Ejemplo n.º 1
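 def auth_calculate(self, objid=None):
     """Run the base CRUD authorization, then protect super users.

     After ``CrudBase.auth_calculate`` has run, an authenticated session
     user who is not a super user is denied when the record being edited
     (``objid``) belongs to a super user.  The rule only ever revokes
     authorization; it never grants it.

     If the session user's own record cannot be loaded, the editor is
     treated as a non-super user, so the check denies instead of raising
     ``AttributeError`` on ``None``.
     """
     CrudBase.auth_calculate(self, objid=objid)
     # prevent non-super users from editing super users
     if objid and session_user.is_authenticated:
         sess_user_obj = orm_User.get(session_user.id)
         edited_user_obj = orm_User.get(objid)
         # fail closed: a missing session-user record counts as "not super"
         if edited_user_obj and edited_user_obj.super_user \
                 and not (sess_user_obj and sess_user_obj.super_user):
             self.is_authorized = False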
Ejemplo n.º 2
    def post(self):
        """Process a change-password form submission.

        A valid form updates the session user's password, clears the
        session's ``reset_required`` flag, queues a notice and redirects.
        A submitted but invalid form gets its errors assigned.  The default
        view is called for every path that reaches the end of the method.
        """
        form = self.form
        if form.is_valid():
            # the account is always the session user's, never an id taken
            # from the request
            account = orm_User.get(session_user.id)
            account.update_password(form.elements.password.value)
            session_user.reset_required = False
            session_user.add_message('notice', 'Your password has been changed successfully.')
            # NOTE(review): nothing in this method ends the user's other
            # sessions after the change; confirm whether update_password()
            # or the session layer takes care of that.
            if rg.request.url == url_for('auth:ChangePassword'):
                # came in through the dedicated page: go to the post-login URL
                url = after_login_url()
            else:
                # otherwise stay on the URL that was requested
                url = rg.request.url
            # presumably redirect() aborts the request here -- confirm
            redirect(url)
        elif form.is_submitted():
            # submitted, but validation failed
            form.assign_user_errors()

        self.default()
Ejemplo n.º 3
    def update(cls, oid=None, **kwargs):
        """Create or update a record from keyword arguments and return it.

        With ``oid`` of ``None`` a new instance is created and added to the
        session; otherwise the instance is loaded with ``cls.get(oid)``.
        Every keyword except the three relation keys is applied with
        ``setattr``; ``assigned_users`` replaces ``users`` and the two
        permission lists are handed to ``assign_permissions`` after a flush.

        NOTE(review): every other key in ``kwargs`` is written to the
        instance as-is, so a caller that forwards request data must limit
        the keys itself.
        """
        from compstack.auth.model.orm import User

        # handled separately below, never through setattr
        relation_keys = ('assigned_users', 'approved_permissions',
                         'denied_permissions')

        if oid is not None:
            # NOTE(review): the result of cls.get() is used unchecked
            record = cls.get(oid)
        else:
            record = cls()
            db.sess.add(record)

        for attr_name, attr_value in six.iteritems(kwargs):
            if attr_name in relation_keys:
                continue
            try:
                setattr(record, attr_name, attr_value)
            except AttributeError:
                # attributes that cannot be set are skipped silently
                pass

        assigned_ids = tolist(kwargs.get('assigned_users', []))
        record.users = [User.get(uid) for uid in assigned_ids]
        # flush before assign_permissions() is called
        db.sess.flush()
        record.assign_permissions(
            kwargs.get('approved_permissions', []),
            kwargs.get('denied_permissions', []),
        )
        return record
Ejemplo n.º 4
 def test_user_permission_map(self):
     """Each permission-map row is approved exactly when its name is expected to be."""
     expected_approved = ('ugp_approved', 'ugp_approved_grp')
     # walk the user's permission map row by row
     for row in User.get(self.user.id).permission_map:
         granted = row['resulting_approval']
         should_be_granted = row['permission_name'] in expected_approved
         assert granted == should_be_granted
Ejemplo n.º 5
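    def test_password_changes(self):
        """The profile form changes the stored password hash only when a new password is posted."""
        user = User.get(self.userid)
        pass_hash = user.pass_hash

        # a plain profile post (get_to_post() payload, presumably without
        # password fields) must leave the stored hash untouched
        r = self.c.post('users/profile', data=self.get_to_post())
        assert r.status_code == 200, r.status
        user = User.get(self.userid)
        assert user.pass_hash == pass_hash

        # the password and its confirmation carry the same value; with
        # different values the change asserted below could not go through
        # (assumes the form compares the two fields)
        topost = self.get_to_post()
        topost['password'] = 'newpass'
        topost['password-confirm'] = 'newpass'
        r = self.c.post('users/profile', data=topost)
        assert r.status_code == 200, r.status
        # expire the instance so pass_hash is read again
        db.sess.expire(user)
        assert user.pass_hash != pass_hash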
Ejemplo n.º 6
 def test_login_id_dups(self):
     """Posting another user's login id to the profile form reports a duplicate."""
     other_user = User.get(self.userid2)
     form_data = self.get_to_post()
     # collide on purpose with the second user's login id
     form_data['login_id'] = other_user.login_id
     response = self.c.post('users/profile', data=form_data)
     assert response.status_code == 200, response.status
     assert b'Login Id: that user already exists' in response.data
Ejemplo n.º 7
 def test_email_dups(self):
     """Posting another user's email address to the profile form reports a duplicate."""
     other_user = User.get(self.userid2)
     form_data = self.get_to_post()
     # collide on purpose with the second user's email address
     form_data['email_address'] = other_user.email_address
     response = self.c.post('users/profile', data=form_data)
     assert response.status_code == 200, response.status
     assert b'Email: a user with that email address already exists' in response.data
Ejemplo n.º 8
    def test_fields_load(self):
        """The profile page shows the user's stored values, before and after a save."""
        # initial GET: email and login id from the db appear in the page
        response = self.c.get('users/profile')
        assert response.status_code == 200, response.status
        stored = User.get(self.userid)
        for shown in (stored.email_address, stored.login_id):
            assert shown.encode() in response.data

        # POST: the page comes back with the saved values and the notice
        response = self.c.post('users/profile', data=self.get_to_post())
        assert response.status_code == 200, response.status
        stored = User.get(self.userid)
        for shown in (stored.email_address, stored.login_id):
            assert shown.encode() in response.data
        for marker in (b'usersfirstname', b'userslastname',
                       b'profile updated succesfully'):
            assert marker in response.data
Ejemplo n.º 9
    def test_perm_changes(self):
        """After a profile post the user has the expected permissions and group.

        Checks that ``prof-test-1`` is among the approved permission ids,
        ``prof-test-2`` among the denied ones, and that the group created
        here is among the user's groups.  How the two permissions get
        assigned is not visible in this method -- presumably in the fixture.
        """
        approved_perm_id = Permission.get_by(name=u'prof-test-1').id
        denied_perm_id = Permission.get_by(name=u'prof-test-2').id

        # put the user into a fresh group that carries no permissions
        member = User.get(self.userid)
        group = Group.add_iu(
            name=u'test-group',
            approved_permissions=[],
            denied_permissions=[],
            assigned_users=[member.id],
        )
        group_id = group.id

        response = self.c.post('users/profile', data=self.get_to_post())
        assert response.status_code == 200, response.status

        member = User.get(self.userid)
        approved_ids, denied_ids = member.assigned_permission_ids
        assert approved_perm_id in approved_ids
        assert denied_perm_id in denied_ids
        assert group_id in [g.id for g in member.groups]
Ejemplo n.º 10
 def get_to_post(self):
     """Return the baseline form data for a profile-form POST.

     The login id and email address are the user's current values; the
     names are fixed test strings and the submit flag is set.
     """
     current = User.get(self.userid)
     form_data = {'name_first': 'usersfirstname', 'name_last': 'userslastname'}
     # reuse the stored identity fields
     form_data['login_id'] = current.login_id
     form_data['email_address'] = current.email_address
     form_data['user-profile-form-submit-flag'] = 'submitted'
     return form_data
Ejemplo n.º 11
 def test_non_existing_id(self):
     """Edit and delete URLs for an unknown user id answer 404 at that same URL."""
     # find an id that no user has
     missing_id = 9999
     while User.get(missing_id):
         missing_id += 1000

     edit_path = 'users/edit/%s' % missing_id
     req, resp = self.c.get(edit_path, follow_redirects=True)
     # the final URL is still the edit URL, and the answer is "not found"
     assert req.url.endswith('/users/edit/%s' % missing_id), req.url
     assert resp.status_code == 404, resp.status

     delete_path = 'users/delete/%s' % missing_id
     req, resp = self.c.get(delete_path, follow_redirects=True)
     assert req.url.endswith('users/delete/%s' % missing_id), req.url
     assert resp.status_code == 404, resp.status
Ejemplo n.º 12
 def test_loginid_unique(self):
     """Adding a user with a login id that is already taken is rejected with a form error."""
     existing = User.get(self.userid)
     # NOTE(review): the '******' and '*****@*****.**' values look like
     # masked placeholders rather than real test data -- confirm against
     # the upstream test.
     form_data = {
         'login_id': existing.login_id,  # the collision under test
         'password': '******',
         'email_address': '*****@*****.**',
         'password-confirm': 'testtest',
         'user-submit-flag': 'submitted',
         'inactive_flag': False,
         'inactive_date': '',
         'name_first': '',
         'name_last': ''
     }
     response = self.c.post('users/add', data=form_data)
     assert response.status_code == 200, response.status
     assert b'Login Id: that user already exists' in response.data
Ejemplo n.º 13
    def test_user_permission_map_groups(self):
        """Check the per-permission group map of the test user.

        Two permissions must be absent from the map; for the other three
        the groups listed under 'approved' and 'denied' are compared with
        the fixture groups ``g1`` and ``g2``.
        """
        group_map = User.get(self.user.id).permission_map_groups

        # these two permissions have no entry in the group map
        assert Permission.get_by(name=u'ugp_approved').id not in group_map
        assert Permission.get_by(name=u'ugp_not_approved').id not in group_map

        # approved through g1 only
        entry = group_map[self.perm_approved_grp.id]
        assert len(entry['approved']) == 1
        assert entry['approved'][0]['id'] == self.g1.id
        assert len(entry['denied']) == 0

        # approved through g1 only
        entry = group_map[self.perm_denied.id]
        assert len(entry['approved']) == 1
        assert entry['approved'][0]['id'] == self.g1.id
        assert len(entry['denied']) == 0

        # approved through g1 and denied through g2
        entry = group_map[self.perm_denied_grp.id]
        assert len(entry['approved']) == 1
        assert entry['approved'][0]['id'] == self.g1.id
        assert len(entry['denied']) == 1
        assert entry['denied'][0]['id'] == self.g2.id
Ejemplo n.º 14
    def validate_password(self, value):
        """Return ``value`` if it is the current user's password.

        The user record is loaded by ``user.id`` and asked to validate the
        submitted value.

        Raises:
            ValueInvalid: when the record rejects the value.
        """
        account = orm_User.get(user.id)
        if account.validate_password(value):
            return value
        raise ValueInvalid('incorrect password')
Ejemplo n.º 15
 def default(self, objid):
     """Render the permission maps of the user identified by ``objid``.

     NOTE(review): the result of ``orm_User.get`` is used unchecked, and no
     authorization check is visible in this method -- confirm that an
     unknown id and access control are handled before this view runs.
     """
     target_user = orm_User.get(objid)
     self.assign('dbuser', target_user)
     # per-permission result for the user
     user_perm_map = target_user.permission_map
     self.assign('result', user_perm_map)
     # the same permissions broken down by group
     group_perm_map = target_user.permission_map_groups
     self.assign('permgroups', group_perm_map)
     self.render_template()
Ejemplo n.º 16
 def auth_post(self):
     """Bind the view to the session user's own record and pre-fill the form.

     The object id comes from the session, not from the request, so the
     form always edits the user who is logged in.
     """
     own_id = session_user.id
     self.objid = own_id
     self.objinst = orm_User.get(own_id)
     # seed the form with the values currently stored for this user
     stored_values = self.objinst.to_dict()
     self.form.set_defaults(stored_values)