def _check_for_user_lockout(original_object):
"""
Only to be called when the current user is known to have PERMIT_ADMIN_USERS
permission, checks that the current user hasn't locked themselves out from
user administration.
Also checks that the admin user's administration permission has not been
accidentally revoked.
If a lockout has occurred, the supplied original object is re-saved and a
ParameterError is raised.
"""
user_ids = [get_session_user_id(), 1]
for user_id in user_ids:
db_user = data_engine.get_user(user_id=user_id)
if db_user:
try:
# Require user administration
if not permissions_engine.is_permitted(
SystemPermissions.PERMIT_ADMIN_USERS, db_user):
raise ParameterError()
# For the admin user, also require permissions administration
if user_id == 1 and not permissions_engine.is_permitted(
SystemPermissions.PERMIT_ADMIN_PERMISSIONS, db_user):
raise ParameterError()
except ParameterError:
# Roll back permissions
data_engine.save_object(original_object)
permissions_engine.reset()
# Raise API error
who = 'the \'admin\' user' if user_id == 1 else 'you'
raise ParameterError(
'This change would lock %s out of administration' % who)
def _check_for_user_lockout(original_object):
"""
Only to be called when the current user is known to have PERMIT_ADMIN_USERS
permission, checks that the current user hasn't locked themselves out from
user administration.
Also checks that the admin user's administration permission has not been
accidentally revoked.
If a lockout has occurred, the supplied original object is re-saved and a
ParameterError is raised.
"""
user_ids = [get_session_user_id(), 1]
for user_id in user_ids:
db_user = data_engine.get_user(user_id=user_id)
if db_user:
try:
# Require user administration
if not permissions_engine.is_permitted(
SystemPermissions.PERMIT_ADMIN_USERS,
db_user
): raise ParameterError()
# For the admin user, also require permissions administration
if user_id == 1 and not permissions_engine.is_permitted(
SystemPermissions.PERMIT_ADMIN_PERMISSIONS,
db_user
): raise ParameterError()
except ParameterError:
# Roll back permissions
data_engine.save_object(original_object)
permissions_engine.reset()
# Raise API error
who = 'the \'admin\' user' if user_id == 1 else 'you'
raise ParameterError(
'This change would lock %s out of administration' % who
)
def decorated_function(*args, **kwargs):
res = _check_internal_request(request, session, False, True, SystemPermissions.PERMIT_ADMIN_USERS)
# If not admin_users, allow GET and PUT for current user's record
if res:
allow = (request.method == 'GET' or request.method == 'PUT') and \
'user_id' in kwargs and \
kwargs['user_id'] == get_session_user_id()
if not allow:
return res
return f(*args, **kwargs)
def decorated_function(*args, **kwargs):
res = _check_internal_request(request, session, False, True,
SystemPermissions.PERMIT_ADMIN_USERS)
# If not admin_users, allow GET and PUT for current user's record
if res:
allow = (request.method in ['GET', 'PUT'] and 'user_id' in kwargs
and kwargs['user_id'] > 0
and kwargs['user_id'] == get_session_user_id())
if not allow:
return res
return f(*args, **kwargs)
def get(self, task_id):
db_task = task_engine.get_task(task_id=task_id, decode_attrs=True)
if not db_task:
raise DoesNotExistError(str(task_id))
else:
# Requires super user or task owner
if not db_task.user or db_task.user.id != get_session_user_id():
permissions_engine.ensure_permitted(SystemPermissions.PERMIT_SUPER_USER, get_session_user())
tdict = object_to_dict(db_task)
if tdict.get("user") is not None:
# Do not give out anything password related
del tdict["user"]["password"]
return make_api_success_response(tdict)
def delete(self, user_id):
user = data_engine.get_user(user_id=user_id)
if user is None:
raise DoesNotExistError(str(user_id))
if user.id == 1:
raise ParameterError('The \'admin\' user cannot be deleted')
data_engine.delete_user(user)
# If this is the current user, log out
if get_session_user_id() == user_id:
log_out()
# Reset session caches
reset_user_sessions(user)
return make_api_success_response(object_to_dict(user))
def delete(self, user_id):
user = data_engine.get_user(user_id=user_id)
if user is None:
raise DoesNotExistError(str(user_id))
if user.id == 1:
raise ParameterError('The \'admin\' user cannot be deleted')
data_engine.delete_user(user)
# If this is the current user, log out
if get_session_user_id() == user_id:
log_out()
# Do not give out anything password related
udict = object_to_dict(user)
del udict['password']
return make_api_success_response(udict)
