Fixed access to admin-only resources in case of disabled access control
parent
552048efbe
commit
d7d8bba2e9
|
@ -574,7 +574,7 @@ def performSystemAction():
|
||||||
|
|
||||||
@app.route(BASEURL + "login", methods=["POST"])
|
@app.route(BASEURL + "login", methods=["POST"])
|
||||||
def login():
|
def login():
|
||||||
if "user" in request.values.keys() and "pass" in request.values.keys():
|
if userManager is not None and "user" in request.values.keys() and "pass" in request.values.keys():
|
||||||
username = request.values["user"]
|
username = request.values["user"]
|
||||||
password = request.values["pass"]
|
password = request.values["pass"]
|
||||||
|
|
||||||
|
@ -594,8 +594,7 @@ def login():
|
||||||
user = current_user
|
user = current_user
|
||||||
if user is not None and not user.is_anonymous():
|
if user is not None and not user.is_anonymous():
|
||||||
return jsonify(user.asDict())
|
return jsonify(user.asDict())
|
||||||
else:
|
return jsonify(SUCCESS)
|
||||||
return jsonify(SUCCESS)
|
|
||||||
|
|
||||||
@app.route(BASEURL + "logout", methods=["POST"])
|
@app.route(BASEURL + "logout", methods=["POST"])
|
||||||
@login_required
|
@login_required
|
||||||
|
@ -613,11 +612,7 @@ def logout():
|
||||||
def on_identity_loaded(sender, identity):
|
def on_identity_loaded(sender, identity):
|
||||||
user = load_user(identity.name)
|
user = load_user(identity.name)
|
||||||
if user is None:
|
if user is None:
|
||||||
if userManager is None:
|
return
|
||||||
# access control is disabled, we'll create permissions for the DummyUser
|
|
||||||
user = users.DummyUser()
|
|
||||||
else:
|
|
||||||
return
|
|
||||||
|
|
||||||
identity.provides.add(UserNeed(user.get_name()))
|
identity.provides.add(UserNeed(user.get_name()))
|
||||||
if user.is_user():
|
if user.is_user():
|
||||||
|
@ -628,7 +623,7 @@ def on_identity_loaded(sender, identity):
|
||||||
def load_user(id):
|
def load_user(id):
|
||||||
if userManager is not None:
|
if userManager is not None:
|
||||||
return userManager.findUser(id)
|
return userManager.findUser(id)
|
||||||
return None
|
return users.DummyUser()
|
||||||
|
|
||||||
#~~ startup code
|
#~~ startup code
|
||||||
class Server():
|
class Server():
|
||||||
|
@ -674,6 +669,7 @@ class Server():
|
||||||
login_manager.user_callback = load_user
|
login_manager.user_callback = load_user
|
||||||
if userManager is None:
|
if userManager is None:
|
||||||
login_manager.anonymous_user = users.DummyUser
|
login_manager.anonymous_user = users.DummyUser
|
||||||
|
principals.identity_loaders.appendleft(users.dummy_identity_loader)
|
||||||
login_manager.init_app(app)
|
login_manager.init_app(app)
|
||||||
|
|
||||||
if self._host is None:
|
if self._host is None:
|
||||||
|
|
|
@ -3,6 +3,7 @@ __author__ = "Gina Häußge <osd@foosel.net>"
|
||||||
__license__ = 'GNU Affero General Public License http://www.gnu.org/licenses/agpl.html'
|
__license__ = 'GNU Affero General Public License http://www.gnu.org/licenses/agpl.html'
|
||||||
|
|
||||||
from flask.ext.login import UserMixin
|
from flask.ext.login import UserMixin
|
||||||
|
from flask.ext.principal import Identity
|
||||||
import hashlib
|
import hashlib
|
||||||
import os
|
import os
|
||||||
import yaml
|
import yaml
|
||||||
|
@ -224,4 +225,11 @@ class DummyUser(User):
|
||||||
User.__init__(self, "dummy", "", True, UserManager.valid_roles)
|
User.__init__(self, "dummy", "", True, UserManager.valid_roles)
|
||||||
|
|
||||||
def check_password(self, passwordHash):
|
def check_password(self, passwordHash):
|
||||||
return True
|
return True
|
||||||
|
|
||||||
|
class DummyIdentity(Identity):
|
||||||
|
def __init__(self):
|
||||||
|
Identity.__init__(self, "dummy")
|
||||||
|
|
||||||
|
def dummy_identity_loader():
|
||||||
|
return DummyIdentity()
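Review bot: `DummyIdentity` and `dummy_identity_loader` carry no docstring explaining that they exist only for the access-control-disabled mode, and since `dummy_identity_loader` returns a `DummyIdentity` unconditionally, any caller that registers it while a real user manager is active would hand the `dummy` identity to every request. Add on the class `"""Identity used when access control is disabled; always named "dummy"."""` and on the loader `"""Identity loader for disabled access control: every request yields a DummyIdentity."""`. Registration presumably happens in the server startup code rather than here, so this module cannot enforce the precondition itself; a sentence pointing the reader to where it is registered would help.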
|