Merge 75a9254ef3 into 0da9b2185e

powerdnsadmin/models/user.py

@@ -405,6 +405,34 @@ class User(db.Model):
             current_app.logger.error('Unsupported authentication method')
             return False
 
+    def is_user(self):
+        from ..models.role import Role
+        User_role_id= Role.query.filter_by(name="User").first().id
+        if (self.role_id==User_role_id):
+            return True
+        return False
+
+    def is_authenticate(self):
+        """
+        Check if a (type) user has access to at least one domain
+        """
+        user = User.query.filter(User.id == self.id).first()
+        if user.is_user() and user.get_user_domains() == [] and \
+        (user.get_accounts()==[] or not Setting().get('allow_user_create_domain')):
+            admins = User.query.filter(User.role_id == 1)
+            admin_email = None
+            for admin in admins:
+                if admin.email:  #admin has an active email
+                    admin_email = admin.email
+                    break
+
+            e="User " + user.username + " does not have any domains registered"
+            current_app.logger.warning(
+                "Unauthorized user: {}".format(e))
+            return {'auth': False, 'admin_email': admin_email}
+
+        return {'auth': True, 'admin_email': None}
+
     def create_user(self):
         """
         If user logged in successfully via LDAP in the first time
@@ -634,7 +662,6 @@ class User(db.Model):
             accounts.append(q[1])
         return accounts
 
-
     def read_entitlements(self, key):
         """
         Get entitlements from ldap server associated with this user
@@ -795,6 +822,3 @@ def getUserInfo(DomainsOrAccounts):
     for DomainOrAccount in DomainsOrAccounts:
         current.append(DomainOrAccount.name)
     return current
-
-        
-

powerdnsadmin/routes/dashboard.py

@@ -1,6 +1,6 @@
 import datetime
 from flask import Blueprint, render_template, url_for, current_app, request, jsonify, redirect, g, session
-from flask_login import login_required, current_user, login_manager
+from flask_login import login_required, current_user, login_manager, logout_user
 from sqlalchemy import not_
 
 from ..decorators import operator_role_required
@@ -150,10 +150,21 @@ def dashboard():
         Domain().update()
     else:
         current_app.logger.info('Updating domains in background...')
-
+    
     show_bg_domain_button = BG_DOMAIN_UPDATE
     if BG_DOMAIN_UPDATE and current_user.role.name not in ['Administrator', 'Operator']:
         show_bg_domain_button = False
+    
+    result = current_user.is_authenticate()
+    if result['auth'] == False:
+        username=current_user.username
+        history_unauthorized_log(username)
+        logout_user()
+        return render_template('errors/401.html',
+                            saml_enabled=current_app.config.get('SAML_ENABLED'),
+                            error='Unauthorized',
+                            username= username,
+                    admin_email= result['admin_email'])
 
     # Stats for dashboard
     domain_count = 0
@@ -223,3 +234,18 @@ def domains_updater():
         "result": d,
     }
     return jsonify(response_data)
+
+def history_unauthorized_log(username):
+    if request.headers.getlist("X-Forwarded-For"):
+        request_ip = request.headers.getlist("X-Forwarded-For")[0]
+        request_ip = request_ip.split(',')[0]
+    else:
+        request_ip = request.remote_addr
+
+    current_app.logger.info("User {} failed to be authorized from {}".format(username, request_ip))
+    History(msg='User {} was not authorized to access Powerdns-Admin'.format(username),
+            detail=str({
+                "username": username,
+                "ip_address": request_ip,
+            }),
+            created_by='System').add()

powerdnsadmin/routes/index.py

@@ -366,7 +366,6 @@ def login():
                         history.add()
                     current_app.logger.warning('group info: {} '.format(account_id))
 
-
         login_user(user, remember=False)
         signin_history(user.username, 'Azure OAuth', True)
         return redirect(url_for('index.index'))
@@ -481,6 +480,7 @@ def login():
                                    saml_enabled=SAML_ENABLED,
                                    error=e)
 
+
         # check if user enabled OPT authentication
         if user.otp_secret:
             if otp_token and otp_token.isdigit():

powerdnsadmin/templates/errors/401.html

@@ -0,0 +1,42 @@
+{% extends "base.html" %}
+{% block title %}<title>PowerDNS-Admin - 401 Error</title>{% endblock %}
+
+{% block dashboard_stat %}
+    <!-- Content Header (Page header) -->
+    <section class="content-header">
+      <h1>
+        401
+        <small>Error</small>
+      </h1>
+      <ol class="breadcrumb">
+        <li><a href="{{ url_for('dashboard.dashboard') }}"><i class="fa fa-dashboard"></i>Home</a></li>
+        <li>401</li>
+      </ol>
+    </section>
+{% endblock %}
+
+{% block content %}
+<!-- Main content -->
+<section class="content">
+    <div class="error-page">
+        <h2 class="headline text-yellow">401</h2>
+        <div class="error-content">
+            <h3>
+                <i class="fa fa-warning text-yellow"></i> Oops! Unauthorized Access
+            </h3>
+            <p>
+                Sorry {{ username }}, you do not have access to any domains yet.
+                Please contact the administrator 
+                {% if admin_email %}
+                at {{ admin_email }}            
+                {% endif %}
+                for more information.
+                <br/>You may <a href="{{ url_for('index.logout') }}">return to the login page</a>.
+            </p>
+        </div>
+        <!-- /.error-content -->
+    </div>
+    <!-- /.error-page -->
+</section>
+<!-- /.content -->
+{% endblock %}