def post(self, group_id):
    """
    API handler: add a user to a group.

    ``group_id`` is the target group; the user to add is taken from the
    validated form parameter ``user_id``.

    Raises DoesNotExistError if the group does not exist, and SecurityError
    if the group grants permissions administration (``admin_permissions``
    or ``admin_all``) and the session user does not hold
    PERMIT_ADMIN_PERMISSIONS themselves - otherwise a user administrator
    could escalate by adding an account to such a group.

    A ``user_id`` that does not resolve to a user is ignored and a success
    response is still returned. NOTE(review): the caller gets no signal that
    nothing was added - confirm this is intended.
    """
    params = self._get_validated_object_parameters(request.form)
    group = data_engine.get_group(group_id=group_id, load_users=True)
    if group is None:
        raise DoesNotExistError(str(group_id))

    # The caller is a user admin (enforced before we get here). Only a
    # permissions admin / superuser may hand out membership of a group that
    # itself grants permissions administration.
    grants_perms_admin = (
        group.permissions.admin_permissions or group.permissions.admin_all
    )
    if grants_perms_admin and not permissions_engine.is_permitted(
        SystemPermissions.PERMIT_ADMIN_PERMISSIONS, get_session_user()
    ):
        raise SecurityError(
            'You cannot add users to a group that '
            'grants permissions administration, because you do not '
            'have permissions administration access yourself.'
        )

    new_member = data_engine.get_user(user_id=params['user_id'])
    if new_member is not None and new_member not in group.users:
        group.users.append(new_member)
        data_engine.save_object(group)
        # Group membership feeds permission decisions, so drop the user's
        # cached session data and the permissions cache.
        reset_user_sessions(new_member)
        permissions_engine.reset()
    return make_api_success_response()
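def trace_permissions():
    """
    Admin view: traces the effective permissions of a user on a folder.

    Reads ``embed``, ``user`` and ``path`` from the query string. An empty
    path means the root folder; a user id of 0 (or anything parse_int maps
    to 0) traces the anonymous user. The template receives the folder, the
    selected user, the active user list, the trace produced by
    ``permissions_engine._trace_folder_permissions`` and a flag telling the
    UI whether any group in the trace grants admin_files or admin_all.

    Any exception is logged via log_security_error and rendered through
    safe_error_str rather than as the raw exception text.

    Fix: the original returned from inside a ``finally`` clause, which
    silently discards any in-flight exception (including those that are not
    ``Exception`` subclasses). The template is still rendered while the DB
    session is open - the model objects may depend on it - and the session
    is always closed afterwards.
    """
    embed = request.args.get('embed', '')
    user_id = request.args.get('user', '')
    folder_path = request.args.get('path', '')
    if folder_path == '':
        folder_path = os.path.sep

    folder = None
    user = None
    users = []
    user_has_admin = False
    trace = None
    err_msg = None

    db_session = data_engine.db_get_session()
    try:
        try:
            # Get folder and selected user info
            # User can be None for an anonymous user
            user_id = parse_int(user_id)
            if user_id != 0:
                user = data_engine.get_user(user_id, _db_session=db_session)
                if user is None:
                    raise DoesNotExistError('This user no longer exists')
            folder = data_engine.get_folder(
                folder_path=folder_path, _db_session=db_session
            )
            if folder is None or folder.status == Folder.STATUS_DELETED:
                raise DoesNotExistError('This folder no longer exists')
            # Get users list
            users = data_engine.list_users(
                status=User.STATUS_ACTIVE,
                order_field=User.username,
                _db_session=db_session
            )
            # Get the folder+user traced permissions
            trace = permissions_engine._trace_folder_permissions(folder, user)
            # Flag on the UI if the user has admin
            for gdict in trace['groups']:
                gperms = gdict['group'].permissions
                if gperms.admin_files or gperms.admin_all:
                    user_has_admin = True
                    break
        except Exception as e:
            log_security_error(e, request)
            err_msg = safe_error_str(e)

        # Render before closing the session so lazily loaded attributes on
        # the folder / user / group objects are still reachable.
        return render_template(
            'admin_trace_permissions.html',
            embed=embed,
            folder=folder,
            folder_is_root=folder.is_root() if folder else False,
            user=user,
            user_list=users,
            trace=trace,
            user_has_admin=user_has_admin,
            err_msg=err_msg,
            GROUP_ID_PUBLIC=Group.ID_PUBLIC
        )
    finally:
        db_session.close()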
def _check_for_user_lockout(original_object):
    """
    Guards against an administrator removing their own (or the built-in
    admin's) administration rights.

    Only to be called when the current user is already known to hold
    PERMIT_ADMIN_USERS. Checks, against the freshly loaded database records,
    that the session user still has user administration, and that user id 1
    (the 'admin' account) still has both user administration and
    permissions administration.

    If either check fails, ``original_object`` is saved back (undoing the
    change), the permissions cache is reset, and a ParameterError describing
    who would be locked out is raised.
    """
    # Session user first, then the built-in admin account
    candidates = [get_session_user_id(), 1]
    for uid in candidates:
        db_user = data_engine.get_user(user_id=uid)
        if not db_user:
            continue
        # Everyone checked must keep user administration; the built-in
        # admin must additionally keep permissions administration.
        required = [SystemPermissions.PERMIT_ADMIN_USERS]
        if uid == 1:
            required.append(SystemPermissions.PERMIT_ADMIN_PERMISSIONS)
        try:
            for perm in required:
                if not permissions_engine.is_permitted(perm, db_user):
                    raise ParameterError()
        except ParameterError:
            # Roll back permissions
            data_engine.save_object(original_object)
            permissions_engine.reset()
            # Raise API error
            who = "the 'admin' user" if uid == 1 else 'you'
            raise ParameterError(
                'This change would lock %s out of administration' % who
            )
def _check_for_user_lockout(original_object):
    """
    Verifies that a permissions change has not locked anyone out of
    administration, rolling it back if it has.

    Only to be called when the current user is already known to hold
    PERMIT_ADMIN_USERS. Two accounts are re-read from the database and
    checked: the session user (must still have PERMIT_ADMIN_USERS) and the
    'admin' account, user id 1 (must still have PERMIT_ADMIN_USERS and
    PERMIT_ADMIN_PERMISSIONS).

    On failure ``original_object`` is re-saved, the permissions cache is
    reset, and a ParameterError is raised naming who would be locked out.
    """
    def _require(perm, account):
        # Raise the sentinel error the handler below converts into a rollback
        if not permissions_engine.is_permitted(perm, account):
            raise ParameterError()

    for uid in (get_session_user_id(), 1):
        account = data_engine.get_user(user_id=uid)
        if not account:
            continue
        try:
            _require(SystemPermissions.PERMIT_ADMIN_USERS, account)
            if uid == 1:
                _require(SystemPermissions.PERMIT_ADMIN_PERMISSIONS, account)
        except ParameterError:
            # Undo the change and clear cached permission decisions
            data_engine.save_object(original_object)
            permissions_engine.reset()
            subject = "the 'admin' user" if uid == 1 else 'you'
            raise ParameterError(
                'This change would lock %s out of administration' % subject
            )
def post(self, group_id):
    """
    API handler: add the user given by form parameter ``user_id`` to the
    group ``group_id``.

    Raises DoesNotExistError for an unknown group. Raises SecurityError when
    the group grants permissions administration (``admin_permissions`` or
    ``admin_all``) but the session user lacks PERMIT_ADMIN_PERMISSIONS, so
    that a user admin cannot escalate via group membership.

    An unknown ``user_id`` is ignored and success is still returned.
    NOTE(review): only the permissions cache is reset here; whether the
    added user's cached session (if any) also needs invalidating is not
    visible from this handler - confirm.
    """
    params = self._get_validated_object_parameters(request.form)
    group = data_engine.get_group(group_id=group_id, load_users=True)
    if group is None:
        raise DoesNotExistError(str(group_id))

    # Caller is a user admin (checked upstream). Handing out a group that
    # grants permissions administration additionally requires the caller to
    # be a permissions admin / superuser.
    if group.permissions.admin_permissions or group.permissions.admin_all:
        caller_may_grant = permissions_engine.is_permitted(
            SystemPermissions.PERMIT_ADMIN_PERMISSIONS, get_session_user()
        )
        if not caller_may_grant:
            raise SecurityError(
                'You cannot add users to a group that '
                'grants permissions administration, because you do not '
                'have permissions administration access yourself.'
            )

    member = data_engine.get_user(user_id=params['user_id'])
    if member is not None and member not in group.users:
        group.users.append(member)
        data_engine.save_object(group)
        permissions_engine.reset()
    return make_api_success_response()
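def delete(self, user_id):
    """
    API handler: delete a user.

    Raises DoesNotExistError if the user does not exist and ParameterError
    if ``user_id`` refers to the built-in 'admin' account (id 1), which can
    never be deleted. Deleting your own account also logs you out. The
    user's cached sessions are reset afterwards.

    Returns the deleted user as a dict, with the ``password`` entry removed:
    the original handler returned the serialised user unfiltered, so the
    stored password material was sent back to API clients.
    """
    user = data_engine.get_user(user_id=user_id)
    if user is None:
        raise DoesNotExistError(str(user_id))
    if user.id == 1:
        raise ParameterError('The \'admin\' user cannot be deleted')

    data_engine.delete_user(user)
    # If this is the current user, log out
    if get_session_user_id() == user_id:
        log_out()
    # Reset session caches
    reset_user_sessions(user)

    # Never hand password material (even a hash) back to the client. pop()
    # with a default keeps this safe if the serialiser already omits it.
    udict = object_to_dict(user)
    udict.pop('password', None)
    return make_api_success_response(udict)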
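def get(self, user_id=None):
    """
    API handler: list users, or fetch a single user.

    With ``user_id`` None, returns all users matching the validated
    ``status`` query argument, ordered by username. Otherwise returns the
    one user, raising DoesNotExistError if it does not exist.

    Every returned dict has its ``password`` entry removed. The original
    handler returned the serialised user(s) unfiltered, so stored password
    material reached API clients.
    """
    if user_id is None:
        # List users
        status_filter = self._get_validated_status_arg(request)
        ulist = data_engine.list_users(
            status=status_filter, order_field=User.username
        )
        udictlist = object_to_dict_list(ulist)
        for udict in udictlist:
            # pop() with a default tolerates a serialiser that already
            # omits the field
            udict.pop('password', None)
        return make_api_success_response(udictlist)

    # Get single user
    user = data_engine.get_user(user_id)
    if user is None:
        raise DoesNotExistError(str(user_id))
    udict = object_to_dict(user)
    udict.pop('password', None)
    return make_api_success_response(udict)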
def delete(self, user_id):
    """
    API handler: delete the user ``user_id``.

    Raises DoesNotExistError for an unknown user and ParameterError when the
    target is the built-in 'admin' account (id 1). If the caller deletes
    their own account they are logged out. The deleted user is returned as a
    dict with the ``password`` entry stripped.

    NOTE(review): no cached-session reset is performed for the deleted user
    here; confirm whether delete_user / log_out already covers that.
    """
    target = data_engine.get_user(user_id=user_id)
    if target is None:
        raise DoesNotExistError(str(user_id))
    if target.id == 1:
        raise ParameterError('The \'admin\' user cannot be deleted')

    data_engine.delete_user(target)
    # Deleting yourself ends your own session
    if get_session_user_id() == user_id:
        log_out()

    # Strip password material before the record leaves the API
    payload = object_to_dict(target)
    payload.pop('password')
    return make_api_success_response(payload)
def apply_user(params):
    """
    Applies a user add / update / delete request from the command line.

    ``params`` carries ``mode`` (Parameters.MODE_ADD, MODE_UPDATE or,
    otherwise, delete), ``username``, and for add/update the ``firstname``,
    ``lastname``, ``email`` and ``password`` values. The existing record is
    looked up by username.

    Returns RETURN_OK on success, RETURN_BAD_PARAMS when a validation rule
    fails (the reason is reported through ``error()``), or RETURN_DB_ERROR
    when the data layer raises DBError.
    """
    from imageserver.flask_app import data_engine
    from imageserver.models import User
    from imageserver.errors import DBError

    def _add(existing):
        # A deleted record still occupies the username
        if existing:
            if existing.status == User.STATUS_DELETED:
                raise ValueError('A deleted user record for this username already exists')
            raise ValueError('This username already exists')
        data_engine.create_user(User(
            params.firstname,
            params.lastname,
            params.email,
            params.username,
            params.password,
            User.AUTH_TYPE_PASSWORD,
            False,  # NOTE(review): presumably the allow_api flag - confirm against User.__init__
            User.STATUS_ACTIVE
        ))
        log('User created')

    def _update(existing):
        if not existing:
            raise ValueError('The username was not found')
        if existing.status == User.STATUS_DELETED:
            raise ValueError('This user record is deleted')
        existing.first_name = params.firstname
        existing.last_name = params.lastname
        existing.email = params.email
        # The password is always replaced on update; whether an empty
        # password is rejected earlier is not visible here.
        existing.set_password(params.password)
        data_engine.save_object(existing)
        log('User updated')

    def _delete(existing):
        if not existing:
            raise ValueError('The username was not found')
        data_engine.delete_user(existing)
        log('User deleted')

    try:
        existing_user = data_engine.get_user(username=params.username)
        if params.mode == Parameters.MODE_ADD:
            _add(existing_user)
        elif params.mode == Parameters.MODE_UPDATE:
            _update(existing_user)
        else:
            _delete(existing_user)
        return RETURN_OK
    except ValueError as e:
        error(str(e))
        return RETURN_BAD_PARAMS
    except DBError as e:
        error(str(e))
        return RETURN_DB_ERROR
def user_edit(user_id):
    """
    Admin view: renders the user edit page.

    A positive ``user_id`` loads that user (with groups); anything else
    renders the page with ``user`` None, i.e. a blank form. Load failures
    are logged via log_security_error and shown to the page as ``err_msg``.

    NOTE(review): ``err_msg`` is the raw exception text (``str(e)``); other
    views on this page pass exception text through safe_error_str first.
    Confirm that raw exception messages are acceptable on this page.
    """
    embed = request.args.get('embed', '')
    user = None
    err_msg = None
    if user_id > 0:
        try:
            user = data_engine.get_user(user_id=user_id, load_groups=True)
        except Exception as e:
            log_security_error(e, request)
            err_msg = str(e)
    return render_template(
        'admin_user_edit.html',
        embed=embed,
        user=user,
        err_msg=err_msg,
        AUTH_TYPE_PASSWORD=User.AUTH_TYPE_PASSWORD,
        STATUS_ACTIVE=User.STATUS_ACTIVE
    )
def user_edit(user_id):
    """
    Admin view for editing (``user_id`` > 0) or creating (otherwise) a user.

    The user record is loaded together with its groups. If loading fails
    the exception is logged with log_security_error and its text is shown
    as ``err_msg``; the page is rendered either way.

    NOTE(review): the error shown is the unfiltered ``str(e)``; elsewhere
    exception text is passed through safe_error_str before rendering -
    confirm whether that is wanted here too.
    """
    embed = request.args.get('embed', '')
    user_record = None
    err_msg = None
    try:
        if user_id > 0:
            user_record = data_engine.get_user(
                user_id=user_id, load_groups=True
            )
    except Exception as e:
        log_security_error(e, request)
        err_msg = str(e)

    context = dict(
        embed=embed,
        user=user_record,
        err_msg=err_msg,
        AUTH_TYPE_PASSWORD=User.AUTH_TYPE_PASSWORD,
        STATUS_ACTIVE=User.STATUS_ACTIVE
    )
    return render_template('admin_user_edit.html', **context)
def get(self, user_id=None):
    """
    API handler: return one user (``user_id`` given) or every user
    (``user_id`` None), ordered by username.

    Raises DoesNotExistError for an unknown single user. The ``password``
    entry is removed from each serialised record before it is returned so
    no password material leaves the API.
    """
    if user_id is not None:
        # Single user
        record = data_engine.get_user(user_id)
        if record is None:
            raise DoesNotExistError(str(user_id))
        payload = object_to_dict(record)
        payload.pop('password')
        return make_api_success_response(payload)

    # Full listing
    payload = object_to_dict_list(
        data_engine.list_users(order_field=User.username)
    )
    for entry in payload:
        entry.pop('password')
    return make_api_success_response(payload)
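def put(self, user_id):
    """
    API handler: update an existing user's details.

    Raises DoesNotExistError if ``user_id`` is unknown. Updates first/last
    name, email, auth_type and allow_api from the validated form. The status
    field is deliberately not touched here. ``auth_type`` is assigned before
    the LDAP checks below, so they apply to the *new* auth type: username
    and password are only changed for non-LDAP accounts, and the password
    only when a non-empty one was supplied. The user's cached sessions are
    reset after saving.

    Returns the updated user as a dict with the ``password`` entry removed.
    The original handler returned the serialised user unfiltered, so stored
    password material was sent back to API clients.
    """
    params = self._get_validated_object_parameters(request.form, False)
    user = data_engine.get_user(user_id=user_id)
    if user is None:
        raise DoesNotExistError(str(user_id))

    user.first_name = params['first_name']
    user.last_name = params['last_name']
    user.email = params['email']
    user.auth_type = params['auth_type']
    user.allow_api = params['allow_api']
    # Don't update the status field with this method

    # Update username only if non-LDAP
    if user.auth_type != User.AUTH_TYPE_LDAP:
        user.username = params['username']
    # Update password only if non-LDAP and a new one was passed in
    if user.auth_type != User.AUTH_TYPE_LDAP and params['password']:
        user.set_password(params['password'])

    data_engine.save_object(user)
    # Reset session caches
    reset_user_sessions(user)

    # Never hand password material (even a hash) back to the client. pop()
    # with a default keeps this safe if the serialiser already omits it.
    udict = object_to_dict(user)
    udict.pop('password', None)
    return make_api_success_response(udict)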
def put(self, user_id):
    """
    API handler: update the user ``user_id`` from the validated form.

    Raises DoesNotExistError for an unknown user. Name, email, auth_type and
    allow_api are always updated; status never is. Because auth_type is set
    first, the LDAP rule below is evaluated against the new auth type: LDAP
    accounts keep their username and password, other accounts get the new
    username and, if one was supplied, the new password.

    Returns the saved user as a dict with the ``password`` entry stripped.
    NOTE(review): no cached-session reset is done after saving here;
    confirm whether that matters for changed auth_type / allow_api.
    """
    params = self._get_validated_object_parameters(request.form, False)
    account = data_engine.get_user(user_id=user_id)
    if account is None:
        raise DoesNotExistError(str(user_id))

    for attr in ('first_name', 'last_name', 'email', 'auth_type', 'allow_api'):
        setattr(account, attr, params[attr])
    # status is intentionally left alone by this method

    is_ldap = account.auth_type == User.AUTH_TYPE_LDAP
    if not is_ldap:
        account.username = params['username']
        # Only replace the password when a new one was actually sent
        if params['password']:
            account.set_password(params['password'])

    data_engine.save_object(account)

    # Strip password material before the record leaves the API
    payload = object_to_dict(account)
    payload.pop('password')
    return make_api_success_response(payload)
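def trace_permissions():
    """
    Admin view: traces a user's effective permissions on a folder.

    Query string: ``embed``, ``user`` (0 / unparsable means the anonymous
    user) and ``path`` (empty means the root folder). The template receives
    the folder, the selected user, the active user list, the result of
    ``permissions_engine._trace_folder_permissions`` and ``user_has_admin``,
    set when any group in the trace grants admin_files or admin_all.

    Fix: the original returned from inside a ``finally`` block, which
    silently discards any exception still propagating (including ones that
    are not ``Exception`` subclasses). Rendering still happens before the
    DB session is closed, since the model objects may depend on it.

    NOTE(review): the page shows the raw exception text (``str(e)``);
    consider passing it through an error-sanitising helper before rendering.
    """
    embed = request.args.get('embed', '')
    user_id = request.args.get('user', '')
    folder_path = request.args.get('path', '')
    if folder_path == '':
        folder_path = os.path.sep

    folder = None
    user = None
    users = []
    user_has_admin = False
    trace = None
    err_msg = None

    db_session = data_engine.db_get_session()
    try:
        try:
            # Get folder and selected user info
            # User can be None for an anonymous user
            user_id = parse_int(user_id)
            if user_id != 0:
                user = data_engine.get_user(user_id, _db_session=db_session)
                if user is None:
                    raise DoesNotExistError('This user no longer exists')
            folder = data_engine.get_folder(
                folder_path=folder_path, _db_session=db_session
            )
            if folder is None or folder.status == Folder.STATUS_DELETED:
                raise DoesNotExistError('This folder no longer exists')
            # Get users list
            users = data_engine.list_users(
                status=User.STATUS_ACTIVE,
                order_field=User.username,
                _db_session=db_session
            )
            # Get the folder+user traced permissions
            trace = permissions_engine._trace_folder_permissions(folder, user)
            # Flag on the UI if the user has admin
            for gdict in trace['groups']:
                gperms = gdict['group'].permissions
                if gperms.admin_files or gperms.admin_all:
                    user_has_admin = True
                    break
        except Exception as e:
            log_security_error(e, request)
            err_msg = str(e)

        # Render while the session is still open so lazily loaded
        # attributes on the folder / user / group objects remain reachable.
        return render_template(
            'admin_trace_permissions.html',
            embed=embed,
            folder=folder,
            folder_is_root=folder.is_root() if folder else False,
            user=user,
            user_list=users,
            trace=trace,
            user_has_admin=user_has_admin,
            err_msg=err_msg,
            GROUP_ID_PUBLIC=Group.ID_PUBLIC
        )
    finally:
        db_session.close()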