コード例 #1
ファイル: __init__.py プロジェクト: TeMbl4/rophako
def impersonate(uid):
    """Switch the current session over to another user's account.

    Redirects to the user list with a flash message when ``uid`` does not
    exist or belongs to an account whose role is ``"deleted"``. Otherwise the
    session's identity fields are replaced with the target's, the uid that
    was in the session beforehand is kept under ``impersonator``, and the
    browser is sent to the index page.
    """
    # NOTE(review): no permission check is visible inside this function --
    # presumably the route is wrapped in an admin-only decorator; confirm.
    # NOTE(review): uid is stored in the session exactly as received, with no
    # int() cast here; confirm the route converter already yields an int so
    # later uid comparisons are like-for-like.
    if not User.exists(uid=uid):
        flash("That user ID wasn't found.")
        return redirect(url_for(".users"))

    target = User.get_user(uid=uid)
    if target["role"] == "deleted":
        flash("That user was deleted!")
        return redirect(url_for(".users"))

    # Capture the current uid before the identity is swapped out.
    # NOTE(review): if this session is already impersonating someone, the
    # value recorded is that impersonated uid, not the original account --
    # confirm that is the intended audit trail.
    identity = {
        "login": True,
        "uid": uid,
        "username": target["username"],
        "name": target["name"],
        "role": target["role"],
        "impersonator": session["uid"],
    }
    session.update(identity)

    flash("Now logged in as {}".format(target["name"]))
    return redirect(url_for("index"))
コード例 #2
ファイル: __init__.py プロジェクト: TeMbl4/rophako
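def create_user():
    """Create a new account from the submitted form.

    Reads ``username``, ``name``, ``password1``, ``password2`` and ``role``
    from ``request.form``, rejects a username that already exists and
    anything ``validate_create_form`` reports, then creates the user. Every
    path ends in a redirect to the user list with a flash message.
    """
    # NOTE(review): no permission check is visible inside this function --
    # presumably the route is restricted to admins by a decorator; confirm.
    form = request.form
    username = form.get("username", "")
    name = form.get("name", "")
    pw1 = form.get("password1", "")
    pw2 = form.get("password2", "")
    role = form.get("role", "")

    # The display name falls back to the username as typed, so this has to
    # run before the username is lowercased.
    if not name:
        name = username

    # Usernames are stored and compared in lowercase.
    username = username.lower()
    if User.exists(username=username):
        flash("That username already exists.")
        return redirect(url_for(".users"))

    errors = validate_create_form(username, pw1, pw2)
    if errors:
        for error in errors:
            flash(error)
        return redirect(url_for(".users"))

    # NOTE(review): role is passed through exactly as submitted; nothing in
    # this function restricts it to a known set of roles. Confirm that
    # User.create (or the caller's access control) constrains it.
    # The return value of User.create is not needed here.
    User.create(
        username=username,
        password=pw1,
        name=name,
        role=role,
    )

    flash("User created!")
    return redirect(url_for(".users"))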
コード例 #3
ファイル: __init__.py プロジェクト: kirsle/rophako
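def create_user():
    """Handle the "create user" form and add the new account.

    The form fields ``username``, ``name``, ``password1``, ``password2`` and
    ``role`` are read from ``request.form``. A duplicate username or any
    error returned by ``validate_create_form`` is flashed and the request is
    redirected to the user list; on success the account is created and the
    same redirect is issued.
    """
    # NOTE(review): no permission check is visible inside this function --
    # presumably the route is restricted to admins by a decorator; confirm.
    fields = request.form
    username = fields.get("username", "")
    name = fields.get("name", "")
    pw1 = fields.get("password1", "")
    pw2 = fields.get("password2", "")
    role = fields.get("role", "")

    # Default the display name to the username as entered (before it is
    # lowercased below).
    if not name:
        name = username

    # Usernames are handled in lowercase from here on.
    username = username.lower()
    if User.exists(username=username):
        flash("That username already exists.")
        return redirect(url_for(".users"))

    errors = validate_create_form(username, pw1, pw2)
    if errors:
        for error in errors:
            flash(error)
        return redirect(url_for(".users"))

    # NOTE(review): the submitted role reaches User.create unchanged; this
    # function does not check it against a list of valid roles. Confirm the
    # model or the route's access control constrains it.
    # The return value of User.create is not needed here.
    User.create(username=username, password=pw1, name=name, role=role)

    flash("User created!")
    return redirect(url_for(".users"))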
コード例 #4
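def before_request():
    """Called before all requests. Initialize global template variables.

    In order: load the default template variables into ``g.info``, seed a new
    session with the default session values, enforce the CSRF token on POST
    requests (aborting with 403 on a mismatch), refresh the logged-in user's
    username, name and role from the database, and finally mirror the session
    into ``g.info["session"]``.
    """
    import hmac

    # Default template vars.
    g.info = rophako.utils.default_vars()

    # Default session vars for a session that has none yet.
    if "login" not in session:
        session.update(g.info["session"])

    # CSRF protection: a POST must echo the token held in the session. The
    # token is popped, so each one is accepted at most once.
    # NOTE(review): only POST is checked; confirm no state-changing route
    # accepts another method.
    if request.method == "POST":
        expected = session.pop("_csrf", None)
        submitted = request.form.get("token")
        # A missing form field is rejected outright instead of being compared
        # as the string "None". The comparison itself is done on bytes with
        # hmac.compare_digest so it does not short-circuit on the first
        # differing character and so non-ASCII input is compared, not raised on.
        if (
            not expected
            or submitted is None
            or not hmac.compare_digest(
                str(expected).encode("utf-8"),
                str(submitted).encode("utf-8"),
            )
        ):
            abort(403)

    # Refresh their login status from the DB, so the session's username, name
    # and role always reflect the stored account rather than the cookie.
    if session["login"]:
        import rophako.model.user as User
        if not User.exists(uid=session["uid"]):
            # The account behind this session no longer exists: log them out.
            from rophako.modules.account import logout
            logout()
            return

        db = User.get_user(uid=session["uid"])
        session["username"] = db["username"]
        session["name"] = db["name"]
        session["role"] = db["role"]

    # Copy session params into g.info. The only people who should touch the
    # session are the login/out pages.
    for key in session:
        g.info["session"][key] = session[key]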
コード例 #5
ファイル: __init__.py プロジェクト: kirsle/rophako
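def edit_user(uid):
    """Show, update or delete the account with id ``uid``.

    A non-POST request renders the edit form. A POST with ``action=save``
    validates the submission and stores the new username, name, role and
    (when one was supplied) password. A POST with ``action=delete`` deletes
    the account unless it is the caller's own. An unknown ``uid`` is flashed
    and redirected to the user list.
    """
    # NOTE(review): no permission check is visible inside this function --
    # presumably the route is restricted to admins by a decorator; confirm.
    uid = int(uid)

    # Reject unknown ids up front instead of depending on whatever get_user
    # returns for a missing account (not visible from here).
    if not User.exists(uid=uid):
        flash("That user ID wasn't found.")
        return redirect(url_for(".users"))

    user = User.get_user(uid=uid)

    if request.method == "POST":
        form = request.form
        action = form.get("action", "")
        username = form.get("username", "").lower()
        name = form.get("name", "")
        pw1 = form.get("password1", "")
        pw2 = form.get("password2", "")
        role = form.get("role", "")

        if action == "save":
            renamed = username != user["username"]

            # Don't allow them to change the username to one that exists.
            if renamed and User.exists(username=username):
                flash("That username already exists.")
                return redirect(url_for(".edit_user", uid=uid))

            # A new password gets the full validation; a rename without a
            # password only validates the username; otherwise nothing to check.
            errors = None
            if pw1:
                errors = validate_create_form(username, pw1, pw2)
            elif renamed:
                errors = validate_create_form(username, skip_passwd=True)

            if errors:
                for error in errors:
                    flash(error)
                return redirect(url_for(".edit_user", uid=uid))

            # NOTE(review): role is stored exactly as submitted (an empty
            # string when the field is absent); nothing here limits it to a
            # known set of roles. Confirm that is enforced elsewhere.
            user["username"] = username
            user["name"] = name or username
            user["role"] = role
            if pw1:
                # Only the hash is written to the user record.
                user["password"] = User.hash_password(pw1)
            User.update_user(uid, user)

            flash("User account updated!")
            return redirect(url_for(".users"))

        elif action == "delete":
            # Don't let them delete themself!
            if uid == g.info["session"]["uid"]:
                flash("You shouldn't delete yourself!")
                return redirect(url_for(".edit_user", uid=uid))

            User.delete_user(uid)
            flash("User deleted!")
            return redirect(url_for(".users"))

    # GET, or a POST whose action is neither "save" nor "delete".
    return template("admin/edit_user.html", info=user)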
コード例 #6
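def setup():
    """Initial setup to create the Admin user account.

    Once a user with uid 1 exists the view only flashes a notice and
    redirects to the index. Before that, a POST creates an account with the
    ``admin`` role from the submitted form and redirects to the login page;
    any other request renders the setup form.
    """
    # This can't be done if users already exist on the CMS!
    # NOTE(review): until uid 1 exists, nothing visible here requires the
    # caller to be authenticated, and the existence check and User.create are
    # separate steps. Confirm a fresh deployment finishes setup before it is
    # reachable by others, and that User.create tolerates concurrent requests.
    if User.exists(uid=1):
        flash(
            "This website has already been configured (users already created)."
        )
        return redirect(url_for("index"))

    if request.method != "POST":
        return template("account/setup.html")

    form = request.form
    username = form.get("username", "")
    name = form.get("name", "")
    pw1 = form.get("password1", "")
    pw2 = form.get("password2", "")

    # The display name falls back to the username as typed, so this has to
    # run before the username is lowercased.
    if not name:
        name = username

    username = username.lower()
    if User.exists(username=username):
        flash("That username already exists.")
        return redirect(url_for(".setup"))

    errors = validate_create_form(username, pw1, pw2)
    if errors:
        for error in errors:
            flash(error)
        return redirect(url_for(".setup"))

    # The role is fixed to "admin" here; it is never read from the form.
    # The return value of User.create is not needed.
    User.create(
        username=username,
        password=pw1,
        name=name,
        role="admin",
    )

    flash("Admin user created! Please log in now.")
    return redirect(url_for(".login"))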
コード例 #7
ファイル: __init__.py プロジェクト: TeMbl4/rophako
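def setup():
    """Initial setup to create the Admin user account.

    If a user with uid 1 already exists, flash a notice and redirect to the
    index. Otherwise a POST creates an ``admin``-role account from the form
    and redirects to the login page, and any other method renders the setup
    template.
    """
    # This can't be done if users already exist on the CMS!
    # NOTE(review): while uid 1 does not exist, this function asks for no
    # authentication, and the check below is not atomic with User.create.
    # Confirm setup is completed before the site is exposed and that
    # concurrent submissions are handled by the model.
    if User.exists(uid=1):
        flash("This website has already been configured (users already created).")
        return redirect(url_for("index"))

    if request.method != "POST":
        return template("account/setup.html")

    fields = request.form
    username = fields.get("username", "")
    name = fields.get("name", "")
    pw1 = fields.get("password1", "")
    pw2 = fields.get("password2", "")

    # Default the display name to the username as entered (before it is
    # lowercased below).
    if not name:
        name = username

    username = username.lower()
    if User.exists(username=username):
        flash("That username already exists.")
        return redirect(url_for(".setup"))

    errors = validate_create_form(username, pw1, pw2)
    if errors:
        for error in errors:
            flash(error)
        return redirect(url_for(".setup"))

    # The role is hard-coded to "admin"; the form cannot influence it.
    # The return value of User.create is not needed.
    User.create(
        username=username,
        password=pw1,
        name=name,
        role="admin",
    )

    flash("Admin user created! Please log in now.")
    return redirect(url_for(".login"))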
コード例 #8
ファイル: __init__.py プロジェクト: kirsle/rophako
def impersonate(uid):
    """Log the current session in as the user identified by ``uid``.

    An unknown ``uid`` or an account with the ``"deleted"`` role is flashed
    and redirected to the user list. Otherwise the session takes on the
    target's uid, username, name and role, stores the previous session uid
    as ``impersonator``, and the response redirects to the index.
    """
    # NOTE(review): no permission check is visible inside this function --
    # presumably the route is wrapped in an admin-only decorator; confirm.
    # NOTE(review): uid goes into the session without an int() cast here;
    # confirm the route converter already yields an int so later uid
    # comparisons are like-for-like.
    if not User.exists(uid=uid):
        flash("That user ID wasn't found.")
        return redirect(url_for(".users"))

    account = User.get_user(uid=uid)
    if account["role"] == "deleted":
        flash("That user was deleted!")
        return redirect(url_for(".users"))

    # Read the current uid before it is overwritten by the update below.
    # NOTE(review): when the session is already an impersonation, this is the
    # impersonated uid rather than the original account -- confirm intended.
    previous_uid = session["uid"]
    new_identity = {
        "login": True,
        "uid": uid,
        "username": account["username"],
        "name": account["name"],
        "role": account["role"],
        "impersonator": previous_uid,
    }
    session.update(new_identity)

    flash("Now logged in as {}".format(account["name"]))
    return redirect(url_for("index"))
コード例 #9
ファイル: app.py プロジェクト: kirsle/rophako
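def before_request():
    """Called before all requests. Initialize global template variables.

    In order: configure the session lifetime, load the default template
    variables into ``g.info``, seed a new session with the default session
    values, enforce the CSRF token on POST requests (aborting with 403 on a
    mismatch), refresh the logged-in user's username, name and role from the
    database, and mirror the session into ``g.info["session"]``.
    """
    import hmac

    # Session lifetime: marking the session permanent makes it expire after
    # the configured number of days.
    app.permanent_session_lifetime = datetime.timedelta(
        days=Config.security.session_lifetime
    )
    session.permanent = True

    # Default template vars.
    g.info = rophako.utils.default_vars()

    # Default session vars for a session that has none yet.
    if "login" not in session:
        session.update(g.info["session"])

    # CSRF protection: a POST must echo the token held in the session. The
    # token is popped, so each one is accepted at most once.
    # NOTE(review): only POST is checked; confirm no state-changing route
    # accepts another method.
    if request.method == "POST":
        expected = session.pop("_csrf", None)
        submitted = request.form.get("token")
        # A missing form field is rejected outright instead of being compared
        # as the string "None". The comparison itself is done on bytes with
        # hmac.compare_digest so it does not short-circuit on the first
        # differing character and so non-ASCII input is compared, not raised on.
        if (
            not expected
            or submitted is None
            or not hmac.compare_digest(
                str(expected).encode("utf-8"),
                str(submitted).encode("utf-8"),
            )
        ):
            abort(403)

    # Refresh their login status from the DB, so the session's username, name
    # and role always reflect the stored account rather than the cookie.
    if session["login"]:
        import rophako.model.user as User
        if not User.exists(uid=session["uid"]):
            # The account behind this session no longer exists: log them out.
            from rophako.modules.account import logout
            logout()
            return

        db = User.get_user(uid=session["uid"])
        session["username"] = db["username"]
        session["name"] = db["name"]
        session["role"] = db["role"]

    # Copy session params into g.info. The only people who should touch the
    # session are the login/out pages.
    for key in session:
        g.info["session"][key] = session[key]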
コード例 #10
ファイル: __init__.py プロジェクト: TeMbl4/rophako
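def edit_user(uid):
    """Admin form handler for a single account, identified by ``uid``.

    Renders the edit form unless the request is a POST. ``action=save``
    validates and stores username, name, role and, when supplied, a new
    password; ``action=delete`` deletes the account unless it is the
    caller's own. An unknown ``uid`` is flashed and redirected to the user
    list.
    """
    # NOTE(review): no permission check is visible inside this function --
    # presumably the route is restricted to admins by a decorator; confirm.
    uid = int(uid)

    # Bail out on unknown ids rather than relying on what get_user returns
    # for a missing account (not visible from here).
    if not User.exists(uid=uid):
        flash("That user ID wasn't found.")
        return redirect(url_for(".users"))

    user = User.get_user(uid=uid)

    if request.method == "POST":
        fields = request.form
        action = fields.get("action", "")
        username = fields.get("username", "").lower()
        name = fields.get("name", "")
        pw1 = fields.get("password1", "")
        pw2 = fields.get("password2", "")
        role = fields.get("role", "")

        if action == "save":
            username_changed = username != user["username"]

            # Don't allow them to change the username to one that exists.
            if username_changed and User.exists(username=username):
                flash("That username already exists.")
                return redirect(url_for(".edit_user", uid=uid))

            # Full validation when a password was entered, username-only
            # validation for a plain rename, none when neither changed.
            errors = None
            if pw1:
                errors = validate_create_form(username, pw1, pw2)
            elif username_changed:
                errors = validate_create_form(username, skip_passwd=True)

            if errors:
                for error in errors:
                    flash(error)
                return redirect(url_for(".edit_user", uid=uid))

            # NOTE(review): the submitted role is written as-is (an empty
            # string if the field is missing); this function does not check
            # it against a list of valid roles. Confirm that happens elsewhere.
            user["username"] = username
            user["name"] = name or username
            user["role"] = role
            if pw1:
                # Only the hash is written to the user record.
                user["password"] = User.hash_password(pw1)
            User.update_user(uid, user)

            flash("User account updated!")
            return redirect(url_for(".users"))

        elif action == "delete":
            # Don't let them delete themself!
            if uid == g.info["session"]["uid"]:
                flash("You shouldn't delete yourself!")
                return redirect(url_for(".edit_user", uid=uid))

            User.delete_user(uid)
            flash("User deleted!")
            return redirect(url_for(".users"))

    # GET, or a POST whose action is neither "save" nor "delete".
    return template(
        "admin/edit_user.html",
        info=user,
    )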