Can grant a client to all users

2023-04-15 10:39:22 +02:00 · 2023-04-15 10:39:22 +02:00 · d27c542e1f
commit d27c542e1f
parent 412eaf2bff
6 changed files with 31 additions and 15 deletions
--- a/README.md
+++ b/README.md
@ -18,6 +18,8 @@ You can configure a list of clients (Relying Parties) in a `clients.yaml` file w
  redirect_uri: https://mygit.mywebsite.com/
  # If you want new accounts to be granted access to this client by default
  default: true
+  # If you want the client to be granted to every users, regardless their account configuration
+  granted_to_all_users: true
 ```

 On the first run, BasicOIDC will create a new administrator with credentials `admin` / `admin`. On first login you will have to change these default credentials.
--- a/src/controllers/admin_controller.rs
+++ b/src/controllers/admin_controller.rs
@ -42,8 +42,8 @@ pub async fn clients_route(user: CurrentUser, clients: web::Data<ClientManager>)
            _p: BaseSettingsPage::get("Clients list", &user, None, None),
            clients: clients.cloned(),
        }
-            .render()
-            .unwrap(),
+        .render()
+        .unwrap(),
    )
 }

@ -197,7 +197,7 @@ pub async fn users_route(
                    true => "Failed to create user!",
                    false => "Failed to update user!",
                }
-                    .to_string(),
+                .to_string(),
            )
        } else {
            success = Some(match is_creating {
@ -228,14 +228,20 @@ pub async fn users_route(
            _p: BaseSettingsPage::get("Users list", &admin, danger, success),
            users,
        }
-            .render()
-            .unwrap(),
+        .render()
+        .unwrap(),
    )
 }

 pub async fn create_user(admin: CurrentUser, clients: web::Data<ClientManager>) -> impl Responder {
    let mut user = User::default();
-    user.authorized_clients = Some(clients.get_default_clients().iter().map(|u| u.id.clone()).collect());
+    user.authorized_clients = Some(
+        clients
+            .get_default_clients()
+            .iter()
+            .map(|u| u.id.clone())
+            .collect(),
+    );

    HttpResponse::Ok().body(
        EditUserTemplate {
@ -243,8 +249,8 @@ pub async fn create_user(admin: CurrentUser, clients: web::Data<ClientManager>)
            u: user,
            clients: clients.cloned(),
        }
-            .render()
-            .unwrap(),
+        .render()
+        .unwrap(),
    )
 }

@ -279,7 +285,7 @@ pub async fn edit_user(
            u: edited_account.unwrap_or_default(),
            clients: clients.cloned(),
        }
-            .render()
-            .unwrap(),
+        .render()
+        .unwrap(),
    )
 }
--- a/src/controllers/openid_controller.rs
+++ b/src/controllers/openid_controller.rs
@ -164,7 +164,7 @@ pub async fn authorize(
    };

    // Check if user is authorized to access the application
-    if !user.can_access_app(&client.id) {
+    if !user.can_access_app(&client) {
        return error_redirect(
            &query,
            "invalid_request",
--- a/src/data/client.rs
+++ b/src/data/client.rs
@ -24,6 +24,10 @@ pub struct Client {
    /// Specify if the client must be allowed by default for new account
    #[serde(default = "bool::default")]
    pub default: bool,
+
+    /// Specify whether a client is granted to all users
+    #[serde(default = "bool::default")]
+    pub granted_to_all_users: bool,
 }

 impl PartialEq for Client {
--- a/src/data/user.rs
+++ b/src/data/user.rs
@ -2,7 +2,7 @@ use std::collections::HashMap;
 use std::net::IpAddr;

 use crate::constants::SECOND_FACTOR_EXEMPTION_AFTER_SUCCESSFUL_LOGIN;
-use crate::data::client::ClientID;
+use crate::data::client::{Client, ClientID};
 use crate::data::login_redirect::LoginRedirect;
 use crate::data::totp_key::TotpKey;
 use crate::data::webauthn_manager::WebauthnPubKey;
@ -170,10 +170,14 @@ impl User {
        }
    }

-    pub fn can_access_app(&self, id: &ClientID) -> bool {
+    pub fn can_access_app(&self, client: &Client) -> bool {
+        if client.granted_to_all_users {
+            return true;
+        }
+
        match self.granted_clients() {
            GrantedClients::AllClients => true,
-            GrantedClients::SomeClients(c) => c.contains(id),
+            GrantedClients::SomeClients(c) => c.contains(&client.id),
            GrantedClients::NoClient => false,
        }
    }
--- a/templates/settings/edit_user.html
+++ b/templates/settings/edit_user.html
@ -144,7 +144,7 @@
            <div class="form-check">
                <input id="client-{{ c.id.0 }}" class="form-check-input authorize_client_checkbox" type="checkbox"
                       data-id="{{ c.id.0 }}"
-                       {% if u.can_access_app(c.id) %} checked="" {% endif %}>
+                       {% if u.can_access_app(c) %} checked="" {% endif %}>
                <label class="form-check-label" for="client-{{ c.id.0 }}">
                    {{ c.name }}
                </label>