
403 flag for _check_auth + fix default 404 page

_check_auth can now return a 403 error instead of redirecting to
the login page if needed (in the case of checkppolicy, for example).
The default page handles post data and querystring better now.
This commit is contained in:
kakwa 2016-07-29 22:56:56 +02:00
parent f863b230dd
commit a84ee528aa


@ -570,7 +570,7 @@ class LdapCherry(object):
return 'anonymous' return 'anonymous'
return cherrypy.session.get(SESSION_KEY) return cherrypy.session.get(SESSION_KEY)
def _check_auth(self, must_admin): def _check_auth(self, must_admin, redir_login=True):
""" check if a user is autheticated and, optionnaly an administrator """ check if a user is autheticated and, optionnaly an administrator
if user not authentifaced -> redirection to login page (with base64 if user not authentifaced -> redirection to login page (with base64
of the originaly requested page (redirection after login) of the originaly requested page (redirection after login)
@ -591,15 +591,28 @@ class LdapCherry(object):
b64requrl = base64.b64encode(cherrypy.url() + qs) b64requrl = base64.b64encode(cherrypy.url() + qs)
if not username: if not username:
# return to login page (with base64 of the url in query string # return to login page (with base64 of the url in query string
raise cherrypy.HTTPRedirect( if redir_login:
"/signin?url=%(url)s" % {'url': b64requrl}, raise cherrypy.HTTPRedirect(
) "/signin?url=%(url)s" % {'url': b64requrl},
)
else:
raise cherrypy.HTTPError(
"403 Forbidden",
"You must be logged in to access this ressource.",
)
if 'connected' not in cherrypy.session \ if 'connected' not in cherrypy.session \
or not cherrypy.session['connected']: or not cherrypy.session['connected']:
raise cherrypy.HTTPRedirect( if redir_login:
"/signin?url=%(url)s" % {'url': b64requrl}, raise cherrypy.HTTPRedirect(
) "/signin?url=%(url)s" % {'url': b64requrl},
)
else:
raise cherrypy.HTTPError(
"403 Forbidden",
"You must be logged in to access this ressource.",
)
if cherrypy.session['connected'] and \ if cherrypy.session['connected'] and \
not cherrypy.session['isadmin']: not cherrypy.session['isadmin']:
if must_admin: if must_admin:
@ -610,13 +623,20 @@ class LdapCherry(object):
) )
else: else:
return username return username
if cherrypy.session['connected'] and \ if cherrypy.session['connected'] and \
cherrypy.session['isadmin']: cherrypy.session['isadmin']:
return username return username
else: else:
raise cherrypy.HTTPRedirect( if redir_login:
"/signin?url=%(url)s" % {'url': b64requrl}, raise cherrypy.HTTPRedirect(
) "/signin?url=%(url)s" % {'url': b64requrl},
)
else:
raise cherrypy.HTTPError(
"403 Forbidden",
"You must be logged in to access this ressource.",
)
def _adduser(self, params): def _adduser(self, params):
cherrypy.log.error( cherrypy.log.error(
@ -953,7 +973,7 @@ class LdapCherry(object):
@exception_decorator @exception_decorator
def checkppolicy(self, **params): def checkppolicy(self, **params):
""" search user page """ """ search user page """
self._check_auth(must_admin=False) self._check_auth(must_admin=False, redir_login=False)
keys = params.keys() keys = params.keys()
if len(keys) != 1: if len(keys) != 1:
cherrypy.response.status = 400 cherrypy.response.status = 400
@ -1108,7 +1128,7 @@ class LdapCherry(object):
@cherrypy.expose @cherrypy.expose
@exception_decorator @exception_decorator
def default(self, attr=''): def default(self, attr='', **params):
cherrypy.response.status = 404 cherrypy.response.status = 404
self._check_auth(must_admin=False) self._check_auth(must_admin=False)
is_admin = self._check_admin() is_admin = self._check_admin()
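Review bot: The redirect-or-403 decision is now copied three times inside _check_auth (the `if not username` branch, the `connected` check, and the final `else`), each repeating the same status string and message, so a small private helper would keep the three sites identical and give the 403 text a single home. The new `redir_login` parameter is also not described in the docstring shown in the first hunk, which still only documents the redirect; adding `:param redir_login: when False, raise 403 Forbidden instead of redirecting to /signin` would tell callers such as checkppolicy why they pass it. The final `else:` after the `connected and isadmin` test looks unreachable once the earlier `connected` check has raised, so the third copy may be dead code — worth confirming before keeping it. _check_auth's body continues outside the hunks shown, and "ressource" in the 403 message (a typo for "resource") is repeated in all three copies.
```python
    def _abort_unauthenticated(self, b64requrl, redir_login):
        """Stop the request: redirect to the login page, or 403 when redir_login is False."""
        if redir_login:
            raise cherrypy.HTTPRedirect(
                "/signin?url=%(url)s" % {'url': b64requrl},
            )
        raise cherrypy.HTTPError(
            "403 Forbidden",
            "You must be logged in to access this ressource.",
        )

    def _check_auth(self, must_admin, redir_login=True):
        # … unchanged: docstring, username / b64requrl computation …
        if not username:
            # return to login page (with base64 of the url in query string
            self._abort_unauthenticated(b64requrl, redir_login)
        # … unchanged: the same call replaces the other two redirect/403 blocks …
```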