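def user_permitted(user_id: int = None, permission_id: int = None, database=None):
    """Raise ``Forbidden`` unless ``user_id`` holds ``permission_id``.

    Runs the ``is_permitted`` SQL function through ``database.cursor`` with
    bound parameters (caller input is never formatted into the query text).

    Args:
        user_id: id of the user being checked.
        permission_id: id of the permission required for the activity.
        database: object exposing a DB-API style ``cursor`` attribute.

    Returns:
        True when the database reports the user as permitted.

    Raises:
        Forbidden: when the query returns no row or a falsy value. A missing
            row is treated as "not permitted" so the check fails closed.
        ValueError: when ``database`` is None.
    """
    if database is None:
        raise ValueError("user_permitted() requires a database connection")
    query = "select is_permitted(%(permissionid)s, %(userid)s) as permitted"
    cursor = database.cursor
    cursor.execute(query, {'permissionid': permission_id, 'userid': user_id})
    row = cursor.fetchone()
    # fetchone() yields None when the query produced no rows; the original
    # indexed it unconditionally and would have raised TypeError instead of
    # denying access.
    permitted = row[0] if row else False
    if not permitted:
        raise Forbidden('User does not have permission for this activity')
    return True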
def has_permission(self, obj_id: int, auth: Auth):
    """Allow editing of an Observation only by its owner, on its creation day.

    Args:
        obj_id: primary key of the Observation, resolved via ``get_or_404``
            against ``self.actesviews.model``.
        auth: the authenticated principal; ``auth.user`` is compared with the
            object's ``owner``.

    Returns:
        True when both checks pass.

    Raises:
        BadRequest: the object's creation date is not today.
        Forbidden: the caller is not the owner.
    """
    observation = get_or_404(self.actesviews.model, obj_id)
    # NOTE(review): ``created.date()`` is taken in the datetime's own tzinfo
    # while ``timezone.localdate()`` uses the active time zone — confirm the
    # two agree around midnight.
    today = timezone.localdate()
    if observation.created.date() != today:
        raise BadRequest("Observation can't be edited another day")
    if auth.user != observation.owner:
        raise Forbidden('Only owner can edit an Observation')
    return True
def login(user: str, pwd: str, settings: Settings) -> Response:
    """Authenticate ``user``/``pwd`` and answer with a freshly signed JWT.

    Args:
        user: login name handed to ``authenticate``.
        pwd: plaintext password handed to ``authenticate``.
        settings: provides ``settings['JWT']`` with ``SECRET`` and
            ``PAYLOAD_DURATION`` keys.

    Returns:
        A 201 ``Response`` whose body is ``{'token': <jwt>}``.

    Raises:
        Forbidden: ``authenticate`` returned a falsy value (inactive user or
            bad credentials).
    """
    account = authenticate(username=user, password=pwd)
    if not account:
        raise Forbidden("Utilisateur inactif, mauvais login/mot de passe")
    jwt_settings = settings['JWT']
    secret = jwt_settings.get('SECRET')
    claims = get_payload(account, jwt_settings.get('PAYLOAD_DURATION'))
    token = JWT.encode(claims, secret=secret)
    return Response({'token': token}, status=201)
def resolve(self, x_api_key: http.Header, player_slug: str = None) -> Player:
    """Resolve the ``x-old-api-key`` header to the Player that owns the key.

    Args:
        x_api_key: raw header value; must be present.
        player_slug: optional slug from the request; when given it must match
            the key's own player.

    Returns:
        The ``Player`` referenced by the matching ``ApiKey``.

    Raises:
        BadRequest: header missing, or no ``ApiKey`` has that value.
        Forbidden: ``player_slug`` names a player other than the key's owner.
    """
    if not x_api_key:
        raise BadRequest("Missing header x-old-api-key.")
    matches = ApiKey.objects(key=x_api_key)
    if not matches:
        raise BadRequest("Could not find a valid Api Key.")
    key_record = matches[0]
    # A slug in the URL may only refer to the player the key belongs to.
    if player_slug and player_slug != key_record.player.slug:
        raise Forbidden("You cannot access that player.")
    return key_record.player
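def login(user: str, pwd: str, settings: Settings) -> dict:
    """Check ``user``/``pwd`` against the module-level ``USER`` record and issue a JWT.

    Args:
        user: supplied login name, compared with ``USER['user']``.
        pwd: supplied password, compared with ``USER['pwd']``.
        settings: provides ``settings['JWT']['SECRET']`` for signing.

    Returns:
        ``{'token': <jwt>}``.

    Raises:
        Forbidden: either credential does not match.
    """
    # do some check with your database here to see if the user is authenticated
    # Both fields are always compared, in constant time, so a wrong username
    # and a wrong password take the same code path and the same time.
    user_ok = _credential_matches(user, USER['user'])
    pwd_ok = _credential_matches(pwd, USER['pwd'])
    if not (user_ok and pwd_ok):
        raise Forbidden('invalid credentials')
    SECRET = settings['JWT'].get('SECRET')
    # One timestamp for both claims so ``exp`` is exactly 60 minutes after
    # ``iat`` (the original called utcnow() twice). utcnow() is naive UTC and
    # deprecated in 3.12; kept here so the payload format is unchanged.
    now = datetime.datetime.utcnow()
    payload = {
        'username': user,
        'iat': now,
        'exp': now + datetime.timedelta(minutes=60),  # ends in 60 minutes
    }
    token = JWT.encode(payload, secret=SECRET)
    return {'token': token}


def _credential_matches(supplied, expected) -> bool:
    """Constant-time equality of two str values; anything that is not a str never matches."""
    import hmac

    if not isinstance(supplied, str) or not isinstance(expected, str):
        return False
    # compare_digest on bytes avoids the ASCII-only restriction it has for str.
    return hmac.compare_digest(supplied.encode('utf-8'), expected.encode('utf-8'))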
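def authenticate(self, authorization: http.Header, settings: Settings, db: Db):
    """Turn an ``Authorization`` header into an ``AuthUser``.

    Args:
        authorization: raw header value passed to ``get_jwt``.
        settings: JWT settings passed through to ``get_jwt``.
        db: exposes ``db.User.objects`` for the user lookup.

    Returns:
        ``AuthUser`` wrapping the active user named by the token.

    Raises:
        AuthenticationFailed: the token yields an empty payload, or the
            payload carries no ``user_id``.
        BadRequest: the ``user_id`` in the token matches no user.
        Forbidden: the user exists but is inactive.
    """
    # First we check token validity
    jwt = get_jwt(authorization, settings)
    if jwt.payload == {}:
        raise AuthenticationFailed("payload non validé")
    # A token that verifies but lacks ``user_id`` must be rejected as an
    # authentication failure, not surface as a KeyError (HTTP 500).
    user_id = jwt.payload.get('user_id')
    if user_id is None:
        raise AuthenticationFailed("payload non validé")
    # Get User instance
    try:
        user = db.User.objects.get(id=user_id)
    except ObjectDoesNotExist:
        raise BadRequest('User in token not found')
    if not user.is_active:
        raise Forbidden("User Inactive")
    return AuthUser(user=user)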
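def generate_api_key(player_slug: str, login_payload: Login) -> dict:
    """Generate a new API key for the player.

    If an old key already exists, it is deleted before the new one is saved.

    Args:
        player_slug: slug identifying the ``Player``.
        login_payload: carries the plaintext ``password`` to verify against
            the player's stored bcrypt hash.

    Returns:
        The new ``ApiKey`` document converted with ``mongo_to_dict``.

    Raises:
        NotFound: no ``Player`` has that slug.
        Forbidden: the password does not match the stored hash.
    """
    player = Player.objects(slug=player_slug).first()
    if not player:
        raise NotFound(f"Player {player_slug} not found.")
    # checkpw re-hashes with the stored salt and compares in constant time;
    # the original's hashpw()/decode()/== round trip compared with a plain
    # string equality.
    if not bcrypt.checkpw(login_payload.password.encode("utf-8"),
                          player.password.encode("utf-8")):
        raise Forbidden("Wrong password")
    # Only one key per player: drop any existing ones before saving the new one.
    for old_key in ApiKey.objects(player=player):
        old_key.delete()
    new_api_key = ApiKey(player=player)
    new_api_key.save()
    return mongo_to_dict(new_api_key)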