コード例 #1
0
	def delete(self, request: 'th_Request') -> responses.Response:
		validator = validation.Dict({
			"room_id": validation.Integer(),
			"user_id": validation.Integer()
		}, allow_undefined_keys=not self._strict_requests)
		try:
			# Validation
			try: validator.validate(request.body)
			except validation.Error as ve: return responses.Unprocessable(ve.errors)

			room_id = request.body["room_id"]
			user_id = request.body["user_id"]

			# Query for authorization
			try:
				orm_room = self._m_rooms.get(room_id)
			except NoResultFound: return responses.NotFoundByID("room_id")

			# Authorization
			auth_response = self._s_auth.authorize(Action.ROOMS_USERS_DELETE, request.user, orm_room.user_id)
			if not isinstance(auth_response, responses.OKEmpty): return auth_response

			# Query
			try:
				self._m_rooms_users.delete(room_id, user_id)
				return responses.OKEmpty()
			except NoResultFound: return responses.NotFoundByID("user_id")
		except SQLAlchemyError as sqlae:
			return responses.DatabaseException(sqlae)
コード例 #2
0
    def delete_self(self, request: 'th_Request'):
        validator = validation.Dict(
            {},
            allow_none=True,
            allow_empty=True,
            allow_all_defined_keys_missing=True,
            allow_undefined_keys=not self._strict_requests)
        try:
            # Validation
            try:
                validator.validate(request.body)
            except validation.Error as ve:
                return responses.Unprocessable(ve.errors)

            # Authorization
            auth_response = self._s_auth.authorize(Action.USERS_DELETE_SELF,
                                                   request.user)
            if not isinstance(auth_response, responses.OKEmpty):
                return auth_response

            # Get the user's ID from request (Which gets it's user info from a token)
            if not isinstance(request.user, Registered):
                return responses.UnauthorizedNotLoggedIn()
            user: Registered = request.user

            # Query
            try:
                self._m_users.delete(user.user_id)
                return responses.OKEmpty()
            except NoResultFound:
                return responses.NotFoundByID("user_id")
        except SQLAlchemyError as sqlae:
            return responses.DatabaseException(sqlae)
コード例 #3
0
	def update(self, request: 'th_Request') -> responses.Response:
		validator = validation.Dict({
			"user_id": validation.Integer(),
			"reason": validation.String(length_min=orm.UsersBans.REASON_LEN_MIN, length_max=orm.UsersBans.REASON_LEN_MAX)
		}, allow_undefined_keys=not self._strict_requests)
		try:
			# Validation
			try: validator.validate(request.body)
			except validation.Error as ve: return responses.Unprocessable(ve.errors)

			user_id = request.body["user_id"]

			# Query for authorization
			try: orm_user_ban = self._m_users_bans.get(user_id)
			except NoResultFound: return responses.NotFoundByID("user_id")

			# Authorization
			auth_response = self._s_auth.authorize(Action.USERS_BANS_UPDATE, request.user, orm_user_ban.banner_id)
			if not isinstance(auth_response, responses.OKEmpty): return auth_response

			# Query
			try:
				self._m_users_bans.update(user_id, request.body["reason"])
				return responses.OKEmpty()
			except NoResultFound: return responses.NotFoundByID("user_id")
		except SQLAlchemyError as sqlae:
			return responses.DatabaseException(sqlae)
コード例 #4
0
	def update(self, request: 'th_Request') -> responses.Response:
		validator = validation.Dict({
			"room_id": validation.Integer(),
			"title": validation.String(length_min=orm.Rooms.TITLE_LEN_MIN, length_max=orm.Rooms.TITLE_LEN_MAX),
		})
		try:
			# Validation
			try: validator.validate(request.body)
			except validation.Error as ve: return responses.Unprocessable(ve.errors)

			room_id = request.body["room_id"]

			# Query for authorization
			try: orm_room = self._m_rooms.get(room_id)
			except NoResultFound: return responses.NotFoundByID("room_id")

			# Authorization
			auth_response = self._s_auth.authorize(Action.ROOMS_UPDATE_TITLE, request.user, orm_room.user_id)
			if not isinstance(auth_response, responses.OKEmpty): return auth_response

			try:
				self._m_rooms.update(room_id, request.body["title"])
				return responses.OKEmpty()
			except NoResultFound: return responses.NotFoundByID("room_id")
		except SQLAlchemyError as sqlae:
			return responses.DatabaseException(sqlae)
コード例 #5
0
ファイル: auth.py プロジェクト: jonpet6/STPP
	def authorize(
			self,
			actions: typing.Union['th_Action', typing.List['th_Action']],
			user: '******',
			allowed_ids: typing.Union[int, typing.List[int]] = None
		) -> responses.Response:
		if not isinstance(actions, list):
			actions = [actions]
		# Can the user execute the given actions?
		if all([action in user.role.actions for action in actions]):
			return responses.OKEmpty()
		# The action can now be only executed by allowed user ids
		# Does this user have a user id?
		if not isinstance(user, Registered):
			return responses.UnauthorizedNotLoggedIn()
		# Are there any ids allowed?
		if allowed_ids is not None:
			if not isinstance(allowed_ids, list):
				allowed_ids = [allowed_ids]
			# Is user one of them?
			if user.user_id in allowed_ids:
				return responses.OKEmpty()
		return responses.Forbidden()
コード例 #6
0
    def update(self, request: 'th_Request') -> responses.Response:
        validator = validation.Dict(
            {
                "post_id":
                validation.Integer(),
                "content":
                validation.String(length_min=orm.Posts.CONTENT_LEN_MIN,
                                  length_max=orm.Posts.CONTENT_LEN_MAX)
            },
            allow_undefined_keys=not self._strict_requests)
        try:
            # Validation
            try:
                validator.validate(request.body)
            except validation.Error as ve:
                return responses.Unprocessable(ve.errors)

            post_id = request.body["post_id"]

            # Query for authorization
            try:
                orm_post = self._m_posts.get(post_id)
            except NoResultFound:
                return responses.NotFoundByID("post_id")

            # Authorization
            auth_response = self._s_auth.authorize(Action.POSTS_UPDATE,
                                                   request.user,
                                                   orm_post.user_id)
            if not isinstance(auth_response, responses.OKEmpty):
                return auth_response

            # TODO
            # Also possible to revoke update access to the user on lost access to the room
            # What about banned room checks

            try:
                self._m_posts.update(post_id, request.body["content"])
                return responses.OKEmpty()
            except NoResultFound:
                return responses.NotFoundByID("post_id")
        except SQLAlchemyError as sqlae:
            return responses.DatabaseException(sqlae)
コード例 #7
0
    def delete(self, request: 'th_Request') -> responses.Response:
        validator = validation.Dict(
            {
                "post_id": validation.Integer(),
            },
            allow_undefined_keys=not self._strict_requests)
        try:
            # Validation
            try:
                validator.validate(request.body)
            except validation.Error as ve:
                return responses.Unprocessable(ve.errors)

            post_id = request.body["post_id"]

            # Query for authorization
            try:
                orm_post = self._m_posts.get(post_id)
            except NoResultFound:
                return responses.NotFoundByID("post_id")

            # Authorization
            auth_response = self._s_auth.authorize(Action.POSTS_DELETE,
                                                   request.user,
                                                   orm_post.user_id)
            if not isinstance(auth_response, responses.OKEmpty):
                return auth_response

            # Also possible to revoke delete access to the user on lost access to the room
            # what about bans

            try:
                self._m_posts.delete(post_id)
                return responses.OKEmpty()
            except NoResultFound:
                return responses.NotFoundByID("post_id")
        except SQLAlchemyError as sqlae:
            return responses.DatabaseException(sqlae)
コード例 #8
0
    def update(self, request: 'th_Request') -> responses.Response:
        validator = validation.Dict(
            {
                "user_id":
                validation.Integer(),
                "role":
                validation.Integer(allow_none=True),
                "login":
                validation.String(allow_none=True,
                                  length_min=orm.Users.LOGIN_LEN_MIN,
                                  length_max=orm.Users.LOGIN_LEN_MAX),
                "name":
                validation.String(allow_none=True,
                                  length_min=orm.Users.NAME_LEN_MIN,
                                  length_max=orm.Users.NAME_LEN_MAX),
                "password":
                validation.String(allow_none=True,
                                  length_min=orm.Users.PASSWORD_LEN_MIN,
                                  length_max=orm.Users.PASSWORD_LEN_MAX)
            },
            allow_undefined_keys=not self._strict_requests)
        try:
            # Validation
            try:
                validator.validate(request.body)
            except validation.Error as ve:
                return responses.Unprocessable(ve.errors)

            user_id = request.body["user_id"]

            # Authorization (certain attributes)
            if "name" in request.body:
                # Authorize name change
                auth_response = self._s_auth.authorize(
                    Action.USERS_UPDATE_NAME, request.user, user_id)
                if not isinstance(auth_response, responses.OKEmpty):
                    return auth_response
            if "role" in request.body:
                # Authorize role change
                auth_response = self._s_auth.authorize(
                    Action.USERS_UPDATE_ROLE, request.user, None)
                if not isinstance(auth_response, responses.OKEmpty):
                    return auth_response
            if "login" in request.body or "password" in request.body:
                # Authorize credential change
                auth_response = self._s_auth.authorize(
                    Action.USERS_UPDATE_CRED, request.user, user_id)
                if not isinstance(auth_response, responses.OKEmpty):
                    return auth_response

            # Hash password
            try:
                passhash = None if "password" not in request.body else self._password_hasher.hash(
                    request.body["password"])
            except HashingError as he:
                return responses.InternalException(
                    he, {"password": ["Could not be hashed"]})

            # Query
            try:
                self._m_users.update(user_id, request.body.get("role"),
                                     request.body.get("login"),
                                     request.body.get("name"), passhash)
                return responses.OKEmpty()
            except IntegrityError:
                return responses.ConflictID("login")
            except NoResultFound:
                return responses.NotFoundByID("user_id")
        except SQLAlchemyError as sqlae:
            return responses.DatabaseException(sqlae)