globuzma/canaille-globuzma
1
0
Fork 0
forked from Github-Mirrors/canaille
Code Pull requests Activity

feat: locked users cannot be impersonated

Browse source
This commit is contained in:
Éloi Rivard 2024-04-12 12:12:08 +02:00
parent 565d57a887
commit f9989a960b
No known key found for this signature in database
GPG key ID: 7EDA204EA57DD184
4 changed files with 25 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
CHANGES.rst
View file

@ -1,3 +1,7 @@
Changed
^^^^^^^
- Locked users cannot be impersonated anymore.
[0.0.51] - 2024-04-09 [0.0.51] - 2024-04-09
--------------------- ---------------------

3
canaille/core/endpoints/account.py
View file

@ -818,6 +818,9 @@ def profile_delete(user, edited_user):
@bp.route("/impersonate/<user:puppet>") @bp.route("/impersonate/<user:puppet>")
@permissions_needed("impersonate_users") @permissions_needed("impersonate_users")
def impersonate(user, puppet): def impersonate(user, puppet):
if puppet.locked:
abort(403, _("Locked users cannot be impersonated."))
login_user(puppet) login_user(puppet)
flash( flash(
_("Connection successful. Welcome %(user)s", user=puppet.formatted_name), _("Connection successful. Welcome %(user)s", user=puppet.formatted_name),

2
canaille/core/templates/profile_settings.html
View file

@ -156,7 +156,7 @@
</button> </button>
{% endif %} {% endif %}
{% if user.can_impersonate_users and user.identifier != edited_user.identifier %} {% if user.can_impersonate_users and user.identifier != edited_user.identifier and not edited_user.locked %}
<a href="{{ url_for('core.account.impersonate', puppet=edited_user) }}" class="ui right floated basic button" name="action" value="impersonate" id="impersonate" hx-boost="false"> <a href="{{ url_for('core.account.impersonate', puppet=edited_user) }}" class="ui right floated basic button" name="action" value="impersonate" id="impersonate" hx-boost="false">
{{ _("Impersonate") }} {{ _("Impersonate") }}
</a> </a>

17
tests/core/test_profile_settings.py
View file

@ -265,6 +265,23 @@ def test_impersonate_invalid_user(testclient, backend, logged_admin):
testclient.get("/impersonate/invalid", status=404) testclient.get("/impersonate/invalid", status=404)
def test_impersonate_locked_user(testclient, backend, logged_admin, user):
res = testclient.get("/profile/user/settings")
res.mustcontain("Impersonate")
user.lock_date = datetime.datetime.now(datetime.timezone.utc) - datetime.timedelta(
days=1
)
user.save()
assert user.locked
res = testclient.get("/profile/user/settings")
res.mustcontain(no="Impersonate")
res = testclient.get("/impersonate/user", status=403)
res.mustcontain("Locked users cannot be impersonated.")
def test_invalid_form_request(testclient, logged_admin): def test_invalid_form_request(testclient, logged_admin):
res = testclient.get("/profile/admin/settings") res = testclient.get("/profile/admin/settings")
res = res.form.submit(name="action", value="invalid-action", status=400) res = res.form.submit(name="action", value="invalid-action", status=400)