Add more secure logic to add/edit users
This commit is contained in:
parent
cbbb9f9fd2
commit
0672b9378a
@ -115,6 +115,7 @@ class RolesController:
|
||||
role_id: t.Union[str, int],
|
||||
role_name: t.Optional[str],
|
||||
servers: t.Optional[t.Iterable[RoleServerJsonType]],
|
||||
manager: int,
|
||||
) -> None:
|
||||
"""Update a role with a name and a list of servers
|
||||
|
||||
@ -153,6 +154,7 @@ class RolesController:
|
||||
up_data = {
|
||||
"role_name": role_name,
|
||||
"last_update": Helpers.get_time_as_string(),
|
||||
"manager": manager,
|
||||
}
|
||||
# TODO: do the last_update on the db side
|
||||
HelperRoles.update_role(role_id, up_data)
|
||||
|
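Review bot: The new `manager` parameter of update_role_advanced is annotated `manager: int`, but the PanelHandler hunks in this same commit pass `None` when the form field is empty (`manager = None` under `if manager == ""`), so the annotation should be `manager: t.Optional[int]`, matching the other optional parameters on the signature. The docstring still says `"""Update a role with a name and a list of servers` and should mention the new field, e.g. `"""Update a role with a name, a list of servers and a manager`. The signature begins before the hunk, and nothing visible here validates that the value refers to an existing user, so that remains the caller's responsibility.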
@ -897,7 +897,7 @@ class PanelHandler(BaseHandler):
|
||||
)
|
||||
return
|
||||
|
||||
page_data["roles_all"] = self.controller.roles.get_all_roles()
|
||||
page_data["roles"] = self.controller.roles.get_all_roles()
|
||||
page_data["servers"] = []
|
||||
page_data["servers_all"] = self.controller.servers.get_all_defined_servers()
|
||||
page_data["role-servers"] = []
|
||||
@ -920,6 +920,8 @@ class PanelHandler(BaseHandler):
|
||||
else:
|
||||
page_data["super-disabled"] = "disabled"
|
||||
|
||||
page_data["exec_user"] = exec_user["user_id"]
|
||||
|
||||
page_data["manager"] = {
|
||||
"user_id": -100,
|
||||
"username": "None",
|
||||
@ -1092,7 +1094,8 @@ class PanelHandler(BaseHandler):
|
||||
page_data["user"] = self.controller.users.get_user_by_id(user_id)
|
||||
page_data["servers"] = set()
|
||||
page_data["role-servers"] = page_role_servers
|
||||
page_data["roles_all"] = self.controller.roles.get_all_roles()
|
||||
page_data["roles"] = self.controller.roles.get_all_roles()
|
||||
page_data["exec_user"] = exec_user["user_id"]
|
||||
page_data["servers_all"] = self.controller.servers.get_all_defined_servers()
|
||||
page_data["superuser"] = superuser
|
||||
if page_data["user"]["manager"] is not None:
|
||||
@ -1274,17 +1277,14 @@ class PanelHandler(BaseHandler):
|
||||
user_roles = self.get_user_roles()
|
||||
page_data["new_role"] = False
|
||||
role_id = self.get_argument("id", None)
|
||||
role = self.controller.roles.get_role(role_id)
|
||||
page_data["role"] = self.controller.roles.get_role_with_servers(role_id)
|
||||
if exec_user["superuser"]:
|
||||
defined_servers = self.controller.servers.list_defined_servers()
|
||||
manager = self.get_argument("manager", None)
|
||||
if manager == "":
|
||||
manager = None
|
||||
else:
|
||||
defined_servers = self.controller.servers.get_authorized_servers(
|
||||
exec_user["user_id"]
|
||||
)
|
||||
manager = exec_user["user_id"]
|
||||
page_servers = []
|
||||
for server in defined_servers:
|
||||
if server not in page_servers:
|
||||
@ -1311,7 +1311,11 @@ class PanelHandler(BaseHandler):
|
||||
"username": "None",
|
||||
}
|
||||
|
||||
if EnumPermissionsCrafty.ROLES_CONFIG not in exec_user_crafty_permissions:
|
||||
if (
|
||||
EnumPermissionsCrafty.ROLES_CONFIG not in exec_user_crafty_permissions
|
||||
and exec_user["user_id"] != role["manager"]
|
||||
and not exec_user["superuser"]
|
||||
):
|
||||
self.redirect(
|
||||
"/panel/error?error=Unauthorized access: not a role editor"
|
||||
)
|
||||
@ -1996,6 +2000,7 @@ class PanelHandler(BaseHandler):
|
||||
"system user is not editable"
|
||||
)
|
||||
user_id = bleach.clean(self.get_argument("id", None))
|
||||
user = self.controller.users.get_user_by_id(user_id)
|
||||
username = bleach.clean(self.get_argument("username", None).lower())
|
||||
if (
|
||||
username != self.controller.users.get_user_by_id(user_id)["username"]
|
||||
@ -2034,8 +2039,10 @@ class PanelHandler(BaseHandler):
|
||||
manager = None
|
||||
else:
|
||||
manager = int(manager)
|
||||
else:
|
||||
manager = user["manager"]
|
||||
|
||||
if not exec_user["superuser"]:
|
||||
if not exec_user["superuser"] and exec_user["user_id"] != user["user_id"]:
|
||||
if username is None or username == "":
|
||||
self.redirect("/panel/error?error=Invalid username")
|
||||
return
|
||||
@ -2288,7 +2295,13 @@ class PanelHandler(BaseHandler):
|
||||
role_id = bleach.clean(self.get_argument("id", None))
|
||||
role_name = bleach.clean(self.get_argument("role_name", None))
|
||||
|
||||
if EnumPermissionsCrafty.ROLES_CONFIG not in exec_user_crafty_permissions:
|
||||
role = self.controller.roles.get_role(role_id)
|
||||
|
||||
if (
|
||||
EnumPermissionsCrafty.ROLES_CONFIG not in exec_user_crafty_permissions
|
||||
and exec_user["user_id"] != role["manager"]
|
||||
and not exec_user["superuser"]
|
||||
):
|
||||
self.redirect(
|
||||
"/panel/error?error=Unauthorized access: not a role editor"
|
||||
)
|
||||
@ -2304,9 +2317,18 @@ class PanelHandler(BaseHandler):
|
||||
self.redirect("/panel/error?error=Invalid Role ID")
|
||||
return
|
||||
|
||||
if exec_user["superuser"]:
|
||||
manager = self.get_argument("manager", None)
|
||||
if manager == "":
|
||||
manager = None
|
||||
else:
|
||||
manager = role["manager"]
|
||||
|
||||
servers = self.get_role_servers()
|
||||
|
||||
self.controller.roles.update_role_advanced(role_id, role_name, servers)
|
||||
self.controller.roles.update_role_advanced(
|
||||
role_id, role_name, servers, manager
|
||||
)
|
||||
|
||||
self.controller.management.add_to_audit_log(
|
||||
exec_user["user_id"],
|
||||
|
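Review bot: In the update-role POST hunk the superuser branch stores `manager = self.get_argument("manager", None)` as the raw request string, whereas the edit-user path in this commit converts it with `manager = int(manager)`; the raw value then reaches update_role_advanced, whose new parameter is declared `manager: int`, and is written into the role row unchecked. Mirror the user path with `else: manager = int(manager)` inside the `if manager == ""` block, and treat a `ValueError` (or an id that does not resolve through `self.controller.users.get_user_by_id`) as invalid input rather than letting it propagate. Separately, in both the role-edit GET and POST hunks the new authorization condition indexes `role["manager"]` before the `Invalid Role ID` redirect that follows; if get_role returns None for an unknown id this raises before that check is reached, so the None check should move ahead of the condition. The enclosing handler methods start and end outside the hunks.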
@ -1,6 +1,7 @@
|
||||
import json
|
||||
import logging
|
||||
import os
|
||||
import time
|
||||
import tornado.web
|
||||
import tornado.escape
|
||||
import bleach
|
||||
@ -230,9 +231,15 @@ class ServerHandler(BaseHandler):
|
||||
exec_user["user_id"]
|
||||
)
|
||||
):
|
||||
self.redirect(
|
||||
"/panel/error?error=Unauthorized access: "
|
||||
"not a server creator or server limit reached"
|
||||
time.sleep(3)
|
||||
self.helper.websocket_helper.broadcast_user(
|
||||
exec_user["user_id"],
|
||||
"send_start_error",
|
||||
{
|
||||
"error": "<i class='fas fa-exclamation-triangle'"
|
||||
" style='font-size:48px;color:red'>"
|
||||
"</i> Not a server creator or server limit reached."
|
||||
},
|
||||
)
|
||||
return
|
||||
|
||||
|
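Review bot: `time.sleep(3)` in the ServerHandler hunk is a blocking call inside a Tornado request handler; while it sleeps the IOLoop serves nothing else, so every concurrent panel request stalls for the same three seconds whenever this branch is hit. If the handler method is a coroutine use `await asyncio.sleep(3)` instead; if it is synchronous, schedule the broadcast with `tornado.ioloop.IOLoop.current().call_later(3, self.helper.websocket_helper.broadcast_user, ...)` and return immediately. The surrounding method begins outside the hunk, so which of the two applies is not visible here; the `import time` added in this file's first hunk exists only for the sleep and would go with it.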
@ -893,9 +893,6 @@
|
||||
message: '<div align="center"><i class="fas fa-spin fa-spinner"></i> {% raw translate("dashboard", "bePatientClone", data["lang"]) %} </div>',
|
||||
closeButton: false,
|
||||
});
|
||||
setTimeout(function () {
|
||||
location.reload();
|
||||
}, 5000)
|
||||
}
|
||||
</script>
|
||||
<script src="/static/assets/vendors/js/jquery-ui.js"></script>
|
||||
|
@ -162,21 +162,29 @@ data['lang']) }}{% end %}
|
||||
</tr>
|
||||
</thead>
|
||||
<tbody>
|
||||
{% for role in data['roles_all'] %}
|
||||
{% for role in data['roles'] %}
|
||||
<tr>
|
||||
{% if data['superuser'] or role.role_id in data['user']['roles'] or role.manager == data['exec_user'] %}
|
||||
<td>{{ role.role_name }}</td>
|
||||
<td>
|
||||
{% if role.role_id in data['user']['roles'] %}
|
||||
{% if role.manager == data['exec_user'] or data['superuser'] %}
|
||||
<input type="checkbox" class="form-check-input"
|
||||
id="role_{{ role.role_id }}_membership" name="role_{{ role.role_id }}_membership"
|
||||
checked="" value="1">
|
||||
{% else %}
|
||||
<input type="checkbox" class="form-check-input"
|
||||
id="role_{{ role.role_id }}_membership" name="role_{{ role.role_id }}_membership"
|
||||
checked="" value="1" disabled>
|
||||
{% end %}
|
||||
{% elif data['superuser'] or role.manager == data['exec_user'] %}
|
||||
<input type="checkbox" class="form-check-input"
|
||||
id="role_{{ role.role_id }}_membership" name="role_{{ role.role_id }}_membership"
|
||||
value="1">
|
||||
{% end %}
|
||||
|
||||
</td>
|
||||
{% end %}
|
||||
</tr>
|
||||
{% end %}
|
||||
</tbody>
|
||||
|
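Review bot: The `{% if data['superuser'] or role.role_id in data['user']['roles'] or role.manager == data['exec_user'] %}` guard sits inside `<tr>`, so roles the viewer may not see still render as empty `<tr></tr>` rows; moving the guard to wrap the `<tr>` ... `</tr>` pair keeps the table clean. The `disabled` attribute on the membership checkbox for roles the requester does not manage is a client-side hint only; the edit-user POST handler must reject `role_*_membership` changes for those roles itself, and that handler is not in this diff. The switch from `data['roles_all']` to `data['roles']` appears cosmetic, since the PanelHandler hunks assign `get_all_roles()` to both keys.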