def delete_user_group_view(request):
    """
    Remove a user from a group.

    Both the user and the group are resolved from the request's matchdict.
    The membership row is removed through a scoped helper wrapped in
    ``ax.evaluate_call``: on any failure the session is rolled back and a
    not-found response carrying the user and group names is produced.
    """
    session = request.db
    user = ar.get_user_matchdict_checked_or_logged(request)
    group = ar.get_group_matchdict_checked(request)

    def remove_membership(usr, grp):
        # Both criteria passed to a single filter() call, which is equivalent
        # to chaining two filter() calls.
        # NOTE(review): a bulk Query.delete() matching zero rows presumably
        # does not raise, so a user that is not in the group would still get
        # the success response rather than the not-found one — confirm.
        membership = session.query(models.UserGroup).filter(
            models.UserGroup.user_id == usr.id,
            models.UserGroup.group_id == grp.id,
        )
        membership.delete()

    ax.evaluate_call(
        lambda: remove_membership(user, group),
        fallback=lambda: session.rollback(),
        httpError=HTTPNotFound,
        msgOnFail=s.UserGroup_DELETE_NotFoundResponseSchema.description,
        content={
            u"user_name": user.user_name,
            u"group_name": group.group_name,
        })
    return ax.valid_http(
        httpSuccess=HTTPOk,
        detail=s.UserGroup_DELETE_OkResponseSchema.description)
def get_user_service_resources_view(request):
    """
    List all resources under a service a user has permission on.

    The ``inherit`` query parameter controls whether permissions granted
    through the user's groups are considered together with direct ones.
    Service-level and resource-level permissions are resolved separately and
    then merged into a single formatted service description.
    """
    with_group_perms = asbool(ar.get_query_param(request, "inherit"))
    user = ar.get_user_matchdict_checked_or_logged(request)
    service = ar.get_service_matchdict_checked(request)
    lookup_options = {
        "request": request,
        "inherit_groups_permissions": with_group_perms,
    }
    svc_perms = uu.get_user_service_permissions(user, service, **lookup_options)
    res_perms = uu.get_user_service_resources_permissions_dict(user, service, **lookup_options)
    svc_json = format_service_resources(
        service=service,
        db_session=request.db,
        service_perms=svc_perms,
        resources_perms_dict=res_perms,
        show_all_children=False,
        show_private_url=False,
    )
    return ax.valid_http(
        httpSuccess=HTTPOk,
        detail=s.UserServiceResources_GET_OkResponseSchema.description,
        content={u"service": svc_json})
def get_user_service_permissions_view(request):
    """
    List all permissions a user has on a service.

    Query parameters ``inherit``/``inherited`` include permissions obtained
    through the user's groups and ``resolve``/``resolved`` request the
    resolved permission set. The permission type reported in the response
    follows the inherit flag (``INHERITED`` when set, ``DIRECT`` otherwise).
    A failed lookup rolls back the session and answers with not-found.
    """
    user = ar.get_user_matchdict_checked_or_logged(request)
    service = ar.get_service_matchdict_checked(request)
    inherited = asbool(ar.get_query_param(request, ["inherit", "inherited"]))
    resolved = asbool(ar.get_query_param(request, ["resolve", "resolved"]))
    if inherited:
        perm_type = PermissionType.INHERITED
    else:
        perm_type = PermissionType.DIRECT

    def fetch_permissions():
        return uu.get_user_service_permissions(
            service=service,
            user=user,
            request=request,
            inherit_groups_permissions=inherited,
            resolve_groups_permissions=resolved,
        )

    perms = ax.evaluate_call(
        fetch_permissions,
        fallback=lambda: request.db.rollback(),
        http_error=HTTPNotFound,
        msg_on_fail=s.UserServicePermissions_GET_NotFoundResponseSchema.description,
        content={
            "service_name": str(service.resource_name),
            "user_name": str(user.user_name),
        })
    return ax.valid_http(
        http_success=HTTPOk,
        content=format_permissions(perms, perm_type),
        detail=s.UserServicePermissions_GET_OkResponseSchema.description)
def get_user_service_permissions_view(request):
    """
    List all permissions a user has on a service.

    When the ``inherit`` query parameter is set, permissions obtained through
    the user's groups are merged with the direct ones. The response carries
    the sorted permission names; a failed lookup rolls back the session and
    answers with not-found.
    """
    user = ar.get_user_matchdict_checked_or_logged(request)
    service = ar.get_service_matchdict_checked(request)
    with_group_perms = asbool(ar.get_query_param(request, "inherit"))

    def fetch_permissions():
        return uu.get_user_service_permissions(
            service=service,
            user=user,
            request=request,
            inherit_groups_permissions=with_group_perms,
        )

    perms = ax.evaluate_call(
        fetch_permissions,
        fallback=lambda: request.db.rollback(),
        httpError=HTTPNotFound,
        msgOnFail=s.UserServicePermissions_GET_NotFoundResponseSchema.description,
        content={
            u"service_name": str(service.resource_name),
            u"user_name": str(user.user_name),
        })
    permission_names = sorted(perm.value for perm in perms)
    return ax.valid_http(
        httpSuccess=HTTPOk,
        detail=s.UserServicePermissions_GET_OkResponseSchema.description,
        content={u"permission_names": permission_names})
def assign_user_group_view(request):
    """
    Assign a user to a group.

    The target group is resolved from the ``group_name`` body field: a lookup
    failure is answered with forbidden (after rolling back the session) and a
    missing group with not-found. Membership creation itself is delegated to
    ``uu.assign_user_group``.
    """
    user = ar.get_user_matchdict_checked_or_logged(request)
    group_name = ar.get_value_multiformat_body_checked(request, "group_name")
    session = request.db

    def lookup_group():
        return GroupService.by_group_name(group_name, db_session=session)

    group = ax.evaluate_call(
        lookup_group,
        fallback=lambda: session.rollback(),
        http_error=HTTPForbidden,
        msg_on_fail=s.UserGroups_POST_ForbiddenResponseSchema.description)
    ax.verify_param(
        group,
        not_none=True,
        http_error=HTTPNotFound,
        msg_on_fail=s.UserGroups_POST_GroupNotFoundResponseSchema.description)
    uu.assign_user_group(user, group, db_session=session)
    return ax.valid_http(
        http_success=HTTPCreated,
        detail=s.UserGroups_POST_CreatedResponseSchema.description,
        content={
            "user_name": user.user_name,
            "group_name": group.group_name,
        })
def get_user_view(request):
    """
    Get user information by name.

    The user is resolved from the matchdict (or the logged user) and
    serialized with ``uf.format_user`` under the ``user`` key.
    """
    user = ar.get_user_matchdict_checked_or_logged(request)
    user_json = uf.format_user(user)
    return ax.valid_http(
        http_success=HTTPOk,
        content={"user": user_json},
        detail=s.User_GET_OkResponseSchema.description)
def delete_user_resource_permissions_view(request):
    """
    Delete a permission from a specific resource for a user (not including his groups permissions).

    The permission to remove is read from the request body and validated
    against the resolved resource before delegating to the user utilities.
    """
    user = ar.get_user_matchdict_checked_or_logged(request)
    resource = ar.get_resource_matchdict_checked(request)
    permission = ar.get_permission_multiformat_body_checked(request, resource)
    response_args = (user, resource, permission, request.db)
    return uu.delete_user_resource_permission_response(*response_args)
def delete_user_service_permission_name_view(request):
    """
    Delete a permission by name from a service for a user (not including his groups permissions).

    Unlike the body-based variant, the permission name comes from the URL
    matchdict and is validated against the resolved service.
    """
    user = ar.get_user_matchdict_checked_or_logged(request)
    service = ar.get_service_matchdict_checked(request)
    permission = ar.get_permission_matchdict_checked(request, service)
    response_args = (user, service, permission, request.db)
    return uu.delete_user_resource_permission_response(*response_args)
def get_user_groups_view(request):
    """
    List all groups a user belongs to.

    Group names are retrieved through ``uu.get_user_groups_checked`` and
    returned under the ``group_names`` key.
    """
    user = ar.get_user_matchdict_checked_or_logged(request)
    group_names = uu.get_user_groups_checked(user, request.db)
    response_body = {"group_names": group_names}
    return ax.valid_http(
        http_success=HTTPOk,
        content=response_body,
        detail=s.UserGroups_GET_OkResponseSchema.description)
def create_user_service_permission_view(request):
    """
    Create a permission on a service for a user.

    The permission is read from the POST body and validated against the
    resolved service before the creation is delegated to the user utilities.
    """
    user = ar.get_user_matchdict_checked_or_logged(request)
    service = ar.get_service_matchdict_checked(request)
    permission = ar.get_permission_multiformat_post_checked(request, service)
    response_args = (user, service, permission, request.db)
    return uu.create_user_resource_permission_response(*response_args)
def delete_user_resource_permission_view(request):
    """
    Delete a direct permission on a resource for a user (not including his groups permissions).

    The permission name comes from the URL matchdict and is validated against
    the resolved resource before delegating to the user utilities.
    """
    user = ar.get_user_matchdict_checked_or_logged(request)
    resource = ar.get_resource_matchdict_checked(request)
    permission = ar.get_permission_matchdict_checked(request, resource)
    response_args = (user, resource, permission, request.db)
    return uu.delete_user_resource_permission_response(*response_args)
def delete_user_group_view(request):
    """
    Removes a user from a group.

    Both the user and the group are resolved from the request's matchdict;
    the membership removal itself is delegated to ``uu.delete_user_group``.
    """
    user = ar.get_user_matchdict_checked_or_logged(request)
    group = ar.get_group_matchdict_checked(request)
    uu.delete_user_group(user, group, request.db)
    ok_detail = s.UserGroup_DELETE_OkResponseSchema.description
    return ax.valid_http(http_success=HTTPOk, detail=ok_detail)
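def delete_user_view(request):
    """
    Delete a user by name.

    The configured admin and anonymous accounts are reserved: a request to
    delete either of them is refused with a forbidden response before any
    database operation takes place. The deletion itself is wrapped so that a
    failure rolls back the session and is also reported as forbidden.
    """
    user = ar.get_user_matchdict_checked_or_logged(request)
    # Same guard as the user-update view: the special accounts the
    # application relies on must not be removable through this endpoint.
    reserved_user_names = [
        get_constant("MAGPIE_ADMIN_USER", request),
        get_constant("MAGPIE_ANONYMOUS_USER", request),
    ]
    ax.verify_param(
        user.user_name,
        paramCompare=reserved_user_names,
        notIn=True,
        httpError=HTTPForbidden,
        msgOnFail=s.User_DELETE_ForbiddenResponseSchema.description)
    ax.evaluate_call(
        lambda: request.db.delete(user),
        fallback=lambda: request.db.rollback(),
        httpError=HTTPForbidden,
        msgOnFail=s.User_DELETE_ForbiddenResponseSchema.description)
    return ax.valid_http(
        httpSuccess=HTTPOk,
        detail=s.User_DELETE_OkResponseSchema.description)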
def create_user_resource_permissions_view(request):
    """
    Create a permission on specific resource for a user.

    The permission is read from the request body and validated against the
    resolved resource. Creation is delegated with ``overwrite=False``, so an
    existing permission is not replaced by this view.
    """
    user = ar.get_user_matchdict_checked_or_logged(request)
    resource = ar.get_resource_matchdict_checked(request)
    permission = ar.get_permission_multiformat_body_checked(request, resource)
    response_args = (user, resource, permission, request.db)
    return uu.create_user_resource_permission_response(*response_args, overwrite=False)
def replace_user_service_permissions_view(request):
    """
    Create or modify an existing permission on a service for a user. Can be used to adjust permission modifiers.

    The permission is read from the request body and validated against the
    resolved service. Creation is delegated with ``overwrite=True`` so that an
    existing permission is replaced.
    """
    user = ar.get_user_matchdict_checked_or_logged(request)
    service = ar.get_service_matchdict_checked(request)
    permission = ar.get_permission_multiformat_body_checked(request, service)
    response_args = (user, service, permission, request.db)
    return uu.create_user_resource_permission_response(*response_args, overwrite=True)
def get_user_resource_permissions_view(request):
    """
    List all permissions a user has on a specific resource.

    Query flags: ``inherit`` includes permissions obtained through the user's
    groups and ``effective`` requests the effective permission resolution.
    The resource is resolved from the ``resource_id`` matchdict entry.
    """
    user = ar.get_user_matchdict_checked_or_logged(request)
    resource = ar.get_resource_matchdict_checked(request, "resource_id")
    options = {
        "inherit_groups_permissions": asbool(ar.get_query_param(request, "inherit")),
        "effective_permissions": asbool(ar.get_query_param(request, "effective")),
    }
    return uu.get_user_resource_permissions_response(user, resource, request, **options)
def get_user_resources_view(request):
    """
    List all resources a user has permissions on.

    Every service is visited and grouped by its type; for each one the user's
    service-level and resource-level permissions are resolved (including group
    permissions when the ``inherit`` query parameter is set) and formatted.
    A failure while building the tree rolls back the session and produces a
    not-found response.
    """
    with_group_perms = asbool(ar.get_query_param(request, "inherit"))
    user = ar.get_user_matchdict_checked_or_logged(request)
    session = request.db

    def describe_service(usr, svc):
        # Resolve both permission levels for one service and format them.
        svc_perms = uu.get_user_service_permissions(
            user=usr,
            service=svc,
            request=request,
            inherit_groups_permissions=with_group_perms)
        res_perms = uu.get_user_service_resources_permissions_dict(
            user=usr,
            service=svc,
            request=request,
            inherit_groups_permissions=with_group_perms)
        return format_service_resources(
            svc,
            db_session=session,
            service_perms=svc_perms,
            resources_perms_dict=res_perms,
            show_all_children=False,
            show_private_url=False,
        )

    def build_json_user_resource_tree(usr):
        tree = {}
        for svc in ResourceService.all(models.Service, db_session=session):
            # group services by type, creating the bucket on first sight
            tree.setdefault(svc.type, {})[svc.resource_name] = describe_service(usr, svc)
        return tree

    usr_res_dict = ax.evaluate_call(
        lambda: build_json_user_resource_tree(user),
        fallback=lambda: session.rollback(),
        httpError=HTTPNotFound,
        msgOnFail=s.UserResources_GET_NotFoundResponseSchema.description,
        content={
            u"user_name": user.user_name,
            u"resource_types": [models.Service.resource_type_name],
        })
    return ax.valid_http(
        httpSuccess=HTTPOk,
        content={u"resources": usr_res_dict},
        detail=s.UserResources_GET_OkResponseSchema.description)
def assign_user_group_view(request):
    """
    Assign a user to a group.

    Steps, each of which aborts the request on failure: resolve the group
    named in the POST body (forbidden on lookup error, not-found when
    absent), refuse with a conflict if the user already belongs to the group,
    then persist the new ``UserGroup`` row (forbidden if that fails). Every
    error and the success response echo the user and group names.
    """
    user = ar.get_user_matchdict_checked_or_logged(request)
    group_name = ar.get_value_multiformat_post_checked(request, "group_name")
    session = request.db

    def lookup_group():
        return GroupService.by_group_name(group_name, db_session=session)

    group = ax.evaluate_call(
        lookup_group,
        fallback=lambda: session.rollback(),
        httpError=HTTPForbidden,
        msgOnFail=s.UserGroups_POST_ForbiddenResponseSchema.description)
    ax.verify_param(
        group,
        notNone=True,
        httpError=HTTPNotFound,
        msgOnFail=s.UserGroups_POST_GroupNotFoundResponseSchema.description)

    def membership_details():
        # fresh dict each time so no consumer can affect another's content
        return {u"user_name": user.user_name, u"group_name": group.group_name}

    current_member_ids = [member.id for member in group.users]
    ax.verify_param(
        user.id,
        paramCompare=current_member_ids,
        notIn=True,
        httpError=HTTPConflict,
        content=membership_details(),
        msgOnFail=s.UserGroups_POST_ConflictResponseSchema.description)

    def add_membership():
        # noinspection PyArgumentList
        session.add(models.UserGroup(group_id=group.id, user_id=user.id))

    ax.evaluate_call(
        add_membership,
        fallback=lambda: session.rollback(),
        httpError=HTTPForbidden,
        msgOnFail=s.UserGroups_POST_RelationshipForbiddenResponseSchema.description,
        content=membership_details())
    return ax.valid_http(
        httpSuccess=HTTPCreated,
        detail=s.UserGroups_POST_CreatedResponseSchema.description,
        content=membership_details())
def get_user_services_view(request):
    """
    List all services a user has permissions on.

    Query flags forwarded to ``uu.get_user_services``: ``cascade`` (cascade
    through resources), ``inherit`` (include group permissions) and ``list``
    (format the result as a list instead of a mapping).
    """
    user = ar.get_user_matchdict_checked_or_logged(request)
    options = {
        "cascade_resources": asbool(ar.get_query_param(request, "cascade")),
        "inherit_groups_permissions": asbool(ar.get_query_param(request, "inherit")),
        "format_as_list": asbool(ar.get_query_param(request, "list")),
    }
    svc_json = uu.get_user_services(user, request=request, **options)
    return ax.valid_http(
        httpSuccess=HTTPOk,
        content={u"services": svc_json},
        detail=s.UserServices_GET_OkResponseSchema.description)
def delete_user_view(request):
    """
    Delete a user by name.

    The configured admin and anonymous accounts are reserved and refused with
    a forbidden response before any deletion is attempted; the parameter is
    kept out of that response so the reserved names are not echoed back. A
    failed deletion rolls back the session and is also reported as forbidden.
    """
    user = ar.get_user_matchdict_checked_or_logged(request)
    reserved_names = [
        get_constant("MAGPIE_ADMIN_USER", request),
        get_constant("MAGPIE_ANONYMOUS_USER", request),
    ]
    forbidden_msg = s.User_DELETE_ForbiddenResponseSchema.description
    ax.verify_param(
        user.user_name,
        not_in=True,
        with_param=False,  # avoid leaking username details
        param_compare=reserved_names,
        http_error=HTTPForbidden,
        msg_on_fail=forbidden_msg)

    def remove_user():
        request.db.delete(user)

    ax.evaluate_call(
        remove_user,
        fallback=lambda: request.db.rollback(),
        http_error=HTTPForbidden,
        msg_on_fail=forbidden_msg)
    return ax.valid_http(
        http_success=HTTPOk,
        detail=s.User_DELETE_OkResponseSchema.description)
def update_user_view(request):
    """
    Update user information by user name.

    Reads optional ``user_name``, ``email`` and ``password`` fields from the
    request body (each defaulting to the user's current value), rejects the
    request when nothing would change, and applies the following checks in
    order before any attribute is modified:

    * a user-name change requires the requesting principal to be in the admin
      group;
    * neither the current nor the new user name may be one of the reserved
      admin / anonymous / logged-user names;
    * a new user name must pass ``uu.check_user_info`` and must not already be
      taken (conflict otherwise).

    Email and password are validated by ``uu.check_user_info`` right before
    being applied. A password change goes through ``UserService.set_password``
    and regenerates the user's security code.
    """
    user = ar.get_user_matchdict_checked_or_logged(request)
    new_user_name = ar.get_multiformat_body(request, "user_name", default=user.user_name)
    new_email = ar.get_multiformat_body(request, "email", default=user.email)
    # NOTE(review): the default is the stored ``user_password`` value (presumably a
    # hash), so any supplied plaintext password compares unequal and counts as an
    # update; only an omitted field leaves the password untouched — confirm.
    new_password = ar.get_multiformat_body(request, "password", default=user.user_password)
    update_username = user.user_name != new_user_name and new_user_name is not None
    update_password = user.user_password != new_password and new_password is not None
    update_email = user.email != new_email and new_email is not None
    ax.verify_param(
        any([update_username, update_password, update_email]),
        is_true=True,
        with_param=False,  # params are not useful in response for this case
        content={"user_name": user.user_name},
        http_error=HTTPBadRequest,
        msg_on_fail=s.User_PATCH_BadRequestResponseSchema.description)
    # user name change is admin-only operation
    if update_username:
        # NOTE(review): this get_constant call does not pass ``request`` as the
        # settings container, unlike the others in this view — confirm it resolves
        # the same value. Also assumes ``request.user`` is an authenticated user
        # here (the route presumably requires it) — confirm.
        ax.verify_param(
            get_constant("MAGPIE_ADMIN_GROUP"),
            is_in=True,
            param_compare=uu.get_user_groups_checked(request.user, request.db),
            with_param=False,
            http_error=HTTPForbidden,
            msg_on_fail=s.User_PATCH_ForbiddenResponseSchema.description)
    # logged user updating itself is forbidden if it corresponds to special users
    # cannot edit reserved keywords nor apply them to another user
    forbidden_user_names = [
        get_constant("MAGPIE_ADMIN_USER", request),
        get_constant("MAGPIE_ANONYMOUS_USER", request),
        get_constant("MAGPIE_LOGGED_USER", request),
    ]
    # the new name is only checked when it actually differs from the current one
    check_user_name_cases = [user.user_name, new_user_name] if update_username else [user.user_name]
    for check_user_name in check_user_name_cases:
        ax.verify_param(
            check_user_name,
            not_in=True,
            param_compare=forbidden_user_names,
            param_name="user_name",
            http_error=HTTPForbidden,
            content={"user_name": str(check_user_name)},
            msg_on_fail=s.User_PATCH_ForbiddenResponseSchema.description)
    if update_username:
        uu.check_user_info(user_name=new_user_name, check_email=False, check_password=False,
                           check_group=False)
        # uniqueness check: a lookup failure is forbidden, an existing user a conflict
        existing_user = ax.evaluate_call(
            lambda: UserService.by_user_name(new_user_name, db_session=request.db),
            fallback=lambda: request.db.rollback(),
            http_error=HTTPForbidden,
            msg_on_fail=s.User_PATCH_ForbiddenResponseSchema.description)
        ax.verify_param(
            existing_user,
            is_none=True,
            with_param=False,
            http_error=HTTPConflict,
            msg_on_fail=s.User_PATCH_ConflictResponseSchema.description)
        user.user_name = new_user_name
    if update_email:
        uu.check_user_info(email=new_email, check_name=False, check_password=False, check_group=False)
        user.email = new_email
    if update_password:
        uu.check_user_info(password=new_password, check_name=False, check_email=False, check_group=False)
        UserService.set_password(user, new_password)
        # NOTE(review): presumably invalidates credentials derived from the old
        # security code after a password change — confirm against UserService.
        UserService.regenerate_security_code(user)
    return ax.valid_http(http_success=HTTPOk, detail=s.Users_PATCH_OkResponseSchema.description)
def get_user_resources_view(request):
    """
    List all resources a user has permissions on.

    Query flags: ``inherit``/``inherited`` include permissions obtained
    through the user's groups, ``resolve``/``resolved`` request the resolved
    permission set and ``filter``/``filtered`` restrict the listing to
    services and resources the user actually has permissions on.

    The resulting tree is keyed by service type, then by service name. When
    the *requesting* principal belongs to the admin group and no filtering was
    requested, every service is described regardless of the target user's
    permissions; otherwise only services with at least one service-level or
    resource-level permission are included. A failure while building the tree
    rolls back the session and produces a not-found response.
    """
    inherit_groups_perms = asbool(ar.get_query_param(request, ["inherit", "inherited"]))
    resolve_groups_perms = asbool(ar.get_query_param(request, ["resolve", "resolved"]))
    filtered_perms = asbool(ar.get_query_param(request, ["filter", "filtered"]))
    user = ar.get_user_matchdict_checked_or_logged(request)
    db = request.db

    # skip admin-only full listing of resources if filtered view is requested
    # (admin status is that of the requesting principal, not of the target user)
    is_admin = False
    if not filtered_perms and request.user is not None:
        admin_group = get_constant("MAGPIE_ADMIN_GROUP", settings_container=request)
        is_admin = admin_group in [group.group_name for group in request.user.groups]

    def build_json_user_resource_tree(usr):
        json_res = {}
        perm_type = PermissionType.INHERITED if inherit_groups_perms else PermissionType.DIRECT
        services = ResourceService.all(models.Service, db_session=db)
        # add service-types so they are ordered and listed if no service of that type was defined
        # NOTE(review): assumes every service's ``type`` is a key of SERVICE_TYPE_DICT;
        # otherwise the indexing below raises and evaluate_call turns it into not-found.
        for svc_type in sorted(SERVICE_TYPE_DICT):
            json_res[svc_type] = {}
        for svc in services:
            svc_perms = uu.get_user_service_permissions(
                user=usr,
                service=svc,
                request=request,
                inherit_groups_permissions=inherit_groups_perms,
                resolve_groups_permissions=resolve_groups_perms)
            res_perms_dict = uu.get_user_service_resources_permissions_dict(
                user=usr,
                service=svc,
                request=request,
                inherit_groups_permissions=inherit_groups_perms,
                resolve_groups_permissions=resolve_groups_perms)
            # always allow admin to view full resource tree, unless explicitly requested to be filtered
            # otherwise (non-admin), only add details if there is at least one resource permission (any level)
            # (``is_admin`` is already False whenever ``filtered_perms`` is set, see above)
            if (is_admin and not filtered_perms) or (svc_perms or res_perms_dict):
                json_res[svc.type][svc.resource_name] = format_service_resources(
                    svc,
                    db_session=db,
                    service_perms=svc_perms,
                    resources_perms_dict=res_perms_dict,
                    permission_type=perm_type,
                    show_all_children=False,
                    show_private_url=False,
                )
        return json_res

    usr_res_dict = ax.evaluate_call(
        lambda: build_json_user_resource_tree(user),
        fallback=lambda: db.rollback(),
        http_error=HTTPNotFound,
        msg_on_fail=s.UserResources_GET_NotFoundResponseSchema.description,
        content={
            "user_name": user.user_name,
            "resource_types": [models.Service.resource_type_name]
        })
    return ax.valid_http(
        http_success=HTTPOk,
        content={"resources": usr_res_dict},
        detail=s.UserResources_GET_OkResponseSchema.description)