Fixes #5442: Use LDAP groups to find permissions

tobiasge · tobiasge · commit 82300990ec79 · 2021-07-09T08:14:45.000+02:00
When AUTH_LDAP_FIND_GROUP_PERMS is set to true the filter to find the
users permissions is extended to search for all permissions assigned to
groups in which the LDAP user is.
diff --git a/netbox/netbox/authentication.py b/netbox/netbox/authentication.py
@@ -11,7 +11,7 @@
 from utilities.permissions import permission_is_exempt, resolve_permission, resolve_permission_ct
 
 
-class ObjectPermissionBackend(ModelBackend):
+class ObjectPermissionMixin():
 
     def get_all_permissions(self, user_obj, obj=None):
         if not user_obj.is_active or user_obj.is_anonymous:
@@ -20,13 +20,16 @@ def get_all_permissions(self, user_obj, obj=None):
             user_obj._object_perm_cache = self.get_object_permissions(user_obj)
         return user_obj._object_perm_cache
 
+    def get_permission_filter(self, user_obj):
+        return Q(users=user_obj) | Q(groups__user=user_obj)
+
     def get_object_permissions(self, user_obj):
         """
         Return all permissions granted to the user by an ObjectPermission.
         """
         # Retrieve all assigned and enabled ObjectPermissions
         object_permissions = ObjectPermission.objects.filter(
-            Q(users=user_obj) | Q(groups__user=user_obj),
+            self.get_permission_filter(user_obj),
             enabled=True
         ).prefetch_related('object_types')
 
@@ -86,6 +89,10 @@ def has_perm(self, user_obj, perm, obj=None):
         return model.objects.filter(constraints, pk=obj.pk).exists()
 
 
+class ObjectPermissionBackend(ObjectPermissionMixin, ModelBackend):
+    pass
+
+
 class RemoteUserBackend(_RemoteUserBackend):
     """
     Custom implementation of Django's RemoteUserBackend which provides configuration hooks for basic customization.
@@ -163,8 +170,15 @@ def __new__(cls, *args, **kwargs):
                 "Required parameter AUTH_LDAP_SERVER_URI is missing from ldap_config.py."
             )
 
-        # Create a new instance of django-auth-ldap's LDAPBackend
-        obj = LDAPBackend_()
+        # Create a new instance of django-auth-ldap's LDAPBackend with our own ObjectPermissions
+        class NBLDAPBackend(ObjectPermissionMixin, LDAPBackend_):
+            def get_permission_filter(self, user_obj):
+                permission_filter = Q(users=user_obj) | Q(groups__user=user_obj)
+                if self.settings.FIND_GROUP_PERMS:
+                    permission_filter = permission_filter | Q(groups__name__in=user_obj.ldap_user.group_names)
+                return permission_filter
+
+        obj = NBLDAPBackend()
 
         # Read LDAP configuration parameters from ldap_config.py instead of settings.py
         settings = LDAPSettings()
