Repository: ambari
Updated Branches:
  refs/heads/trunk 430c01d6a -> cb2212aeb


AMBARI-16436. Unauthorized user can get access to admin pages by pointing to 
their URLs (alexantonenko)


Project: http://git-wip-us.apache.org/repos/asf/ambari/repo
Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/cb2212ae
Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/cb2212ae
Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/cb2212ae

Branch: refs/heads/trunk
Commit: cb2212aeb60fbf796c226ae235ea40124e300f23
Parents: 430c01d
Author: Alex Antonenko <hiv...@gmail.com>
Authored: Tue May 10 19:44:00 2016 +0300
Committer: Alex Antonenko <hiv...@gmail.com>
Committed: Tue May 10 19:44:00 2016 +0300

----------------------------------------------------------------------
 .../ui/admin-web/app/scripts/controllers/mainCtrl.js      |  8 ++++++++
 .../ui/admin-web/test/unit/controllers/mainCtrl_test.js   |  1 +
 ambari-web/app/routes/main.js                             | 10 ++++++++++
 3 files changed, 19 insertions(+)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/ambari/blob/cb2212ae/ambari-admin/src/main/resources/ui/admin-web/app/scripts/controllers/mainCtrl.js
----------------------------------------------------------------------
diff --git 
a/ambari-admin/src/main/resources/ui/admin-web/app/scripts/controllers/mainCtrl.js
 
b/ambari-admin/src/main/resources/ui/admin-web/app/scripts/controllers/mainCtrl.js
index 5d1d261..2878f88 100644
--- 
a/ambari-admin/src/main/resources/ui/admin-web/app/scripts/controllers/mainCtrl.js
+++ 
b/ambari-admin/src/main/resources/ui/admin-web/app/scripts/controllers/mainCtrl.js
@@ -34,6 +34,14 @@ angular.module('ambariAdminConsole')
         $rootScope.supports = data.data ? data.data : {};
       });
 
+  $http.get(Settings.baseUrl + "/users/"  + Auth.getCurrentUser() +  
"/authorizations?fields=*")
+    .then(function(data) {
+      var auth = !!data.data && !!data.data.items ? 
data.data.items.map(function (a){return a.AuthorizationInfo.authorization_id}) 
: [];
+      if(auth.indexOf('AMBARI.RENAME_CLUSTER') == -1){
+        $window.location = "/#/main/dashboard";
+      }
+    });
+
   $scope.about = function() {
    var ambariVersion = $scope.ambariVersion;
        var modalInstance = $modal.open({
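Review bot: The redirect on lines 52-54 only runs when the authorizations request succeeds, so a rejected request (network failure, non-2xx) leaves the user on the admin console with no check applied; the guard should fail closed with a rejection handler that performs the same redirect. `Auth.getCurrentUser()` is also spliced into the URL path unencoded on line 46, so a user name containing `/`, `?` or `#` would request a different resource; wrap it in `encodeURIComponent(...)`. The `==` on line 52 should be `===` to match the rest of the comparison style. Note that this client-side redirect only hides the pages; the API has to enforce the same permission on the requests those pages issue. The enclosing controller function starts outside the hunk.
```javascript
  $http.get(Settings.baseUrl + "/users/" + encodeURIComponent(Auth.getCurrentUser()) + "/authorizations?fields=*")
    .then(function (data) {
      // … unchanged: build the authorization_id list from data.data.items …
      if (auth.indexOf('AMBARI.RENAME_CLUSTER') === -1) {
        $window.location = "/#/main/dashboard";
      }
    }, function () {
      // Fail closed: an unanswered authorization check must not leave the console open.
      $window.location = "/#/main/dashboard";
    });
```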

http://git-wip-us.apache.org/repos/asf/ambari/blob/cb2212ae/ambari-admin/src/main/resources/ui/admin-web/test/unit/controllers/mainCtrl_test.js
----------------------------------------------------------------------
diff --git 
a/ambari-admin/src/main/resources/ui/admin-web/test/unit/controllers/mainCtrl_test.js
 
b/ambari-admin/src/main/resources/ui/admin-web/test/unit/controllers/mainCtrl_test.js
index e12a61d..12c914e 100644
--- 
a/ambari-admin/src/main/resources/ui/admin-web/test/unit/controllers/mainCtrl_test.js
+++ 
b/ambari-admin/src/main/resources/ui/admin-web/test/unit/controllers/mainCtrl_test.js
@@ -98,6 +98,7 @@ describe('#Auth', function () {
           ]
         });
       $httpBackend.whenGET(/\/persist\/user-pref-.*/).respond(200, {data: 
{data: {addingNewRepository: true}}});
+      
$httpBackend.whenGET(/\/api\/v1\/users\/admin\/authorizations.*/).respond(200, 
{data: {data: {items: [{AuthorizationInfo : {authorization_id : 
"AMBARI.RENAME_CLUSTER"}}]}}});
       scope = $rootScope.$new();
       scope.$apply();
       ctrl = $controller('MainCtrl', {$scope: scope});
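Review bot: The new stub on lines 77-80 only covers the authorized case; there is no test that a user whose authorizations lack `AMBARI.RENAME_CLUSTER` is redirected to `/#/main/dashboard`, which is the behaviour this commit adds. Also worth checking: the stub body is `{data: {data: {items: …}}}` while the controller reads `data.data.items` off the `$http` response, which looks like one nesting level too many — if so, this setup is actually exercising the redirect branch rather than the authorized path. A second `whenGET` responding with an empty `items` list, followed by an assertion on `$window.location`, would pin the negative path. The enclosing setup function starts and ends outside the hunk.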

http://git-wip-us.apache.org/repos/asf/ambari/blob/cb2212ae/ambari-web/app/routes/main.js
----------------------------------------------------------------------
diff --git a/ambari-web/app/routes/main.js b/ambari-web/app/routes/main.js
index c27ef54..5cf68d0 100644
--- a/ambari-web/app/routes/main.js
+++ b/ambari-web/app/routes/main.js
@@ -384,6 +384,11 @@ module.exports = Em.Route.extend(App.RouterRedirections, {
 
     adminKerberos: Em.Route.extend({
       route: '/kerberos',
+      enter: function (router, transition) {
+        if (router.get('loggedIn') && 
!App.isAuthorized('CLUSTER.TOGGLE_KERBEROS')) {
+          router.transitionTo('main.dashboard.index');
+        }
+      },
       index: Em.Route.extend({
         route: '/',
         connectOutlets: function (router, context) {
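Review bot: The `enter` guard on lines 95-100 (and the identical one on lines 108-113) skips the authorization check entirely when `router.get('loggedIn')` is false, so a deep link opened before login has completed enters the route unchecked, and nothing in the hunk re-runs the check once the login state is known; presumably a login redirect elsewhere covers that window, but it is worth confirming. The two guards differ only in the permission name, so a shared helper on `App.RouterRedirections` (or a small mixin) taking the permission string would remove the duplication, and the unused `transition` parameter can be dropped, e.g. `enter: function (router) { this.redirectUnlessAuthorized(router, 'CLUSTER.TOGGLE_KERBEROS'); }`. As with any client-side routing guard, this only hides the pages; the API must enforce the same permission on the underlying requests.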
@@ -521,6 +526,11 @@ module.exports = Em.Route.extend(App.RouterRedirections, {
     }),
     adminServiceAccounts: Em.Route.extend({
       route: '/serviceAccounts',
+      enter: function (router, transition) {
+        if (router.get('loggedIn') && 
!App.isAuthorized('AMBARI.SET_SERVICE_USERS_GROUP')) {
+          router.transitionTo('main.dashboard.index');
+        }
+      },
       connectOutlets: function (router) {
         router.set('mainAdminController.category', "adminServiceAccounts");
         
router.get('mainAdminController').connectOutlet('mainAdminServiceAccounts');
