def _check_for_user_lockout(original_object): """ Only to be called when the current user is known to have PERMIT_ADMIN_USERS permission, checks that the current user hasn't locked themselves out from user administration. Also checks that the admin user's administration permission has not been accidentally revoked. If a lockout has occurred, the supplied original object is re-saved and a ParameterError is raised. """ user_ids = [get_session_user_id(), 1] for user_id in user_ids: db_user = data_engine.get_user(user_id=user_id) if db_user: try: # Require user administration if not permissions_engine.is_permitted( SystemPermissions.PERMIT_ADMIN_USERS, db_user): raise ParameterError() # For the admin user, also require permissions administration if user_id == 1 and not permissions_engine.is_permitted( SystemPermissions.PERMIT_ADMIN_PERMISSIONS, db_user): raise ParameterError() except ParameterError: # Roll back permissions data_engine.save_object(original_object) permissions_engine.reset() # Raise API error who = 'the \'admin\' user' if user_id == 1 else 'you' raise ParameterError( 'This change would lock %s out of administration' % who)
def _check_for_user_lockout(original_object): """ Only to be called when the current user is known to have PERMIT_ADMIN_USERS permission, checks that the current user hasn't locked themselves out from user administration. Also checks that the admin user's administration permission has not been accidentally revoked. If a lockout has occurred, the supplied original object is re-saved and a ParameterError is raised. """ user_ids = [get_session_user_id(), 1] for user_id in user_ids: db_user = data_engine.get_user(user_id=user_id) if db_user: try: # Require user administration if not permissions_engine.is_permitted( SystemPermissions.PERMIT_ADMIN_USERS, db_user ): raise ParameterError() # For the admin user, also require permissions administration if user_id == 1 and not permissions_engine.is_permitted( SystemPermissions.PERMIT_ADMIN_PERMISSIONS, db_user ): raise ParameterError() except ParameterError: # Roll back permissions data_engine.save_object(original_object) permissions_engine.reset() # Raise API error who = 'the \'admin\' user' if user_id == 1 else 'you' raise ParameterError( 'This change would lock %s out of administration' % who )
def decorated_function(*args, **kwargs): res = _check_internal_request(request, session, False, True, SystemPermissions.PERMIT_ADMIN_USERS) # If not admin_users, allow GET and PUT for current user's record if res: allow = (request.method == 'GET' or request.method == 'PUT') and \ 'user_id' in kwargs and \ kwargs['user_id'] == get_session_user_id() if not allow: return res return f(*args, **kwargs)
def decorated_function(*args, **kwargs): res = _check_internal_request(request, session, False, True, SystemPermissions.PERMIT_ADMIN_USERS) # If not admin_users, allow GET and PUT for current user's record if res: allow = (request.method in ['GET', 'PUT'] and 'user_id' in kwargs and kwargs['user_id'] > 0 and kwargs['user_id'] == get_session_user_id()) if not allow: return res return f(*args, **kwargs)
def get(self, task_id): db_task = task_engine.get_task(task_id=task_id, decode_attrs=True) if not db_task: raise DoesNotExistError(str(task_id)) else: # Requires super user or task owner if not db_task.user or db_task.user.id != get_session_user_id(): permissions_engine.ensure_permitted(SystemPermissions.PERMIT_SUPER_USER, get_session_user()) tdict = object_to_dict(db_task) if tdict.get("user") is not None: # Do not give out anything password related del tdict["user"]["password"] return make_api_success_response(tdict)
def delete(self, user_id): user = data_engine.get_user(user_id=user_id) if user is None: raise DoesNotExistError(str(user_id)) if user.id == 1: raise ParameterError('The \'admin\' user cannot be deleted') data_engine.delete_user(user) # If this is the current user, log out if get_session_user_id() == user_id: log_out() # Reset session caches reset_user_sessions(user) return make_api_success_response(object_to_dict(user))
def delete(self, user_id): user = data_engine.get_user(user_id=user_id) if user is None: raise DoesNotExistError(str(user_id)) if user.id == 1: raise ParameterError('The \'admin\' user cannot be deleted') data_engine.delete_user(user) # If this is the current user, log out if get_session_user_id() == user_id: log_out() # Do not give out anything password related udict = object_to_dict(user) del udict['password'] return make_api_success_response(udict)