Add user_is_protected() method to core View class

also, don't allow "protected" users to change their own password
Lance Edgar 2020-09-23 16:28:54 -05:00
parent 77fa2a78d4
commit 746db72046
3 changed files with 19 additions and 19 deletions


@ -172,6 +172,10 @@ class AuthenticationView(View):
if not self.request.user:
return self.redirect(self.request.route_url('home'))
if self.user_is_protected(self.request.user):
self.request.session.flash("Cannot change password for user: {}".format(self.request.user))
return self.redirect(self.request.get_referrer())
use_buefy = self.get_use_buefy()
schema = ChangePassword().bind(user=self.request.user)
form = forms.Form(schema=schema, request=self.request, use_buefy=use_buefy)
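Review bot: The new guard's flash message interpolates the whole `self.request.user` object, while user_is_protected matches on `user.username`, so the text shown can differ from the value that actually triggered the refusal; naming the username and routing the message to an error queue would make the refusal explicit, e.g. `self.request.session.flash("Cannot change password for user: {}".format(self.request.user.username), 'error')` (Pyramid's session.flash takes the queue name as its second argument; confirm the template renders that queue). The guard sits before the form is built, so it appears to cover both the GET and the POST path, which is the right place for it. The enclosing view method begins and ends outside this hunk, so the return path after the form is submitted was not reviewed.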


@ -42,7 +42,7 @@ from tailbone.db import Session
from tailbone.auth import logout_user
from tailbone.progress import SessionProgress
from tailbone.util import should_use_buefy
from tailbone.config import legacy_mobile_enabled
from tailbone.config import legacy_mobile_enabled, protected_usernames
class View(object):
@ -110,6 +110,20 @@ class View(object):
if uuid:
return Session.query(model.User).get(uuid)
def user_is_protected(self, user):
"""
This logic will consult the settings for a list of "protected"
usernames, which should require root privileges to edit. If the given
``user`` object is represented in this list, it is considered to be
protected and this method will return ``True``; otherwise it returns
``False``.
"""
if not hasattr(self, 'protected_usernames'):
self.protected_usernames = protected_usernames(self.rattail_config)
if self.protected_usernames and user.username in self.protected_usernames:
return True
return False
def redirect(self, url, **kwargs):
"""
Convenience method to return a HTTP 302 response.
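Review bot: In user_is_protected the per-instance cache attribute `self.protected_usernames` shares its name with the module-level `protected_usernames` function imported in the first hunk, which makes the body read as if the function were called twice and means any subclass or mixin that happens to define an attribute of that name will satisfy the `hasattr` check and silently skip the config lookup. A private cache name avoids both problems and the two-branch return collapses into one expression: `if not hasattr(self, '_protected_usernames'):` / `self._protected_usernames = protected_usernames(self.rattail_config)` / `return bool(self._protected_usernames) and user.username in self._protected_usernames`. The docstring says protected users "should require root privileges to edit", but this method only answers whether the user is on the list; the root check is left to callers such as UsersView.editable in the third file, and a sentence saying so (e.g. "Callers decide what privilege is required; this only reports list membership.") would prevent the method from being mistaken for an authorization check. Matching is an exact string comparison on `user.username`; if usernames are normalised elsewhere (case, whitespace), the config entries need the same normalisation — worth confirming.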


@ -42,7 +42,6 @@ from tailbone import forms
from tailbone.db import Session
from tailbone.views import MasterView
from tailbone.views.principal import PrincipalMasterView, PermissionsRenderer
from tailbone.config import protected_usernames
class UsersView(PrincipalMasterView):
@ -154,23 +153,6 @@ class UsersView(PrincipalMasterView):
return True
return not self.user_is_protected(user)
def user_is_protected(self, user):
"""
This logic will consult the settings, for a list of "protected"
usernames, which should require root privileges to edit. If no setting
is found, or the given ``user`` is not represented in the setting, then
edit is allowed.
But if there is a setting, and the ``user`` is represented in it, then
this method will return ``True`` only if the "current" app user is
"root", otherwise will return ``False``.
"""
if not hasattr(self, 'protected_usernames'):
self.protected_usernames = protected_usernames(self.rattail_config)
if self.protected_usernames and user.username in self.protected_usernames:
return True
return False
def unique_username(self, node, value):
query = self.Session.query(model.User)\
.filter(model.User.username == value)