def dbRevokeRoleFromUser(db, role, targetUser, user):
"""Revoke a role from a user, i.e. ungrant it."""
if userIsAdmin(db, user):
grantedRoleKeys = {r.roleKey() for r in targetUser.roles}
if role.roleKey() not in grantedRoleKeys:
raise OstracionError('Role is not granted to user')
else:
# delicate checks: cannot remove 'admin' from self
if (user.username == targetUser.username
and role.roleKey() == ('system', 'admin')):
raise OstracionError('Cannot revoke "admin" role from self')
else:
dbDeleteRecordsByKey(
db,
'user_roles',
{
'username': targetUser.username,
'role_class': role.role_class,
'role_id': role.role_id,
},
dbTablesDesc=dbSchema,
)
db.commit()
else:
raise OstracionError('Insufficient permissions')
def dbDeleteRole(db, roleClass, roleId, user):
""" Delete a role from DB."""
if userIsAdmin(db, user):
role = dbGetRole(db, roleClass, roleId, user)
if role.can_delete == 0:
raise OstracionError('Role cannot be deleted')
else:
dbDeleteRecordsByKey(
db,
'box_role_permissions',
{
'role_class': role.role_class,
'role_id': role.role_id
},
dbTablesDesc=dbSchema,
)
dbDeleteRecordsByKey(
db,
'roles',
{
'role_class': role.role_class,
'role_id': role.role_id
},
dbTablesDesc=dbSchema,
)
db.commit()
else:
raise OstracionError('Insufficient permissions')
def deleteLink(
db, parentBox, link, user, fileStorageDirectory,
skipCommit=False, accountDeletionInProgress=False):
""" Delete a link (either because permissions allow it
or the caller is working as part of an account deletion,
in which case the caller is responsible for lifting
permission checks).
Returns the filesystem delete queue.
"""
if (accountDeletionInProgress or
userHasPermission(db, user, parentBox.permissions, 'w')):
#
fsDeleteQueue = (
[
fileIdToPath(
link.icon_file_id,
fileStorageDirectory=fileStorageDirectory,
)
]
if link.icon_file_id != '' else []
)
dbDeleteRecordsByKey(
db,
'links',
{'link_id': link.link_id},
dbTablesDesc=dbSchema,
)
if not skipCommit:
db.commit()
return fsDeleteQueue
else:
raise OstracionError('User has no write permission')
def dbDeleteTicket(db, ticketId, user, mode, skipCommit=False):
""" Remove a ticket from DB."""
ticketDict = dbRetrieveRecordByKey(
db,
'tickets',
{'ticket_id': ticketId},
dbTablesDesc=dbSchema,
)
if (ticketDict is not None and
ticketTargetTypeToModeNameMap[ticketDict['target_type']] == mode):
ticket = Ticket(**ticketDict)
if userIsAdmin(db, user) or user.username == ticket.username:
#
dbDeleteRecordsByKey(
db,
'tickets',
{'ticket_id': ticketId},
dbTablesDesc=dbSchema,
)
if not skipCommit:
db.commit()
else:
raise OstracionError('Insufficient permissions')
else:
raise OstracionWarning('Ticket unavailable')
def _recursiveBoxDeletion(
db, box, parentBox, user,
fileStorageDirectory, accountDeletionInProgress=False):
""" Take care of deleting a box, invoking itself on children boxes
and erasing contained files, joining the results (the delete queue)
accumulated in the sub-deletions. Used internaly by deleteBox.
"""
if box.box_id == '':
raise OstracionError('Box cannot be deleted')
else:
if (accountDeletionInProgress or
(
userHasPermission(db, user, box.permissions, 'w') and
userHasPermission(db, user, parentBox.permissions, 'c')
)):
fsDeleteQueue = ([fileIdToPath(
box.icon_file_id,
fileStorageDirectory=fileStorageDirectory,
)]) if box.icon_file_id != '' else []
allChildren = list(getBoxesFromParent(db, box, user))
if any(c is None for c in allChildren):
raise OstracionError('User is not allowed to delete box')
#
for c in allChildren:
if c is not None:
fsDeleteQueue += _recursiveBoxDeletion(
db, c, box, user,
fileStorageDirectory=fileStorageDirectory,
accountDeletionInProgress=accountDeletionInProgress)
allChildFiles = getFilesFromBox(db, box)
for f in allChildFiles:
fsDeleteQueue += deleteFile(
db, box, f, user,
fileStorageDirectory=fileStorageDirectory,
skipCommit=True,
accountDeletionInProgress=accountDeletionInProgress)
# actual deletion
dbDeleteRecordsByKey(
db, 'box_role_permissions', {'box_id': box.box_id},
dbTablesDesc=dbSchema)
dbDeleteRecordsByKey(
db, 'boxes', {'box_id': box.box_id},
dbTablesDesc=dbSchema)
return fsDeleteQueue
else:
raise OstracionError('User is not allowed to delete box')
def dbDeleteBoxRolePermission(db,
boxId,
roleClass,
roleId,
user,
skipCommit=False):
"""Remove a permission set (i.e. for a role) from a box."""
if boxId == '':
raise OstracionError('Cannot delete root box permissions')
else:
if userIsAdmin(db, user):
recordExists = len(
list(
dbRetrieveRecordsByKey(
db,
'box_role_permissions',
{
'box_id': boxId,
'role_class': roleClass,
'role_id': roleId,
},
dbTablesDesc=dbSchema,
))) != 0
if recordExists:
try:
dbDeleteRecordsByKey(
db,
'box_role_permissions',
{
'box_id': boxId,
'role_class': roleClass,
'role_id': roleId,
},
dbTablesDesc=dbSchema,
)
if not skipCommit:
db.commit()
except Exception as e:
db.rollback()
raise e
else:
raise OstracionError('Box role permission does not exist')
else:
raise OstracionError('Insufficient permissions')
def dbDeleteUser(db, username, user, fileStorageDirectory):
""" Delete a user altogether. Return a fsDeletionQueue for deletions."""
if username != '':
if not userIsAdmin(db, dbGetUser(db, username)):
try:
if username == user.username or userIsAdmin(db, user):
fsDeleteQueue = []
# 1. cleanup of file system
rootBox = getRootBox(db)
fsDeleteQueue += _traverseForAccountDeletion(
db,
rootBox,
username,
user,
path=[''],
fileStorageDirectory=fileStorageDirectory,
)
# 2. deleting user-related data around
dbDeleteRecordsByKey(
db,
'user_roles',
{'username': username},
dbTablesDesc=dbSchema,
)
deleteeUser = dbGetUser(db, username)
if deleteeUser.icon_file_id != '':
fsDeleteQueue.append(fileIdToPath(
deleteeUser.icon_file_id,
fileStorageDirectory=fileStorageDirectory,
))
dbDeleteRecordsByKey(
db,
'tickets',
{'username': username},
dbTablesDesc=dbSchema,
)
for u in dbGetAllUsers(db, user,
accountDeletionInProgress=True):
if u.username != username:
if u.icon_file_id_username == username:
if u.icon_file_id != '':
fsDeleteQueue.append(fileIdToPath(
u.icon_file_id,
fileStorageDirectory,
))
dbUpdateUser(
db,
User(**recursivelyMergeDictionaries(
{
'icon_file_id': '',
'icon_file_id_username': '',
},
defaultMap=u.asDict(),
)),
user,
skipCommit=True,
)
# 3. delete user-specific role association from boxes
dbDeleteRecordsByKey(
db,
'box_role_permissions',
{'role_class': 'user', 'role_id': username},
dbTablesDesc=dbSchema,
)
# 4. delete user-specific role
dbDeleteRecordsByKey(
db,
'roles',
{'role_class': 'user', 'role_id': username},
dbTablesDesc=dbSchema
)
# 5. finally, delete the user
dbDeleteRecordsByKey(
db,
'users',
{'username': username},
dbTablesDesc=dbSchema
)
db.commit()
return fsDeleteQueue
else:
raise OstracionError('Insufficient permissions')
except Exception as e:
db.rollback()
raise e
else:
raise OstracionError('Cannot delete an admin')
else:
raise OstracionError('Cannot alter system user')