コード例 #1
ファイル: __init__.py プロジェクト: xmush/o2store_be
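 def wrapper(*args, **kwargs):
     """Run ``fn`` only for callers holding a fresh JWT whose ``role`` claim is ``admin``.

     ``verify_fresh_jwt_in_request`` raises for a missing or non-fresh token
     before any claim is inspected. A token whose role is anything other than
     ``admin`` gets a 403 JSON body; otherwise the wrapped view's result is
     returned unchanged.
     """
     verify_fresh_jwt_in_request()
     claims = get_jwt_claims()
     # .get(): a token with no 'role' claim is refused with 403 rather than
     # raising KeyError (which would surface as an unhandled 500).
     # The misspelt status string is kept as-is — clients may match on it.
     if claims.get('role') != 'admin':
         return {'status': 'FORBIDEN', 'message': 'Access Denied'}, 403
     return fn(*args, **kwargs)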
コード例 #2
ファイル: __init__.py プロジェクト: IzyI/imgsize
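    def before_request():
        """Gate each request on its first URL segment before the view runs.

        ``/user/<id>`` routes require a fresh JWT whose identity matches the
        ``<id>`` in the path; ``OPTIONS`` preflight requests are answered
        without a token. ``/auth`` and ``/ping`` pass straight through, and
        any other prefix is served the front-end ``index.html``.

        Returns:
            ``None`` to let the request reach its view, or a response
            (a ``("", 200)`` tuple, a ``cjreq`` error, or a ``send_file``
            result) that short-circuits it.
        """
        segments = request.path.split("/")
        section = segments[1]

        if section == 'user':
            # CORS preflight carries no Authorization header, so it must be
            # answered before the JWT check for the browser to proceed.
            if request.method == 'OPTIONS':
                return "", 200
            verify_fresh_jwt_in_request()
            current_user = get_jwt_identity()
            # The id segment may be absent (IndexError) or non-numeric
            # (ValueError); both are client errors and get the same structured
            # reply instead of surfacing as a 500.
            try:
                url_user_id = int(segments[2])
            except (IndexError, ValueError):
                return cjreq(error_code=2100, err_msg="Не передал id_users")
            # NOTE(review): assumes get_jwt_identity() returns an indexable
            # value whose first element is the user id — confirm against the
            # login handler that issues the token.
            if int(current_user[0]) != url_user_id:
                return cjreq(error_code=2100,
                             err_msg="Несовпадает id jwt и id url: " +
                             str(current_user[0]) + "!=" + str(segments[2]),
                             status_code=403)

            print("USER")
        elif section == 'auth':
            print("auth")
        elif section == 'ping':
            print("ping")

        else:
            print("ALL")
            # root_path minus its last four characters, then the built
            # front-end bundle; the path is fixed, nothing from the request.
            return send_file(
                f'{str(node.root_path)[:-4]}front/dist/index.html')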
コード例 #3
 def get_context(self):
     """Build the template context, attaching the current user when a fresh JWT is present.

     Any failure while verifying the token or resolving the user is logged at
     INFO and treated as "anonymous" (``user`` stays ``None``) so the page
     still renders.
     """
     context = {"request": request, "user": None}
     try:
         verify_fresh_jwt_in_request()
         context["user"] = get_current_user()
     except Exception:
         logger.info("Failed to verify JWT")
     return context
コード例 #4
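    def before_update_object(self, user, data, view_kwargs):
        """Validate and apply the permission-sensitive parts of a user update.

        Runs before the generic attribute update. Handles soft deletion and
        restoration (``deleted_at``), e-mail changes (unique address plus a
        fresh JWT), the role flags (each gated by ``has_access``) and avatar
        resizing.

        Args:
            user: the persisted User being updated.
            data: incoming attribute dict; ``email`` is rewritten on restore.
            view_kwargs: receives ``email_changed`` (the previous address)
                when the e-mail is being changed.

        Raises:
            ForbiddenException: the caller may not change ``deleted_at``, or the
                user still owns events or orders.
            ConflictException: the requested e-mail already exists.
        """
        # TODO: Make a celery task for this
        # (formerly: inline create_save_image_sizes(...) on original_image_url,
        #  raising UnprocessableEntity on urllib HTTPError/URLError and filling
        #  the original/small/thumbnail/icon image URLs in `data`)

        requested_deleted_at = data.get('deleted_at')
        if requested_deleted_at != user.deleted_at:
            if not (has_access('is_user_itself', user_id=user.id) or has_access('is_admin')):
                raise ForbiddenException({'source': ''}, "You are not authorized to update this information.")
            if requested_deleted_at:
                # Soft delete is refused while the user still owns events or orders.
                if len(user.events) != 0:
                    raise ForbiddenException({'source': ''}, "Users associated with events cannot be deleted")
                if len(user.orders) != 0:
                    raise ForbiddenException({'source': ''}, "Users associated with orders cannot be deleted")
                modify_email_for_user_to_be_deleted(user)
            else:
                # Restoring rewrites user.email; mirror it into the payload so
                # the generic update afterwards does not overwrite it.
                modify_email_for_user_to_be_restored(user)
                data['email'] = user.email
            user.deleted_at = requested_deleted_at

        users_email = data.get('email', None)
        if users_email is not None:
            users_email = users_email.strip()
        # NOTE(review): the stripped value is only used for the comparison and
        # lookup below; data['email'] itself is not normalised here — confirm
        # whether the generic update strips it.

        if users_email is not None and users_email != user.email:
            try:
                db.session.query(User).filter_by(email=users_email).one()
            except NoResultFound:
                # Changing the login e-mail is sensitive: require a fresh
                # (recently authenticated) token, not merely a valid one.
                verify_fresh_jwt_in_request()
                view_kwargs['email_changed'] = user.email
            else:
                raise ConflictException({'pointer': '/data/attributes/email'}, "Email already exists")

        # Only a super admin may grant is_admin. A falsy value is ignored here
        # (unchanged from the original): demotion is not handled by this hook.
        if has_access('is_super_admin') and data.get('is_admin') and data.get('is_admin') != user.is_admin:
            user.is_admin = not user.is_admin

        # Admin-gated boolean flags: any explicitly supplied value, including
        # False, is applied. Checked in this fixed order. (The original looked
        # for the key 'us_marketer', so is_marketer could never be updated.)
        for flag in ('is_sales_admin', 'is_marketer'):
            if has_access('is_admin') and (flag in data) and data.get(flag) != getattr(user, flag):
                setattr(user, flag, not getattr(user, flag))

        if data.get('avatar_url'):
            start_image_resizing_tasks(user, data['avatar_url'])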
コード例 #5
 def decorated_function(*args, **kwargs):
     """Invoke ``view`` only after the JWT is fresh and its claim matches the URL's user id.

     Both checks raise on failure, so ``view`` never runs for a mismatched or
     stale token; on success the view's return value is passed through.
     """
     # Freshness first: claim inspection only makes sense on a verified token.
     verify_fresh_jwt_in_request()
     __verify_user_id_matches_claim(**kwargs)
     response = view(*args, **kwargs)
     return response
コード例 #6
    def before_update_object(self, user, data, view_kwargs):
        """Apply the permission-sensitive parts of a user update before the generic save.

        Covers soft deletion/restoration via ``deleted_at`` (blocked while the
        user still has events or live orders), the admin-only ``is_verified``
        flag, e-mail changes (unique address plus a fresh JWT), the role flags
        and avatar resizing.

        Args:
            user: the persisted User being modified.
            data: incoming attributes; ``email`` is rewritten on restore.
            view_kwargs: receives ``email_changed`` (the old address) when the
                e-mail is being changed.

        Raises:
            ForbiddenError: the caller lacks the right to change ``deleted_at``
                or ``is_verified``, or the user still owns events/orders.
            ConflictError: the requested e-mail already belongs to someone.
        """
        # TODO: Make a celery task for this
        # (formerly: inline create_save_image_sizes(...) on original_image_url,
        #  raising UnprocessableEntityError on urllib HTTPError/URLError and
        #  filling the original/small/thumbnail/icon image URLs in `data`)

        new_deleted_at = data.get('deleted_at')
        if new_deleted_at != user.deleted_at:
            may_change = has_access('is_user_itself',
                                    user_id=user.id) or has_access('is_admin')
            if not may_change:
                raise ForbiddenError(
                    {'source': ''},
                    "You are not authorized to update this information.")
            if new_deleted_at:
                if len(user.events) != 0:
                    raise ForbiddenError(
                        {'source': ''},
                        "Users associated with events cannot be deleted",
                    )
                # TODO(Areeb): Deduplicate the query. Present in video stream model as well
                live_statuses = ('completed', 'placed', 'initializing', 'pending')
                live_orders = (
                    TicketHolder.query.filter_by(user=user)
                    .join(Order)
                    .filter(or_(*(Order.status == status for status in live_statuses)))
                )
                order_exists = db.session.query(live_orders.exists()).scalar()
                # Any pending or completed order keeps the account undeletable.
                if order_exists:
                    logger.warning(
                        'User %s has pending or completed orders, hence cannot be deleted',
                        user,
                    )
                    raise ForbiddenError(
                        {'source': ''},
                        "Users associated with orders cannot be deleted",
                    )
                modify_email_for_user_to_be_deleted(user)
            else:
                # Restoring rewrites user.email; mirror it into the payload so
                # the generic update afterwards does not overwrite it.
                modify_email_for_user_to_be_restored(user)
                data['email'] = user.email
            user.deleted_at = new_deleted_at

        # is_verified may only be changed by an admin; other callers are
        # rejected outright rather than having the field silently ignored.
        if not has_access('is_admin'):
            wants_verified = data.get('is_verified')
            if wants_verified is not None and wants_verified != user.is_verified:
                raise ForbiddenError(
                    {'pointer': '/data/attributes/is-verified'},
                    "Admin access is required to update this information.",
                )

        new_email = data.get('email', None)
        if new_email is not None:
            new_email = new_email.strip()

        if new_email is not None and new_email != user.email:
            try:
                db.session.query(User).filter_by(email=new_email).one()
            except NoResultFound:
                # Changing the login e-mail requires a fresh (recently
                # authenticated) token, not merely a valid one.
                verify_fresh_jwt_in_request()
                view_kwargs['email_changed'] = user.email
            else:
                raise ConflictError({'pointer': '/data/attributes/email'},
                                    "Email already exists")

        # Only a super admin may grant is_admin; a falsy value is not acted on
        # here, so demotion is not handled by this hook.
        if (has_access('is_super_admin') and data.get('is_admin')
                and data.get('is_admin') != user.is_admin):
            user.is_admin = not user.is_admin

        # Admin-gated boolean flags: any explicitly supplied value, including
        # False, is applied. Checked in this fixed order.
        for flag in ('is_sales_admin', 'is_marketer'):
            if (has_access('is_admin') and (flag in data)
                    and data.get(flag) != getattr(user, flag)):
                setattr(user, flag, not getattr(user, flag))

        if data.get('avatar_url'):
            start_image_resizing_tasks(user, data['avatar_url'])