diff options
| author | Rob Crittenden <rcritten@redhat.com> | 2007-11-14 10:49:03 -0500 |
|---|---|---|
| committer | Rob Crittenden <rcritten@redhat.com> | 2007-11-14 10:49:03 -0500 |
| commit | 3e715a04cf95de0add2c37d6cd5985c43de47dab (patch) | |
| tree | e8b9120376bdd83285bfb9e86d9d2572742ed7a4 /ipa-server | |
| parent | 7502ebe47940e6a5deb03a5f47c10b512cea6d5d (diff) | |
| download | freeipa-3e715a04cf95de0add2c37d6cd5985c43de47dab.tar.gz freeipa-3e715a04cf95de0add2c37d6cd5985c43de47dab.tar.xz freeipa-3e715a04cf95de0add2c37d6cd5985c43de47dab.zip | |
Add an editors group. This is used to generally grant access for users
to edit other users (the Edit link won't appear otherwise). Additional
delegation is need to grant permission to individual attributes.
Update the failed login page to indicate that it is a permission issue.
Don't allow access to policy at all for non-admins.
By default users can only edit themselves.
Diffstat (limited to 'ipa-server')
10 files changed, 62 insertions, 47 deletions
diff --git a/ipa-server/ipa-gui/ipagui/subcontrollers/delegation.py b/ipa-server/ipa-gui/ipagui/subcontrollers/delegation.py index d7149265e..142d34430 100644 --- a/ipa-server/ipa-gui/ipagui/subcontrollers/delegation.py +++ b/ipa-server/ipa-gui/ipagui/subcontrollers/delegation.py @@ -35,7 +35,7 @@ class DelegationController(IPAController): raise turbogears.redirect("/delegate/list") @expose("ipagui.templates.delegatenew") - @identity.require(identity.not_anonymous()) + @identity.require(identity.in_group("admins")) def new(self): """Display delegate page""" client = self.get_ipaclient() @@ -46,7 +46,7 @@ class DelegationController(IPAController): return dict(form=delegate_form, delegate=delegate) @expose() - @identity.require(identity.not_anonymous()) + @identity.require(identity.in_group("admins")) def create(self, **kw): """Creates a new delegation""" self.restrict_post() @@ -107,7 +107,7 @@ class DelegationController(IPAController): raise turbogears.redirect('/delegate/list') @expose("ipagui.templates.delegateedit") - @identity.require(identity.not_anonymous()) + @identity.require(identity.in_group("admins")) def edit(self, acistr, tg_errors=None): """Display delegate page""" if tg_errors: @@ -134,7 +134,7 @@ class DelegationController(IPAController): @expose() - @identity.require(identity.not_anonymous()) + @identity.require(identity.in_group("admins")) def update(self, **kw): """Display delegate page""" self.restrict_post() @@ -230,7 +230,7 @@ class DelegationController(IPAController): fields=ipagui.forms.delegate.DelegateFields()) @expose() - @identity.require(identity.not_anonymous()) + @identity.require(identity.in_group("admins")) def delete(self, acistr): """Display delegate page""" self.restrict_post() diff --git a/ipa-server/ipa-gui/ipagui/subcontrollers/group.py b/ipa-server/ipa-gui/ipagui/subcontrollers/group.py index b412b6d15..0df2d3c8c 100644 --- a/ipa-server/ipa-gui/ipagui/subcontrollers/group.py +++ b/ipa-server/ipa-gui/ipagui/subcontrollers/group.py @@ -168,7 +168,7 @@ class GroupController(IPAController): @expose("ipagui.templates.groupedit") - @identity.require(identity.not_anonymous()) + @identity.require(identity.in_group("admins")) def edit(self, cn, tg_errors=None): """Displays the edit group form""" if tg_errors: @@ -214,7 +214,7 @@ class GroupController(IPAController): raise turbogears.redirect('/group/show', uid=cn) @expose() - @identity.require(identity.not_anonymous()) + @identity.require(identity.in_group("admins")) def update(self, **kw): """Updates an existing group""" self.restrict_post() diff --git a/ipa-server/ipa-gui/ipagui/subcontrollers/ipapolicy.py b/ipa-server/ipa-gui/ipagui/subcontrollers/ipapolicy.py index a1c1a9f03..5d9024275 100644 --- a/ipa-server/ipa-gui/ipagui/subcontrollers/ipapolicy.py +++ b/ipa-server/ipa-gui/ipagui/subcontrollers/ipapolicy.py @@ -26,11 +26,12 @@ ipapolicy_edit_form = ipagui.forms.ipapolicy.IPAPolicyForm() class IPAPolicyController(IPAController): @expose() + @identity.require(identity.in_group("admins")) def index(self): raise turbogears.redirect("/ipapolicy/show") @expose("ipagui.templates.ipapolicyshow") - @identity.require(identity.not_anonymous()) + @identity.require(identity.in_group("admins")) def show(self, tg_errors=None): """Displays the one policy page""" @@ -45,7 +46,7 @@ class IPAPolicyController(IPAController): return dict(ipapolicy=ipapolicy,fields=ipagui.forms.ipapolicy.IPAPolicyFields()) @expose("ipagui.templates.ipapolicyedit") - @identity.require(identity.not_anonymous()) + @identity.require(identity.in_group("admins")) def edit(self, tg_errors=None): """Displays the edit IPA policy form""" if tg_errors: @@ -68,7 +69,7 @@ class IPAPolicyController(IPAController): @expose() - @identity.require(identity.not_anonymous()) + @identity.require(identity.in_group("admins")) def update(self, **kw): """Display delegate page""" self.restrict_post() diff --git a/ipa-server/ipa-gui/ipagui/subcontrollers/policy.py b/ipa-server/ipa-gui/ipagui/subcontrollers/policy.py index a9fd3271f..1f2e45876 100644 --- a/ipa-server/ipa-gui/ipagui/subcontrollers/policy.py +++ b/ipa-server/ipa-gui/ipagui/subcontrollers/policy.py @@ -23,7 +23,7 @@ log = logging.getLogger(__name__) class PolicyController(IPAController): @expose("ipagui.templates.policyindex") - @identity.require(identity.not_anonymous()) + @identity.require(identity.in_group("admins")) def index(self, tg_errors=None): """Displays the one policy page""" diff --git a/ipa-server/ipa-gui/ipagui/subcontrollers/user.py b/ipa-server/ipa-gui/ipagui/subcontrollers/user.py index a527c0983..bf77b113f 100644 --- a/ipa-server/ipa-gui/ipagui/subcontrollers/user.py +++ b/ipa-server/ipa-gui/ipagui/subcontrollers/user.py @@ -96,7 +96,7 @@ class UserController(IPAController): raise turbogears.redirect("/user/list") @expose("ipagui.templates.usernew") - @identity.require(identity.in_group("admins")) + @identity.require(identity.in_any_group("admins","editors")) def new(self, tg_errors=None): """Displays the new user form""" if tg_errors: @@ -106,7 +106,7 @@ class UserController(IPAController): return dict(form=user_new_form, user={}) @expose() - @identity.require(identity.in_group("admins")) + @identity.require(identity.in_any_group("admins","editors")) def create(self, **kw): """Creates a new user""" self.restrict_post() @@ -377,6 +377,15 @@ class UserController(IPAController): kw = self.fix_incoming_fields(kw, 'pager', 'pagers') kw = self.fix_incoming_fields(kw, 'homephone', 'homephones') + # admins and editors can update anybody. A user can only update + # themselves. We need this check because it is very easy to guess + # the edit URI. + if ((not 'admins' in turbogears.identity.current.groups and + not 'editors' in turbogears.identity.current.groups) and + (kw.get('uid') != turbogears.identity.current.display_name)): + turbogears.flash("You do not have permission to update this user.") + raise turbogears.redirect('/user/show', uid=kw.get('uid')) + # Decode the group data, in case we need to round trip user_groups_dicts = loads(b64decode(kw.get('user_groups_data'))) diff --git a/ipa-server/ipa-gui/ipagui/templates/groupshow.kid b/ipa-server/ipa-gui/ipagui/templates/groupshow.kid index f0d1ddfbb..a58220344 100644 --- a/ipa-server/ipa-gui/ipagui/templates/groupshow.kid +++ b/ipa-server/ipa-gui/ipagui/templates/groupshow.kid @@ -12,7 +12,8 @@ edit_url = tg.url('/group/edit', cn=group.get('cn')[0]) <div id="details"> <h1>View Group</h1> - <input class="submitbutton" type="button" + <input py:if="'editors' in tg.identity.groups or 'admins' in tg.identity.groups" + class="submitbutton" type="button" onclick="document.location.href='${edit_url}'" value="Edit Group" /> @@ -84,7 +85,8 @@ edit_url = tg.url('/group/edit', cn=group.get('cn')[0]) <br/> <hr /> - <input class="submitbutton" type="button" + <input py:if="'editors' in tg.identity.groups or 'admins' in tg.identity.groups" + class="submitbutton" type="button" onclick="document.location.href='${edit_url}'" value="Edit Group" /> </div> diff --git a/ipa-server/ipa-gui/ipagui/templates/loginfailed.kid b/ipa-server/ipa-gui/ipagui/templates/loginfailed.kid index 84896be5c..b31db82a7 100644 --- a/ipa-server/ipa-gui/ipagui/templates/loginfailed.kid +++ b/ipa-server/ipa-gui/ipagui/templates/loginfailed.kid @@ -1,35 +1,24 @@ -<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" - "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> -<html xmlns="http://www.w3.org/1999/xhtml" - xmlns:py="http://purl.org/kid/ns#"> - +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> +<html xmlns="http://www.w3.org/1999/xhtml" xmlns:py="http://purl.org/kid/ns#" + py:extends="'master.kid'"> <head> - <meta content="text/html; charset=UTF-8" - http-equiv="content-type" py:replace="''"/> - <title>Login Failure</title> +<meta content="text/html; charset=utf-8" http-equiv="Content-Type" py:replace="''"/> +<title>Permission Denied</title> </head> <body> - <div id="header"> - <div id="logo"> - <a href="${tg.url('/')}"><img - src="${tg.url('/static/images/logo.png')}" - border="0" alt="homepage" - /></a> - </div> - <div id="headerinfo"> - <div id="login"> - <div py:if="tg.config('identity.on') and not defined('logging_in')" id="page -Login"> - <span py:if="tg.identity.anonymous"> - Kerberos login failed. - </span> - <span py:if="not tg.identity.anonymous"> - Logged in as: ${tg.identity.user.display_name} - </span> + <div id="main_content"> + <div id="details"> + <div id="alertbox" py:if="value_of('tg_flash', None)"> + <p py:content="XML(tg_flash)"></p></div> + <h1>Permission Denied</h1> + <div class="instructions"> + <p> + You do not have permission to access this page. + </p> </div> + </div> </div> - </div> - </div> </body> + </html> diff --git a/ipa-server/ipa-gui/ipagui/templates/master.kid b/ipa-server/ipa-gui/ipagui/templates/master.kid index f395f31bf..6b97c73fd 100644 --- a/ipa-server/ipa-gui/ipagui/templates/master.kid +++ b/ipa-server/ipa-gui/ipagui/templates/master.kid @@ -77,12 +77,14 @@ <li py:if="'admins' in tg.identity.groups"><a href="${tg.url('/group/new')}">Add Group</a></li> <li><a href="${tg.url('/group/list')}">Find Groups</a></li> </ul> + <ul py:if="'admins' in tg.identity.groups"> + <li><a href="${tg.url('/policy/index')}">Manage Policy</a></li> + </ul> <ul> - <li py:if="'admins' in tg.identity.groups"><a href="${tg.url('/policy/index')}">Manage Policy</a></li> <li><a href="${tg.url('/user/edit/', principal=tg.identity.user.display_name)}">Self Service</a></li> </ul> - <ul> - <li py:if="'admins' in tg.identity.groups"><a href="${tg.url('/delegate/list')}">Delegations</a></li> + <ul py:if="'admins' in tg.identity.groups"> + <li><a href="${tg.url('/delegate/list')}">Delegations</a></li> </ul> </div> diff --git a/ipa-server/ipa-gui/ipagui/templates/usershow.kid b/ipa-server/ipa-gui/ipagui/templates/usershow.kid index a3b564c11..65c2bc35c 100644 --- a/ipa-server/ipa-gui/ipagui/templates/usershow.kid +++ b/ipa-server/ipa-gui/ipagui/templates/usershow.kid @@ -11,7 +11,8 @@ edit_url = tg.url('/user/edit', uid=user.get('uid')) ?> <h1>View Person</h1> - <input class="submitbutton" type="button" + <input py:if="'editors' in tg.identity.groups or 'admins' in tg.identity.groups" + class="submitbutton" type="button" onclick="document.location.href='${edit_url}'" value="Edit Person" /> @@ -373,7 +374,8 @@ else: <br/> <hr /> - <input class="submitbutton" type="button" + <input py:if="'editors' in tg.identity.groups or 'admins' in tg.identity.groups" + class="submitbutton" type="button" onclick="document.location.href='${edit_url}'" value="Edit Person" /> </body> diff --git a/ipa-server/ipa-install/share/bootstrap-template.ldif b/ipa-server/ipa-install/share/bootstrap-template.ldif index ca8bdcb6b..8eb42b332 100644 --- a/ipa-server/ipa-install/share/bootstrap-template.ldif +++ b/ipa-server/ipa-install/share/bootstrap-template.ldif @@ -84,4 +84,14 @@ objectClass: top objectClass: groupofuniquenames objectClass: posixGroup gidNumber: 1002 +description: Default group for all users cn: ipausers + +dn: cn=editors,cn=groups,cn=accounts,$SUFFIX +changetype: add +objectClass: top +objectClass: groupofuniquenames +objectClass: posixGroup +gidNumber: 1003 +description: Limited admins who can edit other users +cn: editors |