Add more secure logic to add/edit users

This commit is contained in:
Andrew 2022-08-20 18:51:35 -04:00
parent cbbb9f9fd2
commit 0672b9378a
5 changed files with 53 additions and 17 deletions


@ -115,6 +115,7 @@ class RolesController:
role_id: t.Union[str, int], role_id: t.Union[str, int],
role_name: t.Optional[str], role_name: t.Optional[str],
servers: t.Optional[t.Iterable[RoleServerJsonType]], servers: t.Optional[t.Iterable[RoleServerJsonType]],
manager: int,
) -> None: ) -> None:
"""Update a role with a name and a list of servers """Update a role with a name and a list of servers
@ -153,6 +154,7 @@ class RolesController:
up_data = { up_data = {
"role_name": role_name, "role_name": role_name,
"last_update": Helpers.get_time_as_string(), "last_update": Helpers.get_time_as_string(),
"manager": manager,
} }
# TODO: do the last_update on the db side # TODO: do the last_update on the db side
HelperRoles.update_role(role_id, up_data) HelperRoles.update_role(role_id, up_data)
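Review bot: The new `manager: int` annotation on `update_role_advanced` does not match what the caller passes: the panel's edit-role path sets `manager = None` when the form field is empty, so the parameter should read `manager: t.Optional[int],` like the neighbouring `role_name` and `servers` parameters. The docstring `"""Update a role with a name and a list of servers` should also gain a line for the new argument, e.g. `manager: user id of the role's manager, or None`. Nothing in this hunk checks that the value refers to an existing user before it is written into `up_data`; if that validation is meant to live in the handler rather than here, a one-line comment saying so would help the next reader. The function's signature starts before the first hunk and its body continues past the second.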


@ -897,7 +897,7 @@ class PanelHandler(BaseHandler):
) )
return return
page_data["roles_all"] = self.controller.roles.get_all_roles() page_data["roles"] = self.controller.roles.get_all_roles()
page_data["servers"] = [] page_data["servers"] = []
page_data["servers_all"] = self.controller.servers.get_all_defined_servers() page_data["servers_all"] = self.controller.servers.get_all_defined_servers()
page_data["role-servers"] = [] page_data["role-servers"] = []
@ -920,6 +920,8 @@ class PanelHandler(BaseHandler):
else: else:
page_data["super-disabled"] = "disabled" page_data["super-disabled"] = "disabled"
page_data["exec_user"] = exec_user["user_id"]
page_data["manager"] = { page_data["manager"] = {
"user_id": -100, "user_id": -100,
"username": "None", "username": "None",
@ -1092,7 +1094,8 @@ class PanelHandler(BaseHandler):
page_data["user"] = self.controller.users.get_user_by_id(user_id) page_data["user"] = self.controller.users.get_user_by_id(user_id)
page_data["servers"] = set() page_data["servers"] = set()
page_data["role-servers"] = page_role_servers page_data["role-servers"] = page_role_servers
page_data["roles_all"] = self.controller.roles.get_all_roles() page_data["roles"] = self.controller.roles.get_all_roles()
page_data["exec_user"] = exec_user["user_id"]
page_data["servers_all"] = self.controller.servers.get_all_defined_servers() page_data["servers_all"] = self.controller.servers.get_all_defined_servers()
page_data["superuser"] = superuser page_data["superuser"] = superuser
if page_data["user"]["manager"] is not None: if page_data["user"]["manager"] is not None:
@ -1274,17 +1277,14 @@ class PanelHandler(BaseHandler):
user_roles = self.get_user_roles() user_roles = self.get_user_roles()
page_data["new_role"] = False page_data["new_role"] = False
role_id = self.get_argument("id", None) role_id = self.get_argument("id", None)
role = self.controller.roles.get_role(role_id)
page_data["role"] = self.controller.roles.get_role_with_servers(role_id) page_data["role"] = self.controller.roles.get_role_with_servers(role_id)
if exec_user["superuser"]: if exec_user["superuser"]:
defined_servers = self.controller.servers.list_defined_servers() defined_servers = self.controller.servers.list_defined_servers()
manager = self.get_argument("manager", None)
if manager == "":
manager = None
else: else:
defined_servers = self.controller.servers.get_authorized_servers( defined_servers = self.controller.servers.get_authorized_servers(
exec_user["user_id"] exec_user["user_id"]
) )
manager = exec_user["user_id"]
page_servers = [] page_servers = []
for server in defined_servers: for server in defined_servers:
if server not in page_servers: if server not in page_servers:
@ -1311,7 +1311,11 @@ class PanelHandler(BaseHandler):
"username": "None", "username": "None",
} }
if EnumPermissionsCrafty.ROLES_CONFIG not in exec_user_crafty_permissions: if (
EnumPermissionsCrafty.ROLES_CONFIG not in exec_user_crafty_permissions
and exec_user["user_id"] != role["manager"]
and not exec_user["superuser"]
):
self.redirect( self.redirect(
"/panel/error?error=Unauthorized access: not a role editor" "/panel/error?error=Unauthorized access: not a role editor"
) )
@ -1996,6 +2000,7 @@ class PanelHandler(BaseHandler):
"system user is not editable" "system user is not editable"
) )
user_id = bleach.clean(self.get_argument("id", None)) user_id = bleach.clean(self.get_argument("id", None))
user = self.controller.users.get_user_by_id(user_id)
username = bleach.clean(self.get_argument("username", None).lower()) username = bleach.clean(self.get_argument("username", None).lower())
if ( if (
username != self.controller.users.get_user_by_id(user_id)["username"] username != self.controller.users.get_user_by_id(user_id)["username"]
@ -2034,8 +2039,10 @@ class PanelHandler(BaseHandler):
manager = None manager = None
else: else:
manager = int(manager) manager = int(manager)
else:
manager = user["manager"]
if not exec_user["superuser"]: if not exec_user["superuser"] and exec_user["user_id"] != user["user_id"]:
if username is None or username == "": if username is None or username == "":
self.redirect("/panel/error?error=Invalid username") self.redirect("/panel/error?error=Invalid username")
return return
@ -2288,7 +2295,13 @@ class PanelHandler(BaseHandler):
role_id = bleach.clean(self.get_argument("id", None)) role_id = bleach.clean(self.get_argument("id", None))
role_name = bleach.clean(self.get_argument("role_name", None)) role_name = bleach.clean(self.get_argument("role_name", None))
if EnumPermissionsCrafty.ROLES_CONFIG not in exec_user_crafty_permissions: role = self.controller.roles.get_role(role_id)
if (
EnumPermissionsCrafty.ROLES_CONFIG not in exec_user_crafty_permissions
and exec_user["user_id"] != role["manager"]
and not exec_user["superuser"]
):
self.redirect( self.redirect(
"/panel/error?error=Unauthorized access: not a role editor" "/panel/error?error=Unauthorized access: not a role editor"
) )
@ -2304,9 +2317,18 @@ class PanelHandler(BaseHandler):
self.redirect("/panel/error?error=Invalid Role ID") self.redirect("/panel/error?error=Invalid Role ID")
return return
if exec_user["superuser"]:
manager = self.get_argument("manager", None)
if manager == "":
manager = None
else:
manager = role["manager"]
servers = self.get_role_servers() servers = self.get_role_servers()
self.controller.roles.update_role_advanced(role_id, role_name, servers) self.controller.roles.update_role_advanced(
role_id, role_name, servers, manager
)
self.controller.management.add_to_audit_log( self.controller.management.add_to_audit_log(
exec_user["user_id"], exec_user["user_id"],
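Review bot: In the edit-role hunk the `manager = self.get_argument("manager", None)` value is handed straight to `update_role_advanced` without being converted, and the add-role hunk does the same, while the edit-user path in this commit does `manager = int(manager)`; a non-numeric submission reaches the controller whose new parameter is annotated `int`. Suggest mirroring the user path: `manager = int(manager) if manager else None` inside a `try`, redirecting to the existing error page on `ValueError`. Separately, `role = self.controller.roles.get_role(role_id)` now runs before the `Invalid Role ID` redirect, so `role["manager"]` in the new authorization condition would raise instead of redirecting if `get_role` returns None for an unknown id — I can't see `get_role` here, so worth confirming, and moving the fetch below that check avoids the question. In the edit-user hunk, `user` is now fetched once, so the later `self.controller.users.get_user_by_id(user_id)["username"]` can simply read `user["username"]`. All of the enclosing handler methods start and end outside these hunks.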


@ -1,6 +1,7 @@
import json import json
import logging import logging
import os import os
import time
import tornado.web import tornado.web
import tornado.escape import tornado.escape
import bleach import bleach
@ -230,9 +231,15 @@ class ServerHandler(BaseHandler):
exec_user["user_id"] exec_user["user_id"]
) )
): ):
self.redirect( time.sleep(3)
"/panel/error?error=Unauthorized access: " self.helper.websocket_helper.broadcast_user(
"not a server creator or server limit reached" exec_user["user_id"],
"send_start_error",
{
"error": "<i class='fas fa-exclamation-triangle'"
" style='font-size:48px;color:red'>"
"</i> Not a server creator or server limit reached."
},
) )
return return
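Review bot: `time.sleep(3)` on the rejection path blocks the calling thread, and in a Tornado request handler that is the IOLoop thread, so every other request to the panel stalls for three seconds each time a logged-in user who is not a server creator (or is at their limit) submits this form — a cheap way for an ordinary account to degrade the whole service. If the pause is meant to let the page's websocket attach before the error is broadcast, use the loop-friendly `await tornado.gen.sleep(3)` (the handler must then be a coroutine; its definition is outside the hunk so I can't confirm that) or drop the delay and broadcast immediately. A one-line comment stating why any delay is needed at all would also help, since the removed redirect carried no such wait. The method continues past the end of the hunk.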


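--- a/<unknown-template-path>
+++ b/<unknown-template-path>
@@ -893,9 +893,6 @@
 message: '<div align="center"><i class="fas fa-spin fa-spinner"></i> &nbsp; {% raw translate("dashboard", "bePatientClone", data["lang"]) %} </div>',
 closeButton: false,
 });
-setTimeout(function () {
-location.reload();
-}, 5000)
 }
 </script>
 <script src="/static/assets/vendors/js/jquery-ui.js"></script>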


@ -162,21 +162,29 @@ data['lang']) }}{% end %}
</tr> </tr>
</thead> </thead>
<tbody> <tbody>
{% for role in data['roles_all'] %} {% for role in data['roles'] %}
<tr> <tr>
{% if data['superuser'] or role.role_id in data['user']['roles'] or role.manager == data['exec_user'] %}
<td>{{ role.role_name }}</td> <td>{{ role.role_name }}</td>
<td> <td>
{% if role.role_id in data['user']['roles'] %} {% if role.role_id in data['user']['roles'] %}
{% if role.manager == data['exec_user'] or data['superuser'] %}
<input type="checkbox" class="form-check-input" <input type="checkbox" class="form-check-input"
id="role_{{ role.role_id }}_membership" name="role_{{ role.role_id }}_membership" id="role_{{ role.role_id }}_membership" name="role_{{ role.role_id }}_membership"
checked="" value="1"> checked="" value="1">
{% else %} {% else %}
<input type="checkbox" class="form-check-input"
id="role_{{ role.role_id }}_membership" name="role_{{ role.role_id }}_membership"
checked="" value="1" disabled>
{% end %}
{% elif data['superuser'] or role.manager == data['exec_user'] %}
<input type="checkbox" class="form-check-input" <input type="checkbox" class="form-check-input"
id="role_{{ role.role_id }}_membership" name="role_{{ role.role_id }}_membership" id="role_{{ role.role_id }}_membership" name="role_{{ role.role_id }}_membership"
value="1"> value="1">
{% end %} {% end %}
</td> </td>
{% end %}
</tr> </tr>
{% end %} {% end %}
</tbody> </tbody>
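Review bot: The `disabled` checkbox added for memberships the editor does not manage is not submitted with the form (browsers omit disabled controls), so whatever server code reads `role_{{ role.role_id }}_membership` must treat a missing field as "unchanged" rather than "removed", or saving any user would silently strip them from roles outside the editor's scope; that handler is not in this diff, so it is worth confirming. The row filter `{% if data['superuser'] or role.role_id in data['user']['roles'] or role.manager == data['exec_user'] %}` is presentation only, so the same superuser-or-manager test has to be enforced where the posted fields are applied. A template comment above the disabled input, e.g. `{# disabled inputs are not posted: the save handler must not infer removal from absence #}`, would make that contract explicit to the next maintainer.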