Refuse to edit user primary groups

This commit is contained in:
Alexandre Aubin 2019-09-11 03:30:51 +02:00
parent 97c637f44c
commit 112976f8ee
2 changed files with 26 additions and 22 deletions

View file

@ -196,7 +196,6 @@
"dyndns_registration_failed": "Unable to register DynDNS domain: {error:s}",
"dyndns_domain_not_provided": "Dyndns provider {provider:s} cannot provide domain {domain:s}.",
"dyndns_unavailable": "Domain {domain:s} is not available.",
"edit_group_not_allowed": "You are not allowed to edit the group {group:s}",
"edit_permission_with_group_all_users_not_allowed": "You are not allowed to edit permission for group 'all_users', use 'yunohost user permission clear APP' or 'yunohost user permission add APP -u USER' instead.",
"error_when_removing_sftpuser_group": "Error when trying remove sftpusers group",
"executing_command": "Executing command '{command:s}'…",
@ -235,9 +234,10 @@
"group_name_already_exist": "Group {name:s} already exist",
"group_created": "Group '{group}' successfully created",
"group_creation_failed": "Group creation failed for group '{group}'",
"group_cannot_be_edited": "The group {group:s} cannot be edited manually.",
"group_cannot_be_deleted": "The group {group:s} cannot be deleted manually.",
"group_deleted": "Group '{group}' deleted",
"group_deletion_failed": "Group '{group} 'deletion failed",
"group_deletion_not_allowed": "The group {group:s} cannot be deleted manually.",
"group_info_failed": "Group info failed",
"group_unknown": "Group {group:s} unknown",
"group_updated": "Group '{group}' updated",
@ -449,7 +449,6 @@
"port_unavailable": "Port {port:d} is not available",
"recommend_to_add_first_user": "The post-install is finished but YunoHost needs at least one user to work correctly, you should add one using 'yunohost user create <username>' or the admin interface.",
"remove_main_permission_not_allowed": "Removing the main permission is not allowed",
"remove_user_of_group_not_allowed": "You are not allowed to remove the user {user:s} in the group {group:s}",
"regenconf_file_backed_up": "The configuration file '{conf}' has been backed up to '{backup}'",
"regenconf_file_copy_failed": "Unable to copy the new configuration file '{new}' to '{conf}'",
"regenconf_file_kept_back": "The configuration file '{conf}' is expected to be deleted by regen-conf (category {category}) but has been kept back.",

View file

@ -219,8 +219,7 @@ def user_create(operation_logger, username, firstname, lastname, mail, password,
exc_info=1)
# Create group for user and add to group 'all_users'
user_group_create(groupname=username, gid=uid, sync_perm=False)
user_group_update(groupname=username, add=username, force=True, sync_perm=False)
user_group_create(groupname=username, gid=uid, primary_group=True, sync_perm=False)
user_group_update(groupname='all_users', add=username, force=True, sync_perm=True)
# TODO: Send a welcome mail to user
@ -533,7 +532,7 @@ def user_group_list(names_only=False, full=False):
@is_unit_operation([('groupname', 'user')])
def user_group_create(operation_logger, groupname, gid=None, sync_perm=True):
def user_group_create(operation_logger, groupname, gid=None, primary_group=False, sync_perm=True):
"""
Create group
@ -575,6 +574,12 @@ def user_group_create(operation_logger, groupname, gid=None, sync_perm=True):
'gidNumber': gid,
}
# Here we handle the creation of a primary group
# We want to initialize this group to contain the corresponding user
# (then we won't be able to add/remove any user in this group)
if primary_group:
attr_dict["member"] = ["uid=" + groupname + ",ou=users,dc=yunohost,dc=org"]
if ldap.add('cn=%s,ou=groups' % groupname, attr_dict):
logger.success(m18n.n('group_created', group=groupname))
if sync_perm:
@ -596,9 +601,14 @@ def user_group_delete(operation_logger, groupname, force=False, sync_perm=True):
from yunohost.permission import permission_sync_to_user
from yunohost.utils.ldap import _get_ldap_interface
forbidden_groups = ["all_users", "admins"] + user_list(fields=['uid'])['users'].keys()
if not force and groupname in forbidden_groups:
raise YunohostError('group_deletion_not_allowed', group=groupname)
# Refuse to delete primary groups of a user (e.g. group 'sam' related to user 'sam')
# without the force option...
#
# We also can't delete "all_users" because that's a special group...
existing_users = user_list()['users'].keys()
undeletable_groups = existing_users + ["all_users", "admins"]
if groupname in undeletable_groups and not force:
raise YunohostError('group_cannot_be_deleted', group=groupname)
operation_logger.start()
ldap = _get_ldap_interface()
@ -625,19 +635,18 @@ def user_group_update(operation_logger, groupname, add=None, remove=None, force=
from yunohost.permission import permission_sync_to_user
from yunohost.utils.ldap import _get_ldap_interface
# FIXME : we should also refuse to edit the main group of a user (e.g. group 'sam' related to user 'sam')
if (groupname == 'all_users' or groupname == 'admins') and not force:
raise YunohostError('edit_group_not_allowed', group=groupname)
ldap = _get_ldap_interface()
# Refuse to edit a primary group of a user (e.g. group 'sam' related to user 'sam')
# Those kind of group should only ever contain the user (e.g. sam) and only this one.
# We also can't edit "all_users" without the force option because that's a special group...
existing_users = user_list()['users'].keys()
uneditable_groups = existing_users + ["all_users", "admins"]
if groupname in uneditable_groups and not force:
raise YunohostError('group_cannot_be_edited', group=groupname)
# We extract the uid for each member of the group to keep a simple flat list of members
current_group = user_group_info(groupname)["members"]
new_group = copy.copy(current_group)
existing_users = user_list()['users'].keys()
if add:
users_to_add = [add] if not isinstance(add, list) else add
@ -654,11 +663,6 @@ def user_group_update(operation_logger, groupname, add=None, remove=None, force=
users_to_remove = [remove] if not isinstance(remove, list) else remove
for user in users_to_remove:
if user == groupname:
# FIXME : well if the user equals the group, why pass the two info...
# anyway we should just forbid this from the very beginning ... (editing a user-related group)
raise YunohostError('remove_user_of_group_not_allowed', user=user, group=groupname)
if user not in current_group:
logger.warning(m18n.n('user_not_in_group', user=user, group=groupname))
@ -671,6 +675,7 @@ def user_group_update(operation_logger, groupname, add=None, remove=None, force=
operation_logger.start()
if set(new_group) != set(current_group):
ldap = _get_ldap_interface()
if not ldap.update('cn=%s,ou=groups' % groupname, {"member": set(new_group_dns), "memberUid": set(new_group)}):
raise YunohostError('group_update_failed', group=groupname)