Ejemplo n.º 1
0
def add_owner_to_group(group_id):
    group_id = sanitize(group_id)
    uid = sanitize(request.json.get('uid'))
    my_uid = token_handler.get_jwt_user(request.headers.get('Authorization'))
    if my_uid == None:
        return abort(401)
    if not api.is_active(my_uid):
        return abort(401)
    if not any(x.uid == my_uid for x in api.get_group_owners(group_id)):
        return abort(401)
    api.add_group_owner(group_id, uid)
    return "ok"
Ejemplo n.º 2
0
    def __call__(self, environ, start_response):
        request = Request(environ)
        authheader = request.headers.get('Authorization')

        uid = token_handler.get_jwt_user(authheader)
        print(request.url.replace(request.url_root, ""))
        if uid == None and \
                not request.url.replace(request.url_root, "") in ["login", "users/reset_password", "users/set_password_with_key"] and \
                not request.url.replace(request.url_root, "").startswith("confirm"):
            res = Response(u'Authorization failed',
                           mimetype='text/plain',
                           status=401)
            return res(environ, start_response)

        return self.app(environ, start_response)
Ejemplo n.º 3
0
def group_owners(group_id):
    my_uid = token_handler.get_jwt_user(request.headers.get('Authorization'))
    if my_uid == None:
        return abort(401)
    if not api.is_active(my_uid):
        return abort(401)
    group_id = sanitize(group_id)
    ldap_owners = api.get_group_owners(group_id)
    owners = []
    for x in ldap_owners:
        try:
            owners.append(object_to_dict(x))
        except Exception as e:
            print(e)
    return jsonify(owners)
Ejemplo n.º 4
0
def accept_pending_member(group_id):
    group_id = sanitize(group_id)
    uid = sanitize(request.json.get('uid'))
    my_uid = token_handler.get_jwt_user(request.headers.get('Authorization'))
    if my_uid == None:
        return abort(401)
    if not api.is_active(my_uid):
        return abort(401)
    if not any(x.uid == my_uid for x in api.get_group_owners(group_id)):
        return abort(401)
    if any(x.uid == uid
           for x in api.get_group_inactive_pending_members(group_id)):
        api.activate_user(uid)
    api.remove_group_active_pending_member(group_id, uid)
    api.add_group_member(group_id, uid)
    return "ok"
Ejemplo n.º 5
0
def mygroups():
    """ Gets all of the groups you are a member of. Returns them as json:
    [
        {
            "businessCategory": "...",
            "cn": "...",
            "ou": "...",
            "membership": "...", // Either "pending", "member", or "admin"
        },
        ...
    ]
    """
    username = token_handler.get_jwt_user(request.headers.get('Authorization'))
    if username == None:
        return abort(401)
    if not api.is_active(username):
        return abort(401)
    pending_groups = [
        object_to_dict(x)
        for x in api.get_groups_as_active_pending_member(username)
    ]
    member_groups = [
        object_to_dict(x) for x in api.get_groups_as_member(username)
    ]
    owned_groups = [
        object_to_dict(x) for x in api.get_groups_as_owner(username)
    ]

    # Groups can overlap. If you're owner you're always also member.
    # But the interesting information is that you're owner.
    member_groups = list(filter(lambda x: x not in owned_groups,
                                member_groups))

    # Add information about membership
    for group in pending_groups:
        group['membership'] = 'pending'
    for group in member_groups:
        group['membership'] = 'member'
    for group in owned_groups:
        group['membership'] = 'admin'

    all_groups = []
    all_groups.extend(pending_groups)
    all_groups.extend(member_groups)
    all_groups.extend(owned_groups)

    return jsonify(all_groups)
Ejemplo n.º 6
0
def user_set_password_with_old():
    """ Sets a new password using the old one. Takes a json body containing
    the keys old_password and new_password. Says ok when done, 401 when not ok.
    You need to be logged in to do this.
    """
    uid = token_handler.get_jwt_user(request.headers.get('Authorization'))
    if uid == None:
        return abort(401)

    old_password = request.json.get('old_password')
    new_password = request.json.get('new_password')
    successful, _ = api.check_user_password(uid, old_password)
    if successful:
        api.set_user_password(uid, new_password)
        return "ok", 200
    else:
        return "invalid old password", 401
Ejemplo n.º 7
0
def group_guests(group_id):
    group_id = sanitize(group_id)
    uid = token_handler.get_jwt_user(request.headers.get('Authorization'))
    if uid == None:
        return abort(401)
    if not api.is_active(uid):
        return abort(401)
    if not any(x.uid == uid for x in api.get_group_owners(group_id)):
        return abort(401)
    ldap_members = api.get_group_guests(group_id)
    members = []
    for x in ldap_members:
        try:
            members.append(object_to_dict(x))
        except Exception as e:
            print(e)
    return jsonify(members)
Ejemplo n.º 8
0
def groups():
    """ Gets all groups. Returns them as json:
    [
        {
            "businessCategory": "...",
            "cn": "...",
            "ou": "...",
        },
        ...
    ]
    """
    username = token_handler.get_jwt_user(request.headers.get('Authorization'))
    if username == None:
        return abort(401)
    if not api.is_active(username):
        return abort(401)
    groups = [object_to_dict(x) for x in api.get_groups()]
    return jsonify(groups)
Ejemplo n.º 9
0
def users():
    """ Lists all users. Returns their uids in a json array.
        
    To access this, one must be owner in some group.
    """
    # Check if user is admin in some group
    uid = token_handler.get_jwt_user(request.headers.get('Authorization'))
    if uid == None:
        return abort(401)
    if not api.is_active(uid):
        return abort(401)
    if not api.is_group_owner_anywhere(uid):
        return abort(
            403), "To access this endpoint, you have to be owner of a group"

    # Ok, they are. List all users and return them!
    all_users = [object_to_dict(x) for x in api.get_users()]

    return jsonify(all_users)
Ejemplo n.º 10
0
def request_access_to_group(group_id):
    group_id = sanitize(group_id)
    my_uid = token_handler.get_jwt_user(request.headers.get('Authorization'))
    if my_uid == None:
        return abort(401)
    if not api.is_active(my_uid):
        return abort(401)
    api.add_group_active_pending_member(group_id, my_uid)
    group = api.get_group(group_id)
    user = api.get_user(my_uid)
    for owner in api.get_group_owners(group_id):
        mail.send_email(str(owner.mail), "Neue Anfrage in " + str(group.cn), \
               "emails/new_pending_member_mail", {
                   "name": str(owner.cn),
                   "group_name": str(group.cn),
                   "dashboard_url": config.FRONTEND_URL,
                   "new_member_name": str(user.cn)
               })
    return "ok"
Ejemplo n.º 11
0
def add_guest_to_group(group_id):
    group_id = sanitize(group_id)
    guest_name = sanitize(request.json.get('name'))
    guest_mail = sanitize(request.json.get('mail'))
    my_uid = token_handler.get_jwt_user(request.headers.get('Authorization'))
    if my_uid == None:
        return abort(401)
    if not api.is_active(my_uid):
        return abort(401)
    if not any(x.uid == my_uid for x in api.get_group_owners(group_id)):
        return abort(401)
    uid = api.create_guest(guest_name, guest_mail)
    api.add_group_member(group_id, uid)

    group = api.get_group(group_id)
    mail.send_email(str(guest_mail), "Du bist jetzt im Verteiler " + str(group.cn), \
           "emails/guest_invite_email", {
               "name": str(guest_name),
               "group_name": str(group.cn),
           })
    return uid
Ejemplo n.º 12
0
def remove_owner_from_group(group_id):
    group_id = sanitize(group_id)
    uid = sanitize(request.json.get('uid'))
    my_uid = token_handler.get_jwt_user(request.headers.get('Authorization'))
    # Auth is missing
    if my_uid == None:
        return abort(401)
    # User is inactive
    if not api.is_active(my_uid):
        return abort(401)
    # User is not an owner
    if not any(x.uid == my_uid for x in api.get_group_owners(group_id)):
        return abort(401)
    # User is not Dashboardadmin, cause dashboardadmin is holy
    if (uid == "dashboardadmin"):
        return abort(401)
    # User is the ownly owner despite dashboardadmin
    if not any((x.uid != "dashboardadmin" and x.uid != my_uid)
               for x in api.get_group_owners(group_id)):
        return abort(401)
    api.remove_group_owner(group_id, uid)
    return "ok"
Ejemplo n.º 13
0
def remove_user_from_group(group_id):
    """ Removes a user from a group. Call this function if you want to either remove
    yourself from a group or you want to remove another user from a group as an owner.
    If an owner removes a user from allgemein, their entire account is deleted.
    If a user is not part of any group after removal, their entire account is deleted.
    """
    group_id = sanitize(group_id)
    uid = sanitize(request.json.get('uid'))
    my_uid = token_handler.get_jwt_user(request.headers.get('Authorization'))
    if my_uid == None:
        return abort(401)
    if not api.is_active(my_uid):
        return abort(401)
    # 1st: Is the uid the group?
    if not (any(x.uid == uid for x in api.get_group_guests(group_id))
            or any(x.uid == uid for x in api.get_group_members(group_id))):
        return abort(400)
    # User is not Dashboardadmin, cause dashboardadmin is holy
    if (uid == "dashboardadmin"):
        return abort(400)
    # 2nd: Is the user an admin or just a user
    if any(x.uid == my_uid for x in api.get_group_owners(group_id)):
        # Group owners can remove anyone from a group but themself
        if uid == my_uid:
            return abort(400)  # admin tried to remove oneself
        api.remove_group_member(group_id, uid)  # remove
        # If user removed from allgemein or from their last group, remove the user
        if group_id == "allgemein" or \
            (api.get_groups_as_member(uid) == [] and api.get_groups_as_owner(uid) == [] and api.get_groups_as_active_pending_member(uid) == []):
            api.delete_user(uid)
        return "ok"
    else:
        # Users can remove themselves from any group but allgemein
        if uid == my_uid and any(x.uid == uid for x in api.get_group_members(
                group_id)) and not group_id == "allgemein":
            api.remove_group_member(group_id, uid)
            return "ok"

    return abort(500)
Ejemplo n.º 14
0
def inactive_info():
    uid = token_handler.get_jwt_user(request.headers.get('Authorization'))
    if uid == None:
        return abort(401)
    inactive_user = None
    try:
        inactive_info = api.get_inactive_user(uid)
    except LdapApiException as e:
        return jsonify({"inactive": False})
    # Get the owners of the group you are pending in
    groups = api.get_groups_as_inactive_pending_member(uid)
    if len(groups) != 1:
        return jsonify({"inactive": True})
    group = groups[0]
    group_name = str(group.cn)
    pending_group_owners = [
        object_to_dict(api.get_user(dn_to_uid(str(x)))) for x in group.owner
    ]
    return jsonify({
        "inactive": True,
        "pending_group_name": group_name,
        "pending_group_owners": pending_group_owners,
    })
Ejemplo n.º 15
0
def remove_pending_member_from_group(group_id):
    """ Cancels a membership request. Call this function if you want to either remove
    your own membership request from a group or you want to remove another user's request
    from a group as an owner.
    """
    group_id = sanitize(group_id)
    uid = sanitize(request.json.get('uid'))
    my_uid = token_handler.get_jwt_user(request.headers.get('Authorization'))
    if my_uid == None:
        return abort(401)
    if not api.is_active(my_uid):
        return abort(401)
    # Users can remove their own requests from a group
    if uid == my_uid and any(
            x.uid == uid
            for x in api.get_group_active_pending_members(group_id)):
        api.remove_group_active_pending_member(group_id, uid)
        return "ok"
    # Group owners can remove any pending member
    if any(x.uid == my_uid for x in api.get_group_owners(group_id)):
        api.remove_group_active_pending_member(group_id, uid)
        return "ok"
    return abort(401)
Ejemplo n.º 16
0
def set_alternative_mail():
    """ Starts the email confirmation process by sending an email.
    Takes a json body with the key "alternative_mail".
    """
    alternative_mail = request.json.get('alternative_mail')
    uid = token_handler.get_jwt_user(request.headers.get('Authorization'))
    if uid == None:
        return abort(401)
    try:
        email_reset_token = token_handler.create_email_confirmation_jwt_token(
            uid, alternative_mail).decode("utf-8")
        mail.send_email(
            alternative_mail, "Email-Confirmation",
            "emails/email_confirmation", {
                "name":
                uid,
                "link":
                join(config.DASHBOARD_URL, "confirm?key=" + email_reset_token),
            })
        return "ok"
    except LdapApiException as e:
        print(e)
        return abort(401)
Ejemplo n.º 17
0
def whoami():
    uid = token_handler.get_jwt_user(request.headers.get('Authorization'))
    if uid == None:
        return abort(401)
    info = api.get_user_info(uid)
    return object_to_dict(info)