feat: locked users cannot be impersonated
parent
565d57a887
commit
f9989a960b
4 changed files with 25 additions and 1 deletions
|
@ -1,3 +1,7 @@
|
||||||
|
Changed
|
||||||
|
^^^^^^^
|
||||||
|
- Locked users cannot be impersonated anymore.
|
||||||
|
|
||||||
[0.0.51] - 2024-04-09
|
[0.0.51] - 2024-04-09
|
||||||
---------------------
|
---------------------
|
||||||
|
|
||||||
|
|
|
@ -818,6 +818,9 @@ def profile_delete(user, edited_user):
|
||||||
@bp.route("/impersonate/<user:puppet>")
|
@bp.route("/impersonate/<user:puppet>")
|
||||||
@permissions_needed("impersonate_users")
|
@permissions_needed("impersonate_users")
|
||||||
def impersonate(user, puppet):
|
def impersonate(user, puppet):
|
||||||
|
if puppet.locked:
|
||||||
|
abort(403, _("Locked users cannot be impersonated."))
|
||||||
|
|
||||||
login_user(puppet)
|
login_user(puppet)
|
||||||
flash(
|
flash(
|
||||||
_("Connection successful. Welcome %(user)s", user=puppet.formatted_name),
|
_("Connection successful. Welcome %(user)s", user=puppet.formatted_name),
|
||||||
|
|
|
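Review bot: The refusal path at `if puppet.locked:` aborts with 403 but records nothing, so a privileged account probing locked users leaves no trace for later review. Consider logging the attempt before the abort, for example `current_app.logger.warning("impersonation of locked user %s refused for %s", puppet.identifier, user.identifier)`, assuming `current_app` is in scope in this module and both objects expose `identifier` as the template suggests. The check also runs only when impersonation starts; whether an impersonated session that began before the lock is ended elsewhere is not visible here. The body of impersonate continues past the end of the hunk.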
@ -156,7 +156,7 @@
|
||||||
</button>
|
</button>
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
|
||||||
{% if user.can_impersonate_users and user.identifier != edited_user.identifier %}
|
{% if user.can_impersonate_users and user.identifier != edited_user.identifier and not edited_user.locked %}
|
||||||
<a href="{{ url_for('core.account.impersonate', puppet=edited_user) }}" class="ui right floated basic button" name="action" value="impersonate" id="impersonate" hx-boost="false">
|
<a href="{{ url_for('core.account.impersonate', puppet=edited_user) }}" class="ui right floated basic button" name="action" value="impersonate" id="impersonate" hx-boost="false">
|
||||||
{{ _("Impersonate") }}
|
{{ _("Impersonate") }}
|
||||||
</a>
|
</a>
|
||||||
|
|
|
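Review bot: The added `and not edited_user.locked` in the `{% if %}` only hides the button; the enforcement is the server-side check in the impersonate view, and nothing in the template says so. A short comment above the condition would keep a later edit from treating the two as interchangeable, e.g. `{# Display only: the impersonate view rejects locked users with 403. #}`. The surrounding block starts and ends outside the hunk.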
@ -265,6 +265,23 @@ def test_impersonate_invalid_user(testclient, backend, logged_admin):
|
||||||
testclient.get("/impersonate/invalid", status=404)
|
testclient.get("/impersonate/invalid", status=404)
|
||||||
|
|
||||||
|
|
||||||
|
def test_impersonate_locked_user(testclient, backend, logged_admin, user):
|
||||||
|
res = testclient.get("/profile/user/settings")
|
||||||
|
res.mustcontain("Impersonate")
|
||||||
|
|
||||||
|
user.lock_date = datetime.datetime.now(datetime.timezone.utc) - datetime.timedelta(
|
||||||
|
days=1
|
||||||
|
)
|
||||||
|
user.save()
|
||||||
|
|
||||||
|
assert user.locked
|
||||||
|
res = testclient.get("/profile/user/settings")
|
||||||
|
res.mustcontain(no="Impersonate")
|
||||||
|
|
||||||
|
res = testclient.get("/impersonate/user", status=403)
|
||||||
|
res.mustcontain("Locked users cannot be impersonated.")
|
||||||
|
|
||||||
|
|
||||||
def test_invalid_form_request(testclient, logged_admin):
|
def test_invalid_form_request(testclient, logged_admin):
|
||||||
res = testclient.get("/profile/admin/settings")
|
res = testclient.get("/profile/admin/settings")
|
||||||
res = res.form.submit(name="action", value="invalid-action", status=400)
|
res = res.form.submit(name="action", value="invalid-action", status=400)
|
||||||
|
|
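Review bot: test_impersonate_locked_user checks the 403 status and message but not that the refused request left the admin's session untouched. Since the guard exists to stop `login_user(puppet)` from running, a follow-up request that presumably only the admin can make, such as `testclient.get("/profile/admin/settings", status=200)` after the 403, would pin that. The test also relies on `datetime` being imported in the test module, which the hunk does not show.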