From d60db93b8507a95537c3e889aab777ffb9d27f40 Mon Sep 17 00:00:00 2001
From: Leonidas Poulopoulos <leopoul@noc.grnet.gr>
Date: Fri, 2 Mar 2012 15:19:28 +0200
Subject: [PATCH] Bug fixes related to Shib auth

---
 ChangeLog | 8 ++++++++
 djangobackends/shibauthBackend.py | 7 +++----
 flowspec/views.py | 21 ++++++++++++++++-----
 templates/error.html | 2 +-
 4 files changed, 28 insertions(+), 10 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 66eebda..0d0c05d 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,11 @@
+===========
+0.8.4 RELEASE
+Vulnerability prevention/bug fixes release
+Fixes:
+ - Fixed a bug where the shib auth backend erased non-shibboleth users info
+ - Added an authsource variable to prevent authentication backend overlapping
+ - Added exception handling for non-Shibboleth users that do not belong to a peer
+
 ===========
 0.8.3 RELEASE
 Feature enhancement release
diff --git a/djangobackends/shibauthBackend.py b/djangobackends/shibauthBackend.py
index 6ed5442..c262bae 100644
--- a/djangobackends/shibauthBackend.py
+++ b/djangobackends/shibauthBackend.py
@@ -10,6 +10,9 @@ class shibauthBackend:
 firstname = kwargs.get('firstname')
 lastname = kwargs.get('lastname')
 mail = kwargs.get('mail')
+ authsource = kwargs.get('authsource')
+ if authsource != 'shibboleth':
+ return None
 try:
 user = self._auth_user(username, firstname, lastname, mail)
 except:
@@ -22,10 +25,6 @@ class shibauthBackend:
 try:
 user = User.objects.get(username__exact=username)
- user.email = mail
- user.first_name = firstname
- user.last_name = lastname
- user.save()
 # The user did not exist. Create one with no privileges
 except:
 user = User.objects.create_user(username, mail, None)
diff --git a/flowspec/views.py b/flowspec/views.py
index 1502e61..f579ed4 100644
--- a/flowspec/views.py
+++ b/flowspec/views.py
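Review bot: The new `authsource` guard is only as strong as its callers, because Django's `authenticate()` hands the same kwargs to every configured backend and, as far as this hunk shows, `_auth_user` then trusts `username` outright with no credential check — any view that forwarded request-controlled kwargs together with `authsource='shibboleth'` would get a user created and returned for an arbitrary username. That contract should be stated next to the guard, e.g. `# 'authsource' is a caller-set discriminator, not proof of a Shibboleth session: only the Shibboleth login view may pass authsource='shibboleth', after the SP has populated the attributes`. It is also worth rejecting a missing or empty username up front with `if not username: return None` instead of leaving that case to the bare `except:` below. `authenticate`'s signature and the rest of its body lie outside the hunk.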
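Review bot: With the profile update removed, the bare `except:` around `User.objects.get(username__exact=username)` is now the sole test for "user does not exist", yet it fires on any exception at all — a transient database error during `get()` would fall straight into `create_user(username, mail, None)`, turning an outage into an account-creation path. Narrow it to `except User.DoesNotExist:` so only the genuine missing-user case creates an account. A short comment that the `None` password is intended to leave the account with an unusable password (so it cannot be used through a password backend; confirm against the Django version in use) would also help the next reader. `_auth_user`'s signature is above the hunk, so the surrounding try block may extend beyond what is shown.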
@@ -63,12 +63,16 @@ def welcome(request):
 @never_cache
 def group_routes(request):
 group_routes = []
- peer = request.user.get_profile().peer
+ try:
+ peer = request.user.get_profile().peer
+ except UserProfile.DoesNotExist:
+ error = "User <strong>%s</strong> does not belong to any peer or organization. It is not possible to create new firewall rules.<br>Please contact Helpdesk to resolve this issue" % request.user.username
+ return render_to_response('error.html', {'error': error})
 if peer:
 peer_members = UserProfile.objects.filter(peer=peer)
 users = [prof.user for prof in peer_members]
 group_routes = Route.objects.filter(applier__in=users)
- return render_to_response('user_routes.html', {'routes': group_routes},
+ return render_to_response('user_routes.html', {'routes': group_routes},
 context_instance=RequestContext(request))
@@ -207,8 +211,11 @@ def delete_route(request, route_slug):
 @never_cache
 def user_profile(request):
 user = request.user
- peer = request.user.get_profile().peer
-
+ try:
+ peer = request.user.get_profile().peer
+ except UserProfile.DoesNotExist:
+ error = "User <strong>%s</strong> does not belong to any peer or organization. It is not possible to create new firewall rules.<br>Please contact Helpdesk to resolve this issue" % user.username
+ return render_to_response('error.html', {'error': error})
 return render_to_response('profile.html', {'user': user, 'peer':peer},
 context_instance=RequestContext(request))
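Review bot: The new error branch in `group_routes` renders `error.html` without `context_instance=RequestContext(request)`, unlike the success path a few lines below, so the context processors do not run and the template's `{% if user.is_authenticated %}` navigation (visible in the `templates/error.html` hunk of this same patch) will treat a logged-in user as anonymous. The message also splices `request.user.username` directly into markup (`<strong>…</strong>`, `<br>`); if `error.html` renders `error` with `|safe` or autoescaping off — which the embedded tags suggest is the intent — a username containing markup lands in the page unescaped, and even an IdP-supplied username is a trust boundary worth respecting. I would write `error = "User <strong>%s</strong> … Please contact Helpdesk to resolve this issue" % escape(request.user.username)` and `return render_to_response('error.html', {'error': error}, context_instance=RequestContext(request))`, importing `escape` from `django.utils.html` at the top of the file. Note that a profile that exists but has `peer=None` does not reach this page at all; it falls through `if peer:` and renders an empty rule list, which may or may not be the intended distinction.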
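Review bot: The `except UserProfile.DoesNotExist:` branch added to `user_profile` is a verbatim copy of the one added to `group_routes` above, down to the long HTML message and the `render_to_response` call that omits `context_instance=RequestContext(request)` while the success path directly below it passes it, so the error page loses the request context processors in both views. Pulling the branch into one module-level helper keeps the two messages in sync and gives a single place to escape the username before it is interpolated into markup. A sketch follows; `escape` would come from `django.utils.html` at the top of the file, which is outside this hunk.
```python
def _no_peer_response(request):
    # Shared error page for views that require the user to belong to a peer.
    # The username is escaped because the message is rendered as markup.
    error = ("User <strong>%s</strong> does not belong to any peer or organization. "
             "It is not possible to create new firewall rules.<br>"
             "Please contact Helpdesk to resolve this issue") % escape(request.user.username)
    return render_to_response('error.html', {'error': error},
                              context_instance=RequestContext(request))


@never_cache
def user_profile(request):
    user = request.user
    try:
        peer = user.get_profile().peer
    except UserProfile.DoesNotExist:
        return _no_peer_response(request)
    # … unchanged: render profile.html with user and peer …
```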
@@ -250,10 +257,14 @@ def user_login(request):
 context_instance=RequestContext(request))
 try:
 user = User.objects.get(username__exact=username)
+ user.email = mail
+ user.first_name = firstname
+ user.last_name = lastname
+ user.save()
 user_exists = True
 except:
 user_exists = False
- user = authenticate(username=username, firstname=firstname, lastname=lastname, mail=mail)
+ user = authenticate(username=username, firstname=firstname, lastname=lastname, mail=mail, authsource='shibboleth')
 if user is not None:
 try:
 peer = Peer.objects.get(domain_name=organization)
diff --git a/templates/error.html b/templates/error.html
index a6a79e2..e9bc4e8 100644
--- a/templates/error.html
+++ b/templates/error.html
@@ -73,7 +73,7 @@ $(document).ready(function(){
 </div>
 <div id="content">
 {% block brcrmb_container %}
- <div class="info_content_title">{% if user.is_authenticated %}<a href="{% url group-routes %}">{% trans "My routes" %}</a>{% endif %}
+ <div class="info_content_title">{% if user.is_authenticated %}<a href="{% url group-routes %}">{% trans "My rules" %}</a>{% endif %}
 {% block breadcrumbs %}{% endblock %}
 </div>
--
GitLab
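Review bot: The added `user.email = mail … user.save()` block writes to the database before `authenticate()` has accepted the login, and it sits inside a bare `except:` whose only job was to detect a missing user, so a failed `save()` (for instance an `IntegrityError` if one of the attributes is `None` — where they are read is outside this hunk) is silently reported as `user_exists = False`. It also overwrites the name and e-mail of whatever existing account carries that `username`, whether or not it was ever a Shibboleth account, which is the very problem the ChangeLog entry says this release fixes in the backend. Since the new `authsource` guard means the Shibboleth backend now serves only this view, the attribute refresh can move after `if user is not None:`, where it touches only an account the backend has just vouched for, and the `except` can narrow to `User.DoesNotExist`. `user_login` begins before and continues after this hunk, so only the relevant lines are sketched below.
```python
    try:
        user = User.objects.get(username__exact=username)
        user_exists = True
    except User.DoesNotExist:
        user_exists = False
    user = authenticate(username=username, firstname=firstname, lastname=lastname,
                        mail=mail, authsource='shibboleth')
    if user is not None:
        # Refresh the Shibboleth-supplied attributes only once the backend has
        # accepted this login, so a rejected authenticate() leaves the DB untouched.
        user.email = mail
        user.first_name = firstname
        user.last_name = lastname
        user.save()
        # … unchanged: peer lookup by organization and the rest of the login flow …
```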