def make_survey_form(): if not check_permission(flask.session.get('username'), Permissions.SURVEYS): flask.abort(403) return flask.render_template('survey_params.html', groups=helpers.get_groups())
def get_manage_members_houses(): username = flask.session.get('username') if not username: return () permissions = check_permission(username, set(ManageMembersPermissions)) return tuple(permission.name.title() for permission in ManageMembersPermissions if permission in permissions)
def login_submit(): """Handle authentication.""" mask_and_user = flask.request.form.get('username', None) password = flask.request.form.get('password', None) # Need to take care of the case when masquerading occurs. username = None mask = None if mask_and_user is not None: # Check for the character to split. if ':' in mask_and_user: # If it's there, we assume the second part is a mask name. split = mask_and_user.split(':') if len(split) > 2: flask.flash('You cannot specify multiple masks at once.') return flask.redirect(flask.url_for('auth.login')) username, mask = split else: username = mask_and_user if username is not None and password is not None: user_id = helpers.authenticate(username, password) if user_id is not None: if mask is not None: # If the user doesn't have permission, refuse the attempt to masquerade. if not auth_utils.check_permission(username, Permissions.MASK): flask.flash('You do not have permission to masquerade.') return flask.redirect(flask.url_for('auth.login')) # Also check that the mask exists. if not auth_utils.get_user_id(mask): flask.flash('That person does not exist to mask.') return flask.redirect(flask.url_for('auth.login')) # If the user has mask permissions, give them the mask. flask.session['username'] = mask flask.current_app.logger.info( f'User {username} is masquerading as {mask}') else: flask.session['username'] = username flask.current_app.logger.info(f'User logged in: {username}') # Update last login time auth_utils.update_last_login(username) # Return to previous page if in session if 'next' in flask.session: redirect_to = flask.session.pop('next') return flask.redirect(redirect_to) else: return flask.redirect(flask.url_for('home')) flask.current_app.logger.warn( f'Invalid login attempt for user: {username}') flask.flash('Incorrect username or password. Please try again!') return flask.redirect(flask.url_for('auth.login'))
def restrict_edit_access(survey, allow_after_close): username = flask.session.get('username') if not check_permission(username, Permissions.SURVEYS): flask.abort(403) if not survey: return 'Invalid access key' if get_user_id(username) != survey['creator']: return 'You are not the creator of this survey' if not allow_after_close and survey['end_time'] < datetime.now(): return 'Cannot modify a survey after it has closed'
def list_surveys(): username = flask.session.get('username') user_id = helpers.get_user_id(username) has_surveys_perm = check_permission(username, Permissions.SURVEYS) active_surveys = helpers.get_visible_surveys(user_id) closed_surveys = helpers.get_closed_surveys(user_id) return flask.render_template('list_surveys.html', has_surveys_perm=has_surveys_perm, active_surveys=active_surveys, closed_surveys=closed_surveys)
def my_surveys(): if 'username' not in flask.session: return flask.render_template('manage.html', logged_in=False) if not check_permission(flask.session['username'], Permissions.SURVEYS): flask.abort(403) user_id = helpers.get_user_id(flask.session['username']) my_surveys = helpers.get_my_surveys(user_id) return flask.render_template('manage.html', logged_in=True, my_surveys=my_surveys)
def get_permission(): ''' Returns permissions list related to calendars ''' permissions = auth_utils.check_permission(flask.session.get('username'), set(cal_permissions.values())) perms = {tag: perm in permissions for tag, perm in cal_permissions.items()} # If they have edit permissions on anything, the events pages and stuff # will show up. perms['Any'] = bool(permissions) return perms
def get_hidden_fields(viewer_name, viewee_id): """ Returns a set of strings corresponding to fields on view_user page for viewee that viewer should not see """ if viewer_name is not None: is_me = get_user_id(viewer_name) == viewee_id if is_me or check_permission( viewer_name, DirectoryPermissions.HIDDEN_SEARCH_FIELDS): return set() return HIDDEN_FIELDS
def set_resolved(group, id): if group not in Groups: return flask.abort(404) # Authenticate if not auth_utils.check_login() or not auth_utils.check_permission( flask.session['username'], permissions[group].TOGGLE_RESOLVED): return flask.abort(403) complaint_id = helpers.get_id(group, id) resolved = 'status' in flask.request.form helpers.set_resolved(group, complaint_id, resolved) return flask.redirect( flask.url_for('feedback.feedback_view_complaint', group=group, id=id))
def feedback_remove_email(group, id): if group not in Groups: return flask.abort(404) if 'username' not in flask.session or not auth_utils.check_permission( flask.session['username'], permissions[group].ADD_REMOVE_EMAIL): return flask.abort(403) complaint_id = helpers.get_id(group, id) if not complaint_id: return flask.abort(400) data = flask.request.form.getlist('emails') for em in data: helpers.remove_email(group, complaint_id, em) return flask.redirect( flask.url_for('feedback.feedback_view_complaint', group=group, id=id))
def can_manage(item): """ Returns whether the currently logged-in user can manage a given item. Item may be {'user_id': int} or an item_id. """ username = flask.session.get('username') if not username: # Must be logged in to manage return False user_id = table_fetch( 'marketplace_items', one=True, fields=('user_id', ), attrs={'item_id': item}) if type(item) == int else item['user_id'] return get_user_id(username) == user_id or check_permission(username, None)
def release_results(access_key): if not check_permission(flask.session.get('username'), Permissions.SURVEYS): flask.abort(403) survey = helpers.get_survey_data(access_key) if not survey: flask.flash('Invalid access key') return list_surveys() user_id = helpers.get_user_id(flask.session.get('username')) if user_id != survey['creator']: flask.flash('You are not the creator of this survey') return list_surveys() if datetime.now() < survey['end_time']: flask.flash('Survey has not yet finished') return list_surveys() helpers.update_survey_params(survey['survey_id'], {'results_shown': True}) return flask.redirect( flask.url_for('voting.show_results', access_key=access_key))
def feedback_view_summary(group): if group not in Groups: return flask.abort(404) if 'username' not in flask.session or not auth_utils.check_permission( flask.session['username'], permissions[group].SUMMARY): return flask.abort(403) # Get a list containing data for each post if flask.request.method == 'POST': view_unresolved = flask.request.form.get('unresolved') else: view_unresolved = True complaints = helpers.get_posts(group, view_unresolved) # Add links to each complaint for complaint in complaints: complaint['link'] = helpers.get_link(group, complaint['complaint_id']) return flask.render_template( 'summary.html', complaints=complaints, group=group, view_unresolved=view_unresolved)
def share_calendar(calendars, email, permission_level): ''' Shares a set of calendars to a given email ''' try: for cal_name in calendars: role = permission_level if auth_utils.check_permission( flask.session['username'], cal_permissions[cal_name]) else 'reader' # Shares a calendar given the id and an email rule = { 'scope': { 'type': 'user', 'value': email, }, 'role': role } created_rule = service.acl().insert(calendarId=cal_id[cal_name], body=rule).execute() query = """ INSERT INTO calendar_logs (user_id, calendar_id, calendar_gmail, user_gmail, acl_id, request_time, request_permission) VALUES (%s, %s, %s, %s, %s, NOW(), %s) """ with flask.g.pymysql_db.cursor() as cursor: cursor.execute(query, (auth_utils.get_user_id( flask.session['username']), cal_name, cal_id[cal_name], email, created_rule['id'], role)) return '' except Exception as e: calendar_names = ', '.join(calendars) username = flask.session.get('username') flask.current_app.logger.exception( f'Error while sharing {calendar_names} calendars with {email} by {username}: {e}' ) return e.get('message', e) if type(e) is dict else str(e)
def check_upload_permission(): """ Checks if the user has upload permissions """ return check_login() and check_permission(flask.session['username'], UploadPermissions.ABLE)
def test_check_permission(client): assert auth_utils.check_permission('dqu', 1) # always returns true for admins assert auth_utils.check_permission('dqu', -1) assert auth_utils.check_permission('ruddock_pres', 2) assert not auth_utils.check_permission('csander', -1)
def process_params_request(editing, survey_id=None, access_key=None): if not check_permission( flask.session.get('username'), Permissions.SURVEYS): flask.abort(403) form = flask.request.form def creation_error(message): flask.flash(message) return flask.render_template( 'survey_params.html', editing=editing, access_key=access_key, groups=get_groups(), title=form.get('title'), description=form.get('description'), start_date=form.get('start_date'), start_hour=form.get('start_hour'), start_minute=form.get('start_minute'), start_period=form.get('start_period'), end_date=form.get('end_date'), end_hour=form.get('end_hour'), end_minute=form.get('end_minute'), end_period=form.get('end_period'), public='public' in form, group_id=form.get('group')) validations = [ validate_exists(form, 'title'), validate_exists(form, 'description'), validate_exists(form, 'start_date') and validate_date(form['start_date']), validate_exists(form, 'start_hour') and validate_int(form['start_hour'], 1, 12), validate_exists(form, 'start_minute') and validate_int(form['start_minute'], 0, 59), validate_exists(form, 'start_period') and validate_in(form['start_period'], AM_OR_PM), validate_exists(form, 'end_date') and validate_date(form['end_date']), validate_exists(form, 'end_hour') and validate_int(form['end_hour'], 1, 12), validate_exists(form, 'end_minute') and validate_int(form['end_minute'], 0, 59), validate_exists(form, 'end_period') and validate_in(form['end_period'], AM_OR_PM), validate_exists(form, 'group') and (not form['group'] or validate_int(form['group'])) ] if not all(validations): #Should only happen if a malicious request is sent, #so error message is not important return creation_error('Invalid form data') start_day = datetime.strptime(form['start_date'], YYYY_MM_DD) start_hour = int(form['start_hour']) % 12 if form['start_period'] == 'P': start_hour += 12 start_minute = int(form['start_minute']) start = datetime(start_day.year, start_day.month, start_day.day, start_hour, start_minute) end_day = datetime.strptime(form['end_date'], YYYY_MM_DD) end_hour = int(form['end_hour']) % 12 if form['end_period'] == 'P': end_hour += 12 end_minute = int(form['end_minute']) end = datetime(end_day.year, end_day.month, end_day.day, end_hour, end_minute) if start >= end: return creation_error('Start must be before end') group = form['group'] group = int(group) if group else None params = { 'title': form['title'].strip(), 'description': form['description'].strip() or None, 'start_time': start, 'end_time': end, 'public': 'public' in form, 'group_id': group } if survey_id: update_survey_params(survey_id, params) else: access_key = generate_random_string(ACCESS_KEY_LENGTH) params['access_key'] = access_key params['creator'] = get_user_id(flask.session['username']) query = 'INSERT INTO surveys (' + ', '.join( params) + ') VALUES (' + ', '.join(['%s'] * len(params)) + ')' with flask.g.pymysql_db.cursor() as cursor: cursor.execute(query, list(params.values())) return flask.redirect( flask.url_for('voting.edit_questions', access_key=access_key))
def check_edit_page_permission(): """ Checks if the user has permission to edit a page """ return auth_utils.check_login() and auth_utils.check_permission( flask.session['username'], EditPermission.ABLE)