From 2deb87c9685c5260d31165bb803a028d2fa54096 Mon Sep 17 00:00:00 2001
From: ziirish <ziirish@ziirish.info>
Date: Thu, 22 Mar 2018 17:55:44 +0100
Subject: [PATCH] WIP: add authorizations page

---
 .gitignore                                    |   1 +
 burpui/routes.py                              |  16 +-
 ...{admin.html => admin-authentications.html} |  15 +-
 burpui/templates/admin-authorizations.html    | 111 +++++
 burpui/templates/admin/authentication.html    |   2 +-
 burpui/templates/admin/sessions.html          |   2 +-
 burpui/templates/gerard.js                    |   6 +-
 .../js/{admin.js => admin-authentications.js} |   4 -
 burpui/templates/js/admin-authorizations.js   | 418 ++++++++++++++++++
 burpui/templates/settings.html                |   2 +-
 burpui/templates/sideadmin.html               |   7 +-
 burpui/templates/topbar.html                  |   2 +-
 burpui/templates/user.html                    |   2 +-
 13 files changed, 561 insertions(+), 27 deletions(-)
 rename burpui/templates/{admin.html => admin-authentications.html} (94%)
 create mode 100644 burpui/templates/admin-authorizations.html
 rename burpui/templates/js/{admin.js => admin-authentications.js} (99%)
 create mode 100644 burpui/templates/js/admin-authorizations.js

diff --git a/.gitignore b/.gitignore
index ecd815d0..5b6353bf 100644
--- a/.gitignore
+++ b/.gitignore
@@ -13,6 +13,7 @@ dist
 _build
 .tags
 celerybeat-schedule
+Pipfile*
 pkgs/burp-ui-sql/burpui_sql/VERSION
 pkgs/burp-ui-extra/burpui_extra/VERSION
 pkgs/burp-ui-agent/burpui_agent
diff --git a/burpui/routes.py b/burpui/routes.py
index 44f01e04..57466ad8 100644
--- a/burpui/routes.py
+++ b/burpui/routes.py
@@ -151,14 +151,24 @@ def admin_authentication(user):
     return render_template('admin/authentication.html', admin=True, authentication=True, user=user, backend=backend, ng_controller='AdminCtrl')
 
 
-@view.route('/admin')
+@view.route('/admin/authorizations')
 @login_required
-def admin():
+def admin_authorizations():
     # Only the admin can access this page
     if not current_user.is_anonymous and not current_user.acl.is_admin() and \
             not current_user.acl.is_moderator():
         abort(403)
-    return render_template('admin.html', admin=True, ng_controller='AdminCtrl')
+    return render_template('admin-authorizations.html', admin=True, authorizations=True, ng_controller='AdminCtrl')
+
+
+@view.route('/admin/authentications')
+@login_required
+def admin_authentications():
+    # Only the admin can access this page
+    if not current_user.is_anonymous and not current_user.acl.is_admin() and \
+            not current_user.acl.is_moderator():
+        abort(403)
+    return render_template('admin-authentications.html', admin=True, authentications=True, ng_controller='AdminCtrl')
 
 
 @view.route('/me')
diff --git a/burpui/templates/admin.html b/burpui/templates/admin-authentications.html
similarity index 94%
rename from burpui/templates/admin.html
rename to burpui/templates/admin-authentications.html
index faa52f81..7bd9a759 100644
--- a/burpui/templates/admin.html
+++ b/burpui/templates/admin-authentications.html
@@ -35,11 +35,11 @@
                 </fieldset>
               </form>
             </div>
-            <br />
-            <h3>{{ _('Users list') }}</h3>
-            <hr />
+          </div>
+          <div class="form-container">
+            <legend>{{ _('Users list') }}</legend>
             <div id="waiting-user-container" class="row">
-              <i class="fa fa-spin fa-fw fa-refresh" aria-hidden="true"></i>{{ _('Loading, Please wait...') }}
+              <i class="fa fa-spin fa-fw fa-refresh" aria-hidden="true"></i>&nbsp;{{ _('Loading, Please wait...') }}
               <br />
               <div class="progress progress-striped active">
                 <div class="progress-bar progress-bar-info" style="width: 100%"></div>
@@ -61,16 +61,13 @@
               </table>
             </div>
           </div>
-          <div class="form-container">
-            <legend id="authorization">{{ _('Authorization') }}</legend>
-          </div>
         </div>
         <div id="delete-user-modal" class="modal fade">
           <div class="modal-dialog modal-lg">
             <div class="modal-content">
               <div class="modal-header">
                 <button type="button" class="close" data-dismiss="modal" aria-hidden="true">&times;</button>
-                <h4 class="modal-title">Confirmation</h4>
+                <h4 class="modal-title">{{ _('Confirmation') }}</h4>
               </div>
               <div class="modal-body">
                 <div class="alert alert-warning">
@@ -96,7 +93,7 @@
             <div class="modal-content">
               <div class="modal-header">
                 <button type="button" class="close" data-dismiss="modal" aria-hidden="true">&times;</button>
-                <h4 class="modal-title">Confirmation</h4>
+                <h4 class="modal-title">{{ _('Confirmation') }}</h4>
               </div>
               <div class="modal-body">
                 <form class="form-horizontal">
diff --git a/burpui/templates/admin-authorizations.html b/burpui/templates/admin-authorizations.html
new file mode 100644
index 00000000..7bd9a759
--- /dev/null
+++ b/burpui/templates/admin-authorizations.html
@@ -0,0 +1,111 @@
+{% extends "layout.html" %}
+{% block body %}
+        {% include "notifications.html" %}
+        <div class="col-sm-9 col-sm-offset-3 col-md-10 col-md-offset-2 main">
+          {% include "small_topbar.html" %}
+          <ul class="breadcrumb" style="margin-bottom: 5px;">
+            <li><a href="{{ url_for('view.home') }}">{{ _('Home') }}</a></li>
+            <li class="active">{{ _('Administration') }}</li>
+          </ul>
+          <br />
+          <div class="form-container">
+            <legend id="authentication">{{ _('Authentication') }}</legend>
+            <div class="row well">
+              <form action="{{ url_for('api.auth_users') }}" method="PUT" class="form-inline" name="pctrl.userAdd" ng-submit="addUser($event)">
+                <fieldset>
+                  <Legend>{{ _('Create new User') }}</Legend>
+                  <div class="form-group" ng-class="{'has-error': pctrl.userAdd.auth_username.$touched && !pctrl.userAdd.auth_username.$valid}">
+                    <label class="sr-only" for="auth_username">{{ _('Username') }}</label>
+                    <input class="form-control" type="text" id="auth_username" name="auth_username" placeholder="{{ _('Username') }}" ng-model="auth_username" required>
+                  </div>
+                  <div class="form-group" ng-class="{'has-error': pctrl.userAdd.auth_password.$touched && !pctrl.userAdd.auth_password.$valid}">
+                    <label class="sr-only" for="auth_password">{{ _('Password') }}</label>
+                    <input class="form-control" type="password" id="auth_password" name="auth_password" placeholder="{{ _('Password') }}" ng-model="auth_password" required>
+                  </div>
+                  <div class="form-group">
+                    <label class="sr-only" for="auth_backend">{{ _('Backend') }}</label>
+                    <select class="form-control" name="auth_backend" id="auth_backend" ng-model="auth_backend" ng-change="checkSelect()" required>
+                      <option selected disabled value="placeholder">{{ _('Authentication Backend') }}</option>
+                      {% raw -%}
+                      <option ng-repeat="back in auth_backends" ng-disabled="!back.add" value="{{ back.name }}">{{ back.name }}</option>
+                      {% endraw -%}
+                    </select>
+                  </div>
+                  <button class="btn btn-success" type="submit" ng-disabled="!pctrl.userAdd.$valid"><i class="fa fa-plus" aria-hidden="true"></i>&nbsp;{{ _('Create') }}</button>
+                </fieldset>
+              </form>
+            </div>
+          </div>
+          <div class="form-container">
+            <legend>{{ _('Users list') }}</legend>
+            <div id="waiting-user-container" class="row">
+              <i class="fa fa-spin fa-fw fa-refresh" aria-hidden="true"></i>&nbsp;{{ _('Loading, Please wait...') }}
+              <br />
+              <div class="progress progress-striped active">
+                <div class="progress-bar progress-bar-info" style="width: 100%"></div>
+              </div>
+            </div>
+            <div class="table-responsive" id="table-users-container" style="display: none;">
+              <table class="table table-striped table-hover nowrap" id="table-users" width="100%">
+                <thead>
+                  <tr>
+                    <th>{{ _('Username') }}</th>
+                    <th>{{ _('Authentication Backend') }}</th>
+                    <th>{{ _('Role') }}</th>
+                    <th>{{ _('Groups') }}</th>
+                    <th>{{ _('Controls') }}</th>
+                  </tr>
+                </thead>
+                <tbody>
+                </tbody>
+              </table>
+            </div>
+          </div>
+        </div>
+        <div id="delete-user-modal" class="modal fade">
+          <div class="modal-dialog modal-lg">
+            <div class="modal-content">
+              <div class="modal-header">
+                <button type="button" class="close" data-dismiss="modal" aria-hidden="true">&times;</button>
+                <h4 class="modal-title">{{ _('Confirmation') }}</h4>
+              </div>
+              <div class="modal-body">
+                <div class="alert alert-warning">
+                  <i class="fa fa-fw fa-2x fa-question-circle"></i>{{ _('You are about to delete a user, are you sure?') }}
+                </div>
+                <form class="form-horizontal" id="delete-user-form">
+                  <fieldset id="delete-details">
+                  </fieldset>
+                </form>
+                <div class="alert alert-danger" id="delete-confirm" style="display:none;">
+                  <strong><i class="fa fa-fw fa-2x fa-exclamation-circle"></i>{{ _('Warning!') }}</strong> {{ _('You are about to remove your <strong>current</strong> user.') }}
+                </div>
+              </div>
+              <div class="modal-footer">
+                <button type="button" class="btn btn-default" data-dismiss="modal">{{ _('Cancel') }}</button>
+                <button type="button" class="btn btn-info" data-dismiss="modal" id="perform-delete">{{ _('Confirm') }}</button>
+              </div>
+            </div>
+          </div>
+        </div>
+        <div id="edit-user-modal" class="modal fade">
+          <div class="modal-dialog modal-lg">
+            <div class="modal-content">
+              <div class="modal-header">
+                <button type="button" class="close" data-dismiss="modal" aria-hidden="true">&times;</button>
+                <h4 class="modal-title">{{ _('Confirmation') }}</h4>
+              </div>
+              <div class="modal-body">
+                <form class="form-horizontal">
+                  <fieldset id="edit-details">
+                  </fieldset>
+                </form>
+              </div>
+              <div class="modal-footer">
+                <button type="button" class="btn btn-default" data-dismiss="modal">{{ _('Cancel') }}</button>
+                <button type="button" class="btn btn-info" data-dismiss="modal" id="perform-edit">{{ _('Edit') }}</button>
+              </div>
+            </div>
+          </div>
+        </div>
+{% endblock %}
diff --git a/burpui/templates/admin/authentication.html b/burpui/templates/admin/authentication.html
index 18c031f8..07c65474 100644
--- a/burpui/templates/admin/authentication.html
+++ b/burpui/templates/admin/authentication.html
@@ -5,7 +5,7 @@
           {% include "small_topbar.html" %}
           <ul class="breadcrumb" style="margin-bottom: 5px;">
             <li><a href="{{ url_for('view.home') }}">{{ _('Home') }}</a></li>
-            <li><a href="{{ url_for('view.admin') }}">{{ _('Administration') }}</a></li>
+            <li><a href="{{ url_for('view.admin_authentications') }}">{{ _('Administration') }}</a></li>
             <li class="active">{{ _('Authentication user %(backend)s/%(user)s', backend=backend, user=user) }}</li>
           </ul>
           <br />
diff --git a/burpui/templates/admin/sessions.html b/burpui/templates/admin/sessions.html
index 5c794cc1..65e12226 100644
--- a/burpui/templates/admin/sessions.html
+++ b/burpui/templates/admin/sessions.html
@@ -5,7 +5,7 @@
           {% include "small_topbar.html" %}
           <ul class="breadcrumb" style="margin-bottom: 5px;">
             <li><a href="{{ url_for('view.home') }}">{{ _('Home') }}</a></li>
-            <li><a href="{{ url_for('view.admin') }}">{{ _('Administration') }}</a></li>
+            <li><a href="{{ url_for('view.admin_authentications') }}">{{ _('Administration') }}</a></li>
             <li class="active">{{ _('%(user)s\'s sessions', user=user) }}</li>
           </ul>
           <br />
diff --git a/burpui/templates/gerard.js b/burpui/templates/gerard.js
index 82817623..97c6e331 100644
--- a/burpui/templates/gerard.js
+++ b/burpui/templates/gerard.js
@@ -365,8 +365,10 @@ $('#input-client').typeahead({
 {% include "js/admin/authorization.js" %}
 	{% elif sessions -%}
 {% include "js/admin/sessions.js" %}
-	{% else -%}
-{% include "js/admin.js" %}
+	{% elif authorizations -%}
+{% include "js/admin-authorizations.js" %}
+	{% elif authentications -%}
+{% include "js/admin-authentications.js" %}
 	{% endif -%}
 {% endif -%}
 
diff --git a/burpui/templates/js/admin.js b/burpui/templates/js/admin-authentications.js
similarity index 99%
rename from burpui/templates/js/admin.js
rename to burpui/templates/js/admin-authentications.js
index f8510448..578dcc9b 100644
--- a/burpui/templates/js/admin.js
+++ b/burpui/templates/js/admin-authentications.js
@@ -1,4 +1,3 @@
-
 /***
  * The Settings Panel is managed with AngularJS.
  * Following is the AngularJS Application and Controller.
@@ -412,9 +411,6 @@ $('#perform-edit').on('click', function(e) {
 	location = "{{ url_for('view.admin_authentication', user='') }}"+$('#edit_backend').data('id')+'?backend='+$('#edit_backend option:selected').text();
 });
 
-/* Add user */
-
-
 /* user sessions */
 $( document ).on('click', '.btn-sessions-user', function(e) {
 	var user_id = $(this).data('member');
diff --git a/burpui/templates/js/admin-authorizations.js b/burpui/templates/js/admin-authorizations.js
new file mode 100644
index 00000000..578dcc9b
--- /dev/null
+++ b/burpui/templates/js/admin-authorizations.js
@@ -0,0 +1,418 @@
+/***
+ * The Settings Panel is managed with AngularJS.
+ * Following is the AngularJS Application and Controller.
+ * Our $scope is initialized with a $http request that retrieves a JSON like that:
+ * {
+ * 	"boolean": [
+ * 		"key",
+ * 		...
+ * 	],
+ * 	"defaults": {
+ * 		"key1": "default",
+ * 		"key2": false,
+ * 		"key3": [
+ * 			4,
+ * 			2,
+ * 		],
+ * 		...
+ * 	},
+ * 	"integer": [
+ * 		"key",
+ * 	],
+ * 	"multi": [
+ * 		"key",
+ * 	],
+ * 	"placeholders": {
+ * 		"key": "placeholder",
+ * 		...
+ * 	},
+ * 	"results": {
+ * 		"boolean": [
+ * 			{
+ * 				"name": "key",
+ * 				"value": true
+ * 			},
+ * 			...
+ * 		],
+ * 		"clients": [
+ * 			{
+ * 				"name": "clientname",
+ * 				"value": "/etc/burp/clientconfdir/clientname"
+ * 			},
+ * 			...
+ * 		],
+ * 		"common": [
+ * 			{
+ * 				"name": "key",
+ * 				"value": "val"
+ * 			},
+ * 			...
+ * 		],
+ * 		"integer": [
+ * 			{
+ * 				"name": "key",
+ * 				"value": 42
+ * 			},
+ * 			...
+ * 		],
+ * 		"multi": [
+ * 			{
+ * 				"name": "key",
+ * 				"value": [
+ * 					"value1",
+ * 					"value2",
+ * 					...
+ * 				]
+ * 			},
+ * 			...
+ * 		],
+ *    "includes": [
+ *      "glob",
+ *      "example*.conf",
+ *      ...
+ *    ],
+ *    "includes_ext": [
+ *      "glob",
+ *      "example1.conf",
+ *      "example_toto.conf",
+ *      ...
+ *    ]
+ * 	},
+ * 	"server_doc": {
+ * 		"key": "documentations of the specified key from the manpage",
+ * 		...
+ * 	},
+ * 	"string": [
+ * 		"key",
+ * 		...
+ * 	],
+ * 	"suggest": {
+ * 		"key": [
+ * 			"value1",
+ * 			"value2",
+ * 		],
+ * 		[...]
+ * 	}
+ * }
+ * The JSON is then split-ed out into several dict/arrays to build our form.
+ */
+{% import 'macros.html' as macros %}
+
+var _cache_id = _EXTRA;
+
+var _me = undefined;
+var _users = {};
+var _auth_backends = {};
+var _users_array = [];
+var __promises = [];
+var __globals_promises = [];
+
+var app = angular.module('MainApp', ['ngSanitize', 'ui.select', 'mgcrea.ngStrap', 'datatables']);
+
+app.config(function(uiSelectConfig) {
+	uiSelectConfig.theme = 'bootstrap';
+});
+
+app.controller('AdminCtrl', ['$scope', '$http', '$scrollspy', 'DTOptionsBuilder', 'DTColumnDefBuilder', function($scope, $http, $scrollspy, DTOptionsBuilder, DTColumnDefBuilder) {
+	var vm = this;
+	$scope.auth_backends = [];
+
+  $http.get('{{ url_for("api.auth_backends") }}', { headers: { 'X-From-UI': true } })
+		.then(function (response) {
+			$scope.auth_backends = [];
+			_auth_backends = {};
+			angular.forEach(response.data, function(back, i) {
+				_auth_backends[back.name] = back;
+				$scope.auth_backends.push(back);
+			});
+			$scope.auth_backend = "placeholder";
+			vm.userAdd.auth_backend.$setValidity('valid', false);
+			vm.userAdd.$setPristine();
+		});
+
+	$scope.checkSelect = function() {
+		vm.userAdd.auth_backend.$setValidity('valid', ($scope.auth_backend != "placeholder"));
+	};
+
+	$scope.addUser = function(e) {
+		e.preventDefault();
+		var form = $(e.target);
+		submit = form.find('button[type="submit"]');
+		sav = submit.html();
+		submit.html('<i class="fa fa-fw fa-spinner fa-pulse" aria-hidden="true"></i>&nbsp;{{ _("Creating...") }}');
+		submit.attr('disabled', true);
+		$http({
+			url: form.attr('action'),
+			method: form.attr('method'),
+			params: {
+				username: $scope.auth_username,
+				password: $scope.auth_password,
+				backend: $scope.auth_backend,
+			},
+			headers: { 'X-From-UI': true },
+		})
+		.catch(myFail)
+		.then(function(response) {
+			notifAll(response.data);
+			$scope.auth_username = null;
+			$scope.auth_password = null;
+			$scope.auth_backend = "placeholder";
+			vm.userAdd.auth_backend.$setValidity('valid', false);
+			vm.userAdd.auth_username.$setUntouched();
+			vm.userAdd.auth_password.$setUntouched();
+			vm.userAdd.auth_password.$setPristine();
+			vm.userAdd.$setPristine();
+			_authentication();
+		})
+		.finally(function() {
+			submit.html(sav);
+			submit.attr('disabled', false);
+		});
+	};
+}]);
+
+var _users_table = $('#table-users').DataTable( {
+	{{ macros.translate_datatable() }}
+	{{ macros.get_page_length() }}
+	responsive: true,
+	processing: true,
+	fixedHeader: true,
+	select: {
+		style: 'os',
+	},
+	data: [],
+	rowId: 'id',
+	rowCallback: function( row, data, index ) {
+		var classes = row.className.split(' ');
+		_.each(classes, function(cl) {
+			if (_.indexOf(['odd', 'even'], cl) != -1) {
+				row.className = cl;
+				return;
+			}
+		});
+		_.each(data.raw, function(raw) {
+			if (raw.name === _me.name && raw.backend == _me.backend) {
+				row.className += ' success';
+				return;
+			}
+		});
+	},
+	columns: [
+		{
+			data: null,
+			render: function ( data, type, row ) {
+				return data.id;
+			}
+		},
+		{
+			data: null,
+			render: function ( data, type, row ) {
+				var ret = '';
+				$.each(data.backends, function(i, back) {
+					ret += '<span class="label label-default">'+back+'</span>&nbsp;';
+				});
+				return ret;
+			}
+		},
+		{
+			data: null,
+			render: function ( data, type, row ) {
+				var ret = '';
+				$.each(data.roles, function(i, role) {
+					ret += '<span class="label label-warning">'+role+'</span>&nbsp;';
+				});
+				return ret;
+			}
+		},
+		{
+			data: null,
+			render: function ( data, type, row ) {
+				var ret = '';
+				$.each(data.groups, function(i, group) {
+					ret += '<span class="label label-primary">'+group+'</span>&nbsp;';
+				});
+				return ret;
+			}
+		},
+		{
+			data: null,
+			render: function ( data, type, row ) {
+				return '<button data-member="'+data.id+'" class="btn btn-xs btn-danger btn-delete-user" title="{{ _("Remove") }}"><i class="fa fa-trash" aria-hidden="true"></i></button>&nbsp;<button data-member="'+data.id+'" class="btn btn-xs btn-info btn-edit-user" title="{{ _("Edit") }}"><i class="fa fa-pencil" aria-hidden="true"></i></button>&nbsp;<button data-member="'+data.id+'" class="btn btn-xs btn-warning btn-sessions-user" title="{{ _("Sessions") }}"><i class="fa fa-list-alt" aria-hidden="true"></i></button>';
+			}
+		},
+	],
+});
+
+var g = $.getJSON('{{ url_for("api.admin_me") }}').done(function (data) {
+	_me = data;
+});
+__globals_promises.push(g);
+
+var _authentication = function() {
+	$('#waiting-user-container').show();
+	$('#table-users-container').hide();
+	var __usernames = [];
+	$.getJSON('{{ url_for("api.auth_users") }}').done(function (users) {
+		__promises = [];
+		$.each(users, function(i, user) {
+			__usernames.push(user.name);
+			if (_users[user.name]) {
+				if (_users[user.name]['backends'].indexOf(user.backend) === -1) {
+					_users[user.name]['backends'].push(user.backend);
+				}
+				if (_users[user.name]['raw'].indexOf(user) === -1) {
+					_users[user.name]['raw'].push(user);
+				}
+			} else {
+				_users[user.name] = {
+					id: user.name,
+					backends: [user.backend],
+					roles: [],
+					groups: [],
+					raw: [user],
+				};
+				var p = $.getJSON('{{ url_for("api.acl_groups_of", member="") }}'+user.name).done(function (data) {
+					_users[user.name]['groups'] = data.groups;
+				});
+				__promises.push(p);
+				p = $.getJSON('{{ url_for("api.acl_is_admin", member="") }}'+user.name).done(function (data) {
+					if (data.admin) {
+						_users[user.name]['roles'].push('admin');
+					}
+				});
+				__promises.push(p);
+				p = $.getJSON('{{ url_for("api.acl_is_moderator", member="") }}'+user.name).done(function (data) {
+					if (data.moderator) {
+						_users[user.name]['roles'].push('moderator');
+					}
+				});
+				__promises.push(p);
+			}
+		});
+		var redraw = false;
+		_users_array = [];
+		$.each(_users, function(key, value) {
+			if (__usernames.indexOf(key) == -1) {
+				delete _users[key];
+				redraw = true;
+			} else {
+				_users_array.push(value);
+			}
+		});
+		if (redraw) {
+			_users_table.clear();
+			_users_table.rows.add(_users_array).draw();
+			$('#waiting-user-container').hide();
+			$('#table-users-container').show();
+		}
+		$.when.apply( $, __promises ).done(function() {
+			_users_array = [];
+			$.each(_users, function(key, value) {
+				_users_array.push(value);
+			});
+			_users_table.clear();
+			_users_table.rows.add(_users_array).draw();
+			$('#waiting-user-container').hide();
+			$('#table-users-container').show();
+		});
+	});
+};
+
+var _admin = function() {
+	_authentication();
+};
+
+{{ macros.page_length('#table-list-clients') }}
+{{ macros.page_length('#table-list-templates') }}
+
+$( document ).ready(function () {
+	$('#config-nav a').click(function (e) {
+		e.preventDefault();
+		$(this).tab('show');
+	});
+});
+
+/* Delete user */
+var _remove_selected = 0;
+$( document ).on('click', '.btn-delete-user', function(e) {
+	var user_id = $(this).data('member');
+	var user = _users[user_id];
+	var content = '<legend>{{ _("Please select the backend(s) from which to remove the user:") }}</legend>';
+	$.each(user['backends'], function(i, back) {
+		var disabled_legend = '{{ _("The backend does not support user removal") }}';
+		var disabled = 'disabled title="'+disabled_legend+'"';
+		var is_enabled = _auth_backends[back]['del'];
+		content += '<div class="checkbox"><label><input type="checkbox" name="user_backend" data-id="'+user_id+'" data-backend="'+back+'" '+(is_enabled?'':disabled)+'>'+back+(is_enabled?'':' <em>('+disabled_legend+')</em>')+'</label></div>';
+	});
+	/* disable submit button while we did not select a backend */
+	$('#perform-delete').prop('disabled', true);
+	$('#delete-details').html(content);
+	$('#delete-user-modal').modal('toggle');
+});
+$( document ).on('change', 'input[name=user_backend]', function(e) {
+	var user_id = $(this).data('id');
+	var backend = $(this).data('backend');
+	if (user_id == _me.id && backend == _me.backend) {
+		if ($(this).is(':checked')) {
+			$('#delete-confirm').show();
+		} else {
+			$('#delete-confirm').hide();
+		}
+	}
+	if ($(this).is(':checked')) {
+		_remove_selected++;
+	} else {
+		_remove_selected--;
+	}
+	if (_remove_selected > 0) {
+		$('#perform-delete').prop('disabled', false);
+	} else {
+		$('#perform-delete').prop('disabled', true);
+	}
+});
+$('#perform-delete').on('click', function(e) {
+	$.each($('input[name=user_backend]'), function(i, elmt) {
+		var e = $(elmt);
+		if (e.is(':checked')) {
+			$.ajax({
+				url: "{{ url_for('api.auth_users', name='') }}"+$(e).data('id')+"?backend="+$(e).data('backend'),
+				type: 'DELETE',
+				headers: { 'X-From-UI': true },
+			}).done(function(data) {
+				notifAll(data);
+				_authentication();
+			}).fail(myFail);
+		}
+	});
+});
+
+/* Edit user */
+$( document ).on('click', '.btn-edit-user', function(e) {
+	var user_id = $(this).data('member');
+	var user = _users[user_id];
+	var content = '<legend>{{ _("Please select the backend from which to edit the user from:") }}</legend>';
+	content += '<div class="form-group"><label for="edit_backend" class="col-lg-2 control-label">Backend</label>';
+	content += '<div class="col-lg-10"><select class="form-control" id="edit_backend" name="edit_backend" data-id="'+user_id+'"><option disabled selected value="placeholder">'+'{{ _("Please select a backend") }}'+'</option>';
+	$.each(user['backends'], function(i, back) {
+		is_enabled = _auth_backends[back]['mod'];
+		content += '<option'+(is_enabled?'':' disabled')+'>'+back+'</option>';
+	});
+	content += '</select></div></div>';
+	$('#perform-edit').prop('disabled', true);
+	$('#edit-details').html(content);
+	$('#edit-user-modal').modal('toggle');
+});
+$( document ).on('change', '#edit_backend', function(e) {
+	if ($('#edit_backend option:selected').val() != 'placeholder') {
+		$('#perform-edit').prop('disabled', false);
+	}
+});
+$('#perform-edit').on('click', function(e) {
+	location = "{{ url_for('view.admin_authentication', user='') }}"+$('#edit_backend').data('id')+'?backend='+$('#edit_backend option:selected').text();
+});
+
+/* user sessions */
+$( document ).on('click', '.btn-sessions-user', function(e) {
+	var user_id = $(this).data('member');
+	location = "{{ url_for('view.admin_sessions', user='') }}"+user_id;
+});
diff --git a/burpui/templates/settings.html b/burpui/templates/settings.html
index 23c2d0ab..228ab8ee 100644
--- a/burpui/templates/settings.html
+++ b/burpui/templates/settings.html
@@ -66,7 +66,7 @@
           <div id="config-tab-content" class="tab-content">
             <div class="tab-pane fade active in" id="config">
               <div id="waiting-container" class="row">
-                <i class="fa fa-fw fa-spin fa-refresh" aria-hidden="true"></i>{{ _('Loading, Please wait...') }}
+                <i class="fa fa-fw fa-spin fa-refresh" aria-hidden="true"></i>&nbsp;{{ _('Loading, Please wait...') }}
                 <br />
                 <div class="progress progress-striped active">
                   <div class="progress-bar progress-bar-info" style="width: 100%"></div>
diff --git a/burpui/templates/sideadmin.html b/burpui/templates/sideadmin.html
index 3ed4619a..9250abaf 100644
--- a/burpui/templates/sideadmin.html
+++ b/burpui/templates/sideadmin.html
@@ -1,9 +1,8 @@
 
           <div id="navbar-config">
             <h4>{{ _('Administration navigation') }}</h4>
-            <ul class="nav nav-sidebar bui-scrollspy">
-              <li class="active" data-target="#authentication"><a class="scroll" href="#authentication">{{ _('Authentication') }}</a></li>
-              <!-- <li data-target="#settings"><a class="scroll"  href="#settings">{{ _('Settings') }}</a></li> -->
-              <li data-target="#authorization"><a class="scroll" href="#acl">{{ _('Authorization') }}</a></li>
+            <ul class="nav nav-sidebar">
+              <li class="active"><a href="{{ url_for('view.admin_authentications') }}">{{ _('Authentication') }}</a></li>
+              <li><a href="{{ url_for('view.admin_authorizations') }}">{{ _('Authorization') }}</a></li>
             </ul>
           </div>
diff --git a/burpui/templates/topbar.html b/burpui/templates/topbar.html
index 76e441e7..6a33618d 100644
--- a/burpui/templates/topbar.html
+++ b/burpui/templates/topbar.html
@@ -54,7 +54,7 @@
               {% if current_user and current_user.is_authenticated -%}
                 {% if current_user.is_admin or current_user.is_moderator -%}
             <li class="detail {% if admin %}active{% endif %}">
-              <a href="{{ url_for('view.admin') }}">
+              <a href="{{ url_for('view.admin_authentications') }}">
               <i class="fa fa-cogs" aria-hidden="true"></i><span class="dtl">&nbsp;{{ _('Administration') }}</span>
               </a>
             </li>
diff --git a/burpui/templates/user.html b/burpui/templates/user.html
index 679559d2..bc37db5c 100644
--- a/burpui/templates/user.html
+++ b/burpui/templates/user.html
@@ -106,7 +106,7 @@
             <div class="modal-content">
               <div class="modal-header">
                 <button type="button" class="close" data-dismiss="modal" aria-hidden="true">&times;</button>
-                <h4 class="modal-title">Confirmation</h4>
+                <h4 class="modal-title">{{ _('Confirmation') }}</h4>
               </div>
               <div class="modal-body">
                 <div class="alert alert-warning">