Fix changeable cross realm groups
This commit is contained in:
parent
9a5b6cf4b0
commit
824b15c161
@ -3,13 +3,25 @@ import re
|
|||||||
from django.contrib.auth.decorators import login_required
|
from django.contrib.auth.decorators import login_required
|
||||||
from django.db.models import Q
|
from django.db.models import Q
|
||||||
from django.shortcuts import render, redirect
|
from django.shortcuts import render, redirect
|
||||||
|
from django.http import HttpResponse
|
||||||
from account_helper.models import Realm
|
from account_helper.models import Realm
|
||||||
from account_manager.forms import AddLDAPGroupForm
|
from account_manager.forms import AddLDAPGroupForm
|
||||||
from account_manager.main_views import is_realm_admin
|
from account_manager.main_views import is_realm_admin
|
||||||
from account_manager.models import LdapGroup, LdapUser
|
from account_manager.models import LdapGroup, LdapUser
|
||||||
|
|
||||||
|
|
||||||
|
def protect_cross_realm_group_access(view_func):
|
||||||
|
def decorator(request, *args, **kwargs):
|
||||||
|
realm_id = kwargs.get('realm_id', None)
|
||||||
|
group_dn = kwargs.get('group_dn', None)
|
||||||
|
|
||||||
|
if realm_id and group_dn and Realm.objects.get(id=realm_id).ldap_base_dn not in group_dn:
|
||||||
|
return HttpResponse("Ressource konnte nicht gefunden werden.", status=404)
|
||||||
|
return view_func(request, *args, **kwargs)
|
||||||
|
|
||||||
|
return decorator
|
||||||
|
|
||||||
|
|
||||||
@login_required
|
@login_required
|
||||||
@is_realm_admin
|
@is_realm_admin
|
||||||
def realm_groups(request, realm_id):
|
def realm_groups(request, realm_id):
|
||||||
@ -21,6 +33,7 @@ def realm_groups(request, realm_id):
|
|||||||
|
|
||||||
@login_required
|
@login_required
|
||||||
@is_realm_admin
|
@is_realm_admin
|
||||||
|
@protect_cross_realm_group_access
|
||||||
def group_detail(request, realm_id, group_dn):
|
def group_detail(request, realm_id, group_dn):
|
||||||
realm = Realm.objects.get(id=realm_id)
|
realm = Realm.objects.get(id=realm_id)
|
||||||
LdapGroup.base_dn = f'ou=groups,{realm.ldap_base_dn}'
|
LdapGroup.base_dn = f'ou=groups,{realm.ldap_base_dn}'
|
||||||
@ -55,32 +68,27 @@ def group_add(request, realm_id):
|
|||||||
|
|
||||||
@login_required
|
@login_required
|
||||||
@is_realm_admin
|
@is_realm_admin
|
||||||
|
@protect_cross_realm_group_access
|
||||||
def group_update(request, realm_id, group_dn):
|
def group_update(request, realm_id, group_dn):
|
||||||
realm = Realm.objects.get(id=realm_id)
|
realm = Realm.objects.get(id=realm_id)
|
||||||
LdapGroup.base_dn = f'ou=groups,{realm.ldap_base_dn}'
|
|
||||||
group = LdapGroup.objects.get(dn=group_dn)
|
|
||||||
LdapUser.base_dn = LdapUser.ROOT_DN
|
LdapUser.base_dn = LdapUser.ROOT_DN
|
||||||
|
LdapGroup.base_dn = f'ou=groups,{realm.ldap_base_dn}'
|
||||||
|
|
||||||
|
group = LdapGroup.objects.get(name=group_dn)
|
||||||
|
|
||||||
if request.method == 'POST':
|
if request.method == 'POST':
|
||||||
# user_ids = list(map(int, request.POST.getlist('members')))
|
|
||||||
# user_formset = UserFormset(request.POST)
|
|
||||||
# if user_formset and user_formset.is_valid():
|
|
||||||
# print(user_formset)
|
|
||||||
# create a form instance and populate it with data from the request:
|
|
||||||
form = AddLDAPGroupForm(request.POST)
|
form = AddLDAPGroupForm(request.POST)
|
||||||
# check whether it's valid:
|
|
||||||
if form.is_valid():
|
if form.is_valid():
|
||||||
group.name = form.cleaned_data['name']
|
group.name = form.cleaned_data['name']
|
||||||
members = form.cleaned_data['members']
|
members = form.cleaned_data['members']
|
||||||
group.members = [member.dn for member in members]
|
group.members = [member.dn for member in members]
|
||||||
group.save()
|
group.save()
|
||||||
return redirect('realm-group-detail', realm_id, group.dn)
|
return redirect('realm-group-detail', realm_id, group.dn)
|
||||||
|
|
||||||
# if a GET (or any other method) we'll create a blank form
|
|
||||||
else:
|
else:
|
||||||
# TODO: Automatic checkbox selection
|
|
||||||
members = LdapUser.objects.none()
|
members = LdapUser.objects.none()
|
||||||
if group.members:
|
if group.members:
|
||||||
group_members = [re.compile('uid=([a-zA-Z0-9_]*),(ou=[a-zA-Z_]*),(.*)').match(member).group(1) for member in
|
group_members = [re.compile('uid=([a-zA-Z0-9_]*),(ou=[a-zA-Z_]*),(.*)').match(member).group(1) for
|
||||||
|
member in
|
||||||
group.members]
|
group.members]
|
||||||
query = Q(username=group_members.pop())
|
query = Q(username=group_members.pop())
|
||||||
for member in group_members:
|
for member in group_members:
|
||||||
@ -93,6 +101,9 @@ def group_update(request, realm_id, group_dn):
|
|||||||
{'form': form, 'realm': realm, 'group': group})
|
{'form': form, 'realm': realm, 'group': group})
|
||||||
|
|
||||||
|
|
||||||
|
@login_required
|
||||||
|
@is_realm_admin
|
||||||
|
@protect_cross_realm_group_access
|
||||||
def group_delete(request, realm_id, group_dn):
|
def group_delete(request, realm_id, group_dn):
|
||||||
realm = Realm.objects.get(id=realm_id)
|
realm = Realm.objects.get(id=realm_id)
|
||||||
LdapGroup.base_dn = f'ou=groups,{realm.ldap_base_dn}'
|
LdapGroup.base_dn = f'ou=groups,{realm.ldap_base_dn}'
|
||||||
|
|||||||
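Review bot: The cross-realm guard added in `protect_cross_realm_group_access` is a substring test (`Realm.objects.get(id=realm_id).ldap_base_dn not in group_dn`), so any group DN that merely contains the realm's base DN somewhere inside it passes as in-realm — with a realm base of `dc=example,dc=com` a group under `ou=groups,dc=other,dc=example,dc=com` (constructed example) is accepted — and the comparison is case-sensitive although DN matching is not. Normalize and compare the suffix instead, e.g. `base = Realm.objects.get(id=realm_id).ldap_base_dn.lower()` followed by `if realm_id and group_dn and not group_dn.lower().endswith(',' + base):`, and consider that the same lookup raises `Realm.DoesNotExist` (a 500) for an unknown realm_id rather than the 404 the decorator returns for a foreign group. The inner function is also not wrapped with `functools.wraps`, so the decorated views lose their name for URL resolution and debugging. Separately, `group_update` in the third hunk now resolves the group with `LdapGroup.objects.get(name=group_dn)` while the decorator still requires `group_dn` to carry the realm's base DN; unless the URL value is a full DN that the `name` lookup also accepts, the two read the same parameter differently, and `group_detail`/`group_delete` (bodies continue outside the hunks) should be checked for the same mismatch.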
@ -25,8 +25,8 @@ def realm_user_detail(request, realm_id, user_dn):
|
|||||||
realm = Realm.objects.get(id=realm_id)
|
realm = Realm.objects.get(id=realm_id)
|
||||||
LdapUser.base_dn = realm.ldap_base_dn
|
LdapUser.base_dn = realm.ldap_base_dn
|
||||||
user = LdapUser.objects.get(dn=user_dn)
|
user = LdapUser.objects.get(dn=user_dn)
|
||||||
|
LdapGroup.base_dn = LdapGroup.ROOT_DN
|
||||||
groups = LdapGroup.objects.filter(members=user.dn)
|
groups = LdapGroup.objects.filter(members=user.dn)
|
||||||
print("GROUPS", groups)
|
|
||||||
if realm_id and (request.user.is_superuser or len(
|
if realm_id and (request.user.is_superuser or len(
|
||||||
Realm.objects.filter(id=realm_id).filter(
|
Realm.objects.filter(id=realm_id).filter(
|
||||||
admin_group__user__username__contains=request.user.username)) > 0):
|
admin_group__user__username__contains=request.user.username)) > 0):
|
||||||
@ -134,8 +134,6 @@ def user_update(request, realm_id, user_dn):
|
|||||||
return redirect('permission-denied')
|
return redirect('permission-denied')
|
||||||
|
|
||||||
|
|
||||||
# # ldap_user.username = form.cleaned_data['username']
|
|
||||||
|
|
||||||
@login_required
|
@login_required
|
||||||
def user_delete_confirm(request, realm_id, user_dn):
|
def user_delete_confirm(request, realm_id, user_dn):
|
||||||
realm = Realm.objects.get(id=realm_id)
|
realm = Realm.objects.get(id=realm_id)
|
||||||
@ -193,10 +191,7 @@ def user_update_controller(request, realm, ldap_user, redirect_name, update_view
|
|||||||
def user_delete_controller(ldap_user, realm):
|
def user_delete_controller(ldap_user, realm):
|
||||||
LdapGroup.base_dn = f'ou=groups,{realm.ldap_base_dn}'
|
LdapGroup.base_dn = f'ou=groups,{realm.ldap_base_dn}'
|
||||||
user_groups = LdapGroup.objects.filter(members__contains=ldap_user.dn)
|
user_groups = LdapGroup.objects.filter(members__contains=ldap_user.dn)
|
||||||
print(user_groups)
|
|
||||||
for group in user_groups:
|
for group in user_groups:
|
||||||
print(group)
|
|
||||||
# LdapGroup.base_dn = group.base_dn
|
|
||||||
group.members.remove(ldap_user.dn)
|
group.members.remove(ldap_user.dn)
|
||||||
group.save()
|
group.save()
|
||||||
ldap_user.delete()
|
ldap_user.delete()
|
||||||
|
|||||||
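Review bot: In `realm_user_detail` the new line `LdapGroup.base_dn = LdapGroup.ROOT_DN` widens the group search to the whole directory, whereas `user_delete_controller` in the last hunk scopes the same lookup to `f'ou=groups,{realm.ldap_base_dn}'`; if the intent is to show only this realm's groups the detail view should use the same realm-scoped base, and if directory-wide membership is intended a comment stating that would prevent the next reader from "fixing" it, e.g. `# Intentionally search all realms: a user may be a member of groups outside its own realm`. Both views mutate the class attribute `LdapGroup.base_dn` per request; presumably that is read at query time, in which case concurrent requests in a threaded server can observe each other's base DN — worth confirming against the LDAP backend. The admin check visible in the same hunk, `admin_group__user__username__contains=request.user.username`, is a substring match that is not changed by this commit, so an admin named `bobby` would also satisfy the check for a user named `bob` (constructed example); an exact `admin_group__user__username=request.user.username` (or `admin_group__user=request.user`) is the safer form.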