示例#1
0
def _check_for_user_lockout(original_object):
    """
    Only to be called when the current user is known to have PERMIT_ADMIN_USERS
    permission, checks that the current user hasn't locked themselves out from
    user administration.
    Also checks that the admin user's administration permission has not been
    accidentally revoked.
    If a lockout has occurred, the supplied original object is re-saved and a
    ParameterError is raised.
    """
    user_ids = [get_session_user_id(), 1]
    for user_id in user_ids:
        db_user = data_engine.get_user(user_id=user_id)
        if db_user:
            try:
                # Require user administration
                if not permissions_engine.is_permitted(
                    SystemPermissions.PERMIT_ADMIN_USERS,
                    db_user
                ): raise ParameterError()
                # For the admin user, also require permissions administration
                if user_id == 1 and not permissions_engine.is_permitted(
                    SystemPermissions.PERMIT_ADMIN_PERMISSIONS,
                    db_user
                ): raise ParameterError()
            except ParameterError:
                # Roll back permissions
                data_engine.save_object(original_object)
                permissions_engine.reset()
                # Raise API error
                who = 'the \'admin\' user' if user_id == 1 else 'you'
                raise ParameterError(
                    'This change would lock %s out of administration' % who
                )
示例#2
0
    def post(self, group_id):
        params = self._get_validated_object_parameters(request.form)
        group = data_engine.get_group(group_id=group_id, load_users=True)
        if group is None:
            raise DoesNotExistError(str(group_id))

        # Check permissions! The current user must have user admin to be here.
        # But if they don't also have permissions admin or superuser then we
        # must block the change if the new group would grant one of the same.
        if group.permissions.admin_permissions or group.permissions.admin_all:
            if not permissions_engine.is_permitted(
                    SystemPermissions.PERMIT_ADMIN_PERMISSIONS,
                    get_session_user()):
                raise SecurityError(
                    'You cannot add users to a group that ' +
                    'grants permissions administration, because you do not ' +
                    'have permissions administration access yourself.')

        user = data_engine.get_user(user_id=params['user_id'])
        if user is not None:
            if user not in group.users:
                group.users.append(user)
                data_engine.save_object(group)
                reset_user_sessions(user)
                permissions_engine.reset()
        return make_api_success_response()
示例#3
0
    def post(self):
        params = self._get_validated_object_parameters(request.form)
        db_session = data_engine.db_get_session()
        db_commit = False
        try:
            db_group = data_engine.get_group(params['group_id'], _db_session=db_session)
            if db_group is None:
                raise DoesNotExistError(str(params['group_id']))
            db_folder = data_engine.get_folder(params['folder_id'], _db_session=db_session)
            if db_folder is None:
                raise DoesNotExistError(str(params['folder_id']))

            # This commits (needed for refresh to get the new ID)
            fp = FolderPermission(db_folder, db_group, params['access'])
            fp = data_engine.save_object(
                fp, refresh=True, _db_session=db_session, _commit=True
            )
            db_commit = True
            return make_api_success_response(object_to_dict(fp))
        finally:
            try:
                if db_commit:
                    db_session.commit()
                    permissions_engine.reset()
                else:
                    db_session.rollback()
            finally:
                db_session.close()
示例#4
0
    def delete(self, permission_id):
        db_session = data_engine.db_get_session()
        db_commit = False
        try:
            fp = data_engine.get_object(
                FolderPermission,
                permission_id,
                _db_session=db_session
            )
            if fp is None:
                raise DoesNotExistError(str(permission_id))
            try:
                data_engine.delete_folder_permission(
                    fp, _db_session=db_session, _commit=False
                )
            except ValueError as e:
                raise ParameterError(str(e))

            db_commit = True
            return make_api_success_response()
        finally:
            if db_commit:
                db_session.commit()
                permissions_engine.reset()
            else:
                db_session.rollback()
            db_session.close()
示例#5
0
    def post(self, group_id):
        params = self._get_validated_object_parameters(request.form)
        group = data_engine.get_group(group_id=group_id, load_users=True)
        if group is None:
            raise DoesNotExistError(str(group_id))

        # Check permissions! The current user must have user admin to be here.
        # But if they don't also have permissions admin or superuser then we
        # must block the change if the new group would grant one of the same.
        if group.permissions.admin_permissions or group.permissions.admin_all:
            if not permissions_engine.is_permitted(
                SystemPermissions.PERMIT_ADMIN_PERMISSIONS, get_session_user()
            ):
                raise SecurityError(
                    'You cannot add users to a group that ' +
                    'grants permissions administration, because you do not ' +
                    'have permissions administration access yourself.'
                )

        user = data_engine.get_user(user_id=params['user_id'])
        if user is not None:
            if user not in group.users:
                group.users.append(user)
                data_engine.save_object(group)
                permissions_engine.reset()
        return make_api_success_response()
示例#6
0
 def put(self, permission_id):
     params = self._get_validated_object_parameters(request.form)
     fp = data_engine.get_object(FolderPermission, permission_id)
     if fp is None:
         raise DoesNotExistError(str(permission_id))
     fp.access = params['access']
     data_engine.save_object(fp)
     permissions_engine.reset()
     return make_api_success_response(object_to_dict(fp))
示例#7
0
 def delete(self, group_id):
     # Check permissions! The current user must have permissions admin to delete groups.
     permissions_engine.ensure_permitted(
         SystemPermissions.PERMIT_ADMIN_PERMISSIONS, get_session_user())
     group = data_engine.get_group(group_id=group_id, load_users=True)
     if group is None:
         raise DoesNotExistError(str(group_id))
     try:
         data_engine.delete_group(group)
     except ValueError as e:
         raise ParameterError(str(e))
     # Reset permissions and session caches
     reset_user_sessions(group.users)
     permissions_engine.reset()
     return make_api_success_response()
示例#8
0
 def delete(self, group_id, user_id):
     group = data_engine.get_group(group_id=group_id, load_users=True)
     if group is None:
         raise DoesNotExistError(str(group_id))
     # Back up the object in case we need to restore it
     backup_group = copy.deepcopy(group)
     # Update group membership
     for idx, member in enumerate(group.users):
         if member.id == user_id:
             del group.users[idx]
             data_engine.save_object(group)
             permissions_engine.reset()
             _check_for_user_lockout(backup_group)
             break
     return make_api_success_response()
示例#9
0
 def delete(self, group_id):
     # Check permissions! The current user must have permissions admin to delete groups.
     permissions_engine.ensure_permitted(
         SystemPermissions.PERMIT_ADMIN_PERMISSIONS, get_session_user()
     )
     group = data_engine.get_group(group_id=group_id)
     if group is None:
         raise DoesNotExistError(str(group_id))
     try:
         data_engine.delete_group(group)
     except ValueError as e:
         raise ParameterError(str(e))
     # Reset permissions cache
     permissions_engine.reset()
     return make_api_success_response()
示例#10
0
 def delete(self, group_id, user_id):
     group = data_engine.get_group(group_id=group_id, load_users=True)
     if group is None:
         raise DoesNotExistError(str(group_id))
     # Back up the object in case we need to restore it
     backup_group = copy.deepcopy(group)
     # Update group membership
     for idx, member in enumerate(group.users):
         if member.id == user_id:
             del group.users[idx]
             data_engine.save_object(group)
             reset_user_sessions(member)
             permissions_engine.reset()
             _check_for_user_lockout(backup_group)
             break
     return make_api_success_response()
示例#11
0
 def put(self, group_id):
     params = self._get_validated_object_parameters(request.form)
     group = data_engine.get_group(group_id=group_id, load_users=True)
     if group is None:
         raise DoesNotExistError(str(group_id))
     # Back up the object in case we need to restore it
     backup_group = copy.deepcopy(group)
     # Update group
     group.description = params['description']
     if group.group_type != Group.GROUP_TYPE_SYSTEM:
         group.group_type = params['group_type']
     if group.group_type == Group.GROUP_TYPE_LOCAL:
         group.name = params['name']
     permissions_changed = self._set_permissions(group, params)
     data_engine.save_object(group)
     # Reset permissions and session caches
     if permissions_changed:
         reset_user_sessions(group.users)
         permissions_engine.reset()
         _check_for_user_lockout(backup_group)
     return make_api_success_response(object_to_dict(group))
示例#12
0
 def put(self, group_id):
     params = self._get_validated_object_parameters(request.form)
     group = data_engine.get_group(group_id=group_id, load_users=True)
     if group is None:
         raise DoesNotExistError(str(group_id))
     # Back up the object in case we need to restore it
     backup_group = copy.deepcopy(group)
     # Update group
     group.description = params['description']
     if group.group_type != Group.GROUP_TYPE_SYSTEM:
         group.group_type = params['group_type']
     if group.group_type == Group.GROUP_TYPE_LOCAL:
         group.name = params['name']
     permissions_changed = self._set_permissions(group, params)
     data_engine.save_object(group)
     # Reset permissions cache
     if permissions_changed:
         permissions_engine.reset()
         _check_for_user_lockout(backup_group)
     # Do not give out anything password related
     gdict = object_to_dict(group)
     for udict in gdict['users']:
         del udict['password']
     return make_api_success_response(gdict)