def validate_dms_token(*args, **kwargs): if flask.request.args.get("token") != settings.DMS_WEBHOOK_TOKEN: errors = ForbiddenError() errors.add_error("token", "Invalid token") raise errors return route_function(*args, **kwargs)
def wrapper(*args, **kwargs): mandatory_authorization_type = "Bearer " authorization_header = request.headers.get("Authorization") if authorization_header and mandatory_authorization_type in authorization_header: adage_jwt = authorization_header.replace( mandatory_authorization_type, "") try: adage_jwt_decoded = user_utils.decode_jwt_token_rs256( adage_jwt) except InvalidSignatureError as invalid_signature_error: logger.error("Signature of adage jwt cannot be verified", extra={"error": invalid_signature_error}) raise ForbiddenError({"Authorization": "Unrecognized token"}) except ExpiredSignatureError as expired_signature_error: logger.warning("Token has expired", extra={"error": expired_signature_error}) raise InvalidTokenError("Token expired") if not adage_jwt_decoded.get("exp"): logger.warning("Token does not contain an expiration date") raise InvalidTokenError("No expiration date provided") authenticated_information = AuthenticatedInformation( civility=adage_jwt_decoded.get("civilite"), lastname=adage_jwt_decoded.get("nom"), firstname=adage_jwt_decoded.get("prenom"), email=adage_jwt_decoded.get("mail"), uai=adage_jwt_decoded.get("uai"), ) kwargs["authenticated_information"] = authenticated_information return route_function(*args, **kwargs) raise ForbiddenError({"Authorization": "Unrecognized token"})
def check_user_can_validate_bookings_v2(user: User, offerer_id: int) -> None: if not user.has_access(offerer_id): api_errors = ForbiddenError() api_errors.add_error( "user", "Vous n’avez pas les droits suffisants pour valider cette contremarque car cette réservation n'a pas été faite sur une de vos offres, ou que votre rattachement à la structure est encore en cours de validation", ) raise api_errors
def check_user_can_validate_bookings_v2(user, offerer_id: int): if not user.has_access(offerer_id): api_errors = ForbiddenError() api_errors.add_error( "user", "Vous n'avez pas les droits suffisants pour valider cette contremarque." ) raise api_errors
def check_user_can_load_config(user: User) -> None: if settings.IS_PROD and user.email not in settings.SUPER_ADMIN_EMAIL_ADDRESSES: error = ForbiddenError() error.add_error( "type", "Seuls les membres de l'équipe de validation peuvent éditer cette configuration" ) raise error
def check_api_key_allows_to_validate_booking(valid_api_key: ApiKey, offerer_id: int) -> None: if not valid_api_key.offererId == offerer_id: api_errors = ForbiddenError() api_errors.add_error( "user", "Vous n’avez pas les droits suffisants pour valider cette contremarque car cette réservation n'a pas été faite sur une de vos offres, ou que votre rattachement à la structure est encore en cours de validation", ) raise api_errors
def check_user_can_create_activation_event(user: User) -> None: if not user.isAdmin: error = ForbiddenError() error.add_error( "type", "Seuls les administrateurs du pass Culture peuvent créer des offres d'activation" ) raise error
def check_user_can_validate_activation_offer(user): forbidden_error = ForbiddenError() if not user.isAdmin: forbidden_error.add_error( "user", "Vous n'avez pas les droits suffisants pour valider cette contremarque." ) raise forbidden_error
def check_api_key_allows_to_cancel_booking(valid_api_key: ApiKey, offerer_id: int): if not valid_api_key.offererId == offerer_id: api_errors = ForbiddenError() api_errors.add_error( "user", "Vous n'avez pas les droits suffisants pour annuler cette réservation." ) raise api_errors
def check_api_key_allows_to_validate_booking(valid_api_key: ApiKey, offerer_id: int): if not valid_api_key.offererId == offerer_id: api_errors = ForbiddenError() api_errors.add_error( "user", "Vous n'avez pas les droits suffisants pour valider cette contremarque." ) raise api_errors
def check_user_can_validate_bookings_v2(self, offerer_id: int): user_has_editors_right = self.hasRights(RightsType.editor, offerer_id) if not user_has_editors_right: api_errors = ForbiddenError() api_errors.add_error( "user", "Vous n'avez pas les droits suffisants pour valider cette contremarque." ) raise api_errors
def check_client_version() -> None: client_version_header = flask.request.headers.get("app-version", None) sentry_sdk.set_tag("client.version", client_version_header) if not client_version_header: return try: client_version = semver.VersionInfo.parse(client_version_header) except ValueError: raise ForbiddenError(errors={"code": "UPGRADE_REQUIRED"}) if client_version < settings.NATIVE_APP_MINIMAL_CLIENT_VERSION: raise ForbiddenError(errors={"code": "UPGRADE_REQUIRED"})
def retrieve_authenticated_user(*args, **kwargs): # type: ignore email = get_jwt_identity() user = find_user_by_email(email) if user is None or not user.isActive: logger.error("Authenticated user with email %s not found or inactive", email) raise ForbiddenError({"email": ["Utilisateur introuvable"]}) return route_function(user, *args, **kwargs)
def wrapper(*args, **kwds): mandatory_authorization_type = "Bearer " authorization_header = request.headers.get("Authorization") if authorization_header and mandatory_authorization_type in authorization_header: adage_api_key = authorization_header.replace(mandatory_authorization_type, "") if adage_api_key == settings.EAC_API_KEY: return route_function(*args, **kwds) raise ForbiddenError({"Authorization": ["Wrong api key"]})
def change_password(user: User, body: ChangePasswordRequest) -> None: try: users_repo.check_user_and_credentials(user, body.current_password) except users_exceptions.InvalidIdentifier: raise ApiErrors({"code": "INVALID_PASSWORD", "currentPassword": ["Le mot de passe est incorrect"]}) except users_exceptions.CredentialsException: raise ForbiddenError() try: check_password_strength("newPassword", body.new_password) except ApiErrors: raise ApiErrors({"code": "WEAK_PASSWORD", "newPassword": ["Le nouveau mot de passe est trop faible"]}) user.setPassword(body.new_password) repository.save(user)
def retrieve_authenticated_user(*args, **kwargs): # type: ignore email = get_jwt_identity() user = find_user_by_email(email) if user is None or not user.isActive: logger.info( "Authenticated user with email %s not found or inactive", email) raise ForbiddenError({"email": ["Utilisateur introuvable"]}) # push the user to the current context - similar to flask-login ctx = _request_ctx_stack.top ctx.user = user # the user is set in sentry in before_request, way before we do the # token auth so it needs to be also set here. sentry_sdk.set_user({"id": user.id}) sentry_sdk.set_tag("device.id", request.headers.get("device-id", None)) return route_function(user, *args, **kwargs)
def check_demarches_simplifiees_webhook_token(token): if token != settings.DMS_WEBHOOK_TOKEN: errors = ForbiddenError() errors.add_error("token", "Invalid token") raise errors
def check_user_can_alter_venue(user: User, venue_id: int) -> None: venue = Venue.query.get(venue_id) if not user.has_access(venue.managingOffererId): api_errors = ForbiddenError() api_errors.add_error("user", "Vous n'avez pas les droits suffisants pour modifier ce lieu.") raise api_errors