def _populate_user_provides(self, user_object):
"""
Populates the provides that naturally apply to a user, such as being the admin of their own
namespace.
"""
# Add the user specific permissions, only for non-oauth permission
user_grant = _UserNeed(user_object.username,
self._user_role_for_scopes("admin"))
logger.debug("User permission: {0}".format(user_grant))
self.provides.add(user_grant)
# Every user is the admin of their own 'org'
user_namespace = _OrganizationNeed(user_object.username,
self._team_role_for_scopes("admin"))
logger.debug("User namespace permission: {0}".format(user_namespace))
self.provides.add(user_namespace)
# Org repo roles can differ for scopes
user_repos = _OrganizationRepoNeed(user_object.username,
self._repo_role_for_scopes("admin"))
logger.debug("User namespace repo permission: {0}".format(user_repos))
self.provides.add(user_repos)
if (scopes.SUPERUSER in self._scope_set or scopes.DIRECT_LOGIN
in self._scope_set) and superusers.is_superuser(
user_object.username):
logger.debug("Adding superuser to user: %s", user_object.username)
self.provides.add(_SuperUserNeed())
def post(self, namespace):
"""
Takes ownership of the specified organization or user.
"""
if SuperUserPermission().can():
# Disallow for superusers.
if superusers.is_superuser(namespace):
raise InvalidRequest("Cannot take ownership of a superuser")
authed_user = get_authenticated_user()
entity_id, was_user = pre_oci_model.take_ownership(namespace, authed_user)
if entity_id is None:
raise NotFound()
# Log the change.
log_metadata = {
"entity_id": entity_id,
"namespace": namespace,
"was_user": was_user,
"superuser": authed_user.username,
}
log_action("take_ownership", authed_user.username, log_metadata)
return jsonify({"namespace": namespace})
raise Unauthorized()
def put(self, username):
""" Updates information about the specified user. """
if SuperUserPermission().can():
user = pre_oci_model.get_nonrobot_user(username)
if user is None:
raise NotFound()
if superusers.is_superuser(username):
raise InvalidRequest('Cannot update a superuser')
user_data = request.get_json()
if 'password' in user_data:
# Ensure that we are using database auth.
if app.config['AUTHENTICATION_TYPE'] != 'Database':
raise InvalidRequest(
'Cannot change password in non-database auth')
pre_oci_model.change_password(username, user_data['password'])
if 'email' in user_data:
# Ensure that we are using database auth.
if app.config['AUTHENTICATION_TYPE'] not in [
'Database', 'AppToken'
]:
raise InvalidRequest(
'Cannot change e-mail in non-database auth')
pre_oci_model.update_email(username,
user_data['email'],
auto_verify=True)
if 'enabled' in user_data:
# Disable/enable the user.
pre_oci_model.update_enabled(username,
bool(user_data['enabled']))
if 'superuser' in user_data:
config_object = config_provider.get_config()
superusers_set = set(config_object['SUPER_USERS'])
if user_data['superuser']:
superusers_set.add(username)
elif username in superusers_set:
superusers_set.remove(username)
config_object['SUPER_USERS'] = list(superusers_set)
config_provider.save_config(config_object)
return_value = user.to_dict()
if user_data.get('password') is not None:
password = user_data.get('password')
return_value[
'encrypted_password'] = authentication.encrypt_user_password(
password)
if user_data.get('email') is not None:
return_value['email'] = user_data.get('email')
return return_value
raise Unauthorized()
def put(self, username):
"""
Updates information about the specified user.
"""
if SuperUserPermission().can():
user = pre_oci_model.get_nonrobot_user(username)
if user is None:
raise NotFound()
if superusers.is_superuser(username):
raise InvalidRequest("Cannot update a superuser")
user_data = request.get_json()
if "password" in user_data:
# Ensure that we are using database auth.
if app.config["AUTHENTICATION_TYPE"] != "Database":
raise InvalidRequest("Cannot change password in non-database auth")
pre_oci_model.change_password(username, user_data["password"])
if "email" in user_data:
# Ensure that we are using database auth.
if app.config["AUTHENTICATION_TYPE"] not in ["Database", "AppToken"]:
raise InvalidRequest("Cannot change e-mail in non-database auth")
pre_oci_model.update_email(username, user_data["email"], auto_verify=True)
if "enabled" in user_data:
# Disable/enable the user.
pre_oci_model.update_enabled(username, bool(user_data["enabled"]))
if "superuser" in user_data:
config_object = config_provider.get_config()
superusers_set = set(config_object["SUPER_USERS"])
if user_data["superuser"]:
superusers_set.add(username)
elif username in superusers_set:
superusers_set.remove(username)
config_object["SUPER_USERS"] = list(superusers_set)
config_provider.save_config(config_object)
return_value = user.to_dict()
if user_data.get("password") is not None:
password = user_data.get("password")
return_value["encrypted_password"] = authentication.encrypt_user_password(
password
).decode("ascii")
if user_data.get("email") is not None:
return_value["email"] = user_data.get("email")
return return_value
raise Unauthorized()
def to_dict(self):
user_data = {
"kind": "user",
"name": self.username,
"username": self.username,
"email": self.email,
"verified": self.verified,
"avatar": avatar.get_data_for_user(self),
"super_user": superusers.is_superuser(self.username),
"enabled": self.enabled,
}
return user_data
def to_dict(self):
user_data = {
'kind': 'user',
'name': self.username,
'username': self.username,
'email': self.email,
'verified': self.verified,
'avatar': avatar.get_data_for_user(self),
'super_user': superusers.is_superuser(self.username),
'enabled': self.enabled,
}
return user_data
def delete(self, username):
""" Deletes the specified user. """
if SuperUserPermission().can():
user = pre_oci_model.get_nonrobot_user(username)
if user is None:
raise NotFound()
if superusers.is_superuser(username):
raise InvalidRequest("Cannot delete a superuser")
pre_oci_model.mark_user_for_deletion(username)
return "", 204
raise Unauthorized()
def user_view(user, password=None):
user_data = {
"kind": "user",
"name": user.username,
"username": user.username,
"email": user.email,
"verified": user.verified,
"avatar": avatar.get_data_for_user(user),
"super_user": superusers.is_superuser(user.username),
"enabled": user.enabled,
}
if password is not None:
user_data["encrypted_password"] = authentication.encrypt_user_password(password)
return user_data
def user_view(user, password=None):
user_data = {
'kind': 'user',
'name': user.username,
'username': user.username,
'email': user.email,
'verified': user.verified,
'avatar': avatar.get_data_for_user(user),
'super_user': superusers.is_superuser(user.username),
'enabled': user.enabled,
}
if password is not None:
user_data['encrypted_password'] = authentication.encrypt_user_password(
password)
return user_data
def post(self, username):
# Ensure that we are using database auth.
if app.config["AUTHENTICATION_TYPE"] != "Database":
raise InvalidRequest("Cannot send a recovery e-mail for non-database auth")
if SuperUserPermission().can():
user = pre_oci_model.get_nonrobot_user(username)
if user is None:
raise NotFound()
if superusers.is_superuser(username):
raise InvalidRequest("Cannot send a recovery email for a superuser")
code = pre_oci_model.create_reset_password_email_code(user.email)
send_recovery_email(user.email, code)
return {"email": user.email}
raise Unauthorized()
def to_dict(self):
user_data = {
"kind": "user",
"name": self.username,
"username": self.username,
"email": self.email,
"verified": self.verified,
"avatar": avatar.get_data_for_user(self),
"super_user": superusers.is_superuser(self.username),
"enabled": self.enabled,
}
if features.QUOTA_MANAGEMENT and self.quotas is not None:
user_data["quotas"] = (
[quota_view(quota)
for quota in self.quotas] if self.quotas else [])
user_data[
"quota_report"] = model.namespacequota.get_quota_for_view(
self.username)
return user_data
