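def is_allowed_to_modify(user_to_modify):
     """
     Decide whether the caller identified by the JWT may modify *user_to_modify*.

     Rules, evaluated in order:
       * no authenticated user            -> denied
       * admin, or the user themselves    -> allowed
       * usermanager                      -> allowed unless the target is privileged
       * everyone else                    -> denied
     """
     user = get_user_from_jwt()
     if not user:
         # Deny by default instead of failing with AttributeError when the JWT
         # yields no user; same guard the user-creation hook applies.
         return False
     if user.has_role("admin") or user.id == user_to_modify.id:
         return True
     if user.has_role("usermanager"):
         # Usermanagers may only touch non-privileged accounts.
         return not user_to_modify.is_privileged()
     return False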
 def query(self, view_kwargs):
     """
     Restricts results for GET requests.

     Privileged users see every User row; any other caller only sees the row
     matching their own id from the JWT.
     """
     base_query = self.session.query(User)
     current_user = get_user_from_jwt()
     if current_user.is_privileged():
         return base_query
     return base_query.filter(User.id == current_user.id)
 def query(self, view_kwargs):
     """
     Restricts GET query results to the caller's own runs.

     Holders of the admin role see every Run. Note this checks the admin role
     specifically (has_role("admin")), not is_privileged() as the User query
     does, so other privileged roles are still scoped to their own runs.
     """
     base_query = self.session.query(Run)
     current_user = get_user_from_jwt()
     if current_user.has_role("admin"):
         return base_query
     return base_query.filter(Run.user_id == current_user.id)
    def before_post(*args, **kwargs):
        """
        Authorization hook for POST: a Run may only be created for the caller
        themselves, unless the caller holds the admin role.

        Calls raise_permission_denied_exception when the payload names no user
        or names a user other than the caller (non-admins only).
        """
        payload = kwargs['data']
        runner_id = payload.get('user')
        if not runner_id:
            raise_permission_denied_exception(
                "Please provide a User relationship for the Run")

        current_user = get_user_from_jwt()
        creating_for_self = current_user.id == runner_id
        # Role lookup only happens when the target is someone else.
        if not creating_for_self and not current_user.has_role("admin"):
            raise_permission_denied_exception(
                "User doesn't have permission to create Run for another user")
 def query(self, view_kwargs):
     """
     Builds the per-week run statistics query for the JWT user.

     Returns one row per (year, week) of Run.start_time with the average
     distance, duration and speed (distance / duration) of that user's runs,
     newest week first. Results are always scoped to the caller's own runs.
     """
     current_user = get_user_from_jwt()
     week_number = func.date_part('week', Run.start_time)
     year = func.date_part('year', Run.start_time)
     columns = (
         func.avg(Run.distance).label('average_distance'),
         func.avg(Run.duration).label('average_duration'),
         func.avg(Run.distance / Run.duration).label('average_speed'),
         week_number.label('week_number'),
         year.label('year'),
     )
     stats_query = self.session.query(*columns)
     stats_query = stats_query.filter_by(user_id=current_user.id)
     stats_query = stats_query.group_by(year, week_number)
     return stats_query.order_by(year.desc(), week_number.desc())
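 def before_post(*args, **kwargs):
     """
     Validates authorization for POST requests.

     Creating a user with any privileged role (Role.privileged == True) is
     reserved for admins; any other caller, including an unauthenticated one,
     is rejected via raise_permission_denied_exception. Requests that carry no
     privileged role pass through unchanged.
     """
     data = kwargs['data']
     # A payload without roles requests nothing privileged, so there is nothing
     # to protect and no need to hit the database for the role list.
     requested_roles = set(data.get('roles') or [])
     if not requested_roles:
         return
     privileged_roles = {
         role.name for role in Role.query.filter_by(privileged=True).all()
     }
     if not privileged_roles.isdisjoint(requested_roles):
         # Only Admin can create privileged users.
         user = get_user_from_jwt()
         if not user or not user.has_role("admin"):
             raise_permission_denied_exception(
                 "Only admins can create users with privileged roles")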
 def self_or_privileged_user(view_id):
     """
     True when the JWT user is privileged or is the user identified by *view_id*.
     """
     current_user = get_user_from_jwt()
     if current_user.is_privileged():
         return True
     return current_user.id == view_id
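 def is_self_run_or_admin_role(view_id, run=None):
     """
     True when the JWT user is privileged or owns the Run identified by *view_id*.

     Despite the name, the privilege check is is_privileged(), not the admin
     role alone. *run* may be supplied by the caller to skip the lookup;
     otherwise the Run is fetched by id. A Run that does not exist is treated
     as not owned, so only privileged users pass (the view can then 404 as
     usual) instead of failing with AttributeError on ``None.user_id``.
     """
     user = get_user_from_jwt()
     if user.is_privileged():
         # No need to load the run at all for privileged callers.
         return True
     if run is None:
         run = Run.query.filter_by(id=view_id).first()
     return run is not None and run.user_id == user.id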