forked from Deuxfleurs/guichet
Refactor is_admin check
This commit is contained in:
parent
7ca56ba8df
commit
3fbbe61a46
4 changed files with 24 additions and 38 deletions
16
admin.go
16
admin.go
|
@ -18,20 +18,8 @@ func checkAdminLogin(w http.ResponseWriter, r *http.Request) *LoginStatus {
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
can_admin := (login.Info.DN == config.AdminAccount)
|
if !login.CanAdmin {
|
||||||
fmt.Printf("%#v", login.UserEntry)
|
http.Error(w, "Not authorized to perform administrative operations.", http.StatusUnauthorized)
|
||||||
for _, attr := range login.UserEntry.Attributes {
|
|
||||||
if strings.EqualFold(attr.Name, "memberof") {
|
|
||||||
for _, group := range attr.Values {
|
|
||||||
if config.GroupCanAdmin != "" && group == config.GroupCanAdmin {
|
|
||||||
can_admin = true
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
if !can_admin {
|
|
||||||
http.Redirect(w, r, "/", http.StatusFound)
|
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -12,7 +12,7 @@ job "guichet" {
|
||||||
task "server" {
|
task "server" {
|
||||||
driver = "docker"
|
driver = "docker"
|
||||||
config {
|
config {
|
||||||
image = "lxpz/guichet_amd64:3"
|
image = "lxpz/guichet_amd64:4"
|
||||||
readonly_rootfs = true
|
readonly_rootfs = true
|
||||||
port_map {
|
port_map {
|
||||||
web_port = 9991
|
web_port = 9991
|
||||||
|
|
40
main.go
40
main.go
|
@ -136,6 +136,8 @@ type LoginStatus struct {
|
||||||
Info *LoginInfo
|
Info *LoginInfo
|
||||||
conn *ldap.Conn
|
conn *ldap.Conn
|
||||||
UserEntry *ldap.Entry
|
UserEntry *ldap.Entry
|
||||||
|
CanAdmin bool
|
||||||
|
CanInvite bool
|
||||||
}
|
}
|
||||||
|
|
||||||
func logRequest(handler http.Handler) http.Handler {
|
func logRequest(handler http.Handler) http.Handler {
|
||||||
|
@ -195,7 +197,7 @@ func checkLogin(w http.ResponseWriter, r *http.Request) *LoginStatus {
|
||||||
}
|
}
|
||||||
|
|
||||||
requestKind := "(objectClass=organizationalPerson)"
|
requestKind := "(objectClass=organizationalPerson)"
|
||||||
if login_info.DN == config.AdminAccount {
|
if strings.EqualFold(login_info.DN, config.AdminAccount) {
|
||||||
requestKind = "(objectclass=*)"
|
requestKind = "(objectclass=*)"
|
||||||
}
|
}
|
||||||
searchRequest := ldap.NewSearchRequest(
|
searchRequest := ldap.NewSearchRequest(
|
||||||
|
@ -218,6 +220,21 @@ func checkLogin(w http.ResponseWriter, r *http.Request) *LoginStatus {
|
||||||
|
|
||||||
loginStatus.UserEntry = sr.Entries[0]
|
loginStatus.UserEntry = sr.Entries[0]
|
||||||
|
|
||||||
|
loginStatus.CanAdmin = strings.EqualFold(loginStatus.Info.DN, config.AdminAccount)
|
||||||
|
loginStatus.CanInvite = false
|
||||||
|
for _, attr := range loginStatus.UserEntry.Attributes {
|
||||||
|
if strings.EqualFold(attr.Name, "memberof") {
|
||||||
|
for _, group := range attr.Values {
|
||||||
|
if config.GroupCanInvite != "" && strings.EqualFold(group, config.GroupCanInvite) {
|
||||||
|
loginStatus.CanInvite = true
|
||||||
|
}
|
||||||
|
if config.GroupCanAdmin != "" && strings.EqualFold(group, config.GroupCanAdmin) {
|
||||||
|
loginStatus.CanAdmin = true
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
return loginStatus
|
return loginStatus
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -244,8 +261,6 @@ func ldapOpen(w http.ResponseWriter) *ldap.Conn {
|
||||||
type HomePageData struct {
|
type HomePageData struct {
|
||||||
Login *LoginStatus
|
Login *LoginStatus
|
||||||
WelcomeName string
|
WelcomeName string
|
||||||
CanAdmin bool
|
|
||||||
CanInvite bool
|
|
||||||
BaseDN string
|
BaseDN string
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -257,25 +272,8 @@ func handleHome(w http.ResponseWriter, r *http.Request) {
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
can_admin := (login.Info.DN == config.AdminAccount)
|
|
||||||
can_invite := false
|
|
||||||
for _, attr := range login.UserEntry.Attributes {
|
|
||||||
if strings.EqualFold(attr.Name, "memberof") {
|
|
||||||
for _, group := range attr.Values {
|
|
||||||
if config.GroupCanInvite != "" && group == config.GroupCanInvite {
|
|
||||||
can_invite = true
|
|
||||||
}
|
|
||||||
if config.GroupCanAdmin != "" && group == config.GroupCanAdmin {
|
|
||||||
can_admin = true
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
data := &HomePageData{
|
data := &HomePageData{
|
||||||
Login: login,
|
Login: login,
|
||||||
CanAdmin: can_admin,
|
|
||||||
CanInvite: can_invite,
|
|
||||||
BaseDN: config.BaseDN,
|
BaseDN: config.BaseDN,
|
||||||
WelcomeName: login.UserEntry.GetAttributeValue("givenname"),
|
WelcomeName: login.UserEntry.GetAttributeValue("givenname"),
|
||||||
}
|
}
|
||||||
|
@ -326,7 +324,7 @@ func handleLogin(w http.ResponseWriter, r *http.Request) *LoginInfo {
|
||||||
username := strings.Join(r.Form["username"], "")
|
username := strings.Join(r.Form["username"], "")
|
||||||
password := strings.Join(r.Form["password"], "")
|
password := strings.Join(r.Form["password"], "")
|
||||||
user_dn := fmt.Sprintf("%s=%s,%s", config.UserNameAttr, username, config.UserBaseDN)
|
user_dn := fmt.Sprintf("%s=%s,%s", config.UserNameAttr, username, config.UserBaseDN)
|
||||||
if username == config.AdminAccount {
|
if strings.EqualFold(username, config.AdminAccount) {
|
||||||
user_dn = username
|
user_dn = username
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -16,13 +16,13 @@
|
||||||
<div class="list-group list-group-flush">
|
<div class="list-group list-group-flush">
|
||||||
<a class="list-group-item list-group-item-action" href="/profile">Modifier mon profil</a>
|
<a class="list-group-item list-group-item-action" href="/profile">Modifier mon profil</a>
|
||||||
<a class="list-group-item list-group-item-action" href="/passwd">Modifier mon mot de passe</a>
|
<a class="list-group-item list-group-item-action" href="/passwd">Modifier mon mot de passe</a>
|
||||||
{{if .CanInvite}}
|
{{if .Login.CanInvite}}
|
||||||
<a class="list-group-item list-group-item-action" href="/invite">Inviter quelqu'un</a>
|
<a class="list-group-item list-group-item-action" href="/invite">Inviter quelqu'un</a>
|
||||||
{{end}}
|
{{end}}
|
||||||
</div>
|
</div>
|
||||||
</div>
|
</div>
|
||||||
|
|
||||||
{{if .CanAdmin}}
|
{{if .Login.CanAdmin}}
|
||||||
<div class="card mt-3">
|
<div class="card mt-3">
|
||||||
<div class="card-header">
|
<div class="card-header">
|
||||||
Administration
|
Administration
|
||||||
|
|
Loading…
Reference in a new issue