Module: check_mk
Branch: master
Commit: 2190f03b766bb7093ad91638452db294e2915d49
URL:
http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=2190f03b766bb7…
Author: Lars Michelsen <lm(a)mathias-kettner.de>
Date: Mon Mar 13 09:32:05 2017 +0100
CME: Customer are not allowed to login to the central site anymore
Change-Id: I812767a73212947f94c2e79d3ab10c0e6038b00d
---
web/htdocs/login.py | 6 ++++++
web/htdocs/userdb.py | 19 +++++++++++++++++++
2 files changed, 25 insertions(+)
diff --git a/web/htdocs/login.py b/web/htdocs/login.py
index a189574..0dc45a6 100644
--- a/web/htdocs/login.py
+++ b/web/htdocs/login.py
@@ -268,6 +268,12 @@ def check_auth(mod_python_req):
if (user_id is not None and type(user_id) != unicode) or user_id == u'':
raise MKInternalError(_("Invalid user authentication"))
+ if user_id and not userdb.is_customer_user_allowed_to_login(user_id):
+ # A CME not assigned with the current sites customer
+ # is not allowed to login
+ auth_logger.debug("User '%s' is not allowed to login: Invalid
customer" % user_id)
+ return None
+
return user_id
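Review bot: The refusal added just before `return user_id` is recorded only with `auth_logger.debug`, so in a normal deployment an authenticated session being dropped for a customer mismatch leaves no trace, and the matching rejection added to hook_login in userdb.py (`return False` after the is_customer_user_allowed_to_login check) logs nothing at all. A denied login is an access-control decision an operator needs in the audit trail, so raise it here to `auth_logger.warning("User '%s' is not allowed to login: Invalid customer" % user_id)` and add an equivalent log line in hook_login. check_auth also appears to run on every authenticated request rather than only at login, and the helper builds a `config.LoggedInUser` on each call; if that loads user attributes from disk this becomes a per-request cost worth measuring. check_auth's body begins outside the hunk.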
diff --git a/web/htdocs/userdb.py b/web/htdocs/userdb.py
index 8fc965e..0fb9351 100644
--- a/web/htdocs/userdb.py
+++ b/web/htdocs/userdb.py
@@ -216,6 +216,20 @@ def is_automation_user(user_id):
return os.path.isfile(cmk.paths.var_dir + "/web/" +
user_id.encode("utf-8") + "/automation.secret")
+def is_customer_user_allowed_to_login(user_id):
+ if not cmk.is_managed_edition():
+ return True
+
+ import managed
+ user = config.LoggedInUser(user_id)
+ customer_id = managed.get_customer_id(user.attributes)
+
+ if managed.is_global(customer_id):
+ return True
+
+ return managed.is_current_customer(customer_id)
+
+
# This function is called very often during regular page loads so it has to be efficient
# even when having a lot of users.
#
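Review bot: The new is_customer_user_allowed_to_login has no docstring, although its contract (allow everywhere except on the managed edition, where only users of the global customer or of this site's customer pass) is what check_auth in login.py and hook_login now rely on for an authorization decision. Add `"""Return True if user_id may log in to this site: always outside the managed edition, on CME only for users assigned to the global customer or to the customer this site belongs to."""` under the def line. The function-local `import managed` also deserves a one-line reason, e.g. `# imported lazily: the managed module is presumably only present on CME builds`, if that is indeed why it is not a top-level import. It would further help to state what the function returns for a user_id with no customer attribute, since that outcome depends on what managed.get_customer_id and managed.is_current_customer do with such a value, which the hunk does not show.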
@@ -1174,6 +1188,11 @@ def hook_login(username, password):
# Check whether or not the user exists (and maybe create it)
create_non_existing_user(connection_id, username)
+ if not is_customer_user_allowed_to_login(username):
+ # A CME not assigned with the current sites customer
+ # is not allowed to login
+ return False
+
# Now, after successfull login (and optional user account
# creation), check whether or not the user is locked.
# In e.g. htpasswd connector this is checked by validating the
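Review bot: The customer check sits after `create_non_existing_user(connection_id, username)`, so a user whose credentials a connector accepted is presumably first created on this site and only then rejected, leaving an account behind on the central site for someone who is never allowed in. If the check must come after creation because it reads the stored user attributes, the code should say so; `# Must run after create_non_existing_user(): the customer assignment is read from the stored user attributes` above the new `if` would make the ordering deliberate rather than accidental. Otherwise consider moving the check ahead of the creation call so that rejected users are not persisted. hook_login continues outside the hunk.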