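def get(self, user_id=None):
    """Dispatch a user-lookup GET on the first recognised query parameter.

    The parameters are examined in this order and only the first non-empty
    one is acted on: ``user_info`` (one user's record), ``user_perms`` (one
    user's per-group permissions), ``organization_users`` (every user of an
    organisation; the value must be ``'all'``) and ``non_org`` (users that
    belong to no organisation).  A request carrying none of them writes no
    response, as before.

    Args:
        user_id: Kept for route compatibility; it is not read — the target
            user always comes from the query string.

    Raises:
        HttpErrorException: ``bad_request`` when the referenced user or
            organisation does not exist, ``forbidden`` when ``self.user``
            may not see the requested data.
    """
    request = self.request
    # ``request.get`` yields '' for an absent parameter; the original tested
    # ``is not ''``, which only works because CPython interns the empty string.
    if request.get('user_info'):
        self._get_user_info(request.get('user_info'))
    elif request.get('user_perms'):
        self._get_user_perms(request.get('user_perms'))
    elif request.get('organization_users'):
        self._get_organization_users(request.get('organization_users'),
                                     request.get('organization_id'))
    elif request.get('non_org'):
        self._get_non_org_users()


def _deny(self, msg_short, msg, **log_fields):
    """Record a SECURITY audit entry for a refused request, then raise 403.

    ``log_fields`` go straight to ``tt_logging.construct_log`` (for example
    ``affected_user`` or ``artifact``); ``request_user`` and ``request`` are
    always filled in from the handler.  This never returns.
    """
    lr = tt_logging.construct_log(msg_short=msg_short, msg=msg,
                                  log_type=tt_logging.SECURITY,
                                  request_user=self.user,
                                  request=self.request, **log_fields)
    log.warning(lr['dict_msg']['msg'], extra=lr)
    raise HttpErrorException.forbidden()


def _get_user_info(self, target_id):
    """Write the record of user ``target_id``: own record, or any record for an admin.

    Raises:
        HttpErrorException: ``forbidden`` for a non-admin asking about another
            user, ``bad_request`` when ``target_id`` resolves to no user.
    """
    if target_id != self.user.username and not self.user.is_admin:
        # Previously this case fell through and wrote nothing at all; refusing
        # explicitly, with an audit entry, matches the other branches.
        self._deny('Non-Admin User Try Accessing Another User',
                   'User (%s) attemped to access user\'s (%s) data '
                   % (self.user.key.id(), target_id))
    user = User.get_by_id(target_id)
    if not user:
        raise HttpErrorException.bad_request('invalid user id')
    self.write_json_response(user.to_dict(user=self.user))


def _get_user_perms(self, target_id):
    """Write ``{group id: perms}`` for user ``target_id``.

    Only the user themself or an admin may ask; within that, a group's
    permissions are included only when the requester is the target or holds
    ``set_user_perms`` / ``remove_user_perms`` in that group.

    Raises:
        HttpErrorException: ``bad_request`` when ``target_id`` resolves to no
            user, ``forbidden`` when the requester is neither admin nor target.
    """
    user = User.get_by_id(target_id)
    if not user:
        raise HttpErrorException.bad_request('invalid username')
    # The admin bypass must look at the *requester*; the original tested the
    # target's ``is_admin`` flag, which denied admins and exempted admin targets.
    if not self.user.is_admin and not self.user == user:
        self._deny('Non-Admin User Try Accessing Another User',
                   'User (%s) attemped to access user\'s (%s) data '
                   % (self.user.key.id(), user.key.id()),
                   affected_user=user)
    self.write_json_response(self._collect_group_perms(user))


def _collect_group_perms(self, user):
    """Return ``{group id: perms dict}`` for the groups of ``user`` the requester may see.

    A group key that no longer resolves is removed from ``user.groups`` (the
    user is saved immediately) and reported as a USER log event.
    """
    perms_by_group = {}
    # Iterate over a copy: removing from the live list while iterating it
    # would skip the element that follows every broken key.
    for group_key in list(user.groups):
        group = group_key.get()
        if group is None:
            user.groups.remove(group_key)
            user.put()
            lr = tt_logging.construct_log(
                msg_short='Broken Group Key in User Group List',
                msg='Found a broken group key (%s) in the user\'s group list\n'
                    'Key has been removed' % str(group_key),
                log_type=tt_logging.USER, request_user=self.user,
                affected_user=user, request=self.request)
            log.error(lr['dict_msg']['msg'], extra=lr)
        elif (group.has_permission(self.user, 'set_user_perms') or
              group.has_permission(self.user, 'remove_user_perms') or
              user.key == self.user.key):
            perms = user.get_group_perms_dict(group)
            if perms is not None:
                perms_by_group[group.key.id()] = perms
    return perms_by_group


def _get_organization_users(self, scope, organization_id):
    """Write every user of organisation ``organization_id``.

    Only ``scope == 'all'`` is supported; any other value writes nothing, as
    before.  Allowed for an admin of that organisation or a member of the
    ``super_admin`` group.

    Raises:
        HttpErrorException: ``bad_request`` for an unknown organisation id,
            ``forbidden`` when the requester is neither.
    """
    if scope != 'all':
        return
    organization = Organization.get_by_id(organization_id)
    if organization is None:
        # Previously an unknown id blew up with AttributeError on is_admin().
        raise HttpErrorException.bad_request('invalid organization id')
    if not organization.is_admin(self.user):
        # Looked up lazily, as before, only when the org-admin test fails.
        super_admin = Group.get_by_id('super_admin')
        if super_admin is None or super_admin.key not in self.user.groups:
            self._deny('Non-Admin User Try Accessing Org Users',
                       'User (%s) attemped to access all Organization\'s users'
                       % (self.user.key.id()),
                       artifact=organization)
    self.write_json_response(User.get_all_users(organization, request_user=self.user))


def _get_non_org_users(self):
    """Write every user with no organisation; super-admins only.

    Raises:
        HttpErrorException: ``forbidden`` when ``self.user.is_super_admin``
            is false.
    """
    if not self.user.is_super_admin:
        self._deny('Non-Admin User Try Accessing Org Users',
                   'User (%s) attemped to access all Organization\'s users'
                   % (self.user.key.id()))
    # ``== None`` is the datastore query-filter syntax, not an identity test.
    users = User.query(User.organization == None).fetch()
    self.write_json_response([user.to_dict() for user in users])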