author | Petr Vobornik <pvoborni@redhat.com> | 2012-11-14 09:35:03 +0100 |
---|---|---|
committer | Petr Vobornik <pvoborni@redhat.com> | 2012-12-06 17:02:03 +0100 |
commit | 8d892f442f27026ac7195f6d9720b6da046ff477 (patch) | |
tree | 31992b4581895b358aa0b2689d7496f7c4b31255 | |
parent | e05a720b12ae9bf8a39fa3103bdd61dc065dface (diff) | |
Better error message for login of users from other realms
When a user from a realm other than FreeIPA's tries to use the Web UI (login via forms-based auth or with a valid trusted-realm ticket), he gets an unauthorized error with X-Ipa-Rejection-Reason=denied. The Web UI responds by showing the login dialog with the following error message: 'Sorry you are not allowed to access this service.'.
Note: such users are not supported because they don't have a corresponding entry in LDAP which is needed for ACLs.
https://fedorahosted.org/freeipa/ticket/3252
denied change
-rw-r--r-- | install/ui/ipa.js | 35 | ||||
-rw-r--r-- | install/ui/login.html | 4 | ||||
-rw-r--r-- | install/ui/login.js | 16 |
3 files changed, 43 insertions, 12 deletions
diff --git a/install/ui/ipa.js b/install/ui/ipa.js
index e20d3c08a..a33fbfd5e 100644
--- a/install/ui/ipa.js
+++ b/install/ui/ipa.js
@@ -399,8 +399,8 @@ IPA.login_password = function(username, password) {
 //change result from invalid only if we have a header which we
 //understand
- if (reason === 'password-expired') {
- result = 'expired';
+ if (reason === 'password-expired' || reason === 'denied') {
+ result = reason;
 }
 }
@@ -1701,6 +1701,8 @@ IPA.unauthorized_dialog = function(spec) {
 that.password_expired = "Your password has expired. Please enter a new password.";
+ that.denied = "Sorry you are not allowed to access this service.";
+
 that.create = function() {
 that.session_expired_form();
@@ -1816,6 +1818,16 @@ IPA.unauthorized_dialog = function(spec) {
 that.open = function() {
 that.dialog_open();
 that.show_session_form();
+ that.check_error_reason();
+ };
+
+ that.check_error_reason = function() {
+ if (this.xhr) {
+ var reason = this.xhr.getResponseHeader("X-IPA-Rejection-Reason");
+ if (reason) {
+ that.show_login_error_message(reason);
+ }
+ }
 };
 that.on_username_change = function() {
@@ -1858,6 +1870,20 @@ IPA.unauthorized_dialog = function(spec) {
 that.new_password_widget.focus_input();
 };
+ that.show_login_error_message = function(reason) {
+ var errors = {
+ 'invalid': that.form_auth_failed,
+ 'denied': that.denied
+ };
+
+ var message = errors[reason];
+
+ if (message) {
+ that.login_error_box.html(message);
+ that.login_error_box.css('display', 'block');
+ }
+ };
+
 that.on_login_keyup = function(event) {
 if (that.switching) {
@@ -1903,12 +1929,11 @@ IPA.unauthorized_dialog = function(spec) {
 if (result === 'success') {
 that.on_login_success();
- } else if (result === 'expired') {
+ } else if (result === 'password-expired') {
 that.reset_error_box.css('display', 'none');
 that.show_reset_form();
 } else {
- that.login_error_box.html(that.form_auth_failed);
- that.login_error_box.css('display', 'block');
+ that.show_login_error_message(result);
 }
 };
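Review bot: The result string for an expired password changes from `'expired'` to `'password-expired'` in the first hunk (IPA.login_password), and nothing on the function documents which values callers have to handle. The on_login hunk further down is updated to match, but any caller outside this diff that still compares against `'expired'` would silently fall into its generic branch. A comment above the header check, for example `// result is 'invalid' unless the server sends a reason we understand: 'password-expired' or 'denied'`, would pin the contract; the same applies to LP.login in login.js. The function starts and ends outside the hunk.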
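Review bot: `check_error_reason` reads `this.xhr` while every other member access in the dialog goes through the closure variable `that`, so the check depends on how the function is invoked. It works for the `that.check_error_reason()` call added in `open`, but a detached call (for example when passed as a callback) would look for `xhr` on the wrong object and skip the message without any sign of failure. Using `if (that.xhr) {` and `that.xhr.getResponseHeader("X-IPA-Rejection-Reason")` keeps it consistent with the rest of the dialog. Where `xhr` is attached to the dialog is outside this hunk, so a short comment naming its source would also help.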
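Review bot: In show_login_error_message, `errors[reason]` is indexed with a string that check_error_reason takes directly from the X-IPA-Rejection-Reason response header, and a plain object literal also resolves inherited keys such as `constructor` or `toString`. For such a key the lookup returns a function, which passes the `if (message)` test and is then handed to `.html()`. Limiting the lookup to own keys keeps the header value a pure selector among the fixed strings: `var message = errors.hasOwnProperty(reason) ? errors[reason] : undefined;`. A one-line comment stating that only locally defined messages, never the header text itself, may reach `.html()` would protect that property against later edits.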
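Review bot: The final `else` of on_login (last hunk) used to show `form_auth_failed` for every result other than success or password expiry, but `that.show_login_error_message(result)` shows nothing when `result` is not a key of its `errors` map. If IPA.login_password can ever return a value other than the four handled here (its full body is not visible in this diff), a failed login would leave the dialog without any feedback. Falling back to the generic message in this branch preserves the old behaviour: `that.show_login_error_message(result === 'denied' ? 'denied' : 'invalid');`. The enclosing function starts outside the hunk.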
diff --git a/install/ui/login.html b/install/ui/login.html
index 69e3dea7f..f279f027d 100644
--- a/install/ui/login.html
+++ b/install/ui/login.html
@@ -34,6 +34,10 @@
 <p>If the problem persists, contact your administrator.</p>
 </div>
+ <div id="denied" class="error-box" style="display:none">
+ <p>Sorry you are not allowed to access this service.</p>
+ </div>
+
 <form id="login">
 <ul>
 <li>
diff --git a/install/ui/login.js b/install/ui/login.js
index cd4e72d95..1fce8ecc5 100644
--- a/install/ui/login.js
+++ b/install/ui/login.js
@@ -35,8 +35,8 @@ LP.login = function(username, password) {
 //change result from invalid only if we have a header which we
 //understand
- if (reason === 'password-expired') {
- result = 'expired';
+ if (reason === 'password-expired' || reason === 'denied') {
+ result = reason;
 }
 }
 }
@@ -70,12 +70,14 @@ LP.on_submit = function() {
 var result = LP.login(username, password);
+ $('.error-box').hide();
+
 if (result === 'invalid') {
- $('#expired').css('display', 'none');
- $('#invalid').css('display', 'block');
- } else if (result === 'expired') {
- $('#invalid').css('display', 'none');
- $('#expired').css('display', 'block');
+ $('#invalid').show();
+ } else if (result === 'password-expired') {
+ $('#expired').show();
+ } else if(result === 'denied') {
+ $('#denied').show();
 } else {
 window.location = '/ipa/ui';
 }
 |
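Review bot: The chain in LP.on_submit (last hunk of login.js) still ends in a bare `else` that redirects to `/ipa/ui`, so every result that is not one of the three listed failure strings is treated as a successful login. With this commit LP.login passes rejection reasons through as result values, so a reason added there later without a matching branch here would send the user on instead of showing an error. The server presumably still enforces authentication, but the page should fail closed: make the redirect branch `} else if (result === 'success') {` and end with `} else { $('#invalid').show(); }`. The success value LP.login returns is not visible in this diff and should be confirmed. As a style point, `else if(result === 'denied')` lacks the space after `if` that the neighbouring branches use.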