1. 13 Sep, 2021 9 commits
  2. 12 Sep, 2021 2 commits
  3. 11 Sep, 2021 1 commit
  4. 10 Sep, 2021 8 commits
  5. 08 Sep, 2021 2 commits
  6. 07 Sep, 2021 1 commit
  7. 06 Sep, 2021 1 commit
  8. 05 Sep, 2021 2 commits
    • Julian's avatar
      Refactor base template and add narrow base template · 12b0ea3d
      Julian authored
      Fixes #83.
      Many authentication-related templates shared the same markup originally
      copied from the login template. The duplicated code now lives in
      base_narrow.html. Alerts now always have the same width as the main content.
      Vertical spacing is now more consistent. The footer is now full-width.
    • Julian's avatar
      Refactor permission checking and differenciate login and selfservice access · e6df5bbe
      Julian authored
      Fixes #104.
      Replaced "group" keyword argument for login_required with "permission_check".
      Most views already define a *_acl_check function that returns whether the
      current user has the required permissions for use with register_navbar. The
      same function can now be passed to login_required as the "permission_check"
      Differenciated login and selfservice access permissions. Previously
      ACL_SELFSERVICE_GROUP was required to login. Now ACL_ACCESS_GROUP is required
      to login and ACL_SELFSERVICE_GROUP is required to access selfservice functions
      (and to use role-granting invite links). A user with just ACL_ACCESS_GROUP can
      now login, access the services overview page and authenticate with OAuth2
      services he has access to, but not change his user attributes, password or
  9. 04 Sep, 2021 6 commits
  10. 02 Sep, 2021 2 commits
    • Julian's avatar
      Fix for 45d4598e (Replace flask_oauthlib with plain oauthlib) · 883301c8
      Julian authored
      45d4598e accidentally removed the OAuth2.0 access permission check based on
      Client.required_group. This change adds it again.
    • Julian's avatar
      Replace flask_oauthlib with plain oauthlib · 45d4598e
      Julian authored
      flask_oauthlib is no longer available in Debian Bullseye. It is only a
      wrapper around oauthlib, which is still available. While this change does
      increase the OAuth2 code size, it achieves compatability with both Debian
      Buster and Bullseye.
      Aside from error handling, this change has no noticable effects on OAuth2.0
      clients. In terms of error handling, a few cases that were not properly
      handled before now return appropriate error pages.
      Fixes #101
  11. 30 Aug, 2021 2 commits
    • Julian's avatar
      Restrict password alphabet to SASLprep-safe ASCII subset · cb2d7f35
      Julian authored
      Prior to this change user passwords were not validated on change aside from
      their length, but validated on login/bind by ldap3 with SASLprep. Instead of
      using SASLprep on password change, this change restricts passwords to 7-bit
      ASCII without control characters. Control characters are forbidden by
      SASLprep. Multi-byte characters are uncommon in password, especially in those
      generated by password managers. This ensures that passwords are always
      SASLprep-safe without implementing the rather complex SASLprep algorithm. It
      also allows us to fully describe the alphabet restrictions in the relevant
      Fixes #100
    • Julian's avatar
      Catch LDAPSASLPrepError on login · 3f6a67ea
      Julian authored
      Ldap3 raises LDAPSASLPrepError on bind if the password contains characters
      forbidden by SASLPrep (string preperation/normalization algorithm for user
      names and passwords). Examples are carriage return ("\r") or newline ("\n")
      characters. See #100.
  12. 14 Aug, 2021 1 commit
  13. 13 Aug, 2021 3 commits