def client_edit(key):
    """Edit a registered client application. Only the client's owner may do this.

    If the owner (a user or an organization) changes, every user and team
    permission assignment on the client is dropped, because those grants were
    made under the previous owner. If the saved client no longer has
    ``team_access``, its ClientTeamAccess rows are dropped as well.
    """
    client = Client.query.filter_by(key=key).first_or_404()
    if not client.owner_is(g.user):
        abort(403)
    form = RegisterClientForm(obj=client)
    form.edit_obj = client
    form.client_owner.choices = available_client_owners()
    if request.method == 'GET':
        # Pre-select the current owner (user or org) in the owner picker
        current_owner = client.user if client.user else client.org
        form.client_owner.data = current_owner.userid
    if form.validate_on_submit():
        owner_changed = (client.user != form.user) or (client.org != form.org)
        if owner_changed:
            # Ownership has changed. Remove existing permission assignments
            stale_assignments = (UserClientPermissions.query.filter_by(client=client).all()
                                 + TeamClientPermissions.query.filter_by(client=client).all())
            for assignment in stale_assignments:
                db.session.delete(assignment)
            flash("This application’s owner has changed, so all previously assigned permissions "
                  "have been revoked", "warning")
        form.populate_obj(client)
        client.user = form.user
        client.org = form.org
        if not client.team_access:
            # This client does not have access to teams in organizations. Remove all existing assignments
            for cta in ClientTeamAccess.query.filter_by(client=client).all():
                db.session.delete(cta)
        db.session.commit()
        return render_redirect(url_for('client_info', key=client.key), code=303)
    return render_form(form=form, title="Edit application", formid="client_edit",
                       submit="Save changes", ajax=True)
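def reset_email(userid, secret):
    """Second step of password reset: validate the emailed link and set a new password.

    ``userid`` and ``secret`` come from the reset link. Both must match a stored
    PasswordResetRequest, and that request must be under 24 hours old; an
    expired request is deleted on sight. Any existing session is logged out
    first so the link can only ever act on the account it was issued for.

    Fixes: ``user.fullname`` is user-supplied text that was interpolated into
    ``Markup`` unescaped (HTML injection on the reset page), and only the reset
    request that was used was deleted, leaving any other outstanding reset
    links for the same user valid after the password had already been changed.
    """
    logout_internal()
    user = User.query.filter_by(userid=userid).first()
    if not user:
        abort(404)
    resetreq = PasswordResetRequest.query.filter_by(user=user, reset_code=secret).first()
    if not resetreq:
        return render_message(title="Invalid reset link",
                              message=Markup("The reset link you clicked on is invalid."))
    if resetreq.created_at < datetime.utcnow() - timedelta(days=1):
        # Reset code has expired (> 24 hours). Delete it
        db.session.delete(resetreq)
        db.session.commit()
        return render_message(title="Expired reset link",
                              message=Markup("The reset link you clicked on has expired."))
    # Reset code is valid. Now ask user to choose a new password
    form = PasswordResetForm()
    if form.validate_on_submit():
        user.password = form.password.data
        # Once the password has changed, every outstanding reset link for this
        # user is void, not just the one that was clicked: an older link must
        # not be able to change the password a second time.
        for pending in PasswordResetRequest.query.filter_by(user=user).all():
            db.session.delete(pending)
        db.session.commit()
        return render_message(title="Password reset complete", message=Markup(
            'Your password has been reset. You may now <a href="%s">login</a> with your new password.'
            % escape(url_for('login'))))
    # fullname is rendered inside Markup, so it must be escaped like any other untrusted text
    return render_form(form=form, title="Reset password", formid='reset', submit="Reset password",
                       message=Markup('Hello, <strong>%s</strong>. You may now choose a new password.'
                                      % escape(user.fullname)),
                       ajax=True)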
def add_email():
    """Add an email address to the logged-in user's account as an unverified claim.

    The claim is committed first and the verification link is sent afterwards,
    so a failed send never leaves the database without the claim the link
    refers to.
    """
    form = NewEmailAddressForm()
    if not form.validate_on_submit():
        return render_form(form=form, title="Add an email address", formid="email_add",
                           submit="Add email", ajax=True)
    claim = UserEmailClaim(user=g.user, email=form.email.data)
    db.session.add(claim)
    db.session.commit()
    send_email_verify_link(claim)
    flash("We sent you an email to confirm your address.", "info")
    return render_redirect(url_for('profile'), code=303)
def add_phone():
    """Add a phone number to the logged-in user's account as an unverified claim.

    Note the ordering differs from add_email: the verification code is sent
    before the claim is committed, so the claim row exists only if sending
    did not raise.
    """
    form = NewPhoneForm()
    if not form.validate_on_submit():
        return render_form(form=form, title="Add a phone number", formid="phone_add",
                           submit="Add phone", ajax=True)
    claim = UserPhoneClaim(user=g.user, phone=form.phone.data)
    db.session.add(claim)
    send_phone_verify_code(claim)
    db.session.commit()
    flash("We sent a verification code to your phone number.", "info")
    return render_redirect(url_for('verify_phone', number=claim.phone), code=303)
def org_new():
    """Create a new organization, with the current user as its first owner."""
    form = OrganizationForm()
    form.edit_obj = None
    if not form.validate_on_submit():
        return render_form(form=form, title="New Organization", formid="org_new",
                           submit="Create", ajax=False)
    org = Organization()
    form.populate_obj(org)
    # The creator must be an owner, or nobody could edit the org afterwards
    org.owners.users.append(g.user)
    db.session.add(org)
    db.session.commit()
    return render_redirect(url_for('org_info', name=org.name), code=303)
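def org_edit(name):
    """Edit an existing organization. Only one of its owners may do this.

    Fix: the form title was a copy-paste of org_new's "New Organization";
    the edit page is now titled "Edit organization", consistent with the
    other edit views in this file.
    """
    org = Organization.query.filter_by(name=name).first_or_404()
    if g.user not in org.owners.users:
        abort(403)
    form = OrganizationForm(obj=org)
    form.edit_obj = org
    if form.validate_on_submit():
        form.populate_obj(org)
        db.session.commit()
        # org.name may have been changed by the form, so redirect to the new name
        return render_redirect(url_for('org_info', name=org.name), code=303)
    return render_form(form=form, title="Edit organization", formid="org_edit",
                       submit="Save", ajax=False)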
def change_password():
    """Let the logged-in user set a new password.

    A user with no stored password hash (``pw_hash is None``; presumably an
    account that never had a local password) gets PasswordResetForm, which
    does not ask for the current password. Everyone else gets
    PasswordChangeForm and must supply the current password.
    """
    has_password = g.user.pw_hash is not None
    form = PasswordChangeForm() if has_password else PasswordResetForm()
    if not form.validate_on_submit():
        return render_form(form=form, title="Change password", formid="changepassword",
                           submit="Change password", ajax=True)
    g.user.password = form.password.data
    db.session.commit()
    flash("Your new password has been saved.", category='info')
    return render_redirect(url_for('profile'), code=303)
def team_edit(name, userid):
    """Edit a team belonging to organization ``name``. Only an org owner may do this.

    The team lookup is scoped to the org, so a team userid from another
    organization yields a 404 rather than cross-org access.
    """
    org = Organization.query.filter_by(name=name).first_or_404()
    if g.user not in org.owners.users:
        abort(403)
    team = Team.query.filter_by(org=org, userid=userid).first_or_404()
    form = TeamForm(obj=team)
    form.edit_obj = team
    if not form.validate_on_submit():
        return render_form(form=form, title=u"Edit team: %s" % team.title, formid='team_edit',
                           submit="Save", ajax=False)
    form.populate_obj(team)
    db.session.commit()
    return render_redirect(url_for('org_info', name=org.name), code=303)
def team_new(name):
    """Create a new team in organization ``name``. Only an org owner may do this."""
    org = Organization.query.filter_by(name=name).first_or_404()
    if g.user not in org.owners.users:
        abort(403)
    form = TeamForm()
    if not form.validate_on_submit():
        return render_form(form=form, title=u"Create new team", formid='team_new',
                           submit="Create", ajax=False)
    team = Team(org=org)
    form.populate_obj(team)
    db.session.add(team)
    db.session.commit()
    return render_redirect(url_for('org_info', name=org.name), code=303)
def resource_new(key):
    """Define a new resource on client application ``key``. Only the client's owner may do this."""
    client = Client.query.filter_by(key=key).first_or_404()
    if not client.owner_is(g.user):
        abort(403)
    form = ResourceForm()
    form.edit_id = None
    if not form.validate_on_submit():
        return render_form(form=form, title="Define a resource", formid="resource_new",
                           submit="Define resource", ajax=True)
    resource = Resource(client=client)
    form.populate_obj(resource)
    db.session.add(resource)
    db.session.commit()
    flash("Your new resource has been saved", "info")
    return render_redirect(url_for('client_info', key=key), code=303)
def profile_edit():
    """Edit the logged-in user's own profile.

    After saving, the user is sent to the ``next`` URL if get_next_url()
    yields one, otherwise back to the profile page with a flash message.
    """
    form = ProfileForm(obj=g.user)
    form.edit_obj = g.user
    if not form.validate_on_submit():
        return render_form(form, title="Edit profile", formid="profile_edit",
                           submit="Save changes", ajax=True)
    form.populate_obj(g.user)
    db.session.commit()
    # NOTE(review): the redirect target originates from the request; get_next_url
    # is relied on to restrict it to this site (open-redirect guard) — confirm.
    next_url = get_next_url()
    if next_url is None:
        flash("Your profile was successfully edited.", category='info')
        return render_redirect(url_for('profile'), code=303)
    return render_redirect(next_url)
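def register():
    """Create a new account, start email verification and log the new user in.

    On success the user is redirected to the ``next`` URL when one is given
    and accepted by get_next_url(), otherwise to the index page.

    Fix: the redirect previously used ``request.args['next']`` verbatim, so a
    crafted registration link could send the freshly logged-in user to any
    external site (open redirect). The target now goes through
    get_next_url(), the same helper profile_edit uses.
    """
    form = RegisterForm()
    if form.validate_on_submit():
        user = register_internal(None, form.fullname.data, form.password.data)
        user.username = form.username.data or None
        useremail = UserEmailClaim(user=user, email=form.email.data)
        db.session.add(useremail)
        db.session.commit()
        send_email_verify_link(useremail)
        login_internal(user)
        flash("You are now one of us. Welcome aboard!", category='info')
        # NOTE(review): get_next_url is assumed to reject off-site targets and
        # to return None when no usable ``next`` was supplied — confirm.
        next_url = get_next_url()
        if next_url is not None:
            return redirect(next_url, code=303)
        return redirect(url_for('index'), code=303)
    return render_form(form=form, title='Register an account', formid='register', submit='Register')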
def permission_new():
    """Define a new permission, owned by the current user or one of their organizations.

    The context picker defaults to the current user. Permissions created here
    are never ``allusers``; that flag is not user-settable through this form.
    """
    form = PermissionForm()
    form.context.choices = available_client_owners()
    if request.method == 'GET':
        form.context.data = g.user.userid
    if not form.validate_on_submit():
        return render_form(form=form, title="Define a new permission", formid="perm_new",
                           submit="Define new permission", ajax=True)
    perm = Permission()
    form.populate_obj(perm)
    perm.user = form.user
    perm.org = form.org
    perm.allusers = False
    db.session.add(perm)
    db.session.commit()
    flash("Your new permission has been defined", "info")
    return render_redirect(url_for('permission_list'), code=303)
def verify_phone(number):
    """Confirm a pending phone claim with the code that was texted to it.

    On success the claim becomes a verified UserPhone (primary if the user
    has no phones yet) and the claim row is deleted.
    """
    # NOTE(review): the claim is found by number alone, then checked against
    # g.user. If the same number can be claimed by more than one user, this
    # picks whichever claim comes first and the other user gets a 403 — confirm
    # whether claims are unique per number.
    phoneclaim = UserPhoneClaim.query.filter_by(phone=number).first_or_404()
    if phoneclaim.user != g.user:
        abort(403)
    form = VerifyPhoneForm()
    form.phoneclaim = phoneclaim
    if not form.validate_on_submit():
        return render_form(form=form, title="Verify phone number", formid="phone_verify",
                           submit="Verify", ajax=True)
    is_first_phone = not g.user.phones
    verified = UserPhone(user=g.user, phone=phoneclaim.phone, gets_text=True,
                         primary=is_first_phone)
    db.session.add(verified)
    db.session.delete(phoneclaim)
    db.session.commit()
    flash("Your phone number has been verified.", "info")
    return render_redirect(url_for('profile'), code=303)
def resource_action_new(key, idr):
    """Define a new action on resource ``idr`` of client ``key``.

    Only the client's owner may do this, and the resource must belong to that
    client (a resource id from another client is refused with 403).
    """
    client = Client.query.filter_by(key=key).first_or_404()
    if not client.owner_is(g.user):
        abort(403)
    resource = Resource.query.get_or_404(idr)
    if resource.client != client:
        abort(403)
    form = ResourceActionForm()
    form.edit_id = None
    form.edit_resource = resource
    if not form.validate_on_submit():
        return render_form(form=form, title="Define an action", formid="action_new",
                           submit="Define action", ajax=True)
    action = ResourceAction(resource=resource)
    form.populate_obj(action)
    db.session.add(action)
    db.session.commit()
    flash("Your new action has been saved", "info")
    return render_redirect(url_for('client_info', key=key), code=303)
def client_new():
    """Register a new client application owned by the current user or one of their orgs.

    New clients are always created untrusted; ``trusted`` is not settable
    through this form.
    """
    form = RegisterClientForm()
    form.client_owner.choices = available_client_owners()
    if request.method == 'GET':
        form.client_owner.data = g.user.userid
    if not form.validate_on_submit():
        return render_form(form=form, title="Register a new client application", formid="client_new",
                           submit="Register application", ajax=True)
    client = Client()
    form.populate_obj(client)
    client.user = form.user
    client.org = form.org
    client.trusted = False
    db.session.add(client)
    db.session.commit()
    return render_redirect(url_for('client_info', key=client.key), code=303)
def permission_user_new(key):
    """Assign permissions on client ``key`` to a user (user-owned client) or a team (org-owned client).

    Only the client's owner may do this. The permissions offered are the
    global ``allusers`` ones plus those owned by the current user (user-owned
    client) or by the owning org (org-owned client). New permissions are
    merged into any existing assignment rather than replacing it.
    """
    client = Client.query.filter_by(key=key).first_or_404()
    if not client.owner_is(g.user):
        abort(403)
    if client.user:
        available_perms = Permission.query.filter(db.or_(
            Permission.allusers == True,
            Permission.user == g.user)).order_by('name').all()
        form = UserPermissionAssignForm()
    elif client.org:
        available_perms = Permission.query.filter(db.or_(
            Permission.allusers == True,
            Permission.org == client.org)).order_by('name').all()
        form = TeamPermissionAssignForm()
        form.org = client.org
        form.team_id.choices = [(team.userid, team.title) for team in client.org.teams]
    else:
        abort(403)  # This should never happen. Clients always have an owner.
    form.perms.choices = [(ap.name, u"%s – %s" % (ap.name, ap.title)) for ap in available_perms]
    if form.validate_on_submit():
        # Pick the assignment model and the owner-side column for this client type
        if client.user:
            assign_model, grantee = UserClientPermissions, {'user': form.user}
        else:
            assign_model, grantee = TeamClientPermissions, {'team': form.team}
        permassign = assign_model.query.filter_by(client=client, **grantee).first()
        if permassign:
            granted = set(permassign.permissions.split(u' '))
        else:
            permassign = assign_model(client=client, **grantee)
            db.session.add(permassign)
            granted = set()
        granted.update(form.perms.data)
        permassign.permissions = u' '.join(sorted(granted))
        db.session.commit()
        if client.user:
            flash("Permissions have been assigned to user %s" % form.user.pickername, "info")
        else:
            flash("Permissions have been assigned to team '%s'" % permassign.team.pickername, "info")
        return render_redirect(url_for('client_info', key=key), code=303)
    return render_form(form=form, title="Assign permissions", formid="perm_assign",
                       submit="Assign permissions", ajax=True)
def resource_edit(key, idr):
    """Edit resource ``idr`` of client ``key``.

    Only the client's owner may do this, and the resource must belong to
    that client. On GET the form is pre-filled field by field from the
    resource.
    """
    client = Client.query.filter_by(key=key).first_or_404()
    if not client.owner_is(g.user):
        abort(403)
    resource = Resource.query.get_or_404(idr)
    if resource.client != client:
        abort(403)
    form = ResourceForm()
    form.edit_id = idr
    if request.method == 'GET':
        for fieldname in ('name', 'title', 'description', 'siteresource'):
            getattr(form, fieldname).data = getattr(resource, fieldname)
    if not form.validate_on_submit():
        return render_form(form=form, title="Edit resource", formid="resource_edit",
                           submit="Save changes", ajax=True)
    form.populate_obj(resource)
    db.session.commit()
    flash("Your resource has been edited", "info")
    return render_redirect(url_for('client_info', key=key), code=303)
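def permission_user_edit(key, userid):
    """Edit or revoke the permissions client ``key`` has assigned to one user or team.

    ``userid`` names a user when the client is user-owned and a team when it
    is org-owned. Only the client's owner may do this. Saving an empty
    permission set deletes the assignment row entirely.

    Fix: a client with neither a user nor an org owner fell through both
    branches and hit unbound ``available_perms``/``permassign`` (a 500);
    it is now refused with 403, matching permission_user_new.
    """
    client = Client.query.filter_by(key=key).first_or_404()
    if not client.owner_is(g.user):
        abort(403)
    user = None
    team = None
    if client.user:
        user = User.query.filter_by(userid=userid).first_or_404()
        available_perms = Permission.query.filter(db.or_(
            Permission.allusers == True,
            Permission.user == g.user)).order_by('name').all()
        permassign = UserClientPermissions.query.filter_by(user=user, client=client).first_or_404()
    elif client.org:
        team = Team.query.filter_by(userid=userid).first_or_404()
        available_perms = Permission.query.filter(db.or_(
            Permission.allusers == True,
            Permission.org == client.org)).order_by('name').all()
        permassign = TeamClientPermissions.query.filter_by(team=team, client=client).first_or_404()
    else:
        abort(403)  # This should never happen. Clients always have an owner.
    form = PermissionEditForm()
    form.perms.choices = [(ap.name, u"%s – %s" % (ap.name, ap.title)) for ap in available_perms]
    if request.method == 'GET':
        # permassign is guaranteed by first_or_404 above
        form.perms.data = permassign.permissions.split(u' ')
    if form.validate_on_submit():
        perms = u' '.join(sorted(form.perms.data))
        if not perms:
            # Nothing left: drop the assignment rather than keep an empty row
            db.session.delete(permassign)
        else:
            permassign.permissions = perms
        db.session.commit()
        if perms:
            if client.user:
                flash("Permissions have been updated for user %s" % user.pickername, "info")
            else:
                flash("Permissions have been updated for team '%s'" % team.title, "info")
        else:
            if client.user:
                flash("All permissions have been revoked for user %s" % user.pickername, "info")
            else:
                flash("All permissions have been revoked for team '%s'" % team.title, "info")
        return render_redirect(url_for('client_info', key=key), code=303)
    return render_form(form=form, title="Edit permissions", formid="perm_edit",
                       submit="Save changes", ajax=True)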
def permission_edit(id):
    """Edit an existing permission. Only its owner (user or org) may do this."""
    perm = Permission.query.get_or_404(id)
    if not perm.owner_is(g.user):
        abort(403)
    form = PermissionForm(obj=perm)
    form.context.choices = available_client_owners()
    form.edit_obj = perm
    if request.method == 'GET':
        # Pre-select the current owner in the context picker
        owner = perm.user if perm.user else perm.org
        form.context.data = owner.userid
    if not form.validate_on_submit():
        return render_form(form=form, title="Edit permission", formid="perm_edit",
                           submit="Save changes", ajax=True)
    form.populate_obj(perm)
    perm.user = form.user
    perm.org = form.org
    db.session.commit()
    flash("Your permission has been saved", "info")
    return render_redirect(url_for('permission_list'), code=303)
def reset():
    """First step of password reset: take a username or email and mail a reset link.

    The form resolves the account into ``form.user``. If the user typed an
    email address, the link is sent to that address; otherwise to the
    account's own address. A user with no email at all is told to contact
    support, since there is nowhere to send the link.
    """
    form = PasswordResetRequestForm()
    if not form.validate_on_submit():
        return render_form(form=form, title="Reset password", submit="Send reset code", ajax=True)
    submitted = form.username.data
    user = form.user
    looks_like_email = '@' in submitted and not submitted.startswith('@')
    if looks_like_email:
        # They provided an email address. Send reset email to that address.
        # NOTE(review): this trusts the form's validation to have confirmed the
        # address belongs to form.user; if it does not, a reset link would be
        # sent to a caller-chosen address — confirm in PasswordResetRequestForm.
        email = submitted
    else:
        # Send to their existing address. User.email is a UserEmail object
        email = unicode(user.email)
    if not email:
        # They don't have an email address. Maybe they logged in via Twitter
        # and set a local username and password, but no email. Could happen.
        support = escape(app.config['SITE_SUPPORT_EMAIL'])
        return render_message(title="Reset password", message=Markup(
            """ We do not have an email address for your account and therefore cannot email you a reset link. """
            """Please contact <a href="mailto:%s">%s</a> for assistance. """ % (support, support)))
    resetreq = PasswordResetRequest(user=user)
    db.session.add(resetreq)
    # The link carries the freshly generated reset_code; commit only after sending
    send_password_reset_link(email=email, user=user, secret=resetreq.reset_code)
    db.session.commit()
    return render_message(title="Reset password", message=Markup(
        u""" You were sent an email at <code>%s</code> with a link to reset your password. """
        u"""Please check your email. If it doesn’t arrive in a few minutes, it may have landed in """
        u"""your spam or junk folder. The reset link is valid for 24 hours. """ % escape(email)))
def client_team_access(key):
    """Choose which of the current user's organizations grant client ``key`` access to their teams.

    Authorization here is by organization ownership rather than client
    ownership: any client may be named, but only organizations from
    g.user.organizations_owned() are offered, so a user can only add or
    remove access for orgs they own. Added grants use CLIENT_TEAM_ACCESS.ALL.
    """
    # NOTE(review): client.team_access is not checked here, although client_edit
    # deletes ClientTeamAccess rows whenever that flag is off — confirm whether
    # grants to a client without team_access should be refused up front.
    client = Client.query.filter_by(key=key).first_or_404()
    form = ClientTeamAccessForm()
    owned_orgs = g.user.organizations_owned()
    form.organizations.choices = [(org.userid, org.title) for org in owned_orgs]
    currently_granted = [org.userid for org in owned_orgs if client in org.clients_with_team_access()]
    if request.method == 'GET':
        form.organizations.data = currently_granted
    if not form.validate_on_submit():
        return render_form(form=form, title="Select organizations", submit="Save", ajax=True)
    before = set(currently_granted)
    chosen = set(form.organizations.data)
    to_remove = Organization.query.filter(Organization.userid.in_(before - chosen)).all()
    to_add = Organization.query.filter(Organization.userid.in_(chosen - before)).all()
    stale_grants = ClientTeamAccess.query.filter_by(client=client).filter(
        ClientTeamAccess.org_id.in_([org.id for org in to_remove])).all()
    for grant in stale_grants:
        db.session.delete(grant)
    for org in to_add:
        db.session.add(ClientTeamAccess(org=org, client=client, access_level=CLIENT_TEAM_ACCESS.ALL))
    db.session.commit()
    flash("You have assigned access to teams in your organizations for this app.", "info")
    return render_redirect(url_for('client_info', key=key), code=303)