From 2cb93d1d3b146b60e8eaeabca1a9c278f71bbd85 Mon Sep 17 00:00:00 2001 From: Simon Pirkelmann Date: Wed, 7 Apr 2021 16:15:39 +0200 Subject: [PATCH] Distinguish between normal users and admin users. Normal user can only lock and unlock the door. Admin users can register new tokens. Also added option to grant and revoke admin permissions for super-Admins. --- .../templates/admins.html | 21 +++- imaginaerraum_door_admin/templates/base.html | 2 +- .../{delete_admin.html => delete_user.html} | 4 +- imaginaerraum_door_admin/webapp.py | 96 +++++++++++++------ 4 files changed, 87 insertions(+), 36 deletions(-) rename imaginaerraum_door_admin/templates/{delete_admin.html => delete_user.html} (81%) diff --git a/imaginaerraum_door_admin/templates/admins.html b/imaginaerraum_door_admin/templates/admins.html index 30d712a..afa8b4d 100644 --- a/imaginaerraum_door_admin/templates/admins.html +++ b/imaginaerraum_door_admin/templates/admins.html @@ -8,20 +8,35 @@ {% block content %} - + + + {% for data in admin_data %} + {% if data['active'] %} - {% for field in ['username', 'email', 'active'] %} + {% else %} + + {% endif %} + {% for field in ['username', 'email', 'active', 'admin', 'super_admin'] %} {% endfor %} {% endfor %} @@ -29,7 +44,7 @@
UsernameBenutzer E-Mail AktivAdminSuper-Admin Aktionen
{{ data[field] if data[field] }} + {% if not data['super_admin'] %} Toggle active Delete + {% endif %} + {% if data['admin'] %} + {% if not data['super_admin'] %} + Demote + {% endif %} + {% else %} + Promote + {% endif %}

- Neuen Admin erstellen: + Neuen Benutzer erstellen:

diff --git a/imaginaerraum_door_admin/templates/base.html b/imaginaerraum_door_admin/templates/base.html index e29fe6c..d728c62 100644 --- a/imaginaerraum_door_admin/templates/base.html +++ b/imaginaerraum_door_admin/templates/base.html @@ -48,7 +48,7 @@ {% if current_user.has_role('super_admin') %}
  • - Admins verwalten + Benutzer verwalten
    • {% endif %} diff --git a/imaginaerraum_door_admin/templates/delete_admin.html b/imaginaerraum_door_admin/templates/delete_user.html similarity index 81% rename from imaginaerraum_door_admin/templates/delete_admin.html rename to imaginaerraum_door_admin/templates/delete_user.html index 5b6edff..6acbe2f 100644 --- a/imaginaerraum_door_admin/templates/delete_admin.html +++ b/imaginaerraum_door_admin/templates/delete_user.html @@ -1,12 +1,12 @@ {% extends 'base.html' %} {% block header %} - {% block title %}

    Admin Benutzer löschen

    {% endblock %} + {% block title %}

    Benutzer löschen

    {% endblock %} {% endblock %} {% block content %}
    - Achtung, Admin '{{ username }}' wird gelöscht. + Achtung, Benutzer '{{ username }}' wird gelöscht. Bitte zur Bestätigung den Nutzernamen eingeben:
    diff --git a/imaginaerraum_door_admin/webapp.py b/imaginaerraum_door_admin/webapp.py index a77b431..e88b483 100644 --- a/imaginaerraum_door_admin/webapp.py +++ b/imaginaerraum_door_admin/webapp.py @@ -188,13 +188,12 @@ def create_application(config): attributes=ldap3.ALL_ATTRIBUTES) if lock_permission: new_user_data['email'] = con.entries[0].mail.value - new_user_data['roles'].append('admin') else: new_user_data['email'] = None token_granting_permission = con.search('ou=Users,dc=imaginaerraum,dc=de', f'(&(uid={username})(memberof=cn=Vorstand,ou=Groups,dc=imaginaerraum,dc=de))') if token_granting_permission: - new_user_data['roles'].append('super_admin') + new_user_data['roles'].append('admin') return True, new_user_data @@ -257,21 +256,22 @@ def create_application(config): form = AdminCreationForm() if request.method == 'GET': users = user_datastore.user_model.query.all() - admin_data = [{'username': u.username, 'email': u.email, 'active': u.is_active} for u in users] + admin_data = [{'username': u.username, 'email': u.email, 'active': u.is_active, + 'admin': u.has_role('admin'), 'super_admin': u.has_role('super_admin'), + } for u in users] return render_template('admins.html', admin_data=admin_data, form=form) elif form.validate(): if user_datastore.find_user(username=form.name.data) is not None or \ user_datastore.find_user(email=form.email.data) is not None: - flash("A user with the same name or email is already registered!") + flash("Ein Benutzer mit diesem Nutzernamen oder dieser E-Mail-Adresse existiert bereits!") return redirect('/manage_admins') else: pw = secrets.token_urlsafe(16) - new_user = user_datastore.create_user(username=form.name.data, email=form.email.data, roles=['admin'], + new_user = user_datastore.create_user(username=form.name.data, email=form.email.data, password=hash_password(pw)) logger.info( - f"Super admin {current_user.username} created new admin account for {new_user.username} <{new_user.email}>") - flash( - f"An account for the new admin user {new_user.username} has been created. Use the randomly generated password {pw} to log in.") + f"Super admin {current_user.username} created new user account for {new_user.username} <{new_user.email}>") + flash(f"Ein Account für den Nutzer {new_user.username} wurde erstellt. Verwende das Passwort {pw} um den Nutzer einzuloggen.") db.session.commit() return redirect('/manage_admins') @@ -280,13 +280,13 @@ def create_application(config): def delete_admins(username): user = user_datastore.find_user(username=username) if user is None: - flash(f"Invalid user {username}") + flash(f"Ungültiger Nutzer {username}") return redirect('/manage_admins') if user.has_role('super_admin'): - flash('Cannot delete super admins!') + flash('Super-Admins können nicht gelöscht werden!') return redirect('/manage_admins') if user.is_active: - flash('Cannot delete active users. Please deactivate user first!') + flash('Aktive Nutzer können nicht gelöscht werden! Bitte den Benutzer zuerst deaktivieren.') return redirect('/manage_admins') # set up form for confirming deletion @@ -295,15 +295,15 @@ def create_application(config): if request.method == 'GET': # return page asking the user to confirm delete - return render_template('delete_admin.html', username=username, form=form) + return render_template('delete_user.html', username=username, form=form) elif form.validate(): user_datastore.delete_user(user) - flash(f"Username {username} was deleted.") + flash(f"Benutzer {username} wurde gelöscht.") logger.info(f"Super admin {current_user.username} deleted admin user {username}") db.session.commit() return redirect('/manage_admins') else: - flash("Username does not match. User was not deleted!") + flash("Der eingegebene Nutzername stimmt nicht überein. Der Benutzer wurde nicht gelöscht!") return redirect('/manage_admins') @app.route('/admin_toggle_active/') @@ -311,10 +311,10 @@ def create_application(config): def admin_toggle_active(username): user = user_datastore.find_user(username=username) if user is None: - flash(f"Invalid user {username}") + flash(f"Ungültiger Nutzer {username}") return redirect('/manage_admins') if user.has_role('super_admin'): - flash('Cannot deactivate super admins!') + flash('Super-Admins können nicht deaktiviert werden!') return redirect('/manage_admins') user_datastore.toggle_active(user) if user.is_active: @@ -324,12 +324,46 @@ def create_application(config): db.session.commit() return redirect('/manage_admins') + @app.route('/promote_admin/') + @roles_required('super_admin') + def promote_admin(username): + user = user_datastore.find_user(username=username) + if user is None: + flash(f"Ungültiger Nutzer {username}") + return redirect('/manage_admins') + if user.has_role('admin'): + flash(f'Benutzer {username} hat bereits Admin-Rechte!') + return redirect('/manage_admins') + user_datastore.add_role_to_user(user, 'admin') + logger.info(f"Super admin {current_user.username} granted admin privileges to user {username}") + db.session.commit() + return redirect('/manage_admins') + + @app.route('/demote_admin/') + @roles_required('super_admin') + def demote_admin(username): + user = user_datastore.find_user(username=username) + if user is None: + flash(f"Ungültiger Nutzer {username}") + return redirect('/manage_admins') + if user.has_role('super_admin'): + flash(f'Benutzer {username} hat Super-Admin-Rechte und kann nicht verändert werden!') + return redirect('/manage_admins') + if user.has_role('admin'): + user_datastore.remove_role_from_user(user, 'admin') + logger.info(f"Super admin {current_user.username} revoked admin privileges of user {username}") + db.session.commit() + else: + flash(f'Benutzer {username} ist bereits kein Admin!') + return redirect('/manage_admins') + @app.route('/backup_user_datastore') @roles_required('super_admin') def backup_user_datastore(): # get list of defined admin users for backup users = user_datastore.user_model.query.all() - user_data = [{'username': u.username, 'email': u.email, 'active': u.is_active, 'password_hash': u.password} + user_data = [{'username': u.username, 'email': u.email, 'active': u.is_active, 'password_hash': u.password, + 'roles': [r.name for r in u.roles]} for u in users if not u.has_role('super_admin')] try: with tempfile.TemporaryDirectory() as tmpdir: @@ -362,18 +396,20 @@ def create_application(config): valid &= all(type(d) == dict for d in user_data) if valid: for d in user_data: - entry_valid = set(d.keys()) == { 'active', 'email', 'password_hash', 'username'} + entry_valid = set(d.keys()) == { 'active', 'email', 'password_hash', 'username', 'roles'} entry_valid &= all(len(d[key]) > 0 for key in ['email', 'password_hash', 'username']) entry_valid &= type(d['active']) == bool + entry_valid &= type(d['roles']) == list validate_email(d['email']) if entry_valid: existing_user = user_datastore.find_user(username=d['username'], email=d['email']) if existing_user is None: - user_datastore.create_user(username=d['username'], email=d['email'], password=d['password_hash'], - roles=['admin'], active=d['active']) - flash(f"Admin Account für Benutzer '{d['username']} wurde wiederhergestellt.") + user_datastore.create_user(username=d['username'], email=d['email'], + password=d['password_hash'], active=d['active'], + roles=d['roles']) + flash(f"Account für Benutzer '{d['username']} wurde wiederhergestellt.") else: - flash(f"Admin '{d['username']} existiert bereits. Eintrag wird übersprungen.") + flash(f"Benutzer '{d['username']} existiert bereits. Eintrag wird übersprungen.") else: raise ValueError(f"Ungültige Daten für User Entry {d}") else: @@ -381,7 +417,7 @@ def create_application(config): except Exception as e: flash(f"Die Datei konnte nicht gelesen werden. Exception: {e}") return redirect('/manage_admins') - flash("Admin Benutzer aus Datei gelesen.") + flash("Benutzer aus Datei gelesen.") db.session.commit() else: flash("Ungültige Dateiendung") @@ -393,7 +429,7 @@ def create_application(config): # token overview @app.route('/tokens') - @auth_required() + @roles_required('admin') def list_tokens(): tokens = door.get_tokens() assigned_tokens = {t: data for t, data in tokens.items() if not data['inactive']} @@ -402,7 +438,7 @@ def create_application(config): # routes for registering, editing and deleting tokens @app.route('/register-token', methods=['GET', 'POST']) - @auth_required() + @roles_required('admin') def register(): """Register new token for locking and unlocking the door. @@ -434,7 +470,7 @@ def create_application(config): return render_template('register.html', token=door.get_most_recent_token(), form=form) @app.route('/edit-token/', methods=['GET', 'POST']) - @auth_required() + @roles_required('admin') def edit_token(token): """Edit data in the token file (name, email, valid_thru date, active/inactive). @@ -489,7 +525,7 @@ def create_application(config): return render_template('edit.html', token=token, form=form) @app.route('/store-token') - @auth_required() + @roles_required('admin') def store_token(): """Store token to the token file on disk. @@ -511,7 +547,7 @@ def create_application(config): return redirect('/tokens') @app.route('/delete-token/', methods=['GET', 'POST']) - @auth_required() + @roles_required('admin') def delete_token(token): """Delete the given token from the token file and store the new token file to disk @@ -552,7 +588,7 @@ def create_application(config): return redirect('/tokens') @app.route('/deactivate-token/') - @auth_required() + @roles_required('admin') def deactivate_token(token): """Deactivate access for the given token. This updates the token file on disk. @@ -572,7 +608,7 @@ def create_application(config): return redirect('/tokens') @app.route('/backup_tokens') - @auth_required() + @roles_required('admin') def backup_tokens(): # get list of defined admin users for backup tokens = door.get_tokens()