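    def user_preprocessor_get_single(instance_id=None, **kw):
        """Create an User specific GET_SINGLE preprocessor.

        Accepts a single argument, `instance_id`, the primary key of the
        instance of the model to get.

        Access policy as written: a request carrying an ``access_token``
        query parameter or an ``Authorization`` header is verified via
        ``verify_authorization()``; a verified user holding the ``generic``
        role is let through, any other verified user is rejected with 403,
        and an unauthenticated request is rejected with 403.

        :param instance_id: primary key of the User being fetched (not
            consulted by the policy itself)
        :param kw: remaining preprocessor keyword arguments (ignored)
        :raises: ``abort(403)`` when access is denied
        """
        logger.info('`user_preprocessor_get_single` responded to request')

        # Only the *presence* of a credential is checked here; validating it
        # is delegated to verify_authorization().
        # NOTE(review): accepting the token from the query string means it
        # can be recorded in server/proxy access logs and referrers; the
        # Authorization header is the safer channel -- confirm whether the
        # query form is still required by any client.
        if request.args.get('access_token', '') or \
                request.headers.get('Authorization'):

            # NOTE(review): called without arguments here, whereas a
            # `verify_authorization(oauth_request, **kw)` elsewhere on this
            # page requires one -- confirm which definition is in scope.
            authorization = verify_authorization()

            if check_roles('generic', authorization.roles):
                # Fix: the role label logged here was 'grantee' although the
                # role actually tested is 'generic' (as in the sibling
                # preprocessors).
                # NOTE(review): these warnings report a failed/unauthorized
                # access, yet this branch lets the request through; either
                # the messages or the outcome looks like a copy-paste
                # leftover -- behaviour kept, intent to be confirmed.
                logger.warning('User %d %s access failed User GET_SINGLE',
                               authorization.id, 'generic')
                logger.warning('generic role unauthorized to access '
                               'User GET_SINGLE')
            else:
                # Fix: the two adjacent literals lacked a separating space
                # and logged "with norole".
                logger.info('User %d accessed User GET_SINGLE with no '
                            'role', authorization.id)
                abort(403)
        else:
            # Fix: the two adjacent literals lacked a separating space and
            # logged "UserGET_SINGLE".
            logger.info('Anonymous user attempted to access User GET_SINGLE')
            abort(403)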
    def user_preprocessor_get_many(search_params=None, **kw):
        """Create an User specific GET_MANY preprocessor.

        Accepts a single argument, `search_params`, which is a dictionary
        containing the search parameters for the request.

        Policy, as implemented: a request presenting an ``access_token``
        query parameter or an ``Authorization`` header is verified through
        ``verify_authorization()``; a verified user with the ``generic`` role
        proceeds, every other verified user is rejected with 403, and an
        anonymous request is rejected with 403.

        :param search_params: search parameters of the request (not consulted
            by the policy)
        :param kw: remaining preprocessor keyword arguments (ignored)
        :raises: ``abort(403)`` when access is denied
        """
        logger.info('`user_preprocessor_get_many` responded to request')

        # Presence of a credential only; its validity is checked below by
        # verify_authorization().
        presents_credentials = (request.args.get('access_token', '')
                                or request.headers.get('Authorization'))

        if not presents_credentials:
            logger.info('Anonymous user attempted to access User GET_MANY')
            abort(403)
            return

        authorization = verify_authorization()
        holder = authorization.id

        if not check_roles('generic', authorization.roles):
            logger.info('User %d accessed User GET_MANY with no role' %
                        (holder))
            abort(403)
            return

        # NOTE(review): the branch that admits the request still logs it as a
        # failed / unauthorized access -- confirm which of the two is meant.
        logger.warning('User %d %s access failed User GET_MANY' %
                       (holder, 'generic'))
        logger.warning('generic role unauthorized to access '
                       'User GET_MANY')
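    def user_preprocessor_delete_single(instance_id=None, **kw):
        """Create an User specific DELETE_SINGLE preprocessor.

        Accepts a single argument, `instance_id`, which is the primary key
        of the instance which will be deleted.

        Access policy: only a verified user holding the ``admin`` role may
        delete. A user with ``generic`` but not ``admin`` is rejected with
        401, a user with neither role with 403, and an unauthenticated
        request (no ``access_token`` parameter and no ``Authorization``
        header) with 403.

        :param instance_id: primary key of the User to delete (not consulted
            by the policy)
        :param kw: remaining preprocessor keyword arguments (ignored)
        :raises: ``abort(401)`` / ``abort(403)`` as described above
        """
        logger.info('`user_preprocessor_delete_single` used for endpoint')

        # Presence check only; the credential itself is validated by
        # verify_authorization().
        if request.args.get('access_token', '') or \
                request.headers.get('Authorization'):

            authorization = verify_authorization()

            # Evaluate each role test once instead of calling
            # check_roles('admin', ...) from two branches (assumes
            # check_roles is a side-effect-free membership test, as its use
            # in verify_roles suggests).
            is_generic = check_roles('generic', authorization.roles)
            is_admin = check_roles('admin', authorization.roles)

            if is_admin:
                pass  # admins may delete; nothing further to check
            elif is_generic:
                # NOTE(review): this 401 goes to a user whose credential was
                # just verified; HTTP semantics reserve 401 for missing or
                # invalid credentials and 403 for "authenticated but not
                # permitted". Status left unchanged since clients may rely
                # on it.
                logger.warning('User %d %s access failed User '
                               'DELETE_SINGLE', authorization.id, 'generic')
                logger.warning('generic role unauthorized to access '
                               'User DELETE_SINGLE')
                abort(401)
            else:
                logger.info('User %d accessed User DELETE_SINGLE with '
                            'no role', authorization.id)
                abort(403)
        else:
            logger.info('Anonymous user attempted to access User '
                        'DELETE_SINGLE')
            abort(403)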
    def user_preprocessor_post(data=None, **kw):
        """Create an User specific POST preprocessor.

        Accepts a single argument, `data`, which is the dictionary of
        fields to set on the new instance of the model.

        Policy, as implemented: a request presenting an ``access_token``
        parameter or an ``Authorization`` header is verified with
        ``verify_authorization()``; ``admin`` users may create, ``generic``
        (non-admin) users are rejected with 401, and users with neither
        role, as well as anonymous requests, are rejected with 403.

        :param data: fields for the new instance (not consulted by the
            policy)
        :param kw: remaining preprocessor keyword arguments (ignored)
        :raises: ``abort(401)`` / ``abort(403)`` as described above
        """
        logger.info('`user_preprocessor_post` used for endpoint')

        # Presence of a credential only; verify_authorization() validates it.
        presented = (request.args.get('access_token', '')
                     or request.headers.get('Authorization'))
        if not presented:
            logger.info('Anonymous user attempted to access User POST')
            abort(403)
            return

        authorization = verify_authorization()
        roles = authorization.roles
        who = authorization.id

        if check_roles('generic', roles) and \
           not check_roles('admin', roles):
            # NOTE(review): the credential was verified, so 403 would be the
            # conventional status here; 401 kept as the existing behaviour.
            logger.warning('User %d %s access failed User POST' %
                           (who, 'generic'))
            logger.warning('generic role unauthorized to access '
                           'User POST')
            abort(401)
            return

        if check_roles('admin', roles):
            logger.info('User %d accessed User POST as %s' %
                        (who, 'admin'))
            return

        logger.info('User %d accessed User POST with no role' % (who))
        abort(403)
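    def user_preprocessor_update_many(search_params=None, **kw):
        """Create an User specific PATCH_MANY and PATCH_SINGLE preprocessor.

        Accepts `search_params`, a dictionary containing the search
        parameters for the request. The `data` dictionary of fields to change
        on the matching instances, which the original docstring listed as a
        second argument, is not a named parameter here and can only arrive
        through ``**kw``.

        Access policy as written: a request presenting an ``access_token``
        parameter or an ``Authorization`` header is verified with
        ``verify_authorization()``; a ``generic`` user is rejected with 401
        and any other verified user with 403; anonymous requests get 403.

        NOTE(review): unlike DELETE_SINGLE / POST there is no ``admin``
        branch, so no verified user reaches a pass path -- an admin who also
        holds ``generic`` gets 401, one who does not gets 403. Confirm whether
        PATCH is meant to be unreachable or an admin branch is missing.

        :param search_params: search parameters of the request (not consulted
            by the policy)
        :param kw: remaining preprocessor keyword arguments (ignored)
        :raises: ``abort(401)`` / ``abort(403)`` as described above
        """
        logger.info('`user_preprocessor_update_many` used for endpoint')

        # Presence check only; the credential itself is validated by
        # verify_authorization().
        if request.args.get('access_token', '') or \
                request.headers.get('Authorization'):

            authorization = verify_authorization()

            if check_roles('generic', authorization.roles):
                logger.warning('User %d %s access failed User '
                               'UPDATE_MANY', authorization.id, 'generic')
                logger.warning('generic role unauthorized to access '
                               'User UPDATE_MANY')
                abort(401)
            else:
                logger.info('User %d accessed User UPDATE_MANY '
                            'with no role', authorization.id)
                abort(403)
        else:
            # Fix: the two adjacent literals lacked a separating space and
            # logged "UserUPDATE_MANY".
            logger.info('Anonymous user attempted to access User '
                        'UPDATE_MANY')
            abort(403)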
def verify_roles(user_object, role_required):
    """Verify the user has a required system role.

    Logs a warning and aborts the request with 403 when ``role_required``
    is not among ``user_object.roles``; otherwise returns ``None`` without
    side effects.

    :param object user_object: The user object to check for roles
    :param string role_required: The role that is required to access resource
    """
    holds_role = check_roles(role_required, user_object.roles)
    if holds_role:
        return

    logger.warning('User %d attempted to access a protected resource '
                   'without the appropriate %s role' %
                   (user_object.id, role_required))
    abort(403)
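def verify_authorization(oauth_request, **kw):
    """Verify user has appropriate clearances to access data.

    Outcomes: when ``oauth_request.user`` is set, an inactive user is
    rejected with 401 and an active one is returned; when it is not set
    (the submitted token did not resolve to a user) the request is rejected
    with 403.

    :param object oauth_request: User object submitted through OAuth handlers
    :param kw: extra keyword arguments from the OAuth handler (ignored)

    :return object user: Return the user object or abort
    """
    user = oauth_request.user
    if user:
        logger.info('User %d requesting system authorization', user.id)
        # A token that resolves to a user is not sufficient on its own: a
        # deactivated account must not retain access.
        if not user.active:
            # Fix: the two adjacent literals lacked a separating space and
            # logged "access tosystem resources.".
            logger.warning('User %d is inactive and is requesting access to '
                           'system resources.', user.id)

            abort(401)
        return user

    #
    # @todo add ip address, access token used, and any other information that
    # would be used in blocking or singling out offending user accounts
    #
    logger.warning('An invalid access_token was submitted')
    abort(403)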