def set_acl(self, request, token):
""" Set an ACL for this box.
RULES (these are in box.py and in user.py)
The logged in user sets an ACL for a different, target user.
The logged in user must have a token, and the box of the token is the box that will have the ACL changed/set.
If there is already an ACL for the target user, it will be replaced.
The logged in user must have "control" permissions on the box.
The logged in user can give/take read, write or control permissions. They cannot change "owner" permissions.
If the user has owner permissions, it doesn't matter if they dont have "control" permissions, they can change anything.
Only the user that created the box has owner permissions.
"""
if not token:
return self.return_forbidden(request)
BoxHandler.log(logging.DEBUG, "BoxHandler set_acl", extra = {"request": request, "token": token})
wbSession = self.get_session(request)
user = IndxUser(self.database, wbSession.username)
# box is set by the token (token.boxid)
try:
req_acl = json.loads(self.get_arg(request, "acl"))
except Exception as e:
BoxHandler.log(logging.ERROR, "Exception in box.set_acl decoding JSON in query, 'acl': {0}".format(e), extra = {"request": request, "token": token})
return self.return_bad_request(request, "Specify acl as query string parameter 'acl' as valid JSON")
req_username = self.get_arg(request, "target_username") # username of the user of which to change the ACL
def err_cb(failure):
failure.trap(Exception)
BoxHandler.log(logging.ERROR, "BoxHandler set_acl err_cb: {0}".format(failure), extra = {"request": request, "token": token})
return self.return_internal_error(request)
user.set_acl(token.boxid, req_username, req_acl).addCallbacks(lambda empty: self.return_ok(request), err_cb)
def store_cb(store):
def setacl_cb(empty):
def created_cb(empty):
def saved_cb(empty):
def servervar_cb(empty):
# encpk2 = rsa_encrypt(load_key(local_keys['public']), token.password)
encpk2 = make_encpk2(local_keys, token.password)
self.return_created(request, {"data": {"public": local_keys['public'], "public-hash": local_keys['public-hash'], "encpk2": encpk2, "serverid": self.webserver.server_id}})
if is_linked:
self.database.save_linked_box(token.boxid).addCallbacks(servervar_cb, err_cb)
else:
servervar_cb(None)
self.database.save_encpk2(remote_encpk2_hsh, remote_encpk2, remote_serverid).addCallbacks(saved_cb, err_cb)
def new_key_added_cb(empty):
self.webserver.keystore.put(local_keys, token.username, token.boxid).addCallbacks(created_cb, err_cb) # store in the local keystore
remote_keys = {"public": remote_public, "public-hash": remote_hash, "private": ""}
self.webserver.keystore.put(remote_keys, token.username, token.boxid).addCallbacks(new_key_added_cb, err_cb)
user = IndxUser(self.database, token.username)
user.set_acl(token.boxid, "@indx", {"read": True, "write": True, "control": False, "owner": False}).addCallbacks(setacl_cb, lambda failure: self.return_internal_error(request))
def set_acl(self, request, token):
""" Set an ACL for this box.
RULES (these are in box.py and in user.py)
The logged in user sets an ACL for a different, target user.
The logged in user must have a token, and the box of the token is the box that will have the ACL changed/set.
If there is already an ACL for the target user, it will be replaced.
The logged in user must have "control" permissions on the box.
The logged in user can give/take read, write or control permissions. They cannot change "owner" permissions.
If the user has owner permissions, it doesn't matter if they dont have "control" permissions, they can change anything.
Only the user that created the box has owner permissions.
"""
if not token:
return self.return_forbidden(request)
BoxHandler.log(logging.DEBUG, "BoxHandler set_acl", extra = {"request": request, "token": token})
user = IndxUser(self.database, token.username)
# box is set by the token (token.boxid)
try:
req_acl = json.loads(self.get_arg(request, "acl"))
except Exception as e:
BoxHandler.log(logging.ERROR, "Exception in box.set_acl decoding JSON in query, 'acl': {0}".format(e), extra = {"request": request, "token": token})
return self.return_bad_request(request, "Specify acl as query string parameter 'acl' as valid JSON")
try:
req_username = self.get_arg(request, "target_username") # username of the user of which to change the ACL
if req_username is None:
raise Exception("")
except Exception as e:
try:
req_public = self.get_arg(request, "unauth_user")
if req_public:
req_username = UNAUTH_USERNAME # use the magic reserved username in the DB for the unauth user permissions
else:
return self.return_bad_request(request, "If 'target_username' is not specified, then 'unauth_user' must be set true.")
except Exception as e:
return self.return_bad_request(request, "If 'target_username' is not specified, then 'unauth_user' must be set true.")
def err_cb(failure):
failure.trap(Exception)
BoxHandler.log(logging.ERROR, "BoxHandler set_acl err_cb: {0}".format(failure), extra = {"request": request, "token": token})
return self.return_internal_error(request)
user.set_acl(token.boxid, req_username, req_acl).addCallbacks(lambda empty: self.return_ok(request), err_cb)
def link_remote_box(self, request, token):
""" Link a remote box with this box. """
if not token:
return self.return_forbidden(request)
BoxHandler.log(logging.DEBUG, "BoxHandler link_remote_box", extra = {"request": request, "token": token})
def err_cb(failure):
failure.trap(Exception)
BoxHandler.log(logging.ERROR, "BoxHandler link_remote_box err_cb: {0}".format(failure), extra = {"request": request, "token": token})
return self.return_internal_error(request)
def setacl_cb(empty):
remote_address = self.get_arg(request, "remote_address")
remote_box = self.get_arg(request, "remote_box")
remote_token = self.get_arg(request, "remote_token")
if remote_address is None or remote_box is None or remote_token is None:
BoxHandler.log(logging.ERROR, "BoxHandler link_remote_box: remote_address, remote_box or remote_token was missing.", extra = {"request": request, "token": token})
return self.remote_bad_request(request, "remote_address, remote_box or remote_token was missing.")
def synced_cb(indxsync):
def sync_complete_cb(empty):
def linked_cb(remote_public_key):
# encrypt the user's password using the remote public key, and store
# XXX do we need this still? obsolete since enc_pk2 handled in sync
#encrypted_remote_pw = rsa_encrypt(load_key(remote_public_key), token.password)
self.return_created(request)
indxsync.link_remote_box(token.username, token.password, remote_address, remote_box, remote_token, self.webserver.server_id).addCallbacks(linked_cb, err_cb)
indxsync.sync_boxes().addCallbacks(sync_complete_cb, err_cb)
self.webserver.sync_box(token.boxid).addCallbacks(synced_cb, err_cb)
# give read-write access to the @indx user so that the webserver can connect with the user being present
user = IndxUser(self.database, token.username)
user.set_acl(token.boxid, "@indx", {"read": True, "write": True, "control": False, "owner": False}).addCallbacks(setacl_cb, lambda failure: self.return_internal_error(request))
def do_acl(empty):
logging.debug("indx_pg2 create_root_box do_acl")
user = IndxUser(self, username)
user.set_acl(box_name, "@indx", {"read": True, "write": False, "control": False, "owner": False}).addCallbacks(result_d.callback, result_d.errback)
def do_acl(empty):
logging.debug("indx_pg2 create_root_box do_acl")
user = IndxUser(self, username)
user.set_acl(box_name, "@indx", {"read": True, "write": False, "control": False, "owner": False}).addCallbacks(result_d.callback, result_d.errback)
