From 0ba64b1ac3fa1709c09b30754138946ddc9c2839 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy Date: Jun 08 2020 16:39:34 +0000 Subject: Web UI: allow users from trusted Active Directory forest manage IPA Extend Web UI logic to decide whether default Web UI view should have a full menu or should be confined to a self-service interface. Standard logic in FreeIPA Web UI is to combine two facts: * for IPA users membership in `admins` group is used to indicate full menu should be shown * for AD users the fact that ID override object is presented by IPA `whoami` command is used to confine to a self-service interface With the change to allow user ID overrides from a default trust view to be members of groups and roles, we can unify the administrative privileges checks for both IPA and AD users. Fixed: https://pagure.io/freeipa/issue/8335 Signed-off-by: Alexander Bokovoy Reviewed-By: Rob Crittenden
---
diff --git a/install/ui/src/freeipa/Application_controller.js b/install/ui/src/freeipa/Application_controller.js
index 51f579e..a656b90 100644
--- a/install/ui/src/freeipa/Application_controller.js
+++ b/install/ui/src/freeipa/Application_controller.js
@@ -238,23 +238,26 @@ define([
 IPA.logout();
 },
- is_selfservice: function() {
- var whoami = IPA.whoami.data;
- var self_service = true;
-
+ is_admin: function(whoami) {
 if (whoami.hasOwnProperty('memberof_group') &&
 whoami.memberof_group.indexOf('admins') !== -1) {
- self_service = false;
+ return true;
 } else if (whoami.hasOwnProperty('memberofindirect_group')&&
 whoami.memberofindirect_group.indexOf('admins') !== -1) {
- self_service = false;
+ return true;
 } else if (whoami.hasOwnProperty('memberof_role') &&
 whoami.memberof_role.length > 0) {
- self_service = false;
+ return true;
 } else if (whoami.hasOwnProperty('memberofindirect_role') &&
 whoami.memberofindirect_role.length > 0) {
- self_service = false;
+ return true;
 }
+ return false;
+ },
+
+ is_selfservice: function() {
+ var whoami = IPA.whoami.data;
+ var self_service = !this.is_admin(whoami);
 IPA.is_selfservice = self_service; // quite ugly, needed for users
@@ -262,11 +265,14 @@ define([
 },
 is_aduser_selfservice: function() {
- var selfservice = IPA.whoami.metadata.object === 'idoverrideuser';
+ var whoami = IPA.whoami.data;
+ var idoverride = IPA.whoami.metadata.object === 'idoverrideuser';
+ var self_service = idoverride && (this.is_admin(whoami) === false);
+
 // quite ugly, needed for users and iduseroverride to hide breadcrumb
- IPA.is_aduser_selfservice = selfservice;
+ IPA.is_aduser_selfservice = self_service;
- return selfservice;
+ return self_service;
 },
 update_logged_in: function(logged_in) {
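Review bot: The new `is_admin` helper carries no comment, and because it now gates the full-menu view for AD ID-override users as well as IPA users, a reader may take it for an authorization check rather than a display decision; I'd put a JSDoc above `is_admin: function(whoami) {` reading `/** Decide whether the Web UI shows the full menu instead of the self-service view: true when the whoami result lists direct or indirect membership in 'admins' or in any role. This only chooses what the UI shows and grants nothing by itself. */`. That comment should also state that any role membership counts, not only roles that carry admin-level privileges, since the `memberof_role.length > 0` / `memberofindirect_role.length > 0` tests are carried over unchanged from the old `is_selfservice` body. The `is_selfservice` body continues past the end of this hunk.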
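Review bot: In `is_aduser_selfservice` the new line spells the negation as `(this.is_admin(whoami) === false)` while the same decision in `is_selfservice` in the preceding hunk uses `!this.is_admin(whoami)`; one form should be used in both places, `var self_service = idoverride && !this.is_admin(whoami);`. A one-line comment above it would also help a reader, e.g. `// An ID-override user is confined to self-service only when is_admin() finds no admins/role membership on the override.`. Both methods still publish their result through a global (`IPA.is_selfservice`, `IPA.is_aduser_selfservice`) as a side effect, which the surviving "quite ugly" comment already acknowledges; that is pre-existing and not changed here.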