Disable superuser functions around users when not using DB auth

2015-10-16 15:14:49 -04:00 · 2015-10-16 15:14:49 -04:00 · ad5beab3ef
commit ad5beab3ef
parent 2f42a4d94d
2 changed files with 26 additions and 4 deletions
--- a/endpoints/api/superuser.py
+++ b/endpoints/api/superuser.py
@ -236,6 +236,10 @@ class SuperUserList(ApiResource):
  @require_scope(scopes.SUPERUSER)
  def post(self):
    """ Creates a new user. """
+    # Ensure that we are using database auth.
+    if app.config['AUTHENTICATION_TYPE'] != 'Database':
+      abort(400)
+
    user_information = request.get_json()
    if SuperUserPermission().can():
      username = user_information['username']
@ -274,6 +278,10 @@ class SuperUserSendRecoveryEmail(ApiResource):
  @nickname('sendInstallUserRecoveryEmail')
  @require_scope(scopes.SUPERUSER)
  def post(self, username):
+    # Ensure that we are using database auth.
+    if app.config['AUTHENTICATION_TYPE'] != 'Database':
+      abort(400)
+
    if SuperUserPermission().can():
      user = model.user.get_nonrobot_user(username)
      if not user:
@ -370,9 +378,17 @@ class SuperUserManagement(ApiResource):

      user_data = request.get_json()
      if 'password' in user_data:
+        # Ensure that we are using database auth.
+        if app.config['AUTHENTICATION_TYPE'] != 'Database':
+          abort(400)
+
        model.user.change_password(user, user_data['password'])

      if 'email' in user_data:
+        # Ensure that we are using database auth.
+        if app.config['AUTHENTICATION_TYPE'] != 'Database':
+          abort(400)
+
        model.user.update_email(user, user_data['email'], auto_verify=True)

      if 'enabled' in user_data:
--- a/static/partials/super-user.html
+++ b/static/partials/super-user.html
@ -140,9 +140,13 @@
          </div>
          <div ng-show="users">
            <div class="manager-header" header-title="Users">
-              <button class="create-button btn btn-primary" ng-click="showCreateUser()">
+              <button class="create-button btn btn-primary" ng-click="showCreateUser()"
+                      quay-show="Config.AUTHENTICATION_TYPE == 'Database'">
                <i class="fa fa-plus" style="margin-right: 6px;"></i>Create User
              </button>
+              <span class="co-alert co-alert-info" quay-show="Config.AUTHENTICATION_TYPE != 'Database'">
+                Note: <span class="registry-name"></span> is configured to use external authentication, so users can only be created in that system
+              </span>
            </div>

            <div class="filter-box" collection="users" filter-model="search" filter-name="Users"></div>
@ -177,14 +181,16 @@
                <td style="text-align: center;">
                  <span class="cor-options-menu"
                        ng-if="user.username != current_user.username && !current_user.super_user">
-                    <span class="cor-option" option-click="showChangeEmail(current_user)">
+                    <span class="cor-option" option-click="showChangeEmail(current_user)"
+                          quay-show="Config.AUTHENTICATION_TYPE == 'Database'">
                      <i class="fa fa-envelope-o"></i> Change E-mail Address
                    </span>
-                    <span class="cor-option" option-click="showChangePassword(current_user)">
+                    <span class="cor-option" option-click="showChangePassword(current_user)"
+                          quay-show="Config.AUTHENTICATION_TYPE == 'Database'">
                      <i class="fa fa-key"></i> Change Password
                    </span>
                    <span class="cor-option" option-click="sendRecoveryEmail(current_user)"
-                          quay-show="Features.MAILING">
+                          quay-show="Features.MAILING && Config.AUTHENTICATION_TYPE == 'Database'">
                      <i class="fa fa-envelope"></i> Send Recovery E-mail
                    </span>
                    <span class="cor-option" option-click="showDeleteUser(current_user)">