disable password/mfa reset views if block_local_logon is enabled

2024-10-29 11:17:42 -04:00
parent 0d021a800a
commit 0f86bbfad8
4 changed files with 20 additions and 5 deletions
--- a/api/tacticalrmm/accounts/permissions.py
+++ b/api/tacticalrmm/accounts/permissions.py
@@ -1,7 +1,7 @@
 from rest_framework import permissions

 from tacticalrmm.permissions import _has_perm
-
+from tacticalrmm.utils import get_core_settings

 class AccountsPerms(permissions.BasePermission):
    def has_permission(self, r, view) -> bool:
@@ -40,3 +40,9 @@ class APIKeyPerms(permissions.BasePermission):
            return _has_perm(r, "can_list_api_keys")

        return _has_perm(r, "can_manage_api_keys")
+
+
+class LocalUserPerms(permissions.BasePermission):
+    def has_permission(self, r, view) -> bool:
+        settings = get_core_settings()
+        return not settings.block_local_user_logon
--- a/api/tacticalrmm/accounts/views.py
+++ b/api/tacticalrmm/accounts/views.py
@@ -25,7 +25,7 @@ from tacticalrmm.helpers import notify_error
 from tacticalrmm.utils import get_core_settings

 from .models import APIKey, Role, User
-from .permissions import AccountsPerms, APIKeyPerms, RolesPerms
+from .permissions import AccountsPerms, APIKeyPerms, RolesPerms, LocalUserPerms
 from .serializers import (
    APIKeySerializer,
    RoleSerializer,
@@ -381,7 +381,7 @@ class GetUpdateDeleteUser(APIView):


 class UserActions(APIView):
-    permission_classes = [IsAuthenticated, AccountsPerms]
+    permission_classes = [IsAuthenticated, AccountsPerms, LocalUserPerms]

    # reset password
    def post(self, request):
@@ -507,7 +507,7 @@ class GetUpdateDeleteAPIKey(APIView):


 class ResetPass(APIView):
-    permission_classes = [IsAuthenticated]
+    permission_classes = [IsAuthenticated, LocalUserPerms]

    def put(self, request):
        user = request.user
@@ -517,7 +517,7 @@ class ResetPass(APIView):


 class Reset2FA(APIView):
-    permission_classes = [IsAuthenticated]
+    permission_classes = [IsAuthenticated, LocalUserPerms]

    def put(self, request):
        user = request.user
--- a/api/tacticalrmm/core/models.py
+++ b/api/tacticalrmm/core/models.py
@@ -130,6 +130,13 @@ class CoreSettings(BaseAuditModel):
                self.mesh_token = settings.MESH_TOKEN_KEY

        old_settings = type(self).objects.get(pk=self.pk) if self.pk else None
+
+        print(old_settings.__dict__)
+        # fail safe to not lock out user logons
+        if not old_settings.sso_enabled and old_settings.block_local_user_logon:
+            self.block_local_user_logon = False
+            print("I'm Here!")
+
        super().save(*args, **kwargs)

        if old_settings:
--- a/api/tacticalrmm/core/views.py
+++ b/api/tacticalrmm/core/views.py
@@ -137,6 +137,8 @@ def dashboard_info(request):
            "run_cmd_placeholder_text": runcmd_placeholder_text(),
            "server_scripts_enabled": core_settings.server_scripts_enabled,
            "web_terminal_enabled": core_settings.web_terminal_enabled,
+            "block_local_user_logon": core_settings.block_local_user_logon,
+            "sso_enabled": core_settings.sso_enabled,
        }
    )