From: Michael Tremer Date: Tue, 24 Oct 2017 16:38:42 +0000 (+0100) Subject: Fix impersonation X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=72568c46875bbc7b798aefbc7a4bb65eb83ae375;p=pbs.git Fix impersonation Signed-off-by: Michael Tremer --- diff --git a/src/templates/base.html b/src/templates/base.html index 891316f8..9ac8eed9 100644 --- a/src/templates/base.html +++ b/src/templates/base.html @@ -147,20 +147,13 @@ {{ session.user.realname }} -
  • - - - {{ _("End impersonation") }} - -
  • - {% else %} -
  • - - - {{ _("Logout") }} - -
  • {% end %} +
  • + + + {{ _("Logout") }} + +
  • {% else %} diff --git a/src/templates/user-profile.html b/src/templates/user-profile.html index 5dc7efdd..56139c71 100644 --- a/src/templates/user-profile.html +++ b/src/templates/user-profile.html @@ -98,7 +98,7 @@ {% if not current_user == user and current_user.is_admin() %}
  • - {{ _("Impersonate user") }} + {{ _("Impersonate User") }}
  • {% end %} diff --git a/src/web/__init__.py b/src/web/__init__.py index 27fd59f4..99ef809b 100644 --- a/src/web/__init__.py +++ b/src/web/__init__.py @@ -109,7 +109,7 @@ class Application(tornado.web.Application): # User profiles (r"/users", UsersHandler), - (r"/user/impersonate", UserImpersonateHandler), + (r"/user/(\w+)/impersonate", UserImpersonateHandler), (r"/user/(\w+)/passwd", UserPasswdHandler), (r"/user/(\w+)/delete", UserDeleteHandler), (r"/user/(\w+)/edit", UserEditHandler), diff --git a/src/web/handlers_auth.py b/src/web/handlers_auth.py index 7c3a5e18..6ecbaeb2 100644 --- a/src/web/handlers_auth.py +++ b/src/web/handlers_auth.py @@ -122,11 +122,12 @@ class ActivationHandler(BaseHandler): else: # Automatically login the user. - session = sessions.Session.create(self.pakfire, user) + self.session = self.backend.sessions.create(user, + self.current_address, user_agent=self.user_agent) - # Set a cookie and update the current user. - self.set_cookie("session_id", session.id, expires=session.valid_until) - self._current_user = user + # Set a session cookie + self.set_cookie("session_id", self.session.session_id, + expires=self.session.valid_until) self.render("register-activation-success.html", user=user) return @@ -153,10 +154,16 @@ class LogoutHandler(BaseHandler): def get(self): # Destroy the user's session. with self.db.transaction(): - self.session.destroy() + # If impersonating, we will just stop the impersonation + if self.session.impersonated_user: + self.session.stop_impersonation() - # Remove the cookie, that identifies the user. - self.clear_cookie("session_id") + # Otherwise we destroy the session + else: + self.session.destroy() + + # Remove the session cookie + self.clear_cookie("session_id") # Redirect the user to the front page. self.redirect("/") diff --git a/src/web/handlers_base.py b/src/web/handlers_base.py index b64c0bf3..00d64357 100644 --- a/src/web/handlers_base.py +++ b/src/web/handlers_base.py 
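Review bot: The session cookie written by the added `self.set_cookie("session_id", self.session.session_id, expires=...)` call carries only `expires`; a cookie that is the sole bearer of authentication should also be set with `httponly=True` and, when the site is served over TLS, `secure=True`, so page script cannot read it and it is never sent in clear text. A second point: the removed `self._current_user = user` line used to prime Tornado's cached `current_user`, whereas the new code relies on `get_current_user()` reading `self.session` lazily, which only gives the rendered page a logged-in user if nothing in this request evaluated `self.current_user` before the assignment — worth confirming. The enclosing `get` method of `ActivationHandler` starts outside the hunk.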
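Review bot: In the new `LogoutHandler.get`, the indentation of the trailing `self.clear_cookie("session_id")` is not recoverable from this rendering; if it sits at the level of the `if`/`else` rather than inside the `else`, ending an impersonation also drops the admin's cookie, and the admin's still-valid session row stays alive in the database with no client holding it until `valid_until`. The commit's intent (the Logout link replaces the removed "End impersonation" link) suggests the cookie should be cleared only on the destroy path, i.e. `else:` / `self.session.destroy()` / `self.clear_cookie("session_id")` indented together. A comment above the branch, `# Ending an impersonation keeps the admin's own session and cookie`, would make that explicit. Stopping an impersonation is also worth a log line naming the acting user and the account that was impersonated, so the audit trail matches the start of the impersonation.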
@@ -30,11 +30,7 @@ class BaseHandler(tornado.web.RequestHandler):
 
 		# Search for a valid database session
 		if session_id:
-			session = self.backend.sessions.get(session_id)
-
-			# Found a valid session
-			if session:
-				return session
+			return self.backend.sessions.get(session_id)
 
 	def get_current_user(self):
 		if self.session:
diff --git a/src/web/handlers_users.py b/src/web/handlers_users.py
index c9e0b6ec..1064b1c9 100644
--- a/src/web/handlers_users.py
+++ b/src/web/handlers_users.py
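Review bot: With the `if session:` guard gone, the method now returns whatever `self.backend.sessions.get(session_id)` yields for a cookie value the client controls, so the comment "Search for a valid database session" is only accurate if `sessions.get` itself rejects unknown and expired ids; that check is not visible here and should be confirmed against the sessions backend (the activation hunk shows sessions carry a `valid_until`). If `get` can hand back an expired session, the removed truthiness test did not catch that either, so the fix belongs in `sessions.get`, not in this handler. Once confirmed, document the contract on the new line: `# sessions.get() returns None for unknown or expired ids`. The enclosing method starts outside the hunk.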
@@ -22,39 +22,30 @@ class UserHandler(BaseHandler):
 
 class UserImpersonateHandler(BaseHandler):
 	@tornado.web.authenticated
-	def get(self):
-		action = self.get_argument("action", "start")
-
-		if action == "stop":
-			if self.current_user.session:
-				self.current_user.session.stop_impersonation()
-			self.redirect("/")
-			return
-
+	def get(self, username):
 		# You must be an admin to do this.
 		if not self.current_user.is_admin():
-			raise tornado.web.HTTPError(403, "You are not allowed to do this.")
+			raise tornado.web.HTTPError(403, "You are not allowed to do this")
 
-		username = self.get_argument("user", "")
-		user = self.pakfire.users.get_by_name(username)
+		user = self.backend.users.get_by_name(username)
 		if not user:
 			raise tornado.web.HTTPError(404, "User not found: %s" % username)
 
 		self.render("user-impersonation.html", user=user)
 
 	@tornado.web.authenticated
-	def post(self):
+	def post(self, username):
 		# You must be an admin to do this.
 		if not self.current_user.is_admin():
-			raise tornado.web.HTTPError(403, "You are not allowed to do this.")
+			raise tornado.web.HTTPError(403, "You are not allowed to do this")
 
-		username = self.get_argument("user")
-		user = self.pakfire.users.get_by_name(username)
+		user = self.backend.users.get_by_name(username)
 		if not user:
-			raise tornado.web.HTTPError(404, "User does not exist: %s" % username)
+			raise tornado.web.HTTPError(404, "User not found: %s" % username)
 
-		if self.current_user.session:
-			self.current_user.session.start_impersonation(user)
+		# Start impersonation
+		with self.db.transaction():
+			self.session.start_impersonation(user)
 
 		# Redirect to start page.
 		self.redirect("/")
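Review bot: `post` starts impersonation without checking that the session is not already impersonating or that the target differs from the acting user; because `is_admin()` is evaluated on `self.current_user`, an admin currently impersonating another admin passes the check and can call `start_impersonation` again, and whether the original identity survives that depends on `start_impersonation`, which is outside this hunk. A guard before the transaction, `if self.session.impersonated_user or user == self.current_user:` / `raise tornado.web.HTTPError(400, "Already impersonating or target is yourself")`, closes both cases (`impersonated_user` is the attribute the logout hunk reads). Taking over another account should also leave an audit trail: log the acting user, the target and `self.current_address` next to the `start_impersonation` call. Whether Tornado's XSRF protection covers this POST depends on the application settings, which are not visible here.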