mirror of
https://github.com/grafana/grafana.git
synced 2025-07-29 03:52:31 +08:00
Users: Disable users removed from LDAP (#16820)
* Users: add is_disabled column * Users: disable users removed from LDAP * Auth: return ErrInvalidCredentials for failed LDAP auth * User: return isDisabled flag in user search api * User: mark disabled users at the server admin page * Chore: refactor according to review * Auth: prevent disabled user from login * Auth: re-enable user when it found in ldap * User: add api endpoint for disabling user * User: use separate endpoints to disable/enable user * User: disallow disabling external users * User: able do disable users from admin UI * Chore: refactor based on review * Chore: use more clear error check when disabling user * Fix login tests * Tests for disabling user during the LDAP login * Tests for disable user API * Tests for login with disabled user * Remove disable user UI stub * Sync with latest LDAP refactoring
This commit is contained in:
Alexander Zobnin
@ -4,12 +4,12 @@ import (
|
||||
"github.com/grafana/grafana/pkg/api/dtos"
|
||||
"github.com/grafana/grafana/pkg/bus"
|
||||
"github.com/grafana/grafana/pkg/infra/metrics"
|
||||
m "github.com/grafana/grafana/pkg/models"
|
||||
"github.com/grafana/grafana/pkg/models"
|
||||
"github.com/grafana/grafana/pkg/util"
|
||||
)
|
||||
|
||||
func AdminCreateUser(c *m.ReqContext, form dtos.AdminCreateUserForm) {
|
||||
cmd := m.CreateUserCommand{
|
||||
func AdminCreateUser(c *models.ReqContext, form dtos.AdminCreateUserForm) {
|
||||
cmd := models.CreateUserCommand{
|
||||
Login: form.Login,
|
||||
Email: form.Email,
|
||||
Password: form.Password,
|
||||
@ -38,7 +38,7 @@ func AdminCreateUser(c *m.ReqContext, form dtos.AdminCreateUserForm) {
|
||||
|
||||
user := cmd.Result
|
||||
|
||||
result := m.UserIdDTO{
|
||||
result := models.UserIdDTO{
|
||||
Message: "User created",
|
||||
Id: user.Id,
|
||||
}
|
||||
@ -46,7 +46,7 @@ func AdminCreateUser(c *m.ReqContext, form dtos.AdminCreateUserForm) {
|
||||
c.JSON(200, result)
|
||||
}
|
||||
|
||||
func AdminUpdateUserPassword(c *m.ReqContext, form dtos.AdminUpdateUserPasswordForm) {
|
||||
func AdminUpdateUserPassword(c *models.ReqContext, form dtos.AdminUpdateUserPasswordForm) {
|
||||
userID := c.ParamsInt64(":id")
|
||||
|
||||
if len(form.Password) < 4 {
|
||||
@ -54,7 +54,7 @@ func AdminUpdateUserPassword(c *m.ReqContext, form dtos.AdminUpdateUserPasswordF
|
||||
return
|
||||
}
|
||||
|
||||
userQuery := m.GetUserByIdQuery{Id: userID}
|
||||
userQuery := models.GetUserByIdQuery{Id: userID}
|
||||
|
||||
if err := bus.Dispatch(&userQuery); err != nil {
|
||||
c.JsonApiErr(500, "Could not read user from database", err)
|
||||
@ -63,7 +63,7 @@ func AdminUpdateUserPassword(c *m.ReqContext, form dtos.AdminUpdateUserPasswordF
|
||||
|
||||
passwordHashed := util.EncodePassword(form.Password, userQuery.Result.Salt)
|
||||
|
||||
cmd := m.ChangeUserPasswordCommand{
|
||||
cmd := models.ChangeUserPasswordCommand{
|
||||
UserId: userID,
|
||||
NewPassword: passwordHashed,
|
||||
}
|
||||
@ -77,17 +77,17 @@ func AdminUpdateUserPassword(c *m.ReqContext, form dtos.AdminUpdateUserPasswordF
|
||||
}
|
||||
|
||||
// PUT /api/admin/users/:id/permissions
|
||||
func AdminUpdateUserPermissions(c *m.ReqContext, form dtos.AdminUpdateUserPermissionsForm) {
|
||||
func AdminUpdateUserPermissions(c *models.ReqContext, form dtos.AdminUpdateUserPermissionsForm) {
|
||||
userID := c.ParamsInt64(":id")
|
||||
|
||||
cmd := m.UpdateUserPermissionsCommand{
|
||||
cmd := models.UpdateUserPermissionsCommand{
|
||||
UserId: userID,
|
||||
IsGrafanaAdmin: form.IsGrafanaAdmin,
|
||||
}
|
||||
|
||||
if err := bus.Dispatch(&cmd); err != nil {
|
||||
if err == m.ErrLastGrafanaAdmin {
|
||||
c.JsonApiErr(400, m.ErrLastGrafanaAdmin.Error(), nil)
|
||||
if err == models.ErrLastGrafanaAdmin {
|
||||
c.JsonApiErr(400, models.ErrLastGrafanaAdmin.Error(), nil)
|
||||
return
|
||||
}
|
||||
|
||||
@ -98,10 +98,10 @@ func AdminUpdateUserPermissions(c *m.ReqContext, form dtos.AdminUpdateUserPermis
|
||||
c.JsonOK("User permissions updated")
|
||||
}
|
||||
|
||||
func AdminDeleteUser(c *m.ReqContext) {
|
||||
func AdminDeleteUser(c *models.ReqContext) {
|
||||
userID := c.ParamsInt64(":id")
|
||||
|
||||
cmd := m.DeleteUserCommand{UserId: userID}
|
||||
cmd := models.DeleteUserCommand{UserId: userID}
|
||||
|
||||
if err := bus.Dispatch(&cmd); err != nil {
|
||||
c.JsonApiErr(500, "Failed to delete user", err)
|
||||
@ -111,8 +111,48 @@ func AdminDeleteUser(c *m.ReqContext) {
|
||||
c.JsonOK("User deleted")
|
||||
}
|
||||
|
||||
// POST /api/admin/users/:id/disable
|
||||
func AdminDisableUser(c *models.ReqContext) {
|
||||
userID := c.ParamsInt64(":id")
|
||||
|
||||
// External users shouldn't be disabled from API
|
||||
authInfoQuery := &models.GetAuthInfoQuery{UserId: userID}
|
||||
if err := bus.Dispatch(authInfoQuery); err != models.ErrUserNotFound {
|
||||
c.JsonApiErr(500, "Could not disable external user", nil)
|
||||
return
|
||||
}
|
||||
|
||||
disableCmd := models.DisableUserCommand{UserId: userID, IsDisabled: true}
|
||||
if err := bus.Dispatch(&disableCmd); err != nil {
|
||||
c.JsonApiErr(500, "Failed to disable user", err)
|
||||
return
|
||||
}
|
||||
|
||||
c.JsonOK("User disabled")
|
||||
}
|
||||
|
||||
// POST /api/admin/users/:id/enable
|
||||
func AdminEnableUser(c *models.ReqContext) {
|
||||
userID := c.ParamsInt64(":id")
|
||||
|
||||
// External users shouldn't be disabled from API
|
||||
authInfoQuery := &models.GetAuthInfoQuery{UserId: userID}
|
||||
if err := bus.Dispatch(authInfoQuery); err != models.ErrUserNotFound {
|
||||
c.JsonApiErr(500, "Could not enable external user", nil)
|
||||
return
|
||||
}
|
||||
|
||||
disableCmd := models.DisableUserCommand{UserId: userID, IsDisabled: false}
|
||||
if err := bus.Dispatch(&disableCmd); err != nil {
|
||||
c.JsonApiErr(500, "Failed to enable user", err)
|
||||
return
|
||||
}
|
||||
|
||||
c.JsonOK("User enabled")
|
||||
}
|
||||
|
||||
// POST /api/admin/users/:id/logout
|
||||
func (server *HTTPServer) AdminLogoutUser(c *m.ReqContext) Response {
|
||||
func (server *HTTPServer) AdminLogoutUser(c *models.ReqContext) Response {
|
||||
userID := c.ParamsInt64(":id")
|
||||
|
||||
if c.UserId == userID {
|
||||
@ -123,13 +163,13 @@ func (server *HTTPServer) AdminLogoutUser(c *m.ReqContext) Response {
|
||||
}
|
||||
|
||||
// GET /api/admin/users/:id/auth-tokens
|
||||
func (server *HTTPServer) AdminGetUserAuthTokens(c *m.ReqContext) Response {
|
||||
func (server *HTTPServer) AdminGetUserAuthTokens(c *models.ReqContext) Response {
|
||||
userID := c.ParamsInt64(":id")
|
||||
return server.getUserAuthTokensInternal(c, userID)
|
||||
}
|
||||
|
||||
// POST /api/admin/users/:id/revoke-auth-token
|
||||
func (server *HTTPServer) AdminRevokeUserAuthToken(c *m.ReqContext, cmd m.RevokeAuthTokenCmd) Response {
|
||||
func (server *HTTPServer) AdminRevokeUserAuthToken(c *models.ReqContext, cmd models.RevokeAuthTokenCmd) Response {
|
||||
userID := c.ParamsInt64(":id")
|
||||
return server.revokeUserAuthTokenInternal(c, userID, cmd)
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user