示例#1
0
def add():
    """Add `email` to the whitelist."""
    form = AddToWhitelistForm(request.form)

    if form.user_type.data == 'fake_user':
        if form.validate_on_submit():
            fake_id = str(uuid.uuid4())
            fake_email = fake_id[:10] + "@fake-users.com"
            filename = form.fake_user_image.data
            try:
                fake_image = Image.objects().get(filename=filename)
                fake_user = User(email=fake_email,
                                 gplus_id=fake_id,
                                 name=form.name.data,
                                 user_type=form.user_type.data,
                                 image=fake_image)
            except Image.DoesNotExist:
                fake_user = User(email=fake_email,
                                 gplus_id=fake_id,
                                 name=form.name.data,
                                 user_type=form.user_type.data)
            fake_user.save()
        else:
            app.logger.warning(form.errors)
    else:
        user_exists = User.objects(email=form.email.data).count() != 0
        if form.validate_on_submit() and not user_exists:
            wl = Whitelist(email=form.email.data,
                           user_type=form.user_type.data)
            wl.save()
        else:
            app.logger.warning(form.errors)
    return redirect(url_for('users.index'))
示例#2
0
    def test_whitelist_add_duplicate_email(self):
        """Test that when a duplicate email is added to the whitelist it is
        rejected.
        """
        query_string_data_1 = {
            "email": "*****@*****.**",
            "user_type": "user"
        }
        query_string_data_2 = {
            "email": "*****@*****.**",
            "user_type": "editor"
        }
        self.request_with_role('/whitelist/add',
                               method='POST',
                               data=query_string_data_1,
                               follow_redirects=True)

        resp = self.request_with_role('/whitelist/add',
                                      method='POST',
                                      data=query_string_data_2,
                                      follow_redirects=True)

        self.assertEqual(resp.status_code, 200)
        self.assertEqual(Whitelist.objects().count(), 1)
        wl = Whitelist.objects().get(email="*****@*****.**")
        self.assertEqual(wl.user_type, "user")
示例#3
0
def create_fake_users(db, nb_users=50, fake=None):
    from app.models import User
    from app.models import UserRole
    from app.models import Whitelist

    if fake is None:
        fake = Faker()

    wl1 = Whitelist(label=fake.word())
    admin = UserRole(label=fake.word())
    contributor = UserRole(label=fake.word())

    db.session.add(wl1)
    db.session.add(admin)
    db.session.add(contributor)
    db.session.commit()

    roles = [admin, contributor]
    whitelists = [wl1]
    try:
        for i in range(0, nb_users):
            u1 = User(username=fake.user_name(),
                      password=fake.user_name(),
                      email=fake.free_email(),
                      active=random.choice([0, 1]),
                      first_name=fake.first_name(),
                      last_name=fake.last_name())
            u1.role = random.choice(roles)
            u1.whitelists = [random.choice(whitelists)]
            db.session.add(u1)
        db.session.commit()
    except IntegrityError as e:
        db.session.rollback()
示例#4
0
def delete(user_id):
    """Delete the user with id `user_id`

    If the `revoke` property is set to true,
    then the user will be removed from the whitelist, and not be
    allowed to make an account again.
    """
    object_id = ObjectId(user_id)
    if User.objects(id=object_id).count() != 1:
        abort(401)
    user = User.objects().get(id=object_id)

    # Update whitelist
    try:
        wl = Whitelist.objects().get(email=user.email)
        wl.redeemed = False
        wl.save()
    except DoesNotExist:
        pass
    user.delete()

    # Log out if a user is attempting to delete themselves
    if 'gplus_id' in session and user.gplus_id == session['gplus_id']:
        flash('You deleted yourself successfully. Logging out.')
        return redirect(url_for('.logout'), 303)
    flash('User deleted successfully.')

    return redirect(url_for('.index'), code=303)
示例#5
0
def delete(user_id):
    """Delete the user with id ``user_id``

    If the ``revoke`` property is set to true,
    then the user will be removed from the whitelist, and not be
    allowed to make an account again.

    **Route:** ``/admin/users/delete/<user_id>``

    **Methods:** ``POST``
    """
    object_id = ObjectId(user_id)
    if User.objects(id=object_id).count() != 1:
        abort(401)
    user = User.objects().get(id=object_id)

    # Update whitelist
    try:
        wl = Whitelist.objects().get(email=user.email)
        wl.redeemed = False
        wl.save()
    except DoesNotExist:
        pass
    user.delete()

    # Log out if a user is attempting to delete themselves
    if "gplus_id" in session and user.gplus_id == session["gplus_id"]:
        flash("You deleted yourself successfully. Logging out.", MESSAGE_FLASH)
        return redirect(url_for(".logout"), 303)
    flash("User deleted successfully.", MESSAGE_FLASH)

    return redirect(url_for(".index"), code=303)
示例#6
0
 def test_whitelist_add_valid_input(self):
     """Test that when valid input is provided, a user is added to the
     whitelist.
     """
     query_string_data = {
         "email": "*****@*****.**",
         "user_type": "user"
     }
     resp = self.request_with_role('/whitelist/add',
                                   method='POST',
                                   data=query_string_data,
                                   follow_redirects=True)
     self.assertEqual(resp.status_code, 200)
     self.assertEqual(Whitelist.objects().count(), 1)
     user = Whitelist.objects().get(email="*****@*****.**")
     self.assertEqual(user.user_type, "user")
示例#7
0
 def get(self):
     objects = DBWhitelist.objects()
     result = {
         'count': objects.count(),
         'data': json.loads(objects.to_json())
     }
     return result
示例#8
0
def delete(user_id):
    """Delete the user with id ``user_id``

    If the ``revoke`` property is set to true,
    then the user will be removed from the whitelist, and not be
    allowed to make an account again.

    **Route:** ``/admin/users/delete/<user_id>``

    **Methods:** ``POST``
    """
    object_id = ObjectId(user_id)
    if User.objects(id=object_id).count() != 1:
        abort(401)
    user = User.objects().get(id=object_id)

    # Update whitelist
    try:
        wl = Whitelist.objects().get(email=user.email)
        wl.redeemed = False
        wl.save()
    except DoesNotExist:
        pass
    user.delete()

    # Log out if a user is attempting to delete themselves
    if 'gplus_id' in session and user.gplus_id == session['gplus_id']:
        flash('You deleted yourself successfully. Logging out.', MESSAGE_FLASH)
        return redirect(url_for('.logout'), 303)
    flash('User deleted successfully.', MESSAGE_FLASH)

    return redirect(url_for('.index'), code=303)
示例#9
0
def create_fake_users(db, nb_users=50, fake=None):
    from app.models import User
    from app.models import UserRole
    from app.models import Whitelist

    if fake is None:
        fake = Faker()

    #logging.getLogger('faker.factory').setLevel(logging.ERROR)

    wl1 = Whitelist(label=fake.word())
    admin = UserRole(label=fake.word())
    contributor = UserRole(label=fake.word())

    db.session.add(wl1)
    db.session.add(admin)
    db.session.add(contributor)
    db.session.commit()

    roles = [admin, contributor]
    whitelists = [wl1]

    for i in range(0, nb_users):
        u1 = User(username=fake.user_name(),
                  password=fake.user_name(),
                  email=fake.free_email(),
                  active=1,
                  first_name=fake.first_name(),
                  last_name=fake.last_name())
        u1.role = roles[1]
        u1.whitelists = whitelists
        db.session.add(u1)
        db.session.commit()
示例#10
0
def wipe():
    """Wipe all users from the database"""
    if request.method == "POST":
        for w in Whitelist.objects():
            w.delete()
        # use code=303 to avoid POSTing to the next page.
        return redirect(url_for('users.index'), code=303)
    return '''\
示例#11
0
def delete(email):
    """Delete `email` from the whitelist."""
    if Whitelist.objects(email=email).count() > 0:
        Whitelist.objects.get(email=email).delete()
        flash("Whitelist entry revoked successfully.")
        return redirect(url_for('users.index'))
    flash('No such user in the database.')
    return redirect(url_for('users.index'))
示例#12
0
    def __call__(self, form, field):
        """Called internally by :mod:`wtforms` on validation of the field.

        :param form: The parent form
        :type form: :class:`Form`
        :param field: The field to validate
        :type field: :class:`Field`

        :raises: :class:`wtforms.validators.ValidationError`
        """
        if form.user_type.data != 'fake_user' and \
                Whitelist.objects(email=field.data).count():
            raise ValidationError(self.message)
示例#13
0
    def __call__(self, form, field):
        """Called internally by :mod:`wtforms` on validation of the field.

        :param form: The parent form
        :type form: :class:`Form`
        :param field: The field to validate
        :type field: :class:`Field`

        :raises: :class:`wtforms.validators.ValidationError`
        """
        if form.user_type.data != 'fake_user' and \
                Whitelist.objects(email=field.data).count():
            raise ValidationError(self.message)
示例#14
0
def create_profile():
    """Create a profile (filling in the form with openid data), and
    register it in the database.

    **Route:** ``/admin/create-profile``

    **Methods:** ``GET, POST``
    """
    if g.user is not None and 'gplus_id' in session:
        # use code=303 to avoid POSTing to the next page.
        return redirect(url_for('admin.index'), code=303)
    form = CreateProfileForm(request.form,
                             name=request.args['name'],
                             email=request.args['email'],
                             next=request.args['next'])
    if form.validate_on_submit():
        if User.objects(email=form.email.data).count() != 0:
            # A user with this email already exists.  Override it.
            user = User.objects.get(email=form.email.data)
            user.openid = session['openid']
            user.name = form.name.data
            flash('Account with this email already exists.  Overridden.',
                  MESSAGE_FLASH)
            user.register_login()
            user.save()
        else:
            # Retreive their user type from the whitelist then remove them.
            wl = Whitelist.objects().get(email=form.email.data)
            user_type = wl.user_type
            wl.redeemed = True
            wl.save()
            # Create a brand new user
            user = User(email=form.email.data,
                        name=form.name.data,
                        gplus_id=session['gplus_id'],
                        user_type=user_type,
                        image_url=request.args.get('image_url'))
            flash('Account created successfully.', MESSAGE_FLASH)
            user.register_login()
            user.save()

        # redirect to the next url or the root of the application ('/')
        if form.next.data:
            # use code=303 to avoid POSTing to the next page.
            return redirect(form.next.data, code=303)
        # use code=303 to avoid POSTing to the next page.
        return redirect('/', code=303)

    return render_template('admin/auth/create_profile.html',
                           image_url=request.args.get('image_url'),
                           form=form)
示例#15
0
def add():
    """Add and email to the whitelist.

    **Route:** ``/admin/whitelist/add``

    **Methods:** ``POST``
    """
    form = AddToWhitelistForm(request.form)

    if form.user_type.data == 'fake_user':
        if form.validate_on_submit():
            fake_id = str(uuid.uuid4())
            fake_email = fake_id[:10] + "@fake-users.com"
            filename = form.fake_user_image.data
            try:
                fake_image = Image.objects().get(filename=filename)
                fake_user = User(email=fake_email,
                                 gplus_id=fake_id,
                                 name=form.name.data,
                                 user_type=form.user_type.data,
                                 image=fake_image)
            except Image.DoesNotExist:
                fake_user = User(email=fake_email,
                                 gplus_id=fake_id,
                                 name=form.name.data,
                                 user_type=form.user_type.data)
            fake_user.save()
        else:
            app.logger.warning(form.errors)
    else:
        user_exists = User.objects(email=form.email.data).count() != 0
        if form.validate_on_submit() and not user_exists:
            wl = Whitelist(email=form.email.data,
                           user_type=form.user_type.data)
            wl.save()
        else:
            app.logger.warning(form.errors)
    return redirect(url_for('users.index'))
示例#16
0
    def test_whitelist_revoke(self):
        """Test removing an email from the waitlist.

        Adds num_trials emails to the whitelist, deletes some of them,
        and checks to make sure the right ones were deleted."""
        num_trials = 20
        # Post `num_trials` new whitelist entries
        for i in range(num_trials):
            query_string_data = {
                "email": "*****@*****.**" % i,
                "user_type": "user"
            }
            resp = self.request_with_role('/whitelist/add',
                                          method='POST',
                                          data=query_string_data,
                                          follow_redirects=True)

            # No error pages
            self.assertEqual(resp.status_code, 200)

        # `num_trials` whitelist items added.
        self.assertEqual(Whitelist.objects().count(), num_trials)

        delete = [i for i in range(num_trials) if i % 3 == 0]
        for i in range(num_trials):
            if i in delete:
                resp = self.request_with_role(
                    '/whitelist/delete/email%[email protected]' % i,
                    method='POST')
                self.assertEqual(resp.status_code, 200)

        for i in range(num_trials):
            in_list = Whitelist.objects(
                email="*****@*****.**" % i).count() == 1
            if i in delete:
                self.assertFalse(in_list)
            else:
                self.assertTrue(in_list)
示例#17
0
def index():
    """View and manage users

    Whitelisted users are the only ones allowed to make user accounts.
    """
    upload_form = UploadImageForm()
    whitelist_form = AddToWhitelistForm()
    return render_template('admin/users/users.html',
                           whitelist_form=whitelist_form,
                           upload_form=upload_form,
                           whitelist=Whitelist.objects(redeemed=False),
                           users=User.objects(),
                           images=Image.objects(),
                           current_user=g.user)
示例#18
0
 def test_whitelist_add_invalid_email(self):
     """Test that when an invalid email is provided, no user is added to the
     whitelist.
     """
     query_string_data = {
         "email": "notanemail",
         "user_type": "user"
     }
     resp = self.request_with_role('/whitelist/add',
                                   method='POST',
                                   query_string=query_string_data,
                                   follow_redirects=True)
     self.assertEqual(resp.status_code, 200)
     self.assertEqual(Whitelist.objects().count(), 0)
示例#19
0
def create_profile():
    """Create a profile (filling in the form with openid data), and
    register it in the database.

    **Route:** ``/admin/create-profile``

    **Methods:** ``GET, POST``
    """
    if g.user is not None and 'gplus_id' in session:
        # use code=303 to avoid POSTing to the next page.
        return redirect(url_for('admin.index'), code=303)
    form = CreateProfileForm(request.form,
                             name=request.args['name'],
                             email=request.args['email'],
                             next=request.args['next'])
    if form.validate_on_submit():
        if User.objects(email=form.email.data).count() != 0:
            # A user with this email already exists.  Override it.
            user = User.objects.get(email=form.email.data)
            user.openid = session['openid']
            user.name = form.name.data
            flash('Account with this email already exists.  Overridden.',
                  MESSAGE_FLASH)
            user.register_login()
            user.save()
        else:
            # Retreive their user type from the whitelist then remove them.
            wl = Whitelist.objects().get(email=form.email.data)
            user_type = wl.user_type
            wl.redeemed = True
            wl.save()
            # Create a brand new user
            user = User(email=form.email.data,
                        name=form.name.data,
                        gplus_id=session['gplus_id'],
                        user_type=user_type,
                        image_url=request.args.get('image_url'))
            flash('Account created successfully.', MESSAGE_FLASH)
            user.register_login()
            user.save()

        # redirect to the next url or the root of the application ('/')
        if form.next.data:
            # use code=303 to avoid POSTing to the next page.
            return redirect(form.next.data, code=303)
        # use code=303 to avoid POSTing to the next page.
        return redirect('/', code=303)

    return render_template('admin/auth/create_profile.html',
                           image_url=request.args.get('image_url'), form=form)
示例#20
0
 def test_whitelist_add_no_user_type(self):
     """Test that when no user type is provided, then no user is added to
     the whitelist.
     """
     query_string_data = {
         "email": "*****@*****.**",
         "user_type": None
     }
     resp = self.request_with_role('/whitelist/add',
                                   method='POST',
                                   query_string=query_string_data,
                                   follow_redirects=True)
     self.assertEqual(resp.status_code, 200)
     self.assertEqual(Whitelist.objects().count(), 0)
示例#21
0
def delete(email):
    """Delete ``email`` from the whitelist.

    **Route:** ``/admin/whitelist/delete/<email>``

    **Methods:** ``POST``

    :param str email: The email address to delete from the whitelist.
    """
    if Whitelist.objects(email=email).count() > 0:
        Whitelist.objects.get(email=email).delete()
        flash("Whitelist entry revoked successfully.", MESSAGE_FLASH)
        return redirect(url_for('users.index'))
    flash('No such user in the database.', ERROR_FLASH)
    return redirect(url_for('users.index'))
示例#22
0
def api_post_whitelist(api_version):
    """
    {
        data: {
            label : 'My new whitelist'
        }
    }
    :return:
    """
    data = request.get_json()

    try:
        new_whitelist_name = data.get("label")
        whitelist = Whitelist(label=new_whitelist_name)

        whitelist.users = [current_app.get_current_user()]

        db.session.add(whitelist)
        db.session.commit()
        return make_200(data=whitelist.serialize())
    except Exception as e:
        db.session.rollback()
        print(str(e))
        return make_400(str(e))
示例#23
0
def index():
    """View and manage users

    Whitelisted users are the only ones allowed to make user accounts.
    """

    upload_form = UploadImageForm()
    whitelist_form = AddToWhitelistForm()
    return render_template('admin/users/users.html',
                           whitelist_form=whitelist_form,
                           upload_form=upload_form,
                           whitelist=Whitelist.objects(redeemed=False),
                           users=User.objects(),
                           images=Image.objects(),
                           current_user=g.user)
示例#24
0
def delete(email):
    """Delete ``email`` from the whitelist.

    **Route:** ``/admin/whitelist/delete/<email>``

    **Methods:** ``POST``

    :param str email: The email address to delete from the whitelist.
    """
    if Whitelist.objects(email=email).count() > 0:
        Whitelist.objects.get(email=email).delete()
        flash("Whitelist entry revoked successfully.")
        return redirect(url_for('users.index'))
    flash('No such user in the database.')
    return redirect(url_for('users.index'))
示例#25
0
def index():
    """View and manage users.

    Whitelisted users are the only ones allowed to make user accounts.

    **Route:** ``/admin/users``

    **Methods:** ``GET``
    """

    upload_form = UploadImageForm()
    whitelist_form = AddToWhitelistForm()
    return render_template(
        "admin/users/users.html",
        whitelist_form=whitelist_form,
        upload_form=upload_form,
        whitelist=Whitelist.objects(redeemed=False),
        users=User.objects(),
        images=Image.objects(),
        current_user=g.user,
    )
示例#26
0
    def test_whitelist_add_email_of_existing_user(self):
        """Test that when a email is added to the whitelist that belongs to
        an existing user, it should be rejected.
        """
        # Add a user to the database
        user = User(name="Test User", email="*****@*****.**",
                    gplus_id="test123", user_type="admin")
        user.save()
        self.assertEqual(User.objects(email="*****@*****.**").count(), 1)

        # Post a new whitelist entry
        query_string_data = {
            "email": "*****@*****.**",
            "user_type": "user"
        }
        resp = self.request_with_role('/whitelist/add',
                                      method='POST',
                                      data=query_string_data,
                                      follow_redirects=True)

        self.assertEqual(resp.status_code, 200)
        self.assertEqual(Whitelist.objects().count(), 0)
示例#27
0
 def __call__(self, form, field):
     if form.user_type.data != 'fake_user' and \
             Whitelist.objects(email=field.data).count() != 0:
         raise ValidationError(self.message)
示例#28
0
def store_token():
    """Do the oauth flow for Google plus sign in, storing the access token
    in the session, and redircting to create an account if appropriate.

    Because this method will be called from a ``$.ajax()`` request in
    JavaScript, we can't return ``redirect()``, so instead this method returns
    the URL that the user should be redirected to, and the redirect happens in
    html:

    .. code:: javascript

        success: function(response) {
            window.location.href = response.data.redirect_url;
        }

    **Route:** ``/admin/store-token``

    **Methods:** ``POST``
    """
    if request.args.get('state', '') != session.get('state'):
        return json_error_message('Invalid state parameter.', 401)

    del session['state']
    code = request.data

    try:
        # Upgrade the authorization code into a credentials object
        oauth_flow = flow_from_clientsecrets(config['CLIENT_SECRETS_PATH'],
                                             scope='')
        oauth_flow.redirect_uri = 'postmessage'
        credentials = oauth_flow.step2_exchange(code)
    except FlowExchangeError:
        return json_error_message('Failed to upgrade the authorization code.',
                                  401)

    gplus_id = credentials.id_token['sub']

    # Store the access token in the session for later use.
    session['credentials'] = credentials.access_token
    session['gplus_id'] = gplus_id

    if User.objects(gplus_id=gplus_id).count() == 0:
        # A new user model must be made

        # Get the user's name and email to populate the form
        http = httplib2.Http()
        http = credentials.authorize(http)
        people_document = gplus_service.people().get(userId='me').execute(
            http=http)

        # The user must be whitelisted in order to create an account.
        email = people_document['emails'][0]['value']
        if Whitelist.objects(email=email).count() != 1:
            return json_error_message('User has not been whitelisted.', 401, {
                'whitelisted': False,
                'email': email
            })

        return json_success({
            'redirect_url':
            url_for('.create_profile',
                    next=request.args.get('next'),
                    name=people_document['displayName'],
                    email=email,
                    image_url=people_document['image']['url'])
        })

    user = User.objects().get(gplus_id=gplus_id)
    user.register_login()
    user.save()

    # The user already exists.  Redirect to the next url or
    # the root of the application ('/')
    if request.args.get('next'):
        return json_success({'redirect_url': request.args.get('next')})
    return json_success({'redirect_url': request.url_root})
示例#29
0
 def __call__(self, form, field):
     if form.user_type.data != 'fake_user' and \
             Whitelist.objects(email=field.data).count() != 0:
         raise ValidationError(self.message)
示例#30
0
 def setUp(self):
     for w in Whitelist.objects():
         w.delete()
     super(TestAuth, self).setUp()
示例#31
0
def store_token():
    """Do the oauth flow for Google plus sign in, storing the access token
    in the session, and redircting to create an account if appropriate.

    Because this method will be called from a $.ajax() request in JavaScript,
    we can't return redirect(), so instead this method returns the URL that
    the user should be redirected to, and the redirect happens in JavaScript:
        success: function(response) {
            window.location.href = response;
        }
    """
    if request.args.get('state', '') != session.get('state'):
        return json_response('Invalid state parameter.', 401)

    del session['state']
    code = request.data

    try:
        # Upgrade the authorization code into a credentials object
        oauth_flow = flow_from_clientsecrets(
            'config/client_secrets.json', scope='')
        oauth_flow.redirect_uri = 'postmessage'
        credentials = oauth_flow.step2_exchange(code)
    except FlowExchangeError:
        return json_response('Failed to upgrade the authorization code.',
                                  401)

    gplus_id = credentials.id_token['sub']

    # Store the access token in the session for later use.
    session['credentials'] = credentials.access_token
    session['gplus_id'] = gplus_id

    if User.objects(gplus_id=gplus_id).count() == 0:
        # A new user model must be made

        # Get the user's name and email to populate the form
        http = httplib2.Http()
        http = credentials.authorize(http)
        people_document = gplus_service.people().get(
            userId='me').execute(http=http)

        # The user must be whitelisted in order to create an account.
        email = people_document['emails'][0]['value']
        if Whitelist.objects(email=email).count() != 1:
            return json_response({
                'code': WHITELIST_CODE,
                'title': 'User has not been whitelisted.',
                'email': email
                }, 401)

        return json_response(url_for(
            '.create_profile',
            next=request.args.get('next'),
            name=people_document['displayName'],
            email=email,
            image_url=people_document['image']['url']), 200)

    user = User.objects().get(gplus_id=gplus_id)
    user.register_login()
    user.save()

    # The user already exists.  Redirect to the next url or
    # the root of the application ('/')
    if request.args.get('next'):
        return json_response(request.args.get('next'), 200)
    return json_response(request.url_root, 200)