Unauthorized Access refactor

2021-09-30 11:42:42 +03:00 · 2021-09-30 11:42:42 +03:00 · 9044d14fdc
parent b4e5351357
commit 9044d14fdc
3 changed files with 11 additions and 50 deletions
--- a/powerdnsadmin/routes/dashboard.py
+++ b/powerdnsadmin/routes/dashboard.py
@ -150,6 +150,16 @@ def dashboard():
    else:
        current_app.logger.info('Updating domains in background...')

+    if current_user.role.name == 'User' and not Setting().get(
+            'allow_user_create_domain') and not Setting().get('allow_user_view_history'):
+        result = current_user.is_authenticate()
+        if result['auth'] == False:
+            return render_template('errors/401.html',
+                                saml_enabled=current_app.config.get('SAML_ENABLED'),
+                                error='Unauthorized',
+                                username= current_user.username,
+                                admin_email= result['admin_email'])
+
    # Stats for dashboard
    domain_count = 0
    history_number = 0
--- a/powerdnsadmin/routes/index.py
+++ b/powerdnsadmin/routes/index.py
@ -168,14 +168,6 @@ def login():
                return redirect(url_for('index.login'))

        session['user_id'] = user.id
-        result = user.is_authenticate()
-        if result['auth'] == False:
-            signin_history(user.username, 'Google OAuth', False)
-            return render_template('errors/401.html',
-                                saml_enabled=SAML_ENABLED,
-                                error='Unauthorized',
-                                username= user.username,
-                                admin_email= result['admin_email'])
        login_user(user, remember=False)
        session['authentication_type'] = 'OAuth'
        signin_history(user.username, 'Google OAuth', True)
@ -204,14 +196,6 @@ def login():

        session['user_id'] = user.id
        session['authentication_type'] = 'OAuth'
-        result = user.is_authenticate()
-        if result['auth'] == False:
-            signin_history(user.username, 'Github OAuth', False)
-            return render_template('errors/401.html',
-                                saml_enabled=SAML_ENABLED,
-                                error='Unauthorized',
-                                username= user.username,
-                                admin_email= result['admin_email'])
        login_user(user, remember=False)
        signin_history(user.username, 'Github OAuth', True)
        return redirect(url_for('index.index'))
@ -383,14 +367,6 @@ def login():
                        history.add()
                    current_app.logger.warning('group info: {} '.format(account_id))

-        result = user.is_authenticate()
-        if result['auth'] == False:
-            signin_history(user.username, 'Azure OAuth', False)
-            return render_template('errors/401.html',
-                                saml_enabled=SAML_ENABLED,
-                                error='Unauthorized',
-                                username= user.username,
-                                admin_email= result['admin_email'])
        login_user(user, remember=False)
        signin_history(user.username, 'Azure OAuth', True)
        return redirect(url_for('index.index'))
@ -434,14 +410,6 @@ def login():

        session['user_id'] = user.id
        session['authentication_type'] = 'OAuth'
-        result = user.is_authenticate()
-        if result['auth'] == False:
-            signin_history(user.username, 'OIDC OAuth', False)
-            return render_template('errors/401.html',
-                                saml_enabled=SAML_ENABLED,
-                                error='Unauthorized',
-                                username= user.username,
-                                admin_email= result['admin_email'])
        login_user(user, remember=False)
        signin_history(user.username, 'OIDC OAuth', True)
        return redirect(url_for('index.index'))
@ -522,15 +490,6 @@ def login():
                        user.revoke_privilege(True)
                        current_app.logger.warning('Procceding to revoke every privilige from ' + user.username + '.' )

-        result = user.is_authenticate()
-        if result['auth'] == False:
-            signin_history(user.username, 'LOCAL', False)
-            return render_template('errors/401.html',
-                                saml_enabled=SAML_ENABLED,
-                                error='Unauthorized',
-                                username= user.username,
-                                admin_email= result['admin_email'])
-
        login_user(user, remember=remember_me)
        signin_history(user.username, 'LOCAL', True)
        return redirect(session.get('next', url_for('index.index')))
@ -1056,14 +1015,6 @@ def saml_authorized():
        user.plain_text_password = None
        user.update_profile()
        session['authentication_type'] = 'SAML'
-        result = user.is_authenticate()
-        if result['auth'] == False:
-            signin_history(user.username, 'SAML', False)
-            return render_template('errors/401.html',
-                                saml_enabled=SAML_ENABLED,
-                                error='Unauthorized',
-                                username= user.username,
-                                admin_email= result['admin_email'])
        login_user(user, remember=False)
        signin_history(user.username, 'SAML', True)
        return redirect(url_for('index.login'))
--- a/powerdnsadmin/templates/errors/401.html
+++ b/powerdnsadmin/templates/errors/401.html
@ -31,7 +31,7 @@
                at {{ admin_email }}            
                {% endif %}
                for more information.
-                <br/>You may <a href="{{ url_for('index.login') }}">return to the login page</a>.
+                <br/>You may <a href="{{ url_for('index.logout') }}">return to the login page</a>.
            </p>
        </div>
        <!-- /.error-content -->