From: Michael Tremer Date: Sat, 25 Jun 2022 18:45:25 +0000 (+0000) Subject: sessions: Drop impersonation feature X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=70987fab4e5454cb54fc26443e1e20634c1a5ccf;p=pbs.git sessions: Drop impersonation feature It was nice, but hopefully won't be needed any more Signed-off-by: Michael Tremer --- diff --git a/src/buildservice/sessions.py b/src/buildservice/sessions.py index 0b87ae69..b3a1a136 100644 --- a/src/buildservice/sessions.py +++ b/src/buildservice/sessions.py @@ -68,11 +68,6 @@ class Session(base.DataObject): def user(self): return self.backend.users.get_by_id(self.data.user_id) - @lazy_property - def impersonated_user(self): - if self.data.impersonated_user_id: - return self.backend.users.get_by_id(self.data.impersonated_user_id) - @property def created_at(self): return self.data.created_at @@ -88,15 +83,3 @@ class Session(base.DataObject): @property def user_agent(self): return self.data.user_agent - - def start_impersonation(self, user): - if not self.user.is_admin(): - raise RuntimeError("Only admins can impersonate other users") - - if self.user == user: - raise RuntimeError("You cannot impersonate yourself") - - self._set_attribute("impersonated_user_id", user.id) - - def stop_impersonation(self): - self._set_attribute("impersonated_user_id", None) diff --git a/src/database.sql b/src/database.sql index 7e60f3df..565d294d 100644 --- a/src/database.sql +++ b/src/database.sql @@ -1187,10 +1187,8 @@ CREATE TABLE public.sessions ( created_at timestamp without time zone DEFAULT now() NOT NULL, valid_until timestamp without time zone DEFAULT (now() + '7 days'::interval) NOT NULL, user_id integer NOT NULL, - impersonated_user_id integer, address inet, - user_agent text, - CONSTRAINT sessions_impersonation_check CHECK (((impersonated_user_id IS NULL) OR (user_id <> impersonated_user_id))) + user_agent text ); 
@@ -2617,14 +2615,6 @@ ALTER TABLE ONLY public.repositories ADD CONSTRAINT repositories_parent_id FOREIGN KEY (parent_id) REFERENCES public.repositories(id); --- --- Name: sessions sessions_impersonated_user_id; Type: FK CONSTRAINT; Schema: public; Owner: pakfire --- - -ALTER TABLE ONLY public.sessions - ADD CONSTRAINT sessions_impersonated_user_id FOREIGN KEY (impersonated_user_id) REFERENCES public.users(id); - - -- -- Name: sessions sessions_user_id; Type: FK CONSTRAINT; Schema: public; Owner: pakfire -- diff --git a/src/web/__init__.py b/src/web/__init__.py index 5219c492..b34874e7 100644 --- a/src/web/__init__.py +++ b/src/web/__init__.py @@ -123,7 +123,6 @@ class Application(tornado.web.Application): repos.EditHandler), (r"/users/(?P\w+)/repos/(?P[A-Za-z0-9\-]+)/mirrorlist", repos.MirrorlistHandler), - (r"/user/(\w+)/impersonate", users.UserImpersonateHandler), (r"/user/(\w+)/delete", users.UserDeleteHandler), (r"/user/(\w+)/edit", users.UserEditHandler), (r"/profile/builds", users.UsersBuildsHandler), diff --git a/src/web/auth.py b/src/web/auth.py index 6ba06c27..4b6245bf 100644 --- a/src/web/auth.py +++ b/src/web/auth.py @@ -44,16 +44,11 @@ class LogoutHandler(base.BaseHandler): def get(self): # Destroy the user's session. with self.db.transaction(): - # If impersonating, we will just stop the impersonation - if self.session.impersonated_user: - self.session.stop_impersonation() + # Destroy the session + self.session.destroy() - # Otherwise we destroy the session - else: - self.session.destroy() - - # Remove the session cookie - self.clear_cookie("session_id") + # Remove the session cookie + self.clear_cookie("session_id") # Redirect the user to the front page. self.redirect("/") diff --git a/src/web/base.py b/src/web/base.py index 859b9c9a..91fd7f55 100644 --- a/src/web/base.py +++ b/src/web/base.py 
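Review bot: In src/web/auth.py, `LogoutHandler.get` now destroys the session on every call, and it still does so in response to a GET, so any cross-site request that makes the browser load this URL ends the user's session. Moving the body to `post()` would let Tornado's XSRF check cover it, provided the `xsrf_cookies` setting is enabled, which is not visible here. `self.session.destroy()` is also called unconditionally, although `get_current_user` in src/web/base.py treats `self.session` as possibly falsy. Unless a decorator above the hunk guarantees a session, guard the call with `if self.session:` so an anonymous request redirects instead of raising. Indentation is lost in this rendering, so it is worth confirming that `self.clear_cookie("session_id")` still runs on every path.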
@@ -31,7 +31,7 @@ class BaseHandler(tornado.web.RequestHandler): def get_current_user(self): if self.session: - return self.session.impersonated_user or self.session.user + return self.session.user def get_user_locale(self): # Get the locale from the user settings diff --git a/src/web/users.py b/src/web/users.py index f2b20cbf..bf576c62 100644 --- a/src/web/users.py +++ b/src/web/users.py @@ -14,37 +14,6 @@ class ShowHandler(base.BaseHandler): self.render("users/show.html", user=user) -class UserImpersonateHandler(base.BaseHandler): - @tornado.web.authenticated - def get(self, username): - # You must be an admin to do this. - if not self.current_user.is_admin(): - raise tornado.web.HTTPError(403, "You are not allowed to do this") - - user = self.backend.users.get_by_name(username) - if not user: - raise tornado.web.HTTPError(404, "User not found: %s" % username) - - self.render("user-impersonation.html", user=user) - - @tornado.web.authenticated - def post(self, username): - # You must be an admin to do this. - if not self.current_user.is_admin(): - raise tornado.web.HTTPError(403, "You are not allowed to do this") - - user = self.backend.users.get_by_name(username) - if not user: - raise tornado.web.HTTPError(404, "User not found: %s" % username) - - # Start impersonation - with self.db.transaction(): - self.session.start_impersonation(user) - - # Redirect to start page. - self.redirect("/") - - class UserActionHandler(base.BaseHandler): def get_user(self, name): user = self.backend.users.get_by_name(name)
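Review bot: In src/web/base.py, `get_current_user` now resolves every session to `self.session.user`, so a session that was mid-impersonation at deploy time silently becomes the administrator's own identity on its next request. The schema migration is not part of this diff; if one exists, consider having it delete such rows before the column is dropped, e.g. `DELETE FROM sessions WHERE impersonated_user_id IS NOT NULL;`, so those admins have to log in again deliberately. The function also falls through to an implicit `None` when there is no session; an explicit `return None` with a comment such as `# No session: treat the request as anonymous` would make that contract visible. The rest of `BaseHandler` lies outside the hunk.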