コード例 #1
0
ファイル: auth.py プロジェクト: WaliyaYohannaJoseph/hedy
    def login():
        body = request.json
        # Validations
        if not type_check(body, 'dict'):
            return 'body must be an object', 400
        if not object_check(body, 'username', 'str'):
            return 'username must be a string', 400
        if not object_check(body, 'password', 'str'):
            return 'password must be a string', 400

        # If username has an @-sign, then it's an email
        if '@' in body['username']:
            user = db_get('users', {'email': body['username'].strip().lower()},
                          True)
        else:
            user = db_get('users',
                          {'username': body['username'].strip().lower()})

        if not user:
            return 'invalid username/password', 403
        if not check_password(body['password'], user['password']):
            return 'invalid username/password', 403

        cookie = make_salt()
        db_set(
            'tokens', {
                'id': cookie,
                'username': user['username'],
                'ttl': times() + session_length
            })
        db_set('users', {'username': user['username'], 'last_login': timems()})
        resp = make_response({})
        resp.set_cookie(cookie_name, value=cookie, httponly=True, path='/')
        return resp
コード例 #2
0
    def reset():
        body = request.json
        # Validations
        if not type_check(body, 'dict'):
            return 'body must be an object', 400
        if not object_check(body, 'username', 'str'):
            return 'body.username must be a string', 400
        if not object_check(body, 'token', 'str'):
            return 'body.token must be a string', 400
        if not object_check(body, 'password', 'str'):
            return 'body.password be a string', 400

        if len(body['password']) < 6:
            return 'password must be at least six characters long', 400

        # There's no need to trim or lowercase username, because it should come within a link prepared by the app itself and not inputted manually by the user.
        token = db_get('tokens', {'id': body['username']})
        if not token:
            return 'invalid username/token', 403
        if not check_password(body['token'], token['token']):
            return 'invalid username/token', 403

        hashed = hash(body['password'], make_salt())
        token = db_del('tokens', {'id': body['username']})
        db_set('users', {'username': body['username'], 'password': hashed})
        user = db_get('users', {'username': body['username']})

        if env:
            send_email_template('reset_password', user['email'],
                                requested_lang(), None)

        return '', 200
コード例 #3
0
ファイル: auth.py プロジェクト: balath/hedy
def current_user(request):
    if request.cookies.get(cookie_name):
        token = db_get('tokens', {'id': request.cookies.get(cookie_name)})
        if token:
            user = db_get('users', {'username': token['username']})
            if user:
                return user
    return {'username': '', 'email': ''}
コード例 #4
0
ファイル: auth.py プロジェクト: balath/hedy
    def login():
        body = request.json
        # Validations
        if not type_check(body, 'dict'):
            return 'body must be an object', 400
        if not object_check(body, 'username', 'str'):
            return 'username must be a string', 400
        if not object_check(body, 'password', 'str'):
            return 'password must be a string', 400

        # If username has an @-sign, then it's an email
        if '@' in body['username']:
            user = db_get('users', {'email': body['username'].strip().lower()},
                          True)
        else:
            user = db_get('users',
                          {'username': body['username'].strip().lower()})

        if not user:
            return 'invalid username/password', 403
        if not check_password(body['password'], user['password']):
            return 'invalid username/password', 403

        # If the number of bcrypt rounds has changed, create a new hash.
        new_hash = None
        if config['bcrypt_rounds'] != extract_bcrypt_rounds(user['password']):
            new_hash = hash(body['password'], make_salt())

        cookie = make_salt()
        db_set(
            'tokens', {
                'id': cookie,
                'username': user['username'],
                'ttl': times() + session_length
            })
        if new_hash:
            db_set(
                'users', {
                    'username': user['username'],
                    'password': new_hash,
                    'last_login': timems()
                })
        else:
            db_set('users', {
                'username': user['username'],
                'last_login': timems()
            })
        resp = make_response({})
        # We set the cookie to expire in a year, just so that the browser won't invalidate it if the same cookie gets renewed by constant use.
        # The server will decide whether the cookie expires.
        resp.set_cookie(cookie_name,
                        value=cookie,
                        httponly=True,
                        secure=True,
                        samesite='Lax',
                        path='/',
                        max_age=365 * 24 * 60 * 60)
        return resp
コード例 #5
0
ファイル: auth.py プロジェクト: balath/hedy
    def inner(*args, **kws):
        User = None
        if request.cookies.get(cookie_name):
            token = db_get('tokens', {'id': request.cookies.get(cookie_name)})
            if not token:
                return 'unauthorized', 403
            user = db_get('users', {'username': token['username']})
            if not user:
                return 'unauthorized', 403
        else:
            return 'unauthorized', 403

        return f(user, *args, **kws)
コード例 #6
0
    def verify_email():
        username = request.args.get('username', None)
        token = request.args.get('token', None)
        if not token:
            return 'no token', 400
        if not username:
            return 'no username', 400

        user = db_get('users', {'username': username})

        if not user:
            return 'invalid username/token', 403

        # If user is verified, succeed anyway
        if not 'verification_pending' in user:
            return redirect('/')

        if token != user['verification_pending']:
            return 'invalid username/token', 403

        db_update('users', {
            'username': username,
            'verification_pending': None
        })
        return redirect('/')
コード例 #7
0
def index(level, step):
    session_id()  # Run this for the side effect of generating a session ID
    g.level = level = int(level)
    g.lang = requested_lang()
    g.prefix = '/hedy'

    # If step is a string that has more than two characters, it must be an id of a program
    if step and type_check(step, 'str') and len(step) > 2:
        result = db_get('programs', {'id': step})
        if not result:
            return 'No such program', 404
        # Allow only the owner of the program, the admin user and the teacher users to access the program
        user = current_user(request)
        if user['username'] != result['username'] and not is_admin(
                request) and not is_teacher(request):
            return 'No such program!', 404
        loaded_program = result['code']
        # We default to step 1 to provide a meaningful default assignment
        step = 1
    else:
        loaded_program = None

    return hedyweb.render_assignment_editor(request=request,
                                            course=HEDY_COURSE[g.lang],
                                            level_number=level,
                                            assignment_number=step,
                                            menu=render_main_menu('hedy'),
                                            translations=TRANSLATIONS,
                                            version=version(),
                                            loaded_program=loaded_program)
コード例 #8
0
ファイル: auth.py プロジェクト: balath/hedy
    def mark_as_teacher():
        if not is_admin(request):
            return 'unauthorized', 403

        body = request.json

        # Validations
        if not type_check(body, 'dict'):
            return 'body must be an object', 400
        if not object_check(body, 'username', 'str'):
            return 'body.username must be a string', 400
        if not object_check(body, 'is_teacher', 'bool'):
            return 'body.is_teacher must be boolean', 400

        user = db_get('users', {'username': body['username'].strip().lower()})

        if not user:
            return 'invalid username', 400

        db_set(
            'users', {
                'username': user['username'],
                'is_teacher': 1 if body['is_teacher'] else 0
            })

        return '', 200
コード例 #9
0
ファイル: app.py プロジェクト: TiBiBa/hedy
def delete_program (user, program_id):
    result = db_get ('programs', {'id': program_id})
    if not result or result ['username'] != user ['username']:
        return "", 404
    db_del ('programs', {'id': program_id})
    program_count = 0
    if 'program_count' in user:
        program_count = user ['program_count']
    db_update ('users', {'username': user ['username'], 'program_count': program_count - 1})
    return redirect ('/programs')
コード例 #10
0
ファイル: app.py プロジェクト: TiBiBa/hedy
def index(level, step):


    # Sublevel requested
    if re.match ('\d+-\d+', level):
        pass
        # If level has a dash, we keep it as a string
    # Normal level requested
    elif re.match ('\d', level):
        try:
            g.level = level = int(level)
        except:
            return 'No such Hedy level!', 404
    else:
        return 'No such Hedy level!', 404

    g.lang = requested_lang()
    g.prefix = '/hedy'

    initialize_gfi_session(g.lang)

    loaded_program = ''
    loaded_program_name = ''
    adventure_name = ''

    # If step is a string that has more than two characters, it must be an id of a program
    if step and type_check (step, 'str') and len (step) > 2:
        result = db_get ('programs', {'id': step})
        if not result:
            return 'No such program', 404
        # If the program is not public, allow only the owner of the program, the admin user and the teacher users to access the program
        user = current_user (request)
        public_program = 'public' in result and result ['public']
        if not public_program and user ['username'] != result ['username'] and not is_admin (request) and not is_teacher (request):
            return 'No such program!', 404
        loaded_program = result ['code']
        loaded_program_name = result ['name']
        if 'adventure_name' in result:
            adventure_name = result ['adventure_name']
        # We default to step 1 to provide a meaningful default assignment
        step = 1

    adventure_assignments = load_adventure_assignments_per_level(g.lang, level)
    return hedyweb.render_assignment_editor(
        request=request,
        course=HEDY_COURSE[g.lang],
        level_number=level,
        assignment_number=step,
        menu=render_main_menu('hedy'),
        translations=TRANSLATIONS,
        version=version(),
        adventure_assignments=adventure_assignments,
        loaded_program=loaded_program,
        loaded_program_name=loaded_program_name,
        adventure_name=adventure_name)
コード例 #11
0
ファイル: auth.py プロジェクト: balath/hedy
    def recover():
        body = request.json
        # Validations
        if not type_check(body, 'dict'):
            return 'body must be an object', 400
        if not object_check(body, 'username', 'str'):
            return 'body.username must be a string', 400

        # If username has an @-sign, then it's an email
        if '@' in body['username']:
            user = db_get('users', {'email': body['username'].strip().lower()},
                          True)
        else:
            user = db_get('users',
                          {'username': body['username'].strip().lower()})

        if not user:
            return 'invalid username', 403

        token = make_salt()
        hashed = hash(token, make_salt())

        db_set(
            'tokens', {
                'id': user['username'],
                'token': hashed,
                'ttl': times() + session_length
            })

        if not env:
            # If on local environment, we return email verification token directly instead of emailing it, for test purposes.
            return jsonify({'username': user['username'], 'token': token}), 200
        else:
            send_email_template(
                'recover_password', user['email'], requested_lang(),
                os.getenv('BASE_URL') + '/reset?username='******'username']) + '&token=' +
                urllib.parse.quote_plus(token))
            return '', 200
コード例 #12
0
ファイル: app.py プロジェクト: TiBiBa/hedy
def share_unshare_program(user):
    body = request.json
    if not type_check (body, 'dict'):
        return 'body must be an object', 400
    if not object_check (body, 'id', 'str'):
        return 'id must be a string', 400
    if not object_check (body, 'public', 'bool'):
        return 'public must be a string', 400

    result = db_get ('programs', {'id': body ['id']})
    if not result or result ['username'] != user ['username']:
        return 'No such program!', 404

    db_update ('programs', {'id': body ['id'], 'public': 1 if body ['public'] else None})
    return jsonify({})
コード例 #13
0
ファイル: api.py プロジェクト: WB-Solutions/lab
 def get_queryset(self):
     qset = super(AbstractView, self).get_queryset()
     for name, deep in [ ('incats', True), ('cats', False) ]:
         cats = self.request.QUERY_PARAMS.get(name)
         if cats:
             model = qset.model # self.get_serializer().opts.model
             field = model._meta.get_field('cats')
             if field:
                 cats = utils.str_ints(cats)
                 if cats:
                     if deep:
                         target = field.related.parent_model
                         cats = utils.list_compact([ utils.db_get(target, cat) for cat in cats ])
                         cats = utils.tree_all_downs(cats)
                     qset = qset.filter(cats__in=cats)
                     # print 'get_queryset', self, type(qset), model, cats
     return qset
コード例 #14
0
ファイル: auth.py プロジェクト: tech189/hedy
    def update_profile (user):

        body = request.json
        if not type_check (body, 'dict'):
            return 'body must be an object', 400
        if 'email' in body:
            if not object_check (body, 'email', 'str'):
                return 'body.email must be a string', 400
            if not re.match ('^(([a-zA-Z0-9_\.\-]+)@([\da-zA-Z\.\-]+)\.([a-zA-Z\.]{2,6})\s*)$', body ['email']):
                return 'body.email must be a valid email', 400
        if 'country' in body:
            if not body ['country'] in countries:
                return 'body.country must be a valid country', 400
        if 'birth_year' in body:
            if not object_check (body, 'birth_year', 'int') or body ['birth_year'] <= 1900 or body ['birth_year'] > datetime.datetime.now ().year:
                return 'birth_year must be a year between 1900 and ' + str (datetime.datetime.now ().year), 400
        if 'gender' in body:
            if body ['gender'] != 'm' and body ['gender'] != 'f' and body ['gender'] != 'o':
                return 'body.gender must be m/f/o', 400

        resp = {}
        if 'email' in body:
            email = body ['email'].strip ().lower ()
            if email != user ['email']:
                exists = db_get ('users', {'email': email}, True)
                if exists:
                    return 'email exists', 403
                token = make_salt ()
                hashed_token = hash (token, make_salt ())
                db_set ('users', {'username': user ['username'], 'email': email, 'verification_pending': hashed_token})
                if not env:
                   # If on local environment, we return email verification token directly instead of emailing it, for test purposes.
                   resp = {'username': user ['username'], 'token': hashed_token}
                else:
                    send_email_template ('welcome_verify', email, requested_lang (), os.getenv ('BASE_URL') + '/auth/verify?username='******'&token=' + urllib.parse.quote_plus (hashed_token))

        if 'country' in body:
            db_set ('users', {'username': user ['username'], 'country': body ['country']})
        if 'birth_year' in body:
            db_set ('users', {'username': user ['username'], 'birth_year': body ['birth_year']})
        if 'gender' in body:
            db_set ('users', {'username': user ['username'], 'gender': body ['gender']})

        return jsonify (resp)
コード例 #15
0
    def change_user_email():
        if not is_admin(request):
            return 'unauthorized', 403

        body = request.json

        # Validations
        if not type_check(body, 'dict'):
            return 'body must be an object', 400
        if not object_check(body, 'username', 'str'):
            return 'body.username must be a string', 400
        if not object_check(body, 'email', 'str'):
            return 'body.email must be a string', 400
        if not valid_email(body['email']):
            return 'email must be a valid email', 400

        user = db_get('users', {'username': body['username'].strip().lower()})

        if not user:
            return 'invalid username', 400

        token = make_salt()
        hashed_token = hash(token, make_salt())

        # We assume that this email is not in use by any other users. In other words, we trust the admin to enter a valid, not yet used email address.
        db_update(
            'users', {
                'username': user['username'],
                'email': body['email'],
                'verification_pending': hashed_token
            })

        # If this is an e2e test, we return the email verification token directly instead of emailing it.
        if is_testing_request(request):
            resp = {'username': user['username'], 'token': hashed_token}
        else:
            send_email_template(
                'welcome_verify', body['email'], requested_lang(),
                os.getenv('BASE_URL') + '/auth/verify?username='******'username']) + '&token=' +
                urllib.parse.quote_plus(hashed_token))

        return '', 200
コード例 #16
0
ファイル: auth.py プロジェクト: balath/hedy
    def signup():
        body = request.json
        # Validations, mandatory fields
        if not type_check(body, 'dict'):
            return 'body must be an object', 400
        if not object_check(body, 'username', 'str'):
            return 'username must be a string', 400
        if '@' in body['username']:
            return 'username cannot contain an @-sign', 400
        if ':' in body['username']:
            return 'username cannot contain a colon', 400
        if len(body['username'].strip()) < 3:
            return 'username must be at least three characters long', 400
        if not object_check(body, 'password', 'str'):
            return 'password must be a string', 400
        if len(body['password']) < 6:
            return 'password must be at least six characters long', 400
        if not object_check(body, 'email', 'str'):
            return 'email must be a string', 400
        if not re.match(
                '^(([a-zA-Z0-9_\.\-]+)@([\da-zA-Z\.\-]+)\.([a-zA-Z\.]{2,6})\s*)$',
                body['email']):
            return 'email must be a valid email', 400
        # Validations, optional fields
        if 'country' in body:
            if not body['country'] in countries:
                return 'country must be a valid country', 400
        if 'birth_year' in body:
            if not object_check(
                    body, 'birth_year',
                    'int') or body['birth_year'] <= 1900 or body[
                        'birth_year'] > datetime.datetime.now().year:
                return 'birth_year must be a year between 1900 and ' + datetime.datetime.now(
                ).year, 400
        if 'gender' in body:
            if body['gender'] != 'm' and body['gender'] != 'f' and body[
                    'gender'] != 'o':
                return 'gender must be m/f/o', 400

        user = db_get('users', {'username': body['username'].strip().lower()})
        if user:
            return 'username exists', 403
        email = db_get('users', {'email': body['email'].strip().lower()}, True)
        if email:
            return 'email exists', 403

        hashed = hash(body['password'], make_salt())

        token = make_salt()
        hashed_token = hash(token, make_salt())
        username = body['username'].strip().lower()
        email = body['email'].strip().lower()

        if env and 'subscribe' in body and body['subscribe'] == True:
            # If we have a Mailchimp API key, we use it to add the subscriber through the API
            if os.getenv('MAILCHIMP_API_KEY') and os.getenv(
                    'MAILCHIMP_AUDIENCE_ID'):
                # The first domain in the path is the server name, which is contained in the Mailchimp API key
                request_path = 'https://' + os.getenv(
                    'MAILCHIMP_API_KEY').split(
                        '-')[1] + '.api.mailchimp.com/3.0/lists/' + os.getenv(
                            'MAILCHIMP_AUDIENCE_ID') + '/members'
                request_headers = {
                    'Content-Type': 'application/json',
                    'Authorization': 'apikey ' + os.getenv('MAILCHIMP_API_KEY')
                }
                request_body = {'email_address': email, 'status': 'subscribed'}
                r = requests.post(request_path,
                                  headers=request_headers,
                                  data=json.dumps(request_body))

                subscription_error = None
                if r.status_code != 200 and r.status_code != 400:
                    subscription_error = True
                # We can get a 400 if the email is already subscribed to the list. We should ignore this error.
                if r.status_code == 400 and not re.match(
                        '.*already a list member', r.text):
                    subscription_error = True
                # If there's an error in subscription through the API, we report it to the main email address
                if subscription_error:
                    send_email(
                        config['email']['sender'],
                        'ERROR - Subscription to Hedy newsletter on signup',
                        email, '<p>' + email + '</p><pre>Status:' +
                        str(r.status_code) + '    Body:' + r.text + '</pre>')
            # Otherwise, we send an email to notify about this to the main email address
            else:
                send_email(config['email']['sender'],
                           'Subscription to Hedy newsletter on signup', email,
                           '<p>' + email + '</p>')

        user = {
            'username': username,
            'password': hashed,
            'email': email,
            'created': timems(),
            'verification_pending': hashed_token
        }

        if 'country' in body:
            user['country'] = body['country']
        if 'birth_year' in body:
            user['birth_year'] = body['birth_year']
        if 'gender' in body:
            user['gender'] = body['gender']

        db_set('users', user)

        # We automatically login the user
        cookie = make_salt()
        db_set(
            'tokens', {
                'id': cookie,
                'username': user['username'],
                'ttl': times() + session_length
            })
        db_set('users', {'username': user['username'], 'last_login': timems()})

        # If on local environment, we return email verification token directly instead of emailing it, for test purposes.
        if not env:
            resp = make_response({'username': username, 'token': hashed_token})
        # Otherwise, we send an email with a verification link and we return an empty body
        else:
            send_email_template(
                'welcome_verify', email, requested_lang(),
                os.getenv('BASE_URL') + '/auth/verify?username='******'&token=' +
                urllib.parse.quote_plus(hashed_token))
            resp = make_response({})

        # We set the cookie to expire in a year, just so that the browser won't invalidate it if the same cookie gets renewed by constant use.
        # The server will decide whether the cookie expires.
        resp.set_cookie(cookie_name,
                        value=cookie,
                        httponly=True,
                        secure=True,
                        samesite='Lax',
                        path='/',
                        max_age=365 * 24 * 60 * 60)
        return resp
コード例 #17
0
ファイル: auth.py プロジェクト: WaliyaYohannaJoseph/hedy
    def signup():
        body = request.json
        # Validations, mandatory fields
        if not type_check(body, 'dict'):
            return 'body must be an object', 400
        if not object_check(body, 'username', 'str'):
            return 'username must be a string', 400
        if '@' in body['username']:
            return 'username cannot contain an @-sign', 400
        if ':' in body['username']:
            return 'username cannot contain a colon', 400
        if len(body['username'].strip()) < 3:
            return 'username must be at least three characters long', 400
        if not object_check(body, 'password', 'str'):
            return 'password must be a string', 400
        if len(body['password']) < 6:
            return 'password must be at least six characters long', 400
        if not object_check(body, 'email', 'str'):
            return 'email must be a string', 400
        if not re.match(
                '^(([a-zA-Z0-9_\.\-]+)@([\da-zA-Z\.\-]+)\.([a-zA-Z\.]{2,6})\s*)$',
                body['email']):
            return 'email must be a valid email', 400
        # Validations, optional fields
        if 'country' in body:
            if not body['country'] in countries:
                return 'country must be a valid country', 400
        if 'birth_year' in body:
            if not object_check(
                    body, 'birth_year',
                    'int') or body['birth_year'] <= 1900 or body[
                        'birth_year'] > datetime.datetime.now().year:
                return 'birth_year must be a year between 1900 and ' + datetime.datetime.now(
                ).year, 400
        if 'gender' in body:
            if body['gender'] != 'm' and body['gender'] != 'f' and body[
                    'gender'] != 'o':
                return 'gender must be m/f/o', 400

        user = db_get('users', {'username': body['username'].strip().lower()})
        if user:
            return 'username exists', 403
        email = db_get('users', {'email': body['email'].strip().lower()}, True)
        if email:
            return 'email exists', 403

        hashed = hash(body['password'], make_salt())

        token = make_salt()
        hashed_token = hash(token, make_salt())
        username = body['username'].strip().lower()
        email = body['email'].strip().lower()

        if env and 'subscribe' in body and body['subscribe'] == True:
            send_email(config['email']['sender'],
                       'Subscription to Hedy newsletter on signup', email,
                       '<p>' + email + '</p>')

        user = {
            'username': username,
            'password': hashed,
            'email': email,
            'created': timems(),
            'verification_pending': hashed_token
        }

        if 'country' in body:
            user['country'] = body['country']
        if 'birth_year' in body:
            user['birth_year'] = body['birth_year']
        if 'gender' in body:
            user['gender'] = body['gender']

        db_set('users', user)

        # We automatically login the user
        cookie = make_salt()
        db_set(
            'tokens', {
                'id': cookie,
                'username': user['username'],
                'ttl': times() + session_length
            })
        db_set('users', {'username': user['username'], 'last_login': timems()})

        # If on local environment, we return email verification token directly instead of emailing it, for test purposes.
        if not env:
            resp = make_response({'username': username, 'token': hashed_token})
        # Otherwise, we send an email with a verification link and we return an empty body
        else:
            send_email_template(
                'welcome_verify', email, requested_lang(),
                os.getenv('BASE_URL') + '/auth/verify?username='******'&token=' +
                urllib.parse.quote_plus(hashed_token))
            resp = make_response({})

        resp.set_cookie(cookie_name, value=cookie, httponly=True, path='/')
        return resp
コード例 #18
0
ファイル: app.py プロジェクト: PatWg/hedy
def delete_program (user, program_id):
    result = db_get ('programs', {'id': program_id})
    if not result or result ['username'] != user ['username']:
        return "", 404
    db_del ('programs', {'id': program_id})
    return redirect ('/programs')