def default_sharing(self, id):
"""Change a user's default sharing.
.. :quickref: User; Change default sharing
When used on another user account, requires the `manage_users` permission.
:param id: user id.
:>json User user: modified user.
"""
self.ensure_permission(id)
user = User(get_or_404(User.get_collection(), _id=id))
groups = request.form.get('groups', '').split(',')
for group in groups:
if group in user['groups']:
break
else:
flash('You have to at least keep one of your groups.', 'danger')
return redirect(request.referrer)
user.update_value('default_sharing', groups)
return redirect({'user': clean_users(user)}, request.referrer)
def update(self, id):
"""Update a user.
.. :quickref: User; Update existing user
Requires the `manage_users` permission.
When succesful, the new user will be returned in the ``user`` field.
Otherwise, an ``errors`` field will list errors.
:form name: full name
:form email: email address
:form groups: comma-delimited list of groups
:form permission_VALUE: specify a value different than ``0`` or ``False``
for all permissions the user should have.
"""
name = request.form.get('name')
email = request.form.get('email').lower()
groups = [g for g in request.form.get('groups', '').split(',') if g]
user = User(get_or_404(User.get_collection(), _id=id))
if not self._valid_form(name, email, groups, user['email']):
return validation_error()
user['name'] = name
user['email'] = email
user['groups'] = groups
user['permissions'] = self.get_permissions(user['permissions'])
user.save()
return redirect({'user': clean_users(user)},
url_for('UsersView:get', id=user['_id']))
def get(self, id):
"""Get a user.
.. :quickref: User; Get a user
The user is returned in the ``user`` field.
:param id: user id
:>json ObjectId _id: user's ObjectId.
:>json string name: full name.
:>json string: email address.
:>json boolean enabled: ``True`` if the user is enabled.
:>json list groups: list of groups the user belongs to.
:>json list default_sharing: list of groups used by the user as default sharing preferences.
:>json list permissions: list of user's permissions
"""
self.ensure_permission(id)
user = User(get_or_404(User.get_collection(), _id=id))
return render(
{
'user': clean_users(user),
'permissions': dispatcher.permissions
}, 'users/profile.html')
def get_or_create_user(saml_name_id, saml_user_data):
user = User.get(saml_name_id=saml_name_id)
if user:
return user_if_enabled(user)
return create_user(saml_name_id, saml_user_data)
def disable(self, id):
"""Disable a user.
.. :quickref: User; Disable a user
Requires the `manage_users` permission.
:param id: user id.
:>json User user: modified user.
"""
user = User(get_or_404(User.get_collection(), _id=id))
user.update_value('enabled', False)
return redirect({'user': clean_users(user)},
url_for('UsersView:index'))
def connect_to_db(**kwargs):
fame_init()
from fame.core.user import User
worker_user = User.get(email="worker@fame")
if worker_user:
fame_config.api_key = worker_user['api_key']
def password_reset_form():
email_server = EmailServer(TEMPLATES_DIR)
if email_server.is_connected:
if request.method == 'POST':
email = request.form.get('email')
if not email:
flash('You have to specify an email address', 'danger')
else:
user = User.get(email=email)
if user:
token = password_reset_token(user)
reset_url = urljoin(fame_config.fame_url, url_for('auth.password_reset', token=token))
msg = email_server.new_message_from_template("Reset your FAME account's password.", 'mail_reset_password.html', {'user': user, 'url': reset_url})
msg.send([user['email']])
flash('A password reset link was sent.')
return redirect('/login')
return render_template('password_reset_form.html')
else:
flash('Functionnality unavailable. Contact your administrator', 'danger')
return redirect('/login')
def api_auth(request):
api_key = request.headers.get('X-API-KEY')
user = User.get(api_key=api_key)
if user:
user.is_api = True
return user_if_enabled(user)
def create_user(name,
email,
groups,
default_sharing,
permissions,
password=None):
user = User.get(email=email.lower())
if user:
print "/!\ User with this email address already exists."
else:
user = User({
'name': name,
'email': email.lower(),
'groups': groups,
'default_sharing': default_sharing,
'permissions': permissions,
'enabled': True
})
if password:
user['pwd_hash'] = generate_password_hash(password)
user.save()
print "[+] User created."
user.generate_avatar()
print "[+] Downloaded avatar."
return user
def password_reset(token):
try:
user_id = validate_password_reset_token(token)
except BadTimeSignature:
flash('Invalid token', 'danger')
return redirect('/login')
except SignatureExpired:
flash('Expired token', 'danger')
return redirect('/login')
if request.method == 'POST':
password = request.form.get('password', '')
confirm = request.form.get('password_confirmation', '')
if valid_new_password(password, confirm):
user = User(get_or_404(User.get_collection(), _id=user_id))
change_password(user, password)
flash('Password was successfully changed.', 'success')
return redirect('/login')
return render_template('password_reset.html')
def create(self):
"""Create a user.
.. :quickref: User; Create new user
Requires the `manage_users` permission.
When succesful, the new user will be returned in the ``user`` field.
Otherwise, an ``errors`` field will list errors.
:form name: full name
:form email: email address
:form groups: comma-delimited list of groups
:form permission_VALUE: specify a value different than ``0`` or ``False``
for all permissions the user should have.
"""
name = request.form.get('name')
email = request.form.get('email').lower()
groups = [g for g in request.form.get('groups', '').split(',') if g]
if not self._valid_form(name, email, groups):
return validation_error()
user = User({
'name': name,
'email': email.lower(),
'groups': groups,
'default_sharing': groups,
'permissions': self.get_permissions(),
'enabled': True
})
if not auth_module.create_user(user):
return validation_error()
user.save()
return redirect({'user': clean_users(user)},
url_for('UsersView:index'))
def authenticate(email, password):
user = User.get(email=email.lower())
if user_if_enabled(user):
if 'pwd_hash' in user:
if check_password_hash(user['pwd_hash'], password):
if 'auth_token' not in user:
user.update_value('auth_token', auth_token(user))
login_user(user)
return user
return None
def create_user_for_worker(context):
from fame.core.user import User
from web.auth.user_password.user_management import create_user
worker_user = User.get(email="worker@fame")
if worker_user:
print "[+] User for worker already created."
else:
print "[+] Creating user for worker ..."
worker_user = create_user("FAME Worker", "worker@fame", ["*"], ["*"], ["worker"])
context['api_key'] = worker_user['api_key']
def _valid_form(self, name, email, groups, previous_email=None):
for var in ['name', 'email', 'groups']:
if not locals()[var]:
flash('"{}" is required'.format(var), 'danger')
return False
if (previous_email is None) or (previous_email != email):
existing_user = User.get_collection().find_one({'email': email})
if existing_user:
flash('User with email "{}" already exists.'.format(email),
'danger')
return False
return True
def get_or_create_user():
user = User.get(email="admin@fame")
if not user:
user = User({
'name': "admin",
'email': "admin@fame",
'groups': ['admin', '*'],
'default_sharing': ['admin'],
'permissions': ['*'],
'enabled': True
})
user.save()
user.generate_avatar()
return user
def authenticate(email, password):
ldap_user = ldap_authenticate(email, password)
if not ldap_user:
# user not found in LDAP, update local user object accordingly (if existent)
user = User.get(email=email)
if user:
print(("Disabling user {}: not available in LDAP".format(email)))
user.update_value('enabled', False)
return user
user = update_or_create_user(ldap_user)
if user:
login_user(user)
return user
def index(self):
"""Get all users.
.. :quickref: User; Get the list of users
Requires the `manage_users` permission.
The result is in the ``users`` field.
:>jsonarr ObjectId _id: user's ObjectId.
:>jsonarr string name: full name.
:>jsonarr string: email address.
:>jsonarr boolean enabled: ``True`` if the user is enabled.
:>jsonarr list groups: list of groups the user belongs to.
:>jsonarr list default_sharing: list of groups used by the user as default sharing preferences.
:>jsonarr list permissions: list of user's permissions
"""
users = {"users": clean_users(list(User.find()))}
return render(users, 'users/index.html')
def create_user(saml_name_id, saml_user_data):
role = saml_user_data[ROLE_KEY][0]
user = User({
'saml_name_id': saml_name_id,
'name': saml_name_id,
'groups': ROLE_MAPPING[role]['groups'],
'default_sharing': ROLE_MAPPING[role]['default_sharing'],
'permissions': ROLE_MAPPING[role]['permissions'],
'enabled': True
})
user.save()
user.generate_avatar()
return user
def update_or_create_user(ldap_user):
user = User.get(email=ldap_user['mail'])
if user:
# update groups
groups = get_mapping(ldap_user['groups'], "groups")
user.update_value('groups', groups)
# update default sharings
default_sharing = get_mapping(ldap_user['groups'], "default_sharing")
user.update_value('default_sharing', default_sharing)
# update permissions
permissions = get_mapping(ldap_user["groups"], "permissions")
user.update_value('permissions', permissions)
# enable/disable user
user.update_value('enabled', ldap_user['enabled'])
return user_if_enabled(user)
return create_user(ldap_user)
def create_user(ldap_user):
groups = get_mapping(ldap_user['groups'], "groups")
default_sharing = get_mapping(ldap_user['groups'], "default_sharing")
permissions = get_mapping(ldap_user["groups"], "permissions")
user = User({
'name': ldap_user['name'],
'email': ldap_user['mail'],
'enabled': ldap_user['enabled'],
'groups': groups,
'default_sharing': default_sharing,
'permissions': permissions,
})
user.save()
user.generate_avatar()
return user
def reset_api(self, id):
"""Reset a user's API key.
.. :quickref: User; Reset API key
When used on another user account, requires the `manage_users` permission.
:param id: user id.
:>json User user: modified user.
"""
self.ensure_permission(id)
user = User(get_or_404(User.get_collection(), _id=id))
user.update_value('api_key', User.generate_api_key())
return redirect({'user': clean_users(user)}, request.referrer)
def load_user(token):
return user_if_enabled(User.get(auth_token=token))
def load_user(user_id):
return user_if_enabled(User.get(_id=ObjectId(user_id)))
