示例#1
    def post(self, group_id):
        """Add the user named in the form data to the group ``group_id``.

        Raises DoesNotExistError when the group cannot be found, and
        SecurityError when the group grants permissions administration (or
        admin_all) while the session user lacks PERMIT_ADMIN_PERMISSIONS.
        Returns the standard API success response.
        """
        params = self._get_validated_object_parameters(request.form)
        group = data_engine.get_group(group_id=group_id, load_users=True)
        if group is None:
            raise DoesNotExistError(str(group_id))

        # Privilege-escalation guard: a caller who only holds user admin must
        # not be able to hand out permissions admin / superuser by adding
        # people to a group that carries those flags.
        # NOTE(review): the user-admin requirement itself is not checked in
        # this method; presumably enforced before it runs. Confirm.
        grants_admin = (
            group.permissions.admin_permissions or group.permissions.admin_all
        )
        if grants_admin and not permissions_engine.is_permitted(
                SystemPermissions.PERMIT_ADMIN_PERMISSIONS,
                get_session_user()):
            raise SecurityError(
                'You cannot add users to a group that '
                'grants permissions administration, because you do not '
                'have permissions administration access yourself.')

        # NOTE(review): an unknown user_id falls through to a success
        # response without changing anything. Confirm this is intended.
        new_member = data_engine.get_user(user_id=params['user_id'])
        if new_member is not None and new_member not in group.users:
            group.users.append(new_member)
            data_engine.save_object(group)
            # Membership changed, so reset the user's sessions and the
            # permissions engine.
            reset_user_sessions(new_member)
            permissions_engine.reset()
        return make_api_success_response()
示例#2
 def _set_permissions(self, folio, params, db_session):
     """
     Applies the 'public_access' and 'internal_access' values in params to
     the portfolio's permissions for the public and everyone groups.

     Returns True when a permission record was added or an existing access
     level differed from the requested one, otherwise False. Raises
     DoesNotExistError when a group that needs a new record is missing.
     """
     # NOTE(review): access levels are taken from params as-is; presumably
     # range-checked by the caller's parameter validation. Confirm.
     params_by_group = {
         Group.ID_PUBLIC: 'public_access',
         Group.ID_EVERYONE: 'internal_access'
     }
     changed = False
     for group_id, param_name in params_by_group.items():
         access_level = params[param_name]
         existing = [
             perm for perm in folio.permissions if perm.group_id == group_id
         ]
         if existing:
             # Update the portfolio permission already held for this group
             perm = existing[0]
             if not changed and perm.access != access_level:
                 changed = True
             perm.access = access_level
             continue
         # No portfolio permission for this group yet, so create one
         db_group = data_engine.get_group(group_id, _db_session=db_session)
         if db_group is None:
             raise DoesNotExistError(param_name + ' group')
         changed = True
         folio.permissions.append(
             FolioPermission(folio, db_group, access_level))
     return changed
示例#3
    def post(self):
        """Create a folder permission for the group and folder in the form data.

        Raises DoesNotExistError when either the group or the folder cannot
        be found. On success the permissions engine is reset and the new
        record is returned in the API success response.
        """
        # NOTE(review): no permission check is visible in this method;
        # presumably enforced by a decorator or the base class. Confirm.
        params = self._get_validated_object_parameters(request.form)
        session = data_engine.db_get_session()
        saved = False
        try:
            group = data_engine.get_group(
                params['group_id'], _db_session=session)
            if group is None:
                raise DoesNotExistError(str(params['group_id']))
            folder = data_engine.get_folder(
                params['folder_id'], _db_session=session)
            if folder is None:
                raise DoesNotExistError(str(params['folder_id']))

            # save_object commits here; the refresh needs the commit so that
            # the new record's ID is available.
            new_perm = data_engine.save_object(
                FolderPermission(folder, group, params['access']),
                refresh=True,
                _db_session=session,
                _commit=True
            )
            saved = True
            return make_api_success_response(object_to_dict(new_perm))
        finally:
            # Runs on both the success and the error path; the session is
            # always closed, whatever commit/rollback does.
            try:
                if not saved:
                    session.rollback()
                else:
                    session.commit()
                    permissions_engine.reset()
            finally:
                session.close()
示例#4
    def post(self, group_id):
        """Add the user named in the form data to the group ``group_id``.

        Raises DoesNotExistError for an unknown group and SecurityError when
        the group grants permissions administration (or admin_all) and the
        session user does not hold PERMIT_ADMIN_PERMISSIONS.
        """
        params = self._get_validated_object_parameters(request.form)
        group = data_engine.get_group(group_id=group_id, load_users=True)
        if group is None:
            raise DoesNotExistError(str(group_id))

        # Guard against privilege escalation: someone with only user admin
        # may not place users in a group that confers permissions admin or
        # superuser unless they hold permissions admin themselves.
        # NOTE(review): the user-admin requirement is not checked here;
        # presumably enforced before this method runs. Confirm.
        perms = group.permissions
        if perms.admin_permissions or perms.admin_all:
            caller_is_perm_admin = permissions_engine.is_permitted(
                SystemPermissions.PERMIT_ADMIN_PERMISSIONS, get_session_user()
            )
            if not caller_is_perm_admin:
                raise SecurityError(
                    'You cannot add users to a group that '
                    'grants permissions administration, because you do not '
                    'have permissions administration access yourself.'
                )

        # NOTE(review): a user_id that matches no user still yields a
        # success response. Confirm this is intended.
        candidate = data_engine.get_user(user_id=params['user_id'])
        if candidate is not None and candidate not in group.users:
            group.users.append(candidate)
            data_engine.save_object(group)
            permissions_engine.reset()
        return make_api_success_response()
示例#5
    def post(self):
        """Create a folder permission for the group and folder in the form data.

        Raises DoesNotExistError when the group or the folder is not found.
        After a successful save the cached folder permissions are reset and
        the new record is returned in the API success response.
        """
        # NOTE(review): no permission check is visible in this method;
        # presumably enforced by a decorator or the base class. Confirm.
        params = self._get_validated_object_parameters(request.form)
        session = data_engine.db_get_session()
        committed = False
        try:
            target_group = data_engine.get_group(
                params['group_id'], _db_session=session)
            if target_group is None:
                raise DoesNotExistError(str(params['group_id']))

            target_folder = data_engine.get_folder(
                params['folder_id'], _db_session=session)
            if target_folder is None:
                raise DoesNotExistError(str(params['folder_id']))

            # The save commits straight away: refresh=True needs the commit
            # in order to read back the new ID.
            record = FolderPermission(
                target_folder, target_group, params['access'])
            record = data_engine.save_object(
                record, refresh=True, _db_session=session, _commit=True)
            committed = True
            return make_api_success_response(object_to_dict(record))
        finally:
            # Commit-and-reset on success, roll back otherwise; close the
            # session in every case.
            try:
                if committed:
                    session.commit()
                    permissions_engine.reset_folder_permissions()
                else:
                    session.rollback()
            finally:
                session.close()
示例#6
文件: views_pages.py 项目: quru/qis
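def folder_permissions():
    """Render the admin page showing one group's permissions on one folder.

    Reads ``path`` (default: the root separator) and ``group`` (default: the
    public group) from the query string. Lookup failures are logged with
    log_security_error and shown on the page through ``err_msg`` rather than
    raised. The database session stays open while the template renders and
    is always closed afterwards.
    """
    # NOTE(review): no access check is visible in this function; presumably
    # applied by a decorator outside this listing. Confirm.
    folder_path = request.args.get('path', '')
    if folder_path == '':
        folder_path = os.path.sep

    group_id = request.args.get('group', '')
    if group_id == '':
        group_id = Group.ID_PUBLIC

    group = None
    folder = None
    current_perms = None
    groups = []
    err_msg = None
    db_session = data_engine.db_get_session()
    try:
        try:
            # Get folder and group info
            group = data_engine.get_group(group_id, _db_session=db_session)
            if group is None:
                raise DoesNotExistError('This group no longer exists')
            folder = data_engine.get_folder(
                folder_path=folder_path, _db_session=db_session)
            if folder is None or folder.status == Folder.STATUS_DELETED:
                raise DoesNotExistError('This folder no longer exists')

            # Get groups list
            groups = data_engine.list_objects(
                Group, Group.name, _db_session=db_session)

            # Get the current permissions for the folder+group, which can be
            # None. Note that permissions_manager might fall back to the
            # Public group if this is None, but to keep the admin manageable
            # we're going to deal only with folder inheritance, not group
            # inheritance too.
            current_perms = data_engine.get_nearest_folder_permission(
                folder, group,
                _load_nearest_folder=True,
                _db_session=db_session
            )
        except Exception as e:
            log_security_error(e, request)
            # NOTE(review): the raw text of any exception is passed to the
            # template; for unexpected errors this may expose internal
            # details to the page. Consider a generic message for those.
            err_msg = str(e)

        # The return used to sit inside a `finally` clause, which silently
        # discarded any in-flight exception, including KeyboardInterrupt and
        # SystemExit. Rendering after the except block keeps the error page
        # behaviour for ordinary exceptions and lets those propagate.
        return render_template(
            'admin_folder_permissions.html',
            group=group,
            folder=folder,
            folder_is_root=folder.is_root() if folder else False,
            current_permissions=current_perms,
            group_list=groups,
            err_msg=err_msg,
            GROUP_ID_PUBLIC=Group.ID_PUBLIC,
            GROUP_ID_EVERYONE=Group.ID_EVERYONE
        )
    finally:
        db_session.close()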
示例#7
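 def get(self, group_id=None):
     """
     Returns the list of groups (ordered by name) when group_id is None,
     otherwise the single group with its users loaded.

     Raises DoesNotExistError when the requested group is not found.
     """
     if group_id is None:
         # List groups
         return make_api_success_response(
             object_to_dict_list(data_engine.list_objects(
                 Group, Group.name)))

     # Get single group
     group = data_engine.get_group(group_id=group_id, load_users=True)
     if group is None:
         raise DoesNotExistError(str(group_id))
     # The group is serialised together with its users, so strip any
     # password field from each user record before it leaves the API.
     # pop() with a default is a no-op when the key is already absent.
     gdict = object_to_dict(group)
     for udict in gdict.get('users') or []:
         udict.pop('password', None)
     return make_api_success_response(gdict)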
示例#8
文件: views_pages.py 项目: quru/qis
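def folder_permissions():
    """Render the admin page showing one group's permissions on one folder.

    Reads ``path`` (default: the root separator) and ``group`` (default: the
    public group) from the query string. Lookup failures are logged with
    log_security_error and shown on the page through ``err_msg`` rather than
    raised. The database session stays open while the template renders and
    is always closed afterwards.
    """
    # NOTE(review): no access check is visible in this function; presumably
    # applied by a decorator outside this listing. Confirm.
    folder_path = request.args.get('path', '')
    if folder_path == '':
        folder_path = os.path.sep

    group_id = request.args.get('group', '')
    if group_id == '':
        group_id = Group.ID_PUBLIC

    group = None
    folder = None
    current_perms = None
    groups = []
    err_msg = None
    db_session = data_engine.db_get_session()
    try:
        try:
            # Get folder and group info
            group = data_engine.get_group(group_id, _db_session=db_session)
            if group is None:
                raise DoesNotExistError('This group no longer exists')
            folder = data_engine.get_folder(folder_path=folder_path,
                                            _db_session=db_session)
            if folder is None or folder.status == Folder.STATUS_DELETED:
                raise DoesNotExistError('This folder no longer exists')

            # Get groups list
            groups = data_engine.list_objects(Group,
                                              Group.name,
                                              _db_session=db_session)

            # Get the current permissions for the folder+group, which can be
            # None. Note that permissions_manager might fall back to the
            # Public group if this is None, but to keep the admin manageable
            # we're going to deal only with folder inheritance, not group
            # inheritance too.
            current_perms = data_engine.get_nearest_folder_permission(
                folder, group, _load_nearest_folder=True,
                _db_session=db_session)
        except Exception as e:
            log_security_error(e, request)
            err_msg = safe_error_str(e)

        # The return used to sit inside a `finally` clause, which silently
        # discarded any in-flight exception, including KeyboardInterrupt and
        # SystemExit. Rendering after the except block keeps the error page
        # behaviour for ordinary exceptions and lets those propagate.
        return render_template(
            'admin_folder_permissions.html',
            group=group,
            folder=folder,
            folder_is_root=folder.is_root() if folder else False,
            current_permissions=current_perms,
            group_list=groups,
            err_msg=err_msg,
            GROUP_ID_PUBLIC=Group.ID_PUBLIC,
            GROUP_ID_EVERYONE=Group.ID_EVERYONE)
    finally:
        db_session.close()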
示例#9
 def delete(self, group_id, user_id):
     """
     Removes the user with ID user_id from the group group_id, if present.

     Raises DoesNotExistError when the group is not found. A user who is not
     a member leaves the group untouched; the success response is returned
     either way.
     """
     # NOTE(review): no permission check is visible in this method;
     # presumably enforced outside it. Confirm.
     group = data_engine.get_group(group_id=group_id, load_users=True)
     if group is None:
         raise DoesNotExistError(str(group_id))
     # Snapshot taken before the change; handed to the lockout check below
     # in case the group has to be restored
     snapshot = copy.deepcopy(group)
     # Find the first member with a matching ID
     position = next(
         (idx for idx, member in enumerate(group.users)
          if member.id == user_id),
         None
     )
     if position is not None:
         del group.users[position]
         data_engine.save_object(group)
         permissions_engine.reset()
         _check_for_user_lockout(snapshot)
     return make_api_success_response()
示例#10
 def delete(self, group_id):
     """
     Deletes the group group_id. The session user must hold permissions
     administration.

     Raises DoesNotExistError when the group is not found, and
     ParameterError when the data engine rejects the deletion with a
     ValueError.
     """
     # Authorise before touching the database
     permissions_engine.ensure_permitted(
         SystemPermissions.PERMIT_ADMIN_PERMISSIONS,
         get_session_user()
     )
     doomed = data_engine.get_group(group_id=group_id)
     if doomed is None:
         raise DoesNotExistError(str(group_id))
     try:
         data_engine.delete_group(doomed)
     except ValueError as err:
         # Surface the data engine's refusal as a parameter problem
         raise ParameterError(str(err))
     # The group is gone, so cached permissions are stale
     permissions_engine.reset()
     return make_api_success_response()
示例#11
 def delete(self, group_id):
     """
     Deletes the group group_id. The session user must hold permissions
     administration.

     Raises DoesNotExistError when the group is not found, and
     ParameterError when the data engine rejects the deletion with a
     ValueError.
     """
     # Authorise before touching the database
     session_user = get_session_user()
     permissions_engine.ensure_permitted(
         SystemPermissions.PERMIT_ADMIN_PERMISSIONS, session_user)
     # Users are loaded up front because their sessions are reset below
     doomed = data_engine.get_group(group_id=group_id, load_users=True)
     if doomed is None:
         raise DoesNotExistError(str(group_id))
     try:
         data_engine.delete_group(doomed)
     except ValueError as err:
         # Surface the data engine's refusal as a parameter problem
         raise ParameterError(str(err))
     # Former members lose whatever the group granted: reset their sessions
     # and the permissions engine
     reset_user_sessions(doomed.users)
     permissions_engine.reset()
     return make_api_success_response()
示例#12
 def get(self, group_id=None):
     """
     Returns the list of groups (ordered by name) when group_id is None,
     otherwise the single group with its users, minus each user's password
     field.

     Raises DoesNotExistError when the requested group is not found.
     """
     if group_id is None:
         # No ID given: list every group
         all_groups = data_engine.list_objects(Group, Group.name)
         return make_api_success_response(object_to_dict_list(all_groups))

     # Single group, with members loaded
     group = data_engine.get_group(group_id=group_id, load_users=True)
     if group is None:
         raise DoesNotExistError(str(group_id))
     group_dict = object_to_dict(group)
     # Nothing password related may leave the API
     for member_dict in group_dict['users']:
         del member_dict['password']
     return make_api_success_response(group_dict)
示例#13
 def delete(self, group_id, user_id):
     """
     Removes the user with ID user_id from the group group_id, if present.

     Raises DoesNotExistError when the group is not found. A user who is not
     a member leaves the group untouched; the success response is returned
     either way.
     """
     # NOTE(review): no permission check is visible in this method;
     # presumably enforced outside it. Confirm.
     group = data_engine.get_group(group_id=group_id, load_users=True)
     if group is None:
         raise DoesNotExistError(str(group_id))
     # Snapshot taken before the change; handed to the lockout check below
     # in case the group has to be restored
     snapshot = copy.deepcopy(group)
     # Find the first member with a matching ID
     hit = next(
         ((idx, member) for idx, member in enumerate(group.users)
          if member.id == user_id),
         None
     )
     if hit is not None:
         position, removed_user = hit
         del group.users[position]
         data_engine.save_object(group)
         # The removed user no longer has what the group granted
         reset_user_sessions(removed_user)
         permissions_engine.reset()
         _check_for_user_lockout(snapshot)
     return make_api_success_response()
示例#14
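 def put(self, group_id):
     """
     Updates the group group_id from the validated form data and returns
     the saved group, with any password field removed from its users.

     The description is always updated; group_type only for non-system
     groups; the name only for local groups. Raises DoesNotExistError when
     the group is not found.
     """
     params = self._get_validated_object_parameters(request.form)
     group = data_engine.get_group(group_id=group_id, load_users=True)
     if group is None:
         raise DoesNotExistError(str(group_id))
     # Back up the object in case we need to restore it
     backup_group = copy.deepcopy(group)
     # Update group
     group.description = params['description']
     if group.group_type != Group.GROUP_TYPE_SYSTEM:
         # NOTE(review): the requested group_type is applied as given;
         # presumably restricted by parameter validation. Confirm.
         group.group_type = params['group_type']
     if group.group_type == Group.GROUP_TYPE_LOCAL:
         group.name = params['name']
     # NOTE(review): any guard against granting permissions the caller does
     # not hold presumably lives in _set_permissions. Confirm.
     permissions_changed = self._set_permissions(group, params)
     data_engine.save_object(group)
     # Reset permissions and session caches
     if permissions_changed:
         reset_user_sessions(group.users)
         permissions_engine.reset()
         _check_for_user_lockout(backup_group)
     # The group is serialised together with its users, so strip any
     # password field from each user record before it leaves the API.
     # pop() with a default is a no-op when the key is already absent.
     gdict = object_to_dict(group)
     for udict in gdict.get('users') or []:
         udict.pop('password', None)
     return make_api_success_response(gdict)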
示例#15
文件: views_pages.py 项目: quru/qis
def group_edit(group_id):
    """Render the admin group edit page for ``group_id``.

    The active users are listed by username, and the group is loaded (with
    its users) only when group_id is greater than zero. Any exception is
    logged with log_security_error and shown on the page through
    ``err_msg`` instead of being raised.
    """
    # NOTE(review): no access check is visible in this function; presumably
    # applied by a decorator outside this listing. Confirm.
    embed = request.args.get('embed', '')
    context = {
        'embed': embed,
        'users': [],
        'group': None,
        'err_msg': None,
        'GROUP_ID_PUBLIC': Group.ID_PUBLIC,
        'GROUP_TYPE_LOCAL': Group.GROUP_TYPE_LOCAL,
        'GROUP_TYPE_SYSTEM': Group.GROUP_TYPE_SYSTEM,
        'STATUS_ACTIVE': User.STATUS_ACTIVE,
    }
    try:
        context['users'] = data_engine.list_users(
            status=User.STATUS_ACTIVE, order_field=User.username)
        if group_id > 0:
            context['group'] = data_engine.get_group(
                group_id=group_id, load_users=True)
    except Exception as err:
        log_security_error(err, request)
        context['err_msg'] = safe_error_str(err)
    return render_template('admin_group_edit.html', **context)
示例#16
文件: views_pages.py 项目: quru/qis
def group_edit(group_id):
    """Render the admin group edit page for ``group_id``.

    The active users are listed by username, and the group is loaded (with
    its users) only when group_id is greater than zero. Any exception is
    logged with log_security_error and its text is shown on the page
    through ``err_msg`` instead of being raised.
    """
    # NOTE(review): no access check is visible in this function; presumably
    # applied by a decorator outside this listing. Confirm.
    embed = request.args.get('embed', '')
    loaded_group = None
    active_users = []
    error_text = None
    try:
        active_users = data_engine.list_users(
            status=User.STATUS_ACTIVE,
            order_field=User.username,
        )
        if group_id > 0:
            loaded_group = data_engine.get_group(
                group_id=group_id, load_users=True)
    except Exception as err:
        log_security_error(err, request)
        # NOTE(review): the raw exception text reaches the template; for
        # unexpected errors this may expose internal details to the page.
        error_text = str(err)

    template_args = dict(
        embed=embed,
        users=active_users,
        group=loaded_group,
        err_msg=error_text,
        GROUP_ID_PUBLIC=Group.ID_PUBLIC,
        GROUP_TYPE_LOCAL=Group.GROUP_TYPE_LOCAL,
        GROUP_TYPE_SYSTEM=Group.GROUP_TYPE_SYSTEM,
        STATUS_ACTIVE=User.STATUS_ACTIVE,
    )
    return render_template('admin_group_edit.html', **template_args)
示例#17
 def put(self, group_id):
     """
     Updates the group group_id from the validated form data and returns
     the saved group with each user's password field removed.

     The description is always updated; group_type only for non-system
     groups; the name only for local groups. Raises DoesNotExistError when
     the group is not found.
     """
     params = self._get_validated_object_parameters(request.form)
     group = data_engine.get_group(group_id=group_id, load_users=True)
     if group is None:
         raise DoesNotExistError(str(group_id))
     # Snapshot taken before the change; handed to the lockout check below
     # in case the group has to be restored
     snapshot = copy.deepcopy(group)

     group.description = params['description']
     is_system_group = group.group_type == Group.GROUP_TYPE_SYSTEM
     if not is_system_group:
         # NOTE(review): the requested group_type is applied as given;
         # presumably restricted by parameter validation. Confirm.
         group.group_type = params['group_type']
     # Checked after the type update, so a group that has just become local
     # also takes the new name
     if group.group_type == Group.GROUP_TYPE_LOCAL:
         group.name = params['name']
     # NOTE(review): any guard against granting permissions the caller does
     # not hold presumably lives in _set_permissions. Confirm.
     perms_differ = self._set_permissions(group, params)
     data_engine.save_object(group)

     if perms_differ:
         # Cached permissions are stale; then run the lockout check against
         # the snapshot
         permissions_engine.reset()
         _check_for_user_lockout(snapshot)

     # Nothing password related may leave the API
     group_dict = object_to_dict(group)
     for member_dict in group_dict['users']:
         del member_dict['password']
     return make_api_success_response(group_dict)