From 0f86bbfad846ebc44a47505454d8bd681f1f33df Mon Sep 17 00:00:00 2001
From: sadnub
Date: Tue, 29 Oct 2024 11:17:42 -0400
Subject: [PATCH] disable password/mfa reset views if block_local_logon is enabled

---
 api/tacticalrmm/accounts/permissions.py | 8 +++++++-
 api/tacticalrmm/accounts/views.py | 8 ++++----
 api/tacticalrmm/core/models.py | 7 +++++++
 api/tacticalrmm/core/views.py | 2 ++
 4 files changed, 20 insertions(+), 5 deletions(-)

diff --git a/api/tacticalrmm/accounts/permissions.py b/api/tacticalrmm/accounts/permissions.py
index e9e809ec..dca10bae 100644
--- a/api/tacticalrmm/accounts/permissions.py
+++ b/api/tacticalrmm/accounts/permissions.py
@@ -1,7 +1,7 @@
 from rest_framework import permissions
 
 from tacticalrmm.permissions import _has_perm
-
+from tacticalrmm.utils import get_core_settings
 
 class AccountsPerms(permissions.BasePermission):
     def has_permission(self, r, view) -> bool:
@@ -40,3 +40,9 @@ class APIKeyPerms(permissions.BasePermission):
             return _has_perm(r, "can_list_api_keys")
 
         return _has_perm(r, "can_manage_api_keys")
+
+
+class LocalUserPerms(permissions.BasePermission):
+    def has_permission(self, r, view) -> bool:
+        settings = get_core_settings()
+        return not settings.block_local_user_logon
\ No newline at end of file
diff --git a/api/tacticalrmm/accounts/views.py b/api/tacticalrmm/accounts/views.py
index 0818d723..1d7532f4 100644
--- a/api/tacticalrmm/accounts/views.py
+++ b/api/tacticalrmm/accounts/views.py
@@ -25,7 +25,7 @@ from tacticalrmm.helpers import notify_error
 from tacticalrmm.utils import get_core_settings
 
 from .models import APIKey, Role, User
-from .permissions import AccountsPerms, APIKeyPerms, RolesPerms
+from .permissions import AccountsPerms, APIKeyPerms, RolesPerms, LocalUserPerms
 from .serializers import (
     APIKeySerializer,
     RoleSerializer,
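Review bot: LocalUserPerms.has_permission returns a bare False when block_local_user_logon is set, so a caller of the reset views gets DRF's generic 403 with no hint that local password/2FA reset is disabled on purpose; give the class a `message = "Local user logon is disabled"` attribute so the response says why. The class also has no docstring — one stating that it denies the whole view whenever CoreSettings.block_local_user_logon is true, and is meant for views that only make sense for locally authenticated users, would tell the next reader what it is for. If get_core_settings() is a database read (its body is not in this diff), every request to a view carrying this class now costs one extra query, which is acceptable for reset endpoints but worth knowing. Two style points: the local named `settings` shadows the name Django code conventionally uses for django.conf.settings (`core = get_core_settings()` avoids that), and the import added in the first hunk of this file replaced one of the two blank lines that separated the imports from class AccountsPerms. The file now ends without a trailing newline, as the `\ No newline at end of file` marker shows.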
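Review bot: `LocalUserPerms` is appended after `RolesPerms`, breaking the alphabetical order the original import line kept. `from .permissions import AccountsPerms, APIKeyPerms, LocalUserPerms, RolesPerms` keeps it sorted, which is what isort-style tooling would emit.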
@@ -381,7 +381,7 @@ class GetUpdateDeleteUser(APIView):
 
 
 class UserActions(APIView):
-    permission_classes = [IsAuthenticated, AccountsPerms]
+    permission_classes = [IsAuthenticated, AccountsPerms, LocalUserPerms]
 
     # reset password
     def post(self, request):
@@ -507,7 +507,7 @@ class GetUpdateDeleteAPIKey(APIView):
 
 
 class ResetPass(APIView):
-    permission_classes = [IsAuthenticated]
+    permission_classes = [IsAuthenticated, LocalUserPerms]
 
     def put(self, request):
         user = request.user
@@ -517,7 +517,7 @@ class ResetPass(APIView):
 
 
 class Reset2FA(APIView):
-    permission_classes = [IsAuthenticated]
+    permission_classes = [IsAuthenticated, LocalUserPerms]
 
     def put(self, request):
         user = request.user
diff --git a/api/tacticalrmm/core/models.py b/api/tacticalrmm/core/models.py
index 0e3ef1a2..9f549911 100644
--- a/api/tacticalrmm/core/models.py
+++ b/api/tacticalrmm/core/models.py
@@ -130,6 +130,13 @@ class CoreSettings(BaseAuditModel):
             self.mesh_token = settings.MESH_TOKEN_KEY
 
         old_settings = type(self).objects.get(pk=self.pk) if self.pk else None
+
+        print(old_settings.__dict__)
+        # fail safe to not lock out user logons
+        if not old_settings.sso_enabled and old_settings.block_local_user_logon:
+            self.block_local_user_logon = False
+            print("I'm Here!")
+
         super().save(*args, **kwargs)
 
         if old_settings:
diff --git a/api/tacticalrmm/core/views.py b/api/tacticalrmm/core/views.py
index d2915fa9..eff8147a 100644
--- a/api/tacticalrmm/core/views.py
+++ b/api/tacticalrmm/core/views.py
@@ -137,6 +137,8 @@ def dashboard_info(request):
             "run_cmd_placeholder_text": runcmd_placeholder_text(),
             "server_scripts_enabled": core_settings.server_scripts_enabled,
             "web_terminal_enabled": core_settings.web_terminal_enabled,
+            "block_local_user_logon": core_settings.block_local_user_logon,
+            "sso_enabled": core_settings.sso_enabled,
         }
     )
 
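Review bot: Adding LocalUserPerms to UserActions.permission_classes blocks every method on the view, not only the password reset that the `# reset password` comment marks; if UserActions also serves other actions (its body runs past this hunk), confirm they should all be unavailable while block_local_user_logon is set, or move the check into post() instead. The same one-line change is applied to ResetPass and Reset2FA in the next two hunks, where it covers the whole view as the commit title intends. A one-line comment above each changed line, such as `# self-service reset is meaningless when local logon is blocked (SSO-only)`, would record why a permission unrelated to roles sits on these views.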
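Review bot: The fail-safe dereferences `old_settings`, which is None on a first save (the `if self.pk else None` on the line above), so `old_settings.sso_enabled` raises AttributeError before super().save() runs; it also tests the pre-save values rather than the ones being written, so a save that sets sso_enabled and block_local_user_logon together is reverted, while a save that turns sso_enabled off with the flag still set keeps the lockout the comment says it prevents. Checking the instance being saved fixes both: `if self.block_local_user_logon and not self.sso_enabled:` followed by `self.block_local_user_logon = False`. `print(old_settings.__dict__)` and `print("I'm Here!")` read as debugging leftovers; the first writes the entire stored CoreSettings row to stdout, which includes mesh_token (assigned a few lines above) and presumably any other credential fields the model holds, so both should be removed before merge. The enclosing save() starts and ends outside this hunk.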