From 824b15c1613d1b4f8ffdce9a6d89c60a65781bd2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michael=20G=C3=B6tz?=
Date: Wed, 10 Apr 2019 22:00:36 +0200
Subject: [PATCH] Fix changeable cross realm groups
---
account_manager/views/group_views.py | 37 ++++++++++++++++++----------
account_manager/views/user_views.py | 7 +-----
2 files changed, 25 insertions(+), 19 deletions(-)
diff --git a/account_manager/views/group_views.py b/account_manager/views/group_views.py
index 01f5a8e..3c2910b 100644
--- a/account_manager/views/group_views.py
+++ b/account_manager/views/group_views.py
@@ -3,13 +3,25 @@ import re
from django.contrib.auth.decorators import login_required
from django.db.models import Q
from django.shortcuts import render, redirect
-
+from django.http import HttpResponse
from account_helper.models import Realm
from account_manager.forms import AddLDAPGroupForm
from account_manager.main_views import is_realm_admin
from account_manager.models import LdapGroup, LdapUser
+def protect_cross_realm_group_access(view_func):
def decorator(request, *args, **kwargs):
realm_id = kwargs.get('realm_id', None)
group_dn = kwargs.get('group_dn', None)
if realm_id and group_dn and Realm.objects.get(id=realm_id).ldap_base_dn not in group_dn:
return HttpResponse("Ressource konnte nicht gefunden werden.", status=404)
return view_func(request, *args, **kwargs)
return decorator
@login_required
@is_realm_admin
def realm_groups(request, realm_id):
@@ -21,6 +33,7 @@ def realm_groups(request, realm_id):
@login_required
@is_realm_admin
+@protect_cross_realm_group_access
def group_detail(request, realm_id, group_dn):
realm = Realm.objects.get(id=realm_id)
LdapGroup.base_dn = f'ou=groups,{realm.ldap_base_dn}'
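Review bot: The realm check in `protect_cross_realm_group_access` is a substring test, `Realm.objects.get(id=realm_id).ldap_base_dn not in group_dn`, so it accepts any DN that merely contains the realm's base DN somewhere: a group under `dc=sub,dc=example,dc=com` passes for a realm whose base is `dc=example,dc=com`, and so does a DN whose RDN value happens to contain the base string, whereas "belongs to this realm" is a suffix match on the parent DN (compared case-insensitively, since DNs are). The guard is also fail-open — when a route does not carry both `realm_id` and `group_dn` the `if` is skipped and the wrapped view runs unchecked — and `Realm.objects.get` raises `DoesNotExist` for an unknown realm instead of the 404 the wrapper is meant to return, unless `is_realm_admin` (outside this hunk) already rejects that case. The inner function should also carry `@functools.wraps(view_func)` so the view keeps its name for URL reversal and tracebacks. The rewrite below keeps the interface and fails closed; whitespace-variant DNs (`, dc=`) would be rejected by the plain string suffix, so normalise with the LDAP library's DN parser if the application accepts them.
```python
def protect_cross_realm_group_access(view_func):
    def decorator(request, *args, **kwargs):
        realm_id = kwargs.get('realm_id')
        group_dn = kwargs.get('group_dn')
        # Fail closed: a route that does not carry both ids cannot be checked.
        if realm_id is None or group_dn is None:
            return HttpResponse("Ressource konnte nicht gefunden werden.", status=404)
        realm = Realm.objects.filter(id=realm_id).first()
        # Suffix match on the parent DN, not a substring test: 'dc=a,dc=b' is a
        # substring of every DN under 'dc=x,dc=a,dc=b' and of any RDN value that
        # contains it. DN comparison is case-insensitive.
        if realm is None or not group_dn.lower().endswith(',' + realm.ldap_base_dn.lower()):
            return HttpResponse("Ressource konnte nicht gefunden werden.", status=404)
        return view_func(request, *args, **kwargs)

    return decorator
```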
@@ -55,32 +68,27 @@ def group_add(request, realm_id):
@login_required
@is_realm_admin
+@protect_cross_realm_group_access
def group_update(request, realm_id, group_dn):
realm = Realm.objects.get(id=realm_id)
- LdapGroup.base_dn = f'ou=groups,{realm.ldap_base_dn}'
- group = LdapGroup.objects.get(dn=group_dn)
LdapUser.base_dn = LdapUser.ROOT_DN
+ LdapGroup.base_dn = f'ou=groups,{realm.ldap_base_dn}'
+
+ group = LdapGroup.objects.get(name=group_dn)
+
if request.method == 'POST':
- # user_ids = list(map(int, request.POST.getlist('members')))
- # user_formset = UserFormset(request.POST)
- # if user_formset and user_formset.is_valid():
- # print(user_formset)
- # create a form instance and populate it with data from the request:
form = AddLDAPGroupForm(request.POST)
- # check whether it's valid:
if form.is_valid():
group.name = form.cleaned_data['name']
members = form.cleaned_data['members']
group.members = [member.dn for member in members]
group.save()
return redirect('realm-group-detail', realm_id, group.dn)
-
- # if a GET (or any other method) we'll create a blank form
else:
- # TODO: Automatic checkbox selection
members = LdapUser.objects.none()
if group.members:
- group_members = [re.compile('uid=([a-zA-Z0-9_]*),(ou=[a-zA-Z_]*),(.*)').match(member).group(1) for member in
+ group_members = [re.compile('uid=([a-zA-Z0-9_]*),(ou=[a-zA-Z_]*),(.*)').match(member).group(1) for
+ member in
group.members]
query = Q(username=group_members.pop())
for member in group_members:
@@ -93,6 +101,9 @@ def group_update(request, realm_id, group_dn):
{'form': form, 'realm': realm, 'group': group})
+@login_required
+@is_realm_admin
+@protect_cross_realm_group_access
def group_delete(request, realm_id, group_dn):
realm = Realm.objects.get(id=realm_id)
LdapGroup.base_dn = f'ou=groups,{realm.ldap_base_dn}'
diff --git a/account_manager/views/user_views.py b/account_manager/views/user_views.py
index a026761..493b55f 100644
--- a/account_manager/views/user_views.py
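Review bot: `group = LdapGroup.objects.get(name=group_dn)` in group_update looks the group up by `name`, while the new `protect_cross_realm_group_access` guard on the same view tests `group_dn` as a DN and the success path redirects with `group.dn` into that same URL parameter; unless the URL really carries a bare cn, the lookup will not match and the unmatched `get` raises `DoesNotExist` (a 500 where the guard intends a 404), and if it does carry a bare cn the guard rejects every request, because a base DN is never a substring of a cn. Either keep `group = LdapGroup.objects.get(dn=group_dn)` consistent with the guard, or look up by name and have the guard check the base DN of the fetched group rather than the parameter; in both cases wrap the `get` in `try/except LdapGroup.DoesNotExist` and return the same 404 response. Separately, `re.compile(...).match(member)` in the GET branch returns `None` for any member DN that does not fit `uid=...,ou=...,...` (uppercase attribute types, a hyphen in the uid) and `.group(1)` then raises `AttributeError`, so non-matching members should be skipped instead. group_update continues past the end of this hunk.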
+++ b/account_manager/views/user_views.py
@@ -25,8 +25,8 @@ def realm_user_detail(request, realm_id, user_dn):
realm = Realm.objects.get(id=realm_id)
LdapUser.base_dn = realm.ldap_base_dn
user = LdapUser.objects.get(dn=user_dn)
+ LdapGroup.base_dn = LdapGroup.ROOT_DN
groups = LdapGroup.objects.filter(members=user.dn)
- print("GROUPS", groups)
if realm_id and (request.user.is_superuser or len(
Realm.objects.filter(id=realm_id).filter(
admin_group__user__username__contains=request.user.username)) > 0):
@@ -134,8 +134,6 @@ def user_update(request, realm_id, user_dn):
return redirect('permission-denied')
-# # ldap_user.username = form.cleaned_data['username']
-
@login_required
def user_delete_confirm(request, realm_id, user_dn):
realm = Realm.objects.get(id=realm_id)
@@ -193,10 +191,7 @@ def user_update_controller(request, realm, ldap_user, redirect_name, update_view
def user_delete_controller(ldap_user, realm):
LdapGroup.base_dn = f'ou=groups,{realm.ldap_base_dn}'
user_groups = LdapGroup.objects.filter(members__contains=ldap_user.dn)
- print(user_groups)
for group in user_groups:
- print(group)
- # LdapGroup.base_dn = group.base_dn
group.members.remove(ldap_user.dn)
group.save()
ldap_user.delete()
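Review bot: The realm-admin test in realm_user_detail, `admin_group__user__username__contains=request.user.username`, is a substring match, so a logged-in user whose username is a substring of an admin's (`al` against admin `alice`) satisfies the `len(...) > 0` check and is treated as a realm admin; an authorization check should compare exactly, `admin_group__user__username=request.user.username`, or better `Realm.objects.filter(id=realm_id, admin_group__user=request.user).exists()`. The line is unchanged context, but this hunk is the one that switches the group listing to `LdapGroup.ROOT_DN`, i.e. groups from every realm, so the check now gates more data than before. If `is_realm_admin` in main_views uses the same `__contains` lookup it has the same weakness and should be fixed together. realm_user_detail starts before this hunk and continues after it.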