def get_user_from_auth():
if verify_superuser_auth_token(request.cookies.get('auth_token')):
return {'is_superuser': True}
user = get_user(request.cookies)
if user is None:
abort(401)
return user
def filter_applications(applications, cookies):
"""Filter applications based on user roles"""
is_superuser = verify_superuser_auth_token(
request.cookies.get('auth_token'))
if is_superuser:
# No filter for superuser
return applications
user = get_user(request.cookies)
if user is None:
abort(401)
if has_role(user, 'flod_saksbehandlere'):
# No filter for flod_saksbehandlere
return applications
if has_role(user, 'flod_brukere'):
# Administratosr should only see applications for resources they own
remote_resource_ids = [c['resource_id']
for c in user.get('credentials', [])
if c['id'].startswith('CAN_EDIT_FACILITY_')]
# Need to map the ids in the credentials which uses remote ids
# to the local ones used in booking.
uris = ["/facilities/%s" % i for i in remote_resource_ids]
res = current_app.db_session.query(Resource).filter(Resource.uri.in_(uris)).all()
local_resource_ids = [r.id for r in res]
applications = applications.filter(
Application.resource_id.in_(local_resource_ids)
)
else:
# External users should only see their own applications and the applications belonging to their organisations
org_ids = []
orgs = get_person_from_web('/persons/%s/organisations/' % user['person_id'])
org_uris = [org.get('uri') for org in orgs]
if len(org_uris) > 0:
res = current_app.db_session.query(Organisation).filter(Organisation.uri.in_(org_uris)).all()
org_ids = [o.id for o in res]
person_uri = '/persons/{}'.format(user['person_id'])
if len(org_ids) == 0:
applications = applications.filter(
Application.person.has(uri=person_uri)
)
else:
applications = applications.filter(
or_(
Application.person.has(uri=person_uri),
Application.organisation_id.in_(org_ids)
)
)
return applications
def get_user(cookies):
if verify_superuser_auth_token(cookies.get('auth_token')):
return {'is_superuser': True}
user_id = get_user_id_from_cookies(cookies)
if user_id:
url = '%s/api/%s/users/%s' % (USERS_URL, USERS_VERSION, user_id)
response = requests.get(url, cookies=cookies)
return response.json()
return None
def validate(self, f, *args, **kwargs):
auth_token = request.cookies.get("auth_token", None)
valid = auth_token is not None and verify_auth_token(auth_token) and verify_superuser_auth_token(auth_token)
if not valid:
self.fail("User is not authorized to request the resource.", f, 403, None, *args, **kwargs)
