def _check_for_user_lockout(original_object): """ Only to be called when the current user is known to have PERMIT_ADMIN_USERS permission, checks that the current user hasn't locked themselves out from user administration. Also checks that the admin user's administration permission has not been accidentally revoked. If a lockout has occurred, the supplied original object is re-saved and a ParameterError is raised. """ user_ids = [get_session_user_id(), 1] for user_id in user_ids: db_user = data_engine.get_user(user_id=user_id) if db_user: try: # Require user administration if not permissions_engine.is_permitted( SystemPermissions.PERMIT_ADMIN_USERS, db_user): raise ParameterError() # For the admin user, also require permissions administration if user_id == 1 and not permissions_engine.is_permitted( SystemPermissions.PERMIT_ADMIN_PERMISSIONS, db_user): raise ParameterError() except ParameterError: # Roll back permissions data_engine.save_object(original_object) permissions_engine.reset() # Raise API error who = 'the \'admin\' user' if user_id == 1 else 'you' raise ParameterError( 'This change would lock %s out of administration' % who)
def _check_for_user_lockout(original_object): """ Only to be called when the current user is known to have PERMIT_ADMIN_USERS permission, checks that the current user hasn't locked themselves out from user administration. Also checks that the admin user's administration permission has not been accidentally revoked. If a lockout has occurred, the supplied original object is re-saved and a ParameterError is raised. """ user_ids = [get_session_user_id(), 1] for user_id in user_ids: db_user = data_engine.get_user(user_id=user_id) if db_user: try: # Require user administration if not permissions_engine.is_permitted( SystemPermissions.PERMIT_ADMIN_USERS, db_user ): raise ParameterError() # For the admin user, also require permissions administration if user_id == 1 and not permissions_engine.is_permitted( SystemPermissions.PERMIT_ADMIN_PERMISSIONS, db_user ): raise ParameterError() except ParameterError: # Roll back permissions data_engine.save_object(original_object) permissions_engine.reset() # Raise API error who = 'the \'admin\' user' if user_id == 1 else 'you' raise ParameterError( 'This change would lock %s out of administration' % who )
def post(self, group_id): params = self._get_validated_object_parameters(request.form) group = data_engine.get_group(group_id=group_id, load_users=True) if group is None: raise DoesNotExistError(str(group_id)) # Check permissions! The current user must have user admin to be here. # But if they don't also have permissions admin or superuser then we # must block the change if the new group would grant one of the same. if group.permissions.admin_permissions or group.permissions.admin_all: if not permissions_engine.is_permitted( SystemPermissions.PERMIT_ADMIN_PERMISSIONS, get_session_user()): raise SecurityError( 'You cannot add users to a group that ' + 'grants permissions administration, because you do not ' + 'have permissions administration access yourself.') user = data_engine.get_user(user_id=params['user_id']) if user is not None: if user not in group.users: group.users.append(user) data_engine.save_object(group) reset_user_sessions(user) permissions_engine.reset() return make_api_success_response()
def post(self, group_id): params = self._get_validated_object_parameters(request.form) group = data_engine.get_group(group_id=group_id, load_users=True) if group is None: raise DoesNotExistError(str(group_id)) # Check permissions! The current user must have user admin to be here. # But if they don't also have permissions admin or superuser then we # must block the change if the new group would grant one of the same. if group.permissions.admin_permissions or group.permissions.admin_all: if not permissions_engine.is_permitted( SystemPermissions.PERMIT_ADMIN_PERMISSIONS, get_session_user() ): raise SecurityError( 'You cannot add users to a group that ' + 'grants permissions administration, because you do not ' + 'have permissions administration access yourself.' ) user = data_engine.get_user(user_id=params['user_id']) if user is not None: if user not in group.users: group.users.append(user) data_engine.save_object(group) permissions_engine.reset() return make_api_success_response()
def _set_permissions(self, group, params): # Apply default permissions if this is a new group if not group.permissions: group.permissions = SystemPermissions(group, False, False, False, False, False, False, False) # Update permissions only if the current user has permissions admin if permissions_engine.is_permitted( SystemPermissions.PERMIT_ADMIN_PERMISSIONS, get_session_user()): group.permissions.folios = params['access_folios'] group.permissions.reports = params['access_reports'] group.permissions.admin_users = params['access_admin_users'] group.permissions.admin_files = params['access_admin_files'] group.permissions.admin_folios = params['access_admin_folios'] group.permissions.admin_permissions = params[ 'access_admin_permissions'] group.permissions.admin_all = params['access_admin_all'] return True return False
def _set_permissions(self, group, params): # Apply default permissions if this is a new group if not group.permissions: group.permissions = SystemPermissions( group, False, False, False, False, False, False, False ) # Update permissions only if the current user has permissions admin if permissions_engine.is_permitted( SystemPermissions.PERMIT_ADMIN_PERMISSIONS, get_session_user() ): group.permissions.folios = params['access_folios'] group.permissions.reports = params['access_reports'] group.permissions.admin_users = params['access_admin_users'] group.permissions.admin_files = params['access_admin_files'] group.permissions.admin_folios = params['access_admin_folios'] group.permissions.admin_permissions = params['access_admin_permissions'] group.permissions.admin_all = params['access_admin_all'] return True return False