def wmSaveSettings(self):
"""
In this method, the values come from the browser in a jQuery serialized array of name/value pairs.
"""
sModule = uiCommon.getAjaxArg("module")
sSettings = uiCommon.getAjaxArg("settings")
# sweet, use getattr to actually get the class we want!
objname = getattr(settings.settings, sModule.lower())
obj = objname()
if obj:
# spin the sValues array and set the appropriate properties.
# setattr is so awesome
for pair in sSettings:
setattr(obj, pair["name"], pair["value"])
# print "setting %s to %s" % (pair["name"], pair["value"])
# of course all of our settings classes must have a DBSave method
obj.DBSave()
catocommon.add_security_log(uiCommon.GetSessionUserID(), catocommon.SecurityLogTypes.Security,
catocommon.SecurityLogActions.ConfigChange, catocommon.CatoObjectTypes.NA, "",
"%s settings changed." % sModule.capitalize())
return "{}"
def check_roles(method):
# if you wanna enable verbose page view logging, this is the place to do it.
s_set = settings.settings.security()
if s_set.PageViewLogging:
catocommon.add_security_log(GetSessionUserID(), catocommon.SecurityLogTypes.Usage, catocommon.SecurityLogActions.PageView, 0, method, method)
user_role = GetSessionUserRole()
if user_role == "Administrator":
return True
if method in uiGlobals.RoleMethods:
mapping = uiGlobals.RoleMethods[method]
if mapping is True:
return True
if user_role in mapping:
return True
else:
log("User requesting %s - insufficient permissions" % method)
return False
else:
log("ERROR: %s does not have a role mapping." % method)
return False
def update_settings(self, args):
"""Updates the settings of a process or module.
NOTE: the update_settings command requires submission of a JSON settings object.
As a guide for updating settings, first execute this command with the output_format set to json.
For example, to update Messenger settings, first do:
get_settings?module=messenger&output_format=json
...then use the result as a template for update_settings.
Required Arguments:
* `module` - name of the module to apply the settings.
* `settings` - a list of name:value setting objects.
Returns: Nothing if successful, error messages on failure.
"""
mod = args.get("module")
sets = args.get("settings")
# this is a admin function, kick out
if not api._ADMIN:
return R(err_code=R.Codes.Forbidden, err_msg="Only Administrators can perform this function.")
required_params = ["module", "settings"]
has_required, resp = api.check_required_params(required_params, args)
if not has_required:
return resp
if not sets:
return R(err_code=R.Codes.UpdateError, err_detail="Settings JSON is required.")
# first, validate the settings JSON
# are the settings json?
try:
setsdict = json.loads(sets)
except Exception as ex:
return R(err_code=R.Codes.UpdateError, err_detail="Trying to parse settings as JSON failed. %s" % ex)
# sweet, use getattr to actually get the class we want!
objname = getattr(settings.settings, mod.lower())
obj = objname()
if obj:
# spin the sValues array and set the appropriate properties.
# setattr is so awesome
for k, v in setsdict.iteritems():
setattr(obj, k, v)
# print "setting %s to %s" % (pair["name"], pair["value"])
# of course all of our settings classes must have a DBSave method
obj.DBSave()
catocommon.add_security_log(api._USER_ID, catocommon.SecurityLogTypes.Security,
catocommon.SecurityLogActions.ConfigChange, catocommon.CatoObjectTypes.NA, "",
"%s settings changed via API." % mod.capitalize())
if args.get("output_format") == "json":
return R(response=obj.AsJSON())
elif args.get("output_format") == "text":
return R(response=obj.AsText(args.get("output_delimiter"), args.get("header")))
else:
return R(response=obj.AsXML())
def AttemptLogin(app_name, token=None, sid=None):
if not app_name:
raise Exception("Missing Application Name.")
if not web.ctx.ip:
raise Exception("Unable to determine client address.")
address = "%s (%s)" % (web.ctx.ip, app_name)
in_name = getAjaxArg("username")
in_pwd = getAjaxArg("password")
in_pwd = unpackJSON(in_pwd)
new_pwd = getAjaxArg("change_password")
new_pwd = unpackJSON(new_pwd)
answer = getAjaxArg("answer")
answer = unpackJSON(answer)
u = catouser.User()
if token:
log("Trying Token Authentication using [%s]." % token, 3)
result, code = u.AuthenticateToken(token, address)
if not result:
return json.dumps({"info": code})
elif sid:
sid = base64.b64decode(sid)
log("Attempting to trust another CSK application using [%s]." % sid, 3)
result, code = u.AuthenticateSession(sid, address)
if not result:
return json.dumps({"info": code})
else:
log("Attempting Authentication using POST args.", 3)
# Authenticate will return the codes so we will know
# how to respond to the login page
# (must change password, password expired, etc)
result, code = u.Authenticate(in_name, in_pwd, address, new_pwd, answer)
if not result:
if code == "disabled":
return json.dumps({"info": "Your account has been suspended. Please contact an Adminstrator."})
if code == "failures":
return json.dumps({"info": "Your account has been temporarily locked due to excessive password failures."})
if code == "change":
return json.dumps({"result": "change"})
# no codes matched, but there is a message in there...
if code:
return json.dumps({"info": code})
# failed with no code returned
return json.dumps({"info": "Invalid Username or Password."})
# So... they authenticated, but based on the users 'role' (Administrator, Developer, User) ...
# they may not be allowed to log in to certain "app_name"s.
# specifically, the User role cannot log in to the "Cato Admin UI" app.
# TODO: enable this when the Cato EE Portal is released.
# if u.Role == "User" and "Admin" in app_name:
# return json.dumps({"info": "Your account isn't authorized for this application."})
# all good, put a few key things in the session, not the whole object
# yes, I said SESSION not a cookie, otherwise it could be hacked client side
current_user = {}
current_user["session_id"] = u.SessionID
current_user["user_id"] = u.ID
current_user["user_name"] = u.LoginID
current_user["full_name"] = u.FullName
current_user["role"] = u.Role
current_user["tags"] = u.Tags
current_user["email"] = u.Email
current_user["ip_address"] = address
SetSessionObject("user", current_user)
# bit of a hack here... this function was given a pretty "app_name", but we want the non-pretty one.
cookiename = "%s-applink" % (app_name.replace(" ", "_").lower())
SetCookie(cookiename, base64.b64encode(u.SessionID))
log("Login granted for: %s" % (u.FullName), 3)
log(uiGlobals.session.user, 4)
# update the security log
catocommon.add_security_log(u.ID, catocommon.SecurityLogTypes.Security,
catocommon.SecurityLogActions.UserLogin, catocommon.CatoObjectTypes.User, "",
"Login to [%s] from [%s] granted." % (app_name, address))
return json.dumps({"result": "success"})
