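def wrapper_jwt_scope_required(*args, **kwargs):
    """Enforce the decorator's required scopes against the caller's JWT, then call ``func``.

    ``required_scopes`` and ``func`` come from the enclosing decorator scope
    (both are outside this block). Two optional rules are checked:

    * ``any_of``: the token must carry at least one of the listed scopes
      (an empty ``any_of`` list therefore always denies).
    * ``all_of``: the token must carry every listed scope.

    Assumes ``jwt_scopes()`` returns a set-like object (the subset test
    below needs one) -- TODO confirm.

    Raises:
        AccessDenied: when either rule is not satisfied.
    """
    scopes = jwt_scopes()
    # any_of: at least one granted scope must appear in the token.
    if "any_of" in required_scopes and not (set(required_scopes["any_of"]) & scopes):
        raise AccessDenied("Insufficient scope")
    # all_of: the whole list must be a subset of the token's scopes.
    if "all_of" in required_scopes and not (set(required_scopes["all_of"]) <= scopes):
        raise AccessDenied("Insufficient scope")
    return func(*args, **kwargs)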
def delete(self):
    """Delete ``self.user`` after removing every tunnel the user owns.

    Requires the ``delete:user`` scope and the account password. Tunnels are
    torn down through ``TunnelDeletionService`` before the user row is
    deleted; the session is flushed but not committed here.

    Returns the value of ``db.session.delete`` (NOTE(review): SQLAlchemy
    sessions return ``None`` from ``delete`` -- confirm callers do not rely
    on this as a count).

    Raises:
        AccessDenied: if the scope is missing or the password does not match.
    """
    if "delete:user" not in self.scopes:
        raise AccessDenied("Insufficient permissions")
    user = self.user
    if not user.check_password(self.password):
        raise AccessDenied("Wrong password")
    # Dependent tunnels first so nothing dangles once the user row is gone.
    for owned in Tunnel.query.filter_by(user=user):
        TunnelDeletionService(user, owned).delete()
    result = db.session.delete(user)
    db.session.flush()
    return result
def delete(self):
    """Delete ``self.user`` after removing every box the user owns.

    Requires the ``delete:user`` scope and the account password. Boxes are
    torn down through ``BoxDeletionService`` before the user row is deleted;
    the session is flushed but not committed here.

    Returns the value of ``db.session.delete`` (NOTE(review): SQLAlchemy
    sessions return ``None`` from ``delete`` -- confirm callers do not rely
    on this as a count).

    Raises:
        AccessDenied: if the scope is missing or the password does not match.
    """
    if "delete:user" not in self.scopes:
        raise AccessDenied("Insufficient permissions")
    user = self.user
    if not user.check_password(self.password):
        raise AccessDenied("Wrong password")
    # Dependent boxes first so nothing dangles once the user row is gone.
    for owned in Box.query.filter_by(user=user):
        BoxDeletionService(user, owned).delete()
    result = db.session.delete(user)
    db.session.flush()
    return result
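def check_subdomain_permissions(self) -> None:
    """Verify the current user may act on ``self.subdomain``.

    Ownership is checked before the in-use state, so a caller who does not
    own the subdomain only ever sees ``AccessDenied`` and learns nothing
    about whether it is in use.

    Raises:
        AccessDenied: if the subdomain belongs to a different user.
        SubdomainInUse: if the subdomain is currently in use.
    """
    if self.subdomain.user != self.current_user:
        raise AccessDenied("You do not own this subdomain")
    # Reaching here means the caller owns the subdomain; the only remaining
    # reason to refuse is that it is busy. (The former trailing
    # ``elif ... == current_user: pass`` branch was a no-op and is dropped.)
    if self.subdomain.in_use:
        raise SubdomainInUse("Subdomain is in use")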
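def validate_scope_permissions(parent_scope, scopes, attrs):
    """Check that ``scopes`` permit writing every key in ``attrs``.

    ``parent_scope`` grants everything. Otherwise the last ``:``-separated
    segment of each granted scope names one permitted attribute, and every
    key of ``attrs`` must be among those names.

    Args:
        parent_scope: the umbrella scope that permits all attributes.
        scopes: scope strings granted to the caller (any container
            supporting ``in`` and iteration).
        attrs: mapping of attribute name -> value the caller wants to write.

    Raises:
        AccessDenied: naming the attribute keys no granted scope covers.
    """
    if parent_scope in scopes:
        return
    allowed_attrs = {scope.split(":")[-1] for scope in scopes}
    requested_attrs = set(attrs.keys())
    if not allowed_attrs >= requested_attrs:
        # Subtract attribute names, not the raw scope strings: scope strings
        # never equal attribute keys, so subtracting them would list every
        # requested key (including permitted ones) as disallowed.
        disallowed = requested_attrs - allowed_attrs
        raise AccessDenied(source=f"{disallowed} is not in allowed scopes")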
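def stripe_webhook_wrapper(*args, **kwargs):
    """Verify the Stripe webhook signature, then invoke ``func`` with the event.

    ``func`` comes from the enclosing decorator (outside this block). The raw
    request body is checked against the ``stripe-signature`` header with
    ``STRIPE_ENDPOINT_SECRET``; only a successfully verified event reaches
    the handler, passed as the keyword argument ``event``.

    Returns:
        ``func``'s result on success. Otherwise a ``json_api`` error
        response: 400 when the body cannot be decoded or parsed, 403 when the
        signature header is missing or verification fails.
    """
    try:
        # Decoding sits inside the try so a non-UTF-8 body (UnicodeDecodeError,
        # a ValueError subclass) yields a 400 instead of escaping as a 500.
        payload = request.data.decode("utf-8")
        sig_header = request.headers["stripe-signature"]
        event = stripe.Webhook.construct_event(
            payload, sig_header, current_app.config["STRIPE_ENDPOINT_SECRET"]
        )
    except ValueError:
        # Malformed payload (bad encoding or invalid JSON).
        return json_api(BadRequest(), ErrorSchema), 400
    except (KeyError, stripe.error.SignatureVerificationError):
        # Missing header or signature mismatch -> fail closed. KeyError also
        # fires when STRIPE_ENDPOINT_SECRET is absent from the config
        # (NOTE(review): that reports a misconfiguration as a 403).
        return json_api(AccessDenied(), ErrorSchema), 403
    return func(*args, event=event, **kwargs)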
def update(self) -> User:
    """Apply the pending changes to ``self.user``, flush, and return it.

    Plain attributes are copied from ``self.attrs``. Two fields are handled
    specially:

    * ``new_password`` is stored via ``set_password``; unless the caller
      holds ``update:user:new_password``, ``old_password`` must verify
      first. The user's ``uuid`` is regenerated on every password change
      (NOTE(review): presumably so previously issued tokens stop matching
      -- confirm).
    * ``email`` is rejected before the write when another row already has
      it.

    Raises:
        AccessDenied: when the old password is required and does not match.
        UserError: when the requested email is already in use.
    """
    user = self.user
    # Assumes self.attrs has already been filtered to scope-permitted keys
    # by the caller -- verify; nothing here restricts what setattr touches.
    for name, value in self.attrs.items():
        setattr(user, name, value)
    if self.new_password:
        may_skip_old_password = "update:user:new_password" in self.scopes
        if not may_skip_old_password and not user.check_password(self.old_password):
            raise AccessDenied("Wrong password")
        user.set_password(self.new_password)
        user.uuid = str(uuid.uuid4())
    if self.email:
        conflicting = User.query.filter_by(email=self.email).first()
        if conflicting is not None:
            raise UserError(detail="Email already in use")
        user.email = self.email
    db.session.add(user)
    db.session.flush()
    return user
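def check_config_permissions(self) -> None:
    """Verify the current user owns ``self.config``.

    Raises:
        AccessDenied: if the config belongs to a different user.
    """
    # Only the ownership test matters; the former
    # ``elif ... == current_user: pass`` branch was a no-op and is dropped.
    if self.config.user != self.current_user:
        raise AccessDenied("You do not own this config")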