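def api_key_edit(key_id):
    """Show or update the label and ACL of one of the current user's API keys.

    GET pre-fills the form from the stored key and renders the edit pane.
    POST validates the submitted form and, only when validation succeeds,
    stores the new label and ACL and redirects back to this page. A POST
    that fails validation re-renders the pane and changes nothing.

    Aborts with 401 when the key does not exist or is not owned by
    ``current_user``; both cases get the same answer, so the response does
    not reveal whether a given key id exists.
    """
    key = ApiKey.objects(id=key_id).first()
    if key is None or current_user != key.owner:
        abort(401)

    form = ApiKeyEditForm()
    # Offer only the access tokens this user may grant: a token that names a
    # "permission" is left out unless the user holds that permission.
    form.acl.choices = [
        (access_token.get("token"), access_token.get("token"))
        for access_token in access_tokens.values()
        if not access_token.get("permission")
        or current_user.has_permission(access_token.get("permission"))
    ]

    def render_pane():
        # Shared by the GET path and the failed-validation path.
        return render_template(
            'api_settings_edit_pane.html',
            settings_panels_structure=settings_panels_structure,
            form=form,
            key=key,
            title="Edit - API Keys - Developer - Settings")

    if request.method == "GET":
        form.label.data = key.label
        form.acl.data = key.access
        return render_pane()
    elif request.method == "POST":
        # The result of validate() must gate the save. The form class is not
        # shown here, but validation is presumably what checks the submitted
        # ACL against the filtered choices above (and any CSRF token);
        # ignoring it would let a request store access tokens the user was
        # never offered.
        if not form.validate():
            return render_pane()

        key.label = form.label.data
        key.access = form.acl.data
        key.save()

        return redirect(url_for('api.api_key_edit', key_id=key_id))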
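def api_key_edit(key_id):
    """Render the edit pane for an API key (GET) or save its label/ACL (POST).

    Only the key's owner may use this view: a missing key and a key owned
    by someone else both abort with 401. On POST the new label and ACL are
    written only if the form validates; otherwise the pane is rendered
    again with the submitted form and the stored key is left untouched.
    """
    key = ApiKey.objects(id=key_id).first()
    if key is None or current_user != key.owner:
        abort(401)

    form = ApiKeyEditForm()
    form.acl.choices = list()
    for access_token in access_tokens.values():
        required = access_token.get("permission")
        # Tokens guarded by a permission are only offered to users who hold it.
        if required and not current_user.has_permission(required):
            continue
        form.acl.choices.append((access_token.get("token"), access_token.get("token")))

    if request.method == "GET":
        form.label.data = key.label
        form.acl.data = key.access
    elif request.method == "POST":
        # Saving without checking validate() would accept any submitted ACL
        # value, including tokens filtered out of the choices above. The form
        # definition is not visible here; this assumes validation enforces
        # the choices list (and CSRF, if the form carries a token).
        if form.validate():
            key.label = form.label.data
            key.access = form.acl.data
            key.save()

            return redirect(url_for('api.api_key_edit', key_id=key_id))
    else:
        # Other methods keep the original behaviour of returning nothing.
        return None

    # Reached on GET, and on POST when validation failed.
    return render_template('api_settings_edit_pane.html', settings_panels_structure=settings_panels_structure, form=form, key=key, title="Edit - API Keys - Developer - Settings")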
def api_key_delete(key_id):
    """Delete one of the current user's API keys and return to the key list.

    Aborts with 401 when no key has this id or when the key belongs to a
    different user, so both cases look the same to the caller.
    """
    api_key = ApiKey.objects(id=key_id).first()

    # Ownership is checked on the server for every request; the id in the URL
    # alone never authorises the deletion.
    if api_key is None:
        abort(401)
    if current_user != api_key.owner:
        abort(401)

    # NOTE(review): the route registration is not visible here; a destructive
    # view like this should only be reachable by POST with CSRF protection.
    # Confirm against the blueprint.
    api_key.delete()
    flash("Key has been deleted.", category="success")

    return redirect(url_for('api.api_key_settings_pane'))
def api_key_delete(key_id):
    """Remove an API key owned by the current user, then redirect to the pane.

    A missing key and a key owned by someone else are both answered with 401.
    """
    found = ApiKey.objects(id=key_id).first()
    owned_by_caller = found is not None and current_user == found.owner
    if not owned_by_caller:
        # Same response for "no such key" and "not your key".
        abort(401)

    # NOTE(review): which HTTP methods reach this view is decided by the route
    # decorator, which is not shown. Verify it is not a plain GET.
    found.delete()
    flash("Key has been deleted.", category="success")

    target = url_for('api.api_key_settings_pane')
    return redirect(target)
def api_key_settings_pane():
    """Render the API-key settings pane for the current user.

    The key query is filtered by ``owner``, so the pane only ever lists keys
    that belong to ``current_user``.
    """
    add_form = AddApiKeyForm(request.form)
    delete_form = DelApiKeyForm(request.form)
    owned_keys = ApiKey.objects(owner=current_user.to_dbref())

    context = {
        "settings_panels_structure": settings_panels_structure,
        "keys": owned_keys,
        "apikey_add_form": add_form,
        "apikey_del_form": delete_form,
        "title": "API Keys - Developer - Settings",
    }
    return render_template('api_settings_pane.html', **context)
Exemplo n.º 6
        def wrap(*args, **kwargs):
            """Authorise the request, set its API identity, then call ``func``.

            A request passes either because ``allow_user_permission`` is set
            and ``_check_user_permission`` accepts ``current_user``, or because
            the ``ApiKey`` header names a stored key whose ``access`` list
            contains every entry of ``required_access_tokens``. Every refusal
            is returned as an error dict together with status 403.

            On the API-key path ``request.api_user_method``,
            ``request.api_user`` and ``request.api_user_name`` are set (plus
            ``request.api_player`` for ``AsPlayer``) before ``func`` runs.
            """

            def deny(message, identifier):
                # All refusals share one error envelope and HTTP 403.
                return {'error': [{'message': message, 'identifier': identifier}]}, 403

            # Logged-in user path. NOTE(review): this returns before any
            # request.api_user* attribute is set, and it authenticates through
            # current_user rather than a key; confirm the wrapped handlers do
            # not rely on those attributes and that state-changing endpoints
            # reached this way are covered by CSRF protection.
            if allow_user_permission and _check_user_permission(required_access_tokens, current_user):
                return func(*args, **kwargs)

            # A missing header and an unknown key get the same answer.
            # NOTE(review): the lookup matches the raw header value, which
            # suggests keys are stored unhashed; confirm.
            try:
                key = ApiKey.objects(key=request.headers['ApiKey']).first()
            except KeyError:
                key = None
            if key is None:
                return deny("no/invalid ApiKey header provided", "apikey_not_provided")

            # The key must carry every access token the endpoint requires.
            for access in required_access_tokens:
                if access not in key.access:
                    return deny("api key doesn't have access to '%s'" % access, "permission#%s" % access)

            headers = request.headers
            wants_user = 'AsUser' in headers
            wants_player = 'AsPlayer' in headers

            # No impersonation header: the request acts as the key's owner.
            if not (wants_user or wants_player):
                request.api_user_method = 'key_owner'
                request.api_user = key.owner
                request.api_user_name = key.owner.name
                return func(*args, **kwargs)

            # Acting as someone else is gated on its own access token.
            if 'api.as_user' not in key.access:
                return deny("api key doesn't have access to 'api.as_user', required for using the AsUser and AsPlayer headers", "permission#api.as_user")

            if wants_user:
                # AsUser takes precedence when both headers are sent.
                username = headers['AsUser']

                user = User.get_user_by_name(username)
                if user is None and asuser_must_be_registered:
                    return deny("the user specified in the AsUser header wasn't found", "asuser_not_found")

                # When registration is not required, api_user may be None and
                # api_user_name is the caller-supplied header value.
                request.api_user_method = 'as_user'
                request.api_user = user
                request.api_user_name = username
            else:
                uuid = headers['AsPlayer']

                player = MinecraftPlayer.find_player(uuid)
                if player is None:
                    return deny("player uuid specified in AsPlayer header is not registered in database (has not logged in?)", "player_uuid_not_found")

                user = User.get_user_by_uuid(player)
                if user is None and asuser_must_be_registered:
                    return deny("the uuid specified in the AsPlayer field is not owned by a website user", "asuser_not_found")

                request.api_user_method = 'as_player'
                request.api_user = user
                request.api_user_name = user.name if user is not None else None
                request.api_player = player

            return func(*args, **kwargs)
def api_key_settings_pane():
    """Show the settings pane that lists the current user's API keys.

    Builds the add and delete forms from ``request.form`` and queries only
    the keys whose ``owner`` is the current user.
    """
    apikey_add_form = AddApiKeyForm(request.form)
    apikey_del_form = DelApiKeyForm(request.form)

    # Scope the listing to the caller's own keys.
    owner_ref = current_user.to_dbref()
    keys = ApiKey.objects(owner=owner_ref)

    return render_template(
        'api_settings_pane.html',
        settings_panels_structure=settings_panels_structure,
        keys=keys,
        apikey_add_form=apikey_add_form,
        apikey_del_form=apikey_del_form,
        title="API Keys - Developer - Settings",
    )
Exemplo n.º 8
        def wrap(*args, **kwargs):
            """Check the caller's credentials before running ``func``.

            Order of checks: an optional user-permission shortcut, then the
            ``ApiKey`` header, then the key's access tokens, then the optional
            ``AsUser`` / ``AsPlayer`` impersonation headers. A failed check
            returns an error dict with status 403 and ``func`` is not called.
            """

            def _refuse(message, identifier):
                # One place builds the error body so every refusal has the
                # same shape and status code.
                body = {'error': [{'message': message, 'identifier': identifier}]}
                return body, 403

            # Shortcut for a user whose own permissions satisfy the endpoint.
            # NOTE(review): no API key is involved on this path and none of
            # the request.api_* attributes below are set; verify callers.
            user_allowed = allow_user_permission and _check_user_permission(
                required_access_tokens, current_user)
            if user_allowed:
                return func(*args, **kwargs)

            # Resolve the API key. An absent header and an unknown key value
            # are indistinguishable to the caller.
            try:
                supplied_key = request.headers['ApiKey']
                key = ApiKey.objects(key=supplied_key).first()
            except KeyError:
                return _refuse("no/invalid ApiKey header provided",
                               "apikey_not_provided")
            if key is None:
                return _refuse("no/invalid ApiKey header provided",
                               "apikey_not_provided")

            # Every required token must be present on the key.
            for access in required_access_tokens:
                if access in key.access:
                    continue
                return _refuse("api key doesn't have access to '%s'" % access,
                               "permission#%s" % access)

            impersonating = ('AsUser' in request.headers
                             or 'AsPlayer' in request.headers)
            if impersonating:
                # Impersonation needs its own token on top of the endpoint's.
                # NOTE(review): nothing here records which key acted as which
                # user; consider audit logging at this point.
                if 'api.as_user' not in key.access:
                    return _refuse(
                        "api key doesn't have access to 'api.as_user', required for using the AsUser and AsPlayer headers",
                        "permission#api.as_user")

                if 'AsUser' in request.headers:
                    username = request.headers['AsUser']

                    # Look the named user up; a miss is only fatal when the
                    # endpoint insists on a registered user.
                    user = User.get_user_by_name(username)
                    if asuser_must_be_registered and user is None:
                        return _refuse(
                            "the user specified in the AsUser header wasn't found",
                            "asuser_not_found")

                    request.api_user_method = 'as_user'
                    request.api_user = user
                    request.api_user_name = username
                elif 'AsPlayer' in request.headers:
                    uuid = request.headers['AsPlayer']

                    # The player must already be known to the database.
                    player = MinecraftPlayer.find_player(uuid)
                    if player is None:
                        return _refuse(
                            "player uuid specified in AsPlayer header is not registered in database (has not logged in?)",
                            "player_uuid_not_found")

                    user = User.get_user_by_uuid(player)
                    if asuser_must_be_registered and user is None:
                        return _refuse(
                            "the uuid specified in the AsPlayer field is not owned by a website user",
                            "asuser_not_found")

                    request.api_user_method = 'as_player'
                    request.api_user = user
                    if user is not None:
                        request.api_user_name = user.name
                    else:
                        request.api_user_name = None
                    request.api_player = player
            else:
                # Plain key use: the request runs as the key's owner.
                owner = key.owner
                request.api_user_method = 'key_owner'
                request.api_user = owner
                request.api_user_name = owner.name

            return func(*args, **kwargs)