def authenticate_v2(self, request, key):
try:
token = TokenV2.objects.get(key=key)
except TokenV2.DoesNotExist:
# Continue authentication in token v1
return None
if token.wiped_at:
raise DeviceRemoteWipedException('Device set to be remote wiped')
try:
user = User.objects.get(email=token.user)
except User.DoesNotExist:
raise AuthenticationFailed('User inactive or deleted')
if MULTI_TENANCY:
orgs = ccnet_api.get_orgs_by_user(token.user)
if orgs:
user.org = orgs[0]
if user.is_active:
need_save = False
# We update the device's last_login_ip, client_version, platform_version if changed
ip = get_client_ip(request)
if ip and ip != token.last_login_ip:
token.last_login_ip = ip
need_save = True
client_version = request.META.get(HEADER_CLIENT_VERSION, '')
if client_version and client_version != token.client_version:
token.client_version = client_version
need_save = True
platform_version = request.META.get(HEADER_PLATFORM_VERSION, '')
if platform_version and platform_version != token.platform_version:
token.platform_version = platform_version
need_save = True
if not within_time_range(token.last_accessed, datetime.datetime.now(), 10 * 60):
# We only need 10min precision for the last_accessed field
need_save = True
if need_save:
try:
token.save()
except:
logger.exception('error when save token v2:')
return (user, token)
def process_request(self, request):
username = request.user.username
request.user.org = None
if CLOUD_MODE:
request.cloud_mode = True
if MULTI_TENANCY:
orgs = ccnet_api.get_orgs_by_user(username)
if orgs:
request.user.org = orgs[0]
else:
request.cloud_mode = False
return None
def authenticate_v1(self, request, key):
try:
token = Token.objects.get(key=key)
except Token.DoesNotExist:
raise AuthenticationFailed('Invalid token')
try:
user = User.objects.get(email=token.user)
except User.DoesNotExist:
raise AuthenticationFailed('User inactive or deleted')
if MULTI_TENANCY:
orgs = ccnet_api.get_orgs_by_user(token.user)
if orgs:
user.org = orgs[0]
if user.is_active:
return (user, token)
def put(self, request, repo_id, format=None):
""" transfer a library
Permission checking:
1. only admin can perform this action.
"""
repo = seafile_api.get_repo(repo_id)
if not repo:
error_msg = 'Library %s not found.' % repo_id
return api_error(status.HTTP_404_NOT_FOUND, error_msg)
new_owner = request.data.get('owner', None)
if not new_owner:
error_msg = 'owner invalid.'
return api_error(status.HTTP_400_BAD_REQUEST, error_msg)
try:
User.objects.get(email=new_owner)
except User.DoesNotExist:
error_msg = 'User %s not found.' % new_owner
return api_error(status.HTTP_404_NOT_FOUND, error_msg)
if is_org_context(request):
try:
if seafserv_threaded_rpc.get_org_id_by_repo_id(repo_id) > 0:
error_msg = 'Can not transfer organization library.'
return api_error(status.HTTP_403_FORBIDDEN, error_msg)
if ccnet_api.get_orgs_by_user(new_owner):
error_msg = 'Can not transfer library to organization user %s' % new_owner
return api_error(status.HTTP_403_FORBIDDEN, error_msg)
except Exception as e:
logger.error(e)
error_msg = 'Internal Server Error'
return api_error(status.HTTP_500_INTERNAL_SERVER_ERROR, error_msg)
seafile_api.set_repo_owner(repo_id, new_owner)
repo = seafile_api.get_repo(repo_id)
repo_info = get_repo_info(repo)
return Response(repo_info)
def _populate_user_quota_usage(user):
"""Populate space/share quota to user.
Arguments:
- `user`:
"""
orgs = ccnet_api.get_orgs_by_user(user.email)
try:
if orgs:
user.org = orgs[0]
org_id = user.org.org_id
user.space_usage = seafile_api.get_org_user_quota_usage(
org_id, user.email)
user.space_quota = seafile_api.get_org_user_quota(
org_id, user.email)
else:
user.space_usage = seafile_api.get_user_self_usage(user.email)
user.space_quota = seafile_api.get_user_quota(user.email)
except SearpcError as e:
logger.error(e)
user.space_usage = -1
user.space_quota = -1
def post(self, request):
# argument check
operation = request.data.get('operation', None)
if not operation:
error_msg = 'operation invalid.'
return api_error(status.HTTP_400_BAD_REQUEST, error_msg)
# operation could be `share`, `unshare`, `delete`, `transfer`
# we now only use `share`, `unshare`
if operation not in ('share', 'unshare'):
error_msg = 'operation can only be "share", "unshare".'
return api_error(status.HTTP_400_BAD_REQUEST, error_msg)
result = {}
result['failed'] = []
result['success'] = []
username = request.user.username
repo_id_list = request.data.getlist('repo_id')
valid_repo_id_list = []
# filter out invalid repo id
for repo_id in repo_id_list:
if not seafile_api.get_repo(repo_id):
result['failed'].append({
'repo_id':
repo_id,
'error_msg':
'Library %s not found.' % repo_id
})
continue
repo_owner = get_repo_owner(request, repo_id)
if repo_owner != username and not is_repo_admin(username, repo_id):
result['failed'].append({
'repo_id': repo_id,
'error_msg': 'Permission denied.'
})
continue
valid_repo_id_list.append(repo_id)
# share repo
if operation == 'share':
share_type = request.data.get('share_type', None)
if not share_type:
error_msg = 'share_type invalid.'
return api_error(status.HTTP_400_BAD_REQUEST, error_msg)
if share_type not in ('user', 'group'):
error_msg = 'share_type can only be "user", "group".'
return api_error(status.HTTP_400_BAD_REQUEST, error_msg)
permission = request.data.get('permission', 'rw')
if permission not in [
PERMISSION_READ, PERMISSION_READ_WRITE, PERMISSION_ADMIN
]:
error_msg = 'permission invalid.'
return api_error(status.HTTP_400_BAD_REQUEST, error_msg)
# share repo to user
if share_type == 'user':
to_username = request.data.get('username', None)
if not to_username:
error_msg = 'username invalid.'
return api_error(status.HTTP_400_BAD_REQUEST, error_msg)
try:
User.objects.get(email=to_username)
except User.DoesNotExist:
error_msg = 'User %s not found.' % to_username
return api_error(status.HTTP_404_NOT_FOUND, error_msg)
# check if to_user is an org user
try:
org_of_to_user = ccnet_api.get_orgs_by_user(to_username)
except Exception as e:
logger.error(e)
org_of_to_user = []
if is_org_context(request):
org_id = request.user.org.org_id
org_name = request.user.org.org_name
if len(org_of_to_user
) == 0 or org_id != org_of_to_user[0].org_id:
error_msg = 'User %s is not member of organization %s.' \
% (to_username, org_name)
return api_error(status.HTTP_403_FORBIDDEN, error_msg)
else:
if len(org_of_to_user) >= 1:
error_msg = 'User %s is member of organization %s.' \
% (to_username, org_of_to_user[0].org_name)
return api_error(status.HTTP_403_FORBIDDEN, error_msg)
for repo_id in valid_repo_id_list:
if self.has_shared_to_user(request, repo_id, to_username):
result['failed'].append({
'repo_id':
repo_id,
'error_msg':
'This item has been shared to %s.' % to_username
})
continue
try:
org_id = None
if is_org_context(request):
org_id = request.user.org.org_id
seaserv.seafserv_threaded_rpc.org_add_share(
org_id, repo_id, username, to_username,
permission)
else:
seafile_api.share_repo(repo_id, username,
to_username, permission)
# send a signal when sharing repo successful
repo = seafile_api.get_repo(repo_id)
share_repo_to_user_successful.send(sender=None,
from_user=username,
to_user=to_username,
repo=repo,
path='/',
org_id=org_id)
result['success'].append({
"repo_id": repo_id,
"username": to_username,
"permission": permission
})
send_perm_audit_msg('add-repo-perm', username,
to_username, repo_id, '/',
permission)
except Exception as e:
logger.error(e)
result['failed'].append({
'repo_id':
repo_id,
'error_msg':
'Internal Server Error'
})
# share repo to group
if share_type == 'group':
to_group_id = request.data.get('group_id', None)
if not to_group_id:
error_msg = 'group_id invalid.'
return api_error(status.HTTP_400_BAD_REQUEST, error_msg)
try:
to_group_id = int(to_group_id)
except ValueError:
error_msg = 'group_id invalid.'
return api_error(status.HTTP_400_BAD_REQUEST, error_msg)
group = ccnet_api.get_group(to_group_id)
if not group:
error_msg = 'Group %s not found.' % to_group_id
return api_error(status.HTTP_404_NOT_FOUND, error_msg)
group_name = group.group_name
if not is_group_member(to_group_id, username):
error_msg = 'User %s is not member of group %s.' % (
username, group_name)
return api_error(status.HTTP_403_FORBIDDEN, error_msg)
for repo_id in valid_repo_id_list:
if self.has_shared_to_group(request, repo_id, to_group_id):
result['failed'].append({
'repo_id':
repo_id,
'error_msg':
'This item has been shared to %s.' % group_name
})
continue
try:
org_id = None
if is_org_context(request):
org_id = request.user.org.org_id
seafile_api.add_org_group_repo(
repo_id, org_id, to_group_id, username,
permission)
else:
seafile_api.set_group_repo(repo_id, to_group_id,
username, permission)
# send a signal when sharing repo successful
repo = seafile_api.get_repo(repo_id)
share_repo_to_group_successful.send(
sender=None,
from_user=username,
group_id=to_group_id,
repo=repo,
path='/',
org_id=org_id)
result['success'].append({
"repo_id": repo_id,
"group_id": to_group_id,
"group_name": group_name,
"permission": permission
})
send_perm_audit_msg('add-repo-perm', username,
to_group_id, repo_id, '/',
permission)
except SearpcError as e:
logger.error(e)
result['failed'].append({
'repo_id':
repo_id,
'error_msg':
'Internal Server Error'
})
# unshare repo
if operation == 'unshare':
share_type = request.data.get('share_type', None)
if not share_type:
error_msg = 'share_type invalid.'
return api_error(status.HTTP_400_BAD_REQUEST, error_msg)
if share_type not in ('user', 'group'):
error_msg = 'share_type can only be "user", "group".'
return api_error(status.HTTP_400_BAD_REQUEST, error_msg)
# unshare repo from user
if share_type == 'user':
to_username = request.data.get('username', None)
if not to_username:
error_msg = 'username invalid.'
return api_error(status.HTTP_400_BAD_REQUEST, error_msg)
for repo_id in valid_repo_id_list:
if not self.has_shared_to_user(request, repo_id,
to_username):
result['failed'].append({
'repo_id':
repo_id,
'error_msg':
'This item has not been shared to %s.' %
to_username
})
continue
repo_owner = get_repo_owner(request, repo_id)
try:
# get share permission before unshare operation
permission = check_user_share_out_permission(
repo_id, '/', to_username, is_org_context(request))
if is_org_context(request):
# when calling seafile API to share authority related functions, change the uesrname to repo owner.
org_id = request.user.org.org_id
seafile_api.org_remove_share(
org_id, repo_id, repo_owner, to_username)
else:
seafile_api.remove_share(repo_id, repo_owner,
to_username)
# Delete share permission at ExtraSharePermission table.
ExtraSharePermission.objects.delete_share_permission(
repo_id, to_username)
# send message
send_perm_audit_msg('delete-repo-perm', username,
to_username, repo_id, '/',
permission)
result['success'].append({
"repo_id": repo_id,
"username": to_username,
})
except Exception as e:
logger.error(e)
result['failed'].append({
'repo_id':
repo_id,
'error_msg':
'Internal Server Error'
})
# unshare repo from group
if share_type == 'group':
to_group_id = request.data.get('group_id', None)
if not to_group_id:
error_msg = 'group_id invalid.'
return api_error(status.HTTP_400_BAD_REQUEST, error_msg)
try:
to_group_id = int(to_group_id)
except ValueError:
error_msg = 'group_id invalid.'
return api_error(status.HTTP_400_BAD_REQUEST, error_msg)
group = ccnet_api.get_group(to_group_id)
group_name = group.group_name if group else ''
for repo_id in valid_repo_id_list:
if not self.has_shared_to_group(request, repo_id,
to_group_id):
result['failed'].append({
'repo_id':
repo_id,
'error_msg':
'This item has not been shared to %s.' % group_name
})
continue
try:
# get share permission before unshare operation
permission = check_group_share_out_permission(
repo_id, '/', to_group_id, is_org_context(request))
org_id = None
if is_org_context(request):
org_id = request.user.org.org_id
seafile_api.del_org_group_repo(
repo_id, org_id, to_group_id)
else:
seafile_api.unset_group_repo(
repo_id, to_group_id, username)
# Delete share permission at ExtraSharePermission table.
ExtraGroupsSharePermission.objects.delete_share_permission(
repo_id, to_group_id)
# send message
send_perm_audit_msg('delete-repo-perm', username,
to_group_id, repo_id, '/',
permission)
result['success'].append({
"repo_id": repo_id,
"group_id": to_group_id,
"group_name": group_name,
})
except SearpcError as e:
logger.error(e)
result['failed'].append({
'repo_id':
repo_id,
'error_msg':
'Internal Server Error'
})
return Response(result)
def get(self, request, format=None):
""" List 'all' libraries (by name/owner/page)
Permission checking:
1. only admin can perform this action.
"""
if not request.user.admin_permissions.can_manage_library():
return api_error(status.HTTP_403_FORBIDDEN, 'Permission denied.')
order_by = request.GET.get('order_by', '').lower().strip()
if order_by and order_by not in ('size', 'file_count'):
error_msg = 'order_by invalid.'
return api_error(status.HTTP_400_BAD_REQUEST, error_msg)
# search libraries (by name/owner)
repo_name = request.GET.get('name', '')
owner = request.GET.get('owner', '')
repos = []
if repo_name and owner:
# search by name and owner
orgs = ccnet_api.get_orgs_by_user(owner)
if orgs:
org_id = orgs[0].org_id
owned_repos = seafile_api.get_org_owned_repo_list(
org_id, owner)
else:
owned_repos = seafile_api.get_owned_repo_list(owner)
for repo in owned_repos:
if not repo.name or repo.is_virtual:
continue
if repo_name in repo.name:
repo_info = get_repo_info(repo)
repos.append(repo_info)
return Response({
"name": repo_name,
"owner": owner,
"repos": repos
})
elif repo_name:
# search by name(keyword in name)
repos_all = seafile_api.get_repo_list(-1, -1)
for repo in repos_all:
if not repo.name or repo.is_virtual:
continue
if repo_name in repo.name:
repo_info = get_repo_info(repo)
repos.append(repo_info)
return Response({"name": repo_name, "owner": '', "repos": repos})
elif owner:
# search by owner
orgs = ccnet_api.get_orgs_by_user(owner)
if orgs:
org_id = orgs[0].org_id
owned_repos = seafile_api.get_org_owned_repo_list(
org_id, owner)
else:
owned_repos = seafile_api.get_owned_repo_list(owner)
for repo in owned_repos:
if repo.is_virtual:
continue
repo_info = get_repo_info(repo)
repos.append(repo_info)
return Response({"name": '', "owner": owner, "repos": repos})
# get libraries by page
try:
current_page = int(request.GET.get('page', '1'))
per_page = int(request.GET.get('per_page', '100'))
except ValueError:
current_page = 1
per_page = 100
start = (current_page - 1) * per_page
limit = per_page + 1
if order_by:
repos_all = seafile_api.get_repo_list(start, limit, order_by)
else:
repos_all = seafile_api.get_repo_list(start, limit)
if len(repos_all) > per_page:
repos_all = repos_all[:per_page]
has_next_page = True
else:
has_next_page = False
default_repo_id = get_system_default_repo_id()
repos_all = [r for r in repos_all if not r.is_virtual]
repos_all = [r for r in repos_all if r.repo_id != default_repo_id]
return_results = []
for repo in repos_all:
repo_info = get_repo_info(repo)
return_results.append(repo_info)
page_info = {
'has_next_page': has_next_page,
'current_page': current_page
}
return Response({"page_info": page_info, "repos": return_results})
def get(self, request):
"""Search user from DB, LDAPImport and Profile
Permission checking:
1. only admin can perform this action.
"""
if not request.user.admin_permissions.can_manage_user():
return api_error(status.HTTP_403_FORBIDDEN, 'Permission denied.')
query_str = request.GET.get('query', '').lower()
if not query_str:
error_msg = 'query invalid.'
return api_error(status.HTTP_400_BAD_REQUEST, error_msg)
users = []
# search user from ccnet db
users += ccnet_api.search_emailusers('DB', query_str, 0, 10)
# search user from ccnet ldapimport
users += ccnet_api.search_emailusers('LDAP', query_str, 0, 10)
ccnet_user_emails = [u.email for u in users]
# get institution for user from ccnet
if getattr(settings, 'MULTI_INSTITUTION', False):
user_institution_dict = {}
profiles = Profile.objects.filter(user__in=ccnet_user_emails)
for profile in profiles:
email = profile.user
if email not in user_institution_dict:
user_institution_dict[email] = profile.institution
for user in users:
user.institution = user_institution_dict.get(user.email, '')
# search user from profile
searched_profile = Profile.objects.filter(
(Q(nickname__icontains=query_str))
| Q(contact_email__icontains=query_str))[:10]
for profile in searched_profile:
email = profile.user
institution = profile.institution
# remove duplicate emails
if email not in ccnet_user_emails:
try:
# get is_staff and is_active info
user = User.objects.get(email=email)
user.institution = institution
users.append(user)
except User.DoesNotExist:
continue
data = []
for user in users:
info = {}
info['email'] = user.email
info['name'] = email2nickname(user.email)
info['contact_email'] = email2contact_email(user.email)
info['is_staff'] = user.is_staff
info['is_active'] = user.is_active
info['source'] = user.source.lower()
orgs = ccnet_api.get_orgs_by_user(user.email)
if orgs:
org_id = orgs[0].org_id
info['org_id'] = org_id
info['org_name'] = orgs[0].org_name
info['quota_usage'] = seafile_api.get_org_user_quota_usage(
org_id, user.email)
info['quota_total'] = seafile_api.get_org_user_quota(
org_id, user.email)
else:
info['quota_usage'] = seafile_api.get_user_self_usage(
user.email)
info['quota_total'] = seafile_api.get_user_quota(user.email)
info['create_time'] = timestamp_to_isoformat_timestr(user.ctime)
last_login_obj = UserLastLogin.objects.get_by_username(user.email)
info['last_login'] = datetime_to_isoformat_timestr(
last_login_obj.last_login) if last_login_obj else ''
info['role'] = get_user_role(user)
if getattr(settings, 'MULTI_INSTITUTION', False):
info['institution'] = user.institution
data.append(info)
result = {'user_list': data}
return Response(result)
def get(self, request):
"""List all users in DB or LDAPImport
Permission checking:
1. only admin can perform this action.
"""
if not request.user.admin_permissions.can_manage_user():
return api_error(status.HTTP_403_FORBIDDEN, 'Permission denied.')
# parameter check
try:
page = int(request.GET.get('page', '1'))
per_page = int(request.GET.get('per_page', '25'))
except ValueError:
page = 1
per_page = 25
start = (page - 1) * per_page
source = request.GET.get('source', 'DB').lower().strip()
if source not in ['db', 'ldapimport']:
# source: 'DB' or 'LDAPImport', default is 'DB'
error_msg = 'source %s invalid.' % source
return api_error(status.HTTP_400_BAD_REQUEST, error_msg)
order_by = request.GET.get('order_by', '').lower().strip()
if order_by:
if order_by not in ('quota_usage'):
error_msg = 'order_by invalid.'
return api_error(status.HTTP_400_BAD_REQUEST, error_msg)
direction = request.GET.get('direction', 'desc').lower().strip()
if direction not in ('asc', 'desc'):
error_msg = 'direction invalid.'
return api_error(status.HTTP_400_BAD_REQUEST, error_msg)
if source == 'db':
total_count = ccnet_api.count_emailusers('DB') + \
ccnet_api.count_inactive_emailusers('DB')
if order_by:
if total_count > 500 and \
not getattr(settings, 'ALWAYS_SORT_USERS_BY_QUOTA_USAGE', False):
error_msg = _(
"There are more than 500 users, and sort is not offered."
)
return api_error(status.HTTP_400_BAD_REQUEST, error_msg)
try:
data = self.get_info_of_users_order_by_quota_usage(
source, direction, page, per_page)
except Exception as e:
logger.error(e)
error_msg = 'Internal Server Error'
return api_error(status.HTTP_500_INTERNAL_SERVER_ERROR,
error_msg)
result = {'data': data, 'total_count': total_count}
return Response(result)
else:
users = ccnet_api.get_emailusers('DB', start, per_page)
elif source == 'ldapimport':
# api param is 'LDAP', but actually get count of 'LDAPImport' users
total_count = ccnet_api.count_emailusers('LDAP') + \
ccnet_api.count_inactive_emailusers('LDAP')
if order_by:
if total_count > 500 and \
not getattr(settings, 'ALWAYS_SORT_USERS_BY_QUOTA_USAGE', False):
error_msg = _(
"There are more than 500 users, and sort is not offered."
)
return api_error(status.HTTP_400_BAD_REQUEST, error_msg)
try:
data = self.get_info_of_users_order_by_quota_usage(
source, direction, page, per_page)
except Exception as e:
logger.error(e)
error_msg = 'Internal Server Error'
return api_error(status.HTTP_500_INTERNAL_SERVER_ERROR,
error_msg)
result = {'data': data, 'total_count': total_count}
return Response(result)
else:
users = ccnet_api.get_emailusers('LDAPImport', start, per_page)
data = []
for user in users:
profile = Profile.objects.get_profile_by_user(user.email)
info = {}
info['email'] = user.email
info['name'] = email2nickname(user.email)
info['contact_email'] = email2contact_email(user.email)
info[
'login_id'] = profile.login_id if profile and profile.login_id else ''
info['is_staff'] = user.is_staff
info['is_active'] = user.is_active
orgs = ccnet_api.get_orgs_by_user(user.email)
try:
if orgs:
org_id = orgs[0].org_id
info['org_id'] = org_id
info['org_name'] = orgs[0].org_name
info['quota_usage'] = seafile_api.get_org_user_quota_usage(
org_id, user.email)
info['quota_total'] = seafile_api.get_org_user_quota(
org_id, user.email)
else:
info['quota_usage'] = seafile_api.get_user_self_usage(
user.email)
info['quota_total'] = seafile_api.get_user_quota(
user.email)
except Exception as e:
logger.error(e)
info['quota_usage'] = -1
info['quota_total'] = -1
info['create_time'] = timestamp_to_isoformat_timestr(user.ctime)
last_login_obj = UserLastLogin.objects.get_by_username(user.email)
info['last_login'] = datetime_to_isoformat_timestr(
last_login_obj.last_login) if last_login_obj else ''
info['role'] = get_user_role(user)
if getattr(settings, 'MULTI_INSTITUTION', False):
info['institution'] = profile.institution if profile else ''
data.append(info)
result = {'data': data, 'total_count': total_count}
return Response(result)
def get(self, request):
"""List all admins from database and ldap imported
"""
if not request.user.admin_permissions.can_manage_user():
return api_error(status.HTTP_403_FORBIDDEN, 'Permission denied.')
try:
admin_users = ccnet_api.get_superusers()
except Exception as e:
logger.error(e)
error_msg = 'Internal Server Error'
return api_error(status.HTTP_500_INTERNAL_SERVER_ERROR, error_msg)
admin_users_info = []
for user in admin_users:
user_info = {}
profile = Profile.objects.get_profile_by_user(user.email)
user_info['email'] = user.email
user_info['name'] = email2nickname(user.email)
user_info['contact_email'] = email2contact_email(user.email)
user_info[
'login_id'] = profile.login_id if profile and profile.login_id else ''
user_info['is_staff'] = user.is_staff
user_info['is_active'] = user.is_active
orgs = ccnet_api.get_orgs_by_user(user.email)
try:
if orgs:
org_id = orgs[0].org_id
user_info['org_id'] = org_id
user_info['org_name'] = orgs[0].org_name
user_info[
'quota_usage'] = seafile_api.get_org_user_quota_usage(
org_id, user.email)
user_info['quota_total'] = seafile_api.get_org_user_quota(
org_id, user.email)
else:
user_info['quota_usage'] = seafile_api.get_user_self_usage(
user.email)
user_info['quota_total'] = seafile_api.get_user_quota(
user.email)
except Exception as e:
logger.error(e)
user_info['quota_usage'] = -1
user_info['quota_total'] = -1
user_info['create_time'] = timestamp_to_isoformat_timestr(
user.ctime)
last_login_obj = UserLastLogin.objects.get_by_username(user.email)
user_info['last_login'] = datetime_to_isoformat_timestr(
last_login_obj.last_login) if last_login_obj else ''
try:
admin_role = AdminRole.objects.get_admin_role(user.email)
user_info['admin_role'] = admin_role.role
except AdminRole.DoesNotExist:
user_info['admin_role'] = DEFAULT_ADMIN
admin_users_info.append(user_info)
result = {
'admin_user_list': admin_users_info,
}
return Response(result)
def delete(self):
"""
When delete user, we should also delete group relationships.
"""
if self.source == "DB":
source = "DB"
else:
source = "LDAP"
username = self.username
orgs = []
if is_pro_version():
orgs = ccnet_api.get_orgs_by_user(username)
# remove owned repos
owned_repos = []
if orgs:
for org in orgs:
owned_repos += seafile_api.get_org_owned_repo_list(
org.org_id, username)
else:
owned_repos += seafile_api.get_owned_repo_list(username)
for r in owned_repos:
seafile_api.remove_repo(r.id)
# remove shared in repos
shared_in_repos = []
if orgs:
for org in orgs:
org_id = org.org_id
shared_in_repos = seafile_api.get_org_share_in_repo_list(
org_id, username, -1, -1)
for r in shared_in_repos:
seafile_api.org_remove_share(org_id, r.repo_id, r.user,
username)
else:
shared_in_repos = seafile_api.get_share_in_repo_list(
username, -1, -1)
for r in shared_in_repos:
seafile_api.remove_share(r.repo_id, r.user, username)
ExtraSharePermission.objects.filter(share_to=username).delete()
# clear web api and repo sync token
# when delete user
try:
clear_token(self.username)
except Exception as e:
logger.error(e)
# remove current user from joined groups
ccnet_api.remove_group_user(username)
ccnet_api.remove_emailuser(source, username)
signals.user_deleted.send(sender=self.__class__, username=username)
Profile.objects.delete_profile_by_user(username)
if config.ENABLE_TERMS_AND_CONDITIONS:
from termsandconditions.models import UserTermsAndConditions
UserTermsAndConditions.objects.filter(username=username).delete()
self.delete_user_options(username)
def post(self, request):
# argument check
operation = request.data.get('operation', None)
if not operation:
error_msg = 'operation invalid.'
return api_error(status.HTTP_400_BAD_REQUEST, error_msg)
# operation could be `share`, `unshare`, `delete`, `transfer`
# we now only use `share`, `unshare`
if operation not in ('share', 'unshare'):
error_msg = 'operation can only be "share", "unshare".'
return api_error(status.HTTP_400_BAD_REQUEST, error_msg)
result = {}
result['failed'] = []
result['success'] = []
username = request.user.username
repo_id_list = request.data.getlist('repo_id')
valid_repo_id_list = []
# filter out invalid repo id
for repo_id in repo_id_list:
if not seafile_api.get_repo(repo_id):
result['failed'].append({
'repo_id': repo_id,
'error_msg': 'Library %s not found.' % repo_id
})
continue
repo_owner = get_repo_owner(request, repo_id)
if repo_owner != username and not is_repo_admin(username, repo_id):
result['failed'].append({
'repo_id': repo_id,
'error_msg': 'Permission denied.'
})
continue
valid_repo_id_list.append(repo_id)
# share repo
if operation == 'share':
share_type = request.data.get('share_type', None)
if not share_type:
error_msg = 'share_type invalid.'
return api_error(status.HTTP_400_BAD_REQUEST, error_msg)
if share_type not in ('user', 'group'):
error_msg = 'share_type can only be "user", "group".'
return api_error(status.HTTP_400_BAD_REQUEST, error_msg)
permission = request.data.get('permission', 'rw')
if permission not in get_available_repo_perms():
error_msg = 'permission invalid.'
return api_error(status.HTTP_400_BAD_REQUEST, error_msg)
# share repo to user
if share_type == 'user':
to_username = request.data.get('username', None)
if not to_username:
error_msg = 'username invalid.'
return api_error(status.HTTP_400_BAD_REQUEST, error_msg)
try:
User.objects.get(email=to_username)
except User.DoesNotExist:
error_msg = 'User %s not found.' % to_username
return api_error(status.HTTP_404_NOT_FOUND, error_msg)
# check if to_user is an org user
try:
org_of_to_user = ccnet_api.get_orgs_by_user(to_username)
except Exception as e:
logger.error(e)
org_of_to_user = []
if is_org_context(request):
org_id = request.user.org.org_id
org_name = request.user.org.org_name
if len(org_of_to_user) == 0 or org_id != org_of_to_user[0].org_id:
error_msg = 'User %s is not member of organization %s.' \
% (to_username, org_name)
return api_error(status.HTTP_403_FORBIDDEN, error_msg)
else:
if len(org_of_to_user) >= 1:
error_msg = 'User %s is member of organization %s.' \
% (to_username, org_of_to_user[0].org_name)
return api_error(status.HTTP_403_FORBIDDEN, error_msg)
for repo_id in valid_repo_id_list:
if self.has_shared_to_user(request, repo_id, to_username):
result['failed'].append({
'repo_id': repo_id,
'error_msg': 'This item has been shared to %s.' % to_username
})
continue
try:
org_id = None
if is_org_context(request):
org_id = request.user.org.org_id
seaserv.seafserv_threaded_rpc.org_add_share(org_id,
repo_id, username, to_username, permission)
else:
seafile_api.share_repo(
repo_id, username, to_username, permission)
# send a signal when sharing repo successful
repo = seafile_api.get_repo(repo_id)
share_repo_to_user_successful.send(sender=None,
from_user=username,
to_user=to_username,
repo=repo, path='/',
org_id=org_id)
result['success'].append({
"repo_id": repo_id,
"username": to_username,
"permission": permission
})
send_perm_audit_msg('add-repo-perm', username, to_username,
repo_id, '/', permission)
except Exception as e:
logger.error(e)
result['failed'].append({
'repo_id': repo_id,
'error_msg': 'Internal Server Error'
})
# share repo to group
if share_type == 'group':
to_group_id = request.data.get('group_id', None)
if not to_group_id:
error_msg = 'group_id invalid.'
return api_error(status.HTTP_400_BAD_REQUEST, error_msg)
try:
to_group_id = int(to_group_id)
except ValueError:
error_msg = 'group_id invalid.'
return api_error(status.HTTP_400_BAD_REQUEST, error_msg)
group = ccnet_api.get_group(to_group_id)
if not group:
error_msg = 'Group %s not found.' % to_group_id
return api_error(status.HTTP_404_NOT_FOUND, error_msg)
group_name = group.group_name
if not is_group_member(to_group_id, username):
error_msg = 'User %s is not member of group %s.' % (username, group_name)
return api_error(status.HTTP_403_FORBIDDEN, error_msg)
for repo_id in valid_repo_id_list:
if self.has_shared_to_group(request, repo_id, to_group_id):
result['failed'].append({
'repo_id': repo_id,
'error_msg': 'This item has been shared to %s.' % group_name
})
continue
try:
org_id = None
if is_org_context(request):
org_id = request.user.org.org_id
seafile_api.add_org_group_repo(
repo_id, org_id, to_group_id, username, permission)
else:
seafile_api.set_group_repo(
repo_id, to_group_id, username, permission)
# send a signal when sharing repo successful
repo = seafile_api.get_repo(repo_id)
share_repo_to_group_successful.send(sender=None,
from_user=username,
group_id=to_group_id,
repo=repo, path='/',
org_id=org_id)
result['success'].append({
"repo_id": repo_id,
"group_id": to_group_id,
"group_name": group_name,
"permission": permission
})
send_perm_audit_msg('add-repo-perm', username, to_group_id,
repo_id, '/', permission)
except SearpcError as e:
logger.error(e)
result['failed'].append({
'repo_id': repo_id,
'error_msg': 'Internal Server Error'
})
# unshare repo
if operation == 'unshare':
share_type = request.data.get('share_type', None)
if not share_type:
error_msg = 'share_type invalid.'
return api_error(status.HTTP_400_BAD_REQUEST, error_msg)
if share_type not in ('user', 'group'):
error_msg = 'share_type can only be "user", "group".'
return api_error(status.HTTP_400_BAD_REQUEST, error_msg)
# unshare repo from user
if share_type == 'user':
to_username = request.data.get('username', None)
if not to_username:
error_msg = 'username invalid.'
return api_error(status.HTTP_400_BAD_REQUEST, error_msg)
for repo_id in valid_repo_id_list:
if not self.has_shared_to_user(request, repo_id, to_username):
result['failed'].append({
'repo_id': repo_id,
'error_msg': 'This item has not been shared to %s.' % to_username
})
continue
repo_owner = get_repo_owner(request, repo_id)
try:
# get share permission before unshare operation
permission = check_user_share_out_permission(repo_id,
'/', to_username, is_org_context(request))
if is_org_context(request):
# when calling seafile API to share authority related functions, change the uesrname to repo owner.
org_id = request.user.org.org_id
seafile_api.org_remove_share(org_id, repo_id, repo_owner, to_username)
else:
seafile_api.remove_share(repo_id, repo_owner, to_username)
# Delete share permission at ExtraSharePermission table.
ExtraSharePermission.objects.delete_share_permission(repo_id,
to_username)
# send message
send_perm_audit_msg('delete-repo-perm', username,
to_username, repo_id, '/', permission)
result['success'].append({
"repo_id": repo_id,
"username": to_username,
})
except Exception as e:
logger.error(e)
result['failed'].append({
'repo_id': repo_id,
'error_msg': 'Internal Server Error'
})
# unshare repo from group
if share_type == 'group':
to_group_id = request.data.get('group_id', None)
if not to_group_id:
error_msg = 'group_id invalid.'
return api_error(status.HTTP_400_BAD_REQUEST, error_msg)
try:
to_group_id = int(to_group_id)
except ValueError:
error_msg = 'group_id invalid.'
return api_error(status.HTTP_400_BAD_REQUEST, error_msg)
group = ccnet_api.get_group(to_group_id)
group_name = group.group_name if group else ''
for repo_id in valid_repo_id_list:
if not self.has_shared_to_group(request, repo_id, to_group_id):
result['failed'].append({
'repo_id': repo_id,
'error_msg': 'This item has not been shared to %s.' % group_name
})
continue
try:
# get share permission before unshare operation
permission = check_group_share_out_permission(repo_id,
'/', to_group_id, is_org_context(request))
org_id = None
if is_org_context(request):
org_id = request.user.org.org_id
seafile_api.del_org_group_repo(repo_id, org_id, to_group_id)
else:
seafile_api.unset_group_repo(
repo_id, to_group_id, username)
# Delete share permission at ExtraSharePermission table.
ExtraGroupsSharePermission.objects.delete_share_permission(repo_id,
to_group_id)
# send message
send_perm_audit_msg('delete-repo-perm', username,
to_group_id, repo_id, '/', permission)
result['success'].append({
"repo_id": repo_id,
"group_id": to_group_id,
"group_name": group_name,
})
except SearpcError as e:
logger.error(e)
result['failed'].append({
'repo_id': repo_id,
'error_msg': 'Internal Server Error'
})
return Response(result)
def put(self, request, repo_id, format=None):
""" transfer a library, rename a library
Permission checking:
1. only admin can perform this action.
"""
repo = seafile_api.get_repo(repo_id)
if not repo:
error_msg = 'Library %s not found.' % repo_id
return api_error(status.HTTP_404_NOT_FOUND, error_msg)
new_repo_name = request.data.get('name', None)
if new_repo_name:
try:
res = seafile_api.edit_repo(repo_id, new_repo_name, '', None)
except Exception as e:
logger.error(e)
error_msg = 'Internal Server Error'
return api_error(status.HTTP_500_INTERNAL_SERVER_ERROR, error_msg)
if res == -1:
e = 'Admin rename failed: ID of library is %s, edit_repo api called failed.' % \
repo_id
logger.error(e)
error_msg = 'Internal Server Error'
return api_error(status.HTTP_500_INTERNAL_SERVER_ERROR, error_msg)
new_owner = request.data.get('owner', None)
if new_owner:
try:
new_owner_obj = User.objects.get(email=new_owner)
except User.DoesNotExist:
error_msg = 'User %s not found.' % new_owner
return api_error(status.HTTP_404_NOT_FOUND, error_msg)
if not new_owner_obj.permissions.can_add_repo():
error_msg = _(u'Transfer failed: role of %s is %s, can not add library.') % \
(new_owner, new_owner_obj.role)
return api_error(status.HTTP_403_FORBIDDEN, error_msg)
if MULTI_TENANCY:
try:
if seafile_api.get_org_id_by_repo_id(repo_id) > 0:
error_msg = 'Can not transfer organization library.'
return api_error(status.HTTP_403_FORBIDDEN, error_msg)
if ccnet_api.get_orgs_by_user(new_owner):
error_msg = 'Can not transfer library to organization user %s' % new_owner
return api_error(status.HTTP_403_FORBIDDEN, error_msg)
except Exception as e:
logger.error(e)
error_msg = 'Internal Server Error'
return api_error(status.HTTP_500_INTERNAL_SERVER_ERROR, error_msg)
repo_owner = seafile_api.get_repo_owner(repo_id)
if new_owner == repo_owner:
error_msg = _(u"Library can not be transferred to owner.")
return api_error(status.HTTP_400_BAD_REQUEST, error_msg)
# get repo shared to user/group list
shared_users = seafile_api.list_repo_shared_to(
repo_owner, repo_id)
shared_groups = seafile_api.list_repo_shared_group_by_user(
repo_owner, repo_id)
# get all pub repos
pub_repos = []
if not request.cloud_mode:
pub_repos = seafile_api.list_inner_pub_repos_by_owner(repo_owner)
# transfer repo
seafile_api.set_repo_owner(repo_id, new_owner)
# reshare repo to user
for shared_user in shared_users:
shared_username = shared_user.user
if new_owner == shared_username:
continue
seafile_api.share_repo(repo_id, new_owner,
shared_username, shared_user.perm)
# reshare repo to group
for shared_group in shared_groups:
shared_group_id = shared_group.group_id
if not is_group_member(shared_group_id, new_owner):
continue
seafile_api.set_group_repo(repo_id, shared_group_id,
new_owner, shared_group.perm)
# reshare repo to links
try:
UploadLinkShare.objects.filter(username=repo_owner, repo_id=repo_id).update(username=new_owner)
FileShare.objects.filter(username=repo_owner, repo_id=repo_id).update(username=new_owner)
except Exception as e:
logger.error(e)
error_msg = 'Internal Server Error'
return api_error(status.HTTP_500_INTERNAL_SERVER_ERROR, error_msg)
# check if current repo is pub-repo
# if YES, reshare current repo to public
for pub_repo in pub_repos:
if repo_id != pub_repo.id:
continue
seafile_api.add_inner_pub_repo(repo_id, pub_repo.permission)
break
# send admin operation log signal
admin_op_detail = {
"id": repo_id,
"name": repo.name,
"from": repo_owner,
"to": new_owner,
}
admin_operation.send(sender=None, admin_name=request.user.username,
operation=REPO_TRANSFER, detail=admin_op_detail)
repo = seafile_api.get_repo(repo_id)
repo_info = get_repo_info(repo)
return Response(repo_info)
def get(self, request):
""" Get all file access logs.
Permission checking:
1. only admin can perform this action.
"""
if not request.user.admin_permissions.can_view_user_log():
return api_error(status.HTTP_403_FORBIDDEN, 'Permission denied.')
try:
current_page = int(request.GET.get('page', '1'))
per_page = int(request.GET.get('per_page', '100'))
except ValueError:
current_page = 1
per_page = 100
user_selected = request.GET.get('email', None)
if user_selected and not is_valid_email(user_selected):
error_msg = 'email %s invalid.' % user_selected
return api_error(status.HTTP_400_BAD_REQUEST, error_msg)
repo_id_selected = request.GET.get('repo_id', None)
if repo_id_selected and not is_valid_repo_id_format(repo_id_selected):
error_msg = 'repo_id %s invalid.' % repo_id_selected
return api_error(status.HTTP_400_BAD_REQUEST, error_msg)
start = per_page * (current_page - 1)
limit = per_page + 1
if user_selected:
org_id = -1
orgs = ccnet_api.get_orgs_by_user(user_selected)
if orgs:
org_id = orgs[0].org_id
elif repo_id_selected:
org_id = seafile_api.get_org_id_by_repo_id(repo_id_selected)
else:
org_id = 0
# org_id = 0, show all file audit
events = get_file_audit_events(user_selected, org_id, repo_id_selected,
start, limit) or []
if len(events) > per_page:
events = events[:per_page]
has_next_page = True
else:
has_next_page = False
# Use dict to reduce memcache fetch cost in large for-loop.
nickname_dict = {}
contact_email_dict = {}
repo_dict = {}
user_email_set = set()
repo_id_set = set()
for event in events:
user_email_set.add(event.user)
repo_id_set.add(event.repo_id)
for e in user_email_set:
if e not in nickname_dict:
nickname_dict[e] = email2nickname(e)
if e not in contact_email_dict:
contact_email_dict[e] = email2contact_email(e)
for e in repo_id_set:
if e not in repo_dict:
repo_dict[e] = seafile_api.get_repo(e)
events_info = []
for ev in events:
data = {}
user_email = ev.user
data['email'] = user_email
data['name'] = nickname_dict.get(user_email, '')
data['contact_email'] = contact_email_dict.get(user_email, '')
data['ip'] = ev.ip
data['event_type'], data[
'device'] = generate_file_audit_event_type(ev)
data['time'] = utc_datetime_to_isoformat_timestr(ev.timestamp)
repo_id = ev.repo_id
data['repo_id'] = repo_id
repo = repo_dict.get(repo_id, None)
data['repo_name'] = repo.name if repo else ''
if ev.file_path.endswith('/'):
data[
'file_or_dir_name'] = '/' if ev.file_path == '/' else os.path.basename(
ev.file_path.rstrip('/'))
else:
data['file_or_dir_name'] = os.path.basename(ev.file_path)
events_info.append(data)
resp = {
'file_access_log_list': events_info,
'has_next_page': has_next_page,
}
return Response(resp)
def post(self, request):
# argument check
operation = request.data.get('operation')
# operation could be `share`, `delete`, `transfer`
# we now only use `share`
if not operation or operation not in ('share'):
error_msg = 'operation invalid.'
return api_error(status.HTTP_400_BAD_REQUEST, error_msg)
result = {}
result['failed'] = []
result['success'] = []
username = request.user.username
repo_id_list = request.data.getlist('repo_id')
valid_repo_id_list = []
# filter out invalid repo id
for repo_id in repo_id_list:
if not seafile_api.get_repo(repo_id):
result['failed'].append({
'repo_id':
repo_id,
'error_msg':
'Library %s not found.' % repo_id
})
continue
if is_org_context(request):
org_id = request.user.org.org_id
org_repo_owner = seafile_api.get_org_repo_owner(repo_id)
if not username == org_repo_owner:
result['failed'].append({
'repo_id': repo_id,
'error_msg': 'Permission denied.'
})
continue
else:
if not seafile_api.is_repo_owner(username, repo_id):
result['failed'].append({
'repo_id': repo_id,
'error_msg': 'Permission denied.'
})
continue
valid_repo_id_list.append(repo_id)
# share repo
if operation == 'share':
share_type = request.data.get('share_type')
if share_type != 'user' and share_type != 'group':
error_msg = 'share_type invalid.'
return api_error(status.HTTP_400_BAD_REQUEST, error_msg)
permission = request.data.get('permission', 'rw')
if permission not in ('r', 'rw'):
error_msg = 'permission invalid.'
return api_error(status.HTTP_400_BAD_REQUEST, error_msg)
# share repo to user
if share_type == 'user':
to_username = request.data.get('username', None)
if not to_username:
error_msg = 'username invalid.'
return api_error(status.HTTP_400_BAD_REQUEST, error_msg)
try:
User.objects.get(email=to_username)
except User.DoesNotExist:
error_msg = 'User %s not found.' % to_username
return api_error(status.HTTP_404_NOT_FOUND, error_msg)
# check if to_user is an org user
try:
org_of_to_user = ccnet_api.get_orgs_by_user(to_username)
except Exception as e:
logger.debug(e)
org_of_to_user = []
if is_org_context(request):
org_id = request.user.org.org_id
org_name = request.user.org.org_name
if len(org_of_to_user
) == 0 or org_id != org_of_to_user[0].org_id:
error_msg = 'User %s is not member of organization %s.' \
% (to_username, org_name)
return api_error(status.HTTP_403_FORBIDDEN, error_msg)
else:
if len(org_of_to_user) >= 1:
error_msg = 'User %s is member of organization %s.' \
% (to_username, org_of_to_user[0].org_name)
return api_error(status.HTTP_403_FORBIDDEN, error_msg)
for repo_id in valid_repo_id_list:
if self.has_shared_to_user(request, repo_id, to_username):
result['failed'].append({
'repo_id':
repo_id,
'error_msg':
'This item has been shared to %s.' % to_username
})
continue
try:
org_id = None
if is_org_context(request):
org_id = request.user.org.org_id
seaserv.seafserv_threaded_rpc.org_add_share(
org_id, repo_id, username, to_username,
permission)
else:
seafile_api.share_repo(repo_id, username,
to_username, permission)
# send a signal when sharing repo successful
repo = seafile_api.get_repo(repo_id)
share_repo_to_user_successful.send(sender=None,
from_user=username,
to_user=to_username,
repo=repo,
path='/',
org_id=org_id)
result['success'].append({
"repo_id": repo_id,
"username": to_username,
"permission": permission
})
send_perm_audit_msg('add-repo-perm', username,
to_username, repo_id, '/',
permission)
except Exception as e:
logger.error(e)
result['failed'].append({
'repo_id':
repo_id,
'error_msg':
'Internal Server Error'
})
# share repo to group
if share_type == 'group':
to_group_id = request.data.get('group_id', None)
if not to_group_id:
error_msg = 'group_id invalid.'
return api_error(status.HTTP_400_BAD_REQUEST, error_msg)
try:
to_group_id = int(to_group_id)
except ValueError:
error_msg = 'group_id invalid.'
return api_error(status.HTTP_400_BAD_REQUEST, error_msg)
group = ccnet_api.get_group(to_group_id)
if not group:
error_msg = 'Group %s not found.' % to_group_id
return api_error(status.HTTP_404_NOT_FOUND, error_msg)
group_name = group.group_name
if not is_group_member(to_group_id, username):
error_msg = 'User %s is not member of group %s.' % (
username, group_name)
return api_error(status.HTTP_403_FORBIDDEN, error_msg)
for repo_id in valid_repo_id_list:
if self.has_shared_to_group(request, repo_id, to_group_id):
result['failed'].append({
'repo_id':
repo_id,
'error_msg':
'This item has been shared to %s.' % group_name
})
continue
try:
org_id = None
if is_org_context(request):
org_id = request.user.org.org_id
seafile_api.add_org_group_repo(
repo_id, org_id, to_group_id, username,
permission)
else:
seafile_api.set_group_repo(repo_id, to_group_id,
username, permission)
# send a signal when sharing repo successful
repo = seafile_api.get_repo(repo_id)
share_repo_to_group_successful.send(
sender=None,
from_user=username,
group_id=to_group_id,
repo=repo,
path='/',
org_id=org_id)
result['success'].append({
"repo_id": repo_id,
"group_id": to_group_id,
"group_name": group_name,
"permission": permission
})
send_perm_audit_msg('add-repo-perm', username,
to_group_id, repo_id, '/',
permission)
except SearpcError as e:
logger.error(e)
result['failed'].append({
'repo_id':
repo_id,
'error_msg':
'Internal Server Error'
})
return Response(result)
def basic_auth_user(self, realmname, username, password, environ):
if "'" in username:
return False
try:
ccnet_email = None
session = None
if self.session_cls:
session = self.session_cls()
user = api.get_emailuser(username)
if user:
ccnet_email = user.email
else:
if session:
profile_profile = seahub_db.Base.classes.profile_profile
q = session.query(profile_profile.user).filter(profile_profile.contact_email==username)
res = q.first()
if res:
ccnet_email = res[0]
if not ccnet_email:
_logger.warning('User %s doesn\'t exist', username)
return False
enable_webdav_secret = False
if hasattr(seahub_settings, 'ENABLE_WEBDAV_SECRET'):
enable_webdav_secret = seahub_settings.ENABLE_WEBDAV_SECRET
enable_two_factor_auth = False
if session and enableTwoFactorAuth(session, ccnet_email):
enable_two_factor_auth = True
if not enable_webdav_secret and enable_two_factor_auth:
_logger.warning("Two factor auth is enabled, no access to webdav.")
return False
elif enable_webdav_secret and enable_two_factor_auth:
if not validateSecret(session, password, ccnet_email):
return False
elif not enable_webdav_secret and not enable_two_factor_auth:
if api.validate_emailuser(ccnet_email, password) != 0:
return False
else:
if not validateSecret(session, password, ccnet_email) and \
api.validate_emailuser(ccnet_email, password) != 0:
return False
username = ccnet_email
except Exception as e:
_logger.warning('Failed to login: %s', e)
return False
finally:
if session:
session.close()
try:
user = api.get_emailuser_with_import(username)
if user.role == 'guest':
environ['seafile.is_guest'] = True
else:
environ['seafile.is_guest'] = False
except Exception as e:
_logger.exception('get_emailuser')
if multi_tenancy_enabled():
try:
orgs = api.get_orgs_by_user(username)
if orgs:
environ['seafile.org_id'] = orgs[0].org_id
except Exception as e:
_logger.exception('get_orgs_by_user')
pass
environ["http_authenticator.username"] = username
return True
def basic_auth_user(self, realmname, username, password, environ):
if "'" in username:
return False
try:
ccnet_email = None
session = None
if self.session_cls:
session = self.session_cls()
user = api.get_emailuser(username)
if user:
ccnet_email = user.email
else:
if session:
profile_profile = seahub_db.Base.classes.profile_profile
q = session.query(profile_profile.user).filter(
profile_profile.contact_email == username)
res = q.first()
if res:
ccnet_email = res[0]
if not ccnet_email:
_logger.warning('User %s doesn\'t exist', username)
return False
enable_webdav_secret = False
if hasattr(seahub_settings, 'ENABLE_WEBDAV_SECRET'):
enable_webdav_secret = seahub_settings.ENABLE_WEBDAV_SECRET
enable_two_factor_auth = False
if session and enableTwoFactorAuth(session, ccnet_email):
enable_two_factor_auth = True
if not enable_webdav_secret and enable_two_factor_auth:
_logger.warning(
"Two factor auth is enabled, no access to webdav.")
return False
if enable_webdav_secret:
if not session:
return False
else:
from Crypto.Cipher import AES
secret = seahub_settings.SECRET_KEY[:BLOCK_SIZE]
cipher = AES.new(secret.encode('utf8'), AES.MODE_ECB)
encoded_str = 'aes$' + EncodeAES(
cipher, password.encode('utf8')).decode('utf8')
options_useroptions = seahub_db.Base.classes.options_useroptions
q = session.query(options_useroptions.email)
q = q.filter(options_useroptions.email == ccnet_email,
options_useroptions.option_val == encoded_str)
res = q.first()
if not res:
return False
elif api.validate_emailuser(ccnet_email, password) != 0:
return False
username = ccnet_email
except Exception as e:
_logger.warning('Failed to login: %s', e)
return False
finally:
if session:
session.close()
try:
user = api.get_emailuser_with_import(username)
if user.role == 'guest':
environ['seafile.is_guest'] = True
else:
environ['seafile.is_guest'] = False
except Exception as e:
_logger.exception('get_emailuser')
if multi_tenancy_enabled():
try:
orgs = api.get_orgs_by_user(username)
if orgs:
environ['seafile.org_id'] = orgs[0].org_id
except Exception as e:
_logger.exception('get_orgs_by_user')
pass
environ["http_authenticator.username"] = username
return True
def put(self, request, repo_id, format=None):
""" transfer a library
Permission checking:
1. only admin can perform this action.
"""
repo = seafile_api.get_repo(repo_id)
if not repo:
error_msg = 'Library %s not found.' % repo_id
return api_error(status.HTTP_404_NOT_FOUND, error_msg)
new_owner = request.data.get('owner', None)
if not new_owner:
error_msg = 'owner invalid.'
return api_error(status.HTTP_400_BAD_REQUEST, error_msg)
try:
new_owner_obj = User.objects.get(email=new_owner)
except User.DoesNotExist:
error_msg = 'User %s not found.' % new_owner
return api_error(status.HTTP_404_NOT_FOUND, error_msg)
if not new_owner_obj.permissions.can_add_repo():
error_msg = 'Transfer failed: role of %s is %s, can not add library.' % \
(new_owner, new_owner_obj.role)
return api_error(status.HTTP_403_FORBIDDEN, error_msg)
if MULTI_TENANCY:
try:
if seafserv_threaded_rpc.get_org_id_by_repo_id(repo_id) > 0:
error_msg = 'Can not transfer organization library.'
return api_error(status.HTTP_403_FORBIDDEN, error_msg)
if ccnet_api.get_orgs_by_user(new_owner):
error_msg = 'Can not transfer library to organization user %s' % new_owner
return api_error(status.HTTP_403_FORBIDDEN, error_msg)
except Exception as e:
logger.error(e)
error_msg = 'Internal Server Error'
return api_error(status.HTTP_500_INTERNAL_SERVER_ERROR,
error_msg)
repo_owner = seafile_api.get_repo_owner(repo_id)
# get repo shared to user/group list
shared_users = seafile_api.list_repo_shared_to(repo_owner, repo_id)
shared_groups = seafile_api.list_repo_shared_group_by_user(
repo_owner, repo_id)
# get all pub repos
pub_repos = []
if not request.cloud_mode:
pub_repos = seafile_api.list_inner_pub_repos_by_owner(repo_owner)
# transfer repo
seafile_api.set_repo_owner(repo_id, new_owner)
# reshare repo to user
for shared_user in shared_users:
shared_username = shared_user.user
if new_owner == shared_username:
continue
seafile_api.share_repo(repo_id, new_owner, shared_username,
shared_user.perm)
# reshare repo to group
for shared_group in shared_groups:
shared_group_id = shared_group.group_id
if not ccnet_api.is_group_user(shared_group_id, new_owner):
continue
seafile_api.set_group_repo(repo_id, shared_group_id, new_owner,
shared_group.perm)
# check if current repo is pub-repo
# if YES, reshare current repo to public
for pub_repo in pub_repos:
if repo_id != pub_repo.id:
continue
seafile_api.add_inner_pub_repo(repo_id, pub_repo.permission)
break
# send admin operation log signal
admin_op_detail = {
"id": repo_id,
"name": repo.name,
"from": repo_owner,
"to": new_owner,
}
admin_operation.send(sender=None,
admin_name=request.user.username,
operation=REPO_TRANSFER,
detail=admin_op_detail)
repo = seafile_api.get_repo(repo_id)
repo_info = get_repo_info(repo)
return Response(repo_info)
def get(self, request):
"""List all users in DB or LDAPImport
Permission checking:
1. only admin can perform this action.
"""
try:
page = int(request.GET.get('page', '1'))
per_page = int(request.GET.get('per_page', '25'))
except ValueError:
page = 1
per_page = 25
start = (page - 1) * per_page
# source: 'DB' or 'LDAPImport', default is 'DB'
source = request.GET.get('source', 'DB')
source = source.lower()
if source not in ['db', 'ldapimport']:
error_msg = 'source %s invalid.' % source
return api_error(status.HTTP_400_BAD_REQUEST, error_msg)
if source == 'db':
users = ccnet_api.get_emailusers('DB', start, per_page)
total_count = ccnet_api.count_emailusers('DB') + \
ccnet_api.count_inactive_emailusers('DB')
elif source == 'ldapimport':
users = ccnet_api.get_emailusers('LDAPImport', start, per_page)
# api param is 'LDAP', but actually get count of 'LDAPImport' users
total_count = ccnet_api.count_emailusers('LDAP') + \
ccnet_api.count_inactive_emailusers('LDAP')
data = []
for user in users:
profile = Profile.objects.get_profile_by_user(user.email)
info = {}
info['email'] = user.email
info['name'] = email2nickname(user.email)
info['contact_email'] = email2contact_email(user.email)
info[
'login_id'] = profile.login_id if profile and profile.login_id else ''
info['is_staff'] = user.is_staff
info['is_active'] = user.is_active
orgs = ccnet_api.get_orgs_by_user(user.email)
try:
if orgs:
org_id = orgs[0].org_id
info['org_id'] = org_id
info['org_name'] = orgs[0].org_name
except Exception as e:
logger.error(e)
info['create_time'] = timestamp_to_isoformat_timestr(user.ctime)
last_login_obj = UserLastLogin.objects.get_by_username(user.email)
info['last_login'] = datetime_to_isoformat_timestr(
last_login_obj.last_login) if last_login_obj else ''
info['role'] = get_user_role(user)
info['storage_usage'] = Workspaces.objects.get_owner_total_storage(
owner=user.email)
if getattr(settings, 'MULTI_INSTITUTION', False):
info['institution'] = profile.institution if profile else ''
data.append(info)
result = {'data': data, 'total_count': total_count}
return Response(result)
def put(self, request, repo_id, format=None):
""" update a library status, transfer a library, rename a library
Permission checking:
1. only admin can perform this action.
"""
# argument check
new_status = request.data.get('status', None)
if new_status:
if new_status not in ('normal', 'read-only'):
error_msg = 'status invalid.'
return api_error(status.HTTP_400_BAD_REQUEST, error_msg)
new_repo_name = request.data.get('name', None)
if new_repo_name:
if not is_valid_dirent_name(new_repo_name):
error_msg = 'name invalid.'
return api_error(status.HTTP_400_BAD_REQUEST, error_msg)
new_owner = request.data.get('owner', None)
if new_owner:
if not is_valid_email(new_owner):
error_msg = 'owner invalid.'
return api_error(status.HTTP_400_BAD_REQUEST, error_msg)
# resource check
repo = seafile_api.get_repo(repo_id)
if not repo:
error_msg = 'Library %s not found.' % repo_id
return api_error(status.HTTP_404_NOT_FOUND, error_msg)
if new_status:
try:
seafile_api.set_repo_status(repo_id, normalize_repo_status_str(new_status))
except Exception as e:
logger.error(e)
error_msg = 'Internal Server Error'
return api_error(status.HTTP_500_INTERNAL_SERVER_ERROR, error_msg)
if new_repo_name:
try:
res = seafile_api.edit_repo(repo_id, new_repo_name, '', None)
except Exception as e:
logger.error(e)
error_msg = 'Internal Server Error'
return api_error(status.HTTP_500_INTERNAL_SERVER_ERROR, error_msg)
if res == -1:
e = 'Admin rename failed: ID of library is %s, edit_repo api called failed.' % \
repo_id
logger.error(e)
error_msg = 'Internal Server Error'
return api_error(status.HTTP_500_INTERNAL_SERVER_ERROR, error_msg)
if new_owner:
try:
new_owner_obj = User.objects.get(email=new_owner)
except User.DoesNotExist:
error_msg = 'User %s not found.' % new_owner
return api_error(status.HTTP_404_NOT_FOUND, error_msg)
if not new_owner_obj.permissions.can_add_repo():
error_msg = _('Transfer failed: role of %s is %s, can not add library.') % \
(new_owner, new_owner_obj.role)
return api_error(status.HTTP_403_FORBIDDEN, error_msg)
if MULTI_TENANCY:
try:
if seafile_api.get_org_id_by_repo_id(repo_id) > 0:
error_msg = 'Can not transfer organization library.'
return api_error(status.HTTP_403_FORBIDDEN, error_msg)
if ccnet_api.get_orgs_by_user(new_owner):
error_msg = 'Can not transfer library to organization user %s' % new_owner
return api_error(status.HTTP_403_FORBIDDEN, error_msg)
except Exception as e:
logger.error(e)
error_msg = 'Internal Server Error'
return api_error(status.HTTP_500_INTERNAL_SERVER_ERROR, error_msg)
repo_owner = seafile_api.get_repo_owner(repo_id)
if new_owner == repo_owner:
error_msg = _("Library can not be transferred to owner.")
return api_error(status.HTTP_400_BAD_REQUEST, error_msg)
# get repo shared to user/group list
shared_users = seafile_api.list_repo_shared_to(
repo_owner, repo_id)
shared_groups = seafile_api.list_repo_shared_group_by_user(
repo_owner, repo_id)
# get all pub repos
pub_repos = []
if not request.cloud_mode:
pub_repos = seafile_api.list_inner_pub_repos_by_owner(repo_owner)
# transfer repo
seafile_api.set_repo_owner(repo_id, new_owner)
# reshare repo to user
for shared_user in shared_users:
shared_username = shared_user.user
if new_owner == shared_username:
continue
seafile_api.share_repo(repo_id, new_owner,
shared_username, shared_user.perm)
# reshare repo to group
for shared_group in shared_groups:
shared_group_id = shared_group.group_id
if not is_group_member(shared_group_id, new_owner):
continue
seafile_api.set_group_repo(repo_id, shared_group_id,
new_owner, shared_group.perm)
# reshare repo to links
try:
UploadLinkShare.objects.filter(username=repo_owner, repo_id=repo_id).update(username=new_owner)
FileShare.objects.filter(username=repo_owner, repo_id=repo_id).update(username=new_owner)
except Exception as e:
logger.error(e)
error_msg = 'Internal Server Error'
return api_error(status.HTTP_500_INTERNAL_SERVER_ERROR, error_msg)
# check if current repo is pub-repo
# if YES, reshare current repo to public
for pub_repo in pub_repos:
if repo_id != pub_repo.id:
continue
seafile_api.add_inner_pub_repo(repo_id, pub_repo.permission)
break
# send admin operation log signal
admin_op_detail = {
"id": repo_id,
"name": repo.name,
"from": repo_owner,
"to": new_owner,
}
admin_operation.send(sender=None, admin_name=request.user.username,
operation=REPO_TRANSFER, detail=admin_op_detail)
repo = seafile_api.get_repo(repo_id)
repo_info = get_repo_info(repo)
return Response(repo_info)
def handle(self, *args, **options):
self.stdout.write("Export users to '../users.xlsx'.")
try:
users = ccnet_api.get_emailusers('DB', -1, -1) + \
ccnet_api.get_emailusers('LDAPImport', -1, -1)
except Exception as e:
self.stdout.write('Error: ' + str(e))
return
if is_pro_version():
is_pro = True
else:
is_pro = False
if is_pro:
head = [_("Email"), _("Name"), _("Contact Email"), _("Status"), _("Role"),
_("Space Usage") + "(MB)", _("Space Quota") + "(MB)",
_("Create At"), _("Last Login"), _("Admin"), _("LDAP(imported)"),]
else:
head = [_("Email"), _("Name"), _("Contact Email"), _("Status"),
_("Space Usage") + "(MB)", _("Space Quota") + "(MB)",
_("Create At"), _("Last Login"), _("Admin"), _("LDAP(imported)"),]
# only operate 100 users for every `for` loop
looped = 0
limit = 100
data_list = []
while looped < len(users):
current_users = users[looped:looped+limit]
last_logins = UserLastLogin.objects.filter(username__in=[x.email \
for x in current_users])
user_profiles = Profile.objects.filter(user__in=[x.email \
for x in current_users])
for user in current_users:
# populate name and contact email
user.contact_email = ''
user.name = ''
for profile in user_profiles:
if profile.user == user.email:
user.contact_email = profile.contact_email
user.name = profile.nickname
# populate space usage and quota
MB = get_file_size_unit('MB')
# populate user quota usage
orgs = ccnet_api.get_orgs_by_user(user.email)
try:
if orgs:
user.org = orgs[0]
org_id = user.org.org_id
user.space_usage = seafile_api.get_org_user_quota_usage(org_id, user.email)
user.space_quota = seafile_api.get_org_user_quota(org_id, user.email)
else:
user.space_usage = seafile_api.get_user_self_usage(user.email)
user.space_quota = seafile_api.get_user_quota(user.email)
except Exception as e:
self.stdout.write('Debug: ' + str(e))
user.space_usage = -1
user.space_quota = -1
if user.space_usage > 0:
try:
space_usage_MB = round(float(user.space_usage) / MB, 2)
except Exception as e:
self.stdout.write('Debug: ' + str(e))
space_usage_MB = '--'
else:
space_usage_MB = ''
if user.space_quota > 0:
try:
space_quota_MB = round(float(user.space_quota) / MB, 2)
except Exception as e:
self.stdout.write('Debug: ' + str(e))
space_quota_MB = '--'
else:
space_quota_MB = ''
# populate user last login time
user.last_login = None
for last_login in last_logins:
if last_login.username == user.email:
user.last_login = last_login.last_login
if user.is_active:
status = _('Active')
else:
status = _('Inactive')
create_at = tsstr_sec(user.ctime) if user.ctime else ''
last_login = user.last_login.strftime("%Y-%m-%d %H:%M:%S") if \
user.last_login else ''
is_admin = _('Yes') if user.is_staff else ''
ldap_import = _('Yes') if user.source == 'LDAPImport' else ''
if is_pro:
if user.role:
if user.role == GUEST_USER:
role = _('Guest')
elif user.role == DEFAULT_USER:
role = _('Default')
else:
role = user.role
else:
role = _('Default')
row = [user.email, user.name, user.contact_email, status, role,
space_usage_MB, space_quota_MB, create_at,
last_login, is_admin, ldap_import]
else:
row = [user.email, user.name, user.contact_email, status,
space_usage_MB, space_quota_MB, create_at,
last_login, is_admin, ldap_import]
data_list.append(row)
# update `looped` value when `for` loop finished
looped += limit
wb = write_xls('users', head, data_list)
if not wb:
self.stdout.write('Error: please check the log.')
return
wb.save('../users.xlsx')
self.stdout.write('Done.\n')
def handle(self, *args, **options):
self.stdout.write("Export users to '../users.xlsx'.")
try:
users = ccnet_api.get_emailusers('DB', -1, -1) + \
ccnet_api.get_emailusers('LDAPImport', -1, -1)
except Exception as e:
self.stdout.write('Error: ' + str(e))
return
if is_pro_version():
is_pro = True
else:
is_pro = False
if is_pro:
head = [
_("Email"),
_("Name"),
_("Contact Email"),
_("Status"),
_("Role"),
_("Space Usage") + "(MB)",
_("Space Quota") + "(MB)",
_("Create At"),
_("Last Login"),
_("Admin"),
_("LDAP(imported)"),
]
else:
head = [
_("Email"),
_("Name"),
_("Contact Email"),
_("Status"),
_("Space Usage") + "(MB)",
_("Space Quota") + "(MB)",
_("Create At"),
_("Last Login"),
_("Admin"),
_("LDAP(imported)"),
]
# only operate 100 users for every `for` loop
looped = 0
limit = 100
data_list = []
while looped < len(users):
current_users = users[looped:looped + limit]
last_logins = UserLastLogin.objects.filter(username__in=[x.email \
for x in current_users])
user_profiles = Profile.objects.filter(user__in=[x.email \
for x in current_users])
for user in current_users:
# populate name and contact email
user.contact_email = ''
user.name = ''
for profile in user_profiles:
if profile.user == user.email:
user.contact_email = profile.contact_email
user.name = profile.nickname
# populate space usage and quota
MB = get_file_size_unit('MB')
# populate user quota usage
orgs = ccnet_api.get_orgs_by_user(user.email)
try:
if orgs:
user.org = orgs[0]
org_id = user.org.org_id
user.space_usage = seafile_api.get_org_user_quota_usage(
org_id, user.email)
user.space_quota = seafile_api.get_org_user_quota(
org_id, user.email)
else:
user.space_usage = seafile_api.get_user_self_usage(
user.email)
user.space_quota = seafile_api.get_user_quota(
user.email)
except Exception as e:
self.stdout.write('Debug: ' + str(e))
user.space_usage = -1
user.space_quota = -1
if user.space_usage > 0:
try:
space_usage_MB = round(float(user.space_usage) / MB, 2)
except Exception as e:
self.stdout.write('Debug: ' + str(e))
space_usage_MB = '--'
else:
space_usage_MB = ''
if user.space_quota > 0:
try:
space_quota_MB = round(float(user.space_quota) / MB, 2)
except Exception as e:
self.stdout.write('Debug: ' + str(e))
space_quota_MB = '--'
else:
space_quota_MB = ''
# populate user last login time
user.last_login = None
for last_login in last_logins:
if last_login.username == user.email:
user.last_login = last_login.last_login
if user.is_active:
status = _('Active')
else:
status = _('Inactive')
create_at = tsstr_sec(user.ctime) if user.ctime else ''
last_login = user.last_login.strftime("%Y-%m-%d %H:%M:%S") if \
user.last_login else ''
is_admin = _('Yes') if user.is_staff else ''
ldap_import = _('Yes') if user.source == 'LDAPImport' else ''
if is_pro:
if user.role:
if user.role == GUEST_USER:
role = _('Guest')
elif user.role == DEFAULT_USER:
role = _('Default')
else:
role = user.role
else:
role = _('Default')
row = [
user.email, user.name, user.contact_email, status,
role, space_usage_MB, space_quota_MB, create_at,
last_login, is_admin, ldap_import
]
else:
row = [
user.email, user.name, user.contact_email, status,
space_usage_MB, space_quota_MB, create_at, last_login,
is_admin, ldap_import
]
data_list.append(row)
# update `looped` value when `for` loop finished
looped += limit
wb = write_xls('users', head, data_list)
if not wb:
self.stdout.write('Error: please check the log.')
return
wb.save('../users.xlsx')
self.stdout.write('Done.\n')
def put(self, request, repo_id, format=None):
""" transfer a library
Permission checking:
1. only admin can perform this action.
"""
repo = seafile_api.get_repo(repo_id)
if not repo:
error_msg = 'Library %s not found.' % repo_id
return api_error(status.HTTP_404_NOT_FOUND, error_msg)
new_owner = request.data.get('owner', None)
if not new_owner:
error_msg = 'owner invalid.'
return api_error(status.HTTP_400_BAD_REQUEST, error_msg)
try:
User.objects.get(email=new_owner)
except User.DoesNotExist:
error_msg = 'User %s not found.' % new_owner
return api_error(status.HTTP_404_NOT_FOUND, error_msg)
if MULTI_TENANCY:
try:
if seafserv_threaded_rpc.get_org_id_by_repo_id(repo_id) > 0:
error_msg = 'Can not transfer organization library.'
return api_error(status.HTTP_403_FORBIDDEN, error_msg)
if ccnet_api.get_orgs_by_user(new_owner):
error_msg = 'Can not transfer library to organization user %s' % new_owner
return api_error(status.HTTP_403_FORBIDDEN, error_msg)
except Exception as e:
logger.error(e)
error_msg = 'Internal Server Error'
return api_error(status.HTTP_500_INTERNAL_SERVER_ERROR, error_msg)
repo_owner = seafile_api.get_repo_owner(repo_id)
# get repo shared to user/group list
shared_users = seafile_api.list_repo_shared_to(
repo_owner, repo_id)
shared_groups = seafile_api.list_repo_shared_group_by_user(
repo_owner, repo_id)
# get all pub repos
pub_repos = []
if not request.cloud_mode:
pub_repos = seafile_api.list_inner_pub_repos_by_owner(repo_owner)
# transfer repo
seafile_api.set_repo_owner(repo_id, new_owner)
# reshare repo to user
for shared_user in shared_users:
shared_username = shared_user.user
if new_owner == shared_username:
continue
seafile_api.share_repo(repo_id, new_owner,
shared_username, shared_user.perm)
# reshare repo to group
for shared_group in shared_groups:
shared_group_id = shared_group.group_id
if not ccnet_api.is_group_user(shared_group_id, new_owner):
continue
seafile_api.set_group_repo(repo_id, shared_group_id,
new_owner, shared_group.perm)
# check if current repo is pub-repo
# if YES, reshare current repo to public
for pub_repo in pub_repos:
if repo_id != pub_repo.id:
continue
seafile_api.add_inner_pub_repo(repo_id, pub_repo.permission)
break
repo = seafile_api.get_repo(repo_id)
repo_info = get_repo_info(repo)
return Response(repo_info)
