mirror/Part-DB.Part-DB-server
1
0
Fork 1
mirror of https://github.com/Part-DB/Part-DB-server.git synced 2025-06-28 04:30:08 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

Added basic logic for impersonation

Browse source
This commit is contained in:
Jan Böhmer 2023-07-04 00:31:13 +02:00
parent 15e072a2ff
commit d20153c569
7 changed files with 163 additions and 27 deletions
Download patch file Download diff file Expand all files Collapse all files

3
config/packages/security.yaml
View file

@ -21,6 +21,9 @@ security:
user_checker: App\Security\UserChecker
entry_point: form_login
# Enable user impersonation
switch_user: { role: CAN_SWITCH_USER }
two_factor:
auth_form_path: 2fa_login
check_path: 2fa_login_check

3
config/permissions.yaml
View file

@ -190,6 +190,9 @@ perms: # Here comes a list with all Permission names (they have a perm_[name] co
set_password:
label: "perm.users.set_password"
alsoSet: 'read'
impersonate:
label: "perm.users.impersonate"
alsoSet: ['set_password']
change_user_settings:
label: "perm.users.change_user_settings"
show_history:

60
src/Security/Voter/ImpersonateUserVoter.php Normal file
View file

@ -0,0 +1,60 @@
<?php
/*
* This file is part of Part-DB (https://github.com/Part-DB/Part-DB-symfony).
*
* Copyright (C) 2019 - 2023 Jan Böhmer (https://github.com/jbtronics)
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published
* by the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*/
declare(strict_types=1);
namespace App\Security\Voter;
use App\Entity\UserSystem\User;
use App\Services\UserSystem\PermissionManager;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Authorization\Voter\Voter;
use Symfony\Component\Security\Core\User\UserInterface;
class ImpersonateUserVoter extends Voter
{
public function __construct(private PermissionManager $permissionManager)
{
}
protected function supports(string $attribute, mixed $subject): bool
{
return $attribute == 'CAN_SWITCH_USER'
&& $subject instanceof UserInterface;
}
protected function voteOnAttribute(string $attribute, mixed $subject, TokenInterface $token): bool
{
$user = $token->getUser();
if (!$user instanceof User || !$subject instanceof UserInterface) {
return false;
}
//An disabled user is not allowed to do anything...
if ($user->isDisabled()) {
return false;
}
return $this->permissionManager->inherit($user, 'users', 'impersonate') ?? false;
}
}

26
src/Twig/UserExtension.php
View file

@ -46,6 +46,8 @@ use App\Entity\UserSystem\User;
use App\Entity\LogSystem\AbstractLogEntry;
use App\Repository\LogEntryRepository;
use Doctrine\ORM\EntityManagerInterface;
use Symfony\Bundle\SecurityBundle\Security;
use Symfony\Component\Security\Core\Authentication\Token\SwitchUserToken;
use Twig\Extension\AbstractExtension;
use Twig\TwigFilter;
use Twig\TwigFunction;
@ -57,7 +59,7 @@ final class UserExtension extends AbstractExtension
{
private readonly LogEntryRepository $repo;
public function __construct(EntityManagerInterface $em)
public function __construct(EntityManagerInterface $em, private readonly Security $security)
{
$this->repo = $em->getRepository(AbstractLogEntry::class);
}
@ -76,9 +78,31 @@ final class UserExtension extends AbstractExtension
new TwigFunction('last_editing_user', fn(AbstractDBElement $element): ?User => $this->repo->getLastEditingUser($element)),
/* Returns the user which has created the given entity. */
new TwigFunction('creating_user', fn(AbstractDBElement $element): ?User => $this->repo->getCreatingUser($element)),
new TwigFunction('impersonator_user', $this->getImpersonatorUser(...)),
new TwigFunction('impersonation_active', $this->isImpersonationActive(...)),
];
}
/**
* This function returns the user which has impersonated the current user.
* If the current user is not impersonated, null is returned.
* @return User|null
*/
public function getImpersonatorUser(): ?User
{
$token = $this->security->getToken();
if ($token instanceof SwitchUserToken) {
return $token->getOriginalToken()->getUser();
}
return null;
}
public function isImpersonationActive(): bool
{
return $this->security->isGranted('IS_IMPERSONATOR');
}
/**
* This function/filter generates a path.
*/

42
templates/_navbar.html.twig
View file

@ -37,23 +37,45 @@
<li class="nav-item dropdown">
<a href="#" class="dropdown-toggle link-anchor nav-link" data-bs-toggle="dropdown" role="button"
aria-haspopup="true" aria-expanded="false" id="navbar-user-dropdown-btn" data-bs-reference="window">
{% if app.user %}<i class="fa fa-user" aria-hidden="true"></i>{% else %}<i class="far fa-user"
aria-hidden="true"></i>{% endif %}
{% if app.user %} {# Logged in #}
{% if impersonation_active() %} {# Impersonated user #}
<i class="fa-solid fa-user-secret text-warning"></i>
{% else %}
<i class="fas fa-user" aria-hidden="true"></i>
{% endif %}
{% else %} {# Not logged in #}
<i class="far fa-user" aria-hidden="true"></i>
{% endif %}
<span class="caret"></span></a>
<ul class="dropdown-menu dropdown-menu-end" id="login-menu" aria-labelledby="navbar-user-dropdown-btn">
{% if app.user %}
<a class="dropdown-item disabled" href="#">{% trans %}user.loggedin.label{% endtrans %}
{{ helper.user_icon(app.user) }} <b>{{ app.user.firstName }} {{ app.user.lastName }}</b> (@{{ app.user.name }})</a>
<a class="dropdown-item" href="{{ path("user_settings") }}"><i class="fa fa-cogs fa-fw"
aria-hidden="true"></i> {% trans %}user.settings.label{% endtrans %}
{% if impersonation_active() %}
{% set impersonator = impersonator_user() %}
<a class="dropdown-item disabled text-warning" href="#">{% trans %}user.impersonated_by.label{% endtrans %}
{{ helper.user_icon(impersonator) }} <b>{{ impersonator.firstName }} {{ impersonator.lastName }}</b> (@{{ impersonator.name }})</a>
{% endif %}
<a class="dropdown-item" href="{{ path("user_settings") }}">
<i class="fa fa-cogs fa-fw" aria-hidden="true"></i> {% trans %}user.settings.label{% endtrans %}
</a>
<a class="dropdown-item" href="{{ path("user_info_self") }}"><i
class="fa fa-info-circle fa-fw"
aria-hidden="true"></i> {% trans %}user.info.label{% endtrans %}</a>
<a class="dropdown-item" href="{{ path("user_info_self") }}">
<i class="fa fa-info-circle fa-fw" aria-hidden="true"></i> {% trans %}user.info.label{% endtrans %}</a>
<li role="separator" class="dropdown-divider"></li>
<a class="dropdown-item" href="{{ path('logout') }}" data-turbo="false" data-turbo-frame="_top"><i
class="fa fa-sign-out-alt fa-fw"
aria-hidden="true"></i> {% trans %}user.logout{% endtrans %}</a>
{% if impersonation_active() %}
<a class="dropdown-item" href="{{ impersonation_exit_path() }}" data-turbo="false" data-turbo-frame="_top">
<i class="fa fa-turn-up fa-fw" aria-hidden="true"></i> {% trans %}user.stop_impersonation{% endtrans %}
</a>
{% endif %}
<a class="dropdown-item" href="{{ path('logout') }}" data-turbo="false" data-turbo-frame="_top">
<i class="fa fa-sign-out-alt fa-fw" aria-hidden="true"></i> {% trans %}user.logout{% endtrans %}
</a>
{% else %}
<a class="dropdown-item"
href="{{ path('login', {'_target_path': app.request.pathinfo | remove_locale_from_path}) }}"

6
templates/admin/user_admin.html.twig
View file

@ -24,6 +24,12 @@
{{ form_row(form.showEmailOnProfile) }}
{{ form_row(form.department) }}
{{ form_row(form.aboutMe) }}
<div class="row mb-2">
<a href="#" class="btn btn-link">Impersonate</a>
</div>
{% endblock %}
{% block additional_panes %}

48
translations/messages.en.xlf
View file

@ -731,10 +731,10 @@
</notes>
<segment>
<source>user.edit.tfa.disable_tfa_message</source>
<target>This will disable &lt;b&gt;all active two-factor authentication methods of the user&lt;/b&gt; and delete the &lt;b&gt;backup codes&lt;/b&gt;!
&lt;br&gt;
The user will have to set up all two-factor authentication methods again and print new backup codes! &lt;br&gt;&lt;br&gt;
&lt;b&gt;Only do this if you are absolutely sure about the identity of the user (seeking help), otherwise the account could be compromised by an attacker!&lt;/b&gt;</target>
<target><![CDATA[This will disable <b>all active two-factor authentication methods of the user</b> and delete the <b>backup codes</b>!
<br>
The user will have to set up all two-factor authentication methods again and print new backup codes! <br><br>
<b>Only do this if you are absolutely sure about the identity of the user (seeking help), otherwise the account could be compromised by an attacker!</b>]]></target>
</segment>
</unit>
<unit id="02HvwiS" name="user.edit.tfa.disable_tfa.btn">
@ -11326,70 +11326,88 @@ Element 3</target>
</segment>
</unit>
<unit id="DGczoY6" name="tfa_u2f.add_key.registration_error">
<segment state="translated">
<segment>
<source>tfa_u2f.add_key.registration_error</source>
<target>An error occurred during the registration of the security key. Try again or use another security key!</target>
</segment>
</unit>
<unit id="ie0Ca0l" name="log.target_type.none">
<segment state="translated">
<segment>
<source>log.target_type.none</source>
<target>None</target>
</segment>
</unit>
<unit id="R2nX4ip" name="ui.darkmode.light">
<segment state="translated">
<segment>
<source>ui.darkmode.light</source>
<target>Light</target>
</segment>
</unit>
<unit id="3NHpuW3" name="ui.darkmode.dark">
<segment state="translated">
<segment>
<source>ui.darkmode.dark</source>
<target>Dark</target>
</segment>
</unit>
<unit id="4TGOK5_" name="ui.darkmode.auto">
<segment state="translated">
<segment>
<source>ui.darkmode.auto</source>
<target>Auto (decide based on system settings)</target>
</segment>
</unit>
<unit id="9N0N8aL" name="label_generator.no_lines_given">
<segment state="translated">
<segment>
<source>label_generator.no_lines_given</source>
<target>No text content given! The labels will remain empty.</target>
</segment>
</unit>
<unit id="RdFvZsb" name="user.password_strength.very_weak">
<segment state="translated">
<segment>
<source>user.password_strength.very_weak</source>
<target>Very weak</target>
</segment>
</unit>
<unit id="IBjmblZ" name="user.password_strength.weak">
<segment state="translated">
<segment>
<source>user.password_strength.weak</source>
<target>Weak</target>
</segment>
</unit>
<unit id="qSm_ID0" name="user.password_strength.medium">
<segment state="translated">
<segment>
<source>user.password_strength.medium</source>
<target>Medium</target>
</segment>
</unit>
<unit id="aWAaADS" name="user.password_strength.strong">
<segment state="translated">
<segment>
<source>user.password_strength.strong</source>
<target>Strong</target>
</segment>
</unit>
<unit id="Wa9CStW" name="user.password_strength.very_strong">
<segment state="translated">
<segment>
<source>user.password_strength.very_strong</source>
<target>Very strong</target>
</segment>
</unit>
<unit id="6OHd5fv" name="perm.users.impersonate">
<segment>
<source>perm.users.impersonate</source>
<target>Impersonate other users</target>
</segment>
</unit>
<unit id="ssn1H1A" name="user.impersonated_by.label">
<segment>
<source>user.impersonated_by.label</source>
<target>Impersonated by</target>
</segment>
</unit>
<unit id="inTlSge" name="user.stop_impersonation">
<segment>
<source>user.stop_impersonation</source>
<target>Stop impersonation</target>
</segment>
</unit>
</file>
</xliff>