security: cure53 fix (#6039)

* ATH-01-001: resolve path and check start before loading blueprints This is even less of an issue since 411ef239f6, since with that commit we only allow files that the listing returns Signed-off-by: Jens Langhammer <jens@goauthentik.io> * ATH-01-010: fix missing user filter for webauthn device This prevents an attack that is only possible when an attacker can intercept HTTP traffic and in the case of HTTPS decrypt it. * ATH-01-008: fix web forms not submitting correctly when pressing enter When submitting some forms with the Enter key instead of clicking "Confirm"/etc, the form would not get submitted correctly This would in the worst case is when setting a user's password, where the new password can end up in the URL, but the password was not actually saved to the user. * ATH-01-004: remove env from admin system endpoint this endpoint already required admin access, but for debugging the env variables are used very little Signed-off-by: Jens Langhammer <jens@goauthentik.io> * ATH-01-003 / ATH-01-012: disable htmlLabels in mermaid Signed-off-by: Jens Langhammer <jens@goauthentik.io> * ATH-01-005: use hmac.compare_digest for secret_key authentication Signed-off-by: Jens Langhammer <jens@goauthentik.io> * ATH-01-009: migrate impersonation to use API Signed-off-by: Jens Langhammer <jens@goauthentik.io> * ATH-01-010: rework Signed-off-by: Jens Langhammer <jens@goauthentik.io> * ATH-01-014: save authenticator validation state in flow context Signed-off-by: Jens Langhammer <jens@goauthentik.io> bugfixes Signed-off-by: Jens Langhammer <jens@goauthentik.io> * ATH-01-012: escape quotation marks Signed-off-by: Jens Langhammer <jens@goauthentik.io> * add website Signed-off-by: Jens Langhammer <jens@goauthentik.io> * update release ntoes Signed-off-by: Jens Langhammer <jens@goauthentik.io> * update with all notes Signed-off-by: Jens Langhammer <jens@goauthentik.io> * fix format Signed-off-by: Jens Langhammer <jens@goauthentik.io> --------- Signed-off-by: Jens Langhammer <jens@goauthentik.io>
2023-06-22 22:25:04 +02:00
parent f099bd764e
commit b0fbd576fc
39 changed files with 505 additions and 329 deletions
--- a/web/src/admin/groups/RelatedGroupList.ts
+++ b/web/src/admin/groups/RelatedGroupList.ts
@ -45,41 +45,39 @@ export class RelatedGroupAdd extends Form<{ groups: string[] }> {
        return data;
    }

-    renderForm(): TemplateResult {
-        return html`<form class="pf-c-form pf-m-horizontal">
-            <ak-form-element-horizontal label=${msg("Groups to add")} name="groups">
-                <div class="pf-c-input-group">
-                    <ak-user-group-select-table
-                        .confirm=${(items: Group[]) => {
-                            this.groupsToAdd = items;
-                            this.requestUpdate();
-                            return Promise.resolve();
-                        }}
-                    >
-                        <button slot="trigger" class="pf-c-button pf-m-control" type="button">
-                            <i class="fas fa-plus" aria-hidden="true"></i>
-                        </button>
-                    </ak-user-group-select-table>
-                    <div class="pf-c-form-control">
-                        <ak-chip-group>
-                            ${this.groupsToAdd.map((group) => {
-                                return html`<ak-chip
-                                    .removable=${true}
-                                    value=${ifDefined(group.pk)}
-                                    @remove=${() => {
-                                        const idx = this.groupsToAdd.indexOf(group);
-                                        this.groupsToAdd.splice(idx, 1);
-                                        this.requestUpdate();
-                                    }}
-                                >
-                                    ${group.name}
-                                </ak-chip>`;
-                            })}
-                        </ak-chip-group>
-                    </div>
+    renderInlineForm(): TemplateResult {
+        return html`<ak-form-element-horizontal label=${msg("Groups to add")} name="groups">
+            <div class="pf-c-input-group">
+                <ak-user-group-select-table
+                    .confirm=${(items: Group[]) => {
+                        this.groupsToAdd = items;
+                        this.requestUpdate();
+                        return Promise.resolve();
+                    }}
+                >
+                    <button slot="trigger" class="pf-c-button pf-m-control" type="button">
+                        <i class="fas fa-plus" aria-hidden="true"></i>
+                    </button>
+                </ak-user-group-select-table>
+                <div class="pf-c-form-control">
+                    <ak-chip-group>
+                        ${this.groupsToAdd.map((group) => {
+                            return html`<ak-chip
+                                .removable=${true}
+                                value=${ifDefined(group.pk)}
+                                @remove=${() => {
+                                    const idx = this.groupsToAdd.indexOf(group);
+                                    this.groupsToAdd.splice(idx, 1);
+                                    this.requestUpdate();
+                                }}
+                            >
+                                ${group.name}
+                            </ak-chip>`;
+                        })}
+                    </ak-chip-group>
                </div>
-            </ak-form-element-horizontal>
-        </form> `;
+            </div>
+        </ak-form-element-horizontal>`;
    }
 }