def get(self, username=None):
try:
checkout_info = payment.get_checkout_data(self.user, GlobalConfig.get_configs())
if checkout_info == 'free':
self.redirect('/', abort=True)
except payment.coupon.InActiveCouponExpcetion as e:
lr = tt_logging.construct_log(msg_short='Error Processing User\'s Checkout',
msg=e.message,
log_type=tt_logging.PAYMENT, request=self.request, request_user=self.user)
log.error(lr['dict_msg']['msg'], extra=lr)
raise HttpErrorException.bad_request('There was an error processing your checkout')
except Exception as e:
lr = tt_logging.construct_log(msg_short='Error Processing User\'s Checkout',
msg=e.message,
log_type=tt_logging.PAYMENT, request=self.request, request_user=self.user)
log.error(lr['dict_msg']['msg'], extra=lr)
raise
template_data = {
'title': 'thinkTank Checkout',
'nav_bar_title': 'thinkTank',
'domain': self.request.host_url,
'merchant': self.user.merchant,
'payment_plan': checkout_info['items']['pay_plan'],
'jwt_token': checkout_info['jwt_token'],
'production': server.PRODUCTION,
}
if 'adjusted_plan' in checkout_info['items']:
template_data['adjusted_plan'] = checkout_info['items']['adjusted_plan']
template_index = JINJA_ENVIRONMENT.get_template('checkout.html')
self.response.write(template_index.render(template_data))
def new(request, request_data, request_user):
if not request_user.is_super_admin:
lr = tt_logging.construct_log(
msg_short='Non-Admin User Tried Creating New Organization',
log_type=tt_logging.SECURITY,
request_user=request_user,
request=request)
log.warning(lr['dict_msg']['msg'], extra=lr)
raise HttpErrorException.forbidden()
if request_data.get('name') is None:
raise HttpErrorException.bad_request('no name given')
if request_data.get('id') is None:
raise HttpErrorException.bad_request('no organization id given')
org = Organization(
key=Organization.create_key(request_data.get('id').strip()))
org.name = request_data.get('name').strip()
org.groups.append(Group.get_worldshare_key())
if request_data.get('description') is not None:
org.description = request_data.get('description')
if request_data.get('domain') is not None:
org.domain = request_data.get('domain')
if request_data.get('owner') is not None:
org.owner = request_data.get('owner')
if request_data.get('webpage') is not None:
org.webpage = request_data.get('webpage')
if request_data.get('point_of_contact') is not None:
org.point_of_contact = request_data.get('point_of_contact')
if request_data.get('email') is not None:
org.email = request_data.get('email')
if request_data.get('phone') is not None:
org.phone = request_data.get('phone')
if request_data.get('fax') is not None:
org.fax = request_data.get('fax')
if request_data.get('account_type') is not None:
org.account_type = request_data.get('account_type')
group = Group(key=Group.create_key(),
name=org.name,
description=str(org.name) + '\'s organization group',
organization=org.key,
active=True)
group.put()
org.groups.append(group.key)
org.org_group = group.key
org.put()
lr = tt_logging.construct_log(msg_short='New Organization Was Created',
log_type=tt_logging.DEFAULT,
request_user=request_user,
request=request,
artifact=org)
log.info(lr['dict_msg']['msg'], extra=lr)
return org.to_dict()
def edit(request, request_data, request_user):
org = None
if not request_user.is_admin and org.organization == request_user.key:
lr = tt_logging.construct_log(
msg_short='Non-Admin User Tried Altering Organization',
log_type=tt_logging.SECURITY,
request_user=request_user,
request=request,
artifact=org)
log.warning(lr['dict_msg']['msg'], extra=lr)
raise HttpErrorException.forbidden()
if request_data.get('add'):
if request_data.get('admin'):
if request_data.get('user_id') == '':
raise HttpErrorException.bad_request('no user_id given')
user = ndb.Key('User', request_data.get('user_id'))
if not user:
raise HttpErrorException.bad_request(
'invalid user_id given')
if user.key not in org.admins:
lr = tt_logging.construct_log(
msg_short='User Was Added as Organization Admin',
log_type=tt_logging.USER,
request_user=request_user,
request=request,
artifact=org,
affected_user=user)
log.info(lr['dict_msg']['msg'], extra=lr)
org.admins.append(user.key)
if request_data.get('remove'):
if request_data.get('remove') == 'admin':
if request_data.get('user_id') == '':
raise HttpErrorException.bad_request('no user_id given')
user = ndb.Key('User', request_data.get('user_id'))
if not user:
raise HttpErrorException.bad_request(
'invalid user_id given')
if user.key in org.admins:
lr = tt_logging.construct_log(
msg_short='User Was Removed as Organization Admin',
log_type=tt_logging.USER,
request_user=request_user,
request=request,
artifact=org,
affected_user=user)
log.info(lr['dict_msg']['msg'], extra=lr)
org.admins.remove(user.key)
org.put()
def post(self, user_id=None):
if not user_id:
raise HttpErrorException.bad_request('no user id given')
user = User.get_by_id(user_id)
if not user:
raise HttpErrorException.bad_request('invalid user id given')
if user != self.user and not self.user.is_super_admin:
lr = tt_logging.construct_log(
msg_short='Non-Admin User try to Alter Another User\'s Billing',
msg='User (%s) attemped to change another user\'s (%s) '
'billing information' % (self.user.key.id(), user.key.id()),
log_type=tt_logging.SECURITY, request_user=self.user, affected_user=user,
request=self.request
)
log.warning(lr['dict_msg']['msg'], extra=lr)
raise HttpErrorException.forbidden()
if self.json_request.get('subscribe'):
pay_plan = self.json_request.get('subscribe')
if user.is_billable_account():
raise HttpErrorException.bad_request('user already has billable account')
checkout_url = user.setup_billable_account(pay_plan)
self.write_json_response({'checkout_url': checkout_url})
def on_authentication_fail(self, method):
lr = tt_logging.construct_log(
msg_short='Non-logged in User Attempted to Access Admin Panel',
log_type=tt_logging.SECURITY,
request=self.request)
log.warning(lr['dict_msg']['msg'], extra=lr)
raise HttpErrorException.unauthorized()
def get(self, verification_id):
if not verification_id:
return HttpErrorException.bad_request('no verification id given')
if self.request.get('username') == '':
return HttpErrorException.bad_request('no username given')
user = User.get_by_id(self.request.get('username'))
if not user:
return HttpErrorException.bad_request('invilad username')
if user.email_verification.verify_id == verification_id:
user.email_verification.verified = True
user.put()
lr = tt_logging.construct_log(
msg_short='User has verified their email',
msg='User has verified their email: ' + user.email,
log_type=tt_logging.USER, affected_user=user
)
log.info(lr['dict_msg']['msg'], extra=lr)
self.redirect('/')
else:
return HttpErrorException.bad_request('invalid verification id')
def post(self, organization):
if not organization and not Organization.valid_id(organization):
raise HttpErrorException.bad_request('invalid organization id')
organization = Organization.get_by_id(organization)
if organization is None:
raise HttpErrorException.bad_request('invalid organization id')
user = user_user.User.get_by_id(self.json_request.get('username'))
if user is None:
raise HttpErrorException.bad_request('bad username')
if not self.user.is_admin:
lr = tt_logging.construct_log(
msg_short='Non-Admin User Tried Adding Org Admin',
msg='A Non-Admin user try setting another user as admin',
log_type=tt_logging.SECURITY, request_user=self.user,
affected_user=user, request=self.request,
artifact=organization
)
log.warning(lr['dict_msg']['msg'], extra=lr)
raise HttpErrorException.forbidden()
is_admin = self.json_request.get('is_admin')
if is_admin is None and not type(is_admin) == bool:
raise HttpErrorException.bad_request('invalid admin settings')
if is_admin:
if user.key not in organization.admins:
organization.admins.append(user.key)
organization.put()
lr = tt_logging.construct_log(
msg_short='User was made organization admin',
log_type=tt_logging.USER, request_user=self.user, affected_user=user,
artifact=organization, request=self.request
)
log.info(lr['dict_msg']['msg'], extra=lr)
else:
if user.key in organization.admins:
organization.admins.remove(user.key)
organization.put()
lr = tt_logging.construct_log(
msg_short='User was removed as organization admin',
log_type=tt_logging.USER, request_user=self.user, affected_user=user,
artifact=organization, request=self.request
)
log.info(lr['dict_msg']['msg'], extra=lr)
def post(self, group):
if not group and Group.valid_id(group):
raise HttpErrorException.bad_request('invalid group id')
group = Group.get_by_id(group)
if group is None:
raise HttpErrorException.bad_request('invalid group id')
if not self.json_request.get('username', None):
raise HttpErrorException.bad_request('invalid username')
user = user_user.User.get_by_id(self.json_request.get('username'))
if user is None:
raise HttpErrorException.bad_request('invalid username')
if not self.user.is_admin and not group.is_admin(self.user):
lr = tt_logging.construct_log(
msg_short='Non-Admin User Tried To Give Group Admin',
msg='User (%s) tried to give User (%s) group admin for group (%s)Request:'
'%s' % (self.user.key.id(), user.key.id(), group.key.id(), str(self.request)),
log_type=tt_logging.SECURITY, request_user=self.user, affected_user=user,
artifact=group, request=self.request
)
log.warning(lr['dict_msg']['msg'], extra=lr)
raise HttpErrorException.forbidden()
is_group_admin = self.json_request.get('is_group_admin')
if is_group_admin is None:
raise HttpErrorException.bad_request('no group settings')
if is_group_admin:
if user.key not in group.admins:
group.admins.append(user.key)
group.put()
lr = tt_logging.construct_log(
msg_short='User was set a group admin', log_type=tt_logging.USER,
request_user=self.user, affected_user=user, artifact=group, request=self.request
)
log.info(lr['dict_msg']['msg'], extra=lr)
else:
if user.key in group.admins:
group.admins.remove(user.key)
group.put()
lr = tt_logging.construct_log(
msg_short='User was removed as group admin', log_type=tt_logging.USER,
request_user=self.user, affected_user=user, artifact=group, request=self.request
)
log.info(lr['dict_msg']['msg'], extra=lr)
def _serve_project_page(
self,
doc,
act_con_path,
):
open_chal = False
if self.request.get('open_chal').lower() == 'false':
open_chal = False
context_menu = True
if self.request.get('context_menu').lower() == 'false':
context_menu = False
template_index = JINJA_ENVIRONMENT.get_template('project.html')
display_name = self.user.display_name
short_name = (display_name[:14] +
'...') if len(display_name) > 17 else display_name
debug_level = 0
if os.environ.get('SERVER_SOFTWARE', '').startswith('Development'):
debug_level = 3
try:
debug_level = int(self.request.get('debug_level', debug_level))
except ValueError:
debug_level = 0
template_data = {
'data':
json.dumps({
'project': self.project.to_dict(self.user),
'user': self.user.to_dict(),
'act_con_path': act_con_path,
'doc': doc.key.id() if doc else None,
'page': 'project',
'debug': self.client_debug,
'check_auth': self.client_check_auth,
'loader_configs': self.loader_configs,
'open_chal': open_chal,
'context_menu': context_menu,
'an_token': self.analytic_session.key.id(),
'debug_level': debug_level,
}),
'display_name':
short_name,
'project':
self.project,
}
lr = tt_logging.construct_log(msg_short='Opened Project',
log_type=tt_logging.USER,
request=self.request,
artifact=self.project,
request_user=self.user)
log.info(lr['dict_msg']['msg'], extra=lr)
self.response.write(template_index.render(template_data))
def get(self, pay_plan=None):
if not self.user.is_super_admin:
lr = tt_logging.construct_log(
msg_short='Non-Admin User Attemped to Access Payment Plans',
log_type=tt_logging.SECURITY,
request=self.request,
request_user=self.user)
log.warning(lr['dict_msg']['msg'], extra=lr)
raise HttpErrorException.forbidden()
if not pay_plan:
self.write_json_response(payment_plan.get_payment_plan_list())
else:
raise NotImplementedError()
def get(self, org_id=None):
if self.user.is_super_admin:
self._serve_site_organizations()
elif self.user.is_org_admin:
self._serve_user_organization()
else:
lr = tt_logging.construct_log(
msg_short='Non-Admin User Tried Access Organizations',
msg='A Non-Admin user tried accessing other organizations',
log_type=tt_logging.SECURITY, request_user=self.user,
request=self.request
)
log.warning(lr['dict_msg']['msg'], extra=lr)
raise HttpErrorException.forbidden()
def post(self, secret_key=None):
if self.request.get('jwt') == '':
lr = tt_logging.construct_log(
msg_short='[Google Postback] No JWT Given',
log_type=tt_logging.PAYMENT,
request=self.request)
log.error(lr['dict_msg']['msg'], extra=lr)
raise HttpErrorException.bad_request('no jwt token given')
try:
self.response.write(
google_merchant.handle_google_callback(
self.request.get('jwt')))
except google_merchant.InvalidSellerDataException as e:
lr = tt_logging.construct_log(
msg_short='[Google Postback] Invalied Seller Data',
msg=e.message,
log_type=tt_logging.PAYMENT,
request=self.request)
log.error(lr['dict_msg']['msg'], extra=lr)
raise HttpErrorException.bad_request(e.message)
except google_merchant.InvalidOrderIdException as e:
lr = tt_logging.construct_log(
msg_short='[Google Postback] Invalide Order Id',
msg=e.message,
log_type=tt_logging.PAYMENT,
request=self.request)
log.error(lr['dict_msg']['msg'], extra=lr)
raise HttpErrorException.bad_request(e.message)
except Exception as e:
lr = tt_logging.construct_log(
msg_short='[Google Postback] Unknow Error',
msg=e.message,
log_type=tt_logging.PAYMENT,
request=self.request)
log.error(lr['dict_msg']['msg'], extra=lr)
raise HttpErrorException.bad_request(e.message)
def server_error_callback(e,
t,
v,
tb,
func,
request,
user,
log_type=tt_logging.EXCEPTION,
log_level=logging.ERROR):
lr = tt_logging.construct_log(msg_short=e.message,
request=request,
msg='\n\nTraceBack:\n' +
traceback.format_exc(tb),
log_type=log_type,
request_user=user)
log.log(log_level, lr['dict_msg']['msg'], extra=lr)
def _serve_org_project_json(self):
organization = Organization.get_by_id(
self.request.get('organization_id'))
if not self.user.is_admin:
lr = tt_logging.construct_log(
msg_short='Non-Admin User Attemped to Access all Org Projects',
log_type=tt_logging.SECURITY,
request=self.request,
artifact=organization,
request_user=self.user)
log.warning(lr['dict_msg']['msg'], extra=lr)
raise HttpErrorException.forbidden()
else:
project_arry = Project.get_org_projects(organization, self.user)
self.write_json_response(project_arry)
def get(self):
if self.request.get('organization_groups') is not '':
if self.request.get('organization_groups') == 'all':
organization = Organization.get_by_id(self.request.get('organization'))
if organization.is_user(self.user) or self.user.is_super_admin:
hidden = False
if self.request.get('hidden') is not '':
hidden = self.request.get('hidden')
group_array = organization.get_all_groups()
if hidden and self.user.is_admin:
hidden_group_array = organization.get_all_hidden_groups()
group_array = group_array + hidden_group_array
elif self.user.is_admin:
hidden_group_array = organization.get_all_hidden_groups()
group_array = group_array + hidden_group_array
else:
user_hidden_groups = organization.get_user_hidden_groups(self.user)
for group in user_hidden_groups:
group_array.append(group.to_dict())
self.write_json_response(group_array)
else:
lr = tt_logging.construct_log(
msg_short='User Tried Access Organization Groups',
msg='User (%s) tried to access groups that belongs to organization '
'(%s) and they are not in this organization' %
(self.user.key.id(), organization.key.id()),
log_type=tt_logging.SECURITY, request_user=self.user,
artifact=organization, request=self.request
)
log.warning(lr['dict_msg']['msg'], extra=lr)
raise HttpErrorException.forbidden()
elif self.request.get('organization_groups') == 'mine':
user_groups = self.user.get_groups()
user_groups = ndb.get_multi(user_groups)
user_groups_dict_list = []
for group in user_groups:
user_groups_dict_list.append(group.to_dict())
self.write_json_response(user_groups_dict_list)
else:
self._serve_user_groups()
def post(self, secret=None):
if not secret:
raise HttpErrorException.bad_request('no reset code given')
user = User.query(User.password_reset_secret == secret).get()
if not user:
raise HttpErrorException.bad_request('could not find user for password reset')
creds = GenericCredentials(user.username, self.json_request.get('password'))
user.password = Password(creds.password)
lr = tt_logging.construct_log(
msg_short='User has changed their password', log_type=tt_logging.USER,
affected_user=user, request=self.request
)
log.info(lr['dict_msg']['msg'], extra=lr)
user.put()
def put(self, user_id=None):
if not self.user.is_admin:
lr = tt_logging.construct_log(
msg_short='Non-Admin User Try Create New User',
msg='User (%s) attemped to create a new user' % (self.user.key.id()),
log_type=tt_logging.SECURITY, request_user=self.user,
request=self.request
)
log.warning(lr['dict_msg']['msg'], extra=lr)
raise HttpErrorException.forbidden()
if self.json_request.get('username'):
org = None
if self.json_request.get('organization'):
org = Organization.get_by_id(self.json_request.get('organization'))
User.new(self.json_request, verify_email=False, request=self.request,
worldshare_group=Group.get_worldshare_key(), organization=org)
def delete(self, request):
if self.key.id() == 'super_user':
raise HttpErrorException.forbidden()
organization = self.organization.get()
if self.key in organization.groups:
organization.groups.remove(self.key)
if self.key in organization.hidden_groups:
organization.hidden_groups.remove(self.key)
organization.put()
self.key.delete()
lr = tt_logging.construct_log(msg_short='Group Was Deleted',
msg='Group (%s) was deleted' %
str(self.key),
log_type=tt_logging.DEFAULT,
request_user=request.user,
request=request,
artifact=self)
log.info(lr['dict_msg']['msg'], extra=lr)
def on_authentication_success(self, user, session, method):
if self.requires_admin:
if not self.user.is_admin:
lr = tt_logging.construct_log(
msg_short=
'Non-Admin User Attemped to Prefrom Admin Operations',
msg='Method: %s'.format(method),
log_type=tt_logging.SECURITY,
request_user=self.user,
request=self.request)
log.warning(lr['dict_msg']['msg'], extra=lr)
raise HttpErrorException.forbidden()
if user.email_verification_lock() and self.enable_unverified_account:
self.redirect('/account/unverified/' + user.username, abort=True)
if user.account_locked() and self.enable_locked_account:
self.redirect('/account/locked/' + user.username, abort=True)
if user.account_expired() and self.enable_expired_account:
self.redirect('/account/expired/' + user.username, abort=True)
if user.account_disabled() and self.enable_disabled_account:
self.redirect('/account/disabled/' + user.username, abort=True)
def get(self):
if self.user.is_admin:
template_data = {
'title': 'thinkTank',
'user_super_admin': self.user.is_super_admin,
'data': {
'debug':
True
if self.request.get('debug').lower() == 'true' else False
}
}
template_index = JINJA_ENVIRONMENT.get_template('admin.html')
self.response.write(template_index.render(template_data))
else:
lr = tt_logging.construct_log(
msg_short='Non-Admin User Attemped to Access Admin Panel',
log_type=tt_logging.SECURITY,
request_user=self.user,
request=self.request)
log.warning(lr['dict_msg']['msg'], extra=lr)
raise HttpErrorException.bad_request()
def _parse_json_request(self):
"""Return the JSON POST body as Python object or None"""
if self.request.method == 'GET':
return None
if self.strict_parsing and not self._is_request_json():
log.debug(
'Request Content-Type not "application/json", nothing to de-serialize!'
)
raise HttpStatus.bad_request()
try:
json_obj = json.loads(self.request.body)
except ValueError, e:
lr = tt_logging.construct_log(
msg_short='Failed parsing JSON request',
log_type=tt_logging.DEFAULT,
msg='Failed parsing JSON request: %s'.format(str(e)),
user=self.user if self.user else None)
log.exception(lr['dict_msg']['msg'], extra=lr)
raise HttpStatus.bad_request()
def get(self, user_id=None):
if not user_id:
raise HttpErrorException.bad_request('no user id given')
user = User.get_by_id(user_id)
if not user:
raise HttpErrorException.bad_request('invalid user id given')
if user != self.user and not self.user.is_super_admin:
lr = tt_logging.construct_log(
msg_short='Non-Admin User try to Alter Another User\'s Billing',
msg='User (%s) attemped to change another user\'s (%s) '
'billing information' % (self.user.key.id(), user.key.id()),
log_type=tt_logging.SECURITY, request_user=self.user, affected_user=user,
request=self.request
)
log.warning(lr['dict_msg']['msg'], extra=lr)
raise HttpErrorException.forbidden()
template_data = {
'title': 'thinkTank',
'display_name': self.user.display_name,
'nav_bar_title': 'thinkTank',
'domain': self.request.host_url,
'payment_plans': payment_plan.get_payment_plan_list(),
'data': {
'user': json.dumps(self.user.to_dict(user=self.user))
},
}
if user.is_billable_account():
template_data['billable_account'] = True
else:
template_data['billable_account'] = False
if user.is_admin:
template_data['admin'] = True
template_index = JINJA_ENVIRONMENT.get_template('user_billing.html')
self.response.write(template_index.render(template_data))
def get(self, project_id=None):
if project_id:
if not Project.valid_id(project_id):
raise HttpErrorException.bad_request('invalid project id')
self.project = Project.get_by_id(project_id)
if not self.project:
raise HttpErrorException.bad_request('invalid project id')
if not self.project.has_permission_read(self.user):
lr = tt_logging.construct_log(
msg_short=
'User does not have permission to access this project',
log_type=tt_logging.SECURITY,
request=self.request,
artifact=self.project,
request_user=self.user)
log.info(lr['dict_msg']['msg'], extra=lr)
self.redirect('/', abort=True)
self._serve_page()
elif self.request.get('type') == 'json':
self._serve_json()
def post(self):
for log_record in self.json_request:
logger = log_record.get('logger', None)
try:
timestamp = 'client time: %s' % datetime.datetime.fromtimestamp(
float(log_record.get('timestamp'))/1000)
except ValueError:
timestamp = 'server time: %s' % datetime.datetime.now()
url = log_record.get('url', 'No URL Given')
message_list = log_record.get('message', 'No Message Given')
msg = ''
for message in message_list:
msg += str(message).replace('\r\n', '\n')
msg_complete = 'Client logger: %s\nDatetime: %s\nURL: %s\n%s' % (logger, timestamp, url, msg)
lr = tt_logging.construct_log(
msg_short='Received Error Log From Client',
msg=msg_complete, client_log=True, log_type=tt_logging.USER,
request=self.request, request_user=self.user)
log.error(lr['dict_msg']['msg'], extra=lr)
def post(self):
# TODO: This handler needs broken down into smaller methods. No point cleaning
# this up until that is complete.
if self.json_request.get('status') == 'login':
gc = GlobalConfig.get_configs()
user = User.get_by_id(self.json_request.get('username'))
if not user:
self.request.body = '' # Make sure we don't record the users credentials in plan text
lr = tt_logging.construct_log(msg_short='Unknow user attempted to login',
log_type=tt_logging.USER, request=self.request)
log.info(lr['dict_msg']['msg'], extra=lr)
raise HttpErrorException.bad_request('invalid username or password given')
if user.login_timeout():
raise HttpErrorException.forbidden()
if not gc.allow_non_admin_user_login and not user.is_admin:
self.request.body = '' # Make sure we don't record the users credentials in plan text
lr = tt_logging.construct_log(msg_short='User attempted to loggin, but login is disabled',
log_type=tt_logging.USER, request=self.request, request_user=user)
log.info(lr['dict_msg']['msg'], extra=lr)
raise HttpErrorException.forbidden()
creds = GenericCredentials.from_request(self.json_request)
if not creds.authenticate():
user.failed_login_attemps.append(datetime.datetime.now())
self.request.body = '' # Make sure we don't record the users credentials in plan text
lr = tt_logging.construct_log(msg_short='User provided invalid credentials',
log_type=tt_logging.USER, request=self.request, request_user=user)
log.info(lr['dict_msg']['msg'], extra=lr)
raise HttpErrorException.bad_request('invalid username or password given')
user.failed_login_attemps = []
user.last_login == datetime.datetime.now()
user.put()
session = login(self.request, creds, User)
self.request.body = '' # Make sure we don't record the users credentials in plan text
lr = tt_logging.construct_log(msg_short='User logged in',
msg='User logged in: session: %s, IP Address: %s' %
(session.token, self.request.remote_addr),
log_type=tt_logging.USER, request=self.request, request_user=user)
log.info(lr['dict_msg']['msg'], extra=lr)
self.response.set_cookie('auth_user', base64.b64encode(creds.username))
self.response.set_cookie('user', creds.username)
self.response.set_cookie('auth_token', session.token)
self.write_json_response({'status': 'success'})
elif self.json_request.get('status') == 'logout':
user = User.get_by_id(self.json_request.get('user'))
Session.invalidate_cache_for(user)
session = Session.get_by_id(user.username)
if session is not None:
lr = tt_logging.construct_log(msg_short='User logged out',
msg='User logged out: session: %s, IP Address: %s' %
(session.token, self.request.remote_addr),
log_type=tt_logging.USER, request=self.request, request_user=user)
log.info(lr['dict_msg']['msg'], extra=lr)
session.key.delete()
else:
lr = tt_logging.construct_log(msg_short='User logged out',
msg='User logged out: session: %s, IP Address: %s' %
self.request.remote_addr,
log_type=tt_logging.USER, request=self.request, request_user=user)
log.info(lr['dict_msg']['msg'], extra=lr)
elif self.json_request.get('reset_password'):
user = User.get_by_id(self.json_request.get('username'))
if not user:
raise HttpErrorException.bad_request('invalid username')
lr = tt_logging.construct_log(msg_short='Password Reset Requested',
msg='User has requested password reset',
log_type=tt_logging.USER, request=self.request, request_user=user)
log.info(lr['dict_msg']['msg'], extra=lr)
user.send_password_reset()
else:
self.write_json_response({'status': 'failed do not know what to do!!!'})
def post(self, phrasing_id=None):
if not phrasing_id:
raise HttpErrorException.bad_request('no phrasing_id given')
phrasing = Phrasing.get_by_id(phrasing_id)
if not phrasing:
raise HttpErrorException.bad_request('invalid phrasing_id given')
if not self.json_request.get('document'):
raise HttpErrorException.bad_request('no document given')
document = Document.get_by_id(self.json_request.get('document'))
if not document:
raise HttpErrorException.bad_request('invalid document given')
if not document.has_permission(self.user, 'manage_phrasings'):
lr = tt_logging.construct_log(
msg_short='User does not have manage_phrasing perm',
log_type=tt_logging.SECURITY,
request=self.request,
artifact=document,
request_user=self.user)
log.info(lr['dict_msg']['msg'], extra=lr)
raise HttpErrorException.forbidden()
concept = phrasing.concept.get()
project = concept.project.get()
selected_phrasing = None
if document.is_distilled_document(
) and project.key == document.project:
concept.distilled_phrasing = phrasing.key
concept.put()
else:
if concept.has_selected_phrasing(document=document):
selected_phrasing = concept.get_selected_phrasing(document)
selected_phrasing.phrasing = phrasing.key
selected_phrasing.put()
else:
selected_phrasing = SelectedPhrasing(id=Phrasing.create_uuid(),
project=concept.project,
document=document.key,
phrasing=phrasing.key)
selected_phrasing.put()
concept.selected_phrasings.append(selected_phrasing.key)
concept.put()
project = document.project.get(
) # Don't want concept's project, this could be a linked concept
project.pw_modified_ts = datetime.datetime.now()
project.put()
self.get_analytic_session()
concept.record_analytic('con_phr_cha', self.analytic_session)
if selected_phrasing:
self.write_json_response(selected_phrasing.to_dict())
action_data = {'document': document.key.id()}
trans = Transaction(action='phr_chg',
user=self.user.key,
artifact=phrasing.key,
project=project.key,
action_data=action_data)
trans.put()
self.get_channel_token()
channel_tokens = ChannelToken.get_by_project_key(
project.key, self.user_channel_token)
channel_tokens = ChannelToken.remove_unauthorized_users(
channel_tokens, [concept, document, phrasing])
message = {
'user': self.get_user_channel_data(),
'transaction': trans.to_dict(self.user)
}
ChannelToken.broadcast_message(channel_tokens, message)
def handle_google_callback(jwt_token):
from server import GlobalConfig
gc = GlobalConfig.get_configs()
if SANDBOX_MODE:
jwt_token = jwt.decode(jwt_token, SANDBOX_SELLER_SECRET)
else:
jwt_token = jwt.decode(jwt_token, gc.google_seller_secret)
log.info('Google Callback jwt: ' + str(jwt_token))
order_id = jwt_token['response']['orderId']
from models.account.user import User
from models import payment
if 'request' in jwt_token:
user_id = jwt_token['request']['sellerData']
user = User.query(User.user_id == user_id).get()
if not user:
raise InvalidSellerDataException(
'could not find user to match user_id: ' + str(user_id))
payment.process_payment(
user=user,
status='complete',
discription='Recurrening payment',
denomination=jwt_token['request']['recurrence']['currencyCode'],
price=jwt_token['request']['initialPayment']['price']
if 'initialPayment' in jwt_token['request'] else 0,
rec_price=jwt_token['request']['recurrence']['price'],
merchant='Google',
order_id=order_id,
merchant_data=jwt_token)
lr = tt_logging.construct_log(msg_short='[Google Postback] JWT',
msg=str(jwt_token),
log_type=tt_logging.PAYMENT,
user=user)
log.info(lr['dict_msg']['msg'], extra=lr)
else:
if 'statusCode' in jwt_token['response']:
if jwt_token['response']['statusCode'] == 'SUBSCRIPTION_CANCELED':
trans = Transaction.query(
Transaction.order_id == order_id).get()
if not trans:
raise InvalidOrderIdException(
'Could not find transaction for order id')
user = trans.user.get()
user.account_expire_data = datetime.datetime.now(
) + datetime.timedelta(
days=gc.subscription_account_extension_period)
user.account_status = payment.PAID
user.put()
payment.process_payment(
user=user,
status='complete',
discription='Recurrening canceled',
denomination='',
price=0,
rec_price=0,
merchant='Google',
order_id=order_id,
merchant_data=jwt_token,
update_status=False,
)
lr = tt_logging.construct_log(
msg_short='[Google Postback] JWT',
msg=str(jwt_token),
log_type=tt_logging.PAYMENT,
user=user)
log.info(lr['dict_msg']['msg'], extra=lr)
return order_id
def import_images(self):
concepts = []
deleted_concept = []
image_concept = []
for img_tag in self.image_tags:
try:
tag = img_tag['img']
src = HTMLImporter.normalize_image_url(self.url, tag['src'])
alt = tag.get('alt', None)
concept = img_tag['concept']
r = requests.get(src, stream=True)
concept.media_id = server.create_uuid()
filename = '/' + server.GCS_BUCKET_NAME + '/' + concept.media_id
image_data = StringIO(r.content).getvalue()
image = images.Image(image_data=image_data)
if 'image' not in r.headers['content-type']:
deleted_concept.append({
'concept':
concept.key.id(),
'parent_child_count':
concept.parent.get().num_of_children(self.user)
if concept.parent else None,
'parent':
concept.parent.id() if concept.parent else None
})
concept.remove_from_parent(concept.project)
concept.delete(self.user)
continue
if image.width < 100 or image.height < 100:
deleted_concept.append({
'concept':
concept.key.id(),
'parent_child_count':
concept.parent.get().num_of_children(self.user)
if concept.parent else None,
'parent':
concept.parent.id() if concept.parent else None
})
concept.remove_from_parent(concept.project)
concept.delete(self.user)
else:
f = gcs.open(filename,
mode='w',
content_type=r.headers['content-type'])
f.write(image_data)
f.close()
concept.media_blob = blobstore.create_gs_key('/gs' +
filename)
concept.media_ready = True
concept.media_mime_type = r.headers['content-type']
if alt and alt.rstrip() != '':
phr_perm = Permission(
permissions=Permission.init_perm_struct(
Phrasing.operations_list),
key=Permission.create_key(),
project=self.project.key)
phrasing = Phrasing(
key=Phrasing.create_key(),
text=alt,
concept=concept.key,
owner=[self.user.key],
permissions=phr_perm.key,
originating_document=self.document.key,
project=self.project.key)
phr_perm.artifact = phrasing.key
ndb.put_multi([phrasing, phr_perm])
concept.phrasings.append(phrasing.key)
concept.distilled_phrasing = phrasing.key
image_concept.append(concept.key.id())
concepts.append(concept)
concept.put()
except Exception as e:
# raise
type_, value_, traceback_ = sys.exc_info()
ex = traceback.format_exception(type_, value_, traceback_)
lr = tt_logging.construct_log(
msg_short='Error Importing Image',
msg=e.message + '\n\n' + str(ex),
log_type=tt_logging.USER,
artifact=self.project,
request_user=self.user)
log.error(lr['dict_msg']['msg'], extra=lr)
def get(self, user_id=None):
# TODO: This handler needs broken down into smaller methods. No point cleaning
# this up until that is complete.
if self.request.get('user_info') is not '':
if self.request.get('user_info') == self.user.username or self.user.is_admin:
user = User.get_by_id(self.request.get('user_info'))
if not user:
raise HttpErrorException.bad_request('invalid user id')
self.write_json_response(user.to_dict(user=self.user))
elif self.request.get('user_perms') is not '':
user = User.get_by_id(self.request.get('user_perms'))
if not user:
raise HttpErrorException.bad_request('invalid username')
if not user.is_admin and not self.user == user:
lr = tt_logging.construct_log(msg_short='Non-Admin User Try Accessing Another User',
msg='User (%s) attemped to access user\'s (%s) data ' %
(self.user.key.id(), user.key.id()),
log_type=tt_logging.SECURITY, request_user=self.user, affected_user=user,
request=self.request)
log.warning(lr['dict_msg']['msg'], extra=lr)
raise HttpErrorException.forbidden()
user_perms_dict = {}
for group_key in user.groups:
group = group_key.get()
if group is None:
user.groups.remove(group_key)
user.put()
lr = tt_logging.construct_log(msg_short='Broken Group Key in User Group List',
msg='Found a broken group key (%s) in the user\'s group list\n'
'Key has been removed' %
str(group_key),
log_type=tt_logging.USER, request_user=self.user, affected_user=user,
request=self.request)
log.error(lr['dict_msg']['msg'], extra=lr)
elif (group.has_permission(self.user, 'set_user_perms') or
group.has_permission(self.user, 'remove_user_perms') or
user.key == self.user.key):
perms = user.get_group_perms_dict(group)
if perms is not None:
user_perms_dict[group.key.id()] = perms
self.write_json_response(user_perms_dict)
elif self.request.get('organization_users') is not '':
if self.request.get('organization_users') == 'all':
organization = Organization.get_by_id(self.request.get('organization_id'))
if organization.is_admin(self.user) or Group.get_by_id('super_admin').key in self.user.groups:
user_array = User.get_all_users(organization, request_user=self.user)
self.write_json_response(user_array)
else:
lr = tt_logging.construct_log(msg_short='Non-Admin User Try Accessing Org Users',
msg='User (%s) attemped to access all Organization\'s users' %
(self.user.key.id()),
log_type=tt_logging.SECURITY, request_user=self.user,
request=self.request, artifact=organization)
log.warning(lr['dict_msg']['msg'], extra=lr)
raise HttpErrorException.forbidden()
elif self.request.get('non_org') is not '':
if not self.user.is_super_admin:
lr = tt_logging.construct_log(msg_short='Non-Admin User Try Accessing Org Users',
msg='User (%s) attemped to access all Organization\'s users' %
(self.user.key.id()),
log_type=tt_logging.SECURITY, request_user=self.user,
request=self.request)
log.warning(lr['dict_msg']['msg'], extra=lr)
raise HttpErrorException.forbidden()
else:
users = User.query(User.organization == None).fetch()
users_dicts = []
for user in users:
users_dicts.append(user.to_dict())
self.write_json_response(users_dicts)
def edit(command, request, request_data, request_user=None):
if command is not None:
command = command.split(' ')
if request_data.get('group_id') is None:
raise HttpErrorException.bad_request('no group id given')
group = Group.get_by_id(request_data.get('group_id'))
if 'add' in command:
if 'admin' in command:
if request_data.get('user_id') is None:
raise HttpErrorException.bad_request('no user id given')
user = ndb.Key('User', request_data.get('user_id'))
if (not request_user.is_admin
and not group.is_admin(request_user)):
lr = tt_logging.construct_log(
msg_short=
'Non-Admin User Tried Adding User To Group Admin',
log_type=tt_logging.SECURITY,
request_user=request_user,
request=request,
artifact=group,
affected_user=user)
log.warning(lr['dict_msg']['msg'], extra=lr)
raise HttpErrorException.forbidden()
if user.key not in group.admins:
lr = tt_logging.construct_log(
msg_short='User Was Set as Group Admin',
log_type=tt_logging.USER,
request_user=request_user,
request=request,
artifact=group,
affected_user=user)
log.info(lr['dict_msg']['msg'], extra=lr)
group.admins.append(user.key)
if 'remove' in command:
if 'admin' in command:
if request_data.get('user_id') is None:
raise HttpErrorException.bad_request('no user id given')
user = ndb.Key('User', request_data.get('user_id'))
if (not request_user.is_admin
and not group.is_admin(request_user)):
lr = tt_logging.construct_log(
msg_short=
'Non-Admin User Tried Removing User From Group Admin',
log_type=tt_logging.SECURITY,
request_user=request_user,
request=request,
artifact=group,
affected_user=user)
log.warning(lr['dict_msg']['msg'], extra=lr)
raise HttpErrorException.forbidden()
if user.key in group.admins:
lr = tt_logging.construct_log(
msg_short='User Was Removed as Group Admin',
log_type=tt_logging.USER,
request_user=request_user,
request=request,
artifact=group,
affected_user=user)
log.info(lr['dict_msg']['msg'], extra=lr)
group.admins.remove(user.key)
if 'set' in command:
if 'inactive' in command:
if not request_user.is_admin:
lr = tt_logging.construct_log(
msg_short=
'Non-Admin User Tried Setting Group to Inactive',
log_type=tt_logging.SECURITY,
request_user=request_user,
request=request,
artifact=group)
log.warning(lr['dict_msg']['msg'], extra=lr)
raise HttpErrorException.forbidden()
group.active = False
if 'active' in command:
if not request_user.is_admin:
lr = tt_logging.construct_log(
msg_short=
'Non-Admin User Tried Setting Group to Active',
log_type=tt_logging.SECURITY,
request_user=request_user,
request=request,
artifact=group)
log.warning(lr['dict_msg']['msg'], extra=lr)
raise HttpErrorException.forbidden()
group.active = True
group.put()
return group.to_dict()
