def init_user_groups():
"""
Administrators:
see_all
delete_at_will
reset_user_pw
modify_user
modify_usergroup
deactivate
manage_networks
review_downloads
toggle_signups
Users:
chat
initiate_rtc
create_revision
retrieve_from_dht
browse_peer_nodes
retrieve_resource
stream_document
There's also a secret privilege called "eval" that we don't create but is
checked for in streams.chat.on_cmd. Perhaps make a special UserGroup for
yourself.
"""
# Bans happen by setting User.active to False and clearing their existing sessions.
groups = ["Administrators", "Users"]
admin_privs = [ "see_all", "delete_at_will", "reset_user_pw", "modify_user",
"modify_usergroup", "deactivate", "manage_networks",
"review_downloads", "toggle_signups"]
privs = [ "create_revision_group", "delete_revision_group", "chat",
"initiate_rtc", "create_revision", "retrieve_from_dht",
"browse_peer_nodes", "retrieve_resource", "stream_document"]
privs.extend(admin_privs)
if not Priv.query.first():
log("Creating privileges.")
for priv in privs:
p = Priv.query.filter(Priv.name == priv).first()
if not p:
p = Priv(name=priv)
db.session.add(p)
db.session.commit()
for group in groups:
g = UserGroup.query.filter(UserGroup.name == group).first()
if not g:
g = UserGroup(name=group)
for p in Priv.query.all():
if group != "Administrators" and p.name in admin_privs:
continue
a = Acl()
a.group = g
a.priv = p
a.allowed = True
db.session.add(a)
db.session.add(p)
db.session.commit()
db.session.add(g)
db.session.commit()
log("Created user group \"%s\"." % group)
def post(self, name):
parser = restful.reqparse.RequestParser()
parser.add_argument("allow", type=str, default=None)
parser.add_argument("deny", type=str, default=None)
parser.add_argument("attach", type=str, default=None)
parser.add_argument("detach", type=str, default=None)
parser.add_argument("add", type=str, default=None)
parser.add_argument("remove", type=str, default=None)
args = parser.parse_args()
user = auth(session, required=True)
if not user.can("modify_usergroup"):
return {}, 403
group = UserGroup.query.filter(UserGroup.name == name).first()
if not group:
return {}, 404
# Attach a privilege to the Group
if args.attach:
if ',' in args.attach:
privs = args.attach.split(',')
else:
privs = [args.attach]
for priv_name in privs:
priv = Priv.query.filter(Priv.name == priv_name).first()
if not priv: continue
acl = Acl.query.filter(and_(Acl.priv == priv, Acl.group == group)).first()
if acl:
continue
acl = Acl(group=group, priv=priv)
db.session.add(acl)
# Detach a privilege from the Group
if args.detach:
if ',' in args.detach:
privs = args.detach.split(',')
else:
privs = [args.detach]
for priv_name in privs:
priv = Priv.query.filter(Priv.name == priv_name).first()
if not priv: continue
acl = Acl.query.filter(and_(Acl.priv == priv, Acl.group == group)).first()
if not acl:
continue
db.session.delete(acl)
# Set an ACL to True
if args.allow:
if ',' in args.allow:
privs = args.allow.split(',')
else:
privs = [args.allow]
for priv_name in privs:
priv = Priv.query.filter(Priv.name == priv_name).first()
if not priv: continue
acl = Acl.query.filter(and_(Acl.priv == priv, Acl.group == group)).first()
if acl:
acl.allowed = True
db.session.add(acl)
continue
acl = Acl()
acl.priv = priv
acl.group = group
acl.allowed = True
db.session.add(acl)
# Set an ACL to False
if args.deny:
if ',' in args.deny:
privs = args.deny.split(',')
else:
privs = [args.deny]
for priv_name in privs:
priv = Priv.query.filter(Priv.name == priv_name).first()
if not priv: continue
acl = Acl.query.filter(and_(Acl.priv == priv, Acl.group == group)).first()
if acl:
acl.allowed = False
db.session.add(acl)
continue
acl = Acl()
acl.priv = priv
acl.group = group
acl.allowed = False
db.session.add(acl)
# Add a User to the Group
if args.add:
if ',' in args.add:
users = args.add.split(',')
else:
users = [args.add]
for username in users:
user = User.query.filter(User.username == username).first()
if not user: continue
if user in group.users: continue
group.users.append(user)
# Remove a User from the Group
if args.remove:
if ',' in args.remove:
users = args.remove.split(',')
else:
users = [args.remove]
for username in users:
user = User.query.filter(User.username == username).first()
if not user: continue
if user not in group.users: continue
group.users.remove(user)
db.session.add(group)
db.session.commit()
return group.jsonify(with_users=True, with_privs=True)