Diffstat (limited to 'ipa-server/ipa-gui/ipagui/subcontrollers')
5 files changed, 23 insertions, 13 deletions
diff --git a/ipa-server/ipa-gui/ipagui/subcontrollers/delegation.py b/ipa-server/ipa-gui/ipagui/subcontrollers/delegation.py index d7149265..142d3443 100644 --- a/ipa-server/ipa-gui/ipagui/subcontrollers/delegation.py +++ b/ipa-server/ipa-gui/ipagui/subcontrollers/delegation.py @@ -35,7 +35,7 @@ class DelegationController(IPAController): raise turbogears.redirect("/delegate/list") @expose("ipagui.templates.delegatenew") - @identity.require(identity.not_anonymous()) + @identity.require(identity.in_group("admins")) def new(self): """Display delegate page""" client = self.get_ipaclient() @@ -46,7 +46,7 @@ class DelegationController(IPAController): return dict(form=delegate_form, delegate=delegate) @expose() - @identity.require(identity.not_anonymous()) + @identity.require(identity.in_group("admins")) def create(self, **kw): """Creates a new delegation""" self.restrict_post() @@ -107,7 +107,7 @@ class DelegationController(IPAController): raise turbogears.redirect('/delegate/list') @expose("ipagui.templates.delegateedit") - @identity.require(identity.not_anonymous()) + @identity.require(identity.in_group("admins")) def edit(self, acistr, tg_errors=None): """Display delegate page""" if tg_errors: @@ -134,7 +134,7 @@ class DelegationController(IPAController): @expose() - @identity.require(identity.not_anonymous()) + @identity.require(identity.in_group("admins")) def update(self, **kw): """Display delegate page""" self.restrict_post() @@ -230,7 +230,7 @@ class DelegationController(IPAController): fields=ipagui.forms.delegate.DelegateFields()) @expose() - @identity.require(identity.not_anonymous()) + @identity.require(identity.in_group("admins")) def delete(self, acistr): """Display delegate page""" self.restrict_post() diff --git a/ipa-server/ipa-gui/ipagui/subcontrollers/group.py b/ipa-server/ipa-gui/ipagui/subcontrollers/group.py index b412b6d1..0df2d3c8 100644 --- a/ipa-server/ipa-gui/ipagui/subcontrollers/group.py +++ b/ipa-server/ipa-gui/ipagui/subcontrollers/group.py 
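Review bot: Every handler touched in delegation.py now spells the privileged group as the literal `"admins"`, and the same literal is repeated in the group.py and ipapolicy.py hunks of this commit; one predicate on the base controller, e.g. `ADMINS_ONLY = identity.in_group("admins")` next to IPAController and `@identity.require(ADMINS_ONLY)` here, keeps the policy in a single place when the group is renamed or a second privileged group is introduced. Only new, create, edit, update and delete are tightened in these hunks; the list and show handlers of DelegationController are outside them, so whether unprivileged users can still read ACI strings is not visible here. Assuming the client returned by `get_ipaclient()` binds with the caller's own credentials, the directory ACIs remain the authoritative control and these decorators only hide the forms, which is worth stating in a comment so nobody later treats the decorator as the enforcement point. Each hunk's enclosing method continues beyond the hunk.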
@@ -168,7 +168,7 @@ class GroupController(IPAController): @expose("ipagui.templates.groupedit") - @identity.require(identity.not_anonymous()) + @identity.require(identity.in_group("admins")) def edit(self, cn, tg_errors=None): """Displays the edit group form""" if tg_errors: @@ -214,7 +214,7 @@ class GroupController(IPAController): raise turbogears.redirect('/group/show', uid=cn) @expose() - @identity.require(identity.not_anonymous()) + @identity.require(identity.in_group("admins")) def update(self, **kw): """Updates an existing group""" self.restrict_post() diff --git a/ipa-server/ipa-gui/ipagui/subcontrollers/ipapolicy.py b/ipa-server/ipa-gui/ipagui/subcontrollers/ipapolicy.py index a1c1a9f0..5d902427 100644 --- a/ipa-server/ipa-gui/ipagui/subcontrollers/ipapolicy.py +++ b/ipa-server/ipa-gui/ipagui/subcontrollers/ipapolicy.py @@ -26,11 +26,12 @@ ipapolicy_edit_form = ipagui.forms.ipapolicy.IPAPolicyForm() class IPAPolicyController(IPAController): @expose() + @identity.require(identity.in_group("admins")) def index(self): raise turbogears.redirect("/ipapolicy/show") @expose("ipagui.templates.ipapolicyshow") - @identity.require(identity.not_anonymous()) + @identity.require(identity.in_group("admins")) def show(self, tg_errors=None): """Displays the one policy page""" @@ -45,7 +46,7 @@ class IPAPolicyController(IPAController): return dict(ipapolicy=ipapolicy,fields=ipagui.forms.ipapolicy.IPAPolicyFields()) @expose("ipagui.templates.ipapolicyedit") - @identity.require(identity.not_anonymous()) + @identity.require(identity.in_group("admins")) def edit(self, tg_errors=None): """Displays the edit IPA policy form""" if tg_errors: @@ -68,7 +69,7 @@ class IPAPolicyController(IPAController): @expose() - @identity.require(identity.not_anonymous()) + @identity.require(identity.in_group("admins")) def update(self, **kw): """Display delegate page""" self.restrict_post() 
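Review bot: Only GroupController.edit and update are tightened to `identity.in_group("admins")` in this file, and these two hunks are the whole group.py change in this commit; new, create and delete are outside them, so if those still carry `identity.not_anonymous()` any logged-in user can create or delete a group while being unable to edit one. Worth confirming those handlers already require the admins group, and if they do, a comment above edit such as `# group management is admin-only; new/create/delete carry the same guard` makes the intent visible. In ipapolicy.py the new guard on `index` protects only a redirect to `/ipapolicy/show`, which is itself guarded in the next hunk, so it is harmless but redundant. The edit and update bodies continue outside the hunks.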
diff --git a/ipa-server/ipa-gui/ipagui/subcontrollers/policy.py b/ipa-server/ipa-gui/ipagui/subcontrollers/policy.py index a9fd3271..1f2e4587 100644 --- a/ipa-server/ipa-gui/ipagui/subcontrollers/policy.py +++ b/ipa-server/ipa-gui/ipagui/subcontrollers/policy.py @@ -23,7 +23,7 @@ log = logging.getLogger(__name__) class PolicyController(IPAController): @expose("ipagui.templates.policyindex") - @identity.require(identity.not_anonymous()) + @identity.require(identity.in_group("admins")) def index(self, tg_errors=None): """Displays the one policy page""" diff --git a/ipa-server/ipa-gui/ipagui/subcontrollers/user.py b/ipa-server/ipa-gui/ipagui/subcontrollers/user.py index a527c098..bf77b113 100644 --- a/ipa-server/ipa-gui/ipagui/subcontrollers/user.py +++ b/ipa-server/ipa-gui/ipagui/subcontrollers/user.py @@ -96,7 +96,7 @@ class UserController(IPAController): raise turbogears.redirect("/user/list") @expose("ipagui.templates.usernew") - @identity.require(identity.in_group("admins")) + @identity.require(identity.in_any_group("admins","editors")) def new(self, tg_errors=None): """Displays the new user form""" if tg_errors: @@ -106,7 +106,7 @@ class UserController(IPAController): return dict(form=user_new_form, user={}) @expose() - @identity.require(identity.in_group("admins")) + @identity.require(identity.in_any_group("admins","editors")) def create(self, **kw): """Creates a new user""" self.restrict_post() 
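Review bot: The group pair `"admins","editors"` is now written out in the two decorators on UserController.new and create, and the same membership test is repeated by hand in the update hunk that follows; naming it once, e.g. `EDITOR_GROUPS = ("admins", "editors")` at module level and `@identity.require(identity.in_any_group(*EDITOR_GROUPS))`, keeps the decorator and the inline check from drifting apart. Minor style: PEP 8 wants a space after the comma in `in_any_group("admins","editors")`. `create` still calls `self.restrict_post()`, so the POST-only restriction continues to apply to editors. The new and create bodies continue outside the hunks.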
@@ -377,6 +377,15 @@ class UserController(IPAController): kw = self.fix_incoming_fields(kw, 'pager', 'pagers') kw = self.fix_incoming_fields(kw, 'homephone', 'homephones') + # admins and editors can update anybody. A user can only update + # themselves. We need this check because it is very easy to guess + # the edit URI. + if ((not 'admins' in turbogears.identity.current.groups and + not 'editors' in turbogears.identity.current.groups) and + (kw.get('uid') != turbogears.identity.current.display_name)): + turbogears.flash("You do not have permission to update this user.") + raise turbogears.redirect('/user/show', uid=kw.get('uid')) + # Decode the group data, in case we need to round trip user_groups_dicts = loads(b64decode(kw.get('user_groups_data'))) |
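Review bot: The new ownership check compares the form's `uid` with `turbogears.identity.current.display_name`, while TurboGears exposes the login name as `identity.current.user_name`; display_name only equals the uid if the IPA identity provider sets it that way, so either confirm that with a comment or compare against `user_name`, otherwise a self-edit always fails or, if display_name is derived from an attribute the user can edit, could be made to match another user's uid. The guard also binds only `uid`; if the entry being updated is later selected by another submitted field (a dn or unique id), a non-admin can send their own uid alongside someone else's identifier, so the check should key on whatever the update actually resolves the entry by. A self-editing non-admin who passes this check reaches the very next line, which decodes `user_groups_data` from the same POST, so group-membership changes for that user are accepted unless the directory ACIs reject them, and if `loads` here is a pickle loader rather than a JSON one that is also untrusted deserialization of a form field. Style: `'admins' not in ...` reads better than `not 'admins' in ...`, and the two-group test duplicates the `in_any_group("admins","editors")` decorator used on new and create. The update body continues outside the hunk.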