Beispiel #1
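def _grant_role(user, role_name):
    """Attach the predefined role *role_name* to *user* unless already held.

    Returns ``True`` when the role was added and ``False`` when the user
    already had it, so callers only persist (and commit) on a real change.
    """
    role = get_or_create_role(role_name)
    # NOTE(review): membership assumes the ORM identity map hands back the
    # same Role instance for the same row (default SQLAlchemy behaviour);
    # confirm Role defines no custom __eq__ that would defeat this check.
    if role in user.roles:
        return False
    user.roles.append(role)
    return True


def _identity_from_session(data, login_type):
    """Return ``(login_id, picture)`` for the provider payload in *data*.

    Google and local logins are keyed by the e-mail address, GitHub logins
    by the GitHub ``login`` handle. Returns ``None`` for any other type so
    the caller can reject the session.
    """
    if login_type in (LoginType.GOOGLE, LoginType.LOCAL):
        return data["email"], data.get("picture")
    if login_type == LoginType.GITHUB:
        return data["login"], data.get("avatar_url")
    return None


def load_user():
    """Resolve the current session into ``g.user`` before a request.

    Skips static assets and the logout/terms pages, clears ``g.user`` for
    anonymous requests, enforces maintenance / restricted mode for
    non-admins, then creates or refreshes the ``User`` row backing the
    session payload and attaches it to ``g.user`` when the account is
    enabled. Blocked and not-yet-activated accounts are logged out again.

    Returns:
        The response produced by ``registration_required`` when a new
        identity still has to complete registration; ``None`` otherwise.
    """
    # pylint: disable=too-many-return-statements,too-many-branches

    # Paths that never need a user attached: assets, logout and the terms
    # page (the latter must stay reachable while registration is pending).
    if request.path.startswith("/static"):
        return None
    if request.path in (url_for("auth.logout"), url_for("auth.terms")):
        return None

    if not is_authenticated():
        g.user = None
        return None

    log.debug("Loading user")

    # Ignore all non-admin users during maintenance or restricted mode;
    # RESTRICT_LOGIN is waived on local instances (explicit parentheses
    # spell out the `or`/`and` precedence the original relied on).
    restricted = current_app.config["MAINTENANCE_MODE"] or (
        current_app.config["RESTRICT_LOGIN"]
        and not current_app.config["IS_LOCAL"]
    )
    if restricted and not is_admin():
        logout()
        flash("Login restricted.", "danger")
        return None

    # Don't override a user another hook already attached to this request.
    if getattr(g, "user", None) is not None:
        log.debug("Reusing existing user %s", g.user)
        return None

    # Make sure old and incompatible sessions (no payload at all, or a
    # payload without a login type) get dropped instead of raising.
    data = session.get("user_info")
    if not data or "type" not in data:
        logout()
        return None

    login_type = LoginType(data["type"])
    identity = _identity_from_session(data, login_type)
    if identity is None:
        log.error("Unsupported login type %r", login_type)
        flash("Login unsupported.", "danger")
        logout()
        return None
    login_id, picture = identity

    user = User.query.filter_by(login=login_id).one_or_none()
    is_new = False
    is_changed = False
    if not user:
        resp, invite_code = registration_required(login_id=login_id)
        if resp is not None:
            return resp

        # Only the first/last characters of the identifier are logged so
        # the log does not hold the full e-mail address.
        if "@" in login_id:
            name, host = login_id.rsplit("@", 1)
            # Slices instead of indexing so an empty local part cannot raise.
            log.info("Creating new user %s...%s@%s (%s)", name[:1], name[-1:],
                     host, login_type)
        else:
            name = login_id
            log.info(
                "Creating new user %s...%s (%s)",
                login_id[:2],
                login_id[-2:],
                login_type,
            )
        user = User(
            login=login_id,
            full_name=data.get("name", name),
            profile_picture=picture,
            login_type=login_type,
        )
        is_new = True
        if invite_code is not None:
            # NOTE(review): presumably registration_required validated the
            # code (and its remaining uses) and left it in the session;
            # confirm before relying on the pop() not raising KeyError.
            session.pop("invite_code")
            user.roles = invite_code.roles
            user.invite_code = invite_code
            invite_code.remaining_uses -= 1
            if current_app.config["AUTO_ENABLE_INVITED_USERS"]:
                user.enable()
            db.session.add(invite_code)
    else:
        log.info("Updating user %s", user)
        # Provider data only fills gaps; it never overwrites what the user
        # already has on record.
        if "name" in data and not user.full_name:
            user.full_name = data["name"]
            is_changed = True
        if picture and not user.profile_picture:
            user.profile_picture = picture
            is_changed = True
        if user.login_type is None:
            # Backfill for rows created before login_type existed; flag the
            # change so it is actually persisted below.
            user.login_type = login_type
            is_changed = True

    # Update automatic roles. Each grant is idempotent, so an admin hitting
    # this on every request no longer triggers a write and commit each time.
    if is_new:
        _grant_role(user, PredefinedRoles.USER)

    # NOTE(review): admin/reviewer privileges hinge on the provider-supplied
    # e-mail claim; this assumes every provider verified it (for GitHub
    # logins `email` is the public profile address) — confirm.
    email = data.get("email")
    if email in current_app.config["APPLICATION_ADMINS"]:
        is_changed |= _grant_role(user, PredefinedRoles.ADMIN)
        is_changed |= _grant_role(user, PredefinedRoles.REVIEWER)
        if is_new:
            user.state = UserState.ACTIVE
    elif email == "*****@*****.**":
        # Literal appears redacted in this listing; it is a second
        # hard-coded identity that could live next to APPLICATION_ADMINS.
        is_changed |= _grant_role(user, PredefinedRoles.REVIEWER)

    if is_changed or is_new:
        log.info("Saving user %s", user)
        db.session.add(user)
        db.session.commit()

    if user.is_blocked():
        logout()
        flash("Account blocked", "danger")
    elif user.is_enabled():
        g.user = user
        log.debug("Loaded user %s", g.user)
        if user.is_first_login():
            user.enable()
            db.session.add(user)
            db.session.commit()
            # jinja2.Markup was removed in Jinja2 3.1; markupsafe.Markup is
            # the drop-in replacement once the dependency block is updated.
            flash(
                jinja2.Markup(
                    "Welcome to Vulncode-DB!<br>"
                    "Please take a look at your "
                    f'<a href="{url_for("profile.index")}">profile page</a> '
                    "to review your settings."),
                "info",
            )
    else:
        logout()
        flash("Account not yet activated", "danger")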
Beispiel #2
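def _grant_role(user, role_name):
    """Attach the predefined role *role_name* to *user* unless already held.

    Returns ``True`` when the role was added and ``False`` when the user
    already had it, so callers only persist (and commit) on a real change.
    """
    role = get_or_create_role(role_name)
    # NOTE(review): membership assumes the ORM identity map hands back the
    # same Role instance for the same row (default SQLAlchemy behaviour);
    # confirm Role defines no custom __eq__ that would defeat this check.
    if role in user.roles:
        return False
    user.roles.append(role)
    return True


def load_user():
    """Resolve the current session into ``g.user`` before a request.

    Skips static assets and the logout/terms pages, clears ``g.user`` for
    anonymous requests, enforces maintenance / restricted mode for
    non-admins, then creates or refreshes the ``User`` row matching the
    session's e-mail and attaches it to ``g.user`` when the account is
    enabled. Blocked and not-yet-activated accounts are logged out again.

    Returns:
        A redirect to the terms page when a new identity has not accepted
        the terms yet; ``None`` otherwise.
    """
    # Paths that never need a user attached: assets, logout and the terms
    # page (the latter must stay reachable while the terms are pending).
    if request.path.startswith('/static'):
        return None
    if request.path in (url_for('auth.logout'), url_for('auth.terms')):
        return None

    if not is_authenticated():
        g.user = None
        return None

    log.debug('Loading user')

    # Ignore all non-admin users during maintenance or restricted mode;
    # RESTRICT_LOGIN is waived on local instances (explicit parentheses
    # spell out the `or`/`and` precedence the original relied on).
    restricted = current_app.config["MAINTENANCE_MODE"] or (
        current_app.config['RESTRICT_LOGIN']
        and not current_app.config['IS_LOCAL']
    )
    if restricted and not is_admin():
        logout()
        flash('Login restricted.', 'danger')
        return None

    # Don't override a user another hook already attached to this request.
    if getattr(g, 'user', None) is not None:
        log.debug('Reusing existing user %s', g.user)
        return None

    data = session["user_info"]
    email = data["email"]

    user = User.query.filter_by(email=email).one_or_none()
    is_new = False
    is_changed = False
    if not user:
        if not session.get('terms_accepted'):
            # Logger.warn is a deprecated alias (removed in Python 3.13).
            log.warning('Terms not accepted yet')
            # NOTE(review): presumably marks this redirect as allowed for a
            # later authorization hook — confirm where it is consumed.
            request._authorized = True
            return redirect(url_for('auth.terms'))

        # rpartition never raises on an address without '@' (unlike
        # rsplit unpacking); slices keep the log to first/last character
        # so the full address is not written out.
        name, _, host = email.rpartition('@')
        log.info('Creating new user %s...%s@%s', name[:1], name[-1:], host)
        user = User(email=email,
                    full_name=data.get("name", name),
                    profile_picture=data.get("picture"))
        is_new = True
    else:
        log.info('Updating user %s', user)
        # Provider data wins over the stored copy here, but only a real
        # difference marks the row as changed.
        if 'name' in data and user.full_name != data['name']:
            user.full_name = data["name"]
            is_changed = True
        if 'picture' in data and user.profile_picture != data['picture']:
            user.profile_picture = data["picture"]
            is_changed = True

    # Update automatic roles. Each grant is idempotent, so an admin hitting
    # this on every request no longer triggers a write and commit each time.
    if is_new:
        _grant_role(user, PredefinedRoles.USER)

    # NOTE(review): admin/reviewer privileges hinge on the provider-supplied
    # e-mail claim; this assumes the provider verified it — confirm.
    if email in current_app.config["APPLICATION_ADMINS"]:
        is_changed |= _grant_role(user, PredefinedRoles.ADMIN)
        is_changed |= _grant_role(user, PredefinedRoles.REVIEWER)
        if is_new:
            user.state = UserState.ACTIVE
    elif email == '*****@*****.**':
        # Literal appears redacted in this listing; it is a second
        # hard-coded identity that could live next to APPLICATION_ADMINS.
        is_changed |= _grant_role(user, PredefinedRoles.REVIEWER)

    if is_changed or is_new:
        log.info('Saving user %s', user)
        db.session.add(user)
        db.session.commit()

    if user.is_blocked():
        logout()
        flash('Account blocked', 'danger')
    elif user.is_enabled():
        g.user = user
        log.debug('Loaded user %s', g.user)
    else:
        logout()
        flash('Account not yet activated', 'danger')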