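def edit_user(user_id=-1):
    """Render or process the profile-edit form for a user.

    On a valid POST the target user is taken from the form's ``user_id``
    field (the route's ``user_id`` only pre-fills the GET view).  The change
    is applied only when the requester is that user or a logged-in
    administrator; otherwise the requester is redirected with a message.

    Returns a redirect on POST, or the rendered ``edit_user.html`` template.
    """
    user_form = EditUserForm()
    if user_form.validate_on_submit():
        try:
            user = Users.get(user_form.user_id.data)
        except SQLObjectNotFound:
            flash("No user found by that ID")
            return redirect(url_for('list_users'))

        # Authorisation must be decided on the *requester*, not the target:
        # the original read ``user.admin`` of the profile being edited, so
        # anyone -- logged in or not -- could rewrite an admin's account.
        requester = None
        session_uid = session.get('user_id')
        if session_uid is not None:
            try:
                requester = Users.get(session_uid)
            except SQLObjectNotFound:
                requester = None

        if requester is not None and (user.id == requester.id or requester.admin):
            user.first_name = user_form.first_name.data
            user.last_name = user_form.last_name.data
            user.email = user_form.email.data
            user.alias = user_form.alias.data
            user.last_modified = datetime.now()
            # Avatar is optional: an unknown URL leaves the current one alone.
            try:
                avatar = list(Image.select(Image.q.url == user_form.avatar.data))[0]
            except (SQLObjectNotFound, IndexError):
                pass
            else:
                user.avatar = avatar
            flash("%s %s has been updated" % (user.first_name, user.last_name))
            return redirect(url_for('list_users'))

        flash("Sorry, you're not allowed to do that")
        return redirect(url_for('edit_user', user_id=user.id))

    # GET (or invalid POST): pre-fill with the requested user, or blanks when
    # the id is unknown.  The original used ``finally: return``, which
    # silently swallowed every other exception raised in the block.
    try:
        user = Users.get(user_id)
    except SQLObjectNotFound:
        user = {'first_name': '', 'last_name': '', 'email': '', 'password': '', 'avatar': ''}
    return render_template('edit_user.html', data={'form': user_form, 'user': user})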
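def change_password(user_id=0):
    """Render or process the change-password form for ``user_id``.

    A valid POST is accepted only when ``user_id`` equals the session's
    logged-in user id; the new password is stored via ``generate_password``.

    Returns a redirect on POST, or the rendered ``change_password.html``
    template on GET.  Both paths redirect to ``list_users`` for an unknown id.
    """
    pass_form = ChangePasswordForm()
    if pass_form.validate_on_submit():
        logged_in_as = session.get('user_id')
        # Ownership check; an anonymous session (None) never matches an id.
        if user_id != logged_in_as:
            flash("You can only change your own password!")
            return redirect(url_for('list_entries'))
        try:
            user = Users.get(user_id)
        except SQLObjectNotFound:
            flash("You must provide a user ID")
            return redirect(url_for('list_users'))
        # NOTE(review): the current password is not re-verified here; whether
        # ChangePasswordForm does so is not visible from this file -- confirm.
        user.password = generate_password(pass_form.password.data)
        flash("Password successfully changed")
        return redirect(url_for('edit_user', user_id=user.id))

    # GET: the original caught ``SQLNotFoundError``, a name that does not
    # exist here, so a missing user raised NameError instead of redirecting.
    try:
        user = Users.get(user_id)
    except SQLObjectNotFound:
        flash("You must provide a user ID")
        return redirect(url_for('list_users'))
    return render_template('change_password.html', data={'form': pass_form, 'user_id': user.id})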
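def list_users(user_id=0):
    """Render ``list_users.html`` with either one user or every user.

    When ``user_id`` is non-zero only that user is listed; an unknown id
    renders the template with a flashed message and no ``data``.  With the
    default ``0`` every row of ``Users`` is listed.
    """
    if user_id:
        try:
            # ``Users.get`` yields a single record; the original wrapped it
            # in ``list(...)``, which only works if the record is iterable.
            users = [Users.get(user_id)]
        except SQLObjectNotFound:
            flash("No user found by that ID")
            return render_template('list_users.html')
    else:
        users = list(Users.select())
    return render_template('list_users.html', data={'users': users})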
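def admin(*args, **kwargs):
    """Decorator wrapper: run ``callback`` only for a logged-in administrator.

    ``callback`` is a free variable bound by the enclosing decorator (not
    visible here).  Anonymous sessions and non-admins are redirected to
    ``list_entries`` with a flashed message.
    """
    # Resolve the session user outside the call to ``callback``: the
    # original's try also wrapped the wrapped view, so a SQLObjectNotFound
    # raised *inside* the view was reported as "not logged in".
    user = None
    session_uid = session.get('user_id')
    if session_uid is not None:
        try:
            user = Users.get(session_uid)
        except SQLObjectNotFound:
            user = None
    if user is None:
        flash("You're not even logged in")
        return redirect(url_for('list_entries'))
    if not user.admin:
        flash("Admins only")
        return redirect(url_for('list_entries'))
    return callback(*args, **kwargs)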
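def login():
    """Render the login form and establish a session on a valid submission.

    Looks the user up by the form's ``user_id`` field, records ``last_login``
    and stores ``logged_in`` / ``user_id`` in the session.

    NOTE(review): no credential is checked in this view; authentication rests
    entirely on whatever ``LoginForm.validate_on_submit()`` verifies, which is
    not visible here.  Confirm the form validates the password -- otherwise
    knowing an existing user id is enough to log in as that user.
    """
    error = None
    login_form = LoginForm()
    if login_form.validate_on_submit():
        try:
            u_req = Users.get(login_form.user_id.data)
        except SQLObjectNotFound:
            # The original let this propagate as a server error; an unknown
            # id is an ordinary failed login, so re-render with an error.
            error = "Invalid login"
        else:
            u_req.last_login = datetime.now()
            session['logged_in'] = True
            session['user_id'] = u_req.id
            flash('You were logged in')
            return redirect(url_for('list_entries'))
    return render_template('login.html', data={"form": login_form, "error": error})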
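def has_permission(permission_type, obj, user_id):
    """Return True when user ``user_id`` is granted access to ``obj``, else False.

    A ``Permission`` row applies when its ``object_type`` equals ``obj``'s
    class name and its ``object_id`` equals ``obj.id``.  The user is granted
    if listed on such a row directly (``perm.user``) or via any of their
    roles (``perm.role``).

    NOTE(review): ``permission_type`` is accepted but, as in the original,
    never consulted -- no column to filter on is visible here; confirm
    against the Permission model.

    Unlike the original this never returns a redirect: a predicate that
    returns a (truthy) Response for "not logged in" passes every
    ``if has_permission(...)`` check.  The original also referenced ``user``,
    ``permission`` and ``rol``, none of which were bound, so it could not
    run past the lookup.
    """
    try:
        user = Users.get(user_id)
    except SQLObjectNotFound:
        flash("You must be logged in to access this page")
        return False

    obj_type = obj.__class__.__name__
    matches = Permission.select(AND(Permission.q.object_type == obj_type,
                                    Permission.q.object_id == obj.id))
    user_roles = list(user.role)
    # ``select`` returns a result set, not one row; check each matching row.
    for perm in matches:
        if user in perm.user:
            return True
        if any(r in perm.role for r in user_roles):
            return True
    return False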
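def role(*args, **kwargs):
    """Decorator wrapper: run ``callback`` only if the session user holds the
    role named ``role_name``.

    ``callback`` and ``role_name`` are free variables bound by the enclosing
    decorator (not visible here).  An unknown role, an anonymous session, or
    a user lacking the role flashes a message and redirects to
    ``list_entries``.
    """
    error = False
    message = "Unauthorized access"
    uid = session.get('user_id')

    required = None
    try:
        required = list(Role.select(Role.q.name == role_name))[0]
    except (SQLObjectNotFound, ValueError, IndexError):
        error = True
        message = "Role %s is not a valid role" % role_name

    # The original looked up ``user_id``, a name this wrapper never binds;
    # ``uid`` from the session is the id it actually read.
    user = None
    if uid is not None:
        try:
            user = Users.get(uid)
        except SQLObjectNotFound:
            user = None
    if user is None:
        error = True
        message = "Sorry, you are not permitted to access this"

    # The original never compared the user with the role -- fetching both was
    # the whole check, so every logged-in user passed.  Enforce membership
    # (``user.role`` is the user's role collection, as used by has_permission).
    if not error and required not in user.role:
        error = True
        message = "Unauthorized access"

    if error:
        flash(message)
        return redirect(url_for('list_entries'))
    return callback(*args, **kwargs)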