From cac0c9f280928927171f99f6d209b26da0d5ae97 Mon Sep 17 00:00:00 2001
From: Eduardo Silva
Date: Thu, 15 Feb 2024 12:34:51 -0300
Subject: [PATCH] User level check implementation
---
 templates/access_denied.html | 19 +++++++++++++++++++
 user_manager/views.py | 4 ++++
 wireguard/views.py | 3 +++
 wireguard_peer/views.py | 10 ++++++++++
 4 files changed, 36 insertions(+)
 create mode 100644 templates/access_denied.html
diff --git a/templates/access_denied.html b/templates/access_denied.html
new file mode 100644
index 0000000..de9b6a3
--- /dev/null
+++ b/templates/access_denied.html
@@ -0,0 +1,19 @@
+{% extends "base.html" %}
+
+{% block content %}
+
+
+
+
+
+

Access Denied

+
+
+

Sorry, you do not have permission to access this page.
Please contact your system administrator if you believe this is an error.

+
+
+
+
+
+
+{% endblock %}
diff --git a/user_manager/views.py b/user_manager/views.py
index fd188b4..1f4a6f6 100644
--- a/user_manager/views.py
+++ b/user_manager/views.py
@@ -8,6 +8,8 @@ from django.contrib.sessions.models import Session
 @login_required
 def view_user_list(request):
+ if not UserAcl.objects.filter(user=request.user).filter(user_level__gte=50).exists():
+ return render(request, 'access_denied.html', {'page_title': 'Access Denied'})
 page_title = 'User Manager'
 user_acl_list = UserAcl.objects.all().order_by('user__username')
 context = {'page_title': page_title, 'user_acl_list': user_acl_list}
@@ -16,6 +18,8 @@ def view_user_list(request):
 @login_required
 def view_manage_user(request):
+ if not UserAcl.objects.filter(user=request.user).filter(user_level__gte=50).exists():
+ return render(request, 'access_denied.html', {'page_title': 'Access Denied'})
 user_acl = None
 user = None
 if 'uuid' in request.GET:
diff --git a/wireguard/views.py b/wireguard/views.py
index 8bdaed3..fadec58 100644
--- a/wireguard/views.py
+++ b/wireguard/views.py
@@ -1,4 +1,5 @@
 from django.shortcuts import render, get_object_or_404, redirect
+from user_manager.models import UserAcl
 from wireguard.forms import WireGuardInstanceForm
 from .models import WireGuardInstance
@@ -80,6 +81,8 @@ def view_wireguard_status(request):
 @login_required
 def view_wireguard_manage_instance(request):
+ if not UserAcl.objects.filter(user=request.user).filter(user_level__gte=50).exists():
+ return render(request, 'access_denied.html', {'page_title': 'Access Denied'})
 wireguard_instances = WireGuardInstance.objects.all().order_by('instance_id')
 if request.GET.get('uuid'):
 current_instance = get_object_or_404(WireGuardInstance, uuid=request.GET.get('uuid'))
diff --git a/wireguard_peer/views.py b/wireguard_peer/views.py
index fcb4cad..5cb11c2 100644
--- a/wireguard_peer/views.py
+++ b/wireguard_peer/views.py
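Review bot: The denial path added at the top of view_user_list returns `access_denied.html` through `render(...)` with the default status, so a refused request is answered with HTTP 200. That makes authorization failures indistinguishable from normal page loads in access logs and monitoring, and a non-browser client cannot tell that it was refused. Pass the status explicitly: `return render(request, 'access_denied.html', {'page_title': 'Access Denied'}, status=403)`. The same applies to the identical `render` calls added in view_manage_user, view_wireguard_manage_instance, view_wireguard_peer_manage and view_manage_ip_address.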
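Review bot: The guard added to view_manage_user is a verbatim copy of the one in view_user_list, and the same expression recurs in the wireguard and wireguard_peer views with bare thresholds 50, 30 and 20. Nothing in the patch records what each level means, so a later change to the scheme has to find every copy, and a missed one silently leaves a view on the old threshold. Route every view through one helper, for example `def user_has_level(user, level): return UserAcl.objects.filter(user=user, user_level__gte=level).exists()` (a name chosen here for illustration), and replace the literals with named module-level constants. Both view bodies continue outside their hunks.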
@@ -1,5 +1,6 @@
 from django.shortcuts import render, get_object_or_404, redirect
 from django.contrib.auth.decorators import login_required
+from user_manager.models import UserAcl
 from wireguard.models import WireGuardInstance, Peer, PeerAllowedIP
 from django.contrib import messages
 from django.db.models import Max
@@ -60,6 +61,13 @@ def view_wireguard_peer_list(request):
 @login_required
 def view_wireguard_peer_manage(request):
+ if request.method == 'POST':
+ if not UserAcl.objects.filter(user=request.user).filter(user_level__gte=30).exists():
+ return render(request, 'access_denied.html', {'page_title': 'Access Denied'})
+ else:
+ if not UserAcl.objects.filter(user=request.user).filter(user_level__gte=20).exists():
+ return render(request, 'access_denied.html', {'page_title': 'Access Denied'})
+
 if request.GET.get('instance'):
 current_instance = get_object_or_404(WireGuardInstance, uuid=request.GET.get('instance'))
 current_peer = None
@@ -122,6 +130,8 @@ def view_wireguard_peer_manage(request):
 def view_manage_ip_address(request):
+ if not UserAcl.objects.filter(user=request.user).filter(user_level__gte=30).exists():
+ return render(request, 'access_denied.html', {'page_title': 'Access Denied'})
 if request.GET.get('peer'):
 current_peer = get_object_or_404(Peer, uuid=request.GET.get('peer'))
 page_title = 'Add new IP address for Peer '
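Review bot: In view_wireguard_peer_manage the stricter threshold (30) applies only when `request.method == 'POST'`; every other method, not just GET, falls into the `else` branch and needs only level 20. The context lines show the view reading `request.GET.get('instance')` and the rest of the body is outside the hunk, so it cannot be confirmed here that no state change is reachable through query parameters; if one is, a level-20 user can trigger it. A comment such as `# level 20 may view; level 30 is required to create or modify peers` would record the intent, and any GET-driven modification further down should be checked against 30 as well. The nested branches can also collapse to `required_level = 30 if request.method == 'POST' else 20` followed by a single check.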
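Review bot: The leading context of this hunk shows `def view_manage_ip_address(request):` with no `@login_required` above it, whereas every other view touched by this patch has the decorator in its context lines. If the decorator is indeed absent, an unauthenticated request reaches `UserAcl.objects.filter(user=request.user)` with an anonymous user, which is likely to raise and return a 500 rather than redirect to the login page. Add `@login_required` directly above the `def` so the level check only ever runs for an authenticated user. The function body continues past the end of the hunk.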