def get_user_from_auth():
    """Resolve the caller of the current request from its cookies.

    Returns:
        ``{'is_superuser': True}`` when the ``auth_token`` cookie verifies as
        a superuser token, otherwise the user record resolved by
        ``get_user`` from the request cookies.

    Aborts the request with HTTP 401 when no user can be resolved.
    """
    token = request.cookies.get('auth_token')
    if verify_superuser_auth_token(token):
        # Superusers are represented by a fixed sentinel record.
        return {'is_superuser': True}
    caller = get_user(request.cookies)
    if caller is None:
        abort(401)
    return caller
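def filter_applications(applications, cookies):
    """Restrict an ``Application`` query to what the current caller may see.

    Args:
        applications: SQLAlchemy query over ``Application`` rows.
        cookies: accepted for signature compatibility but not read; the
            caller's identity is taken from ``request.cookies``, the same
            source the superuser check uses.

    Returns:
        The query unchanged for superusers and for users holding the
        ``flod_saksbehandlere`` role; otherwise the query narrowed to
        * ``flod_brukere``: applications on resources the user holds a
          ``CAN_EDIT_FACILITY_*`` credential for;
        * everyone else: the user's own applications plus those of the
          organisations the person belongs to.

    Aborts the request with HTTP 401 when no user can be resolved from the
    cookies.
    """
    if verify_superuser_auth_token(request.cookies.get('auth_token')):
        # No filter for superuser
        return applications
    user = get_user(request.cookies)
    if user is None:
        abort(401)
    if has_role(user, 'flod_saksbehandlere'):
        # No filter for flod_saksbehandlere
        return applications
    if has_role(user, 'flod_brukere'):
        return _filter_by_owned_resources(applications, user)
    return _filter_by_person_and_organisations(applications, user)


def _filter_by_owned_resources(applications, user):
    """Administrators only see applications for resources they own.

    Credentials carry remote resource ids; they are mapped to the local
    ``Resource`` ids used by booking through the ``/facilities/<id>`` uri.
    """
    remote_resource_ids = [
        c['resource_id']
        for c in user.get('credentials', [])
        # A credential without an id is simply not a facility credential.
        if (c.get('id') or '').startswith('CAN_EDIT_FACILITY_')
    ]
    local_resource_ids = []
    if remote_resource_ids:
        uris = ["/facilities/%s" % i for i in remote_resource_ids]
        res = current_app.db_session.query(Resource).filter(
            Resource.uri.in_(uris)).all()
        local_resource_ids = [r.id for r in res]
    # An empty id list still yields an empty result: a user with no
    # facility credentials sees nothing rather than everything.
    return applications.filter(
        Application.resource_id.in_(local_resource_ids)
    )


def _filter_by_person_and_organisations(applications, user):
    """External users only see their own applications and those of their organisations."""
    person_uri = '/persons/{}'.format(user['person_id'])
    orgs = get_person_from_web('/persons/%s/organisations/' % user['person_id'])
    # Organisation uris are remote; resolve them to local Organisation ids.
    # Entries without a uri are dropped: they could never match a row anyway.
    org_uris = [org.get('uri') for org in (orgs or []) if org.get('uri')]
    org_ids = []
    if org_uris:
        res = current_app.db_session.query(Organisation).filter(
            Organisation.uri.in_(org_uris)).all()
        org_ids = [o.id for o in res]
    own_applications = Application.person.has(uri=person_uri)
    if not org_ids:
        return applications.filter(own_applications)
    return applications.filter(
        or_(
            own_applications,
            Application.organisation_id.in_(org_ids)
        )
    )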
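def get_user(cookies, timeout=10):
    """Look up the user identified by the request cookies.

    Args:
        cookies: cookie mapping of the incoming request. The ``auth_token``
            cookie is checked for a superuser token first; the whole mapping
            is forwarded to the users service.
        timeout: seconds to wait for the users service, so a stalled backend
            cannot hang the calling request indefinitely.

    Returns:
        ``{'is_superuser': True}`` for a valid superuser token, the JSON
        user record returned by the users service, or ``None`` when no user
        id can be derived from the cookies or the service does not answer
        with a 2xx status.
    """
    from urllib.parse import quote

    if verify_superuser_auth_token(cookies.get('auth_token')):
        return {'is_superuser': True}
    user_id = get_user_id_from_cookies(cookies)
    if not user_id:
        return None
    # The id originates in a client-supplied cookie: percent-encode it so it
    # can only ever address a single path segment of the users API.
    url = '%s/api/%s/users/%s' % (
        USERS_URL, USERS_VERSION, quote(str(user_id), safe=''))
    response = requests.get(url, cookies=cookies, timeout=timeout)
    if not response.ok:
        # Without this check an error body was decoded and handed back as if
        # it were a user record; any non-2xx answer now means "no user".
        return None
    return response.json()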
def validate(self, f, *args, **kwargs):
    """Reject the request unless it carries a valid superuser ``auth_token`` cookie.

    Args:
        f: the wrapped view; passed through to ``self.fail`` on rejection.
        *args, **kwargs: the view's arguments, likewise passed through.

    Calls ``self.fail`` with HTTP 403 when the cookie is missing, does not
    verify as an auth token, or does not verify as a superuser token.
    """
    auth_token = request.cookies.get("auth_token")
    if auth_token is None:
        authorized = False
    else:
        # Both checks must pass; the superuser check is only reached when
        # the token itself verifies.
        authorized = verify_auth_token(auth_token) and verify_superuser_auth_token(auth_token)
    if not authorized:
        self.fail("User is not authorized to request the resource.", f, 403, None, *args, **kwargs)