diff options
-rw-r--r-- | admin.go | 16 | ||||
-rw-r--r-- | guichet.hcl.example | 2 | ||||
-rw-r--r-- | main.go | 40 | ||||
-rw-r--r-- | templates/home.html | 4 |
4 files changed, 24 insertions, 38 deletions
@@ -18,20 +18,8 @@ func checkAdminLogin(w http.ResponseWriter, r *http.Request) *LoginStatus { return nil } - can_admin := (login.Info.DN == config.AdminAccount) - fmt.Printf("%#v", login.UserEntry) - for _, attr := range login.UserEntry.Attributes { - if strings.EqualFold(attr.Name, "memberof") { - for _, group := range attr.Values { - if config.GroupCanAdmin != "" && group == config.GroupCanAdmin { - can_admin = true - } - } - } - } - - if !can_admin { - http.Redirect(w, r, "/", http.StatusFound) + if !login.CanAdmin { + http.Error(w, "Not authorized to perform administrative operations.", http.StatusUnauthorized) return nil } diff --git a/guichet.hcl.example b/guichet.hcl.example index e2f1791..7c702ae 100644 --- a/guichet.hcl.example +++ b/guichet.hcl.example @@ -12,7 +12,7 @@ job "guichet" { task "server" { driver = "docker" config { - image = "lxpz/guichet_amd64:3" + image = "lxpz/guichet_amd64:4" readonly_rootfs = true port_map { web_port = 9991 @@ -136,6 +136,8 @@ type LoginStatus struct { Info *LoginInfo conn *ldap.Conn UserEntry *ldap.Entry + CanAdmin bool + CanInvite bool } func logRequest(handler http.Handler) http.Handler { @@ -195,7 +197,7 @@ func checkLogin(w http.ResponseWriter, r *http.Request) *LoginStatus { } requestKind := "(objectClass=organizationalPerson)" - if login_info.DN == config.AdminAccount { + if strings.EqualFold(login_info.DN, config.AdminAccount) { requestKind = "(objectclass=*)" } searchRequest := ldap.NewSearchRequest( @@ -218,6 +220,21 @@ func checkLogin(w http.ResponseWriter, r *http.Request) *LoginStatus { loginStatus.UserEntry = sr.Entries[0] + loginStatus.CanAdmin = strings.EqualFold(loginStatus.Info.DN, config.AdminAccount) + loginStatus.CanInvite = false + for _, attr := range loginStatus.UserEntry.Attributes { + if strings.EqualFold(attr.Name, "memberof") { + for _, group := range attr.Values { + if config.GroupCanInvite != "" && strings.EqualFold(group, config.GroupCanInvite) { + loginStatus.CanInvite = true + } + if config.GroupCanAdmin != "" && strings.EqualFold(group, config.GroupCanAdmin) { + loginStatus.CanAdmin = true + } + } + } + } + return loginStatus } @@ -244,8 +261,6 @@ func ldapOpen(w http.ResponseWriter) *ldap.Conn { type HomePageData struct { Login *LoginStatus WelcomeName string - CanAdmin bool - CanInvite bool BaseDN string } @@ -257,25 +272,8 @@ func handleHome(w http.ResponseWriter, r *http.Request) { return } - can_admin := (login.Info.DN == config.AdminAccount) - can_invite := false - for _, attr := range login.UserEntry.Attributes { - if strings.EqualFold(attr.Name, "memberof") { - for _, group := range attr.Values { - if config.GroupCanInvite != "" && group == config.GroupCanInvite { - can_invite = true - } - if config.GroupCanAdmin != "" && group == config.GroupCanAdmin { - can_admin = true - } - } - } - } - data := &HomePageData{ Login: login, - CanAdmin: can_admin, - CanInvite: can_invite, BaseDN: config.BaseDN, WelcomeName: login.UserEntry.GetAttributeValue("givenname"), } @@ -326,7 +324,7 @@ func handleLogin(w http.ResponseWriter, r *http.Request) *LoginInfo { username := strings.Join(r.Form["username"], "") password := strings.Join(r.Form["password"], "") user_dn := fmt.Sprintf("%s=%s,%s", config.UserNameAttr, username, config.UserBaseDN) - if username == config.AdminAccount { + if strings.EqualFold(username, config.AdminAccount) { user_dn = username } diff --git a/templates/home.html b/templates/home.html index 9a9773a..7f227e6 100644 --- a/templates/home.html +++ b/templates/home.html @@ -16,13 +16,13 @@ <div class="list-group list-group-flush"> <a class="list-group-item list-group-item-action" href="/profile">Modifier mon profil</a> <a class="list-group-item list-group-item-action" href="/passwd">Modifier mon mot de passe</a> - {{if .CanInvite}} + {{if .Login.CanInvite}} <a class="list-group-item list-group-item-action" href="/invite">Inviter quelqu'un</a> {{end}} </div> </div> -{{if .CanAdmin}} +{{if .Login.CanAdmin}} <div class="card mt-3"> <div class="card-header"> Administration |