[API][Plugin] Bugfix and API change
* users: Fixed bug in edit_user when a user is modified by an admin * API: Users return the list of roles as strings, not Roles
This commit is contained in:
parent
7aba295e45
commit
6f0e9854d6
|
@ -28,12 +28,12 @@ def update_user(user):
|
|||
|
||||
|
||||
def set_roles(user: User, roles: [str]):
|
||||
user.roles.clear()
|
||||
user.roles_.clear()
|
||||
for role_name in roles:
|
||||
role = Role.query.filter(Role.name == role_name).one_or_none()
|
||||
if not role:
|
||||
raise BadRequest("Role not found >{}<".format(role_name))
|
||||
user.roles.append(role)
|
||||
user.roles_.append(role)
|
||||
|
||||
|
||||
def modify_user(user, password, new_password=None):
|
||||
|
@ -56,7 +56,7 @@ def get_users():
|
|||
|
||||
|
||||
def get_user_by_role(role: Role):
|
||||
return User.query.join(User.roles).filter_by(role_id=role.id).all()
|
||||
return User.query.join(User.roles_).filter_by(role_id=role.id).all()
|
||||
|
||||
|
||||
def get_user(uid):
|
||||
|
|
|
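Review bot: set_roles empties `user.roles_` before any of the incoming names has been resolved, so when the loop hits `raise BadRequest("Role not found >{}<".format(role_name))` the user is left with a cleared or partially rebuilt role list in the session; whether a caller rolls that back is not visible in this hunk. Resolving every name first and touching the relationship only after all lookups succeed makes the operation all-or-nothing independent of how the session is handled. The rewrite below keeps the signature, the lookup and the error message unchanged.
```python
def set_roles(user: User, roles: [str]):
    resolved = []
    for role_name in roles:
        role = Role.query.filter(Role.name == role_name).one_or_none()
        if not role:
            raise BadRequest("Role not found >{}<".format(role_name))
        resolved.append(role)
    # Only replace the assignment once every requested role exists
    user.roles_.clear()
    user.roles_.extend(resolved)
```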
@ -53,14 +53,19 @@ class User(db.Model, ModelSerializeMixin):
|
|||
firstname: str = db.Column(db.String(30))
|
||||
lastname: str = db.Column(db.String(30))
|
||||
mail: str = db.Column(db.String(30))
|
||||
roles: [Role] = db.relationship("Role", secondary=association_table)
|
||||
roles: [str] = []
|
||||
|
||||
roles_: [Role] = db.relationship("Role", secondary=association_table)
|
||||
_id = db.Column("id", db.Integer, primary_key=True)
|
||||
_sessions = db.relationship("Session", back_populates="_user")
|
||||
_attributes = db.relationship(
|
||||
"_UserAttribute", collection_class=attribute_mapped_collection("name"), cascade="all, delete"
|
||||
)
|
||||
|
||||
@property
|
||||
def roles(self):
|
||||
return [role.name for role in self.roles_]
|
||||
|
||||
def set_attribute(self, name, value):
|
||||
if name in self._attributes:
|
||||
self._attributes[name].value = value
|
||||
|
@ -76,7 +81,7 @@ class User(db.Model, ModelSerializeMixin):
|
|||
return default
|
||||
|
||||
def get_permissions(self):
|
||||
return ["user"] + [permission.name for role in self.roles for permission in role.permissions]
|
||||
return ["user"] + [permission.name for role in self.roles_ for permission in role.permissions]
|
||||
|
||||
def has_permission(self, permission):
|
||||
return permission in self.get_permissions()
|
||||
|
|
|
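Review bot: The class attribute `roles: [str] = []` on User is rebound by the `@property def roles` defined further down the same class body, so the `[]` value never takes effect and, being a mutable class-level default, reads as if instances shared one list. If the annotation is kept so that ModelSerializeMixin discovers the field from `__annotations__` (inferred; the mixin is not in this diff), a bare annotation does that job without the misleading value: `roles: [str]  # role names; value comes from the property below`. The property has no setter, so a generic `setattr(user, "roles", ...)` would raise AttributeError; edit_user routes "roles" through userController.set_roles instead, which is worth stating in the property's docstring.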
@ -49,7 +49,7 @@ def login():
|
|||
|
||||
# Lets cleanup the DB
|
||||
sessionController.clear_expired()
|
||||
return {"session": session, "user": user}, CREATED
|
||||
return {"session": session, "user": user, "permissions": user.get_permissions()}, CREATED
|
||||
|
||||
|
||||
@auth_bp.route("/auth", methods=["GET"])
|
||||
|
|
|
@ -9,6 +9,7 @@ from flask import Blueprint, request, jsonify, make_response
|
|||
from werkzeug.exceptions import BadRequest, Forbidden, MethodNotAllowed
|
||||
|
||||
from flaschengeist import logger
|
||||
from flaschengeist.models.user import User
|
||||
from flaschengeist.plugins import Plugin
|
||||
from flaschengeist.decorator import login_required, extract_session
|
||||
from flaschengeist.controller import userController
|
||||
|
@ -81,11 +82,14 @@ def get_user(userid, current_session):
|
|||
current_session: Session sent with Authorization Header
|
||||
|
||||
Returns:
|
||||
JSON encoded `flaschengeist.models.user.User` or HTTP error
|
||||
JSON encoded `flaschengeist.models.user.User` or if userid is current user also containing permissions or HTTP error
|
||||
"""
|
||||
logger.debug("Get information of user {{ {} }}".format(userid))
|
||||
user = userController.get_user(userid)
|
||||
return jsonify(user)
|
||||
user: User = userController.get_user(userid)
|
||||
serial = user.serialize()
|
||||
if (userid == current_session._user.userid):
|
||||
serial['permissions'] = user.get_permissions()
|
||||
return jsonify(serial)
|
||||
|
||||
|
||||
@users_bp.route("/users/<userid>", methods=["DELETE"])
|
||||
|
@ -132,9 +136,11 @@ def edit_user(userid, current_session):
|
|||
password = None
|
||||
new_password = data["new_password"] if "new_password" in data else None
|
||||
|
||||
author = user
|
||||
if userid != current_session._user.userid:
|
||||
if not user.has_permission(_permission_edit):
|
||||
return Forbidden
|
||||
author = current_session._user
|
||||
if not author.has_permission(_permission_edit):
|
||||
raise Forbidden
|
||||
else:
|
||||
if "password" not in data:
|
||||
raise BadRequest("Password is missing")
|
||||
|
@ -145,7 +151,7 @@ def edit_user(userid, current_session):
|
|||
setattr(user, key, data[key])
|
||||
|
||||
if "roles" in data:
|
||||
if not user.has_permission(_permission_set_roles):
|
||||
if not author.has_permission(_permission_set_roles):
|
||||
raise Forbidden
|
||||
userController.set_roles(user, data["roles"])
|
||||
|
||||
|
|
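Review bot: `data["roles"]` reaches `userController.set_roles(user, data["roles"])` without any type check, and set_roles iterates whatever it receives, so a string payload is walked character by character and a non-iterable value surfaces as an unhandled TypeError (a 500) rather than a 400. A one-line guard before the call keeps malformed client input on the BadRequest path: `if not isinstance(data["roles"], list): raise BadRequest("roles must be a list of role names")`. Smaller style point in the same file: `if (userid == current_session._user.userid):` in get_user carries redundant parentheses and `serial['permissions']` uses single quotes where the surrounding code uses double; edit_user's body continues outside the hunk.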