    def get(current_user, self, name=None):
        """Return one user (by *name*) or, for admins only, every user.

        ``current_user`` is passed in as the first positional argument by the
        token-checking decorator, which is why it precedes ``self``.
        Responds 401 when a non-admin asks for the full list and 404 when the
        named user does not exist.
        """
        listing_all = name is None
        if listing_all and not current_user.is_admin:
            abort(
                401,
                message="Missing rights. Try /user/<username> for user info.")

        # An empty filter selects every user; otherwise restrict to the name.
        query_filter = {} if listing_all else {'name': name}
        serialized = [doc.to_json() for doc in Users.objects(**query_filter)]

        if listing_all:
            return {'users': serialized}, 200

        if not serialized:
            abort(404, message="User '{}' doesn't exist".format(name))
        return {'user': serialized[0]}, 200
    def delete(current_user, self, name=None):
        """Delete the account called *name*.

        DELETE is not supported on the collection endpoint (405). Only the
        account owner or an admin may delete it (401 otherwise); an unknown
        name yields 404. Responds 204 with an empty body on success.
        """
        if name is None:
            abort(
                405,
                message="Can't DELETE at this endpoint. Try /user/<username>")

        is_owner = current_user.name == name
        if not (is_owner or current_user.is_admin):
            abort(401, message="Missing rights.")

        target = Users.objects(name=name).first()
        if target is None:
            abort(404, message="User '{}' doesn't exist".format(name))

        target.delete()
        return {}, 204
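    def get(self):
        """Exchange HTTP Basic credentials for a signed token.

        Returns ``{'token': ...}, 200`` on success. A missing header, unknown
        username or wrong password all produce the same generic 401 with a
        ``WWW-Authenticate`` challenge, so the response does not reveal which
        part failed. A deactivated account gets its own 401 message.
        """
        auth = request.authorization
        challenge = (
            {'message': 'Could not verify'},
            401,
            {'WWW-Authenticate': 'Basic realm="Login required"'},
        )
        # Validate the header before touching the database: looking the user
        # up first meant a request with no Authorization header raised
        # AttributeError on `auth.username` (a 500) instead of this 401.
        if not auth or not auth.username or not auth.password:
            return challenge

        user = Users.objects(name=auth.username).first()
        if user is None or not verify_password(user.password, auth.password):
            return challenge

        if not user.active:
            abort(401, message='Your account has been banned. Please contact the moderators if you feel that was a mistake.')

        # Read the clock once so 'iat' and 'exp' are derived from the same
        # instant rather than two separate utcnow() calls.
        issued_at = datetime.utcnow()
        # NOTE(review): the 60-minute lifetime presumably mirrors the
        # module-level `token_expiration_time` used by the decorator — confirm
        # they agree.
        token = encode({
            'exp': issued_at + timedelta(minutes=60),
            'iat': issued_at,
            'sub': str(user.id)
        }, app_secret_key)

        return {'token': token.decode('UTF-8')}, 200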
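    def decorated(*args, **kwargs):
        """Reject the request unless it carries a valid bearer token.

        Reads ``Authorization: Bearer <token>``, decodes it with
        ``app_secret_key`` and checks: not expired, not issued further back
        than ``token_expiration_time``, subject exists and is active, and the
        token was issued at or after the user's last logout. Any failure
        aborts with a single generic 401. On success the wrapped view ``f``
        is called with the authenticated user prepended to its arguments.
        """
        try:
            scheme, _, token = request.headers['authorization'].partition(' ')
            token = token.strip()
            # Require the Bearer scheme explicitly; slicing off the first
            # seven characters accepted any prefix of that length.
            if scheme.lower() != 'bearer' or not token:
                raise ValueError('unsupported authorization scheme')
            # NOTE(review): if `decode` is PyJWT, also pass `algorithms=[...]`
            # matching the algorithm used by `encode`, so the verifier cannot
            # be steered to a different one — confirm library and version.
            payload = decode(token, app_secret_key)

            now = datetime.utcnow()
            # Explicit checks instead of `assert`: asserts are stripped under
            # `python -O`, which would silently disable every check below.
            if payload['exp'] <= timegm(now.utctimetuple()):
                raise ValueError('token expired')
            if payload['iat'] <= timegm(
                    (now - token_expiration_time).utctimetuple()):
                raise ValueError('token issued too long ago')

            current_user = Users.objects(id=payload['sub']).first()
            if current_user is None or current_user.active is not True:
                raise ValueError('unknown or inactive user')

            if payload['iat'] < current_user.last_logout_time:
                raise ValueError('token predates last logout')
        except Exception:
            # Deliberately one generic message: the caller must not learn
            # which check failed.
            abort(401, message='Token is missing, invalid or expired')

        return f(current_user, *args, **kwargs)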
    def get(self, name, post_id=None):
        """Return all posts of user *name*, or the single post *post_id*.

        A post id must be a 24-character string (presumably the length of a
        stringified ObjectId); anything else is rejected with 404 before the
        database is consulted. Unknown users and unknown posts also yield 404.
        """
        if post_id is not None:
            well_formed = isinstance(post_id, str) and len(post_id) == 24
            if not well_formed:
                abort(404, message="{} is not a valid post id".format(post_id))

        owner = Users.objects(name=name).first()
        if owner is None:
            abort(404, message="User '{}' doesn't exist".format(name))

        if post_id is None:
            all_posts = [entry.to_json() for entry in owner.posts]
            return {"user's '{}' posts".format(name): all_posts}, 200

        # Compare as strings: post_id arrives as text, post.id is an object.
        matches = [
            entry.to_json() for entry in owner.posts
            if str(entry.id) == post_id
        ]
        if not matches:
            abort(
                404,
                message="Post with id '{}' doesn't exist".format(post_id))
        return {"user's '{}' post".format(name): matches[0]}, 200
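    def put(current_user, self, name=None):
        """Update the account called *name* from the JSON request body.

        PUT is not supported on the collection endpoint (405). Only the
        account owner or an admin may update it (401 otherwise); an unknown
        name yields 404. The body is run through
        ``validate_values_in_dictionary`` before any field is changed and
        validation errors produce a 400. Passwords are stored via
        ``hash_string_with_salt``. Responds 204 on success.
        """
        if name is None:
            abort(405,
                  message="Can't PUT to this endpoint. Try /user/<username>")
        if current_user.name != name and not current_user.is_admin:
            abort(401, message="Missing rights.")

        existing_user = Users.objects(name=name).first()
        if existing_user is None:
            abort(404, message="User '{}' doesn't exist".format(name))

        received_json = request.get_json()
        # A body that is not a JSON object (e.g. a non-JSON Content-Type, for
        # which get_json() returns None on older Flask) previously reached
        # `.get()` below and crashed with a 500; reject it up front.
        if not isinstance(received_json, dict):
            abort(400, message="Request body must be a JSON object.")

        # admin / admin_keys presumably keep 'active', 'is_admin' and 'name'
        # admin-only — the enforcement itself lives in the validator.
        errors = validate_values_in_dictionary(
            received_json,
            Users,
            sensitive_keys={'name'},
            unique_keys={'name', 'email'},
            admin=current_user.is_admin,
            admin_keys={'active', 'is_admin', 'name'})
        if errors:
            abort(400, errors=errors)

        # Only keys present with a non-null value are applied, so a partial
        # body leaves the remaining fields untouched.
        active = received_json.get('active')
        if active is not None:
            # NOTE(review): bool() of a non-empty string such as "false" is
            # True; this relies on the validator having enforced a boolean.
            existing_user.active = bool(active)
        is_admin = received_json.get('is_admin')
        if is_admin is not None:
            existing_user.is_admin = bool(is_admin)
        new_name = received_json.get('name')
        if new_name is not None:
            existing_user.name = new_name

        email = received_json.get('email')
        if email is not None:
            existing_user.email = email
        password = received_json.get('password')
        if password is not None:
            existing_user.password = hash_string_with_salt(password)

        existing_user.save()

        return {}, 204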