
Zhang Huangbin  committed 9f2d420

Do NOT allow a normal admin to view/update other admins' profiles.

  • Parent commits 0420206


Files changed (2)

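--- a/controllers/ldap/admin.py
+++ b/controllers/ldap/admin.py
 
 import web
 from web import render
+from controllers.ldap.basic import dbinit
 from controllers.ldap import base
-from controllers.ldap.basic import dbinit
 from libs.ldaplib import admin
 
 cfg = web.iredconfig
 class profile(dbinit):
     @base.protected
     def GET(self, profile_type, mail):
+        self.mail = web.safestr(mail)
         self.profile_type = web.safestr(profile_type)
-        self.mail = web.safestr(mail)
         i = web.input()
 
         self.langs = adminLib.get_langs()
 
-        return render.admin_profile(
-                mail=self.mail,
-                profile_type=self.profile_type,
-                cur_lang=self.langs['cur_lang'],
-                langmaps=self.langs['langmaps'],
-                min_passwd_length=cfg.general.get('min_passwd_length'),
-                max_passwd_length=cfg.general.get('max_passwd_length'),
-                msg=i.get('msg', None),
-                )
+        if session.get('domainGlobalAdmin') != 'yes' and session.get('username') != self.mail:
+            # Don't allow to view/update other admins' profile.
+            web.seeother('/profile/admin/%s/%s?msg=PERMISSION_DENIED' % ( self.profile_type, session.get('username') ))
+        else:
+            return render.admin_profile(
+                    mail=self.mail,
+                    profile_type=self.profile_type,
+                    cur_lang=self.langs['cur_lang'],
+                    langmaps=self.langs['langmaps'],
+                    min_passwd_length=cfg.general.get('min_passwd_length'),
+                    max_passwd_length=cfg.general.get('max_passwd_length'),
+                    msg=i.get('msg', None),
+                    )
 
     @base.protected
     def POST(self, profile_type, mail):
         i = web.input()
 
         result = adminLib.update(
-                    profile_type=self.profile_type,
-                    mail=self.mail,
-                    data=i,
-                    )
+                profile_type=self.profile_type,
+                mail=self.mail,
+                data=i,
+                )
         if result[0] is True:
             web.seeother('/profile/admin/%s/%s?msg=SUCCESS' % (self.profile_type, self.mail))
         else:
             self.langs = adminLib.get_langs()
-            cur_lang = self.langs['cur_lang']
+            self.cur_lang = self.langs['cur_lang']
             return render.admin_profile(
                     mail=self.mail,
                     profile_type=self.profile_type,
-                    cur_lang=cur_lang,
+                    cur_lang=self.cur_lang,
                     langmaps=self.langs['langmaps'],
                     min_passwd_length=cfg.general.get('min_passwd_length'),
                     max_passwd_length=cfg.general.get('max_passwd_length'),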
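Review bot: The authorization check added to GET (the `session.get('domainGlobalAdmin')` test before the redirect) has no counterpart in POST, so a non-global admin can still submit an update for another admin's profile by posting directly — the gate must also sit in front of `adminLib.update(...)`, e.g. the same two lines `if session.get('domainGlobalAdmin') != 'yes' and session.get('username') != self.mail:` / `web.seeother('/profile/admin/%s/%s?msg=PERMISSION_DENIED' % (self.profile_type, session.get('username')))` at the top of POST. POST never assigns `self.mail` or `self.profile_type` from its own `mail`/`profile_type` arguments; unless `dbinit` populates them, the assignments made in GET are not visible here, so the check in POST should compare against `web.safestr(mail)` rather than `self.mail`. `session` and `adminLib` are not bound by the import lines shown in this section; presumably they come from further down the file or from `dbinit`, but that is worth confirming. The body of POST continues past the end of this section.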

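--- a/templates/default/ldap/admin_profile.html
+++ b/templates/default/ldap/admin_profile.html
         <div class="success">{{ _('Profile update success.') }}</div>
     {% else %}
         <div class="error">
-        {% if msg == 'INCORRECT_OLDPW' %}
-            {{ _('Current password is incorrect.') }}
-        {% elif msg == 'PW_LESS_THAN_MIN_LENGTH' %}
-            {{ _('New password must contain at least %s characters.') |format(min_passwd_length) }}
-        {% elif msg == 'PW_MISMATCH' %}
-            {{ _('New passwords are not match.') }}
-        {% else %}
-            {# Catch-all #}
-            {{ msg }}
-        {% endif %}
+            {% if msg == 'PERMISSION_DENIED' %}
+                {{ _("You are NOT permited to view/update other's profile.") }}
+            {# Password related #}
+            {% elif msg == 'INCORRECT_OLDPW' %}
+                {{ _('Current password is incorrect.') }}
+            {% elif msg == 'PW_LESS_THAN_MIN_LENGTH' %}
+                {{ _('New password must contain at least %s characters.') |format(min_passwd_length) }}
+            {% elif msg == 'PW_MISMATCH' %}
+                {{ _('New passwords are not match.') }}
+            {% else %}
+                {# Catch-all #}
+                {{ msg }}
+            {% endif %}
         </div>
     {% endif %}
     </div>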
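Review bot: The new translatable string in the `PERMISSION_DENIED` branch misspells "permitted" (`permited`); because that text becomes the gettext msgid, correcting it later would orphan any translation keyed on it, so fix it now: `{{ _("You are NOT permitted to view/update other's profile.") }}`. The catch-all `{{ msg }}` branch still echoes whatever `msg` arrived in the query string; with autoescaping on that is only a wording issue, but if this template is rendered without autoescape it is worth checking that branch separately.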