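def createSession():
    """Authenticate the posted ``uname``/``passwd`` form fields and start a session.

    Returns a Flask ``(body, status)`` tuple:
      * ``ERR_TOO_MANY_FAILED_ATTEMPTS`` (200) with the remaining lockout time
        while ``bruteforceProtection`` still blocks the username;
      * ``SUCCESS`` (200) with the user's permissions and groups once
        ``login_user`` has been called;
      * ``ERR_ACCESS_DENIED`` (401) with the lockout time for every other
        outcome, including a missing field or an unknown username.
    """
    uname = request.form.get("uname")
    passwd = request.form.get("passwd")
    bf = bruteforceProtection()
    timeout = bf.isBlocked(uname)
    if timeout > 0:
        return jsonify({
            "status": "ERR_TOO_MANY_FAILED_ATTEMPTS",
            "timeout": timeout
        }), 200
    if uname is None or passwd is None:
        # A request without both fields can never authenticate; answer like a
        # wrong password instead of letting the hash verify raise on ``None``.
        return jsonify({
            "status": "ERR_ACCESS_DENIED",
            "timeout": timeout
        }), 401
    dbconn = database()
    dbconn.execute(
        "SELECT unix_hash, P.id FROM userpassword UP INNER JOIN people P ON UP.people_id = P.id WHERE P.username = %s",
        (uname,),
    )
    results = dbconn.fetchall()
    # Exactly one row is the only state in which the hash can be checked. An
    # unknown (or duplicated) username deliberately receives the same response
    # and the same failed-attempt bookkeeping as a wrong password, so the
    # endpoint does not reveal which usernames exist and username guessing
    # counts towards the lockout.
    if len(results) != 1 or not passlib.hash.ldap_salted_sha1.verify(passwd, results[0]["unix_hash"]):
        timeout = bf.failedLogin(uname)
        return jsonify({
            "status": "ERR_ACCESS_DENIED",
            "timeout": timeout
        }), 401
    user = apiUser(results[0]["id"])
    login_user(user)
    pCheck = permissionCheck()
    gMember = groupMembership()
    bf.successfulLogin(uname)
    return jsonify({
        "status": "SUCCESS",
        "permissions": pCheck.get(current_user.username),
        "groups": gMember.getGroupsOfUser(current_user.username)
    }), 200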
def checkSession():
    """Report the logged-in user's permissions and groups as ``SUCCESS`` (200)."""
    perms = permissionCheck()
    groups = groupMembership()
    username = current_user.username
    payload = {
        "status": "SUCCESS",
        "permissions": perms.get(username),
        "groups": groups.getGroupsOfUser(username),
    }
    return jsonify(payload), 200
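def listUsers():
    """List the accounts whose password a teacher may reset.

    Only members of the ``teachers`` group may call this; everyone else gets
    ``ERR_NOT_ALLOWED`` (403). The result is a JSON list of
    ``{"id": ..., "name": "preferredname (username)"}`` objects, ordered by
    username, for every person whose group grants the ``pwalwrst`` permission.
    """
    gMember = groupMembership()
    if not gMember.checkGroupMembership(current_user.username, "teachers"):
        return "ERR_NOT_ALLOWED", 403
    dbconn = database()
    # The permission filter is a fixed literal, so no parameters are needed here.
    dbconn.execute("SELECT P.id, preferredname, username FROM people P INNER JOIN people_has_groups PHG ON PHG.people_id = P.id INNER JOIN groups G ON G.id = PHG.group_id INNER JOIN groups_has_permission GHP ON GHP.group_id = G.id INNER JOIN permission PM ON PM.id = GHP.permission_id WHERE PM.detail = 'pwalwrst' ORDER BY username")
    users = [
        {"id": row["id"], "name": f"{row['preferredname']} ({row['username']})"}
        for row in dbconn.fetchall()
    ]
    return jsonify(users), 200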
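def resetPassword(id):
    """Set a new password for user ``id`` on behalf of a logged-in teacher.

    The caller must be in the ``teachers`` group and the target account must
    hold the ``pwalwrst`` permission. The teacher re-enters their own password
    in ``passwd`` and supplies the new one twice (``password1``/``password2``)
    plus an optional ``hint``. After the row is updated the admin host is
    asked to sync the account.

    Returns ``(message, status)``: ``SUCCESS`` 200; ``ERR_NOT_ALLOWED`` 403;
    ``ERR_ACCESS_DENIED`` 401; ``ERR_PASSWORDS_DIFFERENT``,
    ``ERR_DATABASE_ERROR`` and ``ERR_LDAP_ERROR`` 500.
    """
    gMember = groupMembership()
    if not gMember.checkGroupMembership(current_user.username, "teachers"):
        return "ERR_NOT_ALLOWED", 403
    dbconn = database()
    pCheck = permissionCheck()
    # Only accounts flagged with this permission may have their password reset here.
    if "pwalwrst" not in pCheck.getForId(id):
        return "ERR_NOT_ALLOWED", 403
    # Re-authenticate the teacher against their own stored hash before
    # touching anyone else's credentials.
    dbconn.execute("SELECT id FROM people WHERE username = %s", (current_user.username,))
    teacherResult = dbconn.fetchone()
    dbconn.execute("SELECT unix_hash FROM userpassword WHERE people_id = %s", (teacherResult["id"],))
    teacherPasswordResult = dbconn.fetchone()
    teacherPasswd = request.form.get("passwd")
    # A missing ``passwd`` is a denial, not a crash inside the hash verify.
    if teacherPasswd is None or not passlib.hash.ldap_salted_sha1.verify(teacherPasswd, teacherPasswordResult["unix_hash"]):
        return "ERR_ACCESS_DENIED", 401
    newPassword = request.form.get("password1")
    if newPassword != request.form.get("password2"):
        # NOTE(review): a mismatch is a client error; the 500 is kept because
        # existing callers may already test for it.
        return "ERR_PASSWORDS_DIFFERENT", 500
    # NOTE(review): an empty or absent password1 is not rejected here; whatever
    # hash.unix/hash.samba accept gets stored — confirm a policy exists upstream.
    dbconn.execute(
        "UPDATE userpassword SET unix_hash = %s, smb_hash = %s, hint = %s, autogen = 0, cleartext = NULL WHERE people_id = %s",
        (hash.unix(newPassword), hash.samba(newPassword), request.form.get("hint"), id),
    )
    if not dbconn.commit():
        return "ERR_DATABASE_ERROR", 500
    # Without a timeout a stalled pc_admin would hold this request (and its
    # database connection) open indefinitely; 10 s is a chosen bound, tune
    # as needed. Connection failures map to the same LDAP error as a bad reply.
    try:
        ldap = requests.post(url=f"http://pc_admin/api/public/usercheck/{id}", timeout=10)
    except requests.RequestException:
        return "ERR_LDAP_ERROR", 500
    if ldap.text != "SUCCESS":
        return "ERR_LDAP_ERROR", 500
    return "SUCCESS", 200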
def isTeacher():
    """Tell the caller whether the logged-in user is in ``teachers`` (always HTTP 200)."""
    is_member = groupMembership().checkGroupMembership(current_user.username, "teachers")
    verdict = "GRANTED" if is_member else "NOT ALLOWED"
    return verdict, 200