def make_survey_form():
if not check_permission(flask.session.get('username'),
Permissions.SURVEYS):
flask.abort(403)
return flask.render_template('survey_params.html',
groups=helpers.get_groups())
def get_manage_members_houses():
username = flask.session.get('username')
if not username: return ()
permissions = check_permission(username, set(ManageMembersPermissions))
return tuple(permission.name.title()
for permission in ManageMembersPermissions
if permission in permissions)
def login_submit():
"""Handle authentication."""
mask_and_user = flask.request.form.get('username', None)
password = flask.request.form.get('password', None)
# Need to take care of the case when masquerading occurs.
username = None
mask = None
if mask_and_user is not None:
# Check for the character to split.
if ':' in mask_and_user:
# If it's there, we assume the second part is a mask name.
split = mask_and_user.split(':')
if len(split) > 2:
flask.flash('You cannot specify multiple masks at once.')
return flask.redirect(flask.url_for('auth.login'))
username, mask = split
else:
username = mask_and_user
if username is not None and password is not None:
user_id = helpers.authenticate(username, password)
if user_id is not None:
if mask is not None:
# If the user doesn't have permission, refuse the attempt to masquerade.
if not auth_utils.check_permission(username, Permissions.MASK):
flask.flash('You do not have permission to masquerade.')
return flask.redirect(flask.url_for('auth.login'))
# Also check that the mask exists.
if not auth_utils.get_user_id(mask):
flask.flash('That person does not exist to mask.')
return flask.redirect(flask.url_for('auth.login'))
# If the user has mask permissions, give them the mask.
flask.session['username'] = mask
flask.current_app.logger.info(
f'User {username} is masquerading as {mask}')
else:
flask.session['username'] = username
flask.current_app.logger.info(f'User logged in: {username}')
# Update last login time
auth_utils.update_last_login(username)
# Return to previous page if in session
if 'next' in flask.session:
redirect_to = flask.session.pop('next')
return flask.redirect(redirect_to)
else:
return flask.redirect(flask.url_for('home'))
flask.current_app.logger.warn(
f'Invalid login attempt for user: {username}')
flask.flash('Incorrect username or password. Please try again!')
return flask.redirect(flask.url_for('auth.login'))
def restrict_edit_access(survey, allow_after_close):
username = flask.session.get('username')
if not check_permission(username, Permissions.SURVEYS):
flask.abort(403)
if not survey:
return 'Invalid access key'
if get_user_id(username) != survey['creator']:
return 'You are not the creator of this survey'
if not allow_after_close and survey['end_time'] < datetime.now():
return 'Cannot modify a survey after it has closed'
def list_surveys():
username = flask.session.get('username')
user_id = helpers.get_user_id(username)
has_surveys_perm = check_permission(username, Permissions.SURVEYS)
active_surveys = helpers.get_visible_surveys(user_id)
closed_surveys = helpers.get_closed_surveys(user_id)
return flask.render_template('list_surveys.html',
has_surveys_perm=has_surveys_perm,
active_surveys=active_surveys,
closed_surveys=closed_surveys)
def my_surveys():
if 'username' not in flask.session:
return flask.render_template('manage.html', logged_in=False)
if not check_permission(flask.session['username'], Permissions.SURVEYS):
flask.abort(403)
user_id = helpers.get_user_id(flask.session['username'])
my_surveys = helpers.get_my_surveys(user_id)
return flask.render_template('manage.html',
logged_in=True,
my_surveys=my_surveys)
def get_permission():
'''
Returns permissions list related to calendars
'''
permissions = auth_utils.check_permission(flask.session.get('username'),
set(cal_permissions.values()))
perms = {tag: perm in permissions for tag, perm in cal_permissions.items()}
# If they have edit permissions on anything, the events pages and stuff
# will show up.
perms['Any'] = bool(permissions)
return perms
def get_hidden_fields(viewer_name, viewee_id):
"""
Returns a set of strings corresponding to fields
on view_user page for viewee that viewer should not see
"""
if viewer_name is not None:
is_me = get_user_id(viewer_name) == viewee_id
if is_me or check_permission(
viewer_name, DirectoryPermissions.HIDDEN_SEARCH_FIELDS):
return set()
return HIDDEN_FIELDS
def set_resolved(group, id):
if group not in Groups:
return flask.abort(404)
# Authenticate
if not auth_utils.check_login() or not auth_utils.check_permission(
flask.session['username'], permissions[group].TOGGLE_RESOLVED):
return flask.abort(403)
complaint_id = helpers.get_id(group, id)
resolved = 'status' in flask.request.form
helpers.set_resolved(group, complaint_id, resolved)
return flask.redirect(
flask.url_for('feedback.feedback_view_complaint', group=group, id=id))
def feedback_remove_email(group, id):
if group not in Groups:
return flask.abort(404)
if 'username' not in flask.session or not auth_utils.check_permission(
flask.session['username'], permissions[group].ADD_REMOVE_EMAIL):
return flask.abort(403)
complaint_id = helpers.get_id(group, id)
if not complaint_id:
return flask.abort(400)
data = flask.request.form.getlist('emails')
for em in data:
helpers.remove_email(group, complaint_id, em)
return flask.redirect(
flask.url_for('feedback.feedback_view_complaint', group=group, id=id))
def can_manage(item):
"""
Returns whether the currently logged-in user can manage a given item.
Item may be {'user_id': int} or an item_id.
"""
username = flask.session.get('username')
if not username:
# Must be logged in to manage
return False
user_id = table_fetch(
'marketplace_items',
one=True,
fields=('user_id', ),
attrs={'item_id': item}) if type(item) == int else item['user_id']
return get_user_id(username) == user_id or check_permission(username, None)
def release_results(access_key):
if not check_permission(flask.session.get('username'),
Permissions.SURVEYS):
flask.abort(403)
survey = helpers.get_survey_data(access_key)
if not survey:
flask.flash('Invalid access key')
return list_surveys()
user_id = helpers.get_user_id(flask.session.get('username'))
if user_id != survey['creator']:
flask.flash('You are not the creator of this survey')
return list_surveys()
if datetime.now() < survey['end_time']:
flask.flash('Survey has not yet finished')
return list_surveys()
helpers.update_survey_params(survey['survey_id'], {'results_shown': True})
return flask.redirect(
flask.url_for('voting.show_results', access_key=access_key))
def feedback_view_summary(group):
if group not in Groups:
return flask.abort(404)
if 'username' not in flask.session or not auth_utils.check_permission(
flask.session['username'], permissions[group].SUMMARY):
return flask.abort(403)
# Get a list containing data for each post
if flask.request.method == 'POST':
view_unresolved = flask.request.form.get('unresolved')
else:
view_unresolved = True
complaints = helpers.get_posts(group, view_unresolved)
# Add links to each complaint
for complaint in complaints:
complaint['link'] = helpers.get_link(group, complaint['complaint_id'])
return flask.render_template(
'summary.html',
complaints=complaints,
group=group,
view_unresolved=view_unresolved)
def share_calendar(calendars, email, permission_level):
'''
Shares a set of calendars to a given email
'''
try:
for cal_name in calendars:
role = permission_level if auth_utils.check_permission(
flask.session['username'],
cal_permissions[cal_name]) else 'reader'
# Shares a calendar given the id and an email
rule = {
'scope': {
'type': 'user',
'value': email,
},
'role': role
}
created_rule = service.acl().insert(calendarId=cal_id[cal_name],
body=rule).execute()
query = """
INSERT INTO calendar_logs (user_id, calendar_id, calendar_gmail, user_gmail, acl_id, request_time, request_permission) VALUES
(%s, %s, %s, %s, %s, NOW(), %s)
"""
with flask.g.pymysql_db.cursor() as cursor:
cursor.execute(query, (auth_utils.get_user_id(
flask.session['username']), cal_name, cal_id[cal_name],
email, created_rule['id'], role))
return ''
except Exception as e:
calendar_names = ', '.join(calendars)
username = flask.session.get('username')
flask.current_app.logger.exception(
f'Error while sharing {calendar_names} calendars with {email} by {username}: {e}'
)
return e.get('message', e) if type(e) is dict else str(e)
def check_upload_permission():
"""
Checks if the user has upload permissions
"""
return check_login() and check_permission(flask.session['username'],
UploadPermissions.ABLE)
def test_check_permission(client):
assert auth_utils.check_permission('dqu', 1)
# always returns true for admins
assert auth_utils.check_permission('dqu', -1)
assert auth_utils.check_permission('ruddock_pres', 2)
assert not auth_utils.check_permission('csander', -1)
def process_params_request(editing, survey_id=None, access_key=None):
if not check_permission(
flask.session.get('username'), Permissions.SURVEYS):
flask.abort(403)
form = flask.request.form
def creation_error(message):
flask.flash(message)
return flask.render_template(
'survey_params.html',
editing=editing,
access_key=access_key,
groups=get_groups(),
title=form.get('title'),
description=form.get('description'),
start_date=form.get('start_date'),
start_hour=form.get('start_hour'),
start_minute=form.get('start_minute'),
start_period=form.get('start_period'),
end_date=form.get('end_date'),
end_hour=form.get('end_hour'),
end_minute=form.get('end_minute'),
end_period=form.get('end_period'),
public='public' in form,
group_id=form.get('group'))
validations = [
validate_exists(form, 'title'),
validate_exists(form, 'description'),
validate_exists(form, 'start_date')
and validate_date(form['start_date']),
validate_exists(form, 'start_hour')
and validate_int(form['start_hour'], 1, 12),
validate_exists(form, 'start_minute')
and validate_int(form['start_minute'], 0, 59),
validate_exists(form, 'start_period')
and validate_in(form['start_period'], AM_OR_PM),
validate_exists(form, 'end_date') and validate_date(form['end_date']),
validate_exists(form, 'end_hour')
and validate_int(form['end_hour'], 1, 12),
validate_exists(form, 'end_minute')
and validate_int(form['end_minute'], 0, 59),
validate_exists(form, 'end_period')
and validate_in(form['end_period'], AM_OR_PM),
validate_exists(form, 'group')
and (not form['group'] or validate_int(form['group']))
]
if not all(validations):
#Should only happen if a malicious request is sent,
#so error message is not important
return creation_error('Invalid form data')
start_day = datetime.strptime(form['start_date'], YYYY_MM_DD)
start_hour = int(form['start_hour']) % 12
if form['start_period'] == 'P': start_hour += 12
start_minute = int(form['start_minute'])
start = datetime(start_day.year, start_day.month, start_day.day,
start_hour, start_minute)
end_day = datetime.strptime(form['end_date'], YYYY_MM_DD)
end_hour = int(form['end_hour']) % 12
if form['end_period'] == 'P': end_hour += 12
end_minute = int(form['end_minute'])
end = datetime(end_day.year, end_day.month, end_day.day, end_hour,
end_minute)
if start >= end:
return creation_error('Start must be before end')
group = form['group']
group = int(group) if group else None
params = {
'title': form['title'].strip(),
'description': form['description'].strip() or None,
'start_time': start,
'end_time': end,
'public': 'public' in form,
'group_id': group
}
if survey_id:
update_survey_params(survey_id, params)
else:
access_key = generate_random_string(ACCESS_KEY_LENGTH)
params['access_key'] = access_key
params['creator'] = get_user_id(flask.session['username'])
query = 'INSERT INTO surveys (' + ', '.join(
params) + ') VALUES (' + ', '.join(['%s'] * len(params)) + ')'
with flask.g.pymysql_db.cursor() as cursor:
cursor.execute(query, list(params.values()))
return flask.redirect(
flask.url_for('voting.edit_questions', access_key=access_key))
def check_edit_page_permission():
"""
Checks if the user has permission to edit a page
"""
return auth_utils.check_login() and auth_utils.check_permission(
flask.session['username'], EditPermission.ABLE)
