Example #1
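  def one_expenditure(expense_id):
    """Return, update or delete a single expenditure.

    An ``expense_id`` below 1 selects the row with the highest id. GET
    returns the record, PATCH applies the JSON body to it, and DELETE removes
    it and returns the remaining expenditures.

    Aborts with 404 when no record is found, 401 when the permission check
    fails, and 422 when the PATCH body is unusable or the update/delete
    itself raises.
    """
    # if id is zero (or negative), use last submitted
    try:
      if expense_id < 1:
        target_expense = Expenditure.query.order_by(text("id desc")).first()
      else:
        target_expense = Expenditure.query.filter_by(id=expense_id).one()
    except Exception:
      abort(404)

    # .first() returns None on an empty table instead of raising.
    if target_expense is None:
      abort(404)

    if request.method == "GET":
      return jsonify({
        "success": True,
        "expenditure": target_expense.dict_form(),
        })

    if request.method == "PATCH":
      # The permission check sits outside any try block: abort() works by
      # raising, and a surrounding bare except would turn the 401 into a 422.
      if not has_permission("patch:expenditures"):
        abort(401)

      # silent=True yields None for a missing or malformed JSON body.
      payload = request.get_json(silent=True)
      if not isinstance(payload, dict):
        abort(422)

      valid_attributes = set(target_expense.dict_form().keys())
      valid_attributes.discard("id")
      # Allow-list the writable fields with an explicit check. An assert
      # would be stripped under `python -O`, leaving update() open to any key.
      if not set(payload.keys()) <= valid_attributes:
        abort(422)

      try:
        target_expense.update(payload)
        updated = target_expense.dict_form()
      except Exception:
        abort(422)
      return jsonify({
        "success": True,
        "expenditure": updated,
      })

    if request.method == "DELETE":
      if not has_permission("delete:expenditures"):
        abort(401)

      try:
        target_expense.delete()
        remaining = [e.dict_form() for e in Expenditure.query.all()]
      except Exception:
        abort(422)
      return jsonify({
        "success": True,
        "expenditures": remaining,
        })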
Example #2
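  def update_category(category_id):
    """Return, update or delete a single category.

    A ``category_id`` of 0 selects the row with the highest id. GET returns
    the record, PATCH applies the JSON body to it, and DELETE removes it and
    returns the remaining categories.

    Aborts with 404 when no record is found, 401 when the permission check
    fails, and 422 when the PATCH body is not a JSON object or names a field
    that may not be written.
    """
    # if ID is zero, use last submitted
    if category_id == 0:
      target_category = Category.query.order_by(text("id desc")).first()
    else:
      target_category = Category.query.get(category_id)

    # Both lookups return None when nothing matches; without this guard the
    # later attribute access fails with an unhandled AttributeError.
    if target_category is None:
      abort(404)

    if request.method == "GET":
      return jsonify({
        "success": True,
        "category": target_category.dict_form(),
        })

    if request.method == "PATCH":
      # NOTE(review): category writes are gated on the expenditure
      # permission; confirm this is intended and not carried over from the
      # expenditure handler.
      if not has_permission("patch:expenditures"):
        abort(401)

      # silent=True yields None for a missing or malformed JSON body.
      payload = request.get_json(silent=True)
      if not isinstance(payload, dict):
        abort(422)

      valid_attributes = set(target_category.dict_form().keys())
      valid_attributes.discard('id')
      # Allow-list the writable fields with an explicit check. An assert
      # would be stripped under `python -O`, leaving update() open to any key.
      if not set(payload.keys()) <= valid_attributes:
        abort(422)

      target_category.update(payload)
      return jsonify({
        "success": True,
        "category": target_category.dict_form()
        })

    if request.method == "DELETE":
      # NOTE(review): same question as for PATCH; this checks the
      # expenditure delete permission.
      if not has_permission("delete:expenditures"):
        abort(401)

      target_category.delete()
      all_categories = Category.query.all()
      return jsonify({
        "success": True,
        "categories": [e.dict_form() for e in all_categories]
        })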
Example #3
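def phrase_page(lang, base):
	"""Show one dictionary phrase and, on POST, save edits to its translations.

	The phrase is looked up by ``lang`` and ``base``. On POST, every stored
	translation is updated from the form fields ``tx-deleted-<k>-<rank>``,
	``tx-<k>-<rank>`` and ``tx-rank-<k>-<rank>``, each list is re-sorted by
	rank, and the document is written back. Callers that are not
	authenticated or lack the permission are redirected to the unauthorized
	page. A non-integer rank in the form aborts with 400.
	"""

	# Authentication
	user_profile = auth.verify_auth_token()
	# NOTE(review): phrases_page checks 'manage_dictionary' in lower case;
	# if has_permission compares names case-sensitively, one of the two pages
	# is checking a permission that does not exist. Confirm the canonical name.
	if user_profile is None or not auth.has_permission(user_profile, 'MANAGE_DICTIONARY'):
		return flask.redirect(flask.url_for('unauthorized_page'))

	# Get the phrase from the database
	phrase = mongo.db.phrases.find_one({
		'lang': lang,
		'base': base
	})

	section = dbutils.get_section_for_phrase(mongo, phrase)

	# NOTE(review): this POST changes stored data and no CSRF token check is
	# visible in this function; confirm one is enforced elsewhere.
	if phrase and flask.request.method == 'POST':
		# Apply changes from the form. A phrase without 'txs' has nothing to
		# edit, so an empty mapping stands in for it.
		txs_by_key = phrase.get('txs', {})
		for k, txs in txs_by_key.items():
			for tx in txs:
				orig_rank = int(tx['rank'])
				# The rank field is client-supplied text; reject a
				# non-integer value instead of failing with a 500.
				try:
					new_rank = int(flask.request.form["tx-rank-%s-%d" % (k, orig_rank)])
				except ValueError:
					flask.abort(400)
				tx['deleted'] = flask.request.form["tx-deleted-%s-%d" % (k, orig_rank)] == '1'
				tx['text'] = flask.request.form["tx-%s-%d" % (k, orig_rank)]
				tx['rank'] = new_rank
			txs_by_key[k] = sorted(txs, key=lambda tx: tx['rank'])

		# Perform the update
		# NOTE(review): update() with a full document replaces the stored
		# one; the call is deprecated in PyMongo 3 and removed in PyMongo 4,
		# where replace_one() is the equivalent.
		mongo.db.phrases.update(
			{
			'lang': lang,
			'base': base
			},
			phrase,
		)

	# Parse parameters; type=int falls back to the default when the query
	# value is not an integer.
	show_deleted = flask.request.args.get('show-deleted', 0, type=int)

	# Pass the translation to the template
	return flask.render_template('phrase.html',
		lang         = lang,
		phrase       = phrase,
		section      = section,
		show_deleted = show_deleted
	)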
Example #4
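def phrases_page(lang):
	"""List the phrases of ``lang`` whose rank lies in a requested window.

	The window comes from the ``min-phrase`` and ``max-phrase`` query
	parameters (inclusive on both ends) and defaults to 0..99 when either is
	missing, empty or not an integer. Each phrase is flagged with
	``has_section`` and ``has_txs`` before being passed to the template.
	Callers that are not authenticated or lack the permission are redirected
	to the unauthorized page.
	"""

	# Authentication
	user_profile = auth.verify_auth_token()
	# NOTE(review): phrase_page checks 'MANAGE_DICTIONARY' in upper case;
	# if has_permission compares names case-sensitively, one of the two pages
	# is checking a permission that does not exist. Confirm the canonical name.
	if user_profile is None or not auth.has_permission(user_profile, 'manage_dictionary'):
		return flask.redirect(flask.url_for('unauthorized_page'))

	# type=int returns None when the value is absent or not an integer, so a
	# malformed query string no longer raises an unhandled ValueError.
	min_phrase = flask.request.args.get('min-phrase', type=int)
	max_phrase = flask.request.args.get('max-phrase', type=int)
	if min_phrase is None or max_phrase is None:
		min_phrase = 0
		max_phrase = 99

	# NOTE(review): the window width is taken from the client and is not
	# capped here; a very wide range returns every phrase of the language.
	phrases = mongo.db.phrases.find({
		'lang': lang,
		'rank': { '$gt': min_phrase-1, '$lt': max_phrase+1 }
	}).sort('rank', 1)

	processed_phrases = []
	for phrase in phrases:
		if dbutils.get_section_for_phrase(mongo, phrase):
			phrase['has_section'] = 1
		if 'txs' in phrase:
			phrase['has_txs'] = 1
		processed_phrases.append(phrase)

	# Render the template by passing the total phrase counts
	return flask.render_template('phrases.html',
		lang          = lang,
		min_phrase    = min_phrase,
		max_phrase    = max_phrase,
		phrase_counts = processed_phrases,
	)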
Example #5
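    def auth0_callback_handling():
        """Complete the Auth0 login and populate the GUI session.

        Exchanges the callback for an access token, fetches the user's
        profile from the ``userinfo`` endpoint, and stores the user, the
        token and a set of per-permission flags in the session. Users holding
        ``get:volunteer`` are redirected to ``/dashboard``; everyone else is
        marked as a public user and redirected to ``/``.
        """
        response = auth0.authorize_access_token()
        token = response.get('access_token')
        resp = auth0.get('userinfo')
        userinfo = resp.json()

        # NOTE(review): the session is populated without being cleared first;
        # consider resetting it at login so nothing from a pre-login session
        # carries over. Confirm nothing else relies on the existing keys.

        # Session variables are set only for gui, not for the api.
        # The permission flags exist so the html can hide buttons the user is
        # not authorized for without calling has_permission() repeatedly.
        # They are display hints only; the flags themselves enforce nothing.
        session['return_html'] = True
        session['user'] = {
            'user_id': userinfo['sub'],
            'email': userinfo['email'],
            'first_name': userinfo['nickname'].title(),
        }
        # NOTE(review): if the app uses Flask's default cookie-based session,
        # the token is stored signed but not encrypted in the browser cookie.
        session['jwt_token'] = token

        # The access token is a bearer credential, so it is not printed:
        # anything written to stdout ends up in server logs.

        if not has_permission(token, 'get:volunteer'):
            # the user is a member of the public and has no permissions
            # they will be redirected to the index route
            session['public_user'] = True
            return redirect('/')

        # the user is either assistant or director and will be redirected
        # to the dashboard
        session['public_user'] = False
        ui_flags = (
            ('delete_task_ok', 'delete:task'),
            ('delete_vol_ok', 'delete:volunteer'),
            ('add_task_ok', 'post:task'),
            ('add_vol_ok', 'post:volunteer'),
            ('update_task_ok', 'patch:task'),
        )
        for session_key, permission in ui_flags:
            # Stored as the strings 'True' / 'False', as the templates expect.
            session[session_key] = str(has_permission(token, permission))
        return redirect('/dashboard')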