From 3e715a04cf95de0add2c37d6cd5985c43de47dab Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Wed, 14 Nov 2007 10:49:03 -0500
Subject: Add an editors group. This is used to generally grant access for
 users to edit other users (the Edit link won't appear otherwise). Additional
 delegation is need to grant permission to individual attributes. Update the
 failed login page to indicate that it is a permission issue. Don't allow
 access to policy at all for non-admins. By default users can only edit
 themselves.

---
 ipa-server/ipa-gui/ipagui/subcontrollers/user.py | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

(limited to 'ipa-server/ipa-gui/ipagui/subcontrollers/user.py')

diff --git a/ipa-server/ipa-gui/ipagui/subcontrollers/user.py b/ipa-server/ipa-gui/ipagui/subcontrollers/user.py
index a527c098..bf77b113 100644
--- a/ipa-server/ipa-gui/ipagui/subcontrollers/user.py
+++ b/ipa-server/ipa-gui/ipagui/subcontrollers/user.py
@@ -96,7 +96,7 @@ class UserController(IPAController):
         raise turbogears.redirect("/user/list")
 
     @expose("ipagui.templates.usernew")
-    @identity.require(identity.in_group("admins"))
+    @identity.require(identity.in_any_group("admins","editors"))
     def new(self, tg_errors=None):
         """Displays the new user form"""
         if tg_errors:
@@ -106,7 +106,7 @@ class UserController(IPAController):
         return dict(form=user_new_form, user={})
 
     @expose()
-    @identity.require(identity.in_group("admins"))
+    @identity.require(identity.in_any_group("admins","editors"))
     def create(self, **kw):
         """Creates a new user"""
         self.restrict_post()
@@ -377,6 +377,15 @@ class UserController(IPAController):
         kw = self.fix_incoming_fields(kw, 'pager', 'pagers')
         kw = self.fix_incoming_fields(kw, 'homephone', 'homephones')
 
+        # admins and editors can update anybody. A user can only update
+        # themselves. We need this check because it is very easy to guess
+        # the edit URI.
+        if ((not 'admins' in turbogears.identity.current.groups and
+            not 'editors' in turbogears.identity.current.groups) and 
+            (kw.get('uid') != turbogears.identity.current.display_name)):
+            turbogears.flash("You do not have permission to update this user.")
+            raise turbogears.redirect('/user/show', uid=kw.get('uid'))
+
         # Decode the group data, in case we need to round trip
         user_groups_dicts = loads(b64decode(kw.get('user_groups_data')))
 
-- 
cgit