def post(self, dashboard_id):
    """
    Enable anonymous (public) access to a dashboard.

    Creates an API key bound to the dashboard and returns a public URL that
    carries that key as its ``token`` argument. The URL is therefore a
    bearer credential and should be handled like one.

    :param dashboard_id: The numeric ID of the dashboard to share.
    :>json string public_url: The URL for anonymous access to the dashboard.
    :>json api_key: The API key to use when accessing it.
    """
    # The lookup is scoped to the caller's organisation.
    dashboard = models.Dashboard.get_by_id_and_org(dashboard_id, self.current_org)
    # Authorise before any key is minted.
    require_admin_or_owner(dashboard.user_id)

    share_key = models.ApiKey.create_for_object(dashboard, self.current_user)
    models.db.session.flush()
    models.db.session.commit()

    public_url = url_for(
        "redash.public_dashboard",
        token=share_key.api_key,
        org_slug=self.current_org.slug,
        _external=True,
    )

    event = {
        "action": "activate_api_key",
        "object_id": dashboard.id,
        "object_type": "dashboard",
    }
    self.record_event(event)

    return {"public_url": public_url, "api_key": share_key.api_key}
def post(self, object_type, object_id):
    """Grant a user an access permission on an object.

    The JSON body supplies ``access_type`` (must be one of ``ACCESS_TYPES``)
    and ``user_id``. Both the target object and the grantee are looked up
    within the caller's organisation.
    """
    model = get_model_from_type(object_type)
    target = get_object_or_404(model.get_by_id_and_org, object_id, self.current_org)

    # Only an admin or the object's owner may hand out permissions on it.
    require_admin_or_owner(target.user_id)

    payload = request.get_json(True)

    access_type = payload['access_type']
    if access_type not in ACCESS_TYPES:
        abort(400, message='Unknown access type.')

    try:
        grantee = User.get_by_id_and_org(payload['user_id'], self.current_org)
    except NoResultFound:
        abort(400, message='User not found.')

    permission = AccessPermission.grant(target, access_type, grantee, self.current_user)
    db.session.commit()

    event = {
        'action': 'grant_permission',
        'object_id': object_id,
        'object_type': object_type,
        'grantee': grantee.id,
        'access_type': access_type,
    }
    self.record_event(event)

    return permission.to_dict()
def delete(self, object_type, object_id):
    """Revoke a user's access permission on an object.

    The JSON body supplies ``user_id`` and ``access_type``.
    """
    model = get_model_from_type(object_type)
    target = get_object_or_404(model.get_by_id_and_org, object_id, self.current_org)
    require_admin_or_owner(target.user_id)

    payload = request.get_json(True)
    grantee_id = payload['user_id']
    access_type = payload['access_type']

    # NOTE(review): the grantee is fetched by primary key only, whereas the
    # target object is fetched within self.current_org. Confirm that an
    # unscoped user lookup is intended here.
    grantee = User.query.get(payload['user_id'])
    if grantee is None:
        abort(400, message='User not found.')

    AccessPermission.revoke(target, grantee, access_type)
    db.session.commit()

    event = {
        'action': 'revoke_permission',
        'object_id': object_id,
        'object_type': object_type,
        'access_type': access_type,
        'grantee_id': grantee_id
    }
    self.record_event(event)
def post(self):
    """Create a widget on a dashboard and place it in the dashboard layout.

    The new widget joins the last layout row only when that row holds a
    single widget of width 1 and the new widget is not of width 2;
    otherwise it starts a new row. Returns the widget, the updated layout
    and whether a new row was started.
    """
    props = request.get_json(force=True)
    dashboard = models.Dashboard.get_by_id_and_org(props.pop('dashboard_id'), self.current_org)
    require_admin_or_owner(dashboard.user_id)

    props['options'] = json.dumps(props['options'])
    # A client-supplied primary key is discarded.
    props.pop('id', None)
    props['dashboard'] = dashboard
    props['visualization'] = props.pop('visualization_id')

    # NOTE(review): every remaining key of the request body is forwarded to
    # the model constructor; consider an explicit allow-list of fields.
    widget = models.Widget.create(**props)

    layout = json.loads(widget.dashboard.layout)

    joins_last_row = False
    if len(layout) != 0 and widget.width != 2 and len(layout[-1]) == 1:
        neighbour = models.Widget.get(models.Widget.id == layout[-1][0])
        joins_last_row = neighbour.width == 1

    if joins_last_row:
        layout[-1].append(widget.id)
    else:
        layout.append([widget.id])
    new_row = not joins_last_row

    widget.dashboard.layout = json.dumps(layout)
    widget.dashboard.save()

    return {'widget': widget.to_dict(), 'layout': layout, 'new_row': new_row}
def post(self, dashboard_id):
    """
    Enable anonymous (public) access to a dashboard.

    Reuses the key returned by ``get_exsistkey_by_object`` when there is
    one, otherwise creates a new key, and marks the key active.

    :param dashboard_id: The numeric ID of the dashboard to share.
    :>json string public_url: The URL for anonymous access to the dashboard.
    :>json api_key: The API key to use when accessing it.
    """
    dashboard = models.Dashboard.get_by_id_and_org(dashboard_id, self.current_org)
    require_admin_or_owner(dashboard.user_id)

    # NOTE(review): presumably this returns the dashboard's key even when it
    # was deactivated (confirm). If so, re-sharing makes every previously
    # distributed public URL valid again; rotate the key if that is unwanted.
    share_key = models.ApiKey.get_exsistkey_by_object(dashboard)
    if not share_key:
        share_key = models.ApiKey.create_for_object(dashboard, self.current_user)
    share_key.active = True

    models.db.session.flush()
    models.db.session.commit()

    public_url = url_for(
        'redash.public_dashboard',
        token=share_key.api_key,
        org_slug=self.current_org.slug,
        _external=True,
    )

    event = {
        'action': 'activate_api_key',
        'object_id': dashboard.id,
        'object_type': 'dashboard',
    }
    self.record_event(event)

    return {'public_url': public_url, 'api_key': share_key.api_key}
def post(self, dashboard_id):
    """Create an API key for a dashboard and return its public URL and key.

    The returned URL embeds the key as its ``token`` argument, so the URL
    itself grants access. No audit event is recorded by this handler.
    """
    dashboard = models.Dashboard.get_by_id_and_org(dashboard_id, self.current_org)
    require_admin_or_owner(dashboard.user_id)

    share_key = models.ApiKey.create_for_object(dashboard, self.current_user)
    link = url_for(
        'redash.public_dashboard',
        token=share_key.api_key,
        org_slug=self.current_org.slug,
        _external=True,
    )

    return {'public_url': link, 'api_key': share_key.api_key}
def post(self, object_type, object_id):
    """Grant a user an access permission on an object.

    ``access_type`` must be one of ``ACCESS_TYPES``; the grantee is looked
    up by ``user_id`` within the caller's organisation.
    """
    model = get_model_from_type(object_type)
    target = get_object_or_404(model.get_by_id_and_org, object_id, self.current_org)
    require_admin_or_owner(target.user_id)

    payload = request.get_json(True)

    access_type = payload['access_type']
    if access_type not in ACCESS_TYPES:
        abort(400, message='Unknown access type.')

    try:
        grantee = User.get_by_id_and_org(payload['user_id'], self.current_org)
    except User.DoesNotExist:
        abort(400, message='User not found.')

    permission = AccessPermission.grant(target, access_type, grantee, self.current_user)

    event = {
        'action': 'grant_permission',
        'object_id': object_id,
        'object_type': object_type,
        'access_type': access_type,
        'grantee': grantee.id
    }
    self.record_event(event)

    return permission.to_dict()
def post(self, dashboard_id):
    """
    Enable anonymous (public) access to a dashboard.

    Refused with a 403 when ``settings.FEATURE_DISABLE_PUBLIC_DASHBOARDS``
    is set; the flag is checked before the dashboard is even looked up.

    :param dashboard_id: The numeric ID of the dashboard to share.
    :>json string public_url: The URL for anonymous access to the dashboard.
    :>json api_key: The API key to use when accessing it.
    """
    if settings.FEATURE_DISABLE_PUBLIC_DASHBOARDS:
        logging.info("Disabled public dashboards.")
        abort(403, message="The feature is disabled due to security reasons.")

    dashboard = models.Dashboard.get_by_id_and_org(dashboard_id, self.current_org)
    require_admin_or_owner(dashboard.user_id)

    share_key = models.ApiKey.create_for_object(dashboard, self.current_user)
    models.db.session.flush()
    models.db.session.commit()

    public_url = url_for(
        'redash.public_dashboard',
        token=share_key.api_key,
        org_slug=self.current_org.slug,
        _external=True,
    )

    event = {
        'action': 'activate_api_key',
        'object_id': dashboard.id,
        'object_type': 'dashboard',
    }
    self.record_event(event)

    return {'public_url': public_url, 'api_key': share_key.api_key}
def post(self, alert_id):
    """Update an alert from the JSON request body and return it serialized."""
    # Read the request body.
    payload = request.get_json(True)
    # Extract the parameters this endpoint works with.
    changes = project(payload, ('options', 'name', 'query_id', 'rearm'))

    # Look the alert up within the caller's organisation.
    alert = get_object_or_404(Alert.get_by_id_and_org, alert_id, self.current_org)
    # Check permissions.
    require_admin_or_owner(alert.user.id)

    # Apply the update; per the original note this amounts to
    # setattr(model, k, v) for each item.
    self.update_model(alert, changes)
    # Commit the update.
    session.commit()

    event = {
        'action': 'edit',
        'timestamp': int(time.time()),
        'object_id': alert.id,
        'object_type': 'alert'
    }
    self.record_event(event)

    # serialize_alert post-processes the queried columns into the JSON the
    # front end needs.
    return serialize_alert(alert)
def delete(self, object_type, object_id):
    """Revoke a user's access permission on an object.

    The JSON body supplies ``user_id`` and ``access_type``.
    """
    model = get_model_from_type(object_type)
    target = get_object_or_404(model.get_by_id_and_org, object_id, self.current_org)
    require_admin_or_owner(target.user_id)

    payload = request.get_json(True)
    grantee_id = payload["user_id"]
    access_type = payload["access_type"]

    # NOTE(review): the grantee is fetched by primary key only, whereas the
    # target object is fetched within self.current_org. Confirm that an
    # unscoped user lookup is intended here.
    grantee = User.query.get(payload["user_id"])
    if grantee is None:
        abort(400, message="User not found.")

    AccessPermission.revoke(target, grantee, access_type)
    db.session.commit()

    event = {
        "action": "revoke_permission",
        "object_id": object_id,
        "object_type": object_type,
        "access_type": access_type,
        "grantee_id": grantee_id,
    }
    self.record_event(event)
def delete(self, dashboard_id):
    """Disable anonymous access to a dashboard by deactivating its API key.

    Does nothing when the dashboard has no key. No audit event is recorded
    by this handler.
    """
    dashboard = models.Dashboard.get_by_id_and_org(dashboard_id, self.current_org)
    require_admin_or_owner(dashboard.user_id)

    share_key = models.ApiKey.get_by_object(dashboard)
    if not share_key:
        return

    share_key.active = False
    share_key.save()
def post(self, widget_id):
    """Replace a widget's text with the ``text`` field of the JSON body."""
    # This method currently handles Text Box widgets only.
    widget = models.Widget.get_by_id_and_org(widget_id, self.current_org)
    # Ownership is taken from the dashboard that holds the widget.
    require_admin_or_owner(widget.dashboard.user_id)

    body = request.get_json(force=True)
    widget.text = body['text']
    widget.save()

    return widget.to_dict()
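def post(self, user_id):
    """
    Update a user's e-mail, name, password or group membership.

    The caller must pass ``require_admin_or_owner`` for ``user_id``. A
    password change must carry the current password, group changes need
    the ``admin`` permission, and an e-mail address that has no ``@`` or
    sits on a rejected domain is refused with a 400.

    :param user_id: ID of the user to update.
    """
    require_admin_or_owner(user_id)
    user = models.User.get_by_id_and_org(user_id, self.current_org)

    req = request.get_json(True)
    params = project(
        req, ('email', 'name', 'password', 'old_password', 'groups'))

    if 'password' in params and 'old_password' not in params:
        abort(403, message="Must provide current password to update password.")

    if 'old_password' in params and not user.verify_password(
            params['old_password']):
        abort(403, message="Incorrect current password.")

    if 'password' in params:
        user.hash_password(params.pop('password'))
        params.pop('old_password')

    if 'groups' in params and not self.current_user.has_permission(
            'admin'):
        abort(403, message="Must be admin to change groups membership.")

    if 'email' in params:
        # partition() never raises: a value without '@' used to escape as an
        # unhandled ValueError from tuple-unpacking split(); it is now a 400.
        _, at_sign, domain = params['email'].partition('@')
        if not at_sign or domain.lower() in blacklist or domain.lower() == 'qq.com':
            abort(400, message='Bad email address.')

    try:
        self.update_model(user, params)
        models.db.session.commit()

        # The user has updated their email or password. This should invalidate all _other_ sessions,
        # forcing them to log in again. Since we don't want to force _this_ session to have to go
        # through login again, we call `login_user` in order to update the session with the new identity details.
        if current_user.id == user.id:
            login_user(user, remember=True)
    except IntegrityError as e:
        if "email" in e.message:
            message = "Email already taken."
        else:
            message = "Error updating record"

        abort(400, message=message)

    self.record_event({
        'action': 'edit',
        'object_id': user.id,
        'object_type': 'user',
        'updated_fields': params.keys()
    })

    # The API key is only included when the caller is an admin or the owner.
    return user.to_dict(with_api_key=is_admin_or_owner(user_id))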
def delete(self, query_id):
    """
    Archive a query (the row is archived, not removed).

    :param query_id: ID of query to archive
    """
    target = get_object_or_404(models.Query.get_by_id_and_org, query_id, self.current_org)
    # Only an admin or the query's owner may archive it.
    require_admin_or_owner(target.user_id)

    target.archive(self.current_user)
    models.db.session.commit()
def delete(self, snippet_id):
    """Delete a query snippet and record a ``delete`` event for it."""
    target = get_object_or_404(models.QuerySnippet.get_by_id_and_org, snippet_id, self.current_org)
    require_admin_or_owner(target.user.id)

    target.delete_instance()

    event = {
        'action': 'delete',
        'object_id': target.id,
        'object_type': 'query_snippet'
    }
    self.record_event(event)
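def delete(self, alert_id, subscriber_id):
    """Unsubscribe ``subscriber_id`` from alert ``alert_id`` and record it.

    The admin-or-owner check runs before the subscription is touched, so a
    caller who fails the check leaves the subscription in place.
    """
    # Authorise before mutating: with the check placed after unsubscribe(),
    # the removal would already have run for a caller who is then rejected.
    require_admin_or_owner(subscriber_id)

    models.AlertSubscription.unsubscribe(alert_id, subscriber_id)

    self.record_event({
        'action': 'unsubscribe',
        'timestamp': int(time.time()),
        'object_id': alert_id,
        'object_type': 'alert'
    })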
def delete(self, alert_id, subscriber_id):
    """Delete an alert subscription and record an ``unsubscribe`` event."""
    # NOTE(review): the row is fetched by ``subscriber_id`` alone; nothing
    # here checks that it belongs to ``alert_id``, which is the id the
    # event below records.
    sub = models.AlertSubscription.query.get_or_404(subscriber_id)
    require_admin_or_owner(sub.user.id)

    db_session = models.db.session
    db_session.delete(sub)
    db_session.commit()

    event = {
        'action': 'unsubscribe',
        'object_id': alert_id,
        'object_type': 'alert'
    }
    self.record_event(event)
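def delete(self, snippet_id):
    """Delete a query snippet and record a ``delete`` event for it.

    The snippet is looked up within the caller's organisation and the
    caller must be an admin or the snippet's owner.
    """
    snippet = get_object_or_404(models.QuerySnippet.get_by_id_and_org, snippet_id, self.current_org)
    require_admin_or_owner(snippet.user.id)

    # Read the id while the instance is still attached to the session.
    deleted_id = snippet.id

    models.db.session.delete(snippet)
    # delete() only stages the removal; without a commit in this handler
    # the row would survive unless something else commits the session.
    models.db.session.commit()

    self.record_event({
        'action': 'delete',
        'object_id': deleted_id,
        'object_type': 'query_snippet'
    })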
def delete(self, alert_id, subscriber_id):
    """Delete an alert subscription and record an ``unsubscribe`` event."""
    # NOTE(review): the row is fetched by ``subscriber_id`` alone; nothing
    # here checks that it belongs to ``alert_id``, which is the id the
    # event below records.
    sub = models.AlertSubscription.query.get_or_404(subscriber_id)
    require_admin_or_owner(sub.user.id)

    db_session = models.db.session
    db_session.delete(sub)
    db_session.commit()

    event = {
        "action": "unsubscribe",
        "object_id": alert_id,
        "object_type": "alert"
    }
    self.record_event(event)
def post(self, alert_id):
    """Update an alert from the JSON request body and return it serialized.

    Only ``options``, ``name``, ``query_id`` and ``rearm`` are taken from
    the body. No audit event is recorded by this handler.
    """
    payload = request.get_json(True)
    changes = project(payload, ('options', 'name', 'query_id', 'rearm'))

    alert = get_object_or_404(models.Alert.get_by_id_and_org, alert_id, self.current_org)
    require_admin_or_owner(alert.user.id)

    self.update_model(alert, changes)
    models.db.session.commit()

    return serialize_alert(alert)
def delete(self, alert_id, subscriber_id):
    """Delete an alert subscription and record an ``unsubscribe`` event."""
    # NOTE(review): the subscription is fetched by ``subscriber_id`` alone;
    # it is never compared with ``alert_id``, which is what the event logs.
    sub = get_object_or_404(models.AlertSubscription.get_by_id, subscriber_id)
    require_admin_or_owner(sub.user.id)

    sub.delete_instance()

    event = {
        'action': 'unsubscribe',
        'timestamp': int(time.time()),
        'object_id': alert_id,
        'object_type': 'alert'
    }
    self.record_event(event)
def delete(self, alert_id, subscriber_id):
    """Delete an alert subscription and record an ``unsubscribe`` event."""
    # NOTE(review): the row is fetched by ``subscriber_id`` alone; nothing
    # here checks that it belongs to ``alert_id``, which is the id the
    # event below records.
    sub = models.AlertSubscription.query.get_or_404(subscriber_id)
    require_admin_or_owner(sub.user.id)

    db_session = models.db.session
    db_session.delete(sub)
    db_session.commit()

    event = {
        'action': 'unsubscribe',
        'timestamp': int(time.time()),
        'object_id': alert_id,
        'object_type': 'alert'
    }
    self.record_event(event)
def delete(self, alert_id, subscriber_id):
    """Delete an alert subscription and record an ``unsubscribe`` event."""
    # NOTE(review): the row is fetched by ``subscriber_id`` alone; nothing
    # here checks that it belongs to ``alert_id``, which is the id the
    # event below records.
    sub = AlertSubscription.query.get_or_404(subscriber_id)
    require_admin_or_owner(sub.user.id)

    session.delete(sub)
    session.commit()

    event = {
        'action': 'unsubscribe',
        'timestamp': int(time.time()),
        'object_id': alert_id,
        'object_type': 'alert'
    }
    self.record_event(event)
def delete(self, alert_id):
    """Unmute an alert by setting ``options['muted']`` to False."""
    target = get_object_or_404(models.Alert.get_by_id_and_org, alert_id, self.current_org)
    require_admin_or_owner(target.user.id)

    target.options['muted'] = False
    models.db.session.commit()

    event = {
        'action': 'unmute',
        'object_id': target.id,
        'object_type': 'alert'
    }
    self.record_event(event)
def post(self):
    """Create a visualization for a query from the JSON request body."""
    body = request.get_json(force=True)

    parent_query = get_object_or_404(models.Query.get_by_id_and_org, body.pop('query_id'), self.current_org)
    # Ownership of the parent query decides who may add visualizations.
    require_admin_or_owner(parent_query.user_id)

    body['options'] = json.dumps(body['options'])
    body['query'] = parent_query

    # NOTE(review): every remaining key of the request body is forwarded to
    # the model constructor; consider an explicit allow-list of fields.
    created = models.Visualization.create(**body)

    return created.to_dict(with_query=False)
def delete(self, snippet_id):
    """Delete a query snippet, commit, and record a ``delete`` event."""
    target = get_object_or_404(models.QuerySnippet.get_by_id_and_org, snippet_id, self.current_org)
    require_admin_or_owner(target.user.id)

    db_session = models.db.session
    db_session.delete(target)
    db_session.commit()

    event = {
        "action": "delete",
        "object_id": target.id,
        "object_type": "query_snippet",
    }
    self.record_event(event)
def add_visual(self, kwargs):
    """Create and commit a visualization for a query; return it as a dict.

    ``kwargs`` is consumed in place: ``query_id`` is removed, ``options`` is
    replaced by its JSON encoding and ``query_rel`` is added.
    """
    parent_query = get_object_or_404(models.Query.get_by_id_and_org, kwargs.pop('query_id'), self.current_org)
    require_admin_or_owner(parent_query.user_id)

    kwargs['options'] = json.dumps(kwargs['options'])
    kwargs['query_rel'] = parent_query

    # NOTE(review): every remaining key in ``kwargs`` reaches the model
    # constructor; if it comes straight from a request body, consider an
    # explicit allow-list of fields.
    created = models.Visualization(**kwargs)
    models.db.session.add(created)
    models.db.session.commit()

    return created.to_dict(with_query=False)
def delete(self, alert_id):
    """Unmute an alert by setting ``options["muted"]`` to False."""
    target = get_object_or_404(models.Alert.get_by_id_and_org, alert_id, self.current_org)
    require_admin_or_owner(target.user.id)

    target.options["muted"] = False
    models.db.session.commit()

    event = {
        "action": "unmute",
        "object_id": target.id,
        "object_type": "alert"
    }
    self.record_event(event)
def delete(self, dashboard_id, application_id):
    """Detach a dashboard from an application and record the event.

    Authorisation is based on the dashboard's owner; ``application_id`` is
    passed through as given.
    """
    target = get_object_or_404(models.Dashboard.get_by_id_and_org, dashboard_id, self.current_org)
    require_admin_or_owner(target.user_id)

    models.ApplicationDashboard.delete_dashboard_from_application(
        dashboard_id, application_id)

    event = {
        "action": "delete_dashboard_from_application",
        "object_id": dashboard_id,
        "object_type": "dashboard",
        "member_id": application_id,
    }
    self.record_event(event)
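def post(self, user_id):
    """
    Update a user's e-mail, name, password or group membership.

    The caller must pass ``require_admin_or_owner`` for ``user_id``. A
    password change must carry the current password, group changes need
    the ``admin`` permission, and an e-mail address that has no ``@`` or
    sits on a rejected domain is refused with a 400. The session is only
    refreshed when the caller edited their own account.

    :param user_id: ID of the user to update.
    """
    require_admin_or_owner(user_id)
    user = models.User.get_by_id_and_org(user_id, self.current_org)

    req = request.get_json(True)

    params = project(req, ('email', 'name', 'password', 'old_password', 'groups'))

    if 'password' in params and 'old_password' not in params:
        abort(403, message="Must provide current password to update password.")

    if 'old_password' in params and not user.verify_password(params['old_password']):
        abort(403, message="Incorrect current password.")

    if 'password' in params:
        user.hash_password(params.pop('password'))
        params.pop('old_password')

    if 'groups' in params and not self.current_user.has_permission('admin'):
        abort(403, message="Must be admin to change groups membership.")

    if 'email' in params:
        # partition() never raises: a value without '@' used to escape as an
        # unhandled ValueError from tuple-unpacking split(); it is now a 400.
        _, at_sign, domain = params['email'].partition('@')
        if not at_sign or domain.lower() in blacklist or domain.lower() == 'qq.com':
            abort(400, message='Bad email address.')

    try:
        self.update_model(user, params)
        models.db.session.commit()

        # The user has updated their email or password. This should invalidate all _other_ sessions,
        # forcing them to log in again. Since we don't want to force _this_ session to have to go
        # through login again, we call `login_user` in order to update the session with the new identity details.
        # Only do so when the caller edited their own account: calling it
        # unconditionally would rebind an admin's session to the edited user.
        if self.current_user.id == user.id:
            login_user(user, remember=True)
    except IntegrityError as e:
        if "email" in e.message:
            message = "Email already taken."
        else:
            message = "Error updating record"

        abort(400, message=message)

    self.record_event({
        'action': 'edit',
        'object_id': user.id,
        'object_type': 'user',
        'updated_fields': params.keys()
    })

    # The API key is only included when the caller is an admin or the owner.
    return user.to_dict(with_api_key=is_admin_or_owner(user_id))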
def post(self, query_id):
    """Regenerate a query's API key and return the serialized query.

    Replacing the key means anything still using the previous one has to be
    given the new value.
    """
    target = get_object_or_404(models.Query.get_by_id_and_org, query_id, self.current_org)
    require_admin_or_owner(target.user_id)

    target.regenerate_api_key()
    models.db.session.commit()

    # The action name is spelled exactly as the original emits it.
    event = {
        'action': 'regnerate_api_key',
        'object_id': query_id,
        'object_type': 'query',
    }
    self.record_event(event)

    return QuerySerializer(target).serialize()
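def post(self, dashboard_id):
    """Enable anonymous access to a dashboard.

    Creates an API key bound to the dashboard, persists it, and returns a
    public URL that carries the key as its ``token`` argument together with
    the key itself.
    """
    dashboard = models.Dashboard.get_by_id_and_org(dashboard_id, self.current_org)
    require_admin_or_owner(dashboard.user_id)

    api_key = models.ApiKey.create_for_object(dashboard, self.current_user)
    models.db.session.flush()
    # flush() only sends the INSERT inside the open transaction; commit so
    # the key handed back to the caller is actually persisted.
    models.db.session.commit()

    public_url = url_for('redash.public_dashboard', token=api_key.api_key, org_slug=self.current_org.slug, _external=True)

    self.record_event({
        'action': 'activate_api_key',
        'object_id': dashboard.id,
        'object_type': 'dashboard',
    })

    return {'public_url': public_url, 'api_key': api_key.api_key}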
def delete(self, dashboard_id):
    """Disable anonymous access to a dashboard by deactivating its API key.

    The ``deactivate_api_key`` event is recorded whether or not a key was
    found.
    """
    dashboard = models.Dashboard.get_by_id_and_org(dashboard_id, self.current_org)
    require_admin_or_owner(dashboard.user_id)

    share_key = models.ApiKey.get_by_object(dashboard)
    if share_key:
        share_key.active = False
        share_key.save()

    event = {
        'action': 'deactivate_api_key',
        'object_id': dashboard.id,
        'object_type': 'dashboard',
    }
    self.record_event(event)
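def post(self, user_id):
    """
    Update a user's e-mail, name, password or group membership.

    The caller must pass ``require_admin_or_owner`` for ``user_id``. A
    password change must carry the current password, group changes need
    the ``admin`` permission, and an e-mail address that has no ``@`` or
    sits on a rejected domain is refused with a 400.

    :param user_id: ID of the user to update.
    """
    require_admin_or_owner(user_id)
    user = models.User.get_by_id_and_org(user_id, self.current_org)

    req = request.get_json(True)
    params = project(
        req, ('email', 'name', 'password', 'old_password', 'groups'))

    if 'password' in params and 'old_password' not in params:
        abort(403, message="Must provide current password to update password.")

    if 'old_password' in params and not user.verify_password(
            params['old_password']):
        abort(403, message="Incorrect current password.")

    if 'password' in params:
        user.hash_password(params.pop('password'))
        params.pop('old_password')

    if 'groups' in params and not self.current_user.has_permission(
            'admin'):
        abort(403, message="Must be admin to change groups membership.")

    if 'email' in params:
        # partition() never raises: a value without '@' used to escape as an
        # unhandled ValueError from tuple-unpacking split(); it is now a 400.
        _, at_sign, domain = params['email'].partition('@')
        if not at_sign or domain.lower() in blacklist or domain.lower() == 'qq.com':
            abort(400, message='Bad email address.')

    try:
        self.update_model(user, params)
        models.db.session.commit()
    except IntegrityError as e:
        if "email" in e.message:
            message = "Email already taken."
        else:
            message = "Error updating record"

        abort(400, message=message)

    self.record_event({
        'action': 'edit',
        'object_id': user.id,
        'object_type': 'user',
        'updated_fields': params.keys()
    })

    # The API key is only included when the caller is an admin or the owner.
    return user.to_dict(with_api_key=is_admin_or_owner(user_id))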
def post(self, visualization_id):
    """Update a visualization from the JSON request body."""
    target = get_object_or_404(models.Visualization.get_by_id_and_org, visualization_id, self.current_org)
    # Ownership is taken from the query the visualization belongs to.
    require_admin_or_owner(target.query.user_id)

    changes = request.get_json(force=True)
    if 'options' in changes:
        changes['options'] = json.dumps(changes['options'])

    # The primary key and the parent query cannot be changed through here.
    for locked in ('id', 'query_id'):
        changes.pop(locked, None)

    # NOTE(review): every other key of the request body is applied to the
    # model; consider an explicit allow-list of fields.
    target.update_instance(**changes)

    return target.to_dict(with_query=False)
def post(self, snippet_id):
    """Update a query snippet's ``trigger``, ``description`` and ``snippet``."""
    payload = request.get_json(True)
    changes = project(payload, ('trigger', 'description', 'snippet'))

    target = get_object_or_404(models.QuerySnippet.get_by_id_and_org, snippet_id, self.current_org)
    require_admin_or_owner(target.user.id)

    target.update_instance(**changes)

    event = {
        'action': 'edit',
        'object_id': target.id,
        'object_type': 'query_snippet'
    }
    self.record_event(event)

    return target.to_dict()
def post(self, visualization_id):
    """Update a visualization from the JSON request body and commit."""
    target = get_object_or_404(models.Visualization.get_by_id_and_org, visualization_id, self.current_org)
    # Ownership is taken from the query the visualization belongs to.
    require_admin_or_owner(target.query_rel.user_id)

    changes = request.get_json(force=True)
    if 'options' in changes:
        changes['options'] = json.dumps(changes['options'])

    # The primary key and the parent query cannot be changed through here.
    for locked in ('id', 'query_id'):
        changes.pop(locked, None)

    # NOTE(review): every other key of the request body is applied to the
    # model; consider an explicit allow-list of fields.
    self.update_model(target, changes)

    # Serialize before committing, as the original does.
    serialized = target.to_dict(with_query=False)
    models.db.session.commit()
    return serialized
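def post(self, user_id):
    """
    Update a user's e-mail, name, password or group membership.

    The caller must pass ``require_admin_or_owner`` for ``user_id``. A
    password change must carry the current password, group changes need
    the ``admin`` permission, and an e-mail address that has no ``@`` or
    sits on a rejected domain is refused with a 400.

    :param user_id: ID of the user to update.
    """
    require_admin_or_owner(user_id)
    user = models.User.get_by_id_and_org(user_id, self.current_org)

    req = request.get_json(True)

    params = project(req, ('email', 'name', 'password', 'old_password', 'groups'))

    if 'password' in params and 'old_password' not in params:
        abort(403, message="Must provide current password to update password.")

    if 'old_password' in params and not user.verify_password(params['old_password']):
        abort(403, message="Incorrect current password.")

    if 'password' in params:
        user.hash_password(params.pop('password'))
        params.pop('old_password')

    if 'groups' in params and not self.current_user.has_permission('admin'):
        abort(403, message="Must be admin to change groups membership.")

    if 'email' in params:
        # partition() never raises: a value without '@' used to escape as an
        # unhandled ValueError from tuple-unpacking split(); it is now a 400.
        _, at_sign, domain = params['email'].partition('@')
        if not at_sign or domain.lower() in blacklist or domain.lower() == 'qq.com':
            abort(400, message='Bad email address.')

    try:
        self.update_model(user, params)
        models.db.session.commit()
    except IntegrityError as e:
        if "email" in e.message:
            message = "Email already taken."
        else:
            message = "Error updating record"

        abort(400, message=message)

    self.record_event({
        'action': 'edit',
        'object_id': user.id,
        'object_type': 'user',
        'updated_fields': params.keys()
    })

    # The API key is only included when the caller is an admin or the owner.
    return user.to_dict(with_api_key=is_admin_or_owner(user_id))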
def post(self, alert_id):
    """Update an alert from the JSON request body and return it serialized.

    Only ``options``, ``name``, ``query_id`` and ``rearm`` are taken from
    the body.
    """
    payload = request.get_json(True)
    changes = project(payload, ('options', 'name', 'query_id', 'rearm'))

    alert = get_object_or_404(models.Alert.get_by_id_and_org, alert_id, self.current_org)
    require_admin_or_owner(alert.user.id)

    self.update_model(alert, changes)
    models.db.session.commit()

    event = {
        'action': 'edit',
        'timestamp': int(time.time()),
        'object_id': alert.id,
        'object_type': 'alert'
    }
    self.record_event(event)

    return serialize_alert(alert)
def post(self, user_id):
    """Update a user's e-mail, name, password or group membership.

    A password change must carry the current password, and group changes
    need the ``admin`` permission.
    """
    require_admin_or_owner(user_id)
    # NOTE(review): this lookup is by id only, with no organisation scope;
    # confirm that is acceptable for this deployment.
    user = models.User.get_by_id(user_id)

    payload = request.get_json(True)
    params = project(payload, ("email", "name", "password", "old_password", "groups"))

    wants_new_password = "password" in params
    if wants_new_password and "old_password" not in params:
        abort(403, message="Must provide current password to update password.")

    if "old_password" in params and not user.verify_password(params["old_password"]):
        abort(403, message="Incorrect current password.")

    if "password" in params:
        # Store only the hash; both password fields are dropped from params.
        user.hash_password(params.pop("password"))
        params.pop("old_password")

    if "groups" in params and not self.current_user.has_permission("admin"):
        abort(403, message="Must be admin to change groups membership.")

    try:
        user.update_instance(**params)
    except IntegrityError as e:
        message = "Email already taken." if "email" in e.message else "Error updating record"
        abort(400, message=message)

    event = {
        "user_id": self.current_user.id,
        "action": "edit",
        "timestamp": int(time.time()),
        "object_id": user.id,
        "object_type": "user",
        "updated_fields": params.keys(),
    }
    record_event.delay(event)

    # The API key is only included when the caller is an admin or the owner.
    return user.to_dict(with_api_key=is_admin_or_owner(user_id))
def delete(self, object_type, object_id):
    """Revoke an access permission on an object.

    The JSON body supplies ``user_id`` and ``access_type``; ``user_id`` is
    handed to ``AccessPermission.revoke`` exactly as received.
    """
    model = get_model_from_type(object_type)
    target = get_object_or_404(model.get_by_id_and_org, object_id, self.current_org)
    require_admin_or_owner(target.user_id)

    payload = request.get_json(True)
    grantee = payload['user_id']
    access_type = payload['access_type']

    AccessPermission.revoke(target, grantee, access_type)

    event = {
        'action': 'revoke_permission',
        'object_id': object_id,
        'object_type': object_type,
        'access_type': access_type,
        'grantee': grantee
    }
    self.record_event(event)
def post(self, query_id):
    """Update a query from the JSON request body and return it as a dict.

    A fixed set of fields is stripped from the body before it is applied,
    and ``last_modified_by`` is always set to the current user.
    """
    target = get_object_or_404(models.Query.get_by_id_and_org, query_id, self.current_org)
    require_admin_or_owner(target.user_id)

    changes = request.get_json(force=True)

    # Fields a client must not set directly.
    stripped = ('id', 'created_at', 'api_key', 'visualizations', 'latest_query_data',
                'user', 'last_modified_by', 'org')
    for name in stripped:
        changes.pop(name, None)

    # Translate the ``*_id`` keys into the names update_instance is given.
    if 'latest_query_data_id' in changes:
        changes['latest_query_data'] = changes.pop('latest_query_data_id')

    if 'data_source_id' in changes:
        changes['data_source'] = changes.pop('data_source_id')

    changes['last_modified_by'] = self.current_user

    # NOTE(review): every key not stripped above is applied to the model;
    # an allow-list would be stricter than this deny-list.
    target.update_instance(**changes)

    return target.to_dict(with_visualizations=True)
def post(self, alert_id):
    """Update an alert from the JSON request body and return it as a dict.

    Only ``options``, ``name``, ``query_id`` and ``rearm`` are taken from
    the body; ``query_id`` is passed on under the key ``query``.
    """
    payload = request.get_json(True)
    changes = project(payload, ('options', 'name', 'query_id', 'rearm'))

    alert = get_object_or_404(models.Alert.get_by_id_and_org, alert_id, self.current_org)
    require_admin_or_owner(alert.user.id)

    if 'query_id' in changes:
        changes['query'] = changes.pop('query_id')

    alert.update_instance(**changes)

    event = {
        'action': 'edit',
        'timestamp': int(time.time()),
        'object_id': alert.id,
        'object_type': 'alert'
    }
    self.record_event(event)

    return alert.to_dict()
def delete(self, dashboard_id):
    """
    Disable anonymous access to a dashboard.

    The dashboard's API key, if any, is marked inactive and committed. The
    ``deactivate_api_key`` event is recorded whether or not a key existed.

    :param dashboard_id: The numeric ID of the dashboard to unshare.
    """
    dashboard = models.Dashboard.get_by_id_and_org(dashboard_id, self.current_org)
    require_admin_or_owner(dashboard.user_id)

    share_key = models.ApiKey.get_by_object(dashboard)
    if share_key:
        share_key.active = False
        db_session = models.db.session
        db_session.add(share_key)
        db_session.commit()

    event = {
        'action': 'deactivate_api_key',
        'object_id': dashboard.id,
        'object_type': 'dashboard',
    }
    self.record_event(event)
def post(self, query_id):
    """Update a query from the JSON request body and return it as a dict.

    A fixed set of fields is stripped from the body before it is applied,
    and ``last_modified_by`` is always set to the current user.
    """
    target = get_object_or_404(models.Query.get_by_id_and_org, query_id, self.current_org)
    require_admin_or_owner(target.user_id)

    changes = request.get_json(force=True)

    # Fields a client must not set directly.
    stripped = ('id', 'created_at', 'api_key', 'visualizations', 'latest_query_data',
                'user', 'last_modified_by', 'org')
    for name in stripped:
        changes.pop(name, None)

    # TODO(@arikfr): after running a query it updates all relevant queries with the new result. So is this really
    # needed?
    if 'latest_query_data_id' in changes:
        changes['latest_query_data'] = changes.pop('latest_query_data_id')

    if 'data_source_id' in changes:
        changes['data_source'] = changes.pop('data_source_id')

    changes['last_modified_by'] = self.current_user

    # NOTE(review): every key not stripped above is applied to the model;
    # an allow-list would be stricter than this deny-list.
    target.update_instance(**changes)

    return target.to_dict(with_visualizations=True)
def post(self, user_id):
    """Update a user's e-mail, name, password or group membership.

    A password change must carry the current password, and group changes
    need the ``admin`` permission.
    """
    require_admin_or_owner(user_id)
    user = models.User.get_by_id_and_org(user_id, self.current_org)

    payload = request.get_json(True)
    params = project(payload, ('email', 'name', 'password', 'old_password', 'groups'))

    wants_new_password = 'password' in params
    if wants_new_password and 'old_password' not in params:
        abort(403, message="Must provide current password to update password.")

    if 'old_password' in params and not user.verify_password(params['old_password']):
        abort(403, message="Incorrect current password.")

    if 'password' in params:
        # Store only the hash; both password fields are dropped from params.
        user.hash_password(params.pop('password'))
        params.pop('old_password')

    if 'groups' in params and not self.current_user.has_permission('admin'):
        abort(403, message="Must be admin to change groups membership.")

    try:
        user.update_instance(**params)
    except IntegrityError as e:
        message = "Email already taken." if "email" in e.message else "Error updating record"
        abort(400, message=message)

    event = {
        'action': 'edit',
        'timestamp': int(time.time()),
        'object_id': user.id,
        'object_type': 'user',
        'updated_fields': params.keys()
    }
    self.record_event(event)

    # The API key is only included when the caller is an admin or the owner.
    return user.to_dict(with_api_key=is_admin_or_owner(user_id))
def post(self, dashboard_id):
    """
    Enable anonymous (public) access to a dashboard.

    Creates an API key bound to the dashboard and returns a public URL that
    carries that key as its ``token`` argument. The URL is therefore a
    bearer credential and should be handled like one.

    :param dashboard_id: The numeric ID of the dashboard to share.
    :>json string public_url: The URL for anonymous access to the dashboard.
    :>json api_key: The API key to use when accessing it.
    """
    # The lookup is scoped to the caller's organisation.
    dashboard = models.Dashboard.get_by_id_and_org(dashboard_id, self.current_org)
    # Authorise before any key is minted.
    require_admin_or_owner(dashboard.user_id)

    share_key = models.ApiKey.create_for_object(dashboard, self.current_user)
    models.db.session.flush()
    models.db.session.commit()

    public_url = url_for(
        'redash.public_dashboard',
        token=share_key.api_key,
        org_slug=self.current_org.slug,
        _external=True,
    )

    event = {
        'action': 'activate_api_key',
        'object_id': dashboard.id,
        'object_type': 'dashboard',
    }
    self.record_event(event)

    return {'public_url': public_url, 'api_key': share_key.api_key}
def delete(self, widget_id):
    """Delete a widget and return its dashboard's layout.

    The layout is read after the widget has been deleted.
    """
    target = models.Widget.get_by_id_and_org(widget_id, self.current_org)
    # Ownership is taken from the dashboard that holds the widget.
    require_admin_or_owner(target.dashboard.user_id)

    target.delete_instance()

    response = {'layout': target.dashboard.layout}
    return response
def delete(self, visualization_id):
    """Delete a visualization and commit. No audit event is recorded here."""
    target = get_object_or_404(models.Visualization.get_by_id_and_org, visualization_id, self.current_org)
    # Ownership is taken from the query the visualization belongs to.
    require_admin_or_owner(target.query_rel.user_id)

    db_session = models.db.session
    db_session.delete(target)
    db_session.commit()
def delete(self, query_id):
    """Archive a query. No audit event is recorded by this handler."""
    target = get_object_or_404(models.Query.get_by_id_and_org, query_id, self.current_org)
    # Only an admin or the query's owner may archive it.
    require_admin_or_owner(target.user_id)

    target.archive()
def delete(self, visualization_id):
    """Delete a visualization. No audit event is recorded by this handler."""
    target = get_object_or_404(models.Visualization.get_by_id_and_org, visualization_id, self.current_org)
    # Ownership is taken from the query the visualization belongs to.
    require_admin_or_owner(target.query.user_id)

    target.delete_instance()