLUMNS = [
  },
  {
    name: _('addUserToGroupColumn'),
-    itemRenderer: group => (
-      <SelectSubject
-        predicate={getPredicate(group.users)}
-        onChange={user => user && addUserToGroup(user, group)}
-        value={null}
-      />
-    ),
+    itemRenderer: group =>
+      group.provider === undefined ? (
+        <SelectSubject
+          predicate={getPredicate(group.users)}
+          onChange={user => user && addUserToGroup(user, group)}
+          value={null}
+        />
+      ) : null,
  },
 ]