def add_owner_to_group(group_id): group_id = sanitize(group_id) uid = sanitize(request.json.get('uid')) my_uid = token_handler.get_jwt_user(request.headers.get('Authorization')) if my_uid == None: return abort(401) if not api.is_active(my_uid): return abort(401) if not any(x.uid == my_uid for x in api.get_group_owners(group_id)): return abort(401) api.add_group_owner(group_id, uid) return "ok"
def __call__(self, environ, start_response): request = Request(environ) authheader = request.headers.get('Authorization') uid = token_handler.get_jwt_user(authheader) print(request.url.replace(request.url_root, "")) if uid == None and \ not request.url.replace(request.url_root, "") in ["login", "users/reset_password", "users/set_password_with_key"] and \ not request.url.replace(request.url_root, "").startswith("confirm"): res = Response(u'Authorization failed', mimetype='text/plain', status=401) return res(environ, start_response) return self.app(environ, start_response)
def group_owners(group_id): my_uid = token_handler.get_jwt_user(request.headers.get('Authorization')) if my_uid == None: return abort(401) if not api.is_active(my_uid): return abort(401) group_id = sanitize(group_id) ldap_owners = api.get_group_owners(group_id) owners = [] for x in ldap_owners: try: owners.append(object_to_dict(x)) except Exception as e: print(e) return jsonify(owners)
def accept_pending_member(group_id): group_id = sanitize(group_id) uid = sanitize(request.json.get('uid')) my_uid = token_handler.get_jwt_user(request.headers.get('Authorization')) if my_uid == None: return abort(401) if not api.is_active(my_uid): return abort(401) if not any(x.uid == my_uid for x in api.get_group_owners(group_id)): return abort(401) if any(x.uid == uid for x in api.get_group_inactive_pending_members(group_id)): api.activate_user(uid) api.remove_group_active_pending_member(group_id, uid) api.add_group_member(group_id, uid) return "ok"
def mygroups(): """ Gets all of the groups you are a member of. Returns them as json: [ { "businessCategory": "...", "cn": "...", "ou": "...", "membership": "...", // Either "pending", "member", or "admin" }, ... ] """ username = token_handler.get_jwt_user(request.headers.get('Authorization')) if username == None: return abort(401) if not api.is_active(username): return abort(401) pending_groups = [ object_to_dict(x) for x in api.get_groups_as_active_pending_member(username) ] member_groups = [ object_to_dict(x) for x in api.get_groups_as_member(username) ] owned_groups = [ object_to_dict(x) for x in api.get_groups_as_owner(username) ] # Groups can overlap. If you're owner you're always also member. # But the interesting information is that you're owner. member_groups = list(filter(lambda x: x not in owned_groups, member_groups)) # Add information about membership for group in pending_groups: group['membership'] = 'pending' for group in member_groups: group['membership'] = 'member' for group in owned_groups: group['membership'] = 'admin' all_groups = [] all_groups.extend(pending_groups) all_groups.extend(member_groups) all_groups.extend(owned_groups) return jsonify(all_groups)
def user_set_password_with_old(): """ Sets a new password using the old one. Takes a json body containing the keys old_password and new_password. Says ok when done, 401 when not ok. You need to be logged in to do this. """ uid = token_handler.get_jwt_user(request.headers.get('Authorization')) if uid == None: return abort(401) old_password = request.json.get('old_password') new_password = request.json.get('new_password') successful, _ = api.check_user_password(uid, old_password) if successful: api.set_user_password(uid, new_password) return "ok", 200 else: return "invalid old password", 401
def group_guests(group_id): group_id = sanitize(group_id) uid = token_handler.get_jwt_user(request.headers.get('Authorization')) if uid == None: return abort(401) if not api.is_active(uid): return abort(401) if not any(x.uid == uid for x in api.get_group_owners(group_id)): return abort(401) ldap_members = api.get_group_guests(group_id) members = [] for x in ldap_members: try: members.append(object_to_dict(x)) except Exception as e: print(e) return jsonify(members)
def groups(): """ Gets all groups. Returns them as json: [ { "businessCategory": "...", "cn": "...", "ou": "...", }, ... ] """ username = token_handler.get_jwt_user(request.headers.get('Authorization')) if username == None: return abort(401) if not api.is_active(username): return abort(401) groups = [object_to_dict(x) for x in api.get_groups()] return jsonify(groups)
def users(): """ Lists all users. Returns their uids in a json array. To access this, one must be owner in some group. """ # Check if user is admin in some group uid = token_handler.get_jwt_user(request.headers.get('Authorization')) if uid == None: return abort(401) if not api.is_active(uid): return abort(401) if not api.is_group_owner_anywhere(uid): return abort( 403), "To access this endpoint, you have to be owner of a group" # Ok, they are. List all users and return them! all_users = [object_to_dict(x) for x in api.get_users()] return jsonify(all_users)
def request_access_to_group(group_id): group_id = sanitize(group_id) my_uid = token_handler.get_jwt_user(request.headers.get('Authorization')) if my_uid == None: return abort(401) if not api.is_active(my_uid): return abort(401) api.add_group_active_pending_member(group_id, my_uid) group = api.get_group(group_id) user = api.get_user(my_uid) for owner in api.get_group_owners(group_id): mail.send_email(str(owner.mail), "Neue Anfrage in " + str(group.cn), \ "emails/new_pending_member_mail", { "name": str(owner.cn), "group_name": str(group.cn), "dashboard_url": config.FRONTEND_URL, "new_member_name": str(user.cn) }) return "ok"
def add_guest_to_group(group_id): group_id = sanitize(group_id) guest_name = sanitize(request.json.get('name')) guest_mail = sanitize(request.json.get('mail')) my_uid = token_handler.get_jwt_user(request.headers.get('Authorization')) if my_uid == None: return abort(401) if not api.is_active(my_uid): return abort(401) if not any(x.uid == my_uid for x in api.get_group_owners(group_id)): return abort(401) uid = api.create_guest(guest_name, guest_mail) api.add_group_member(group_id, uid) group = api.get_group(group_id) mail.send_email(str(guest_mail), "Du bist jetzt im Verteiler " + str(group.cn), \ "emails/guest_invite_email", { "name": str(guest_name), "group_name": str(group.cn), }) return uid
def remove_owner_from_group(group_id): group_id = sanitize(group_id) uid = sanitize(request.json.get('uid')) my_uid = token_handler.get_jwt_user(request.headers.get('Authorization')) # Auth is missing if my_uid == None: return abort(401) # User is inactive if not api.is_active(my_uid): return abort(401) # User is not an owner if not any(x.uid == my_uid for x in api.get_group_owners(group_id)): return abort(401) # User is not Dashboardadmin, cause dashboardadmin is holy if (uid == "dashboardadmin"): return abort(401) # User is the ownly owner despite dashboardadmin if not any((x.uid != "dashboardadmin" and x.uid != my_uid) for x in api.get_group_owners(group_id)): return abort(401) api.remove_group_owner(group_id, uid) return "ok"
def remove_user_from_group(group_id): """ Removes a user from a group. Call this function if you want to either remove yourself from a group or you want to remove another user from a group as an owner. If an owner removes a user from allgemein, their entire account is deleted. If a user is not part of any group after removal, their entire account is deleted. """ group_id = sanitize(group_id) uid = sanitize(request.json.get('uid')) my_uid = token_handler.get_jwt_user(request.headers.get('Authorization')) if my_uid == None: return abort(401) if not api.is_active(my_uid): return abort(401) # 1st: Is the uid the group? if not (any(x.uid == uid for x in api.get_group_guests(group_id)) or any(x.uid == uid for x in api.get_group_members(group_id))): return abort(400) # User is not Dashboardadmin, cause dashboardadmin is holy if (uid == "dashboardadmin"): return abort(400) # 2nd: Is the user an admin or just a user if any(x.uid == my_uid for x in api.get_group_owners(group_id)): # Group owners can remove anyone from a group but themself if uid == my_uid: return abort(400) # admin tried to remove oneself api.remove_group_member(group_id, uid) # remove # If user removed from allgemein or from their last group, remove the user if group_id == "allgemein" or \ (api.get_groups_as_member(uid) == [] and api.get_groups_as_owner(uid) == [] and api.get_groups_as_active_pending_member(uid) == []): api.delete_user(uid) return "ok" else: # Users can remove themselves from any group but allgemein if uid == my_uid and any(x.uid == uid for x in api.get_group_members( group_id)) and not group_id == "allgemein": api.remove_group_member(group_id, uid) return "ok" return abort(500)
def inactive_info(): uid = token_handler.get_jwt_user(request.headers.get('Authorization')) if uid == None: return abort(401) inactive_user = None try: inactive_info = api.get_inactive_user(uid) except LdapApiException as e: return jsonify({"inactive": False}) # Get the owners of the group you are pending in groups = api.get_groups_as_inactive_pending_member(uid) if len(groups) != 1: return jsonify({"inactive": True}) group = groups[0] group_name = str(group.cn) pending_group_owners = [ object_to_dict(api.get_user(dn_to_uid(str(x)))) for x in group.owner ] return jsonify({ "inactive": True, "pending_group_name": group_name, "pending_group_owners": pending_group_owners, })
def remove_pending_member_from_group(group_id): """ Cancels a membership request. Call this function if you want to either remove your own membership request from a group or you want to remove another user's request from a group as an owner. """ group_id = sanitize(group_id) uid = sanitize(request.json.get('uid')) my_uid = token_handler.get_jwt_user(request.headers.get('Authorization')) if my_uid == None: return abort(401) if not api.is_active(my_uid): return abort(401) # Users can remove their own requests from a group if uid == my_uid and any( x.uid == uid for x in api.get_group_active_pending_members(group_id)): api.remove_group_active_pending_member(group_id, uid) return "ok" # Group owners can remove any pending member if any(x.uid == my_uid for x in api.get_group_owners(group_id)): api.remove_group_active_pending_member(group_id, uid) return "ok" return abort(401)
def set_alternative_mail(): """ Starts the email confirmation process by sending an email. Takes a json body with the key "alternative_mail". """ alternative_mail = request.json.get('alternative_mail') uid = token_handler.get_jwt_user(request.headers.get('Authorization')) if uid == None: return abort(401) try: email_reset_token = token_handler.create_email_confirmation_jwt_token( uid, alternative_mail).decode("utf-8") mail.send_email( alternative_mail, "Email-Confirmation", "emails/email_confirmation", { "name": uid, "link": join(config.DASHBOARD_URL, "confirm?key=" + email_reset_token), }) return "ok" except LdapApiException as e: print(e) return abort(401)
def whoami(): uid = token_handler.get_jwt_user(request.headers.get('Authorization')) if uid == None: return abort(401) info = api.get_user_info(uid) return object_to_dict(info)