def remove_users_from_group(self,
userIds,
groupId,
format="json",
**kwargs):
user, sMessages, fMessages = (cherrypy.session.get("user"), [], [])
try:
userIds = split_list_sanitized(userIds)
groupId = int(strip_tags(groupId))
group = session.query(Group).filter(Group.id == groupId).one()
if group.owner_id == user.id or AccountService.user_has_permission(
user, "admin"):
for userId in userIds:
user = AccountService.get_user(userId)
group.members.remove(user)
session.add(
AuditLog(
user.id, Actions.UPDATE_GROUP,
"%s user(s) removed from group \"%s\"(%s)" %
(len(userIds), group.name, group.id)))
session.commit()
sMessages.append("Group members removed successfully")
else:
fMessages.append(
"You do not have permission to modify group with ID:%s" %
str(groupId))
except ValueError:
fMessages.append("Invalid group Id")
except sqlalchemy.orm.exc.NoResultFound, nrf:
fMessages.append("Group with ID:%s could not be found" %
str(groupId))
def process_login(self, username, password, **kwargs):
rootURL, local = cherrypy.request.app.config['filelocker']['root_url'], False
if kwargs.has_key("local") and kwargs['local'] == str(True):
local = True
username = strip_tags(username)
if password is None or password == "":
raise cherrypy.HTTPRedirect("%s/login?msg=3&local=%s" % (rootURL, str(local)))
else:
directory = AccountService.ExternalDirectory(local)
if directory.authenticate(username, password):
cherrypy.session['request-origin'] = str(os.urandom(32).encode('hex'))[0:32]
currentUser = AccountService.get_user(username, True) #if they are authenticated and local, this MUST return a user object
if currentUser is not None:
if not currentUser.authorized:
raise cherrypy.HTTPError(403, "You do not have permission to access this system")
session.add(AuditLog(cherrypy.session.get("user").id, "Login", "User %s logged in successfully from IP %s" % (currentUser.id, Filelocker.get_client_address())))
session.commit()
raise cherrypy.HTTPRedirect(rootURL)
else: #This should only happen in the case of a user existing in the external directory, but having never logged in before
try:
newUser = directory.lookup_user(username)
AccountService.install_user(newUser)
currentUser = AccountService.get_user(username, True)
if currentUser is not None and currentUser.authorized != False:
raise cherrypy.HTTPRedirect(rootURL)
else:
raise cherrypy.HTTPError(403, "You do not have permission to access this system")
except Exception, e:
return "Unable to install user: %s" % str(e)
else:
def remove_users_from_group(self, userIds, groupId, format="json", requestOrigin="", **kwargs):
user, sMessages, fMessages = (cherrypy.session.get("user"), [], [])
if requestOrigin != cherrypy.session['request-origin']:
fMessages.append("Missing request key!!")
else:
try:
userIds = split_list_sanitized(userIds)
groupId = int(strip_tags(groupId))
group = session.query(Group).filter(Group.id==groupId).one()
if group.owner_id == user.id or AccountService.user_has_permission(user, "admin"):
for userId in userIds:
user = AccountService.get_user(userId)
group.members.remove(user)
session.add(AuditLog(user.id, Actions.UPDATE_GROUP, "%s user(s) removed from group \"%s\"(%s)" % (len(userIds), group.name, group.id)))
session.commit()
sMessages.append("Group members removed successfully")
else:
fMessages.append("You do not have permission to modify group with ID:%s" % str(groupId))
except ValueError:
fMessages.append("Invalid group Id")
except sqlalchemy.orm.exc.NoResultFound, nrf:
fMessages.append("Group with ID:%s could not be found" % str(groupId))
except Exception, e:
session.rollback()
fMessages.append("Couldn't remove members from group: %s" % str(e))
cherrypy.log.error("[%s] [remove_users_from_group] [Couldn't remove members from group: %s]" % (user.id, str(e)))
def update_user(self, userId, quota=None, email=None, firstName=None, lastName=None, password=None, confirmPassword=None, format="json", requestOrigin="", **kwargs):
user, sMessages, fMessages = (cherrypy.session.get("user"), [], [])
if requestOrigin != cherrypy.session['request-origin']:
fMessages.append("Missing request key!!")
else:
try:
userId = strip_tags(userId)
if userId == user.id or AccountService.user_has_permission(user, "admin"):
updateUser = AccountService.get_user(userId) #This kind of implicitly enforces permissions
updateUser.email = strip_tags(email) if strip_tags(email) is not None else updateUser.email
updateUser.quota = int(strip_tags(quota)) if strip_tags(quota) is not None else updateUser.quota
updateUser.first_name = strip_tags(firstName) if strip_tags(firstName) is not None else updateUser.first_name
updateUser.last_name = strip_tags(lastName) if strip_tags(lastName) is not None else updateUser.last_name
if password != "" and password is not None and confirmPassword != "" and confirmPassword is not None:
if password == confirmPassword:
updateUser.set_password(password)
else:
fMessages.append("Passwords do not match, password has not been reset")
sMessages.append("Successfully updated user settings")
session.add(AuditLog(user.id, Actions.UPDATE_USER, "%s updated user account \"%s\"" % (user.id, userId), userId))
session.commit()
else:
fMessages.append("You do not have permission to update this user")
except Exception, e:
session.rollback()
cherrypy.log.error("[%s] [update_user] [Problem rupdating user: %s]" % (user.id, str(e)))
fMessages.append("Problem while updating user: %s" % str(e))
def files(self, **kwargs):
user, role, defaultExpiration, uploadRequests, userFiles, userShareableAttributes, attributeFilesDict, sharedFiles = (
cherrypy.session.get("user"), cherrypy.session.get("current_role"),
None, [], [], [], {}, [])
config = cherrypy.request.app.config['filelocker']
orgConfig = get_config_dict_from_objects(
session.query(ConfigParameter).filter(
ConfigParameter.name.like('org_%')).all())
maxDays = int(
session.query(ConfigParameter).filter(
ConfigParameter.name == 'max_file_life_days').one().value)
geoTagging = get_config_dict_from_objects([
session.query(ConfigParameter).filter(
ConfigParameter.name == 'geotagging').one()
])['geotagging']
adminEmail = session.query(ConfigParameter).filter(
ConfigParameter.name == 'admin_email').one().value
defaultExpiration = datetime.date.today() + (datetime.timedelta(
days=maxDays))
userFiles = self.file.get_user_file_list(format="list")
if role is None:
uploadRequests = session.query(UploadRequest).filter(
UploadRequest.owner_id == user.id).all()
userShareableAttributes = AccountService.get_shareable_attributes_by_user(
user)
attributeFilesDict = ShareService.get_files_shared_with_user_by_attribute(
user)
sharedFiles = ShareService.get_files_shared_with_user(user)
else:
userShareableAttributes = AccountService.get_shareable_attributes_by_role(
role)
tpl = Template(file=get_template_file('files.tmpl'),
searchList=[locals(), globals()])
return str(tpl)
def admin_console(self, **kwargs):
user, config = cherrypy.session.get(
"user"), cherrypy.request.app.config['filelocker']
orgConfig = get_config_dict_from_objects(
session.query(ConfigParameter).filter(
ConfigParameter.name.like('org_%')).all())
templateFiles = os.listdir(os.path.join(config['root_path'], "view"))
configParameters = session.query(ConfigParameter).order_by(
ConfigParameter.name).all()
flUsers = session.query(User).slice(0, 50)
flRoles = session.query(Role)
totalFileCount = session.query(func.count(File.id)).scalar()
totalUserCount = session.query(func.count(User.id)).scalar()
totalMessageCount = session.query(func.count(Message.id)).scalar()
currentUsersList = []
currentUploads = len(cherrypy.file_uploads)
logsFile = open(cherrypy.config["log.error_file"])
logs = tail(logsFile, 50)
attributes = AccountService.get_shareable_attributes_by_user(user)
currentUserIds = []
sessionCache = {}
sessionCache = cherrypy.session.cache
for key in sessionCache.keys():
try:
if sessionCache[key][0].has_key('user') and sessionCache[key][
0]['user'] is not None and sessionCache[key][0][
'user'].id not in currentUserIds:
currentUser = sessionCache[key][0]['user']
currentUsersList.append(currentUser)
currentUserIds.append(currentUser.id)
except Exception, e:
cherrypy.log.error(
"[%s] [admin] [Unable to read user session: %s]" %
(user.id, str(e)))
def get_public_shares_by_file_ids(self, fileIds, format="json", **kwargs):
user, role, sMessages, fMessages, publicShares = (
cherrypy.session.get("user"), cherrypy.session.get("current_role"),
[], [], [])
fileIds = split_list_sanitized(fileIds)
try:
publicShareIds = []
for fileId in fileIds:
try:
flFile = session.query(File).filter(
File.id == fileId).one()
if role is not None:
if flFile.role_owner_id == role.id:
for publicShare in flFile.public_shares:
if publicShare.id not in publicShareIds:
publicShareIds.append(publicShare.id)
publicShares.append(publicShare)
else:
fMessages.append(
"This role does not have permission to access public shares on file with ID: %s"
% fileId)
elif flFile.owner_id == user.id or AccountService.user_has_permission(
user, "admin"):
for publicShare in flFile.public_shares:
if publicShare.id not in publicShareIds:
publicShareIds.append(publicShare.id)
publicShares.append(publicShare)
else:
fMessages.append(
"You do not have permission to access public shares on file with ID:%s"
% fileId)
except sqlalchemy.orm.exc.NoResultFound:
fMessages.append("File with ID:%s not found" % fileId)
except Exception, e:
fMessages.append(str(e))
def delete_messages(self,
messageIds,
format="json",
requestOrigin="",
**kwargs):
user, sMessages, fMessages = cherrypy.session.get("user"), [], []
if requestOrigin != cherrypy.session['request-origin']:
fMessages.append("Missing request key!!")
else:
try:
messageIdList = split_list_sanitized(messageIds)
for messageId in messageIdList:
message = session.query(Message).filter(
Message.id == messageId).scalar()
if (message.owner_id == user.id
or AccountService.user_has_permission(
user, "admin")):
session.delete(message)
else:
fMessages.append(
"You do not have permission to delete message with ID: %s"
% messageId)
session.commit()
sMessages.append("Message(s) deleted")
except Exception, e:
cherrypy.log.error(
"[%s] [delete_messages] [Could not delete message: %s]" %
(user.id, str(e)))
fMessages.append("Could not delete message: %s" % str(e))
def take_file(self, fileId, format="json", requestOrigin="", **kwargs):
user, sMessages, fMessages = (cherrypy.session.get("user"), [], [])
if requestOrigin != cherrypy.session['request-origin']:
fMessages.append("Missing request key!!")
else:
config = cherrypy.request.app.config['filelocker']
try:
flFile = session.query(File).filter(File.id==fileId).one()
if flFile.owner_id == user.id:
fMessages.append("You cannot take your own file")
elif flFile.shared_with(user) or AccountService.user_has_permission(user, "admin"):
if (FileService.get_user_quota_usage_bytes(user) + flFile.size) >= (user.quota*1024*1024):
cherrypy.log.error("[%s] [take_file] [User has insufficient quota space remaining to check in file: %s]" % (user.id, flFile.name))
raise Exception("You may not copy this file because doing so would exceed your quota")
takenFile = flFile.get_copy()
takenFile.owner_id = user.id
takenFile.date_uploaded = datetime.datetime.now()
takenFile.notify_on_download = False
session.add(takenFile)
session.commit()
shutil.copy(os.path.join(config['vault'],str(flFile.id)), os.path.join(config['vault'],str(takenFile.id)))
sMessages.append("Successfully took ownership of file %s. This file can now be shared with other users just as if you had uploaded it. " % flFile.name)
else:
fMessages.append("You do not have permission to take this file")
except sqlalchemy.orm.exc.NoResultFound, nrf:
fMessages.append("Could not find file with ID: %s" % str(fileId))
except Exception, e:
session.rollback()
fMessages.append(str(e))
def delete_public_share(self, shareId, format="json", **kwargs):
user, role, sMessages, fMessages = (
cherrypy.session.get("user"), cherrypy.session.get("current_role"),
[], [])
shareId = strip_tags(shareId)
try:
ps = session.query(PublicShare).filter(
PublicShare.id == shareId).one()
if role is not None and ps.role_owner_id == role.id:
session.delete(ps)
session.add(
AuditLog(
user.id, Actions.DELETE_PUBLIC_SHARE,
"Role %s stopped sharing files publicly via URL using share ID: %s"
% (role.name, str(ps.id)), None, role.id))
session.commit()
sMessages.append("Successfully unshared files")
elif ps.owner_id == user.id or AccountService.user_has_permission(
user, "admin"):
session.delete(ps)
session.add(
AuditLog(
user.id, Actions.DELETE_PUBLIC_SHARE,
"You stopped sharing files publicly via URL using share ID: %s"
% str(ps.id)))
session.commit()
sMessages.append("Successfully unshared files")
else:
fMessages.append(
"You do not have permission to modify share ID: %s" %
str(ps.id))
except Exception, e:
fMessages.append(str(e))
def CLI_login(self, CLIkey, userId, format="cli", **kwargs):
rootURL, local, sMessages, fMessages = cherrypy.request.app.config['filelocker']['root_url'], False, [], []
if session.query(ConfigParameter).filter(ConfigParameter.name == "cli_feature").one().value == 'Yes':
userId = strip_tags(userId)
CLIkey = strip_tags(CLIkey)
hostIP = Filelocker.get_client_address()
if(self.validIPv4.match(hostIP)):
hostIPv4 = hostIP
hostIPv6 = ""
elif(self.validIPv6.match(hostIP)):
hostIPv4 = ""
hostIPv6 = hostIP
self.directory = CLIDirectory.CLIDirectory()
if self.directory.authenticate(userId, CLIkey, hostIPv4, hostIPv6):
currentUser = AccountService.get_user(userId, True)
cherrypy.session['request-origin'] = str(os.urandom(32).encode('hex'))[0:32]
if currentUser is not None:
session.add(AuditLog(cherrypy.session.get("user").id, "Login", "User %s logged in successfully from IP %s" % (currentUser.id, Filelocker.get_client_address())))
session.commit()
sMessages.append(cherrypy.session['request-origin'])
else:
fMessages.append("Failure: Not Authorized!")
else:
fMessages.append("Failure: Not Authorized!")
else:
fMessages.append("Failure: CLI not supported by server!")
return fl_response(sMessages, fMessages, format)
def create_attribute_shares(self,
fileIds,
attributeId,
format="json",
**kwargs):
user, sMessages, fMessages = (cherrypy.session.get("user"), [], [])
try:
userShareableAttributes, permission = AccountService.get_shareable_attributes_by_user(
user), False
for attribute in userShareableAttributes:
if attributeId == attribute.id:
permission = True
break
if permission:
fileIds = split_list_sanitized(fileIds)
for fileId in fileIds:
session.add(
AttributeShare(file_id=fileId,
attribute_id=attributeId))
sMessages.append(
"Successfully shared file(s) with users having the %s attribute"
% attributeId)
else:
fMessages.append(
"You do not have permission to share with this attribute")
except Exception, e:
fMessages.append(str(e))
def delete_attribute_shares(self,
fileIds,
attributeId,
format="json",
**kwargs):
user, sMessages, fMessages = (cherrypy.session.get("user"), [], [])
try:
userShareableAttributes, permission = AccountService.get_shareable_attributes_by_user(
user), False
for attribute in userShareableAttributes:
if attributeId == attribute.id:
permission = True
break
if permission:
fileIdList = split_list_sanitized(fileIds)
for fileId in fileIdList:
share = session.query(AttributeShare).filter(
AttributeShare.attribute_id == attributeId
and AttributeShare.fileId == fileId).one()
session.delete(share)
sMessages.append(
"Successfully unshared file(s) with users having the %s attribute"
% attributeId)
else:
fMessages.append(
"You do not have permission to delete attribute shares for this attribute"
)
except Exception, e:
fMessages.append(str(e))
def delete_user_shares(self, fileIds, userId, format="json"):
user, role, sMessages, fMessages = (
cherrypy.session.get("user"), cherrypy.session.get("current_role"),
[], [])
fileIds = split_list_sanitized(fileIds)
for fileId in fileIds:
try:
flFile = session.query(File).filter(File.id == fileId).one()
if (
role is not None and flFile.role_owner_id == role.id
) or flFile.owner_id == user.id or AccountService.user_has_permission(
user, "admin"):
ps = session.query(UserShare).filter(
and_(UserShare.user_id == userId,
UserShare.file_id == flFile.id)).scalar()
if ps is not None:
session.delete(ps)
session.add(
AuditLog(
user.id, Actions.DELETE_USER_SHARE,
"You stopped sharing file %s with %s" %
(flFile.name, userId), None,
role.id if role is not None else None))
session.commit()
sMessages.append("Share has been successfully deleted")
else:
fMessages.append("This share does not exist")
else:
fMessages.append(
"You do not have permission to modify shares for file with ID: %s"
% str(flFile.id))
except Exception, e:
session.rollback()
fMessages.append("Problem deleting share for file: %s" %
str(e))
def upload(self, format="json", **kwargs):
cherrypy.response.timeout = 86400
user, role, uploadRequest, uploadKey, config, sMessages, fMessages, uploadIndex = None, None, None, None, cherrypy.request.app.config['filelocker'], [], [], None
notify_user = False
#Check Permission to upload since we can't wrap in requires login for public uploads
if cherrypy.session.has_key("uploadRequest") and cherrypy.session.get("uploadRequest") is not None and cherrypy.session.get("uploadRequest").expired == False:
uploadRequest = cherrypy.session.get("uploadRequest")
user = AccountService.get_user(uploadRequest.owner_id)
uploadKey = "%s:%s" % (user.id, uploadRequest.id)
if uploadRequest.notify_user:
notify_user = True
else:
#cherrypy.tools.requires_login()
user, sMessages, fMessages = cherrypy.session.get("user"), cherrypy.session.get("sMessages"), cherrypy.session.get("fMessages")
uploadKey = user.id
if cherrypy.session.get("current_role") is not None:
role = cherrypy.session.get("current_role")
#Check upload size
lcHDRS = {}
for key, val in cherrypy.request.headers.iteritems():
lcHDRS[key.lower()] = val
try:
fileSizeBytes = int(lcHDRS['content-length'])
except KeyError, ke:
fMessages.append("Request must have a valid content length")
raise cherrypy.HTTPError(411, "Request must have a valid content length")
def update_file(self, fileId, format="json", requestOrigin="", **kwargs):
user, sMessages, fMessages = (cherrypy.session.get("user"), [], [])
if requestOrigin != cherrypy.session['request-origin']:
fMessages.append("Missing request key!!")
else:
fileId = strip_tags(fileId)
try:
flFile = session.query(File).filter(File.id == fileId).one()
if flFile.owner_id == user.id or AccountService.user_has_permission(
user, "admin"):
if kwargs.has_key("fileName"):
flFile.name = strip_tags(kwargs['fileName'])
if kwargs.has_key('notifyOnDownload'):
flFile.notify_on_download = True if kwargs[
'notifyOnDownload'].lower() == "true" else False
if kwargs.has_key('fileNotes'):
flFile.notes = strip_tags(kwargs['fileNotes'])
session.commit()
sMessages.append("Successfully updated file %s" %
flFile.name)
else:
fMessages.append(
"You do not have permission to update file with ID: %s"
% str(flFile.id))
except sqlalchemy.orm.exc.NoResultFound, nrf:
fMessages.append("Could not find file with ID: %s" %
str(fileId))
except Exception, e:
fMessages.append(str(e))
def delete_upload_request(self, ticketId, format="json", requestOrigin=""):
user, sMessages, fMessages = cherrypy.session.get("user"), [], []
if requestOrigin != cherrypy.session['request-origin']:
fMessages.append("Missing request key!!")
else:
try:
ticketId = strip_tags(ticketId)
uploadRequest = session.query(UploadRequest).filter(
UploadRequest.id == ticketId).one()
if uploadRequest.owner_id == user.id or AccountService.user_has_permission(
user, "admin"):
session.delete(uploadRequest)
session.add(
AuditLog(
user.id, Actions.DELETE_UPLOAD_REQUEST,
"You deleted an upload request with ID: %s" %
uploadRequest.id))
session.commit()
sMessages.append("Upload request deleted")
else:
fMessages.append(
"You do not have permission to delete this upload request"
)
except Exception, e:
fMessages.append(str(e))
def search_users(self,
firstName=None,
lastName=None,
userId=None,
format="json",
external="false",
**kwargs):
config = cherrypy.request.app.config['filelocker']
user, foundUsers, sMessages, fMessages, tooManyResults = (
cherrypy.session.get("user"), [], [], [], False)
external = False if external.lower() != "true" else True
try:
if firstName is not None or lastName is not None or userId is not None: #Must have something to search on
firstName = strip_tags(firstName)
lastName = strip_tags(lastName)
userId = strip_tags(userId)
directory = AccountService.ExternalDirectory(external != True)
foundUsers = directory.get_user_matches(
firstName, lastName, userId)
else:
fMessages.append(
"Please specify the first name, last name, or username of the user for whom you are searching"
)
except Exception, e:
if str(e) == "toomany":
tooManyResults = True
else:
cherrypy.log.error(
"[%s] [search_users] [Errors during directory search: %s]"
% (user.id, str(fMessages)))
fMessages.append(str(e))
def get_public_shares_by_file_ids(self, fileIds, format="json", **kwargs):
user, role, sMessages, fMessages, publicShares = (cherrypy.session.get("user"), cherrypy.session.get("current_role"), [], [], [])
fileIds = split_list_sanitized(fileIds)
try:
publicShareIds = []
for fileId in fileIds:
try:
flFile = session.query(File).filter(File.id==fileId).one()
if role is not None:
if flFile.role_owner_id == role.id:
for publicShare in flFile.public_shares:
if publicShare.id not in publicShareIds:
publicShareIds.append(publicShare.id)
publicShares.append(publicShare)
else:
fMessages.append("This role does not have permission to access public shares on file with ID: %s" % fileId)
elif flFile.owner_id == user.id or AccountService.user_has_permission(user, "admin"):
for publicShare in flFile.public_shares:
if publicShare.id not in publicShareIds:
publicShareIds.append(publicShare.id)
publicShares.append(publicShare)
else:
fMessages.append("You do not have permission to access public shares on file with ID:%s" % fileId)
except sqlalchemy.orm.exc.NoResultFound:
fMessages.append("File with ID:%s not found" % fileId)
except Exception, e:
fMessages.append(str(e))
def admin_console(self, **kwargs):
user, config = cherrypy.session.get("user"), cherrypy.request.app.config['filelocker']
orgConfig = get_config_dict_from_objects(session.query(ConfigParameter).filter(ConfigParameter.name.like('org_%')).all())
templateFiles = os.listdir(os.path.join(config['root_path'], "view"))
configParameters = session.query(ConfigParameter).order_by(ConfigParameter.name).all()
flUsers = session.query(User).slice(0,50)
flRoles = session.query(Role)
totalFileCount = session.query(func.count(File.id)).scalar()
totalUserCount = session.query(func.count(User.id)).scalar()
totalMessageCount = session.query(func.count(Message.id)).scalar()
currentUsersList = []
currentUploads = len(cherrypy.file_uploads)
logsFile = open(cherrypy.config["log.error_file"],"a+")
logs = tail(logsFile, 50)
attributes = AccountService.get_shareable_attributes_by_user(user)
currentUserIds = []
sessionCache = {}
sessionCache = cherrypy.session.cache
for key in sessionCache.keys():
try:
if sessionCache[key][0].has_key('user') and sessionCache[key][0]['user'] is not None and sessionCache[key][0]['user'].id not in currentUserIds:
currentUser = sessionCache[key][0]['user']
currentUsersList.append(currentUser)
currentUserIds.append(currentUser.id)
except Exception, e:
cherrypy.log.error("[%s] [admin] [Unable to read user session: %s]" % (user.id, str(e)))
def delete_files(self, fileIds, format="json", requestOrigin="", **kwargs):
user, role, sMessages, fMessages = (cherrypy.session.get("user"),cherrypy.session.get("current_role"), [], [])
if requestOrigin != cherrypy.session['request-origin']:
fMessages.append("Missing request key!!")
else:
fileIds = split_list_sanitized(fileIds)
for fileId in fileIds:
try:
fileId = int(fileId)
flFile = session.query(File).filter(File.id == fileId).one()
if flFile.role_owner_id is not None and role is not None and flFile.role_owner_id == role.id:
FileService.queue_for_deletion(flFile.id)
session.delete(flFile)
session.add(AuditLog(user.id, Actions.DELETE_FILE, "File %s (%s) owned by role %s has been deleted by user %s. " % (flFile.name, flFile.id, role.name, user.id)))
session.commit()
sMessages.append("File %s deleted successfully" % flFile.name)
elif flFile.owner_id == user.id or AccountService.user_has_permission(user, "admin"):
FileService.queue_for_deletion(flFile.id)
session.delete(flFile)
session.add(AuditLog(user.id, Actions.DELETE_FILE, "File %s (%s) has been deleted" % (flFile.name, flFile.id)))
session.commit()
sMessages.append("File %s deleted successfully" % flFile.name)
else:
fMessages.append("You do not have permission to delete file %s" % flFile.name)
except sqlalchemy.orm.exc.NoResultFound, nrf:
fMessages.append("Could not find file with ID: %s" % str(fileId))
except Exception, e:
session.rollback()
cherrypy.log.error("[%s] [delete_files] [Could not delete file: %s]" % (user.id, str(e)))
fMessages.append("File not deleted: %s" % str(e))
def update_group(self,
groupId,
groupName=None,
groupScope="private",
format="json",
**kwargs):
user, sMessages, fMessages = (cherrypy.session.get("user"), [], [])
try:
groupId = strip_tags(groupId)
group = session.query(Group).filter(Group.id == groupId).one()
if group.owner_id == user.id or AccountService.user_has_permission(
user, "admin"):
group.name = strip_tags(groupName) if strip_tags(
groupName) is not None else group.name
group.scope = strip_tags(groupScope.lower(
)) if groupScope is not None else group.scope
session.add(
AuditLog(
user.id, Actions.UPDATE_GROUP,
"Group \"%s\"(%s) has been updated" %
(group.name, group.id)))
session.commit()
sMessages.append("Group updated")
else:
fMessages.append(
"You do not have permission to update this group")
except sqlalchemy.orm.exc.NoResultFound, nrf:
fMessages.append("Could not find group with ID: %s" % str(groupId))
def take_file(self, fileId, format="json", **kwargs):
user, sMessages, fMessages = (cherrypy.session.get("user"), [], [])
config = cherrypy.request.app.config['filelocker']
try:
flFile = session.query(File).filter(File.id == fileId).one()
if flFile.owner_id == user.id:
fMessages.append("You cannot take your own file")
elif flFile.shared_with(
user) or AccountService.user_has_permission(user, "admin"):
if (FileService.get_user_quota_usage_bytes(user) +
flFile.size) >= (user.quota * 1024 * 1024):
cherrypy.log.error(
"[%s] [take_file] [User has insufficient quota space remaining to check in file: %s]"
% (user.id, flFile.name))
raise Exception(
"You may not copy this file because doing so would exceed your quota"
)
takenFile = flFile.get_copy()
takenFile.owner_id = user.id
takenFile.date_uploaded = datetime.datetime.now()
takenFile.notify_on_download = False
session.add(takenFile)
session.commit()
shutil.copy(os.path.join(config['vault'], str(flFile.id)),
os.path.join(config['vault'], str(takenFile.id)))
sMessages.append(
"Successfully took ownership of file %s. This file can now be shared with other users just as if you had uploaded it. "
% flFile.name)
else:
fMessages.append(
"You do not have permission to take this file")
except sqlalchemy.orm.exc.NoResultFound, nrf:
fMessages.append("Could not find file with ID: %s" % str(fileId))
def upload(self, format="json", **kwargs):
cherrypy.response.timeout = 86400
user, role, uploadRequest, uploadKey, config, sMessages, fMessages, uploadIndex = None, None, None, None, cherrypy.request.app.config[
'filelocker'], [], [], None
#Check Permission to upload since we can't wrap in requires login for public uploads
if cherrypy.session.has_key("uploadRequest") and cherrypy.session.get(
"uploadRequest") is not None and cherrypy.session.get(
"uploadRequest").expired == False:
uploadRequest = cherrypy.session.get("uploadRequest")
user = AccountService.get_user(uploadRequest.owner_id)
uploadKey = "%s:%s" % (user.id, uploadRequest.id)
else:
#cherrypy.tools.requires_login()
user, sMessages, fMessages = cherrypy.session.get(
"user"), cherrypy.session.get(
"sMessages"), cherrypy.session.get("fMessages")
uploadKey = user.id
if cherrypy.session.get("current_role") is not None:
role = cherrypy.session.get("current_role")
#Check upload size
lcHDRS = {}
for key, val in cherrypy.request.headers.iteritems():
lcHDRS[key.lower()] = val
try:
fileSizeBytes = int(lcHDRS['content-length'])
except KeyError, ke:
fMessages.append("Request must have a valid content length")
raise cherrypy.HTTPError(
411, "Request must have a valid content length")
def get_search_widget(self, context, **kwargs):
user, sMessages, fMessages = (cherrypy.session.get("user"), [], [])
orgConfig = get_config_dict_from_objects(session.query(ConfigParameter).filter(ConfigParameter.name.like('org_%')).all())
groups = session.query(User).filter(User.id==user.id).one().groups
directoryType = session.query(ConfigParameter).filter(ConfigParameter.name=="directory_type").one().value
userShareableAttributes = AccountService.get_shareable_attributes_by_user(user)
tpl = Template(file=get_template_file('search_widget.tmpl'), searchList=[locals(),globals()])
return str(tpl)
def process_login(self, username, password, **kwargs):
rootURL, local = cherrypy.request.app.config['filelocker'][
'root_url'], False
if kwargs.has_key("local") and kwargs['local'] == str(True):
local = True
username = strip_tags(username)
if password is None or password == "":
raise cherrypy.HTTPRedirect("%s/login?msg=3&local=%s" %
(rootURL, str(local)))
else:
directory = AccountService.ExternalDirectory(local)
if directory.authenticate(username, password):
cherrypy.session['request-origin'] = str(
os.urandom(32).encode('hex'))[0:32]
currentUser = AccountService.get_user(
username, True
) #if they are authenticated and local, this MUST return a user object
if currentUser is not None:
if not currentUser.authorized:
raise cherrypy.HTTPError(
403,
"You do not have permission to access this system")
session.add(
AuditLog(
cherrypy.session.get("user").id, "Login",
"User %s logged in successfully from IP %s" %
(currentUser.id, Filelocker.get_client_address())))
session.commit()
raise cherrypy.HTTPRedirect(rootURL)
else: #This should only happen in the case of a user existing in the external directory, but having never logged in before
try:
newUser = directory.lookup_user(username)
AccountService.install_user(newUser)
currentUser = AccountService.get_user(username, True)
if currentUser is not None and currentUser.authorized != False:
raise cherrypy.HTTPRedirect(rootURL)
else:
raise cherrypy.HTTPError(
403,
"You do not have permission to access this system"
)
except Exception, e:
return "Unable to install user: %s" % str(e)
else:
def add_user_to_group(self, userId, groupId, format="json", requestOrigin="", **kwargs):
user, sMessages, fMessages = (cherrypy.session.get("user"), [], [])
if requestOrigin != cherrypy.session['request-origin']:
fMessages.append("Missing request key!!")
else:
try:
userId = strip_tags(userId)
groupId = int(strip_tags(groupId))
group = session.query(Group).filter(Group.id == groupId).one()
if group.owner_id == user.id or AccountService.user_has_permission(user, "admin"):
try:
user = AccountService.get_user(userId)
group.members.append(user)
session.add(AuditLog(user.id, Actions.UPDATE_GROUP, "User %s added to group \"%s\"(%s)" % (user.id, group.name, group.id)))
session.commit()
except sqlalchemy.orm.exc.NoResultFound, nrf:
fMessages.append("Invalid user ID: %s, not added to group" % str(userId))
else:
def files(self, **kwargs):
user, role, defaultExpiration, uploadRequests, userFiles, userShareableAttributes,attributeFilesDict,sharedFiles = (cherrypy.session.get("user"), cherrypy.session.get("current_role"), None, [], [], [], {}, [])
config = cherrypy.request.app.config['filelocker']
orgConfig = get_config_dict_from_objects(session.query(ConfigParameter).filter(ConfigParameter.name.like('org_%')).all())
maxDays = int(session.query(ConfigParameter).filter(ConfigParameter.name=='max_file_life_days').one().value)
geoTagging = get_config_dict_from_objects([session.query(ConfigParameter).filter(ConfigParameter.name=='geotagging').one()])['geotagging']
adminEmail = session.query(ConfigParameter).filter(ConfigParameter.name=='admin_email').one().value
defaultExpiration = datetime.date.today() + (datetime.timedelta(days=maxDays))
userFiles = self.file.get_user_file_list(format="list")
if role is None:
uploadRequests = session.query(UploadRequest).filter(UploadRequest.owner_id==user.id).all()
userShareableAttributes = AccountService.get_shareable_attributes_by_user(user)
attributeFilesDict = ShareService.get_files_shared_with_user_by_attribute(user)
sharedFiles = ShareService.get_files_shared_with_user(user)
else:
userShareableAttributes = AccountService.get_shareable_attributes_by_role(role)
tpl = Template(file=get_template_file('files.tmpl'), searchList=[locals(),globals()])
return str(tpl)
def get_group_members(self, groupId, **kwargs):
user, sMessages, fMessages = (cherrypy.session.get("user"), [], [])
searchWidget = self.get_search_widget("manage_groups")
groupId = strip_tags(groupId)
group = session.query(Group).filter(Group.id == groupId).one()
if group.owner_id == user.id or AccountService.user_has_permission(user, "admin"):
tpl = Template(file=get_template_file('view_group.tmpl'), searchList=[locals(),globals()])
return str(tpl)
else:
raise cherrypy.HTTPError(413, "Not permitted")
def delete_group_shares(self, fileIds, groupId, format="json"):
user, role, sMessages, fMessages = (
cherrypy.session.get("user"), cherrypy.session.get("current_role"),
[], [])
fileIds = split_list_sanitized(fileIds)
for fileId in fileIds:
try:
group = session.query(Group).filter(Group.id == groupId).one()
if (
role is not None and group.role_owner_id == role.id
) or group.owner_id == user.id or AccountService.user_has_permission(
user, "admin"):
flFile = session.query(File).filter(
File.id == fileId).one()
if (
role is not None
and flFile.role_owner_id == role.id
) or flFile.owner_id == user.id or AccountService.user_has_permission(
user, "admin"):
share = session.query(GroupShare).filter(
GroupShare.group_id == groupId
and GroupShare.file_id == flFile.id).scalar()
if share is not None:
session.delete(share)
session.add(
AuditLog(
user.id, Actions.DELETE_GROUP_SHARE,
"You stopped sharing file %s with group %s"
% (flFile.name, group.name), None,
role.id if role is not None else None))
session.commit()
else:
fMessages.append(
"You do not have permission to modify shares for file with ID: %s"
% str(flFile.id))
else:
fMessages.append(
"You do not have permission delete shares with this group"
)
except Exception, e:
session.rollback()
fMessages.append("Problem deleting share for file: %s" %
str(e))
def delete_files(self, fileIds, format="json", requestOrigin="", **kwargs):
user, role, sMessages, fMessages = (
cherrypy.session.get("user"), cherrypy.session.get("current_role"),
[], [])
if requestOrigin != cherrypy.session['request-origin']:
fMessages.append("Missing request key!!")
else:
fileIds = split_list_sanitized(fileIds)
for fileId in fileIds:
try:
fileId = int(fileId)
flFile = session.query(File).filter(
File.id == fileId).one()
if flFile.role_owner_id is not None and role is not None and flFile.role_owner_id == role.id:
FileService.queue_for_deletion(flFile.id)
session.delete(flFile)
session.add(
AuditLog(
user.id, Actions.DELETE_FILE,
"File %s (%s) owned by role %s has been deleted by user %s. "
%
(flFile.name, flFile.id, role.name, user.id)))
session.commit()
sMessages.append("File %s deleted successfully" %
flFile.name)
elif flFile.owner_id == user.id or AccountService.user_has_permission(
user, "admin"):
FileService.queue_for_deletion(flFile.id)
session.delete(flFile)
session.add(
AuditLog(
user.id, Actions.DELETE_FILE,
"File %s (%s) has been deleted" %
(flFile.name, flFile.id)))
session.commit()
sMessages.append("File %s deleted successfully" %
flFile.name)
else:
fMessages.append(
"You do not have permission to delete file %s" %
flFile.name)
except sqlalchemy.orm.exc.NoResultFound, nrf:
fMessages.append("Could not find file with ID: %s" %
str(fileId))
except Exception, e:
session.rollback()
cherrypy.log.error(
"[%s] [delete_files] [Could not delete file: %s]" %
(user.id, str(e)))
fMessages.append("File not deleted: %s" % str(e))
def create_user_shares(self, fileIds, userId=None, notify="no", cc="false", format="json", requestOrigin="", **kwargs):
config = cherrypy.request.app.config['filelocker']
orgConfig = get_config_dict_from_objects(session.query(ConfigParameter).filter(ConfigParameter.name.like('org_%')).all())
user, role, sMessages, fMessages = (cherrypy.session.get("user"), cherrypy.session.get("current_role"), [], [])
if requestOrigin != cherrypy.session['request-origin']:
fMessages.append("Missing request key!!")
else:
fileIds = split_list_sanitized(fileIds)
userId = strip_tags(userId) if userId is not None and userId != "" else None
notify = True if notify.lower() == "true" else False
cc = True if cc.lower() == "true" else False
sharedFiles, recipients = [], []
try:
if userId is not None:
shareUser = AccountService.get_user(userId)
if (shareUser.email is not None and shareUser.email != ""):
recipients.append(shareUser)
for fileId in fileIds:
flFile = session.query(File).filter(File.id==fileId).one()
if (role is not None and flFile.role_owner_id == role.id) or flFile.owner_id == user.id or AccountService.user_has_permission(user, "admin"):
existingShare = session.query(UserShare).filter(and_(UserShare.file_id==fileId, UserShare.user_id==userId)).scalar()
if existingShare is None:
flFile.user_shares.append(UserShare(user_id=userId, file_id=fileId))
session.commit()
sharedFiles.append(flFile)
if role is not None: session.add(AuditLog(user.id, Actions.CREATE_USER_SHARE, "Role %s shared file %s(%s) with %s" % (role.id, flFile.name, flFile.id, shareUser.id), shareUser.id, role.id))
else: session.add(AuditLog(user.id, "Create User Share", "%s shared file %s(%s) with %s" % (user.id, flFile.name, flFile.id, shareUser.id), shareUser.id))
session.commit()
else:
fMessages.append("You do not have permission to share file with ID: %s" % str(flFile.id))
if notify:
cherrypy.session.release_lock()
if cc:
if (user is not None and user != ""):
recipients.append(user)
else:
fMessages.append("You elected to receive a carbon copy of the share notification, however your account does not have an email address set.")
for recipient in recipients:
try:
Mail.notify(get_template_file('share_notification.tmpl'),{'sender':user.email if role is None else role.email,'recipient':recipient.email, 'ownerId':user.id if role is None else role.id, 'ownerName':user.display_name if role is None else role.name, 'sharedFiles':sharedFiles, 'filelockerURL': config['root_url'], 'org_url': orgConfig['org_url'], 'org_name': orgConfig['org_name'], 'personalMessage': ""})
session.add(AuditLog(user.id, Actions.SEND_EMAIL, "%s(%s) has been notified via email that you have shared a file with him or her." % (recipient.display_name, recipient.id), None, role.id if role is not None else None))
except Exception, e:
session.rollback()
fMessages.append("Problem sending email notification to %s: %s" % (recipient.display_name, str(e)))
session.commit()
sMessages.append("Shared file(s) successfully")
else:
fMessages.append("You did not specify a user to share the file with")
def create_message(self, subject, body, recipientIds, expiration, format="json", **kwargs):
user, sMessages, fMessages = cherrypy.session.get("user"), [], []
try:
maxDays = int(session.query(ConfigParameter).filter(ConfigParameter.name=='max_file_life_days').one().value)
maxExpiration = datetime.datetime.today() + datetime.timedelta(days=maxDays)
expiration = datetime.datetime(*time.strptime(strip_tags(expiration), "%m/%d/%Y")[0:5]) if (kwargs.has_key('expiration') and strip_tags(expiration) is not None and expiration.lower() != "never") else maxExpiration
recipientIdList = split_list_sanitized(recipientIds)
subject = strip_tags(subject)
if subject is None or subject.strip()=="":
raise Exception("Subject cannot be blank")
#Process the expiration data for the file
if expiration is None and (AccountService.user_has_permission(user, "expiration_exempt") == False and AccountService.user_has_permission(user, "admin")==False): #Check permission before allowing a non-expiring upload
expiration = maxExpiration
else:
if maxExpiration < expiration and AccountService.user_has_permission(user, "expiration_exempt")==False:
raise Exception("Expiration date must be between now and %s." % maxExpiration.strftime("%m/%d/%Y"))
if body is None or body.strip()=="":
raise Exception("Message body cannot be blank")
newMessage = Message(subject=subject, body=body, date_sent=datetime.datetime.now(), owner_id=user.id, date_expires=expiration, encryption_key=Encryption.generatePassword())
session.add(newMessage)
session.commit()
encrypt_message(newMessage)
for recipientId in recipientIdList:
rUser = AccountService.get_user(recipientId)
if rUser is not None:
newMessage.message_shares.append(MessageShare(message_id=newMessage.id, recipient_id=rUser.id))
session.add(AuditLog(user.id, "Send Message", "%s sent a message with subject: \"%s\" to %s(%s)" % (user.id, newMessage.subject, rUser.display_name, rUser.id), rUser.id, None))
else:
fMessages.append("Could not send to user with ID:%s - Invalid user ID" % str(recipientId))
session.commit()
sMessages.append("Message \"%s\" sent." % subject)
except ValueError:
fMessages.append("Invalid expiration date format. Date must be in mm/dd/yyyy format.")
except Exception, e:
cherrypy.log.error("[%s] [create_message] [Could not create message: %s]" % (user.id, str(e)))
fMessages.append("Could not send message: %s" % str(e))
def delete_upload_request(self, ticketId, format="json", requestOrigin=""):
user, sMessages, fMessages = cherrypy.session.get("user"), [], []
if requestOrigin != cherrypy.session['request-origin']:
fMessages.append("Missing request key!!")
else:
try:
ticketId = strip_tags(ticketId)
uploadRequest = session.query(UploadRequest).filter(UploadRequest.id == ticketId).one()
if uploadRequest.owner_id == user.id or AccountService.user_has_permission(user, "admin"):
session.delete(uploadRequest)
session.add(AuditLog(user.id, Actions.DELETE_UPLOAD_REQUEST, "You deleted an upload request with ID: %s" % uploadRequest.id))
session.commit()
sMessages.append("Upload request deleted")
else:
fMessages.append("You do not have permission to delete this upload request")
except Exception, e:
fMessages.append(str(e))
def delete_messages(self, messageIds, format="json", requestOrigin="", **kwargs):
user, sMessages, fMessages = cherrypy.session.get("user"), [], []
if requestOrigin != cherrypy.session["request-origin"]:
fMessages.append("Missing request key!!")
else:
try:
messageIdList = split_list_sanitized(messageIds)
for messageId in messageIdList:
message = session.query(Message).filter(Message.id == messageId).scalar()
if message.owner_id == user.id or AccountService.user_has_permission(user, "admin"):
session.delete(message)
else:
fMessages.append("You do not have permission to delete message with ID: %s" % messageId)
session.commit()
sMessages.append("Message(s) deleted")
except Exception, e:
cherrypy.log.error("[%s] [delete_messages] [Could not delete message: %s]" % (user.id, str(e)))
fMessages.append("Could not delete message: %s" % str(e))
def delete_clikey(self, hostIPv4, hostIPv6, format="json", requestOrigin="", **kwargs):
user, sMessages, fMessages = (cherrypy.session.get("user"), [], [])
if requestOrigin != cherrypy.session['request-origin']:
fMessages.append("Missing request key!!")
else:
try:
clikey = session.query(CLIKey).filter(CLIKey.host_ipv4==hostIPv4).filter(CLIKey.host_ipv6==hostIPv6).one()
if clikey.user_id == user.id or AccountService.user_has_permission(user, "admin"):
session.delete(clikey)
sMessages.append("Key %s deleted successfully" % clikey.value)
session.add(AuditLog(user.id, Actions.DELETE_CLIKEY, "%s deleted CLI Key for host: %s%s" % (user.id, hostIPv4, hostIPv6)))
except sqlalchemy.orm.exc.NoResultFound, nrf:
fMessages.append("Could not find key for host: %s%s" % str(hostIPv4), str(hostIPv6))
session.commit()
except Exception, e:
session.rollback()
fMessages.append("Could not delete Key: %s" % str(e))
cherrypy.log.error("[%s] [delete_clikey] [Could not delete key: %s]" % (user.id, str(e)))
def remove_users_from_role(self, roleId, userIds, format="json", **kwargs):
user, sMessages, fMessages = (cherrypy.session.get("user"), [], [])
try:
roleId = strip_tags(roleId)
userIds = split_list_sanitized(userIds)
if userIds is not None and roleId is not None:
role = session.query(Role).filter(Role.id == roleId).one()
for userId in userIds:
try:
user = AccountService.get_user(userId)
role.members.remove(user)
session.commit()
except sqlalchemy.orm.exc.NoResultFound, nrf:
fMessages.append("User with ID:%s could not be found" %
str(roleId))
sMessages.append("Removed user(s) from role: %s" % str(roleId))
except sqlalchemy.orm.exc.NoResultFound, nrf:
fMessages.append("Role with ID:%s could not be found" %
str(roleId))
def create_attribute_shares(self, fileIds, attributeId, format="json", requestOrigin="", **kwargs):
user, sMessages, fMessages = (cherrypy.session.get("user"), [], [])
if requestOrigin != cherrypy.session['request-origin']:
fMessages.append("Missing request key!!")
else:
try:
userShareableAttributes, permission = AccountService.get_shareable_attributes_by_user(user), False
for attribute in userShareableAttributes:
if attributeId == attribute.id:
permission = True
break
if permission:
fileIds = split_list_sanitized(fileIds)
for fileId in fileIds:
session.add(AttributeShare(file_id=fileId, attribute_id=attributeId))
sMessages.append("Successfully shared file(s) with users having the %s attribute" % attributeId )
else:
fMessages.append("You do not have permission to share with this attribute")
except Exception, e:
fMessages.append(str(e))
def requires_login(permissionId=None, **kwargs):
from lib import AccountService
format, rootURL = None, cherrypy.request.app.config["filelocker"]["root_url"]
if cherrypy.request.params.has_key("format"):
format = cherrypy.request.params["format"]
if cherrypy.session.has_key("user") and cherrypy.session.get("user") is not None:
user = cherrypy.session.get("user")
if user.date_tos_accept == None:
raise cherrypy.HTTPRedirect(rootURL + "/sign_tos")
elif permissionId is not None:
try:
if not AccountService.user_has_permission(user, permissionId):
raise cherrypy.HTTPError(403)
except Exception, e:
raise cherrypy.HTTPError(
500,
"The server is having problems communicating with the database server. Please try again in a few minutes.",
)
else:
pass
def delete_groups(self, groupIds, format="json", requestOrigin="", **kwargs):
user, sMessages, fMessages = (cherrypy.session.get("user"), [], [])
if requestOrigin != cherrypy.session['request-origin']:
fMessages.append("Missing request key!!")
else:
try:
groupIds = split_list_sanitized(groupIds)
for groupId in groupIds:
try:
group = session.query(Group).filter(Group.id==groupId).one()
if group.owner_id == user.id or AccountService.user_has_permission(user, "admin"):
session.delete(group)
sMessages.append("Group %s deleted successfully" % group.name)
session.add(AuditLog(user.id, Actions.DELETE_GROUP, "%s deleted group \"%s\"(%s)" % (user.id, group.name, group.id), None))
except sqlalchemy.orm.exc.NoResultFound, nrf:
fMessages.append("Could not find group with ID: %s" % str(groupId))
session.commit()
except Exception, e:
session.rollback()
fMessages.append("Could not delete groups: %s" % str(e))
cherrypy.log.error("[%s] [remove_users_from_group] [Could not delete groups: %s]" % (user.id, str(e)))
def history(self,
userId=None,
startDate=None,
endDate=None,
logAction=None,
format="html",
**kwargs):
sMessages, fMessages, user, role = (
[], [], cherrypy.session.get("user"),
cherrypy.session.get("current_role"))
config = cherrypy.request.app.config['filelocker']
orgConfig = get_config_dict_from_objects(
session.query(ConfigParameter).filter(
ConfigParameter.name.like('org_%')).all())
userId = strip_tags(userId) if strip_tags(userId) != None else user.id
if (userId != user.id and AccountService.user_has_permission(
user, "admin") == False):
raise cherrypy.HTTPError(403)
actionList, actionLogList = ([], [])
try:
startDateFormatted, endDateFormatted = None, None
sevenDays = datetime.timedelta(days=7)
today = datetime.datetime.now().replace(hour=0,
minute=0,
second=0,
microsecond=0)
sevenDaysAgo = today - sevenDays
sevenDaysAgo = sevenDaysAgo.replace(hour=0,
minute=0,
second=0,
microsecond=0)
if startDate is not None:
try:
startDateFormatted = datetime.datetime(
*time.strptime(strip_tags(startDate), "%m/%d/%Y")[0:5])
except Exception, e:
fMessages.append("Start date was not properly formatted")
startDateFormatted = sevenDaysAgo
else:
def delete_groups(self, groupIds, format="json", **kwargs):
user, sMessages, fMessages = (cherrypy.session.get("user"), [], [])
try:
groupIds = split_list_sanitized(groupIds)
for groupId in groupIds:
try:
group = session.query(Group).filter(
Group.id == groupId).one()
if group.owner_id == user.id or AccountService.user_has_permission(
user, "admin"):
session.delete(group)
sMessages.append("Group %s deleted successfully" %
group.name)
session.add(
AuditLog(
user.id, Actions.DELETE_GROUP,
"%s deleted group \"%s\"(%s)" %
(user.id, group.name, group.id), None))
except sqlalchemy.orm.exc.NoResultFound, nrf:
fMessages.append("Could not find group with ID: %s" %
str(groupId))
session.commit()
def delete_public_share(self, shareId, format="json", requestOrigin="", **kwargs):
user, role, sMessages, fMessages = (cherrypy.session.get("user"), cherrypy.session.get("current_role"), [], [])
if requestOrigin != cherrypy.session['request-origin']:
fMessages.append("Missing request key!!")
else:
shareId = strip_tags(shareId)
try:
ps = session.query(PublicShare).filter(PublicShare.id == shareId).one()
if role is not None and ps.role_owner_id == role.id:
session.delete(ps)
session.add(AuditLog(user.id, Actions.DELETE_PUBLIC_SHARE, "Role %s stopped sharing files publicly via URL using share ID: %s" % (role.name, str(ps.id)), None, role.id))
session.commit()
sMessages.append("Successfully unshared files")
elif ps.owner_id == user.id or AccountService.user_has_permission(user, "admin"):
session.delete(ps)
session.add(AuditLog(user.id, Actions.DELETE_PUBLIC_SHARE, "You stopped sharing files publicly via URL using share ID: %s" % str(ps.id)))
session.commit()
sMessages.append("Successfully unshared files")
else:
fMessages.append("You do not have permission to modify share ID: %s" % str(ps.id))
except Exception, e:
fMessages.append(str(e))
def update_group(self, groupId, groupName=None, groupScope="private", format="json", requestOrigin="", **kwargs):
user, sMessages, fMessages = (cherrypy.session.get("user"), [], [])
if requestOrigin != cherrypy.session['request-origin']:
fMessages.append("Missing request key!!")
else:
try:
groupId = strip_tags(groupId)
group = session.query(Group).filter(Group.id == groupId).one()
if group.owner_id == user.id or AccountService.user_has_permission(user, "admin"):
group.name = strip_tags(groupName) if strip_tags(groupName) is not None else group.name
group.scope = strip_tags(groupScope.lower()) if groupScope is not None else group.scope
session.add(AuditLog(user.id, Actions.UPDATE_GROUP, "Group \"%s\"(%s) has been updated" % (group.name, group.id)))
session.commit()
sMessages.append("Group updated")
else:
fMessages.append("You do not have permission to update this group")
except sqlalchemy.orm.exc.NoResultFound, nrf:
fMessages.append("Could not find group with ID: %s" % str(groupId))
except Exception, e:
session.rollback()
cherrypy.log.error("[%s] [update_group] [Couldn't update group: %s]" % (user.id, str(e)))
fMessages.append("Could not update group: %s" % str(e))
def requires_login(permissionId=None, **kwargs):
from lib import AccountService
format, rootURL = None, cherrypy.request.app.config['filelocker'][
'root_url']
if cherrypy.request.params.has_key("format"):
format = cherrypy.request.params['format']
if cherrypy.session.has_key("user") and cherrypy.session.get(
'user') is not None:
user = cherrypy.session.get('user')
if user.date_tos_accept == None:
raise cherrypy.HTTPRedirect(rootURL + "/sign_tos")
elif permissionId is not None:
try:
if not AccountService.user_has_permission(user, permissionId):
raise cherrypy.HTTPError(403)
except Exception, e:
raise cherrypy.HTTPError(
500,
"The server is having problems communicating with the database server. Please try again in a few minutes."
)
else:
pass
def history(self, userId=None, startDate=None, endDate=None, logAction=None, format="html", **kwargs):
sMessages, fMessages, user, role= ([],[],cherrypy.session.get("user"),cherrypy.session.get("current_role"))
config = cherrypy.request.app.config['filelocker']
orgConfig = get_config_dict_from_objects(session.query(ConfigParameter).filter(ConfigParameter.name.like('org_%')).all())
userId = strip_tags(userId) if strip_tags(userId) != None else user.id
if (userId != user.id and AccountService.user_has_permission(user, "admin")==False):
raise cherrypy.HTTPError(403)
actionList, actionLogList = ([], [])
try:
startDateFormatted, endDateFormatted = None, None
sevenDays = datetime.timedelta(days=7)
today = datetime.datetime.now().replace(hour=0, minute=0, second=0, microsecond=0)
sevenDaysAgo = today - sevenDays
sevenDaysAgo = sevenDaysAgo.replace(hour=0, minute=0, second=0, microsecond=0)
if startDate is not None:
try:
startDateFormatted = datetime.datetime(*time.strptime(strip_tags(startDate), "%m/%d/%Y")[0:5])
except Exception, e:
fMessages.append("Start date was not properly formatted")
startDateFormatted = sevenDaysAgo
else:
def remove_users_from_role(self, roleId, userIds, format="json", requestOrigin="", **kwargs):
user, sMessages, fMessages = (cherrypy.session.get("user"), [], [])
if requestOrigin != cherrypy.session['request-origin']:
fMessages.append("Missing request key!!")
else:
try:
roleId = strip_tags(roleId)
userIds = split_list_sanitized(userIds)
if userIds is not None and roleId is not None:
role = session.query(Role).filter(Role.id==roleId).one()
for userId in userIds:
try:
user = AccountService.get_user(userId)
role.members.remove(user)
session.commit()
except sqlalchemy.orm.exc.NoResultFound, nrf:
fMessages.append("User with ID:%s could not be found" % str(roleId))
sMessages.append("Removed user(s) from role: %s" % str(roleId))
except sqlalchemy.orm.exc.NoResultFound, nrf:
fMessages.append("Role with ID:%s could not be found" % str(roleId))
except Exception, e:
fMessages.append("Unable to remove users from roles: %s" % str(e))
cherrypy.log.error("[%s] [remove_users_from_role] [Unable to remove users from roles: %s]" % (userIds, str(e)))
def update_file(self, fileId, format="json", requestOrigin="", **kwargs):
user, sMessages, fMessages = (cherrypy.session.get("user"), [], [])
if requestOrigin != cherrypy.session['request-origin']:
fMessages.append("Missing request key!!")
else:
fileId = strip_tags(fileId)
try:
flFile = session.query(File).filter(File.id==fileId).one()
if flFile.owner_id == user.id or AccountService.user_has_permission(user, "admin"):
if kwargs.has_key("fileName"):
flFile.name = strip_tags(kwargs['fileName'])
if kwargs.has_key('notifyOnDownload'):
flFile.notify_on_download = True if kwargs['notifyOnDownload'].lower()=="true" else False
if kwargs.has_key('fileNotes'):
flFile.notes = strip_tags(kwargs['fileNotes'])
session.commit()
sMessages.append("Successfully updated file %s" % flFile.name)
else:
fMessages.append("You do not have permission to update file with ID: %s" % str(flFile.id))
except sqlalchemy.orm.exc.NoResultFound, nrf:
fMessages.append("Could not find file with ID: %s" % str(fileId))
except Exception, e:
fMessages.append(str(e))
def delete_user_shares(self, fileIds, userId, format="json", requestOrigin=""):
user, role, sMessages, fMessages = (cherrypy.session.get("user"), cherrypy.session.get("current_role"), [], [])
if requestOrigin != cherrypy.session['request-origin']:
fMessages.append("Missing request key!!")
else:
fileIds = split_list_sanitized(fileIds)
for fileId in fileIds:
try:
flFile = session.query(File).filter(File.id==fileId).one()
if (role is not None and flFile.role_owner_id == role.id) or flFile.owner_id == user.id or AccountService.user_has_permission(user, "admin"):
ps = session.query(UserShare).filter(and_(UserShare.user_id == userId, UserShare.file_id == flFile.id)).scalar()
if ps is not None:
session.delete(ps)
session.add(AuditLog(user.id, Actions.DELETE_USER_SHARE, "You stopped sharing file %s with %s" % (flFile.name, userId), None, role.id if role is not None else None))
session.commit()
sMessages.append("Share has been successfully deleted")
else:
fMessages.append("This share does not exist")
else:
fMessages.append("You do not have permission to modify shares for file with ID: %s" % str(flFile.id))
except Exception, e:
session.rollback()
fMessages.append("Problem deleting share for file: %s" % str(e))
def create_message(self, subject, body, recipientIds, expiration, format="json", requestOrigin="", **kwargs):
user, sMessages, fMessages = cherrypy.session.get("user"), [], []
if requestOrigin != cherrypy.session["request-origin"]:
fMessages.append("Missing request key!!")
else:
try:
maxDays = int(
session.query(ConfigParameter).filter(ConfigParameter.name == "max_file_life_days").one().value
)
maxExpiration = datetime.datetime.today() + datetime.timedelta(days=maxDays)
expiration = (
datetime.datetime(*time.strptime(strip_tags(expiration), "%m/%d/%Y")[0:5])
if (
kwargs.has_key("expiration")
and strip_tags(expiration) is not None
and expiration.lower() != "never"
)
else maxExpiration
)
recipientIdList = split_list_sanitized(recipientIds)
subject = strip_tags(subject)
if subject is None or subject.strip() == "":
raise Exception("Subject cannot be blank")
# Process the expiration data for the file
if expiration is None and (
AccountService.user_has_permission(user, "expiration_exempt") == False
and AccountService.user_has_permission(user, "admin") == False
): # Check permission before allowing a non-expiring upload
expiration = maxExpiration
else:
if (
maxExpiration < expiration
and AccountService.user_has_permission(user, "expiration_exempt") == False
):
raise Exception(
"Expiration date must be between now and %s." % maxExpiration.strftime("%m/%d/%Y")
)
if body is None or body.strip() == "":
raise Exception("Message body cannot be blank")
newMessage = Message(
subject=subject,
body=body,
date_sent=datetime.datetime.now(),
owner_id=user.id,
date_expires=expiration,
encryption_key=Encryption.generatePassword(),
)
session.add(newMessage)
session.commit()
encrypt_message(newMessage)
for recipientId in recipientIdList:
rUser = AccountService.get_user(recipientId)
if rUser is not None:
newMessage.message_shares.append(MessageShare(message_id=newMessage.id, recipient_id=rUser.id))
session.add(
AuditLog(
user.id,
"Send Message",
'%s sent a message with subject: "%s" to %s(%s)'
% (user.id, newMessage.subject, rUser.display_name, rUser.id),
rUser.id,
None,
)
)
else:
fMessages.append("Could not send to user with ID:%s - Invalid user ID" % str(recipientId))
session.commit()
sMessages.append('Message "%s" sent.' % subject)
except ValueError:
fMessages.append("Invalid expiration date format. Date must be in mm/dd/yyyy format.")
except Exception, e:
cherrypy.log.error("[%s] [create_message] [Could not create message: %s]" % (user.id, str(e)))
fMessages.append("Could not send message: %s" % str(e))
def create_public_share(self, fileIds, expiration, shareType, message, notifyEmails, cc="false", format="json", requestOrigin="", **kwargs):
user, role, sMessages, fMessages, shareId, ps = (cherrypy.session.get("user"), cherrypy.session.get("current_role"), [], [], None, None)
if requestOrigin != cherrypy.session['request-origin']:
fMessages.append("Missing request key!!")
else:
config = cherrypy.request.app.config['filelocker']
orgConfig = get_config_dict_from_objects(session.query(ConfigParameter).filter(ConfigParameter.name.like('org_%')).all())
fileIds = split_list_sanitized(fileIds)
cc = True if cc == "true" else False
try:
try:
expiration = datetime.datetime(*(time.strptime(strip_tags(expiration), "%m/%d/%Y")[0:6]))
except Exception, e:
raise Exception("Invalid expiration date format. Date must be in mm/dd/yyyy format.")
if expiration is None or expiration == "":
raise Exception("Public shares must have a valid expiration date")
message = strip_tags(message)
shareType = "single" if shareType != "multi" else "multi"
ps = PublicShare(date_expires=expiration, reuse=shareType, message=message)
if role is not None:
ps.role_owner_id = role.id
else:
ps.owner_id = user.id
if (kwargs.has_key("password") and kwargs['password']!=""):
ps.set_password(kwargs['password'])
elif shareType=="multi":
raise Exception("You must specify a password for public shares that don't expire after 1 use")
ps.generate_share_id()
session.add(ps)
sharedFiles = []
for fileId in fileIds:
flFile = session.query(File).filter(File.id==fileId).one()
if flFile.owner_id == user.id or AccountService.user_has_permission(user, "admin"):
ps.files.append(flFile)
session.commit()
sharedFiles.append(flFile)
session.commit()
else:
fMessages.append("You do not have permission to share file with ID: %s" % str(flFile.id))
session.add(AuditLog(user.id, Actions.CREATE_PUBLIC_SHARE, "%s file(s) publicly shared." % len(ps.files), None, role.id if role is not None else None))
notifyEmailList = split_list_sanitized(notifyEmails)
if cc:
if (user.email is not None and user.email != ""):
notifyEmailList.append(user.email)
else:
fMessages.append("You elected to receive a carbon copy of the share notification, however your account does not have an email address set.")
cherrypy.session.release_lock()
for recipient in notifyEmailList:
if recipient is not None and recipient != "":
Mail.notify(get_template_file('public_share_notification.tmpl'), {'sender':user.email if role is None else role.email, 'recipient':recipient, 'sharedFiles':sharedFiles, 'ownerId':user.id if role is None else role.id, 'ownerName': user.display_name if role is None else role.name, 'shareId':ps.id, 'filelockerURL':config['root_url'], 'org_url': orgConfig['org_url'], 'org_name': orgConfig['org_name'], 'personalMessage': message})
if len(notifyEmailList) > 0:
session.add(AuditLog(user.id, Actions.SEND_EMAIL, "Email notifications about a public share were sent to the following addresses: %s" % ",".join(notifyEmailList), None, role.id if role is not None else None))
session.commit()
shareId = ps.id
sMessages.append("Files shared successfully")
except Exception, e:
session.rollback()
fMessages.append(str(e))
cherrypy.log.error("[%s] [create_public_share] [Unable to create public share: %s]" % (user.id, str(e)))
def delete_group_shares(self, fileIds, groupId, format="json", requestOrigin=""):
user, role, sMessages, fMessages = (cherrypy.session.get("user"), cherrypy.session.get("current_role"), [], [])
if requestOrigin != cherrypy.session['request-origin']:
fMessages.append("Missing request key!!")
else:
fileIds = split_list_sanitized(fileIds)
for fileId in fileIds:
try:
group = session.query(Group).filter(Group.id==groupId).one()
if (role is not None and group.role_owner_id == role.id) or group.owner_id == user.id or AccountService.user_has_permission(user, "admin"):
flFile = session.query(File).filter(File.id==fileId).one()
if (role is not None and flFile.role_owner_id == role.id) or flFile.owner_id == user.id or AccountService.user_has_permission(user, "admin"):
share = session.query(GroupShare).filter(GroupShare.group_id == groupId and GroupShare.file_id == flFile.id).scalar()
if share is not None:
session.delete(share)
session.add(AuditLog(user.id, Actions.DELETE_GROUP_SHARE, "You stopped sharing file %s with group %s" % (flFile.name, group.name), None, role.id if role is not None else None))
session.commit()
else:
fMessages.append("You do not have permission to modify shares for file with ID: %s" % str(flFile.id))
else:
fMessages.append("You do not have permission delete shares with this group")
except Exception, e:
session.rollback()
fMessages.append("Problem deleting share for file: %s" % str(e))
def create_group_shares(self, fileIds, groupId, notify="false", cc="false", format="json", requestOrigin=""):
user, role, sMessages, fMessages, config = (cherrypy.session.get("user"), cherrypy.session.get("current_role"), [], [], cherrypy.request.app.config['filelocker'])
if requestOrigin != cherrypy.session['request-origin']:
fMessages.append("Missing request key!!")
else:
orgConfig = get_config_dict_from_objects(session.query(ConfigParameter).filter(ConfigParameter.name.like('org_%')).all())
fileIds = split_list_sanitized(fileIds)
groupId = strip_tags(groupId) if groupId is not None and groupId != "" else None
notify = True if notify.lower() == "true" else False
cc = True if cc.lower() == "true" else False
try:
if groupId is not None:
sharedFiles = []
group = session.query(Group).filter(Group.id==groupId).one()
if (role is not None and group.role_owner_id == role.id) or group.owner_id == user.id or AccountService.user_has_permission(user, "admin"):
for fileId in fileIds:
flFile = session.query(File).filter(File.id == fileId).one()
existingShare = session.query(GroupShare).filter(and_(GroupShare.group_id==group.id, GroupShare.file_id==fileId)).scalar()
if existingShare is not None:
fMessages.append("File %s is already shared with group %s" % (flFile.name, group.name))
elif (role is not None and flFile.role_owner_id == role.id) or flFile.owner_id == user.id or AccountService.user_has_permission(user, "admin"):
flFile.group_shares.append(GroupShare(group_id=groupId, file_id=fileId))
sharedFiles.append(flFile)
else:
fMessages.append("You do not have permission to share file with ID: %s" % fileId)
sMessages.append("Shared file(s) successfully")
if role is not None:
session.add(AuditLog(user.id, Actions.CREATE_GROUP_SHARE, "Role %s shared %s files with group %s(%s)" % (role.id, len(fileIds), group.name, group.id), None, role.id))
else:
session.add(AuditLog(user.id, Actions.CREATE_GROUP_SHARE, "%s shared %s files with group %s(%s)" % (user.id, len(fileIds), group.name, group.id), None))
else:
fMessages.append("You do not have permission to share with this group")
session.commit()
if notify:
cherrypy.session.release_lock()
for groupMember in group.members:
try:
Mail.notify(get_template_file('share_notification.tmpl'),{'sender':user.email if role is None else role.email,'recipient':groupMember.email, 'ownerId':user.id if role is None else role.id, 'ownerName':user.display_name if role is None else role.name, 'sharedFiles':sharedFiles, 'filelockerURL': config['root_url'], 'org_url': orgConfig['org_url'], 'org_name': orgConfig['org_name']})
session.add(AuditLog(user.id, Actions.SEND_EMAIL, "%s has been notified via email that you have shared a file with him or her." % (groupMember.email), None, role.id if role is not None else None))
session.commit()
except Exception, e:
session.rollback()
fMessages.append("Problem sending email notification to %s: %s" % (groupMember.display_name, str(e)))
if cc:
if (user.email is not None and user.email != ""):
try:
Mail.notify(get_template_file('share_notification.tmpl'),{'sender':user.email if role is None else role.email,'recipient':user.email if role is None else role.email, 'ownerId':user.id if role is None else role.id, 'ownerName':user.display_name if role is None else role.name, 'sharedFiles':sharedFiles, 'filelockerURL': config['root_url'], 'org_url': orgConfig['org_url'], 'org_name': orgConfig['org_name']})
session.add(AuditLog(user.id, Actions.SEND_EMAIL, "You have been carbon copied via email on the notification that was sent out as a result of your file share."))
session.commit()
except Exception, e:
session.rollback()
fMessages.append("Problem carbon copying email notification: %s" % (str(e)))
else:
fMessages.append("You elected to receive a carbon copy of the share notification, however your account does not have an email address set.")
