This is an automated email from the ASF dual-hosted git repository. hulee pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/helix.git
commit 241baae6831e08eb2807f01fbf670c00b154dbbb
Author: Yi Wang <[email protected]>
AuthorDate: Fri Mar 8 15:28:35 2019 -0800
Add adminGroup check for write operations ACLOVERRIDE RB=1590175 BUG=HELIX-1682 G=helix-reviewers A=jxue
Signed-off-by: Hunter Lee <[email protected]>
---
 helix-front/client/app/app.component.ts | 8 +++---
 helix-front/server/config.ts | 7 ++----
 helix-front/server/controllers/user.ts | 44 ++++++++++++++++++++++-----------
 3 files changed, 37 insertions(+), 22 deletions(-)
diff --git a/helix-front/client/app/app.component.ts b/helix-front/client/app/app.component.ts
index 06f7f5e..4c691ae 100644
--- a/helix-front/client/app/app.component.ts
+++ b/helix-front/client/app/app.component.ts
@@ -14,6 +14,7 @@ import { Angulartics2Piwik } from 'angulartics2';
 import { UserService } from './core/user.service';
 import { InputDialogComponent } from './shared/dialog/input-dialog/input-dialog.component';
 import { HelperService } from './shared/helper.service';
+import {LDAP} from "../../server/config";
 @Component({
 selector: 'hi-root',
@@ -85,10 +86,11 @@ export class AppComponent implements OnInit {
 this.service
 .login(result.username.value, result.password.value)
 .subscribe(
- isAuthroized => {
- if (isAuthroized) {
- location.reload();
+ isAuthorized => {
+ if (!isAuthorized) {
+ this.helper.showError("You're not part of " + LDAP.adminGroup + " group or password incorrect");
 }
+ this.currentUser = this.service.getCurrentUser();
 },
 error => this.helper.showError(error)
 );
diff --git a/helix-front/server/config.ts b/helix-front/server/config.ts
index 1a4265b..35ee27d 100644
--- a/helix-front/server/config.ts
+++ b/helix-front/server/config.ts
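Review bot: The new `import {LDAP} from "../../server/config";` pulls the server-side config module into the browser bundle, so every value in it (the config.ts hunk shows `uri`, `base`, `principalSuffix` and `adminGroup`) is shipped to any client that loads the page, and the client build now depends on a file outside the client tree. Only the group name is needed here; expose it through the existing user API or a client-side constant instead of importing the server module. The line also uses double quotes where the surrounding imports use single quotes.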
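Review bot: In the `!isAuthorized` branch the message `"... group or password incorrect"` is shown whenever the login response body is `false`, but per the user.ts hunk in this commit a bind failure answers 401 (which should land in the `error` handler, assuming the service passes the status through), so a `false` body reaches this branch only for a successfully authenticated user who is not in the admin group. That user is told their password may be wrong while `currentUser` is populated on the next line. Either have the server return a structured result (`{ authenticated, isAdmin }`) or drop the password clause from this message, e.g. `` this.helper.showError(`You're not part of the ${LDAP.adminGroup} group`); ``. The enclosing method starts and ends outside the hunk.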
@@ -17,9 +17,6 @@ export const SSL = {
 export const LDAP = {
 uri: 'ldap://example.com',
 base: 'DC=example,DC=com',
- principalSuffix: '@example.com'
+ principalSuffix: '@example.com',
+ adminGroup: 'admin'
 };
-
-export function CheckAdmin(username: string, callback: (boolean) => void) {
- callback(username === 'root');
-}
diff --git a/helix-front/server/controllers/user.ts b/helix-front/server/controllers/user.ts
index 980d97c..7727255 100644
--- a/helix-front/server/controllers/user.ts
+++ b/helix-front/server/controllers/user.ts
@@ -1,9 +1,7 @@
-import { Request, Response, Router } from 'express';
-
-import * as request from 'request';
+import {Request, Response, Router} from 'express';
 import * as LdapClient from 'ldapjs';
-import { LDAP, CheckAdmin } from '../config';
+import {LDAP} from '../config';
 export class UserCtrl {
@@ -34,10 +32,10 @@ export class UserCtrl {
 res.json(req.session.isAdmin ? true : false);
 }
- protected login(req: Request, res: Response) {
- const credential = req.body;
+ protected login(request: Request, response: Response) {
+ const credential = request.body;
 if (!credential.username || !credential.password) {
- res.status(401).json(false);
+ response.status(401).json(false);
 return;
 }
@@ -45,16 +43,34 @@ export class UserCtrl {
 const ldap = LdapClient.createClient({ url: LDAP.uri });
 ldap.bind(credential.username + LDAP.principalSuffix, credential.password, err => {
 if (err) {
- res.status(401).json(false);
+ response.status(401).json(false);
 } else {
- // authroized
- req.session.username = credential.username;
- CheckAdmin(req.session.username, (isAdmin: boolean) => {
- req.session.isAdmin = isAdmin;
- res.json(true);
+ // login success
+ let opts = {
+ filter: '(&(sAMAccountName=' + credential.username + ')(objectcategory=person))',
+ scope: 'sub'
+ };
+
+ ldap.search(LDAP.base, opts, function(err, result) {
+ var isInAdminGroup = false;
+ result.on('searchEntry', function (entry) {
+ if (entry.object && !err) {
+ let groups = entry.object["memberOf"];
+ for (var group of groups) {
+ const groupName = group.split(",", 1)[0].split("=")[1];
+ if (groupName == LDAP.adminGroup) {
+ isInAdminGroup = true;
+ break;
+ }
+ }
+ }
+
+ request.session.username = credential.username;
+ request.session.isAdmin = isInAdminGroup;
+ response.json(isInAdminGroup);
+ });
 });
 }
 });
 }
-
 }
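Review bot: The HTTP response is sent from inside the `searchEntry` handler, so a search that returns no entry never answers the request, a search that returns more than one entry calls `response.json` repeatedly, and a search error leaves `result` undefined so `result.on` throws instead of responding; the session and response should be set once on the stream's `'end'` event with an `'error'` handler alongside. `entry.object["memberOf"]` is fed straight to `for (var group of groups)`, but a user in no groups has no `memberOf` and, as far as I recall of ldapjs, a single group arrives as a bare string, so the loop either throws or iterates characters — normalize it to an array first. The filter string concatenates `credential.username` into the LDAP query; build it with ldapjs filter objects (or escape it) so filter metacharacters in the submitted username cannot change the query. The client created on the first line of the hunk is never released; `ldap.unbind()` belongs on every exit path, including the bind-error branch. Nits: the inner `function(err, result)` shadows the outer `err`, and `var`/`let`/`==` should be `const`/`===`.
```typescript
        // login success
        const opts = {
          // filter objects escape the username; string concatenation does not
          filter: new LdapClient.filters.AndFilter({
            filters: [
              new LdapClient.filters.EqualityFilter({ attribute: 'sAMAccountName', value: credential.username }),
              new LdapClient.filters.EqualityFilter({ attribute: 'objectcategory', value: 'person' })
            ]
          }),
          scope: 'sub'
        };

        ldap.search(LDAP.base, opts, (searchErr, result) => {
          if (searchErr) {
            ldap.unbind();
            response.status(500).json(false);
            return;
          }
          let isInAdminGroup = false;
          let entries = 0;
          result.on('searchEntry', entry => {
            entries++;
            const memberOf = entry.object ? entry.object['memberOf'] : undefined;
            // memberOf is absent for a user in no groups and may be a bare string for a single group
            const groups: string[] = memberOf == null ? [] : Array.isArray(memberOf) ? memberOf : [memberOf];
            if (groups.some(dn => dn.split(',', 1)[0].split('=')[1] === LDAP.adminGroup)) {
              isInAdminGroup = true;
            }
          });
          result.on('error', () => {
            ldap.unbind();
            response.status(500).json(false);
          });
          // respond exactly once, after the whole result set has been read
          result.on('end', () => {
            ldap.unbind();
            if (entries === 0) {
              response.status(401).json(false);
              return;
            }
            request.session.username = credential.username;
            request.session.isAdmin = isInAdminGroup;
            response.json(isInAdminGroup);
          });
        });
        // … unchanged: closing of the bind callback and login() …
```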
