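def impersonate(uid):
    """Switch the current session to act as another user.

    Args:
        uid: ID of the account to impersonate, exactly as received from the
            route. It is used unchanged for the lookup and stored as the
            session's ``uid`` (note: edit_user() int()-casts its uid and
            compares it against the session uid; if this route does not
            deliver an int, that comparison would never match -- confirm).

    Returns:
        A redirect to the user list when the account is unknown or carries
        the "deleted" role, otherwise a redirect to the index.

    NOTE(review): this function never checks the caller's own role; it
    relies entirely on an admin guard on the route -- confirm it is there.
    """
    # Refuse unknown ids before touching the session.
    if not User.exists(uid=uid):
        flash("That user ID wasn't found.")
        return redirect(url_for(".users"))

    db = User.get_user(uid=uid)
    # Tombstoned accounts must not become a live login.
    if db["role"] == "deleted":
        flash("That user was deleted!")
        return redirect(url_for(".users"))

    # Remember the real actor. If this session is ALREADY impersonating
    # someone, keep the original identity instead of overwriting it with the
    # intermediate one, so the audit trail points back to the person who
    # actually started the chain. (Assumes a missing/unset impersonator is
    # falsy in the default session -- confirm against default_vars().)
    orig_uid = session.get("impersonator") or session["uid"]

    session.update(
        login=True,
        uid=uid,
        username=db["username"],
        name=db["name"],
        role=db["role"],
        impersonator=orig_uid,
    )
    flash("Now logged in as {}".format(db["name"]))
    return redirect(url_for("index"))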
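def create_user():
    """Handle the admin "create user" form POST.

    Reads username, name, password1, password2 and role from the form,
    canonicalizes the username to lower case, rejects duplicates, runs
    validate_create_form() and creates the account.

    Returns:
        A redirect to the user list in every case; success or failure is
        reported through flash().

    NOTE(review): ``role`` is stored exactly as submitted and is never
    checked against the roles the application understands (this file shows
    "admin" and the "deleted" tombstone that impersonate() refuses). Anyone
    who can reach this endpoint can therefore assign any role string;
    confirm the route is admin-only and consider whitelisting roles here.
    """
    username = request.form.get("username", "")
    name = request.form.get("name", "")
    pw1 = request.form.get("password1", "")
    pw2 = request.form.get("password2", "")
    role = request.form.get("role", "")

    # Display name defaults to the username as typed (before lowercasing).
    if name == "":
        name = username

    # Usernames are case-insensitive: canonicalize before the uniqueness check.
    username = username.lower()

    if User.exists(username=username):
        flash("That username already exists.")
        return redirect(url_for(".users"))

    errors = validate_create_form(username, pw1, pw2)
    if errors:
        for error in errors:
            flash(error)
        return redirect(url_for(".users"))

    # The new uid is not needed here; the original bound it to an unused local.
    User.create(
        username=username,
        password=pw1,
        name=name,
        role=role,
    )
    flash("User created!")
    return redirect(url_for(".users"))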
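def create_user():
    """Create a user account from the submitted admin form.

    Form fields read: username, name, password1, password2, role. The
    username is lowercased before the duplicate check; an empty name falls
    back to the username.

    Returns:
        Always a redirect to the user list; the outcome is flashed.

    NOTE(review): the submitted ``role`` is persisted verbatim. Nothing here
    restricts it to known roles (the file only reveals "admin" and the
    "deleted" value that impersonate() treats as a tombstone), so the form
    can create an account in any role, including "deleted". Confirm the
    endpoint is admin-only and consider validating ``role`` here.
    """
    form = request.form
    username = form.get("username", "")
    name = form.get("name", "") or form.get("username", "")
    pw1 = form.get("password1", "")
    pw2 = form.get("password2", "")
    role = form.get("role", "")

    # Case-insensitive usernames: canonicalize before any lookup.
    username = username.lower()

    if User.exists(username=username):
        flash("That username already exists.")
        return redirect(url_for(".users"))

    errors = validate_create_form(username, pw1, pw2)
    if errors:
        for error in errors:
            flash(error)
        return redirect(url_for(".users"))

    # Return value (the new uid) was an unused local in the original; dropped.
    User.create(username=username, password=pw1, name=name, role=role)
    flash("User created!")
    return redirect(url_for(".users"))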
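def before_request():
    """Called before all requests. Initialize global template variables.

    Per-request side effects:
      * resets ``g.info`` to the defaults and seeds a fresh session;
      * on POST, enforces the single-use CSRF token (403 on mismatch);
      * for logged-in sessions, re-reads username/name/role from the DB so a
        change made by an admin takes effect without re-login, and logs the
        session out if the account no longer exists;
      * mirrors every session key into ``g.info["session"]`` for templates.
    """
    # Default template vars.
    g.info = rophako.utils.default_vars()

    # Default session vars.
    if "login" not in session:
        session.update(g.info["session"])

    # CSRF protection. The token is popped, so it is single-use: a replayed
    # or double-submitted form is rejected even with the right value.
    if request.method == "POST":
        import hmac

        token = session.pop("_csrf", None)
        submitted = request.form.get("token")
        # Constant-time comparison so response timing doesn't leak how much
        # of the token matched. Compare as bytes: compare_digest() raises
        # TypeError on non-ASCII str, and the form value is attacker-chosen.
        if (
            not token
            or submitted is None
            or not hmac.compare_digest(
                str(token).encode("utf-8"), str(submitted).encode("utf-8")
            )
        ):
            abort(403)

    # Refresh their login status from the DB.
    if session["login"]:
        import rophako.model.user as User

        if not User.exists(uid=session["uid"]):
            # The account vanished underneath a live session: drop it.
            from rophako.modules.account import logout

            logout()
            return

        db = User.get_user(uid=session["uid"])
        session["username"] = db["username"]
        session["name"] = db["name"]
        # NOTE(review): the "deleted" role that impersonate() refuses is
        # copied into the session as-is; nothing here logs such an account
        # out -- confirm that is intended.
        session["role"] = db["role"]

    # Copy session params into g.info. The only people who should touch the
    # session are the login/out pages.
    for key in session:
        g.info["session"][key] = session[key]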
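def edit_user(uid):
    """Admin page to edit or delete a single user account.

    Args:
        uid: account ID from the route; coerced with int(), so a
            non-numeric value raises ValueError before any lookup.

    Returns:
        GET: the rendered edit form.
        POST action "save": redirect to the user list after updating, or
            back to this form on a validation error.
        POST action "delete": redirect to the user list after deleting;
            refused (redirect back here) for the caller's own account.
        Unknown uid: redirect to the user list.
    """
    uid = int(uid)

    # Mirror impersonate(): never hand an unknown id to get_user().
    if not User.exists(uid=uid):
        flash("That user ID wasn't found.")
        return redirect(url_for(".users"))

    user = User.get_user(uid=uid)

    if request.method == "POST":
        action = request.form.get("action", "")
        # Usernames are case-insensitive: canonicalize before comparing.
        username = request.form.get("username", "").lower()
        name = request.form.get("name", "")
        pw1 = request.form.get("password1", "")
        pw2 = request.form.get("password2", "")
        role = request.form.get("role", "")

        if action == "save":
            return _save_user(uid, user, username, name, pw1, pw2, role)
        elif action == "delete":
            return _delete_user(uid)

    return template("admin/edit_user.html", info=user)


def _save_user(uid, user, username, name, pw1, pw2, role):
    """Validate the "save" submission and persist it; returns a redirect."""
    errors = None

    # A changed username must not collide with another account.
    if username != user["username"]:
        if User.exists(username=username):
            flash("That username already exists.")
            return redirect(url_for(".edit_user", uid=uid))

    # Validate the password pair if one was supplied; otherwise validate
    # only the username, and only when it actually changed.
    if len(pw1) > 0:
        errors = validate_create_form(username, pw1, pw2)
    elif username != user["username"]:
        errors = validate_create_form(username, skip_passwd=True)

    if errors:
        for error in errors:
            flash(error)
        return redirect(url_for(".edit_user", uid=uid))

    user["username"] = username
    user["name"] = name or username
    # NOTE(review): ``role`` is stored verbatim with no whitelist, and an
    # admin may change their OWN role here (only self-deletion is blocked);
    # confirm that locking yourself out is acceptable.
    user["role"] = role
    if len(pw1) > 0:
        user["password"] = User.hash_password(pw1)

    User.update_user(uid, user)
    flash("User account updated!")
    return redirect(url_for(".users"))


def _delete_user(uid):
    """Delete the account unless it is the caller's own; returns a redirect."""
    # Assumes the session uid is an int like ``uid`` here -- impersonate()
    # stores whatever the route passed, so confirm the types line up.
    if uid == g.info["session"]["uid"]:
        flash("You shouldn't delete yourself!")
        return redirect(url_for(".edit_user", uid=uid))

    User.delete_user(uid)
    flash("User deleted!")
    return redirect(url_for(".users"))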
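def setup():
    """Initial setup to create the Admin user account.

    GET renders the setup form. POST creates the first account with role
    "admin" and redirects to the login page.

    The page is disabled as soon as a user with uid 1 exists, so it is only
    reachable on a fresh install.

    NOTE(review): the gate tests uid 1 specifically, not "any user exists".
    If uid 1 can ever disappear while other accounts remain, this page
    would reopen and allow a new admin to be created -- confirm. There is
    also no re-check between the gate and User.create(), so two concurrent
    first POSTs could both succeed.
    """
    # This can't be done if users already exist on the CMS!
    if User.exists(uid=1):
        flash(
            "This website has already been configured (users already created)."
        )
        return redirect(url_for("index"))

    if request.method == "POST":
        username = request.form.get("username", "")
        name = request.form.get("name", "")
        pw1 = request.form.get("password1", "")
        pw2 = request.form.get("password2", "")

        # Display name defaults to the username as typed.
        if name == "":
            name = username

        # Usernames are case-insensitive: canonicalize before the lookup.
        username = username.lower()

        if User.exists(username=username):
            flash("That username already exists.")
            return redirect(url_for(".setup"))

        errors = validate_create_form(username, pw1, pw2)
        if errors:
            for error in errors:
                flash(error)
            return redirect(url_for(".setup"))

        # Role is fixed to "admin" here; the form cannot influence it.
        User.create(
            username=username,
            password=pw1,
            name=name,
            role="admin",
        )
        # The original called .format(uid) on a string with no placeholder;
        # the message is unchanged, the no-op formatting is dropped.
        flash("Admin user created! Please log in now.")
        return redirect(url_for(".login"))

    return template("account/setup.html")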
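def setup():
    """Initial setup to create the Admin user account.

    Only usable while no user with uid 1 exists. On POST the submitted
    credentials are validated and an account with role "admin" is created;
    on GET the setup form is rendered.

    Returns:
        A redirect to the index if already configured, to ".setup" on a
        validation error, to ".login" on success, else the form template.

    NOTE(review): "already configured" is decided by the presence of uid 1
    alone. Whether a later deletion of uid 1 can re-enable this page depends
    on how User.exists() treats deleted accounts -- confirm.
    """
    if User.exists(uid=1):
        flash("This website has already been configured (users already created).")
        return redirect(url_for("index"))

    if request.method != "POST":
        return template("account/setup.html")

    form = request.form
    username = form.get("username", "")
    name = form.get("name", "") or form.get("username", "")
    pw1 = form.get("password1", "")
    pw2 = form.get("password2", "")

    # Case-insensitive usernames: canonicalize before any lookup.
    username = username.lower()

    if User.exists(username=username):
        flash("That username already exists.")
        return redirect(url_for(".setup"))

    errors = validate_create_form(username, pw1, pw2)
    if errors:
        for error in errors:
            flash(error)
        return redirect(url_for(".setup"))

    # The role is hard-coded; nothing from the form can change it.
    User.create(
        username=username,
        password=pw1,
        name=name,
        role="admin",
    )
    # Dropped the original's no-op .format(uid) on a placeholder-free string.
    flash("Admin user created! Please log in now.")
    return redirect(url_for(".login"))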
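def impersonate(uid):
    """Impersonate a user: make the current session act as ``uid``.

    Args:
        uid: ID of the target account, taken from the route and used
            unchanged both for the lookup and as the new session ``uid``.

    Returns:
        Redirect to the user list if the id is unknown or the account's
        role is "deleted"; otherwise redirect to the index.

    NOTE(review): there is no check on the caller's role in this function.
    It must be protected by an admin-only guard on the route -- confirm.
    """
    if not User.exists(uid=uid):
        flash("That user ID wasn't found.")
        return redirect(url_for(".users"))

    target = User.get_user(uid=uid)
    # A tombstoned account must never become a live login.
    if target["role"] == "deleted":
        flash("That user was deleted!")
        return redirect(url_for(".users"))

    # Keep the ORIGINAL actor if this session is already impersonating
    # someone; otherwise chained impersonation would record the intermediate
    # identity and lose track of who really started it. Assumes an unset
    # impersonator is falsy in the default session -- confirm.
    actor = session.get("impersonator") or session["uid"]

    session.update(
        login=True,
        uid=uid,
        username=target["username"],
        name=target["name"],
        role=target["role"],
        impersonator=actor,
    )
    flash("Now logged in as {}".format(target["name"]))
    return redirect(url_for("index"))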
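def before_request():
    """Called before all requests. Initialize global template variables.

    Per-request side effects:
      * applies the configured session lifetime and marks the session
        permanent;
      * resets ``g.info`` to the defaults and seeds a fresh session;
      * on POST, enforces the single-use CSRF token (403 on mismatch);
      * for logged-in sessions, re-reads username/name/role from the DB and
        logs the session out if the account no longer exists;
      * mirrors every session key into ``g.info["session"]`` for templates.
    """
    # Session lifetime, applied on every request.
    app.permanent_session_lifetime = datetime.timedelta(
        days=Config.security.session_lifetime
    )
    session.permanent = True

    # Default template vars.
    g.info = rophako.utils.default_vars()

    # Default session vars.
    if "login" not in session:
        session.update(g.info["session"])

    # CSRF protection. Popping the token makes it single-use, so a replayed
    # or double-submitted form is rejected even with the right value.
    if request.method == "POST":
        import hmac

        token = session.pop("_csrf", None)
        submitted = request.form.get("token")
        # Constant-time comparison so response timing doesn't leak how much
        # of the token matched. Compare bytes: compare_digest() raises
        # TypeError on non-ASCII str, and the form value is attacker-chosen.
        if (
            not token
            or submitted is None
            or not hmac.compare_digest(
                str(token).encode("utf-8"), str(submitted).encode("utf-8")
            )
        ):
            abort(403)

    # Refresh their login status from the DB.
    if session["login"]:
        import rophako.model.user as User

        if not User.exists(uid=session["uid"]):
            # The account vanished underneath a live session: drop it.
            from rophako.modules.account import logout

            logout()
            return

        db = User.get_user(uid=session["uid"])
        session["username"] = db["username"]
        session["name"] = db["name"]
        # NOTE(review): the "deleted" role that impersonate() refuses is
        # copied into the session as-is; nothing here logs such an account
        # out -- confirm that is intended.
        session["role"] = db["role"]

    # Copy session params into g.info. The only people who should touch the
    # session are the login/out pages.
    for key in session:
        g.info["session"][key] = session[key]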
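def edit_user(uid):
    """Edit or delete one user account (admin form).

    Args:
        uid: account ID from the route; int()-cast first, so a non-numeric
            value raises ValueError before any lookup.

    Returns:
        GET: the edit form. POST "save": redirect to the user list on
        success, back to this form on a validation error. POST "delete":
        redirect to the user list, or back here if the caller targets
        their own account. Unknown uid: redirect to the user list.
    """
    uid = int(uid)

    # Same guard impersonate() uses: don't pass an unknown id to get_user().
    if not User.exists(uid=uid):
        flash("That user ID wasn't found.")
        return redirect(url_for(".users"))

    user = User.get_user(uid=uid)

    if request.method != "POST":
        return template("admin/edit_user.html", info=user)

    form = request.form
    action = form.get("action", "")
    # Case-insensitive usernames: canonicalize before comparing.
    username = form.get("username", "").lower()
    name = form.get("name", "")
    pw1 = form.get("password1", "")
    pw2 = form.get("password2", "")
    role = form.get("role", "")

    if action == "save":
        errors = None
        renamed = username != user["username"]

        # A changed username must not collide with another account.
        if renamed and User.exists(username=username):
            flash("That username already exists.")
            return redirect(url_for(".edit_user", uid=uid))

        # Password supplied -> validate the pair (plus username); otherwise
        # validate only the username, and only if it changed.
        if len(pw1) > 0:
            errors = validate_create_form(username, pw1, pw2)
        elif renamed:
            errors = validate_create_form(username, skip_passwd=True)

        if errors:
            for error in errors:
                flash(error)
            return redirect(url_for(".edit_user", uid=uid))

        user["username"] = username
        user["name"] = name or username
        # NOTE(review): ``role`` is stored verbatim with no whitelist, and an
        # admin may change their OWN role here (only self-deletion is
        # blocked); confirm that self-lockout is acceptable.
        user["role"] = role
        if len(pw1) > 0:
            user["password"] = User.hash_password(pw1)

        User.update_user(uid, user)
        flash("User account updated!")
        return redirect(url_for(".users"))

    if action == "delete":
        # Don't let them delete themself. Assumes the session uid is an int
        # like ``uid`` -- impersonate() stores whatever the route passed, so
        # confirm the types line up.
        if uid == g.info["session"]["uid"]:
            flash("You shouldn't delete yourself!")
            return redirect(url_for(".edit_user", uid=uid))

        User.delete_user(uid)
        flash("User deleted!")
        return redirect(url_for(".users"))

    # Unknown action: fall through to the form, as the original did.
    return template(
        "admin/edit_user.html",
        info=user,
    )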