def get(self, user_id): # Session request handler current_session = Session(self) JINJA_ENVIRONMENT.globals['session'] = current_session # Language request handler Language.language(self) # Retrieved user_id to integer user_id = int(user_id) # Retrieve user data user = database.UserManager.select_by_id(user_id) # Check if user can see the profile photo if user.photo is not None: profilePhoto = database.PhotosManager.get_photo_by_id(int(user.photo)) if current_session.get_id() is None: profilePhotoAllowed = False else: requestUser = database.UserManager.select_by_id(current_session.get_id()) if security.PhotoSecurity.user_is_allowed_to_watch_photo(profilePhoto, requestUser): profilePhotoAllowed = True else: profilePhotoAllowed = False else: profilePhotoAllowed = False # Prompt page template = JINJA_ENVIRONMENT.get_template('static/templates/profile.html') self.response.write(template.render(user=user, profilePhotoAllowed=profilePhotoAllowed))
def get(self, option): # Session current_session = Session(self) # Load response template template = JINJA_ENVIRONMENT.get_template('static/templates/api.json') self.response.headers['Content-Type'] = 'application/json' if option == "list": # List all accesible photos photos = database.PhotosManager.retrieveAllPhotos() if current_session.get_id() is None: user = None else: user = database.UserManager.select_by_id(current_session.get_id()) data = '{"photos":[' isAnyPhotoAllowed = False for photo in photos: if security.PhotoSecurity.user_is_allowed_to_watch_photo(photo, user): # Check user has permission to retrieve isAnyPhotoAllowed = True id = photo.key.id() username = photo.owner.get().name date = photo.date name = photo.name data += '{"photo_id": ' + str(id) + ', "username": "******", "date": "' + str( date) + '", "name": "' + name + '"},' if isAnyPhotoAllowed: data = data[:-1] data += ']}' result = "OK" else: # Print method not allowed data = '{"error": "Method not allowed"}' result = "FAIL" self.response.write(template.render(feature="user", data=data, query=self.request.url, result=result))
def get(self, option): # Session current_session = Session(self) # Load response template template = JINJA_ENVIRONMENT.get_template("static/templates/api.json") self.response.headers["Content-Type"] = "application/json" if option == "list": # List all accesible photos photos = database.PhotosManager.retrieveAllPhotos() if current_session.get_id() is None: user = None else: user = database.UserManager.select_by_id(current_session.get_id()) data = '{"photos":[' isAnyPhotoAllowed = False for photo in photos: if security.PhotoSecurity.user_is_allowed_to_watch_photo( photo, user ): # Check user has permission to retrieve isAnyPhotoAllowed = True id = photo.key.id() username = photo.owner.get().name date = photo.date name = photo.name data += ( '{"photo_id": ' + str(id) + ', "username": "******", "date": "' + str(date) + '", "name": "' + name + '"},' ) if isAnyPhotoAllowed: data = data[:-1] data += "]}" result = "OK" else: # Print method not allowed data = '{"error": "Method not allowed"}' result = "FAIL" self.response.write(template.render(feature="user", data=data, query=self.request.url, result=result))
def get(self): # Session request handler current_session = Session(self) JINJA_ENVIRONMENT.globals['session'] = current_session # Language request handler Language.language(self) # Check if user is already logged in if current_session.get_id() is not None: self.redirect("/") return None template = JINJA_ENVIRONMENT.get_template('static/templates/register.html') self.response.write(template.render())
def get(self, photo_id): # Session current_session = Session(self) # Load response template template = JINJA_ENVIRONMENT.get_template("static/templates/api.json") # Retrieve photo url for photo_id photo = database.PhotosManager.get_photo_by_id(int(photo_id)) if current_session.get_id() is None: user = None else: user = database.UserManager.select_by_id(current_session.get_id()) if not photo: self.response.write("No photo") elif not blobstore_2.get(photo.image): self.response.write("No blob") else: # Check visualization permissions to current user if security.PhotoSecurity.user_is_allowed_to_watch_photo(photo, user): self.send_blob(photo.image) else: self.error(404)
def get(self, photo_id): # Session current_session = Session(self) # Load response template template = JINJA_ENVIRONMENT.get_template('static/templates/api.json') # Retrieve photo url for photo_id photo = database.PhotosManager.get_photo_by_id(int(photo_id)) if current_session.get_id() is None: user = None else: user = database.UserManager.select_by_id(current_session.get_id()) if not photo: self.response.write("No photo") elif not blobstore_2.get(photo.image): self.response.write("No blob") else: # Check visualization permissions to current user if security.PhotoSecurity.user_is_allowed_to_watch_photo(photo, user): self.send_blob(photo.image) else: self.error(404)
def get(self): # Session request handler current_session = Session(self) JINJA_ENVIRONMENT.globals['session'] = current_session # Language request handler Language.language(self) # Check if user has session started if current_session.get_id() is None: self.redirect("/") # Logout user current_session.logout(self) # Prompt logout page JINJA_ENVIRONMENT.globals['session'] = current_session template = JINJA_ENVIRONMENT.get_template('static/templates/logout.html') self.response.write(template.render())
def post(self): # Session request handler current_session = Session(self) JINJA_ENVIRONMENT.globals['session'] = current_session # Language request handler Language.language(self) # Check if user is already logged in if current_session.get_id() is not None: self.redirect("/") # Language task Language.language(self) # Load form template = JINJA_ENVIRONMENT.get_template('static/templates/login.html') # Check user and password submitted_username = cgi.escape(self.request.get("username")) submitted_password = hashlib.sha1(cgi.escape(self.request.get("password"))).hexdigest() user = database.UserManager.select_by_username(submitted_username) # Check user exists if user is not None: # Check if user account is blocked or not if user.attempts < 3: # Check if user and password matches if submitted_username == user.name and submitted_password == user.password: # Session initialization current_session.set(self, user.key.id()) # Login attempts to zero database.UserManager.modify_user(user.key, attempts=0) # Redirection to initial page self.redirect("/") else: # Add an attempt to user login database.UserManager.modify_user(user.key, attempts=user.attempts+1) self.response.write(template.render(error=_("InvalidUsernameOrPassword"))) else: self.response.write(template.render(error=_("AccountBlocked"))) else: self.response.write(template.render(error=_("InvalidUsernameOrPassword")))
def get(self, user_id, option): # Session current_session = Session(self) # Load response template template = JINJA_ENVIRONMENT.get_template("static/templates/api.json") self.response.headers["Content-Type"] = "application/json" user_id = int(user_id) # If user is not admin and not himself, not allow to query anything if current_session.get_role_level() < 3 and current_session.get_id() != user_id: role_level = str(current_session.get_role_level()) data = '{"error": "Permission denied' + role_level + '"}' result = "FAIL" self.response.write(template.render(feature="user", data=data, query=self.request.url, result=result)) return None # Check if user exists user = database.UserManager.select_by_id(int(user_id)) # If user not exists if user is None: data = '{"error": "User not exists."}' result = "FAIL" self.response.write(template.render(feature="user", data=data, query=self.request.url, result=result)) return None # Options if option == "activateAccountByAdmin": # Only admin is allowed to change permissions if current_session.get_role_level() < 3: data = '{"error": "You cannot change your permission level."}' result = "FAIL" self.response.write(template.render(feature="user", data=data, query=self.request.url, result=result)) return None # If user has not his account activated, admin cannot active it if user.role_level != 1: data = '{"error": "User has not his account activated yet."}' result = "FAIL" self.response.write(template.render(feature="user", data=data, query=self.request.url, result=result)) return None # Activate account by admin database.UserManager.modify_user(user.key, role_level=2) data = '{"message": "Account activated by admin."}' result = "OK" elif option == "deactivateAccountByAdmin": # Only admin is allowed to change permissions if current_session.get_role_level() < 3: data = '{"error": "You cannot change your permission level."}' result = "FAIL" self.response.write(template.render(feature="user", data=data, query=self.request.url, result=result)) return None # If user has not his account activated, admin cannot active it if user.role_level != 2: data = '{"error": "User account can not deactivated."}' result = "FAIL" self.response.write(template.render(feature="user", data=data, query=self.request.url, result=result)) return None # Activate account by admin database.UserManager.modify_user(user.key, role_level=1) data = '{"message": "Account deactivated by admin."}' result = "OK" elif option == "blockAccount": # Only admin is allowed to block account if current_session.get_role_level() < 3: data = '{"error": "You cannot change your block status."}' result = "FAIL" self.response.write(template.render(feature="user", data=data, query=self.request.url, result=result)) return None # No anyone is allowed to block an admin if user.role_level == 3: data = '{"error": "You cannot block an admin account."}' result = "FAIL" self.response.write(template.render(feature="user", data=data, query=self.request.url, result=result)) return None database.UserManager.modify_user(user.key, attempts=3) # Account is blocked with 3 attempts data = '{"message": "Account blocked by admin."}' result = "OK" elif option == "unblockAccount": # Only admin is allowed to unblock account if current_session.get_role_level() < 3: data = '{"error": "You cannot change your permission level."}' result = "FAIL" self.response.write(template.render(feature="user", data=data, query=self.request.url, result=result)) return None database.UserManager.modify_user(user.key, attempts=0) # Account is unblocked with 0 attempts data = '{"message": "Account unblock by admin."}' result = "OK" elif option == "profileChangeRequest": # Only user himself is allowed to change profile if current_session.get_id() == user_id: token = database.TokenManager.create_token(user.key) email_handler.Email.send_change_profile(user.name, token.id(), user.email) data = '{"message": "Change profile email send"}' result = "OK" else: data = '{"error": "Method not allowed"}' result = "FAIL" self.response.write(template.render(feature="user", data=data, query=self.request.url, result=result))
def post(self, user_id, option): # Session current_session = Session(self) # Load response template template = JINJA_ENVIRONMENT.get_template("static/templates/api.json") self.response.headers["Content-Type"] = "application/json" # Check if request is done by admin or himself user_id = int(user_id) if current_session.get_role_level() < 3 and current_session.get_id() != user_id: role_level = str(current_session.get_role_level()) data = '{"error": "Permission denied"}' result = "FAIL" self.response.write(template.render(feature="user", data=data, query=self.request.url, result=result)) return None # Check if user exists user = database.UserManager.select_by_id(int(user_id)) # If user not exists if user is None: data = '{"error": "User not exists."}' result = "FAIL" self.response.write(template.render(feature="user", data=data, query=self.request.url, result=result)) return None # Options if option == "changeUserData": # update email and user email = self.request.get("email", None) username = self.request.get("username", None) background = self.request.get("background", None) photo_id = self.request.get("photo", None) if email is not None: userbyemail = database.UserManager.select_by_email(email) if userbyemail is None: database.UserManager.modify_user(user.key, email=email) else: data = '{"error": "Field exists", "field": "email"}' result = "FAIL" self.response.write( template.render(feature="user", data=data, query=self.request.url, result=result) ) if username is not None: userbyname = database.UserManager.select_by_username(username) if userbyname is None: database.UserManager.modify_user(user.key, username=username) else: data = '{"error": "Field exists", "field": "username"}' result = "FAIL" self.response.write( template.render(feature="user", data=data, query=self.request.url, result=result) ) if background is not None: # Check if photo exists background_photo = database.PhotosManager.get_photo_by_id(int(background)) if background_photo is not None: # Change user background image database.UserManager.modify_user(user.key, background=background_photo.key.id()) else: data = '{"error": "Field not exists", "field": "background"}' result = "FAIL" self.response.write( template.render(feature="user", data=data, query=self.request.url, result=result) ) if photo_id is not None: # Check if photo exists photo = database.PhotosManager.get_photo_by_id(int(photo_id)) if photo is not None: # Change user background image database.UserManager.modify_user(user.key, photo=photo.key.id()) else: data = '{"error": "Field not exists", "field": "background"}' result = "FAIL" self.response.write( template.render(feature="user", data=data, query=self.request.url, result=result) ) data = '{"message": "User updated"}' result = "OK" self.response.write(template.render(feature="user", data=data, query=self.request.url, result=result))
def post(self): # Session request handler current_session = Session(self) JINJA_ENVIRONMENT.globals['session'] = current_session # Language request handler Language.language(self) # Check if user is already logged in if current_session.get_id() is not None: self.redirect("/") return None # Retrieve request data username = cgi.escape(self.request.get('username')) password1 = cgi.escape(self.request.get('password1')) password2 = cgi.escape(self.request.get('password2')) email = cgi.escape(self.request.get('email')) # Load success and fail templates register_template = JINJA_ENVIRONMENT.get_template('static/templates/register.html') registered_template = JINJA_ENVIRONMENT.get_template('static/templates/registered.html') # Check email is well formed if not re.match(r"[^@]+@[^@]+\.[^@]+", email): self.response.write(register_template.render(error=_("BadEmail."))) return None # Check passwords min size is 6 if len(password1) < 6: self.response.write(register_template.render(error=_("PasswordMinLengthNotReached."))) return None # Check passwords match if password1 != password2: self.response.write(register_template.render(error=_("PasswordMissmatch"))) return None # Username not empty if len(username) < 1: self.response.write(register_template.render(error=_("EmptyUsername."))) return None # Check user exists user = database.UserManager.select_by_username(username) if user is not None: self.response.write(register_template.render(error=_("UsernameExists"))) return None # Check email exists user = database.UserManager.select_by_email(email) if user is not None: self.response.write(register_template.render(error=_("EmailExists"))) return None # Save new user in DB user_key = database.UserManager.create(username, password1, email) if user_key: # Create activation token token_key = database.TokenManager.create_token(user_key) # Send activation email email_handler.Email.send_activation(username, str(token_key.id()), email) # Autologin new user current_session.set(self, user_key.id()) JINJA_ENVIRONMENT.globals['session'] = current_session self.response.write(registered_template.render(username=username)) else: self.response.write(register_template.render(error=_("DatabaseError"))) return None
def get(self, photo_id): # Session request handler current_session = Session(self) JINJA_ENVIRONMENT.globals['session'] = current_session # Language request handler Language.language(self) # Load jinja template template = JINJA_ENVIRONMENT.get_template('static/templates/photo.html') # Check permission photo = database.PhotosManager.get_photo_by_id(int(photo_id)) if current_session.get_id() is None: request_user = None else: request_user = database.UserManager.select_by_id(current_session.get_id()) if not security.PhotoSecurity.user_is_allowed_to_watch_photo(photo, request_user): self.redirect("/") # Get photo info to display user = photo.owner.get() privacy = photo.privacy date = photo.date # Check if user can edit photo attributes edition_permission = (current_session.get_role_level() is 3) or (photo.owner == current_session.get_user_key()) # Get user allowed to watch photo if privacy == 1: allowed_users = database.PhotoUserPermissionManager.get_allowed_users_by_photo(photo) else: allowed_users = None # Count photo visited by user if current_session.get_id() is None: database.PhotoViewManager.newView(photo, None) else: database.PhotoViewManager.newView(photo, current_session.user) # Photo visualization count photo_views = database.PhotoViewManager.select_users_by_photo(photo) views_counter = {} for photo_view in photo_views: if photo_view.user is None: if "Anonymous" in views_counter: views_counter["Anonymous"]['count'] += 1 else: views_counter["Anonymous"] = {'count':1, 'name':"Anonymous", 'id': None} else: photo_view_user = photo_view.user if photo_view_user.get().name in views_counter: views_counter[photo_view_user.get().name]['count'] += 1 else: views_counter[photo_view_user.get().name] = {'count':1, 'name':photo_view_user.get().name, 'id': photo_view_user.id()} # Response page self.response.write(template.render( photo_id=photo_id, owner=user, name=photo.name, edition_permission= edition_permission, date= date, privacy=privacy, views=views_counter, every_user_list=database.UserManager.select(), allowed_users=allowed_users ))
def get(self, user_id, option): # Session current_session = Session(self) # Load response template template = JINJA_ENVIRONMENT.get_template('static/templates/api.json') self.response.headers['Content-Type'] = 'application/json' user_id = int(user_id) # If user is not admin and not himself, not allow to query anything if current_session.get_role_level() < 3 and current_session.get_id() != user_id: role_level = str(current_session.get_role_level()) data = '{"error": "Permission denied' + role_level + '"}' result = "FAIL" self.response.write(template.render(feature="user", data=data, query=self.request.url, result=result)) return None # Check if user exists user = database.UserManager.select_by_id(int(user_id)) # If user not exists if user is None: data = '{"error": "User not exists."}' result = "FAIL" self.response.write(template.render(feature="user", data=data, query=self.request.url, result=result)) return None # Options if option == "activateAccountByAdmin": # Only admin is allowed to change permissions if current_session.get_role_level() < 3: data = '{"error": "You cannot change your permission level."}' result = "FAIL" self.response.write(template.render(feature="user", data=data, query=self.request.url, result=result)) return None # If user has not his account activated, admin cannot active it if user.role_level != 1: data = '{"error": "User has not his account activated yet."}' result = "FAIL" self.response.write(template.render(feature="user", data=data, query=self.request.url, result=result)) return None # Activate account by admin database.UserManager.modify_user(user.key, role_level=2) data = '{"message": "Account activated by admin."}' result = "OK" elif option == "deactivateAccountByAdmin": # Only admin is allowed to change permissions if current_session.get_role_level() < 3: data = '{"error": "You cannot change your permission level."}' result = "FAIL" self.response.write(template.render(feature="user", data=data, query=self.request.url, result=result)) return None # If user has not his account activated, admin cannot active it if user.role_level != 2: data = '{"error": "User account can not deactivated."}' result = "FAIL" self.response.write(template.render(feature="user", data=data, query=self.request.url, result=result)) return None # Activate account by admin database.UserManager.modify_user(user.key, role_level=1) data = '{"message": "Account deactivated by admin."}' result = "OK" elif option == "blockAccount": # Only admin is allowed to block account if current_session.get_role_level() < 3: data = '{"error": "You cannot change your block status."}' result = "FAIL" self.response.write(template.render(feature="user", data=data, query=self.request.url, result=result)) return None # No anyone is allowed to block an admin if user.role_level == 3: data = '{"error": "You cannot block an admin account."}' result = "FAIL" self.response.write(template.render(feature="user", data=data, query=self.request.url, result=result)) return None database.UserManager.modify_user(user.key, attempts=3) # Account is blocked with 3 attempts data = '{"message": "Account blocked by admin."}' result = "OK" elif option == "unblockAccount": # Only admin is allowed to unblock account if current_session.get_role_level() < 3: data = '{"error": "You cannot change your permission level."}' result = "FAIL" self.response.write(template.render(feature="user", data=data, query=self.request.url, result=result)) return None database.UserManager.modify_user(user.key, attempts=0) # Account is unblocked with 0 attempts data = '{"message": "Account unblock by admin."}' result = "OK" elif option == "profileChangeRequest": # Only user himself is allowed to change profile if current_session.get_id() == user_id: token = database.TokenManager.create_token(user.key) email_handler.Email.send_change_profile(user.name, token.id(), user.email) data = '{"message": "Change profile email send"}' result = "OK" else: data = '{"error": "Method not allowed"}' result = "FAIL" self.response.write(template.render(feature="user", data=data, query=self.request.url, result=result))
def post(self, user_id, option): # Session current_session = Session(self) # Load response template template = JINJA_ENVIRONMENT.get_template('static/templates/api.json') self.response.headers['Content-Type'] = 'application/json' # Check if request is done by admin or himself user_id = int(user_id) if current_session.get_role_level() < 3 and current_session.get_id() != user_id: role_level = str(current_session.get_role_level()) data = '{"error": "Permission denied"}' result = "FAIL" self.response.write(template.render(feature="user", data=data, query=self.request.url, result=result)) return None # Check if user exists user = database.UserManager.select_by_id(int(user_id)) # If user not exists if user is None: data = '{"error": "User not exists."}' result = "FAIL" self.response.write(template.render(feature="user", data=data, query=self.request.url, result=result)) return None # Options if option == "changeUserData": # update email and user email = self.request.get("email", None) username = self.request.get("username", None) background = self.request.get("background", None) photo_id = self.request.get("photo", None) if email is not None: userbyemail = database.UserManager.select_by_email(email) if userbyemail is None: database.UserManager.modify_user(user.key, email=email) else: data = '{"error": "Field exists", "field": "email"}' result = "FAIL" self.response.write(template.render(feature="user", data=data, query=self.request.url, result=result)) if username is not None: userbyname = database.UserManager.select_by_username(username) if userbyname is None: database.UserManager.modify_user(user.key, username=username) else: data = '{"error": "Field exists", "field": "username"}' result = "FAIL" self.response.write(template.render(feature="user", data=data, query=self.request.url, result=result)) if background is not None: # Check if photo exists background_photo = database.PhotosManager.get_photo_by_id(int(background)) if background_photo is not None: # Change user background image database.UserManager.modify_user(user.key, background=background_photo.key.id()) else: data = '{"error": "Field not exists", "field": "background"}' result = "FAIL" self.response.write(template.render(feature="user", data=data, query=self.request.url, result=result)) if photo_id is not None: # Check if photo exists photo = database.PhotosManager.get_photo_by_id(int(photo_id)) if photo is not None: # Change user background image database.UserManager.modify_user(user.key, photo=photo.key.id()) else: data = '{"error": "Field not exists", "field": "background"}' result = "FAIL" self.response.write(template.render(feature="user", data=data, query=self.request.url, result=result)) data = '{"message": "User updated"}' result = "OK" self.response.write(template.render(feature="user", data=data, query=self.request.url, result=result))