def wrapper(*args, **kwargs):
try:
verify_jwt_in_request()
except (CSRFError, FreshTokenRequired, InvalidHeaderError,
NoAuthorizationError, UserLoadError) as ex:
if request.remote_addr != '127.0.0.1':
raise ex
return fn(*args, **kwargs)
def jwt_secure_check(arg):
logging.info("Rest_API_Plugin.jwt_token_secure() called")
if _get_user().is_anonymous is False and rbac_authentication_enabled is True:
return func(arg)
elif rbac_authentication_enabled is False:
return func(arg)
else:
verify_jwt_in_request()
return jwt_required(func(arg))
def wrapper(*args, **kwargs):
verify_jwt_in_request()
try:
claims = get_jwt()
roles = claims["roles"]
if role_name not in roles and not optional:
raise NoAuthorizationError
except KeyError as e:
raise MissingRequiredClaimError("roles")
return fn(*args, **kwargs)
def verify_permissions_in_claims(required_permissions):
"""
Ensure that the requester has been granted the permissions.
Raises a Forbidden exception if the requester does not have sufficient
permissions to proceed.
"""
verify_jwt_in_request()
jwt = get_jwt()
# Check that the permission claims contain all the required permissions
if not all(perm in jwt["permissions"] for perm in required_permissions):
raise Forbidden(description="Insufficient permissions")
def get(self):
try:
verify_jwt_in_request()
active_session_token = get_jwt()["jti"]
Session.get(token=active_session_token).update(active=False,
ignore_none=True,
persist=True)
except CSRFError:
pass
response: Response = jsonify({"message": "User logged out!"})
response.delete_cookie("csrftoken")
unset_jwt_cookies(response)
return response
def resolve_sign(self, info):
result = verify_jwt_in_request(True)
user_id = get_jwt_identity()
if self.owner_id == user_id:
timestamp = int((datetime.now() +
timedelta(days=STREAM_EXPIRY_DAYS)).timestamp())
payload = "/live/{0}-{1}-{2}".format(self.file_location, timestamp,
STREAM_KEY)
hashvalue = hashlib.md5(payload.encode('utf-8')).hexdigest()
return "{0}-{1}".format(timestamp, hashvalue)
return ''
def resolve_permission(self, info):
result = verify_jwt_in_request(True)
user_id = get_jwt_identity()
if not user_id:
return "audience"
if self.owner_id == user_id:
return 'owner'
player_access = self.attributes.filter(
StageAttributeModel.name == 'playerAccess').first()
if player_access:
accesses = json.loads(player_access.description)
if len(accesses) == 2:
if user_id in accesses[0]:
return "player"
elif user_id in accesses[1]:
return "editor"
return "audience"
def get_query(cls, model, info, sort=None, **args):
query = super(AssetConnectionField,
cls).get_query(model, info, sort, **args)
result = verify_jwt_in_request(True)
user_id = get_jwt_identity()
query = query.filter(
or_(
AssetModel.copyright_level < 3, AssetModel.copyright_level == 3
and AssetModel.owner_id == user_id))
for field, value in args.items():
if field == 'id':
_type, _id = from_global_id(value)
query = query.filter(getattr(model, field) == _id)
elif field == 'media_types':
if len(value):
query = query.filter(
getattr(model, 'asset_type').has(
AssetTypeModel.name.in_(value)))
elif field == 'owners':
if len(value):
query = query.filter(
getattr(model,
'owner').has(UserModel.username.in_(value)))
elif field == 'stages':
if len(value):
query = query\
.join(ParentStage, AssetModel.stages)\
.filter(ParentStage.stage_id.in_(value))
elif field == 'tags':
if len(value):
query = query\
.join(MediaTag, AssetModel.tags)\
.join(Tag, MediaTag.tag)\
.filter(Tag.name.in_(value))
elif field == 'created_between':
if len(value) == 2:
query = query\
.filter(AssetModel.created_on >= value[0])\
.filter(AssetModel.created_on <= value[1])
elif len(field) > 5 and field[-4:] == 'like':
query = query.filter(
getattr(model, field[:-5]).ilike(f"%{value}%"))
elif field not in cls.RELAY_ARGS and hasattr(model, field):
query = query.filter(getattr(model, field) == value)
return query
def resolve_permission(self, info):
result = verify_jwt_in_request(True)
user_id = get_jwt_identity()
if not user_id:
return "none"
if self.owner_id == user_id:
return 'owner'
if not self.asset_license or self.asset_license.level == 0:
return "editor"
if self.asset_license.level == 3:
return "none"
player_access = self.asset_license.permissions
if player_access:
accesses = json.loads(player_access)
if len(accesses) == 2:
if user_id in accesses[0]:
return "readonly"
elif user_id in accesses[1]:
return "editor"
return "none"
def resolve_privilege(self, info):
result = verify_jwt_in_request(True)
user_id = get_jwt_identity()
if not user_id:
return Previlege.NONE
if self.owner_id == user_id:
return Previlege.OWNER
if not self.copyright_level: # no copyright
return Previlege.APPROVED
if self.copyright_level == 3:
# not shared, will not visisble to anyone either, this condidtion is just in case
return Previlege.NONE
usage = DBSession.query(AssetUsageModel).filter(
AssetUsageModel.asset_id == self.id).filter(
AssetUsageModel.user_id == user_id).first()
if usage:
if not usage.approved and self.copyright_level == 2:
return Previlege.PENDING_APPROVAL
else:
return Previlege.APPROVED
else:
return Previlege.REQUIRE_APPROVAL
def get_query(cls, model, info, sort=None, **args):
query = super(AssetConnectionField, cls).get_query(
model, info, sort, **args)
result = verify_jwt_in_request(True)
user_id = get_jwt_identity()
query = query.filter(or_(
AssetModel.asset_license == None,
AssetModel.asset_license.has(AssetLicense.level < 3),
and_(AssetModel.asset_license.has(AssetLicense.level == 3),
AssetModel.owner_id == user_id)
))
for field, value in args.items():
if field == 'id':
_type, _id = from_global_id(value)
query = query.filter(getattr(model, field) == _id)
elif field == 'asset_type':
query = query.filter(getattr(model, field).has(name=value))
elif len(field) > 5 and field[-4:] == 'like':
query = query.filter(
getattr(model, field[:-5]).ilike(f"%{value}%"))
elif field not in cls.RELAY_ARGS and hasattr(model, field):
query = query.filter(getattr(model, field) == value)
return query
