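def put(self, user_id):
    """Reset or change the password of the user identified by *user_id*.

    Accepts an optional ``password`` argument; when it is absent a fresh
    password is generated and handed back in ``newPassword``. A caller who is
    not an admin may only change their own password, and users that belong to
    a read-only auth system cannot have their password changed here.

    Returns whatever ``self.make_response`` builds: 403 when the caller is not
    permitted or the auth system is read-only, 404 when the user does not
    exist, 200 with the user's JSON and the generated password (or ``None``
    when the caller supplied one) otherwise.
    """
    self.reqparse.add_argument('password', type=str, required=False)
    args = self.reqparse.parse_args()

    # The audit trail must never hold the clear-text password; record only
    # whether one was supplied. Assumes ``args`` is dict-like, which the
    # ``args['password']`` access below already relies on.
    audit_data = dict(args)
    audit_data['password'] = '<redacted>' if args['password'] else None
    AuditLog.log('user.passwordReset', session['user'].username, audit_data)

    caller = session['user']
    # Authorize before touching the database so a non-admin cannot learn
    # whether an arbitrary user_id exists from a 404 vs 403 difference.
    if ROLE_ADMIN not in caller.roles and user_id != caller.user_id:
        self.log.warning(
            '{} tried to change the password for another user'.format(caller.user_id))
        return self.make_response(
            'You cannot change other users passwords', HTTP.FORBIDDEN)

    user = User.query.filter(User.user_id == user_id).first()
    if not user:
        return self.make_response('User not found', HTTP.NOT_FOUND)

    authsys = current_app.available_auth_systems[user.auth_system]
    if authsys.readonly:
        # Externally managed accounts (e.g. a directory backend) own their
        # credentials; refusing here keeps the two stores from diverging.
        return self.make_response(
            'You cannot reset passwords for the {} based users'.format(authsys.name),
            HTTP.FORBIDDEN)

    new_pass = args['password'] or generate_password()
    user.password = hash_password(new_pass)
    db.session.add(user)
    db.session.commit()

    # Only a password generated here is echoed back; a caller-chosen one is
    # already known to them and should not be repeated in the response.
    return self.make_response(
        {
            'user': user.to_json(),
            'newPassword': new_pass if not args['password'] else None
        },
        HTTP.OK)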
def bootstrap(self):
    """Ensure the local-auth ``admin`` account exists, creating it if needed.

    Looks up the admin user for this auth system; when it is missing, creates
    one with a freshly generated password, attaches the admin and user roles,
    and writes the generated password to the log at ERROR level so the
    operator can pick it up on first start. When the account already exists
    nothing is changed.
    """
    existing = db.User.find_one(User.username == 'admin',
                                User.auth_system == self.name)
    if existing:
        self.log.debug('Local Auth admin user already exists, skipping')
        return

    initial_password = generate_password()
    role_objs = db.Role.filter(Role.name.in_((ROLE_ADMIN, ROLE_USER))).all()

    account = User()
    # NOTE(review): this literal does not match the 'admin' username used in
    # the lookup above, so the lookup would not find an account created here;
    # confirm whether the value was masked in this copy of the file.
    account.username = '******'
    account.auth_system = self.name
    account.password = hash_password(initial_password)
    db.session.add(account)
    db.session.commit()
    db.session.refresh(account)
    User.add_role(account, role_objs)

    # NOTE(review): the generated password lands in the application log in
    # clear text; anyone with log access can read it until it is rotated.
    self.log.error(
        'Created admin account for local authentication, username: admin, password: {}'
        .format(initial_password))
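def post(self):
    """Create a new user in a locally managed auth system.

    Request arguments: ``username`` and ``authSystem`` (required), an optional
    ``password`` (generated when omitted) and a repeatable ``roles`` list.
    Duplicates, unknown or read-only auth systems and unknown roles are
    rejected with 400; granting the admin role is refused with 403 unless the
    caller is an admin. On success returns the created user and, only when it
    was generated here, the clear-text password.
    """
    self.reqparse.add_argument('username', type=str, required=True)
    self.reqparse.add_argument('authSystem', type=str, required=True)
    self.reqparse.add_argument('password', type=str, required=False, default=None)
    self.reqparse.add_argument('roles', type=str, action='append', default=[])
    args = self.reqparse.parse_args()

    # The audit trail must never hold the clear-text password; record only
    # whether the caller supplied one. Assumes ``args`` is dict-like, which
    # the ``args['password']`` access below already relies on.
    audit_data = dict(args)
    audit_data['password'] = '<redacted>' if args['password'] else None
    auditlog(event='user.create', actor=session['user'].username, data=audit_data)

    username = args['username']
    auth_system_name = args['authSystem']

    user = db.User.find_one(User.username == username,
                            User.auth_system == auth_system_name)
    if user:
        return self.make_response('User already exists', HTTP.BAD_REQUEST)

    # An auth system this app does not know about cannot be edited from here.
    if auth_system_name not in current_app.available_auth_systems:
        return self.make_response(
            'The {} auth system does not allow local edits'.format(auth_system_name),
            HTTP.BAD_REQUEST)

    auth_sys = current_app.available_auth_systems[auth_system_name]
    if auth_sys.readonly:
        return self.make_response(
            'You cannot create users for the {} auth system as it is handled externally'
            .format(auth_system_name), HTTP.BAD_REQUEST)

    caller_is_admin = ROLE_ADMIN in session['user'].roles
    roles = []
    for role_name in args['roles']:
        role = db.Role.find_one(Role.name == role_name)
        if not role:
            return self.make_response('No such role {}'.format(role_name),
                                      HTTP.BAD_REQUEST)
        # Privilege-escalation guard: only an admin may create another admin.
        if role_name == ROLE_ADMIN and not caller_is_admin:
            self.log.error(
                'User {} tried to grant admin privileges to {}'.format(
                    session['user'].username, username))
            return self.make_response(
                'You do not have permission to grant admin privileges',
                HTTP.FORBIDDEN)
        roles.append(role)

    password = args['password'] or generate_password()
    user = User()
    user.username = username
    user.password = hash_password(password)
    user.auth_system = auth_sys.name
    db.session.add(user)
    db.session.commit()
    db.session.refresh(user)
    User.add_role(user, roles)

    # Only a password generated here is echoed back; a caller-chosen one is
    # already known to them and should not be repeated in the response.
    # NOTE(review): 'user' is returned as the model object, whereas the
    # password-reset endpoint returns user.to_json(); confirm make_response
    # serializes the model.
    return self.make_response({
        'message': 'User {}/{} has been created'.format(user.auth_system, user.username),
        'user': user,
        'password': password if not args['password'] else None
    }, HTTP.OK)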