Refactor is_admin check

This commit is contained in:
Alex 2020-02-12 00:13:24 +01:00
parent 7ca56ba8df
commit 3fbbe61a46
4 changed files with 24 additions and 38 deletions


@ -18,20 +18,8 @@ func checkAdminLogin(w http.ResponseWriter, r *http.Request) *LoginStatus {
return nil return nil
} }
can_admin := (login.Info.DN == config.AdminAccount) if !login.CanAdmin {
fmt.Printf("%#v", login.UserEntry) http.Error(w, "Not authorized to perform administrative operations.", http.StatusUnauthorized)
for _, attr := range login.UserEntry.Attributes {
if strings.EqualFold(attr.Name, "memberof") {
for _, group := range attr.Values {
if config.GroupCanAdmin != "" && group == config.GroupCanAdmin {
can_admin = true
}
}
}
}
if !can_admin {
http.Redirect(w, r, "/", http.StatusFound)
return nil return nil
} }
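Review bot: The new guard in checkAdminLogin rejects a logged-in user who lacks admin rights with http.StatusUnauthorized, but 401 denotes a request that was not authenticated at all and is expected to carry a WWW-Authenticate challenge; what the code detects here is an authenticated identity without permission, which is http.StatusForbidden. I would change the line to `http.Error(w, "Not authorized to perform administrative operations.", http.StatusForbidden)`. The removed lines show the old code answered the same case with a redirect to "/", so anything that relied on that redirect now receives an error page instead; if that is intended, a sentence in the commit message would help. checkAdminLogin's body begins before the hunk.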


@ -12,7 +12,7 @@ job "guichet" {
task "server" { task "server" {
driver = "docker" driver = "docker"
config { config {
image = "lxpz/guichet_amd64:3" image = "lxpz/guichet_amd64:4"
readonly_rootfs = true readonly_rootfs = true
port_map { port_map {
web_port = 9991 web_port = 9991

40
main.go

@ -136,6 +136,8 @@ type LoginStatus struct {
Info *LoginInfo Info *LoginInfo
conn *ldap.Conn conn *ldap.Conn
UserEntry *ldap.Entry UserEntry *ldap.Entry
CanAdmin bool
CanInvite bool
} }
func logRequest(handler http.Handler) http.Handler { func logRequest(handler http.Handler) http.Handler {
@ -195,7 +197,7 @@ func checkLogin(w http.ResponseWriter, r *http.Request) *LoginStatus {
} }
requestKind := "(objectClass=organizationalPerson)" requestKind := "(objectClass=organizationalPerson)"
if login_info.DN == config.AdminAccount { if strings.EqualFold(login_info.DN, config.AdminAccount) {
requestKind = "(objectclass=*)" requestKind = "(objectclass=*)"
} }
searchRequest := ldap.NewSearchRequest( searchRequest := ldap.NewSearchRequest(
@ -218,6 +220,21 @@ func checkLogin(w http.ResponseWriter, r *http.Request) *LoginStatus {
loginStatus.UserEntry = sr.Entries[0] loginStatus.UserEntry = sr.Entries[0]
loginStatus.CanAdmin = strings.EqualFold(loginStatus.Info.DN, config.AdminAccount)
loginStatus.CanInvite = false
for _, attr := range loginStatus.UserEntry.Attributes {
if strings.EqualFold(attr.Name, "memberof") {
for _, group := range attr.Values {
if config.GroupCanInvite != "" && strings.EqualFold(group, config.GroupCanInvite) {
loginStatus.CanInvite = true
}
if config.GroupCanAdmin != "" && strings.EqualFold(group, config.GroupCanAdmin) {
loginStatus.CanAdmin = true
}
}
}
}
return loginStatus return loginStatus
} }
@ -244,8 +261,6 @@ func ldapOpen(w http.ResponseWriter) *ldap.Conn {
type HomePageData struct { type HomePageData struct {
Login *LoginStatus Login *LoginStatus
WelcomeName string WelcomeName string
CanAdmin bool
CanInvite bool
BaseDN string BaseDN string
} }
@ -257,25 +272,8 @@ func handleHome(w http.ResponseWriter, r *http.Request) {
return return
} }
can_admin := (login.Info.DN == config.AdminAccount)
can_invite := false
for _, attr := range login.UserEntry.Attributes {
if strings.EqualFold(attr.Name, "memberof") {
for _, group := range attr.Values {
if config.GroupCanInvite != "" && group == config.GroupCanInvite {
can_invite = true
}
if config.GroupCanAdmin != "" && group == config.GroupCanAdmin {
can_admin = true
}
}
}
}
data := &HomePageData{ data := &HomePageData{
Login: login, Login: login,
CanAdmin: can_admin,
CanInvite: can_invite,
BaseDN: config.BaseDN, BaseDN: config.BaseDN,
WelcomeName: login.UserEntry.GetAttributeValue("givenname"), WelcomeName: login.UserEntry.GetAttributeValue("givenname"),
} }
@ -326,7 +324,7 @@ func handleLogin(w http.ResponseWriter, r *http.Request) *LoginInfo {
username := strings.Join(r.Form["username"], "") username := strings.Join(r.Form["username"], "")
password := strings.Join(r.Form["password"], "") password := strings.Join(r.Form["password"], "")
user_dn := fmt.Sprintf("%s=%s,%s", config.UserNameAttr, username, config.UserBaseDN) user_dn := fmt.Sprintf("%s=%s,%s", config.UserNameAttr, username, config.UserBaseDN)
if username == config.AdminAccount { if strings.EqualFold(username, config.AdminAccount) {
user_dn = username user_dn = username
} }
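Review bot: The new exported fields CanAdmin and CanInvite in the LoginStatus hunk have no doc comment, although they are now the single source of truth for the template's `.Login.CanAdmin` / `.Login.CanInvite` checks and for checkAdminLogin. I would add `// CanAdmin is true when the bound DN equals config.AdminAccount (case-insensitively) or the entry's memberOf lists config.GroupCanAdmin.` above the first and `// CanInvite is true when the entry's memberOf lists config.GroupCanInvite.` above the second. In the checkLogin hunk, strings.EqualFold is only a case fold, not DN normalization, so a memberOf value that differs from the configured group DN in spacing or escaping is still treated as non-member; that fails closed, but a short comment on the loop saying the configured group DNs must match the directory's form would save the next reader a debugging session. The `loginStatus.CanInvite = false` assignment restates the field's zero value and can be dropped.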


@ -16,13 +16,13 @@
<div class="list-group list-group-flush"> <div class="list-group list-group-flush">
<a class="list-group-item list-group-item-action" href="/profile">Modifier mon profil</a> <a class="list-group-item list-group-item-action" href="/profile">Modifier mon profil</a>
<a class="list-group-item list-group-item-action" href="/passwd">Modifier mon mot de passe</a> <a class="list-group-item list-group-item-action" href="/passwd">Modifier mon mot de passe</a>
{{if .CanInvite}} {{if .Login.CanInvite}}
<a class="list-group-item list-group-item-action" href="/invite">Inviter quelqu'un</a> <a class="list-group-item list-group-item-action" href="/invite">Inviter quelqu'un</a>
{{end}} {{end}}
</div> </div>
</div> </div>
{{if .CanAdmin}} {{if .Login.CanAdmin}}
<div class="card mt-3"> <div class="card mt-3">
<div class="card-header"> <div class="card-header">
Administration Administration