Example #1
0
def init_user_groups():
    """
       Administrators:
            see_all
            delete_at_will
            reset_user_pw
            modify_user
            modify_usergroup
            deactivate
            manage_networks
            review_downloads
            toggle_signups
        Users:
            chat
            initiate_rtc
            create_revision
            retrieve_from_dht
            browse_peer_nodes
            retrieve_resource
            stream_document

    There's also a secret privilege called "eval" that we don't create but is
    checked for in streams.chat.on_cmd. Perhaps make a special UserGroup for
    yourself.
    """
    # Bans happen by setting User.active to False and clearing their existing sessions.
    groups = ["Administrators", "Users"]
    admin_privs  = [ "see_all", "delete_at_will", "reset_user_pw", "modify_user",
                     "modify_usergroup", "deactivate", "manage_networks",
                     "review_downloads", "toggle_signups"] 
    privs        = [ "create_revision_group", "delete_revision_group", "chat",
                     "initiate_rtc", "create_revision", "retrieve_from_dht", 
                     "browse_peer_nodes", "retrieve_resource", "stream_document"]

    privs.extend(admin_privs)

    if not Priv.query.first():
        log("Creating privileges.")

    for priv in privs:
        p = Priv.query.filter(Priv.name == priv).first()
        if not p:
            p = Priv(name=priv)
            db.session.add(p)
            db.session.commit()

    for group in groups:
        g = UserGroup.query.filter(UserGroup.name == group).first()
        if not g:
            g = UserGroup(name=group)
            for p in Priv.query.all():
                if group != "Administrators" and p.name in admin_privs:
                    continue
                a         = Acl()
                a.group   = g
                a.priv    = p
                a.allowed = True
                db.session.add(a)
                db.session.add(p)
                db.session.commit()
            db.session.add(g)
            db.session.commit()
            log("Created user group \"%s\"." % group)
Example #2
0
    def post(self, name):
        parser = restful.reqparse.RequestParser()
        parser.add_argument("allow",  type=str, default=None)
        parser.add_argument("deny",   type=str, default=None)
        parser.add_argument("attach", type=str, default=None)
        parser.add_argument("detach", type=str, default=None)
        parser.add_argument("add",    type=str, default=None)
        parser.add_argument("remove", type=str, default=None)
        args = parser.parse_args()

        user = auth(session, required=True)

        if not user.can("modify_usergroup"):
            return {}, 403

        group = UserGroup.query.filter(UserGroup.name == name).first()
        if not group:
            return {}, 404
        
        # Attach a privilege to the Group
        if args.attach:
            if ',' in args.attach:
                privs = args.attach.split(',')
            else:
                privs = [args.attach]
            for priv_name in privs:
                priv = Priv.query.filter(Priv.name == priv_name).first()
                if not priv: continue
                acl = Acl.query.filter(and_(Acl.priv == priv, Acl.group == group)).first()
                if acl:
                    continue
                acl = Acl(group=group, priv=priv)
                db.session.add(acl)

        # Detach a privilege from the Group
        if args.detach:
            if ',' in args.detach:
                privs = args.detach.split(',')
            else:
                privs = [args.detach]
            for priv_name in privs:
                priv = Priv.query.filter(Priv.name == priv_name).first()
                if not priv: continue
                acl = Acl.query.filter(and_(Acl.priv == priv, Acl.group == group)).first()
                if not acl:
                    continue
                db.session.delete(acl)

        # Set an ACL to True
        if args.allow:
            if ',' in args.allow:
                privs = args.allow.split(',')
            else:
                privs = [args.allow]
            for priv_name in privs:
                priv = Priv.query.filter(Priv.name == priv_name).first()
                if not priv: continue
                acl = Acl.query.filter(and_(Acl.priv == priv, Acl.group == group)).first()
                if acl: 
                    acl.allowed = True
                    db.session.add(acl)
                    continue
                acl = Acl()
                acl.priv  = priv
                acl.group = group
                acl.allowed = True
                db.session.add(acl)

        # Set an ACL to False
        if args.deny:
            if ',' in args.deny:
                privs = args.deny.split(',')
            else:
                privs = [args.deny]
            for priv_name in privs:
                priv = Priv.query.filter(Priv.name == priv_name).first()
                if not priv: continue
                acl = Acl.query.filter(and_(Acl.priv == priv, Acl.group == group)).first()
                if acl: 
                    acl.allowed = False
                    db.session.add(acl)
                    continue
                acl = Acl()
                acl.priv  = priv
                acl.group = group
                acl.allowed = False
                db.session.add(acl)

        # Add a User to the Group
        if args.add:
            if ',' in args.add:
                users = args.add.split(',')
            else:
                users = [args.add]
            for username in users:
                user = User.query.filter(User.username == username).first()
                if not user: continue
                if user in group.users: continue
                group.users.append(user)

        # Remove a User from the Group
        if args.remove:
            if ',' in args.remove:
                users = args.remove.split(',')
            else:
                users = [args.remove]
            for username in users:
                user = User.query.filter(User.username == username).first()
                if not user: continue
                if user not in group.users: continue
                group.users.remove(user)


        db.session.add(group)
        db.session.commit()

        return group.jsonify(with_users=True, with_privs=True)