authorRob Crittenden <rcritten@redhat.com>2007-11-13 11:15:07 -0500
committerRob Crittenden <rcritten@redhat.com>2007-11-13 11:15:07 -0500
commit5011f642436acd1a5de859d9bb7d38c7e269f35c (patch)
treeec733df0e075f555b31b6fc4d1cf6c5883f3a15a /ipa-server
parentcd489f0a73bcdb2583a5f69defb08ea45278c05a (diff)
downloadfreeipa-5011f642436acd1a5de859d9bb7d38c7e269f35c.tar.gz
freeipa-5011f642436acd1a5de859d9bb7d38c7e269f35c.tar.xz
freeipa-5011f642436acd1a5de859d9bb7d38c7e269f35c.zip
Restrict access to some parts of the UI to those in the admins group
Diffstat (limited to 'ipa-server')
-rw-r--r--ipa-server/ipa-gui/ipagui/proxyprovider.py39
-rw-r--r--ipa-server/ipa-gui/ipagui/subcontrollers/group.py4
-rw-r--r--ipa-server/ipa-gui/ipagui/subcontrollers/user.py4
-rw-r--r--ipa-server/ipa-gui/ipagui/templates/master.kid8
4 files changed, 41 insertions, 14 deletions
diff --git a/ipa-server/ipa-gui/ipagui/proxyprovider.py b/ipa-server/ipa-gui/ipagui/proxyprovider.py
index e8ef69830..bd9cf87a8 100644
--- a/ipa-server/ipa-gui/ipagui/proxyprovider.py
+++ b/ipa-server/ipa-gui/ipagui/proxyprovider.py
@@ -2,6 +2,11 @@ from turbogears.identity.soprovider import *
from turbogears.identity.visitor import *
import logging
import os
+import ipa.ipaclient
+from ipaserver import funcs
+import ipa.config
+import ipa.group
+import ipa.user
log = logging.getLogger("turbogears.identity")
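Review bot: `ipa.config`, `ipa.group` and `ipa.user` are imported here but not referenced in any hunk of this file; only `ipa.ipaclient` and `funcs` are used by the new `IPA_User.__init__` code. If the rest of proxyprovider.py does not use them either, drop the three imports, since an identity provider that is loaded at startup should not pull in modules it never touches.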
@@ -15,7 +20,25 @@ class IPA_User(object):
(principal, realm) = user_name.split('@')
self.display_name = principal
self.permissions = None
- self.groups = None
+ transport = funcs.IPAServer()
+ client = ipa.ipaclient.IPAClient(transport)
+ client.set_krbccache(os.environ["KRB5CCNAME"])
+ try:
+ user = client.get_user_by_principal(user_name, ['dn'])
+ self.groups = []
+ groups = client.get_groups_by_member(user.dn, ['dn', 'cn'])
+ if isinstance(groups, str):
+ groups = [groups]
+ for ginfo in groups:
+ # cn may be multi-valued, add them all just in case
+ cn = ginfo.getValue('cn')
+ if isinstance(cn, str):
+ cn = [cn]
+ for c in cn:
+ self.groups.append(c)
+ except:
+ raise
+
return
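Review bot: The `try:` / `except: raise` wrapper around the client calls is a no-op — an unqualified re-raise is what happens anyway — and because `self.groups = []` sits inside it after `get_user_by_principal`, a failure there leaves `self.groups` unset, which `_get_groups` later turns into `None` rather than an empty list. Assigning `self.groups = []` before the client calls and dropping the try/except gives the same failure behaviour with a well-defined attribute. The membership test this commit adds elsewhere matches group `cn` values by name, so it is satisfied by any group returned by `get_groups_by_member` whose cn is `admins`, whatever its container; if that server-side search is not already scoped to the groups subtree, comparing DNs would be the stricter check, but that search is not visible here. `__init__` begins before the hunk.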
class ProxyIdentity(object):
@@ -57,7 +80,7 @@ class ProxyIdentity(object):
def _get_groups(self):
try:
- return self._groups
+ return self._user.groups
except AttributeError:
# Groups haven't been computed yet
return None
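Review bot: The comment `# Groups haven't been computed yet` no longer describes what the `except AttributeError` catches: with `self._user.groups` the AttributeError arises when the identity was built with no user (the anonymous `ProxyIdentity( None )` path added later in this file), and the method then returns `None`. This commit's callers test membership with `in` — `'admins' in tg.identity.groups` in master.kid and `identity.in_group("admins")`, which presumably does the same — and `in` on `None` raises TypeError instead of denying. Returning an empty list from the handler, `return []`, with the comment changed to `# No user on this identity (anonymous): no groups`, fails closed without the exception. The ProxyIdentity class continues outside the hunk.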
@@ -87,10 +110,14 @@ class ProxyIdentityProvider(SqlObjectIdentityProvider):
pass
def validate_identity(self, user_name, password, visit_key):
- user = IPA_User(user_name)
- log.debug( "validate_identity %s" % user_name)
-
- return ProxyIdentity(visit_key, user)
+ try:
+ user = IPA_User(user_name)
+ log.debug( "validate_identity %s" % user_name)
+ return ProxyIdentity(visit_key, user)
+ except:
+ # Something went wrong in fetching the user. Set to
+ # anonymous which will deny access.
+ return ProxyIdentity( None )
def validate_password(self, user, user_name, password):
'''Validation has already occurred in the proxy'''
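Review bot: The bare `except:` in the new fallback swallows every failure of the user lookup — including a missing `KRB5CCNAME` (a `KeyError` from `os.environ[...]` in `IPA_User.__init__`) and plain programming errors — and returns an anonymous identity without logging anything, so a user who authenticated successfully is denied with no server-side trace of why. Failing closed is the right default; the handler only needs to record the cause, e.g. `except Exception:` followed by `log.exception("validate_identity failed for %s" % user_name)` before `return ProxyIdentity( None )`. Note that `ProxyIdentity( None )` also drops `visit_key`, which may be intentional for the anonymous case but is worth a comment.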
diff --git a/ipa-server/ipa-gui/ipagui/subcontrollers/group.py b/ipa-server/ipa-gui/ipagui/subcontrollers/group.py
index bcc3e1ccd..b412b6d15 100644
--- a/ipa-server/ipa-gui/ipagui/subcontrollers/group.py
+++ b/ipa-server/ipa-gui/ipagui/subcontrollers/group.py
@@ -37,7 +37,7 @@ class GroupController(IPAController):
raise turbogears.redirect("/group/list")
@expose("ipagui.templates.groupnew")
- @identity.require(identity.not_anonymous())
+ @identity.require(identity.in_group("admins"))
def new(self, tg_errors=None):
"""Displays the new group form"""
if tg_errors:
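Review bot: The literal `"admins"` is now repeated in four decorators across group.py and user.py and four `py:if` tests in master.kid; a single named constant (for example `ADMIN_GROUP = "admins"` defined once in the ipagui package and imported where needed) would keep the server-side checks and the template in step if the group is ever renamed. The same point applies to the second hunk of this file and to both hunks of user.py. The decorator is the enforcing check — the template changes only hide links — so any other mutating actions on these controllers (edit, update, delete) outside the shown hunks should carry the same predicate if they are meant to be admin-only; they are not visible here.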
@@ -49,7 +49,7 @@ class GroupController(IPAController):
return dict(form=group_new_form, group={})
@expose()
- @identity.require(identity.not_anonymous())
+ @identity.require(identity.in_group("admins"))
def create(self, **kw):
"""Creates a new group"""
self.restrict_post()
diff --git a/ipa-server/ipa-gui/ipagui/subcontrollers/user.py b/ipa-server/ipa-gui/ipagui/subcontrollers/user.py
index a33307ae6..a527c0983 100644
--- a/ipa-server/ipa-gui/ipagui/subcontrollers/user.py
+++ b/ipa-server/ipa-gui/ipagui/subcontrollers/user.py
@@ -96,7 +96,7 @@ class UserController(IPAController):
raise turbogears.redirect("/user/list")
@expose("ipagui.templates.usernew")
- @identity.require(identity.not_anonymous())
+ @identity.require(identity.in_group("admins"))
def new(self, tg_errors=None):
"""Displays the new user form"""
if tg_errors:
@@ -106,7 +106,7 @@ class UserController(IPAController):
return dict(form=user_new_form, user={})
@expose()
- @identity.require(identity.not_anonymous())
+ @identity.require(identity.in_group("admins"))
def create(self, **kw):
"""Creates a new user"""
self.restrict_post()
diff --git a/ipa-server/ipa-gui/ipagui/templates/master.kid b/ipa-server/ipa-gui/ipagui/templates/master.kid
index 4fa27e6c5..f395f31bf 100644
--- a/ipa-server/ipa-gui/ipagui/templates/master.kid
+++ b/ipa-server/ipa-gui/ipagui/templates/master.kid
@@ -70,19 +70,19 @@
<div id="sidebar">
<h2>Tasks</h2>
<ul>
- <li><a href="${tg.url('/user/new')}">Add Person</a></li>
+ <li py:if="'admins' in tg.identity.groups"><a href="${tg.url('/user/new')}">Add Person</a></li>
<li><a href="${tg.url('/user/list')}">Find People</a></li>
</ul>
<ul>
- <li><a href="${tg.url('/group/new')}">Add Group</a></li>
+ <li py:if="'admins' in tg.identity.groups"><a href="${tg.url('/group/new')}">Add Group</a></li>
<li><a href="${tg.url('/group/list')}">Find Groups</a></li>
</ul>
<ul>
- <li><a href="${tg.url('/policy/index')}">Manage Policy</a></li>
+ <li py:if="'admins' in tg.identity.groups"><a href="${tg.url('/policy/index')}">Manage Policy</a></li>
<li><a href="${tg.url('/user/edit/', principal=tg.identity.user.display_name)}">Self Service</a></li>
</ul>
<ul>
- <li><a href="${tg.url('/delegate/list')}">Delegations</a></li>
+ <li py:if="'admins' in tg.identity.groups"><a href="${tg.url('/delegate/list')}">Delegations</a></li>
</ul>
</div>
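Review bot: `'admins' in tg.identity.groups` raises `TypeError` when `groups` is `None`, which is what `ProxyIdentity._get_groups` returns in this commit for an identity with no user (the anonymous fallback in `validate_identity`), so an anonymous or failed-lookup visitor would hit a template error rather than see a page without the admin links. Guarding the test, `py:if="'admins' in (tg.identity.groups or [])"`, keeps the template robust whichever way the provider is fixed; the same applies to all four `py:if` lines in this hunk. Hiding these links is presentation only — access is enforced by the `identity.require` decorators on the controllers — and the `/policy/index` and `/delegate/list` targets hidden here have no controller change in this commit's diffstat, so whether those handlers actually restrict non-admins should be confirmed.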