def edit_user(request, user_id):
if not is_active_superuser(request.user):
return HttpResponseRedirect(reverse('sentry'))
try:
user = User.objects.get(pk=user_id)
except User.DoesNotExist:
return HttpResponseRedirect(reverse('sentry-admin-users'))
form = ChangeUserForm(request.POST or None, instance=user)
if form.is_valid():
user = form.save()
return HttpResponseRedirect(reverse('sentry-admin-users'))
project_list = Project.objects.filter(
status=0,
organization__member_set__user=user,
).order_by('-date_added')
context = {
'form': form,
'the_user': user,
'project_list': project_list,
}
context.update(csrf(request))
return render_to_response('sentry/admin/users/edit.html', context, request)
def test_is_active_superuser():
request = HttpRequest()
request.META['REMOTE_ADDR'] = '10.0.0.1'
with override_settings(INTERNAL_IPS=()):
assert is_active_superuser(request) is False
request.user = User()
assert is_active_superuser(request) is False
request.user.is_superuser = True
assert is_active_superuser(request) is True
with override_settings(INTERNAL_IPS=('127.0.0.1', )):
assert is_active_superuser(request) is False
with override_settings(INTERNAL_IPS=('10.0.0.1', )):
assert is_active_superuser(request) is True
def can(self, request):
if 'prof' not in request.GET:
return False
if settings.DEBUG:
return True
if hasattr(request, 'user') and is_active_superuser(request.user):
return True
return False
def show_toolbar(self, request):
# TODO(dcramer): support VPN via INTERNAL_IPS + ipaddr maps
if not settings.SENTRY_DEBUGGER:
return False
if not is_active_superuser(request.user):
return False
if 'text/html' not in request.META.get('HTTP_ACCEPT', '*/*'):
return False
return True
def get_active_organization(self, request, organization_slug=None):
"""
Returns the currently active organization for the request or None
if no organization.
"""
active_organization = None
is_implicit = organization_slug is None
if is_implicit:
organization_slug = request.session.get('activeorg')
if organization_slug is not None:
if is_active_superuser(request.user):
try:
active_organization = Organization.objects.get_from_cache(
slug=organization_slug, )
if active_organization.status != OrganizationStatus.VISIBLE:
raise Organization.DoesNotExist
except Organization.DoesNotExist:
logging.info('Active organization [%s] not found',
organization_slug)
return None
if active_organization is None:
organizations = Organization.objects.get_for_user(
user=request.user, )
if active_organization is None and organization_slug:
try:
active_organization = (o for o in organizations
if o.slug == organization_slug).next()
except StopIteration:
logging.info('Active organization [%s] not found in scope',
organization_slug)
if is_implicit:
del request.session['activeorg']
active_organization = None
if active_organization is None:
if not is_implicit:
return None
try:
active_organization = organizations[0]
except IndexError:
logging.info('User is not a member of any organizations')
pass
if active_organization and active_organization.slug != request.session.get(
'activeorg'):
request.session['activeorg'] = active_organization.slug
return active_organization
def _can_access(self, request, member):
# TODO(dcramer): ideally org owners/admins could perform these actions
if is_active_superuser(request.user):
return True
if not request.user.is_authenticated():
return False
if request.user.id == member.user_id:
return True
return False
def delete(self, request, organization, member_id):
try:
om = self._get_member(request, organization, member_id)
except OrganizationMember.DoesNotExist:
raise ResourceDoesNotExist
if request.user.is_authenticated() and not is_active_superuser(
request.user):
try:
acting_member = OrganizationMember.objects.get(
organization=organization,
user=request.user,
)
except OrganizationMember.DoesNotExist:
return Response({'detail': ERR_INSUFFICIENT_ROLE}, status=400)
else:
if not acting_member.can_manage_member(om):
return Response({'detail': ERR_INSUFFICIENT_ROLE},
status=400)
# TODO(dcramer): do we even need this check?
elif not request.access.has_scope('member:delete'):
return Response({'detail': ERR_INSUFFICIENT_SCOPE}, status=400)
if self._is_only_owner(om):
return Response({'detail': ERR_ONLY_OWNER}, status=403)
audit_data = om.get_audit_log_data()
with transaction.atomic():
AuthIdentity.objects.filter(
user=om.user,
auth_provider__organization=organization,
).delete()
om.delete()
self.create_audit_entry(
request=request,
organization=organization,
target_object=om.id,
target_user=om.user,
event=AuditLogEntryEvent.MEMBER_REMOVE,
data=audit_data,
)
return Response(status=204)
def handle(self, request, organization, member_id):
try:
member = OrganizationMember.objects.get(
Q(user__is_active=True) | Q(user__isnull=True),
id=member_id,
)
except OrganizationMember.DoesNotExist:
return self.redirect(reverse('sentry'))
if request.POST.get('op') == 'reinvite' and member.is_pending:
return self.resend_invite(request, organization, member)
can_admin = request.access.has_scope('member:delete')
if can_admin and not is_active_superuser(request.user):
acting_member = OrganizationMember.objects.get(
user=request.user,
organization=organization,
)
can_admin = acting_member.can_manage_member(member)
if member.user == request.user or not can_admin:
return self.view_member(request, organization, member)
form = self.get_form(request, member)
if form.is_valid():
member = form.save(request.user, organization,
request.META['REMOTE_ADDR'])
messages.add_message(request, messages.SUCCESS,
_('Your changes were saved.'))
redirect = reverse('sentry-organization-member-settings',
args=[organization.slug, member.id])
return self.redirect(redirect)
context = {
'member': member,
'form': form,
'role_list': roles.get_all(),
}
return self.respond('sentry/organization-member-settings.html',
context)
def create_new_user(request):
if not is_active_superuser(request.user):
return HttpResponseRedirect(reverse('sentry'))
form = NewUserForm(request.POST or None,
initial={
'send_welcome_mail': True,
'create_project': True,
})
if form.is_valid():
user = form.save(commit=False)
# create a random password
password = uuid.uuid4().hex
user.set_password(password)
user.save()
if form.cleaned_data['send_welcome_mail']:
context = {
'username': user.username,
'password': password,
'url': absolute_uri(reverse('sentry')),
}
body = render_to_string('sentry/emails/welcome_mail.txt', context,
request)
try:
send_mail('%s Welcome to Sentry' %
(settings.EMAIL_SUBJECT_PREFIX, ),
body,
settings.SERVER_EMAIL, [user.email],
fail_silently=False)
except Exception as e:
logger = logging.getLogger('sentry.mail.errors')
logger.exception(e)
return HttpResponseRedirect(reverse('sentry-admin-users'))
context = {
'form': form,
}
context.update(csrf(request))
return render_to_response('sentry/admin/users/new.html', context, request)
def get(self, request):
"""
List your Organizations
```````````````````````
Return a list of organizations available to the authenticated
session. This is particularly useful for requests with an
user bound context. For API key based requests this will
only return the organization that belongs to the key.
:qparam bool member: restrict results to organizations which you have
membership
:auth: required
"""
member_only = request.GET.get('member') in ('1', 'true')
queryset = Organization.objects.filter(
status=OrganizationStatus.VISIBLE, )
if request.auth:
if hasattr(request.auth, 'project'):
queryset = queryset.filter(
id=request.auth.project.organization_id)
else:
queryset = queryset.filter(id=request.auth.organization.id)
elif member_only or not is_active_superuser(request.user):
queryset = queryset.filter(
id__in=OrganizationMember.objects.filter(
user=request.user, ).values('organization'), )
query = request.GET.get('query')
if query:
queryset = queryset.filter(
Q(name__icontains=query) | Q(slug__icontains=query), )
return self.paginate(
request=request,
queryset=queryset,
order_by='name',
on_results=lambda x: serialize(x, request.user),
paginator_cls=OffsetPaginator,
)
def handle(self, request, organization, team):
form = self.get_form(request, team)
if form.is_valid():
try:
team = form.save()
except IntegrityError:
form.errors['__all__'] = [
'There was an error while saving your changes. Please try again.'
]
if form.is_valid():
AuditLogEntry.objects.create(
organization=organization,
actor=request.user,
ip_address=request.META['REMOTE_ADDR'],
target_object=team.id,
event=AuditLogEntryEvent.TEAM_EDIT,
data=team.get_audit_log_data(),
)
messages.add_message(request, messages.SUCCESS,
_('Changes to your team were saved.'))
return HttpResponseRedirect(
reverse('sentry-manage-team',
args=[organization.slug, team.slug]))
if is_active_superuser(request.user):
can_remove_team = True
else:
can_remove_team = request.access.has_team_scope(
team, 'team:delete')
context = {
'form': form,
'can_remove_team': can_remove_team,
}
return self.respond('sentry/teams/manage.html', context)
def get_attrs(self, item_list, user):
if is_active_superuser(user) or settings.SENTRY_PUBLIC:
inactive_memberships = frozenset(
OrganizationMemberTeam.objects.filter(
team__in=item_list,
organizationmember__user=user,
is_active=False,
).values_list('team', flat=True))
memberships = frozenset(
[t.id for t in item_list if t.id not in inactive_memberships])
elif user.is_authenticated():
memberships = frozenset(
OrganizationMemberTeam.objects.filter(
organizationmember__user=user,
team__in=item_list,
is_active=True,
).values_list('team', flat=True))
else:
memberships = frozenset()
if user.is_authenticated():
access_requests = frozenset(
OrganizationAccessRequest.objects.filter(
team__in=item_list,
member__user=user,
).values_list('team', flat=True))
else:
access_requests = frozenset()
result = {}
for team in item_list:
result[team] = {
'pending_request': team.id in access_requests,
'is_member': team.id in memberships,
}
return result
def has_permission(self, request, view):
if is_active_superuser(request.user):
return True
return False
def has_perm(self, perm_name):
warnings.warn('User.has_perm is deprecated', DeprecationWarning)
from sentry.auth.utils import is_active_superuser
return is_active_superuser(self)
def has_permission(self, request):
return is_active_superuser(request.user)
def get(self, request, user):
data = serialize(user, request.user)
data['isSuperuser'] = user == request.user and is_active_superuser(user)
return Response(data)
def has_module_perms(self, app_label):
# the admin requires this method
from sentry.auth.utils import is_active_superuser
return is_active_superuser(self)
def process_request(self, request):
request.is_superuser = lambda: is_active_superuser(request)
