Ejemplo n.º 1
0
    def post(self, group_id):
        params = self._get_validated_object_parameters(request.form)
        group = data_engine.get_group(group_id=group_id, load_users=True)
        if group is None:
            raise DoesNotExistError(str(group_id))

        # Check permissions! The current user must have user admin to be here.
        # But if they don't also have permissions admin or superuser then we
        # must block the change if the new group would grant one of the same.
        if group.permissions.admin_permissions or group.permissions.admin_all:
            if not permissions_engine.is_permitted(
                    SystemPermissions.PERMIT_ADMIN_PERMISSIONS,
                    get_session_user()):
                raise SecurityError(
                    'You cannot add users to a group that ' +
                    'grants permissions administration, because you do not ' +
                    'have permissions administration access yourself.')

        user = data_engine.get_user(user_id=params['user_id'])
        if user is not None:
            if user not in group.users:
                group.users.append(user)
                data_engine.save_object(group)
                reset_user_sessions(user)
                permissions_engine.reset()
        return make_api_success_response()
Ejemplo n.º 2
0
def trace_permissions():
    embed = request.args.get('embed', '')
    user_id = request.args.get('user', '')
    folder_path = request.args.get('path', '')
    if folder_path == '':
        folder_path = os.path.sep

    folder = None
    user = None
    users = []
    user_has_admin = False
    trace = None
    err_msg = None
    db_session = data_engine.db_get_session()
    try:
        # Get folder and selected user info
        # User can be None for an anonymous user
        user_id = parse_int(user_id)
        if user_id != 0:
            user = data_engine.get_user(user_id, _db_session=db_session)
            if user is None:
                raise DoesNotExistError('This user no longer exists')
        folder = data_engine.get_folder(folder_path=folder_path,
                                        _db_session=db_session)
        if folder is None or folder.status == Folder.STATUS_DELETED:
            raise DoesNotExistError('This folder no longer exists')

        # Get users list
        users = data_engine.list_users(status=User.STATUS_ACTIVE,
                                       order_field=User.username,
                                       _db_session=db_session)

        # Get the folder+user traced permissions
        trace = permissions_engine._trace_folder_permissions(folder, user)

        # Flag on the UI if the user has admin
        for gdict in trace['groups']:
            gperms = gdict['group'].permissions
            if gperms.admin_files or gperms.admin_all:
                user_has_admin = True
                break

    except Exception as e:
        log_security_error(e, request)
        err_msg = safe_error_str(e)
    finally:
        try:
            return render_template(
                'admin_trace_permissions.html',
                embed=embed,
                folder=folder,
                folder_is_root=folder.is_root() if folder else False,
                user=user,
                user_list=users,
                trace=trace,
                user_has_admin=user_has_admin,
                err_msg=err_msg,
                GROUP_ID_PUBLIC=Group.ID_PUBLIC)
        finally:
            db_session.close()
Ejemplo n.º 3
0
def _check_for_user_lockout(original_object):
    """
    Only to be called when the current user is known to have PERMIT_ADMIN_USERS
    permission, checks that the current user hasn't locked themselves out from
    user administration.
    Also checks that the admin user's administration permission has not been
    accidentally revoked.
    If a lockout has occurred, the supplied original object is re-saved and a
    ParameterError is raised.
    """
    user_ids = [get_session_user_id(), 1]
    for user_id in user_ids:
        db_user = data_engine.get_user(user_id=user_id)
        if db_user:
            try:
                # Require user administration
                if not permissions_engine.is_permitted(
                        SystemPermissions.PERMIT_ADMIN_USERS, db_user):
                    raise ParameterError()
                # For the admin user, also require permissions administration
                if user_id == 1 and not permissions_engine.is_permitted(
                        SystemPermissions.PERMIT_ADMIN_PERMISSIONS, db_user):
                    raise ParameterError()
            except ParameterError:
                # Roll back permissions
                data_engine.save_object(original_object)
                permissions_engine.reset()
                # Raise API error
                who = 'the \'admin\' user' if user_id == 1 else 'you'
                raise ParameterError(
                    'This change would lock %s out of administration' % who)
Ejemplo n.º 4
0
def _check_for_user_lockout(original_object):
    """
    Only to be called when the current user is known to have PERMIT_ADMIN_USERS
    permission, checks that the current user hasn't locked themselves out from
    user administration.
    Also checks that the admin user's administration permission has not been
    accidentally revoked.
    If a lockout has occurred, the supplied original object is re-saved and a
    ParameterError is raised.
    """
    user_ids = [get_session_user_id(), 1]
    for user_id in user_ids:
        db_user = data_engine.get_user(user_id=user_id)
        if db_user:
            try:
                # Require user administration
                if not permissions_engine.is_permitted(
                    SystemPermissions.PERMIT_ADMIN_USERS,
                    db_user
                ): raise ParameterError()
                # For the admin user, also require permissions administration
                if user_id == 1 and not permissions_engine.is_permitted(
                    SystemPermissions.PERMIT_ADMIN_PERMISSIONS,
                    db_user
                ): raise ParameterError()
            except ParameterError:
                # Roll back permissions
                data_engine.save_object(original_object)
                permissions_engine.reset()
                # Raise API error
                who = 'the \'admin\' user' if user_id == 1 else 'you'
                raise ParameterError(
                    'This change would lock %s out of administration' % who
                )
Ejemplo n.º 5
0
    def post(self, group_id):
        params = self._get_validated_object_parameters(request.form)
        group = data_engine.get_group(group_id=group_id, load_users=True)
        if group is None:
            raise DoesNotExistError(str(group_id))

        # Check permissions! The current user must have user admin to be here.
        # But if they don't also have permissions admin or superuser then we
        # must block the change if the new group would grant one of the same.
        if group.permissions.admin_permissions or group.permissions.admin_all:
            if not permissions_engine.is_permitted(
                SystemPermissions.PERMIT_ADMIN_PERMISSIONS, get_session_user()
            ):
                raise SecurityError(
                    'You cannot add users to a group that ' +
                    'grants permissions administration, because you do not ' +
                    'have permissions administration access yourself.'
                )

        user = data_engine.get_user(user_id=params['user_id'])
        if user is not None:
            if user not in group.users:
                group.users.append(user)
                data_engine.save_object(group)
                permissions_engine.reset()
        return make_api_success_response()
Ejemplo n.º 6
0
 def delete(self, user_id):
     user = data_engine.get_user(user_id=user_id)
     if user is None:
         raise DoesNotExistError(str(user_id))
     if user.id == 1:
         raise ParameterError('The \'admin\' user cannot be deleted')
     data_engine.delete_user(user)
     # If this is the current user, log out
     if get_session_user_id() == user_id:
         log_out()
     # Reset session caches
     reset_user_sessions(user)
     return make_api_success_response(object_to_dict(user))
Ejemplo n.º 7
0
 def get(self, user_id=None):
     if user_id is None:
         # List users
         status_filter = self._get_validated_status_arg(request)
         ulist = data_engine.list_users(status=status_filter,
                                        order_field=User.username)
         return make_api_success_response(object_to_dict_list(ulist))
     else:
         # Get single user
         user = data_engine.get_user(user_id)
         if user is None:
             raise DoesNotExistError(str(user_id))
         return make_api_success_response(object_to_dict(user))
Ejemplo n.º 8
0
 def delete(self, user_id):
     user = data_engine.get_user(user_id=user_id)
     if user is None:
         raise DoesNotExistError(str(user_id))
     if user.id == 1:
         raise ParameterError('The \'admin\' user cannot be deleted')
     data_engine.delete_user(user)
     # If this is the current user, log out
     if get_session_user_id() == user_id:
         log_out()
     # Do not give out anything password related
     udict = object_to_dict(user)
     del udict['password']
     return make_api_success_response(udict)
Ejemplo n.º 9
0
def apply_user(params):
    from imageserver.flask_app import data_engine
    from imageserver.models import User
    from imageserver.errors import DBError
    try:
        existing_user = data_engine.get_user(username=params.username)

        if params.mode == Parameters.MODE_ADD:
            if existing_user:
                if existing_user.status == User.STATUS_DELETED:
                    raise ValueError('A deleted user record for this username already exists')
                else:
                    raise ValueError('This username already exists')
            else:
                data_engine.create_user(User(
                    params.firstname,
                    params.lastname,
                    params.email,
                    params.username,
                    params.password,
                    User.AUTH_TYPE_PASSWORD,
                    False,
                    User.STATUS_ACTIVE
                ))
                log('User created')
        elif params.mode == Parameters.MODE_UPDATE:
            if not existing_user:
                raise ValueError('The username was not found')
            if existing_user.status == User.STATUS_DELETED:
                raise ValueError('This user record is deleted')
            existing_user.first_name = params.firstname
            existing_user.last_name = params.lastname
            existing_user.email = params.email
            existing_user.set_password(params.password)
            data_engine.save_object(existing_user)
            log('User updated')
        else:
            if not existing_user:
                raise ValueError('The username was not found')
            data_engine.delete_user(existing_user)
            log('User deleted')

        return RETURN_OK
    except ValueError as e:
        error(str(e))
        return RETURN_BAD_PARAMS
    except DBError as e:
        error(str(e))
        return RETURN_DB_ERROR
Ejemplo n.º 10
0
def user_edit(user_id):
    embed = request.args.get('embed', '')
    user = None
    err_msg = None
    try:
        if user_id > 0:
            user = data_engine.get_user(user_id=user_id, load_groups=True)
    except Exception as e:
        log_security_error(e, request)
        err_msg = str(e)
    return render_template('admin_user_edit.html',
                           embed=embed,
                           user=user,
                           err_msg=err_msg,
                           AUTH_TYPE_PASSWORD=User.AUTH_TYPE_PASSWORD,
                           STATUS_ACTIVE=User.STATUS_ACTIVE)
Ejemplo n.º 11
0
def user_edit(user_id):
    embed = request.args.get('embed', '')
    user = None
    err_msg = None
    try:
        if user_id > 0:
            user = data_engine.get_user(user_id=user_id, load_groups=True)
    except Exception as e:
        log_security_error(e, request)
        err_msg = str(e)
    return render_template(
        'admin_user_edit.html',
        embed=embed,
        user=user,
        err_msg=err_msg,
        AUTH_TYPE_PASSWORD=User.AUTH_TYPE_PASSWORD,
        STATUS_ACTIVE=User.STATUS_ACTIVE
    )
Ejemplo n.º 12
0
 def get(self, user_id=None):
     if user_id is None:
         # List users
         ulist = data_engine.list_users(order_field=User.username)
         # Do not give out anything password related
         udictlist = object_to_dict_list(ulist)
         for user in udictlist:
             del user['password']
         return make_api_success_response(udictlist)
     else:
         # Get single user
         user = data_engine.get_user(user_id)
         if user is None:
             raise DoesNotExistError(str(user_id))
         # Do not give out anything password related
         udict = object_to_dict(user)
         del udict['password']
         return make_api_success_response(udict)
Ejemplo n.º 13
0
 def put(self, user_id):
     params = self._get_validated_object_parameters(request.form, False)
     user = data_engine.get_user(user_id=user_id)
     if user is None:
         raise DoesNotExistError(str(user_id))
     user.first_name = params['first_name']
     user.last_name = params['last_name']
     user.email = params['email']
     user.auth_type = params['auth_type']
     user.allow_api = params['allow_api']
     # Don't update the status field with this method
     # Update username only if non-LDAP
     if user.auth_type != User.AUTH_TYPE_LDAP:
         user.username = params['username']
     # Update password only if non-LDAP and a new one was passed in
     if user.auth_type != User.AUTH_TYPE_LDAP and params['password']:
         user.set_password(params['password'])
     data_engine.save_object(user)
     # Reset session caches
     reset_user_sessions(user)
     return make_api_success_response(object_to_dict(user))
Ejemplo n.º 14
0
 def put(self, user_id):
     params = self._get_validated_object_parameters(request.form, False)
     user = data_engine.get_user(user_id=user_id)
     if user is None:
         raise DoesNotExistError(str(user_id))
     user.first_name = params['first_name']
     user.last_name = params['last_name']
     user.email = params['email']
     user.auth_type = params['auth_type']
     user.allow_api = params['allow_api']
     # Don't update the status field with this method
     # Update username only if non-LDAP
     if user.auth_type != User.AUTH_TYPE_LDAP:
         user.username = params['username']
     # Update password only if non-LDAP and a new one was passed in
     if user.auth_type != User.AUTH_TYPE_LDAP and params['password']:
         user.set_password(params['password'])
     data_engine.save_object(user)
     # Do not give out anything password related
     udict = object_to_dict(user)
     del udict['password']
     return make_api_success_response(udict)
Ejemplo n.º 15
0
def trace_permissions():
    embed = request.args.get('embed', '')
    user_id = request.args.get('user', '')
    folder_path = request.args.get('path', '')
    if folder_path == '':
        folder_path = os.path.sep

    folder = None
    user = None
    users = []
    user_has_admin = False
    trace = None
    err_msg = None
    db_session = data_engine.db_get_session()
    try:
        # Get folder and selected user info
        # User can be None for an anonymous user
        user_id = parse_int(user_id)
        if user_id != 0:
            user = data_engine.get_user(user_id, _db_session=db_session)
            if user is None:
                raise DoesNotExistError('This user no longer exists')
        folder = data_engine.get_folder(folder_path=folder_path, _db_session=db_session)
        if folder is None or folder.status == Folder.STATUS_DELETED:
            raise DoesNotExistError('This folder no longer exists')

        # Get users list
        users = data_engine.list_users(
            status=User.STATUS_ACTIVE,
            order_field=User.username,
            _db_session=db_session
        )

        # Get the folder+user traced permissions
        trace = permissions_engine._trace_folder_permissions(folder, user)

        # Flag on the UI if the user has admin
        for gdict in trace['groups']:
            gperms = gdict['group'].permissions
            if gperms.admin_files or gperms.admin_all:
                user_has_admin = True
                break

    except Exception as e:
        log_security_error(e, request)
        err_msg = str(e)
    finally:
        try:
            return render_template(
                'admin_trace_permissions.html',
                embed=embed,
                folder=folder,
                folder_is_root=folder.is_root() if folder else False,
                user=user,
                user_list=users,
                trace=trace,
                user_has_admin=user_has_admin,
                err_msg=err_msg,
                GROUP_ID_PUBLIC=Group.ID_PUBLIC
            )
        finally:
            db_session.close()