def reserve_boat():
    """Render an empty reservation form for the current user.

    The ``boats`` (number of boats) field is offered only to users holding
    the ``admin`` or ``club`` role; for everyone else it is removed from
    the form before rendering, so plain members reserve a single boat.
    """
    form = ReservationForm()
    user_roles = current_user.roles()
    may_choose_count = "admin" in user_roles or "club" in user_roles
    if not may_choose_count:
        del form.boats
    return render_template(
        "reservations/show_reservationform.html",
        form=form,
        form_action=url_for("make_reservation"),
        button_text="Reserve boat",
    )
def bookings_update(booking_id):
    """Apply a submitted ``BookingFormUpdate`` to an existing booking.

    Returns the 404 page when the booking is unknown, and the login
    manager's unauthorized response when the booking has already started
    (non-admins only) or is not among the bookings the current account may
    manage. Field-validation failures re-render the form with the stored
    booking; the later checks (start in the past, start not before end,
    slot taken) re-render with a deep copy taken before ``b`` was mutated.

    Args:
        booking_id: primary key of the booking to update.
    """
    b = Booking.query.get(booking_id)
    if not b:
        return render_template("404.html", res_type="booking"), 404

    if ((b.start_dt <= dt.utcnow() and ADMIN not in current_user.roles())
            or b.id not in [allowed.id for allowed in Booking.get_allowed_by_account()]):
        return login_manager.unauthorized()

    # Snapshot before mutating `b`, which is tracked by the session, so the
    # error pages below can show the stored values.
    old_b = copy.deepcopy(b)
    form = BookingFormUpdate(request.form)
    if not form.validate():
        return render_template("bookings/update.html", booking=b, form=form)

    for field in (form.account, form.resource):
        if field.data:
            setattr(b, field.name, field.data)
    b.start_dt = dt.combine(form.start_date.data, form.start_time.data)
    b.end_dt = dt.combine(form.end_date.data, form.end_time.data)

    # NOTE(review): on the error returns below `b` has already been modified
    # and is not rolled back, so it stays dirty in the session — confirm
    # that no later commit in the request can persist it.
    if b.start_dt < dt.utcnow() and ADMIN not in current_user.roles():
        for field in (form.start_date, form.start_time):
            field.errors.append(msg_past)
        return render_template("bookings/update.html", booking=old_b, form=form)

    if b.start_dt >= b.end_dt:
        for field in (form.start_date, form.start_time):
            if field:
                field.errors.append(msg_start)
        for field in (form.end_date, form.end_time):
            if field:
                field.errors.append(msg_end)
        return render_template("bookings/update.html", booking=old_b, form=form)

    if not Booking.is_free_time_slot(b):
        clash_messages = [msg_free_rts_1(form.resource.data), msg_free_rts_2]
        for field in (form.resource, form.start_date, form.start_time,
                      form.end_date, form.end_time):
            field.errors.extend(clash_messages)
        return render_template("bookings/update.html", booking=old_b, form=form)

    b.calculate_price()
    db.session().commit()
    return redirect(url_for("bookings_single", booking_id=b.id))
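def delete_thread(thread_id):
    """Delete a thread owned by the current user (or by any ``ADMIN``).

    Args:
        thread_id: primary key of the thread to delete.

    Returns:
        404 when the thread does not exist (previously the missing object
        raised ``AttributeError`` on ``thread.user_id``); the login manager's
        unauthorized response when the user neither owns the thread nor
        holds ``ADMIN``; otherwise a redirect to the boards index.

    The debug ``print`` of the user's roles has been removed: it wrote
    authorization data to stdout on every call.
    """
    from flask import abort  # local import keeps this fix self-contained

    thread = Thread.query.get(thread_id)
    if thread is None:
        abort(404)
    is_owner = thread.user_id == current_user.id
    if not (is_owner or "ADMIN" in current_user.roles()):
        return login_manager.unauthorized()
    db.session.delete(thread)
    db.session().commit()
    return redirect(url_for("boards_index"))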
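def show_reservation(reservation_id):
    """Render the edit form for one of the current user's reservations.

    Only the owner may open a reservation, and only while it has not yet
    ended; otherwise the user is redirected to the calendar. An unknown id
    gets the same redirect (the original raised ``AttributeError`` on the
    ``None`` result); answering both cases identically also avoids telling
    a caller whether a given id exists. The ``boats`` count field is
    offered only to ``admin``/``club`` users.

    Args:
        reservation_id: primary key of the reservation to show.
    """
    reservation = Reservation.query.get(reservation_id)
    if (reservation is None
            or reservation.user_id != current_user.id
            or reservation.ending_time < datetime.now()):
        return redirect(url_for("calendar_index"))

    form = ReservationForm(obj=reservation, boats=reservation.number_of_boats())
    user_roles = current_user.roles()
    if not ("admin" in user_roles or "club" in user_roles):
        del form.boats
    return render_template(
        "reservations/show_reservationform.html",
        form=form,
        form_action=url_for("modify_reservation", reservation_id=reservation_id),
        button_text="Save changes",
    )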
def validate_form(form, form_action, button_text):
    """Validate a reservation form and its requested time window.

    Removes the ``boats`` field for users without the ``admin``/``club``
    role, then runs field validation. Returns ``""`` when field validation
    fails; otherwise the result of ``validate_reservation_times`` — the
    string ``"Clear"`` for an acceptable window, or a message describing
    the problem.

    ``form_action`` and ``button_text`` are accepted for call-site
    compatibility but are not used here.
    """
    user_roles = current_user.roles()
    if "admin" not in user_roles and "club" not in user_roles:
        del form.boats
    if not form.validate():
        return ""
    starting = datetime.combine(form.starting_date.data, form.starting_time.data)
    ending = datetime.combine(form.ending_date.data, form.ending_time.data)
    # validate_reservation_times already answers "Clear" for a valid window,
    # so its result is passed straight through.
    return validate_reservation_times(starting, ending)
def bookings_create():
    """Create a booking from a submitted ``BookingFormCreate``.

    The form is re-rendered with field errors when validation fails, when
    the start lies in the past (admins are exempt), when the start is not
    before the end, or when the resource is already taken for that window.
    On success the booking is committed and the user is redirected to its
    detail page.
    """
    form = BookingFormCreate(request.form)
    if not form.validate():
        return render_template("bookings/new.html", form=form)

    start_dt = dt.combine(form.start_date.data, form.start_time.data)
    end_dt = dt.combine(form.end_date.data, form.end_time.data)

    if start_dt < dt.utcnow() and ADMIN not in current_user.roles():
        for field in (form.start_date, form.start_time):
            field.errors.append(msg_past)
        return render_template("bookings/new.html", form=form)

    if start_dt >= end_dt:
        per_field = (
            (form.start_date, msg_start),
            (form.start_time, msg_start),
            (form.end_date, msg_end),
            (form.end_time, msg_end),
        )
        for field, message in per_field:
            field.errors.append(message)
        return render_template("bookings/new.html", form=form)

    b = Booking(form.account.data.id, form.resource.data.id, start_dt, end_dt)
    if not Booking.is_free_time_slot(b):
        clash_messages = [msg_free_rts_1(form.resource.data), msg_free_rts_2]
        for field in (form.resource, form.start_date, form.start_time,
                      form.end_date, form.end_time):
            field.errors.extend(clash_messages)
        return render_template("bookings/new.html", form=form)

    session = db.session()
    session.add(b)
    session.commit()
    return redirect(url_for("bookings_single", booking_id=b.id))
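def cc_only():
    """List colour codes; admins get the variant with delete controls.

    Authenticated users holding ``ADMIN`` receive ``listwdelete.html``;
    every other visitor (including anonymous) gets the read-only list.
    The leftover debug ``print("------IS ADMIN!")`` has been removed.
    """
    is_admin = current_user.is_authenticated and "ADMIN" in current_user.roles()
    template = "colorcode/listwdelete.html" if is_admin else "colorcode/listccptype.html"
    return render_template(template, items=Colorcode.cc_iterable(), form=CodeSearchForm())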
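def decorated_view(*args, **kwargs):
    """Run ``fn`` only for an authenticated user holding ``role``.

    ``role`` and ``fn`` are captured from the enclosing decorator. ``"ANY"``
    admits every authenticated user; any other value must equal one of
    ``current_user.roles()``. Every failure returns the login manager's
    unauthorized response.
    """
    if not current_user or not current_user.is_authenticated:
        return login_manager.unauthorized()
    # Reject the placeholder account (id 0) that exists only so default
    # categories have an owner. The original compared the bound method
    # `current_user.get_id` to 0, which is always False, so this guard
    # never fired. get_id() is called here; "0" is accepted as well since
    # Flask-Login's UserMixin.get_id() returns a string.
    if current_user.get_id() in (0, "0"):
        return login_manager.unauthorized()
    if role != "ANY":
        held = any(user_role == role for user_role in current_user.roles())
        if not held:
            return login_manager.unauthorized()
    return fn(*args, **kwargs)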
def make_reservation():
    """Handle a submitted reservation form and create the reservation.

    Validation problems re-render the form with an ``error`` message.
    ``admin``/``club`` users choose how many boats to reserve; other users
    get exactly one boat and may hold at most four reservations within the
    coming year. If fewer boats are free for the requested window than
    requested, the form is re-rendered stating the available count. On
    success the reservation is committed and the user is sent to the
    calendar.
    """
    form = ReservationForm(request.form)
    action = url_for("make_reservation")

    def show_form(error):
        # All error paths render the same template with the same action.
        return render_template(
            "reservations/show_reservationform.html",
            form=form,
            form_action=action,
            button_text="Reserve boat",
            error=error,
        )

    message = validate_form(form, form_action=action, button_text="Reserve boat")
    if message != "Clear":
        return show_form(message)

    user_roles = current_user.roles()
    if "admin" in user_roles or "club" in user_roles:
        number_of_boats = form.boats.data
    else:
        now = datetime.now()
        reserved_count = Reservation.count_reserved_boats_for_user(
            now, now + timedelta(days=365), user_id=current_user.id)
        if reserved_count >= 4:
            return show_form("You can only have 4 reservations")
        number_of_boats = 1

    starting = datetime.combine(form.starting_date.data, form.starting_time.data)
    ending = datetime.combine(form.ending_date.data, form.ending_time.data)
    available_boats = Boat.available_boats(starting, ending)
    if len(available_boats) < number_of_boats:
        return show_form(
            f"Not enough boats available for this time, only {len(available_boats)} boats available"
        )

    reservation = Reservation(starting, ending, current_user.id)
    for i in range(number_of_boats):
        reservation.boats_reserved.append(Boat.query.get(available_boats[i]))
    session = db.session()
    session.add(reservation)
    session.commit()
    return redirect(url_for("calendar_index"))
def events_edit(event_id):
    """Show (GET) and process (POST) the edit form for an event.

    Only the event's owner or an ``ADMIN`` may edit; others are flashed a
    message and redirected. On POST the form is validated, the event's
    fields are overwritten, its room bookings are deleted and rebuilt from
    the form, and the session is committed; an ``IntegrityError`` rolls
    back and re-renders the form.

    Args:
        event_id: primary key of the event to edit (from the URL).
    """
    def get_booked_rooms():
        # Annotate every room with "checked"/"" strings for the template's
        # checkbox attributes: booked for this event, and booked privately.
        rooms = Room.query.all()
        for room in rooms:
            eventRoom = EventRoom.query.filter_by(event_id=event_id).filter_by(
                room_id=room.id).first()
            if eventRoom is not None:
                room.booked = "checked"
                if eventRoom.privateEvent is True:
                    room.private = "checked"
                else:
                    room.private = ""
            else:
                room.booked = ""
                room.private = ""
        return rooms

    e = Event.query.get(event_id)
    # NOTE(review): `e` is None for an unknown id, so the ownership test
    # below raises AttributeError instead of returning 404 — confirm intended.
    if e.accountId != current_user.id and 'ADMIN' not in current_user.roles():
        flash("You are not authorized to remove others events.")
        return redirect(url_for("events_list"))
    form = EventForm(request.form)
    if request.method == "POST":
        if not form.validate():
            flash('Validation error: please check all fields')
            return render_template("calendar/events/edit.html", form=EventForm(),
                                   e=Event.query.get(event_id), rooms=get_booked_rooms())
        # Room bookings are rebuilt from the submitted form below.
        EventRoom.query.filter_by(event_id=event_id).delete()
        # NOTE(review): the event's primary key is overwritten with a form
        # value rather than the URL's event_id — confirm this is intentional
        # and that form.event_id is validated against e.id.
        e.id = form.event_id.data
        e.name = form.name.data
        e.start_time = form.start_time.data
        e.end_time = form.end_time.data
        e.description = form.description.data
        e.responsible = form.responsible.data
        # Ownership moves to whoever saves the form, including an admin
        # editing someone else's event.
        e.accountId = current_user.id  # TODO use the original user ID
        for roomId in form.roomsBooked.data:
            # Third EventRoom argument is the private flag (1/0).
            if roomId in form.privateReserve.data:
                er = EventRoom(e.id, roomId, 1)
            else:
                er = EventRoom(e.id, roomId, 0)
            db.session().add(er)
        try:
            db.session().commit()
        except IntegrityError:
            flash('There is something wrong ! Please check the form !')
            db.session.rollback()
            return render_template("calendar/events/edit.html", form=EventForm(),
                                   e=Event.query.get(event_id), rooms=get_booked_rooms())
        return redirect(url_for("events_index"))
    else:
        return render_template("calendar/events/edit.html", form=EventForm(),
                               e=Event.query.get(event_id), rooms=get_booked_rooms())
def modify_reservation(reservation_id):
    """Apply a submitted reservation form to an existing reservation.

    Only the owner may modify a reservation, and only while it has not
    ended; anyone else is redirected to the calendar. Validation problems
    and a shortage of free boats re-render the form with an ``error``
    message. ``admin``/``club`` users choose the boat count, everyone else
    gets one boat. On success the time window and the reserved boats are
    replaced and committed.

    NOTE(review): an unknown id leaves ``reservation`` as None and the
    ownership test raises AttributeError — confirm that is acceptable.
    """
    form = ReservationForm(request.form)
    reservation = Reservation.query.get(reservation_id)
    if (reservation.user_id != current_user.id
            or reservation.ending_time < datetime.now()):
        return redirect(url_for("calendar_index"))

    action = url_for("modify_reservation", reservation_id=reservation_id)

    def show_form(error):
        # Both error paths render the same template with the same action.
        return render_template(
            "reservations/show_reservationform.html",
            reservation=reservation,
            form=form,
            form_action=action,
            button_text="Save changes",
            error=error,
        )

    message = validate_form(form, form_action=action, button_text="Save changes")
    if message != "Clear":
        return show_form(message)

    user_roles = current_user.roles()
    may_choose_count = "admin" in user_roles or "club" in user_roles
    number_of_boats = form.boats.data if may_choose_count else 1

    starting = datetime.combine(form.starting_date.data, form.starting_time.data)
    ending = datetime.combine(form.ending_date.data, form.ending_time.data)
    available_boats = Boat.available_boats_for_changing_reservation(
        starting, ending, reservation.id)
    if len(available_boats) < number_of_boats:
        return show_form(
            f"Not enough boats available for this time, only {len(available_boats)} boats available"
        )

    reservation.update(starting, ending)
    reservation.boats_reserved = []
    for i in range(number_of_boats):
        reservation.boats_reserved.append(Boat.query.get(available_boats[i]))
    session = db.session()
    session.add(reservation)
    session.commit()
    return redirect(url_for("calendar_index"))
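def events_delete(event_id):
    """Delete an event together with its room bookings.

    Permitted for the event's owner and for ``ADMIN`` users; anyone else is
    flashed a message and redirected to the list. An unknown id now returns
    404 instead of raising ``AttributeError`` on the missing object.

    Args:
        event_id: primary key of the event to delete.
    """
    from flask import abort  # local import keeps this fix self-contained

    e = Event.query.get(event_id)
    if e is None:
        abort(404)
    is_owner = e.accountId == current_user.id
    if not is_owner and 'ADMIN' not in current_user.roles():
        flash("You are not authorized to remove others events.")
        return redirect(url_for("events_list"))
    # Dependent room rows go first, then the event itself.
    EventRoom.query.filter_by(event_id=event_id).delete()
    Event.query.filter_by(id=event_id).delete()
    db.session().commit()
    return redirect(url_for("events_list"))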
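def decorated_view(*args, **kwargs):
    """Call ``fn`` when the current user is authenticated and holds ``role``.

    ``role`` and ``fn`` are captured from the enclosing decorator. ``"ANY"``
    admits every authenticated user — including one whose role list is
    empty, which the original loop-based check rejected because the
    ``"ANY"`` test lived inside the loop body. Otherwise ``role`` must equal
    one of ``current_user.roles()``. A role mismatch flashes a message
    before returning the unauthorized response; an anonymous user does not.
    """
    if not current_user.is_authenticated:
        return login_manager.unauthorized()
    if role == "ANY" or any(user_role == role for user_role in current_user.roles()):
        return fn(*args, **kwargs)
    flash("You are not authorized to use this functionality")
    return login_manager.unauthorized()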
def decorated_view(*args, **kwargs):
    """Guard ``func`` behind authentication and the decorator's ``role``.

    ``role`` and ``func`` are captured from the enclosing decorator. The
    request is admitted when the user is authenticated and ``role`` is
    either ``"ANY"`` or one of ``current_user.roles()``; otherwise the
    login manager's unauthorized response is returned.
    """
    authenticated = bool(current_user) and current_user.is_authenticated
    if not authenticated:
        return login_manager.unauthorized()
    granted = role == "ANY" or role in set(current_user.roles())
    if not granted:
        return login_manager.unauthorized()
    return func(*args, **kwargs)
def decorated_view(*args, **kwargs):
    """Guard ``fn`` behind authentication and a role lookup.

    ``role`` and ``fn`` are captured from the enclosing decorator. The
    user's roles are fetched with ``current_user.roles(current_user.email)``
    and the request is admitted when ``role in entry`` holds for at least
    one returned entry.

    NOTE(review): if the entries are plain strings, ``role in entry`` is a
    substring test rather than an equality test (a short role name would
    match any longer role name containing it) — confirm the entry type and
    use ``==`` if they are role names.
    """
    if not current_user.is_authenticated:
        return login_manager.unauthorized()
    matched = False
    for entry in current_user.roles(current_user.email):
        if role in entry:
            matched = True
            break
    if not matched:
        return login_manager.unauthorized()
    return fn(*args, **kwargs)
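def items_delete(item_id):
    """Delete an item when the current user owns it or holds ``ADMIN``.

    The item is looked up once and the ownership test is done on that
    object. A missing id, like a foreign item, results in a plain redirect
    to the index without touching the database; the original's admin path
    re-fetched the item and would have passed ``None`` to
    ``session.delete`` for an unknown id.

    Args:
        item_id: primary key of the item to delete.
    """
    item = Item.query.get(item_id)
    if item is not None:
        is_owner = item.account_id == current_user.id
        if is_owner or "ADMIN" in current_user.roles():
            db.session.delete(item)
            db.session().commit()
    return redirect(url_for("index"))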
def bookings_delete_ask(booking_id):
    """Render the delete-confirmation page for a booking.

    Returns the 404 page when the booking is unknown, and the login
    manager's unauthorized response when it has already started (non-admins
    only) or is not among the bookings the current account may manage.
    """
    b = Booking.query.get(booking_id)
    if not b:
        return render_template("404.html", res_type="booking"), 404
    if ((b.start_dt <= dt.utcnow() and ADMIN not in current_user.roles())
            or b.id not in {allowed.id for allowed in Booking.get_allowed_by_account()}):
        return login_manager.unauthorized()
    return render_template("bookings/delete.html", booking=b)
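def decorated_view(*args, **kwargs):
    """Admit the request when the user is authenticated and holds ``role``.

    ``role`` and ``fn`` are captured from the enclosing decorator; ``"ANY"``
    admits every authenticated user. The original tested
    ``current_user.roles() == role``; when ``roles()`` returns a collection
    of role names that comparison is always False, so every role-restricted
    view was denied. Both shapes are accepted here: a single role value
    equal to ``role``, or a collection containing it. The debug ``print``
    calls that wrote the user's roles to stdout are dropped.
    """
    if not current_user or not current_user.is_authenticated:
        return login_manager.unauthorized()
    if role != "ANY":
        user_roles = current_user.roles()
        if isinstance(user_roles, str):
            granted = user_roles == role
        else:
            granted = user_roles == role or role in user_roles
        if not granted:
            return login_manager.unauthorized()
    return fn(*args, **kwargs)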
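def decorated_view(*args, **kwargs):
    """Admit the request when the user is authenticated and holds ``role``.

    ``role`` and ``fn`` are captured from the enclosing decorator. ``"ANY"``
    admits every authenticated user; otherwise the user must hold ``role``
    or the ``"A"`` role, which the original treats as an override for every
    view (presumably the admin role — confirm). The original tested
    ``if role == role`` (always true), so ``"ANY"`` was never honoured, and
    it called ``current_user.roles()`` before checking that anyone was
    logged in at all; the unused ``roles`` local is gone.
    """
    if not current_user or not current_user.is_authenticated:
        return login_manager.unauthorized()
    if role != "ANY":
        held = any(user_role == role or user_role == "A"
                   for user_role in current_user.roles())
        if not held:
            return login_manager.unauthorized()
    return fn(*args, **kwargs)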
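def message_edit_form(message_id):
    """Render the edit form for a message, prefilled with its current text.

    Only the message's author or an ``ADMIN`` may open it; an unknown id
    returns 404 instead of raising ``AttributeError`` on the missing object.
    The role test uses ``in`` rather than calling ``__contains__`` directly.

    Args:
        message_id: primary key of the message to edit.
    """
    from flask import abort  # local import keeps this fix self-contained

    m = Message.query.get(message_id)
    if m is None:
        abort(404)
    is_author = current_user.id == m.account_id
    if not is_author and "ADMIN" not in current_user.roles():
        return login_manager.unauthorized()
    f = MessageForm()
    f.subject.default = m.subject
    f.body.default = m.body
    f.process()  # push the defaults into the rendered field values
    return render_template("messages/edit.html", form=f, m=m)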
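def module_take(cid=None):
    """Course page for module ``cid`` with its enrolment controls.

    Without ``cid`` the course of the current professor is used (404 when
    the user is not a professor). GET renders the page for enrolled
    students, the course's TA and its professor, and 403 for anyone else.
    POST accepts or rejects a pending enrolment request. Unlike the
    original, the POST path is reached only after the course's existence
    and the caller's membership have been established: it is allowed only
    for the course's professor (the original processed the decision before
    any authorization check), and it returns 404 rather than raising when
    the request row no longer exists. The TA lookup no longer raises when
    the user has no ``TeachingAssistants`` row.

    Args:
        cid: course id; defaults to the current professor's course.
    """
    if cid is None:
        own_prof = Professors.query.get(current_user.id)
        if not own_prof:
            abort(404)
        cid = own_prof.cid
    mod = Courses.query.get_or_404(cid)
    prof = Professors.query.filter_by(cid=cid).first()
    if not prof:
        abort(404)
    is_student, is_ta, is_prof = _module_membership(cid)

    if request.method == 'POST':
        if not is_prof:
            abort(403)
        return _handle_enrolment_decision(cid, mod)

    if not (is_student or is_prof or is_ta):
        abort(403)
    groups = Groups.query.filter_by(pid=prof.pid).all()
    students = TakenCourses.query.filter_by(
        cid=cid, year=cur_year, sem=cur_sem, is_pending=False).all()
    requests = TakenCourses.query.filter_by(
        cid=cid, year=cur_year, sem=cur_sem, is_pending=True).all()
    return render_template('module_take.html', title=cid + ' ' + mod.cname, mod=mod,
                           students=students, groups=groups, Groups=Groups,
                           groupinfo=GroupInfo, prof=prof, requests=requests,
                           is_student=is_student, is_ta=is_ta, is_prof=is_prof,
                           year=cur_year, sem=cur_sem)


def _module_membership(cid):
    """Return ``(is_student, is_ta, is_prof)`` for the current user in course ``cid``."""
    is_student = TakenCourses.query.filter_by(
        sid=current_user.id, cid=cid, year=cur_year, sem=cur_sem,
        is_pending=False).first() is not None
    user_roles = current_user.roles()
    is_prof = False
    if 'Professor' in user_roles:
        prof_row = Professors.query.get(current_user.id)
        is_prof = prof_row is not None and prof_row.cid == cid
    is_ta = False
    if 'TA' in user_roles:
        ta_row = TeachingAssistants.query.filter_by(sid=current_user.id, is_ta=True).first()
        is_ta = ta_row is not None and ta_row.cid == cid
    return is_student, is_ta, is_prof


def _handle_enrolment_decision(cid, mod):
    """Apply the Accept/Reject button of the enrolment form, then redirect."""
    btn = request.form['btn']
    if btn in ('Accept', 'Reject'):
        sid = request.form['sid']
        student = TakenCourses.query.get([sid, cid])
        if student is None:
            abort(404)
        name = Students.query.get(sid).info.name
        if btn == 'Accept':
            student.is_pending = False
            db.session.commit()
            flash(f'{name} is now enrolled into {mod.cid} {mod.cname}!', 'success')
        else:
            db.session.delete(student)
            db.session.commit()
            flash(f'{name} is rejected from {mod.cid} {mod.cname}!', 'warning')
    return redirect(url_for('module_take', cid=cid))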
def bookings_delete(booking_id):
    """Delete a booking and return to the bookings list.

    Returns the 404 page when the booking is unknown, and the login
    manager's unauthorized response when it has already started (non-admins
    only) or is not among the bookings the current account may manage.
    """
    b = Booking.query.get(booking_id)
    if not b:
        return render_template("404.html", res_type="booking"), 404
    if ((b.start_dt <= dt.utcnow() and ADMIN not in current_user.roles())
            or b.id not in {allowed.id for allowed in Booking.get_allowed_by_account()}):
        return login_manager.unauthorized()
    db.session.delete(b)
    db.session.commit()
    return redirect(url_for("bookings_list"))
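def edit_thread(thread_id):
    """Show (GET) or apply (POST) the title edit form for a thread.

    Only the thread's owner or an ``ADMIN`` may edit; an unknown id returns
    404 instead of raising ``AttributeError`` on the missing object.

    NOTE(review): the POST path reads ``title`` straight from
    ``request.form`` without running ``ThreadForm`` validation — confirm the
    form's validators are meant to be skipped here.

    Args:
        thread_id: primary key of the thread to edit.
    """
    from flask import abort  # local import keeps this fix self-contained

    thread = Thread.query.get(thread_id)
    if thread is None:
        abort(404)
    is_owner = thread.user_id == current_user.id
    if not (is_owner or "ADMIN" in current_user.roles()):
        return login_manager.unauthorized()
    if request.method == "GET":
        return render_template("threads/edit.html", form=ThreadForm(), thread=thread)
    thread.title = request.form.get("title")
    db.session().commit()
    return redirect(url_for("view_thread", thread_id=thread_id))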
def bookings_form_update(booking_id):
    """Render the update form for a booking, prefilled from the record.

    Returns the 404 page when the booking is unknown, and the login
    manager's unauthorized response when it has already started (non-admins
    only) or is not among the bookings the current account may manage. The
    start/end datetimes are split into the form's separate date and time
    fields.
    """
    b = Booking.query.get(booking_id)
    if not b:
        return render_template("404.html", res_type="booking"), 404
    if ((b.start_dt <= dt.utcnow() and ADMIN not in current_user.roles())
            or b.id not in {allowed.id for allowed in Booking.get_allowed_by_account()}):
        return login_manager.unauthorized()
    form = BookingFormUpdate()
    form.account.data = b.account
    form.resource.data = b.resource
    form.start_date.data, form.start_time.data = b.start_dt.date(), b.start_dt.time()
    form.end_date.data, form.end_time.data = b.end_dt.date(), b.end_dt.time()
    return render_template("bookings/update.html", booking=b, form=form)
def decorated_view(*args, **kwargs):
    """Admit the request for authenticated users holding ``role``.

    ``role`` and ``fn`` are captured from the enclosing decorator. The
    lower-case string ``"any"`` (case-sensitive) admits every authenticated
    user; otherwise ``role`` must be contained in ``current_user.roles()``.
    Failures return the login manager's unauthorized response.
    """
    if not current_user or not current_user.is_authenticated:
        return login_manager.unauthorized()
    permitted = role == "any" or role in current_user.roles()
    if not permitted:
        return login_manager.unauthorized()
    return fn(*args, **kwargs)
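def communities_create():
    """Create a community from a submitted ``CommunityFormCreate``.

    A failed insert is rolled back and reported on the ``address`` field.
    The message assumes a uniqueness violation, but any ``SQLAlchemyError``
    is reported the same way; the unused ``as e`` binding is removed since
    the exception is never inspected. Authenticated admins are sent to the
    new community's page, everyone else to the list.
    """
    form = CommunityFormCreate(request.form)
    if not form.validate():
        return render_template("communities/new.html", form=form)
    c = Community(form.address.data)
    session = db.session()
    try:
        session.add(c)
        session.commit()
    except exc.SQLAlchemyError:
        session.rollback()
        form.address.errors.append(
            "This address is already taken, please choose another one.")
        return render_template("communities/new.html", form=form)
    if current_user.is_authenticated and ADMIN in current_user.roles():
        return redirect(url_for("communities_single", community_id=c.id))
    return redirect(url_for("communities_list"))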
def decorated_view(*args, **kwargs):
    """Admit the request when the user holds one of ``accepted_roles``.

    ``accepted_roles`` and ``fn`` are captured from the enclosing decorator.
    The literal ``"ANY"`` admits every authenticated user; otherwise some
    ``user_role.name`` from ``current_user.roles()`` must equal an entry of
    ``accepted_roles``.

    NOTE(review): ``accepted_roles`` is iterated, so a bare string such as
    ``"ADMIN"`` would be compared character by character and never match —
    confirm callers always pass a list/tuple of role names.
    """
    if not current_user or not current_user.is_authenticated:
        return login_manager.unauthorized()
    if accepted_roles != "ANY":
        held = any(user_role.name == wanted
                   for user_role in current_user.roles()
                   for wanted in accepted_roles)
        if not held:
            return login_manager.unauthorized()
    return fn(*args, **kwargs)
def decorated_view(*args, **kwargs):
    """Admit the request when the user holds one of ``roles``.

    ``roles`` and ``fn`` are captured from the enclosing decorator. A
    ``roles`` collection containing ``"ANY"`` admits every authenticated
    user; otherwise at least one of ``current_user.roles()`` must be in
    ``roles``. An anonymous user gets the login manager's unauthorized
    response; an authenticated user lacking the role is flashed a message
    (Finnish: "You do not have permission to use this functionality.") and
    redirected to the index.
    """
    if not current_user or not current_user.is_authenticated:
        return login_manager.unauthorized()
    if "ANY" not in roles:
        held = any(user_role in roles for user_role in current_user.roles())
        if not held:
            flash('Sinulla ei ole oikeuksia käyttää tätä toiminnallisuutta.')
            return redirect(url_for('index'))
    return fn(*args, **kwargs)
def decorated_view(*args, **kwargs):
    """Admit the request when the user holds one of ``roles``.

    ``roles`` and ``fn`` are captured from the enclosing decorator. A
    ``roles`` collection containing ``"ANY"`` admits every authenticated
    user; otherwise at least one of ``current_user.roles()`` must be in
    ``roles``. An anonymous user gets the login manager's unauthorized
    response; an authenticated user lacking the role is flashed a message
    and redirected to the index.
    """
    if not current_user or not current_user.is_authenticated:
        return login_manager.unauthorized()
    if "ANY" not in roles:
        held = any(user_role in roles for user_role in current_user.roles())
        if not held:
            flash('You do not have permission to use this functionality.')
            return redirect(url_for('index'))
    return fn(*args, **kwargs)
def decorated_view(*args, **kwargs):
    """Admit the request when the user holds one of the roles in ``role``.

    ``role`` and ``fn`` are captured from the enclosing decorator. The
    literal ``"ANY"`` admits every authenticated user; otherwise one of
    ``current_user.roles()`` must match an entry of ``role``, compared
    case-insensitively with ``str.lower``.

    NOTE(review): ``role`` is iterated, so it is expected to be a collection
    of role names; a bare string would be compared one character at a time
    and never match — confirm the decorator's callers.
    """
    if not current_user or not current_user.is_authenticated:
        return login_manager.unauthorized()
    if role != "ANY":
        wanted = {auth_role.lower() for auth_role in role}
        held = any(user_role.lower() in wanted for user_role in current_user.roles())
        if not held:
            return login_manager.unauthorized()
    return fn(*args, **kwargs)