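def profile_edit():
    """Edit the signed-in user's profile through ``ProfileForm``.

    On a valid submission the form is written back onto ``g.user`` and
    committed. The response is a 303 redirect in both branches so that a
    browser refresh after the POST does not resubmit the form (the original
    only used 303 on the flash branch).
    """
    form = ProfileForm(obj=g.user)
    form.edit_obj = g.user
    if form.validate_on_submit():
        form.populate_obj(g.user)
        db.session.commit()
        # NOTE(review): get_next_url() is assumed to only hand back local
        # URLs (no open redirect) — confirm in its definition.
        next_url = get_next_url()
        if next_url is not None:
            # Fix: 303 here as well, consistent with the branch below.
            return render_redirect(next_url, code=303)
        flash("Your profile was successfully edited.", category="info")
        return render_redirect(url_for("profile"), code=303)
    return render_form(form, title="Edit profile", formid="profile_edit",
                       submit="Save changes", ajax=True)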
def login():
    """Render and process the login page (password form and OpenID form).

    A user who is already signed in is bounced straight back. The posted
    ``form.id`` field decides which of the two forms is being submitted;
    a password login also honours the "remember me" checkbox by making the
    session permanent.
    """
    # Already signed in: nothing to do, send the user back where they came from
    if g.user:
        return redirect(get_next_url(referrer=True), code=303)

    loginform = LoginForm()
    openidform = OpenIdForm(csrf_session_key='csrf_openid')
    if request.method == 'GET':
        openidform.openid.data = 'http://'

    formid = request.form.get('form.id')
    is_post = request.method == 'POST'
    if is_post and formid == 'openid':
        if openidform.validate():
            return oid.try_login(openidform.openid.data,
                                 ask_for=['email', 'fullname', 'nickname'])
    elif is_post and formid == 'login':
        if loginform.validate():
            # NOTE(review): login_internal() is expected to establish the
            # session for the user (and ideally rotate the session id) — confirm.
            login_internal(loginform.user)
            # "Remember me" decides whether the session outlives the browser
            session.permanent = bool(loginform.remember.data)
            flash('You are now logged in', category='info')
            return render_redirect(get_next_url(), code=303)

    # AJAX submissions of the password form get only the form fragment back.
    # NOTE(review): request.is_xhr was removed in Werkzeug 1.0; fine on the
    # version this file targets, but worth knowing before an upgrade.
    if request.is_xhr and formid == 'login':
        return render_template('forms/loginform.html', loginform=loginform)
    return render_template('login.html', openidform=openidform,
                           loginform=loginform, oiderror=oid.fetch_error(),
                           oidnext=oid.get_next_url())
def client_edit(key):
    """Edit a registered client application; only its owner may do so.

    The owner selector is pre-filled from the current owner (user or org).
    When the owner changes, every existing user/team permission assignment
    on the client is deleted before the new owner is stored.
    """
    client = Client.query.filter_by(key=key).first_or_404()
    if not client.owner_is(g.user):
        abort(403)

    form = RegisterClientForm(obj=client)
    form.edit_obj = client
    form.client_owner.choices = available_client_owners()
    if request.method == 'GET':
        # Pre-select whichever kind of owner the client currently has
        current_owner = client.user if client.user else client.org
        form.client_owner.data = current_owner.userid

    if form.validate_on_submit():
        owner_changed = (client.user != form.user) or (client.org != form.org)
        if owner_changed:
            # Ownership has changed: revoke every stale permission assignment
            stale = (UserClientPermissions.query.filter_by(client=client).all()
                     + TeamClientPermissions.query.filter_by(client=client).all())
            for assignment in stale:
                db.session.delete(assignment)
            flash("This application’s owner has changed, so all previously assigned permissions "
                  "have been revoked", "warning")
        form.populate_obj(client)
        client.user = form.user
        client.org = form.org
        db.session.commit()
        return render_redirect(url_for('client_info', key=client.key), code=303)

    return render_form(form=form, title="Edit application", formid="client_edit",
                       submit="Save changes", ajax=True)
def login():
    """Render and process the login page (password form and OpenID form).

    A user who is already signed in is bounced straight back. The posted
    ``form.id`` field decides which of the two forms is being submitted;
    a password login also honours the "remember me" checkbox by making the
    session permanent.
    """
    # Already signed in: nothing to do, send the user back where they came from
    if g.user:
        return redirect(get_next_url(referrer=True), code=303)

    loginform = LoginForm()
    openidform = OpenIdForm(csrf_session_key="csrf_openid")
    if request.method == "GET":
        openidform.openid.data = "http://"

    formid = request.form.get("form.id")
    is_post = request.method == "POST"
    if is_post and formid == "openid":
        if openidform.validate():
            return oid.try_login(
                openidform.openid.data, ask_for=["email", "fullname", "nickname"]
            )
    elif is_post and formid == "login":
        if loginform.validate():
            # NOTE(review): login_internal() is expected to establish the
            # session for the user (and ideally rotate the session id) — confirm.
            login_internal(loginform.user)
            # "Remember me" decides whether the session outlives the browser
            session.permanent = bool(loginform.remember.data)
            flash("You are now logged in", category="info")
            return render_redirect(get_next_url(), code=303)

    # AJAX submissions of the password form get only the form fragment back.
    # NOTE(review): request.is_xhr was removed in Werkzeug 1.0; fine on the
    # version this file targets, but worth knowing before an upgrade.
    if request.is_xhr and formid == "login":
        return render_template("forms/loginform.html", loginform=loginform)
    return render_template(
        "login.html",
        openidform=openidform,
        loginform=loginform,
        oiderror=oid.fetch_error(),
        oidnext=oid.get_next_url(),
    )
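def resource_action_edit(key, idr, ida):
    """Edit action ``ida`` of resource ``idr`` belonging to client ``key``.

    Only the client's owning user may edit. The resource must belong to the
    client and the action to the resource; without those two checks the
    owner of any client could edit any action just by guessing its id
    (``resource_action_new`` already performs the resource check).
    """
    client = Client.query.filter_by(key=key).first()
    if not client:
        abort(404)
    if client.user != g.user:
        abort(403)

    resource = Resource.query.get(idr)
    if not resource:
        abort(404)
    # Fix: the resource must be one of this client's (cf. resource_action_new)
    if resource.client != client:
        abort(403)

    action = ResourceAction.query.get(ida)
    if not action:
        abort(404)
    # Fix: the action must hang off the resource named in the URL
    if action.resource != resource:
        abort(403)

    form = ResourceActionForm()
    # NOTE(review): resource_edit sets edit_id to the object's id; confirm
    # None is intended here (it may make the name-uniqueness check reject
    # the action's own current name).
    form.edit_id = None
    form.edit_resource = resource
    if request.method == 'GET':
        form.name.data = action.name
        form.title.data = action.title
        form.description.data = action.description
    if form.validate_on_submit():
        form.populate_obj(action)
        db.session.commit()
        flash("Your action has been edited", "info")
        return render_redirect(url_for('client_info', key=key), code=303)
    return render_form(form=form, title="Edit action", formid="action_edit",
                       submit="Save changes", ajax=True)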
def add_phone():
    """Let the signed-in user claim a phone number.

    A valid submission stores a ``UserPhoneClaim``, sends the verification
    code to it and redirects to the verification page for that number.
    """
    form = NewPhoneForm()
    if not form.validate_on_submit():
        return render_form(form=form, title="Add a phone number", formid="phone_add",
                           submit="Add phone", ajax=True)

    claim = UserPhoneClaim(user=g.user, phone=form.phone.data)
    db.session.add(claim)
    # The code is sent before the commit, as in the original flow
    send_phone_verify_code(claim)
    db.session.commit()
    flash("We sent a verification code to your phone number.", "info")
    return render_redirect(url_for("verify_phone", number=claim.phone), code=303)
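def profile_edit():
    """Edit the signed-in user's full name, username and description.

    On GET the form is pre-filled from ``g.user``; on a valid POST the
    fields are copied back (an empty username becomes ``None``) and
    committed. Both redirect branches use 303 so that a refresh after the
    POST does not resubmit (the original used the default code on the
    ``next_url`` branch).
    """
    form = ProfileForm()
    if request.method == 'GET':
        form.fullname.data = g.user.fullname
        form.username.data = g.user.username
        form.description.data = g.user.description
    elif form.validate_on_submit():
        g.user.fullname = form.fullname.data
        g.user.username = form.username.data or None
        g.user.description = form.description.data
        db.session.commit()
        # NOTE(review): get_next_url() is assumed to only hand back local
        # URLs (no open redirect) — confirm in its definition.
        next_url = get_next_url()
        if next_url is not None:
            # Fix: 303 here as well, consistent with the branch below.
            return render_redirect(next_url, code=303)
        flash("Your profile was successfully edited.", category='info')
        return render_redirect(url_for('profile'), code=303)
    return render_form(form, title="Edit profile", formid="profile_edit",
                       submit="Save changes", ajax=True)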
def add_email():
    """Let the signed-in user add an email address.

    A valid submission stores a ``UserEmailClaim``, commits it, then sends
    the verification link and redirects to the profile page.
    """
    form = NewEmailAddressForm()
    if not form.validate_on_submit():
        return render_form(form=form, title="Add an email address", formid="email_add",
                           submit="Add email", ajax=True)

    claim = UserEmailClaim(user=g.user, email=form.email.data)
    db.session.add(claim)
    db.session.commit()
    send_email_verify_link(claim)
    flash("We sent you an email to confirm your address.", "info")
    return render_redirect(url_for("profile"), code=303)
def org_new():
    """Create a new organization owned by the signed-in user.

    The creator is appended to the ``owners`` team's users before commit.
    """
    form = OrganizationForm()
    form.edit_obj = None
    if not form.validate_on_submit():
        return render_form(form=form, title="New Organization", formid="org_new",
                           submit="Create", ajax=False)

    organization = Organization()
    form.populate_obj(organization)
    # The creator is the first owner
    organization.owners.users.append(g.user)
    db.session.add(organization)
    db.session.commit()
    return render_redirect(url_for('org_info', name=organization.name), code=303)
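def org_edit(name):
    """Edit organization ``name``; only members of its owners team may.

    The form title was "New Organization" (copied from ``org_new``); it
    now reads "Edit organization" so the edit page is labelled correctly.
    """
    org = Organization.query.filter_by(name=name).first_or_404()
    if g.user not in org.owners.users:
        abort(403)
    form = OrganizationForm(obj=org)
    form.edit_obj = org
    if form.validate_on_submit():
        form.populate_obj(org)
        db.session.commit()
        return render_redirect(url_for('org_info', name=org.name), code=303)
    # Fix: the edit page carried the "New Organization" title
    return render_form(form=form, title="Edit organization", formid="org_edit",
                       submit="Save", ajax=False)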
def change_password():
    """Set a new password for the signed-in user.

    A user without a stored hash gets the reset form (no current password
    to check); everyone else gets the change form.
    """
    # NOTE(review): whether PasswordChangeForm verifies the current password
    # is not visible here — confirm in the form's validators.
    has_password = g.user.pw_hash is not None
    form = PasswordChangeForm() if has_password else PasswordResetForm()
    if not form.validate_on_submit():
        return render_form(form=form, title="Change password", formid="changepassword",
                           submit="Change password", ajax=True)

    g.user.password = form.password.data
    db.session.commit()
    flash("Your new password has been saved.", category="info")
    return render_redirect(url_for("profile"), code=303)
def remove_email(md5sum):
    """Confirm and remove one of the signed-in user's email addresses.

    Both verified addresses and pending claims are looked up by ``md5sum``,
    scoped to ``g.user``. The primary address cannot be removed.
    """
    # Verified address first, then a pending claim; both scoped to the user
    useremail = UserEmail.query.filter_by(md5sum=md5sum, user=g.user).first()
    if useremail is None:
        useremail = UserEmailClaim.query.filter_by(md5sum=md5sum, user=g.user).first()
    if useremail is None:
        abort(404)

    if useremail.primary:
        flash("You cannot remove your primary email address", "error")
        return render_redirect(url_for('profile'), code=303)

    return render_delete(
        useremail,
        title="Confirm removal",
        message="Remove email address %s?" % useremail,
        success="You have removed your email address %s." % useremail,
        next=url_for('profile'),
    )
def team_new(name):
    """Create a team in organization ``name``; owners only."""
    org = Organization.query.filter_by(name=name).first_or_404()
    if g.user not in org.owners.users:
        abort(403)

    form = TeamForm()
    if not form.validate_on_submit():
        return render_form(form=form, title=u"Create new team", formid='team_new',
                           submit="Create", ajax=False)

    team = Team(org=org)
    form.populate_obj(team)
    db.session.add(team)
    db.session.commit()
    return render_redirect(url_for('org_info', name=org.name), code=303)
def team_edit(name, userid):
    """Edit team ``userid`` of organization ``name``; owners only.

    The team lookup is scoped to the organization, so a team id from
    another organization yields 404.
    """
    org = Organization.query.filter_by(name=name).first_or_404()
    if g.user not in org.owners.users:
        abort(403)

    team = Team.query.filter_by(org=org, userid=userid).first_or_404()
    form = TeamForm(obj=team)
    form.edit_obj = team
    if not form.validate_on_submit():
        return render_form(form=form, title=u"Edit team: %s" % team.title,
                           formid='team_edit', submit="Save", ajax=False)

    form.populate_obj(team)
    db.session.commit()
    return render_redirect(url_for('org_info', name=org.name), code=303)
def permission_new():
    """Define a new permission owned by the signed-in user.

    New permissions are never ``allusers``; that flag is forced off here.
    """
    form = PermissionForm()
    if not form.validate_on_submit():
        return render_form(form=form, title="Define a new permission", formid="perm_new",
                           submit="Define new permission", ajax=True)

    permission = Permission(user=g.user)
    form.populate_obj(permission)
    permission.allusers = False  # user-defined permissions are never global
    db.session.add(permission)
    db.session.commit()
    flash("Your new permission has been defined", "info")
    return render_redirect(url_for('permission_list'), code=303)
def client_new():
    """Register a new client application owned by the signed-in user.

    Newly registered clients start out untrusted.
    """
    form = RegisterClientForm()
    if not form.validate_on_submit():
        return render_form(form=form, title="Register a new client application",
                           formid="client_new", submit="Register application", ajax=True)

    client = Client()
    form.populate_obj(client)
    client.user = g.user
    client.trusted = False  # trust is never granted at registration time
    db.session.add(client)
    db.session.commit()
    return render_redirect(url_for('client_info', key=client.key), code=303)
def resource_new(key):
    """Define a new resource on client ``key``; the client's owner only."""
    client = Client.query.filter_by(key=key).first_or_404()
    if not client.owner_is(g.user):
        abort(403)

    form = ResourceForm()
    form.edit_id = None
    if not form.validate_on_submit():
        return render_form(form=form, title="Define a resource", formid="resource_new",
                           submit="Define resource", ajax=True)

    resource = Resource(client=client)
    form.populate_obj(resource)
    db.session.add(resource)
    db.session.commit()
    flash("Your new resource has been saved", "info")
    return render_redirect(url_for('client_info', key=key), code=303)
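def permission_edit(id):
    """Edit permission ``id``; only the user who owns it may.

    The original looked the permission up by id without any ownership
    check, so any signed-in user could edit any permission. Ownership is
    ``perm.user`` here (``permission_new`` creates permissions with
    ``user=g.user``); a permission with no owning user is refused.
    """
    perm = Permission.query.get(id)
    if not perm:
        abort(404)
    # Fix: only the owner may edit (cf. the ownership checks on other edit views)
    if perm.user != g.user:
        abort(403)

    form = PermissionForm()
    form.edit_id = id
    if request.method == 'GET':
        form.name.data = perm.name
        form.title.data = perm.title
        form.description.data = perm.description
    if form.validate_on_submit():
        form.populate_obj(perm)
        db.session.commit()
        flash("Your permission has been saved", "info")
        return render_redirect(url_for('permission_list'), code=303)
    return render_form(form=form, title="Edit permission", formid="perm_edit",
                       submit="Save changes", ajax=True)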
def permission_new():
    """Define a new permission in a chosen context (the user or one of their orgs).

    The context selector defaults to the signed-in user on GET. The form is
    expected to resolve the chosen context into ``form.user``/``form.org``.
    New permissions are never ``allusers``.
    """
    form = PermissionForm()
    form.context.choices = available_client_owners()
    if request.method == 'GET':
        form.context.data = g.user.userid

    if not form.validate_on_submit():
        return render_form(form=form, title="Define a new permission", formid="perm_new",
                           submit="Define new permission", ajax=True)

    permission = Permission()
    form.populate_obj(permission)
    permission.user = form.user
    permission.org = form.org
    permission.allusers = False  # user-defined permissions are never global
    db.session.add(permission)
    db.session.commit()
    flash("Your new permission has been defined", "info")
    return render_redirect(url_for('permission_list'), code=303)
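def permission_user_new(key):
    """Assign permissions on client ``key`` to a user; the owning user only.

    Selectable permissions are those flagged ``allusers`` plus those owned
    by ``g.user``. If the target user already has an assignment on this
    client, the new selection is merged into it instead of inserting a
    second ``UserClientPermissions`` row for the same user/client pair
    (the original always inserted, producing duplicates or an integrity
    error depending on the schema).
    """
    client = Client.query.filter_by(key=key).first()
    if not client:
        abort(404)
    if client.user != g.user:
        abort(403)

    available_perms = Permission.query.filter(
        db.or_(Permission.allusers == True, Permission.user == g.user)
    ).order_by('name').all()
    form = UserPermissionAssignForm()
    form.perms.choices = [(ap.name, u"%s – %s" % (ap.name, ap.title)) for ap in available_perms]

    if form.validate_on_submit():
        perms = set(form.perms.data)
        # Fix: merge into the existing assignment rather than adding a duplicate
        permassign = UserClientPermissions.query.filter_by(user=form.user, client=client).first()
        if permassign is None:
            permassign = UserClientPermissions(user=form.user, client=client)
            db.session.add(permassign)
        elif permassign.permissions:
            perms.update(permassign.permissions.split(u' '))
        permassign.permissions = u' '.join(sorted(perms))
        db.session.commit()
        flash("Permissions have been assigned to user %s" % form.user.displayname(), "info")
        return render_redirect(url_for('client_info', key=key), code=303)

    return render_form(form=form, title="Assign permissions", formid="perm_assign",
                       submit="Assign permissions", ajax=True)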
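def verify_phone(number):
    """Verify a phone number the signed-in user has claimed.

    The claim is looked up by number *and* user. The original looked it up
    by number alone and then compared ``phoneclaim.user`` with ``g.user``:
    with two users holding claims on the same number, ``first_or_404``
    could return the other user's claim and refuse the genuine owner with
    a 403 (and reveal that someone else had claimed the number). On a
    valid code the claim becomes a ``UserPhone``, primary if the user has
    no phones yet.
    """
    # Fix: scope the lookup to the current user (cf. remove_email)
    phoneclaim = UserPhoneClaim.query.filter_by(phone=number, user=g.user).first_or_404()

    form = VerifyPhoneForm()
    form.phoneclaim = phoneclaim
    if form.validate_on_submit():
        # The first verified number becomes the primary one
        primary = not g.user.phones
        userphone = UserPhone(user=g.user, phone=phoneclaim.phone, gets_text=True, primary=primary)
        db.session.add(userphone)
        db.session.delete(phoneclaim)
        db.session.commit()
        flash("Your phone number has been verified.", "info")
        return render_redirect(url_for("profile"), code=303)
    return render_form(form=form, title="Verify phone number", formid="phone_verify",
                       submit="Verify", ajax=True)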
def client_new():
    """Register a new client application under a chosen owner.

    The owner selector defaults to the signed-in user on GET; the form
    resolves the choice into ``form.user``/``form.org``. New clients start
    out untrusted.
    """
    form = RegisterClientForm()
    form.client_owner.choices = available_client_owners()
    if request.method == 'GET':
        form.client_owner.data = g.user.userid

    if not form.validate_on_submit():
        return render_form(form=form, title="Register a new client application",
                           formid="client_new", submit="Register application", ajax=True)

    client = Client()
    form.populate_obj(client)
    client.user = form.user
    client.org = form.org
    client.trusted = False  # trust is never granted at registration time
    db.session.add(client)
    db.session.commit()
    return render_redirect(url_for('client_info', key=client.key), code=303)
def resource_action_new(key, idr):
    """Define a new action on resource ``idr`` of client ``key``.

    Requires the signed-in user to own the client and the resource to
    belong to that client.
    """
    client = Client.query.filter_by(key=key).first_or_404()
    if not client.owner_is(g.user):
        abort(403)
    resource = Resource.query.get_or_404(idr)
    # A resource id from another client is refused, not silently accepted
    if resource.client != client:
        abort(403)

    form = ResourceActionForm()
    form.edit_id = None
    form.edit_resource = resource
    if not form.validate_on_submit():
        return render_form(form=form, title="Define an action", formid="action_new",
                           submit="Define action", ajax=True)

    action = ResourceAction(resource=resource)
    form.populate_obj(action)
    db.session.add(action)
    db.session.commit()
    flash("Your new action has been saved", "info")
    return render_redirect(url_for('client_info', key=key), code=303)
def permission_user_new(key):
    """Assign permissions on client ``key`` to a user or a team.

    A user-owned client assigns to a user; an org-owned client assigns to
    one of the org's teams. Only the client's owner may assign. Selectable
    permissions are those flagged ``allusers`` plus those owned by the
    signed-in user (user clients) or the owning org (org clients). An
    existing assignment is merged with the new selection.
    """
    client = Client.query.filter_by(key=key).first_or_404()
    if not client.owner_is(g.user):
        abort(403)

    if client.user:
        owner_clause = Permission.user == g.user
        form = UserPermissionAssignForm()
    elif client.org:
        owner_clause = Permission.org == client.org
        form = TeamPermissionAssignForm()
        form.org = client.org
        form.team_id.choices = [(team.userid, team.title) for team in client.org.teams]
    else:
        abort(403)  # This should never happen. Clients always have an owner.

    available_perms = Permission.query.filter(
        db.or_(Permission.allusers == True, owner_clause)
    ).order_by('name').all()
    form.perms.choices = [(ap.name, u"%s – %s" % (ap.name, ap.title)) for ap in available_perms]

    if form.validate_on_submit():
        if client.user:
            model = UserClientPermissions
            lookup = dict(user=form.user, client=client)
        else:
            model = TeamClientPermissions
            lookup = dict(team=form.team, client=client)

        permassign = model.query.filter_by(**lookup).first()
        if permassign is None:
            permassign = model(**lookup)
            db.session.add(permassign)
            perms = set()
        else:
            # Merge with what is already assigned
            perms = set(permassign.permissions.split(u' '))
        perms.update(form.perms.data)
        permassign.permissions = u' '.join(sorted(perms))
        db.session.commit()

        if client.user:
            flash("Permissions have been assigned to user %s" % form.user.pickername, "info")
        else:
            flash("Permissions have been assigned to team '%s'" % permassign.team.pickername, "info")
        return render_redirect(url_for('client_info', key=key), code=303)

    return render_form(form=form, title="Assign permissions", formid="perm_assign",
                       submit="Assign permissions", ajax=True)
def resource_edit(key, idr):
    """Edit resource ``idr`` of client ``key``.

    Requires the signed-in user to own the client and the resource to
    belong to that client. ``form.edit_id`` carries the resource id so the
    form can exclude it from uniqueness checks.
    """
    client = Client.query.filter_by(key=key).first_or_404()
    if not client.owner_is(g.user):
        abort(403)
    resource = Resource.query.get_or_404(idr)
    if resource.client != client:
        abort(403)

    form = ResourceForm()
    form.edit_id = idr
    if request.method == 'GET':
        # Pre-fill from the stored resource
        for field in ('name', 'title', 'description', 'siteresource'):
            getattr(form, field).data = getattr(resource, field)

    if not form.validate_on_submit():
        return render_form(form=form, title="Edit resource", formid="resource_edit",
                           submit="Save changes", ajax=True)

    form.populate_obj(resource)
    db.session.commit()
    flash("Your resource has been edited", "info")
    return render_redirect(url_for('client_info', key=key), code=303)
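def permission_user_edit(key, userid):
    """Edit the permissions assigned on client ``key`` to user/team ``userid``.

    A user-owned client edits a user assignment, an org-owned client a team
    assignment; only the client's owner may edit. Submitting an empty
    selection deletes the assignment. The original had no branch for a
    client with neither user nor org, which fell through to an unbound
    ``permassign`` (NameError → 500); it now aborts with 403 as
    ``permission_user_new`` does.
    """
    client = Client.query.filter_by(key=key).first_or_404()
    if not client.owner_is(g.user):
        abort(403)

    if client.user:
        user = User.query.filter_by(userid=userid).first_or_404()
        available_perms = Permission.query.filter(db.or_(
            Permission.allusers == True, Permission.user == g.user)).order_by('name').all()
        permassign = UserClientPermissions.query.filter_by(user=user, client=client).first_or_404()
    elif client.org:
        team = Team.query.filter_by(userid=userid).first_or_404()
        available_perms = Permission.query.filter(db.or_(
            Permission.allusers == True, Permission.org == client.org)).order_by('name').all()
        permassign = TeamClientPermissions.query.filter_by(team=team, client=client).first_or_404()
    else:
        # Fix: ownerless client — refuse instead of raising NameError below
        abort(403)

    form = PermissionEditForm()
    form.perms.choices = [(ap.name, u"%s – %s" % (ap.name, ap.title)) for ap in available_perms]
    if request.method == 'GET':
        # permassign cannot be None past first_or_404, so no guard is needed
        form.perms.data = permassign.permissions.split(u' ')

    if form.validate_on_submit():
        perms = u' '.join(sorted(form.perms.data))
        if not perms:
            # Empty selection: the assignment goes away entirely
            db.session.delete(permassign)
        else:
            permassign.permissions = perms
        db.session.commit()

        if perms:
            if client.user:
                flash("Permissions have been updated for user %s" % user.pickername, "info")
            else:
                flash("Permissions have been updated for team '%s'" % team.title, "info")
        else:
            if client.user:
                flash("All permissions have been revoked for user %s" % user.pickername, "info")
            else:
                flash("All permissions have been revoked for team '%s'" % team.title, "info")
        return render_redirect(url_for('client_info', key=key), code=303)

    return render_form(form=form, title="Edit permissions", formid="perm_edit",
                       submit="Save changes", ajax=True)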
def permission_edit(id):
    """Edit permission ``id``; only its owner (user or org) may.

    The context selector is pre-filled from the current owner; the form
    resolves the chosen context back into ``form.user``/``form.org``.
    """
    perm = Permission.query.get_or_404(id)
    if not perm.owner_is(g.user):
        abort(403)

    form = PermissionForm(obj=perm)
    form.context.choices = available_client_owners()
    form.edit_obj = perm
    if request.method == 'GET':
        # Pre-select whichever kind of owner the permission currently has
        current_owner = perm.user if perm.user else perm.org
        form.context.data = current_owner.userid

    if not form.validate_on_submit():
        return render_form(form=form, title="Edit permission", formid="perm_edit",
                           submit="Save changes", ajax=True)

    form.populate_obj(perm)
    perm.user = form.user
    perm.org = form.org
    db.session.commit()
    flash("Your permission has been saved", "info")
    return render_redirect(url_for('permission_list'), code=303)
def client_team_access(key):
    """Choose which of the signed-in user's organizations grant client ``key`` team access.

    The checkboxes list the orgs the user owns, pre-ticked where a
    ``ClientTeamAccess`` row already exists. On submit, rows are deleted
    for unticked orgs and created (at ``CLIENT_TEAM_ACCESS.ALL``) for newly
    ticked ones. Ownership of the client itself is not required: this is
    the org owner's decision about their own teams.
    """
    client = Client.query.filter_by(key=key).first_or_404()
    form = ClientTeamAccessForm()

    owned_orgs = g.user.organizations_owned()
    form.organizations.choices = [(org.userid, org.title) for org in owned_orgs]
    currently_granted = [org.userid for org in owned_orgs
                         if client in org.clients_with_team_access()]
    if request.method == 'GET':
        form.organizations.data = currently_granted

    if not form.validate_on_submit():
        return render_form(form=form, title="Select organizations", submit="Save", ajax=True)

    before = set(currently_granted)
    after = set(form.organizations.data)
    orgs_to_revoke = Organization.query.filter(Organization.userid.in_(before - after)).all()
    orgs_to_grant = Organization.query.filter(Organization.userid.in_(after - before)).all()

    revoked_rows = ClientTeamAccess.query.filter_by(client=client).filter(
        ClientTeamAccess.org_id.in_([org.id for org in orgs_to_revoke])).all()
    for row in revoked_rows:
        db.session.delete(row)
    for org in orgs_to_grant:
        db.session.add(ClientTeamAccess(org=org, client=client,
                                        access_level=CLIENT_TEAM_ACCESS.ALL))
    db.session.commit()
    flash("You have assigned access to teams in your organizations for this app.", "info")
    return render_redirect(url_for('client_info', key=key), code=303)
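def permission_user_edit(key, userid):
    """Edit the permissions assigned on client ``key`` to user ``userid``.

    Only the client's owning user may edit. Selectable permissions are
    those flagged ``allusers`` plus those owned by ``g.user``. The original
    combined the two conditions with Python ``or``: on a SQLAlchemy
    expression that evaluates to the right-hand operand, so the
    ``allusers`` clause was silently dropped and global permissions could
    not be selected. ``db.or_`` (as used by the other assignment views)
    is the correct combinator. An empty selection deletes the assignment.
    """
    client = Client.query.filter_by(key=key).first()
    if not client:
        abort(404)
    if client.user != g.user:
        abort(403)
    user = User.query.filter_by(userid=userid).first()
    if not user:
        abort(404)

    # Fix: db.or_(), not Python `or`, so both clauses reach the SQL
    available_perms = Permission.query.filter(
        db.or_(Permission.allusers == True, Permission.user == g.user)
    ).order_by('name').all()
    permassign = UserClientPermissions.query.filter_by(user=user, client=client).first()

    form = UserPermissionEditForm()
    form.perms.choices = [(ap.name, u"%s – %s" % (ap.name, ap.title)) for ap in available_perms]
    if request.method == 'GET':
        if permassign:
            form.perms.data = permassign.permissions.split(u' ')

    if form.validate_on_submit():
        perms = u' '.join(sorted(form.perms.data))
        if not perms:
            # No permissions specified. Delete this assignment if it exists
            if permassign:
                db.session.delete(permassign)
        elif not permassign:
            permassign = UserClientPermissions(user=user, client=client)
            permassign.permissions = perms
            db.session.add(permassign)
        else:
            permassign.permissions = perms
        db.session.commit()

        if perms:
            flash("Permissions have been updated for user %s" % user.displayname(), "info")
        else:
            flash("All permissions have been revoked for user %s" % user.displayname(), "info")
        return render_redirect(url_for('client_info', key=key), code=303)

    return render_form(form=form, title="Edit permissions", formid="perm_edit",
                       submit="Save changes", ajax=True)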
def client_edit(key):
    """Edit client application ``key``; only its owning user may.

    On GET the form is pre-filled field by field from the client.
    """
    client = Client.query.filter_by(key=key).first()
    if not client:
        abort(404)
    if client.user != g.user:
        abort(403)

    form = RegisterClientForm()
    if request.method == 'GET':
        # Pre-fill every editable field from the stored client
        for field in ('title', 'description', 'owner', 'website', 'redirect_uri',
                      'notification_uri', 'resource_uri', 'allow_any_login'):
            getattr(form, field).data = getattr(client, field)

    if not form.validate_on_submit():
        return render_form(form=form, title="Edit application", formid="client_edit",
                           submit="Save changes", ajax=True)

    form.populate_obj(client)
    db.session.commit()
    return render_redirect(url_for('client_info', key=client.key), code=303)