def is_coorganizer_endpoint_related_to_event(view, view_args, view_kwargs,
*args, **kwargs):
"""
If the authorization header is present (but expired) and the event being accessed is not published
- And the user is related to the event (organizer, co-organizer etc) show a 401
- Else show a 404
:param view:
:param view_args:
:param view_kwargs:
:param args:
:param kwargs:
:return:
"""
user = get_identity()
if user.is_staff:
_jwt_required(app.config['JWT_DEFAULT_REALM'])
return view(*view_args, **view_kwargs)
if user.is_organizer(kwargs['event_id']) or user.is_coorganizer(
kwargs['event_id']):
_jwt_required(app.config['JWT_DEFAULT_REALM'])
return view(*view_args, **view_kwargs)
return ForbiddenError({
'source': ''
}, 'Co-organizer access is required.').respond()
def decorator(*args, **kwargs):
_jwt_required(current_app.config['JWT_DEFAULT_REALM'])
token = _default_request_handler()
user = current_identity
if not user.verify_token(token):
raise JWTError('Bad request', 'Invalid token')
return fn(*args, **kwargs)
def decorator(*args, **kwargs):
try:
_jwt_required(realm or app.config['JWT_DEFAULT_REALM'])
except Exception: # JWTError
raise AuthenticationRequired('Authentication is required',
{'source': ''})
return fn(*args, **kwargs)
def decorator(*args, **kwargs):
_jwt_required(None)
restaurant = get_current_restaurant()
if current_identity.is_activated() and \
((current_identity.is_admin) or
current_identity.is_manager_of(restaurant)):
return fn(*args, **kwargs)
return abort(403)
def decorator(*args, **kwargs):
if env.is_auth_enabled():
try:
_jwt_required(realm
or current_app.config['JWT_DEFAULT_REALM'])
except JWTError:
abort(401)
return fn(*args, **kwargs)
def belongs_to(username):
try:
_jwt_required(None)
if not current_identity['username'] == username:
return {'status': 403, 'message': 'not allowed'}, 403
except JWTError as e:
return {'status': 403, 'message': 'not allowed'}, 403
return True
def decorator(*args, **kwargs):
try:
_jwt_required(realm or current_app.config['JWT_DEFAULT_REALM'])
print(current_identity)
if admin == 1 and current_identity.is_admin!=1:
abort(401)
except Exception as e:
raise JWTError('Bad Request', 'Invalid credentials')
return fn(*args, **kwargs)
def accessible_role_based_events(view, view_args, view_kwargs, *args, **kwargs):
if 'POST' in request.method or 'withRole' in request.args:
_jwt_required(app.config['JWT_DEFAULT_REALM'])
user = current_identity
if 'GET' in request.method and user.is_staff:
return view(*view_args, **view_kwargs)
view_kwargs['user_id'] = user.id
return view(*view_args, **view_kwargs)
def get(self, **kwargs):
"""
Returns username if a JWT is found, otherwise reports not authenticated
"""
username = '******'
try:
_jwt_required(current_app.config['JWT_DEFAULT_REALM'])
username = current_identity.username
finally:
resp = {'status': 200, 'version': '1.0', 'username': username}
return resp, 200
def create_game_session():
try:
_jwt_required(None)
except:
pass
identity = None
token = None
_current_identity = current_identity._get_current_object()
if _current_identity is None or _current_identity[0] == 'session':
recaptcha_token = request.json.get('recaptcha')
if recaptcha_token is None:
return make_response(jsonify(ok=False,
error='Recaptcha missing'),
400)
if not is_human(recaptcha_token):
return make_response(jsonify(ok=False,
error='Bad recaptcha'),
400)
category = _get_random_category()
category_id = category.id
else:
category_id = request.json.get('category_id') if request.json is not None else None
user_or_session, identity = _current_identity
collection_id = request.json.get('collection_id') if request.json is not None else None
cursor = _create_cursor(0,
collection_id=collection_id,
category_id=category_id)
game_session = Session(id=str(uuid4()),
game_type='gender',
user_id=identity,
cursor=cursor)
db.session.add(game_session)
db.session.commit()
db.session.refresh(game_session)
if identity is None:
iat = datetime.utcnow()
token = jwt.encode(dict(sub='session:{}'.format(game_session.id),
iat=iat,
nbf=iat + timedelta(seconds=5),
exp=iat + timedelta(minutes=10)
),
JWT_SECRET, algorithm='HS256').decode()
return make_response(jsonify(ok=True,
session=game_session,
token=token),
201)
def filter_by_authentication(self):
filter_type = Analysis.type.in_(['public', 'disease'])
try:
_jwt_required(app.config['JWT_DEFAULT_REALM'])
except:
pass
if not current_identity:
return self.filter(filter_type)
return self.filter(
or_(filter_type, Analysis.user.has(id=current_identity.id)))
def before_get(self, args, kwargs):
kwargs['id'] = 1
if 'Authorization' in request.headers:
_jwt_required(app.config['JWT_DEFAULT_REALM'])
if current_user.is_admin or current_user.is_super_admin:
self.schema = SettingSchemaAdmin
else:
self.schema = SettingSchemaNonAdmin
else:
self.schema = SettingSchemaPublic
def before_get(self, args, kwargs):
kwargs['id'] = 1
if 'Authorization' in request.headers:
_jwt_required(app.config['JWT_DEFAULT_REALM'])
if current_user.is_admin or current_user.is_super_admin:
self.schema = SettingSchemaAdmin
else:
self.schema = SettingSchemaNonAdmin
else:
self.schema = SettingSchemaPublic
def belongs_to(username):
"""
Checks a username against the username in the JWT token
"""
try:
_jwt_required(None)
if not current_identity['username'] == username:
abort(403, 'not allowed')
except JWTError as e:
abort(403, 'not allowed')
return True
def decorator(*args, **kwargs):
_jwt_required(realm or current_app.config['JWT_DEFAULT_REALM'])
if current_identity.admin:
return fn(*args, **kwargs)
raise JWTError(
'Authorization Required',
'You are not admin',
headers={
'WWW-Authenticate': 'JWT realm="%s"' %current_app.config['JWT_DEFAULT_REALM']
}
)
def query(self, view_kwargs):
"""
query method for resource list
:param view_kwargs:
:return:
"""
if 'Authorization' in request.headers:
_jwt_required(current_app.config['JWT_DEFAULT_REALM'])
if current_user.is_super_admin or current_user.is_admin:
query_ = self.session.query(Ticket)
elif view_kwargs.get('event_id') and has_access(
'is_organizer', event_id=view_kwargs['event_id']):
query_ = self.session.query(Ticket)
else:
query_ = self.session.query(Ticket).filter_by(is_hidden=False)
else:
query_ = self.session.query(Ticket).filter_by(is_hidden=False)
if view_kwargs.get('ticket_tag_id'):
ticket_tag = safe_query(self, TicketTag, 'id',
view_kwargs['ticket_tag_id'],
'ticket_tag_id')
query_ = query_.join(ticket_tags_table).filter_by(
ticket_tag_id=ticket_tag.id)
query_ = event_query(self, query_, view_kwargs)
if view_kwargs.get('access_code_id'):
access_code = safe_query(self, AccessCode, 'id',
view_kwargs['access_code_id'],
'access_code_id')
# access_code - ticket :: many-to-many relationship
query_ = Ticket.query.filter(
Ticket.access_codes.any(id=access_code.id))
if view_kwargs.get('discount_code_id'):
discount_code = safe_query(self, DiscountCode, 'id',
view_kwargs['discount_code_id'],
'discount_code_id')
# discount_code - ticket :: many-to-many relationship
query_ = Ticket.query.filter(
Ticket.discount_codes.any(id=discount_code.id))
if view_kwargs.get('order_identifier'):
order = safe_query(self, Order, 'identifier',
view_kwargs['order_identifier'],
'order_identifier')
ticket_ids = []
for ticket in order.tickets:
ticket_ids.append(ticket.id)
query_ = query_.filter(Ticket.id.in_(tuple(ticket_ids)))
return query_
def jwt_auth_method():
from flask_jwt import _jwt_required, current_identity
from youjiao.extensions import login_manager
try:
_jwt_required(current_app.config['JWT_DEFAULT_REALM'])
# load user to flask_login
login_manager.reload_user(user=current_identity)
return True
except Exception as e:
print(e)
else:
return False
def create_event(view, view_args, view_kwargs, *args, **kwargs):
if 'POST' in request.method or 'withRole' in request.args:
_jwt_required(app.config['JWT_DEFAULT_REALM'])
user = current_identity
if user.can_create_event is False:
return ForbiddenError({'source': ''}, 'Please verify your email').respond()
if 'GET' in request.method and user.is_staff:
return view(*view_args, **view_kwargs)
view_kwargs['user_id'] = user.id
return view(*view_args, **view_kwargs)
def jwt_auth_method():
from flask_jwt import _jwt_required, current_identity
from youjiao.extensions import login_manager
try:
_jwt_required(current_app.config['JWT_DEFAULT_REALM'])
# load user to flask_login
login_manager.reload_user(user=current_identity)
return True
except Exception as e:
print(e)
else:
return False
def query(self, view_kwargs):
"""
query method for EventList class
:param view_kwargs:
:return:
"""
query_ = self.session.query(Event).filter_by(state='published')
if 'Authorization' in request.headers:
_jwt_required(current_app.config['JWT_DEFAULT_REALM'])
query2 = self.session.query(Event)
query2 = query2.join(Event.roles).filter_by(user_id=current_identity.id).join(UsersEventsRoles.role). \
filter(or_(Role.name == COORGANIZER, Role.name == ORGANIZER))
query_ = query_.union(query2)
if view_kwargs.get('user_id') and 'GET' in request.method:
if not has_access('is_user_itself',
user_id=int(view_kwargs['user_id'])):
raise ForbiddenException({'source': ''}, 'Access Forbidden')
user = safe_query(db, User, 'id', view_kwargs['user_id'],
'user_id')
query_ = query_.join(Event.roles).filter_by(user_id=user.id).join(UsersEventsRoles.role). \
filter(Role.name != ATTENDEE)
if view_kwargs.get('event_type_id') and 'GET' in request.method:
query_ = self.session.query(Event).filter(
getattr(Event, 'event_type_id') ==
view_kwargs['event_type_id'])
if view_kwargs.get('event_topic_id') and 'GET' in request.method:
query_ = self.session.query(Event).filter(
getattr(Event, 'event_topic_id') ==
view_kwargs['event_topic_id'])
if view_kwargs.get('event_sub_topic_id') and 'GET' in request.method:
query_ = self.session.query(Event).filter(
getattr(Event, 'event_sub_topic_id') ==
view_kwargs['event_sub_topic_id'])
if view_kwargs.get('discount_code_id') and 'GET' in request.method:
event_id = get_id(view_kwargs)['id']
if not has_access('is_coorganizer', event_id=event_id):
raise ForbiddenException({'source': ''},
'Coorganizer access is required')
query_ = self.session.query(Event).filter(
getattr(Event, 'discount_code_id') ==
view_kwargs['discount_code_id'])
return query_
def root():
# check access
ip_whitelist = ip_network(current_app.config.get('PROMETHEUS_WHITELIST'))
if ip_address(request.remote_addr) not in ip_whitelist:
_jwt_required(current_app.config['JWT_DEFAULT_REALM'])
registry = CollectorRegistry()
multiprocess.MultiProcessCollector(registry)
data = generate_latest(registry)
response = make_response(data)
response.headers['Content-Type'] = CONTENT_TYPE_LATEST
response.headers['Content-Length'] = str(len(data))
return response
def api_auth_func(**kw):
if g.user.is_authenticated:
return True
elif _jwt_required(None):
return True
else:
return False
def before_post(self, args, kwargs, data):
"""
before post method to check for required relationship and proper permission
:param args:
:param kwargs:
:param data:
:return:
"""
require_relationship(['event'], data)
if 'Authorization' in request.headers:
_jwt_required(app.config['JWT_DEFAULT_REALM'])
else:
raise ForbiddenException({'source': ''}, 'Only Authorized Users can favourite an event')
data['user'] = current_user.id
user_favourite_event = UserFavouriteEvent.query.filter_by(
user=current_user, event_id=int(data['event'])).first()
if user_favourite_event:
raise ConflictException({'pointer': '/data/relationships/event'}, "Event already favourited")
def query(self, view_kwargs):
"""
query method for EventList class
:param view_kwargs:
:return:
"""
query_ = self.session.query(Event).filter_by(state='published')
if 'Authorization' in request.headers:
_jwt_required(current_app.config['JWT_DEFAULT_REALM'])
query2 = self.session.query(Event)
query2 = query2.join(Event.roles).filter_by(user_id=current_identity.id).join(UsersEventsRoles.role). \
filter(or_(Role.name == COORGANIZER, Role.name == ORGANIZER))
query_ = query_.union(query2)
if view_kwargs.get('user_id') and 'GET' in request.method:
if not has_access('is_user_itself', id=view_kwargs['user_id']):
raise ForbiddenException({'source': ''}, 'Access Forbidden')
user = safe_query(db, User, 'id', view_kwargs['user_id'], 'user_id')
query_ = query_.join(Event.roles).filter_by(user_id=user.id).join(UsersEventsRoles.role). \
filter(Role.name != ATTENDEE)
if view_kwargs.get('event_type_id') and 'GET' in request.method:
query_ = self.session.query(Event).filter(
getattr(Event, 'event_type_id') == view_kwargs['event_type_id'])
if view_kwargs.get('event_topic_id') and 'GET' in request.method:
query_ = self.session.query(Event).filter(
getattr(Event, 'event_topic_id') == view_kwargs['event_topic_id'])
if view_kwargs.get('event_sub_topic_id') and 'GET' in request.method:
query_ = self.session.query(Event).filter(
getattr(Event, 'event_sub_topic_id') == view_kwargs['event_sub_topic_id'])
if view_kwargs.get('discount_code_id') and 'GET' in request.method:
event_id = get_id(view_kwargs)['id']
if not has_access('is_coorganizer', event_id=event_id):
raise ForbiddenException({'source': ''}, 'Coorganizer access is required')
query_ = self.session.query(Event).filter(
getattr(Event, 'discount_code_id') == view_kwargs['discount_code_id'])
return query_
def query(self, view_kwargs):
"""
query method for resource list
:param view_kwargs:
:return:
"""
if 'Authorization' in request.headers:
_jwt_required(current_app.config['JWT_DEFAULT_REALM'])
if current_user.is_super_admin or current_user.is_admin:
query_ = self.session.query(Ticket)
elif view_kwargs.get('event_id') and has_access('is_organizer', event_id=view_kwargs['event_id']):
query_ = self.session.query(Ticket)
else:
query_ = self.session.query(Ticket).filter_by(is_hidden=False)
else:
query_ = self.session.query(Ticket).filter_by(is_hidden=False)
if view_kwargs.get('ticket_tag_id'):
ticket_tag = safe_query(self, TicketTag, 'id', view_kwargs['ticket_tag_id'], 'ticket_tag_id')
query_ = query_.join(ticket_tags_table).filter_by(ticket_tag_id=ticket_tag.id)
query_ = event_query(self, query_, view_kwargs)
if view_kwargs.get('access_code_id'):
access_code = safe_query(self, AccessCode, 'id', view_kwargs['access_code_id'], 'access_code_id')
# access_code - ticket :: many-to-many relationship
query_ = Ticket.query.filter(Ticket.access_codes.any(id=access_code.id))
if view_kwargs.get('discount_code_id'):
discount_code = safe_query(self, DiscountCode, 'id', view_kwargs['discount_code_id'], 'discount_code_id')
# discount_code - ticket :: many-to-many relationship
query_ = Ticket.query.filter(Ticket.discount_codes.any(id=discount_code.id))
if view_kwargs.get('order_identifier'):
order = safe_query(self, Order, 'identifier', view_kwargs['order_identifier'], 'order_identifier')
ticket_ids = []
for ticket in order.tickets:
ticket_ids.append(ticket.id)
query_ = query_.filter(Ticket.id.in_(tuple(ticket_ids)))
return query_
def load_user(user_id):
token = Auth.JWT.request_callback()
if token:
_jwt_required(Auth.APP.config['JWT_DEFAULT_REALM'])
return current_identity
access_token = json.loads(user_id)
if access_token['expires_at'] < time.time():
google = get_google_auth()
resp = google.refresh_token(Auth.TOKEN_URI, refresh_token=access_token['refresh_token'],
client_secret=Auth.CLIENT_SECRET, client_id=Auth.CLIENT_ID)
return User(json.dumps(resp))
google = get_google_auth(token=json.loads(user_id))
resp = google.get(Auth.TOKEN_INFO_URI + urllib.quote_plus(
access_token['access_token']))
response_object = resp.json()
if 'email' in response_object:
user = User(user_id)
user.email = response_object['email']
if not Auth.LIMIT_DOMAIN or Auth.LIMIT_DOMAIN in user.email:
return User(user_id)
return None
def is_coorganizer_endpoint_related_to_event(view, view_args, view_kwargs, *args, **kwargs):
"""
If the authorization header is present (but expired) and the event being accessed is not published
- And the user is related to the event (organizer, co-organizer etc) show a 401
- Else show a 404
:param view:
:param view_args:
:param view_kwargs:
:param args:
:param kwargs:
:return:
"""
user = get_identity()
if user.is_staff:
_jwt_required(app.config['JWT_DEFAULT_REALM'])
return view(*view_args, **view_kwargs)
if user.is_organizer(kwargs['event_id']) or user.is_coorganizer(kwargs['event_id']):
_jwt_required(app.config['JWT_DEFAULT_REALM'])
return view(*view_args, **view_kwargs)
return ForbiddenError({'source': ''}, 'Co-organizer access is required.').respond()
def decorator(*args, **kwargs):
_jwt_required(realm or app.config['JWT_DEFAULT_REALM'])
return fn(*args, **kwargs)
def decorator(*args, **kwargs):
_jwt_required(realm or app.config['JWT_DEFAULT_REALM'])
current_identity.last_accessed_at = datetime.utcnow()
save_to_db(current_identity)
return fn(*args, **kwargs)
def decorator(*args, **kwargs):
_jwt_required(realm or app.config['JWT_DEFAULT_REALM'])
current_identity.last_accessed_at = datetime.utcnow()
save_to_db(current_identity)
return fn(*args, **kwargs)
def decorator(*args, **kwargs):
_jwt_required(None)
if current_identity.is_activated() and current_identity.is_admin:
return fn(*args, **kwargs)
return abort(403)
def authenticated(self):
if self.type in ['private', 'noise']:
_jwt_required(app.config['JWT_DEFAULT_REALM'])
return self.user_id == current_identity.id
return True
def decorator(*args, **kwargs):
_jwt_required(realm=None)
return f(*args, **kwargs)
def decorator(*args, **kwargs):
_jwt_required(realm)
return fn(*args, **kwargs)
def optional_jwt(realm=None):
try:
_jwt_required(realm)
except JWTError:
_request_ctx_stack.top.current_identity = None
def check_access(self):
_jwt_required(current_app.config['JWT_DEFAULT_REALM'])
def handle_unauthorized_response():
from flask_jwt import _jwt_required
if request.mimetype == 'application/json':
_jwt_required(current_app.config['JWT_DEFAULT_REALM'])
else:
return current_app.login_manager.unauthorized()
def check_authentication(self):
_jwt_required(current_app.config['JWT_DEFAULT_REALM'])
