
UI rights do not check for user resolver filters #1496

Open
quynh-axiadids opened this Issue Mar 12, 2019 · 1 comment

@quynh-axiadids
Contributor

quynh-axiadids commented Mar 12, 2019

What did you try to do?

Display UI rights correctly according to policies and their filters.
For example:
In the same realm, realmA, there are 2 resolvers, resolverX and resolverY. In the policy setup, resolverX has the assign action enabled, whereas resolverY does not have the assign action enabled.

What outcome did you expect?

When logging in to the UI, users in resolverX should see the assign option in the menu. Users in resolverY should not see the assign option in the UI.

What outcome did you experience?

Users in both resolvers of realmA see the assign option. Although when actually self-assigning a token, it will fail for a user in resolverY.

Configuration

  • privacyIDEA Version: 2.23.3

  • Installation method: from source

more details:

  • OS: Amazon Linux

  • Webserver: Nginx

  • Tokendatabase: PostgreSQL

Log file

N/A

Side notes:

I checked this method and it seems that we do not pass the resolver info when checking for UI rights, which may result in the described outcome?

# privacyidea/privacyidea/lib/policy.py
def ui_get_rights(self, scope, realm, username, client=None):
[...]

This is not a very critical bug. However, it affects user experience and causes some confusion. It would be nice to have it adjusted!

Cheers,

Quynh Nguyen

@cornelinux

Member

cornelinux commented Mar 13, 2019

Well, works as programmed! ;-)
Honestly, there have been several occasions where we skipped the resolvers. Especially the login can be a bit tricky, since the user is not available before he has authenticated.

But in this case you are right!
It happens here: https://github.com/privacyidea/privacyidea/blob/master/privacyidea/lib/policy.py#L761

We should change it like this:

        resolver = None  # stays None when the user cannot be resolved
        if scope == SCOPE.ADMIN:
            adminrealm = realm
            logged_in_user["role"] = ROLE.ADMIN
            if adminrealm:  # internal admins can not be resolved
                user = User(username, adminrealm)
                resolver = user.resolver
        elif scope == SCOPE.USER:
            userrealm = realm
            logged_in_user["role"] = ROLE.USER
            # look up the resolver the user belongs to, so that policies
            # filtered by resolver can be matched in get_policies
            resolver = User(username, userrealm).resolver

Then we can use the resolver in the get_policies.

@cornelinux cornelinux added this to the 3.0.1 milestone Mar 13, 2019
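The mismatch discussed in this thread, modelled as an added example (not privacyIDEA code): a small policy matcher is evaluated once the way the UI-rights path did it (realm known, resolver not passed) and once the way the proposed change does it (resolver looked up from the user). The realm, resolver and user names, the policy list, the `USER_RESOLVER` lookup table and the matching rule "a request attribute that is None is not checked" are all constructed assumptions for the illustration; the last one is what lets a resolver-filtered policy match a request that carries no resolver, and it is the mechanism this example assumes behind the reported behaviour. The closing check, `ui_enforcement_mismatch`, is the kind of consistency test a reviewer would want: every action the UI offers must also pass the server-side check that actually resolves the user.

```python
"""Constructed model of UI-rights evaluation with and without the resolver
attribute. Added illustration for the issue above, not privacyIDEA code."""
from dataclasses import dataclass
from typing import Optional, Set


@dataclass(frozen=True)
class Policy:
    """One policy: an action allowed for requests matching scope/realm/resolver.
    A None filter matches everything (constructed semantics)."""
    name: str
    scope: str
    action: str
    realm: Optional[str] = None
    resolver: Optional[str] = None

    def matches(self, scope: str, realm: Optional[str], resolver: Optional[str]) -> bool:
        if self.scope != scope:
            return False
        # Assumed matching rule: a request attribute that is None is simply
        # not checked, so a resolver-filtered policy still matches a request
        # that does not say which resolver the user belongs to.
        if self.realm is not None and realm is not None and self.realm != realm:
            return False
        if self.resolver is not None and resolver is not None and self.resolver != resolver:
            return False
        return True


# Constructed policy set: assign is only enabled for resolverX in realmA,
# token enrollment is enabled for the whole realm.
POLICIES = [
    Policy("assign_x", "user", "assign", realm="realmA", resolver="resolverX"),
    Policy("enroll_all", "user", "enrollTOTP", realm="realmA"),
]

# Constructed user store: which resolver each (realm, username) belongs to.
USER_RESOLVER = {
    ("realmA", "alice"): "resolverX",
    ("realmA", "bob"): "resolverY",
}


def get_allowed_actions(policies, scope: str, realm: Optional[str],
                        resolver: Optional[str]) -> Set[str]:
    """Union of actions from all policies matching the request attributes."""
    return {p.action for p in policies if p.matches(scope, realm, resolver)}


def ui_get_rights(scope: str, realm: str, username: str,
                  pass_resolver: bool) -> Set[str]:
    """Actions the UI would show. pass_resolver=False mirrors the reported
    behaviour (resolver never looked up); True mirrors the proposed fix."""
    resolver = USER_RESOLVER.get((realm, username)) if pass_resolver else None
    return get_allowed_actions(POLICIES, scope, realm, resolver)


def enforce(scope: str, realm: str, username: str, action: str) -> bool:
    """Server-side check: always resolves the user before matching policies."""
    resolver = USER_RESOLVER[(realm, username)]
    return action in get_allowed_actions(POLICIES, scope, realm, resolver)


def ui_enforcement_mismatch(scope: str, realm: str, username: str,
                            pass_resolver: bool) -> Set[str]:
    """Actions offered by the UI that the server would refuse. An empty set
    means UI and enforcement agree for this user."""
    shown = ui_get_rights(scope, realm, username, pass_resolver)
    return {a for a in shown if not enforce(scope, realm, username, a)}


if __name__ == "__main__":
    for user in ("alice", "bob"):
        for with_resolver in (False, True):
            print(user, "resolver passed:", with_resolver,
                  "UI shows:", sorted(ui_get_rights("user", "realmA", user, with_resolver)),
                  "refused by server:", sorted(ui_enforcement_mismatch("user", "realmA", user, with_resolver)))
```

Run as a script, the output shows bob being offered assign only when the resolver is omitted, and the mismatch set becoming empty once the resolver is passed; alice (resolverX) is unaffected either way.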
