from ldap3.utils.dn import escape_rdn

Franzi 2021-12-21 11:02:48 +01:00
parent c08a24b9f3
commit 1fd2c4e984
Signed by: kunsi
GPG key ID: 12E3D2136B818350


@ -4,6 +4,7 @@ from os import environ
from flask import Flask, flash, redirect, request, session, url_for from flask import Flask, flash, redirect, request, session, url_for
from ldap3 import ALL_ATTRIBUTES, MODIFY_ADD, MODIFY_DELETE from ldap3 import ALL_ATTRIBUTES, MODIFY_ADD, MODIFY_DELETE
from ldap3.core.exceptions import LDAPException from ldap3.core.exceptions import LDAPException
from ldap3.utils.dn import escape_rdn
from .helpers.flask import template from .helpers.flask import template
from .helpers.ldap import ( from .helpers.ldap import (
@ -35,11 +36,11 @@ def login():
if request.method == "POST": if request.method == "POST":
if try_auth( if try_auth(
request.form["username"], escape_rdn(request.form["username"]),
request.form["password"], request.form["password"],
): ):
session["is_logged_in"] = True session["is_logged_in"] = True
session["username"] = request.form["username"] session["username"] = escape_rdn(request.form["username"])
session["password"] = request.form["password"] session["password"] = request.form["password"]
flash("logged in") flash("logged in")
@ -119,12 +120,11 @@ def selfservice(ldap):
flash("password changed") flash("password changed")
except LDAPException as e: except LDAPException as e:
app.logger.error( app.logger.error(
"Updating {} failed: {}\n{}".format( "Updating {} failed: {}".format(
APP_CONFIG["template"]["user_dn"].format( APP_CONFIG["template"]["user_dn"].format(
session["username"] session["username"]
), ),
repr(e), repr(e),
repr(request.form),
), ),
) )
flash(e) flash(e)
@ -154,6 +154,8 @@ def groups(ldap):
@app.route("/groups/<ou>", methods=["GET", "POST"]) @app.route("/groups/<ou>", methods=["GET", "POST"])
@admin_required @admin_required
def group_edit(ldap, ou): def group_edit(ldap, ou):
ou = escape_rdn(ou)
if request.method == "POST": if request.method == "POST":
if request.form.get("remove"): if request.form.get("remove"):
ldap.modify( ldap.modify(
@ -163,7 +165,7 @@ def group_edit(ldap, ou):
( (
MODIFY_DELETE, MODIFY_DELETE,
APP_CONFIG["template"]["user_dn"].format( APP_CONFIG["template"]["user_dn"].format(
request.form["remove"] escape_rdn(request.form["remove"])
), ),
) )
] ]
@ -178,7 +180,7 @@ def group_edit(ldap, ou):
( (
MODIFY_ADD, MODIFY_ADD,
APP_CONFIG["template"]["user_dn"].format( APP_CONFIG["template"]["user_dn"].format(
request.form["add"] escape_rdn(request.form["add"])
), ),
) )
] ]
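Review bot: In `group_edit`, `ou = escape_rdn(ou)` rebinds the route parameter, so every later use of `ou` in the function gets the DN-escaped form rather than only the DN built from it; the body continues outside the visible hunks, and if `ou` also reaches a search filter there, DN escaping is the wrong encoding and the filter would need `escape_filter_chars` from `ldap3.utils.conv`. The same pattern appears in `login`, where `session["username"] = escape_rdn(request.form["username"])` stores an escaped string that everything else reading the session then inherits, and the call is repeated on the same form value two lines apart. I would keep the raw values in `ou` and in the session and escape where the DN is formatted, e.g. `APP_CONFIG["template"]["user_dn"].format(escape_rdn(session["username"]))`, ideally through one small helper shared by the `selfservice`, remove and add call sites so a new call site cannot forget it. Separately, `flash(e)` in `selfservice` still shows the raw `LDAPException` text to the user even though the log line no longer includes `repr(request.form)`; a generic message with the detail kept in the log would be safer.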