def get_all_user(): remote_ip = request.remote_addr output = {} status_code = 200 now = datetime.now().strftime("%Y-%m-%d %H:%M:%S") page = sanitizer(request.args.get("page", "1")) page = int(page) if page is not None and page.isdigit() else 1 per_page = sanitizer(request.args.get("perPage", "5")) per_page = int( per_page) if per_page is not None and per_page.isdigit() else 5 log_msg = "" log_tag = "INFO" username = get_jwt_identity() test = User.query.filter_by(username=username).first() if test and test.admin_privileges and not test.is_first: users = User.query.paginate(page, per_page, error_out=False) total = users.total users = users.items result = users_schema.dump(users) output = {"result": result, "total": total, "date": now} log_msg = f"{remote_ip} get all user records as {test}" else: log_msg = f"{remote_ip} tried to get all user records as {test} and failed because of Unauthorized user" log_tag = "ALERT" output = {"result": "Unauthorized user", "total": 0, "date": now} status_code = 403 add_log(log_msg, log_tag) return jsonify(output), status_code
def add_user(): remote_ip = request.remote_addr output = [] now = datetime.now().strftime("%Y-%m-%d %H:%M:%S") json_data = request.get_json() username = sanitizer(json_data.get("username", "")).lower() password = sanitizer(json_data.get("password", "")) admin = get_jwt_identity() test = User.query.filter_by(username=admin).first() if test and test.admin_privileges: if request.is_json: if len(username) < 4: add_log( f"{remote_ip} as {test} tried to add new user with username: {username} and failed because of short username" ) return jsonify( message="the username must be at least 4 char"), 400 test_user = User.query.filter_by(username=username).first() if test_user: add_log( f"{remote_ip} as {test} tried to add new user with username: {username} and failed because the user exists" ) return jsonify(message="The username is not available."), 409 else: if check_pass_is_strong(password): new_user = User(username=username, password=password, admin_privileges=False, manager_privileges=False) db.session.add(new_user) db.session.commit() add_log( f"{remote_ip} as {test} add new user with username: {username} successfully" ) return jsonify( message=f"new user added with username: {username}" ), 201 else: add_log( f"{remote_ip} as {test} tried to add new user with username: {username} and failed because of weak passwrod" ) return jsonify( message="the password needs to be more than 8 char" + "and must be upper case, lower case, digits and symbols like Test123!" ), 400 else: return jsonify( "Bad Request.\nyou need to send parameters as json object" ), 400 else: add_log( f"{remote_ip} try to add new user with username: {username} as {test}" ) return jsonify(message="Unauthorized user"), 403
def delete_user(): remote_ip = request.remote_addr json_data = request.get_json() username = sanitizer(json_data.get("username", "")).lower() admin = get_jwt_identity() test = User.query.filter_by(username=admin).first() if test and test.admin_privileges: if request.is_json: test_user = User.query.filter_by(username=username).first() if test_user: test_user.is_deleted = True db.session.add(test_user) db.session.commit() add_log( f"{remote_ip} as {test} delete user with username: {username} successfully" ) return jsonify( message=f"user with username: {username} deleted."), 200 else: add_log( f"{remote_ip} as {test} tried to delete user with username: {username} and failed because the user dose not exists" ) return jsonify( message=f"user '{username}' dose not exists."), 404 else: return jsonify( "Bad Request.\nyou need to send parameters as json object" ), 400 else: add_log( f"{remote_ip} try to delete user with username: {username} as {test}" ) return jsonify(message="Unauthorized user"), 403
def signin(): remote_ip = request.remote_addr if request.is_json: json_data = request.get_json() username = sanitizer(json_data.get("username", "")).lower() password = sanitizer(json_data.get("password", "")) user = User.query.filter_by(username=username).first() if user: is_password_right = user.verify_password(password) if is_password_right: if not user.is_deleted: access_token = create_access_token( fresh=True, identity=username, expires_delta=timedelta(minutes=30)) add_log(f"{remote_ip} {user} logged in") user = user_schema.dump(user) return jsonify(message="Login succeeded.", access_token=access_token, user=user) else: add_log( f"{remote_ip} tried to login as {username} and failed because of user deleted by admin" ) return jsonify( message= "Your admin has deleted your user. If you need more information, contact your admin." ), 404 else: add_log( f"{remote_ip} tried to login as {username} and failed because of wrong password" ) return jsonify(message="Wrong username or password!"), 403 else: add_log( f"{remote_ip} tried to login as {username} and failed because of wrong username" ) return jsonify(message="Wrong username or password!"), 403 else: return jsonify( "Bad Request.\nyou need to send parameters as json object"), 400
def change_password(): remote_ip = request.remote_addr if request.is_json: json_data = request.get_json() username = get_jwt_identity() current_password = sanitizer(json_data.get("current_password", "")) new_password = sanitizer(json_data.get("new_password", "")) confirm_new_password = sanitizer( json_data.get("confirm_new_password", "")) if (current_password != "" and check_pass_is_strong(new_password) and check_pass_is_strong(confirm_new_password) and new_password == confirm_new_password and current_password != new_password): test = User.query.filter_by(username=username).first() if test and test.verify_password(current_password): test.set_password(new_password) test.is_first = False db.session.commit() add_log(f"{remote_ip} as {test} change his/hers password") return jsonify( message="Your password changed successfully."), 200 else: add_log( f"{remote_ip} tried as {test} to change his/hers password and failed because of wrong password" ) return jsonify( message="Unauthorized user. wrong password"), 403 else: add_log( f"{remote_ip} tried as {username} to change his/hers password and failed because of Bad request parameters" ) return jsonify( message="Bad request. weak new password or something similar" ), 400 else: return jsonify( "Bad Request.\nyou need to send parameters as json object"), 400
def grant_authorization(): remote_ip = request.remote_addr if request.is_json: json_data = request.get_json() output = [] now = datetime.now().strftime("%Y-%m-%d %H:%M:%S") admin = get_jwt_identity() test = User.query.filter_by(username=admin).first() username = sanitizer(json_data.get("username", "")) if test and test.admin_privileges and not test.is_first: if username is None: add_log( f"{remote_ip} as admin try to grant manager privileges but failed because of not providing username" ) return jsonify(message="Bad request."), 400 user = User.query.filter_by(username=username).first() if user: user.manager_privileges = True db.session.add(user) db.session.commit() output.append(f"{user} authorized with manager privileges") output.append("date: " + now) add_log( f"{remote_ip} as admin grant manager privileges to {user}") return jsonify(message=output) else: output.append(f"user '{username}' does not exist") output.append("date: " + now) add_log( f"{remote_ip} as admin try to grant manager privileges to {username}" ) return jsonify(message=output), 404 else: add_log( f"{remote_ip} try to grant manager privileges to {username} as {admin}" ) return jsonify(message="Unauthorized user"), 403 else: return jsonify( "Bad Request.\nyou need to send parameters as json object"), 400