From e1b6cc1f18d3ff1faa4e02cc3ca09c1c78750d05 Mon Sep 17 00:00:00 2001
From: nd <git@notandy.de>
Date: Mon, 13 Jul 2020 00:42:31 +0200
Subject: [PATCH] add admin group checking for user editing

---
 uffd/group/views.py       |  2 +-
 uffd/selfservice/views.py |  2 +-
 uffd/session/__init__.py  |  2 +-
 uffd/session/views.py     | 28 +++++++++++++---------------
 uffd/user/models.py       |  9 +++++++++
 uffd/user/views.py        |  2 +-
 6 files changed, 26 insertions(+), 19 deletions(-)

diff --git a/uffd/group/views.py b/uffd/group/views.py
index cc4583ec..d14e2ad3 100644
--- a/uffd/group/views.py
+++ b/uffd/group/views.py
@@ -9,7 +9,7 @@ from .models import Group
 bp = Blueprint("group", __name__, template_folder='templates', url_prefix='/group/')
 
 @bp.before_request
-@login_required
+@login_required()
 def group_acl():
 	pass
 
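Review bot: Every route under /group/ still needs only a logged-in session after this change, because `group_acl` uses `login_required()` with no group, while the user blueprint in the same commit is restricted to the 'admins' group. If these views let a user create or modify groups (the routes themselves are outside the hunk), the same restriction belongs here: `@login_required(group='admins')`. If a read-only listing for all users is intended, a one-line comment on `group_acl` saying so would stop the next reader from treating it as an oversight.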
diff --git a/uffd/selfservice/views.py b/uffd/selfservice/views.py
index fe8e5035..36077985 100644
--- a/uffd/selfservice/views.py
+++ b/uffd/selfservice/views.py
@@ -11,7 +11,7 @@ from uffd.ldap import get_conn, escape_filter_chars
 bp = Blueprint("selfservice", __name__, template_folder='templates', url_prefix='/self/')
 
 @bp.before_request
-@login_required
+@login_required()
 def self_acl():
 	pass
 
diff --git a/uffd/session/__init__.py b/uffd/session/__init__.py
index a7391f91..97d96e52 100644
--- a/uffd/session/__init__.py
+++ b/uffd/session/__init__.py
@@ -1,3 +1,3 @@
-from .views import bp as bp_ui, get_current_user, login_required, is_user_in_group, is_valid_session
+from .views import bp as bp_ui, get_current_user, login_required, is_valid_session
 
 bp = [bp_ui]
diff --git a/uffd/session/views.py b/uffd/session/views.py
index d65dc3fa..ca88eb29 100644
--- a/uffd/session/views.py
+++ b/uffd/session/views.py
@@ -50,18 +50,16 @@ def is_valid_session():
 	return True
 bp.add_app_template_global(is_valid_session)
 
-def is_user_in_group(user, group):
-	return True
-bp.add_app_template_global(is_user_in_group)
-
-def login_required(view, group=None):
-	@functools.wraps(view)
-	def wrapped_view(**kwargs):
-		if not is_valid_session():
-			flash('You need to login first')
-			return redirect(url_for('session.login', ref=request.url))
-		if not is_user_in_group(get_current_user, group):
-			flash('Access denied')
-			return redirect(url_for('index'))
-		return view(**kwargs)
-	return wrapped_view
+def login_required(group=None):
+	def wrapper(func):
+		@functools.wraps(func)
+		def decorator(*args, **kwargs):
+			if not is_valid_session():
+				flash('You need to login first')
+				return redirect(url_for('session.login', ref=request.url))
+			if not get_current_user().is_in_group(group):
+				flash('Access denied')
+				return redirect(url_for('index'))
+			return func(*args, **kwargs)
+		return decorator
+	return wrapper
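Review bot: The check on the `get_current_user().is_in_group(group)` line assumes `get_current_user()` never returns None once `is_valid_session()` has passed; `get_current_user` is defined outside the hunk, so if it can miss (for example when the account behind the session no longer resolves) the decorator raises instead of denying. Safer to bind the result and treat a missing user like a failed group check: `user = get_current_user()` then `if user is None or not user.is_in_group(group):`. The inner names read backwards — `wrapper` is the decorator and `decorator` is the wrapped view — so swapping them (or `_decorate`/`_wrapped`) would help. A docstring on `login_required` stating that `group=None` requires only a valid session while any other value also requires membership in that group would document the access contract at the one place it is enforced.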
diff --git a/uffd/user/models.py b/uffd/user/models.py
index d4d3fb39..4a711b13 100644
--- a/uffd/user/models.py
+++ b/uffd/user/models.py
@@ -82,6 +82,15 @@ class User():
 		self._groups = groups
 		return groups
 
+	def is_in_group(self, name):
+		if not name:
+			return True
+		groups = self.get_groups()
+		for i in groups:
+			if i.name == name:
+				return True
+		return False
+
 	def set_loginname(self, value):
 		if len(value) > 32 or len(value) < 1:
 			return False
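Review bot: `if not name: return True` grants access for an empty string as well as for None, so a misconfigured `login_required(group='')` (or a group name taken from an unset setting) silently becomes no restriction; test identity instead: `if name is None:`. The loop can then be `return any(group.name == name for group in self.get_groups())`, which keeps the deny-by-default result for unknown names. Membership comes from `get_groups()`, which per the context lines above stores its result in `self._groups`, so a repeated call presumably answers from that cache — worth a short comment if that is intended. A docstring such as `"""Return True if the user belongs to the named group; None means no restriction."""` completes the method; the enclosing `User` class continues outside the hunk.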
diff --git a/uffd/user/views.py b/uffd/user/views.py
index ed38feaa..b2217d81 100644
--- a/uffd/user/views.py
+++ b/uffd/user/views.py
@@ -10,7 +10,7 @@ from .models import User
 bp = Blueprint("user", __name__, template_folder='templates', url_prefix='/user/')
 
 @bp.before_request
-@login_required
+@login_required(group='admins')
 def user_acl():
 	pass
 
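Review bot: The admin group name is hard-coded as the literal `'admins'` on the `user_acl` decorator line, so a deployment whose directory uses a different group name must edit source to change the policy; reading it from the application config (for example a single setting such as `ACL_ADMIN_GROUP`, if the app already carries a config object) keeps the access rule in one place. A short comment on `user_acl` noting that, through `before_request`, the restriction covers every route registered on this blueprint would make the access boundary explicit to the next maintainer.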
-- 
GitLab