def update(self, pk):
user = User.query.filter(User.username == pk).first()
if not user:
raise NotFound("Cannot update non existing object")
if not Grant.check_grant(self.user, Roles.ADMIN) and self.user.id != user.id:
raise Unauthorized('Only administrators and data owners can update user data')
# Can only update password
user.password = self.data.get('password', user.password)
gender = self.data.get('gender', user.details.gender)
if gender and gender not in Genders:
raise BadRequest(("Gender must be one of (" + ','.join(["'%s'"] * len(Genders)) + ")") % tuple(Genders))
# Update user details
user.details.name = self.data.get('name', user.details.name)
user.details.url = self.data.get('url', user.details.url)
user.details.bio = self.data.get('bio', user.details.url)
user.details.born = self.data.get('born', user.details.born)
user.details.gender = gender
db.session.add(user.details)
db.session.add(user)
db.session.commit()
return user
def detail(self, pk):
if Grant.check_grant(self.user, Roles.ADMIN):
return User.query.filter(User.username == pk).first()
if self.user.username == pk:
return self.user
raise Unauthorized('Only admins and data owners can view user data')
def new_admin(email):
"""Create an administrator account"""
# Check if the user already exists
user = User.query.filter(User.email == email).first()
if not user:
user = User(email=email)
user.password = request_password()
db.session.add(user)
else:
sys.stdout.write("User '%s' already exists " % email)
if not Grant.check_grant(user, Roles.ADMIN):
if query_yes_no(", are you sure you want to grant admin rights?" % email, default="no"):
db.session.add(Grant(user=user, role=Roles.ADMIN))
db.session.commit()
print("User with email '%s' is now an administrator" % email)
else:
return "Command cancelled"
print("and is an administrator")
