working ldap acls

43f5b114 · nd · ef2619bd · 43f5b114 · 43f5b114 · 43f5b114
Verified Commit 43f5b114 authored 4 years ago by nd
--- a/uffd/default_config.cfg
+++ b/uffd/default_config.cfg
@@ -9,3 +9,6 @@ LDAP_USER_MIN_UID=10000
 LDAP_USER_MAX_UID=18999
 SESSION_LIFETIME_SECONDS=3600
 ACL_LDAP_GROUP_USEREDIT="admins"
+ACL_ADMIN_GROUP="admin"
+ACL_SELFSERVICE_GROUP="user"
--- a/uffd/selfservice/views.py
+++ b/uffd/selfservice/views.py
@@ -13,6 +13,12 @@ bp = Blueprint("selfservice", __name__, template_folder='templates', url_prefix=
 @login_required()
 def self_acl():
 	pass
+	#if not self_acl_check():
+	#	flash('Access denied')
+	#	return redirect(url_for('index'))
+def self_acl_check():
+	return is_valid_session() and get_current_user().is_in_group(current_app.config['ACL_SELFSERVICE_GROUP'])
 @bp.route("/")
 @register_navbar('Selfservice', icon='portrait', blueprint=bp, visible=is_valid_session)

--- a/uffd/user/templates/user_list.html
+++ b/uffd/user/templates/user_list.html
@@ -10,9 +10,11 @@
 					<th scope="col">login name</th>
 					<th scope="col">display name</th>
 					<th scope="col">
+						<p class="text-right">
 							<a type="button" class="btn btn-primary" href="{{ url_for(".user_show") }}">
 								<i class="fa fa-plus" aria-hidden="true"></i> New
 							</a>
+						</p>
 					</th>
 				</tr>
 			</thead>
@@ -31,12 +33,14 @@
 						{{ user.displayname }}
 					</td>
 					<td>
+						<p class="text-right">
 							<a href="{{ url_for(".user_show", uid=user.uid) }}" class="btn btn-primary">
 								<i class="fa fa-edit" aria-hidden="true"></i> Edit
 							</a>
 							<a href="{{ url_for(".user_delete", uid=user.uid) }}" class="btn btn-danger">
 								<i class="fa fa-trash" aria-hidden="true"></i> Delete
 							</a>
+						</p>
 					</td>
 				</tr>
 				{% endfor %}

--- a/uffd/user/views.py
+++ b/uffd/user/views.py
@@ -3,19 +3,23 @@ from flask import Blueprint, render_template, request, url_for, redirect, flash,
 from uffd.navbar import register_navbar
 from uffd.csrf import csrf_protect
 from uffd.ldap import get_conn, escape_filter_chars
-from uffd.session import login_required, is_valid_session
+from uffd.session import login_required, is_valid_session, get_current_user
 from .models import User, Group
 bp_user = Blueprint("user", __name__, template_folder='templates', url_prefix='/user/')
 @bp_user.before_request
-#@login_required(group=current_app.config('ACL_LDAP_GROUP_USEREDIT'))
 @login_required()
 def user_acl():
-	pass
+	if not user_acl_check():
+		flash('Access denied')
+		return redirect(url_for('index'))
+def user_acl_check():
+	return is_valid_session() and get_current_user().is_in_group(current_app.config['ACL_ADMIN_GROUP'])
 @bp_user.route("/")
-@register_navbar('Users', icon='users', blueprint=bp_user, visible=is_valid_session)
+@register_navbar('Users', icon='users', blueprint=bp_user, visible=user_acl_check)
 def user_list():
 	conn = get_conn()
 	conn.search(current_app.config["LDAP_BASE_USER"], '(objectclass=person)')
@@ -81,10 +85,12 @@ bp_group = Blueprint("group", __name__, template_folder='templates', url_prefix=
 @bp_group.before_request
 @login_required()
 def group_acl():
-	pass
+	if not user_acl_check():
+		flash('Access denied')
+		return redirect(url_for('index'))
 @bp_group.route("/")
-@register_navbar('Groups', icon='layer-group', blueprint=bp_group, visible=is_valid_session)
+@register_navbar('Groups', icon='layer-group', blueprint=bp_group, visible=user_acl_check)
 def group_list():
 	conn = get_conn()
 	conn.search(current_app.config["LDAP_BASE_GROUPS"], '(objectclass=groupOfUniqueNames)')