def mygroups():
if 'username' not in flask.session:
return flask.abort(403)
user_id = auth_utils.get_user_id(flask.session['username'])
return flask.render_template('newsgroups.html',
groups=helpers.get_my_newsgroups(user_id),
page="my")
def campus_positions():
'''Renders the campus positions template. We collect a list of
groups that the currently loged in user is the admin of. We
also collect the total list of positions and pass it in'''
approved_group_ids = []
approved_group_names = []
def approve_group(group):
approved_group_ids.append(group['group_id'])
approved_group_names.append(group['group_name'])
if is_admin():
groups = groups_helpers.get_group_list_data(('group_id', 'group_name'))
for group in groups:
approve_group(group)
else:
username = flask.session.get('username')
if username:
user_id = get_user_id(username)
for group in helpers.get_group_list_of_member(user_id):
if group["control"]:
approve_group(group)
all_positions = groups_helpers.get_position_data(
include_house_and_ug=False, order_by=("group_name", "pos_name"))
return flask.render_template('campus_positions.html',
approved_group_ids=approved_group_ids,
approved_group_names=approved_group_names,
all_positions=all_positions)
def set_timezone():
user_id = auth_utils.get_user_id(flask.session['username'])
timezone = flask.request.form['timezone']
timezone = int(timezone) if timezone else None
helpers.set_member_field(user_id, 'timezone', timezone)
return redirect(
flask.url_for('directory_search.view_user', user_id=user_id))
def insert_event_to_db(calendar_tag,
google_event_id,
event_summary,
event_description,
event_location,
begin_time,
end_time,
username=None):
'''
Inserts events to our db. If the event already exists (by looking
for the google id) then update.
'''
insert = '''
INSERT INTO calendar_events (user_id, calendar_tag,
google_event_id, summary, description,
location, begin_time, end_time) VALUES
(%s, %s, %s, %s, %s, %s, %s, %s) ON DUPLICATE KEY UPDATE
user_id = VALUES(user_id),
summary=VALUES(summary),
description=VALUES(description),
location=VALUES(location),
begin_time=VALUES(begin_time),
end_time=VALUES(end_time)
'''
with flask.g.pymysql_db.cursor() as cursor:
cursor.execute(insert, [
auth_utils.get_user_id(username), calendar_tag, google_event_id,
event_summary, event_description, event_location, begin_time,
end_time
])
def create_position():
form = flask.request.form
group_id = form.get('group_id')
try:
group_id = int(group_id)
except ValueError:
return jsonify({'success': False, 'message': 'Invalid group'})
pos_name = form.get('pos_name')
if not pos_name:
return jsonify({'success': False, 'message': 'Invalid position'})
username = flask.session.get('username')
if not (username and helpers.can_control(get_user_id(username), group_id)):
return jsonify({
'success': False,
'message': 'You do not control this group'
})
send = 'send' in form
control = 'control' in form
receive = 'receive' in form
try:
helpers.add_position(group_id,
pos_name,
send=send,
control=control,
receive=receive)
except Exception as e:
flask.current_app.logger.exception(f'Failed to create position: {e}')
return jsonify({'success': False, 'message': 'Unable to add position'})
return jsonify({'success': True})
def view_post(post_id):
if 'username' not in flask.session:
return flask.abort(403)
user_id = auth_utils.get_user_id(flask.session['username'])
post = helpers.get_post(post_id)
if not groups.is_user_in_group(user_id, post['group_id']):
return flask.abort(403)
return flask.render_template('view_post.html', post=post)
def unsubscribe(group_id):
if 'username' not in flask.session:
return flask.abort(403)
helpers.unsubscribe(auth_utils.get_user_id(flask.session['username']),
group_id)
flask.flash('Successfully unsubscribed')
return flask.redirect(
flask.url_for('newsgroups.view_group', group_id=group_id))
def apply_subscription(group_id):
if 'username' not in flask.session:
return flask.abort(403)
helpers.apply_subscription(
auth_utils.get_user_id(flask.session['username']), group_id)
flask.flash('Successfully applied for subscription')
return flask.redirect(
flask.url_for('newsgroups.view_group', group_id=group_id))
def delete_notes(username, course, section):
user_id = get_user_id(username)
query = """
UPDATE scheduler_sections SET notes = NULL
WHERE user_id = %s AND course_id = %s AND section_number = %s
"""
with flask.g.pymysql_db.cursor() as cursor:
cursor.execute(query, (user_id, course, section))
def delete_application(user_id, group_id):
username = flask.session.get('username')
if username is None or not helpers.get_user_actions(
auth_utils.get_user_id(username), group_id)['control']:
return flask.abort(403)
helpers.remove_application(user_id, group_id)
return flask.redirect(
flask.url_for('newsgroups.view_group', group_id=group_id))
def login_submit():
"""Handle authentication."""
mask_and_user = flask.request.form.get('username', None)
password = flask.request.form.get('password', None)
# Need to take care of the case when masquerading occurs.
username = None
mask = None
if mask_and_user is not None:
# Check for the character to split.
if ':' in mask_and_user:
# If it's there, we assume the second part is a mask name.
split = mask_and_user.split(':')
if len(split) > 2:
flask.flash('You cannot specify multiple masks at once.')
return flask.redirect(flask.url_for('auth.login'))
username, mask = split
else:
username = mask_and_user
if username is not None and password is not None:
user_id = helpers.authenticate(username, password)
if user_id is not None:
if mask is not None:
# If the user doesn't have permission, refuse the attempt to masquerade.
if not auth_utils.check_permission(username, Permissions.MASK):
flask.flash('You do not have permission to masquerade.')
return flask.redirect(flask.url_for('auth.login'))
# Also check that the mask exists.
if not auth_utils.get_user_id(mask):
flask.flash('That person does not exist to mask.')
return flask.redirect(flask.url_for('auth.login'))
# If the user has mask permissions, give them the mask.
flask.session['username'] = mask
flask.current_app.logger.info(
f'User {username} is masquerading as {mask}')
else:
flask.session['username'] = username
flask.current_app.logger.info(f'User logged in: {username}')
# Update last login time
auth_utils.update_last_login(username)
# Return to previous page if in session
if 'next' in flask.session:
redirect_to = flask.session.pop('next')
return flask.redirect(redirect_to)
else:
return flask.redirect(flask.url_for('home'))
flask.current_app.logger.warn(
f'Invalid login attempt for user: {username}')
flask.flash('Incorrect username or password. Please try again!')
return flask.redirect(flask.url_for('auth.login'))
def add_planner_course(username, course_id, year):
"""
Adds a certain course to a certain user's planner for a given year.
Year 1 is frosh year, year 2 is smore year, etc.
"""
user_id = get_user_id(username)
query = 'INSERT INTO planner_courses (user_id, course_id, planner_year) VALUES (%s, %s, %s)'
with flask.g.pymysql_db.cursor() as cursor:
cursor.execute(query, (user_id, course_id, year))
def is_admin():
"""
Checks if user can control the settings.
"""
if 'username' not in flask.session:
return False
user_id = auth_utils.get_user_id(flask.session['username'])
ascit_id = groups.get_group_id('ASCIT')
return auth_utils.is_admin() or groups.is_user_in_group(user_id, ascit_id)
def set_responses(question_ids, responses):
user_id = get_user_id(flask.session['username'])
query = """
INSERT INTO survey_responses(question_id, user_id, response)
VALUES (%s, %s, %s)
"""
with flask.g.pymysql_db.cursor() as cursor:
for question_id, response in zip(question_ids, responses):
cursor.execute(query, [question_id, user_id, response])
def get_notes(username, course, section):
user_id = get_user_id(username)
query = """
SELECT notes FROM scheduler_sections
WHERE user_id= %s AND course_id = %s AND section_number = %s
"""
with flask.g.pymysql_db.cursor() as cursor:
cursor.execute(query, (user_id, course, section))
return cursor.fetchone()['notes']
def add_reservation(room, username, reason, start, end):
insertion = """
INSERT INTO room_reservations
(room_id, user_id, reason, start_time, end_time)
VALUES (%s, %s, %s, %s, %s)
"""
with flask.g.pymysql_db.cursor() as cursor:
cursor.execute(insertion,
[room, get_user_id(username), reason, start, end])
def restrict_edit_access(survey, allow_after_close):
username = flask.session.get('username')
if not check_permission(username, Permissions.SURVEYS):
flask.abort(403)
if not survey:
return 'Invalid access key'
if get_user_id(username) != survey['creator']:
return 'You are not the creator of this survey'
if not allow_after_close and survey['end_time'] < datetime.now():
return 'Cannot modify a survey after it has closed'
def get_notes(username, course):
user_id = get_user_id(username)
query = "SELECT notes FROM scheduler_notes WHERE user_id=%s AND course_id=%s"
with flask.g.pymysql_db.cursor() as cursor:
cursor.execute(query, (user_id, course))
res = cursor.fetchone()
if res:
return res['notes']
else:
return None
def post(group_id=None):
if 'username' not in flask.session:
return flask.abort(403)
user_id = auth_utils.get_user_id(flask.session['username'])
if not group_id:
group_id = flask.request.form.get('group')
return flask.render_template('post.html',
groups=helpers.get_my_newsgroups(
user_id, True),
group_selected=group_id,
page='post')
def edit_notes(username, course, notes):
if len(notes) == 0:
delete_notes(username, course)
return
user_id = get_user_id(username)
query = """
INSERT INTO scheduler_notes (user_id, course_id, notes) VALUES (%s, %s, %s)
ON DUPLICATE KEY UPDATE notes = VALUES(notes)
"""
with flask.g.pymysql_db.cursor() as cursor:
cursor.execute(query, (user_id, course, notes))
def get_hidden_fields(viewer_name, viewee_id):
"""
Returns a set of strings corresponding to fields
on view_user page for viewee that viewer should not see
"""
if viewer_name is not None:
is_me = get_user_id(viewer_name) == viewee_id
if is_me or check_permission(
viewer_name, DirectoryPermissions.HIDDEN_SEARCH_FIELDS):
return set()
return HIDDEN_FIELDS
def all_posts(group_id):
if 'username' not in flask.session:
return flask.abort(403)
user_id = auth_utils.get_user_id(flask.session['username'])
if not groups.is_user_in_group(user_id, group_id):
return flask.abort(403)
group_name = groups.get_group_data(group_id, ['group_name'])['group_name']
return flask.render_template('all_posts.html',
group_id=group_id,
group_name=group_name,
messages=helpers.get_past_messages(
group_id, 50))
def drop_scheduler_section(username, course, section):
"""
Removes a certain section number of a certain course
from a certain user's schedule for the course's term.
"""
user_id = get_user_id(username)
query = """
DELETE FROM scheduler_sections
WHERE user_id = %s AND course_id = %s AND section_number = %s
"""
with flask.g.pymysql_db.cursor() as cursor:
cursor.execute(query, (user_id, course, section))
def add_scheduler_section(username, course, section):
"""
Adds a certain section number of a certain course
to a certain user's schedule for the course's term.
"""
user_id = get_user_id(username)
query = """
INSERT INTO scheduler_sections (user_id, course_id, section_number)
VALUES (%s, %s, %s)
"""
with flask.g.pymysql_db.cursor() as cursor:
cursor.execute(query, (user_id, course, section))
def drop_planner_course(username, course_id, year):
"""
Removes a certain course from a certain user's planner for a given year.
Year 1 is frosh year, year 2 is smore year, etc.
"""
user_id = get_user_id(username)
query = """
DELETE FROM planner_courses
WHERE user_id = %s AND course_id = %s AND planner_year = %s
"""
with flask.g.pymysql_db.cursor() as cursor:
cursor.execute(query, (user_id, course_id, year))
def get_my_items():
"""
Generates the table of items managed by the current user.
"""
return table_fetch(
"""
marketplace_items NATURAL LEFT JOIN
marketplace_textbooks NATURAL JOIN
marketplace_categories
""",
fields=MANAGE_FIELDS,
attrs={'user_id': get_user_id(flask.session['username'])})
def drop_planner_placeholder(username, placeholder_id):
"""
Removes the placeholder with the given ID from the user's planner.
Returns whether successful (i.e. the given placeholder did belong to the user).
"""
user_id = get_user_id(username)
query = """
DELETE FROM planner_placeholders
WHERE placeholder_id = %s AND user_id = %s
"""
with flask.g.pymysql_db.cursor() as cursor:
cursor.execute(query, (placeholder_id, user_id))
return cursor.rowcount > 0
def view_user(user_id):
if not is_caltech_user():
return login_redirect()
user = helpers.get_user(user_id)
is_me = 'username' in flask.session and get_user_id(
flask.session['username']) == user_id
hidden_fields = helpers.get_hidden_fields(flask.session.get('username'),
user_id)
return flask.render_template('view_user.html',
user=user,
is_me=is_me,
user_id=user_id,
hidden_fields=hidden_fields)
def update_lock_query(title, new_lock_status):
"""
Query for updating lock status
"""
title = title.replace(" ", "_")
query = """
UPDATE webpage_files
SET locked = %s, last_edit_time = NOW(), last_edit_uid = %s
WHERE title = %s
"""
with flask.g.pymysql_db.cursor() as cursor:
cursor.execute(
query, (new_lock_status,
auth_utils.get_user_id(flask.session['username']), title))
def set_email():
username = flask.session.get('username')
if username is None:
flask.abort(403)
email = flask.request.form['email']
valid = validate_email(email) and \
validate_matches(email, flask.request.form['email2'])
if not valid:
return redirect(flask.url_for('.edit_user'))
user_id = auth_utils.get_user_id(username)
helpers.set_member_field(user_id, 'email', email)
return redirect(
flask.url_for('directory_search.view_user', user_id=user_id))