mirror of
https://gitlab.com/allianceauth/allianceauth.git
synced 2026-02-10 09:06:21 +01:00
Close security loopholes to make non-superuser admins usable
This commit is contained in:
Erik Kalkoken
Ariel Rin
@@ -1,19 +1,20 @@
|
||||
from django import forms
|
||||
from django.apps import apps
|
||||
from django.contrib.auth.models import Permission
|
||||
from django.contrib import admin
|
||||
from django.contrib.auth.models import Group as BaseGroup, User
|
||||
from django.core.exceptions import ValidationError
|
||||
from django.contrib.auth.models import Group as BaseGroup
|
||||
from django.contrib.auth.models import Permission, User
|
||||
from django.db.models import Count
|
||||
from django.db.models.functions import Lower
|
||||
from django.db.models.signals import pre_save, post_save, pre_delete, \
|
||||
post_delete, m2m_changed
|
||||
from django.db.models.signals import (
|
||||
m2m_changed,
|
||||
post_delete,
|
||||
post_save,
|
||||
pre_delete,
|
||||
pre_save
|
||||
)
|
||||
from django.dispatch import receiver
|
||||
from django.utils.timezone import now
|
||||
from django.utils.translation import gettext_lazy as _
|
||||
|
||||
from .models import AuthGroup, ReservedGroupName
|
||||
from .models import GroupRequest
|
||||
from .forms import GroupAdminForm, ReservedGroupNameAdminForm
|
||||
from .models import AuthGroup, GroupRequest, ReservedGroupName
|
||||
|
||||
if 'eve_autogroups' in apps.app_configs:
|
||||
_has_auto_groups = True
|
||||
@@ -28,10 +29,12 @@ class AuthGroupInlineAdmin(admin.StackedInline):
|
||||
'description',
|
||||
'group_leaders',
|
||||
'group_leader_groups',
|
||||
'states', 'internal',
|
||||
'states',
|
||||
'internal',
|
||||
'hidden',
|
||||
'open',
|
||||
'public'
|
||||
'public',
|
||||
'restricted',
|
||||
)
|
||||
verbose_name_plural = 'Auth Settings'
|
||||
verbose_name = ''
|
||||
@@ -50,6 +53,11 @@ class AuthGroupInlineAdmin(admin.StackedInline):
|
||||
def has_change_permission(self, request, obj=None):
|
||||
return request.user.has_perm('auth.change_group')
|
||||
|
||||
def get_readonly_fields(self, request, obj=None):
|
||||
if not request.user.is_superuser:
|
||||
return self.readonly_fields + ("restricted",)
|
||||
return self.readonly_fields
|
||||
|
||||
|
||||
if _has_auto_groups:
|
||||
class IsAutoGroupFilter(admin.SimpleListFilter):
|
||||
@@ -96,17 +104,6 @@ class HasLeaderFilter(admin.SimpleListFilter):
|
||||
return queryset
|
||||
|
||||
|
||||
class GroupAdminForm(forms.ModelForm):
|
||||
def clean_name(self):
|
||||
my_name = self.cleaned_data['name']
|
||||
if ReservedGroupName.objects.filter(name__iexact=my_name).exists():
|
||||
raise ValidationError(
|
||||
_("This name has been reserved and can not be used for groups."),
|
||||
code='reserved_name'
|
||||
)
|
||||
return my_name
|
||||
|
||||
|
||||
class GroupAdmin(admin.ModelAdmin):
|
||||
form = GroupAdminForm
|
||||
list_select_related = ('authgroup',)
|
||||
@@ -143,17 +140,14 @@ class GroupAdmin(admin.ModelAdmin):
|
||||
def _description(self, obj):
|
||||
return obj.authgroup.description
|
||||
|
||||
@admin.display(description="Members", ordering="member_count")
|
||||
def _member_count(self, obj):
|
||||
return obj.member_count
|
||||
|
||||
_member_count.short_description = 'Members'
|
||||
_member_count.admin_order_field = 'member_count'
|
||||
|
||||
@admin.display(boolean=True)
|
||||
def has_leader(self, obj):
|
||||
return obj.authgroup.group_leaders.exists() or obj.authgroup.group_leader_groups.exists()
|
||||
|
||||
has_leader.boolean = True
|
||||
|
||||
def _properties(self, obj):
|
||||
properties = list()
|
||||
if _has_auto_groups and (
|
||||
@@ -172,11 +166,10 @@ class GroupAdmin(admin.ModelAdmin):
|
||||
properties.append('Public')
|
||||
if not properties:
|
||||
properties.append('Default')
|
||||
|
||||
if obj.authgroup.restricted:
|
||||
properties.append('Restricted')
|
||||
return properties
|
||||
|
||||
_properties.short_description = "properties"
|
||||
|
||||
filter_horizontal = ('permissions',)
|
||||
inlines = (AuthGroupInlineAdmin,)
|
||||
|
||||
@@ -192,6 +185,11 @@ class GroupAdmin(admin.ModelAdmin):
|
||||
ag_instance.save()
|
||||
formset.save()
|
||||
|
||||
def get_readonly_fields(self, request, obj=None):
|
||||
if not request.user.is_superuser:
|
||||
return self.readonly_fields + ("permissions",)
|
||||
return self.readonly_fields
|
||||
|
||||
|
||||
class Group(BaseGroup):
|
||||
class Meta:
|
||||
@@ -216,33 +214,10 @@ class GroupRequestAdmin(admin.ModelAdmin):
|
||||
'leave_request',
|
||||
)
|
||||
|
||||
@admin.display(boolean=True, description="is leave request")
|
||||
def _leave_request(self, obj) -> True:
|
||||
return obj.leave_request
|
||||
|
||||
_leave_request.short_description = 'is leave request'
|
||||
_leave_request.boolean = True
|
||||
|
||||
|
||||
class ReservedGroupNameAdminForm(forms.ModelForm):
|
||||
def __init__(self, *args, **kwargs):
|
||||
super().__init__(*args, **kwargs)
|
||||
self.fields['created_by'].initial = self.current_user.username
|
||||
self.fields['created_at'].initial = _("(auto)")
|
||||
|
||||
created_by = forms.CharField(disabled=True)
|
||||
created_at = forms.CharField(disabled=True)
|
||||
|
||||
def clean_name(self):
|
||||
my_name = self.cleaned_data['name'].lower()
|
||||
if Group.objects.filter(name__iexact=my_name).exists():
|
||||
raise ValidationError(
|
||||
_("There already exists a group with that name."), code='already_exists'
|
||||
)
|
||||
return my_name
|
||||
|
||||
def clean_created_at(self):
|
||||
return now()
|
||||
|
||||
|
||||
@admin.register(ReservedGroupName)
|
||||
class ReservedGroupNameAdmin(admin.ModelAdmin):
|
||||
|
||||
39
allianceauth/groupmanagement/forms.py
Normal file
39
allianceauth/groupmanagement/forms.py
Normal file
@@ -0,0 +1,39 @@
|
||||
from django import forms
|
||||
from django.contrib.auth.models import Group
|
||||
from django.core.exceptions import ValidationError
|
||||
from django.utils.timezone import now
|
||||
from django.utils.translation import gettext_lazy as _
|
||||
|
||||
from .models import ReservedGroupName
|
||||
|
||||
|
||||
class GroupAdminForm(forms.ModelForm):
|
||||
def clean_name(self):
|
||||
my_name = self.cleaned_data['name']
|
||||
if ReservedGroupName.objects.filter(name__iexact=my_name).exists():
|
||||
raise ValidationError(
|
||||
_("This name has been reserved and can not be used for groups."),
|
||||
code='reserved_name'
|
||||
)
|
||||
return my_name
|
||||
|
||||
|
||||
class ReservedGroupNameAdminForm(forms.ModelForm):
|
||||
def __init__(self, *args, **kwargs):
|
||||
super().__init__(*args, **kwargs)
|
||||
self.fields['created_by'].initial = self.current_user.username
|
||||
self.fields['created_at'].initial = _("(auto)")
|
||||
|
||||
created_by = forms.CharField(disabled=True)
|
||||
created_at = forms.CharField(disabled=True)
|
||||
|
||||
def clean_name(self):
|
||||
my_name = self.cleaned_data['name'].lower()
|
||||
if Group.objects.filter(name__iexact=my_name).exists():
|
||||
raise ValidationError(
|
||||
_("There already exists a group with that name."), code='already_exists'
|
||||
)
|
||||
return my_name
|
||||
|
||||
def clean_created_at(self):
|
||||
return now()
|
||||
@@ -0,0 +1,18 @@
|
||||
# Generated by Django 3.2.10 on 2022-04-08 19:30
|
||||
|
||||
from django.db import migrations, models
|
||||
|
||||
|
||||
class Migration(migrations.Migration):
|
||||
|
||||
dependencies = [
|
||||
('groupmanagement', '0018_reservedgroupname'),
|
||||
]
|
||||
|
||||
operations = [
|
||||
migrations.AddField(
|
||||
model_name='authgroup',
|
||||
name='restricted',
|
||||
field=models.BooleanField(default=False, help_text='Group is restricted. This means that adding or removing users for this group requires a superuser admin.'),
|
||||
),
|
||||
]
|
||||
@@ -13,6 +13,7 @@ from allianceauth.notifications import notify
|
||||
|
||||
class GroupRequest(models.Model):
|
||||
"""Request from a user for joining or leaving a group."""
|
||||
|
||||
leave_request = models.BooleanField(default=0)
|
||||
user = models.ForeignKey(User, on_delete=models.CASCADE)
|
||||
group = models.ForeignKey(Group, on_delete=models.CASCADE)
|
||||
@@ -44,6 +45,7 @@ class GroupRequest(models.Model):
|
||||
|
||||
class RequestLog(models.Model):
|
||||
"""Log entry about who joined and left a group and who approved it."""
|
||||
|
||||
request_type = models.BooleanField(null=True)
|
||||
group = models.ForeignKey(Group, on_delete=models.CASCADE)
|
||||
request_info = models.CharField(max_length=254)
|
||||
@@ -95,6 +97,7 @@ class AuthGroup(models.Model):
|
||||
Open - Users are automatically accepted into the group
|
||||
Not Open - Users requests must be approved before they are added to the group
|
||||
"""
|
||||
|
||||
group = models.OneToOneField(Group, on_delete=models.CASCADE, primary_key=True)
|
||||
internal = models.BooleanField(
|
||||
default=True,
|
||||
@@ -126,6 +129,13 @@ class AuthGroup(models.Model):
|
||||
"are no longer authenticated."
|
||||
)
|
||||
)
|
||||
restricted = models.BooleanField(
|
||||
default=False,
|
||||
help_text=_(
|
||||
"Group is restricted. This means that adding or removing users "
|
||||
"for this group requires a superuser admin."
|
||||
)
|
||||
)
|
||||
group_leaders = models.ManyToManyField(
|
||||
User,
|
||||
related_name='leads_groups',
|
||||
@@ -185,6 +195,7 @@ class ReservedGroupName(models.Model):
|
||||
|
||||
This enables AA to ignore groups on other services (e.g. Discord) with that name.
|
||||
"""
|
||||
|
||||
name = models.CharField(
|
||||
_('name'),
|
||||
max_length=150,
|
||||
|
||||
@@ -1,5 +1,7 @@
|
||||
from unittest.mock import patch
|
||||
|
||||
from django_webtest import WebTest
|
||||
|
||||
from django.conf import settings
|
||||
from django.contrib import admin
|
||||
from django.contrib.admin.sites import AdminSite
|
||||
@@ -10,8 +12,10 @@ from allianceauth.authentication.models import CharacterOwnership, State
|
||||
from allianceauth.eveonline.models import (
|
||||
EveCharacter, EveCorporationInfo, EveAllianceInfo
|
||||
)
|
||||
from ..admin import HasLeaderFilter, GroupAdmin, Group
|
||||
from allianceauth.tests.auth_utils import AuthUtils
|
||||
|
||||
from . import get_admin_change_view_url
|
||||
from ..admin import HasLeaderFilter, GroupAdmin, Group
|
||||
from ..models import ReservedGroupName
|
||||
|
||||
|
||||
@@ -33,7 +37,6 @@ class MockRequest:
|
||||
|
||||
|
||||
class TestGroupAdmin(TestCase):
|
||||
|
||||
@classmethod
|
||||
def setUpClass(cls):
|
||||
super().setUpClass()
|
||||
@@ -468,6 +471,74 @@ class TestGroupAdmin(TestCase):
|
||||
self.assertFalse(Group.objects.filter(name="new group").exists())
|
||||
|
||||
|
||||
class TestGroupAdminChangeFormSuperuserExclusiveEdits(WebTest):
|
||||
@classmethod
|
||||
def setUpClass(cls) -> None:
|
||||
super().setUpClass()
|
||||
cls.super_admin = User.objects.create_superuser("super_admin")
|
||||
cls.staff_admin = User.objects.create_user("staff_admin")
|
||||
cls.staff_admin.is_staff = True
|
||||
cls.staff_admin.save()
|
||||
cls.staff_admin = AuthUtils.add_permissions_to_user_by_name(
|
||||
[
|
||||
"auth.add_group",
|
||||
"auth.change_group",
|
||||
"auth.view_group",
|
||||
"groupmanagement.add_group",
|
||||
"groupmanagement.change_group",
|
||||
"groupmanagement.view_group",
|
||||
],
|
||||
cls.staff_admin
|
||||
)
|
||||
cls.superuser_exclusive_fields = ["permissions", "authgroup-0-restricted"]
|
||||
|
||||
def test_should_show_all_fields_to_superuser_for_add(self):
|
||||
# given
|
||||
self.app.set_user(self.super_admin)
|
||||
page = self.app.get("/admin/groupmanagement/group/add/")
|
||||
# when
|
||||
form = page.forms["group_form"]
|
||||
# then
|
||||
for field in self.superuser_exclusive_fields:
|
||||
with self.subTest(field=field):
|
||||
self.assertIn(field, form.fields)
|
||||
|
||||
def test_should_not_show_all_fields_to_staff_admins_for_add(self):
|
||||
# given
|
||||
self.app.set_user(self.staff_admin)
|
||||
page = self.app.get("/admin/groupmanagement/group/add/")
|
||||
# when
|
||||
form = page.forms["group_form"]
|
||||
# then
|
||||
for field in self.superuser_exclusive_fields:
|
||||
with self.subTest(field=field):
|
||||
self.assertNotIn(field, form.fields)
|
||||
|
||||
def test_should_show_all_fields_to_superuser_for_change(self):
|
||||
# given
|
||||
self.app.set_user(self.super_admin)
|
||||
group = Group.objects.create(name="Dummy group")
|
||||
page = self.app.get(f"/admin/groupmanagement/group/{group.pk}/change/")
|
||||
# when
|
||||
form = page.forms["group_form"]
|
||||
# then
|
||||
for field in self.superuser_exclusive_fields:
|
||||
with self.subTest(field=field):
|
||||
self.assertIn(field, form.fields)
|
||||
|
||||
def test_should_not_show_all_fields_to_staff_admin_for_change(self):
|
||||
# given
|
||||
self.app.set_user(self.staff_admin)
|
||||
group = Group.objects.create(name="Dummy group")
|
||||
page = self.app.get(f"/admin/groupmanagement/group/{group.pk}/change/")
|
||||
# when
|
||||
form = page.forms["group_form"]
|
||||
# then
|
||||
for field in self.superuser_exclusive_fields:
|
||||
with self.subTest(field=field):
|
||||
self.assertNotIn(field, form.fields)
|
||||
|
||||
|
||||
class TestReservedGroupNameAdmin(TestCase):
|
||||
@classmethod
|
||||
def setUpClass(cls):
|
||||
|
||||
Reference in New Issue
Block a user