diff --git a/plinth/middleware.py b/plinth/middleware.py index 562efd0e1..05f970113 100644 --- a/plinth/middleware.py +++ b/plinth/middleware.py @@ -31,6 +31,7 @@ from stronghold.utils import is_view_func_public import plinth from plinth.package import PackageException +from plinth.utils import is_user_admin from . import views @@ -101,5 +102,5 @@ class AdminRequiredMiddleware(object): hasattr(view_func, 'IS_NON_ADMIN'): return - if not request.user.groups.filter(name='admin').exists(): + if not is_user_admin(request.user): raise PermissionDenied diff --git a/plinth/modules/users/forms.py b/plinth/modules/users/forms.py index 38ef40eb9..add7a2379 100644 --- a/plinth/modules/users/forms.py +++ b/plinth/modules/users/forms.py @@ -29,6 +29,7 @@ from plinth import actions from plinth.errors import ActionError from plinth.modules import first_boot from plinth.modules.security import set_restricted_access +from plinth.utils import is_user_admin # Usernames used by optional services (that might not be installed yet). RESERVED_USERNAMES = [ @@ -167,8 +168,13 @@ class UserUpdateForm(ValidNewUsernameCheckMixin, forms.ModelForm): self.request = request self.username = username + super(UserUpdateForm, self).__init__(*args, **kwargs) + if not is_user_admin(request.user): + self.fields['is_active'].widget = forms.HiddenInput() + self.fields['groups'].disabled = True + def save(self, commit=True): """Update LDAP user name and groups after saving user model.""" user = super(UserUpdateForm, self).save(commit) diff --git a/plinth/modules/users/views.py b/plinth/modules/users/views.py index 66358c1e9..626ce83ac 100644 --- a/plinth/modules/users/views.py +++ b/plinth/modules/users/views.py 
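Review bot: In the non-admin branch added to UserUpdateForm.__init__, `is_active` only gets a `forms.HiddenInput()` widget, which changes how the field is rendered but still lets the form bind whatever value the request submits. `groups` gets `disabled = True`, so its value is taken from the initial data regardless of the submission. If a non-admin should not be able to change either field, add `self.fields['is_active'].disabled = True` next to the widget change. Whether save() re-checks this is not visible, because __init__ begins and save() continues outside the hunk. A comment such as `# Non-admins may edit their own account, but not its active flag or group membership` would also record why the branch exists.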
@@ -31,6 +31,7 @@ from .forms import CreateUserForm, UserChangePasswordForm, UserUpdateForm, \ from plinth import actions from plinth.errors import ActionError from plinth.modules import first_boot +from plinth.utils import is_user_admin subsubmenu = [{'url': reverse_lazy('users:index'), 'text': ugettext_lazy('Users')}, @@ -84,7 +85,7 @@ class UserUpdate(ContextMixin, SuccessMessageMixin, UpdateView): def dispatch(self, request, *args, **kwargs): """Handle a request and return a HTTP response.""" if self.request.user.get_username() != self.kwargs['slug'] \ - and not self.request.user.groups.filter(name='admin').exists(): + and not is_user_admin(self.request.user): raise PermissionDenied return super().dispatch(request, *args, **kwargs) @@ -155,7 +156,7 @@ class UserChangePassword(ContextMixin, SuccessMessageMixin, FormView): def dispatch(self, request, *args, **kwargs): """Handle a request and return a HTTP response.""" if self.request.user.get_username() != self.kwargs['slug'] \ - and not self.request.user.groups.filter(name='admin').exists(): + and not is_user_admin(self.request.user): raise PermissionDenied return super().dispatch(request, *args, **kwargs) diff --git a/plinth/utils.py b/plinth/utils.py index 9f6cd97ac..7fd712d58 100644 --- a/plinth/utils.py +++ b/plinth/utils.py @@ -50,3 +50,8 @@ def non_admin_view(func): """Decorator to mark a view as accesible by non-admin users.""" setattr(func, 'IS_NON_ADMIN', True) return func + + +def is_user_admin(user): + """Return whether user is an administrator.""" + return user.groups.filter(name='admin').exists() diff --git a/plinth/views.py b/plinth/views.py index 2f0db2375..31b2dfc52 100644 --- a/plinth/views.py +++ b/plinth/views.py @@ -30,6 +30,7 @@ import time from . import forms, frontpage import plinth +from plinth.utils import is_user_admin @public 
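Review bot: The own-account-or-admin check in UserUpdate.dispatch is repeated word for word in UserChangePassword.dispatch (the next hunk), so the two access rules can drift apart when only one is edited. Consider moving it into one place, such as a small mixin or module-level helper that both dispatch methods call. Its docstring should state that a user may act on the account named by `slug` only if it is their own or they are an administrator. Both methods also read `self.request.user` although `request` is passed in; `is_user_admin(request.user)` would match the other call sites in this commit.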
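Review bot: The docstring of is_user_admin in plinth/utils.py does not say what makes a user an administrator, nor that the call costs a database query. The body tests membership of the Django group named 'admin' with `.exists()`, so a suggested docstring is `"""Return whether user belongs to the 'admin' group (runs one query per call)."""`. This commit calls the helper from the middleware, the view dispatch and the form constructor, so a single request to the user edit page may run the same query more than once. Whether that is worth caching on the request is for the maintainers to judge.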
@@ -44,7 +45,6 @@ def index(request): details_label = frontpage.shortcuts[selection]['label'] configure_url = frontpage.shortcuts[selection]['configure_url'] - user_is_admin = request.user.groups.filter(name='admin').exists() return TemplateResponse(request, 'index.html', {'title': _('FreedomBox'), 'shortcuts': shortcuts, @@ -52,7 +52,7 @@ def index(request): 'details': details, 'details_label': details_label, 'configure_url': configure_url, - 'user_is_admin': user_is_admin}) + 'user_is_admin': is_user_admin(request.user)}) class ServiceView(FormView):