From f0dacb5893d88afb24ca8a32f53bd77700008e07 Mon Sep 17 00:00:00 2001
From: Michael McGrath <mmcgrath@desktop.mmcgrath.net>
Date: Thu, 28 Feb 2008 11:48:10 -0600
Subject: [PATCH] Use authentication when grabbing password data

---
 fas/client/fasClient.py | 7 ++++++-
 fas/fas/json_request.py | 4 +++-
 fas/fas/model.py        | 4 +++-
 3 files changed, 12 insertions(+), 3 deletions(-)

diff --git a/fas/client/fasClient.py b/fas/client/fasClient.py
index 5f97208..cae619b 100755
--- a/fas/client/fasClient.py
+++ b/fas/client/fasClient.py
@@ -66,6 +66,7 @@ class MakeShellAccounts(BaseClient):
         file = open('/tmp/shadow.txt', 'w')
         if not people:
             people = self.people_list()
+        print people
         for person in people:
             uid = person['id']
             username = person['username']
@@ -170,7 +171,11 @@ class MakeShellAccounts(BaseClient):
         
 
 if __name__ == '__main__':
-    fas = MakeShellAccounts(FAS_URL, 'admin', None, None)
+    try:
+        fas = MakeShellAccounts(FAS_URL, 'admin', 'admin', 1)
+    except AuthError, e:
+        print e
+        sys.exit(1)
     fas.make_group_db()
     fas.make_passwd_db()
     fas.make_shadow_db()
diff --git a/fas/fas/json_request.py b/fas/fas/json_request.py
index cbd2fee..64b5489 100644
--- a/fas/fas/json_request.py
+++ b/fas/fas/json_request.py
@@ -21,6 +21,7 @@ class JsonRequest(controllers.Controller):
         '''Perhaps show a nice explanatory message about groups here?'''
         return dict(help='This is a json interface')
     
+    @identity.require(turbogears.identity.not_anonymous())
     @expose("json", allow_json=True)
     def group_list(self, search='*'):
         re_search = re.sub(r'\*', r'%', search).lower()
@@ -29,7 +30,8 @@ class JsonRequest(controllers.Controller):
         for group in groups:
             memberships[group.id] = group.approved_roles
         return dict(groups=groups, memberships=memberships)
-        
+    
+    @identity.require(turbogears.identity.not_anonymous())
     @expose("json", allow_json=True)
     def people_list(self, search='*'):
         re_search = re.sub(r'\*', r'%', search).lower()
diff --git a/fas/fas/model.py b/fas/fas/model.py
index 589c6fe..9af25ed 100644
--- a/fas/fas/model.py
+++ b/fas/fas/model.py
@@ -42,6 +42,7 @@ from turbogears.database import session
 from turbogears import identity
 
 from fas.json import SABase
+
 # Soon we'll use this instead:
 #from fedora.tg.json import SABase
 
@@ -244,7 +245,8 @@ class People(SABase):
                 del props['postal_address']
                 del props['telephone']
                 del props['facsimile']
-            elif not identity.current.user.username == self.username:
+                # Below should check for group accounts instead of a specific username
+            elif not identity.current.user.username == self.username and not identity.current.user.username == 'admin':
                 # Only an admin or the user themselves can see these fields
                 del props['password']
                 del props['passwordtoken']