def add():
"""Add `email` to the whitelist."""
form = AddToWhitelistForm(request.form)
if form.user_type.data == 'fake_user':
if form.validate_on_submit():
fake_id = str(uuid.uuid4())
fake_email = fake_id[:10] + "@fake-users.com"
filename = form.fake_user_image.data
try:
fake_image = Image.objects().get(filename=filename)
fake_user = User(email=fake_email,
gplus_id=fake_id,
name=form.name.data,
user_type=form.user_type.data,
image=fake_image)
except Image.DoesNotExist:
fake_user = User(email=fake_email,
gplus_id=fake_id,
name=form.name.data,
user_type=form.user_type.data)
fake_user.save()
else:
app.logger.warning(form.errors)
else:
user_exists = User.objects(email=form.email.data).count() != 0
if form.validate_on_submit() and not user_exists:
wl = Whitelist(email=form.email.data,
user_type=form.user_type.data)
wl.save()
else:
app.logger.warning(form.errors)
return redirect(url_for('users.index'))
def test_whitelist_add_duplicate_email(self):
"""Test that when a duplicate email is added to the whitelist it is
rejected.
"""
query_string_data_1 = {
"email": "*****@*****.**",
"user_type": "user"
}
query_string_data_2 = {
"email": "*****@*****.**",
"user_type": "editor"
}
self.request_with_role('/whitelist/add',
method='POST',
data=query_string_data_1,
follow_redirects=True)
resp = self.request_with_role('/whitelist/add',
method='POST',
data=query_string_data_2,
follow_redirects=True)
self.assertEqual(resp.status_code, 200)
self.assertEqual(Whitelist.objects().count(), 1)
wl = Whitelist.objects().get(email="*****@*****.**")
self.assertEqual(wl.user_type, "user")
def create_fake_users(db, nb_users=50, fake=None):
from app.models import User
from app.models import UserRole
from app.models import Whitelist
if fake is None:
fake = Faker()
wl1 = Whitelist(label=fake.word())
admin = UserRole(label=fake.word())
contributor = UserRole(label=fake.word())
db.session.add(wl1)
db.session.add(admin)
db.session.add(contributor)
db.session.commit()
roles = [admin, contributor]
whitelists = [wl1]
try:
for i in range(0, nb_users):
u1 = User(username=fake.user_name(),
password=fake.user_name(),
email=fake.free_email(),
active=random.choice([0, 1]),
first_name=fake.first_name(),
last_name=fake.last_name())
u1.role = random.choice(roles)
u1.whitelists = [random.choice(whitelists)]
db.session.add(u1)
db.session.commit()
except IntegrityError as e:
db.session.rollback()
def delete(user_id):
"""Delete the user with id `user_id`
If the `revoke` property is set to true,
then the user will be removed from the whitelist, and not be
allowed to make an account again.
"""
object_id = ObjectId(user_id)
if User.objects(id=object_id).count() != 1:
abort(401)
user = User.objects().get(id=object_id)
# Update whitelist
try:
wl = Whitelist.objects().get(email=user.email)
wl.redeemed = False
wl.save()
except DoesNotExist:
pass
user.delete()
# Log out if a user is attempting to delete themselves
if 'gplus_id' in session and user.gplus_id == session['gplus_id']:
flash('You deleted yourself successfully. Logging out.')
return redirect(url_for('.logout'), 303)
flash('User deleted successfully.')
return redirect(url_for('.index'), code=303)
def delete(user_id):
"""Delete the user with id ``user_id``
If the ``revoke`` property is set to true,
then the user will be removed from the whitelist, and not be
allowed to make an account again.
**Route:** ``/admin/users/delete/<user_id>``
**Methods:** ``POST``
"""
object_id = ObjectId(user_id)
if User.objects(id=object_id).count() != 1:
abort(401)
user = User.objects().get(id=object_id)
# Update whitelist
try:
wl = Whitelist.objects().get(email=user.email)
wl.redeemed = False
wl.save()
except DoesNotExist:
pass
user.delete()
# Log out if a user is attempting to delete themselves
if "gplus_id" in session and user.gplus_id == session["gplus_id"]:
flash("You deleted yourself successfully. Logging out.", MESSAGE_FLASH)
return redirect(url_for(".logout"), 303)
flash("User deleted successfully.", MESSAGE_FLASH)
return redirect(url_for(".index"), code=303)
def test_whitelist_add_valid_input(self):
"""Test that when valid input is provided, a user is added to the
whitelist.
"""
query_string_data = {
"email": "*****@*****.**",
"user_type": "user"
}
resp = self.request_with_role('/whitelist/add',
method='POST',
data=query_string_data,
follow_redirects=True)
self.assertEqual(resp.status_code, 200)
self.assertEqual(Whitelist.objects().count(), 1)
user = Whitelist.objects().get(email="*****@*****.**")
self.assertEqual(user.user_type, "user")
def get(self):
objects = DBWhitelist.objects()
result = {
'count': objects.count(),
'data': json.loads(objects.to_json())
}
return result
def delete(user_id):
"""Delete the user with id ``user_id``
If the ``revoke`` property is set to true,
then the user will be removed from the whitelist, and not be
allowed to make an account again.
**Route:** ``/admin/users/delete/<user_id>``
**Methods:** ``POST``
"""
object_id = ObjectId(user_id)
if User.objects(id=object_id).count() != 1:
abort(401)
user = User.objects().get(id=object_id)
# Update whitelist
try:
wl = Whitelist.objects().get(email=user.email)
wl.redeemed = False
wl.save()
except DoesNotExist:
pass
user.delete()
# Log out if a user is attempting to delete themselves
if 'gplus_id' in session and user.gplus_id == session['gplus_id']:
flash('You deleted yourself successfully. Logging out.', MESSAGE_FLASH)
return redirect(url_for('.logout'), 303)
flash('User deleted successfully.', MESSAGE_FLASH)
return redirect(url_for('.index'), code=303)
def create_fake_users(db, nb_users=50, fake=None):
from app.models import User
from app.models import UserRole
from app.models import Whitelist
if fake is None:
fake = Faker()
#logging.getLogger('faker.factory').setLevel(logging.ERROR)
wl1 = Whitelist(label=fake.word())
admin = UserRole(label=fake.word())
contributor = UserRole(label=fake.word())
db.session.add(wl1)
db.session.add(admin)
db.session.add(contributor)
db.session.commit()
roles = [admin, contributor]
whitelists = [wl1]
for i in range(0, nb_users):
u1 = User(username=fake.user_name(),
password=fake.user_name(),
email=fake.free_email(),
active=1,
first_name=fake.first_name(),
last_name=fake.last_name())
u1.role = roles[1]
u1.whitelists = whitelists
db.session.add(u1)
db.session.commit()
def wipe():
"""Wipe all users from the database"""
if request.method == "POST":
for w in Whitelist.objects():
w.delete()
# use code=303 to avoid POSTing to the next page.
return redirect(url_for('users.index'), code=303)
return '''\
def delete(email):
"""Delete `email` from the whitelist."""
if Whitelist.objects(email=email).count() > 0:
Whitelist.objects.get(email=email).delete()
flash("Whitelist entry revoked successfully.")
return redirect(url_for('users.index'))
flash('No such user in the database.')
return redirect(url_for('users.index'))
def __call__(self, form, field):
"""Called internally by :mod:`wtforms` on validation of the field.
:param form: The parent form
:type form: :class:`Form`
:param field: The field to validate
:type field: :class:`Field`
:raises: :class:`wtforms.validators.ValidationError`
"""
if form.user_type.data != 'fake_user' and \
Whitelist.objects(email=field.data).count():
raise ValidationError(self.message)
def __call__(self, form, field):
"""Called internally by :mod:`wtforms` on validation of the field.
:param form: The parent form
:type form: :class:`Form`
:param field: The field to validate
:type field: :class:`Field`
:raises: :class:`wtforms.validators.ValidationError`
"""
if form.user_type.data != 'fake_user' and \
Whitelist.objects(email=field.data).count():
raise ValidationError(self.message)
def create_profile():
"""Create a profile (filling in the form with openid data), and
register it in the database.
**Route:** ``/admin/create-profile``
**Methods:** ``GET, POST``
"""
if g.user is not None and 'gplus_id' in session:
# use code=303 to avoid POSTing to the next page.
return redirect(url_for('admin.index'), code=303)
form = CreateProfileForm(request.form,
name=request.args['name'],
email=request.args['email'],
next=request.args['next'])
if form.validate_on_submit():
if User.objects(email=form.email.data).count() != 0:
# A user with this email already exists. Override it.
user = User.objects.get(email=form.email.data)
user.openid = session['openid']
user.name = form.name.data
flash('Account with this email already exists. Overridden.',
MESSAGE_FLASH)
user.register_login()
user.save()
else:
# Retreive their user type from the whitelist then remove them.
wl = Whitelist.objects().get(email=form.email.data)
user_type = wl.user_type
wl.redeemed = True
wl.save()
# Create a brand new user
user = User(email=form.email.data,
name=form.name.data,
gplus_id=session['gplus_id'],
user_type=user_type,
image_url=request.args.get('image_url'))
flash('Account created successfully.', MESSAGE_FLASH)
user.register_login()
user.save()
# redirect to the next url or the root of the application ('/')
if form.next.data:
# use code=303 to avoid POSTing to the next page.
return redirect(form.next.data, code=303)
# use code=303 to avoid POSTing to the next page.
return redirect('/', code=303)
return render_template('admin/auth/create_profile.html',
image_url=request.args.get('image_url'),
form=form)
def add():
"""Add and email to the whitelist.
**Route:** ``/admin/whitelist/add``
**Methods:** ``POST``
"""
form = AddToWhitelistForm(request.form)
if form.user_type.data == 'fake_user':
if form.validate_on_submit():
fake_id = str(uuid.uuid4())
fake_email = fake_id[:10] + "@fake-users.com"
filename = form.fake_user_image.data
try:
fake_image = Image.objects().get(filename=filename)
fake_user = User(email=fake_email,
gplus_id=fake_id,
name=form.name.data,
user_type=form.user_type.data,
image=fake_image)
except Image.DoesNotExist:
fake_user = User(email=fake_email,
gplus_id=fake_id,
name=form.name.data,
user_type=form.user_type.data)
fake_user.save()
else:
app.logger.warning(form.errors)
else:
user_exists = User.objects(email=form.email.data).count() != 0
if form.validate_on_submit() and not user_exists:
wl = Whitelist(email=form.email.data,
user_type=form.user_type.data)
wl.save()
else:
app.logger.warning(form.errors)
return redirect(url_for('users.index'))
def test_whitelist_revoke(self):
"""Test removing an email from the waitlist.
Adds num_trials emails to the whitelist, deletes some of them,
and checks to make sure the right ones were deleted."""
num_trials = 20
# Post `num_trials` new whitelist entries
for i in range(num_trials):
query_string_data = {
"email": "*****@*****.**" % i,
"user_type": "user"
}
resp = self.request_with_role('/whitelist/add',
method='POST',
data=query_string_data,
follow_redirects=True)
# No error pages
self.assertEqual(resp.status_code, 200)
# `num_trials` whitelist items added.
self.assertEqual(Whitelist.objects().count(), num_trials)
delete = [i for i in range(num_trials) if i % 3 == 0]
for i in range(num_trials):
if i in delete:
resp = self.request_with_role(
'/whitelist/delete/email%[email protected]' % i,
method='POST')
self.assertEqual(resp.status_code, 200)
for i in range(num_trials):
in_list = Whitelist.objects(
email="*****@*****.**" % i).count() == 1
if i in delete:
self.assertFalse(in_list)
else:
self.assertTrue(in_list)
def index():
"""View and manage users
Whitelisted users are the only ones allowed to make user accounts.
"""
upload_form = UploadImageForm()
whitelist_form = AddToWhitelistForm()
return render_template('admin/users/users.html',
whitelist_form=whitelist_form,
upload_form=upload_form,
whitelist=Whitelist.objects(redeemed=False),
users=User.objects(),
images=Image.objects(),
current_user=g.user)
def test_whitelist_add_invalid_email(self):
"""Test that when an invalid email is provided, no user is added to the
whitelist.
"""
query_string_data = {
"email": "notanemail",
"user_type": "user"
}
resp = self.request_with_role('/whitelist/add',
method='POST',
query_string=query_string_data,
follow_redirects=True)
self.assertEqual(resp.status_code, 200)
self.assertEqual(Whitelist.objects().count(), 0)
def create_profile():
"""Create a profile (filling in the form with openid data), and
register it in the database.
**Route:** ``/admin/create-profile``
**Methods:** ``GET, POST``
"""
if g.user is not None and 'gplus_id' in session:
# use code=303 to avoid POSTing to the next page.
return redirect(url_for('admin.index'), code=303)
form = CreateProfileForm(request.form,
name=request.args['name'],
email=request.args['email'],
next=request.args['next'])
if form.validate_on_submit():
if User.objects(email=form.email.data).count() != 0:
# A user with this email already exists. Override it.
user = User.objects.get(email=form.email.data)
user.openid = session['openid']
user.name = form.name.data
flash('Account with this email already exists. Overridden.',
MESSAGE_FLASH)
user.register_login()
user.save()
else:
# Retreive their user type from the whitelist then remove them.
wl = Whitelist.objects().get(email=form.email.data)
user_type = wl.user_type
wl.redeemed = True
wl.save()
# Create a brand new user
user = User(email=form.email.data,
name=form.name.data,
gplus_id=session['gplus_id'],
user_type=user_type,
image_url=request.args.get('image_url'))
flash('Account created successfully.', MESSAGE_FLASH)
user.register_login()
user.save()
# redirect to the next url or the root of the application ('/')
if form.next.data:
# use code=303 to avoid POSTing to the next page.
return redirect(form.next.data, code=303)
# use code=303 to avoid POSTing to the next page.
return redirect('/', code=303)
return render_template('admin/auth/create_profile.html',
image_url=request.args.get('image_url'), form=form)
def test_whitelist_add_no_user_type(self):
"""Test that when no user type is provided, then no user is added to
the whitelist.
"""
query_string_data = {
"email": "*****@*****.**",
"user_type": None
}
resp = self.request_with_role('/whitelist/add',
method='POST',
query_string=query_string_data,
follow_redirects=True)
self.assertEqual(resp.status_code, 200)
self.assertEqual(Whitelist.objects().count(), 0)
def delete(email):
"""Delete ``email`` from the whitelist.
**Route:** ``/admin/whitelist/delete/<email>``
**Methods:** ``POST``
:param str email: The email address to delete from the whitelist.
"""
if Whitelist.objects(email=email).count() > 0:
Whitelist.objects.get(email=email).delete()
flash("Whitelist entry revoked successfully.", MESSAGE_FLASH)
return redirect(url_for('users.index'))
flash('No such user in the database.', ERROR_FLASH)
return redirect(url_for('users.index'))
def api_post_whitelist(api_version):
"""
{
data: {
label : 'My new whitelist'
}
}
:return:
"""
data = request.get_json()
try:
new_whitelist_name = data.get("label")
whitelist = Whitelist(label=new_whitelist_name)
whitelist.users = [current_app.get_current_user()]
db.session.add(whitelist)
db.session.commit()
return make_200(data=whitelist.serialize())
except Exception as e:
db.session.rollback()
print(str(e))
return make_400(str(e))
def index():
"""View and manage users
Whitelisted users are the only ones allowed to make user accounts.
"""
upload_form = UploadImageForm()
whitelist_form = AddToWhitelistForm()
return render_template('admin/users/users.html',
whitelist_form=whitelist_form,
upload_form=upload_form,
whitelist=Whitelist.objects(redeemed=False),
users=User.objects(),
images=Image.objects(),
current_user=g.user)
def delete(email):
"""Delete ``email`` from the whitelist.
**Route:** ``/admin/whitelist/delete/<email>``
**Methods:** ``POST``
:param str email: The email address to delete from the whitelist.
"""
if Whitelist.objects(email=email).count() > 0:
Whitelist.objects.get(email=email).delete()
flash("Whitelist entry revoked successfully.")
return redirect(url_for('users.index'))
flash('No such user in the database.')
return redirect(url_for('users.index'))
def index():
"""View and manage users.
Whitelisted users are the only ones allowed to make user accounts.
**Route:** ``/admin/users``
**Methods:** ``GET``
"""
upload_form = UploadImageForm()
whitelist_form = AddToWhitelistForm()
return render_template(
"admin/users/users.html",
whitelist_form=whitelist_form,
upload_form=upload_form,
whitelist=Whitelist.objects(redeemed=False),
users=User.objects(),
images=Image.objects(),
current_user=g.user,
)
def test_whitelist_add_email_of_existing_user(self):
"""Test that when a email is added to the whitelist that belongs to
an existing user, it should be rejected.
"""
# Add a user to the database
user = User(name="Test User", email="*****@*****.**",
gplus_id="test123", user_type="admin")
user.save()
self.assertEqual(User.objects(email="*****@*****.**").count(), 1)
# Post a new whitelist entry
query_string_data = {
"email": "*****@*****.**",
"user_type": "user"
}
resp = self.request_with_role('/whitelist/add',
method='POST',
data=query_string_data,
follow_redirects=True)
self.assertEqual(resp.status_code, 200)
self.assertEqual(Whitelist.objects().count(), 0)
def __call__(self, form, field):
if form.user_type.data != 'fake_user' and \
Whitelist.objects(email=field.data).count() != 0:
raise ValidationError(self.message)
def store_token():
"""Do the oauth flow for Google plus sign in, storing the access token
in the session, and redircting to create an account if appropriate.
Because this method will be called from a ``$.ajax()`` request in
JavaScript, we can't return ``redirect()``, so instead this method returns
the URL that the user should be redirected to, and the redirect happens in
html:
.. code:: javascript
success: function(response) {
window.location.href = response.data.redirect_url;
}
**Route:** ``/admin/store-token``
**Methods:** ``POST``
"""
if request.args.get('state', '') != session.get('state'):
return json_error_message('Invalid state parameter.', 401)
del session['state']
code = request.data
try:
# Upgrade the authorization code into a credentials object
oauth_flow = flow_from_clientsecrets(config['CLIENT_SECRETS_PATH'],
scope='')
oauth_flow.redirect_uri = 'postmessage'
credentials = oauth_flow.step2_exchange(code)
except FlowExchangeError:
return json_error_message('Failed to upgrade the authorization code.',
401)
gplus_id = credentials.id_token['sub']
# Store the access token in the session for later use.
session['credentials'] = credentials.access_token
session['gplus_id'] = gplus_id
if User.objects(gplus_id=gplus_id).count() == 0:
# A new user model must be made
# Get the user's name and email to populate the form
http = httplib2.Http()
http = credentials.authorize(http)
people_document = gplus_service.people().get(userId='me').execute(
http=http)
# The user must be whitelisted in order to create an account.
email = people_document['emails'][0]['value']
if Whitelist.objects(email=email).count() != 1:
return json_error_message('User has not been whitelisted.', 401, {
'whitelisted': False,
'email': email
})
return json_success({
'redirect_url':
url_for('.create_profile',
next=request.args.get('next'),
name=people_document['displayName'],
email=email,
image_url=people_document['image']['url'])
})
user = User.objects().get(gplus_id=gplus_id)
user.register_login()
user.save()
# The user already exists. Redirect to the next url or
# the root of the application ('/')
if request.args.get('next'):
return json_success({'redirect_url': request.args.get('next')})
return json_success({'redirect_url': request.url_root})
def __call__(self, form, field):
if form.user_type.data != 'fake_user' and \
Whitelist.objects(email=field.data).count() != 0:
raise ValidationError(self.message)
def setUp(self):
for w in Whitelist.objects():
w.delete()
super(TestAuth, self).setUp()
def store_token():
"""Do the oauth flow for Google plus sign in, storing the access token
in the session, and redircting to create an account if appropriate.
Because this method will be called from a $.ajax() request in JavaScript,
we can't return redirect(), so instead this method returns the URL that
the user should be redirected to, and the redirect happens in JavaScript:
success: function(response) {
window.location.href = response;
}
"""
if request.args.get('state', '') != session.get('state'):
return json_response('Invalid state parameter.', 401)
del session['state']
code = request.data
try:
# Upgrade the authorization code into a credentials object
oauth_flow = flow_from_clientsecrets(
'config/client_secrets.json', scope='')
oauth_flow.redirect_uri = 'postmessage'
credentials = oauth_flow.step2_exchange(code)
except FlowExchangeError:
return json_response('Failed to upgrade the authorization code.',
401)
gplus_id = credentials.id_token['sub']
# Store the access token in the session for later use.
session['credentials'] = credentials.access_token
session['gplus_id'] = gplus_id
if User.objects(gplus_id=gplus_id).count() == 0:
# A new user model must be made
# Get the user's name and email to populate the form
http = httplib2.Http()
http = credentials.authorize(http)
people_document = gplus_service.people().get(
userId='me').execute(http=http)
# The user must be whitelisted in order to create an account.
email = people_document['emails'][0]['value']
if Whitelist.objects(email=email).count() != 1:
return json_response({
'code': WHITELIST_CODE,
'title': 'User has not been whitelisted.',
'email': email
}, 401)
return json_response(url_for(
'.create_profile',
next=request.args.get('next'),
name=people_document['displayName'],
email=email,
image_url=people_document['image']['url']), 200)
user = User.objects().get(gplus_id=gplus_id)
user.register_login()
user.save()
# The user already exists. Redirect to the next url or
# the root of the application ('/')
if request.args.get('next'):
return json_response(request.args.get('next'), 200)
return json_response(request.url_root, 200)
