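def reactivate_system_user(user):
    """
    Reactivate a suspended user account belonging to the caller's company.

    Expects a JSON body with an ``email`` key. The target address must be an
    employee of ``user['companyId']`` (403 otherwise), must already have a
    system user record in that company (404 otherwise) and must currently be
    suspended (400 if ``isActive`` is already ``'true'``).

    Args:
        user: the authenticated caller as a dict; only ``companyId`` is read.

    Returns:
        A ``custom_make_response`` response: 200 on success, 400/403/404 for
        the cases above, 500 for any other failure.
    """
    try:
        data = request.get_json()
        email = data["email"]

        check_for_whitespace(data, ["email"])
        isValidEmail(email)

        company_id = user["companyId"]
        employee = employee_schema.dump(
            Employees.query.filter_by(companyId=company_id).filter_by(
                email=email).first())
        if not employee:
            # the address is not an employee of the caller's company
            abort(403)

        # Named ``target`` so the caller's identity (``user``) is not shadowed.
        target = user_schema.dump(
            User.query.filter_by(email=email).filter_by(
                companyId=company_id).first())
        if not target:
            abort(404)

        # isActive is stored as the string 'true' / 'false' in this schema.
        if target["isActive"] == "true":
            abort(400)

        # Scope the write to the company as well, so it can only touch the
        # record that the company-scoped lookup above authorised.
        User.query.filter_by(email=email, companyId=company_id).update(
            dict(isActive="true"))
        db.session.commit()

        return custom_make_response("data",
                                    "User account activated successfully", 200)

    except Exception as e:
        # Only HTTPExceptions raised through abort() carry ``.code``; any
        # other failure (missing JSON key, empty body, DB error) would
        # otherwise raise AttributeError here. Unknown codes get a 500.
        code = getattr(e, "code", None)
        if code == 400:
            return custom_make_response("error",
                                        "The user account is already active.",
                                        400)
        elif code == 403:
            return custom_make_response(
                "error", "The user whose account you are trying to activate \
                        is not a member of your company", 403)
        elif code == 404:
            return custom_make_response(
                "error", "You are trying to activate an account\
                        that does not exist, Please create one.", 404)
        db.session.rollback()
        return custom_make_response(
            "error", "An internal server error occurred, please try again.",
            500)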
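def suspend_system_user(user):
    """
    Suspend a system user belonging to the caller's company.

    Expects a JSON body with an ``email`` key. The target address must be an
    employee of ``user['companyId']`` (400 otherwise), must have a system
    user record in that company (404 otherwise) and must not already be
    suspended (403 if ``isActive`` is already ``'false'``).

    Args:
        user: the authenticated caller as a dict; only ``companyId`` is read.

    Returns:
        A ``custom_make_response`` response: 200 on success, 400/403/404 for
        the cases above, 500 for any other failure.
    """
    try:
        data = request.get_json()
        email = data["email"]

        check_for_whitespace(data, ["email"])
        isValidEmail(email)

        company_id = user["companyId"]
        employee = employee_schema.dump(
            Employees.query.filter_by(companyId=company_id).filter_by(
                email=email).first())
        if not employee:
            # the address is not an employee of the caller's company
            abort(400)

        # Named ``target`` so the caller's identity (``user``) is not shadowed.
        target = user_schema.dump(
            User.query.filter_by(email=email).filter_by(
                companyId=company_id).first())
        if not target:
            abort(404)

        # isActive is stored as the string 'true' / 'false' in this schema.
        if target["isActive"] == "false":
            abort(403)

        # Scope the write to the company as well, so it can only touch the
        # record that the company-scoped lookup above authorised.
        User.query.filter_by(email=email, companyId=company_id).update(
            dict(isActive="false"))
        db.session.commit()
        return custom_make_response("data",
                                    "User account suspended successfully", 200)

    except Exception as e:
        # Only HTTPExceptions raised through abort() carry ``.code``; any
        # other failure (missing JSON key, empty body, DB error) would
        # otherwise raise AttributeError here instead of reaching the 500.
        code = getattr(e, "code", None)
        if code == 400:
            return custom_make_response(
                "error", "The user you are trying to suspend \
                    is not a member of your company", 400)
        elif code == 404:
            return custom_make_response(
                "error", "The employee you are trying to\
                 suspend is not a system user.", 404)
        elif code == 403:
            return custom_make_response(
                "error", "The user account is already suspended.", 403)
        db.session.rollback()
        return custom_make_response(
            "error", "An internal server error occured,\
                the site admin has been notified, \
                    please give it a moment and try again.", 500)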
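 def decorated(*args, **kwargs):
     """
     Resolve the caller from the ``auth_token`` / ``company_token`` headers
     and call the wrapped view ``f`` with the resolved record first.

     A user token yields the dumped ``User`` row matching its ``id`` claim;
     a company token yields the dumped ``Company`` row matching its
     ``company`` claim. When both headers are present the company record
     wins, as in the original ordering. Any decode or lookup failure maps to
     a 401 response.
     """
     user_token = request.headers.get('auth_token')
     company_token = request.headers.get('company_token')
     if not (user_token or company_token):
         return custom_make_response("error", "Token is missing", 401)
     try:
         if user_token:
             # ``algorithms`` must be a list. The previous ``algorithm=``
             # keyword is not a jwt.decode parameter and was silently
             # ignored, which leaves the accepted algorithm set unrestricted.
             data = jwt.decode(user_token, KEY, algorithms=["HS256"])
             current_user = User.query.filter_by(id=data['id']).first()
             if current_user is None:
                 # valid signature but the user no longer exists
                 return custom_make_response("error", "Token is invalid", 401)
             _data = user_schema.dump(current_user)
         if company_token:
             data = jwt.decode(company_token, KEY, algorithms=["HS256"])
             current_company = Company.query.filter_by(
                 company=data["company"]).first()
             if current_company is None:
                 return custom_make_response("error", "Token is invalid", 401)
             _data = company_schema.dump(current_company)
     except Exception as e:
         # NOTE(review): the comment here claimed failures are logged and
         # e-mailed to the site admin, but no logger is wired up in this
         # block; the client only gets the 401 below.
         return custom_make_response("error", f"Token {e}", 401)
     return f(_data, *args, **kwargs)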
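def create_new_project(user):
    """
    Create a new project for the caller's company.

    Expects JSON with ``project_name`` and ``date_from``. The stored name is
    ``"<project_name>.<companyId>"`` so uniqueness is enforced per company
    (409 if it already exists). The company's running ``projectNumber`` is
    read from ``ProjectNumber`` and incremented once the project is added.

    Args:
        user: the authenticated caller as a dict; ``id`` and ``companyId``
            are read. Restricting this to admins is assumed to happen in a
            decorator -- nothing in this function checks the role.

    Returns:
        201 on success, 409 for a duplicate name, 400 for anything else
        (missing fields included).
    """
    try:
        data = request.get_json()
        current_user = User.query.filter_by(id=user["id"]).first()
        caller = user_schema.dump(current_user)
        company_id = caller["companyId"]
        # the company id suffix makes the name unique per company only
        project_name = data["project_name"] + "." + company_id
        date_from = data["date_from"]
        project_id = generate_db_ids()  # not ``id``: that shadows the builtin

        # NOTE(review): read-then-write of projectNumber is not atomic; two
        # concurrent requests for the same company can be handed the same
        # number. A missing ProjectNumber row also surfaces as a KeyError
        # here and is reported as a "mandatory fields" 400.
        project_data = ProjectNumber.query.\
            filter_by(companyId=user['companyId']).first()
        project_number = project_number_schema.dump(project_data)['projectNumber']

        # NOTE(review): the key list names "companyId" and "dateFrom", which
        # are not the request keys used above ("date_from"; companyId comes
        # from the caller) -- confirm how check_for_whitespace treats absent keys.
        check_for_whitespace(
            data, ["project_name", "companyId", "dateFrom"])
        if Project.query.filter_by(project_name=project_name).first():
            abort(409)

        new_project = Project(
            id=project_id,
            project_name=project_name,
            companyId=company_id,
            date_from=date_from,
            project_status="Active",
            projectNumber=project_number
        )
        db.session.add(new_project)

        ProjectNumber.query.filter_by(companyId=company_id).\
            update({"projectNumber": project_number + 1})
        db.session.commit()

        return custom_make_response(
            "data",
            f"Project {project_name.split('.', 1)[0]} created successfully.",
            201
        )
    except Exception as e:
        # Only HTTPExceptions raised through abort() carry ``.code``. A
        # KeyError from a missing field has none, so reading ``e.code``
        # directly made the 400 branch below unreachable for exactly the
        # case it was written for.
        if getattr(e, "code", None) == 409:
            return custom_make_response(
                    "error",
                    """
                    You already have another project in that name,
                    Please change and try again !
                    """,
                    409,
                )
        db.session.rollback()
        return custom_make_response(
            "error",
            f"{e} One or more mandatory fields has not been filled!", 400
        )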
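def forgot_password():
    """
    Send a password-reset e-mail for the address in the JSON body.

    The reply for an unknown address is deliberately identical (same status
    code and message) to the reply for a known one, so the endpoint cannot
    be used to enumerate registered addresses. For a known address a
    30-minute HS256 token carrying ``id`` and ``email`` is embedded in the
    reset link.

    Returns:
        202 with a generic message whether or not the address is known,
        400 when validation fails, 500 for any other failure.
    """
    # Shared by both paths; the continuation whitespace is part of the text.
    sent_message = (
        "An email has been sent to the address on record,\
                If you don't receive one shortly, please contact\
                    the site admin."
    )
    try:
        user_data = request.get_json()
        email = user_data["email"]

        check_for_whitespace(user_data, ["email"])
        isValidEmail(email)
        user = User.query.filter_by(email=email).first()
        if not user:
            # Do not reveal whether the address is registered: answer exactly
            # as the success path does. The previous ``abort(200)`` could
            # not do this -- abort() only knows error codes and raises
            # LookupError for 200, which the handler below could not map,
            # so unknown addresses produced a different (failed) response.
            return custom_make_response(
                "data", {"message": sent_message}, 202)

        this_user = user_schema.dump(user)
        token = jwt.encode(
            {
                "id": this_user["id"],
                "email": this_user["email"],
                "exp":
                datetime.datetime.utcnow() + datetime.timedelta(minutes=30),
            },
            KEY,
            algorithm="HS256",
        )
        subject = """Password reset request"""
        content = f"""
        Hey {this_user['username'].split('.', 1)[0]},
        {password_reset_request_content()}
        <a href="{password_reset_url}?u={token.decode('utf-8')}"
        style="{button_style()}"
        >Reset Password</a>
        {email_signature()}
        """
        send_mail(email, subject, content)
        return custom_make_response(
            "data", {"message": sent_message}, 202)

    except Exception as e:
        # Only HTTPExceptions raised through abort() carry ``.code``; any
        # other failure (missing key, empty body, mail error) falls to 500.
        # NOTE(review): nothing here logs the exception for the admin.
        if getattr(e, "code", None) == 400:
            return custom_make_response(
                "error", "Please enter an email and try again.", 400)
        return custom_make_response(
            "error", "Bummer an internal server error has occured\
                the site admin has been notified, Please\
                    give it some moment and try again.", 500)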
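def signin_all_users():
    """
    Authenticate a user by e-mail and password and issue a session token.

    Expects JSON with ``email`` and ``password``. Unknown address and wrong
    password both return 401 with the same message; an account whose
    ``isActive`` is not ``'true'`` returns 403. On success the response
    carries an 8-hour HS256 token with the user's ``id`` and ``role``.

    Returns:
        200 with token and profile fields, 401/403 as above, 400 when a
        field is missing, 500 for any other failure.
    """
    try:
        user_data = request.get_json()
        email = user_data["email"]
        password = user_data["password"]

        # validate server-side; front-end checks can be bypassed
        check_for_whitespace(user_data, ["email", "password"])
        isValidEmail(email)

        user = User.query.filter_by(email=email).first()
        if not user:
            # NOTE(review): returning before the password comparison makes
            # the unknown-address path faster than the wrong-password path,
            # which a timing observer can distinguish.
            abort(401)

        current = user_schema.dump(user)
        if not User.compare_password(current["password"], password):
            abort(401)

        # isActive is stored as the string 'true' / 'false' in this schema.
        if current["isActive"] != "true":
            abort(403)

        token = jwt.encode(
            {
                "id": current["id"],
                "role": current["role"],
                "exp":
                datetime.datetime.utcnow() + datetime.timedelta(minutes=480),
            },
            KEY,
            algorithm="HS256",
        )
        return custom_make_response(
            "data", {
                "message": "Signed in successfully, \
                    preparing your dashboard...",
                "auth_token": token.decode('utf-8'),
                "username": current["username"],
                "role": current["role"],
                "companyId": current["companyId"]
            }, 200)

    except Exception as e:
        # Only HTTPExceptions raised through abort() carry ``.code``; a
        # KeyError from a missing field has none, so reading ``e.code``
        # directly raised AttributeError instead of reaching the 400/500.
        code = getattr(e, "code", None)
        if code == 401:
            return custom_make_response(
                "error",
                "Incorrect email and or password, check & try again !", 401)
        elif code == 403:
            return custom_make_response(
                "error",
                "Your account is not in active\
                         status, contact company admin.",
                403,
            )
        elif code == 400:
            return custom_make_response(
                "error", "One or more mandatory fields has not been filled.",
                400)
        return custom_make_response(
            "error", "Bummer an internal server error has occured,\
                the site admin has been notified, Please give it a \
                    moment and try again.", 500)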