def password(self, request, pk, *args, **kwargs):
data = request.data.copy()
scirius_user = self.get_object()
data['user'] = scirius_user.user.pk
if request.user.is_superuser:
pass_serializer = ChangePasswordSuperUserSerializer(data=data)
else:
pass_serializer = ChangePasswordSerializer(data=data)
pass_serializer.is_valid(raise_exception=True)
if request.user.is_superuser is False:
if not scirius_user.user.check_password(
pass_serializer.validated_data.get('old_password')):
raise serializers.ValidationError(
{'old_password': ['Wrong password']})
scirius_user.user.set_password(
pass_serializer.validated_data.get('new_password'))
scirius_user.user.save()
scirius_user.save()
comment = data.pop('comment', None)
comment_serializer = CommentSerializer(data={'comment': comment})
comment_serializer.is_valid(raise_exception=True)
UserAction.create(action_type='edit_user_password',
comment=comment_serializer.validated_data['comment'],
user=request.user,
other_user=scirius_user.user)
return Response({'password': '******'})
def add_user(request):
if request.method == 'POST':
form = UserSettingsForm(request.POST)
password_form = PasswordCreationForm(request.POST)
if form.is_valid() and password_form.is_valid():
ruser = form.save()
ruser.set_password(password_form.cleaned_data['password1'])
ruser.save()
UserAction.create(action_type='create_user',
comment=form.cleaned_data['comment'],
user=request.user,
new_user=ruser)
return redirect('list_accounts')
context = {
'error': 'Username and/or password are not valid',
'form': form,
'password_form': password_form,
'current_action': 'Add user'
}
return scirius_render(request, 'accounts/user.html', context)
form = UserSettingsForm()
password_form = PasswordCreationForm()
context = {
'form': form,
'current_action': 'Add user',
'password_form': password_form
}
return scirius_render(request, 'accounts/user.html', context)
def add_group(request):
if request.method == 'POST':
form = GroupEditForm(request.POST)
if form.is_valid():
group = form.save()
UserAction.create(action_type='create_group',
comment=form.cleaned_data['comment'],
user=request.user,
new_group=group)
return redirect('list_accounts')
context = {
'form': form,
'current_action': 'Add role',
'can_edit': True
}
return scirius_render(request, 'accounts/group.html', context)
form = GroupEditForm()
context = {
'form': form,
'current_action': 'Add role',
'mapping': json.dumps(form.mapping),
'can_edit': True
}
return scirius_render(request, 'accounts/group.html', context)
def token(self, request, *args, **kwargs):
scirius_user = self.get_object()
tokens = Token.objects.filter(user=scirius_user.user)
token = ''
if request.method == 'GET':
if len(tokens) > 0:
token = tokens[0].key
else:
if len(tokens) > 0:
tokens[0].delete()
token = Token.objects.create(user=scirius_user.user).key
data = request.data.copy()
comment = data.pop('comment', None)
comment_serializer = CommentSerializer(data={'comment': comment})
comment_serializer.is_valid(raise_exception=True)
UserAction.create(
action_type='edit_user_token',
comment=comment_serializer.validated_data['comment'],
user=request.user,
other_user=scirius_user.user)
return Response({'token': token})
def _update_or_partial_update(self, request, partial, *args, **kwargs):
comment = request.data.pop('comment', None)
instance = self.get_object()
serializer = self.get_serializer(instance,
data=request.data,
partial=partial)
serializer.is_valid(raise_exception=True)
# This save is used to have the new name if user has edited transfo
serializer.save()
trans_type = serializer.validated_data['key']
trans_value = serializer.validated_data['value']
ruleset = serializer.validated_data['ruleset_transformation']
comment_serializer = CommentSerializer(data={'comment': comment})
comment_serializer.is_valid(raise_exception=True)
UserAction.create(action_type='transform_ruleset',
comment=comment_serializer.validated_data['comment'],
user=request.user,
transformation='%s: %s' %
(trans_type, trans_value.title()),
ruleset=ruleset)
def edit_password(request, user_id):
user = get_object_or_404(User, pk=user_id)
context = {'user': user, 'username': json.dumps(user.username)}
if request.method == 'POST':
form = PasswordForm(request.POST)
if form.is_valid():
user.set_password(form.cleaned_data['password'])
user.save()
if user == request.user:
# If the user change his own password prevent the session to be invalidated
update_session_auth_hash(request, user)
UserAction.create(action_type='edit_user_password',
comment=form.cleaned_data['comment'],
user=request.user,
other_user=user)
return redirect('list_accounts')
else:
context['error'] = 'Password form is not valid'
context['form'] = form
return scirius_render(request, 'accounts/user.html', context)
form = PasswordForm()
context['form'] = form
context['current_action'] = 'Edit password for user %s' % user.username
return scirius_render(request, 'accounts/user.html', context)
def partial_update(self, request, pk, *args, **kwargs):
if request.user.is_superuser is False:
for right in (
'is_active',
'is_staff',
'is_superuser',
):
if right in request.data:
raise PermissionDenied({
right:
'You do not have permission to perform this action.'
})
data = request.data.copy()
comment = data.pop('comment', None)
instance = self.get_object()
serializer = self.get_serializer(instance,
data=request.data,
partial=True)
serializer.is_valid(raise_exception=True)
comment_serializer = CommentSerializer(data={'comment': comment})
comment_serializer.is_valid(raise_exception=True)
UserAction.create(action_type='edit_user',
comment=comment_serializer.validated_data['comment'],
user=request.user,
other_user=serializer.instance.user)
return super(AccountViewSet, self).update(request,
pk,
partial=True,
*args,
**kwargs)
def post(self, request, format=None):
suri = Suricata.objects.first()
try:
suri.ruleset.update()
except IOError as e:
raise serializers.ValidationError({'update_push_all': ['Can not fetch data: %s' % e]})
suri.generate()
ret = suri.push()
suri.updated_date = timezone.now()
suri.save()
msg = ['Suricata restart already asked']
if ret:
msg = 'ok'
comment = request.data.get('comment', None)
comment_serializer = CommentSerializer(data={'comment': comment})
comment_serializer.is_valid(raise_exception=True)
UserAction.create(
action_type='update_push_all',
user=request.user,
ruleset=suri.ruleset,
comment=comment_serializer.validated_data['comment']
)
return Response({'update_push_all': msg})
def post(self, request, format=None):
suri = Suricata.objects.first()
try:
suri.ruleset.update()
except IOError as e:
raise serializers.ValidationError(
{'update_push_all': ['Can not fetch data: %s' % e]})
suri.generate()
ret = suri.push()
suri.updated_date = timezone.now()
suri.save()
msg = ['Suricata restart already asked']
if ret:
msg = 'ok'
comment = request.data.get('comment', None)
comment_serializer = CommentSerializer(data={'comment': comment})
comment_serializer.is_valid(raise_exception=True)
UserAction.create(
action_type='update_push_all',
user=request.user,
ruleset=suri.ruleset,
comment=comment_serializer.validated_data['comment'])
return Response({'update_push_all': msg})
def edit_group(request, group_id):
django_group = get_object_or_404(DjangoGroup, pk=group_id)
context = {
'group': django_group,
'action': 'edit',
'group_name': json.dumps(django_group.name)
}
if request.method == 'POST':
form = GroupEditForm(request.POST, instance=django_group)
if form.is_valid():
form.save()
UserAction.create(action_type='edit_group',
comment=form.cleaned_data['comment'],
user=request.user,
group=django_group)
return redirect('list_accounts')
context['error'] = 'Edition form is not valid'
context['form'] = form
context['current_action'] = 'Edit group %s' % django_group.name
return scirius_render(request, 'accounts/group.html', context)
form = GroupEditForm(instance=django_group)
context['can_edit'] = django_group.name not in GroupEditForm.DEFAULT_GROUPS
context['form'] = form
context['mapping'] = json.dumps(form.mapping)
context['current_action'] = 'Edit role %s' % django_group.name
return scirius_render(request, 'accounts/group.html', context)
def edit_user(request, user_id):
user = get_object_or_404(User, pk=user_id)
context = {'user': user, 'username': json.dumps(user.username)}
if request.method == 'POST':
form = UserSettingsForm(request.POST, instance=user)
if form.is_valid():
user = form.save()
UserAction.create(action_type='edit_user',
comment=form.cleaned_data['comment'],
user=request.user,
other_user=user)
return redirect('list_accounts')
context['error'] = 'Edition form is not valid'
context['form'] = form
context['current_action'] = 'Edit user %s' % user.username
return scirius_render(request, 'accounts/user.html', context)
form = UserSettingsForm(instance=user)
context['form'] = form
context['current_action'] = 'Edit user %s' % user.username
context['is_from_ldap'] = user.sciriususer.is_from_ldap()
return scirius_render(request, 'accounts/user.html', context)
def logoutview(request):
from rules.models import UserAction
UserAction.create(action_type='logout',
user=request.user,
force_insert=True)
logout(request)
return redirect(settings.LOGIN_URL)
def _update_or_create(self, operation, instance, validated_data):
filters = validated_data.pop('filter_defs', None)
comment = validated_data.pop('comment', None)
previous_index = None
new_index = None
index_max = RuleProcessingFilter.objects.aggregate(models.Max('index'))['index__max']
if operation == 'create':
if not filters:
# Error on null and empt list
raise serializers.ValidationError({'filter_defs': ['This field is required.']})
if validated_data.get('index') is None:
if index_max is None:
validated_data['index'] = 0
else:
validated_data['index'] = index_max + 1
else:
new_index = validated_data['index']
if new_index != 0 and (index_max is None or new_index > index_max + 1):
raise serializers.ValidationError({'index': ['Invalid index value (too high).']})
instance = super(RuleProcessingFilterSerializer, self).create(validated_data)
user_action = 'create'
else:
if filters is not None and len(filters) == 0:
# Error on empty list only
raise serializers.ValidationError({'filter_defs': ['This field is required.']})
if 'index' in validated_data:
previous_index = instance.index
new_index = validated_data['index']
if new_index is None:
new_index = index_max + 1
validated_data['index'] = new_index
elif new_index > index_max + 1:
raise serializers.ValidationError({'index': ['Invalid index value (too high).']})
instance = super(RuleProcessingFilterSerializer, self).update(instance, validated_data)
user_action = 'edit'
self._reorder(instance, previous_index, new_index)
if filters:
try:
self._set_filters(instance, filters)
except:
if operation == 'create':
instance.delete()
raise
UserAction.create(
action_type='%s_rule_filter' % user_action,
comment=comment,
user=self.context['request'].user,
rule_filter=instance
)
return instance
def _update_or_create(self, operation, instance, validated_data):
filters = validated_data.pop('filter_defs', None)
comment = validated_data.pop('comment', None)
previous_index = None
new_index = None
index_max = RuleProcessingFilter.objects.aggregate(models.Max('index'))['index__max']
if operation == 'create':
if not filters:
# Error on null and empt list
raise serializers.ValidationError({'filter_defs': ['This field is required.']})
if validated_data.get('index') is None:
if index_max is None:
validated_data['index'] = 0
else:
validated_data['index'] = index_max + 1
else:
new_index = validated_data['index']
if new_index != 0 and (index_max is None or new_index > index_max + 1):
raise serializers.ValidationError({'index': ['Invalid index value (too high).']})
instance = super(RuleProcessingFilterSerializer, self).create(validated_data)
user_action = 'create'
else:
if filters is not None and len(filters) == 0:
# Error on empty list only
raise serializers.ValidationError({'filter_defs': ['This field is required.']})
if 'index' in validated_data:
previous_index = instance.index
new_index = validated_data['index']
if new_index is None:
new_index = index_max + 1
validated_data['index'] = new_index
elif new_index > index_max + 1:
raise serializers.ValidationError({'index': ['Invalid index value (too high).']})
instance = super(RuleProcessingFilterSerializer, self).update(instance, validated_data)
user_action = 'edit'
self._reorder(instance, previous_index, new_index)
if filters:
try:
self._set_filters(instance, filters)
except:
if operation == 'create':
instance.delete()
raise
UserAction.create(
action_type='%s_rule_filter' % user_action,
comment=comment,
user=self.context['request'].user,
rule_filter=instance
)
return instance
def update(request):
suri = get_suri()
if not request.user.is_staff:
return redirect('/')
if suri is None:
form = SuricataForm()
context = {'creation': True, 'form': form}
return scirius_render(request, 'suricata/edit.html', context)
if request.method == 'POST':
form = SuricataUpdateForm(request.POST)
if not form.is_valid():
return scirius_render(request, 'suricata/update.html', {
'suricata': suri,
'error': "Invalid form"
})
message = []
if form.cleaned_data['reload']:
try:
suri.ruleset.update()
except IOError as errors:
return index(request,
error="Can not fetch data: %s" % (errors))
message.append("Rule downloaded at %s." %
str(suri.ruleset.updated_date))
if form.cleaned_data['build']:
suri.generate()
suri.updated_date = timezone.now()
suri.save()
message.append("Successful ruleset build at %s." %
str(suri.updated_date))
if form.cleaned_data['push']:
ret = suri.push()
suri.updated_date = timezone.now()
suri.save()
if ret:
message.append("Successful asked ruleset reload at %s." %
str(suri.updated_date))
else:
message.append("Suricata restart already asked.")
UserAction.create(action_type='edit_suricata',
comment=form.cleaned_data['comment'],
user=request.user,
suricata=suri)
context = {'message': message, 'suricata': suri}
return scirius_render(request, 'suricata/update.html', context)
else:
return scirius_render(request, 'suricata/update.html', {
'suricata': suri,
'form': CommentForm()
})
def edit(request):
suri = get_suri()
if request.method == 'POST':
if suri:
suri.updated_date = timezone.now()
form = SuricataForm(request.POST, instance=suri)
else:
form = SuricataForm(request.POST)
if form.is_valid():
if suri:
form.save()
UserAction.create(
action_type='edit_suricata',
comment=form.cleaned_data['comment'],
user=request.user,
suricata=suri
)
return redirect(index)
try:
suricata = Suricata.objects.create(
name=form.cleaned_data['name'],
descr=form.cleaned_data['descr'],
output_directory=form.cleaned_data['output_directory'],
created_date=timezone.now(),
updated_date=timezone.now(),
ruleset=form.cleaned_data['ruleset'],
yaml_file=form.cleaned_data['yaml_file'],
)
except IntegrityError as error:
return scirius_render(
request,
'suricata/edit.html',
{'form': form, 'error': error}
)
UserAction.create(
action_type='create_suricata',
comment=form.cleaned_data['comment'],
user=request.user,
suricata=suricata
)
return redirect(index)
else:
return scirius_render(
request,
'suricata/edit.html',
{'form': form, 'error': 'Invalid form'}
)
else:
if suri:
form = SuricataForm(instance=suri)
else:
form = SuricataForm()
missing = dependencies_check(Suricata)
return scirius_render(request, 'suricata/edit.html', {'form': form, 'missing': missing})
def logoutview(request):
from rules.models import UserAction
UserAction.create(
action_type='logout',
user=request.user,
force_insert=True
)
logout(request)
return redirect(settings.LOGIN_URL)
def destroy(self, request, *args, **kwargs):
ruleset = self.get_object()
comment = request.data.pop('comment', None)
comment_serializer = CommentSerializer(data={'comment': comment})
comment_serializer.is_valid(raise_exception=True)
UserAction.create(action_type='delete_ruleset',
user=request.user,
ruleset=ruleset,
comment=comment_serializer.validated_data['comment'])
return super(RulesetViewSet, self).destroy(request, *args, **kwargs)
def loginview(request, target):
if request.method == 'POST':
form = LoginForm(request.POST)
if not form.is_valid(): # All validation rules pass
form = LoginForm()
context = {'form': form, 'error': 'Invalid form'}
return scirius_render(request, 'accounts/login.html', context)
username = form.cleaned_data['username']
password = form.cleaned_data['password']
user = authenticate(username=username, password=password)
if user is not None:
if user.is_active:
login(request, user)
try:
sciriususer = SciriusUser.objects.get(user=user)
sciriususer.sciriususerapp
except (SciriusUser.DoesNotExist, AttributeError):
SciriusUser.objects.get_or_create(
user=user, defaults={'timezone': 'UTC'})
get_middleware_module('common').update_scirius_user_class(
user, form.cleaned_data)
if not form.cleaned_data['persistent']:
request.session.set_expiry(0)
logger = logging.getLogger('authentication')
logger.info("Successful login for '%s' from '%s'", username,
get_client_ip(request))
UserAction.create(action_type='login',
user=user,
force_insert=True)
return redirect("/" + target)
else:
form = LoginForm()
context = {'form': form, 'error': 'Disabled account'}
logger = logging.getLogger('authentication')
logger.error(
"Invalid login attempt for disabled account '%s' from '%s'",
username, get_client_ip(request))
return scirius_render(request, 'accounts/login.html', context)
else:
form = LoginForm()
context = {'form': form, 'error': 'Invalid login'}
logger = logging.getLogger('authentication')
logger.error("Invalid login attempt for '%s' from '%s'", username,
get_client_ip(request))
return scirius_render(request, 'accounts/login.html', context)
else:
form = LoginForm()
context = {'form': form}
return scirius_render(request, 'accounts/login.html', context)
def destroy(self, request, *args, **kwargs):
old_user = self.get_object()
# Do not need to copy 'request.data' and pop 'comment'
# because we are not using serializer there
comment = request.data.get('comment', None)
comment_serializer = CommentSerializer(data={'comment': comment})
comment_serializer.is_valid(raise_exception=True)
UserAction.create(action_type='delete_user',
user=request.user,
old_user=old_user.user,
comment=comment_serializer.validated_data['comment'])
return super(AccountViewSet, self).destroy(request, *args, **kwargs)
def destroy(self, request, *args, **kwargs):
transfo = self.get_object()
comment = request.data.pop('comment', None)
comment_serializer = CommentSerializer(data={'comment': comment})
comment_serializer.is_valid(raise_exception=True)
UserAction.create(action_type='delete_transform_ruleset',
comment=comment_serializer.validated_data['comment'],
user=request.user,
transformation='%s: %s' %
(transfo.key, transfo.value.title()),
ruleset=transfo.ruleset_transformation)
return super(RulesetTransformationViewSet,
self).destroy(request, *args, **kwargs)
def loginview(request, target):
if request.method == 'POST':
form = LoginForm(request.POST)
if not form.is_valid(): # All validation rules pass
form = LoginForm()
context = {'form': form, 'error': 'Invalid form'}
return scirius_render(request, 'accounts/login.html', context)
username = form.cleaned_data['username']
password = form.cleaned_data['password']
user = authenticate(username=username, password=password)
if user is not None:
if user.is_active:
login(request, user)
try:
sciriususer = SciriusUser.objects.get(user=user)
except SciriusUser.DoesNotExist:
sciriususer = SciriusUser.objects.create(user=user,
timezone='UTC')
if not form.cleaned_data['persistent']:
request.session.set_expiry(0)
logger = logging.getLogger('authentication')
logger.info("Successful login for '%s' from '%s'", username,
get_real_ip(request))
from rules.models import UserAction
UserAction.create(action_type='login',
user=user,
force_insert=True)
return redirect("/" + target)
else:
form = LoginForm()
context = {'form': form, 'error': 'Disabled account'}
logger = logging.getLogger('authentication')
logger.error(
"Invalid login attempt for disabled account '%s' from '%s'",
username, get_real_ip(request))
return scirius_render(request, 'accounts/login.html', context)
else:
form = LoginForm()
context = {'form': form, 'error': 'Invalid login'}
logger = logging.getLogger('authentication')
logger.error("Invalid login attempt for '%s' from '%s'", username,
get_real_ip(request))
return scirius_render(request, 'accounts/login.html', context)
else:
form = LoginForm()
context = {'form': form}
return scirius_render(request, 'accounts/login.html', context)
def delete_user(request, user_id):
if request.method != 'POST':
return HttpResponseNotAllowed('Only POST here')
user = get_object_or_404(User, pk=user_id)
comment_form = CommentForm(request.POST)
if not comment_form.is_valid():
return JsonResponse({'error': '\n'.join(comment_form.errors)})
user.delete()
UserAction.create(action_type='delete_user',
comment=comment_form.cleaned_data['comment'],
user=request.user,
old_user=user)
return JsonResponse({'redirect': '/accounts/user/'})
def update(self, request, pk, *args, **kwargs):
data = request.data.copy()
comment = data.pop('comment', None)
instance = self.get_object()
serializer = self.get_serializer(instance,
data=request.data,
partial=False)
serializer.is_valid(raise_exception=True)
comment_serializer = CommentSerializer(data={'comment': comment})
comment_serializer.is_valid(raise_exception=True)
UserAction.create(action_type='edit_user',
comment=comment_serializer.validated_data['comment'],
user=request.user,
other_user=serializer.instance.user)
return super(AccountViewSet, self).update(request, pk, *args, **kwargs)
def loginview(request, target):
if request.method == 'POST':
form = LoginForm(request.POST)
if not form.is_valid(): # All validation rules pass
form = LoginForm()
context = { 'form': form, 'error': 'Invalid form' }
return scirius_render(request, 'accounts/login.html', context)
username = form.cleaned_data['username']
password = form.cleaned_data['password']
user = authenticate(username=username, password=password)
if user is not None:
if user.is_active:
login(request, user)
try:
sciriususer = SciriusUser.objects.get(user=user)
except SciriusUser.DoesNotExist:
sciriususer = SciriusUser.objects.create(user=user, timezone = 'UTC')
if not form.cleaned_data['persistent']:
request.session.set_expiry(0)
logger = logging.getLogger('authentication')
logger.info("Successful login for '%s' from '%s'", username, get_real_ip(request))
from rules.models import UserAction
UserAction.create(
action_type='login',
user=user,
force_insert=True
)
return redirect("/" + target)
else:
form = LoginForm()
context = { 'form': form, 'error': 'Disabled account' }
logger = logging.getLogger('authentication')
logger.error("Invalid login attempt for disabled account '%s' from '%s'", username, get_real_ip(request))
return scirius_render(request, 'accounts/login.html', context)
else:
form = LoginForm()
context = { 'form': form, 'error': 'Invalid login' }
logger = logging.getLogger('authentication')
logger.error("Invalid login attempt for '%s' from '%s'", username, get_real_ip(request))
return scirius_render(request, 'accounts/login.html', context)
else:
form = LoginForm()
context = { 'form': form }
return scirius_render(request, 'accounts/login.html', context)
def create(self, request, *args, **kwargs):
data = request.data.copy()
comment = data.pop('comment', None)
serializer = AccountSerializer(data=data)
serializer.is_valid(raise_exception=True)
serializer.save()
comment_serializer = CommentSerializer(data={'comment': comment})
comment_serializer.is_valid(raise_exception=True)
UserAction.create(action_type='create_user',
comment=comment_serializer.validated_data['comment'],
user=request.user,
new_user=serializer.instance.user)
headers = self.get_success_headers(serializer.data)
return Response(serializer.data,
headers=headers,
status=status.HTTP_201_CREATED)
def destroy(self, request, *args, **kwargs):
from rules.rest_api import CommentSerializer
comment_serializer = CommentSerializer(data=request.data)
comment_serializer.is_valid(raise_exception=True)
UserAction.create(
action_type='delete_rule_filter',
comment=comment_serializer.validated_data.get('comment'),
user=request.user,
rule_filter=self.get_object()
)
index = self.get_object().index
response = super(RuleProcessingFilterViewSet, self).destroy(request, *args, **kwargs)
# Update index values
RuleProcessingFilter.objects.filter(index__gt=index).update(index=models.F('index') - 1)
return response
def destroy(self, request, *args, **kwargs):
from rules.rest_api import CommentSerializer
comment_serializer = CommentSerializer(data=request.data)
comment_serializer.is_valid(raise_exception=True)
UserAction.create(
action_type='delete_rule_filter',
comment=comment_serializer.validated_data.get('comment'),
user=request.user,
rule_filter=self.get_object()
)
index = self.get_object().index
response = super(RuleProcessingFilterViewSet, self).destroy(request, *args, **kwargs)
# Update index values
RuleProcessingFilter.objects.filter(index__gt=index).update(index=models.F('index') - 1)
return response
def delete_group(request, group_id):
if request.method != 'POST':
return HttpResponseNotAllowed('Only POST here')
group = get_object_or_404(DjangoGroup, pk=group_id)
comment_form = CommentForm(request.POST)
if not comment_form.is_valid():
return JsonResponse({'error': '\n'.join(comment_form.errors)})
Group.objects.filter(
priority__gt=group.group.priority, ).update(priority=F('priority') - 1)
group.delete()
UserAction.create(action_type='delete_group',
comment=comment_form.cleaned_data['comment'],
user=request.user,
group=group.group)
return JsonResponse({'redirect': '/accounts/role/'})
def create(self, request, *args, **kwargs):
comment = request.data.pop('comment', None)
serializer = RulesetSerializer(data=request.data)
serializer.is_valid(raise_exception=True)
serializer.save()
comment_serializer = CommentSerializer(data={'comment': comment})
comment_serializer.is_valid(raise_exception=True)
ruleset = Ruleset.objects.filter(pk=serializer.data['pk'])[0]
UserAction.create(action_type='create_ruleset',
comment=comment_serializer.validated_data['comment'],
user=request.user,
ruleset=ruleset)
headers = self.get_success_headers(serializer.data)
return Response(serializer.data,
status=status.HTTP_201_CREATED,
headers=headers)
def _update_or_partial_update(self, request, partial, *args, **kwargs):
comment = request.data.pop('comment', None)
instance = self.get_object()
serializer = self.get_serializer(instance,
data=request.data,
partial=partial)
serializer.is_valid(raise_exception=True)
# This save is used to have the new name if user has edited ruleset name
serializer.save()
comment_serializer = CommentSerializer(data={'comment': comment})
comment_serializer.is_valid(raise_exception=True)
UserAction.create(action_type='edit_ruleset',
comment=comment_serializer.validated_data['comment'],
user=request.user,
ruleset=instance)
def manageview(request, action):
context = {'action': 'User management'}
if request.method == 'POST':
form = UserCreationForm(request.POST)
if form.is_valid():
if request.user.is_superuser:
ruser = form.save()
sciriususer = SciriusUser.objects.create(user=ruser,
timezone='UTC')
sciriususer.save()
UserAction.create(action_type='create_user',
comment=form.cleaned_data['comment'],
user=request.user,
new_user=sciriususer.user)
else:
context['error'] = 'Not enough permission to create users'
else:
if action != 'add':
context['error'] = 'Invalid form'
else:
context['error'] = 'Username and/or password are not valid'
context['form'] = form
return scirius_render(request, 'accounts/user.html', context)
else:
if request.user.is_superuser is False:
if len(action) == 0:
action = 'list'
context['error'] = 'Not enough permission to %s users' % action
return scirius_render(request, 'accounts/user.html', context)
if (action == 'add'):
form = UserCreationForm()
context = {'form': form, 'current_action': 'Add user'}
return scirius_render(request, 'accounts/user.html', context)
return scirius_listing(request,
User,
'Users',
adduri="/accounts/manage/add")
def create(self, request, *args, **kwargs):
comment = request.data.pop('comment', None)
serializer = self.get_serializer(data=request.data)
serializer.is_valid(raise_exception=True)
serializer.save()
comment_serializer = CommentSerializer(data={'comment': comment})
comment_serializer.is_valid(raise_exception=True)
ruleset = serializer.validated_data['ruleset_transformation']
trans_type = serializer.validated_data['key']
trans_value = serializer.validated_data['value']
UserAction.create(action_type='transform_ruleset',
comment=comment_serializer.validated_data['comment'],
user=request.user,
transformation='%s: %s' %
(trans_type, trans_value.title()),
ruleset=ruleset)
headers = self.get_success_headers(serializer.data)
return Response(serializer.data,
status=status.HTTP_201_CREATED,
headers=headers)
def manageuseraction(request, user_id, action):
user = get_object_or_404(User, pk=user_id)
context = {'action': 'User actions', 'user': user}
if request.method == 'POST':
if not request.user.is_superuser:
context['error'] = 'Unsufficient permissions'
return scirius_render(request, 'accounts/user.html', context)
if action == "edit":
form = UserSettingsForm(request.POST, instance = user)
if form.is_valid():
form.save()
try:
sciriususer = user.sciriususer
sciriususer.timezone = form.cleaned_data['timezone']
except:
sciriususer = SciriusUser.objects.create(user = user, timezone = form.cleaned_data['timezone'])
sciriususer.save()
UserAction.create(
action_type='edit_user',
comment=form.cleaned_data['comment'],
user=request.user,
other_user=user
)
else:
context['error'] = 'Edition form is not valid'
context['form'] = form
elif action == 'password':
form = PasswordForm(request.POST)
if form.is_valid():
user.set_password(form.cleaned_data['password'])
user.save()
if user == request.user:
# If the user change his own password prevent the session to be invalidated
update_session_auth_hash(request, user)
UserAction.create(
action_type='edit_user_password',
comment=form.cleaned_data['comment'],
user=request.user,
other_user=user
)
else:
context['error'] = 'Password form is not valid'
elif action == "delete":
form = DeleteForm(request.POST)
if form.is_valid():
if request.POST.__contains__('confirm'):
user.delete()
UserAction.create(
action_type='delete_user',
comment=form.cleaned_data['comment'],
user=request.user,
old_user=user
)
return redirect('/accounts/manage/')
else:
context['error'] = 'Delete form is not valid'
return scirius_render(request, 'accounts/user.html', context)
if not request.user.is_superuser:
context['error'] = 'Unsufficient permissions'
context['user'] = get_object_or_404(User, pk=request.user.pk)
return scirius_render(request, 'accounts/user.html', context)
if action == "activate":
user.is_active = True
user.save()
context['current_action'] = 'Activate user %s' % user.username
elif action == "deactivate":
user.is_active = False
user.save()
context['current_action'] = 'Deactivate user %s' % user.username
elif action == "edit":
form = UserSettingsForm(instance = user)
try:
form.initial['timezone'] = user.sciriususer.timezone
except:
pass
context['form'] = form
context['current_action'] = 'Edit user %s' % user.username
return scirius_render(request, 'accounts/user.html', context)
elif action == "password":
form = PasswordForm()
context['form'] = form
context['current_action'] = 'Edit password for user %s' % user.username
return scirius_render(request, 'accounts/user.html', context)
elif action == "delete":
form = DeleteForm()
context = {'confirm_action': 'Delete user', 'user': user, 'action': 'delete', 'form': form}
return scirius_render(request, 'accounts/user.html', context)
context['current_action'] = 'User %s' % user.username
return scirius_render(request, 'accounts/user.html', context)
def editview(request, action):
if request.user.is_authenticated():
request_data = None
context = {}
if request.method == 'POST':
request_data = request.POST
if action == 'password':
form = PasswordChangeForm(user=request.user, data=request_data)
context = {'form': form, 'action': 'Change password', 'edition': True}
elif action == 'settings':
tz = 'UTC'
if hasattr(request.user, 'sciriususer'):
tz = request.user.sciriususer.timezone
initial = {'timezone': tz}
if request.user.is_superuser:
form = UserSettingsForm(request_data, instance=request.user, initial=initial)
else:
form = NormalUserSettingsForm(request_data, instance=request.user, initial=initial)
context = {'form': form, 'action': 'Edit settings for ' + request.user.username, 'edition': True}
elif action == 'token':
initial = {}
token = Token.objects.filter(user=request.user)
if len(token):
initial['token'] = token[0]
form = TokenForm(request_data, initial=initial)
context = {'form': form, 'action': 'User token', 'edition': True}
else:
context = {'action': 'User settings', 'edition': False}
if request.method == 'POST':
orig_superuser = request.user.is_superuser
orig_staff = request.user.is_staff
if form.is_valid():
if action == 'token':
current_tokens = Token.objects.filter(user=request.user)
for token in current_tokens:
token.delete()
Token.objects.create(user=request.user)
UserAction.create(
action_type='edit_user_token',
comment=form.cleaned_data['comment'],
user=request.user,
other_user=request.user
)
return redirect('accounts_edit', action='token')
context['edition'] = False
context['action'] = 'User settings'
ruser = form.save(commit = False)
if not orig_superuser:
ruser.is_superuser = False
ruser.is_staff = orig_staff
ruser.save()
if action == 'password':
update_session_auth_hash(request, ruser)
UserAction.create(
action_type='edit_user_password',
comment=form.cleaned_data['comment'],
user=request.user,
other_user=request.user
)
if action == 'settings':
try:
sciriususer = ruser.sciriususer
sciriususer.timezone = form.cleaned_data['timezone']
except:
sciriususer = SciriusUser.objects.create(user = ruser, timezone = form.cleaned_data['timezone'])
UserAction.create(
action_type='edit_user',
comment=form.cleaned_data['comment'],
user=request.user,
other_user=request.user
)
sciriususer.save()
return scirius_render(request, 'accounts/edit.html', context)
