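    def post(self, id):
        """Update or delete the news item ``id`` based on ``requestMethod``.

        The real verb is read from the ``requestMethod`` argument parsed by
        ``RequestMethod_parser``: ``PUT`` updates the item, ``DELETE`` removes
        it, anything else answers 404.  Each branch first checks the matching
        ``ActionNeed`` and aborts through ``abort_if_unauthorized`` when the
        current identity does not hold it.
        """
        import ast  # stdlib only; local so the module header stays untouched

        request_arg = RequestMethod_parser.parse_args()
        request_method = request_arg['requestMethod']
        if request_method == "PUT":
            permission = Permission(ActionNeed('修改新闻'))
            if permission.can() is not True:
                abort_if_unauthorized("修改新闻")
            news = News.query.filter(News.id == id).first()
            abort_if_not_exist(news, "news")
            args = NewsSpec_parser.parse_args()
            category = args['category']
            detail = args['detail']
            title = args['title']
            editable = args['editable']
            tags = args['tags']
            # ``tags[0]`` may carry the textual repr of a Python list.  The
            # original used eval() here, which executes arbitrary
            # client-supplied text; ast.literal_eval accepts literals only
            # and raises on anything else.  Unparsable input is left as
            # received, exactly as the former ``except: pass`` did.
            try:
                tags = list(ast.literal_eval(tags[0]))
            except (TypeError, IndexError, ValueError, SyntaxError):
                pass
            if category is not None:
                news.category = []
                news.addCategory(category)
            if detail is not None:
                news.detail = detail
                soup, img_url_first = handle_html(detail)
                news.img_url = img_url_first
                # The outline is the first 80 characters of the plain text.
                news.outline = soup.get_text()[:80]
            if title is not None:
                news.title = title
            if editable is not None:
                news.editable = editable
            if tags is not None:
                news.tags = []
                for tag in tags:
                    news.addTag(tag)
            db.session.add(news)
            db.session.commit()
        elif request_method == "DELETE":
            permission = Permission(ActionNeed('删除新闻'))
            if permission.can() is not True:
                abort_if_unauthorized("删除新闻")
            news = News.query.filter(News.id == id).first()
            abort_if_not_exist(news, "news")
            db.session.delete(news)
            db.session.commit()
        else:
            abort(404, message="api not found")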
    def test_permission_or_excludes(self):
        """``|`` and ``union`` must agree on the ``excludes`` of reversed permissions.

        Reversing turns each permission's needs into excludes; the union of
        two such permissions should carry the plain set union of the two
        exclude sets, whichever spelling builds it.
        """
        boss_or_lackey = Permission(RoleNeed('boss'), RoleNeed('lackey')).reverse()
        lackey_or_underling = Permission(RoleNeed('lackey'), RoleNeed('underling')).reverse()

        via_operator = boss_or_lackey | lackey_or_underling
        via_method = boss_or_lackey.union(lackey_or_underling)

        # "Any of which must be present to access a resource": the or of two
        # reversed permissions is the set union of their excludes.
        expected_excludes = boss_or_lackey.excludes | lackey_or_underling.excludes

        assert via_operator.excludes == via_method.excludes
        assert via_operator.excludes == expected_excludes
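def get_quality_assurance_form_dashboard_menu(form_types):
    """Build the QA dashboard menu entries for the current event.

    Only forms whose ``quality_checks_enabled`` flag is set, that belong to
    ``g.event`` and that the current identity may access (an
    ``access_resource`` item need for the form's resource, or the ``admin``
    role) are listed, ordered by form name.

    :param form_types: iterable of form types to include
    :return: list of ``{'url', 'text', 'visible'}`` menu-item dicts
    """
    event = g.event
    forms = models.Form.query.filter(
        models.Form.form_type.in_(form_types),
        models.Form.quality_checks_enabled == True  # noqa
    ).join(models.Form.events).filter(
        models.Form.events.contains(event)).order_by(models.Form.name)

    def _can_access(form):
        # Either the per-resource need or the admin role unlocks the form.
        return Permission(
            ItemNeed('access_resource', form.resource_id, form.resource_type),
            RoleNeed('admin')).can()

    return [
        {
            'url': url_for('submissions.quality_assurance_dashboard',
                           form_id=form.id),
            'text': form.name,
            'visible': True,
        }
        for form in forms if _can_access(form)
    ]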
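    def has_permission(name):
        """Tell templates whether the current identity holds ``need(name)``.

        :param name: name handed to the module's ``need`` factory
        :return: ``True`` when ``Permission(need(name)).can()`` holds, else ``False``
        """
        # Coerce to a real bool so templates keep getting exactly True/False.
        return bool(Permission(need(name)).can())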
def edit_post(id):
    """Edit post ``id``; the poster (``UserNeed``) or an admin may change it.

    Anonymous visitors are sent to the login page and non-posters back to
    the post.  A valid submission updates title, text and publish date and
    redirects to the post; otherwise the form is rendered pre-filled with
    the stored content.  Missing permission answers 403.
    """
    post = Post.query.get_or_404(id)

    # NOTE(review): ``not current_user`` only fires for a falsy proxy; if this
    # is flask-login's current_user, ``current_user.is_authenticated`` is the
    # usual check - confirm against the login setup.
    if not current_user:
        return redirect(url_for('main.login'))

    # NOTE(review): every non-poster is redirected here, so the admin branch
    # of the permission test below is only reachable by the poster.
    if current_user != post.users:
        return redirect(url_for('blog.post', post_id=id))

    # Only the poster or an admin may edit the post.
    permission = Permission(UserNeed(post.users.id))
    if not (permission.can() or admin_permission.can()):
        abort(403)

    form = PostForm()
    if form.validate_on_submit():
        post.title = form.title.data
        post.text = form.text.data
        post.publish_date = datetime.datetime.now()
        # Persist the update.
        db.session.add(post)
        db.session.commit()
        return redirect(url_for('blog.post', post_id=post.id))

    # GET or invalid submission: keep showing the stored content.
    form.title.data = post.title
    form.text.data = post.text
    return render_template('edit_post.html', form=form, post=post)
 def get(self, id):
     """Return the news item with primary key ``id``.

     Requires the ``查看新闻`` action; a missing permission or a missing row
     ends the request via the ``abort_if_*`` helpers.
     """
     view_permission = Permission(ActionNeed('查看新闻'))
     if view_permission.can() is not True:
         abort_if_unauthorized("查看新闻")
     item = News.query.filter(News.id == id).first()
     abort_if_not_exist(item, "news")
     return item
def edit_post(id):
    """Edit post ``id``; the author (``UserNeed``) or an admin may change it.

    Anonymous visitors go to the login page; anyone else who is not the
    author gets 403.  A valid submission updates the post and redirects to
    it, otherwise the edit form is rendered.
    """
    if not current_user:
        return redirect(url_for('main.login'))

    post = Post.query.get_or_404(id)

    # NOTE(review): every non-author is rejected here, so the
    # ``admin_permission`` alternative below is only reachable by the author.
    if current_user != post.user:
        abort(403)

    permission = Permission(UserNeed(post.user.id))
    if not (permission.can() or admin_permission.can()):
        abort(403)

    form = PostForm()
    if form.validate_on_submit():
        post.title = form.title.data
        post.text = form.text.data
        post.publish_date = datetime.datetime.now()
        db.session.add(post)
        db.session.commit()
        return redirect(url_for('.post', post_id=post.id))

    # Only the body is pre-filled; the title field is left as submitted.
    form.text.data = post.text
    return render_template('edit.html', form=form, post=post)
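	def post(self):
		"""Create a role (``requestMethod == "POST"``) and attach its nodes.

		``roleName`` must be unused and every entry of ``nodeName`` must name
		an existing ``Node``; any other ``requestMethod`` value answers 404.
		"""
		import ast  # stdlib only; local so the module header stays untouched

		request_arg = RequestMethod_parser.parse_args()
		request_method = request_arg['requestMethod']
		# TODO(review): debug print of a request field; route through logging or drop.
		print(request_method)
		if request_method == "POST":
			permission = Permission(ActionNeed('添加角色'))
			if permission.can() is not True:
				abort_if_unauthorized("添加角色")
			args = Role_parser.parse_args()
			role_name = args['roleName']
			# ``nodeName[0]`` may carry the textual repr of a Python list.  The
			# original eval() executed arbitrary client-supplied text;
			# ast.literal_eval accepts literals only.  Unparsable input falls
			# back to the raw value, as before.
			try:
				node_names = list(ast.literal_eval(args['nodeName'][0]))
			except (TypeError, IndexError, ValueError, SyntaxError):
				node_names = args['nodeName']

			existing = Role.query.filter(Role.roleName == role_name).first()
			abort_if_exist(existing, "roleName")
			role = Role(role_name)
			db.session.add(role)
			db.session.commit()
			for name in node_names:
				node = Node.query.filter(Node.nodeName == name).first()
				abort_if_not_exist(node, "node")
				role.nodes.append(node)
			db.session.add(role)
			db.session.commit()
		else:
			abort(404, message="api not found")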
    def __getattr__(self, role):
        """Return the ``require`` method of the permission for ``role``.

        Permissions are created on first use and memoised in
        ``self._permissions``.  Assumes ``_permissions`` is assigned in
        ``__init__``; if it were missing, looking it up here would recurse
        back into ``__getattr__`` - TODO confirm.
        """
        try:
            role_permission = self._permissions[role]
        except KeyError:
            role_permission = Permission(RoleNeed(role))
            self._permissions[role] = role_permission
        return role_permission.require
 def decorator(*args, **kwargs):
     """Call ``f`` only for an authenticated user holding one of ``roles``.

     Anonymous callers get ``abort(401)``; authenticated callers without any
     of the role needs get ``abort(403)``.
     """
     if not current_user.is_authenticated:
         return abort(401)
     required = Permission(*(RoleNeed(role) for role in roles))
     if not required.can():
         return abort(403)
     return f(*args, **kwargs)
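 def post(self):
     """Create a news item (``requestMethod == "POST"``) with category and tags.

     ``detail`` is passed through ``handle_html`` to obtain the parsed soup
     and the first image URL; the first 80 characters of the soup's text
     become the outline.  Every tag must already exist as a ``Tag`` row.
     """
     import ast  # stdlib only; local so the module header stays untouched

     request_arg = RequestMethod_parser.parse_args()
     request_method = request_arg['requestMethod']
     if request_method == "POST":
         permission = Permission(ActionNeed('添加新闻'))
         if permission.can() is not True:
             abort_if_unauthorized("添加新闻")
         args = News_parser.parse_args()
         category = args['category']
         detail = args['detail']
         title = args['title']
         tags = args['tags']
         # ``tags[0]`` may carry the textual repr of a Python list.  The
         # original eval() executed arbitrary client-supplied text;
         # ast.literal_eval accepts literals only.  Unparsable input is
         # left as received, exactly as the former ``except: pass`` did.
         try:
             tags = list(ast.literal_eval(tags[0]))
         except (TypeError, IndexError, ValueError, SyntaxError):
             pass
         soup, img_url_first = handle_html(detail)
         outline = soup.get_text()[:80]
         news = News(soup.prettify(), title, outline, img_url_first)
         db.session.add(news)
         db.session.commit()
         news.addCategory(category)
         for tag in tags:
             tag_row = Tag.query.filter_by(name=tag).first()
             abort_if_not_exist(tag_row, "tag")
             news.tags.append(tag_row)
         db.session.add(news)
         db.session.commit()
     else:
         abort(404, message="api not found")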
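def login():
    """Log a user in by e-mail or username plus password.

    Already-authenticated users are sent to the index.  On success the
    flask-principal identity is switched to the user and the browser is
    redirected to a same-site ``next`` target or the index; on failure a
    flash message is shown and the login page is reloaded.
    """
    from urllib.parse import urlsplit  # stdlib only; local to keep the header untouched

    if current_user.is_authenticated:
        return redirect(url_for("main.index"))

    form = LoginForm()
    if form.validate_on_submit():
        # Raw string: ``\.`` inside a normal literal is an invalid escape.
        if re.match(r"^[a-zA-Z0-9.]+@[a-zA-Z0-9]+\.[a-zA-Z]+$",
                    form.identifier.data):
            user = User.query.filter_by(_email=form.identifier.data).first()
        else:
            user = User.query.filter_by(username=form.identifier.data).first()

        if user is not None and user.check_password(form.password.data):
            login_user(user, form.remember_me.data)
            identity_changed.send(current_app._get_current_object(),
                                  identity=Identity(user.id))
            if Permission(need("admin")).can():
                flash("Hello, admin!")
            # ``next`` is client-controlled: follow it only when it is a path
            # on this site (no scheme, no host, no backslash tricks), so the
            # login page cannot be used to bounce users to another site.
            target = request.args.get("next")
            if target:
                parts = urlsplit(target)
                if parts.scheme or parts.netloc or "\\" in target:
                    target = None
            return redirect(target or url_for("main.index"))

        flash("Your username/email or password is invalid.")
        return redirect(url_for("auth.login"))

    return render_template("auth/login.html", form=form)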
def article_edit(id):
    """Edit article ``id``; its author (``UserNeed``) or an admin may change it.

    Anonymous visitors go to the login page, non-authors back to the
    article.  A valid submission updates title, content and publish time and
    redirects to the article; otherwise the form is rendered with the stored
    content.  Missing permission answers 403.
    """
    article = BlogArticle.query.get_or_404(id)

    # NOTE(review): if ``current_user`` is flask-login's proxy,
    # ``current_user.is_authenticated`` is the usual test - confirm.
    if not current_user:
        return redirect(url_for('site.login'))

    # NOTE(review): non-authors are redirected here, so the
    # ``permission_admin`` alternative below is only reachable by the author.
    if current_user != article.user:
        return redirect(url_for('blog.article_one', id=id))

    permission = Permission(UserNeed(article.user.id))
    if not (permission.can() or permission_admin.can()):
        abort(403)

    form = ArticleForm()
    if form.validate_on_submit():
        article.title = form.title.data
        article.content = form.content.data
        article.publish_time = datetime.datetime.now()
        db.session.add(article)
        db.session.commit()
        return redirect(url_for('blog.article_one', id=article.id))

    # GET or invalid submission: show the stored content.
    form.title.data = article.title
    form.content.data = article.content
    return render_template('blog/article/edit.html',
                           obj_form=form,
                           article_one=article)
 def decorated_view(*args, **kwargs):
     """Run ``func`` unless the request targets another user without ``('users', 'read')``.

     The target is read from the request's ``username`` value; requests that
     name the current user (or nobody) pass straight through.
     """
     target_username = request.values.get('username', None)
     targets_other_user = (target_username is not None
                           and target_username != current_user.username)
     if targets_other_user and not Permission(('users', 'read')).can():
         abort(403, 'you do not have the permission to view other users')
     return func(*args, **kwargs)
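    def post(self, restaurant_id, user_id):
        """Record a new order for ``user_id``.

        The caller must hold ``UserNeed(user_id)``, otherwise 403.  The JSON
        body must carry ``orders`` (only its first entry is used) and
        ``order_items``; the order is written to the user's order history and
        to the restaurant's order list, then committed.
        """
        identity_permission = Permission(UserNeed(user_id))
        if not identity_permission.can():
            abort(403)

        # NOTE(review): the body is client-supplied; a missing ``orders`` /
        # ``order_items`` key or an empty ``orders`` list raises here and
        # surfaces as a 500 rather than a 400 - consider validating first.
        data = request.get_json(force=True)
        order = data['orders'][0]
        order['status'] = "new"
        order_items = data['order_items']
        today = datetime.datetime.now()
        # NOTE(review): the authorised ``user_id`` / ``restaurant_id`` from the
        # URL are not used below; the body's ``order['user_id']`` and
        # ``order['restaurant_id']`` are.  Confirm they are meant to be
        # trusted, or take them from the URL instead.
        # The user's own order history ...
        OrderHistoryDao.add_order_history(today, order['desk_number'],
                                          order['total_price'],
                                          order['restaurant_id'],
                                          order['user_id'], order_items)
        # ... and the copy sent to the restaurant.
        OrderDao.add_order(today, order['desk_number'], order['total_price'],
                           order['status'], order['restaurant_id'],
                           order_items)
        DaoHelper.commit(db)
        # NOTE(review): this returns the integer 204 as the response body; if
        # this is a Flask-RESTful resource, ``return '', 204`` sets the status.
        return 204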
	def get(self, id):
		"""Return the permission node with primary key ``id``.

		Requires the ``查看权限节点`` action; a missing permission or a missing
		row ends the request via the ``abort_if_*`` helpers.
		"""
		view_permission = Permission(ActionNeed('查看权限节点'))
		if view_permission.can() is not True:
			abort_if_unauthorized("查看权限节点")
		found = Node.query.filter(Node.id == id).first()
		abort_if_not_exist(found, "node")
		return found
 def get(self, id):
     """Return the slider-show entry with primary key ``id``.

     Guarded by the ``查看新闻`` action need - the same label the news
     endpoints use; presumably intentional, verify.  A missing row aborts.
     """
     view_permission = Permission(ActionNeed('查看新闻'))
     if view_permission.can() is not True:
         abort_if_unauthorized("查看新闻")
     entry = SilderShow.query.filter(SilderShow.id == id).first()
     abort_if_not_exist(entry, "silder_show")
     return entry
def edit_post(id):
    """Edit post ``id``; the owner (``UserNeed``) or an admin may change it.

    Anonymous visitors go to the login page, non-owners back to the post.
    A valid submission updates title, text and publish date and redirects to
    the post; otherwise the form is rendered with the stored content.
    Missing permission answers 403.
    """
    post = Post.query.get_or_404(id)

    # Ensure the user is logged in.
    # NOTE(review): if ``current_user`` is flask-login's proxy,
    # ``current_user.is_authenticated`` is the usual check - confirm.
    if not current_user:
        return redirect(url_for('main.login'))

    # Only the post owner may edit this post.
    # NOTE(review): every non-owner is redirected here, so the admin branch
    # below is only reachable by the owner.
    if current_user != post.user:
        return redirect(url_for('blog.post', post_id=id))

    # Owner or admin.
    permission = Permission(UserNeed(post.user.id))
    if not (permission.can() or admin_permission.can()):
        abort(403)

    form = PostForm()
    if form.validate_on_submit():
        post.title = form.title.data
        post.text = form.text.data
        post.publish_date = datetime.now()
        # Persist the update.
        db.session.add(post)
        db.session.commit()
        return redirect(url_for('blog.post', post_id=post.id))

    # GET or invalid submission: show the stored content.
    form.title.data = post.title
    form.text.data = post.text
    return render_template('edit_post.html', form=form, post=post)
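	def post(self):
		"""Create a user (``requestMethod == "POST"``) and attach its roles.

		``userName`` must be unused and every entry of ``roleName`` must name
		an existing ``Role``; any other ``requestMethod`` value answers 404.
		"""
		import ast  # stdlib only; local so the module header stays untouched

		request_arg = RequestMethod_parser.parse_args()
		request_method = request_arg['requestMethod']
		if request_method == "POST":
			permission = Permission(ActionNeed('添加用户'))
			if permission.can() is not True:
				abort_if_unauthorized("添加用户")
			args = User_parser.parse_args()
			# ``roleName[0]`` may carry the textual repr of a Python list.  The
			# original eval() executed arbitrary client-supplied text;
			# ast.literal_eval accepts literals only.  Unparsable input keeps
			# the raw value, as before.
			try:
				args['roleName'] = list(ast.literal_eval(args['roleName'][0]))
			except (TypeError, IndexError, ValueError, SyntaxError):
				pass
			user_name = args['userName']
			password = args['passWord']
			email = args['email']
			role_names = args['roleName']
			phone = args['phone']
			existing = User.query.filter(User.userName == user_name).first()
			abort_if_exist(existing, "userName")
			# NOTE(review): the raw password is handed to the User constructor;
			# confirm it is hashed there rather than stored as received.
			user = User(user_name, password, email, phone)
			for name in role_names:
				role = Role.query.filter(Role.roleName == name).first()
				abort_if_not_exist(role, "role")
				user.roles.append(role)
			db.session.add(user)
			db.session.commit()
		else:
			abort(404, message="api not found")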
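def test_entry_points():
    """Test admin views discovery through entry points.

    Builds an ``InvenioAdmin`` on a bare Flask app with a permissive
    permission factory and checks that the discovered views land in the
    expected menu categories.
    """
    from flask_principal import Permission
    app = Flask('testapp')
    admin_app = InvenioAdmin(app,
                             permission_factory=lambda x: Permission(),
                             view_class_factory=lambda x: x)
    # Check if model views were added by checking the labels of menu items
    menu_items = {str(item.name): item for item in admin_app.admin.menu()}
    assert 'OneAndTwo' in menu_items  # Category for ModelOne and ModelTwo
    assert 'Four' in menu_items  # Category for the 'View number Four' view
    assert 'Model One' not in menu_items  # ModelOne should go to a category
    assert 'Model Two' not in menu_items  # ModelTwo should go to a category
    assert 'Model Three' in menu_items  # ModelThree goes straight to menu
    assert isinstance(menu_items['Model Three'], flask_admin.menu.MenuView)
    assert isinstance(menu_items['OneAndTwo'], flask_admin.menu.MenuCategory)
    assert menu_items['OneAndTwo'].is_category()
    assert not menu_items['Model Three'].is_category()
    submenu_items = {
        str(item.name): item
        for item in menu_items['OneAndTwo'].get_children()
    }
    assert 'Model One' in submenu_items
    assert 'Model Two' in submenu_items
    assert not submenu_items['Model One'].is_category()
    assert not submenu_items['Model Two'].is_category()
    assert isinstance(submenu_items['Model One'], flask_admin.menu.MenuView)
    assert isinstance(submenu_items['Model Two'], flask_admin.menu.MenuView)
    # 'Four' holds exactly the one view registered under it.
    four_item = menu_items['Four'].get_children()[0]
    assert four_item.name == 'View number Four'
    assert isinstance(four_item, flask_admin.menu.MenuView)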
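def post(post_id):
    """Show post ``post_id`` with tags and comments, or store a new comment.

    A valid ``CommentForm`` submission saves the comment and redirects back
    to the post.  Otherwise the read counter is incremented and the page is
    rendered with ``is_edit`` telling the template whether the viewer holds
    the author's ``UserNeed`` or the admin permission.
    """
    # Resolve the post before handling the form so a comment can never be
    # stored against an id that does not exist (the original saved the
    # comment first and only then ran the 404 check).
    post = Post.query.get_or_404(post_id)

    form = CommentForm()
    if form.validate_on_submit():
        new_comment = Comment()
        new_comment.name = form.name.data
        new_comment.text = form.text.data
        new_comment.post_id = post_id
        new_comment.date = datetime.now()
        db.session.add(new_comment)
        db.session.commit()
        return redirect(url_for('.post', post_id=post_id))

    # Count this view.  NOTE(review): read-modify-write in Python; concurrent
    # requests can lose increments - confirm whether that matters here.
    post.read = post.read + 1
    db.session.add(post)
    db.session.commit()

    tags = post.tags
    comments = post.comments.order_by(Comment.date.desc()).all()
    # Does the viewer have edit rights?
    permission = Permission(UserNeed(post.user.id))
    is_edit = permission.can() or admin_permission.can()
    if g.is_login:
        form.name.data = current_user.username
    return render_template('post.html',
                           post=post,
                           tags=tags,
                           is_edit=is_edit,
                           comments=comments,
                           form=form)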
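    def post(self):
        """Create an application context and return its application key.

        Requires ``('appcontexts', 'write')``, otherwise 403.  The creator
        receives the mandatory read/write needs for the new app; a duplicate
        name yields 409.  When ``APP_KEYS_FOLDER`` is configured the key is
        also written to ``<folder>/<name>.appkey``.
        """
        parser = reqparse.RequestParser()
        parser.add_argument('name', type=str)
        args = parser.parse_args()

        if not Permission(('appcontexts', 'write')).can():
            abort(403)

        name = args['name']
        # ``name`` is client-supplied and later becomes a file name under
        # APP_KEYS_FOLDER: refuse empty names and anything carrying path
        # components so the key file cannot land outside that folder.
        if not name or name in ('.', '..') or os.path.basename(name) != name:
            abort(400, 'invalid application name')

        ctx = AppContext(name)
        db.session.add(ctx)
        # Give default permissions for the new app to the creator.
        for parts in product(APP_MANDATORY_NEEDS, ('read', 'write')):
            need = Need(ctx, *parts)
            db.session.add(need)
            current_user.permissions.append(need)
        try:
            db.session.commit()
        except sqlalchemy.exc.IntegrityError:
            db.session.rollback()
            abort(409, 'an application with the same name already exists')

        app_key = generate_token([ctx.id, md5(ctx.name)],
                                 salt=app.config['APPLICATION_KEY_SALT'])

        if app.config['APP_KEYS_FOLDER']:
            keyfile = os.path.join(app.config['APP_KEYS_FOLDER'],
                                   '{}.appkey'.format(ctx.name))
            with open(keyfile, 'w') as f:
                f.write(app_key)

        return {'application-key': app_key}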
 def decorator(*args, **kwargs):
     """Run ``func`` only if the caller may edit topic ``topicId``.

     Without ``EditTopicNeed(topicId)`` a warning is flashed and the user is
     sent back to the topic page.
     """
     topic_id = kwargs.get('topicId')
     if Permission(EditTopicNeed(topic_id)).can():
         return func(*args, **kwargs)
     flash(_('You have no permission'), 'warning')
     return redirect(url_for('topic.topic', topicId=topic_id))
def edit_post(id):
    """Edit post ``id``; only its author (``UserNeed``) or an admin may.

    A valid submission updates title, text and publish date and redirects to
    the post; otherwise the edit form is rendered.  Missing permission
    answers 403.
    """
    post = Post.query.get_or_404(id)

    # Access rule for this view: the identity must satisfy the author's
    # UserNeed or the admin permission.
    permission = Permission(UserNeed(post.author.id))
    if not (permission.can() or admin_permission.can()):
        abort(403)

    form = PostForm()
    if form.validate_on_submit():
        post.title = form.title.data
        post.text = form.text.data
        post.publish_date = datetime.datetime.now()
        db.session.add(post)
        db.session.commit()
        return redirect(url_for('blog.post', post_id=post.id))

    # Only the body is pre-filled; the title is left as submitted (or empty
    # on a plain GET) - presumably intentional, verify.
    form.text.data = post.text
    return render_template('blog/edit.html', form=form, post=post)
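def edit_post(id):
    """Edit post ``id``; the poster (``UserNeed``) or an admin may change it.

    Anonymous visitors go to the login page, other users back to the post.
    A valid submission updates the post and redirects to it; a GET or an
    invalid submission renders the form with the stored content.  Missing
    permission answers 403.
    """
    post = Post.query.get_or_404(id)

    # Make sure the user is logged in.
    # NOTE(review): if ``current_user`` is flask-login's proxy,
    # ``current_user.is_authenticated`` is the usual check - confirm.
    if not current_user:
        return redirect(url_for('main.login'))

    # NOTE(review): non-posters are redirected here, so the admin branch
    # below is only reachable by the poster.
    if current_user != post.users:
        return redirect(url_for('blog.post', post_id=id))

    # Only the poster or an admin may edit.
    permission = Permission(UserNeed(post.users.id))
    if not (permission.can() or admin_permission.can()):
        # The original fell off the end here (returning None) when the
        # permission was missing; answer 403 like the other edit views.
        abort(403)

    form = PostForm()
    if form.validate_on_submit():
        post.title = form.title.data
        post.text = form.text.data
        post.published_date = datetime.now()
        db.session.add(post)
        db.session.commit()
        return redirect(url_for('blog.post', post_id=post.id))

    # The original aborted with 403 whenever the form did not validate, which
    # also covered the plain GET that should show the edit form, so the
    # pre-filled render below was unreachable.
    form.title.data = post.title
    form.text.data = post.text
    return render_template('edit_post.html', form=form, post=post)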
def update_user():
    """Update the currently logged-in user's profile.

    Role and active flags are removed from the form and cannot be changed
    here.  The identity must satisfy the user's own ``UserNeed`` or the
    ``admin`` role (``perm.test()`` raises otherwise).  A new username or
    e-mail is rejected when it is already in use.
    """
    user = current_user
    form = UserForm(request.form, obj=user)
    # Privileged fields are not self-service.
    del form.role
    del form.is_active

    perm = Permission(UserNeed(user.id), RoleNeed('admin'))
    perm.test()

    def _reject(field, message):
        # Flash the message and mark the offending field.
        flash(message, "alert-danger")
        field.errors.append('Please correct this field')

    if form.validate_on_submit():
        new_username = form.username.data
        new_email = form.email.data
        if new_username != user.username and User.username_is_in_use(new_username):
            _reject(form.username,
                    "This username is already been used. Please choose another one!")
        elif new_email != user.email and User.email_is_in_use(new_email):
            _reject(form.email,
                    "This email is already been used. Please choose another one!")
        else:
            form.populate_obj(user)
            db.session.commit()
            flash("Informations updated", "alert-info")
            return redirect(url_for('dashboard.index'))

    return render_template("user/update.html", form=form, user=current_user)
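    def post(self):
        """Create a user; requires ``('users', 'write')`` (403 otherwise).

        ``username`` and ``email`` are mandatory, ``mobile_number`` only when
        ``ENABLE_2FA`` is on.  A duplicate username/e-mail yields 409; on
        success the new account's token is returned.
        """
        with Permission(('users', 'write')).require(403):
            parser = reqparse.RequestParser()
            parser.add_argument('username', type=str, required=True)
            parser.add_argument('email', type=str, required=True)
            parser.add_argument('mobile_number',
                                type=str,
                                required=app.config['ENABLE_2FA'])

            args = parser.parse_args()

            # Presumably guards empty strings, which ``required`` alone does
            # not reject.
            if not args['username']:
                abort(400, 'missing username')
            if not args['email']:
                abort(400, 'missing email')

            try:
                user = User(username=args['username'],
                            email=args['email'],
                            mobile_number=args['mobile_number'])
                if app.config['AUTO_ACTIVATE_NEW_USER']:
                    user.active = True
            except ValueError as err:
                # Bad input is reported by the model as ValueError.
                abort(400, str(err))

            db.session.add(user)
            try:
                db.session.commit()
            except sqlalchemy.exc.IntegrityError:
                # Leave the session usable after the failed flush, as the
                # appcontext endpoint does; the exception object itself is
                # not needed.
                db.session.rollback()
                abort(409, 'an account with the same username/email already exists')

            token = user.generate_token()

            return {"token": token}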
def has_roles(*args: Iterable[str]):
    """Decorator factory requiring the identity to satisfy the given roles.

    Each positional argument is either a role name (mapped to one
    ``Permission``) or a list of role names (mapped to a list of
    ``Permission`` objects); how that structure is evaluated is up to
    ``check_roles``.  A failing check raises
    ``InvalidUsage.user_not_authorized()``.
    """
    def _as_permissions(role):
        if isinstance(role, list):
            return [Permission(RoleNeed(name)) for name in role]
        return Permission(RoleNeed(role))

    roles = [_as_permissions(role) for role in args]

    def wrapper(fn: Callable):
        @wraps(fn)
        def wrapped(*args, **kwargs):
            identity: Identity = g.identity
            if not check_roles(identity=identity, roles=roles):
                raise InvalidUsage.user_not_authorized()
            return fn(*args, **kwargs)

        return wrapped

    return wrapper
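def edit_post(id):
    """Edit post ``id``; author (``UserNeed``) or admin only, else 403.

    Per the original note, login is enforced by a ``login_required``
    decorator on the route, so only the per-user permission is checked here.
    An unchanged title and text only flash a message; otherwise the post is
    updated and the browser is redirected to it.
    """
    # The former in-body login and owner checks were kept as bare string
    # statements (dead code); they are dropped here since the decorator and
    # the permission below cover them.
    post = Post.query.get_or_404(id)
    permission = Permission(UserNeed(post.user.id))
    if not (permission.can() or admin_permission.can()):
        abort(403)

    form = PostForm()
    if form.validate_on_submit():
        if form.title.data == post.title and form.text.data == post.text:
            flash('no changes detected!', category='message')
        else:
            post.title = form.title.data
            post.text = form.text.data
            post.publish_date = datetime.datetime.now()
            db.session.add(post)
            db.session.commit()
            return redirect(url_for('.post', post_id=post.id))
    # Only the body is pre-filled; the title keeps whatever was submitted.
    form.text.data = post.text
    return render_template('edit.html', form=form, post=post)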
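 def post(self):
     """Create a news item (``requestMethod == "POST"``), inlining its images.

     Every ``<img>`` in ``detail`` is fetched, re-saved as PNG under
     ``aunet/static/Uploads/News`` and embedded as a base64 data URI.  The
     first image's file is kept and recorded as ``imgUrlFirst``; later ones
     are deleted again.  Without images the default image is used.  The
     first 100 characters of the text become the outline.
     """
     import ast  # stdlib only; local so the module header stays untouched

     request_arg = RequestMethod_parser.parse_args()
     request_method = request_arg['requestMethod']
     if request_method == "POST":
         permission = Permission(ActionNeed('添加新闻'))
         if permission.can() is not True:
             abort_if_unauthorized("添加新闻")
         args = News_parser.parse_args()
         category = args['category']
         detail = args['detail']
         title = args['title']
         tags = args['tags']
         # ``tags[0]`` may carry the textual repr of a Python list.  The
         # original eval() executed arbitrary client-supplied text;
         # ast.literal_eval accepts literals only.  Unparsable input is
         # left as received, exactly as the former ``except: pass`` did.
         try:
             tags = list(ast.literal_eval(tags[0]))
         except (TypeError, IndexError, ValueError, SyntaxError):
             pass
         soup = BeautifulSoup(detail, "html.parser")
         image_count = 0
         for img in soup.find_all('img'):
             imgurl = img.get('src')
             # NOTE(review): ``imgurl`` comes straight from client-supplied
             # HTML and is fetched server-side (``request`` here is
             # urllib.request, not flask.request), so the server will fetch
             # whatever URL the client names.  Validate the scheme and host
             # before fetching to contain the server-side request forgery
             # risk.
             with request.urlopen(imgurl) as r:
                 data = r.read()
             i = Image.open(BytesIO(data))
             filename = str(
                 int(random.uniform(1, 1000) + time.time())) + ".png"
             path = os.path.join(app.config['BASEDIR'],
                                 'aunet/static/Uploads/News', filename)
             i.save(path, quality="96")
             # Re-read the saved file and inline it; the original never
             # closed this handle.  .decode("ascii") yields the same text
             # as the former str(...)[2:-1] on base64 output.
             with open(path, "rb") as f:
                 encoded = base64.b64encode(f.read()).decode("ascii")
             img['src'] = "data:image/jpg;base64," + encoded
             image_count += 1
             if image_count > 1:
                 os.remove(path)
             else:
                 img_url_first = "static/Uploads/News/" + filename
         if image_count == 0:
             img_url_first = "static/Uploads/News/1.jpg"  # default news image
         outline = soup.get_text()[:100]
         news = News(soup.prettify(), title, outline, img_url_first)
         db.session.add(news)
         db.session.commit()
         news.addCategory(category)
         for tag in tags:
             t = Tag.query.filter_by(name=tag).first()
             abort_if_not_exist(t, "tag")
             news.tags.append(t)
         db.session.add(news)
         db.session.commit()
     else:
         abort(404, message="api not found")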