def _check_for_user_lockout(original_object):
    """
    Guard against a change that locks an administrator out of administration.

    Only call this when the current user is already known to hold the
    PERMIT_ADMIN_USERS permission. Two accounts are examined: the session
    user, who must still have user administration, and user ID 1 (reported
    as the 'admin' user), who must still have both user administration and
    permissions administration.

    If either account has lost access, original_object is saved back, the
    permissions engine is reset, and a ParameterError is raised.
    """
    admin_user_id = 1
    # NOTE(review): callers save the change before calling this, and the
    # rollback below is a second save, so the two steps do not look atomic.
    for candidate_id in (get_session_user_id(), admin_user_id):
        db_user = data_engine.get_user(user_id=candidate_id)
        if not db_user:
            continue
        try:
            # Both accounts must keep user administration
            has_user_admin = permissions_engine.is_permitted(
                SystemPermissions.PERMIT_ADMIN_USERS, db_user
            )
            if not has_user_admin:
                raise ParameterError()
            # The admin account must additionally keep permissions administration
            if candidate_id == admin_user_id:
                has_permissions_admin = permissions_engine.is_permitted(
                    SystemPermissions.PERMIT_ADMIN_PERMISSIONS, db_user
                )
                if not has_permissions_admin:
                    raise ParameterError()
        except ParameterError:
            # Restore the pre-change state and drop cached permissions
            data_engine.save_object(original_object)
            permissions_engine.reset()
            # Report which account would have been locked out
            if candidate_id == admin_user_id:
                who = "the 'admin' user"
            else:
                who = 'you'
            raise ParameterError(
                'This change would lock %s out of administration' % who
            )
def post(self, group_id):
    """
    Add the user named by the 'user_id' form parameter to a group.

    Raises DoesNotExistError if the group is not found, and SecurityError if
    the group grants permissions administration (or superuser) that the
    caller does not hold. An unknown user_id, or a user who is already a
    member, is a no-op that still returns a success response.
    """
    params = self._get_validated_object_parameters(request.form)
    target_group = data_engine.get_group(group_id=group_id, load_users=True)
    if target_group is None:
        raise DoesNotExistError(str(group_id))

    # Privilege-escalation guard. The caller needs user admin to reach this
    # point, but without permissions admin they must not be able to hand out
    # a group that grants permissions admin or superuser.
    grants_admin = (
        target_group.permissions.admin_permissions or
        target_group.permissions.admin_all
    )
    if grants_admin and not permissions_engine.is_permitted(
        SystemPermissions.PERMIT_ADMIN_PERMISSIONS, get_session_user()
    ):
        raise SecurityError(
            'You cannot add users to a group that '
            'grants permissions administration, because you do not '
            'have permissions administration access yourself.'
        )

    new_member = data_engine.get_user(user_id=params['user_id'])
    if new_member is not None and new_member not in target_group.users:
        target_group.users.append(new_member)
        data_engine.save_object(target_group)
        # Invalidate the user's sessions and the permissions cache so the
        # new membership takes effect
        reset_user_sessions(new_member)
        permissions_engine.reset()
    return make_api_success_response()
def post(self):
    """
    Create a folder permission linking a group to a folder.

    Reads 'group_id', 'folder_id' and 'access' from the validated form
    parameters. Raises DoesNotExistError if the group or the folder is not
    found. On success the permissions engine is reset and the new record is
    returned as a dictionary.
    """
    # NOTE(review): no authorization check is visible in this method;
    # presumably it is enforced by a decorator or the caller - confirm.
    params = self._get_validated_object_parameters(request.form)
    db_session = data_engine.db_get_session()
    succeeded = False
    try:
        group_row = data_engine.get_group(
            params['group_id'], _db_session=db_session
        )
        if group_row is None:
            raise DoesNotExistError(str(params['group_id']))

        folder_row = data_engine.get_folder(
            params['folder_id'], _db_session=db_session
        )
        if folder_row is None:
            raise DoesNotExistError(str(params['folder_id']))

        # Saving with _commit=True commits immediately, which the refresh
        # needs in order to pick up the new record's ID
        new_permission = FolderPermission(folder_row, group_row, params['access'])
        new_permission = data_engine.save_object(
            new_permission,
            refresh=True,
            _db_session=db_session,
            _commit=True
        )
        succeeded = True
        return make_api_success_response(object_to_dict(new_permission))
    finally:
        # The inner finally releases the session even if commit or rollback fails
        try:
            if not succeeded:
                db_session.rollback()
            else:
                db_session.commit()
                permissions_engine.reset()
        finally:
            db_session.close()
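def delete(self, permission_id):
    """
    Delete a folder permission by ID.

    Raises DoesNotExistError if no such permission exists, and ParameterError
    if the data engine refuses the deletion with a ValueError. The deletion is
    committed and the permissions engine reset only when every step succeeded;
    otherwise the transaction is rolled back.
    """
    # NOTE(review): no authorization check is visible in this method;
    # presumably it is enforced by a decorator or the caller - confirm.
    db_session = data_engine.db_get_session()
    db_commit = False
    try:
        fp = data_engine.get_object(
            FolderPermission, permission_id, _db_session=db_session
        )
        if fp is None:
            raise DoesNotExistError(str(permission_id))
        try:
            data_engine.delete_folder_permission(
                fp, _db_session=db_session, _commit=False
            )
        except ValueError as e:
            # Surface data engine refusals as an API parameter error
            raise ParameterError(str(e))
        db_commit = True
        return make_api_success_response()
    finally:
        try:
            if db_commit:
                db_session.commit()
                permissions_engine.reset()
            else:
                db_session.rollback()
        finally:
            # Always release the session, even when commit, rollback or the
            # permissions reset raises; previously such a failure skipped close()
            db_session.close()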
def post(self, group_id):
    """
    Add the user named by the 'user_id' form parameter to a group.

    Raises DoesNotExistError if the group is not found, and SecurityError if
    the group grants permissions administration (or superuser) that the
    caller does not hold. An unknown user_id, or a user who is already a
    member, is a no-op that still returns a success response.
    """
    params = self._get_validated_object_parameters(request.form)
    group = data_engine.get_group(group_id=group_id, load_users=True)
    if group is None:
        raise DoesNotExistError(str(group_id))

    # Privilege-escalation guard. Having user admin is a precondition for
    # being here, but a caller without permissions admin must not be able to
    # place users into a group that itself grants permissions admin or
    # superuser.
    group_perms = group.permissions
    if group_perms.admin_permissions or group_perms.admin_all:
        caller_has_permissions_admin = permissions_engine.is_permitted(
            SystemPermissions.PERMIT_ADMIN_PERMISSIONS, get_session_user()
        )
        if not caller_has_permissions_admin:
            message = (
                'You cannot add users to a group that ' +
                'grants permissions administration, because you do not ' +
                'have permissions administration access yourself.'
            )
            raise SecurityError(message)

    user = data_engine.get_user(user_id=params['user_id'])
    already_member = user is not None and user in group.users
    if user is not None and not already_member:
        group.users.append(user)
        data_engine.save_object(group)
        # NOTE(review): only the permissions cache is reset here; if user
        # sessions cache membership, confirm they pick up the change.
        permissions_engine.reset()
    return make_api_success_response()
def put(self, permission_id):
    """
    Change the access level of an existing folder permission.

    Reads 'access' from the validated form parameters. Raises
    DoesNotExistError if the permission is not found. Returns the updated
    record as a dictionary after resetting the permissions engine.
    """
    # NOTE(review): no authorization check is visible in this method;
    # presumably it is enforced by a decorator or the caller - confirm.
    params = self._get_validated_object_parameters(request.form)
    folder_permission = data_engine.get_object(FolderPermission, permission_id)
    if folder_permission is None:
        raise DoesNotExistError(str(permission_id))

    folder_permission.access = params['access']
    data_engine.save_object(folder_permission)
    # Drop cached permissions so the new access level applies
    permissions_engine.reset()

    response_body = object_to_dict(folder_permission)
    return make_api_success_response(response_body)
def delete(self, group_id):
    """
    Delete a group.

    The caller must hold permissions administration (enforced through
    permissions_engine.ensure_permitted). Raises DoesNotExistError if the
    group is not found, and ParameterError if the data engine refuses the
    deletion with a ValueError. The former members' sessions and the
    permissions cache are reset afterwards.
    """
    # Authorization: deleting groups requires permissions admin
    current_user = get_session_user()
    permissions_engine.ensure_permitted(
        SystemPermissions.PERMIT_ADMIN_PERMISSIONS, current_user
    )

    # Users are loaded with the group; they are needed after the delete
    doomed_group = data_engine.get_group(group_id=group_id, load_users=True)
    if doomed_group is None:
        raise DoesNotExistError(str(group_id))

    try:
        data_engine.delete_group(doomed_group)
    except ValueError as err:
        raise ParameterError(str(err))

    # Members lose whatever the group granted, so reset their sessions as
    # well as the permissions cache
    reset_user_sessions(doomed_group.users)
    permissions_engine.reset()
    return make_api_success_response()
def delete(self, group_id, user_id):
    """
    Remove a user from a group.

    Raises DoesNotExistError if the group is not found. If user_id is not a
    member, nothing is changed and a success response is still returned.
    After a removal the lockout check runs; it restores the original group
    and raises ParameterError if the change would lock out the caller or the
    'admin' user.
    """
    group = data_engine.get_group(group_id=group_id, load_users=True)
    if group is None:
        raise DoesNotExistError(str(group_id))

    # Snapshot taken before any change so the lockout check can restore it
    backup_group = copy.deepcopy(group)

    for position, member in enumerate(group.users):
        if member.id != user_id:
            continue
        del group.users[position]
        data_engine.save_object(group)
        # NOTE(review): only the permissions cache is reset; if the removed
        # user's sessions cache membership, revocation may lag - confirm.
        permissions_engine.reset()
        _check_for_user_lockout(backup_group)
        # The list was mutated, so stop iterating after the first match
        break
    return make_api_success_response()
def delete(self, group_id):
    """
    Delete a group.

    The caller must hold permissions administration (enforced through
    permissions_engine.ensure_permitted). Raises DoesNotExistError if the
    group is not found, and ParameterError if the data engine refuses the
    deletion with a ValueError. The permissions cache is reset afterwards.
    """
    # Authorization: deleting groups requires permissions admin
    permissions_engine.ensure_permitted(
        SystemPermissions.PERMIT_ADMIN_PERMISSIONS,
        get_session_user()
    )

    target = data_engine.get_group(group_id=group_id)
    if target is None:
        raise DoesNotExistError(str(group_id))

    try:
        data_engine.delete_group(target)
    except ValueError as err:
        raise ParameterError(str(err))

    # NOTE(review): only the permissions cache is reset; if former members'
    # sessions cache what the group granted, revocation may lag - confirm.
    permissions_engine.reset()
    return make_api_success_response()
def delete(self, group_id, user_id):
    """
    Remove a user from a group.

    Raises DoesNotExistError if the group is not found. If user_id is not a
    member, nothing is changed and a success response is still returned.
    After a removal, the user's sessions and the permissions cache are reset
    and the lockout check runs; it restores the original group and raises
    ParameterError if the change would lock out the caller or the 'admin'
    user.
    """
    group = data_engine.get_group(group_id=group_id, load_users=True)
    if group is None:
        raise DoesNotExistError(str(group_id))

    # Keep a pre-change copy for the lockout check to restore if needed
    backup_group = copy.deepcopy(group)

    members = group.users
    for index, member in enumerate(members):
        if member.id != user_id:
            continue
        del members[index]
        data_engine.save_object(group)
        # Revoke immediately: reset the removed user's sessions, then the
        # permissions cache
        reset_user_sessions(member)
        permissions_engine.reset()
        # NOTE(review): the sessions are reset before the lockout check, so
        # they stay reset even if the check restores the membership.
        _check_for_user_lockout(backup_group)
        # The list was mutated, so stop iterating after the first match
        break
    return make_api_success_response()
def put(self, group_id):
    """
    Update a group's description, type, name and permissions.

    Raises DoesNotExistError if the group is not found. The type of a system
    group is never changed, and the name is only applied when the group is a
    local group. When the permissions changed, member sessions and the
    permissions cache are reset and the lockout check runs; it restores the
    original group and raises ParameterError if the change would lock out the
    caller or the 'admin' user.
    """
    params = self._get_validated_object_parameters(request.form)
    group = data_engine.get_group(group_id=group_id, load_users=True)
    if group is None:
        raise DoesNotExistError(str(group_id))

    # Snapshot taken before any change so the lockout check can restore it
    backup_group = copy.deepcopy(group)

    group.description = params['description']
    is_system_group = group.group_type == Group.GROUP_TYPE_SYSTEM
    if not is_system_group:
        group.group_type = params['group_type']
    # Evaluated after the type update above, so it sees the new type
    if group.group_type == Group.GROUP_TYPE_LOCAL:
        group.name = params['name']

    permissions_changed = self._set_permissions(group, params)
    data_engine.save_object(group)

    if permissions_changed:
        # Every member is affected, so reset their sessions and the
        # permissions cache before checking for a lockout
        reset_user_sessions(group.users)
        permissions_engine.reset()
        _check_for_user_lockout(backup_group)

    # NOTE(review): the group is serialised with its users loaded; confirm
    # object_to_dict() leaves password fields out of the user records.
    return make_api_success_response(object_to_dict(group))
def put(self, group_id):
    """
    Update a group's description, type, name and permissions.

    Raises DoesNotExistError if the group is not found. The type of a system
    group is never changed, and the name is only applied when the group is a
    local group. When the permissions changed, the permissions cache is reset
    and the lockout check runs; it restores the original group and raises
    ParameterError if the change would lock out the caller or the 'admin'
    user. The 'password' entry is removed from every user record in the
    response.
    """
    params = self._get_validated_object_parameters(request.form)
    group = data_engine.get_group(group_id=group_id, load_users=True)
    if group is None:
        raise DoesNotExistError(str(group_id))

    # Keep a pre-change copy for the lockout check to restore if needed
    backup_group = copy.deepcopy(group)

    group.description = params['description']
    if group.group_type != Group.GROUP_TYPE_SYSTEM:
        group.group_type = params['group_type']
    # Evaluated after the type update above, so it sees the new type
    may_rename = group.group_type == Group.GROUP_TYPE_LOCAL
    if may_rename:
        group.name = params['name']

    permissions_changed = self._set_permissions(group, params)
    data_engine.save_object(group)

    if permissions_changed:
        # NOTE(review): only the permissions cache is reset; if members'
        # sessions cache their permissions, the change may lag - confirm.
        permissions_engine.reset()
        _check_for_user_lockout(backup_group)

    # Never return password material to the API client
    response_body = object_to_dict(group)
    for user_entry in response_body['users']:
        del user_entry['password']
    return make_api_success_response(response_body)