From 00ef3951514889791a11318124c271309d8b4958 Mon Sep 17 00:00:00 2001
From: Tomas Jelinek
Date: Fri, 4 Sep 2015 16:01:00 +0200
Subject: [PATCH] check and refresh user auth info upon each request

---
 pcs/cluster.py | 2 ++
 pcs/utils.py | 2 ++
 pcsd/auth.rb | 16 ++++++++++++----
 pcsd/test/test_auth.rb | 1 +
 4 files changed, 17 insertions(+), 4 deletions(-)

diff --git a/pcs/cluster.py b/pcs/cluster.py
index d2a80a8..5a2128a 100644
--- a/pcs/cluster.py
+++ b/pcs/cluster.py
@@ -235,6 +235,8 @@ def auth_nodes_do(nodes, username, password, force, local):
 'local': local,
 }
 output, retval = utils.run_pcsdcli('auth', pcsd_data)
+ if retval == 0 and output['status'] == 'access_denied':
+ utils.err('Access denied')
 if retval == 0 and output['status'] == 'ok' and output['data']:
 failed = False
 try:
diff --git a/pcs/utils.py b/pcs/utils.py
index c91b50e..757c159 100644
--- a/pcs/utils.py
+++ b/pcs/utils.py
@@ -803,6 +803,8 @@ def call_local_pcsd(argv, interactive_auth=False, std_in=None):
 return [['Unable to communicate with pcsd'], 1, '', '']
 if output_json['status'] == 'bad_command':
 return [['Command not allowed'], 1, '', '']
+ if output_json['status'] == 'access_denied':
+ return [['Access denied'], 1, '', '']
 if output_json['status'] != "ok" or not output_json["data"]:
 return [['Unable to communicate with pcsd'], 1, '', '']
 try:
diff --git a/pcsd/auth.rb b/pcsd/auth.rb
index 22d7868..53712ed 100644
--- a/pcsd/auth.rb
+++ b/pcsd/auth.rb
@@ -19,7 +19,7 @@ class PCSAuth
 def self.validUser(username, password, generate_token = false)
 $logger.info("Attempting login by '#{username}'")
- if not Rpam.auth(username,password, :service => "pcsd")
+ if not Rpam.auth(username, password, :service => "pcsd")
 $logger.info("Failed login by '#{username}' (bad username or password)")
 return nil
 end
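Review bot: The 'access_denied' status string and its user-facing 'Access denied' message are now hard-coded in two places — in auth_nodes_do here and again in call_local_pcsd in the pcs/utils.py hunk — next to the already duplicated 'ok' and 'bad_command' literals, and in call_local_pcsd a mismatch between the two copies would fall through to the generic 'Unable to communicate with pcsd' branch rather than fail visibly. A shared module-level constant, e.g. `PCSD_STATUS_ACCESS_DENIED = 'access_denied'` in pcs/utils.py referenced from both sites, keeps the wire protocol strings in one place. auth_nodes_do continues outside the hunk, so what happens after utils.err returns, if it returns, is not visible here.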
@@ -59,7 +59,7 @@ class PCSAuth
 return [true, stdout.join(' ').split(nil)]
 end
- def self.isUserAllowedToLogin(username)
+ def self.isUserAllowedToLogin(username, log_success=true)
 success, groups = getUsersGroups(username)
 if not success
 $logger.info(
@@ -73,7 +73,9 @@ class PCSAuth
 )
 return false
 end
- $logger.info("Successful login by '#{username}'")
+ if log_success
+ $logger.info("Successful login by '#{username}'")
+ end
 return true
 end
@@ -131,7 +133,13 @@ class PCSAuth
 end
 def self.isLoggedIn(session)
- return session[:username] != nil
+ username = session[:username]
+ if (username != nil) and isUserAllowedToLogin(username, false)
+ success, groups = getUsersGroups(username)
+ session[:usergroups] = success ? groups : []
+ return true
+ end
+ return false
 end
 def self.getSuperuserSession()
-- 
1.9.1
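Review bot: When the per-request re-check in isLoggedIn fails for a session that previously passed, the new code only returns false and leaves session[:username] and the last stored session[:usergroups] untouched, so a user whose group membership was revoked keeps a session that still identifies as that user to any code reading those keys directly; clearing them before the final return, `session[:username] = nil` and `session[:usergroups] = nil`, makes the revocation stick in the session itself, provided no caller relies on the username surviving a failed check (not visible from here). The success path also runs getUsersGroups twice per request — once inside isUserAllowedToLogin(username, false) and once directly — and the `stdout.join(' ').split(nil)` context in the @@ -59 hunk suggests that helper spawns an external command, so returning the groups from the allowed-check or doing the check inline would halve that cost. In the @@ -59 hunk, `log_success=true` departs from the file's own `generate_token = false` spacing for default arguments. The diffstat lists pcsd/test/test_auth.rb but its hunk is not visible here, so whether the revoked-membership path of isLoggedIn is covered cannot be confirmed.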