예제 #1
 def new_function(*args, **kwargs) -> Callable:
     """Run ``func`` only for a requester who holds ``permission``.

     The checks run in a fixed order: no user on ``flask.g`` raises
     ``_401Exception``; a user without the permission raises
     ``_312Exception`` (locked account, ``masquerade`` off) or
     ``_403Exception``; an API key without the permission raises
     ``_403Exception``. ``func``, ``permission`` and ``masquerade`` are
     closure variables of the enclosing decorator, which is not shown here.
     """
     requester = flask.g.user
     if not requester:
         raise _401Exception

     if not requester.has_permission(permission):
         # The lock flag is consulted only after a permission denial; a
         # locked user who still holds the permission is let through.
         if requester.locked and not masquerade:
             raise _312Exception(lock=True)
         raise _403Exception(masquerade=masquerade)

     # The key is checked as well as the user, so a key cannot be used for
     # a permission it was not granted even when its owner has it.
     api_key = flask.g.api_key
     if api_key and not api_key.has_permission(permission):
         raise _403Exception(
             message='This APIKey does not have permission to '
             'access this resource.')

     return func(*args, **kwargs)
예제 #2
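def modify_conversations(
    user: User,
    conversation_ids: List[int],
    read: bool = None,
    deleted: bool = None,
):
    """Update the read/deleted flags on several of ``user``'s conversations.

    Authorization is per conversation: each id is looked up as a state row
    scoped to ``user.id``, and an id with no such row counts as a failure.
    The update is all-or-nothing; if any id fails, ``_403Exception`` is
    raised before a single row is changed.

    :param user: The user whose conversation states are modified.
    :param conversation_ids: IDs of the conversations to modify.
    :param read: New read flag, or ``None`` to leave it unchanged.
    :param deleted: New deleted flag, or ``None`` to leave it unchanged.
    :raises _403Exception: If ``user`` has no state row for one of the ids.
    :return: A JSON response listing the modified conversation ids.
    """
    conversations = []
    failed: List[str] = []
    for conv_id in conversation_ids:
        # deleted='f' presumably restricts the lookup to states the user has
        # not already deleted -- confirm against from_attrs.
        pm_state = PrivateConversationState.from_attrs(conv_id=conv_id,
                                                       user_id=user.id,
                                                       deleted='f')
        if pm_state:
            conversations.append(pm_state)
        else:
            failed.append(str(conv_id))

    # Reject the whole request before mutating anything.
    if failed:
        raise _403Exception(
            f'You cannot modify conversations that you are not a member of: {", ".join(failed)}.'
        )

    for conv in conversations:
        # Compare against None rather than truthiness: an explicit False
        # (e.g. "mark as unread") used to be silently ignored.
        if read is not None:
            conv.read = read
        if deleted is not None:
            conv.deleted = deleted
    db.session.commit()
    PrivateConversation.clear_cache_keys(user.id)
    return flask.jsonify(
        f'Successfully modified conversations {", ".join(str(c.conv_id) for c in conversations)}.'
    )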
예제 #3
def users_edit_settings(
    user: User, existing_password: str = None, new_password: str = None
) -> flask.Response:
    """
    Change a user's settings; the only setting handled here is the password.

    When ``new_password`` is supplied, the requester (``flask.g.user``) must
    hold ``UserPermissions.CHANGE_PASS`` and ``existing_password`` must match
    the current password of ``user``. After the password is set, every API
    key belonging to ``user`` is marked revoked.

    NOTE(review): the previous documentation said ``existing_password`` is
    not needed when a moderator changes another user's password. The code
    below always requires it and checks it against the target ``user`` --
    confirm which behaviour is intended.

    .. :quickref: Settings; Change settings.

    **Example request**:

    .. parsed-literal::

       PUT /users/settings HTTP/1.1

       {
         "existing_password": "******",
         "new_password": "******"
       }

    **Example response**:

    .. parsed-literal::

       {
         "status": "success",
         "response": "Settings updated."
       }

    :json string existing_password: Current password of the user being
        edited; required whenever ``new_password`` is sent.
    :json string new_password: User's new password. Must be 12+ characters and
        contain at least one letter, one number, and one special character
        (presumably enforced by the request validator; not checked here).

    :statuscode 200: Settings successfully updated
    :statuscode 400: Settings unsuccessfully updated
    :statuscode 401: Existing password missing or incorrect
    :statuscode 403: User does not have permission to change user's settings
    """
    if new_password:
        requester = flask.g.user
        if not requester.has_permission(UserPermissions.CHANGE_PASS):
            raise _403Exception(
                message='You do not have permission to change this password.'
            )

        # A missing password short-circuits, so check_password is never
        # called with an empty value.
        password_confirmed = bool(existing_password) and user.check_password(
            existing_password
        )
        if not password_confirmed:
            raise _401Exception(message='Invalid existing password.')

        user.set_password(new_password)

        # Revoke the user's API keys so credentials issued under the old
        # password stop working.
        key_hashes = APIKey.hashes_from_user(user.id)
        APIKey.update_many(pks=key_hashes, update={'revoked': True})

    db.session.commit()
    return flask.jsonify('Settings updated.')
예제 #4
def create_conversation(topic: str, recipient_ids: List[int], message: str):
    """Start a private conversation from the requesting user.

    A conversation with more than one recipient requires the
    ``MessagePermissions.MULTI_USER`` permission. No other validation of
    ``recipient_ids`` happens here (empty list, duplicates, the sender's
    own id); presumably the request schema or ``PrivateConversation.new``
    covers that -- confirm.

    :param topic: Topic of the new conversation.
    :param recipient_ids: IDs of the users to send the conversation to.
    :param message: Body of the first message.
    :raises _403Exception: If several recipients are given without the
        multi-user permission.
    :return: A JSON response containing the new conversation.
    """
    is_multi_user = len(recipient_ids) > 1
    sender = flask.g.user
    if is_multi_user and not sender.has_permission(
            MessagePermissions.MULTI_USER):
        raise _403Exception(
            'You cannot create a conversation with multiple users.')

    conversation = PrivateConversation.new(
        topic=topic,
        sender_id=sender.id,
        recipient_ids=recipient_ids,
        initial_message=message,
    )
    # Attach the sender's own state to the conversation before serializing.
    conversation.set_state(sender.id)
    return flask.jsonify(conversation)
예제 #5
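def modify_conversation(user: User,
                        id: int,
                        read: bool = None,
                        deleted: bool = None):
    """Update the read/deleted flags on one of ``user``'s conversations.

    Authorization is the lookup itself: the state row is fetched scoped to
    ``user.id``, and if none is found the request is rejected.

    :param user: The user whose conversation state is modified.
    :param id: ID of the conversation to modify.
    :param read: New read flag, or ``None`` to leave it unchanged.
    :param deleted: New deleted flag, or ``None`` to leave it unchanged.
    :raises _403Exception: If ``user`` has no state row for the conversation.
    :return: A JSON response confirming the modification.
    """
    # deleted='f' presumably restricts the lookup to a state the user has
    # not already deleted -- confirm against from_attrs.
    pm_state = PrivateConversationState.from_attrs(conv_id=id,
                                                   user_id=user.id,
                                                   deleted='f')
    if not pm_state:
        raise _403Exception(
            'You cannot modify a conversation that you are not a member of.')

    # Compare against None rather than truthiness: an explicit False
    # (e.g. "mark as unread") used to be silently ignored.
    if read is not None:
        pm_state.read = read
    if deleted is not None:
        pm_state.deleted = deleted
    db.session.commit()
    PrivateConversation.clear_cache_keys(user.id)
    return flask.jsonify(f'Successfully modified conversation {id}.')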
예제 #6
        def new_function(*args, **kwargs) -> Callable:
            """Resolve the target user of a request and pass it to ``func``.

            The target is the ``user_id`` query parameter, defaulting to the
            requester. Acting on oneself needs no extra permission; acting on
            another user requires ``permission`` on both the requester and,
            when one is in use, the API key. ``func`` and ``permission`` are
            closure variables of the enclosing decorator, not shown here.

            NOTE(review): when ``permission`` is falsy no check is made
            before another user is loaded. Confirm every use of the decorator
            without a permission is meant to be open to any requester.
            NOTE(review): ``flask.g.user`` is assumed to be set; presumably
            an outer authentication check guarantees it -- confirm.
            """
            requester = flask.g.user
            # to_dict() keeps only the first value of a repeated parameter.
            query = flask.request.args.to_dict()
            try:
                user_id = int(query.get('user_id', requester.id))
            except ValueError:
                raise APIException('User ID must be an integer.')

            # Strip user_id from the query string so that the validator,
            # which does not expect it, does not reject the request.
            remaining = [
                (key, value) for key, value in query.items()
                if key != 'user_id'
            ]
            flask.request.args = MultiDict(remaining)

            if user_id == requester.id:
                return func(*args, user=requester, **kwargs)

            if permission:
                if not requester.has_permission(permission):
                    raise _403Exception
                api_key = flask.g.api_key
                if api_key and not api_key.has_permission(permission):
                    raise _403Exception(
                        message='This APIKey does not have permission to '
                        'access this resource.')

            target = User.from_pk(user_id, _404=True)
            return func(*args, user=target, **kwargs)