Feature #4715: Disable group edits for drivers that manage groups

2025-03-21 14:50:08 +03:00 · 2016-08-23 15:36:55 +02:00 · 2016-08-23 15:36:55 +02:00 · 8419b29f16
commit 8419b29f16
parent a3e99f538f
2 changed files with 67 additions and 5 deletions
--- a/src/rm/RequestManagerChown.cc
+++ b/src/rm/RequestManagerChown.cc
@ -354,6 +354,7 @@ void UserChown::request_execute(xmlrpc_c::paramList const& paramList,

    string ngname;
    string uname;
+    string auth_driver;

    User *  user;
    Group * group;
@ -361,6 +362,10 @@ void UserChown::request_execute(xmlrpc_c::paramList const& paramList,
    PoolObjectAuth uperms;
    PoolObjectAuth ngperms;

+    const VectorAttribute* auth_conf;
+    bool driver_managed_groups;
+    bool new_group;
+
    if ( ngid < 0 )
    {
        att.resp_msg = "Wrong group ID";
@ -368,10 +373,36 @@ void UserChown::request_execute(xmlrpc_c::paramList const& paramList,
        return;
    }

-    rc = get_info(upool, oid, PoolObjectSQL::USER, att, uperms, uname, true);
-
-    if ( rc == -1 )
+    if ((user = upool->get(oid,true)) == 0 )
    {
+        att.resp_obj = PoolObjectSQL::USER;
+        att.resp_id  = oid;
+        failure_response(NO_EXISTS, att);
+
+        return;
+    }
+
+    user->get_permissions(uperms);
+
+    uname = user->get_name();
+
+    auth_driver = user->get_auth_driver();
+    new_group = user->get_groups().count(ngid) != 1;
+
+    user->unlock();
+
+    driver_managed_groups = false;
+
+    if (Nebula::instance().get_auth_conf_attribute(auth_driver, auth_conf) == 0)
+    {
+        auth_conf->vector_value("DRIVER_MANAGED_GROUPS", driver_managed_groups);
+    }
+
+    if (driver_managed_groups && new_group)
+    {
+        att.resp_msg =
+            "Groups cannot be manually managed for auth driver "+auth_driver;
+        failure_response(ACTION, att);
        return;
    }

--- a/src/rm/RequestManagerUser.cc
+++ b/src/rm/RequestManagerUser.cc
@ -210,14 +210,45 @@ void UserEditGroup::

    string gname;
    string uname;
+    string auth_driver;

    PoolObjectAuth uperms;
    PoolObjectAuth gperms;

-    rc = get_info(upool, user_id, PoolObjectSQL::USER, att, uperms, uname,true);
+    const VectorAttribute* auth_conf;
+    bool driver_managed_groups;

-    if ( rc == -1 )
+    User* user;
+
+    if ((user = upool->get(user_id,true)) == 0 )
    {
+        att.resp_obj = PoolObjectSQL::USER;
+        att.resp_id  = user_id;
+        failure_response(NO_EXISTS, att);
+
+        return;
+    }
+
+    user->get_permissions(uperms);
+
+    uname = user->get_name();
+
+    auth_driver = user->get_auth_driver();
+
+    user->unlock();
+
+    driver_managed_groups = false;
+
+    if (Nebula::instance().get_auth_conf_attribute(auth_driver, auth_conf) == 0)
+    {
+        auth_conf->vector_value("DRIVER_MANAGED_GROUPS", driver_managed_groups);
+    }
+
+    if (driver_managed_groups)
+    {
+        att.resp_msg =
+            "Groups cannot be manually managed for auth driver "+auth_driver;
+        failure_response(ACTION, att);
        return;
    }