def update_personal_user(username): data = request.get_json() current_user = get_jwt_identity() # check for internal user if username.id == 1: return Problem.from_crud_resource( HTTPStatus.FORBIDDEN, 'user', 'update', f"Current user does not have permission to update user {username.id}.") # check password if username.verify_password(data['old_password']): if username.id == current_user: # allow ability to update username/password but not roles/active if username.id == 2: username.set_roles([2]) username.active = True return update_user_fields(data, username) else: return update_user_fields(data, username) else: return Problem.from_crud_resource( HTTPStatus.FORBIDDEN, 'user', 'update', f"Current user does not have permission to update user {username.id}.") else: return None, HTTPStatus.FORBIDDEN
def create_role(): json_data = request.get_json() if not Role.query.filter_by(name=json_data['name']).first(): resources = json_data['resources'] if 'resources' in json_data else [] if '/roles' in resources: resources.remove('/roles') role_params = { 'name': json_data['name'], 'description': json_data['description'] if 'description' in json_data else '', 'resources': resources } new_role = Role(**role_params) db.session.add(new_role) db.session.commit() current_app.logger.info(f"Role added: {role_params}") return new_role.as_json(), HTTPStatus.CREATED else: current_app.logger.warning( f"Role with name {json_data['name']} already exists") return Problem.from_crud_resource( HTTPStatus.BAD_REQUEST, 'role', 'create', f"Role with name {json_data['name']} already exists")
def __func(): config_in = request.get_json() if not _reset_token_durations(access_token_duration=config_in.get( 'access_token_duration', None), refresh_token_duration=config_in.get( 'refresh_token_duration', None)): return Problem.from_crud_resource( HTTPStatus.BAD_REQUEST, 'configuration', 'update', 'Access token duration must be less than refresh token duration.' ) for config, config_value in config_in.items(): if hasattr(api_gateway.config.Config, config.upper()): setattr(api_gateway.config.Config, config.upper(), config_value) elif hasattr(current_app.config, config.upper()): setattr(current_app.config, config.upper(), config_value) current_app.logger.info('Changed configuration') try: api_gateway.config.Config.write_values_to_file() return __get_current_configuration(), HTTPStatus.OK except (IOError, OSError) as e: current_app.logger.error( 'Could not write changes to configuration to file') return Problem( HTTPStatus.INTERNAL_SERVER_ERROR, 'Could not write changes to file.', 'Could not write configuration changes to file. Problem: {}'. format(format_exception_message(e)))
def update_user(user_id): data = request.get_json() current_user = get_jwt_identity() # check for internal user if user_id.id == 1: return None, HTTPStatus.FORBIDDEN if user_id.id == current_user: # check for super_admin, allows ability to update username/password but not roles/active if user_id.id == 2: user_id.set_roles([2]) user_id.active = True return update_user_fields(data, user_id) return role_update_user_fields(data, user_id, update=True) else: # check for super_admin if user_id.id == 2: return None, HTTPStatus.FORBIDDEN else: response = role_update_user_fields(data, user_id, update=True) if isinstance(response, tuple) and response[1] == HTTPStatus.FORBIDDEN: current_app.logger.error(f"User {current_user} does not have permission to update user {user_id.id}") return Problem.from_crud_resource( HTTPStatus.FORBIDDEN, 'user', 'update', f"Current user does not have permission to update user {user_id.id}.") else: return response
def update_user_fields(data, user): if user.id != 1: original_username = str(user.username) if 'username' in data and data['username']: user_db = User.query.filter_by(username=data['username']).first() if user_db is None or user_db.id == user.id: user.username = data['username'] else: return Problem(HTTPStatus.BAD_REQUEST, 'Cannot update user.', f"Username {data['username']} is already taken.") elif 'new_username' in data and data['new_username']: user_db = User.query.filter_by(username=data['old_username']).first() if user_db is None or user_db.id == user.id: user.username = data['new_username'] else: return Problem(HTTPStatus.BAD_REQUEST, 'Cannot update user.', f"Username {data['new_username']} is already taken.") if 'old_password' in data and 'password' in data and \ data['old_password'] != "" and data['password'] != "": logger.info("go there") if user.verify_password(data['old_password']): user.password = data['password'] else: user.username = original_username return Problem.from_crud_resource( HTTPStatus.UNAUTHORIZED, 'user', 'update', 'Current password is incorrect.') db.session.commit() current_app.logger.info(f"Updated user {user.id}. Updated to: {user.as_json()}") return user.as_json(), HTTPStatus.OK else: return None, HTTPStatus.FORBIDDEN
def delete_user(user_id): if user_id.id != get_jwt_identity() and user_id.id != 1 and user_id.id != 2: db.session.delete(user_id) db.session.commit() current_app.logger.info(f"User {user_id.username} deleted") return None, HTTPStatus.NO_CONTENT else: if user_id.id == get_jwt_identity(): current_app.logger.error(f"Could not delete user {user_id.id}. User is current user.") return Problem.from_crud_resource(HTTPStatus.FORBIDDEN, 'user', 'delete', 'Current user cannot delete self.') if user_id.id == 2: current_app.logger.error(f"Could not delete user {user_id.username}. " f"You do not have permission to delete Super Admin.") return Problem.from_crud_resource(HTTPStatus.FORBIDDEN, 'user', 'delete', 'A user cannot delete Super Admin.') if user_id.id == 1: current_app.logger.error(f"Could not delete user {user_id.username}. " f"You do not have permission to delete WALKOFF's internal user.") return Problem.from_crud_resource(HTTPStatus.FORBIDDEN, 'user', 'delete', "A user cannot delete WALKOFF's internal user.")
def delete_user(user_id): if user_id.id != get_jwt_identity( ) and user_id.username != "internal_user": db.session.delete(user_id) db.session.commit() current_app.logger.info(f"User {user_id.username} deleted") return None, HTTPStatus.NO_CONTENT else: current_app.logger.error( f"Could not delete user {user_id.id}. User is current user.") return Problem.from_crud_resource(HTTPStatus.FORBIDDEN, 'user', 'delete', 'Current user cannot delete self.')
def update_settings(): config_in = request.get_json() if not _reset_token_durations(access_token_duration=config_in.get('access_token_duration', None), refresh_token_duration=config_in.get('refresh_token_duration', None)): return Problem.from_crud_resource( HTTPStatus.BAD_REQUEST, 'settings', 'update', 'Access token duration must be less than refresh token duration.') for config, config_value in config_in.items(): if hasattr(api_gateway.flask_config.FlaskConfig, config.upper()): setattr(api_gateway.flask_config.FlaskConfig, config.upper(), config_value) elif hasattr(current_app.config, config.upper()): setattr(current_app.config, config.upper(), config_value) current_app.logger.info('Changed settings')
def create_user(): data = request.get_json() username = data['username'] if not User.query.filter_by(username=username).first(): user = add_user(username=username, password=data['password']) if 'roles' in data or 'active' in data: role_update_user_fields(data, user) db.session.commit() current_app.logger.info(f'User added: {user.as_json()}') return user.as_json(), HTTPStatus.CREATED else: current_app.logger.warning( f'Cannot create user {username}. User already exists.') return Problem.from_crud_resource( HTTPStatus.BAD_REQUEST, 'user', 'create', f'User with username {username} already exists')
def update_user(user_id): data = request.get_json() current_user = get_jwt_identity() if user_id.username == "internal_user": return None, HTTPStatus.FORBIDDEN if user_id.id == current_user: return update_user_fields(data, user_id) else: response = role_update_user_fields(data, user_id, update=True) if isinstance(response, tuple) and response[1] == HTTPStatus.FORBIDDEN: current_app.logger.error( f"User {current_user} does not have permission to update user {user_id.id}" ) return Problem.from_crud_resource( HTTPStatus.FORBIDDEN, 'user', 'update', f"Current user does not have permission to update user {user_id.id}." ) else: return response
def scheduled_task_name_already_exists_problem(name, operation): return Problem.from_crud_resource( HTTPStatus.BAD_REQUEST, 'scheduled task', operation, 'Could not {} scheduled task. Scheduled task with name {} already exists.' .format(operation, name))