def _check_for_user_lockout(original_object):
"""
Only to be called when the current user is known to have PERMIT_ADMIN_USERS
permission, checks that the current user hasn't locked themselves out from
user administration.
Also checks that the admin user's administration permission has not been
accidentally revoked.
If a lockout has occurred, the supplied original object is re-saved and a
ParameterError is raised.
"""
user_ids = [get_session_user_id(), 1]
for user_id in user_ids:
db_user = data_engine.get_user(user_id=user_id)
if db_user:
try:
# Require user administration
if not permissions_engine.is_permitted(
SystemPermissions.PERMIT_ADMIN_USERS, db_user):
raise ParameterError()
# For the admin user, also require permissions administration
if user_id == 1 and not permissions_engine.is_permitted(
SystemPermissions.PERMIT_ADMIN_PERMISSIONS, db_user):
raise ParameterError()
except ParameterError:
# Roll back permissions
data_engine.save_object(original_object)
permissions_engine.reset()
# Raise API error
who = 'the \'admin\' user' if user_id == 1 else 'you'
raise ParameterError(
'This change would lock %s out of administration' % who)
def _check_for_user_lockout(original_object):
"""
Only to be called when the current user is known to have PERMIT_ADMIN_USERS
permission, checks that the current user hasn't locked themselves out from
user administration.
Also checks that the admin user's administration permission has not been
accidentally revoked.
If a lockout has occurred, the supplied original object is re-saved and a
ParameterError is raised.
"""
user_ids = [get_session_user_id(), 1]
for user_id in user_ids:
db_user = data_engine.get_user(user_id=user_id)
if db_user:
try:
# Require user administration
if not permissions_engine.is_permitted(
SystemPermissions.PERMIT_ADMIN_USERS,
db_user
): raise ParameterError()
# For the admin user, also require permissions administration
if user_id == 1 and not permissions_engine.is_permitted(
SystemPermissions.PERMIT_ADMIN_PERMISSIONS,
db_user
): raise ParameterError()
except ParameterError:
# Roll back permissions
data_engine.save_object(original_object)
permissions_engine.reset()
# Raise API error
who = 'the \'admin\' user' if user_id == 1 else 'you'
raise ParameterError(
'This change would lock %s out of administration' % who
)
def post(self, group_id):
params = self._get_validated_object_parameters(request.form)
group = data_engine.get_group(group_id=group_id, load_users=True)
if group is None:
raise DoesNotExistError(str(group_id))
# Check permissions! The current user must have user admin to be here.
# But if they don't also have permissions admin or superuser then we
# must block the change if the new group would grant one of the same.
if group.permissions.admin_permissions or group.permissions.admin_all:
if not permissions_engine.is_permitted(
SystemPermissions.PERMIT_ADMIN_PERMISSIONS,
get_session_user()):
raise SecurityError(
'You cannot add users to a group that ' +
'grants permissions administration, because you do not ' +
'have permissions administration access yourself.')
user = data_engine.get_user(user_id=params['user_id'])
if user is not None:
if user not in group.users:
group.users.append(user)
data_engine.save_object(group)
reset_user_sessions(user)
permissions_engine.reset()
return make_api_success_response()
def post(self, group_id):
params = self._get_validated_object_parameters(request.form)
group = data_engine.get_group(group_id=group_id, load_users=True)
if group is None:
raise DoesNotExistError(str(group_id))
# Check permissions! The current user must have user admin to be here.
# But if they don't also have permissions admin or superuser then we
# must block the change if the new group would grant one of the same.
if group.permissions.admin_permissions or group.permissions.admin_all:
if not permissions_engine.is_permitted(
SystemPermissions.PERMIT_ADMIN_PERMISSIONS, get_session_user()
):
raise SecurityError(
'You cannot add users to a group that ' +
'grants permissions administration, because you do not ' +
'have permissions administration access yourself.'
)
user = data_engine.get_user(user_id=params['user_id'])
if user is not None:
if user not in group.users:
group.users.append(user)
data_engine.save_object(group)
permissions_engine.reset()
return make_api_success_response()
def _set_permissions(self, group, params):
# Apply default permissions if this is a new group
if not group.permissions:
group.permissions = SystemPermissions(group, False, False, False,
False, False, False, False)
# Update permissions only if the current user has permissions admin
if permissions_engine.is_permitted(
SystemPermissions.PERMIT_ADMIN_PERMISSIONS,
get_session_user()):
group.permissions.folios = params['access_folios']
group.permissions.reports = params['access_reports']
group.permissions.admin_users = params['access_admin_users']
group.permissions.admin_files = params['access_admin_files']
group.permissions.admin_folios = params['access_admin_folios']
group.permissions.admin_permissions = params[
'access_admin_permissions']
group.permissions.admin_all = params['access_admin_all']
return True
return False
def _set_permissions(self, group, params):
# Apply default permissions if this is a new group
if not group.permissions:
group.permissions = SystemPermissions(
group, False, False, False, False, False, False, False
)
# Update permissions only if the current user has permissions admin
if permissions_engine.is_permitted(
SystemPermissions.PERMIT_ADMIN_PERMISSIONS, get_session_user()
):
group.permissions.folios = params['access_folios']
group.permissions.reports = params['access_reports']
group.permissions.admin_users = params['access_admin_users']
group.permissions.admin_files = params['access_admin_files']
group.permissions.admin_folios = params['access_admin_folios']
group.permissions.admin_permissions = params['access_admin_permissions']
group.permissions.admin_all = params['access_admin_all']
return True
return False
