Add an editors group. This is used to generally grant access for users

to edit other users (the Edit link won't appear otherwise). Additional
delegation is need to grant permission to individual attributes.
Update the failed login page to indicate that it is a permission issue.
Don't allow access to policy at all for non-admins.
By default users can only edit themselves.

5 files changed, 23 insertions, 13 deletions

diff --git a/ipa-server/ipa-gui/ipagui/subcontrollers/delegation.py b/ipa-server/ipa-gui/ipagui/subcontrollers/delegation.py
index d7149265..142d3443 100644
--- a/ipa-server/ipa-gui/ipagui/subcontrollers/delegation.py
+++ b/ipa-server/ipa-gui/ipagui/subcontrollers/delegation.py
@@ -35,7 +35,7 @@ class DelegationController(IPAController):
         raise turbogears.redirect("/delegate/list")
 
     @expose("ipagui.templates.delegatenew")
-    @identity.require(identity.not_anonymous())
+    @identity.require(identity.in_group("admins"))
     def new(self):
         """Display delegate page"""
         client = self.get_ipaclient()
@@ -46,7 +46,7 @@ class DelegationController(IPAController):
         return dict(form=delegate_form, delegate=delegate)
 
     @expose()
-    @identity.require(identity.not_anonymous())
+    @identity.require(identity.in_group("admins"))
     def create(self, **kw):
         """Creates a new delegation"""
         self.restrict_post()
@@ -107,7 +107,7 @@ class DelegationController(IPAController):
         raise turbogears.redirect('/delegate/list')
 
     @expose("ipagui.templates.delegateedit")
-    @identity.require(identity.not_anonymous())
+    @identity.require(identity.in_group("admins"))
     def edit(self, acistr, tg_errors=None):
         """Display delegate page"""
         if tg_errors:
@@ -134,7 +134,7 @@ class DelegationController(IPAController):
 
 
     @expose()
-    @identity.require(identity.not_anonymous())
+    @identity.require(identity.in_group("admins"))
     def update(self, **kw):
         """Display delegate page"""
         self.restrict_post()
@@ -230,7 +230,7 @@ class DelegationController(IPAController):
                     fields=ipagui.forms.delegate.DelegateFields())
 
     @expose()
-    @identity.require(identity.not_anonymous())
+    @identity.require(identity.in_group("admins"))
     def delete(self, acistr):
         """Display delegate page"""
         self.restrict_post()
diff --git a/ipa-server/ipa-gui/ipagui/subcontrollers/group.py b/ipa-server/ipa-gui/ipagui/subcontrollers/group.py
index b412b6d1..0df2d3c8 100644
--- a/ipa-server/ipa-gui/ipagui/subcontrollers/group.py
+++ b/ipa-server/ipa-gui/ipagui/subcontrollers/group.py
@@ -168,7 +168,7 @@ class GroupController(IPAController):
 
 
     @expose("ipagui.templates.groupedit")
-    @identity.require(identity.not_anonymous())
+    @identity.require(identity.in_group("admins"))
     def edit(self, cn, tg_errors=None):
         """Displays the edit group form"""
         if tg_errors:
@@ -214,7 +214,7 @@ class GroupController(IPAController):
             raise turbogears.redirect('/group/show', uid=cn)
 
     @expose()
-    @identity.require(identity.not_anonymous())
+    @identity.require(identity.in_group("admins"))
     def update(self, **kw):
         """Updates an existing group"""
         self.restrict_post()
diff --git a/ipa-server/ipa-gui/ipagui/subcontrollers/ipapolicy.py b/ipa-server/ipa-gui/ipagui/subcontrollers/ipapolicy.py
index a1c1a9f0..5d902427 100644
--- a/ipa-server/ipa-gui/ipagui/subcontrollers/ipapolicy.py
+++ b/ipa-server/ipa-gui/ipagui/subcontrollers/ipapolicy.py
@@ -26,11 +26,12 @@ ipapolicy_edit_form = ipagui.forms.ipapolicy.IPAPolicyForm()
 class IPAPolicyController(IPAController):
 
     @expose()
+    @identity.require(identity.in_group("admins"))
     def index(self):
         raise turbogears.redirect("/ipapolicy/show")
 
     @expose("ipagui.templates.ipapolicyshow")
-    @identity.require(identity.not_anonymous())
+    @identity.require(identity.in_group("admins"))
     def show(self, tg_errors=None):
         """Displays the one policy page"""
 
@@ -45,7 +46,7 @@ class IPAPolicyController(IPAController):
         return dict(ipapolicy=ipapolicy,fields=ipagui.forms.ipapolicy.IPAPolicyFields())
 
     @expose("ipagui.templates.ipapolicyedit")
-    @identity.require(identity.not_anonymous())
+    @identity.require(identity.in_group("admins"))
     def edit(self, tg_errors=None):
         """Displays the edit IPA policy form"""
         if tg_errors:
@@ -68,7 +69,7 @@ class IPAPolicyController(IPAController):
 
 
     @expose()
-    @identity.require(identity.not_anonymous())
+    @identity.require(identity.in_group("admins"))
     def update(self, **kw):
         """Display delegate page"""
         self.restrict_post()
diff --git a/ipa-server/ipa-gui/ipagui/subcontrollers/policy.py b/ipa-server/ipa-gui/ipagui/subcontrollers/policy.py
index a9fd3271..1f2e4587 100644
--- a/ipa-server/ipa-gui/ipagui/subcontrollers/policy.py
+++ b/ipa-server/ipa-gui/ipagui/subcontrollers/policy.py
@@ -23,7 +23,7 @@ log = logging.getLogger(__name__)
 class PolicyController(IPAController):
 
     @expose("ipagui.templates.policyindex")
-    @identity.require(identity.not_anonymous())
+    @identity.require(identity.in_group("admins"))
     def index(self, tg_errors=None):
         """Displays the one policy page"""
 
diff --git a/ipa-server/ipa-gui/ipagui/subcontrollers/user.py b/ipa-server/ipa-gui/ipagui/subcontrollers/user.py
index a527c098..bf77b113 100644
--- a/ipa-server/ipa-gui/ipagui/subcontrollers/user.py
+++ b/ipa-server/ipa-gui/ipagui/subcontrollers/user.py
@@ -96,7 +96,7 @@ class UserController(IPAController):
         raise turbogears.redirect("/user/list")
 
     @expose("ipagui.templates.usernew")
-    @identity.require(identity.in_group("admins"))
+    @identity.require(identity.in_any_group("admins","editors"))
     def new(self, tg_errors=None):
         """Displays the new user form"""
         if tg_errors:
@@ -106,7 +106,7 @@ class UserController(IPAController):
         return dict(form=user_new_form, user={})
 
     @expose()
-    @identity.require(identity.in_group("admins"))
+    @identity.require(identity.in_any_group("admins","editors"))
     def create(self, **kw):
         """Creates a new user"""
         self.restrict_post()
@@ -377,6 +377,15 @@ class UserController(IPAController):
         kw = self.fix_incoming_fields(kw, 'pager', 'pagers')
         kw = self.fix_incoming_fields(kw, 'homephone', 'homephones')
 
+        # admins and editors can update anybody. A user can only update
+        # themselves. We need this check because it is very easy to guess
+        # the edit URI.
+        if ((not 'admins' in turbogears.identity.current.groups and
+            not 'editors' in turbogears.identity.current.groups) and 
+            (kw.get('uid') != turbogears.identity.current.display_name)):
+            turbogears.flash("You do not have permission to update this user.")
+            raise turbogears.redirect('/user/show', uid=kw.get('uid'))
+
         # Decode the group data, in case we need to round trip
         user_groups_dicts = loads(b64decode(kw.get('user_groups_data')))