Merge 75a9254ef3
into 0da9b2185e
commit
928cd0d23d
|
@ -405,6 +405,34 @@ class User(db.Model):
|
|||
current_app.logger.error('Unsupported authentication method')
|
||||
return False
|
||||
|
||||
def is_user(self):
|
||||
from ..models.role import Role
|
||||
User_role_id= Role.query.filter_by(name="User").first().id
|
||||
if (self.role_id==User_role_id):
|
||||
return True
|
||||
return False
|
||||
|
||||
def is_authenticate(self):
|
||||
"""
|
||||
Check if a (type) user has access to at least one domain
|
||||
"""
|
||||
user = User.query.filter(User.id == self.id).first()
|
||||
if user.is_user() and user.get_user_domains() == [] and \
|
||||
(user.get_accounts()==[] or not Setting().get('allow_user_create_domain')):
|
||||
admins = User.query.filter(User.role_id == 1)
|
||||
admin_email = None
|
||||
for admin in admins:
|
||||
if admin.email: #admin has an active email
|
||||
admin_email = admin.email
|
||||
break
|
||||
|
||||
e="User " + user.username + " does not have any domains registered"
|
||||
current_app.logger.warning(
|
||||
"Unauthorized user: {}".format(e))
|
||||
return {'auth': False, 'admin_email': admin_email}
|
||||
|
||||
return {'auth': True, 'admin_email': None}
|
||||
|
||||
def create_user(self):
|
||||
"""
|
||||
If user logged in successfully via LDAP in the first time
|
||||
|
@ -634,7 +662,6 @@ class User(db.Model):
|
|||
accounts.append(q[1])
|
||||
return accounts
|
||||
|
||||
|
||||
def read_entitlements(self, key):
|
||||
"""
|
||||
Get entitlements from ldap server associated with this user
|
||||
|
@ -795,6 +822,3 @@ def getUserInfo(DomainsOrAccounts):
|
|||
for DomainOrAccount in DomainsOrAccounts:
|
||||
current.append(DomainOrAccount.name)
|
||||
return current
|
||||
|
||||
|
||||
|
||||
|
|
|
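Review bot: In is_authenticate() the administrator lookup hard-codes `User.role_id == 1`, while is_user() just above resolves its role by name; in a deployment where the Administrator role does not carry id 1, admin_email silently stays None and the 401 page offers no contact, so resolve it the same way, e.g. `admin_role = Role.query.filter_by(name='Administrator').first()` and `User.query.filter(User.role_id == admin_role.id)` with a None guard. is_user() itself raises AttributeError instead of returning False when no role named "User" exists, because `.first()` can return None; `role = Role.query.filter_by(name="User").first()` followed by `return role is not None and self.role_id == role.id` avoids that. The name is_authenticate is misleading since the caller is already authenticated and the docstring describes an authorization check; a docstring such as `Return {'auth': bool, 'admin_email': str | None}; 'auth' is False only for a role-'User' account with no domains and either no accounts or domain creation disabled` would pin the contract. Be aware that the returned admin_email is then shown to the unprivileged user, which discloses an administrator's address — fine if intended, but worth a comment saying so.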
@ -1,6 +1,6 @@
|
|||
import datetime
|
||||
from flask import Blueprint, render_template, url_for, current_app, request, jsonify, redirect, g, session
|
||||
from flask_login import login_required, current_user, login_manager
|
||||
from flask_login import login_required, current_user, login_manager, logout_user
|
||||
from sqlalchemy import not_
|
||||
|
||||
from ..decorators import operator_role_required
|
||||
|
@ -150,10 +150,21 @@ def dashboard():
|
|||
Domain().update()
|
||||
else:
|
||||
current_app.logger.info('Updating domains in background...')
|
||||
|
||||
|
||||
show_bg_domain_button = BG_DOMAIN_UPDATE
|
||||
if BG_DOMAIN_UPDATE and current_user.role.name not in ['Administrator', 'Operator']:
|
||||
show_bg_domain_button = False
|
||||
|
||||
result = current_user.is_authenticate()
|
||||
if result['auth'] == False:
|
||||
username=current_user.username
|
||||
history_unauthorized_log(username)
|
||||
logout_user()
|
||||
return render_template('errors/401.html',
|
||||
saml_enabled=current_app.config.get('SAML_ENABLED'),
|
||||
error='Unauthorized',
|
||||
username= username,
|
||||
admin_email= result['admin_email'])
|
||||
|
||||
# Stats for dashboard
|
||||
domain_count = 0
|
||||
|
@ -223,3 +234,18 @@ def domains_updater():
|
|||
"result": d,
|
||||
}
|
||||
return jsonify(response_data)
|
||||
|
||||
def history_unauthorized_log(username):
|
||||
if request.headers.getlist("X-Forwarded-For"):
|
||||
request_ip = request.headers.getlist("X-Forwarded-For")[0]
|
||||
request_ip = request_ip.split(',')[0]
|
||||
else:
|
||||
request_ip = request.remote_addr
|
||||
|
||||
current_app.logger.info("User {} failed to be authorized from {}".format(username, request_ip))
|
||||
History(msg='User {} was not authorized to access Powerdns-Admin'.format(username),
|
||||
detail=str({
|
||||
"username": username,
|
||||
"ip_address": request_ip,
|
||||
}),
|
||||
created_by='System').add()
|
||||
|
|
|
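Review bot: The unauthorized branch in dashboard() renders the 401 template with Flask's default 200 status, so clients, proxies and monitoring see a successful response; return it as `return render_template('errors/401.html', ...), 401`. Because this gate lives only inside dashboard(), a role-"User" account with no domains remains logged in for any other route it requests directly and logout_user() here never runs for those — enforcing it in a before_request hook or the login_required path would apply it uniformly (the other blueprints are not visible in this hunk, so treat that as something to confirm). The gate also sits after `Domain().update()` and the role check at the top of the view, so an unauthorized user still triggers that work before being rejected; move the is_authenticate() call ahead of it. In history_unauthorized_log the first X-Forwarded-For entry is recorded as ip_address verbatim, which any client can set unless a trusted proxy overwrites the header; take the address from a proxy-aware source such as werkzeug's ProxyFix or mark the field as client-supplied. Minor: `if result['auth'] == False:` reads better as `if not result['auth']:`.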
@ -366,7 +366,6 @@ def login():
|
|||
history.add()
|
||||
current_app.logger.warning('group info: {} '.format(account_id))
|
||||
|
||||
|
||||
login_user(user, remember=False)
|
||||
signin_history(user.username, 'Azure OAuth', True)
|
||||
return redirect(url_for('index.index'))
|
||||
|
@ -481,6 +480,7 @@ def login():
|
|||
saml_enabled=SAML_ENABLED,
|
||||
error=e)
|
||||
|
||||
|
||||
# check if user enabled OPT authentication
|
||||
if user.otp_secret:
|
||||
if otp_token and otp_token.isdigit():
|
||||
|
|
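--- /dev/null
+++ b/powerdnsadmin/templates/errors/401.html
@@ -0,0 +1,42 @@
+{% extends "base.html" %}
+{% block title %}<title>PowerDNS-Admin - 401 Error</title>{% endblock %}
+
+{% block dashboard_stat %}
+<!-- Content Header (Page header) -->
+<section class="content-header">
+<h1>
+401
+<small>Error</small>
+</h1>
+<ol class="breadcrumb">
+<li><a href="{{ url_for('dashboard.dashboard') }}"><i class="fa fa-dashboard"></i>Home</a></li>
+<li>401</li>
+</ol>
+</section>
+{% endblock %}
+
+{% block content %}
+<!-- Main content -->
+<section class="content">
+<div class="error-page">
+<h2 class="headline text-yellow">401</h2>
+<div class="error-content">
+<h3>
+<i class="fa fa-warning text-yellow"></i> Oops! Unauthorized Access
+</h3>
+<p>
+Sorry {{ username }}, you do not have access to any domains yet.
+Please contact the administrator
+{% if admin_email %}
+at {{ admin_email }}
+{% endif %}
+for more information.
+<br/>You may <a href="{{ url_for('index.logout') }}">return to the login page</a>.
+</p>
+</div>
+<!-- /.error-content -->
+</div>
+<!-- /.error-page -->
+</section>
+<!-- /.content -->
+{% endblock %}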