Example #1
0
def _check_for_user_lockout(original_object):
    """
    Only to be called when the current user is known to have PERMIT_ADMIN_USERS
    permission, checks that the current user hasn't locked themselves out from
    user administration.
    Also checks that the admin user's administration permission has not been
    accidentally revoked.
    If a lockout has occurred, the supplied original object is re-saved and a
    ParameterError is raised.
    """
    user_ids = [get_session_user_id(), 1]
    for user_id in user_ids:
        db_user = data_engine.get_user(user_id=user_id)
        if db_user:
            try:
                # Require user administration
                if not permissions_engine.is_permitted(
                        SystemPermissions.PERMIT_ADMIN_USERS, db_user):
                    raise ParameterError()
                # For the admin user, also require permissions administration
                if user_id == 1 and not permissions_engine.is_permitted(
                        SystemPermissions.PERMIT_ADMIN_PERMISSIONS, db_user):
                    raise ParameterError()
            except ParameterError:
                # Roll back permissions
                data_engine.save_object(original_object)
                permissions_engine.reset()
                # Raise API error
                who = 'the \'admin\' user' if user_id == 1 else 'you'
                raise ParameterError(
                    'This change would lock %s out of administration' % who)
Example #2
0
def _check_for_user_lockout(original_object):
    """
    Only to be called when the current user is known to have PERMIT_ADMIN_USERS
    permission, checks that the current user hasn't locked themselves out from
    user administration.
    Also checks that the admin user's administration permission has not been
    accidentally revoked.
    If a lockout has occurred, the supplied original object is re-saved and a
    ParameterError is raised.
    """
    user_ids = [get_session_user_id(), 1]
    for user_id in user_ids:
        db_user = data_engine.get_user(user_id=user_id)
        if db_user:
            try:
                # Require user administration
                if not permissions_engine.is_permitted(
                    SystemPermissions.PERMIT_ADMIN_USERS,
                    db_user
                ): raise ParameterError()
                # For the admin user, also require permissions administration
                if user_id == 1 and not permissions_engine.is_permitted(
                    SystemPermissions.PERMIT_ADMIN_PERMISSIONS,
                    db_user
                ): raise ParameterError()
            except ParameterError:
                # Roll back permissions
                data_engine.save_object(original_object)
                permissions_engine.reset()
                # Raise API error
                who = 'the \'admin\' user' if user_id == 1 else 'you'
                raise ParameterError(
                    'This change would lock %s out of administration' % who
                )
Example #3
0
 def decorated_function(*args, **kwargs):
     res = _check_internal_request(request, session, False, True, SystemPermissions.PERMIT_ADMIN_USERS)
     # If not admin_users, allow GET and PUT for current user's record
     if res:
         allow = (request.method == 'GET' or request.method == 'PUT') and \
                 'user_id' in kwargs and \
                 kwargs['user_id'] == get_session_user_id()
         if not allow:
             return res
     return f(*args, **kwargs)
Example #4
0
 def decorated_function(*args, **kwargs):
     res = _check_internal_request(request, session, False, True,
                                   SystemPermissions.PERMIT_ADMIN_USERS)
     # If not admin_users, allow GET and PUT for current user's record
     if res:
         allow = (request.method in ['GET', 'PUT'] and 'user_id' in kwargs
                  and kwargs['user_id'] > 0
                  and kwargs['user_id'] == get_session_user_id())
         if not allow:
             return res
     return f(*args, **kwargs)
Example #5
0
 def get(self, task_id):
     db_task = task_engine.get_task(task_id=task_id, decode_attrs=True)
     if not db_task:
         raise DoesNotExistError(str(task_id))
     else:
         # Requires super user or task owner
         if not db_task.user or db_task.user.id != get_session_user_id():
             permissions_engine.ensure_permitted(SystemPermissions.PERMIT_SUPER_USER, get_session_user())
         tdict = object_to_dict(db_task)
         if tdict.get("user") is not None:
             # Do not give out anything password related
             del tdict["user"]["password"]
         return make_api_success_response(tdict)
Example #6
0
 def delete(self, user_id):
     user = data_engine.get_user(user_id=user_id)
     if user is None:
         raise DoesNotExistError(str(user_id))
     if user.id == 1:
         raise ParameterError('The \'admin\' user cannot be deleted')
     data_engine.delete_user(user)
     # If this is the current user, log out
     if get_session_user_id() == user_id:
         log_out()
     # Reset session caches
     reset_user_sessions(user)
     return make_api_success_response(object_to_dict(user))
Example #7
0
 def delete(self, user_id):
     user = data_engine.get_user(user_id=user_id)
     if user is None:
         raise DoesNotExistError(str(user_id))
     if user.id == 1:
         raise ParameterError('The \'admin\' user cannot be deleted')
     data_engine.delete_user(user)
     # If this is the current user, log out
     if get_session_user_id() == user_id:
         log_out()
     # Do not give out anything password related
     udict = object_to_dict(user)
     del udict['password']
     return make_api_success_response(udict)