def post(self, group_id): params = self._get_validated_object_parameters(request.form) group = data_engine.get_group(group_id=group_id, load_users=True) if group is None: raise DoesNotExistError(str(group_id)) # Check permissions! The current user must have user admin to be here. # But if they don't also have permissions admin or superuser then we # must block the change if the new group would grant one of the same. if group.permissions.admin_permissions or group.permissions.admin_all: if not permissions_engine.is_permitted( SystemPermissions.PERMIT_ADMIN_PERMISSIONS, get_session_user()): raise SecurityError( 'You cannot add users to a group that ' + 'grants permissions administration, because you do not ' + 'have permissions administration access yourself.') user = data_engine.get_user(user_id=params['user_id']) if user is not None: if user not in group.users: group.users.append(user) data_engine.save_object(group) reset_user_sessions(user) permissions_engine.reset() return make_api_success_response()
def _set_permissions(self, folio, params, db_session): """ Sets portfolio permissions from the params and returns whether the previous permissions were changed. """ changed = False param_names = { Group.ID_PUBLIC: 'public_access', Group.ID_EVERYONE: 'internal_access' } for group_id in param_names: access_level = params[param_names[group_id]] current_perm = [ fp for fp in folio.permissions if fp.group_id == group_id ] if not current_perm: # Add missing folder permission for group db_group = data_engine.get_group(group_id, _db_session=db_session) if db_group is None: raise DoesNotExistError(param_names[group_id] + ' group') changed = True folio.permissions.append( FolioPermission(folio, db_group, access_level)) else: # Update the existing folder permission for group fp = current_perm[0] changed = changed or (fp.access != access_level) fp.access = access_level return changed
def post(self): params = self._get_validated_object_parameters(request.form) db_session = data_engine.db_get_session() db_commit = False try: db_group = data_engine.get_group(params['group_id'], _db_session=db_session) if db_group is None: raise DoesNotExistError(str(params['group_id'])) db_folder = data_engine.get_folder(params['folder_id'], _db_session=db_session) if db_folder is None: raise DoesNotExistError(str(params['folder_id'])) # This commits (needed for refresh to get the new ID) fp = FolderPermission(db_folder, db_group, params['access']) fp = data_engine.save_object( fp, refresh=True, _db_session=db_session, _commit=True ) db_commit = True return make_api_success_response(object_to_dict(fp)) finally: try: if db_commit: db_session.commit() permissions_engine.reset() else: db_session.rollback() finally: db_session.close()
def post(self, group_id): params = self._get_validated_object_parameters(request.form) group = data_engine.get_group(group_id=group_id, load_users=True) if group is None: raise DoesNotExistError(str(group_id)) # Check permissions! The current user must have user admin to be here. # But if they don't also have permissions admin or superuser then we # must block the change if the new group would grant one of the same. if group.permissions.admin_permissions or group.permissions.admin_all: if not permissions_engine.is_permitted( SystemPermissions.PERMIT_ADMIN_PERMISSIONS, get_session_user() ): raise SecurityError( 'You cannot add users to a group that ' + 'grants permissions administration, because you do not ' + 'have permissions administration access yourself.' ) user = data_engine.get_user(user_id=params['user_id']) if user is not None: if user not in group.users: group.users.append(user) data_engine.save_object(group) permissions_engine.reset() return make_api_success_response()
def post(self): params = self._get_validated_object_parameters(request.form) db_session = data_engine.db_get_session() db_commit = False try: db_group = data_engine.get_group(params['group_id'], _db_session=db_session) if db_group is None: raise DoesNotExistError(str(params['group_id'])) db_folder = data_engine.get_folder(params['folder_id'], _db_session=db_session) if db_folder is None: raise DoesNotExistError(str(params['folder_id'])) # This commits (needed for refresh to get the new ID) fp = FolderPermission(db_folder, db_group, params['access']) fp = data_engine.save_object(fp, refresh=True, _db_session=db_session, _commit=True) db_commit = True return make_api_success_response(object_to_dict(fp)) finally: try: if db_commit: db_session.commit() permissions_engine.reset_folder_permissions() else: db_session.rollback() finally: db_session.close()
def folder_permissions(): folder_path = request.args.get('path', '') if folder_path == '': folder_path = os.path.sep group_id = request.args.get('group', '') if group_id == '': group_id = Group.ID_PUBLIC group = None folder = None current_perms = None groups = [] err_msg = None db_session = data_engine.db_get_session() try: # Get folder and group info group = data_engine.get_group(group_id, _db_session=db_session) if group is None: raise DoesNotExistError('This group no longer exists') folder = data_engine.get_folder(folder_path=folder_path, _db_session=db_session) if folder is None or folder.status == Folder.STATUS_DELETED: raise DoesNotExistError('This folder no longer exists') # Get groups list groups = data_engine.list_objects(Group, Group.name, _db_session=db_session) # Get the current permissions for the folder+group, which can be None. # Note that permissions_manager might fall back to the Public group if # this is None, but to keep the admin manageable we're going to deal # only with folder inheritance, not group inheritance too. current_perms = data_engine.get_nearest_folder_permission( folder, group, _load_nearest_folder=True, _db_session=db_session ) except Exception as e: log_security_error(e, request) err_msg = str(e) finally: try: return render_template( 'admin_folder_permissions.html', group=group, folder=folder, folder_is_root=folder.is_root() if folder else False, current_permissions=current_perms, group_list=groups, err_msg=err_msg, GROUP_ID_PUBLIC=Group.ID_PUBLIC, GROUP_ID_EVERYONE=Group.ID_EVERYONE ) finally: db_session.close()
def get(self, group_id=None): if group_id is None: # List groups return make_api_success_response( object_to_dict_list(data_engine.list_objects( Group, Group.name))) else: # Get single group group = data_engine.get_group(group_id=group_id, load_users=True) if group is None: raise DoesNotExistError(str(group_id)) return make_api_success_response(object_to_dict(group))
def folder_permissions(): folder_path = request.args.get('path', '') if folder_path == '': folder_path = os.path.sep group_id = request.args.get('group', '') if group_id == '': group_id = Group.ID_PUBLIC group = None folder = None current_perms = None groups = [] err_msg = None db_session = data_engine.db_get_session() try: # Get folder and group info group = data_engine.get_group(group_id, _db_session=db_session) if group is None: raise DoesNotExistError('This group no longer exists') folder = data_engine.get_folder(folder_path=folder_path, _db_session=db_session) if folder is None or folder.status == Folder.STATUS_DELETED: raise DoesNotExistError('This folder no longer exists') # Get groups list groups = data_engine.list_objects(Group, Group.name, _db_session=db_session) # Get the current permissions for the folder+group, which can be None. # Note that permissions_manager might fall back to the Public group if # this is None, but to keep the admin manageable we're going to deal # only with folder inheritance, not group inheritance too. current_perms = data_engine.get_nearest_folder_permission( folder, group, _load_nearest_folder=True, _db_session=db_session) except Exception as e: log_security_error(e, request) err_msg = safe_error_str(e) finally: try: return render_template( 'admin_folder_permissions.html', group=group, folder=folder, folder_is_root=folder.is_root() if folder else False, current_permissions=current_perms, group_list=groups, err_msg=err_msg, GROUP_ID_PUBLIC=Group.ID_PUBLIC, GROUP_ID_EVERYONE=Group.ID_EVERYONE) finally: db_session.close()
def delete(self, group_id, user_id): group = data_engine.get_group(group_id=group_id, load_users=True) if group is None: raise DoesNotExistError(str(group_id)) # Back up the object in case we need to restore it backup_group = copy.deepcopy(group) # Update group membership for idx, member in enumerate(group.users): if member.id == user_id: del group.users[idx] data_engine.save_object(group) permissions_engine.reset() _check_for_user_lockout(backup_group) break return make_api_success_response()
def delete(self, group_id): # Check permissions! The current user must have permissions admin to delete groups. permissions_engine.ensure_permitted( SystemPermissions.PERMIT_ADMIN_PERMISSIONS, get_session_user() ) group = data_engine.get_group(group_id=group_id) if group is None: raise DoesNotExistError(str(group_id)) try: data_engine.delete_group(group) except ValueError as e: raise ParameterError(str(e)) # Reset permissions cache permissions_engine.reset() return make_api_success_response()
def delete(self, group_id): # Check permissions! The current user must have permissions admin to delete groups. permissions_engine.ensure_permitted( SystemPermissions.PERMIT_ADMIN_PERMISSIONS, get_session_user()) group = data_engine.get_group(group_id=group_id, load_users=True) if group is None: raise DoesNotExistError(str(group_id)) try: data_engine.delete_group(group) except ValueError as e: raise ParameterError(str(e)) # Reset permissions and session caches reset_user_sessions(group.users) permissions_engine.reset() return make_api_success_response()
def get(self, group_id=None): if group_id is None: # List groups return make_api_success_response( object_to_dict_list(data_engine.list_objects(Group, Group.name)) ) else: # Get single group group = data_engine.get_group(group_id=group_id, load_users=True) if group is None: raise DoesNotExistError(str(group_id)) # Do not give out anything password related gdict = object_to_dict(group) for udict in gdict['users']: del udict['password'] return make_api_success_response(gdict)
def delete(self, group_id, user_id): group = data_engine.get_group(group_id=group_id, load_users=True) if group is None: raise DoesNotExistError(str(group_id)) # Back up the object in case we need to restore it backup_group = copy.deepcopy(group) # Update group membership for idx, member in enumerate(group.users): if member.id == user_id: del group.users[idx] data_engine.save_object(group) reset_user_sessions(member) permissions_engine.reset() _check_for_user_lockout(backup_group) break return make_api_success_response()
def put(self, group_id): params = self._get_validated_object_parameters(request.form) group = data_engine.get_group(group_id=group_id, load_users=True) if group is None: raise DoesNotExistError(str(group_id)) # Back up the object in case we need to restore it backup_group = copy.deepcopy(group) # Update group group.description = params['description'] if group.group_type != Group.GROUP_TYPE_SYSTEM: group.group_type = params['group_type'] if group.group_type == Group.GROUP_TYPE_LOCAL: group.name = params['name'] permissions_changed = self._set_permissions(group, params) data_engine.save_object(group) # Reset permissions and session caches if permissions_changed: reset_user_sessions(group.users) permissions_engine.reset() _check_for_user_lockout(backup_group) return make_api_success_response(object_to_dict(group))
def group_edit(group_id): embed = request.args.get('embed', '') group = None users = [] err_msg = None try: users = data_engine.list_users(status=User.STATUS_ACTIVE, order_field=User.username) if group_id > 0: group = data_engine.get_group(group_id=group_id, load_users=True) except Exception as e: log_security_error(e, request) err_msg = safe_error_str(e) return render_template('admin_group_edit.html', embed=embed, users=users, group=group, err_msg=err_msg, GROUP_ID_PUBLIC=Group.ID_PUBLIC, GROUP_TYPE_LOCAL=Group.GROUP_TYPE_LOCAL, GROUP_TYPE_SYSTEM=Group.GROUP_TYPE_SYSTEM, STATUS_ACTIVE=User.STATUS_ACTIVE)
def group_edit(group_id): embed = request.args.get('embed', '') group = None users = [] err_msg = None try: users = data_engine.list_users(status=User.STATUS_ACTIVE, order_field=User.username) if group_id > 0: group = data_engine.get_group(group_id=group_id, load_users=True) except Exception as e: log_security_error(e, request) err_msg = str(e) return render_template( 'admin_group_edit.html', embed=embed, users=users, group=group, err_msg=err_msg, GROUP_ID_PUBLIC=Group.ID_PUBLIC, GROUP_TYPE_LOCAL=Group.GROUP_TYPE_LOCAL, GROUP_TYPE_SYSTEM=Group.GROUP_TYPE_SYSTEM, STATUS_ACTIVE=User.STATUS_ACTIVE )
def put(self, group_id): params = self._get_validated_object_parameters(request.form) group = data_engine.get_group(group_id=group_id, load_users=True) if group is None: raise DoesNotExistError(str(group_id)) # Back up the object in case we need to restore it backup_group = copy.deepcopy(group) # Update group group.description = params['description'] if group.group_type != Group.GROUP_TYPE_SYSTEM: group.group_type = params['group_type'] if group.group_type == Group.GROUP_TYPE_LOCAL: group.name = params['name'] permissions_changed = self._set_permissions(group, params) data_engine.save_object(group) # Reset permissions cache if permissions_changed: permissions_engine.reset() _check_for_user_lockout(backup_group) # Do not give out anything password related gdict = object_to_dict(group) for udict in gdict['users']: del udict['password'] return make_api_success_response(gdict)