Add an editors group. This is used to generally grant access for users

to edit other users (the Edit link won't appear otherwise). Additional delegation is need to grant permission to individual attributes. Update the failed login page to indicate that it is a permission issue. Don't allow access to policy at all for non-admins. By default users can only edit themselves.
author: Rob Crittenden <rcritten@redhat.com> 2007-11-14 10:49:03 -0500
committer: Rob Crittenden <rcritten@redhat.com> 2007-11-14 10:49:03 -0500
commit: 3e715a04cf95de0add2c37d6cd5985c43de47dab (patch)
tree: e8b9120376bdd83285bfb9e86d9d2572742ed7a4 /ipa-server/ipa-gui/ipagui/subcontrollers/user.py
parent: 7502ebe47940e6a5deb03a5f47c10b512cea6d5d (diff)
download: freeipa.git-3e715a04cf95de0add2c37d6cd5985c43de47dab.tar.gz
freeipa.git-3e715a04cf95de0add2c37d6cd5985c43de47dab.tar.xz
freeipa.git-3e715a04cf95de0add2c37d6cd5985c43de47dab.zip
1 files changed, 11 insertions, 2 deletions
diff --git a/ipa-server/ipa-gui/ipagui/subcontrollers/user.py b/ipa-server/ipa-gui/ipagui/subcontrollers/user.py
index a527c098..bf77b113 100644
--- a/ipa-server/ipa-gui/ipagui/subcontrollers/user.py
+++ b/ipa-server/ipa-gui/ipagui/subcontrollers/user.py
@@ -96,7 +96,7 @@ class UserController(IPAController):
         raise turbogears.redirect("/user/list")
 
     @expose("ipagui.templates.usernew")
-    @identity.require(identity.in_group("admins"))
+    @identity.require(identity.in_any_group("admins","editors"))
     def new(self, tg_errors=None):
         """Displays the new user form"""
         if tg_errors:
@@ -106,7 +106,7 @@ class UserController(IPAController):
         return dict(form=user_new_form, user={})
 
     @expose()
-    @identity.require(identity.in_group("admins"))
+    @identity.require(identity.in_any_group("admins","editors"))
     def create(self, **kw):
         """Creates a new user"""
         self.restrict_post()
@@ -377,6 +377,15 @@ class UserController(IPAController):
         kw = self.fix_incoming_fields(kw, 'pager', 'pagers')
         kw = self.fix_incoming_fields(kw, 'homephone', 'homephones')
 
+        # admins and editors can update anybody. A user can only update
+        # themselves. We need this check because it is very easy to guess
+        # the edit URI.
+        if ((not 'admins' in turbogears.identity.current.groups and
+            not 'editors' in turbogears.identity.current.groups) and 
+            (kw.get('uid') != turbogears.identity.current.display_name)):
+            turbogears.flash("You do not have permission to update this user.")
+            raise turbogears.redirect('/user/show', uid=kw.get('uid'))
+
         # Decode the group data, in case we need to round trip
         user_groups_dicts = loads(b64decode(kw.get('user_groups_data')))
author	Rob Crittenden <rcritten@redhat.com>	2007-11-14 10:49:03 -0500
committer	Rob Crittenden <rcritten@redhat.com>	2007-11-14 10:49:03 -0500
commit	3e715a04cf95de0add2c37d6cd5985c43de47dab (patch)
tree	e8b9120376bdd83285bfb9e86d9d2572742ed7a4 /ipa-server/ipa-gui/ipagui/subcontrollers/user.py
parent	7502ebe47940e6a5deb03a5f47c10b512cea6d5d (diff)
download	freeipa.git-3e715a04cf95de0add2c37d6cd5985c43de47dab.tar.gz freeipa.git-3e715a04cf95de0add2c37d6cd5985c43de47dab.tar.xz freeipa.git-3e715a04cf95de0add2c37d6cd5985c43de47dab.zip