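def api_key_add():
    """Create a new API key owned by the logged-in user and jump to its edit page.

    The label comes from the submitted ``AddApiKeyForm``. The key secret itself is
    not set here, so it must be produced by the ``ApiKey`` model
    (NOTE(review): confirm the model generates it with a CSPRNG such as
    ``secrets`` — that code is not visible in this file).

    Returns:
        A redirect to ``api.api_key_edit`` for the new key on success, or a
        redirect back to the settings pane when the form does not validate.
    """
    form = AddApiKeyForm(request.form)
    # Validate before touching the database so the form's label rules (and its
    # CSRF token, if the form class carries one) are actually enforced instead
    # of storing whatever was posted.
    if not form.validate():
        flash("Invalid API key form.", category="error")
        return redirect(url_for('api.api_key_settings_pane'))
    key = ApiKey(owner=current_user.to_dbref(), label=form.label.data)
    key.save()
    flash("Key has been added.", category="success")
    return redirect(url_for('api.api_key_edit', key_id=key.id))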
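def api_key_edit(key_id):
    """Show or update the label and access list of one of the current user's API keys.

    Args:
        key_id: Primary key of the ``ApiKey`` document to edit.

    Returns:
        The rendered edit pane on GET (and on a POST that fails validation), or a
        redirect back to this page after a successful save.

    Raises:
        401 (via ``abort``) when the key does not exist or is not owned by the
        current user; both cases yield the same response, so a probe cannot tell
        a foreign key from a nonexistent one. (Style note: 403/404 would be the
        more conventional codes here; 401 is kept for compatibility.)
    """
    key = ApiKey.objects(id=key_id).first()
    if key is None or current_user != key.owner:
        abort(401)

    form = ApiKeyEditForm()
    # Offer only the access tokens the user is allowed to hold: a token that
    # requires a permission the user lacks is left out of the choices.
    form.acl.choices = list()
    for access_token in access_tokens.values():
        permission = access_token.get("permission")
        if permission and not current_user.has_permission(permission):
            continue
        token = access_token.get("token")
        form.acl.choices.append((token, token))

    template_args = dict(
        settings_panels_structure=settings_panels_structure,
        form=form,
        key=key,
        title="Edit - API Keys - Developer - Settings",
    )

    if request.method == "GET":
        form.label.data = key.label
        form.acl.data = key.access
        return render_template('api_settings_edit_pane.html', **template_args)
    elif request.method == "POST":
        # The choice list above is the authorization boundary: ``acl`` is
        # presumably a select-type field, so ``form.validate()`` is what rejects
        # a submitted token that is not in the choices. Its result must be
        # honoured before ``key.access`` is written — otherwise a user could
        # grant their own key tokens they have no permission for.
        if form.validate():
            key.label = form.label.data
            key.access = form.acl.data
            key.save()
            return redirect(url_for('api.api_key_edit', key_id=key_id))
        # Invalid submission: re-render with the form's errors, nothing saved.
        return render_template('api_settings_edit_pane.html', **template_args)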
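def api_key_edit(key_id):
    """Show or update the label and access list of one of the current user's API keys.

    Args:
        key_id: Primary key of the ``ApiKey`` document to edit.

    Returns:
        The rendered edit pane on GET (and on a POST that fails validation), or a
        redirect back to this page after a successful save.

    Raises:
        401 (via ``abort``) when the key does not exist or is not owned by the
        current user; both cases yield the same response, so a probe cannot tell
        a foreign key from a nonexistent one. (Style note: 403/404 would be the
        more conventional codes here; 401 is kept for compatibility.)
    """
    key = ApiKey.objects(id=key_id).first()
    if key is None or current_user != key.owner:
        abort(401)

    form = ApiKeyEditForm()
    # Offer only the access tokens the user is allowed to hold: a token that
    # requires a permission the user lacks is left out of the choices.
    form.acl.choices = list()
    for access_token in access_tokens.values():
        permission = access_token.get("permission")
        if permission and not current_user.has_permission(permission):
            continue
        token = access_token.get("token")
        form.acl.choices.append((token, token))

    template_args = dict(
        settings_panels_structure=settings_panels_structure,
        form=form,
        key=key,
        title="Edit - API Keys - Developer - Settings",
    )

    if request.method == "GET":
        form.label.data = key.label
        form.acl.data = key.access
        return render_template('api_settings_edit_pane.html', **template_args)
    elif request.method == "POST":
        # The choice list above is the authorization boundary: ``acl`` is
        # presumably a select-type field, so ``form.validate()`` is what rejects
        # a submitted token that is not in the choices. Its result must be
        # honoured before ``key.access`` is written — otherwise a user could
        # grant their own key tokens they have no permission for.
        if form.validate():
            key.label = form.label.data
            key.access = form.acl.data
            key.save()
            return redirect(url_for('api.api_key_edit', key_id=key_id))
        # Invalid submission: re-render with the form's errors, nothing saved.
        return render_template('api_settings_edit_pane.html', **template_args)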
def api_key_delete(key_id):
    """Delete one of the current user's API keys and return to the settings pane.

    Args:
        key_id: Primary key of the ``ApiKey`` document to remove.

    Raises:
        401 (via ``abort``) when the key is missing or owned by someone else;
        both cases produce the same response, so key ids cannot be probed.

    NOTE(review): the ``DelApiKeyForm`` built in ``api_key_settings_pane`` is
    never validated in this view, so any CSRF token it carries is not checked
    here — confirm CSRF protection is enforced app-wide and that the route is
    restricted to POST (the route decorator is not visible in this file).
    """
    owned_key = ApiKey.objects(id=key_id).first()
    if owned_key is None:
        abort(401)
    # Ownership check: the key must belong to the logged-in user.
    if current_user != owned_key.owner:
        abort(401)
    owned_key.delete()
    flash("Key has been deleted.", category="success")
    return redirect(url_for('api.api_key_settings_pane'))
def api_key_settings_pane():
    """Render the API key settings pane listing the current user's keys.

    The add/delete forms are built from the current request's form data purely
    for rendering (nothing is validated or saved here). Keys are queried by
    owner, so only the logged-in user's keys are ever listed.
    """
    add_form = AddApiKeyForm(request.form)
    del_form = DelApiKeyForm(request.form)
    own_keys = ApiKey.objects(owner=current_user.to_dbref())
    context = dict(
        settings_panels_structure=settings_panels_structure,
        keys=own_keys,
        apikey_add_form=add_form,
        apikey_del_form=del_form,
        title="API Keys - Developer - Settings",
    )
    return render_template('api_settings_pane.html', **context)
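def wrap(*args, **kwargs):
    """Authorize the request, resolve the acting user, then call the wrapped view.

    Authorization succeeds either through the logged-in session (when
    ``allow_user_permission`` is set and ``_check_user_permission`` accepts
    ``current_user`` for ``required_access_tokens``) or through an ``ApiKey``
    request header naming a key whose ``access`` list contains every required
    token.

    For key-authenticated calls the acting identity is attached to ``request``:
    ``api_user_method`` ('as_user', 'as_player' or 'key_owner'), ``api_user``,
    ``api_user_name`` and, for AsPlayer, ``api_player``. The ``AsUser`` /
    ``AsPlayer`` impersonation headers are honoured only for keys holding
    ``api.as_user``; whether an unknown target is rejected is governed by
    ``asuser_must_be_registered``. ``allow_user_permission``,
    ``required_access_tokens``, ``asuser_must_be_registered`` and ``func`` are
    closure variables of the enclosing decorator (outside this block).

    Returns:
        The wrapped view's return value, or a ``(dict, 403)`` pair describing why
        the request was refused.
    """

    def refuse(message, identifier):
        # Uniform error envelope for every 403 returned by this wrapper.
        return {'error': [{'message': message, 'identifier': identifier}]}, 403

    # Session path: a logged-in user with the right permissions needs no key.
    if allow_user_permission and _check_user_permission(required_access_tokens, current_user):
        return func(*args, **kwargs)

    # Key path. A missing or empty header gets the same 403 as an unknown key,
    # so callers cannot distinguish the two. Only the header lookup is done
    # outside the DB call, so a KeyError from elsewhere is not mistaken for a
    # missing header.
    # NOTE(review): the header value is used verbatim as the lookup value, so the
    # stored field is the raw secret; hashing keys at rest would limit the blast
    # radius of a database leak.
    presented_key = request.headers.get('ApiKey')
    key = ApiKey.objects(key=presented_key).first() if presented_key else None
    if key is None:
        return refuse("no/invalid ApiKey header provided", "apikey_not_provided")

    for access in required_access_tokens:
        if access not in key.access:
            return refuse("api key doesn't have access to '%s'" % access,
                          "permission#%s" % access)

    # Impersonation headers require the dedicated api.as_user token.
    impersonating = 'AsUser' in request.headers or 'AsPlayer' in request.headers
    if impersonating and 'api.as_user' not in key.access:
        return refuse(
            "api key doesn't have access to 'api.as_user', required for using the AsUser and AsPlayer headers",
            "permission#api.as_user")

    if 'AsUser' in request.headers:
        username = request.headers['AsUser']
        user = User.get_user_by_name(username)
        if user is None and asuser_must_be_registered:
            return refuse("the user specified in the AsUser header wasn't found",
                          "asuser_not_found")
        # NOTE(review): when asuser_must_be_registered is False the raw header
        # value is passed on as api_user_name with api_user None — downstream
        # code must treat it as unverified, untrusted input.
        request.api_user_method = 'as_user'
        request.api_user = user
        request.api_user_name = username
    elif 'AsPlayer' in request.headers:
        uuid = request.headers['AsPlayer']
        player = MinecraftPlayer.find_player(uuid)
        if player is None:
            return refuse(
                "player uuid specified in AsPlayer header is not registered in database (has not logged in?)",
                "player_uuid_not_found")
        user = User.get_user_by_uuid(player)
        if user is None and asuser_must_be_registered:
            return refuse(
                "the uuid specified in the AsPlayer field is not owned by a website user",
                "asuser_not_found")
        request.api_user_method = 'as_player'
        request.api_user = user
        request.api_user_name = user.name if user is not None else None
        request.api_player = player
    else:
        # No impersonation: the key acts as its owner.
        # NOTE(review): key.owner.name assumes the owning user still exists; a
        # dangling owner reference would raise here — confirm keys are removed
        # together with their owner.
        request.api_user_method = 'key_owner'
        request.api_user = key.owner
        request.api_user_name = key.owner.name

    return func(*args, **kwargs)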
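def wrap(*args, **kwargs):
    """Authorize the request, resolve the acting user, then call the wrapped view.

    Authorization succeeds either through the logged-in session (when
    ``allow_user_permission`` is set and ``_check_user_permission`` accepts
    ``current_user`` for ``required_access_tokens``) or through an ``ApiKey``
    request header naming a key whose ``access`` list contains every required
    token.

    For key-authenticated calls the acting identity is attached to ``request``:
    ``api_user_method`` ('as_user', 'as_player' or 'key_owner'), ``api_user``,
    ``api_user_name`` and, for AsPlayer, ``api_player``. The ``AsUser`` /
    ``AsPlayer`` impersonation headers are honoured only for keys holding
    ``api.as_user``; whether an unknown target is rejected is governed by
    ``asuser_must_be_registered``. ``allow_user_permission``,
    ``required_access_tokens``, ``asuser_must_be_registered`` and ``func`` are
    closure variables of the enclosing decorator (outside this block).

    Returns:
        The wrapped view's return value, or a ``(dict, 403)`` pair describing why
        the request was refused.
    """

    def refuse(message, identifier):
        # Uniform error envelope for every 403 returned by this wrapper.
        return {'error': [{'message': message, 'identifier': identifier}]}, 403

    # Session path: a logged-in user with the right permissions needs no key.
    if allow_user_permission and _check_user_permission(required_access_tokens, current_user):
        return func(*args, **kwargs)

    # Key path. A missing or empty header gets the same 403 as an unknown key,
    # so callers cannot distinguish the two. Only the header lookup is done
    # outside the DB call, so a KeyError from elsewhere is not mistaken for a
    # missing header.
    # NOTE(review): the header value is used verbatim as the lookup value, so the
    # stored field is the raw secret; hashing keys at rest would limit the blast
    # radius of a database leak.
    presented_key = request.headers.get('ApiKey')
    key = ApiKey.objects(key=presented_key).first() if presented_key else None
    if key is None:
        return refuse("no/invalid ApiKey header provided", "apikey_not_provided")

    for access in required_access_tokens:
        if access not in key.access:
            return refuse("api key doesn't have access to '%s'" % access,
                          "permission#%s" % access)

    # Impersonation headers require the dedicated api.as_user token.
    impersonating = 'AsUser' in request.headers or 'AsPlayer' in request.headers
    if impersonating and 'api.as_user' not in key.access:
        return refuse(
            "api key doesn't have access to 'api.as_user', required for using the AsUser and AsPlayer headers",
            "permission#api.as_user")

    if 'AsUser' in request.headers:
        username = request.headers['AsUser']
        user = User.get_user_by_name(username)
        if user is None and asuser_must_be_registered:
            return refuse("the user specified in the AsUser header wasn't found",
                          "asuser_not_found")
        # NOTE(review): when asuser_must_be_registered is False the raw header
        # value is passed on as api_user_name with api_user None — downstream
        # code must treat it as unverified, untrusted input.
        request.api_user_method = 'as_user'
        request.api_user = user
        request.api_user_name = username
    elif 'AsPlayer' in request.headers:
        uuid = request.headers['AsPlayer']
        player = MinecraftPlayer.find_player(uuid)
        if player is None:
            return refuse(
                "player uuid specified in AsPlayer header is not registered in database (has not logged in?)",
                "player_uuid_not_found")
        user = User.get_user_by_uuid(player)
        if user is None and asuser_must_be_registered:
            return refuse(
                "the uuid specified in the AsPlayer field is not owned by a website user",
                "asuser_not_found")
        request.api_user_method = 'as_player'
        request.api_user = user
        request.api_user_name = user.name if user is not None else None
        request.api_player = player
    else:
        # No impersonation: the key acts as its owner.
        # NOTE(review): key.owner.name assumes the owning user still exists; a
        # dangling owner reference would raise here — confirm keys are removed
        # together with their owner.
        request.api_user_method = 'key_owner'
        request.api_user = key.owner
        request.api_user_name = key.owner.name

    return func(*args, **kwargs)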