Merge pull request #13 from nomennesc-io/master

fixed access check for non-administrators
2024-09-19 14:59:35 +00:00 · 2017-12-05 12:51:21 +01:00 · 2017-12-05 12:51:21 +01:00 · 21e903fa76
commit 21e903fa76
parent 675a502bcb d5b2dedd7f
3 changed files with 42 additions and 3 deletions
--- a/app/models.py
+++ b/app/models.py
@ -366,7 +366,9 @@ class User(db.Model):
        if self.role.name == "Administrator":
            return True

-        query = self.get_domain_query().filter(Domain.name == domain_name)
+        query = db.session.query(User, DomainUser, Domain).filter(User.id == self.id).filter(
+            User.id == DomainUser.user_id).filter(Domain.id == DomainUser.domain_id).filter(
+            Domain.name == domain_name)
        return query.count() >= 1

    def delete(self):
--- a/app/views.py
+++ b/app/views.py
@ -380,15 +380,45 @@ def login():
            error = e.message['desc'] if 'desc' in e.message else e
            return render_template('register.html', error=error)

-@app.route('/logout')
-def logout():
+def clear_session():
    session.pop('user_id', None)
    session.pop('github_token', None)
    session.pop('google_token', None)
    session.clear()
    logout_user()
+
+@app.route('/logout')
+def logout():
+    if app.config.get('SAML_ENABLED') and 'samlSessionIndex' in session and app.config.get('SAML_LOGOUT'):
+        req = utils.prepare_flask_request(request)
+        auth = utils.init_saml_auth(req)
+        if app.config.get('SAML_LOGOUT_URL'):
+            return redirect(auth.logout(name_id_format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
+                                        return_to = app.config.get('SAML_LOGOUT_URL'),
+                            session_index = session['samlSessionIndex'], name_id=session['samlNameId']))
+        return redirect(auth.logout(name_id_format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
+                        session_index = session['samlSessionIndex'],
+                                    name_id=session['samlNameId']))
+    clear_session()
+    redirect_url = url_for('login')
    return redirect(url_for('login'))

+@app.route('/saml/sls')
+def saml_logout():
+    req = utils.prepare_flask_request(request)
+    auth = utils.init_saml_auth(req)
+    url = auth.process_slo()
+    errors = auth.get_errors()
+    if len(errors) == 0:
+        clear_session()
+        if url is not None:
+            return redirect(url)
+	elif app.config.get('SAML_LOGOUT_URL'):
+	    return redirect(app.config.get('SAML_LOGOUT_URL'))
+        else:
+            return redirect(url_for('index'))
+    else:
+        return render_template('errors/SAML.html', errors=errors)

@app.route('/dashboard', methods=['GET', 'POST'])
@login_required
--- a/config_template.py
+++ b/config_template.py
@ -92,6 +92,13 @@ SAML_METADATA_CACHE_LIFETIME = 1
 SAML_SP_ENTITY_ID = 'http://<SAML SP Entity ID>'
 SAML_SP_CONTACT_NAME = '<contact name>'
 SAML_SP_CONTACT_MAIL = '<contact mail>'
+#Use SAML standard logout mechanism retreived from idp metadata
+#If configured false don't care about SAML session on logout.
+#Logout from PowerDNS-Admin only and keep SAML session authenticated.
+SAML_LOGOUT = False
+#Configure to redirect to a different url then PowerDNS-Admin login after SAML logout
+#for example redirect to google.com after successful saml logout
+#SAML_LOGOUT_URL = 'https://google.com'

 #Default Auth
 BASIC_ENABLED = True