From 3e715a04cf95de0add2c37d6cd5985c43de47dab Mon Sep 17 00:00:00 2001
From: Rob Crittenden
Date: Wed, 14 Nov 2007 10:49:03 -0500
Subject: Add an editors group. This is used to generally grant access for users to edit other users (the Edit link won't appear otherwise). Additional delegation is need to grant permission to individual attributes. Update the failed login page to indicate that it is a permission issue. Don't allow access to policy at all for non-admins. By default users can only edit themselves.
---
 .../ipa-gui/ipagui/subcontrollers/delegation.py | 10 ++---
 ipa-server/ipa-gui/ipagui/subcontrollers/group.py | 4 +-
 .../ipa-gui/ipagui/subcontrollers/ipapolicy.py | 7 ++--
 ipa-server/ipa-gui/ipagui/subcontrollers/policy.py | 2 +-
 ipa-server/ipa-gui/ipagui/subcontrollers/user.py | 13 ++++++-
 ipa-server/ipa-gui/ipagui/templates/groupshow.kid | 6 ++-
 .../ipa-gui/ipagui/templates/loginfailed.kid | 43 ++++++++--------------
 ipa-server/ipa-gui/ipagui/templates/master.kid | 8 ++--
 ipa-server/ipa-gui/ipagui/templates/usershow.kid | 6 ++-
 .../ipa-install/share/bootstrap-template.ldif | 10 +++++
 10 files changed, 62 insertions(+), 47 deletions(-)
diff --git a/ipa-server/ipa-gui/ipagui/subcontrollers/delegation.py b/ipa-server/ipa-gui/ipagui/subcontrollers/delegation.py
index d7149265..142d3443 100644
--- a/ipa-server/ipa-gui/ipagui/subcontrollers/delegation.py
+++ b/ipa-server/ipa-gui/ipagui/subcontrollers/delegation.py
@@ -35,7 +35,7 @@ class DelegationController(IPAController):
 raise turbogears.redirect("/delegate/list")
 @expose("ipagui.templates.delegatenew")
- @identity.require(identity.not_anonymous())
+ @identity.require(identity.in_group("admins"))
 def new(self):
 """Display delegate page"""
 client = self.get_ipaclient()
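Review bot: The `update` and `delete` handlers whose decorators change at -134 and -230 still carry the docstring `"""Display delegate page"""`, so the newly admin-only mutation endpoints are documented with a copy-pasted description; suggest `"""Updates an existing delegation"""` and `"""Deletes a delegation"""` in the style of `create`'s `"""Creates a new delegation"""` at -46. The `list`/`index` handlers that these methods redirect to are outside all five hunks, so whether reading the delegation list is restricted in the same way cannot be confirmed here. Each decorated method's body continues outside its hunk.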
@@ -46,7 +46,7 @@ class DelegationController(IPAController):
 return dict(form=delegate_form, delegate=delegate)
 @expose()
- @identity.require(identity.not_anonymous())
+ @identity.require(identity.in_group("admins"))
 def create(self, **kw):
 """Creates a new delegation"""
 self.restrict_post()
@@ -107,7 +107,7 @@ class DelegationController(IPAController):
 raise turbogears.redirect('/delegate/list')
 @expose("ipagui.templates.delegateedit")
- @identity.require(identity.not_anonymous())
+ @identity.require(identity.in_group("admins"))
 def edit(self, acistr, tg_errors=None):
 """Display delegate page"""
 if tg_errors:
@@ -134,7 +134,7 @@ class DelegationController(IPAController):
 @expose()
- @identity.require(identity.not_anonymous())
+ @identity.require(identity.in_group("admins"))
 def update(self, **kw):
 """Display delegate page"""
 self.restrict_post()
@@ -230,7 +230,7 @@ class DelegationController(IPAController):
 fields=ipagui.forms.delegate.DelegateFields())
 @expose()
- @identity.require(identity.not_anonymous())
+ @identity.require(identity.in_group("admins"))
 def delete(self, acistr):
 """Display delegate page"""
 self.restrict_post()
diff --git a/ipa-server/ipa-gui/ipagui/subcontrollers/group.py b/ipa-server/ipa-gui/ipagui/subcontrollers/group.py
index b412b6d1..0df2d3c8 100644
--- a/ipa-server/ipa-gui/ipagui/subcontrollers/group.py
+++ b/ipa-server/ipa-gui/ipagui/subcontrollers/group.py
@@ -168,7 +168,7 @@ class GroupController(IPAController):
 @expose("ipagui.templates.groupedit")
- @identity.require(identity.not_anonymous())
+ @identity.require(identity.in_group("admins"))
 def edit(self, cn, tg_errors=None):
 """Displays the edit group form"""
 if tg_errors:
@@ -214,7 +214,7 @@ class GroupController(IPAController):
 raise turbogears.redirect('/group/show', uid=cn)
 @expose()
- @identity.require(identity.not_anonymous())
+ @identity.require(identity.in_group("admins"))
 def update(self, **kw):
 """Updates an existing group"""
 self.restrict_post()
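Review bot: Group `edit` and `update` (this group.py hunk and the one at -214) become admin-only, while user `new`/`create` in user.py admit the new `editors` group as well; if that asymmetry is deliberate it deserves a comment above `edit` so the next reader does not "harmonize" it, e.g. `# Group membership changes stay admin-only; the editors group only covers user records.` Both method bodies continue outside the hunks.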
diff --git a/ipa-server/ipa-gui/ipagui/subcontrollers/ipapolicy.py b/ipa-server/ipa-gui/ipagui/subcontrollers/ipapolicy.py
index a1c1a9f0..5d902427 100644
--- a/ipa-server/ipa-gui/ipagui/subcontrollers/ipapolicy.py
+++ b/ipa-server/ipa-gui/ipagui/subcontrollers/ipapolicy.py
@@ -26,11 +26,12 @@ ipapolicy_edit_form = ipagui.forms.ipapolicy.IPAPolicyForm()
 class IPAPolicyController(IPAController):
 @expose()
+ @identity.require(identity.in_group("admins"))
 def index(self):
 raise turbogears.redirect("/ipapolicy/show")
 @expose("ipagui.templates.ipapolicyshow")
- @identity.require(identity.not_anonymous())
+ @identity.require(identity.in_group("admins"))
 def show(self, tg_errors=None):
 """Displays the one policy page"""
@@ -45,7 +46,7 @@ class IPAPolicyController(IPAController):
 return dict(ipapolicy=ipapolicy,fields=ipagui.forms.ipapolicy.IPAPolicyFields())
 @expose("ipagui.templates.ipapolicyedit")
- @identity.require(identity.not_anonymous())
+ @identity.require(identity.in_group("admins"))
 def edit(self, tg_errors=None):
 """Displays the edit IPA policy form"""
 if tg_errors:
@@ -68,7 +69,7 @@ class IPAPolicyController(IPAController):
 @expose()
- @identity.require(identity.not_anonymous())
+ @identity.require(identity.in_group("admins"))
 def update(self, **kw):
 """Display delegate page"""
 self.restrict_post()
diff --git a/ipa-server/ipa-gui/ipagui/subcontrollers/policy.py b/ipa-server/ipa-gui/ipagui/subcontrollers/policy.py
index a9fd3271..1f2e4587 100644
--- a/ipa-server/ipa-gui/ipagui/subcontrollers/policy.py
+++ b/ipa-server/ipa-gui/ipagui/subcontrollers/policy.py
@@ -23,7 +23,7 @@ log = logging.getLogger(__name__)
 class PolicyController(IPAController):
 @expose("ipagui.templates.policyindex")
- @identity.require(identity.not_anonymous())
+ @identity.require(identity.in_group("admins"))
 def index(self, tg_errors=None):
 """Displays the one policy page"""
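Review bot: The `update` handler at -68 keeps the docstring `"""Display delegate page"""`, a copy-paste from delegation.py that now labels an admin-only mutation of the IPA policy; suggest `"""Updates the IPA policy"""` to match `edit`'s `"""Displays the edit IPA policy form"""` at -45. Adding the decorator to `index` in the first hunk is the right move, since the bare redirect to `/ipapolicy/show` was previously reachable by anyone even though `show` itself was gated. Each method's body continues outside its hunk.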
diff --git a/ipa-server/ipa-gui/ipagui/subcontrollers/user.py b/ipa-server/ipa-gui/ipagui/subcontrollers/user.py
index a527c098..bf77b113 100644
--- a/ipa-server/ipa-gui/ipagui/subcontrollers/user.py
+++ b/ipa-server/ipa-gui/ipagui/subcontrollers/user.py
@@ -96,7 +96,7 @@ class UserController(IPAController):
 raise turbogears.redirect("/user/list")
 @expose("ipagui.templates.usernew")
- @identity.require(identity.in_group("admins"))
+ @identity.require(identity.in_any_group("admins","editors"))
 def new(self, tg_errors=None):
 """Displays the new user form"""
 if tg_errors:
@@ -106,7 +106,7 @@ class UserController(IPAController):
 return dict(form=user_new_form, user={})
 @expose()
- @identity.require(identity.in_group("admins"))
+ @identity.require(identity.in_any_group("admins","editors"))
 def create(self, **kw):
 """Creates a new user"""
 self.restrict_post()
@@ -377,6 +377,15 @@ class UserController(IPAController):
 kw = self.fix_incoming_fields(kw, 'pager', 'pagers')
 kw = self.fix_incoming_fields(kw, 'homephone', 'homephones')
+ # admins and editors can update anybody. A user can only update
+ # themselves. We need this check because it is very easy to guess
+ # the edit URI.
+ if ((not 'admins' in turbogears.identity.current.groups and
+ not 'editors' in turbogears.identity.current.groups) and
+ (kw.get('uid') != turbogears.identity.current.display_name)):
+ turbogears.flash("You do not have permission to update this user.")
+ raise turbogears.redirect('/user/show', uid=kw.get('uid'))
+
 # Decode the group data, in case we need to round trip
 user_groups_dicts = loads(b64decode(kw.get('user_groups_data')))
diff --git a/ipa-server/ipa-gui/ipagui/templates/groupshow.kid b/ipa-server/ipa-gui/ipagui/templates/groupshow.kid
index f0d1ddfb..a5822034 100644
--- a/ipa-server/ipa-gui/ipagui/templates/groupshow.kid
+++ b/ipa-server/ipa-gui/ipagui/templates/groupshow.kid
@@ -12,7 +12,8 @@ edit_url = tg.url('/group/edit', cn=group.get('cn')[0])
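Review bot: `identity.in_any_group("admins","editors")` in this hunk and at -106 lacks the space after the comma (PEP 8), and the same two group names are spelled out a third time in the in-body check at -377, so the three places can drift apart. A module-level `EDITOR_GROUPS = ("admins", "editors")` used as `identity.in_any_group(*EDITOR_GROUPS)` and in that membership test would keep one definition of who may manage users. `new`'s body continues outside the hunk.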
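Review bot: The self-edit check added at -377 authorizes on the client-supplied `kw.get('uid')` and on `turbogears.identity.current.display_name`, and nothing in the hunk shows that the record written further down in `update` is selected by that same `uid` value, nor that `display_name` holds the login uid rather than a display string; both need confirming, because a mismatch between the key that is checked and the key that is updated would let one value satisfy the check while a different record is modified. The check exists only in `update`; the `edit` form handler is outside this hunk, and the hidden Edit link mentioned in the commit message is not enforcement. The condition would read more idiomatically as `groups = turbogears.identity.current.groups` followed by `if 'admins' not in groups and 'editors' not in groups and kw.get('uid') != turbogears.identity.current.display_name:`. On a denial the redirect passes `uid=kw.get('uid')`, which is `None` when the field is absent, so redirecting to `/user/list` in that case would be cleaner. `update` starts and ends outside the hunk.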

View Group

- @@ -84,7 +85,8 @@ edit_url = tg.url('/group/edit', cn=group.get('cn')[0])

-
diff --git a/ipa-server/ipa-gui/ipagui/templates/loginfailed.kid b/ipa-server/ipa-gui/ipagui/templates/loginfailed.kid
index 84896be5..b31db82a 100644
--- a/ipa-server/ipa-gui/ipagui/templates/loginfailed.kid
+++ b/ipa-server/ipa-gui/ipagui/templates/loginfailed.kid
@@ -1,35 +1,24 @@ - - - + + - - Login Failure + +Permission Denied -