def wrapper(*args, **kwargs): try: verify_jwt_in_request() except (CSRFError, FreshTokenRequired, InvalidHeaderError, NoAuthorizationError, UserLoadError) as ex: if request.remote_addr != '127.0.0.1': raise ex return fn(*args, **kwargs)
def jwt_secure_check(arg): logging.info("Rest_API_Plugin.jwt_token_secure() called") if _get_user().is_anonymous is False and rbac_authentication_enabled is True: return func(arg) elif rbac_authentication_enabled is False: return func(arg) else: verify_jwt_in_request() return jwt_required(func(arg))
def wrapper(*args, **kwargs): verify_jwt_in_request() try: claims = get_jwt() roles = claims["roles"] if role_name not in roles and not optional: raise NoAuthorizationError except KeyError as e: raise MissingRequiredClaimError("roles") return fn(*args, **kwargs)
def verify_permissions_in_claims(required_permissions): """ Ensure that the requester has been granted the permissions. Raises a Forbidden exception if the requester does not have sufficient permissions to proceed. """ verify_jwt_in_request() jwt = get_jwt() # Check that the permission claims contain all the required permissions if not all(perm in jwt["permissions"] for perm in required_permissions): raise Forbidden(description="Insufficient permissions")
def get(self): try: verify_jwt_in_request() active_session_token = get_jwt()["jti"] Session.get(token=active_session_token).update(active=False, ignore_none=True, persist=True) except CSRFError: pass response: Response = jsonify({"message": "User logged out!"}) response.delete_cookie("csrftoken") unset_jwt_cookies(response) return response
def resolve_sign(self, info): result = verify_jwt_in_request(True) user_id = get_jwt_identity() if self.owner_id == user_id: timestamp = int((datetime.now() + timedelta(days=STREAM_EXPIRY_DAYS)).timestamp()) payload = "/live/{0}-{1}-{2}".format(self.file_location, timestamp, STREAM_KEY) hashvalue = hashlib.md5(payload.encode('utf-8')).hexdigest() return "{0}-{1}".format(timestamp, hashvalue) return ''
def resolve_permission(self, info): result = verify_jwt_in_request(True) user_id = get_jwt_identity() if not user_id: return "audience" if self.owner_id == user_id: return 'owner' player_access = self.attributes.filter( StageAttributeModel.name == 'playerAccess').first() if player_access: accesses = json.loads(player_access.description) if len(accesses) == 2: if user_id in accesses[0]: return "player" elif user_id in accesses[1]: return "editor" return "audience"
def get_query(cls, model, info, sort=None, **args): query = super(AssetConnectionField, cls).get_query(model, info, sort, **args) result = verify_jwt_in_request(True) user_id = get_jwt_identity() query = query.filter( or_( AssetModel.copyright_level < 3, AssetModel.copyright_level == 3 and AssetModel.owner_id == user_id)) for field, value in args.items(): if field == 'id': _type, _id = from_global_id(value) query = query.filter(getattr(model, field) == _id) elif field == 'media_types': if len(value): query = query.filter( getattr(model, 'asset_type').has( AssetTypeModel.name.in_(value))) elif field == 'owners': if len(value): query = query.filter( getattr(model, 'owner').has(UserModel.username.in_(value))) elif field == 'stages': if len(value): query = query\ .join(ParentStage, AssetModel.stages)\ .filter(ParentStage.stage_id.in_(value)) elif field == 'tags': if len(value): query = query\ .join(MediaTag, AssetModel.tags)\ .join(Tag, MediaTag.tag)\ .filter(Tag.name.in_(value)) elif field == 'created_between': if len(value) == 2: query = query\ .filter(AssetModel.created_on >= value[0])\ .filter(AssetModel.created_on <= value[1]) elif len(field) > 5 and field[-4:] == 'like': query = query.filter( getattr(model, field[:-5]).ilike(f"%{value}%")) elif field not in cls.RELAY_ARGS and hasattr(model, field): query = query.filter(getattr(model, field) == value) return query
def resolve_permission(self, info): result = verify_jwt_in_request(True) user_id = get_jwt_identity() if not user_id: return "none" if self.owner_id == user_id: return 'owner' if not self.asset_license or self.asset_license.level == 0: return "editor" if self.asset_license.level == 3: return "none" player_access = self.asset_license.permissions if player_access: accesses = json.loads(player_access) if len(accesses) == 2: if user_id in accesses[0]: return "readonly" elif user_id in accesses[1]: return "editor" return "none"
def resolve_privilege(self, info): result = verify_jwt_in_request(True) user_id = get_jwt_identity() if not user_id: return Previlege.NONE if self.owner_id == user_id: return Previlege.OWNER if not self.copyright_level: # no copyright return Previlege.APPROVED if self.copyright_level == 3: # not shared, will not visisble to anyone either, this condidtion is just in case return Previlege.NONE usage = DBSession.query(AssetUsageModel).filter( AssetUsageModel.asset_id == self.id).filter( AssetUsageModel.user_id == user_id).first() if usage: if not usage.approved and self.copyright_level == 2: return Previlege.PENDING_APPROVAL else: return Previlege.APPROVED else: return Previlege.REQUIRE_APPROVAL
def get_query(cls, model, info, sort=None, **args): query = super(AssetConnectionField, cls).get_query( model, info, sort, **args) result = verify_jwt_in_request(True) user_id = get_jwt_identity() query = query.filter(or_( AssetModel.asset_license == None, AssetModel.asset_license.has(AssetLicense.level < 3), and_(AssetModel.asset_license.has(AssetLicense.level == 3), AssetModel.owner_id == user_id) )) for field, value in args.items(): if field == 'id': _type, _id = from_global_id(value) query = query.filter(getattr(model, field) == _id) elif field == 'asset_type': query = query.filter(getattr(model, field).has(name=value)) elif len(field) > 5 and field[-4:] == 'like': query = query.filter( getattr(model, field[:-5]).ilike(f"%{value}%")) elif field not in cls.RELAY_ARGS and hasattr(model, field): query = query.filter(getattr(model, field) == value) return query