def post(self, request): """Add a group in address book. parent_group: -1 - no parent group; > 0 - have parent group. group_owner: default to system admin group_staff: default to system admin """ group_name = request.data.get('group_name', '').strip() if not group_name: error_msg = 'name %s invalid.' % group_name return api_error(status.HTTP_400_BAD_REQUEST, error_msg) # Check whether group name is validate. if not validate_group_name(group_name): error_msg = _('Name can only contain letters, numbers, blank, hyphen or underscore.') return api_error(status.HTTP_400_BAD_REQUEST, error_msg) # Check whether group name is duplicated. pattern_matched_groups = ccnet_api.search_groups(group_name, -1, -1) for group in pattern_matched_groups: if group.group_name == group_name: error_msg = _('There is already a group with that name.') return api_error(status.HTTP_400_BAD_REQUEST, error_msg) # Group owner is 'system admin' group_owner = request.data.get('group_owner', '') try: parent_group = int(request.data.get('parent_group', -1)) except ValueError: error_msg = 'parent_group invalid' return api_error(status.HTTP_400_BAD_REQUEST, error_msg) if parent_group < 0 and parent_group != -1: error_msg = 'parent_group invalid' return api_error(status.HTTP_400_BAD_REQUEST, error_msg) # TODO: check parent group exists try: if is_org_context(request): # request called by org admin org_id = request.user.org.org_id group_id = ccnet_api.create_org_group( org_id, group_name, group_owner, parent_group_id=parent_group) else: group_id = ccnet_api.create_group(group_name, group_owner, parent_group_id=parent_group) seafile_api.set_group_quota(group_id, -2) except SearpcError as e: logger.error(e) error_msg = 'Internal Server Error' return api_error(status.HTTP_500_INTERNAL_SERVER_ERROR, error_msg) # get info of new group group_info = address_book_group_to_dict(group_id) return Response(group_info, status=status.HTTP_200_OK)
def test_can_clean_department_repo_trash(self): if not LOCAL_PRO_DEV_ENV: return # create a department group_id = ccnet_api.create_group('department_test', 'system admin', parent_group_id=-1) seafile_api.set_group_quota(group_id, -2) repo_id = seafile_api.add_group_owned_repo(group_id, 'dep_test', 'rw') repo_owner = seafile_api.get_repo_owner(repo_id) assert '@seafile_group' in repo_owner group_repos = seafile_api.get_repos_by_group(group_id) assert len(group_repos) == 1 group = ccnet_api.get_group(group_id) # department add user ccnet_api.group_add_member(group_id, group.creator_name, self.user_name) ccnet_api.group_add_member(group_id, group.creator_name, self.tmp_user.username) ccnet_api.group_set_admin(group_id, self.user_name) ccnet_api.group_unset_admin(group_id, self.tmp_user.username) assert is_group_admin(group_id, self.user_name) assert not is_group_admin(group_id, self.tmp_user.username) file_name = 'dep_test.txt' self.create_file(repo_id=repo_id, parent_dir='/', filename=file_name, username=self.user_name) # delete a file first seafile_api.del_file(repo_id, '/', file_name, self.user_name) # get trash item count self.login_as(self.user) resp = self.client.get(reverse('api-v2.1-repo-trash', args=[repo_id])) json_resp = json.loads(resp.content) assert len(json_resp['data']) > 0 # department member can not clean trash self.logout() self.login_as(self.tmp_user) resp = self.client.delete(self.url) self.assertEqual(403, resp.status_code) # department admin can clean library trash self.logout() self.login_as(self.user) ccnet_api.group_set_admin(group_id, self.user_name) resp = self.client.delete(self.url) self.assertEqual(200, resp.status_code) # get trash item count again resp = self.client.get(self.url) json_resp = json.loads(resp.content) assert len(json_resp['data']) == 0
def post(self, request): """Add a group in address book. parent_group: -1 - no parent group; > 0 - have parent group. group_owner: default to system admin group_staff: default to system admin """ group_name = request.data.get('group_name', '').strip() if not group_name: error_msg = 'name %s invalid.' % group_name return api_error(status.HTTP_400_BAD_REQUEST, error_msg) # Check whether group name is validate. if not validate_group_name(group_name): error_msg = _(u'Name can only contain letters, numbers, blank, hyphen or underscore.') return api_error(status.HTTP_400_BAD_REQUEST, error_msg) # Check whether group name is duplicated. if check_group_name_conflict(request, group_name): error_msg = _(u'The name already exists.') return api_error(status.HTTP_400_BAD_REQUEST, error_msg) # Group owner is 'system admin' group_owner = request.data.get('group_owner', '') try: parent_group = int(request.data.get('parent_group', -1)) except ValueError: error_msg = 'parent_group invalid' return api_error(status.HTTP_400_BAD_REQUEST, error_msg) if parent_group < 0 and parent_group != -1: error_msg = 'parent_group invalid' return api_error(status.HTTP_400_BAD_REQUEST, error_msg) # TODO: check parent group exists try: if is_org_context(request): # request called by org admin org_id = request.user.org.org_id group_id = ccnet_api.create_org_group( org_id, group_name, group_owner, parent_group_id=parent_group) else: group_id = ccnet_api.create_group(group_name, group_owner, parent_group_id=parent_group) seafile_api.set_group_quota(group_id, -2) except SearpcError as e: logger.error(e) error_msg = 'Internal Server Error' return api_error(status.HTTP_500_INTERNAL_SERVER_ERROR, error_msg) # get info of new group group_info = address_book_group_to_dict(group_id) return Response(group_info, status=status.HTTP_200_OK)
def test_can_set_department_repo(self): if not LOCAL_PRO_DEV_ENV: return # create a department group_id = ccnet_api.create_group('department_test', 'system admin', parent_group_id=-1) seafile_api.set_group_quota(group_id, -2) repo_id = seafile_api.add_group_owned_repo(group_id, 'dep_test', 'rw') repo_owner = seafile_api.get_repo_owner(repo_id) assert '@seafile_group' in repo_owner group_repos = seafile_api.get_repos_by_group(group_id) assert len(group_repos) == 1 group = ccnet_api.get_group(group_id) # department add user ccnet_api.group_add_member(group_id, group.creator_name, self.user.username) ccnet_api.group_add_member(group_id, group.creator_name, self.tmp_user.username) ccnet_api.group_set_admin(group_id, self.user.username) ccnet_api.group_unset_admin(group_id, self.tmp_user.username) assert is_group_admin(group_id, self.user.username) assert not is_group_admin(group_id, self.tmp_user.username) url = reverse("api2-repo-history-limit", args=[repo_id]) self.config.ENABLE_REPO_HISTORY_SETTING = True # department member can not set self.logout() self.login_as(self.tmp_user) data = 'keep_days=%s' % 6 resp = self.client.put(url, data, 'application/x-www-form-urlencoded') self.assertEqual(403, resp.status_code) # department admin can set self.logout() self.login_as(self.user) data = 'keep_days=%s' % 6 resp = self.client.put(url, data, 'application/x-www-form-urlencoded') self.assertEqual(200, resp.status_code) self.remove_group(group_id) self.remove_repo(repo_id)
def post(self, request): """import department from work weixin permission: IsProVersion """ if not request.user.admin_permissions.can_manage_user(): return api_error(status.HTTP_403_FORBIDDEN, 'Permission denied.') # argument check department_id = request.data.get('work_weixin_department_id') try: department_id = int(department_id) except Exception as e: logger.error(e) error_msg = 'work_weixin_department_ids invalid.' return api_error(status.HTTP_400_BAD_REQUEST, error_msg) # is pro version and work weixin check if not IsProVersion or not admin_work_weixin_departments_check(): error_msg = 'Feature is not enabled.' return api_error(status.HTTP_403_FORBIDDEN, error_msg) access_token = get_work_weixin_access_token() if not access_token: logger.error('can not get work weixin access_token') error_msg = '获取企业微信组织架构失败' return api_error(status.HTTP_404_NOT_FOUND, error_msg) # list departments from work weixin api_department_list = self._list_departments_from_work_weixin( access_token, department_id) if api_department_list is None: error_msg = '获取企业微信组织架构失败' return api_error(status.HTTP_404_NOT_FOUND, error_msg) # list department members from work weixin api_user_list = self._list_department_members_from_work_weixin( access_token, department_id) if api_user_list is None: error_msg = '获取企业微信组织架构成员失败' return api_error(status.HTTP_404_NOT_FOUND, error_msg) # main success = list() failed = list() department_map_to_group_dict = dict() for index, department_obj in enumerate(api_department_list): # check department argument new_group_name = department_obj.get('name') department_obj_id = department_obj.get('id') if department_obj_id is None or not new_group_name or not validate_group_name( new_group_name): failed_msg = self._api_department_failed_msg( department_obj_id, new_group_name, '部门参数错误') failed.append(failed_msg) continue # check parent group if index == 0: parent_group_id = -1 else: parent_department_id = department_obj.get('parentid') parent_group_id = department_map_to_group_dict.get( parent_department_id) if parent_group_id is None: failed_msg = self._api_department_failed_msg( department_obj_id, new_group_name, '父级部门不存在') failed.append(failed_msg) continue # check department exist by group name exist, exist_group = self._admin_check_group_name_conflict( new_group_name) if exist: department_map_to_group_dict[ department_obj_id] = exist_group.id failed_msg = self._api_department_failed_msg( department_obj_id, new_group_name, '部门已存在') failed.append(failed_msg) continue # import department try: group_id = ccnet_api.create_group( new_group_name, DEPARTMENT_OWNER, parent_group_id=parent_group_id) seafile_api.set_group_quota(group_id, -2) department_map_to_group_dict[department_obj_id] = group_id success_msg = self._api_department_success_msg( department_obj_id, new_group_name, group_id) success.append(success_msg) except Exception as e: logger.error(e) failed_msg = self._api_department_failed_msg( department_obj_id, new_group_name, '部门导入失败') failed.append(failed_msg) # todo filter ccnet User database social_auth_queryset = SocialAuthUser.objects.filter( provider=WORK_WEIXIN_PROVIDER, uid__contains=WORK_WEIXIN_UID_PREFIX) # import api_user for api_user in api_user_list: uid = WORK_WEIXIN_UID_PREFIX + api_user.get('userid', '') api_user['contact_email'] = api_user['email'] api_user_name = api_user.get('name') # determine the user exists if social_auth_queryset.filter(uid=uid).exists(): email = social_auth_queryset.get(uid=uid).username else: # create user email = gen_user_virtual_id() create_user_success = _import_user_from_work_weixin( email, api_user) if not create_user_success: failed_msg = self._api_user_failed_msg( '', api_user_name, department_id, '导入用户失败') failed.append(failed_msg) continue # bind user to department api_user_department_list = api_user.get('department') for department_obj_id in api_user_department_list: group_id = department_map_to_group_dict.get(department_obj_id) if group_id is None: # the api_user also exist in the brother department which not import continue if ccnet_api.is_group_user(group_id, email): failed_msg = self._api_user_failed_msg( email, api_user_name, department_obj_id, '部门成员已存在') failed.append(failed_msg) continue try: ccnet_api.group_add_member(group_id, DEPARTMENT_OWNER, email) success_msg = self._api_user_success_msg( email, api_user_name, department_obj_id, group_id) success.append(success_msg) except Exception as e: logger.error(e) failed_msg = self._api_user_failed_msg( email, api_user_name, department_id, '导入部门成员失败') failed.append(failed_msg) return Response({ 'success': success, 'failed': failed, })
def put(self, request, group_id): """ Admin update a group 1. transfer a group. 2. set group quota Permission checking: 1. Admin user; """ # recourse check group_id = int(group_id) # Checked by URL Conf group = ccnet_api.get_group(group_id) if not group: error_msg = 'Group %d not found.' % group_id return api_error(status.HTTP_404_NOT_FOUND, error_msg) new_owner = request.data.get('new_owner', '') if new_owner: if not is_valid_username(new_owner): error_msg = 'new_owner %s invalid.' % new_owner return api_error(status.HTTP_400_BAD_REQUEST, error_msg) # check if new_owner exists, # NOT need to check old_owner for old_owner may has been deleted. try: User.objects.get(email=new_owner) except User.DoesNotExist: error_msg = 'User %s not found.' % new_owner return api_error(status.HTTP_404_NOT_FOUND, error_msg) old_owner = group.creator_name if new_owner == old_owner: error_msg = _(u'User %s is already group owner.') % new_owner return api_error(status.HTTP_400_BAD_REQUEST, error_msg) # transfer a group try: if not is_group_member(group_id, new_owner): ccnet_api.group_add_member(group_id, old_owner, new_owner) if not is_group_admin(group_id, new_owner): ccnet_api.group_set_admin(group_id, new_owner) ccnet_api.set_group_creator(group_id, new_owner) ccnet_api.group_unset_admin(group_id, old_owner) except SearpcError as e: logger.error(e) error_msg = 'Internal Server Error' return api_error(status.HTTP_500_INTERNAL_SERVER_ERROR, error_msg) # send admin operation log signal admin_op_detail = { "id": group_id, "name": group.group_name, "from": old_owner, "to": new_owner, } admin_operation.send(sender=None, admin_name=request.user.username, operation=GROUP_TRANSFER, detail=admin_op_detail) # set group quota group_quota = request.data.get('quota', '') if group_quota: try: group_quota = int(group_quota) except ValueError: error_msg = 'quota invalid.' return api_error(status.HTTP_400_BAD_REQUEST, error_msg) if not (group_quota > 0 or group_quota == -2): error_msg = 'quota invalid.' return api_error(status.HTTP_400_BAD_REQUEST, error_msg) try: seafile_api.set_group_quota(group_id, group_quota) except Exception as e: logger.error(e) error_msg = 'Internal Server Error' return api_error(status.HTTP_500_INTERNAL_SERVER_ERROR, error_msg) group_info = get_group_info(group_id) return Response(group_info)
def post(self, request): """import department from dingtalk """ if not ENABLE_DINGTALK: error_msg = 'Feature is not enabled.' return api_error(status.HTTP_403_FORBIDDEN, error_msg) if not request.user.admin_permissions.can_manage_user(): return api_error(status.HTTP_403_FORBIDDEN, 'Permission denied.') # argument check department_id = request.data.get('department_id') try: department_id = int(department_id) except Exception as e: logger.error(e) error_msg = 'department_id invalid.' return api_error(status.HTTP_400_BAD_REQUEST, error_msg) access_token = dingtalk_get_access_token() if not access_token: error_msg = '获取钉钉组织架构失败' return api_error(status.HTTP_404_NOT_FOUND, error_msg) # get department list # https://developers.dingtalk.com/document/app/obtain-the-department-list data = {'access_token': access_token, 'id': department_id} current_department_resp_json = requests.get(DINGTALK_DEPARTMENT_GET_DEPARTMENT_URL, params=data).json() current_department_list = [current_department_resp_json] sub_department_resp_json = requests.get(DINGTALK_DEPARTMENT_LIST_DEPARTMENT_URL, params=data).json() sub_department_list = sub_department_resp_json.get('department', []) department_list = current_department_list + sub_department_list department_list = sorted(department_list, key=lambda x:x['id']) # get department user list data = { 'access_token': access_token, 'department_id': department_id, 'offset': 0, 'size': DINGTALK_DEPARTMENT_USER_SIZE, } user_resp_json = requests.get(DINGTALK_DEPARTMENT_GET_DEPARTMENT_USER_LIST_URL, params=data).json() api_user_list = user_resp_json.get('userlist', []) # main success = list() failed = list() department_map_to_group_dict = dict() for index, department_obj in enumerate(department_list): # check department argument new_group_name = department_obj.get('name') department_obj_id = department_obj.get('id') parent_department_id = department_obj.get('parentid', 0) if department_obj_id is None or not new_group_name or not validate_group_name(new_group_name): failed_msg = self._api_department_failed_msg( department_obj_id, new_group_name, '部门参数错误') failed.append(failed_msg) continue # check parent group if index == 0: parent_group_id = -1 else: parent_group_id = department_map_to_group_dict.get(parent_department_id) if parent_group_id is None: failed_msg = self._api_department_failed_msg( department_obj_id, new_group_name, '父级部门不存在') failed.append(failed_msg) continue # check department exist exist_department = ExternalDepartment.objects.get_by_provider_and_outer_id( DINGTALK_PROVIDER, department_obj_id) if exist_department: department_map_to_group_dict[department_obj_id] = exist_department.group_id failed_msg = self._api_department_failed_msg( department_obj_id, new_group_name, '部门已存在') failed.append(failed_msg) continue # import department try: group_id = ccnet_api.create_group( new_group_name, DEPARTMENT_OWNER, parent_group_id=parent_group_id) seafile_api.set_group_quota(group_id, -2) ExternalDepartment.objects.create( group_id=group_id, provider=DINGTALK_PROVIDER, outer_id=department_obj_id, ) department_map_to_group_dict[department_obj_id] = group_id success_msg = self._api_department_success_msg( department_obj_id, new_group_name, group_id) success.append(success_msg) except Exception as e: logger.error(e) failed_msg = self._api_department_failed_msg( department_obj_id, new_group_name, '部门导入失败') failed.append(failed_msg) # todo filter ccnet User database social_auth_queryset = SocialAuthUser.objects.filter(provider='dingtalk') # import api_user for api_user in api_user_list: uid = api_user.get('unionid', '') api_user['contact_email'] = api_user['email'] api_user_name = api_user.get('name') # determine the user exists if social_auth_queryset.filter(uid=uid).exists(): email = social_auth_queryset.get(uid=uid).username else: # create user email = gen_user_virtual_id() try: User.objects.create_user(email) SocialAuthUser.objects.add(email, 'dingtalk', uid) except Exception as e: logger.error(e) failed_msg = self._api_user_failed_msg( '', api_user_name, department_id, '导入用户失败') failed.append(failed_msg) continue # bind user to department api_user_department_list = api_user.get('department') for department_obj_id in api_user_department_list: group_id = department_map_to_group_dict.get(department_obj_id) if group_id is None: # the api_user also exist in the brother department which not import continue if ccnet_api.is_group_user(group_id, email, in_structure=False): failed_msg = self._api_user_failed_msg( email, api_user_name, department_obj_id, '部门成员已存在') failed.append(failed_msg) continue try: ccnet_api.group_add_member(group_id, DEPARTMENT_OWNER, email) success_msg = self._api_user_success_msg( email, api_user_name, department_obj_id, group_id) success.append(success_msg) except Exception as e: logger.error(e) failed_msg = self._api_user_failed_msg( email, api_user_name, department_id, '导入部门成员失败') failed.append(failed_msg) try: update_dingtalk_user_info(email, api_user.get('name'), api_user.get('contact_email'), api_user.get('avatar')) except Exception as e: logger.error(e) return Response({ 'success': success, 'failed': failed, })
def create_and_add_group_to_db(self, dn_name, group, group_dn_db, group_data_ldap): if group.is_department and group_dn_db.has_key(dn_name): return group_dn_db[dn_name] super_user = None if group.is_department: super_user = '******' else: super_user = LdapGroupSync.get_super_user() parent_id = 0 if not group.is_department: parent_id = 0 else: if not group.parent_dn: parent_id = -1 elif group_dn_db.has_key(group.parent_dn): parent_id = group_dn_db[group.parent_dn] else: parent_group = group_data_ldap[group.parent_dn] parent_id = self.create_and_add_group_to_db( group.parent_dn, parent_group, group_dn_db, group_data_ldap) group_id = ccnet_api.create_group(group.cn, super_user, 'LDAP', parent_id) if group_id < 0: logger.warning('create ldap group [%s] failed.' % group.cn) return ret = add_group_dn_pair(group_id, dn_name) if ret < 0: logger.warning('add group dn pair %d<->%s failed.' % (group_id, dn_name)) # admin should remove created group manually in web return logger.debug('create group %d, and add dn pair %s<->%d success.' % (group_id, dn_name, group_id)) self.agroup += 1 group.group_id = group_id if group.is_department: if group.config.default_department_quota > 0: quota_to_set = group.config.default_department_quota * 1000000 else: quota_to_set = group.config.default_department_quota ret = seafile_api.set_group_quota(group_id, quota_to_set) if ret < 0: logger.warning('Failed to set group [%s] quota.' % group.cn) if group.config.create_department_library: ret = seafile_api.add_group_owned_repo(group_id, group.cn, 'rw') if not ret: logger.warning( 'Failed to create group owned repo for %s.' % group.cn) for member in group.members: ret = group_add_member(group_id, super_user, member) if ret < 0: logger.warning('add member %s to group %d failed.' % (member, group_id)) return logger.debug('add member %s to group %d success.' % (member, group_id)) group_dn_db[dn_name] = group_id return group_id
def put(self, request, group_id): """ Admin update a group 1. transfer a group. 2. set group quota Permission checking: 1. Admin user; """ # recourse check group_id = int(group_id) # Checked by URL Conf group = ccnet_api.get_group(group_id) if not group: error_msg = 'Group %d not found.' % group_id return api_error(status.HTTP_404_NOT_FOUND, error_msg) new_owner = request.data.get('new_owner', '') if new_owner: if not is_valid_username(new_owner): error_msg = 'new_owner %s invalid.' % new_owner return api_error(status.HTTP_400_BAD_REQUEST, error_msg) # check if new_owner exists, # NOT need to check old_owner for old_owner may has been deleted. try: User.objects.get(email=new_owner) except User.DoesNotExist: error_msg = 'User %s not found.' % new_owner return api_error(status.HTTP_404_NOT_FOUND, error_msg) old_owner = group.creator_name if new_owner == old_owner: error_msg = _(u'User %s is already group owner.') % new_owner return api_error(status.HTTP_400_BAD_REQUEST, error_msg) # transfer a group try: if not is_group_member(group_id, new_owner): ccnet_api.group_add_member(group_id, old_owner, new_owner) if not is_group_admin(group_id, new_owner): ccnet_api.group_set_admin(group_id, new_owner) ccnet_api.set_group_creator(group_id, new_owner) ccnet_api.group_unset_admin(group_id, old_owner) except SearpcError as e: logger.error(e) error_msg = 'Internal Server Error' return api_error(status.HTTP_500_INTERNAL_SERVER_ERROR, error_msg) # send admin operation log signal admin_op_detail = { "id": group_id, "name": group.group_name, "from": old_owner, "to": new_owner, } admin_operation.send(sender=None, admin_name=request.user.username, operation=GROUP_TRANSFER, detail=admin_op_detail) # set group quota group_quota = request.data.get('quota', '') if group_quota: try: group_quota = int(group_quota) except ValueError: error_msg = 'quota invalid.' return api_error(status.HTTP_400_BAD_REQUEST, error_msg) if not (group_quota > 0 or group_quota == -2): error_msg = 'quota invalid.' return api_error(status.HTTP_400_BAD_REQUEST, error_msg) try: seafile_api.set_group_quota(group_id, group_quota) except Exception as e: logger.error(e) error_msg = 'Internal Server Error' return api_error(status.HTTP_500_INTERNAL_SERVER_ERROR, error_msg) group_info = get_group_info(group_id) return Response(group_info)