def password_reset_confirmation(self):
if self.request.GET and self.request.GET.get('key'):
try:
user = User.get_by_auth_token(self.request.GET.get('key'))
data = {'email': user.email}
UserModel().reset_password(data)
self.session.flash(
_('Your password reset was successful, '
'a new password has been sent to your email'),
queue='success')
except Exception as e:
log.error(e)
return HTTPFound(self.request.route_path('reset_password'))
return HTTPFound(self.request.route_path('login'))
def request_view(request):
"""
Main request handling method. It handles all logic to call a specific
exposed method
"""
# check if we can find this session using api_key, get_by_auth_token
# search not expired tokens only
try:
u = User.get_by_auth_token(request.rpc_api_key)
if u is None:
return jsonrpc_error(request,
retid=request.rpc_id,
message='Invalid API KEY')
if not u.active:
return jsonrpc_error(request,
retid=request.rpc_id,
message='Request from this user not allowed')
# check if we are allowed to use this IP
auth_u = AuthUser(u.user_id,
request.rpc_api_key,
ip_addr=request.rpc_ip_addr)
if not auth_u.ip_allowed:
return jsonrpc_error(request,
retid=request.rpc_id,
message='Request from IP:%s not allowed' %
(request.rpc_ip_addr, ))
else:
log.info('Access for IP:%s allowed' % (request.rpc_ip_addr, ))
# now check if token is valid for API
role = UserApiKeys.ROLE_API
extra_auth_tokens = [
x.api_key for x in User.extra_valid_auth_tokens(u, role=role)
]
active_tokens = [u.api_key] + extra_auth_tokens
log.debug('Checking if API key has proper role')
if request.rpc_api_key not in active_tokens:
return jsonrpc_error(
request,
retid=request.rpc_id,
message='API KEY has bad role for an API call')
except Exception as e:
log.exception('Error on API AUTH')
return jsonrpc_error(request,
retid=request.rpc_id,
message='Invalid API KEY')
method = request.rpc_method
func = request.registry.jsonrpc_methods[method]
# now that we have a method, add request._req_params to
# self.kargs and dispatch control to WGIController
argspec = inspect.getargspec(func)
arglist = argspec[0]
defaults = map(type, argspec[3] or [])
default_empty = types.NotImplementedType
# kw arguments required by this method
func_kwargs = dict(
itertools.izip_longest(reversed(arglist),
reversed(defaults),
fillvalue=default_empty))
# This attribute will need to be first param of a method that uses
# api_key, which is translated to instance of user at that name
user_var = 'apiuser'
request_var = 'request'
for arg in [user_var, request_var]:
if arg not in arglist:
return jsonrpc_error(request,
retid=request.rpc_id,
message='This method [%s] does not support '
'required parameter `%s`' %
(func.__name__, arg))
# get our arglist and check if we provided them as args
for arg, default in func_kwargs.items():
if arg in [user_var, request_var]:
# user_var and request_var are pre-hardcoded parameters and we
# don't need to do any translation
continue
# skip the required param check if it's default value is
# NotImplementedType (default_empty)
if default == default_empty and arg not in request.rpc_params:
return jsonrpc_error(
request,
retid=request.rpc_id,
message=('Missing non optional `%s` arg in JSON DATA' % arg))
# sanitze extra passed arguments
for k in request.rpc_params.keys()[:]:
if k not in func_kwargs:
del request.rpc_params[k]
call_params = request.rpc_params
call_params.update({'request': request, 'apiuser': auth_u})
try:
ret_value = func(**call_params)
return jsonrpc_response(request, ret_value)
except JSONRPCBaseError:
raise
except Exception:
log.exception('Unhandled exception occured on api call: %s', func)
return jsonrpc_error(request,
retid=request.rpc_id,
message='Internal server error')
def get_by_auth_token(self, auth_token, cache=False):
return User.get_by_auth_token(auth_token, cache)
def set_active(active):
from rhodecode.model.db import Session, User
user = User.get_by_auth_token(self.apikey)
user.active = active
Session().add(user)
Session().commit()
