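def delete_user_group_view(request):
    """
    Remove a user from a group.

    The user (or the logged-in user) and the group are resolved from the request
    matchdict. The direct ``UserGroup`` membership row is deleted. Answers 200 on
    success and 404 (after a session rollback) when the membership could not be
    removed, including when the user was not a member of the group.
    """
    db = request.db
    user = ar.get_user_matchdict_checked_or_logged(request)
    group = ar.get_group_matchdict_checked(request)

    def del_usr_grp(usr, grp):
        # Query.delete() returns the number of rows matched. Without checking it, a
        # request for a user that is NOT in the group deletes nothing and still
        # answers 200, so the declared 404 path is never reached. Raising here lets
        # evaluate_call map the failure to HTTPNotFound below.
        # NOTE(review): assumes evaluate_call converts any exception raised by the
        # call into ``httpError`` after running ``fallback`` -- confirm.
        deleted = db.query(models.UserGroup) \
            .filter(models.UserGroup.user_id == usr.id) \
            .filter(models.UserGroup.group_id == grp.id) \
            .delete()
        if not deleted:
            raise ValueError("no user-group membership to delete")

    ax.evaluate_call(
        lambda: del_usr_grp(user, group),
        fallback=lambda: db.rollback(),
        httpError=HTTPNotFound,
        msgOnFail=s.UserGroup_DELETE_NotFoundResponseSchema.description,
        content={
            u"user_name": user.user_name,
            u"group_name": group.group_name
        })
    return ax.valid_http(
        httpSuccess=HTTPOk,
        detail=s.UserGroup_DELETE_OkResponseSchema.description)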
def get_user_service_resources_view(request):
    """
    List all resources under a service a user has permission on.

    The boolean ``inherit`` query parameter also includes permissions the user
    inherits from its groups. The service is formatted with ``show_all_children``
    and ``show_private_url`` both disabled, so private service URLs are never
    returned by this user-scoped listing.
    """
    with_group_perms = asbool(ar.get_query_param(request, "inherit"))
    user = ar.get_user_matchdict_checked_or_logged(request)
    service = ar.get_service_matchdict_checked(request)

    lookup = dict(request=request, inherit_groups_permissions=with_group_perms)
    svc_perms = uu.get_user_service_permissions(user, service, **lookup)
    res_perms = uu.get_user_service_resources_permissions_dict(user, service, **lookup)

    service_json = format_service_resources(
        service=service,
        db_session=request.db,
        service_perms=svc_perms,
        resources_perms_dict=res_perms,
        show_all_children=False,
        show_private_url=False,
    )
    return ax.valid_http(
        httpSuccess=HTTPOk,
        detail=s.UserServiceResources_GET_OkResponseSchema.description,
        content={u"service": service_json})
def get_user_service_permissions_view(request):
    """
    List all permissions a user has on a service.

    Boolean query parameters (either spelling is accepted):
      - ``inherit`` / ``inherited``: include permissions inherited from the user's groups
      - ``resolve`` / ``resolved``: forwarded as ``resolve_groups_permissions`` to the lookup

    Permissions are reported as ``INHERITED`` when inheritance was requested,
    ``DIRECT`` otherwise. A failing lookup rolls back the session and answers 404.
    """
    user = ar.get_user_matchdict_checked_or_logged(request)
    service = ar.get_service_matchdict_checked(request)
    inherited = asbool(ar.get_query_param(request, ["inherit", "inherited"]))
    resolved = asbool(ar.get_query_param(request, ["resolve", "resolved"]))
    if inherited:
        perm_type = PermissionType.INHERITED
    else:
        perm_type = PermissionType.DIRECT

    def lookup_permissions():
        return uu.get_user_service_permissions(
            service=service,
            user=user,
            request=request,
            inherit_groups_permissions=inherited,
            resolve_groups_permissions=resolved)

    perms = ax.evaluate_call(
        lookup_permissions,
        fallback=lambda: request.db.rollback(),
        http_error=HTTPNotFound,
        msg_on_fail=s.UserServicePermissions_GET_NotFoundResponseSchema.description,
        content={
            "service_name": str(service.resource_name),
            "user_name": str(user.user_name)
        })
    return ax.valid_http(
        http_success=HTTPOk,
        content=format_permissions(perms, perm_type),
        detail=s.UserServicePermissions_GET_OkResponseSchema.description)
def get_user_service_permissions_view(request):
    """
    List all permissions a user has on a service.

    The boolean ``inherit`` query parameter also includes permissions inherited
    from the user's groups. Permission names are returned sorted. A failing lookup
    rolls back the session and answers 404.
    """
    user = ar.get_user_matchdict_checked_or_logged(request)
    service = ar.get_service_matchdict_checked(request)
    inherited = asbool(ar.get_query_param(request, "inherit"))

    def lookup_permissions():
        return uu.get_user_service_permissions(
            service=service,
            user=user,
            request=request,
            inherit_groups_permissions=inherited)

    perms = ax.evaluate_call(
        lookup_permissions,
        fallback=lambda: request.db.rollback(),
        httpError=HTTPNotFound,
        msgOnFail=s.UserServicePermissions_GET_NotFoundResponseSchema.description,
        content={
            u"service_name": str(service.resource_name),
            u"user_name": str(user.user_name)
        })
    perm_names = sorted(perm.value for perm in perms)
    return ax.valid_http(
        httpSuccess=HTTPOk,
        detail=s.UserServicePermissions_GET_OkResponseSchema.description,
        content={u"permission_names": perm_names})
def assign_user_group_view(request):
    """
    Assign a user to a group.

    ``group_name`` is read from the request body (any supported format). A failing
    group lookup rolls back the session and answers 403; an unknown group answers
    404. The membership itself is created by ``uu.assign_user_group`` and 201 is
    returned with the user and group names.
    """
    user = ar.get_user_matchdict_checked_or_logged(request)
    group_name = ar.get_value_multiformat_body_checked(request, "group_name")

    def find_group():
        return GroupService.by_group_name(group_name, db_session=request.db)

    group = ax.evaluate_call(
        find_group,
        fallback=lambda: request.db.rollback(),
        http_error=HTTPForbidden,
        msg_on_fail=s.UserGroups_POST_ForbiddenResponseSchema.description)
    ax.verify_param(
        group,
        not_none=True,
        http_error=HTTPNotFound,
        msg_on_fail=s.UserGroups_POST_GroupNotFoundResponseSchema.description)

    uu.assign_user_group(user, group, db_session=request.db)
    membership = {"user_name": user.user_name, "group_name": group.group_name}
    return ax.valid_http(
        http_success=HTTPCreated,
        detail=s.UserGroups_POST_CreatedResponseSchema.description,
        content=membership)
def get_user_view(request):
    """
    Get user information by name.

    Resolves the user from the matchdict (or the logged-in user) and returns it
    formatted by ``uf.format_user`` under the ``user`` key.
    """
    user = ar.get_user_matchdict_checked_or_logged(request)
    user_json = uf.format_user(user)
    return ax.valid_http(
        http_success=HTTPOk,
        content={"user": user_json},
        detail=s.User_GET_OkResponseSchema.description)
def delete_user_resource_permissions_view(request):
    """
    Delete a permission from a specific resource for a user (not including his groups permissions).

    The permission is read from the request body and validated against the
    resolved resource before the deletion is delegated to ``uu``.
    """
    user = ar.get_user_matchdict_checked_or_logged(request)
    resource = ar.get_resource_matchdict_checked(request)
    perm = ar.get_permission_multiformat_body_checked(request, resource)
    session = request.db
    return uu.delete_user_resource_permission_response(user, resource, perm, session)
def delete_user_service_permission_name_view(request):
    """
    Delete a permission by name from a service for a user (not including his groups permissions).

    The permission name comes from the URL matchdict and is validated against the
    resolved service before the deletion is delegated to ``uu``.
    """
    user = ar.get_user_matchdict_checked_or_logged(request)
    service = ar.get_service_matchdict_checked(request)
    perm = ar.get_permission_matchdict_checked(request, service)
    session = request.db
    return uu.delete_user_resource_permission_response(user, service, perm, session)
def get_user_groups_view(request):
    """
    List all groups a user belongs to.

    Returns the group names produced by ``uu.get_user_groups_checked`` under
    the ``group_names`` key.
    """
    user = ar.get_user_matchdict_checked_or_logged(request)
    names = uu.get_user_groups_checked(user, request.db)
    return ax.valid_http(
        http_success=HTTPOk,
        content={"group_names": names},
        detail=s.UserGroups_GET_OkResponseSchema.description)
def create_user_service_permission_view(request):
    """
    Create a permission on a service for a user.

    The permission is read from the POST body and validated against the resolved
    service before creation is delegated to ``uu``.
    """
    user = ar.get_user_matchdict_checked_or_logged(request)
    service = ar.get_service_matchdict_checked(request)
    perm = ar.get_permission_multiformat_post_checked(request, service)
    session = request.db
    return uu.create_user_resource_permission_response(user, service, perm, session)
def delete_user_resource_permission_view(request):
    """
    Delete a direct permission on a resource for a user (not including his groups permissions).

    The permission name comes from the URL matchdict and is validated against the
    resolved resource before the deletion is delegated to ``uu``.
    """
    user = ar.get_user_matchdict_checked_or_logged(request)
    resource = ar.get_resource_matchdict_checked(request)
    perm = ar.get_permission_matchdict_checked(request, resource)
    session = request.db
    return uu.delete_user_resource_permission_response(user, resource, perm, session)
def delete_user_group_view(request):
    """
    Removes a user from a group.

    Both the user (or logged-in user) and the group are resolved from the
    matchdict; the removal itself is delegated to ``uu.delete_user_group``.
    """
    user = ar.get_user_matchdict_checked_or_logged(request)
    group = ar.get_group_matchdict_checked(request)
    session = request.db
    uu.delete_user_group(user, group, session)
    return ax.valid_http(
        http_success=HTTPOk,
        detail=s.UserGroup_DELETE_OkResponseSchema.description)
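def delete_user_view(request):
    """
    Delete a user by name.

    The reserved admin and anonymous users are never deletable (403). Any failure
    while deleting the resolved user rolls back the session and also answers 403.
    """
    user = ar.get_user_matchdict_checked_or_logged(request)
    # Refuse to delete the reserved users: without this guard a caller allowed to
    # reach this view could remove the admin or anonymous account. Same guard as
    # the other views in this module that use get_constant for reserved names.
    ax.verify_param(
        user.user_name,
        notIn=True,
        paramCompare=[
            get_constant("MAGPIE_ADMIN_USER", request),
            get_constant("MAGPIE_ANONYMOUS_USER", request),
        ],
        httpError=HTTPForbidden,
        msgOnFail=s.User_DELETE_ForbiddenResponseSchema.description)
    ax.evaluate_call(
        lambda: request.db.delete(user),
        fallback=lambda: request.db.rollback(),
        httpError=HTTPForbidden,
        msgOnFail=s.User_DELETE_ForbiddenResponseSchema.description)
    return ax.valid_http(httpSuccess=HTTPOk,
                         detail=s.User_DELETE_OkResponseSchema.description)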
def create_user_resource_permissions_view(request):
    """
    Create a permission on specific resource for a user.

    The permission is read from the request body and validated against the
    resolved resource. Creation is delegated to ``uu`` with ``overwrite=False``,
    so an already existing permission is not replaced by this view.
    """
    user = ar.get_user_matchdict_checked_or_logged(request)
    resource = ar.get_resource_matchdict_checked(request)
    perm = ar.get_permission_multiformat_body_checked(request, resource)
    session = request.db
    return uu.create_user_resource_permission_response(
        user, resource, perm, session, overwrite=False)
def replace_user_service_permissions_view(request):
    """
    Create or modify an existing permission on a service for a user.

    Can be used to adjust permission modifiers. The permission is read from the
    request body and validated against the resolved service; creation is delegated
    to ``uu`` with ``overwrite=True`` so an existing permission is replaced.
    """
    user = ar.get_user_matchdict_checked_or_logged(request)
    service = ar.get_service_matchdict_checked(request)
    perm = ar.get_permission_multiformat_body_checked(request, service)
    session = request.db
    return uu.create_user_resource_permission_response(
        user, service, perm, session, overwrite=True)
def get_user_resource_permissions_view(request):
    """
    List all permissions a user has on a specific resource.

    The resource is resolved from the ``resource_id`` matchdict entry. Boolean
    query parameters ``inherit`` (include group-inherited permissions) and
    ``effective`` are forwarded to ``uu.get_user_resource_permissions_response``,
    which builds the response.
    """
    user = ar.get_user_matchdict_checked_or_logged(request)
    resource = ar.get_resource_matchdict_checked(request, "resource_id")
    inherited = asbool(ar.get_query_param(request, "inherit"))
    effective = asbool(ar.get_query_param(request, "effective"))
    response = uu.get_user_resource_permissions_response(
        user,
        resource,
        request,
        inherit_groups_permissions=inherited,
        effective_permissions=effective)
    return response
def get_user_resources_view(request):
    """
    List all resources a user has permissions on.

    Walks every registered service, collects the user's service-level and
    resource-level permissions (including group-inherited ones when the boolean
    ``inherit`` query parameter is set) and returns them grouped by service type
    and service name. A failure while building the tree rolls back the session
    and answers 404.
    """
    inherited = asbool(ar.get_query_param(request, "inherit"))
    user = ar.get_user_matchdict_checked_or_logged(request)
    session = request.db

    def resource_tree(usr):
        tree = {}
        # NOTE(review): every registered service is formatted into the response,
        # whether or not the user holds a permission on it. Private URLs are hidden
        # (show_private_url=False) but service names/types are still disclosed to
        # anyone allowed to call this view -- confirm that is intended.
        for svc in ResourceService.all(models.Service, db_session=session):
            lookup = dict(user=usr, service=svc, request=request,
                          inherit_groups_permissions=inherited)
            svc_perms = uu.get_user_service_permissions(**lookup)
            res_perms = uu.get_user_service_resources_permissions_dict(**lookup)
            by_type = tree.setdefault(svc.type, {})
            by_type[svc.resource_name] = format_service_resources(
                svc,
                db_session=session,
                service_perms=svc_perms,
                resources_perms_dict=res_perms,
                show_all_children=False,
                show_private_url=False,
            )
        return tree

    resources_json = ax.evaluate_call(
        lambda: resource_tree(user),
        fallback=lambda: session.rollback(),
        httpError=HTTPNotFound,
        msgOnFail=s.UserResources_GET_NotFoundResponseSchema.description,
        content={
            u"user_name": user.user_name,
            u"resource_types": [models.Service.resource_type_name]
        })
    return ax.valid_http(
        httpSuccess=HTTPOk,
        content={u"resources": resources_json},
        detail=s.UserResources_GET_OkResponseSchema.description)
def assign_user_group_view(request):
    """
    Assign a user to a group.

    ``group_name`` is read from the POST body. Responses:
      - 403 when the group lookup or the membership insert fails (session rolled back)
      - 404 when the group does not exist
      - 409 when the user is already a member of the group
      - 201 once the ``UserGroup`` row has been added
    """
    user = ar.get_user_matchdict_checked_or_logged(request)
    session = request.db
    group_name = ar.get_value_multiformat_post_checked(request, "group_name")

    def find_group():
        return GroupService.by_group_name(group_name, db_session=session)

    group = ax.evaluate_call(
        find_group,
        fallback=lambda: session.rollback(),
        httpError=HTTPForbidden,
        msgOnFail=s.UserGroups_POST_ForbiddenResponseSchema.description)
    ax.verify_param(
        group,
        notNone=True,
        httpError=HTTPNotFound,
        msgOnFail=s.UserGroups_POST_GroupNotFoundResponseSchema.description)

    def membership():
        # fresh dict per response so no caller can mutate a shared one
        return {u"user_name": user.user_name, u"group_name": group.group_name}

    # reject duplicate membership before touching the table
    member_ids = [member.id for member in group.users]
    ax.verify_param(
        user.id,
        paramCompare=member_ids,
        notIn=True,
        httpError=HTTPConflict,
        content=membership(),
        msgOnFail=s.UserGroups_POST_ConflictResponseSchema.description)

    def add_membership():
        # noinspection PyArgumentList
        session.add(models.UserGroup(group_id=group.id, user_id=user.id))

    ax.evaluate_call(
        add_membership,
        fallback=lambda: session.rollback(),
        httpError=HTTPForbidden,
        msgOnFail=s.UserGroups_POST_RelationshipForbiddenResponseSchema.description,
        content=membership())
    return ax.valid_http(
        httpSuccess=HTTPCreated,
        detail=s.UserGroups_POST_CreatedResponseSchema.description,
        content=membership())
def get_user_services_view(request):
    """
    List all services a user has permissions on.

    Boolean query parameters: ``cascade`` (cascade through resources), ``inherit``
    (include group-inherited permissions) and ``list`` (flat list instead of the
    nested format). All three are forwarded to ``uu.get_user_services``.
    """
    user = ar.get_user_matchdict_checked_or_logged(request)
    options = dict(
        cascade_resources=asbool(ar.get_query_param(request, "cascade")),
        inherit_groups_permissions=asbool(ar.get_query_param(request, "inherit")),
        format_as_list=asbool(ar.get_query_param(request, "list")),
    )
    services_json = uu.get_user_services(user, request=request, **options)
    return ax.valid_http(
        httpSuccess=HTTPOk,
        content={u"services": services_json},
        detail=s.UserServices_GET_OkResponseSchema.description)
def delete_user_view(request):
    """
    Delete a user by name.

    The reserved admin and anonymous users are protected: a request to delete
    either answers 403 without echoing the name back in the response. Any failure
    while deleting rolls back the session and also answers 403.
    """
    user = ar.get_user_matchdict_checked_or_logged(request)
    session = request.db
    reserved_names = [
        get_constant("MAGPIE_ADMIN_USER", request),
        get_constant("MAGPIE_ANONYMOUS_USER", request),
    ]
    ax.verify_param(
        user.user_name,
        not_in=True,
        with_param=False,  # avoid leaking username details
        param_compare=reserved_names,
        http_error=HTTPForbidden,
        msg_on_fail=s.User_DELETE_ForbiddenResponseSchema.description)

    def remove_user():
        session.delete(user)

    ax.evaluate_call(
        remove_user,
        fallback=lambda: session.rollback(),
        http_error=HTTPForbidden,
        msg_on_fail=s.User_DELETE_ForbiddenResponseSchema.description)
    return ax.valid_http(
        http_success=HTTPOk,
        detail=s.User_DELETE_OkResponseSchema.description)
def update_user_view(request):
    """
    Update user information by user name.

    Reads optional ``user_name``, ``email`` and ``password`` from the request body
    (each defaulting to the current stored value) and applies only the fields that
    actually differ.

    Rules enforced below:
      - at least one field must change (400);
      - changing ``user_name`` requires the *requester* to belong to
        MAGPIE_ADMIN_GROUP (403);
      - reserved names (admin, anonymous, logged-user keyword) can neither be
        edited nor assigned (403);
      - a new ``user_name`` must pass ``check_user_info`` and be unused (409);
      - a new password is validated, stored through ``UserService.set_password``
        and the user's security code is regenerated.

    NOTE(review): no current-password check is performed before a password change,
    and the new email is not checked for uniqueness here (only user_name is) --
    confirm both are intended or covered elsewhere (e.g. ``check_user_info`` or a
    database constraint).
    """
    user = ar.get_user_matchdict_checked_or_logged(request)
    new_user_name = ar.get_multiformat_body(request,
                                            "user_name",
                                            default=user.user_name)
    new_email = ar.get_multiformat_body(request, "email", default=user.email)
    # default is the stored password value, so an absent "password" field compares
    # equal below and is not treated as a change
    new_password = ar.get_multiformat_body(request,
                                           "password",
                                           default=user.user_password)

    update_username = user.user_name != new_user_name and new_user_name is not None
    update_password = user.user_password != new_password and new_password is not None
    update_email = user.email != new_email and new_email is not None
    ax.verify_param(
        any([update_username, update_password, update_email]),
        is_true=True,
        with_param=False,  # params are not useful in response for this case
        content={"user_name": user.user_name},
        http_error=HTTPBadRequest,
        msg_on_fail=s.User_PATCH_BadRequestResponseSchema.description)
    # user name change is admin-only operation
    # (checked against request.user -- the caller -- not the user being edited)
    if update_username:
        ax.verify_param(
            get_constant("MAGPIE_ADMIN_GROUP"),
            is_in=True,
            param_compare=uu.get_user_groups_checked(request.user, request.db),
            with_param=False,
            http_error=HTTPForbidden,
            msg_on_fail=s.User_PATCH_ForbiddenResponseSchema.description)

    # logged user updating itself is forbidden if it corresponds to special users
    # cannot edit reserved keywords nor apply them to another user
    forbidden_user_names = [
        get_constant("MAGPIE_ADMIN_USER", request),
        get_constant("MAGPIE_ANONYMOUS_USER", request),
        get_constant("MAGPIE_LOGGED_USER", request),
    ]
    # both the current and the requested name are checked when renaming
    check_user_name_cases = [user.user_name, new_user_name
                             ] if update_username else [user.user_name]
    for check_user_name in check_user_name_cases:
        ax.verify_param(
            check_user_name,
            not_in=True,
            param_compare=forbidden_user_names,
            param_name="user_name",
            http_error=HTTPForbidden,
            content={"user_name": str(check_user_name)},
            msg_on_fail=s.User_PATCH_ForbiddenResponseSchema.description)
    if update_username:
        uu.check_user_info(user_name=new_user_name,
                           check_email=False,
                           check_password=False,
                           check_group=False)
        # renaming onto an existing account is a conflict; the lookup failure
        # itself (after rollback) is reported as 403
        existing_user = ax.evaluate_call(
            lambda: UserService.by_user_name(new_user_name,
                                             db_session=request.db),
            fallback=lambda: request.db.rollback(),
            http_error=HTTPForbidden,
            msg_on_fail=s.User_PATCH_ForbiddenResponseSchema.description)
        ax.verify_param(
            existing_user,
            is_none=True,
            with_param=False,
            http_error=HTTPConflict,
            msg_on_fail=s.User_PATCH_ConflictResponseSchema.description)
        user.user_name = new_user_name
    if update_email:
        uu.check_user_info(email=new_email,
                           check_name=False,
                           check_password=False,
                           check_group=False)
        user.email = new_email
    if update_password:
        uu.check_user_info(password=new_password,
                           check_name=False,
                           check_email=False,
                           check_group=False)
        UserService.set_password(user, new_password)
        # new security code after a password change -- presumably invalidates
        # previously issued credentials tied to the old one; confirm
        UserService.regenerate_security_code(user)

    return ax.valid_http(http_success=HTTPOk,
                         detail=s.Users_PATCH_OkResponseSchema.description)
def get_user_resources_view(request):
    """
    List all resources a user has permissions on.

    Boolean query parameters (either spelling accepted):
      - ``inherit`` / ``inherited``: include permissions inherited from the user's groups
      - ``resolve`` / ``resolved``: forwarded as ``resolve_groups_permissions`` to the lookups
      - ``filter`` / ``filtered``: only list services where the user has at least one
        permission, even for an admin requester

    Output is keyed by service type (every known type is present, possibly empty),
    then by service name. An admin requester (member of MAGPIE_ADMIN_GROUP) gets
    every service listed unless ``filter`` is requested; other requesters only see
    services where a service-level or resource-level permission exists. Any failure
    while building the tree rolls back the session and answers 404.
    """
    inherit_groups_perms = asbool(
        ar.get_query_param(request, ["inherit", "inherited"]))
    resolve_groups_perms = asbool(
        ar.get_query_param(request, ["resolve", "resolved"]))
    filtered_perms = asbool(ar.get_query_param(request,
                                               ["filter", "filtered"]))
    user = ar.get_user_matchdict_checked_or_logged(request)
    db = request.db

    # skip admin-only full listing of resources if filtered view is requested
    # admin status is that of the *requester* (request.user), not of the user whose
    # resources are listed; an unauthenticated request (request.user is None) is
    # never treated as admin
    is_admin = False
    if not filtered_perms and request.user is not None:
        admin_group = get_constant("MAGPIE_ADMIN_GROUP",
                                   settings_container=request)
        is_admin = admin_group in [
            group.group_name for group in request.user.groups
        ]

    def build_json_user_resource_tree(usr):
        json_res = {}
        perm_type = PermissionType.INHERITED if inherit_groups_perms else PermissionType.DIRECT
        services = ResourceService.all(models.Service, db_session=db)
        # add service-types so they are ordered and listed if no service of that type was defined
        for svc_type in sorted(SERVICE_TYPE_DICT):
            json_res[svc_type] = {}
        for svc in services:
            svc_perms = uu.get_user_service_permissions(
                user=usr,
                service=svc,
                request=request,
                inherit_groups_permissions=inherit_groups_perms,
                resolve_groups_permissions=resolve_groups_perms)
            res_perms_dict = uu.get_user_service_resources_permissions_dict(
                user=usr,
                service=svc,
                request=request,
                inherit_groups_permissions=inherit_groups_perms,
                resolve_groups_permissions=resolve_groups_perms)
            # always allow admin to view full resource tree, unless explicitly requested to be filtered
            # otherwise (non-admin), only add details if there is at least one resource permission (any level)
            # NOTE(review): a service whose ``type`` is not a key of SERVICE_TYPE_DICT
            # raises KeyError here and surfaces as the 404 below -- confirm service
            # types are validated at creation time
            if (is_admin and not filtered_perms) or (svc_perms
                                                     or res_perms_dict):
                json_res[svc.type][
                    svc.resource_name] = format_service_resources(
                        svc,
                        db_session=db,
                        service_perms=svc_perms,
                        resources_perms_dict=res_perms_dict,
                        permission_type=perm_type,
                        show_all_children=False,
                        show_private_url=False,  # never expose private URLs in a user listing
                    )
        return json_res

    usr_res_dict = ax.evaluate_call(
        lambda: build_json_user_resource_tree(user),
        fallback=lambda: db.rollback(),
        http_error=HTTPNotFound,
        msg_on_fail=s.UserResources_GET_NotFoundResponseSchema.description,
        content={
            "user_name": user.user_name,
            "resource_types": [models.Service.resource_type_name]
        })
    return ax.valid_http(
        http_success=HTTPOk,
        content={"resources": usr_res_dict},
        detail=s.UserResources_GET_OkResponseSchema.description)