Add user_is_protected() method to core View class

also, don't allow "protected" users to change their own password
Lance Edgar 2020-09-23 16:28:54 -05:00
parent 77fa2a78d4
commit 746db72046
3 changed files with 19 additions and 19 deletions


@ -172,6 +172,10 @@ class AuthenticationView(View):
if not self.request.user: if not self.request.user:
return self.redirect(self.request.route_url('home')) return self.redirect(self.request.route_url('home'))
if self.user_is_protected(self.request.user):
self.request.session.flash("Cannot change password for user: {}".format(self.request.user))
return self.redirect(self.request.get_referrer())
use_buefy = self.get_use_buefy() use_buefy = self.get_use_buefy()
schema = ChangePassword().bind(user=self.request.user) schema = ChangePassword().bind(user=self.request.user)
form = forms.Form(schema=schema, request=self.request, use_buefy=use_buefy) form = forms.Form(schema=schema, request=self.request, use_buefy=use_buefy)
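Review bot: The new protected-user bail-out redirects to `self.request.get_referrer()`, which depends on the Referer header; if that header is missing or points back at the change-password page itself, the redirect lands somewhere unhelpful or loops, whereas the guard two lines above uses the fixed `self.request.route_url('home')`. Unless `get_referrer()` is known to fall back safely, I would use the same fixed route here: `return self.redirect(self.request.route_url('home'))`. The flash message carries no severity; if the app distinguishes flash queues, flashing it as an error would surface the refusal more clearly. The enclosing view method starts and ends outside the hunk.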


@ -42,7 +42,7 @@ from tailbone.db import Session
from tailbone.auth import logout_user from tailbone.auth import logout_user
from tailbone.progress import SessionProgress from tailbone.progress import SessionProgress
from tailbone.util import should_use_buefy from tailbone.util import should_use_buefy
from tailbone.config import legacy_mobile_enabled from tailbone.config import legacy_mobile_enabled, protected_usernames
class View(object): class View(object):
@ -110,6 +110,20 @@ class View(object):
if uuid: if uuid:
return Session.query(model.User).get(uuid) return Session.query(model.User).get(uuid)
def user_is_protected(self, user):
"""
This logic will consult the settings for a list of "protected"
usernames, which should require root privileges to edit. If the given
``user`` object is represented in this list, it is considered to be
protected and this method will return ``True``; otherwise it returns
``False``.
"""
if not hasattr(self, 'protected_usernames'):
self.protected_usernames = protected_usernames(self.rattail_config)
if self.protected_usernames and user.username in self.protected_usernames:
return True
return False
def redirect(self, url, **kwargs): def redirect(self, url, **kwargs):
""" """
Convenience method to return a HTTP 302 response. Convenience method to return a HTTP 302 response.
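Review bot: The docstring of `user_is_protected()` says protected usernames "should require root privileges to edit", but the method makes no check of the current user's privileges — it only reports membership in the configured list, and the root override lives in the caller (the `return True` / `return not self.user_is_protected(user)` pair visible in the UsersView hunk). I would state that explicitly so callers do not assume root is already handled: `Note: this only reports membership; callers decide whether the current (e.g. root) user may override.` The method also dereferences `user.username` unconditionally, so passing `None` raises AttributeError; the `AuthenticationView` caller guards for that, but a docstring line `\`\`user\`\` must not be \`\`None\`\`` would make the contract visible. If `protected_usernames()` can return a plain string rather than a list, the `in` test would do substring matching rather than exact-name matching — worth confirming against `tailbone.config`.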


@ -42,7 +42,6 @@ from tailbone import forms
from tailbone.db import Session from tailbone.db import Session
from tailbone.views import MasterView from tailbone.views import MasterView
from tailbone.views.principal import PrincipalMasterView, PermissionsRenderer from tailbone.views.principal import PrincipalMasterView, PermissionsRenderer
from tailbone.config import protected_usernames
class UsersView(PrincipalMasterView): class UsersView(PrincipalMasterView):
@ -154,23 +153,6 @@ class UsersView(PrincipalMasterView):
return True return True
return not self.user_is_protected(user) return not self.user_is_protected(user)
def user_is_protected(self, user):
"""
This logic will consult the settings, for a list of "protected"
usernames, which should require root privileges to edit. If no setting
is found, or the given ``user`` is not represented in the setting, then
edit is allowed.
But if there is a setting, and the ``user`` is represented in it, then
this method will return ``True`` only if the "current" app user is
"root", otherwise will return ``False``.
"""
if not hasattr(self, 'protected_usernames'):
self.protected_usernames = protected_usernames(self.rattail_config)
if self.protected_usernames and user.username in self.protected_usernames:
return True
return False
def unique_username(self, node, value): def unique_username(self, node, value):
query = self.Session.query(model.User)\ query = self.Session.query(model.User)\
.filter(model.User.username == value) .filter(model.User.username == value)