def get(self, group_id=None, name=None, name2=None, member_type=None): group = Group.get(self.session, group_id, name) if not group: return self.notfound() if self.current_user.name == name2: return self.forbidden() members = group.my_members() my_role = user_role(self.current_user, members) if my_role not in ("manager", "owner", "np-owner"): return self.forbidden() member = members.get((member_type.capitalize(), name2), None) if not member: return self.notfound() edge = GroupEdge.get( self.session, group_id=group.id, member_type=OBJ_TYPES[member.type], member_pk=member.id, ) if not edge: return self.notfound() form = GroupEditMemberForm(self.request.arguments) form.role.choices = [["member", "Member"]] if my_role in ("owner", "np-owner"): form.role.choices.append(["manager", "Manager"]) form.role.choices.append(["owner", "Owner"]) form.role.choices.append(["np-owner", "No-Permissions Owner"]) form.role.data = edge.role form.expiration.data = edge.expiration.strftime( "%m/%d/%Y") if edge.expiration else None self.render( "group-edit-member.html", group=group, member=member, edge=edge, form=form, )
def expire_nonauditors(self, session): """Checks all enabled audited groups and ensures that all approvers for that group have the PERMISSION_AUDITOR permission. All approvers of audited groups that aren't auditors have their membership in the audited group set to expire settings.nonauditor_expiration_days days in the future. Args: session (Session): database session """ now = datetime.utcnow() graph = Graph() exp_days = timedelta(days=settings.nonauditor_expiration_days) # Hack to ensure the graph is loaded before we access it graph.update_from_db(session) # TODO(tyleromeara): replace with graph call for group in get_audited_groups(session): members = group.my_members() # Go through every member of the group and set them to expire if they are an approver # but not an auditor for (type_, member), edge in members.iteritems(): # Auditing is already inherited, so we don't need to handle that here if type_ == "Group": continue member = User.get(session, name=member) member_is_approver = user_role_index( member, members) in APPROVER_ROLE_INDICIES member_is_auditor = user_has_permission( session, member, PERMISSION_AUDITOR) if not member_is_approver or member_is_auditor: continue edge = GroupEdge.get(session, id=edge.edge_id) if edge.expiration and edge.expiration < now + exp_days: continue exp = now + exp_days exp = exp.date() edge.apply_changes_dict({ "expiration": "{}/{}/{}".format(exp.month, exp.day, exp.year) }) edge.add(session) notify_nonauditor_flagged(settings, session, edge) session.commit()
def get(self, group_id=None, name=None, name2=None, member_type=None): group = Group.get(self.session, group_id, name) if not group: return self.notfound() if self.current_user.name == name2: return self.forbidden() members = group.my_members() my_role = self.current_user.my_role(members) if my_role not in ("manager", "owner", "np-owner"): return self.forbidden() member = members.get((member_type.capitalize(), name2), None) if not member: return self.notfound() edge = GroupEdge.get( self.session, group_id=group.id, member_type=OBJ_TYPES[member.type], member_pk=member.id, ) if not edge: return self.notfound() form = GroupEditMemberForm(self.request.arguments) form.role.choices = [["member", "Member"]] if my_role in ("owner", "np-owner"): form.role.choices.append(["manager", "Manager"]) form.role.choices.append(["owner", "Owner"]) form.role.choices.append(["np-owner", "No-Permissions Owner"]) form.role.data = edge.role form.expiration.data = edge.expiration.strftime("%m/%d/%Y") if edge.expiration else None self.render( "group-edit-member.html", group=group, member=member, edge=edge, form=form, )
def expire_nonauditors(self, session): """Checks all enabled audited groups and ensures that all approvers for that group have the PERMISSION_AUDITOR permission. All approvers of audited groups that aren't auditors have their membership in the audited group set to expire settings.nonauditor_expiration_days days in the future. Args: session (Session): database session """ now = datetime.utcnow() graph = Graph() exp_days = timedelta(days=settings.nonauditor_expiration_days) # Hack to ensure the graph is loaded before we access it graph.update_from_db(session) # TODO(tyleromeara): replace with graph call for group in get_audited_groups(session): members = group.my_members() # Go through every member of the group and set them to expire if they are an approver # but not an auditor for (type_, member), edge in members.iteritems(): # Auditing is already inherited, so we don't need to handle that here if type_ == "Group": continue member = User.get(session, name=member) member_is_approver = user_role_index(member, members) in APPROVER_ROLE_INDICIES member_is_auditor = user_has_permission(session, member, PERMISSION_AUDITOR) if not member_is_approver or member_is_auditor: continue edge = GroupEdge.get(session, id=edge.edge_id) if edge.expiration and edge.expiration < now + exp_days: continue exp = now + exp_days exp = exp.date() edge.apply_changes_dict( {"expiration": "{}/{}/{}".format(exp.month, exp.day, exp.year)} ) edge.add(session) notify_nonauditor_flagged(settings, session, edge) session.commit()
def post(self, group_id=None, name=None, name2=None, member_type=None): group = Group.get(self.session, group_id, name) if not group: return self.notfound() if self.current_user.name == name2: return self.forbidden() members = group.my_members() my_role = self.current_user.my_role(members) if my_role not in ("manager", "owner", "np-owner"): return self.forbidden() member = members.get((member_type.capitalize(), name2), None) if not member: return self.notfound() if member.type == "Group": user_or_group = Group.get(self.session, member.id) else: user_or_group = User.get(self.session, member.id) if not user_or_group: return self.notfound() edge = GroupEdge.get( self.session, group_id=group.id, member_type=OBJ_TYPES[member.type], member_pk=member.id, ) if not edge: return self.notfound() form = GroupEditMemberForm(self.request.arguments) form.role.choices = [["member", "Member"]] if my_role in ("owner", "np-owner"): form.role.choices.append(["manager", "Manager"]) form.role.choices.append(["owner", "Owner"]) form.role.choices.append(["np-owner", "No-Permissions Owner"]) if not form.validate(): return self.render( "group-edit-member.html", group=group, member=member, edge=edge, form=form, alerts=self.get_form_alerts(form.errors), ) fail_message = 'This join is denied with this role at this time.' try: user_can_join = assert_can_join(group, user_or_group, role=form.data["role"]) except UserNotAuditor as e: user_can_join = False fail_message = e if not user_can_join: return self.render( "group-edit-member.html", form=form, group=group, member=member, edge=edge, alerts=[ Alert('danger', fail_message, 'Audit Policy Enforcement') ] ) expiration = None if form.data["expiration"]: expiration = datetime.strptime(form.data["expiration"], "%m/%d/%Y") group.edit_member(self.current_user, user_or_group, form.data["reason"], role=form.data["role"], expiration=expiration) return self.redirect("/groups/{}?refresh=yes".format(group.name))
def post(self, group_id=None, name=None, name2=None, member_type=None): group = Group.get(self.session, group_id, name) if not group: return self.notfound() if self.current_user.name == name2: return self.forbidden() members = group.my_members() my_role = user_role(self.current_user, members) if my_role not in ("manager", "owner", "np-owner"): return self.forbidden() member = members.get((member_type.capitalize(), name2), None) if not member: return self.notfound() if member.type == "Group": user_or_group = Group.get(self.session, member.id) else: user_or_group = User.get(self.session, member.id) if not user_or_group: return self.notfound() edge = GroupEdge.get( self.session, group_id=group.id, member_type=OBJ_TYPES[member.type], member_pk=member.id, ) if not edge: return self.notfound() form = GroupEditMemberForm(self.request.arguments) form.role.choices = [["member", "Member"]] if my_role in ("owner", "np-owner"): form.role.choices.append(["manager", "Manager"]) form.role.choices.append(["owner", "Owner"]) form.role.choices.append(["np-owner", "No-Permissions Owner"]) if not form.validate(): return self.render( "group-edit-member.html", group=group, member=member, edge=edge, form=form, alerts=self.get_form_alerts(form.errors), ) fail_message = 'This join is denied with this role at this time.' try: user_can_join = assert_can_join(group, user_or_group, role=form.data["role"]) except UserNotAuditor as e: user_can_join = False fail_message = e if not user_can_join: return self.render("group-edit-member.html", form=form, group=group, member=member, edge=edge, alerts=[ Alert('danger', fail_message, 'Audit Policy Enforcement') ]) expiration = None if form.data["expiration"]: expiration = datetime.strptime(form.data["expiration"], "%m/%d/%Y") try: group.edit_member(self.current_user, user_or_group, form.data["reason"], role=form.data["role"], expiration=expiration) except InvalidRoleForMember as e: return self.render("group-edit-member.html", form=form, group=group, member=member, edge=edge, alerts=[Alert('danger', e.message)]) return self.redirect("/groups/{}?refresh=yes".format(group.name))