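def createSession():
    """Authenticate the posted ``uname``/``passwd`` fields and start a login session.

    Returns a Flask ``(body, status)`` tuple:
      * ``ERR_TOO_MANY_FAILED_ATTEMPTS`` (200) with a ``timeout`` while the
        brute-force protection still blocks the username;
      * ``ERR_USERNAME_NOT_UNIQUE`` (403) when the lookup does not yield
        exactly one row;
      * ``ERR_ACCESS_DENIED`` (401) with a ``timeout`` after a failed verify;
      * ``SUCCESS`` (200) with the user's permissions and groups otherwise.
    """
    # Default missing fields to "" so a request without ``passwd`` fails
    # verification instead of raising inside passlib (which would surface as
    # an unhandled 500 and bypass the failed-login bookkeeping).
    uname = request.form.get("uname", "")
    passwd = request.form.get("passwd", "")

    bf = bruteforceProtection()
    timeout = bf.isBlocked(uname)
    if timeout > 0:
        return jsonify({"status": "ERR_TOO_MANY_FAILED_ATTEMPTS", "timeout": timeout}), 200

    dbconn = database()
    dbconn.execute(
        "SELECT unix_hash, P.id FROM userpassword UP "
        "INNER JOIN people P ON UP.people_id = P.id "
        "WHERE P.username = %s",
        (uname,),
    )
    results = dbconn.fetchall()
    # NOTE(review): an unknown username is answered with 403 before any
    # verify and without touching the failed-login counter, so it is
    # distinguishable from a wrong password (username enumeration). Routing
    # it through bf.failedLogin and the 401 below would close that gap; kept
    # as-is here because the status string is part of the API.
    if len(results) != 1:
        return "ERR_USERNAME_NOT_UNIQUE", 403

    if not passlib.hash.ldap_salted_sha1.verify(passwd, results[0]["unix_hash"]):
        timeout = bf.failedLogin(uname)
        return jsonify({"status": "ERR_ACCESS_DENIED", "timeout": timeout}), 401

    login_user(apiUser(results[0]["id"]))
    pCheck = permissionCheck()
    gMember = groupMembership()
    bf.successfulLogin(uname)
    return jsonify({
        "status": "SUCCESS",
        "permissions": pCheck.get(current_user.username),
        "groups": gMember.getGroupsOfUser(current_user.username),
    }), 200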
def checkSession():
    """Report the permissions and group list of the current session's user.

    Always answers ``SUCCESS`` with HTTP 200; ``current_user`` is read without
    any authentication check in this function, so access control must come
    from the surrounding route.
    """
    pCheck = permissionCheck()
    gMember = groupMembership()
    username = current_user.username
    payload = {
        "status": "SUCCESS",
        "permissions": pCheck.get(username),
        "groups": gMember.getGroupsOfUser(username),
    }
    return jsonify(payload), 200
def listUsers():
    """List the accounts whose group grants the ``pwalwrst`` permission.

    Only members of the ``teachers`` group may call this; anyone else gets
    ``ERR_NOT_ALLOWED`` (403). Each entry is ``{"id", "name"}`` with the name
    rendered as ``preferredname (username)``, ordered by username.
    """
    gMember = groupMembership()
    if not gMember.checkGroupMembership(current_user.username, "teachers"):
        return "ERR_NOT_ALLOWED", 403

    dbconn = database()
    dbconn.execute(
        "SELECT P.id, preferredname, username FROM people P "
        "INNER JOIN people_has_groups PHG ON PHG.people_id = P.id "
        "INNER JOIN groups G ON G.id = PHG.group_id "
        "INNER JOIN groups_has_permission GHP ON GHP.group_id = G.id "
        "INNER JOIN permission PM ON PM.id = GHP.permission_id "
        "WHERE PM.detail = 'pwalwrst' ORDER BY username"
    )
    users = [
        {
            "id": row["id"],
            "name": row["preferredname"] + " (" + row["username"] + ")",
        }
        for row in dbconn.fetchall()
    ]
    return jsonify(users), 200
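def resetPassword(id):
    """Set a new password for account *id* on behalf of an authenticated teacher.

    The caller must be in the ``teachers`` group and *id* must carry the
    ``pwalwrst`` permission. The teacher re-enters their own password
    (``passwd`` form field), which is verified against their stored hash
    before anything is written; the new password (``password1`` ==
    ``password2``) is then stored as unix and samba hashes together with
    ``hint``, and the ``pc_admin`` user check is triggered.

    Returns a ``(message, status)`` tuple: ``ERR_NOT_ALLOWED`` (403),
    ``ERR_ACCESS_DENIED`` (401), ``ERR_PASSWORDS_DIFFERENT`` (500),
    ``ERR_DATABASE_ERROR`` (500), ``ERR_LDAP_ERROR`` (500) or ``SUCCESS`` (200).
    """
    gMember = groupMembership()
    if not gMember.checkGroupMembership(current_user.username, "teachers"):
        return "ERR_NOT_ALLOWED", 403

    dbconn = database()
    pCheck = permissionCheck()
    if "pwalwrst" not in pCheck.getForId(id):
        return "ERR_NOT_ALLOWED", 403

    # Re-authenticate the teacher before any write. A missing ``passwd`` field
    # defaults to "" so a malformed request fails verification instead of
    # raising in passlib; a missing people/userpassword row for the caller is
    # treated as a denial rather than indexing None.
    teacher_passwd = request.form.get("passwd", "")
    dbconn.execute("SELECT id FROM people WHERE username = %s", (current_user.username,))
    teacherResult = dbconn.fetchone()
    if teacherResult is None:
        return "ERR_ACCESS_DENIED", 401
    dbconn.execute(
        "SELECT unix_hash FROM userpassword WHERE people_id = %s",
        (teacherResult["id"],),
    )
    teacherPasswordResult = dbconn.fetchone()
    if teacherPasswordResult is None or not passlib.hash.ldap_salted_sha1.verify(
        teacher_passwd, teacherPasswordResult["unix_hash"]
    ):
        return "ERR_ACCESS_DENIED", 401

    password1 = request.form.get("password1")
    if password1 != request.form.get("password2"):
        return "ERR_PASSWORDS_DIFFERENT", 500
    # TODO(review): an absent or empty new password satisfies the equality
    # check above and reaches the hash helpers; reject it explicitly once the
    # API has a status string for it. The 500 for a client-side mismatch is
    # kept for compatibility, though 400 would be the accurate code.

    dbconn.execute(
        "UPDATE userpassword SET unix_hash = %s, smb_hash = %s, hint = %s, "
        "autogen = 0, cleartext = NULL WHERE people_id = %s",
        (hash.unix(password1), hash.samba(password1), request.form.get("hint"), id),
    )
    if not dbconn.commit():
        return "ERR_DATABASE_ERROR", 500

    # str(id) keeps the URL build working whether the route passes a str or an
    # int converter value; the permission check above already restricts which
    # ids can reach this call. NOTE(review): the request has no timeout, so a
    # stalled pc_admin service holds this worker indefinitely -- consider
    # passing requests' ``timeout=`` argument.
    ldap = requests.post(url="http://pc_admin/api/public/usercheck/" + str(id))
    if ldap.text != "SUCCESS":
        return "ERR_LDAP_ERROR", 500
    return "SUCCESS", 200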
def isTeacher():
    """Tell the caller whether the current user belongs to the ``teachers`` group.

    Answers ``GRANTED`` or ``NOT ALLOWED``; both carry HTTP 200.
    """
    gMember = groupMembership()
    member = gMember.checkGroupMembership(current_user.username, "teachers")
    verdict = "GRANTED" if member else "NOT ALLOWED"
    return verdict, 200