Пример #1
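    def put(self, user_id):
        """Reset the password of the user identified by ``user_id``.

        Accepts an optional ``password`` argument; when it is absent or empty a
        new password is generated and handed back to the caller in the
        response. Only the user themselves or a holder of ``ROLE_ADMIN`` may
        perform the reset, and users of a read-only auth system are refused.

        Args:
            user_id: Identifier of the user whose password is being reset.

        Returns:
            A ``self.make_response`` result: 404 when the user does not exist,
            403 when the caller is not allowed or the auth system is read-only,
            otherwise 200 with the user's JSON and ``newPassword`` (the
            generated password, or ``None`` when the caller supplied one).
        """
        self.reqparse.add_argument('password', type=str, required=False)
        args = self.reqparse.parse_args()

        # Never write the plaintext password into the audit trail; record only
        # that one was supplied.
        audit_data = dict(args)
        if audit_data.get('password'):
            audit_data['password'] = '<redacted>'
        AuditLog.log('user.passwordReset', session['user'].username, audit_data)

        user = User.query.filter(User.user_id == user_id).first()
        if not user:
            return self.make_response('User not found', HTTP.NOT_FOUND)

        caller = session['user']
        # Non-admins may only reset their own password.
        if ROLE_ADMIN not in caller.roles and user_id != caller.user_id:
            self.log.warning(
                '{} tried to change the password for another user'.format(
                    caller.user_id))
            return self.make_response(
                'You cannot change other users passwords', HTTP.FORBIDDEN)

        authsys = current_app.available_auth_systems[user.auth_system]
        if authsys.readonly:
            return self.make_response(
                'You cannot reset passwords for the {} based users'.format(
                    authsys.name), HTTP.FORBIDDEN)

        # An empty or missing password means "generate one for me".
        new_pass = args['password'] or generate_password()

        user.password = hash_password(new_pass)
        db.session.add(user)
        db.session.commit()

        # Only a generated password is echoed back; a caller-supplied one is
        # already known to the caller and must not be repeated in the response.
        return self.make_response(
            {
                'user': user.to_json(),
                'newPassword': new_pass if not args['password'] else None
            }, HTTP.OK)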
Пример #2
    def bootstrap(self):
        """Make sure the built-in local admin account exists.

        Looks for a user named ``admin`` that belongs to this auth system. When
        none is found, one is created with a freshly generated password and the
        ``ROLE_ADMIN`` and ``ROLE_USER`` roles, and the generated password is
        written to the log at ERROR level. When the account already exists
        nothing is changed.
        """
        existing = db.User.find_one(User.username == 'admin',
                                    User.auth_system == self.name)
        if existing:
            self.log.debug('Local Auth admin user already exists, skipping')
            return

        role_names = (ROLE_ADMIN, ROLE_USER)
        roles = db.Role.filter(Role.name.in_(role_names)).all()
        initial_password = generate_password()

        account = User()
        account.username = '******'
        account.auth_system = self.name
        account.password = hash_password(initial_password)
        db.session.add(account)
        db.session.commit()
        # Refresh so the persisted identity is available before roles are attached.
        db.session.refresh(account)
        User.add_role(account, roles)

        # NOTE(review): the plaintext initial password is emitted to the log, so
        # anyone who can read the logs (or a log aggregator) can read it; treat
        # this credential as exposed and rotate it on first login.
        self.log.error(
            'Created admin account for local authentication, username: admin, password: {}'
            .format(initial_password))
Пример #3
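    def post(self):
        """Create a new user.

        Request arguments: ``username`` and ``authSystem`` (required), an
        optional ``password`` (one is generated when omitted or empty) and zero
        or more ``roles``. An existing user, an unknown or read-only auth system
        and an unknown role are rejected with 400; granting ``ROLE_ADMIN``
        requires the caller to hold that role, otherwise 403.

        Returns:
            A ``self.make_response`` result. On success the body carries a
            confirmation message, the created user and ``password`` (the
            generated password, or ``None`` when the caller supplied one).
        """
        self.reqparse.add_argument('username', type=str, required=True)
        self.reqparse.add_argument('authSystem', type=str, required=True)
        self.reqparse.add_argument('password',
                                   type=str,
                                   required=False,
                                   default=None)
        self.reqparse.add_argument('roles',
                                   type=str,
                                   action='append',
                                   default=[])
        args = self.reqparse.parse_args()

        # Keep the plaintext password out of the audit trail; record only that
        # one was supplied.
        audit_data = dict(args)
        if audit_data.get('password'):
            audit_data['password'] = '<redacted>'
        auditlog(event='user.create',
                 actor=session['user'].username,
                 data=audit_data)

        auth_system_name = args['authSystem']
        user = db.User.find_one(User.username == args['username'],
                                User.auth_system == auth_system_name)
        if user:
            return self.make_response('User already exists', HTTP.BAD_REQUEST)

        if auth_system_name not in current_app.available_auth_systems:
            return self.make_response(
                'The {} auth system does not allow local edits'.format(
                    auth_system_name), HTTP.BAD_REQUEST)

        auth_sys = current_app.available_auth_systems[auth_system_name]
        if auth_sys.readonly:
            return self.make_response(
                'You cannot create users for the {} auth system as it is handled externally'
                .format(auth_system_name), HTTP.BAD_REQUEST)

        # Resolve every requested role before touching the database so a bad
        # role name never leaves a half-created user behind.
        roles = []
        for role_name in args['roles']:
            role = db.Role.find_one(Role.name == role_name)

            if not role:
                return self.make_response('No such role {}'.format(role_name),
                                          HTTP.BAD_REQUEST)

            # Only an admin may hand out the admin role.
            if role_name == ROLE_ADMIN and ROLE_ADMIN not in session[
                    'user'].roles:
                self.log.error(
                    'User {} tried to grant admin privileges to {}'.format(
                        session['user'].username, args['username']))

                return self.make_response(
                    'You do not have permission to grant admin privileges',
                    HTTP.FORBIDDEN)

            roles.append(role)

        # An empty or missing password means "generate one for me".
        password = args['password'] or generate_password()

        user = User()
        user.username = args['username']
        user.password = hash_password(password)
        user.auth_system = auth_sys.name
        db.session.add(user)
        db.session.commit()
        db.session.refresh(user)
        User.add_role(user, roles)

        # Only a generated password is echoed back; a caller-supplied one is
        # already known to the caller and must not be repeated in the response.
        return self.make_response({
            'message':
            'User {}/{} has been created'.format(user.auth_system,
                                                 user.username),
            'user':
            user,
            'password':
            password if not args['password'] else None
        })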