admin: disallow changing mifareidhash for protected users

webapp/admin.py

@@ -94,6 +94,9 @@ def _get_groups_of(conn, uid):
 
     return groups
 
+def _is_user_protected(conn, uid, groups):
+    return any(group in config.ldap_protected_groups for group in groups)
+
 @bp.route('/admin/users/<uid>')
 @admin_required
 def admin_user_view(uid):
@@ -102,8 +105,7 @@ def admin_user_view(uid):
 
     profile = _get_profile(conn, uid)
     groups = _get_groups_of(conn, uid)
-
-    is_protected = any(group in config.ldap_protected_groups for group in groups)
+    is_protected = _is_user_protected(conn, uid, groups)
 
     return flask.render_template('admin/user.html', uid=uid, profile=_format_profile(profile), groups=groups, is_protected=is_protected)
 
@@ -133,20 +135,28 @@ def admin_user_view_del_mifareidhash(uid):
 def admin_user_add_mifareidhash(uid):
     ldaputils.validate_name(uid)
     conn = context.get_connection()
-    dn = ldaputils.user_dn(uid)
+
+    groups = _get_groups_of(conn, uid)
+    is_protected = _is_user_protected(conn, uid, groups)
 
     redirect_url = flask.url_for('admin.admin_user_view', uid=uid)
-
-    email.send_papertrail(
-        f'Added mifareIDHash for user {uid}',
-        f'New mifareIDHash: {flask.request.form["value"]}'
-    )
+    if is_protected:
+        flask.flash('Cannot modify protected user', 'danger')
+        return flask.redirect(redirect_url)
 
     try:
         form = AddMifareIDHash()
         if form.validate_on_submit():
             new_value = form.value.data
+
+            email.send_papertrail(
+                f'Adding mifareIDHash for user {uid}',
+                f'New mifareIDHash: {new_value}'
+            )
+
+            dn = ldaputils.user_dn(uid)
             conn.modify_s(dn, [(ldap.MOD_ADD, 'mifareidhash', new_value.encode('utf-8'))])
+
             context.refresh_profile(dn)
             flask.flash('Added mifareidhash', category='info')
             return flask.redirect(redirect_url)
@@ -169,21 +179,28 @@ def admin_user_add_mifareidhash(uid):
 def admin_user_del_mifareidhash(uid):
     ldaputils.validate_name(uid)
     conn = context.get_connection()
-    dn = ldaputils.user_dn(uid)
 
-    old_value = flask.request.args.get('value')
+    groups = _get_groups_of(conn, uid)
+    is_protected = _is_user_protected(conn, uid, groups)
 
     redirect_url = flask.url_for('admin.admin_user_view', uid=uid)
-
-    email.send_papertrail(
-        f'Deleted mifareIDHash for user {uid}',
-        f'Deleted mifareIDHash: {old_value}'
-    )
+    if is_protected:
+        flask.flash('Cannot modify protected user', 'danger')
+        return flask.redirect(redirect_url)
 
     try:
         form = DelForm()
         if form.validate_on_submit():
+            old_value = flask.request.args.get('value')
+
+            email.send_papertrail(
+                f'Deleting mifareIDHash for user {uid}',
+                f'Deleted mifareIDHash: {old_value}'
+            )
+
+            dn = ldaputils.user_dn(uid)
             conn.modify_s(dn, [(ldap.MOD_DELETE, 'mifareidhash', old_value.encode('utf-8'))])
+
             context.refresh_profile(dn)
             flask.flash('Deleted mifareidhash', category='info')
             return flask.redirect(redirect_url)