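def post(self, id):
    """Update (``requestMethod=PUT``) or delete (``requestMethod=DELETE``) news item ``id``.

    The real verb is tunnelled through the ``requestMethod`` form argument.
    Unauthorized identities, missing rows and unknown verbs all end in an
    ``abort``; nothing is returned on success.
    """
    import ast

    request_arg = RequestMethod_parser.parse_args()
    requestMethod = request_arg['requestMethod']
    if requestMethod == "PUT":
        permission = Permission(ActionNeed('修改新闻'))
        if permission.can() is not True:
            abort_if_unauthorized("修改新闻")
        news = News.query.filter(News.id == id).first()
        abort_if_not_exist(news, "news")
        args = NewsSpec_parser.parse_args()
        category = args['category']
        detail = args['detail']
        title = args['title']
        editable = args['editable']
        tags = args['tags']
        # ``tags`` may arrive as one string holding a Python list literal.
        # Only literals are accepted (request data is never ``eval``-ed);
        # anything else leaves ``tags`` exactly as the parser produced it.
        try:
            tags = list(ast.literal_eval(tags[0]))
        except (ValueError, SyntaxError, TypeError, IndexError):
            pass
        if category is not None:
            news.category = []
            news.addCategory(category)
        if detail is not None:
            news.detail = detail
            soup, imgUrlFirst = handle_html(detail)
            news.img_url = imgUrlFirst
            # The first 80 characters of visible text become the teaser.
            news.outline = soup.get_text()[:80]
        if title is not None:
            news.title = title
        if editable is not None:
            news.editable = editable
        if tags is not None:
            news.tags = []
            for tag in tags:
                news.addTag(tag)
        db.session.add(news)
        db.session.commit()
    elif requestMethod == "DELETE":
        permission = Permission(ActionNeed('删除新闻'))
        if permission.can() is not True:
            abort_if_unauthorized("删除新闻")
        news = News.query.filter(News.id == id).first()
        abort_if_not_exist(news, "news")
        db.session.delete(news)
        db.session.commit()
    else:
        abort(404, message="api not found")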
def test_permission_or_excludes(self):
    """``|`` and ``union`` must agree on the ``excludes`` of reversed permissions."""
    boss_or_lackey = Permission(RoleNeed('boss'), RoleNeed('lackey')).reverse()
    lackey_or_underling = Permission(RoleNeed('lackey'), RoleNeed('underling')).reverse()
    via_operator = boss_or_lackey | lackey_or_underling
    via_method = boss_or_lackey.union(lackey_or_underling)
    # An `or` between sets behaves as "any of which must be present to
    # access a resource", so the two excludes sets simply merge.
    merged_excludes = boss_or_lackey.excludes | lackey_or_underling.excludes
    assert via_operator.excludes == via_method.excludes
    assert via_operator.excludes == merged_excludes
def get_quality_assurance_form_dashboard_menu(form_types):
    """Build dashboard menu entries for forms that have quality checks enabled.

    :param form_types: the form types whose forms should be listed
    :returns: list of ``{'url', 'text', 'visible'}`` dicts, one per form the
        current identity may access
    """
    event = g.event
    candidate_forms = models.Form.query.filter(
        models.Form.form_type.in_(form_types),
        models.Form.quality_checks_enabled == True  # noqa
    ).join(models.Form.events).filter(
        models.Form.events.contains(event)
    ).order_by(models.Form.name)

    def _accessible(form):
        # Either an item-level grant on the form's resource or the admin role.
        return Permission(
            ItemNeed('access_resource', form.resource_id, form.resource_type),
            RoleNeed('admin')).can()

    accessible_forms = [f for f in candidate_forms if _accessible(f)]
    return [
        {
            'url': url_for('submissions.quality_assurance_dashboard', form_id=form.id),
            'text': form.name,
            'visible': True,
        }
        for form in accessible_forms
    ]
def has_permission(name):
    """Template helper: True when the current identity satisfies ``need(name)``."""
    allowed = Permission(need(name)).can()
    return True if allowed else False
def edit_post(id):
    """Edit post ``id``; only its poster (or an admin) may change it."""
    post = Post.query.get_or_404(id)
    # NOTE(review): ``current_user`` is usually a proxy that stays truthy for
    # anonymous visitors — confirm this guard can actually fire.
    if not current_user:
        return redirect(url_for('main.login'))
    if current_user != post.users:
        return redirect(url_for('blog.post', post_id=id))
    # Only when the user is the poster or an admin may the article be edited.
    owner_permission = Permission(UserNeed(post.users.id))
    if not (owner_permission.can() or admin_permission.can()):
        abort(403)
    form = PostForm()
    if form.validate_on_submit():
        post.title = form.title.data
        post.text = form.text.data
        post.publish_date = datetime.datetime.now()
        # Update the post
        db.session.add(post)
        db.session.commit()
        return redirect(url_for('blog.post', post_id=post.id))
    # Not submitted or invalid: show the stored content again.
    form.title.data = post.title
    form.text.data = post.text
    return render_template('edit_post.html', form=form, post=post)
def get(self, id):
    """Return the ``News`` row with primary key ``id`` to an identity allowed to view news."""
    can_view = Permission(ActionNeed('查看新闻')).can()
    if can_view is not True:
        abort_if_unauthorized("查看新闻")
    news = News.query.filter(News.id == id).first()
    abort_if_not_exist(news, "news")
    return news
def edit_post(id):
    """Edit post ``id``; the owner (or an admin) may change title and text."""
    # NOTE(review): ``current_user`` is usually a proxy that stays truthy for
    # anonymous visitors — confirm this guard can actually fire.
    if not current_user:
        return redirect(url_for('main.login'))
    post = Post.query.get_or_404(id)
    if current_user != post.user:
        abort(403)
    owner_permission = Permission(UserNeed(post.user.id))
    if not (owner_permission.can() or admin_permission.can()):
        abort(403)
    form = PostForm()
    if form.validate_on_submit():
        post.title = form.title.data
        post.text = form.text.data
        post.publish_date = datetime.datetime.now()
        db.session.add(post)
        db.session.commit()
        return redirect(url_for('.post', post_id=post.id))
    # Not submitted or invalid: prefill the form with the stored text.
    form.text.data = post.text
    return render_template('edit.html', form=form, post=post)
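def post(self):
    """Create a role (``requestMethod=POST``) and attach the named permission nodes.

    ``nodeName`` may be a list of node names or a single string holding a
    Python list literal. The role is committed before its nodes are resolved,
    so a missing node aborts with the role already created.
    """
    import ast

    request_arg = RequestMethod_parser.parse_args()
    requestMethod = request_arg['requestMethod']
    if requestMethod == "POST":
        permission = Permission(ActionNeed('添加角色'))
        if permission.can() is not True:
            abort_if_unauthorized("添加角色")
        args = Role_parser.parse_args()
        roleName = args['roleName']
        # Only a literal list is unpacked; request data is never ``eval``-ed.
        try:
            nodeName = list(ast.literal_eval(args['nodeName'][0]))
        except (ValueError, SyntaxError, TypeError, IndexError):
            nodeName = args['nodeName']
        role1 = Role.query.filter(Role.roleName == roleName).first()
        abort_if_exist(role1, "roleName")
        role = Role(roleName)
        db.session.add(role)
        db.session.commit()
        for name in nodeName:
            node = Node.query.filter(Node.nodeName == name).first()
            abort_if_not_exist(node, "node")
            role.nodes.append(node)
        db.session.add(role)
        db.session.commit()
    else:
        abort(404, message="api not found")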
def __getattr__(self, role):
    """Return the ``require`` method of the permission for ``role``.

    The permission is created on first use and cached in ``self._permissions``.
    """
    try:
        role_permission = self._permissions[role]
    except KeyError:
        role_permission = Permission(RoleNeed(role))
        self._permissions[role] = role_permission
    return role_permission.require
def decorator(*args, **kwargs):
    """Call ``f`` only for an authenticated identity that satisfies the role permission.

    Returns 401 for anonymous callers and 403 when the permission built from
    ``roles`` is not granted.
    """
    role_permission = Permission(*[RoleNeed(role) for role in roles])
    if not current_user.is_authenticated:
        return abort(401)
    if not role_permission.can():
        return abort(403)
    return f(*args, **kwargs)
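def post(self):
    """Create a news item (``requestMethod=POST``) from the submitted form.

    ``detail`` is run through ``handle_html``; its visible text (first 80
    characters) becomes the outline and the first image the teaser. Tags are
    resolved by name and a missing tag aborts after the item was committed.
    """
    import ast

    request_arg = RequestMethod_parser.parse_args()
    requestMethod = request_arg['requestMethod']
    if requestMethod == "POST":
        permission = Permission(ActionNeed('添加新闻'))
        if permission.can() is not True:
            abort_if_unauthorized("添加新闻")
        args = News_parser.parse_args()
        category = args['category']
        detail = args['detail']
        title = args['title']
        tags = args['tags']
        # ``tags`` may be one string holding a Python list literal; only
        # literals are accepted (request data is never ``eval``-ed).
        try:
            tags = list(ast.literal_eval(tags[0]))
        except (ValueError, SyntaxError, TypeError, IndexError):
            pass
        soup, imgUrlFirst = handle_html(detail)
        outline = soup.get_text()[:80]
        news = News(soup.prettify(), title, outline, imgUrlFirst)
        db.session.add(news)
        db.session.commit()
        news.addCategory(category)
        for tag in tags:
            t = Tag.query.filter_by(name=tag).first()
            abort_if_not_exist(t, "tag")
            news.tags.append(t)
        db.session.add(news)
        db.session.commit()
    else:
        abort(404, message="api not found")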
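# Identifier that looks like an e-mail address (otherwise it is a username).
_EMAIL_RE = re.compile(r"^[a-zA-Z0-9.]+@[a-zA-Z0-9]+\.[a-zA-Z]+$")


def _is_local_url(target):
    """Return True when ``target`` stays on this host (guards the ``next`` redirect)."""
    from urllib.parse import urljoin, urlparse

    reference = urlparse(request.host_url)
    candidate = urlparse(urljoin(request.host_url, target))
    return candidate.scheme in ("http", "https") and reference.netloc == candidate.netloc


def login():
    """Log a user in by e-mail or username and password.

    On success the principal identity is switched to the user and the
    request is redirected to ``next`` (only if it points at this host) or
    the index page. Failure flashes a message and reloads the login form.
    """
    if current_user.is_authenticated:
        return redirect(url_for("main.index"))
    form = LoginForm()
    if form.validate_on_submit():
        identifier = form.identifier.data
        if _EMAIL_RE.match(identifier):
            user = User.query.filter_by(_email=identifier).first()
        else:
            user = User.query.filter_by(username=identifier).first()
        if user is not None and user.check_password(form.password.data):
            login_user(user, form.remember_me.data)
            identity_changed.send(current_app._get_current_object(), identity=Identity(user.id))
            if Permission(need("admin")).can():
                flash("Hello, admin!")
            # ``next`` is attacker-controllable; never redirect off-site.
            next_url = request.args.get("next")
            if next_url and not _is_local_url(next_url):
                next_url = None
            return redirect(next_url or url_for("main.index"))
        flash("Your username/email or password is invalid.")
        return redirect(url_for("auth.login"))
    return render_template("auth/login.html", form=form)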
def article_edit(id):
    """Edit article ``id``; only its author (or an admin) may change it."""
    article = BlogArticle.query.get_or_404(id)
    # NOTE(review): ``current_user`` is usually a proxy that stays truthy for
    # anonymous visitors — confirm this guard can actually fire.
    if not current_user:
        return redirect(url_for('site.login'))
    if current_user != article.user:
        return redirect(url_for('blog.article_one', id=id))
    author_permission = Permission(UserNeed(article.user.id))
    if not (author_permission.can() or permission_admin.can()):
        abort(403)
    form = ArticleForm()
    if form.validate_on_submit():
        article.title = form.title.data
        article.content = form.content.data
        article.publish_time = datetime.datetime.now()
        db.session.add(article)
        db.session.commit()
        return redirect(url_for('blog.article_one', id=article.id))
    # Not submitted or invalid: prefill with the stored article.
    form.title.data = article.title
    form.content.data = article.content
    return render_template('blog/article/edit.html', obj_form=form, article_one=article)
def decorated_view(*args, **kwargs):
    """Run ``func``; asking about another user's data requires ``users:read``."""
    target_username = request.values.get('username', None)
    about_other_user = (
        target_username is not None
        and target_username != current_user.username
    )
    if about_other_user and not Permission(('users', 'read')).can():
        abort(403, 'you do not have the permission to view other users')
    return func(*args, **kwargs)
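def post(self, restaurant_id, user_id):
    """Store a new order for ``user_id``: once in the user's history, once for the restaurant.

    The JSON body must carry ``orders`` (a non-empty list; only the first
    entry is used) and ``order_items``. Only the identity of ``user_id``
    itself may post; others get 403, a malformed body gets 400.

    Returns 204 after the commit.
    """
    identity_permission = Permission(UserNeed(user_id))
    if not identity_permission.can():
        abort(403)
    data = request.get_json(force=True)
    try:
        order = data['orders'][0]
        order_items = data['order_items']
    except (KeyError, IndexError, TypeError):
        abort(400)
    order['status'] = "new"
    today = datetime.datetime.now()
    # The user's own order history ...
    OrderHistoryDao.add_order_history(today, order['desk_number'], order['total_price'],
                                      order['restaurant_id'], order['user_id'], order_items)
    # ... and the same order as seen by the restaurant.
    OrderDao.add_order(today, order['desk_number'], order['total_price'], order['status'],
                       order['restaurant_id'], order_items)
    DaoHelper.commit(db)
    return 204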
def get(self, id):
    """Return the permission ``Node`` with primary key ``id`` to an identity allowed to view nodes."""
    can_view = Permission(ActionNeed('查看权限节点')).can()
    if can_view is not True:
        abort_if_unauthorized("查看权限节点")
    node = Node.query.filter(Node.id == id).first()
    abort_if_not_exist(node, "node")
    return node
def get(self, id):
    """Return the ``SilderShow`` row with primary key ``id``; gated by the view-news action."""
    can_view = Permission(ActionNeed('查看新闻')).can()
    if can_view is not True:
        abort_if_unauthorized("查看新闻")
    silder_show = SilderShow.query.filter(SilderShow.id == id).first()
    abort_if_not_exist(silder_show, "silder_show")
    return silder_show
def edit_post(id):
    """Edit post ``id``; only the owner (or an admin) may change it."""
    post = Post.query.get_or_404(id)
    # Ensure the user is logged in.
    # NOTE(review): ``current_user`` is usually a proxy that stays truthy for
    # anonymous visitors — confirm this guard can actually fire.
    if not current_user:
        return redirect(url_for('main.login'))
    # Only the post owner may edit this post.
    if current_user != post.user:
        return redirect(url_for('blog.post', post_id=id))
    # An admin may edit the post as well.
    owner_permission = Permission(UserNeed(post.user.id))
    if not (owner_permission.can() or admin_permission.can()):
        abort(403)
    form = PostForm()
    if form.validate_on_submit():
        post.title = form.title.data
        post.text = form.text.data
        post.publish_date = datetime.now()
        # Update the post
        db.session.add(post)
        db.session.commit()
        return redirect(url_for('blog.post', post_id=post.id))
    # Not submitted or invalid: prefill with the stored post.
    form.title.data = post.title
    form.text.data = post.text
    return render_template('edit_post.html', form=form, post=post)
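def post(self):
    """Create a user (``requestMethod=POST``) and attach the named roles.

    ``roleName`` may be a list of role names or a single string holding a
    Python list literal. A duplicate ``userName`` or an unknown role aborts
    before anything is committed.
    """
    import ast

    request_arg = RequestMethod_parser.parse_args()
    requestMethod = request_arg['requestMethod']
    if requestMethod == "POST":
        permission = Permission(ActionNeed('添加用户'))
        if permission.can() is not True:
            abort_if_unauthorized("添加用户")
        args = User_parser.parse_args()
        # Only a literal list is unpacked; request data is never ``eval``-ed.
        try:
            args['roleName'] = list(ast.literal_eval(args['roleName'][0]))
        except (ValueError, SyntaxError, TypeError, IndexError):
            pass
        userName = args['userName']
        passWord = args['passWord']
        email = args['email']
        roleName = args['roleName']
        phone = args['phone']
        user1 = User.query.filter(User.userName == userName).first()
        abort_if_exist(user1, "userName")
        user = User(userName, passWord, email, phone)
        for name in roleName:
            role = Role.query.filter(Role.roleName == name).first()
            abort_if_not_exist(role, "role")
            user.roles.append(role)
        db.session.add(user)
        db.session.commit()
    else:
        abort(404, message="api not found")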
def test_entry_points():
    """Test admin views discovery through entry points."""
    from flask_principal import Permission

    def _by_name(items):
        return {str(item.name): item for item in items}

    app = Flask('testapp')
    admin_app = InvenioAdmin(app, permission_factory=lambda x: Permission(),
                             view_class_factory=lambda x: x)
    # Model views are found by checking the labels of the menu items.
    menu_items = _by_name(admin_app.admin.menu())
    for category in ('OneAndTwo', 'Four'):
        assert category in menu_items  # categories for ModelOne/ModelTwo and Four
    for model in ('Model One', 'Model Two'):
        assert model not in menu_items  # these go into a category
    assert 'Model Three' in menu_items  # ModelThree goes straight to the menu
    assert isinstance(menu_items['Model Three'], flask_admin.menu.MenuView)
    assert isinstance(menu_items['OneAndTwo'], flask_admin.menu.MenuCategory)
    assert menu_items['OneAndTwo'].is_category()
    assert not menu_items['Model Three'].is_category()
    submenu_items = _by_name(menu_items['OneAndTwo'].get_children())
    for model in ('Model One', 'Model Two'):
        assert model in submenu_items
        assert not submenu_items[model].is_category()
        assert isinstance(submenu_items[model], flask_admin.menu.MenuView)
    four_item = menu_items['Four'].get_children()[0]
    assert four_item.name == 'View number Four'
    assert isinstance(four_item, flask_admin.menu.MenuView)
def post(post_id):
    """Show post ``post_id`` with its comments; a valid comment form stores a comment first."""
    form = CommentForm()
    if form.validate_on_submit():
        comment = Comment()
        comment.name = form.name.data
        comment.text = form.text.data
        comment.post_id = post_id
        comment.date = datetime.now()
        db.session.add(comment)
        db.session.commit()
        return redirect(url_for('.post', post_id=post_id))
    post = Post.query.get_or_404(post_id)
    # Count this view.
    post.read += 1
    db.session.add(post)
    db.session.commit()
    tags = post.tags
    comments = post.comments.order_by(Comment.date.desc()).all()
    # May the current identity edit the post (owner or admin)?
    owner_permission = Permission(UserNeed(post.user.id))
    is_edit = owner_permission.can() or admin_permission.can()
    if g.is_login:
        form.name.data = current_user.username
    return render_template('post.html', post=post, tags=tags, is_edit=is_edit,
                           comments=comments, form=form)
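def post(self):
    """Create an application context and return its freshly generated key.

    Requires the ``('appcontexts', 'write')`` permission. The creator is
    granted read/write needs for every entry of ``APP_MANDATORY_NEEDS`` on the
    new app. When ``APP_KEYS_FOLDER`` is configured the key is also written to
    ``<folder>/<name>.appkey``; a duplicate name aborts with 409.
    """
    parser = reqparse.RequestParser()
    parser.add_argument('name', type=str)
    args = parser.parse_args()
    if not Permission(('appcontexts', 'write')).can():
        abort(403)
    name = args['name']
    # The name becomes part of an on-disk filename below: refuse anything
    # that would escape the keys folder (path separators).
    if name is not None and os.path.basename(name) != name:
        abort(400, 'invalid application name')
    ctx = AppContext(name)
    db.session.add(ctx)
    # give default permissions for the new app to the creator
    for mandatory, action in product(APP_MANDATORY_NEEDS, ('read', 'write')):
        granted = Need(ctx, mandatory, action)
        db.session.add(granted)
        current_user.permissions.append(granted)
    try:
        db.session.commit()
    except sqlalchemy.exc.IntegrityError:
        db.session.rollback()
        abort(409, 'an application with the same name already exists')
    app_key = generate_token([ctx.id, md5(ctx.name)], salt=app.config['APPLICATION_KEY_SALT'])
    if app.config['APP_KEYS_FOLDER']:
        keyfile = os.path.join(app.config['APP_KEYS_FOLDER'], '{}.appkey'.format(ctx.name))
        # The key is a credential: create the file readable by the owner only.
        fd = os.open(keyfile, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, 'w') as f:
            f.write(app_key)
    return {'application-key': app_key}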
def decorator(*args, **kwargs):
    """Run ``func`` if the identity may edit the topic; otherwise warn and show the topic."""
    topicId = kwargs.get('topicId')
    if Permission(EditTopicNeed(topicId)).can():
        return func(*args, **kwargs)
    flash(_('You have no permission'), 'warning')
    return redirect(url_for('topic.topic', topicId=topicId))
def edit_post(id):
    """Edit post ``id``; only its author (or an admin) may change it."""
    post = Post.query.get_or_404(id)
    # Permission required to use this view: the identity must be the author.
    author_permission = Permission(UserNeed(post.author.id))
    # Check whether the identity holds the required permission (or is admin).
    if not (author_permission.can() or admin_permission.can()):
        abort(403)
    form = PostForm()
    if form.validate_on_submit():
        post.title = form.title.data
        post.text = form.text.data
        post.publish_date = datetime.datetime.now()
        db.session.add(post)
        db.session.commit()
        return redirect(url_for('blog.post', post_id=post.id))
    # Not submitted or invalid: prefill with the stored text.
    form.text.data = post.text
    return render_template('blog/edit.html', form=form, post=post)
def edit_post(id):
    """Edit post ``id``; only the poster (or an admin) may change it."""
    post = Post.query.get_or_404(id)
    # Make sure the user is logged in.
    # NOTE(review): ``current_user`` is usually a proxy that stays truthy for
    # anonymous visitors — confirm this guard can actually fire.
    if not current_user:
        return redirect(url_for('main.login'))
    if current_user != post.users:
        return redirect(url_for('blog.post', post_id=id))
    # Only the poster or an admin may edit the article.
    owner_permission = Permission(UserNeed(post.users.id))
    if not (owner_permission.can() or admin_permission.can()):
        abort(403)
    form = PostForm()
    if form.validate_on_submit():
        post.title = form.title.data
        post.text = form.text.data
        post.published_date = datetime.now()
        db.session.add(post)
        db.session.commit()
        return redirect(url_for('blog.post', post_id=post.id))
    # Not submitted or invalid: prefill with the stored post.
    form.title.data = post.title
    form.text.data = post.text
    return render_template('edit_post.html', form=form, post=post)
def update_user():
    """Update the profile of the logged-in user.

    Role and active flag are not editable here. Username and e-mail must not
    already be used by another account.
    """
    user = current_user
    form = UserForm(request.form, obj=user)
    # Managed elsewhere; removing them keeps populate_obj from touching them.
    del form.role
    del form.is_active
    # Raises unless the identity is this very user or an admin.
    Permission(UserNeed(user.id), RoleNeed('admin')).test()
    if form.validate_on_submit():
        wanted_username = form.username.data
        wanted_email = form.email.data
        if wanted_username != user.username and User.username_is_in_use(wanted_username):
            flash(
                "This username is already been used. Please choose another one!",
                "alert-danger")
            form.username.errors.append('Please correct this field')
        elif wanted_email != user.email and User.email_is_in_use(wanted_email):
            flash(
                "This email is already been used. Please choose another one!",
                "alert-danger")
            form.email.errors.append('Please correct this field')
        else:
            form.populate_obj(user)
            db.session.commit()
            flash("Informations updated", "alert-info")
            return redirect(url_for('dashboard.index'))
    return render_template("user/update.html", form=form, user=current_user)
def post(self):
    """Create a user account (requires ``users:write``) and return its token.

    ``mobile_number`` is mandatory only when ``ENABLE_2FA`` is configured.
    Invalid field values give 400, a duplicate username/e-mail 409.
    """
    with Permission(('users', 'write')).require(403):
        parser = reqparse.RequestParser()
        field_specs = (
            ('username', True),
            ('email', True),
            ('mobile_number', app.config['ENABLE_2FA']),
        )
        for field, mandatory in field_specs:
            parser.add_argument(field, type=str, required=mandatory)
        args = parser.parse_args()
        for field in ('username', 'email'):
            if not args[field]:
                abort(400, 'missing ' + field)
        try:
            user = User(username=args['username'], email=args['email'],
                        mobile_number=args['mobile_number'])
            if app.config['AUTO_ACTIVATE_NEW_USER']:
                user.active = True
        except ValueError as err:
            abort(400, str(err))
        db.session.add(user)
        try:
            db.session.commit()
        except sqlalchemy.exc.IntegrityError:
            abort(409, 'an account with the same username/email already exists')
        return {"token": user.generate_token()}
def has_roles(*args: Iterable[str]):
    """Decorator factory rejecting requests whose ``g.identity`` fails ``check_roles``.

    Each positional argument is a role name (one permission) or a list of
    role names (a list of permissions); the matching rule itself lives in
    ``check_roles``.
    """
    def _as_permissions(entry):
        if isinstance(entry, list):
            return [Permission(RoleNeed(inner)) for inner in entry]
        return Permission(RoleNeed(entry))

    roles = [_as_permissions(entry) for entry in args]

    def wrapper(fn: Callable):
        @wraps(fn)
        def wrapped(*args, **kwargs):
            identity: Identity = g.identity
            if check_roles(identity=identity, roles=roles):
                return fn(*args, **kwargs)
            raise InvalidUsage.user_not_authorized()
        return wrapped
    return wrapper
def edit_post(id):
    """Edit post ``id``; the owner (or an admin) may change title and text.

    The login check is done by the ``login_required`` decorator, and access
    is limited through the user permission rather than a direct owner
    comparison. Submitting unchanged content only flashes a notice.
    """
    post = Post.query.get_or_404(id)
    owner_permission = Permission(UserNeed(post.user.id))
    if not (owner_permission.can() or admin_permission.can()):
        abort(403)
    form = PostForm()
    if form.validate_on_submit():
        unchanged = (form.title.data == post.title
                     and form.text.data == post.text)
        if unchanged:
            flash('no changes detected!', category='message')
        else:
            post.title = form.title.data
            post.text = form.text.data
            post.publish_date = datetime.datetime.now()
            db.session.add(post)
            db.session.commit()
        return redirect(url_for('.post', post_id=post.id))
    # Not submitted or invalid: prefill with the stored text.
    form.text.data = post.text
    return render_template('edit.html', form=form, post=post)
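def post(self):
    """Create a news item (``requestMethod=POST``) from the submitted form.

    Every ``<img>`` in ``detail`` whose ``src`` is an http(s) URL is fetched,
    re-saved as PNG under the uploads folder and inlined as a base64 data
    URI. The first such image stays on disk as the teaser picture, later
    ones are deleted after inlining; without any image a default teaser is
    used. The first 100 characters of visible text become the outline.
    """
    import ast
    from urllib.parse import urlparse

    request_arg = RequestMethod_parser.parse_args()
    requestMethod = request_arg['requestMethod']
    if requestMethod != "POST":
        abort(404, message="api not found")
    permission = Permission(ActionNeed('添加新闻'))
    if permission.can() is not True:
        abort_if_unauthorized("添加新闻")
    args = News_parser.parse_args()
    category = args['category']
    detail = args['detail']
    title = args['title']
    tags = args['tags']
    # ``tags`` may be one string holding a Python list literal; only
    # literals are accepted (request data is never ``eval``-ed).
    try:
        tags = list(ast.literal_eval(tags[0]))
    except (ValueError, SyntaxError, TypeError, IndexError):
        pass
    soup = BeautifulSoup(detail, "html.parser")
    imgUrlFirst = "static/Uploads/News/1.jpg"  # default teaser picture
    k = 0
    for img in soup.find_all('img'):
        imgurl = img.get('src')
        # The URL comes from the submitted HTML: fetch only http(s) so the
        # server cannot be pointed at local files or other schemes.
        if imgurl is None or urlparse(imgurl).scheme not in ("http", "https"):
            continue
        with request.urlopen(imgurl) as r:
            imgBuf = BytesIO(r.read())
        i = Image.open(imgBuf)
        filename = str(int(random.uniform(1, 1000) + time.time())) + ".png"
        path = os.path.join(app.config['BASEDIR'], 'aunet/static/Uploads/News', filename)
        i.save(path, quality="96")
        with open(path, "rb") as f:
            encoded = base64.b64encode(f.read()).decode("ascii")
        img['src'] = "data:image/jpg;base64," + encoded
        k += 1
        if k > 1:
            os.remove(path)
        else:
            imgUrlFirst = "static/Uploads/News/" + filename
    outline = soup.get_text()[:100]
    news = News(soup.prettify(), title, outline, imgUrlFirst)
    db.session.add(news)
    db.session.commit()
    news.addCategory(category)
    for tag in tags:
        t = Tag.query.filter_by(name=tag).first()
        abort_if_not_exist(t, "tag")
        news.tags.append(t)
    db.session.add(news)
    db.session.commit()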