def get(self, username=None): try: checkout_info = payment.get_checkout_data(self.user, GlobalConfig.get_configs()) if checkout_info == 'free': self.redirect('/', abort=True) except payment.coupon.InActiveCouponExpcetion as e: lr = tt_logging.construct_log(msg_short='Error Processing User\'s Checkout', msg=e.message, log_type=tt_logging.PAYMENT, request=self.request, request_user=self.user) log.error(lr['dict_msg']['msg'], extra=lr) raise HttpErrorException.bad_request('There was an error processing your checkout') except Exception as e: lr = tt_logging.construct_log(msg_short='Error Processing User\'s Checkout', msg=e.message, log_type=tt_logging.PAYMENT, request=self.request, request_user=self.user) log.error(lr['dict_msg']['msg'], extra=lr) raise template_data = { 'title': 'thinkTank Checkout', 'nav_bar_title': 'thinkTank', 'domain': self.request.host_url, 'merchant': self.user.merchant, 'payment_plan': checkout_info['items']['pay_plan'], 'jwt_token': checkout_info['jwt_token'], 'production': server.PRODUCTION, } if 'adjusted_plan' in checkout_info['items']: template_data['adjusted_plan'] = checkout_info['items']['adjusted_plan'] template_index = JINJA_ENVIRONMENT.get_template('checkout.html') self.response.write(template_index.render(template_data))
def new(request, request_data, request_user): if not request_user.is_super_admin: lr = tt_logging.construct_log( msg_short='Non-Admin User Tried Creating New Organization', log_type=tt_logging.SECURITY, request_user=request_user, request=request) log.warning(lr['dict_msg']['msg'], extra=lr) raise HttpErrorException.forbidden() if request_data.get('name') is None: raise HttpErrorException.bad_request('no name given') if request_data.get('id') is None: raise HttpErrorException.bad_request('no organization id given') org = Organization( key=Organization.create_key(request_data.get('id').strip())) org.name = request_data.get('name').strip() org.groups.append(Group.get_worldshare_key()) if request_data.get('description') is not None: org.description = request_data.get('description') if request_data.get('domain') is not None: org.domain = request_data.get('domain') if request_data.get('owner') is not None: org.owner = request_data.get('owner') if request_data.get('webpage') is not None: org.webpage = request_data.get('webpage') if request_data.get('point_of_contact') is not None: org.point_of_contact = request_data.get('point_of_contact') if request_data.get('email') is not None: org.email = request_data.get('email') if request_data.get('phone') is not None: org.phone = request_data.get('phone') if request_data.get('fax') is not None: org.fax = request_data.get('fax') if request_data.get('account_type') is not None: org.account_type = request_data.get('account_type') group = Group(key=Group.create_key(), name=org.name, description=str(org.name) + '\'s organization group', organization=org.key, active=True) group.put() org.groups.append(group.key) org.org_group = group.key org.put() lr = tt_logging.construct_log(msg_short='New Organization Was Created', log_type=tt_logging.DEFAULT, request_user=request_user, request=request, artifact=org) log.info(lr['dict_msg']['msg'], extra=lr) return org.to_dict()
def edit(request, request_data, request_user): org = None if not request_user.is_admin and org.organization == request_user.key: lr = tt_logging.construct_log( msg_short='Non-Admin User Tried Altering Organization', log_type=tt_logging.SECURITY, request_user=request_user, request=request, artifact=org) log.warning(lr['dict_msg']['msg'], extra=lr) raise HttpErrorException.forbidden() if request_data.get('add'): if request_data.get('admin'): if request_data.get('user_id') == '': raise HttpErrorException.bad_request('no user_id given') user = ndb.Key('User', request_data.get('user_id')) if not user: raise HttpErrorException.bad_request( 'invalid user_id given') if user.key not in org.admins: lr = tt_logging.construct_log( msg_short='User Was Added as Organization Admin', log_type=tt_logging.USER, request_user=request_user, request=request, artifact=org, affected_user=user) log.info(lr['dict_msg']['msg'], extra=lr) org.admins.append(user.key) if request_data.get('remove'): if request_data.get('remove') == 'admin': if request_data.get('user_id') == '': raise HttpErrorException.bad_request('no user_id given') user = ndb.Key('User', request_data.get('user_id')) if not user: raise HttpErrorException.bad_request( 'invalid user_id given') if user.key in org.admins: lr = tt_logging.construct_log( msg_short='User Was Removed as Organization Admin', log_type=tt_logging.USER, request_user=request_user, request=request, artifact=org, affected_user=user) log.info(lr['dict_msg']['msg'], extra=lr) org.admins.remove(user.key) org.put()
def post(self, user_id=None): if not user_id: raise HttpErrorException.bad_request('no user id given') user = User.get_by_id(user_id) if not user: raise HttpErrorException.bad_request('invalid user id given') if user != self.user and not self.user.is_super_admin: lr = tt_logging.construct_log( msg_short='Non-Admin User try to Alter Another User\'s Billing', msg='User (%s) attemped to change another user\'s (%s) ' 'billing information' % (self.user.key.id(), user.key.id()), log_type=tt_logging.SECURITY, request_user=self.user, affected_user=user, request=self.request ) log.warning(lr['dict_msg']['msg'], extra=lr) raise HttpErrorException.forbidden() if self.json_request.get('subscribe'): pay_plan = self.json_request.get('subscribe') if user.is_billable_account(): raise HttpErrorException.bad_request('user already has billable account') checkout_url = user.setup_billable_account(pay_plan) self.write_json_response({'checkout_url': checkout_url})
def on_authentication_fail(self, method): lr = tt_logging.construct_log( msg_short='Non-logged in User Attempted to Access Admin Panel', log_type=tt_logging.SECURITY, request=self.request) log.warning(lr['dict_msg']['msg'], extra=lr) raise HttpErrorException.unauthorized()
def get(self, verification_id): if not verification_id: return HttpErrorException.bad_request('no verification id given') if self.request.get('username') == '': return HttpErrorException.bad_request('no username given') user = User.get_by_id(self.request.get('username')) if not user: return HttpErrorException.bad_request('invilad username') if user.email_verification.verify_id == verification_id: user.email_verification.verified = True user.put() lr = tt_logging.construct_log( msg_short='User has verified their email', msg='User has verified their email: ' + user.email, log_type=tt_logging.USER, affected_user=user ) log.info(lr['dict_msg']['msg'], extra=lr) self.redirect('/') else: return HttpErrorException.bad_request('invalid verification id')
def post(self, organization): if not organization and not Organization.valid_id(organization): raise HttpErrorException.bad_request('invalid organization id') organization = Organization.get_by_id(organization) if organization is None: raise HttpErrorException.bad_request('invalid organization id') user = user_user.User.get_by_id(self.json_request.get('username')) if user is None: raise HttpErrorException.bad_request('bad username') if not self.user.is_admin: lr = tt_logging.construct_log( msg_short='Non-Admin User Tried Adding Org Admin', msg='A Non-Admin user try setting another user as admin', log_type=tt_logging.SECURITY, request_user=self.user, affected_user=user, request=self.request, artifact=organization ) log.warning(lr['dict_msg']['msg'], extra=lr) raise HttpErrorException.forbidden() is_admin = self.json_request.get('is_admin') if is_admin is None and not type(is_admin) == bool: raise HttpErrorException.bad_request('invalid admin settings') if is_admin: if user.key not in organization.admins: organization.admins.append(user.key) organization.put() lr = tt_logging.construct_log( msg_short='User was made organization admin', log_type=tt_logging.USER, request_user=self.user, affected_user=user, artifact=organization, request=self.request ) log.info(lr['dict_msg']['msg'], extra=lr) else: if user.key in organization.admins: organization.admins.remove(user.key) organization.put() lr = tt_logging.construct_log( msg_short='User was removed as organization admin', log_type=tt_logging.USER, request_user=self.user, affected_user=user, artifact=organization, request=self.request ) log.info(lr['dict_msg']['msg'], extra=lr)
def post(self, group): if not group and Group.valid_id(group): raise HttpErrorException.bad_request('invalid group id') group = Group.get_by_id(group) if group is None: raise HttpErrorException.bad_request('invalid group id') if not self.json_request.get('username', None): raise HttpErrorException.bad_request('invalid username') user = user_user.User.get_by_id(self.json_request.get('username')) if user is None: raise HttpErrorException.bad_request('invalid username') if not self.user.is_admin and not group.is_admin(self.user): lr = tt_logging.construct_log( msg_short='Non-Admin User Tried To Give Group Admin', msg='User (%s) tried to give User (%s) group admin for group (%s)Request:' '%s' % (self.user.key.id(), user.key.id(), group.key.id(), str(self.request)), log_type=tt_logging.SECURITY, request_user=self.user, affected_user=user, artifact=group, request=self.request ) log.warning(lr['dict_msg']['msg'], extra=lr) raise HttpErrorException.forbidden() is_group_admin = self.json_request.get('is_group_admin') if is_group_admin is None: raise HttpErrorException.bad_request('no group settings') if is_group_admin: if user.key not in group.admins: group.admins.append(user.key) group.put() lr = tt_logging.construct_log( msg_short='User was set a group admin', log_type=tt_logging.USER, request_user=self.user, affected_user=user, artifact=group, request=self.request ) log.info(lr['dict_msg']['msg'], extra=lr) else: if user.key in group.admins: group.admins.remove(user.key) group.put() lr = tt_logging.construct_log( msg_short='User was removed as group admin', log_type=tt_logging.USER, request_user=self.user, affected_user=user, artifact=group, request=self.request ) log.info(lr['dict_msg']['msg'], extra=lr)
def _serve_project_page( self, doc, act_con_path, ): open_chal = False if self.request.get('open_chal').lower() == 'false': open_chal = False context_menu = True if self.request.get('context_menu').lower() == 'false': context_menu = False template_index = JINJA_ENVIRONMENT.get_template('project.html') display_name = self.user.display_name short_name = (display_name[:14] + '...') if len(display_name) > 17 else display_name debug_level = 0 if os.environ.get('SERVER_SOFTWARE', '').startswith('Development'): debug_level = 3 try: debug_level = int(self.request.get('debug_level', debug_level)) except ValueError: debug_level = 0 template_data = { 'data': json.dumps({ 'project': self.project.to_dict(self.user), 'user': self.user.to_dict(), 'act_con_path': act_con_path, 'doc': doc.key.id() if doc else None, 'page': 'project', 'debug': self.client_debug, 'check_auth': self.client_check_auth, 'loader_configs': self.loader_configs, 'open_chal': open_chal, 'context_menu': context_menu, 'an_token': self.analytic_session.key.id(), 'debug_level': debug_level, }), 'display_name': short_name, 'project': self.project, } lr = tt_logging.construct_log(msg_short='Opened Project', log_type=tt_logging.USER, request=self.request, artifact=self.project, request_user=self.user) log.info(lr['dict_msg']['msg'], extra=lr) self.response.write(template_index.render(template_data))
def get(self, pay_plan=None): if not self.user.is_super_admin: lr = tt_logging.construct_log( msg_short='Non-Admin User Attemped to Access Payment Plans', log_type=tt_logging.SECURITY, request=self.request, request_user=self.user) log.warning(lr['dict_msg']['msg'], extra=lr) raise HttpErrorException.forbidden() if not pay_plan: self.write_json_response(payment_plan.get_payment_plan_list()) else: raise NotImplementedError()
def get(self, org_id=None): if self.user.is_super_admin: self._serve_site_organizations() elif self.user.is_org_admin: self._serve_user_organization() else: lr = tt_logging.construct_log( msg_short='Non-Admin User Tried Access Organizations', msg='A Non-Admin user tried accessing other organizations', log_type=tt_logging.SECURITY, request_user=self.user, request=self.request ) log.warning(lr['dict_msg']['msg'], extra=lr) raise HttpErrorException.forbidden()
def post(self, secret_key=None): if self.request.get('jwt') == '': lr = tt_logging.construct_log( msg_short='[Google Postback] No JWT Given', log_type=tt_logging.PAYMENT, request=self.request) log.error(lr['dict_msg']['msg'], extra=lr) raise HttpErrorException.bad_request('no jwt token given') try: self.response.write( google_merchant.handle_google_callback( self.request.get('jwt'))) except google_merchant.InvalidSellerDataException as e: lr = tt_logging.construct_log( msg_short='[Google Postback] Invalied Seller Data', msg=e.message, log_type=tt_logging.PAYMENT, request=self.request) log.error(lr['dict_msg']['msg'], extra=lr) raise HttpErrorException.bad_request(e.message) except google_merchant.InvalidOrderIdException as e: lr = tt_logging.construct_log( msg_short='[Google Postback] Invalide Order Id', msg=e.message, log_type=tt_logging.PAYMENT, request=self.request) log.error(lr['dict_msg']['msg'], extra=lr) raise HttpErrorException.bad_request(e.message) except Exception as e: lr = tt_logging.construct_log( msg_short='[Google Postback] Unknow Error', msg=e.message, log_type=tt_logging.PAYMENT, request=self.request) log.error(lr['dict_msg']['msg'], extra=lr) raise HttpErrorException.bad_request(e.message)
def server_error_callback(e, t, v, tb, func, request, user, log_type=tt_logging.EXCEPTION, log_level=logging.ERROR): lr = tt_logging.construct_log(msg_short=e.message, request=request, msg='\n\nTraceBack:\n' + traceback.format_exc(tb), log_type=log_type, request_user=user) log.log(log_level, lr['dict_msg']['msg'], extra=lr)
def _serve_org_project_json(self): organization = Organization.get_by_id( self.request.get('organization_id')) if not self.user.is_admin: lr = tt_logging.construct_log( msg_short='Non-Admin User Attemped to Access all Org Projects', log_type=tt_logging.SECURITY, request=self.request, artifact=organization, request_user=self.user) log.warning(lr['dict_msg']['msg'], extra=lr) raise HttpErrorException.forbidden() else: project_arry = Project.get_org_projects(organization, self.user) self.write_json_response(project_arry)
def get(self): if self.request.get('organization_groups') is not '': if self.request.get('organization_groups') == 'all': organization = Organization.get_by_id(self.request.get('organization')) if organization.is_user(self.user) or self.user.is_super_admin: hidden = False if self.request.get('hidden') is not '': hidden = self.request.get('hidden') group_array = organization.get_all_groups() if hidden and self.user.is_admin: hidden_group_array = organization.get_all_hidden_groups() group_array = group_array + hidden_group_array elif self.user.is_admin: hidden_group_array = organization.get_all_hidden_groups() group_array = group_array + hidden_group_array else: user_hidden_groups = organization.get_user_hidden_groups(self.user) for group in user_hidden_groups: group_array.append(group.to_dict()) self.write_json_response(group_array) else: lr = tt_logging.construct_log( msg_short='User Tried Access Organization Groups', msg='User (%s) tried to access groups that belongs to organization ' '(%s) and they are not in this organization' % (self.user.key.id(), organization.key.id()), log_type=tt_logging.SECURITY, request_user=self.user, artifact=organization, request=self.request ) log.warning(lr['dict_msg']['msg'], extra=lr) raise HttpErrorException.forbidden() elif self.request.get('organization_groups') == 'mine': user_groups = self.user.get_groups() user_groups = ndb.get_multi(user_groups) user_groups_dict_list = [] for group in user_groups: user_groups_dict_list.append(group.to_dict()) self.write_json_response(user_groups_dict_list) else: self._serve_user_groups()
def post(self, secret=None): if not secret: raise HttpErrorException.bad_request('no reset code given') user = User.query(User.password_reset_secret == secret).get() if not user: raise HttpErrorException.bad_request('could not find user for password reset') creds = GenericCredentials(user.username, self.json_request.get('password')) user.password = Password(creds.password) lr = tt_logging.construct_log( msg_short='User has changed their password', log_type=tt_logging.USER, affected_user=user, request=self.request ) log.info(lr['dict_msg']['msg'], extra=lr) user.put()
def put(self, user_id=None): if not self.user.is_admin: lr = tt_logging.construct_log( msg_short='Non-Admin User Try Create New User', msg='User (%s) attemped to create a new user' % (self.user.key.id()), log_type=tt_logging.SECURITY, request_user=self.user, request=self.request ) log.warning(lr['dict_msg']['msg'], extra=lr) raise HttpErrorException.forbidden() if self.json_request.get('username'): org = None if self.json_request.get('organization'): org = Organization.get_by_id(self.json_request.get('organization')) User.new(self.json_request, verify_email=False, request=self.request, worldshare_group=Group.get_worldshare_key(), organization=org)
def delete(self, request): if self.key.id() == 'super_user': raise HttpErrorException.forbidden() organization = self.organization.get() if self.key in organization.groups: organization.groups.remove(self.key) if self.key in organization.hidden_groups: organization.hidden_groups.remove(self.key) organization.put() self.key.delete() lr = tt_logging.construct_log(msg_short='Group Was Deleted', msg='Group (%s) was deleted' % str(self.key), log_type=tt_logging.DEFAULT, request_user=request.user, request=request, artifact=self) log.info(lr['dict_msg']['msg'], extra=lr)
def on_authentication_success(self, user, session, method): if self.requires_admin: if not self.user.is_admin: lr = tt_logging.construct_log( msg_short= 'Non-Admin User Attemped to Prefrom Admin Operations', msg='Method: %s'.format(method), log_type=tt_logging.SECURITY, request_user=self.user, request=self.request) log.warning(lr['dict_msg']['msg'], extra=lr) raise HttpErrorException.forbidden() if user.email_verification_lock() and self.enable_unverified_account: self.redirect('/account/unverified/' + user.username, abort=True) if user.account_locked() and self.enable_locked_account: self.redirect('/account/locked/' + user.username, abort=True) if user.account_expired() and self.enable_expired_account: self.redirect('/account/expired/' + user.username, abort=True) if user.account_disabled() and self.enable_disabled_account: self.redirect('/account/disabled/' + user.username, abort=True)
def get(self): if self.user.is_admin: template_data = { 'title': 'thinkTank', 'user_super_admin': self.user.is_super_admin, 'data': { 'debug': True if self.request.get('debug').lower() == 'true' else False } } template_index = JINJA_ENVIRONMENT.get_template('admin.html') self.response.write(template_index.render(template_data)) else: lr = tt_logging.construct_log( msg_short='Non-Admin User Attemped to Access Admin Panel', log_type=tt_logging.SECURITY, request_user=self.user, request=self.request) log.warning(lr['dict_msg']['msg'], extra=lr) raise HttpErrorException.bad_request()
def _parse_json_request(self): """Return the JSON POST body as Python object or None""" if self.request.method == 'GET': return None if self.strict_parsing and not self._is_request_json(): log.debug( 'Request Content-Type not "application/json", nothing to de-serialize!' ) raise HttpStatus.bad_request() try: json_obj = json.loads(self.request.body) except ValueError, e: lr = tt_logging.construct_log( msg_short='Failed parsing JSON request', log_type=tt_logging.DEFAULT, msg='Failed parsing JSON request: %s'.format(str(e)), user=self.user if self.user else None) log.exception(lr['dict_msg']['msg'], extra=lr) raise HttpStatus.bad_request()
def get(self, user_id=None): if not user_id: raise HttpErrorException.bad_request('no user id given') user = User.get_by_id(user_id) if not user: raise HttpErrorException.bad_request('invalid user id given') if user != self.user and not self.user.is_super_admin: lr = tt_logging.construct_log( msg_short='Non-Admin User try to Alter Another User\'s Billing', msg='User (%s) attemped to change another user\'s (%s) ' 'billing information' % (self.user.key.id(), user.key.id()), log_type=tt_logging.SECURITY, request_user=self.user, affected_user=user, request=self.request ) log.warning(lr['dict_msg']['msg'], extra=lr) raise HttpErrorException.forbidden() template_data = { 'title': 'thinkTank', 'display_name': self.user.display_name, 'nav_bar_title': 'thinkTank', 'domain': self.request.host_url, 'payment_plans': payment_plan.get_payment_plan_list(), 'data': { 'user': json.dumps(self.user.to_dict(user=self.user)) }, } if user.is_billable_account(): template_data['billable_account'] = True else: template_data['billable_account'] = False if user.is_admin: template_data['admin'] = True template_index = JINJA_ENVIRONMENT.get_template('user_billing.html') self.response.write(template_index.render(template_data))
def get(self, project_id=None): if project_id: if not Project.valid_id(project_id): raise HttpErrorException.bad_request('invalid project id') self.project = Project.get_by_id(project_id) if not self.project: raise HttpErrorException.bad_request('invalid project id') if not self.project.has_permission_read(self.user): lr = tt_logging.construct_log( msg_short= 'User does not have permission to access this project', log_type=tt_logging.SECURITY, request=self.request, artifact=self.project, request_user=self.user) log.info(lr['dict_msg']['msg'], extra=lr) self.redirect('/', abort=True) self._serve_page() elif self.request.get('type') == 'json': self._serve_json()
def post(self): for log_record in self.json_request: logger = log_record.get('logger', None) try: timestamp = 'client time: %s' % datetime.datetime.fromtimestamp( float(log_record.get('timestamp'))/1000) except ValueError: timestamp = 'server time: %s' % datetime.datetime.now() url = log_record.get('url', 'No URL Given') message_list = log_record.get('message', 'No Message Given') msg = '' for message in message_list: msg += str(message).replace('\r\n', '\n') msg_complete = 'Client logger: %s\nDatetime: %s\nURL: %s\n%s' % (logger, timestamp, url, msg) lr = tt_logging.construct_log( msg_short='Received Error Log From Client', msg=msg_complete, client_log=True, log_type=tt_logging.USER, request=self.request, request_user=self.user) log.error(lr['dict_msg']['msg'], extra=lr)
def post(self): # TODO: This handler needs broken down into smaller methods. No point cleaning # this up until that is complete. if self.json_request.get('status') == 'login': gc = GlobalConfig.get_configs() user = User.get_by_id(self.json_request.get('username')) if not user: self.request.body = '' # Make sure we don't record the users credentials in plan text lr = tt_logging.construct_log(msg_short='Unknow user attempted to login', log_type=tt_logging.USER, request=self.request) log.info(lr['dict_msg']['msg'], extra=lr) raise HttpErrorException.bad_request('invalid username or password given') if user.login_timeout(): raise HttpErrorException.forbidden() if not gc.allow_non_admin_user_login and not user.is_admin: self.request.body = '' # Make sure we don't record the users credentials in plan text lr = tt_logging.construct_log(msg_short='User attempted to loggin, but login is disabled', log_type=tt_logging.USER, request=self.request, request_user=user) log.info(lr['dict_msg']['msg'], extra=lr) raise HttpErrorException.forbidden() creds = GenericCredentials.from_request(self.json_request) if not creds.authenticate(): user.failed_login_attemps.append(datetime.datetime.now()) self.request.body = '' # Make sure we don't record the users credentials in plan text lr = tt_logging.construct_log(msg_short='User provided invalid credentials', log_type=tt_logging.USER, request=self.request, request_user=user) log.info(lr['dict_msg']['msg'], extra=lr) raise HttpErrorException.bad_request('invalid username or password given') user.failed_login_attemps = [] user.last_login == datetime.datetime.now() user.put() session = login(self.request, creds, User) self.request.body = '' # Make sure we don't record the users credentials in plan text lr = tt_logging.construct_log(msg_short='User logged in', msg='User logged in: session: %s, IP Address: %s' % (session.token, self.request.remote_addr), log_type=tt_logging.USER, request=self.request, request_user=user) log.info(lr['dict_msg']['msg'], extra=lr) self.response.set_cookie('auth_user', base64.b64encode(creds.username)) self.response.set_cookie('user', creds.username) self.response.set_cookie('auth_token', session.token) self.write_json_response({'status': 'success'}) elif self.json_request.get('status') == 'logout': user = User.get_by_id(self.json_request.get('user')) Session.invalidate_cache_for(user) session = Session.get_by_id(user.username) if session is not None: lr = tt_logging.construct_log(msg_short='User logged out', msg='User logged out: session: %s, IP Address: %s' % (session.token, self.request.remote_addr), log_type=tt_logging.USER, request=self.request, request_user=user) log.info(lr['dict_msg']['msg'], extra=lr) session.key.delete() else: lr = tt_logging.construct_log(msg_short='User logged out', msg='User logged out: session: %s, IP Address: %s' % self.request.remote_addr, log_type=tt_logging.USER, request=self.request, request_user=user) log.info(lr['dict_msg']['msg'], extra=lr) elif self.json_request.get('reset_password'): user = User.get_by_id(self.json_request.get('username')) if not user: raise HttpErrorException.bad_request('invalid username') lr = tt_logging.construct_log(msg_short='Password Reset Requested', msg='User has requested password reset', log_type=tt_logging.USER, request=self.request, request_user=user) log.info(lr['dict_msg']['msg'], extra=lr) user.send_password_reset() else: self.write_json_response({'status': 'failed do not know what to do!!!'})
def post(self, phrasing_id=None): if not phrasing_id: raise HttpErrorException.bad_request('no phrasing_id given') phrasing = Phrasing.get_by_id(phrasing_id) if not phrasing: raise HttpErrorException.bad_request('invalid phrasing_id given') if not self.json_request.get('document'): raise HttpErrorException.bad_request('no document given') document = Document.get_by_id(self.json_request.get('document')) if not document: raise HttpErrorException.bad_request('invalid document given') if not document.has_permission(self.user, 'manage_phrasings'): lr = tt_logging.construct_log( msg_short='User does not have manage_phrasing perm', log_type=tt_logging.SECURITY, request=self.request, artifact=document, request_user=self.user) log.info(lr['dict_msg']['msg'], extra=lr) raise HttpErrorException.forbidden() concept = phrasing.concept.get() project = concept.project.get() selected_phrasing = None if document.is_distilled_document( ) and project.key == document.project: concept.distilled_phrasing = phrasing.key concept.put() else: if concept.has_selected_phrasing(document=document): selected_phrasing = concept.get_selected_phrasing(document) selected_phrasing.phrasing = phrasing.key selected_phrasing.put() else: selected_phrasing = SelectedPhrasing(id=Phrasing.create_uuid(), project=concept.project, document=document.key, phrasing=phrasing.key) selected_phrasing.put() concept.selected_phrasings.append(selected_phrasing.key) concept.put() project = document.project.get( ) # Don't want concept's project, this could be a linked concept project.pw_modified_ts = datetime.datetime.now() project.put() self.get_analytic_session() concept.record_analytic('con_phr_cha', self.analytic_session) if selected_phrasing: self.write_json_response(selected_phrasing.to_dict()) action_data = {'document': document.key.id()} trans = Transaction(action='phr_chg', user=self.user.key, artifact=phrasing.key, project=project.key, action_data=action_data) trans.put() self.get_channel_token() channel_tokens = ChannelToken.get_by_project_key( project.key, self.user_channel_token) channel_tokens = ChannelToken.remove_unauthorized_users( channel_tokens, [concept, document, phrasing]) message = { 'user': self.get_user_channel_data(), 'transaction': trans.to_dict(self.user) } ChannelToken.broadcast_message(channel_tokens, message)
def handle_google_callback(jwt_token): from server import GlobalConfig gc = GlobalConfig.get_configs() if SANDBOX_MODE: jwt_token = jwt.decode(jwt_token, SANDBOX_SELLER_SECRET) else: jwt_token = jwt.decode(jwt_token, gc.google_seller_secret) log.info('Google Callback jwt: ' + str(jwt_token)) order_id = jwt_token['response']['orderId'] from models.account.user import User from models import payment if 'request' in jwt_token: user_id = jwt_token['request']['sellerData'] user = User.query(User.user_id == user_id).get() if not user: raise InvalidSellerDataException( 'could not find user to match user_id: ' + str(user_id)) payment.process_payment( user=user, status='complete', discription='Recurrening payment', denomination=jwt_token['request']['recurrence']['currencyCode'], price=jwt_token['request']['initialPayment']['price'] if 'initialPayment' in jwt_token['request'] else 0, rec_price=jwt_token['request']['recurrence']['price'], merchant='Google', order_id=order_id, merchant_data=jwt_token) lr = tt_logging.construct_log(msg_short='[Google Postback] JWT', msg=str(jwt_token), log_type=tt_logging.PAYMENT, user=user) log.info(lr['dict_msg']['msg'], extra=lr) else: if 'statusCode' in jwt_token['response']: if jwt_token['response']['statusCode'] == 'SUBSCRIPTION_CANCELED': trans = Transaction.query( Transaction.order_id == order_id).get() if not trans: raise InvalidOrderIdException( 'Could not find transaction for order id') user = trans.user.get() user.account_expire_data = datetime.datetime.now( ) + datetime.timedelta( days=gc.subscription_account_extension_period) user.account_status = payment.PAID user.put() payment.process_payment( user=user, status='complete', discription='Recurrening canceled', denomination='', price=0, rec_price=0, merchant='Google', order_id=order_id, merchant_data=jwt_token, update_status=False, ) lr = tt_logging.construct_log( msg_short='[Google Postback] JWT', msg=str(jwt_token), log_type=tt_logging.PAYMENT, user=user) log.info(lr['dict_msg']['msg'], extra=lr) return order_id
def import_images(self): concepts = [] deleted_concept = [] image_concept = [] for img_tag in self.image_tags: try: tag = img_tag['img'] src = HTMLImporter.normalize_image_url(self.url, tag['src']) alt = tag.get('alt', None) concept = img_tag['concept'] r = requests.get(src, stream=True) concept.media_id = server.create_uuid() filename = '/' + server.GCS_BUCKET_NAME + '/' + concept.media_id image_data = StringIO(r.content).getvalue() image = images.Image(image_data=image_data) if 'image' not in r.headers['content-type']: deleted_concept.append({ 'concept': concept.key.id(), 'parent_child_count': concept.parent.get().num_of_children(self.user) if concept.parent else None, 'parent': concept.parent.id() if concept.parent else None }) concept.remove_from_parent(concept.project) concept.delete(self.user) continue if image.width < 100 or image.height < 100: deleted_concept.append({ 'concept': concept.key.id(), 'parent_child_count': concept.parent.get().num_of_children(self.user) if concept.parent else None, 'parent': concept.parent.id() if concept.parent else None }) concept.remove_from_parent(concept.project) concept.delete(self.user) else: f = gcs.open(filename, mode='w', content_type=r.headers['content-type']) f.write(image_data) f.close() concept.media_blob = blobstore.create_gs_key('/gs' + filename) concept.media_ready = True concept.media_mime_type = r.headers['content-type'] if alt and alt.rstrip() != '': phr_perm = Permission( permissions=Permission.init_perm_struct( Phrasing.operations_list), key=Permission.create_key(), project=self.project.key) phrasing = Phrasing( key=Phrasing.create_key(), text=alt, concept=concept.key, owner=[self.user.key], permissions=phr_perm.key, originating_document=self.document.key, project=self.project.key) phr_perm.artifact = phrasing.key ndb.put_multi([phrasing, phr_perm]) concept.phrasings.append(phrasing.key) concept.distilled_phrasing = phrasing.key image_concept.append(concept.key.id()) concepts.append(concept) concept.put() except Exception as e: # raise type_, value_, traceback_ = sys.exc_info() ex = traceback.format_exception(type_, value_, traceback_) lr = tt_logging.construct_log( msg_short='Error Importing Image', msg=e.message + '\n\n' + str(ex), log_type=tt_logging.USER, artifact=self.project, request_user=self.user) log.error(lr['dict_msg']['msg'], extra=lr)
def get(self, user_id=None): # TODO: This handler needs broken down into smaller methods. No point cleaning # this up until that is complete. if self.request.get('user_info') is not '': if self.request.get('user_info') == self.user.username or self.user.is_admin: user = User.get_by_id(self.request.get('user_info')) if not user: raise HttpErrorException.bad_request('invalid user id') self.write_json_response(user.to_dict(user=self.user)) elif self.request.get('user_perms') is not '': user = User.get_by_id(self.request.get('user_perms')) if not user: raise HttpErrorException.bad_request('invalid username') if not user.is_admin and not self.user == user: lr = tt_logging.construct_log(msg_short='Non-Admin User Try Accessing Another User', msg='User (%s) attemped to access user\'s (%s) data ' % (self.user.key.id(), user.key.id()), log_type=tt_logging.SECURITY, request_user=self.user, affected_user=user, request=self.request) log.warning(lr['dict_msg']['msg'], extra=lr) raise HttpErrorException.forbidden() user_perms_dict = {} for group_key in user.groups: group = group_key.get() if group is None: user.groups.remove(group_key) user.put() lr = tt_logging.construct_log(msg_short='Broken Group Key in User Group List', msg='Found a broken group key (%s) in the user\'s group list\n' 'Key has been removed' % str(group_key), log_type=tt_logging.USER, request_user=self.user, affected_user=user, request=self.request) log.error(lr['dict_msg']['msg'], extra=lr) elif (group.has_permission(self.user, 'set_user_perms') or group.has_permission(self.user, 'remove_user_perms') or user.key == self.user.key): perms = user.get_group_perms_dict(group) if perms is not None: user_perms_dict[group.key.id()] = perms self.write_json_response(user_perms_dict) elif self.request.get('organization_users') is not '': if self.request.get('organization_users') == 'all': organization = Organization.get_by_id(self.request.get('organization_id')) if organization.is_admin(self.user) or Group.get_by_id('super_admin').key in self.user.groups: user_array = User.get_all_users(organization, request_user=self.user) self.write_json_response(user_array) else: lr = tt_logging.construct_log(msg_short='Non-Admin User Try Accessing Org Users', msg='User (%s) attemped to access all Organization\'s users' % (self.user.key.id()), log_type=tt_logging.SECURITY, request_user=self.user, request=self.request, artifact=organization) log.warning(lr['dict_msg']['msg'], extra=lr) raise HttpErrorException.forbidden() elif self.request.get('non_org') is not '': if not self.user.is_super_admin: lr = tt_logging.construct_log(msg_short='Non-Admin User Try Accessing Org Users', msg='User (%s) attemped to access all Organization\'s users' % (self.user.key.id()), log_type=tt_logging.SECURITY, request_user=self.user, request=self.request) log.warning(lr['dict_msg']['msg'], extra=lr) raise HttpErrorException.forbidden() else: users = User.query(User.organization == None).fetch() users_dicts = [] for user in users: users_dicts.append(user.to_dict()) self.write_json_response(users_dicts)
def edit(command, request, request_data, request_user=None): if command is not None: command = command.split(' ') if request_data.get('group_id') is None: raise HttpErrorException.bad_request('no group id given') group = Group.get_by_id(request_data.get('group_id')) if 'add' in command: if 'admin' in command: if request_data.get('user_id') is None: raise HttpErrorException.bad_request('no user id given') user = ndb.Key('User', request_data.get('user_id')) if (not request_user.is_admin and not group.is_admin(request_user)): lr = tt_logging.construct_log( msg_short= 'Non-Admin User Tried Adding User To Group Admin', log_type=tt_logging.SECURITY, request_user=request_user, request=request, artifact=group, affected_user=user) log.warning(lr['dict_msg']['msg'], extra=lr) raise HttpErrorException.forbidden() if user.key not in group.admins: lr = tt_logging.construct_log( msg_short='User Was Set as Group Admin', log_type=tt_logging.USER, request_user=request_user, request=request, artifact=group, affected_user=user) log.info(lr['dict_msg']['msg'], extra=lr) group.admins.append(user.key) if 'remove' in command: if 'admin' in command: if request_data.get('user_id') is None: raise HttpErrorException.bad_request('no user id given') user = ndb.Key('User', request_data.get('user_id')) if (not request_user.is_admin and not group.is_admin(request_user)): lr = tt_logging.construct_log( msg_short= 'Non-Admin User Tried Removing User From Group Admin', log_type=tt_logging.SECURITY, request_user=request_user, request=request, artifact=group, affected_user=user) log.warning(lr['dict_msg']['msg'], extra=lr) raise HttpErrorException.forbidden() if user.key in group.admins: lr = tt_logging.construct_log( msg_short='User Was Removed as Group Admin', log_type=tt_logging.USER, request_user=request_user, request=request, artifact=group, affected_user=user) log.info(lr['dict_msg']['msg'], extra=lr) group.admins.remove(user.key) if 'set' in command: if 'inactive' in command: if not request_user.is_admin: lr = tt_logging.construct_log( msg_short= 'Non-Admin User Tried Setting Group to Inactive', log_type=tt_logging.SECURITY, request_user=request_user, request=request, artifact=group) log.warning(lr['dict_msg']['msg'], extra=lr) raise HttpErrorException.forbidden() group.active = False if 'active' in command: if not request_user.is_admin: lr = tt_logging.construct_log( msg_short= 'Non-Admin User Tried Setting Group to Active', log_type=tt_logging.SECURITY, request_user=request_user, request=request, artifact=group) log.warning(lr['dict_msg']['msg'], extra=lr) raise HttpErrorException.forbidden() group.active = True group.put() return group.to_dict()