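def login():
    """Handle the web login form for staff and regular users.

    On a valid POST the submitted username is looked up in both StaffModel
    and UserModel; a staff match is tried first, so a staff row shadows a
    user row of the same name.  A successful password check calls
    login_user() and redirects to the ``next`` query parameter, or to
    ``web.index`` when ``next`` is absent, is not a local path, or the
    caller is a staff member with role ``admin``.

    Returns:
        A redirect response after a successful login, the "wrong password"
        error page when the credentials do not match, or the rendered login
        form for a GET / invalid form.
    """
    from urllib.parse import urlparse

    form = AuthLogin()

    if form.validate_on_submit():

        user = UserModel.find_by_name(form.username.data)
        staff = StaffModel.find_by_name(form.username.data)

        if staff and check_password_hash(staff.password_hash,
                                         form.password.data):
            login_user(staff)

        elif user and check_password_hash(user.password_hash,
                                          form.password.data):
            login_user(user)

        else:
            return render_error_page_wrong_password()

        # ``next`` comes straight from the query string, i.e. from whoever
        # crafted the link the victim clicked.  The original code passed it
        # to redirect() unchecked, which is an open redirect usable for
        # phishing.  Only honour a bare same-site path: no scheme, no host
        # (this also rejects protocol-relative "//evil.example"), and no
        # backslash, which some browsers normalise to "/" before parsing.
        target = request.args.get("next")
        if target:
            parsed = urlparse(target)
            if (parsed.scheme or parsed.netloc or "\\" in target
                    or not target.startswith("/")):
                target = None

        if not target:
            target = url_for("web.index")

        # Staff admins always land on the index page; the original comment
        # describes this as a workaround for an admin-login redirect bug.
        if staff and staff.role == 'admin':
            target = url_for("web.index")

        return redirect(target)

    return render_template("login.html", form=form)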
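    def put(self):
        """Update the e-mail address of the user named in the request body.

        Authorization is deny-by-default: the request is honoured only for
        an ``admin`` identity or for the account owner (``auth_level ==
        "user"`` whose ``id`` matches the target row).  ``staff`` identities
        are refused before the database lookup so they cannot use the 404
        to probe which usernames exist.

        Returns:
            A ``(json_dict, status)`` pair: 403 when the caller is not
            authorized, 404 when the user does not exist, 200 on success and
            500 when saving fails.
        """
        data = self.user_parser.parse_args()
        identity = get_jwt_identity()

        # Staff are never allowed here (see the original comment), so refuse
        # them before touching the database.
        if identity["auth_level"] == "staff":
            return {"message": "unauthorized access"}, 403

        user = UserModel.find_by_name(data["username"])

        if not user:
            return {
                "message": "user:{} not found".format(data["username"])
            }, 404

        # Allow-list instead of the original deny-list: an unexpected
        # auth_level value is now refused rather than silently granted
        # access.  NOTE(review): assumes the admin token carries
        # auth_level == "admin" (the original comment says "authorized:
        # admin") - confirm against the staff login resource.
        is_admin = identity["auth_level"] == "admin"
        is_owner = (identity["auth_level"] == "user"
                    and identity["id"] == user.id)
        if not (is_admin or is_owner):
            # 403, not the original 500: this is a refused request, not a
            # server fault.
            return {"message": "unauthorized access"}, 403

        user.email = data["email"]

        try:
            user.save_to_db()
        except Exception:
            # Was a bare ``except:`` that returned an implicit 200.
            return {"message": "something went wrong."}, 500
        return {"message": "user info updated succesfully."}, 200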
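def add_super_company_user():
    """Seed the bootstrap company, the ``admin`` staff account and the
    placeholder ``NA`` user.

    Each record is created only when no row with the same name exists yet,
    so the function can run on every start-up.

    The password for both seeded accounts is read from the
    ``ADMIN_PASSWORD`` environment variable.  It falls back to the
    historical literal ``"admin_password"`` so existing deployments keep
    working, but that fallback is a well-known default credential: set
    ``ADMIN_PASSWORD`` (or rotate the seeded accounts) before the service is
    reachable by anyone untrusted.
    """
    import os

    # One plaintext source for both seeds; generate_password_hash is still
    # called separately per account so each row gets its own salted hash,
    # as in the original code.
    seed_password = os.environ.get("ADMIN_PASSWORD", "admin_password")

    first_company = CompanyModel.find_by_name("OneSteward")

    if not first_company:
        first_company = CompanyModel("OneSteward", "*****@*****.**",
                                     "555-555-5555")
        first_company.save_to_db()

    first_staff = StaffModel.find_by_name("admin")
    if not first_staff:
        # positional arguments as in the original: name, role, hash,
        # company id (presumably - verify against StaffModel.__init__)
        first_staff = StaffModel("admin", "admin",
                                 generate_password_hash(seed_password),
                                 first_company.id)

        first_staff.save_to_db()

    first_user = UserModel.find_by_name("NA")
    if not first_user:
        first_user = UserModel(generate_password_hash(seed_password),
                               name="NA",
                               email="NA",
                               phone="")

        first_user.save_to_db()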
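    def post(self):
        """Authenticate a user by username and password and issue JWTs.

        Returns:
            On success a dict carrying a fresh access token and a refresh
            token (implicit 200).  Every failure - unknown username or wrong
            password - answers with the same ``wrong credentials.`` message
            and status 401, so the endpoint no longer reveals which
            usernames exist.
        """
        data = self.user_parser.parse_args()
        user = UserModel.find_by_name(data["username"])

        # The original returned 404 "username does not exist." for an
        # unknown name and an implicit 200 "wrong credentials." for a bad
        # password, which let a caller enumerate accounts.  Both paths now
        # produce one indistinguishable response.  Response *timing* still
        # differs because the hash check is skipped for unknown names; a
        # dummy check_password_hash() against a fixed hash would close that.
        if user and check_password_hash(user.password_hash, data["password"]):
            identity = {"auth_level": "user", "id": user.id}
            access_token = create_access_token(identity=identity, fresh=True)
            refresh_token = create_refresh_token(identity=identity)
            return {
                "message": "Logged in as {}".format(user.name),
                "access_token": access_token,
                "refresh_token": refresh_token
            }

        return {"message": "wrong credentials."}, 401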
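    def post(self):
        """Register a new user and log them in by issuing JWTs.

        Returns:
            400 when the username is already taken, 201 with an access and a
            refresh token on success, 500 when persisting the user (or
            minting the tokens) raises.
        """
        data = self.user_parser.parse_args()
        if UserModel.find_by_name(data["username"]):
            # Inherent to registration: this response reveals that the
            # name exists.  Rate limiting belongs in front of this route.
            return {"message": "username:already exists"}, 400

        user = UserModel(generate_password_hash(data["password"]),
                         data["username"], data["email"])
        try:
            user.save_to_db()
            # identity is built after the save, presumably because the id
            # is assigned by the database at that point.
            identity = {"auth_level": "user", "id": user.id}
            access_token = create_access_token(identity=identity)
            refresh_token = create_refresh_token(identity=identity)
            return {
                "message": "User created successfully.",
                "access_token": access_token,
                "refresh_token": refresh_token
            }, 201
        except Exception:
            # Narrowed from a bare ``except:``, which also swallowed
            # KeyboardInterrupt / SystemExit.
            return {"message": "something went wrong."}, 500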
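    def post(self):
        """Return the JSON representation of the user named in the request.

        Authorization is deny-by-default: only an ``admin`` identity or the
        account owner (``auth_level == "user"`` with a matching ``id``) may
        read the record.  ``staff`` identities are refused before the
        lookup so the 404 cannot be used to enumerate usernames.

        Returns:
            ``(user.json(), 200)`` when authorized; 403 for a refused
            caller; 404 when the user does not exist.
        """
        data = self.user_parser.parse_args()
        identity = get_jwt_identity()

        # Staff are never allowed here, so refuse before the lookup.
        if identity["auth_level"] == "staff":
            return {"message": "unauthorized access for staff."}, 403

        user = UserModel.find_by_name(data["username"])

        if not user:
            return {
                "message": "user:{} not found".format(data["username"])
            }, 404

        # Allow-list rather than the original deny-list so an unexpected
        # auth_level is refused instead of silently granted access.
        # NOTE(review): assumes the admin token carries
        # auth_level == "admin" (per the "auth group: ... admin" comment) -
        # confirm against the staff login resource.
        is_admin = identity["auth_level"] == "admin"
        is_owner = (identity["auth_level"] == "user"
                    and identity["id"] == user.id)
        if not (is_admin or is_owner):
            # 403 rather than the original 500: a refused request is not a
            # server fault.
            return {
                "message":
                "unauthorized access, user is only allowed to view his/her own account info"
            }, 403

        return user.json(), 200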
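    def delete(self):
        """Delete the user named in the request body.

        Authorization is deny-by-default: only an ``admin`` identity or the
        account owner (``auth_level == "user"`` with a matching ``id``) may
        delete the record.  ``staff`` identities are refused before the
        lookup so the 404 cannot be used to enumerate usernames.

        Returns:
            A ``(json_dict, status)`` pair: 403 for a refused caller, 404
            when the user does not exist, 200 after deletion and 500 when
            the delete raises.
        """
        data = self.user_parser.parse_args()
        identity = get_jwt_identity()

        # Staff are never allowed here (see the original comment), so
        # refuse them before touching the database.
        if identity["auth_level"] == "staff":
            return {"message": "unauthorized access"}, 403

        user = UserModel.find_by_name(data["username"])

        if not user:
            return {
                "message": "user:{} not found".format(data["username"])
            }, 404

        # Allow-list rather than the original deny-list so an unexpected
        # auth_level is refused instead of silently allowed to delete.
        # NOTE(review): assumes the admin token carries
        # auth_level == "admin" (per "authorized: admin" in the original) -
        # confirm against the staff login resource.
        is_admin = identity["auth_level"] == "admin"
        is_owner = (identity["auth_level"] == "user"
                    and identity["id"] == user.id)
        if not (is_admin or is_owner):
            # 403 rather than the original 500.
            return {"message": "unauthorized access"}, 403

        try:
            user.delete_from_db()
        except Exception:
            # Was a bare ``except:`` that returned an implicit 200.
            return {"message": "something went wrong"}, 500
        return {"message": "user:{} deleted".format(data["username"])}, 200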
 def validate_username(self, username):
     """Inline form validator: refuse a username that is already taken.

     Raises:
         ValidationError: when UserModel already holds a row with this name.
     """
     existing = UserModel.find_by_name(username.data)
     if existing:
         raise ValidationError("your username has been registered.")
 def validate_username(self, username):
     """Inline form validator for the login form: the name must exist.

     The name is accepted when either a UserModel or a StaffModel row
     carries it (UserModel is consulted first, StaffModel only if that
     misses).

     NOTE: because this runs before any password check, the form tells an
     unauthenticated visitor whether a username exists.

     Raises:
         ValidationError: when neither model knows the username.
     """
     name = username.data
     known = UserModel.find_by_name(name) or StaffModel.find_by_name(name)
     if not known:
         raise ValidationError("username doesn't exist.")