def on_put(self, req, resp, post_id):
    """Update a single post resource.

    Args:
        req: Request object; ``req.context['user']`` holds the current user
            (if any) and ``req.payload`` the new post data.
        resp: Response object (unused here).
        post_id: Identifier of the post being edited.

    Raises:
        UnauthorizedRequestError: when the user may not edit this post, or
            when a user who is neither ADMIN nor MODERATOR tries to mark a
            not-yet-featured post as featured.
    """
    current_user = req.context.get('user')
    if not user_has_post_access(current_user, post_id):
        raise UnauthorizedRequestError(current_user)

    # Only admins and moderators may *grant* featured status. Other users
    # may still send featured=True when the post is already featured, since
    # that changes nothing.
    # NOTE(review): the reverse transition (featured -> not featured) is not
    # guarded here; whether a plain author can clear the flag depends on how
    # edit_post treats payload.featured — confirm.
    is_privileged = current_user.role in (UserRoles.ADMIN, UserRoles.MODERATOR)
    if not is_privileged and req.payload.featured:
        if not get_post(post_id).featured:
            raise UnauthorizedRequestError()

    edit_post(post_id, req.payload)
def on_delete(self, req, resp, comment_id):
    """Delete a single comment resource.

    Args:
        req: Request object; ``req.context['user']`` holds the current user.
        resp: Response object (unused here).
        comment_id: Identifier of the comment to delete.

    Raises:
        UnauthorizedRequestError: when the current user has no access to
            the comment.
    """
    current_user = req.context.get('user')
    if not user_has_comment_access(current_user, comment_id):
        raise UnauthorizedRequestError()

    delete_comment(comment_id)

    # Post collection and search responses carry comment counts, so their
    # cached copies are stale once a comment is gone.
    for stale_resource in (posts.PostCollectionResource, posts.PostSearchResource):
        clear_resource_cache(stale_resource, req)
def on_put(self, req, resp, comment_id):
    """Update a single comment resource.

    Args:
        req: Request object; ``req.context['user']`` holds the current user
            and ``req.payload`` the new comment data.
        resp: Response object (unused here).
        comment_id: Identifier of the comment being edited.

    Raises:
        UnauthorizedRequestError: when the current user has no access to
            the comment.
    """
    current_user = req.context.get('user')
    if not user_has_comment_access(current_user, comment_id):
        raise UnauthorizedRequestError()

    edit_comment(comment_id, req.payload)

    # The parent post's cached representation reflects this comment, so
    # drop that cache entry now that the comment has changed.
    parent_post_id = get_comment(comment_id).post_id
    clear_resource_cache(posts.PostResource, req, post_id=parent_post_id)
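def process_request(self, req, resp):
    """Process the request for user session before routing it.

    When ``req.auth`` carries a token it is decoded with the server-side
    secret (HS256 only). If the decoded payload is non-empty it must pass
    three checks before the user is attached to ``req.context['user']``:
    the ``host`` claim equals the first address in ``req.access_route``,
    ``created`` + ``settings.login.max_session_time`` is still in the
    future, and the ``user`` claim resolves to an existing user. Requests
    without a token (or with an empty payload) pass through unchanged.

    Args:
        req: Request object (``auth``, ``access_route``, ``context``).
        resp: Response object (unused here).

    Raises:
        UnauthorizedRequestError: host mismatch, missing/malformed or
            expired ``created`` claim, or unknown user identifier.
    """
    # Note: RFC6648 recommends application headers prefixed with 'X-'
    # should be deprecated
    # Source: https://tools.ietf.org/html/rfc6648
    # NOTE(review): access_route is normally derived from forwarded-for
    # style headers, so this host binding is only as trustworthy as the
    # proxy chain in front of the app — confirm the deployment overwrites
    # client-supplied forwarding headers.
    host = req.access_route[0]
    payload = jwt.decode(req.auth, BLOG_JWT_SECRET_KEY, algorithms=['HS256']) if req.auth else None
    # NOTE(review): decode errors (bad signature, malformed token) are not
    # translated here; confirm an upstream error handler maps them to an
    # unauthorized response rather than a server error.

    if not payload:
        return

    if payload.get('host') != host:
        warning(
            req,
            'Token host "{}" does not match the requestee "{}"'.format(
                payload.get('host'), host))
        raise UnauthorizedRequestError()

    # A payload without a numeric 'created' claim previously crashed with
    # TypeError/ValueError on int(); treat it as an invalid session instead.
    try:
        created = int(payload.get('created'))
    except (TypeError, ValueError):
        warning(req, 'Token payload has a missing or malformed "created" claim')
        raise UnauthorizedRequestError()

    # NOTE(review): utcnow() is naive, so .timestamp() applies the host's
    # local UTC offset; this is only consistent if 'created' is produced the
    # same way (or the host runs in UTC) — verify against the token issuer
    # before changing either side.
    now = datetime.datetime.utcnow().timestamp()
    if created + settings.login.max_session_time <= now:
        warning(req, 'Token has expired')
        raise UnauthorizedRequestError()

    user_id = payload.get('user')
    try:
        # add our user to the request context
        user = get_user(user_id)
        req.context.setdefault('user', user)
    except UserNotFoundError:
        warning(
            req,
            f'Token payload found with invalid user identifier "{user_id}".'
        )
        raise UnauthorizedRequestError()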
def is_moderator(req, resp, resource, params):
    """Ensure the request comes from an ADMIN or MODERATOR user.

    Hook-style signature: only ``req.context['user']`` is consulted;
    ``resp``, ``resource`` and ``params`` are accepted but unused.

    Raises:
        UnauthorizedRequestError: no user in the request context, or the
            user's role is neither ADMIN nor MODERATOR.
    """
    current_user = req.context.get('user')
    privileged_roles = (UserRoles.ADMIN, UserRoles.MODERATOR)
    if not current_user or current_user.role not in privileged_roles:
        raise UnauthorizedRequestError()
def is_admin(req, resp, resource, params):
    """Ensure the request comes from an ADMIN user.

    Hook-style signature: only ``req.context['user']`` is consulted;
    ``resp``, ``resource`` and ``params`` are accepted but unused.

    Raises:
        UnauthorizedRequestError: no user in the request context, or the
            user's role is not ADMIN.
    """
    current_user = req.context.get('user')
    is_admin_user = bool(current_user) and current_user.role == UserRoles.ADMIN
    if not is_admin_user:
        raise UnauthorizedRequestError()
def is_logged_in(req, resp, resource, params):
    """Ensure the request comes from an authenticated user.

    Hook-style signature: only ``req.context['user']`` is consulted;
    ``resp``, ``resource`` and ``params`` are accepted but unused.

    Raises:
        UnauthorizedRequestError: when no user is present in the request
            context.
    """
    current_user = req.context.get('user')
    if current_user:
        return
    raise UnauthorizedRequestError()
def on_delete(self, req, resp, post_id):
    """Delete a single post resource.

    Args:
        req: Request object; ``req.context['user']`` holds the current user.
        resp: Response object (unused here).
        post_id: Identifier of the post to delete.

    Raises:
        UnauthorizedRequestError: when the current user has no access to the
            post (the user is passed to the error).
    """
    current_user = req.context.get('user')
    if user_has_post_access(current_user, post_id):
        delete_post(post_id)
    else:
        raise UnauthorizedRequestError(current_user)