Add non-privileged user role #405
Conversation
api/users.go
Outdated
| @@ -28,6 +28,13 @@ func addUser(w http.ResponseWriter, r *http.Request) { | |||
| return | |||
| } | |||
|
|
|||
| editor := context.Get(r, "user").(*db.User) | |||
| if editor.Admin != true { | |||
| log.Warn(editor.Username + " doesn't permitted for user creating") | |||
There was a problem hiding this comment.
should be log.Warn(editor.Username + " doesn't permit user creation")
Please correct this for all other instances/variations of this text as well
| @@ -143,7 +143,7 @@ func doSetup() int { | |||
| user.Password = readNewline(" > Password: ", stdin) | |||
| pwdHash, _ := bcrypt.GenerateFromPassword([]byte(user.Password), 11) | |||
|
|
|||
| if _, err := db.Mysql.Exec("insert into user set name=?, username=?, email=?, password=?, created=UTC_TIMESTAMP()", user.Name, user.Username, user.Email, pwdHash); err != nil { | |||
| if _, err := db.Mysql.Exec("insert into user set name=?, username=?, email=?, password=?, admin=1, created=UTC_TIMESTAMP()", user.Name, user.Username, user.Email, pwdHash); err != nil { | |||
There was a problem hiding this comment.
do we have to have admin as default? I would guess most people would prefer admin not to be the default user mode (especially in enterprise usage)
There was a problem hiding this comment.
I think, the first system user always should be an admin. That code executes only for initial setup of Semaphore.
db/versionHistory.go
Outdated
| @@ -71,5 +71,6 @@ func init() { | |||
| {Major: 2, Minor: 3, Patch: 1}, | |||
| {Major: 2, Minor: 3, Patch: 2}, | |||
| {Major: 2, Minor: 4}, | |||
| {Major: 2, Minor: 4, Patch: 2}, | |||
There was a problem hiding this comment.
Please can you update this to 2.5.0
|
Would it be possible to also take care of #158 in this pull request and add some extra authentication against log deletion for non admin users (if it's totally out of scope no worries) |
|
@twhiston all done :) |
api/users.go
Outdated
| @@ -53,23 +60,44 @@ func getUserMiddleware(w http.ResponseWriter, r *http.Request) { | |||
| panic(err) | |||
| } | |||
|
|
|||
| editor := context.Get(r, "user").(*db.User) | |||
| if editor.Admin != true && editor.ID != user.ID { | |||
| log.Warn(editor.Username + " doesn't permitted for user editing") | |||
There was a problem hiding this comment.
should be editor.Username + " is not permitted to edit users" here and in other locations.
Sorry for the pedantry about english sentence construction!
There was a problem hiding this comment.
Done. That's alright, UI should have clear sentences, without any mess.
public/html/users/user.pug
Outdated
| @@ -15,6 +15,10 @@ | |||
| .form-group | |||
| label.control-label.col-sm-4 Password | |||
| .col-sm-8: input.form-control(type="password" placeholder="Enter new password" ng-readonly="user.external == true" ng-model="user.password") | |||
| .form-group(ng-if="!is_self") | |||
| .col-sm-8.col-sm-offset-4: .checkbox: label | |||
| input(type="checkbox" title="User have admin privileges" ng-model="user.admin") | |||
There was a problem hiding this comment.
"User has admin privileges"
api/tasks/http.go
Outdated
| editor := context.Get(r, "user").(*db.User) | ||
|
|
||
| if editor.Admin != true { | ||
| log.Warn(editor.Username + " doesn't permit task log deletion") |
There was a problem hiding this comment.
looks like this file is missing a log import making the tests fail currently
There was a problem hiding this comment.
Oops, my mistake. Fixed for now.
|
looks really good. Another couple of small things and fixing a missing import and this is good to go. Thanks very much for your work |
api/users.go
Outdated
|
|
||
| var user db.User | ||
| if err := mulekick.Bind(w, r, &user); err != nil { | ||
| return | ||
| } | ||
|
|
||
| if editor.Admin != true && editor.ID != oldUser.ID { | ||
| log.Warn(editor.Username + " doesn't permitted for user editing") |
There was a problem hiding this comment.
editor.Username + " is not permitted to edit users"
api/users.go
Outdated
| var pwd struct { | ||
| Pwd string `json:"password"` | ||
| } | ||
|
|
||
| if editor.Admin != true && editor.ID != user.ID { | ||
| log.Warn(editor.Username + " doesn't permitted for user editing") |
There was a problem hiding this comment.
editor.Username + " is not permitted to edit users"
api/users.go
Outdated
| editor := context.Get(r, "user").(*db.User) | ||
|
|
||
| if editor.Admin != true && editor.ID != user.ID { | ||
| log.Warn(editor.Username + " doesn't permitted for user deletion") |
There was a problem hiding this comment.
editor.Username + " is not permitted to delete users"
api/users.go
Outdated
| @@ -28,6 +28,13 @@ func addUser(w http.ResponseWriter, r *http.Request) { | |||
| return | |||
| } | |||
|
|
|||
| editor := context.Get(r, "user").(*db.User) | |||
| if editor.Admin != true { | |||
| log.Warn(editor.Username + " doesn't permit user creation") | |||
There was a problem hiding this comment.
editor.Username + " is not permitted to create users"
api/tasks/http.go
Outdated
| editor := context.Get(r, "user").(*db.User) | ||
|
|
||
| if editor.Admin != true { | ||
| log.Warn(editor.Username + " doesn't permit task log deletion") |
There was a problem hiding this comment.
editor.Username + " is not permitted to delete task logs"
|
All done. I need to take some lessons with an English teacher, instead of watching Netflix shows. :) |
|
I have just installed Semaphore v2.5.1 and I am still facing the same problem as reported in #198. I would need some user to only have the permission to run some templates, but not update or delete them. |
|
@vaol please check user settings ('Admin user' checkbox): |
|
Thank you for answering so quickly ! And still I can delete a template when I am connected as user "demo" |
|
Ugh, sorry, I confused different roles mechanisms. |
Fix for #318 and #198
I added
adminproperty for User. By default, all users after migration will be Admins (for backward compatibility).Non-Admin Users can:
Non-Admin Users can't (will get 401 Unauthorized when trying):
I hide 'add user' button and user editing dialog for Non-Admin User. The first user, created by setup, have admin privileges. Also, I improved User List page, by adding all flags (Admin, Alert, External) to id.