Exemplo n.º 1
    def post(self, group_id):
        """Add the user named in the form data to the group ``group_id``.

        Raises DoesNotExistError when the group cannot be loaded, and
        SecurityError when the group grants permissions administration (or
        admin_all) while the session user lacks PERMIT_ADMIN_PERMISSIONS.
        """
        params = self._get_validated_object_parameters(request.form)
        target_group = data_engine.get_group(group_id=group_id, load_users=True)
        if target_group is None:
            raise DoesNotExistError(str(group_id))

        # Privilege-escalation guard: a caller without permissions admin must
        # not be able to hand out membership of a group that grants it.
        # NOTE(review): the "user admin" requirement is not checked in this
        # method; presumably it is enforced before dispatch - confirm.
        group_perms = target_group.permissions
        grants_perm_admin = group_perms.admin_permissions or group_perms.admin_all
        if grants_perm_admin and not permissions_engine.is_permitted(
                SystemPermissions.PERMIT_ADMIN_PERMISSIONS,
                get_session_user()):
            raise SecurityError(
                'You cannot add users to a group that '
                'grants permissions administration, because you do not '
                'have permissions administration access yourself.')

        member = data_engine.get_user(user_id=params['user_id'])
        # An unknown user_id, or an existing membership, is a silent no-op:
        # the success response below is returned either way.
        if member is not None and member not in target_group.users:
            target_group.users.append(member)
            data_engine.save_object(target_group)
            # Membership changed, so drop the cached session and permission
            # state that was computed from the old membership.
            reset_user_sessions(member)
            permissions_engine.reset()
        return make_api_success_response()
Exemplo n.º 2
def trace_permissions():
    """Render the page that traces one user's permissions on one folder.

    Reads ``embed``, ``user`` and ``path`` from the query string. Any
    Exception raised while loading data is logged via log_security_error and
    shown on the page as a sanitised message; the page is rendered either way.
    """
    embed = request.args.get('embed', '')
    user_id = request.args.get('user', '')
    requested_path = request.args.get('path', '')
    # An empty path means the root folder
    folder_path = os.path.sep if requested_path == '' else requested_path

    folder = user = trace = err_msg = None
    users = []
    user_has_admin = False
    db_session = data_engine.db_get_session()
    try:
        # A user ID of 0 leaves user as None, which stands for an anonymous user
        user_id = parse_int(user_id)
        if user_id != 0:
            user = data_engine.get_user(user_id, _db_session=db_session)
            if user is None:
                raise DoesNotExistError('This user no longer exists')

        folder = data_engine.get_folder(
            folder_path=folder_path,
            _db_session=db_session
        )
        if folder is None or folder.status == Folder.STATUS_DELETED:
            raise DoesNotExistError('This folder no longer exists')

        # Active users, for the user selection list
        users = data_engine.list_users(
            status=User.STATUS_ACTIVE,
            order_field=User.username,
            _db_session=db_session
        )

        # Trace how the folder permissions for this user are arrived at
        trace = permissions_engine._trace_folder_permissions(folder, user)

        # The UI flags the case where any traced group carries file admin
        traced_perms = (entry['group'].permissions for entry in trace['groups'])
        user_has_admin = any(
            perms.admin_files or perms.admin_all for perms in traced_perms
        )

    except Exception as e:
        log_security_error(e, request)
        # Only the sanitised form of the error reaches the template
        err_msg = safe_error_str(e)
    finally:
        # Returning from inside "finally" discards anything still in flight
        # (i.e. raised above but not an Exception subclass).
        try:
            context = dict(
                embed=embed,
                folder=folder,
                folder_is_root=folder.is_root() if folder else False,
                user=user,
                user_list=users,
                trace=trace,
                user_has_admin=user_has_admin,
                err_msg=err_msg,
                GROUP_ID_PUBLIC=Group.ID_PUBLIC
            )
            return render_template('admin_trace_permissions.html', **context)
        finally:
            # The session is closed only after rendering has finished
            db_session.close()
Exemplo n.º 3
def _check_for_user_lockout(original_object):
    """
    Post-change safety check against administrators locking themselves out.

    Intended to be called only when the current user is known to hold
    PERMIT_ADMIN_USERS. Verifies that the current user still has user
    administration, and that user ID 1 (the 'admin' user) still has both user
    administration and permissions administration.

    The check runs after the change has been saved: on failure the supplied
    original object is re-saved, the permissions engine is reset, and a
    ParameterError is raised.
    """
    for uid in (get_session_user_id(), 1):
        account = data_engine.get_user(user_id=uid)
        if not account:
            continue
        try:
            # Everyone checked here must keep user administration
            if not permissions_engine.is_permitted(
                    SystemPermissions.PERMIT_ADMIN_USERS, account):
                raise ParameterError()
            # The admin user must additionally keep permissions administration
            if uid == 1 and not permissions_engine.is_permitted(
                    SystemPermissions.PERMIT_ADMIN_PERMISSIONS, account):
                raise ParameterError()
        except ParameterError:
            # Undo the change by restoring the object as it was before
            data_engine.save_object(original_object)
            permissions_engine.reset()
            # Report the lockout to the API caller
            subject = 'the \'admin\' user' if uid == 1 else 'you'
            raise ParameterError(
                'This change would lock %s out of administration' % subject)
Exemplo n.º 4
def _check_for_user_lockout(original_object):
    """
    Detect and undo a change that removes administration access.

    Only to be called when the current user is known to have
    PERMIT_ADMIN_USERS. Two accounts are checked, in order: the session user
    (must keep user administration) and user ID 1, the 'admin' user (must keep
    user administration and permissions administration).

    If either check fails, the supplied original object is re-saved, the
    permissions engine is reset, and a ParameterError is raised. The rollback
    therefore happens after the offending change was already saved.
    """
    for checked_id in [get_session_user_id(), 1]:
        db_user = data_engine.get_user(user_id=checked_id)
        if not db_user:
            continue

        # User administration is always required; the admin user also needs
        # permissions administration.
        required = [SystemPermissions.PERMIT_ADMIN_USERS]
        if checked_id == 1:
            required.append(SystemPermissions.PERMIT_ADMIN_PERMISSIONS)

        try:
            for needed in required:
                if not permissions_engine.is_permitted(needed, db_user):
                    raise ParameterError()
        except ParameterError:
            # Roll back to the pre-change object and flush cached permissions
            data_engine.save_object(original_object)
            permissions_engine.reset()
            # Surface the problem as an API error
            if checked_id == 1:
                who = 'the \'admin\' user'
            else:
                who = 'you'
            raise ParameterError(
                'This change would lock %s out of administration' % who
            )
Exemplo n.º 5
    def post(self, group_id):
        """Add the user given in the form data to the group ``group_id``.

        Raises DoesNotExistError for an unknown group, and SecurityError when
        the group grants permissions administration (or admin_all) and the
        session user does not hold PERMIT_ADMIN_PERMISSIONS.
        """
        params = self._get_validated_object_parameters(request.form)
        group = data_engine.get_group(group_id=group_id, load_users=True)
        if group is None:
            raise DoesNotExistError(str(group_id))

        # Guard against privilege escalation: someone with user admin only
        # must not be able to grant membership of a group that carries
        # permissions admin or superuser.
        # NOTE(review): the user admin requirement itself is not checked in
        # this method; presumably enforced before dispatch - confirm.
        escalating = (
            group.permissions.admin_permissions or group.permissions.admin_all
        )
        if escalating:
            caller_ok = permissions_engine.is_permitted(
                SystemPermissions.PERMIT_ADMIN_PERMISSIONS, get_session_user()
            )
            if not caller_ok:
                raise SecurityError(
                    'You cannot add users to a group that '
                    'grants permissions administration, because you do not '
                    'have permissions administration access yourself.'
                )

        new_member = data_engine.get_user(user_id=params['user_id'])
        # Unknown user or existing member: nothing to change, still a success
        if new_member is None or new_member in group.users:
            return make_api_success_response()

        group.users.append(new_member)
        data_engine.save_object(group)
        # NOTE(review): only the permissions engine is reset here; if per-user
        # session data caches group membership, confirm it is refreshed.
        permissions_engine.reset()
        return make_api_success_response()
Exemplo n.º 6
 def delete(self, user_id):
     """Delete the user ``user_id`` and return the deleted record.

     Raises DoesNotExistError for an unknown ID and ParameterError for user
     ID 1, the 'admin' user, which cannot be deleted.
     """
     target = data_engine.get_user(user_id=user_id)
     if target is None:
         raise DoesNotExistError(str(user_id))
     if target.id == 1:
         raise ParameterError('The \'admin\' user cannot be deleted')

     data_engine.delete_user(target)

     # Deleting your own account also ends your own session
     deleted_self = get_session_user_id() == user_id
     if deleted_self:
         log_out()
     # Drop cached session state for the deleted account
     reset_user_sessions(target)
     # NOTE(review): the whole user object is serialised into the response;
     # confirm object_to_dict() leaves out the password field.
     return make_api_success_response(object_to_dict(target))
Exemplo n.º 7
 def get(self, user_id=None):
     """Return one user when ``user_id`` is given, otherwise the user list.

     The list is filtered by the validated status argument of the request and
     ordered by username. Raises DoesNotExistError for an unknown user ID.
     """
     if user_id is not None:
         # Single user lookup
         found = data_engine.get_user(user_id)
         if found is None:
             raise DoesNotExistError(str(user_id))
         # NOTE(review): confirm object_to_dict() leaves out the password field
         return make_api_success_response(object_to_dict(found))

     # No ID supplied: list users
     wanted_status = self._get_validated_status_arg(request)
     listing = data_engine.list_users(
         status=wanted_status,
         order_field=User.username
     )
     return make_api_success_response(object_to_dict_list(listing))
Exemplo n.º 8
 def delete(self, user_id):
     """Delete the user ``user_id`` and return the record without its password.

     Raises DoesNotExistError for an unknown ID and ParameterError for user
     ID 1, the 'admin' user, which cannot be deleted.
     """
     doomed = data_engine.get_user(user_id=user_id)
     if doomed is None:
         raise DoesNotExistError(str(user_id))
     if doomed.id == 1:
         raise ParameterError('The \'admin\' user cannot be deleted')

     data_engine.delete_user(doomed)

     # An administrator who deletes their own account is logged out
     if get_session_user_id() == user_id:
         log_out()

     # The password entry is stripped before the record leaves the server.
     # Only that one key is removed; any other field passes through.
     response_body = object_to_dict(doomed)
     del response_body['password']
     return make_api_success_response(response_body)
Exemplo n.º 9
def apply_user(params):
    """Create, update or delete the user described by ``params``.

    The action is chosen by ``params.mode``: MODE_ADD creates the user,
    MODE_UPDATE rewrites name, email and password, and every other mode
    deletes the user. Returns RETURN_OK on success, RETURN_BAD_PARAMS when a
    ValueError is raised, and RETURN_DB_ERROR on a DBError.
    """
    from imageserver.flask_app import data_engine
    from imageserver.models import User
    from imageserver.errors import DBError
    try:
        existing_user = data_engine.get_user(username=params.username)

        if params.mode == Parameters.MODE_ADD:
            if existing_user:
                # The message distinguishes a soft-deleted record from a live one
                reason = (
                    'A deleted user record for this username already exists'
                    if existing_user.status == User.STATUS_DELETED
                    else 'This username already exists'
                )
                raise ValueError(reason)
            # NOTE(review): the password goes to the User constructor here but
            # through set_password() on update; confirm the constructor does
            # not store it as given.
            new_user = User(
                params.firstname,
                params.lastname,
                params.email,
                params.username,
                params.password,
                User.AUTH_TYPE_PASSWORD,
                False,
                User.STATUS_ACTIVE
            )
            data_engine.create_user(new_user)
            log('User created')
        elif params.mode == Parameters.MODE_UPDATE:
            if not existing_user:
                raise ValueError('The username was not found')
            if existing_user.status == User.STATUS_DELETED:
                raise ValueError('This user record is deleted')
            existing_user.first_name = params.firstname
            existing_user.last_name = params.lastname
            existing_user.email = params.email
            existing_user.set_password(params.password)
            data_engine.save_object(existing_user)
            log('User updated')
        else:
            # NOTE(review): any mode other than add/update ends up deleting;
            # presumably the mode is validated before this call - confirm.
            if not existing_user:
                raise ValueError('The username was not found')
            data_engine.delete_user(existing_user)
            log('User deleted')

        return RETURN_OK
    except ValueError as bad_input:
        error(str(bad_input))
        return RETURN_BAD_PARAMS
    except DBError as db_failure:
        error(str(db_failure))
        return RETURN_DB_ERROR
Exemplo n.º 10
def user_edit(user_id):
    """Render the user edit page for ``user_id``.

    A ``user_id`` that is not greater than zero renders the page with no user
    loaded. An Exception during the lookup is logged via log_security_error
    and its text is shown on the page.
    """
    embed = request.args.get('embed', '')
    user = None
    err_msg = None
    try:
        if user_id > 0:
            user = data_engine.get_user(user_id=user_id, load_groups=True)
    except Exception as lookup_error:
        log_security_error(lookup_error, request)
        # NOTE(review): the raw exception text goes to the template and may
        # carry internal detail; confirm that is acceptable for this page.
        err_msg = str(lookup_error)

    page_vars = dict(
        embed=embed,
        user=user,
        err_msg=err_msg,
        AUTH_TYPE_PASSWORD=User.AUTH_TYPE_PASSWORD,
        STATUS_ACTIVE=User.STATUS_ACTIVE,
    )
    return render_template('admin_user_edit.html', **page_vars)
Exemplo n.º 11
def user_edit(user_id):
    """Show the admin form for one user.

    The user (with groups) is loaded only when ``user_id`` is greater than
    zero; otherwise the template receives ``user=None``. Lookup failures are
    logged via log_security_error and reported on the page through
    ``err_msg``.
    """
    embed = request.args.get('embed', '')
    loaded_user = None
    failure_text = None
    try:
        if user_id > 0:
            loaded_user = data_engine.get_user(
                user_id=user_id,
                load_groups=True
            )
    except Exception as exc:
        log_security_error(exc, request)
        # NOTE(review): str(exc) is displayed as-is; exception text can expose
        # internal detail, so confirm the template escapes it and that this
        # level of detail is intended.
        failure_text = str(exc)
    return render_template(
        'admin_user_edit.html',
        embed=embed,
        user=loaded_user,
        err_msg=failure_text,
        AUTH_TYPE_PASSWORD=User.AUTH_TYPE_PASSWORD,
        STATUS_ACTIVE=User.STATUS_ACTIVE
    )
Exemplo n.º 12
 def get(self, user_id=None):
     """Return one user when ``user_id`` is given, otherwise all users.

     The password entry is removed from every record before it is returned.
     Raises DoesNotExistError for an unknown user ID.
     """
     if user_id is not None:
         # Single user lookup
         record = data_engine.get_user(user_id)
         if record is None:
             raise DoesNotExistError(str(user_id))
         # Strip the password entry before the record leaves the server
         single = object_to_dict(record)
         del single['password']
         return make_api_success_response(single)

     # No ID supplied: list every user, ordered by username
     everyone = object_to_dict_list(
         data_engine.list_users(order_field=User.username)
     )
     # Strip the password entry from each record. Only that key is removed;
     # any other field passes through unchanged.
     for entry in everyone:
         del entry['password']
     return make_api_success_response(everyone)
Exemplo n.º 13
 def put(self, user_id):
     """Update the user ``user_id`` from the validated form data.

     The status field is never changed here. Username and password are only
     written when the resulting auth type is not LDAP, and the password only
     when a new one was supplied. Raises DoesNotExistError for an unknown ID.
     """
     params = self._get_validated_object_parameters(request.form, False)
     account = data_engine.get_user(user_id=user_id)
     if account is None:
         raise DoesNotExistError(str(user_id))

     # Fields that are always copied across (status is deliberately absent)
     for field in ('first_name', 'last_name', 'email', 'auth_type', 'allow_api'):
         setattr(account, field, params[field])

     # NOTE(review): auth_type was just overwritten from the request, so this
     # LDAP test uses the requested type, not the stored one - confirm that a
     # request switching auth type is meant to set username/password too.
     if account.auth_type != User.AUTH_TYPE_LDAP:
         account.username = params['username']
         # A blank password means "leave the current one alone"
         if params['password']:
             account.set_password(params['password'])

     data_engine.save_object(account)
     # Cached session state for this user is now out of date
     reset_user_sessions(account)
     # NOTE(review): confirm object_to_dict() leaves out the password field
     return make_api_success_response(object_to_dict(account))
Exemplo n.º 14
 def put(self, user_id):
     """Update the user ``user_id`` and return the record without its password.

     The status field is not touched. Username and password are written only
     when the resulting auth type is not LDAP; the password only when a new
     one was passed in. Raises DoesNotExistError for an unknown ID.
     """
     params = self._get_validated_object_parameters(request.form, False)
     target = data_engine.get_user(user_id=user_id)
     if target is None:
         raise DoesNotExistError(str(user_id))

     target.first_name = params['first_name']
     target.last_name = params['last_name']
     target.email = params['email']
     target.auth_type = params['auth_type']
     target.allow_api = params['allow_api']

     # NOTE(review): the LDAP test below reads the auth type that was assigned
     # from the request on the lines above, not the previously stored value -
     # confirm that is the intended rule.
     if target.auth_type != User.AUTH_TYPE_LDAP:
         target.username = params['username']
         new_password = params['password']
         if new_password:
             target.set_password(new_password)

     data_engine.save_object(target)

     # The password entry is stripped before the record leaves the server
     body = object_to_dict(target)
     del body['password']
     return make_api_success_response(body)
Exemplo n.º 15
def trace_permissions():
    """Render the page that traces a user's permissions on a folder.

    Query string inputs are ``embed``, ``user`` and ``path``; an empty path
    selects the root folder. Exceptions raised while loading data are logged
    via log_security_error and their text is shown on the page, which is
    rendered in every case.
    """
    embed = request.args.get('embed', '')
    user_id = request.args.get('user', '')
    folder_path = request.args.get('path', '')
    if folder_path == '':
        folder_path = os.path.sep

    folder, user, trace, err_msg = None, None, None, None
    users = []
    user_has_admin = False
    db_session = data_engine.db_get_session()
    try:
        # user stays None when the parsed ID is 0 (an anonymous user)
        user_id = parse_int(user_id)
        if user_id != 0:
            user = data_engine.get_user(user_id, _db_session=db_session)
            if user is None:
                raise DoesNotExistError('This user no longer exists')

        folder = data_engine.get_folder(
            folder_path=folder_path,
            _db_session=db_session
        )
        folder_gone = folder is None or folder.status == Folder.STATUS_DELETED
        if folder_gone:
            raise DoesNotExistError('This folder no longer exists')

        # Active users for the selection list, ordered by username
        users = data_engine.list_users(
            status=User.STATUS_ACTIVE,
            order_field=User.username,
            _db_session=db_session
        )

        # Work out how the permissions for this folder + user are derived
        trace = permissions_engine._trace_folder_permissions(folder, user)

        # One group with file admin (or admin_all) is enough to flag the UI
        for traced in trace['groups']:
            perms = traced['group'].permissions
            if perms.admin_files or perms.admin_all:
                user_has_admin = True
                break

    except Exception as e:
        log_security_error(e, request)
        # NOTE(review): the raw exception text goes to the template and may
        # carry internal detail; confirm that is acceptable for this page.
        err_msg = str(e)
    finally:
        # Returning from inside "finally" discards anything still in flight
        # (i.e. raised above but not an Exception subclass).
        try:
            is_root = folder.is_root() if folder else False
            return render_template(
                'admin_trace_permissions.html',
                embed=embed,
                folder=folder,
                folder_is_root=is_root,
                user=user,
                user_list=users,
                trace=trace,
                user_has_admin=user_has_admin,
                err_msg=err_msg,
                GROUP_ID_PUBLIC=Group.ID_PUBLIC
            )
        finally:
            # Close the session only once the template has been rendered
            db_session.close()