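def save_group_permissions(self, **kw):
    """Add a permission to a group (JSON-style endpoint).

    Reads ``kw['permissions']['text']`` (the permission name) and
    ``kw['group_id']`` from the submitted form. On any failure sets
    ``response.status = 403`` and returns a one-element list holding the
    error text; on success returns ``{'name': ..., 'id': ...}`` for the
    permission that was added.

    Note: the original looked the group up twice and, unlike
    remove_group_permission(), never checked that the caller may edit the
    group; both are fixed here. An access decorator may additionally guard
    this endpoint outside this view.
    """
    try:
        permission_name = kw['permissions']['text']
    except (KeyError, TypeError):
        # TypeError covers a scalar 'permissions' value being indexed.
        log.exception('Permission not submitted correctly')
        response.status = 403
        return ['Permission not submitted correctly']
    try:
        permission = Permission.by_name(permission_name)
    except NoResultFound:
        log.exception('Invalid permission: %s' % permission_name)
        response.status = 403
        return ['Invalid permission value']
    try:
        group_id = kw['group_id']
    except KeyError:
        log.exception('Group id not submitted')
        response.status = 403
        return ['No group id given']
    try:
        group = Group.by_id(group_id)
    except NoResultFound:
        log.exception('Group id %s is not a valid group id' % group_id)
        response.status = 403
        return ['Invalid Group Id']
    # Granting a permission is at least as sensitive as removing one, so
    # gate it the same way remove_group_permission() does.
    actor = identity.current.user
    if not group.can_edit(actor):
        log.warning('User %s does not have edit permissions for Group id %s',
                    actor.user_id, group_id)
        response.status = 403
        return ['You are not an owner of group %s' % group]
    if permission in group.permissions:
        response.status = 403
        return ['%s already exists in group %s'
                % (permission.permission_name, group.group_name)]
    group.permissions.append(permission)
    return {'name': permission_name, 'id': permission.permission_id}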
def grant_owner(self, group_id=None, id=None, **kw):
    """Make an existing member an owner of the group.

    Reached from the web UI with ``group_id``/``id`` (a user id), or via
    XML-RPC with ``group_name``/``member_name`` in *kw*; the ``service``
    written to the activity log says which path was taken.

    Raises GroupOwnerModificationForbidden when the group is an LDAP group,
    when the caller may not edit it, or when the target is not a member.
    Returns an empty string.
    """
    from_web_ui = group_id is not None and id is not None
    if from_web_ui:
        group = Group.by_id(group_id)
        user = User.by_id(id)
        service = 'WEBUI'
    else:
        group = Group.by_name(kw['group_name'])
        user = User.by_user_name(kw['member_name'])
        service = 'XMLRPC'
    if group.ldap:
        raise GroupOwnerModificationForbidden('An LDAP group does not have an owner')
    actor = identity.current.user
    if not group.can_edit(actor):
        raise GroupOwnerModificationForbidden('You are not an owner of the group %s' % group)
    if user not in group.users:
        raise GroupOwnerModificationForbidden('User is not a group member')
    # Flip the owner flag on this user's membership row(s); activity is only
    # recorded when the flag actually changes.
    for membership in group.user_group_assocs:
        if membership.user == user and not membership.is_owner:
            membership.is_owner = True
            group.record_activity(user=actor, service=service,
                                  field=u'Owner', action='Added',
                                  old=u'', new=user.user_name)
    return ''
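def removeUser(self, group_id=None, id=None, **kw):
    """Remove the member with user id *id* from group *group_id* (web UI).

    Redirects with a flash message when the caller may not modify the
    membership, when can_remove_member() refuses, when *id* is not an
    integer, or when no such member exists. On success records a
    GroupActivity, sends the membership notification mail, flashes a
    confirmation and redirects to the group edit page.

    Fixes: the original referenced ``removed`` in the "No user" message,
    which is unbound when no member matched (an UnboundLocalError instead
    of a clean redirect), and it named the wrong object in that message.
    """
    actor = identity.current.user
    group = Group.by_id(group_id)
    if not group.can_modify_membership(actor):
        flash(_(u'You are not an owner of group %s' % group))
        redirect('../groups/mine')
    if not group.can_remove_member(actor, id):
        flash(_(u'Cannot remove member'))
        redirect('../groups/edit?group_id=%s' % group_id)
    # *id* comes from the request; a non-numeric value should not be a 500.
    try:
        target_id = int(id)
    except (TypeError, ValueError):
        target_id = None
    if target_id is None:
        flash(_(u'Invalid user id %s' % id))
        redirect('../groups/edit?group_id=%s' % group_id)
    # Iterate over a snapshot: the original removed from the live
    # collection while iterating it.
    for user in list(group.users):
        if user.user_id == target_id:
            group.users.remove(user)
            activity = GroupActivity(actor, u'WEBUI', u'Removed', u'User',
                                     user.user_name, u"")
            group.activity.append(activity)
            mail.group_membership_notify(user, group, agent=actor,
                                         action='Removed')
            flash(_(u"%s Removed" % user.display_name))
            redirect("../groups/edit?group_id=%s" % group_id)
    flash(_(u"No user %s in group %s" % (id, group.group_name)))
    raise redirect("../groups/edit?group_id=%s" % group_id)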
def remove(self, **kw):
    """Delete a group from the web UI.

    Refuses (flash + redirect to ../groups/mine) when the group does not
    exist, when the caller may not edit it, when it is a protected group,
    or when it has associated jobs. Before deleting, records the access
    policy rules that vanish with the group and hands any system pools the
    group owns over to the deleting user, then logs a 'Removed' Activity,
    flashes a confirmation and redirects.
    """
    actor = identity.current.user
    try:
        group = Group.by_id(kw['group_id'])
    except DatabaseLookupError:
        flash(unicode('Invalid group or already removed'))
        redirect('../groups/mine')

    def deny(message):
        flash(_(message))
        redirect('../groups/mine')

    if not group.can_edit(actor):
        deny(u'You are not an owner of group %s' % group)
    if group.is_protected_group():
        deny(u'This group %s is predefined and cannot be deleted' % group)
    if group.jobs:
        deny(u'Cannot delete a group which has associated jobs')
    # Record the access policy rules that will be removed
    # before deleting the group
    for rule in group.system_access_policy_rules:
        rule.record_deletion()
    # For any system pool owned by this group, unset owning_group
    # and set owning_user to the user deleting this group
    owned_pools = SystemPool.query.filter_by(owning_group_id=group.group_id)
    for pool in owned_pools:
        pool.change_owner(user=actor, service='WEBUI')
    session.delete(group)
    session.add(Activity(actor, u'WEBUI', u'Removed', u'Group',
                         group.display_name, u""))
    flash(_(u"%s deleted") % group.display_name)
    raise redirect(".")
def revoke_owner(self, group_id=None, id=None, **kw):
    """Take group ownership away from a member.

    Reached from the web UI with ``group_id``/``id`` or via XML-RPC with
    ``group_name``/``member_name`` in *kw*; ``service`` records which.

    Raises GroupOwnerModificationForbidden for LDAP groups, for callers
    who may not edit the group, for non-members, and when a non-admin
    tries to remove the last remaining owner. Returns the acting user's id
    as a string (see the trailing comment).
    """
    from_web_ui = group_id is not None and id is not None
    if from_web_ui:
        group = Group.by_id(group_id)
        user = User.by_id(id)
        service = 'WEBUI'
    else:
        group = Group.by_name(kw['group_name'])
        user = User.by_user_name(kw['member_name'])
        service = 'XMLRPC'
    if group.membership_type == GroupMembershipType.ldap:
        raise GroupOwnerModificationForbidden(
            'An LDAP group does not have an owner')
    actor = identity.current.user
    if not group.can_edit(actor):
        raise GroupOwnerModificationForbidden(
            'You are not an owner of group %s' % group)
    if user not in group.users:
        raise GroupOwnerModificationForbidden('User is not a group member')
    sole_owner = len(group.owners()) == 1
    if sole_owner and not actor.is_admin():
        raise GroupOwnerModificationForbidden(
            'Cannot remove the only owner')
    group.revoke_ownership(user=user, agent=actor, service=service)
    # hack to return the user removing this owner
    # so that if the user was logged in as a group
    # owner, he/she can be redirected appropriately
    return str(actor.user_id)
def save_user(self, **kw):
    """Add a user to a group from the web UI form.

    Expects ``kw['user']['text']`` (a user name) and ``kw['group_id']``.
    Redirects with a flash message when the user name is unknown, when the
    caller may not modify membership, or when the user is already a
    member; otherwise appends the user, records a GroupActivity, sends the
    membership notification mail and redirects to the edit page.
    """
    requested_name = kw['user']['text']
    edit_page = "./edit?group_id=%s" % kw['group_id']
    user = User.by_user_name(requested_name)
    if user is None:
        flash(_(u"Invalid user %s" % requested_name))
        redirect(edit_page)
    group = Group.by_id(kw['group_id'])
    actor = identity.current.user
    if not group.can_modify_membership(actor):
        flash(_(u'You are not an owner of group %s' % group))
        redirect('../groups/mine')
    if user in group.users:
        flash(_(u"User %s is already in Group %s"
                % (user.user_name, group.group_name)))
        redirect(edit_page)
    group.users.append(user)
    group.activity.append(GroupActivity(actor, u'WEBUI', u'Added', u'User',
                                        u"", user.user_name))
    mail.group_membership_notify(user, group, agent=actor, action='Added')
    flash(_(u"OK"))
    redirect(edit_page)
def revoke_owner(self, group_id=None, id=None, **kw):
    """Take group ownership away from a member (association-row variant).

    Reached from the web UI with ``group_id``/``id`` or via XML-RPC with
    ``group_name``/``member_name`` in *kw*; ``service`` records which.

    Raises GroupOwnerModificationForbidden for LDAP groups, for callers
    who may not edit the group, for non-members, and when a non-admin
    tries to remove the last remaining owner. Returns the acting user's id
    as a string (see the trailing comment).
    """
    from_web_ui = group_id is not None and id is not None
    if from_web_ui:
        group = Group.by_id(group_id)
        user = User.by_id(id)
        service = 'WEBUI'
    else:
        group = Group.by_name(kw['group_name'])
        user = User.by_user_name(kw['member_name'])
        service = 'XMLRPC'
    if group.ldap:
        raise GroupOwnerModificationForbidden('An LDAP group does not have an owner')
    actor = identity.current.user
    if not group.can_edit(actor):
        raise GroupOwnerModificationForbidden('You are not an owner of group %s' % group)
    if user not in group.users:
        raise GroupOwnerModificationForbidden('User is not a group member')
    sole_owner = len(group.owners()) == 1
    if sole_owner and not actor.is_admin():
        raise GroupOwnerModificationForbidden('Cannot remove the only owner')
    # Clear the owner flag on this user's membership row(s); activity is
    # only recorded when the flag actually changes.
    for membership in group.user_group_assocs:
        if membership.user == user and membership.is_owner:
            membership.is_owner = False
            group.record_activity(user=actor, service=service,
                                  field=u'Owner', action='Removed',
                                  old=user.user_name, new=u'')
    # hack to return the user removing this owner
    # so that if the user was logged in as a group
    # owner, he/she can be redirected appropriately
    return str(actor.user_id)
def grant_owner(self, group_id=None, id=None, **kw):
    """Make an existing member an owner of the group.

    Reached from the web UI with ``group_id``/``id`` (a user id), or via
    XML-RPC with ``group_name``/``member_name`` in *kw*; ``service`` says
    which path was taken and is passed through to grant_ownership().

    Raises GroupOwnerModificationForbidden for LDAP groups, for callers
    who may not edit the group, and for non-members. Returns ''.
    """
    from_web_ui = group_id is not None and id is not None
    if from_web_ui:
        group = Group.by_id(group_id)
        user = User.by_id(id)
        service = 'WEBUI'
    else:
        group = Group.by_name(kw['group_name'])
        user = User.by_user_name(kw['member_name'])
        service = 'XMLRPC'
    if group.membership_type == GroupMembershipType.ldap:
        raise GroupOwnerModificationForbidden(
            'An LDAP group does not have an owner')
    actor = identity.current.user
    if not group.can_edit(actor):
        raise GroupOwnerModificationForbidden(
            'You are not an owner of the group %s' % group)
    if user not in group.users:
        raise GroupOwnerModificationForbidden('User is not a group member')
    group.grant_ownership(user=user, agent=actor, service=service)
    return ''
def revoke_owner(self, group_id=None, id=None, **kw):
    """Take group ownership away from a member.

    Reached from the web UI with ``group_id``/``id`` or via XML-RPC with
    ``group_name``/``member_name`` in *kw*; ``service`` records which and
    is passed through to revoke_ownership().

    Raises GroupOwnerModificationForbidden for LDAP groups, for callers
    who may not edit the group, for non-members, and when a non-admin
    tries to remove the last remaining owner. Returns the acting user's id
    as a string (see the trailing comment).
    """
    from_web_ui = group_id is not None and id is not None
    if from_web_ui:
        group = Group.by_id(group_id)
        user = User.by_id(id)
        service = 'WEBUI'
    else:
        group = Group.by_name(kw['group_name'])
        user = User.by_user_name(kw['member_name'])
        service = 'XMLRPC'
    if group.membership_type == GroupMembershipType.ldap:
        raise GroupOwnerModificationForbidden('An LDAP group does not have an owner')
    actor = identity.current.user
    if not group.can_edit(actor):
        raise GroupOwnerModificationForbidden('You are not an owner of group %s' % group)
    if user not in group.users:
        raise GroupOwnerModificationForbidden('User is not a group member')
    sole_owner = len(group.owners()) == 1
    if sole_owner and not actor.is_admin():
        raise GroupOwnerModificationForbidden('Cannot remove the only owner')
    group.revoke_ownership(user=user, agent=actor, service=service)
    # hack to return the user removing this owner
    # so that if the user was logged in as a group
    # owner, he/she can be redirected appropriately
    return str(actor.user_id)
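def removeUser(self, group_id=None, id=None, **kw):
    """Remove the member with user id *id* from group *group_id* (web UI).

    Redirects with a flash message when the caller may not modify the
    membership, when can_remove_member() refuses, when *id* is not an
    integer, or when no such member exists. On success records a
    GroupActivity, sends the membership notification mail, flashes a
    confirmation and redirects to the group edit page.

    Fixes: the original referenced ``removed`` in the "No user" message,
    which is unbound when no member matched (an UnboundLocalError instead
    of a clean redirect), and it named the wrong object in that message.
    """
    actor = identity.current.user
    group = Group.by_id(group_id)
    if not group.can_modify_membership(actor):
        flash(_(u'You are not an owner of group %s' % group))
        redirect('../groups/mine')
    if not group.can_remove_member(actor, id):
        flash(_(u'Cannot remove member'))
        redirect('../groups/edit?group_id=%s' % group_id)
    # *id* comes from the request; a non-numeric value should not be a 500.
    try:
        target_id = int(id)
    except (TypeError, ValueError):
        target_id = None
    if target_id is None:
        flash(_(u'Invalid user id %s' % id))
        redirect('../groups/edit?group_id=%s' % group_id)
    # Iterate over a snapshot: the original removed from the live
    # collection while iterating it.
    for user in list(group.users):
        if user.user_id == target_id:
            group.users.remove(user)
            activity = GroupActivity(actor, u'WEBUI', u'Removed', u'User',
                                     user.user_name, u"")
            group.activity.append(activity)
            mail.group_membership_notify(user, group, agent=actor,
                                         action='Removed')
            flash(_(u"%s Removed" % user.display_name))
            redirect("../groups/edit?group_id=%s" % group_id)
    flash(_(u"No user %s in group %s" % (id, group.group_name)))
    raise redirect("../groups/edit?group_id=%s" % group_id)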
def grant_owner(self, group_id=None, id=None, **kw):
    """Make an existing member an owner of the group (association-row variant).

    Reached from the web UI with ``group_id``/``id`` (a user id), or via
    XML-RPC with ``group_name``/``member_name`` in *kw*; the ``service``
    written to the activity log says which path was taken.

    Raises GroupOwnerModificationForbidden when the group is an LDAP group,
    when the caller may not edit it, or when the target is not a member.
    Returns an empty string.
    """
    from_web_ui = group_id is not None and id is not None
    if from_web_ui:
        group = Group.by_id(group_id)
        user = User.by_id(id)
        service = 'WEBUI'
    else:
        group = Group.by_name(kw['group_name'])
        user = User.by_user_name(kw['member_name'])
        service = 'XMLRPC'
    if group.ldap:
        raise GroupOwnerModificationForbidden(
            'An LDAP group does not have an owner')
    actor = identity.current.user
    if not group.can_edit(actor):
        raise GroupOwnerModificationForbidden(
            'You are not an owner of the group %s' % group)
    if user not in group.users:
        raise GroupOwnerModificationForbidden('User is not a group member')
    # Flip the owner flag on this user's membership row(s); activity is only
    # recorded when the flag actually changes.
    for membership in group.user_group_assocs:
        if membership.user == user and not membership.is_owner:
            membership.is_owner = True
            group.record_activity(user=actor, service=service,
                                  field=u'Owner', action='Added',
                                  old=u'', new=user.user_name)
    return ''
def get_group_users(self, group_id=None, *args, **kw):
    """Return ``[(user_id, display_name), ...]`` for a group's members.

    For an unknown group id the lookup failure is logged, the HTTP status
    is set to 403 and a one-element list with an error string is returned
    instead.
    """
    try:
        group = Group.by_id(group_id)
    except DatabaseLookupError:
        log.exception('Group id %s is not a valid group id' % group_id)
        response.status = 403
        return ['Invalid Group Id']

    def as_pair(member):
        return (member.user_id, member.display_name)

    return list(map(as_pair, group.users))
def get_group_systems(self, group_id=None, *args, **kw):
    """Return ``[(system_id, fqdn), ...]`` for the systems in a group.

    For an unknown group id the lookup failure is logged, the HTTP status
    is set to 403 and a one-element list with an error string is returned
    instead.
    """
    try:
        group = Group.by_id(group_id)
    except NoResultFound:
        log.exception('Group id %s is not a valid group id' % group_id)
        response.status = 403
        return ['Invalid Group Id']

    def as_pair(system):
        return (system.id, system.fqdn)

    return list(map(as_pair, group.systems))
def systems(self, group_id=None, *args, **kw):
    """Render the system list page for one group.

    Redirects to ../groups/mine with a flash message when *group_id* is
    not a valid group; otherwise restricts System.all() for the current
    user to systems in this group and delegates rendering to
    Root._systems().
    """
    try:
        group = Group.by_id(group_id)
    except NoResultFound:
        log.exception('Group id %s is not a valid group id' % group_id)
        flash(_(u'Need a valid group to search on'))
        redirect('../groups/mine')
    visible = System.all(identity.current.user)
    in_group = visible.filter(System.groups.contains(group))
    page_title = 'Systems in Group %s' % group.group_name
    # Imported here (as in the original) to avoid a circular import.
    from bkr.server.controllers import Root
    return Root()._systems(in_group, page_title, group_id=group_id, **kw)
def get_group_systems(self, group_id=None, *args, **kw):
    """Return ``[(system_id, fqdn), ...]`` for a group's non-removed systems.

    Only systems visible to the current user via System.all() and whose
    status is not ``removed`` are included. For an unknown group id the
    lookup failure is logged, the HTTP status is set to 403 and a
    one-element list with an error string is returned instead.
    """
    try:
        group = Group.by_id(group_id)
    except DatabaseLookupError:
        log.exception('Group id %s is not a valid group id' % group_id)
        response.status = 403
        return ['Invalid Group Id']
    visible = System.all(identity.current.user)
    in_group = visible.filter(System.groups.contains(group))
    active = in_group.filter(System.status != SystemStatus.removed)

    def as_pair(system):
        return (system.id, system.fqdn)

    return list(map(as_pair, active))
def edit(self, group_id, **kw):
    """Render the group edit page; doubles as the read-only group view.

    Looks up the group, builds the member grid via show_members() and the
    system and permission grids. When the current user can edit the group,
    each system/permission row also gets a "Remove" control. Redirects to
    ../groups/mine with a flash message if *group_id* is not a valid group.
    """
    try:
        group = Group.by_id(group_id)
    except NoResultFound:
        log.exception('Group id %s is not a valid group id' % group_id)
        flash(_(u'Need a valid group to search on'))
        redirect('../groups/mine')
    members_grid = self.show_members(group)
    current_user = identity.current.user
    editable = group.can_edit(current_user) if current_user else False
    system_columns = [('System', lambda x: x.link)]
    permission_columns = [('Permission', lambda x: x.permission_name)]
    if editable:
        remove_form = DeleteLinkWidgetForm(
            action='removeSystem',
            hidden_fields=[widgets.HiddenField(name='group_id'),
                           widgets.HiddenField(name='id')],
            action_text=u'Remove')
        system_columns.append((' ', lambda x: remove_form.display(
            dict(group_id=group_id, id=x.id))))
        # The id attribute is interpolated unescaped; it carries the
        # permission's database id, which is assumed to be numeric.
        permission_columns.append((' ', lambda x: XML(
            '<a class="btn" href="#" id="remove_permission_%s"><i class="icon-remove"/> Remove</a>'
            % x.permission_id)))
    systems_grid = BeakerDataGrid(fields=system_columns)
    permissions_grid = BeakerDataGrid(name='group_permission_grid',
                                      fields=permission_columns)
    # NOTE(review): the group's root password is handed to the template;
    # whether it is shown to non-editors is decided there — confirm.
    return dict(
        form=self.group_form,
        system_form=self.group_system_form,
        user_form=self.group_user_form,
        group_edit_js=LocalJSLink('bkr', '/static/javascript/group_users_v2.js'),
        action='./save',
        system_action='./save_system',
        user_action='./save_user',
        options={},
        value=group,
        group_pw=group.root_password,
        usergrid=members_grid,
        systemgrid=systems_grid,
        disabled_fields=[],
        group_permissions=GroupPermissions(),
        group_form=self.permissions_form,
        group_permissions_grid=permissions_grid,
    )
def edit(self, group_id=None, group_name=None, **kw):
    """Render the group edit page; doubles as the read-only group view.

    Resolves the group by *group_id* (preferred) or *group_name*; with
    neither, or with an invalid value, redirects to ../groups/mine. Builds
    the member grid via show_members() and the permission grid; when the
    current user can edit the group each permission row also gets a
    "Remove" control.
    """
    if group_id is not None:
        try:
            group = Group.by_id(group_id)
        except DatabaseLookupError:
            log.exception('Group id %s is not a valid group id' % group_id)
            flash(_(u'Need a valid group to search on'))
            redirect('../groups/mine')
    elif group_name is not None:
        try:
            group = Group.by_name(group_name)
        except NoResultFound:
            log.exception('Group name %s is not a valid group name' % group_name)
            flash(_(u'Need a valid group to search on'))
            redirect('../groups/mine')
    else:
        redirect('../groups/mine')
    members_grid = self.show_members(group)
    current_user = identity.current.user
    editable = group.can_edit(current_user) if current_user else False
    permission_columns = [('Permission', lambda x: x.permission_name)]
    if editable:
        # The id attribute is interpolated unescaped; it carries the
        # permission's database id, which is assumed to be numeric.
        permission_columns.append((' ', lambda x: XML(
            '<a class="btn" href="#" id="remove_permission_%s"><i class="fa fa-times"/> Remove</a>'
            % x.permission_id)))
    permissions_grid = BeakerDataGrid(name='group_permission_grid',
                                      fields=permission_columns)
    # NOTE(review): the group's root password is handed to the template;
    # whether it is shown to non-editors is decided there — confirm.
    return dict(
        form=self.group_form,
        user_form=self.group_user_form,
        group_edit_js=LocalJSLink('bkr', '/static/javascript/group_users_v2.js'),
        action='./save',
        user_action='./save_user',
        options={},
        value=group,
        group_pw=group.root_password,
        usergrid=members_grid,
        disabled_fields=[],
        group_permissions=GroupPermissions(),
        group_form=self.permissions_form,
        group_permissions_grid=permissions_grid,
    )
def systems(self, group_id=None, *args, **kw):
    """Render the system list page for one group.

    Redirects to ../groups/mine with a flash message when *group_id* is
    not a valid group; otherwise restricts System.all() for the current
    user to this group's systems whose status is not ``removed`` and
    delegates rendering to Root._systems().
    """
    try:
        group = Group.by_id(group_id)
    except DatabaseLookupError:
        log.exception('Group id %s is not a valid group id' % group_id)
        flash(_(u'Need a valid group to search on'))
        redirect('../groups/mine')
    visible = System.all(identity.current.user)
    in_group = visible.filter(System.groups.contains(group))
    active = in_group.filter(System.status != SystemStatus.removed)
    page_title = 'Systems in Group %s' % group.group_name
    # Imported here (as in the original) to avoid a circular import.
    from bkr.server.controllers import Root
    return Root()._systems(active, page_title, group_id=group_id, **kw)
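def save_group_permissions(self, **kw):
    """Add a permission to a group (JSON-style endpoint).

    Reads ``kw['permissions']['text']`` (the permission name) and
    ``kw['group_id']`` from the submitted form. On any failure sets
    ``response.status = 403`` and returns a one-element list holding the
    error text; on success returns ``{'name': ..., 'id': ...}`` for the
    permission that was added.

    Note: the original looked the group up twice and, unlike
    remove_group_permission(), never checked that the caller may edit the
    group; both are fixed here. An access decorator may additionally guard
    this endpoint outside this view.
    """
    try:
        permission_name = kw['permissions']['text']
    except (KeyError, TypeError):
        # TypeError covers a scalar 'permissions' value being indexed.
        log.exception('Permission not submitted correctly')
        response.status = 403
        return ['Permission not submitted correctly']
    try:
        permission = Permission.by_name(permission_name)
    except NoResultFound:
        log.exception('Invalid permission: %s' % permission_name)
        response.status = 403
        return ['Invalid permission value']
    try:
        group_id = kw['group_id']
    except KeyError:
        log.exception('Group id not submitted')
        response.status = 403
        return ['No group id given']
    try:
        group = Group.by_id(group_id)
    except NoResultFound:
        log.exception('Group id %s is not a valid group id' % group_id)
        response.status = 403
        return ['Invalid Group Id']
    # Granting a permission is at least as sensitive as removing one, so
    # gate it the same way remove_group_permission() does.
    actor = identity.current.user
    if not group.can_edit(actor):
        log.warning('User %s does not have edit permissions for Group id %s',
                    actor.user_id, group_id)
        response.status = 403
        return ['You are not an owner of group %s' % group]
    if permission in group.permissions:
        response.status = 403
        return [
            '%s already exists in group %s'
            % (permission.permission_name, group.group_name)
        ]
    group.permissions.append(permission)
    return {'name': permission_name, 'id': permission.permission_id}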
def edit(self, group_id=None, group_name=None, **kw):
    """Render the group edit page; doubles as the read-only group view.

    Resolves the group by *group_id* (preferred) or *group_name*; with
    neither, or with an invalid value, redirects to ../groups/mine. Builds
    the member grid via show_members() and the permission grid; when the
    current user can edit the group each permission row also gets a
    "Remove" control.
    """
    if group_id is not None:
        try:
            group = Group.by_id(group_id)
        except DatabaseLookupError:
            log.exception('Group id %s is not a valid group id' % group_id)
            flash(_(u'Need a valid group to search on'))
            redirect('../groups/mine')
    elif group_name is not None:
        try:
            group = Group.by_name(group_name)
        except NoResultFound:
            log.exception('Group name %s is not a valid group name' % group_name)
            flash(_(u'Need a valid group to search on'))
            redirect('../groups/mine')
    else:
        redirect('../groups/mine')
    members_grid = self.show_members(group)
    current_user = identity.current.user
    editable = group.can_edit(current_user) if current_user else False
    permission_columns = [('Permission', lambda x: x.permission_name)]
    if editable:
        # The id attribute is interpolated unescaped; it carries the
        # permission's database id, which is assumed to be numeric.
        permission_columns.append((' ', lambda x: XML(
            '<a class="btn" href="#" id="remove_permission_%s"><i class="fa fa-times"/> Remove</a>'
            % x.permission_id)))
    permissions_grid = BeakerDataGrid(name='group_permission_grid',
                                      fields=permission_columns)
    # NOTE(review): the group's root password is handed to the template;
    # whether it is shown to non-editors is decided there — confirm.
    return dict(
        form=self.group_form,
        user_form=self.group_user_form,
        group_edit_js=LocalJSLink('bkr', '/static/javascript/group_users_v2.js'),
        action='./save',
        user_action='./save_user',
        options={},
        value=group,
        group_pw=group.root_password,
        usergrid=members_grid,
        disabled_fields=[],
        group_permissions=GroupPermissions(),
        group_form=self.permissions_form,
        group_permissions_grid=permissions_grid,
    )
def get_group_by_id_or_name():
    """
    Created for backwards compatibility. Will redirect to /groups/<group_name>.

    ``group_id`` wins when both query parameters are present; with neither,
    NotFound404 is raised.

    :queryparam group_id: Group's id.
    :queryparam group_name: Group's name.
    """
    params = request.args
    if 'group_id' in params:
        with convert_internal_errors():
            group = Group.by_id(params['group_id'])
    elif 'group_name' in params:
        group = _get_group_by_name(params['group_name'])
    else:
        raise NotFound404
    target = absolute_url(group.href)
    return flask_redirect(target)
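def save(self, group_id=None, display_name=None, group_name=None, ldap=False, root_password=None, **kwargs):
    """Apply the web UI edit form to an existing group.

    Redirects with a flash message when a non-admin sets *ldap*, when the
    group does not exist, when the caller may not edit it, or when
    *group_name* is already taken by a different group. Otherwise updates
    name, display name, ldap flag and root password through the group's
    setters (which record activity), rolling back and redirecting on a
    BeakerException.

    Changes from the original: the ``can_edit`` check now runs before the
    name-collision lookup, so a non-owner cannot use this form to probe
    which group names exist; the Python-2-only ``except X, err`` syntax is
    replaced by ``except X as err``.
    """
    user = identity.current.user
    if ldap and not user.is_admin():
        flash(_(u'Only admins can create LDAP groups'))
        redirect('mine')
    try:
        group = Group.by_id(group_id)
    except DatabaseLookupError:
        flash(_(u"Group %s does not exist." % group_id))
        redirect('mine')
    # Authorise first: everything below reveals or changes group state.
    if not group.can_edit(user):
        flash(_(u'You are not an owner of group %s' % group))
        redirect('../groups/mine')
    try:
        Group.by_name(group_name)
    except NoResultFound:
        pass
    else:
        # A hit is fine only if it is this group keeping its own name.
        if group_name != group.group_name:
            flash(_(u'Failed to update group %s: Group name already exists: %s'
                    % (group.group_name, group_name)))
            redirect('mine')
    # NOTE(review): only *setting* ldap is admin-gated above; a non-admin
    # owner can still clear the flag here — confirm that is intended.
    try:
        group.set_name(user, u'WEBUI', group_name)
        group.set_display_name(user, u'WEBUI', display_name)
        group.ldap = ldap
        group.set_root_password(user, u'WEBUI', root_password)
    except BeakerException as err:
        session.rollback()
        flash(_(u'Failed to update group %s: %s' % (group.group_name, err)))
        redirect('.')
    # NOTE(review): on success the original falls through here with no
    # flash/redirect visible in this view — confirm the handler continues.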
def remove(self, **kw):
    """Delete a group from the web UI (older variant).

    Refuses (flash + redirect to ../groups/mine) when the caller may not
    edit the group or when it has associated jobs. Otherwise deletes the
    group, logs a 'Removed' Activity for the group and a SystemActivity
    for each of its systems, flashes a confirmation and redirects.
    """
    actor = identity.current.user
    group = Group.by_id(kw['group_id'])

    def deny(message):
        flash(_(message))
        redirect('../groups/mine')

    if not group.can_edit(actor):
        deny(u'You are not an owner of group %s' % group)
    if group.jobs:
        deny(u'Cannot delete a group which has associated jobs')
    session.delete(group)
    session.add(Activity(actor, u'WEBUI', u'Removed', u'Group',
                         group.display_name, u""))
    for system in group.systems:
        session.add(SystemActivity(actor, u'WEBUI', u'Removed', u'Group',
                                   group.display_name, u"", object=system))
    flash(_(u"%s deleted") % group.display_name)
    raise redirect(".")
def save_system(self, **kw):
    """Add a system (by FQDN from ``kw['system']['text']``) to a group.

    Only a user who can edit the *system* may add it (see the comment
    below). Redirects with a flash message when that check fails or when
    the system is already in the group; otherwise appends it, records a
    GroupActivity and a SystemActivity, flashes "OK" and redirects to the
    group edit page.
    """
    actor = identity.current.user
    system = System.by_fqdn(kw['system']['text'], actor)
    # A system owner can add their system to a group, but a group owner
    # *cannot* add an arbitrary system to their group because that would
    # grant them extra privileges over it.
    if not system.can_edit(actor):
        flash(_(u'You do not have permission to edit system %s' % system))
        redirect('edit?group_id=%s' % kw['group_id'])
    group = Group.by_id(kw['group_id'])
    if group in system.groups:
        flash(_(u"System '%s' is already in group '%s'"
                % (system.fqdn, group.group_name)))
        redirect("./edit?group_id=%s" % kw['group_id'])
    group.systems.append(system)
    group.activity.append(GroupActivity(actor, u'WEBUI', u'Added', u'System',
                                        u"", system.fqdn))
    system.activity.append(SystemActivity(actor, u'WEBUI', u'Added', u'Group',
                                          u"", group.display_name))
    flash(_(u"OK"))
    redirect("./edit?group_id=%s" % kw.get('group_id'))
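def removeSystem(self, group_id=None, id=None, **kw):
    """Remove a system from a group (web UI).

    Either someone who can edit the group or someone who can edit the
    system may do this; the comment below explains why that is looser
    than save_system(). Records a GroupActivity and a SystemActivity,
    flashes a confirmation and redirects back to the group edit page.

    Fix: the original called ``group.systems.remove(system)`` without
    checking membership, which raises ValueError (an HTTP 500) for a
    system that is not in the group.
    """
    actor = identity.current.user
    group = Group.by_id(group_id)
    system = System.by_id(id, actor)
    # A group owner can remove a system from their group.
    # A system owner can remove their system from a group.
    # But note this is not symmetrical with adding systems.
    if not (group.can_edit(actor) or system.can_edit(actor)):
        flash(_(u'Not permitted to remove %s from %s') % (system, group))
        redirect('../groups/mine')
    if system not in group.systems:
        flash(_(u'System %s is not in group %s' % (system.fqdn, group.group_name)))
        raise redirect("./edit?group_id=%s" % group_id)
    group.systems.remove(system)
    group.activity.append(GroupActivity(actor, u'WEBUI', u'Removed', u'System',
                                        system.fqdn, u""))
    system.activity.append(SystemActivity(actor, u'WEBUI', u'Removed', u'Group',
                                          group.display_name, u""))
    flash(_(u"%s Removed" % system.fqdn))
    raise redirect("./edit?group_id=%s" % group_id)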
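def remove_group_permission(self, group_id, permission_id):
    """Remove a permission from a group (JSON-style endpoint).

    Returns ``['1']`` on success and ``['0']`` when the group or permission
    id is unknown or the permission is not held by the group. When the
    caller may not edit the group, sets ``response.status = 403`` and
    returns a one-element list with the refusal text.

    Fixes: ``log.exception`` was used outside any ``except`` block for the
    authorisation refusal (it would attach a meaningless traceback), and
    ``list.remove`` on a permission the group does not hold raised
    ValueError (an HTTP 500).
    """
    try:
        group = Group.by_id(group_id)
    except DatabaseLookupError:
        log.exception('Group id %s is not a valid Group to remove' % group_id)
        return ['0']
    actor = identity.current.user
    if not group.can_edit(actor):
        # A policy denial, not an error: log at warning level, lazily formatted.
        log.warning('User %s does not have edit permissions for Group id %s',
                    actor.user_id, group_id)
        response.status = 403
        return ['You are not an owner of group %s' % group]
    try:
        permission = Permission.by_id(permission_id)
    except NoResultFound:
        log.exception('Permission id %s is not a valid Permission to remove' % permission_id)
        return ['0']
    if permission not in group.permissions:
        # Nothing to remove; report failure the same way as an unknown id.
        return ['0']
    group.permissions.remove(permission)
    return ['1']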
def remove(self, **kw):
    """Delete a group from the web UI.

    Refuses (flash + redirect to ../groups/mine) when the group does not
    exist, when the caller may not edit it, when it is a protected group,
    or when it has associated jobs. Before deleting, records the access
    policy rules that vanish with the group; then logs a 'Removed'
    Activity for the group and a SystemActivity for each of its systems,
    flashes a confirmation and redirects.
    """
    actor = identity.current.user
    try:
        group = Group.by_id(kw['group_id'])
    except DatabaseLookupError:
        flash(unicode('Invalid group or already removed'))
        redirect('../groups/mine')

    def deny(message):
        flash(_(message))
        redirect('../groups/mine')

    if not group.can_edit(actor):
        deny(u'You are not an owner of group %s' % group)
    if group.is_protected_group():
        deny(u'This group %s is predefined and cannot be deleted' % group)
    if group.jobs:
        deny(u'Cannot delete a group which has associated jobs')
    # Record the access policy rules that will be removed
    # before deleting the group
    for rule in group.system_access_policy_rules:
        rule.record_deletion()
    session.delete(group)
    session.add(Activity(actor, u'WEBUI', u'Removed', u'Group',
                         group.display_name, u""))
    for system in group.systems:
        session.add(SystemActivity(actor, u'WEBUI', u'Removed', u'Group',
                                   group.display_name, u"", object=system))
    flash(_(u"%s deleted") % group.display_name)
    raise redirect(".")
def revoke_owner(self, group_id=None, id=None, **kw):
    """Take group ownership away from a member (association-row variant).

    Reached from the web UI with ``group_id``/``id`` or via XML-RPC with
    ``group_name``/``member_name`` in *kw*; ``service`` records which.

    Raises GroupOwnerModificationForbidden for LDAP groups, for callers
    who may not edit the group, for non-members, and when a non-admin
    tries to remove the last remaining owner. Returns the acting user's id
    as a string (see the trailing comment).
    """
    from_web_ui = group_id is not None and id is not None
    if from_web_ui:
        group = Group.by_id(group_id)
        user = User.by_id(id)
        service = 'WEBUI'
    else:
        group = Group.by_name(kw['group_name'])
        user = User.by_user_name(kw['member_name'])
        service = 'XMLRPC'
    if group.ldap:
        raise GroupOwnerModificationForbidden(
            'An LDAP group does not have an owner')
    actor = identity.current.user
    if not group.can_edit(actor):
        raise GroupOwnerModificationForbidden(
            'You are not an owner of group %s' % group)
    if user not in group.users:
        raise GroupOwnerModificationForbidden('User is not a group member')
    sole_owner = len(group.owners()) == 1
    if sole_owner and not actor.is_admin():
        raise GroupOwnerModificationForbidden(
            'Cannot remove the only owner')
    # Clear the owner flag on this user's membership row(s); activity is
    # only recorded when the flag actually changes.
    for membership in group.user_group_assocs:
        if membership.user == user and membership.is_owner:
            membership.is_owner = False
            group.record_activity(user=actor, service=service,
                                  field=u'Owner', action='Removed',
                                  old=user.user_name, new=u'')
    # hack to return the user removing this owner
    # so that if the user was logged in as a group
    # owner, he/she can be redirected appropriately
    return str(actor.user_id)
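def save(self, group_id=None, display_name=None, group_name=None, ldap=False, root_password=None, **kwargs):
    """Apply the web UI edit form to an existing group.

    Redirects with a flash message when a non-admin sets *ldap*, when the
    group does not exist, when the caller may not edit it, or when
    *group_name* is already taken by a different group. Otherwise updates
    name, display name, ldap flag and root password through the group's
    setters (which record activity), rolling back and redirecting on a
    BeakerException.

    Changes from the original: the ``can_edit`` check now runs before the
    name-collision lookup, so a non-owner cannot use this form to probe
    which group names exist; the Python-2-only ``except X, err`` syntax is
    replaced by ``except X as err``.
    """
    user = identity.current.user
    if ldap and not user.is_admin():
        flash(_(u'Only admins can create LDAP groups'))
        redirect('mine')
    try:
        group = Group.by_id(group_id)
    except DatabaseLookupError:
        flash(_(u"Group %s does not exist." % group_id))
        redirect('mine')
    # Authorise first: everything below reveals or changes group state.
    if not group.can_edit(user):
        flash(_(u'You are not an owner of group %s' % group))
        redirect('../groups/mine')
    try:
        Group.by_name(group_name)
    except NoResultFound:
        pass
    else:
        # A hit is fine only if it is this group keeping its own name.
        if group_name != group.group_name:
            flash(_(u'Failed to update group %s: Group name already exists: %s'
                    % (group.group_name, group_name)))
            redirect('mine')
    # NOTE(review): only *setting* ldap is admin-gated above; a non-admin
    # owner can still clear the flag here — confirm that is intended.
    try:
        group.set_name(user, u'WEBUI', group_name)
        group.set_display_name(user, u'WEBUI', display_name)
        group.ldap = ldap
        group.set_root_password(user, u'WEBUI', root_password)
    except BeakerException as err:
        session.rollback()
        flash(_(u'Failed to update group %s: %s' % (group.group_name, err)))
        redirect('.')
    # NOTE(review): on success the original falls through here with no
    # flash/redirect visible in this view — confirm the handler continues.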
def grant_owner(self, group_id=None, id=None, **kw):
    """Make an existing member an owner of the group.

    Reached from the web UI with ``group_id``/``id`` (a user id), or via
    XML-RPC with ``group_name``/``member_name`` in *kw*; ``service`` says
    which path was taken and is passed through to grant_ownership().

    Raises GroupOwnerModificationForbidden for LDAP groups, for callers
    who may not edit the group, and for non-members. Returns ''.
    """
    from_web_ui = group_id is not None and id is not None
    if from_web_ui:
        group = Group.by_id(group_id)
        user = User.by_id(id)
        service = 'WEBUI'
    else:
        group = Group.by_name(kw['group_name'])
        user = User.by_user_name(kw['member_name'])
        service = 'XMLRPC'
    if group.membership_type == GroupMembershipType.ldap:
        raise GroupOwnerModificationForbidden('An LDAP group does not have an owner')
    actor = identity.current.user
    if not group.can_edit(actor):
        raise GroupOwnerModificationForbidden('You are not an owner of the group %s' % group)
    if user not in group.users:
        raise GroupOwnerModificationForbidden('User is not a group member')
    group.grant_ownership(user=user, agent=actor, service=service)
    return ''
def remove(self, **kw):
    """Delete a group from the web UI.

    Refuses (flash + redirect to ../groups/mine) when the group does not
    exist, when the caller may not edit it, when it is a protected group,
    or when it has associated jobs. Before deleting, records the access
    policy rules that vanish with the group and hands any system pools the
    group owns over to the deleting user, then logs a 'Removed' Activity,
    flashes a confirmation and redirects.
    """
    actor = identity.current.user
    try:
        group = Group.by_id(kw['group_id'])
    except DatabaseLookupError:
        flash(unicode('Invalid group or already removed'))
        redirect('../groups/mine')

    def deny(message):
        flash(_(message))
        redirect('../groups/mine')

    if not group.can_edit(actor):
        deny(u'You are not an owner of group %s' % group)
    if group.is_protected_group():
        deny(u'This group %s is predefined and cannot be deleted' % group)
    if group.jobs:
        deny(u'Cannot delete a group which has associated jobs')
    # Record the access policy rules that will be removed
    # before deleting the group
    for rule in group.system_access_policy_rules:
        rule.record_deletion()
    # For any system pool owned by this group, unset owning_group
    # and set owning_user to the user deleting this group
    owned_pools = SystemPool.query.filter_by(owning_group_id=group.group_id)
    for pool in owned_pools:
        pool.change_owner(user=actor, service='WEBUI')
    session.delete(group)
    session.add(Activity(actor, u'WEBUI', u'Removed', u'Group',
                         group.display_name, u""))
    flash(_(u"%s deleted") % group.display_name)
    raise redirect(".")
def save_user(self, **kw):
    """Add a user to a group from the web UI form.

    Expects ``kw['user']['text']`` (a user name) and ``kw['group_id']``.
    Redirects with a flash message when the user name is unknown, when the
    caller may not modify membership, or when the user is already a
    member; otherwise appends the user, records a GroupActivity, sends the
    membership notification mail and redirects to the edit page.
    """
    requested_name = kw['user']['text']
    edit_page = "./edit?group_id=%s" % kw['group_id']
    user = User.by_user_name(requested_name)
    if user is None:
        flash(_(u"Invalid user %s" % requested_name))
        redirect(edit_page)
    group = Group.by_id(kw['group_id'])
    actor = identity.current.user
    if not group.can_modify_membership(actor):
        flash(_(u'You are not an owner of group %s' % group))
        redirect('../groups/mine')
    if user in group.users:
        flash(_(u"User %s is already in Group %s"
                % (user.user_name, group.group_name)))
        redirect(edit_page)
    group.users.append(user)
    group.activity.append(GroupActivity(actor, u'WEBUI', u'Added', u'User',
                                        u"", user.user_name))
    mail.group_membership_notify(user, group, agent=actor, action='Added')
    flash(_(u"OK"))
    redirect(edit_page)
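def removeSystem(self, group_id=None, id=None, **kw):
    """Remove a system from a group (web UI).

    Either someone who can edit the group or someone who can edit the
    system may do this; the comment below explains why that is looser
    than save_system(). Records a GroupActivity and, via
    system.record_activity(), a system-side entry, then flashes a
    confirmation and redirects back to the group edit page.

    Fix: the original called ``group.systems.remove(system)`` without
    checking membership, which raises ValueError (an HTTP 500) for a
    system that is not in the group.
    """
    actor = identity.current.user
    group = Group.by_id(group_id)
    system = System.by_id(id, actor)
    # A group owner can remove a system from their group.
    # A system owner can remove their system from a group.
    # But note this is not symmetrical with adding systems.
    if not (group.can_edit(actor) or system.can_edit(actor)):
        flash(_(u'Not permitted to remove %s from %s') % (system, group))
        redirect('../groups/mine')
    if system not in group.systems:
        flash(_(u'System %s is not in group %s' % (system.fqdn, group.group_name)))
        raise redirect("./edit?group_id=%s" % group_id)
    group.systems.remove(system)
    group.activity.append(GroupActivity(actor, u'WEBUI', u'Removed', u'System',
                                        system.fqdn, u""))
    system.record_activity(user=actor, service=u'WEBUI',
                           action=u'Removed', field=u'Group',
                           old=group.display_name, new=u"")
    flash(_(u"%s Removed" % system.fqdn))
    raise redirect("./edit?group_id=%s" % group_id)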
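def remove_group_permission(self, group_id, permission_id):
    """Remove a permission from a group (JSON-style endpoint).

    Returns ``['1']`` on success and ``['0']`` when the group or permission
    id is unknown or the permission is not held by the group. When the
    caller may not edit the group, sets ``response.status = 403`` and
    returns a one-element list with the refusal text.

    Fixes: ``log.exception`` was used outside any ``except`` block for the
    authorisation refusal (it would attach a meaningless traceback), and
    ``list.remove`` on a permission the group does not hold raised
    ValueError (an HTTP 500).
    """
    try:
        group = Group.by_id(group_id)
    except DatabaseLookupError:
        log.exception('Group id %s is not a valid Group to remove' % group_id)
        return ['0']
    actor = identity.current.user
    if not group.can_edit(actor):
        # A policy denial, not an error: log at warning level, lazily formatted.
        log.warning('User %s does not have edit permissions for Group id %s',
                    actor.user_id, group_id)
        response.status = 403
        return ['You are not an owner of group %s' % group]
    try:
        permission = Permission.by_id(permission_id)
    except NoResultFound:
        log.exception(
            'Permission id %s is not a valid Permission to remove' % permission_id)
        return ['0']
    if permission not in group.permissions:
        # Nothing to remove; report failure the same way as an unknown id.
        return ['0']
    group.permissions.remove(permission)
    return ['1']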
def save_system(self, **kw): try: with convert_db_lookup_error('No such system: %s' % kw['system']['text']): system = System.by_fqdn(kw['system']['text'], identity.current.user) except DatabaseLookupError, e: flash(unicode(e)) redirect("./edit?group_id=%s" % kw['group_id']) # A system owner can add their system to a group, but a group owner # *cannot* add an arbitrary system to their group because that would # grant them extra privileges over it. if not system.can_edit(identity.current.user): flash(_(u'You do not have permission to edit system %s' % system)) redirect('edit?group_id=%s' % kw['group_id']) group = Group.by_id(kw['group_id']) if group in system.groups: flash( _(u"System '%s' is already in group '%s'" % (system.fqdn, group.group_name))) redirect("./edit?group_id=%s" % kw['group_id']) group.systems.append(system) activity = GroupActivity(identity.current.user, u'WEBUI', u'Added', u'System', u"", system.fqdn) group.activity.append(activity) system.record_activity(user=identity.current.user, service=u'WEBUI', action=u'Added', field=u'Group', old=u"", new=group.display_name)