Commit f3bca340 authored by Leonidas Poulopoulos's avatar Leonidas Poulopoulos

Added security control checks that display a warning once an unauthorized access attempt is caught

parent 9db05e62
...@@ -222,7 +222,7 @@ class InstServer(models.Model): ...@@ -222,7 +222,7 @@ class InstServer(models.Model):
return _('Server: %(servername)s, Type: %(ertype)s') % { return _('Server: %(servername)s, Type: %(ertype)s') % {
# but name is many-to-many from institution # but name is many-to-many from institution
#'inst': self.instid, #'inst': self.instid,
'servername': self.get_name, 'servername': self.get_name(),
# the human-readable name would be nice here # the human-readable name would be nice here
'ertype': self.ertype, 'ertype': self.ertype,
} }
......
...@@ -95,6 +95,10 @@ def add_institution_details(request, institution_pk): ...@@ -95,6 +95,10 @@ def add_institution_details(request, institution_pk):
except UserProfile.DoesNotExist: except UserProfile.DoesNotExist:
return HttpResponseRedirect(reverse("manage")) return HttpResponseRedirect(reverse("manage"))
if institution_pk and int(inst.pk) != int(institution_pk):
messages.add_message(request, messages.ERROR, 'You have no rights on this Institution')
return HttpResponseRedirect(reverse("institutions"))
if request.method == "GET": if request.method == "GET":
request_data = request.POST.copy() request_data = request.POST.copy()
try: try:
...@@ -107,6 +111,7 @@ def add_institution_details(request, institution_pk): ...@@ -107,6 +111,7 @@ def add_institution_details(request, institution_pk):
form.fields['institution'] = forms.ModelChoiceField(queryset=Institution.objects.filter(pk=institution_pk), empty_label=None) form.fields['institution'] = forms.ModelChoiceField(queryset=Institution.objects.filter(pk=institution_pk), empty_label=None)
UrlFormSet = generic_inlineformset_factory(URL_i18n, extra=2, can_delete=True) UrlFormSet = generic_inlineformset_factory(URL_i18n, extra=2, can_delete=True)
urls_form = UrlFormSet(prefix='urlsform') urls_form = UrlFormSet(prefix='urlsform')
form.fields['contact'] = forms.ModelMultipleChoiceField(queryset=Contact.objects.filter(pk__in=getInstContacts(inst))) form.fields['contact'] = forms.ModelMultipleChoiceField(queryset=Contact.objects.filter(pk__in=getInstContacts(inst)))
return render_to_response('edumanage/institution_edit.html', { 'institution': inst, 'form': form, 'urls_form':urls_form}, return render_to_response('edumanage/institution_edit.html', { 'institution': inst, 'form': form, 'urls_form':urls_form},
...@@ -150,7 +155,7 @@ def services(request, service_pk): ...@@ -150,7 +155,7 @@ def services(request, service_pk):
except InstitutionDetails.DoesNotExist: except InstitutionDetails.DoesNotExist:
return HttpResponseRedirect(reverse("manage")) return HttpResponseRedirect(reverse("manage"))
if inst.ertype not in [2,3]: if inst.ertype not in [2,3]:
messages.add_message(request, messages.ERROR, 'Cannot add/edit Service. Your institution should be either SP or IdP/SP') messages.add_message(request, messages.ERROR, 'Cannot add/edit Location. Your institution should be either SP or IdP/SP')
return render_to_response('edumanage/services.html', { 'institution': inst }, return render_to_response('edumanage/services.html', { 'institution': inst },
context_instance=RequestContext(request, base_response(request))) context_instance=RequestContext(request, base_response(request)))
try: try:
...@@ -159,7 +164,11 @@ def services(request, service_pk): ...@@ -159,7 +164,11 @@ def services(request, service_pk):
services = False services = False
if service_pk: if service_pk:
services = services.get(pk=service_pk) try:
services = services.get(pk=service_pk)
except:
messages.add_message(request, messages.ERROR, 'You have no rights to view this location')
return HttpResponseRedirect(reverse("services"))
return render_to_response('edumanage/service_details.html', return render_to_response('edumanage/service_details.html',
{ {
'institution': inst, 'institution': inst,
...@@ -202,9 +211,11 @@ def add_services(request, service_pk): ...@@ -202,9 +211,11 @@ def add_services(request, service_pk):
try: try:
service = ServiceLoc.objects.get(institutionid=inst, pk=service_pk) service = ServiceLoc.objects.get(institutionid=inst, pk=service_pk)
form = ServiceLocForm(instance=service) form = ServiceLocForm(instance=service)
except ServiceLoc.DoesNotExist: except ServiceLoc.DoesNotExist:
form = ServiceLocForm() form = ServiceLocForm()
if service_pk:
messages.add_message(request, messages.ERROR, 'You have no rights to edit this location')
return HttpResponseRedirect(reverse("services"))
form.fields['institutionid'] = forms.ModelChoiceField(queryset=Institution.objects.filter(pk=inst.pk), empty_label=None) form.fields['institutionid'] = forms.ModelChoiceField(queryset=Institution.objects.filter(pk=inst.pk), empty_label=None)
UrlFormSet = generic_inlineformset_factory(URL_i18n, extra=2, can_delete=True) UrlFormSet = generic_inlineformset_factory(URL_i18n, extra=2, can_delete=True)
NameFormSet = generic_inlineformset_factory(Name_i18n, extra=2, can_delete=True) NameFormSet = generic_inlineformset_factory(Name_i18n, extra=2, can_delete=True)
...@@ -235,6 +246,9 @@ def add_services(request, service_pk): ...@@ -235,6 +246,9 @@ def add_services(request, service_pk):
form = ServiceLocForm(request_data) form = ServiceLocForm(request_data)
names_form = NameFormSet(request_data, prefix='namesform') names_form = NameFormSet(request_data, prefix='namesform')
urls_form = UrlFormSet(request_data, prefix='urlsform') urls_form = UrlFormSet(request_data, prefix='urlsform')
if service_pk:
messages.add_message(request, messages.ERROR, 'You have no rights to edit this location')
return HttpResponseRedirect(reverse("services"))
if form.is_valid() and names_form.is_valid() and urls_form.is_valid(): if form.is_valid() and names_form.is_valid() and urls_form.is_valid():
serviceloc = form.save() serviceloc = form.save()
...@@ -331,9 +345,13 @@ def add_server(request, server_pk): ...@@ -331,9 +345,13 @@ def add_server(request, server_pk):
form = InstServerForm(instance=server) form = InstServerForm(instance=server)
except InstServer.DoesNotExist: except InstServer.DoesNotExist:
form = InstServerForm() form = InstServerForm()
if server_pk:
messages.add_message(request, messages.ERROR, 'You have no rights to edit this server')
return HttpResponseRedirect(reverse("servers"))
form.fields['instid'] = forms.ModelChoiceField(queryset=Institution.objects.filter(pk=inst.pk), empty_label=None) form.fields['instid'] = forms.ModelChoiceField(queryset=Institution.objects.filter(pk=inst.pk), empty_label=None)
if server: if server:
edit = True edit = True
return render_to_response('edumanage/servers_edit.html', { 'form': form, 'edit': edit }, return render_to_response('edumanage/servers_edit.html', { 'form': form, 'edit': edit },
context_instance=RequestContext(request, base_response(request))) context_instance=RequestContext(request, base_response(request)))
elif request.method == 'POST': elif request.method == 'POST':
...@@ -343,6 +361,9 @@ def add_server(request, server_pk): ...@@ -343,6 +361,9 @@ def add_server(request, server_pk):
form = InstServerForm(request_data, instance=server) form = InstServerForm(request_data, instance=server)
except InstServer.DoesNotExist: except InstServer.DoesNotExist:
form = InstServerForm(request_data) form = InstServerForm(request_data)
if server_pk:
messages.add_message(request, messages.ERROR, 'You have no rights to edit this server')
return HttpResponseRedirect(reverse("servers"))
if form.is_valid(): if form.is_valid():
instserverf = form.save() instserverf = form.save()
...@@ -430,6 +451,9 @@ def add_realm(request, realm_pk): ...@@ -430,6 +451,9 @@ def add_realm(request, realm_pk):
form = InstRealmForm(instance=realm) form = InstRealmForm(instance=realm)
except InstRealm.DoesNotExist: except InstRealm.DoesNotExist:
form = InstRealmForm() form = InstRealmForm()
if realm_pk:
messages.add_message(request, messages.ERROR, 'You have no rights to edit this realm')
return HttpResponseRedirect(reverse("realms"))
form.fields['instid'] = forms.ModelChoiceField(queryset=Institution.objects.filter(pk=inst.pk), empty_label=None) form.fields['instid'] = forms.ModelChoiceField(queryset=Institution.objects.filter(pk=inst.pk), empty_label=None)
form.fields['proxyto'] = forms.ModelMultipleChoiceField(queryset=InstServer.objects.filter(pk__in=getInstServers(inst))) form.fields['proxyto'] = forms.ModelMultipleChoiceField(queryset=InstServer.objects.filter(pk__in=getInstServers(inst)))
if realm: if realm:
...@@ -443,7 +467,9 @@ def add_realm(request, realm_pk): ...@@ -443,7 +467,9 @@ def add_realm(request, realm_pk):
form = InstRealmForm(request_data, instance=realm) form = InstRealmForm(request_data, instance=realm)
except InstRealm.DoesNotExist: except InstRealm.DoesNotExist:
form = InstRealmForm(request_data) form = InstRealmForm(request_data)
if realm_pk:
messages.add_message(request, messages.ERROR, 'You have no rights to edit this realm')
return HttpResponseRedirect(reverse("realms"))
if form.is_valid(): if form.is_valid():
instserverf = form.save() instserverf = form.save()
return HttpResponseRedirect(reverse("realms")) return HttpResponseRedirect(reverse("realms"))
...@@ -533,6 +559,9 @@ def add_contact(request, contact_pk): ...@@ -533,6 +559,9 @@ def add_contact(request, contact_pk):
form = ContactForm(instance=contact) form = ContactForm(instance=contact)
except InstitutionContactPool.DoesNotExist: except InstitutionContactPool.DoesNotExist:
form = ContactForm() form = ContactForm()
if contact_pk:
messages.add_message(request, messages.ERROR, 'You have no rights to edit this contact')
return HttpResponseRedirect(reverse("contacts"))
if contact: if contact:
edit = True edit = True
return render_to_response('edumanage/contacts_edit.html', { 'form': form, "edit" : edit}, return render_to_response('edumanage/contacts_edit.html', { 'form': form, "edit" : edit},
...@@ -545,6 +574,9 @@ def add_contact(request, contact_pk): ...@@ -545,6 +574,9 @@ def add_contact(request, contact_pk):
form = ContactForm(request_data, instance=contact) form = ContactForm(request_data, instance=contact)
except InstitutionContactPool.DoesNotExist: except InstitutionContactPool.DoesNotExist:
form = ContactForm(request_data) form = ContactForm(request_data)
if contact_pk:
messages.add_message(request, messages.ERROR, 'You have no rights to edit this contact')
return HttpResponseRedirect(reverse("contacts"))
if form.is_valid(): if form.is_valid():
contact = form.save() contact = form.save()
...@@ -637,6 +669,9 @@ def add_instrealmmon(request, instrealmmon_pk): ...@@ -637,6 +669,9 @@ def add_instrealmmon(request, instrealmmon_pk):
form = InstRealmMonForm(instance=instrealmmon) form = InstRealmMonForm(instance=instrealmmon)
except InstRealmMon.DoesNotExist: except InstRealmMon.DoesNotExist:
form = InstRealmMonForm() form = InstRealmMonForm()
if instrealmmon_pk:
messages.add_message(request, messages.ERROR, 'You have no rights to edit this Monitoring Realm')
return HttpResponseRedirect(reverse("instrealmmon"))
if instrealmmon: if instrealmmon:
edit = True edit = True
form.fields['realm'] = forms.ModelChoiceField(queryset=InstRealm.objects.filter(instid=inst.pk).exclude(realm__startswith="*"), empty_label=None) form.fields['realm'] = forms.ModelChoiceField(queryset=InstRealm.objects.filter(instid=inst.pk).exclude(realm__startswith="*"), empty_label=None)
...@@ -649,6 +684,9 @@ def add_instrealmmon(request, instrealmmon_pk): ...@@ -649,6 +684,9 @@ def add_instrealmmon(request, instrealmmon_pk):
form = InstRealmMonForm(request_data, instance=instrealmmon) form = InstRealmMonForm(request_data, instance=instrealmmon)
except InstRealmMon.DoesNotExist: except InstRealmMon.DoesNotExist:
form = InstRealmMonForm(request_data) form = InstRealmMonForm(request_data)
if instrealmmon_pk:
messages.add_message(request, messages.ERROR, 'You have no rights to edit this Monitoring Realm')
return HttpResponseRedirect(reverse("instrealmmon"))
if form.is_valid(): if form.is_valid():
instrealmmonobj = form.save() instrealmmonobj = form.save()
return HttpResponseRedirect(reverse("instrealmmon")) return HttpResponseRedirect(reverse("instrealmmon"))
...@@ -682,8 +720,13 @@ def add_monlocauthpar(request, instrealmmon_pk, monlocauthpar_pk): ...@@ -682,8 +720,13 @@ def add_monlocauthpar(request, instrealmmon_pk, monlocauthpar_pk):
form = MonLocalAuthnParamForm(instance=monlocauthpar) form = MonLocalAuthnParamForm(instance=monlocauthpar)
except MonLocalAuthnParam.DoesNotExist: except MonLocalAuthnParam.DoesNotExist:
form = MonLocalAuthnParamForm() form = MonLocalAuthnParamForm()
if monlocauthpar_pk:
messages.add_message(request, messages.ERROR, 'You have no rights to edit this Monitoring Realm Parameters')
return HttpResponseRedirect(reverse("instrealmmon"))
except InstRealmMon.DoesNotExist: except InstRealmMon.DoesNotExist:
return HttpResponseRedirect(reverse("manage")) if instrealmmon_pk:
messages.add_message(request, messages.ERROR, 'You have no rights to edit this Monitoring Realm Parameters')
return HttpResponseRedirect(reverse("instrealmmon"))
if monlocauthpar: if monlocauthpar:
edit = True edit = True
form.fields['instrealmmonid'] = forms.ModelChoiceField(queryset=InstRealmMon.objects.filter(pk=instrealmmon.pk), empty_label=None) form.fields['instrealmmonid'] = forms.ModelChoiceField(queryset=InstRealmMon.objects.filter(pk=instrealmmon.pk), empty_label=None)
...@@ -697,8 +740,13 @@ def add_monlocauthpar(request, instrealmmon_pk, monlocauthpar_pk): ...@@ -697,8 +740,13 @@ def add_monlocauthpar(request, instrealmmon_pk, monlocauthpar_pk):
form = MonLocalAuthnParamForm(request_data, instance=monlocauthpar) form = MonLocalAuthnParamForm(request_data, instance=monlocauthpar)
except MonLocalAuthnParam.DoesNotExist: except MonLocalAuthnParam.DoesNotExist:
form = MonLocalAuthnParamForm(request_data) form = MonLocalAuthnParamForm(request_data)
if monlocauthpar_pk:
messages.add_message(request, messages.ERROR, 'You have no rights to edit this Monitoring Realm Parameters')
return HttpResponseRedirect(reverse("instrealmmon"))
except InstRealmMon.DoesNotExist: except InstRealmMon.DoesNotExist:
return HttpResponseRedirect(reverse("manage")) if instrealmmon_pk:
messages.add_message(request, messages.ERROR, 'You have no rights to edit this Monitoring Realm Parameters')
return HttpResponseRedirect(reverse("instrealmmon"))
if form.is_valid(): if form.is_valid():
monlocauthparobj = form.save() monlocauthparobj = form.save()
return HttpResponseRedirect(reverse("instrealmmon")) return HttpResponseRedirect(reverse("instrealmmon"))
......
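Review bot: The bare `except:` around `services = services.get(pk=service_pk)` in services() turns every failure — a database error, a malformed pk, a typo in that line — into the "no rights" redirect and hides real bugs; it should name the exception, `except ServiceLoc.DoesNotExist:` if `services` is a ServiceLoc queryset (its construction is outside the hunk). In add_monlocauthpar both `except InstRealmMon.DoesNotExist:` branches replaced the unconditional `return HttpResponseRedirect(reverse("manage"))` with one guarded by `if instrealmmon_pk:`; if the URL conf can pass a falsy instrealmmon_pk, the except branch now falls through to `InstRealmMon.objects.filter(pk=instrealmmon.pk)` with `instrealmmon` never bound, so the old redirect should be kept as the fallback after the guard. The same three-line "no rights" guard is pasted into add_services, add_server, add_realm, add_contact, add_instrealmmon and add_monlocauthpar twice each (GET and POST paths); a small helper taking the message and the redirect name would keep them consistent. The new message strings are plain literals while the surrounding code goes through `_()` and `{% trans %}`, so they will not be translated. All of the guarded functions start and end outside the hunks.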
...@@ -41,6 +41,10 @@ select, textarea, input[type="text"], input[type="password"], input[type="dateti ...@@ -41,6 +41,10 @@ select, textarea, input[type="text"], input[type="password"], input[type="dateti
margin-top: 5px; margin-top: 5px;
} }
.paramwell{
margin-bottom: 0px;
padding: 0px;
}
/* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * /* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
* *
......
...@@ -98,6 +98,13 @@ $("#delcontactSubmit").click(function(){ ...@@ -98,6 +98,13 @@ $("#delcontactSubmit").click(function(){
<h4>{% trans "Contacts" %}</h4> <h4>{% trans "Contacts" %}</h4>
<hr> <hr>
{% if messages %}
<table class="table table-condensed">
{% for message in messages %}
<tr {% if message.tags %} class="{{ message.tags }}"{% endif %}><td>{{ message }}<td></tr>
{% endfor %}
</table>
{% endif %}
<div><a href="{% url edit-contacts %}" class="btn btn-primary">{% trans "Add new contact" %}</a></div> <div><a href="{% url edit-contacts %}" class="btn btn-primary">{% trans "Add new contact" %}</a></div>
<div class="span10"></div> <div class="span10"></div>
{% if contacts %} {% if contacts %}
......
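Review bot: The message row added to the contacts template writes `<td>{{ message }}<td>` — the second tag opens a new cell instead of closing the first, so it should be `<td>{{ message }}</td>`. The identical block, with the same unclosed cell, is pasted into the institution, monitored-realms and servers templates in the sections below; fix it in all four. Since the block is the same everywhere, moving it into a shared include template would keep the markup in one place.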
...@@ -17,6 +17,13 @@ ...@@ -17,6 +17,13 @@
{% block subcontent %} {% block subcontent %}
<h4>{% trans "Institution" %}</h4> <h4>{% trans "Institution" %}</h4>
<hr> <hr>
{% if messages %}
<table class="table table-condensed">
{% for message in messages %}
<tr {% if message.tags %} class="{{ message.tags }}"{% endif %}><td>{{ message }}<td></tr>
{% endfor %}
</table>
{% endif %}
{% load tolocale %} {% load tolocale %}
{% if institution %} {% if institution %}
{% if institution.institutiondetails %} {% if institution.institutiondetails %}
......
...@@ -101,6 +101,14 @@ $("#delcontactSubmit").click(function(){ ...@@ -101,6 +101,14 @@ $("#delcontactSubmit").click(function(){
<h4>{% trans "Monitored Realms" %}</h4> <h4>{% trans "Monitored Realms" %}</h4>
<hr> <hr>
{% if messages %}
<table class="table table-condensed">
{% for message in messages %}
<tr {% if message.tags %} class="{{ message.tags }}"{% endif %}><td>{{ message }}<td></tr>
{% endfor %}
</table>
{% endif %}
<div><a href="{% url edit-instrealmmon %}" class="btn btn-primary">{% trans "Add monitored realm" %}</a></div> <div><a href="{% url edit-instrealmmon %}" class="btn btn-primary">{% trans "Add monitored realm" %}</a></div>
<div class="span10"></div> <div class="span10"></div>
{% if realms %} {% if realms %}
...@@ -132,19 +140,28 @@ $("#delcontactSubmit").click(function(){ ...@@ -132,19 +140,28 @@ $("#delcontactSubmit").click(function(){
</td> </td>
<td style="text-align: center;"> <td style="text-align: center;">
{% if realm.monlocalauthnparam %} {% if realm.monlocalauthnparam %}
<a href="{% url edit-monlocauthpar realm.pk realm.monlocalauthnparam.pk %}" class="btn btn-small">{% trans "edit" %}</a> <div class="well paramwell">
<a href="{% url edit-monlocauthpar realm.pk realm.monlocalauthnparam.pk %}" class="btn btn-small btn-warning">{% trans "delete" %}</a> <div class="row">
<hr> <div class="span6">
<dl class="dl-horizontal" style=" text-align: left;">
<dt>Method</dt> <dl class="dl-horizontal" style=" text-align: left;">
<dd>{{realm.monlocalauthnparam.get_eap_method_display}}</dd> <dt>Method</dt>
<dt>Phase 2</dt> <dd>{{realm.monlocalauthnparam.get_eap_method_display}}</dd>
<dd>{{realm.monlocalauthnparam.get_phase2_display}}</dd> <dt>Phase 2</dt>
<dt>Username</dt> <dd>{{realm.monlocalauthnparam.get_phase2_display}}</dd>
<dd>{{realm.monlocalauthnparam.username}}</dd> <dt>Username</dt>
</dl> <dd>{{realm.monlocalauthnparam.username}}</dd>
</dl>
</div>
<div class="span6">
<a href="{% url edit-monlocauthpar realm.pk realm.monlocalauthnparam.pk %}" class="btn btn-mini">{% trans "edit" %}</a>
<a href="{% url edit-monlocauthpar realm.pk realm.monlocalauthnparam.pk %}" class="btn btn-mini btn-warning">{% trans "delete" %}</a>
</div>
</div>
{% else %} {% else %}
{% if not realm.monlocalauthnparam %}<a href="{% url edit-monlocauthpar realm.pk %}" class="btn btn-small">{% trans "add" %}</a>{% endif %} {% if not realm.monlocalauthnparam %}<a href="{% url edit-monlocauthpar realm.pk %}" class="btn btn-mini btn-primary">{% trans "add" %}</a>{% endif %}
{% endif %} {% endif %}
</td> </td>
...@@ -167,6 +184,20 @@ $("#delcontactSubmit").click(function(){ ...@@ -167,6 +184,20 @@ $("#delcontactSubmit").click(function(){
<button class="btn" data-dismiss="modal" aria-hidden="true">{% trans "Cancel" %}</button> <button class="btn" data-dismiss="modal" aria-hidden="true">{% trans "Cancel" %}</button>
<a class="btn btn-warning" id="delcontactSubmit" href="#">{% trans "Delete" %}</a> <a class="btn btn-warning" id="delcontactSubmit" href="#">{% trans "Delete" %}</a>
</div> </div>
</div>
<div class="modal hide fade" id="myModal2" tabindex="-1" role="dialog" aria-labelledby="myModalLabel" aria-hidden="true">
<div class="modal-header">
<button type="button" class="close" data-dismiss="modal" aria-hidden="true">×</button>
<h3 id="myModalLabel2">{% trans "Delete monitored realm" %}</h3>
</div>
<div class="modal-body" id="mymodalbody2">
</div>
<div class="modal-footer">
<button class="btn" data-dismiss="modal" aria-hidden="true">{% trans "Cancel" %}</button>
<a class="btn btn-warning" id="delcontactSubmit2" href="#">{% trans "Delete" %}</a>
</div>
</div> </div>
{% endblock %} {% endblock %}
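Review bot: The new modal `id="myModal2"` sets `aria-labelledby="myModalLabel"`, which is the id of the first modal's heading, while its own heading is `id="myModalLabel2"`; it should read `aria-labelledby="myModalLabel2"`. In the same section the rewritten delete button still links to `{% url edit-monlocauthpar realm.pk realm.monlocalauthnparam.pk %}`, the same target as the edit button beside it, so it opens the edit form rather than a delete flow; presumably it is meant to open `#myModal2` and be confirmed by `#delcontactSubmit2`, but the script wiring that up is outside the hunk. Naming that button `delcontactSubmit2` on a page that deletes monitored-realm parameters, not contacts, is also easy to misread; a name that says what it deletes would help.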
...@@ -102,6 +102,13 @@ $("#delserverSubmit").click(function(){ ...@@ -102,6 +102,13 @@ $("#delserverSubmit").click(function(){
<h4>{% trans "Servers" %}</h4> <h4>{% trans "Servers" %}</h4>
<hr> <hr>
{% if messages %}
<table class="table table-condensed">
{% for message in messages %}
<tr {% if message.tags %} class="{{ message.tags }}"{% endif %}><td>{{ message }}<td></tr>
{% endfor %}
</table>
{% endif %}
<div><a href="{% url edit-servers %}" class="btn btn-primary">{% trans "Add new server" %}</a></div> <div><a href="{% url edit-servers %}" class="btn btn-primary">{% trans "Add new server" %}</a></div>
<div class="span10"></div> <div class="span10"></div>
{% if servers %} {% if servers %}
......